" /> net.wars: September 2019 Archives

« August 2019 | Main | October 2019 »

September 27, 2019

Balancing acts

800px-Netherlands-4589_-_Lady_of_Justice_&_William_of_Orange_Coat-o-Arms_(12171086413).jpgThe Court of Justice of the European Union had an important moment on Tuesday, albeit overshadowed by another court elsewhere, ruling that the right to be forgotten can be limited to the EU. To recap: in 2014, in its ruling in Google Spain v. AEPD and Mario Costeja González ("Costeja") CJEU required Google to delist results returned by searches on a person's name under certain circumstances. Costeja had complained that the fact that a newspaper record of the foreclosure on his house in 1998 was the first thing people saw when they searched for him gave them a false impression. In an effort to balance freedom of expression and privacy, the court's ruling left the original newspaper announcement intact, but ordered Google to remove the link from its index of search results. Since then, Google says it has received 845,501 similar requests representing 3.3 million links, of which it has dereferenced 45%.

Well, now. Left unsettled was the question of territorial jurisdiction: one would think that a European court doesn't have the geographical reach to require Google to remove listings worldwide - but if Google doesn't, then the ability to switch to a differently-located version of the search engine trivially defeats the ruling. What is a search engine to do?

This is a dispute we've seen before, beginning in 2000, when, in a case brought by the Ligue contre le racisme et l'antisémitisme et Union des étudiants juifs de France (LICRA), a French tribunal ordered Yahoo to block sales of Nazi memorabilia on its auction site. Yahoo argued that it was a US company, therefore the sales were happening in the US, and don't-break-the-Internet; the French court claimed jurisdiction anyway. Yahoo appealed *in the US*, where the case was dismissed for lack of jurisdiction. Eventually, Yahoo stopped selling the memorabilia everywhere, and the fuss died down.

Costeja offered the same conundrum with a greater degree of difficulty; the decision has been subsumed into GDPR as Article 17, "right to erasure". Google began delisting Costeja's unwanted result, along with those many others, from EU versions of its search engine but left them accessible in the non-EU domains. The French data protection regulator, CNIL, however, felt this didn't go far enough and in May 2015 it ordered Google to expand dereferencing to all its servers worldwide. Google's version of compliance was to deny access to the listings to anyone coming from the country where the I-want-to-be-forgotten complaint originated. In March 2016 CNIL fined Google €100,000 (pocket change!), saying that the availability of content should not depend on the geographic location of the person seeking to view it. In response to Google's appeal, the French court referred several questions to CJEU, leading to this week's ruling.

The headlines announcing this judgment - for example, the Guardian's - give the impression that the judgment is more comprehensive than it is. Yes, the court ruled that search engines are not required to delist results worldwide in right to be forgotten cases, citing the need to balance the right to be forgotten against other fundamental rights such as freedom of expression. But it also ruled that search engines are not prohibited from doing so. The judgment suggests that they should take into account the details of the particular case and the complainant, as well as the need to balance data protection and privacy rights against the public interest.

The remaining ambiguity means we should expect there will be another case along any minute. Few are going to much happier than they were in 2013, when putting right to be forgotten into law was proposed, or in 2014, when Costeja was decided, or shortly afterwards, when Google first reported on its delisting efforts. Freedom of speech advocates and journalists are still worried that the system is an invitation to censorship, as it has proved to be in at least one case; the French regulator, and maybe some other privacy advocates and data protection authorities, is still unhappy; and we still have a situation where a private company is being asked to make even more nuanced decisions on our behalf. The reality, however, is that given the law there is no solution, only compromise.

This is a good moment for a couple of other follow-ups:

- Mozilla has announced it will not turn on DNS-over-HTTPS by default in Firefox in the UK. This is in response to the complaints noted in May that DoH will break workarounds used in the UK to block child abuse images.

- Uber and Transport for London aren't getting along any better than they were in 2017, when TfL declined to renew its license to operate. Uber made a few concessions, and on appeal it was granted a 15-month extension. With that on the verge of running out, TfL has given the company two months to produce additional information before it makes a final decision. As Hubert Horan continues to point out, the company's aggressive regulation-breaking approach is a strategy, not the work of a rogue CEO, and its long-term prospects remain those of a company with "terrible underlying economics".


Illustrations: Justitia outside the Delft Town Hall, the Netherlands (via Dennis Jarvis at Wikimedia.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

September 20, 2019

Jumping the shark

800px-Guadalupe_Island_Great_White_Shark_with_Horizon_Charters.pngThis week, the Wall Street Journal claimed that Amazon has begun ordering item search results according to their profitability for the company. ( (The story is summarized at Ars Technica, for non-WSJ subscribers.) Amazon has called the story "not factually accurate", though, unsurprisingly, it declined to explain its algorithm's inner workings.

My reaction: "Well, that's a jump the shark moment."

Of course we know that every business seeks to optimize profits. Supermarkets - doubtless including Amazon's Whole Foods - choose the products to place at the ends of aisles and at cash registers only partly because those are the ones that tempt customers to make impulse buys but also because the product manufacturers pay them to do so. Both halves of that motivation have to be there. But Amazon's business and reputation are built on being fiercely devoted to putting customers first. So what makes this story different is the - perhaps only very slight - change in the weighting given to customer welfare.

In this, Amazon is following a time-honored Silicon Valley tradition (despite being based 800 miles north, in Seattle). In 2017, the EU fined Google $2.7 billion for favoring its own services in its shopping search results.

Obviously, Amazon has done and is doing far worse things. Just a few days earlier, the company announced changes that will remove health benefits for nearly 2,000 part-time employees at Whole Foods. It seems capriciously cruel: the richest man in the world, who last year told Business Insider he couldn't think of anything to spend his money on other than space travel, is willing to actively harm (given the US health system) some of the most vulnerable people who work for him. Even if he can't see it himself, you'd think the company's PR department would.

And that's just the latest in the catalogue. The company's warehouse workers regularly tell horror stories about their grueling jobs - and have for years. It will pay no US federal taxes this year for the second year in a row.

Whether or not it's true, one reason the story is so plausible is that increasingly we have no idea how businesses make their money. We *assume* we know that Coca-Cola's primary business is selling soft drinks, airlines' is selling seats on planes, and Spotify's is the sort of combination of subscriptions and advertising that has sustained many different media for a century. But not so fast: in 2017, Bloomberg reported that actually airlines make more money selling miles than they do from selling seats. Maybe the miles can't exist without the seats, but motives go where the money is, so this business reality must have consequences. Spotify, it turns out, has been building itself up into the third-largest player in digital advertising, collaborating with the PR and advertising holding company WPP to mine the billions of data points collected daily from its users' playlists and giving advertisers a new meaning for the term "mood music".

In the most simple mental model, we might expect Amazon to profit more from items it sells itself than from those sold on its platform by marketplace sellers. In fact, Amazon noted in its 2008 annual report (PDF, see p32) that its profits were about the same either way. This year, however, the EU opened an investigation into whether the company is taking advantage of the data it collects about third-party sales to identify profitable products it can cherry-pick and make for itself. No one, Lina Khan wrote in 2017 in a discussion of the modern failings of the US's antitrust enforcement, valued the data Amazon collects from smaller sellers' transactions, not even in those annual reports. Revenue-neutral, indeed.

In fact, Amazon's biggest source of profits is not its retail division, which even The Motley Fool can't figure out if it makes money. Amazon's biggest profit center is Amazon Web Services; *Netflix* was built on it. It may in fact be the case that the cloud business enables Amazon to act as an increasingly rapacious predator feasting on the rest of retail, a business model familiar from Uber (though it's far from the only one).

So Spotify is a music service in the same sense that Adobe and Oracle are software companies. Probably none of their original business plans focused on data exploitation, and their "pivot" (or bait and switch) into data passes us by while Facebook and Google get all the stick. Amazon may be the most problematic; it is, as Kashmir Hill discovered earlier this year, hard to do without Google but impossible to excise Amazon from your life. Finding alternatives for retail can still be done with enough diligence, but opting out of every business that depends on its cloud services can't be done.

Amazon was doing very well at escaping the negative scrutiny accruing to Facebook, Uber, and Google, all while becoming arguably the bigger threat, in part because we think of it as a nice company that sends us things. But if its retail customers are becoming just fungible piles of data to be optimized, that's a systemic failure the company can't reverse by restoring 2,000 people's health benefits, or paying taxes, or getting its owner to say, oh, yeah, space travel...what was I thinking?


Illustrations: Great white shark (via Sharkcrew at Wikimedia).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

September 13, 2019

Purposeful dystopianism

Truman-Show-exist.pngA university comparative literature class on utopian fiction taught me this: all utopias are dystopias underneath. I was reminded of this at this week's Gikii, when someone noted the converse, that all dystopias contain within themselves the flaw that leads to their destruction. Of course, I also immediately thought of the bare patch on Smaug's chest in The Hobbit because at Gikii your law and technology come entangled with pop culture. (Write-ups of past years: 2018; 2016; 2014; 2013; 2008.)

Granted, as was pointed out to me, fictional utopias would have no dramatic conflict without dystopian underpinnings, just as dystopias would have none without their misfits plotting to overcome. But the context for this subdiscussion was the talk by Andres Guadamuz, which he began by locating "peak Cyber-utopianism" at 2006 to 2010, when Time magazine celebrated the power the Internet had brought each of us, Wikileaks was doing journalism, bitcoin was new, and social media appeared to have created the Arab Spring. "It looked like we could do anything." (Ah, youth.)

Since then, serially, every item on his list has disappointed. One startling statistic Guadamuz cited: streaming now creates more carbon emissions than airplanes. Streaming online video generates as much carbon dioxide per year as Belgium; bitcoin uses as much energy as Austria. By 2030, the Internet is projected to account for 20% of all energy consumption. Cue another memory, from 1995, when MIT Media Lab founder Nicholas Negroponte was feted for predicting in Being Digital that wired and wireless would switch places: broadcasting would move to the Internet's series of tubes, and historically wired connections such as the telephone network would become mobile and wireless. Meanwhile, all physical forms of information would become bits. No one then queried the sense of doing this. This week, the lab Negroponte was running then is in trouble, too. This has deep repercussions beyond any one institution.

Twenty-five years ago, in Tainted Truth, journalist Cynthia Crossen documented the extent to which funders get the research results they want. Successive generations of research have backed this up. What the Media Lab story tells us is that they also get the research they want - not just, as in the cases of Big Oil and Big Tobacco, the *specific* conclusions they want promoted but the research ecosystem. We have often told the story of how the Internet's origins as a cooperative have been coopted into a highly centralized system with central points of failure, a process Guadamuz this week called "cybercolonialism". Yet in focusing on the drivers of the commercial world we have paid insufficient attention to those driving the academic underpinnings that have defined today's technological world.

To be fair, fretting over centralization was the most mundane topic this week: presentations skittered through cultural appropriation via intellectual property law (Michael Dunford, on Disney's use of Māui, a case study of moderation in a Facebook group that crosses RuPaul and Twin Peaks fandom (Carolina Are), and a taxonomy of lying and deception intended to help decode deepfakes of all types (Andrea Matwyshyn and Miranda Mowbray).

Especially, it is hard for a non-lawyer to do justice to the discussions of how and whether data protection rights persist after death, led by Edina Harbinja, Lilian Edwards, Michael Veale, and Jef Ausloos. You can't libel the dead, they explained, because under common law, personal actions die with the person: your obligation not to lie about someone dies when they do. This conflicts with information rights that persist as your digital ghost: privacy versus property, a reinvention of "body" and "soul". The Internet is *so many* dystopias.

Centralization captured so much of my attention because it is ongoing and threatening. One example is the impending rollout of DNS-over-HTTPS. We need better security for the Internet's infrastructure, but DoH further concentrates centralized control. In his presentation Derek MacAuley noted that individuals who need the kind of protection DoH is claimed to provide would do better to just use Tor. It, too, is not perfect, but it's here and it works. This adds one more to so many historical examples where improving the technology we had that worked would have spared us the level of control now exercised by the largest technology companies.

Centralization completely undermines the Internet's original purpose: to withstand a bomb outage. Mozilla and Google surely know this. The third DoH partner, Cloudflare, the content delivery network in the middle, certainly does: when it goes down, as it did for 15 minutes in July, millions of websites become unreachable. The only sensible response is to increase resilience with multiple pathways. Instead, we have Facebook proposing to further entrench its central role in many people's lives with its nascent Libra cryptocurrency. "Well, *I*'m not going to use it" isn't an adequate response when in some countries Facebook effectively *is* the Internet.

So where are the flaws in our present Internet dystopias? We've suggested before that advertising saturation may be one; the fakery that runs all the way through the advertising stack is probably another. Government takeovers and pervasive surveillance provide motivation to rebuild alternative pathways. The built-in lack of security is, as ever, a growing threat. But the biggest flaw built into the centralized Internet may be this: boredom.


Illustrations: The Truman Show.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

September 6, 2019

Traffic stop

rotated-dead-end.jpgIn a week when Brexit has been at peak chaos generation, it's astonishing how little attention has been paid to what would happen to data flows if the UK exits the EU on October 31 with no agreement in place. At a stroke, the UK would become a "third country" in data protection parlance. Granted, at the instant of withdrawal, under the Withdrawal Act (2018), all EU law is immediately incorporated into UK law - which in turn means that the General Data Protection Regulation, which came into force in 2018, is recreated as a UK law. But as far as I can tell, there still has to be a decision that the UK's data protection regime qualifies under EU law as adequate for data flows to continue unimpeded from the EU27 into the UK.

Which means that at the very least a no-deal Brexit will deliver a lengthy delay while the European Commission makes that decision. Most of the other things people are worrying about since the leaked "Yellowhammer" documents outlining the government's expectations in case of a no-deal exit alerted the country to the likely disruption - food, medicines, Customs and immigration clearance - have widespread impact but are comparatively confined to one or a few sectors. Data is *everything*. Food and medicine supply chains, agriculture, national security, immigration, airline systems...there is hardly an aspect of this country's life that won't be disrupted if data flows can't continue. As DP Network explains it, the process of assessing the adequacy of the UK's data protection regime can't even start until the UK has left - and can take months or even years. During that time, the UK can send data to the EU perfectly well - but transfers the other way will require a different legal framework. The most likely is Standard Contractual Clauses - model clauses that are already approved that can be embedded in contracts with suppliers and partners. I haven't seen any assessment of what kind of progress companies have made in putting these in place.

But this, too, is not assured. These clauses form part of the second case brought to the Court of Justice of the European Union by Max Schrems, the Austrian lawyer whose court action brought down Safe Harbor in 2015. Schrems 2.0, calls into question the legal validity of those SCCs as part of his challenge to Privacy Shield, the EU/US agreement that replaced Safe Harbor in 2016. Schrems himself believes that SCCs can meet the adequacy standard if they are properly enforced, and that they can be used to stop specific illegal transfers. For larger companies with lawyers on call, SCCs may be a reasonable option. It's harder to see how smaller companies will cope. The Information Commissioner's Office has advice. Its guidance on international transfers refers businesses to the European Data Protection Bureau's note on the subject (PDF), which outlines the options.

That's if there's a no-deal crash-out. The Withdrawal Agreement, which Theresa May tried three times to get through Parliament and saw voted down three times, has provisions preserving the status quo - unimpeded data flows - until at least 2020 as part of the transition period. This is the agreement that Boris Johnson is grandstanding about, insisting that the EU must and will make changes and that negotiations are ongoing - which the EU denies. I believe the EU, if only because for the last three years it has consistently done what it said it would do, whereas Boris Johnson...

While the UK of course participated in the massive legislative exercise that led to GDPR, it's worth remembering that a number of the business-oriented ministers of the day were not fans of some of its provisions and wanted it watered down. No matter how Brexit comes out, however, the UK will not get to do this: GDPR, like Richard Stallman's GNU license carries with it like a stowaway the pay-it-forward requirement that future use of the same material must be subject to its rules. The UK can choose: it can be a "vassal state" and "surrender" to ongoing EU enhancements to data protection - OR it can cut itself off entirely from the modern international business world.

It's not clear if any of the data issues have filtered through into the public consciousness, perhaps because stopped data flows, as SA Mathieson writes at The Register, don't sound like much compared to the specter of bare supermarket shelves. Mathieson goes into some detail about the fun businesses are going to have: EU-based travel agencies that can't transfer tourists' data to the hotels they've booked, internal transfers within companies with offices spread across several countries, financial services... If "data is the new oil", then we're talking banning all the tankers. No wonder the EU is reportedly regarding no-deal Brexit as the equivalent of a natural disaster, and accordingly setting aside funds to mitigate the damage.


Illustrations: Dead-end sign.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.