The Security Excuse

This is a close-up of a banner belonging to the Préfecture de police, Paris, Rue de la Cité.

Actually this banner says nothing special beyond what a public police power is supposed to do; nevertheless – as I wrote commenting on the picture – I don’t know why, but every time I hear a public power saying that it cares about me I feel a bit worried.

Why the EU Cookie Directive doesn’t actually protect the end user

All the fuss over the use of cookies by almost every website on the traditional Internet, which led the EU to pass the Cookie Directive, has produced nothing more than a pop-up that warns the anonymous user about the presence of these digital candies. Thus, the Ad-dicted can claim to be law-abiding netizens while giving users no actual privacy protection. Want proof? What follows is a cookie left on my computer by a well-known e-commerce giant: A0CJfSiKBUmZik9DPj7fCXA. Firefox tells me about its existence and expiry date, but how am I supposed to know what this cookie means? And what difference does it make whether or not I am aware of its presence, since I have no way of understanding what its function is?

In short: the Cookie Directive is useless and, as Cicero used to say, Summum Jus, Summa Injuria.

Data Protection vs Data Retention

One of the oddities of the Data Protection legal framework is the relationship between Data Retention and Data Protection and the (wrong) notion that when the retention period has expired, the retained data must be deleted.

Let’s start from scratch: as long as the services work properly, an ISP has no need to preserve traffic data, but since we don’t live in a perfect world, problems happen, so it is necessary to retain some information for troubleshooting and traffic shaping; furthermore, customers’ claims, billing and legal issues strongly support the need to save some more information. Thus, ISPs – though on a voluntary basis – do collect and retain traffic-related information as long as this information is useful to pursue legitimate goals.

Enter Data Retention. With a questionable motive, ISPs are now forced – forced – to retain some traffic data for a limited time for the sake of the law enforcement community. In other words, what was voluntary before the Data Retention Era is now mandatory.

But what happens when the mandatory retention period expires? The answer is (supposed to be) easy: the ordinary Data Protection legal regime comes back into force, so the ISPs are – or should be – free either to continue keeping the data (for legitimate purposes) or to delete it.

The EU Cookie Directive: there is not just HTTP out there!

The EU Cookie Directive, the “privacy-hyped” piece of legislation that forces websites to display a “cookie-warning” for the sake of “privacy protection”, is flawed by two weaknesses.

The first is technical: HTTP (the web, in other words) is not the only protocol around and – though admittedly there are a lot of people using it – there are other ways to use a network that don’t involve a browser. I know, the “command-line” era is gone (is it, actually?), there are no “clients” anymore to chat or to do other stuff (aren’t there, actually?) and so on, but what the EU Cookie Directive was built upon is simply a misunderstanding of how the Internet works. By focusing on a single, tiny piece of technology, the EU allowed the idea that technologies have to be regulated instead of the use that humans make of them.

The second mistake is legal: as long as the user of a network(ed) resource is not identifiable, there are no personal data involved. Thus, the privacy of somebody who accesses a website without somehow disclosing his personal identity is not at stake. Of course I’m aware of the issues related to anonymous profiling, the fact that even if I don’t know exactly who you are, I’m nevertheless able to peer into your personal habits and so on.

But the law is made of both words and definitions: however much you stress one or all of them, you can’t go so far as to reverse the basic meaning of the rule – its ratio, as the Latin scholars loved to say – i.e. no identification, no privacy protection. We may, rightfully, disagree with that and claim that further protection is needed. But this doesn’t justify turning the law upside-down.