Sunday, November 30, 2014

Online freedom of expression: human rights and exceptions.


There are numerous human rights conventions, both global and regional: for example the UN's Universal Declaration of Human Rights and the European Convention on Human Rights (UDHR and ECHR). The signatory parties are obliged to respect certain restrictions on the State's power to regulate aspects of their citizens' behaviour. The theorist Prof. Eric Posner suggested in his book "The Twilight of Human Rights Law" that authoritarian states sign because doing so establishes a patina of respectability in the international community, while the more liberal states believe their own constitutional freedoms are already equivalent to their convention obligations and regard signing as a pro-forma exercise. As with any set of convention articles, very few of the rights contained within are absolute. The signatory documents also contain numerous exceptions: for instance the ECHR places express limitations in Articles 8-11.


                                                           


Thus, concentrating on one of these rights, freedom of expression: this has been held to be a right that "constitutes one of the essential foundations of a democratic society" (Handyside v UK, 1976). One question is how freedom of expression is regulated in an online environment from the perspective of authoritarian and liberal jurisdictions. In each case, other rights have been put forward as a reason to restrict it. For instance, according to Prof. Tim Wu (with Jack Goldsmith) in "Who Controls the Internet?", China justifies speech restrictions with a mixture of state security needs and the argument that the social good requires a stable society, which is the basis of a functional economy. While liberal nations may not stress the security aspect, they also base restrictions on the needs of the greater social good. As Wu mentions, France expended considerable resources against Yahoo to prevent Nazi-related material (illegal under French law) being sold in that country in the early days of the Internet. At convention level, the main case imposing limitations on expression is Gündüz, where a restriction on freedom of expression (in that instance, incitement to hatred) was upheld because the speech was deemed contrary to the societal good.

However, as authors such as Jacobs (author of the text "The European Convention on Human Rights") mention, there are qualifiers. One is context, as in Jersild (where the speech formed part of a media discussion), and another is whether it formed part of political speech, as in Sürek (albeit a split decision). These suggest that limitation is possible in both circumstances, but the authorities would need to clear a fairly high bar to prove that a limitation was justified.


As well, and for ECHR rights in general, restrictions must be ones authorised by the convention and "shall not be applied for any purpose other than those for which they have been prescribed" (Article 18). The conclusion from Jacobs seems to be that the court would frown on all but the narrowest restrictions on rights, but that this is very fact-specific, depending on the case. Hence there is a difficulty in establishing hard and fast rules.






Sunday, November 23, 2014

How to protect Medical Data

Medical information and Database Systems


How does one model a data system? This was a question posed in a recent discussion. Normally this should be implemented based on best practice in database analysis and requirements engineering.




This therefore involves a number of stages.

1- Talk to the clients
2- Create various use cases
3- Model the data using Entity-Relationship Diagrams
4- Normalise the data from step 3.
5- Create the database

None of these directly impinges on legal matters, beyond the normal contractual obligations a designer owes the employer and the standard data protection rules now present in nearly all jurisdictions.

However, there is one aspect of data modelling where there is special emphasis: sensitive data, specifically that which originates from medical patients. Sensitive data is of the kind listed in Article 8 of the EU's Data Protection Directive (95/46/EC): "racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health". Given the confidential nature of the doctor/patient relationship, there must be a reasonable expectation of privacy.


Therefore the best practices which can be designed in to secure this are:
- Ensure that there is adequate physical security. For instance, where the data is processed on site, simple steps such as requiring staff IDs to enter a lockable room should be standard.
- Ensure that there is adequate electronic security. Access to computers must depend on at least one authentication factor unique to each user, such as a password or a fingerprint (preferably both, since a fingerprint can be copied but never changed).
- The sysadmin ensures that anti-virus protection is functional and that there is a process for updating and patching the underlying operating system, so that known vulnerabilities are closed before they are exploited.
- Use the database system itself as a security tool. Instead of allowing an ordinary user to read the underlying tables, create views that expose only the data the user needs to fulfil their role, and no more. In addition, enable auditing of who viewed, updated or deleted records; this provides an excellent tool for investigators looking into any potential issue.
- Finally, encrypt the data at rest. This would potentially foil a large-scale breach of the storage medium, though only if the keys are held separately from the data and the application's own database credentials have not been compromised.
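The database-as-security-tool point above is easiest to see in working code. The following is an added example, not code from the original post: it builds a constructed toy medical-records schema in Python's built-in sqlite3 module, exposes it through role-specific views, enforces column-level entitlements with SQLite's authorizer hook, and keeps an audit trail of reads, denials and writes. The roles, column lists, patient rows and actor names are all assumptions made up for the illustration.

```python
"""Added example, not code from the original post: least-privilege views,
column-level authorisation and an audit trail on a constructed toy
medical-records schema, using Python's built-in sqlite3 module."""
import sqlite3

# Which columns of the raw patient table each role may touch (constructed
# for this example). Billing never sees clinical data or beliefs.
ENTITLEMENTS = {
    "billing":   {"id", "name", "dob"},
    "clinician": {"id", "name", "dob", "diagnosis"},
    "admin":     {"id", "name", "dob", "diagnosis", "religion"},
}
WRITERS = {"clinician", "admin"}        # roles allowed to change patient rows

SCHEMA = """
CREATE TABLE patient (
    id        INTEGER PRIMARY KEY,
    name      TEXT NOT NULL,
    dob       TEXT NOT NULL,
    diagnosis TEXT NOT NULL,   -- sensitive: health data
    religion  TEXT             -- sensitive: religious belief
);
-- Role-specific views expose only what each role needs.
CREATE VIEW patient_billing  AS SELECT id, name, dob FROM patient;
CREATE VIEW patient_clinical AS SELECT id, name, dob, diagnosis FROM patient;
CREATE TABLE audit_log (
    ts TEXT DEFAULT CURRENT_TIMESTAMP, actor TEXT NOT NULL,
    action TEXT NOT NULL, patient_id INTEGER, detail TEXT
);
-- Writes are audited inside the engine, whichever code path made them.
CREATE TRIGGER audit_update AFTER UPDATE ON patient BEGIN
    INSERT INTO audit_log(actor, action, patient_id, detail)
    VALUES (current_actor(), 'UPDATE', NEW.id, OLD.diagnosis || ' -> ' || NEW.diagnosis);
END;
CREATE TRIGGER audit_delete AFTER DELETE ON patient BEGIN
    INSERT INTO audit_log(actor, action, patient_id, detail)
    VALUES (current_actor(), 'DELETE', OLD.id, OLD.name);
END;
"""

# Constructed sample rows; the names are fictional.
SAMPLE = [("Alice Example", "1980-01-01", "hypertension", None),
          ("Bob Sample",    "1975-05-05", "diabetes",     "none stated")]

SESSION = {"actor": "nobody"}          # identity seen by the audit triggers


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("current_actor", 0, lambda: SESSION["actor"])
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO patient(name, dob, diagnosis, religion) "
                     "VALUES (?, ?, ?, ?)", SAMPLE)
    conn.commit()
    return conn


def make_authorizer(role):
    """SQLite consults this callback while compiling each statement."""
    allowed = ENTITLEMENTS[role]

    def authorizer(action, table, column, dbname, source):
        if table == "patient":
            # An empty column name means the table is referenced without
            # reading any data (e.g. COUNT(*)); nothing leaks, so allow it.
            if action == sqlite3.SQLITE_READ and column and column not in allowed:
                return sqlite3.SQLITE_DENY
            if action in (sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
                          sqlite3.SQLITE_INSERT) and role not in WRITERS:
                return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    return authorizer


def become(conn, actor, role):
    """Switch the session identity. Installing an authorizer also makes
    SQLite expire already-compiled statements, so a query compiled under
    a privileged role cannot be replayed from the cache by a lesser one."""
    SESSION["actor"] = actor
    conn.set_authorizer(make_authorizer(role))


def query(conn, sql):
    """Run a read and log it. SQLite has no SELECT triggers, so read
    auditing (and denials) must be recorded by the application layer.
    Returns the rows, or None when the authorizer refused the statement."""
    try:
        rows = conn.execute(sql).fetchall()
        outcome = "READ"
    except sqlite3.DatabaseError:          # "not authorized"
        rows, outcome = None, "DENIED"
    conn.execute("INSERT INTO audit_log(actor, action, detail) "
                 "VALUES (current_actor(), ?, ?)", (outcome, sql))
    return rows


def demo():
    conn = open_db()
    out = {}
    become(conn, "bob@billing", "billing")
    out["billing_view"] = query(conn, "SELECT name, dob FROM patient_billing")
    out["billing_raw"] = query(conn, "SELECT name, diagnosis FROM patient")
    become(conn, "dr.ann", "clinician")
    out["clinical"] = query(conn, "SELECT name, diagnosis FROM patient_clinical")
    conn.execute("UPDATE patient SET diagnosis = 'recovered' WHERE id = 1")
    out["audit"] = conn.execute(
        "SELECT actor, action, detail FROM audit_log ORDER BY rowid").fetchall()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points are worth noting. The views give each role a convenient, minimal shape of the data, but on their own they are only a convention; the authorizer is what stops a billing user from simply naming the underlying table, and it refuses the statement at compile time rather than returning partial rows. Write auditing lives in triggers so that it cannot be bypassed by a different client, whereas read auditing has to be done by the application, which is a gap an investigator should know about when relying on the log.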

Medical data is valuable. The UK's NHS has advanced plans in place to sell such data to companies - link. This data would undergo anonymisation to purge the personal details of patients, thus removing it from the remit of the EU Data Protection Directive. That this process can sometimes be undone is known from well-documented cases such as the Netflix Prize dataset, where supposedly anonymised viewing records were re-identified by linking them to public IMDb ratings.

This implies a need to design security considerations into the DNA of any database system which processes medical records, both to protect a valued economic resource and to remain within a statutory duty.



Sunday, November 16, 2014

TLD and the US domestic law

ICANN still do it.

TLD stands for top-level domain. It is the rightmost part of a domain name, the human-friendly naming layer that sits above the numeric addresses on which the Internet runs. Within the TCP/IP stack, TCP can be conceptualised as the envelope (holding a data packet) while IP is the address; the DNS translates a name such as bitter-crank.blogspot.com into such an address. The TLD ".com" is an example of one intended for commercial entities, while an address such as news.bbc.co.uk uses the TLD ".uk" to denote a site connected to the United Kingdom.



The background to this is that at the dawn of the Internet era such addresses, like the technology itself, were under the de facto control of the US, due to the ARPA funding of the research that laid the foundations of the Internet (see the book "Where Wizards Stay Up Late"). However, in the 1990s, as the US moved to divest itself of full control of Internet policy, a body known as ICANN was contracted by the US Dept. of Commerce to handle such matters. This would allow a diverse, multi-stakeholder international model of Internet governance to emerge.

The collection of country-code TLDs also includes those of Iran, Syria and North Korea: nations unfriendly to the US. According to the ICANN website, https://www.icann.org/resources/press-material/release-2014-11-12-en, a judge of the US District Court for the District of Columbia dismissed an attempt to seize their TLDs as assets (in a series of conjoined cases brought by plaintiffs alleging a connection to state terrorism). The ruling's reasoning was that, in the light of the Dept. of Commerce's initial action noted above, the TLDs were held under a type of contractual right rather than as property, and hence were outside the remit of the remedy sought by the plaintiffs.

If the case had been decided the other way, what would this have resulted in? Not the destruction of the Internet in those countries. Thanks to the hierarchical yet diffuse nature of DNS addressing, those countries could have retained their addressing by basing it on a new root system within their own borders. However, this would have been a fragmentation that both decreased the open nature of the web and potentially laid the foundation for other authoritarian countries to opt out of the ICANN framework. This could have had a crippling effect on the innovation potential of the web.
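The point about the hierarchy and about an alternative root is easier to see with a small simulation. The following is an added example, not code from the original post or from ICANN: a toy iterative resolver that walks a constructed delegation tree from the root zone downwards, first under an ICANN-style root and then under a hypothetical national root that knows only its own country-code TLD. Every zone and nameserver name in it is made up for the illustration.

```python
"""Added example, not from the original post: a toy iterative resolver
walking a constructed DNS delegation tree, to show that which names can
be found is decided by the root zone a resolver starts from. All zone and
server names below are made up for illustration."""

# Each zone records its authoritative server and the child zones it
# delegates. The root zone, ".", is the starting point of every lookup.
ICANN_STYLE_ROOT = {
    ".":             {"ns": "root-a.example",        "delegates": {"com.", "uk.", "ir."}},
    "com.":          {"ns": "ns.gtld.example",       "delegates": {"blogspot.com."}},
    "blogspot.com.": {"ns": "ns.blogger.example",    "delegates": set()},
    "uk.":           {"ns": "ns.nic-uk.example",     "delegates": {"co.uk."}},
    "co.uk.":        {"ns": "ns.nic-uk.example",     "delegates": {"bbc.co.uk."}},
    "bbc.co.uk.":    {"ns": "ns.bbc.example",        "delegates": set()},
    "ir.":           {"ns": "ns.nic-ir.example",     "delegates": {"example.ir."}},
    "example.ir.":   {"ns": "ns.example-ir.example", "delegates": set()},
}

# A hypothetical national root that delegates only its own ccTLD. The
# ".ir" subtree is shared, which is what lets the country keep its names.
NATIONAL_ROOT = {
    ".":           {"ns": "root.national.example", "delegates": {"ir."}},
    "ir.":         ICANN_STYLE_ROOT["ir."],
    "example.ir.": ICANN_STYLE_ROOT["example.ir."],
}


def resolve(name, zones):
    """Follow delegations from the root toward `name`, as an iterative
    resolver does. Returns the list of (zone, nameserver) pairs visited,
    ending at the server authoritative for the name, or None when the
    root has no delegation for the name's TLD (an NXDOMAIN at the root)."""
    labels = name.rstrip(".").lower().split(".")
    zone = "."
    chain = [(zone, zones[zone]["ns"])]
    for label in reversed(labels):
        child = label + "." if zone == "." else label + "." + zone
        if child not in zones[zone]["delegates"]:
            break                      # current zone answers for the rest
        zone = child
        chain.append((zone, zones[zone]["ns"]))
    return None if zone == "." else chain


def authoritative_server(name, zones):
    """Convenience wrapper: just the final nameserver, or None."""
    chain = resolve(name, zones)
    return None if chain is None else chain[-1][1]


if __name__ == "__main__":
    for root_name, root in (("ICANN-style", ICANN_STYLE_ROOT),
                            ("national", NATIONAL_ROOT)):
        for host in ("news.bbc.co.uk", "www.example.ir"):
            print(root_name, host, "->", resolve(host, root))
```

Under the national root, www.example.ir still resolves because the ".ir" subtree is intact, but news.bbc.co.uk fails at the very first step, since that root delegates no ".uk". This is the fragmentation the post describes: the country's own names survive, while everything else depends on which root its resolvers are pointed at.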

Sunday, November 9, 2014

Data Privacy at Work and Anton Piller Orders

Privacy is a right. But like the majority of such rights it is not absolute. There is usually a slew of other rights (several hundred, according to Eric Posner's "The Twilight of Human Rights Law") which need to be balanced against it. Thus at work the employer also has a measured right to monitor employees, within reasonable limits.



The cases of Halford v UK (1997) 24 EHRR 523 and Copland v UK (2007) 45 EHRR 37 suggest there is also a reasonable expectation of privacy at work to be balanced against this. So if there were a credible threat of theft it would seem correct to monitor, provided the employees were informed clearly and in good time. This type of data is also a resource and so has a measure of value: for instance if companies are being merged, then up to a certain point it would be sensible not to swap employee personal data, or at least to make real efforts to anonymise the records, in a commercial context.

Thus, from an IT perspective, how does this relate to company-supplied mobile devices such as smartphones? The data found within these, in both internal and external storage, is always expanding thanks to Moore's law. Even if no personal data or apps were permitted, the fact that geolocation data is captured outside core office hours means that not only is personal data being stored, but the protected class known as sensitive data could be viewed by employers. For instance, that an employee visits a specialist doctor, or a rival's place of business, are not facts the employee would wish to share.

Employers are not the only non-state actors that could view this personal data. There is the civil search warrant present in common law countries known as the Anton Piller order. This is basically a search and seizure order, and has been called the "stealth bomber" of litigation. However, given that data protection is of EU Directive origin, it would seem that such orders need to be modified to respect the personal information of the employee.
If procedural problems with the safety of this data were shown to exist, this would call into question the proportionality of any such order and would likely result in the relevant data protection authority becoming involved. Adverse publicity and possible fines could then follow, as core individual EU rights are not lightly breached.


Sunday, November 2, 2014

Book Review: The Master Switch

The Master Switch: The Rise and Fall of Information Empires by Tim Wu



This was published in 2011 and I finally got around to reading it. The key idea behind this work echoes the concept of the "creative destruction" cycle in innovation, first posited by the Austrian economist Joseph Schumpeter as the "process of industrial mutation that incessantly revolutionizes the economic structure from within, incessantly destroying the old one, incessantly creating a new one." - link.

In this book, Mr. Wu provides a legal, historical and technological context to show how this cycle has affected the development of innovation in the IT sector (e.g. telegraph versus telephone) and how it is still in play in the modern digital era: small companies challenge a traditional service provider, one emerges to take the elder's place (the Kronos effect) and in turn has to defend its new position against fresh challengers' innovations.

What seems to be missing today is the grand sense of public service that motivated early monopolists such as Bell's Theodore Vail; instead, the push to regulate the modern web is driven by an attempt to lock in the industrial power of past gains, as seen in the copyright lobby.

Overall a well-constructed, well-crafted read which places current innovations in context.


Embedded Videos and copyright

Embedded Videos




The Court of Justice of the European Union (CJEU) has recently ruled on a matter of copyright in YouTube videos: the BestWater International case (C-348/13). A German court, relying on its power to seek the CJEU's guidance on EU legal matters, referred it. The material facts were that the applicant objected that two rival contractors had embedded the applicant's YouTube video on their own website without permission.


The legal question was:
"Does the embedding, within one's own website, of another person's work made available to the public on a third-party website, in circumstances such as those in the main proceedings, constitute communication to the public within the meaning of Article 3(1) of Directive 2001/29/EC, even where that other person's work is not thereby communicated to a new public and the communication of the work does not use a specific technical means which differs from that of the original communication?"


Result: embedding a YouTube video on a third-party site, in circumstances like these, is not an infringement of copyright.


Context:
Taking a definition of copyright as "an identifier placed on works to inform the world of ownership" ("Fashion Law" by Ursula Furi-Perry).

My own understanding of embedding is that it hyperlinks to another web location and allows the content, in this case a video, to be played.

Of interest: the EU Copyright Directive can be found here: http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32001L0029

Currently the judgement is only available in German: http://www.scribd.com/doc/244360017/EuGH-C-348-13-Framing (in German). I cannot speak German well, so my understanding is sparse, to say the least.

Comment:
So, to peek beneath the surface of this ruling, there are always a number of factors which influence the outcome: the explicit ones, namely public policy reasons of the "social good" and the EU's founding impetus to boost trade, as well as factors borrowed from Posner's law and economics, concerning how well the embedded stakeholders have managed to lobby so as to have their world view taken as the normative scenario. However, based on the outcome it seems common sense has prevailed.


Long term, what will be the fallout? I.e., does the rather overused term "landmark" belong to this ruling?

Overall, a cautious welcome. While it is rather trite at this stage to state that "information wants to be free", it can hardly be said that material on YouTube is out of the way. The material was in no way illegally uploaded to the site or illegally kept there by the site's owners.

In fact, the ability to disable embedding was already available. YouTube's own help text reads:
If you've uploaded a video and do not want to allow others to embed your video on external sites, here's how to disable the option:
Visit your Video Manager.
Find the video you'd like to change and click Edit.
Click Advanced Settings under the video.
Uncheck the Allow Embedding checkbox under the "Distribution Options" section.
Click Save changes at the bottom of the page.


Hence the claim was overkill. De minimis non curat lex, and this is rather an excellent reason for that maxim to be followed. Thus the speed with which the court dealt with this can be commended.


Another interesting view on this:
“The CJEU Continues to be the Court of Common Sense: The BestWater Case Ruling or Another Good Day for the Internet” -link.