09

C’est aujourd’hui que paraît le roman de Suzanne, Meurtre à Sciences Po ! Je ne peux que vous inviter à aller le lire, car il est très divertissant et qu’il dépeint avec un humour pointé de sarcasme, les individualités parfois originales qu’on trouve rue Saint-Guillaume ! Évidemment comme son titre l’indique, il s’agit d’un roman policier. Vous me direz si on reconnaît l’influence d’Agatha Christie 😉

Couverture du livre


Et non, ce n’est pas moi sur la gauche, mais Maxime ! Je suis sur la droite mais il faut croire que je gâchais toute l’harmonie visuelle de la photographie ☺

It’s been a few months now since the controversial EUCJ ?Google Spain v. González (C-131/12) decision has been published. And I’m too busy, lagging behind: my draft (in French) on why I disagree a lot with this decision is still in the making. But it will eventually come. Meanwhile I got some interesting discussions, for instance with Neil Brown. I’m still waiting for Neil to set up is Known profile online somewhere so we can copy/paste our discussion there. Just now, Reuben Binns sent me a paper pointing out that, yes, the EUCJ decision overlooked the balance needed to protect our right to freedom of expression. By the way, Reuben has also written an interesting piece on how Wikipedia deals with person’s subjective rights — I think you should read it because I think Wikipedia is a very good illustration on how to do this right, and thus also an incredibly strong illustration on how the EUCJ’s so called “right to be forgotten” (RTBF for short) is wrong.

So, roughly and quickly, I’d like to point out a few flaws that I think are very worrying considering the wider context; namely, the European Union Court of Justice getting more powerful as a court dealing with fundamental rights (in addition to the European Court of Human Rights).

The EUCJ is confused about privacy

You may disagree, and I have no time to explain here now (it’s still a draft mode) but I think there’s no such thing as a personal, subjective right to privacy. A right to privacy is not the same thing as a right to the respect of your private life. There is an important distinction to make.

Privacy is an ecological thing as Moglen says, it’s not an individual thing. Privacy is often understood only in a given context: a technological context and a social as well as cultural context. We have different privacy expectations and understanding depending on who we communicate with, what we communicate about, where we communicate, by which means we communicate and based on the cultural background of the communicating parties. Note that “communicate” needs to be understood broadly and may not be the right word.

One of the most interesting researchers working on explaining privacy is danah boyd. She lately published a piece: What Is Privacy? You should read the entire piece, it’s not long. Meanwhile, emphasis is mine:

The notion of private is also a social convention, but privacy isn’t a state of a particular set of data. It’s a practice and a process, an idealized state of being, to be actively negotiated in an effort to have agency.

[…]

While learning to read social contexts is hard, it’s especially hard online, where the contexts seem to be constantly destabilized by new technological interventions. As such, context becomes visible and significant in the effort to achieve privacy. Achieving privacy requires a whole slew of skills, not just in the technological sense, but in the social sense. Knowing how to read people, how to navigate interpersonal conflict, how to make trust stick. This is far more complex than people realize, and yet we do this every day in our efforts to control the social situations around us.

The core of the point is, privacy is not an individual’s subjective legal right. It’s a social and fragile, but needed social process. We shouldn’t mess this up with simplistic views on the issue, because there could be casualties (like getting the State involved in defining all the things where privacy was dealt with socially and, freely, before).

The judges’ justification is in the decisions’ paragraphs 80, 81 and 36, 38. As you’ll notice, it significantly lags behind good research on what privacy is and it also lacks a thorough legal analysis.

In the EUCJ’s RTBF, privacy is considered in a simplistic, narrow way that does not consider the right of the public to access lawfully published information that can be of public interest. This is very worrisome because that right is substantially a consequence of our right to free speech.

Moreover, the legal basis of the EUCJ analysis is unclear. To make their arguments justified by fundamental rights, the EUCJ takes article 7 of the EU Charter. This article is not a right to privacy, otherwise it would say just that: “a right to privacy.” Instead, it is a right to the “respect for private and family life” and that’s not the same thing.

On the one hand, the right to respect for private life is well established as a person’s subjective right. For instance, in France it used to be under general tort law (art. 1382) but then has taken its own stance in article 9 of the code civil. One important condition of such a right is that there is a need to demonstrate préjudice, i.e. harm has been done to that persons’ in way of infringing their private life.

On the other hand, as already pointed out, privacy is a process. And as you know if you’ve read the decision, there’s no such need to demonstrate prejudice in order for the RTBF to apply.

The legal basis thus is not clear. Is this new so called “right to be forgotten” based on the right for the respect of private life (in this case it needs to be demonstrated that there is prejudice) or is it based on another part of the EU Charter, the one that recognises personal data protection? Well, if it’s the latter, then the RTBF should be much less powerful than what the EUCJ makes it!

The EUCJ new “general rule” harms freedom of expression

The personal data protection directive says in article 7:

‘Member States shall provide that personal data may be processed only if:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests [or] fundamental rights and freedoms of the data subject which require protection under Article 1(1).’

In the case where the service in question is accessible and used by a large majority of the population, it means that we are talking about the legitimate interests of the public. Surely, the right to access lawfully published information is a priori a legitimate interest of the public. Otherwise, what good is a right to freedom of expression if nobody else has the right to hear you and that someone can block access to your article when they feel like?

Now, let’s have another read at the article above (article 7). It is clear that the general rule is that processing of personal data is allowed when the right of the public to freedom of expression is at stake, except where the data subject’s fundamental rights should override them.

But as already pointed out, there is a confusion between fundamental rights and thus the whole analysis on balance breaks, at the detriment of the public’s right to access lawfully published information.

In the decision, the Court indeed invents a new “general rule”:

The rights to privacy of the data subject override “as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name.” (¶ 97)

It is clear now that there’s a problem. The rule and the exception have been exchanged.


Interesting fact: I just learned that the Spanish plaintiff, M. González, is a lawyer… This whole case and the decision to me, is an illustration of what goes wrong when we try to solve problems that should be best solved freely with our social processes. Solving privacy with this kind of ruling is doing us no favour.

The real privacy issues for us today come from massive surveillance by the NSA and other mass-surveillance State agencies aroudn the world. They also come from surveillance operated by companies.

Search engines giving access to lawfully published information is not the real privacy issue! The RTBF is the wrong fight, and it’s actually wasting our time; time that should be better spent fighting the real issues of massive surveillance which makes much more harm to our right to have a private life outside the reach of the State’s agents.

Finally, the ultimate irony of the decision is that Google and the like are the ones who have to apply individual’s requests to be deleted from search engines results relating to their names. Thus, giving the role of defining privacy to… Google. Well done for the rule of law.

We should demand that the European commission does not to pursue this RTBF nonsense, but instead focuses on the real issues affecting our privacy and our autonomy.

Last month, I introduced what defensive publications are: documents describing something (a new feature, a new algorithm, a new system) in order to prevent further patents.

Defensive publications are needed because on the one hand, even when the source code is available to the public, it is not necessarily accessible to the patent office examiner who’s reviewing patent applications. This is why we submit defensive publications to their databases: it makes the review process more aware of what free software projects develop.

On the other hand, while pushing code to a public repository is easy for a project contributor, writing and submitting a defensive publication is not as straightforward.

On of my goals is to help fix this, so that producing defensive publications gets as easy as possible for Free Software projects. So, during this month, amongst other patent-related activities, I published a first version the a defensive publication template on Github. Hopefully, I will be able to improve on this version and push other useful things for the whole Linux Defenders programme. Your feedback would be very appreciated!

A prior observation before explaining how the template works: obviously, writing defensive publications is not a developer’s top priority. But writing a defensive publication is not something that can be left entirely to lawyers (although we can help). Writing a defensive publication requires insights on:

  • how the code works, how the system is designed
  • how other solutions, especially prior solutions and current trends develop

For this reason, developers are in a privileged position to write defensive publications. The situation is not entirely unlike that of writing documentation. Writing documentation is probably not a developer’s favourite task (and indeed the state of some documentation is evidence of this). However, we know that a good documentation is also a sign of a project’s health and so we make process and tools to facilitate this task. Fortunately, writing a defensive publication is not much different from writing documentation, and so we should be able to kill two birds with one stone.

How does it work?

Once you have identified some part of your software that you want to write a defensive publication about:

  1. Download and extract the template

    The README should guide you. Especially, you can find examples of things to use to start your own publication, such as figures, flowcharts, etc.

  2. Update variables like:

    TITLE
    PROJECT
    URL
    DESCRIPTION
    TAGS
    

    (I’ll probably write a script to automate that…)

  3. Create an abstract.yaml file in src/ (you can one from the example/ directory) and also update the tags. You can edit the abstract itself, later at the end.

    This will later appear on the list of http://defensivepublications.org.

  4. You can start writing your document in src/ - You can write in any format provided that you are able to produce a PDF at the end so we can submit it to the patent office. Right now the template is very much focused around pandoc which is able to convert a lot of different kinds of texts, like Markdown to LaTeX. You can follow the README.

As you see, it’s a bit rudimentary now, but the idea behind with this template is that you should be able to take relevant bits of your documentation and integrate them directly into your defensive publication’s source files. Then you can use pandoc to combine all the files together in the relevant order.

That way you don’t have to duplicate content, but rather you reuse relevant parts of your documentation that describe your software for the defensive publication.

Once you’ve done that, you need to write the abstract and probably write an introduction if you need to give more details. Another part to introduce your publication can be a description of the current state of the art relevant to your software: basically, what’s the problem your software solves and how other solutions try to address this problem in your field.

The template comes with a file example/template.pdf that should guide you through the different parts that make a defensive publication.

Get involved with us

If you are interested in writing a defensive publication or have more questions, don’t hesitate to join #linuxdefenders on the IRC freenode server.

Also, I’m very much interested in your feedback. What’s your opinion? What do you need to write a defensive publication as easily as possible?


Next month, I should be able to show an example from defensive publications, with additional explanation and comments!