Anyway, the topic of the talk was ‘death and the web’, and these are my notes (handwritten at first, typed up on the train afterwards).  As always, this is my summary of what was said, please contact the speaker to verify quotes/assertions if you need a more formal report. But from now on, this is a paraphrased summary of what the speaker said.

Now for starters, this isn’t a topic that is mentioned all that often, except in dramatic events that make it into tabloid newspapers.  Yet with 400m Facebook users, some will be dead by tomorrow – and with the average age being 34 (in 2007 – probably older now), this is a developing issue.  So what happens to ‘digital assets’ – this doesn’t just mean virtual property in the sense of massively multi-player online role-playing games (MMORPGS), but a broader concept including profiles and personal data.  Who owns all this when you die – you or the platform?  The issues include preservation, succession, and value (economic, dignity or other wise).

Traditionally, we see ‘love letters’ and the like as important sources for research.  But the equivalent today may be an email, a YouTube song, a Facebook update or a blog post.  In our digital lives, many of us ‘self-map’ through web 2.0 services.  We may not keep a private diary, but some will share information with ‘strangers’.  Where is the balance, especially as between privacy and the public interest?  The Library of Congress announced this year that it had acquired all public Twitter messages (with some horrified at this) and services like the Wayback Machine (archive.org) are engaged in big projects.

But of course, much of the information we are talking about is in ‘walled gardens’; some may maintain their own sites but many others use services like Facebook.  This will mean accepting terms and conditions, and the existence of restrictions on ‘getting data out’, through both technical and legal means.  Digital assets can range from email to preferences on last.fm (would we like to know what famous poets listened to, if we had the data?) and even reputation such as that associated with eBay, which can have important economic consequences, or ‘friend of a friend’ networks.  The issues are both of data protection and ownership/IP.  In the case of the latter, we need to look at the license (non-exclusive but quite broad) as well as the restrictions on access.  Facebook is a service that has a ‘death policy’, i.e allowing particular relatives/friends of deceased (although not proper legal categories of succession) to apply to delete or memorialise the account (but not to take it over).  There is no way for the user to indicate a preference for actions after his or her own death – should there be?

So we see the impact of intermediaries, property, multiple parties and also the location (for legal purposes) of the relevant property.  Furthermore, there are wide disparities as between the practice of various services, such as Yahoo (complete deletion) vs last.fm (maintain as is part of community data).  Yahoo was indeed the subject of one of the few cases on this topic, relating to access to the email account of a deceased soldier.

In general: do we believe in privacy after death?  Both libel and data protection have restrictions.  Even something we understand (or think we do) like organ donation still provides for a family veto.  But think about email – would you want your family having full access?

There are various emerging suggestions, including digitalwills (like LegacyLocker), including passwords with the actual will – but most people don’t have wills, particular younger people who die suddenly.  Should we instead regulate the platform – or encourage disintermediation at the level of the individual user?

(Talk ends).

In the question and answer session, a number of additional issues were explored, including the role of self-archiving (noting that a lot of web 2.0 content is but a copy so the original can be treated differently), access to physical-digital artefacts (a portable hard drive, for example) after death, jurisdiction and choice of law questions, Gmail and the Data Protection Directive, the powerlessness of the individual user, and the relevance of probate orders (or similar devices) for virtual assets that may appear to be de minimis.

A very interesting talk, then, and one that takes on particular relevance as the Data Protection Directive is reviewed in Europe and the struggles of services like Facebook in dealing with high-profile privacy disputes continues.  I do wonder (and said from the floor) how researchers, librarians and archivists will deal with the opportunity (but also the dangers) of a very different type of record of the activities and communications of the deceased than many are used to.  Think too of the individual – I had an interesting conversation with a colleague recently about the role of the personal email archive – do you have every email you ever sent?  I have some (probably more than others), but not all (damn Hotmail automatic delete some time in the 90s), in a variety of formats and filing systems.  Others keep a single searchable file but not a system of folders, or purge on a regular basis.  But that’s certainly not the case for other (non-email) aspects of life.  Things to think about, for sure.

The third session of Day One addressed the question of data protection and social networking, and brought together an interesting range of speakers, who had all encountered the law and policy of data protection in different ways.

The provocative introduction is given by Monica Vilasau of UOC, highlighting various examples of non-compliance by social networking sites, but also alluding to Grimmelmann’s point of the morning about the threats to data protection rights by fellow users alongside familiar threats associated with public authorities and private enterprises. She also drew our attention to the high levels of SNS use in Spain, and how the existing privacy controls are often ignored by users (i.e. defaults followed).

Esther Mitjans of the Catalan Data Protection Agency reviewed her experiences dealing with new web services and was quite frank about the limitations of existing legislation but also the persistent need for scrutiny of private enterprises involved in the processing of data. She acknowledged the pressure for clear rules to become established (in whatever fashion is appropriate) but that this should not ignore the abiding importance of parental control and scrutiny, where there is a significant degree of responsibility that cannot be replaced by a data protection agency. She also posed some thoughtful questions about the possible ‘new vulnerabilities’ associated with social networking, the meaning of ‘informed consent’ in the current era, and suggested that although there may be lacunae in the law, it does contribute to user ‘confidence’ despite this. Mitjans also discussed the Article 29 Working Party report on online social networking in some detail, explaining its principles clearly and cogently. On a number of occasions, she did argue that it was necessary to prosecute those who act illegally (whether they are involved in managing sites or gathering data published on them) as part of a broader philosophy of risk management.

Pablo Perez of the INTECO observatory reported on his research into social networking sites published as a recent report, including some in-depth work with under-14 users who are (as you may expect) frequent and fluent users of such websites. He identifies three points at which crucial decisions are made and potential risks are present: the creation of the profile, the use of the service, and the deletion of an account. His range of recommendations included some suggestions towards age identification/verification, which of course has been the subject of discussion in the US for some time now. He also considered the need for better coordinated or harmonised international law on these topics.

A philosophical perspective was provided by Franck Dumortier, who focused on the ‘de-contextualization’ of identity and information through the use and reuse of such in different contexts. He traced the roots of privacy, including possible tensions between the right to be left alone and the right to contextual integrity. Illustrating a key point with a wry discussion of how information on one’s sexual life is most appropriate in certain contexts and wholly inappropriate in others, Dumortier took a sceptical approach to some of the claims of social networking sites, arguing that identity itself was being challenged by the way in which information is stored and shared. He also made a useful argument regarding the distinctions between ‘privacy’ and ‘data protection’, with some criticisms being expressed of the language and framing of the latter (the data subject etc).

Barbara Navarro, of various hats but particularly the person responsible for institutional relations in Google’s outpost in Spain and Portugal, had the difficult task of following the earlier papers with a defence of Google’s activities and practices. And defend it she did, setting out to demolish myths and misunderstandings of Google’s behaviour. She noted that Google is seen by many as a ‘symbol’ of the Internet, and therefore is frequently in the public eye, but suggested that the perception among some of the amount of information held and used by Google is inaccurate. She relied upon the pronouncements by certain EU authorities that IP addresses are not personal data and explained how Google’s activities in the area of data retention have particular technical and quality control purposes, but also discussed the role of contextual advertising and its importance to the Internet industries (and, crossing both points, set out to reassure Gmail users that Google neither has the time nor the will to ‘read your email’!). On these points, as indeed with other points, Navarro was an advocate for both self-regulation and for protection of privacy based on education and the ability of users to choose.

This was, as you can see, a wide-ranging discussion, drawing upon reports from the research coalface, a defence of the role of public authorities as guarantors of the public interest, the view from a large commercial player, and a long-term view looking at the implications of data exchange for concepts of privacy. There was some discussion of broader ‘safety’ issues, which will be discussed in a further panel on day 2. Another report is provided by Ismael.

Back after coffee for a roundtable discussion on legal issues of all sorts. In the chair is Raquel Xalabarder, who makes the perceptive remark that we still struggle with definitions of the platforms that we are talking about. Platforms, though, clearly create rights and obligations – for the users and for the owners.

Profs. Jane Ginsburg from Columbia Law School and Alain Strowel of Saint-Louis in Brussels but also a lawyer with Covington & Burling collaborate on their presentation, weaving back and forth regarding copyright issues. Strowel opens with a reference to the recent FT article on Facebook, highlighting the desire for openness, sharing and co-operation. This is ‘free’ but there is an invisible or dark side, which is the economics. IP fits into this category. As services develop, they become more IP-conscious – look for example at Twitter’s assertion of trademark. We should distinguish between content originated by the users and content that is ‘made by others’.

This brings us over to Ginsburg, who will look at user-created content; typically this content is automatically endowed with protection (subject to the usual fixation and originality requirements), reminding us that literary merit is not a requirement of copyright law. She reads extracts from the Facebook and MySpace standard terms and translates them into their real meaning – to me, this is the gift that never stops giving, and the audience responds accordingly. The Creative Commons icons are a useful way of adopting user-friendly and meaningful terms … but they are certainly not ‘self-enforcing’ and actual enforcement is extremely difficult (not to mention certain registration requirements under US law).

Strowel picks up the question of non-UGC (i.e. potentially infringing content published on these platforms) and the various degrees of liability, considering the possible infringements (distribution? reproduction? derivative work?) as well as limitations to the law (the unclear status of ‘making available’ as applied to mere placement on the Internet in the US). It is refreshing to go into this in detail – often we take for granted some of the more complicated ‘old’ aspects of copyright law (or what Strowel calls the mechanics of copyright) when considering it in the digital context.

Selected other comments (from both contributors – put together they engaged in a good discussion/rotation):

- there is an issue in comparing something like YouTube (where the infringing content on which secondary liability is alleged is ‘high value’) with other sites where this is not the issue.
- even under EU law there are different interpretations from state to state of implied licences as applied to copyright.
- Art 5 EUCD (limitations) is quite different to (the flexible but unpredictable) ‘fair use’ doctrine in the US – the various cases on thumbnails are discussed as an example of this.
- there are more intermediaries on the Internet than was expected – and they can be in different categories when it comes to liability; hosting providers (inc. social networking sites) are different to traditional web-hosts too (multiple third parties, many more pages than a normal website, intermediary both technical and advertising-based) – art 14 EUCD has a too-brief definition of hosting provider in any event (does it cover Facebook? Strowel argues it is not certain)
- brief discussion of the French cases: MySpace, DailyMotion, Google Video have all been the subject of legal proceedings with some inconsistent results and some elaboration on the concept of notice; all of this is in the context of the (unresolved) Viacom case in the US, which may well be superceded by industry principles.
- YouTube’s business model is affected by the steps required to keep the safe harbour: they cannot tailor their advertising in the way that they might like to, as doing so would affect their categorisation
- can a HADOPI-like solution deal with repeat infringers outside of the ISP context?

Speaking separately, Antoni Roig, a professor of constitutional law at the home-town Universitat Autònoma de Barcelona, brings the questions back into the realm of public law, but also wondering what the differences are between ‘IT law’ and ‘IT for lawyers’, and how jurists and engineers approach privacy in different ways. (Interestingly, he says that the Spanish data protection regulations date from 1978, along with the Constitution). Privacy and data protection can have different aspects – they are in many respects separate legal regimes, with the EU having a particular role on data protection and the role of the Article 29 Working Party. The courts have acknowledged a right to data protection but there is also the use of the human dignity clause as a way of ‘updating’ rights. Is the US moving towards an EU-style data protection framework?

Roig summarises the A29 approach as including on principles of
- awareness amongst the users not to give data if necessary (& this affects the providers too; the principles mention this which is a surprisingly radical move towards ethical engineering)
- informing the user e.g. when there has been a breach

He also has some good words for the role of privacy-enhancing technologies (PETs), and how they play a part in a constitutional concept of privacy based not on law alone. Persistent pseudonyms are crucial to success here. (We will be returning to data protection in the afternoon session). By designing for privacy, we can achieve a long-term solution even though there may be short-term difficulties with making it work. Legal scholars have not really legitimised these technologies yet, though there is potential for showing a court that a tool that protects privacy could prevent a violation of fundamental rights. Concluding, he argues that the European approach to RFID, where incorporation of privacy at the design stage is being encouraged, is promising and brings with it some optimism.

Issues covered in the Q&A included the power of terms and conditions, the potential for advertising revenue without violating safe harbour, the difference between the ‘user’ and the ‘provider’ terminology (should bloggers be considered providers for safe harbour purposes?), multiple vs unique pseudonyms (and the relationship with biometrics), the convergence between trademark law and domain name policy (with Facebook URLs being a good example of where there is controversy), the L’Oreal/Ebay litigation at the ECJ and the French courts

• Sara Smyth (Rochester Institute of Technology) on ‘Child pornography and the law in Canada’; this was the topic of her PhD and forthcoming book (U of T Press). Using Canada as a critical case study on circulation of CP materials; the broadest provisions in the world, but argues that a more narrowly focused provision combined with broad targeting of Internet circulation. ‘Global epidemic’ – but much of the regulatory approach is based on quick fixes. The Canadian law is contained in s 163.1 of the Criminal Code, and includes representations of u-18s as well as actual u-18s, and a wide range of materials (e.g. cartoons, written materials, morphed images, etc); Internet distribution (significant and popular due to privacy, anonymity and convenience) covered by the progression of this rather than the development of a new offence. ‘Moral panic‘ is a good conceptual framework. She discussed the (in)famous R v Sharpe on CP offences vs freedom of expression, reading in exceptions re privately held material. The subsequent amendments (Bill C-2) increased penalties (including mandatory minimum); Smyth argues that materials are circulating while the public desire for ‘justice’ has been satisfied by prosecutions of people like Sharpe, giving examples of R v Chin [2005] AJ No 1712, R v Austin [2006] BCK No 3430 and (missed the last one), and suggesting model legislation that would be more appropriate based on the harm, referring to images that reasonable person would consider indistinguishable from that of a real child (though contrast with Ashcroft v ACLU in the US re: ‘appears to be’). Finally, a model is presented of strategies (int’l co-operation: Canada should ratify the Cybercrime Convention, architectural innovation (interceptability in particular) and user regulation/self-help like INHOPE) that would be of benefit


• Edinburgh alum Gerrit Hornung (Kassel) is looking at the ID card legislation (passed through parliament in 2009) in Germany. The backdrop is biometric passports and electronic signatures; why have a separate authentication function in ID cards? The approach under development is separating, in terms of the ID card (which includes RFID and biometrics – voluntary fingerprints), between governmental purposes, general authentication (free) and (with additional cost) voluntary signature functions. Constitutional requirements on data protection have been quite influential. User must give written consent to use ID card as electronic proof of identity, and service providers will need an authentication certificate (and to get it must prove legitimate purpose, proof of necessity). There will be application-specific attributes, and alternative information (e.g. being of age rather than specific age, being of a locality rather than actual place of residence). DP supervisory authority can revoke auth certificate or ID card. (Some great diagrams for this). Some practical uses: everything from online opening of bank account to age verification for adult services. It’s planned that services will be available from November 2010 – depends on all parts being present. Some unresolved questions include non-German providers, availability of RFID readers and the security of PINs.
• Finally, Shizuka Abe & On-Kwok Lai turn to the age-old question of ageing. Ageing in Asia is catching up with N. America/EU. Lots and lots of fascinating (but rapid-fire) tables and graphs, reviewing social and demographic changes across Asian states. Some interesting points included: use of ICT in ‘caring relationship’ (e-medicine etc), the difference between Internet diffusion in countries and how this has an impact on behaviour, ownership of mobile phones and the requirement for ownership across generations in order to be a communicative tool, Imadaco and related GPS services (people-tracking!) and how they are framed by both developer and society, the intelligent pot (!) that tracks your tea-making habits. The common theme is the idea that the authors call ‘ICT-embedded filial piety’, with a zeitgeisty reference to current financial crisis and the need for ‘pro-growth development’ in areas like this; the conclusion is that the use of technologies reinforces face-to-face communication and is also quite local despite the use of ‘global technologies’, and ultimately holds the potential of facilitating ‘inter-generational dynamics’.

1. The Information and Privacy Commissioner in the Canadian province of Ontario, Ann Cavoukian, is organising the ‘Privacy By Design Challenge‘, a workshop and presentations on how technology can be used, and in particular designed, to promote personal privacy. The fact that this event is organised by a statutory privacy commissioner is still quite remarkable (and welcome) and I look forward to finding out how it goes. Spotted via Mediacaster.
2. Another Canadian one: the 2007 and 2008 report of the federal Privacy Commissioner has been published: get it here
3. The Bar Council gets visited by some tea-leafs, who run away with the contact details of all of the barristers in England and Wales, and more besides (BBC News)
4. In related news, the Open Rights Group has a new tool to find out if your data has been disclosed, Who’s Been Losing Your Data? Nice.
5. And finally, unlucky for lawyers: Law firms are expected to register as data controllers in the UK – if not, like these three firms, they may end up paying a fine, and more importantly, probably never get a privacy case again…

The European Court of Justice adds some detail to the body of EU caselaw on the Data Protection Directive, and perhaps goes in a new direction. This case, Satakunnan Markkinapörssi and Satamedia (C-73/07), is a really intriguing one and has had to be read carefully, and I’m still not sure what’s being said. Finland (from where the case comes) is one of those jurisdictions where everyone’s tax and income information is made available for all to see. Radical transparency doesn’t even begin to describe it, though there are very interesting ideas (for another day) of whether this is ‘good’ or ‘bad’ for personal privacy. Interesting business models are built upon this data, including the one in question, which is not just a group of newspapers (Veropörssi) which has the primary purpose of collating and publishing this information (collected from public sources) but also a newer service (as part of the same overarching company) where individual items from the collection are supplied through a SMS service. The Court finds fairly easily that the various activities are the processing of personal data for the purposes of the Directive, including the digitisation and SMS activities which are based on already-in-the-media information. However, the Court goes on to find that, in principle, these activities can be ‘saved’ by the exemption of data processing for journalistic purposes, with some helpful (and extremely broad) definitions of journalistic purposes:

58      First, as the Advocate General pointed out at point 65 of her Opinion and as is apparent from the legislative history of the directive, the exemptions and derogations provided for in Article 9 of the directive apply not only to media undertakings but also to every person engaged in journalism.
59      Secondly, the fact that the publication of data within the public domain is done for profit-making purposes does not, prima facie, preclude such publication being considered as an activity undertaken ‘solely for journalistic purposes’. As Markkinapörssi and Satamedia state in their observations and as the Advocate General noted at point 82 of her Opinion, every undertaking will seek to generate a profit from its activities. A degree of commercial success may even be essential to professional journalistic activity.
60      Thirdly, account must be taken of the evolution and proliferation of methods of communication and the dissemination of information. As was mentioned by the Swedish Government in particular, the medium which is used to transmit the processed data, whether it be classic in nature, such as paper or radio waves, or electronic, such as the internet, is not determinative as to whether an activity is undertaken ‘solely for journalistic purposes’.
61      It follows from all of the above that activities such as those involved in the main proceedings, relating to data from documents which are in the public domain under national legislation, may be classified as ‘journalistic activities’ if their object is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They are not limited to media undertakings and may be undertaken for profit-making purposes.
62      The answer to the second question should therefore be that Article 9 of the directive is to be interpreted as meaning that the activities referred to at points (a) to (d) of the first question, relating to data from documents which are in the public domain under national legislation, must be considered as activities involving the processing of personal data carried out ‘solely for journalistic purposes’, within the meaning of that provision, if the sole object of those activities is the disclosure to the public of information, opinions or ideas. Whether that is the case is a matter for the national court to determine.

Aside from the privacy questions, this is extremely interesting in the context of the ongoing debate on definitions of journalism and journalists for everything from the protection of sources to access to press galleries. If the rule of thumb for defining journalistic purposes is doing something for the sole purpose of “disclosure of information, opinions or ideas” (which is a phrase that seems a new one in yesterday’s decision, not cited, not familiar to me and not apparent from some quick searching), then the debate on ‘are bloggers journalists?’ is over. In terms of data protection and privacy in the EU, it’s also perhaps a move away from the high water mark that was the Lindqvist case and its broad definition of processing.

Some other reports: EU Law Blog, The Register, Out-Law.com. More as I get them.