Do you “own” personal data?

I’ve been meaning to re-write this as a blog post for ages, and a Twitter exchange with the excellent @mediamocracy has finally nudged me into doing so.

Incidentally, I say “re-write” because, despite rumours to the contrary, the Internet is not as indelible as people might have you believe. I used to have a blog at http://blogs.sun.com/racingsnake, but all you will get there now is a 404 from Oracle. I don’t know what line of reasoning they followed to delete some Sun blogs while leaving many others up, but there you go.

“Ah, but what about the Wayback Machine?”, I hear you say… What indeed? The thing about Wayback is that it only captures the page pointed to by a URL at the time of its crawl. Sun’s blogs, like many, worked as a push-down stack, so any posts that got pushed off the bottom of the page between one Wayback crawl and the next were never captured. In short, Wayback will replay some of my posts for anyone wanting to dig into them, but not the one about data “ownership”.

That being the case, I’ll base this post on a related comment I made later, on an IETF thread about privacy and geo-location.

In brief, my underlying argument is this:

You’ve probably all seen privacy threads where an aggrieved data subject says “All I want is to be given back *my* data”… The implicit assumption is that, in some way, I ‘own’ my [sic] personal data. Unfortunately, not far down the line that leads to all kinds of unwanted consequences, and therefore we’re better off not starting out with a model based on concepts of ‘ownership’ if at all possible.

For instance, as Bob Blakley pithily put it, “You can’t control the stories other people tell about you”. There’s lots of personal data about you over which you have no control, let alone ‘ownership’, because it’s generated by other people. The only time you get control over it is, for instance, if the information is libellous. Even then, you don’t get ‘ownership’ of the data; you get the opportunity to exercise certain rights pertaining to it. [The Google “de-indexing” ruling of 2014 is a classic example of this principle.]

Similarly, a model based on a concept of ‘ownership’ doesn’t work well for informational resources that can be ‘stolen’ from you yet still leave you in possession of the data. Think of copyright digital media… you own the CD of Beethoven’s 5th, but there are rights to do with the original work (or the performance) that you don’t enjoy.

Legally – at least in the UK and US, and I believe elsewhere, too – there are distinctions between the treatment of “personal property” (or personalty) and “real property” (or realty). My own belief is that we’re better off treating personal data as if it were realty than as if it were personalty. This is especially true of the legal remedies when something is stolen from you: what has to happen in the case of realty offers a better model than the legal remedies for theft of personalty.

I know this is a rather terse and dense statement of the issue – there are doubtless points here that could be unpacked in far greater detail – but suffice to say, I think an approach based on assumptions of ‘rights’ over data has fewer problems than one based on assumptions of ‘ownership’. Think of personal data such as location/tracking/behavioural data: it makes little sense to claim that I ‘own’ the data collected about my path through a shopping mall, but it makes a lot of sense to claim that I have certain rights relating to it.

[Update]: since I initially wrote this, I have actually tended to take a tougher line still. In my view, not only do I have rights relating to data about me; I also, I believe, have rights relating to data that affect me. I sometimes express this as “PII should be re-defined from ‘Personally Identifiable Information’ to ‘Privacy-Impacting Information’”. This might reflect more accurately the reality of today’s personal data ecosystem, in which you are affected not only by personally identifiable data, but also:

  • by inferences drawn from that data
  • by personally identifiable data about other people thought to be similar to you
  • by aggregations of metadata
  • by aggregated data about the behaviour of others.

In short, trying to protect your own privacy and self-determination by focussing solely on data over which you think you have “ownership” is likely to prove ineffective, and will fail to address a significant proportion of the real privacy risk.

A victory in the Investigatory Powers Tribunal. Or is it?

Yesterday’s big privacy headline was all about the mass data breach at the US insurance firm Anthem… today’s is about the Investigatory Powers Tribunal (IPT) ruling against GCHQ. For the first time since it was established in 2000, the IPT has ruled against an intelligence agency; GCHQ’s interception regime under the PRISM and UPSTREAM programs, it says, violated articles 8 (privacy) and 10 (freedom of expression) of the European Convention on Human Rights, and as a consequence, was unlawful from 2007 to 2014.

So far, so good: a succinct, clear and definitive ruling. And hats off, by the way, to Privacy International, Amnesty International, Liberty, the ACLU, Bytes4All and others who stood up for citizens’ rights under the ECHR, getting this ruling despite the government’s ingrained unwillingness to release any data about governance of the intelligence services’ activities. So unwilling are they that, even in the context of the Tribunal, they refuse to admit the existence of the TEMPORA program so clearly described in documents disclosed by Edward Snowden. As the Tribunal president puts it in the judgment:

“The alleged conduct itself is not admitted by the Respondents. It falls to be considered as a result of allegations made by Mr Edward Snowden, a former contractor for the National Security Agency (“NSA”) of the United States, by whom a very substantial quantity of documentation has been leaked and much put into the public domain.”

They only admit the existence of PRISM because – in the words of the senior civil servant concerned – “it has been expressly avowed by the executive branch of the US government”.

A huge victory, then? Regrettably not. GCHQ’s mass surveillance program continues exactly as before, and this ruling will not affect its operation in any way. There are two reasons why.

First, the IPT’s ruling of unlawfulness only applies to GCHQ’s actions up to December 2014. From then on, the Tribunal is satisfied that the intercept regime is lawful.

Second, what was the basis for ruling the program unlawful from 2007 to 2014? It was that the ECHR requires any such interference with articles 8 and 10 to be conducted “in accordance with the law”; that, in turn, means it must not only have a basis in law, but that that legal basis must be sufficiently accessible and foreseeable to anyone potentially affected. In other words, this is not about whether the interception itself was acceptable: it’s about whether citizens were reasonably informed about the kinds of action to which the law is liable to give rise. The human rights basis for this is clear: justice and the rule of law cannot be served if citizens are governed by laws (or interpretations of those laws) that they cannot see.

So, what changed in December 2014?

Well, in the course of the Tribunal hearing, some evidence from the intelligence agencies was heard in the presence of the claimants, and some was heard in closed session without them. This is part of the procedure for dealing with the special nature of intelligence-related hearings, where some of the relevant evidence is too sensitive to be discussed in open session. The claimants can be represented, in closed session, by a Special Advocate – but that was not the case in this hearing. The closed session is also attended by a Counsel to the Tribunal, whose role is to help the Tribunal rather than to represent the claimants. The Counsel is able to report back, in good faith, to the open session such details as the intelligence services agree can safely be disclosed – this is to help reassure the claimants that the Tribunal is making its decision on a sound basis.

In this instance, the intelligence services explained, in closed session, some of the oversight mechanisms they apply in order to ensure that their interception activities are not indiscriminate or arbitrary. They agreed that some of that explanation could be taken back into the open session (and, as such, put into the public domain). It appears on page 26 of the Tribunal’s December 2014 judgment, in paragraph 47. It sets out the conditions under which the intelligence services can request interception data from another country (such as the US) and the internal rules and safeguards that apply to the data received.

According to the judgment, the fact that these details are now in the public domain is enough to meet the ECHR’s requirement for foreseeability – a requirement which the European Court of Human Rights has expressed like this:

“in a system applicable to citizens generally … the law has to be sufficiently clear in its terms to give them an adequate indication as to the circumstances in which and the conditions on which the public authorities are empowered to resort to this kind of secret and potentially dangerous interference with private life” (Leander v Sweden, 1987)

In other words, it is the Tribunal’s December 2014 judgment itself which, by including these details, renders GCHQ’s interception regime ‘foreseeable’ enough to comply with the ECHR. Although the Tribunal declined to admit it at the time, the logical corollary is that the interception regime was not compliant before this explanation was published… and that is the substance of today’s judgment. Phew.

So, since nothing in the interception regime will change as a result, has the whole thing just been a huge waste of time?

No.

It is absolutely, vitally important that we should have legal means to challenge the policies and actions of our government and its agencies, whether those legal means are domestic (such as the IPT) or international (such as the ECHR). It’s to the credit of the claimants in this case that they were determined to exercise those legal means, and that they did so successfully.

It’s also important that the assertions of civil servants (such as Charles Farr), ministers (such as the Home Secretary) and those responsible for overseeing the intelligence services (such as Sir Malcolm Rifkind) be demonstrably open to challenge. All three of them repeatedly assured us that the surveillance regime was lawful, and all three of them have been shown to be wrong.

Where law enforcement and intelligence activities have to be carried out in secret, we rely entirely on the good faith and trustworthiness of those responsible for the governance regime. When they fall short – as they have done – we must have the means to find out, and call them to account.

We also have to learn lessons from this about the consequences of unlawful surveillance. The intelligence services now have seven years’ worth of surveillance data collected unlawfully. What are they going to do with it? That personal data is seven years’ worth of toothpaste that can’t be put back into the tube. At a time when the government keeps pressing, again and again, for increased powers of interception and surveillance, we should remind them, again and again, that mistakes here are indelible.