I had a lot I wanted to say about the news that Volkswagen gamed its cars' software to give both its customers and environmental protection agencies what they want - better performance in the first case, less pollution in the second. However, James Grimmelmann, writing in (among others) Mother Jones, beat me to what I wanted to say about the dangers coming our way in a future full of hidden software that can change the physical world, and then Zeynep Tufekci covered my other point, asking whether we still think electronic voting is a pretty neat idea.
Grimmelmann's - and EFF's - concern is that current copyright law, specifically the Digital Millennium Copyright Act, makes it harder to catch such issues by restricting research. Well, sure: the law was created to serve the entertainment industries, primarily music, not a future of software inside everything of public import, from printer cartridges and cars to streetlights and medical devices. The EU's equivalent, the 2001 Copyright Directive, has similar but not identical clauses that have been invoked to block the presentation of research from the University of Birmingham into cracking keyless car entry systems (the paper has since been published with some redactions (PDF)).
VW's is the kind of scandal that gives corporate malfeasance a bad name for generations to come. And it has company: this week's news that Exxon's own research confirmed global warming in 1982, the tobacco companies' long suppression of permitted to create their own impenetrable encrypted communications system, despite their history. It all goes to prove Simon Davies' contention, stated in an interview for a 1999 Scientific American article (TXT), "Companies are pathologically unable to punish themselves."
This is a roundabout lead-up to this week's notable but overshadowed story that the Advocate-General of the European Court of Justice, Yves Bot, has issued an opinion that the "safe harbor" agreement that allows personal data to be transferred from the EU to the US is invalid. Assuming the court follows Bot's advice - which I'm told it does approximately four-fifths of the time - we might be on the verge of the trade war Davies predicted in 1999. Companies like Google and Apple, which are more focused on individuals, may not be too severely affected, but how does a social media platform like Facebook manage users' international social graphs under a system that requires it to sequester EU citizens' personal data?
The CJEU case was brought by the Austrian lawyer and activist Max Schrems. Following the 2013 Snowden revelations, which made plain that EU citizens could not escape spying by the US authorities, Schrems decided to test whether the EU's data protection laws are in fact enforceable in practice. In 2014, he took his complaint to Ireland's data protection commissioner (where Facebook is based) and asked him to force the company to conform to EU law. He found widespread support; unlike the UK but like the US, Austria allows class action suits. From there, the case found its way to the CJEU.
Even in 1999, when safe harbor was agreed, privacy advocates were arguing that it was inadequate. Basically, it's a kludge. EU data protection law prohibits the transfer of personal data to countries that lack a similar level of privacy protection. The US doesn't. Safe harbor allows everyone to pretend it does by allowing companies to self-certify their compliance. The BBC counts more than 4,000 companies that use safe harbor and quotes Schrems calling this an unfair advantage over companies that are more tightly bound by privacy law. It would be good to see this claim stood up by research (of the kind few companies will permit). Instinctively, it seems reasonable: it's an imbalance comparable to allowing US companies to sell into the EU without collecting VAT, giving them a substantial price advantage over EU-based companies, a loophole that's been closed.
At least one American commentator - Lauren Weinstein - has called the ruling hypocritical, on the basis that the EU is perfectly happy to spy on its own citizens. He's missing the point. An Austrian citizen who believes their privacy has been invaded by their own government has means of recourse: filing a court case or freedom of information requests, spearheading civil protests, campaigning, voting. There are no such means of recourse for a foreign national in the US. Plus, this isn't a case the government brought: Schrems has noted that the Irish data protection commissioner's office did their best to avoid bringing the case, answering Schrems' 22 complaints with a best-practice audit rather than a prosecution.
"[Americans] fail to understand that what has happened in Europe is a legal, constitutional thing, and they can no more cut a deal with the Europeans than the Europeans can cut a deal with your First Amendment," Davies said in 1999. That was before they started secretly negotiating treaties intended to bypass domestic, democratically enacted law. Alongside the provisions in nascent treaties such as the Trans-Pacific Partnership are equally contentious, business-backed attempts to bypass data protection law by prohibiting requirements for local storage (PDF). For our benefit, I'm sure. Like breathing particulates.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.