Category: Privacy and Data Protection

The title that links the article about the leaked Italian Data Protection Authority secret report is no more easily accessible on Repubblica.it (the newspaper that did the scoop.) There is no trace of this link in the home-page, and the title is missed in the Technology section.

If you are quick enough, a one minute short video clip gives you the possibility to click an anonymous link (labelled “Leggi su Repubblica.it” – “Read it on Repubblica.it”) and finally the article comes on screen.

Technically speaking, then, the article is still online but now in a hard-to-find form. And this is rather odd, because other older and less important articles (such as the valueless research on the personal data selling price) are still featured in the technology section of this newspaper.

A paper by a scholar of the university of Trento (IT), co-authored by people from the Kessler Foundation,Telefonica Network, Telecom Italia and Google finds that we are ready to sell our personal data for about two Euros.

Although the conclusions are – in principle – fair enough and match the “gut-feeling” of whoever works in the field of the personal-data handling, I wonder how it would be possible to draw statistics evidence by the criteria adopted.

I’m not a statisticians, but the only part of the paper dedicated to the sample’s composition reads:

All volunteers were recruited within the target group of young families with children, using a snowball sampling approach where existing study subjects recruit future subjects from among their acquaintances … A total of 60 volunteers from the living lab chose to participate in our mobile personal data monetization study. Par- ticipants’ age ranged from 28 to 44 years old (μ = 38, σ = 3.4). They held a variety of occupations and education levels, ranging from high school diplomas to PhD degrees.
All were savvy Android users who had used the smartphones provided by the living lab since November 2012. Regard- ing their socio-economic status, the average personal net in- come amounted to e21169 per year (σ = 5955); while the average family net income amounted to e 36915 per year (σ = 10961). All participants lived in Italy and the vast majority were of Italian nationality.

While, again, I have a limited knowledge of the statistic, there are a few oddities in the method applied by the researchers that undermine the value of the findings:

1. The sample is made by only 60 people, belonging to young (wealthy enough) young families with children. This isn’t actually a fair depiction of the Italian socio-economics. Furthermore, there are neither enough information about the socio-economic status nor the ? geographic location of the participants to actually understand the sample quality.
2. Even Wikpedia knows that the “snowballing” sample selection method is known to be prone to biases. No evidence are given in this paper of who the biases are handled.
3. Though broadly used, Android isn’t the only platform. A well balanced sample should have taken into account Blackberry, IOS and Windows Mobile (or whatever the name.)
4. The “measurements” of individual traits data relies upon psychological categories and methods. Psychology is not a science and putting a bunch of equations into an highly subjective discipline doesn’t turn it to hard science (I know, I know, positivism is dead, natural sciences aren’t so “absolute” etc. But try to send a rocket to the moon by assessing the “mood” of a ballistic trajectory and tell me the results.)

Before concluding that this paper offers no scientific evidence of its findings I would like to have these (and maybe other, expert-made) questions be answered. But I’m afraid that the final judgements wouldn’t change.

A final remark: the lack of scientific method shown in this paper is dangerous because, as often happens, poorly informed journalists jump on the news and “sell” it without any warning to the readers, thus luring them – and the Data Protection Authority, I fear – into thinking that what is a limited, partial and non-relevant work actually drives to factual conclusions.

 

A Linkedin post by Luciano Floridi announce a British House of Lords EU Committee hearing about the Google Spain ECJ Decision and the right to be forgotten. Here are my two cents (sorry, this isn’t going to be a short post):

Q. Do you agree with the Court’s ruling that Google (and other search engines) can be classed as data controllers?

A. NO. The search engine activity as such doesn’t handle personal data under the 95/46/CE Directive. The collection and organization of the retrieved data are the automatic output of a search algorithm. The issue arise when the retrieved data are used for purposes different than the pure providing search engines results, thus attempting to identify a natural person and creating his/her profile. To give an example: Duckduckgo.com and before, Cuil, are no-user-data-collection search engines so it is not possible to include them into the legal “data-controller” definition.

Q. The question put by the Spanish court to the Court of Justice referred to the data subject wishing to have information “consigned to oblivion”. Isn’t the true position that information removed from websites will always continue to exist, but will simply not be so easily accessible?

A. Yes. And fact is that information still available are still accessible by alternative means (word-of-mouth, newsgroups, social networks etc.) The point is that we are lured into thinking that there isn’t anything else, on the Internet, outside Google but this is simply not true. Google is used because is quick and effective, but when proper information are needed nobody will rely upon a search engine while trying to connect with an expert of the matter.

Q. The Court has ruled that the data subject’s fundamental right to privacy “as a rule” overrides the right to receive information, but that this will not be the case if there is a public interest in “the role played by the data subject in public life”. Do you agree with this order of priorities? Can it in practice be implemented?

A. It is a legal mistake to build the right to be forgotten on the EU Data Protection Directive. The right to privacy is set forth by the European Convention on Human Rights and the data protection is a principle set forth in a EU Directive. Thus data protection is a subordinate and particular right that doesn’t necessarily implies privacy issues. EU Data Protection Directive, indeed, is contrary to the Right to be forgotten because sets a precise legal duty to handle personal data so that they are readily available, updated and exact. This is contradictory with the idea of being forgotten, because a messy way to handle personal data (i.e. non reliable information) would be the best protection for an individual, whose personal whereabouts wouldn’t be easily found.

Q. Do you think it is in practice possible for Google to comply with the Court’s ruling?

A. Yes, but the decision is wrong and Google shouldn’t be forced to comply. The balancement between individual rights and public needs can only be assessed by a Court and we can’t bear the risk of letting a private company to decide what we should and shouldn’t find. The Google Spain ECJ decision shift the burden of protecting the public interest on a private company’s shoulders. To put it short: the ECJ ruling gave Google the legal power to re-write the History.

Q. What do you consider to be a ‘reasonable time’ for companies to put in place an acceptable response to the CJEU’s ruling?

 ?A. I don’t think a general answer is possible. There are issues to be considered such as the number of users’ claims, the kind of legal issues involved by every single claim, the impact on the technical infrastructure and so on that make giving a figure a roll of dice.

Q. The proposed new EU Data Protection Regulation would give data subjects an even stronger ‘right to be forgotten’. Do you think the UK Government are right to oppose this?

A. Again, data protection doesn’t equal right to privacy. The upcoming EU regulation shouldn’t deal with the right to be forgotte because it is an out of scope issue that should be handled within the EU Convention of Human Rights framework.

Q. How do you think an acceptable balance can be achieved at EU level between the public’s right to know, and the right to privacy?

A. By re-affirming and hardening the principle that online (as offline) the main legal liability is on the natural person that performs an action. In the specific case, if a fact is true and reported in a proper way there is no reason to erase it. Following the contrary opinion, today we wouldn’t know anything about the Lucius Catilina’s attempted golpe because his heirs might legitimately ask, after about 2.000 years, that their ancestor be let rest in peace.