22 December 2011

Nosey Parkers

Three years ago this month the Western Australia state Transport Minister tabled a government review into the release by the Department for Planning & Infrastructure of private vehicle registration details. That information was provided to two non-government bodies: Wilson Parking and Westralia Airports Corporation.

That review followed criticism that the state government had provided Wilson, the dominant Australian carpark operator, with registration details (including home addresses) regarding 25,522 vehicles that had overstayed their welcome at Wilson's private facilities. The registrants had not expected the state to provide that information to a commercial body.

As the Minister's statement (Legislative Council Hansard of 9 December 2008, p 1042) indicates, Wilson was billed $75,049.15 by the Department for the personal information. The state government subsequently tried to retrieve the information on several occasions and sought legal advice on how to force Wilson to hand back or destroy the data after what was characterised as "an honest mistake" made by "a junior staff member". Wilson "declined to return the information and subsequently made several unsuccessful attempts to pay the account".

The Department's Acting Minister, Ljiljanna Ravlich, said at the time that Wilson Parking should return the records, rather plaintively explaining that -
Now that it is explained to them that this has arisen due to a very junior person making this mistake then I think that morally they should give that information back.

I am very disappointed that this has happened. I can understand the disappointment of the people that have received these notices, but what I can tell you is that I am doing everything in my power to make sure that this does not occur again.
A Wilson representative demurred, commenting that "We're entitled to be able to, in accordance with the road traffic act, receive this information and then use it commercially to follow up on people who aren't complying with our terms and conditions". No enthusiasm there for changing the Act.

The document tabled by Ravlich's colleague noted a finding by the WA Corruption & Crime Commission (alas not online) that "no misconduct" had occurred. It was accompanied by the Minister's announcement that the department had agreed to implement all of the review’s 34 recommendations, including changes to legislation. He stated that "I will now progress this legislation as a matter of priority" and would fully support bringing about cultural change within the licensing area.

Three years later Wilson, the state government and registrant privacy are again in the news. The SMH reports that -
The confidential details of 10,000 WA drivers have been revealed to a private parking company pursuing customers for unpaid parking fees.

The state government gave the information to Wilson Parking during September and October after the company took action in the Supreme Court to be able to contact a handful of drivers who had parking debts.

The government was ordered by the Supreme Court to make the details available, but rather than only the targeted drivers', 10,031 other drivers' records were sent.
A thousand here, a thousand there ... the numbers soon add up.

Opposition transport spokesman Ken Travers is reported as commenting that the Government had reneged on its 2008 commitment, repeated in 2010, to protect drivers' confidential details.
This is just another example of a government that is quick to grab the headlines but when it comes to action and protecting people it is nowhere to be seen.

It is outrageous for the Barnett Government to not only renege on their promise, but it never informed the public their private details were being released.

If the government intends to release personal information there must be the proper framework in place for managing that information
Travers called for safeguards. He may be waiting some time, given the slow pace of legislative reform, complacency within the government transport/registration agencies and silence on the part of privacy advocates.

Last year Wilson won a WA Supreme Court order for access to the names and addresses of 20 vehicle owners that Wilson argued had not paid its parking breach notices. With that precedent, Wilson was back in court in July this year. The Transport Department was ordered to provide details regarding a further 10,000 motorists, claimed to represent about $600,000 in unpaid breaches.

That action has attracted criticism, given that Wilson does not have the authority to issue fines, instead relying on parking infringement notices under contract law (characterised - delightfully - as not a fine but a "pre-calculation" of Wilson's lost revenue and enforcement costs, ie liquidated damages).

IMS

'Sorrell v. IMS Health: Details, Detailing, and the Death of Privacy' by Ashutosh Avinash Bhagwat in Vermont Law Review (2012) considers the implications of the US Supreme Court’s recent decision in IMS Health v. Sorrell, 131 S. Ct. 2653 (2011).

In IMS Health the Court struck down a Vermont statute that banned the sale or disclosure by pharmacies of information regarding the prescribing habits of physicians, if that information was going to be used for the purposes of marketing by pharmaceutical manufacturers.

Bhagwat indicates that
I consider here an important issue that was raised, discussed, but ultimately avoided in IMS Health: what restrictions does the First Amendment place on the government’s ability to limit or prohibit the disclosure of pure data, in order to protect personal privacy. The issue could be avoided in IMS Health because the specific Vermont statute at issue in that case did not, as it happens, impose a general restriction on data disclosure for privacy reasons, it rather only restricted specific uses of regulated data, in order to advance state interests quite distinct from privacy concerns. The broader question of data regulation, however, is lurking in the wings of this and other litigation, and is likely to pose difficult challenges for courts in coming years, as the spread of the Internet drives legislatures to adopt increasingly stringent privacy laws.

While the IMS Health majority did not decide the data-disclosure issue posed in the case, it did address it in ways that strongly suggest the six justices in the majority would treat such disclosures as fully protected speech. Moreover, the analysis provided in this article demonstrates that the majority’s hints are fully justified by current Supreme Court doctrine. As currently interpreted by the Court, the First Amendment provides full constitutional protection to disclosures of even personal data, and so restrictions on such disclosures must survive strict scrutiny, a standard that has proven almost impossible to satisfy in the First Amendment context. As a consequence, under current law most statutes seeking to protect privacy by prohibiting data disclosure are likely to be invalidated.

In the balance of the article, I suggest that this result reflects a serious weakness in current doctrine, which is the failure to recognize that factual speech is distinct from, and requires different constitutional analysis than, the sorts of political and cultural speech that have traditionally been the mainstay of First Amendment litigation. In particular, drawing on a number of areas of developed law, I argue that speech consisting purely of specific factual data regarding individuals should be considered to be fully protected under the First Amendment only if the speech meaningfully contributes to the process of democratic self-governance. Other data should remain protected, but under a lower standard of scrutiny, perhaps an intermediate standard incorporating an element of balancing. I also briefly explore how different kinds of privacy laws might fare under such an approach.

Anonymous Gametes

'Rethinking Sperm-Donor Anonymity: Of Changed Selves, Non-Identity, and One-Night Stands' by I. Glenn Cohen, forthcoming in Georgetown Law Journal, comments that -
In the United States, a movement urging legally prohibiting sperm-donor anonymity is rapidly gaining steam. In her forthcoming article in this journal, 'The New Kinship', and in her wonderful book, Test Tube Families, Naomi Cahn is among this movement’s most passionate and thoughtful supporters. She argues for mandatory sperm-donor registries of the type in place in Sweden, Austria, Germany, Switzerland, the Australian states of Victoria and Western Australia, the Netherlands, Norway, and, most recently, the United Kingdom and New Zealand. The UK system is typical in requiring new sperm (and egg) donors to put identifying information into a registry and providing that a donor-conceived child “is entitled to request and receive their donor’s name and last known address, once they reach the age of 18.”

In this Article, I explain why the arguments for these registries fail, using Cahn’s article as my jumping off point.

I demonstrate four problems with the arguments she offers for eliminating anonymous sperm donation:
1) Her argument for harm to sperm donor and recipient parents fails in light of the availability of open-identity programs for those who want them, such that she imposes a one-size-fits-all solution where it would be better to let sperm donor and recipient parents choose for themselves.

2) Her argument for harm to children that result from anonymous sperm donation fails for reasons relating to the Non-Identity Problem. This portion of the Article summarizes work I have done elsewhere, most in-depth in 'Regulating Reproduction: The Problem With Best Interests', 96 Minn. L. Rev (forthcoming, 2011), and 'Beyond Best Interests', 96 Minn. L. Rev. (forthcoming, 2012 and up on SSRN soon).

3) She has sub silentio privileged analogies to adoption over analogies to coital reproduction. When the latter analogy is considered, her argument is weakened. I show this through a Swiftian Modest Proposal of a Misattributed-Paternity and One-Night-Stand Registry paralleling the one she defends for sperm donation.

4) The argument may not go far enough even on its own terms in endorsing only a “passive” registry in which children have to reach out to determine if they were donor conceived, rather than an “active” registry that would reach out to them. If we recoil from such active registries, that is a reason to re-examine the reasons in favor of the less effective passive ones.
For the reasons discussed, despite my admiration for this paper and all of Cahn’s work, I am not persuaded by the argument for adopting a mandatory sperm-donor identification registry of the kind in place elsewhere in the world. Indeed, I think these registries should be eliminated, not replicated. At a moment in which the idea of these registries is rapidly gaining popularity and attention in the United States, I hope my dissenting voice will be heeded.
The article is worthy of consideration.

21 December 2011

Vodafail

Past entries in this blog have noted the permissive stance of the national Privacy Commissioner regarding problems with the Vodafone dealer network and - by extension - with poor practice on the part of Vodafone's competitors.

Unsurprisingly, the deficiencies of the co-regulatory regime are evident in the belated response by the Australian Communications & Media Authority (ACMA) to the large scale Vodafone data breach.

The Australian Communications Consumer Action Network (ACCAN) has criticised ACMA's response to "Vodafail" as revealing "deep flaws" in the regulatory regime [PDF] -
Peak consumer body ACCAN says current and ex Vodafone customers will be left shaking their heads today when they discover that, 12 months on, the telecommunications regulator has let the provider off virtually scot-free for the widespread network, complaint-handling problems that plagued Vodafone customers last summer.
ACCAN goes on to comment that -
Following an investigation, the Australian Communications and Media Authority (ACMA) has issued Vodafone with “directions” to comply with the voluntary Telecommunications Consumer Protection Code.

“These ‘directions’ by the ACMA effectively mean what was a voluntary industry Code is now mandatory for Vodafone,” said ACCAN Chief Executive Officer Teresa Corbin.

“There are no fines and no sanctions that the regulator can issue as a result of this investigation, despite its findings of four serious Code breaches by Vodafone, including customer service representatives giving their customers incorrect and inconsistent advice while experiencing widespread network problems, and failing to adequately identify and address systemic complaints.”

“These network problems impacted on millions of Vodafone customers last summer and were it not for the negative publicity generated through the media picking up on the story, Vodafone might have continued to deny there was any.”

“The media in Australia do a great job but we don’t think holding the telecommunications industry to account should be left to journalists, consumer advocates and members of the public
ACMA notes the national telco regulator "has issued directions to two Vodafone companies requiring them to comply with the Telecommunications Consumer Protections Code (TCP Code)" -
‘These directions are intended to make sure Vodafone remains focussed on improving outcomes for its consumers by increasing the regulatory consequences of any further breach,’ said ACMA Chairman, Chris Chapman.

‘Certainly, Vodafone has made positive changes over the course of this year but, from this point on, if either Vodafone company fails to comply with the TCP Code, the ACMA can approach the Federal Court seeking civil penalties of up to $250,000.’
Crunch the numbers, of course, and the penalty of a few cents per customer sounds somewhat less impressive. ACMA has belatedly concluded that Vodafone Pty Limited and Vodafone Network Pty Limited -
• failed to classify and analyse complaints as required by the TCP Code
• failed to provide timely customer information about network performance issues in late 2010
• had poor systems in place for protecting the privacy of customers’ personal details prior to January 2011.
Vodafone and the rest of the industry are no doubt quivering in their boots.

As I indicated in a conference paper last month, large-scale data breaches in Australia will continue to occur as long as regulators lack the will/capacity to impose meaningful sanctions and shoddy practice - such as that evident in the recent Telstra data breach - is excused as normal (thus acceptable) industry practice.

Employment Law

The Commonwealth Minister for Employment & Workplace Relations has announced membership of and terms of reference for the Review of the Fair Work Act 2009 (Cth).

The three person committee - Reserve Bank Board Member John Edwards, former Federal Court Judge the Hon Michael Moore and Professor Ron McCallum AO - is to report by 31 May 2012.

The Minister's media release states that -
The Government believes the Fair Work Act is working well, but there is always room for improvement and I am very pleased these three eminent Australians have agreed to lead the review. They are all highly respected and will bring the level of independence and objectivity required for a review of this nature.

We will of course continue to consult with employer organisations, trade unions, employees, workplace relations experts and peak bodies throughout the review period and beyond.

The Fair Work Act underlines a balanced system for good workplace relations – one that promotes national economic prosperity and social inclusion for all Australians. Real economic prosperity and growth requires fairness and security in the workplace. This review reaffirms the Gillard Government’s fundamental commitment to these aims. ...

The review represents an important opportunity to have an evidence based discussion about the operation of the legislation and the extent to which its effects have been consistent with the Government’s objectives.
The Terms of Reference require the committee to examine and report on -
The extent to which the Fair Work legislation is operating as intended including
• creation of a clear and stable framework of rights and obligations that is simple and straightforward to understand;
• the emphasis on enterprise-level collective bargaining underpinned by simple good faith bargaining obligations and related powers of Fair Work Australia;
• the promotion of fairness and representation at work;
• effective procedures to resolve grievances and disputes;
• genuine unfair dismissal protection;
• the creation of a new institutional framework and a single and accessible compliance regime; and
• any differential impacts across regions, industries, occupations and groups of workers including (but not limited to) women, young workers and people from non-English speaking backgrounds;
and

Areas where the evidence indicates that the operation of the Fair Work legislation could be improved consistent with the objects of the legislation.
The review will not examine issues to be separately addressed by Fair Work Australia as part of the review of all modern awards (other than modern enterprise awards and state reference public sector modern awards) after the first two years as required by Fair Work (Transitional Provisions and Consequential Amendments) Act 2009 (Cth) Schedule 5, Item 6.

The Minister indicated that the review will draw on a range of sources regarding the operation of the Fair Work legislation. Key evidence gathering will include -
• the release of a background paper on the Fair Work legislation inviting stakeholders to make a submission to the review;
• meetings with key stakeholders/roundtable discussions to outline their experiences with the Fair Work legislation; and
• the commissioning of any additional quantitative and qualitative data that may be required.
Qualitative and quantitative data collection to measure the regulatory impact of the legislation will include -
• the Department of Education, Employment & Workplace Relations’ Workplace Agreements Database;
• the Fair Work Ombudsman;
• Fair Work Australia;
• the Australian Bureau of Statistics;
• evidence sources developed by stakeholders; and
• other relevant statistical sources.

20 December 2011

Anonymity

The 43 page 'Lessons Learned Too Well', a paper by Michael Froomkin for the Oxford Internet Institute’s September 2011 conference A Decade in Internet Time: Symposium on the Dynamics of the Internet and Society, "examines, contextualizes, and critiques an international trend towards the regulation of anonymity".

The paper -
describes private incentives and initiatives during the past decade that resulted in the deployment of a variety of technologies and services each of which is unfriendly to anonymous communication. It then looks at three types of government regulation, relevant to anonymity: the general phenomenon of chokepoint regulation, and the more specific phenomena of online identification requirements and data retention (which can be understood as a special form of identification).

The concluding section takes a pessimistic view of the likelihood that given the rapid pace of technical and regulatory changes the fate of online anonymity in the next decade will be determined by human rights law rather than by the deployment of new technologies or, most likely, pragmatic political choices. It therefore offers normative and pragmatic arguments why anonymity is worth preserving and concludes with questions that proponents of further limits on anonymous online speech should be expected to answer.

The consequences of an anonymity ban are likely to be negative. This paper attempts to explain how we came to this pass, and what should be done to avoid making the problem worse.
Froomkin comments that -
There are those who say that in order to be safe we will have to create an infrastructure of mandatory identification. Some, including many of those charged with making decisions for the public’s safety, clearly say it in the best of faith. Others argue, sometimes despite the evidence, that we in the US must do so to protect the profits of an industry important to our trade balance. It is all very well for academics, often living in genteel surroundings, to ask that we not give in to fear, and to reply that before we create a regime that may be persistent and eventually ineradicable we should first ensure that there are no less restrictive means, and that we should consider all the externalities. But that is our job.

Here, then, are a few suggestions for avoiding what could otherwise be an outcome we likely will regret, also based on lessons learned from the past twenty years or so. Several of these concepts are already present in European data protection law, but none of them are legal requirements in the US today.
• Demand evidence of the need for mandatory identification and data retention rules, and insist the rules be proportional to the need.
• Avoid rules that lock technology into law.
• Always consider what an identification rule proposed for one purpose can do in the hands of despots.
• Empower user self-regulation whenever possible rather than chokepoint regulation.
• Design filters and annotators before designing walls and takedown mechanisms.
• Require transparency. Make it an offense for devices to make records without clear, knowing, and meaningful consent on the part of the speaker, reader, listener, or viewer.
• Build alternatives in technology and law that allow people to control how much their counterparts know about them, and which by making selective release of information easier reduce the need for a binary choice between anonymity or data nudity.
• Require that privacy-enhancement be built in at the design level.
Those who disagree with these suggestions worry, with some reason, about new technology undermining the powers of states and sovereigns. Why is allowing people to speak freely to each other, without fear of eavesdroppers or retaliation, such a terrible thing? After all, most core government powers, like the power to tax, will not in fact be undermined in any substantial way by unfettered communication so long as we still need to eat and we want physical things such as houses. The issues are the same ‘four horsemen’ they have been for many years: fear of terrorism, money-laundering, child pornographers and drug-dealers, to which one might add in some countries, revolutionaries.

The flip side of these fears is the recognition that even if the power to speak freely and privately is sometimes misused, it is also empowering. Communicative freedom allows people to share ideas, to form groups, and to engage not just in self-realization, but in small scale and even mass political organization. Here then is the most important lesson to be learned, but one that needs to be learned over and over again:
Protections for anonymous speech are vital to democratic discourse. Allowing dissenters to shield their identities frees them to express critical, minority views . . . Anonymity is a shield from the tyranny of the majority.
The Internet and related communications technologies have shown a great potential to empower end-users, but also to empower firms and especially governments at their expense. Governments (and firms) around the world have learned this lesson all too well, and are taking careful, thorough, and often coordinated steps to ensure that they will be among the winners when the bits settle.

The thing to watch out for, therefore, is whether we, and especially those individuals already burdened with repressive regimes, will be among the winners also.

Transparency

'WikiLeaks: The Illusion of Transparency' by Alasdair Roberts in International Review of Administrative Sciences (2012) reaches an unremarkable conclusion about WikiLeaks transcendentalism. He comments that -
It has been said that the 2010 WikiLeaks disclosures marked "the end of secrecy in the old fashioned, cold-war-era sense." This is not true. Advocates of WikiLeaks have overstated the scale and significance of the leaks. They also overlook many ways in which the simple logic of radical transparency - leak, publish, and wait for the inevitable outrage - can be defeated in practice. WikiLeaks only created the illusion of a new era in transparency. In fact the 2010 leaks revealed the obstacles to achievement of increased transparency, even in the digital age.
Roberts argues that -
The WikiLeaks program is politically naive. It is predicated on the assumption that the social order -- the set of structures that channel and legitimize power -- is both deceptive and brittle. Deceptive, in the sense that most people who observe the social order are unaware of the ways in which power is actually used; and brittle, in the sense that it is at risk of collapse once people are shown the true nature of things. As Assange said in December 2006:
[I]n a world in which leaking is easy, secretive or unjust systems are nonlinearly hit relative to open, just systems. ... [M]ass leaking leaves them exquisitely vulnerable to those who seek to replace them with more open forms of governance (Assange 2006b).
The primary goal, therefore, is revelation of the truth. In the past it has been difficult to do this, mainly (it is assumed) because primitive technologies made it difficult to collect and disseminate damning information. But now these technological barriers to revelation are gone.

None of this is right. There is no such thing, even in the age of the internet, as the instantaneous and complete revelation of the truth. In its undigested form, information has no transformative power at all. Raw data must be distilled; the attention of a distracted audience must be captured; and that audience must accept the message that is put before it. The process by which this is done is complex and easily swayed by commercial and governmental interests. This was true before the advent of the internet and remains true today. Moreover it is not clear that the social order is either deceptive or brittle. We might even say that WikiLeaks proved the reverse: that what was in fact going on behind the curtain was more or less what most people had suspected and were prepared to tolerate. Perhaps for this reason, revelations were not destabilizing. There does not appear to be any fundamental way in which these disclosures have changed realities about the exercise of American power abroad.

The diplomatic and national security apparatus of the United States government employs millions of people and consumes perhaps a trillion dollars annually. Its internal architecture -- a mass of laws, regulations, treaties, routines and informal understandings -- was built up over three-quarters of a century and is now extraordinarily complex. Little of this happened in secret. Most of the critical decisions about the development of American foreign policy, and about the apparatus necessary to execute that policy, were made openly by democratically elected leaders, and sanctioned by voters in thirty national elections.

None of this is meant to deny the need for stronger accountability, and thus increased transparency, for the diplomatic and national security apparatus. Precisely because of the scale and importance of this sector of American government, it ought to be subjected to close scrutiny. Existing oversight policies are inadequate and ought to be strengthened. The monitoring capacity of journalists and other nongovernmental organizations must be enhanced. And citizens should be encouraged to engage more deeply in debates about the aims and methods of U.S. foreign policy. All of these steps involve hard work. There is no technological quick fix. A major difficulty with the WikiLeaks project is that it may delude us into believing otherwise.