Safe Hands?

'Big Data in Small Hands' by Woodrow Hartzog and Evan Selinger in (2013) 66 Stanford Law Review Online 81 comments

“Big data” can be defined as a problem-solving philosophy that leverages massive data-sets and algorithmic analysis to extract “hidden information and surprising correlations." Not only does big data pose a threat to traditional notions of privacy, but it also compromises socially shared information. This point remains under appreciated because our so-called public disclosures are not nearly as public as courts and policymakers have argued — at least, not yet. That is subject to change once big data becomes user friendly.

Most social disclosures and details of our everyday lives are meant to be known only to a select group of people. Until now, technological constraints have favored that norm, limiting the circle of communication by imposing transaction costs — which can range from effort to money — onto prying eyes. Unfortunately, big data threatens to erode these structural protections, and the common law, which is the traditional legal regime for helping individuals seek redress for privacy harms, has some catching up to do.

To make our case that the legal community is under-theorizing the effect big data will have on an individual’s socialization and day-to-day activities, we will proceed in four steps. First, we explain why big data presents a bigger threat to social relationships than privacy advocates acknowledge, and construct a vivid hypothetical case that illustrates how democratized big data can turn seemingly harmless disclosures into potent privacy problems. Second, we argue that the harm democratized big data can inflict is exacerbated by decreasing privacy protections of a special kind — ever-diminishing “obscurity.” Third, we show how central common law concepts might be threatened by eroding obscurity and the resulting difficulty individuals have gauging whether social disclosures in a big data context will sow the seeds of forthcoming injury. Finally, we suggest that one way to stop big data from causing big, un-redressed privacy problems is to update the common law with obscurity-sensitive considerations.

'Big Data Proxies and Health Privacy Exceptionalism' by Nicolas Terry argues that

while “small data” rules protect conventional health care data (doing so exceptionally, if not exceptionally well), big data facilitates the creation of health data proxies that are relatively unprotected. As a result, the carefully constructed, appropriate, and necessary model of health data privacy will be eroded. Proxy data created outside the traditional space protected by extant health privacy models will end exceptionalism, reducing data protection to the very low levels applied to most other types of data. The article examines big data and its relationship with health care, including the data pools in play, and pays particular attention to three types of big data that lead to health proxies: “laundered” HIPAA data, patient-curated data, and medically-inflected data. It then reexamines health privacy exceptionalism across legislative and regulatory domains seeking to understand its level of “stickiness” when faced with big data. Finally the article examines some of the claims for big data in the health care space, taking the position that while increased data liquidity and big data processing may be good for health care they are less likely to benefit health privacy.

Terry concludes -

There is little doubt how the big data industry and its customers wish any data privacy debate to proceed. In the words of a recent McKinsey report the collective mind-­set about patient data needs to be shifted from “protect” to “share, with protections.” Yet these “protections” fall far short of what is necessary and what patients have come to expect from our history of health privacy exceptionalism. Indeed, some of the specific recommendations are antithetical to our current approach to health privacy. For example, the report suggests encouraging data sharing and streamlining consents, specifically that “data sharing could be made the default, rather than the exception.” However, McKinsey also noted the privacy-­based objections that any such proposals would face:

[A]s data liquidity increases, physicians and manufacturers will be subject to increased scrutiny, which could result in lawsuits or other adverse consequences.We know that these issues are already generating much concern, since many stakeholders have told us that their fears about data release outweigh their hope of using the information to discover new opportunities.

Speaking at a June 2013 conference FTC Commissioner Julie Brill acknowledged that HIPAA was not the only regulated zone that was being side-­stepped by big data as “new-­fangled lending institutions that forgo traditional credit reports in favor of their own big-­data-driven analyses culled from social networks and other online sources.” With specific regard to HIPAA privacy and, likely, data proxies the Commissioner lamented:

[W]hat damage is done to our individual sense of privacy and autonomy in a society in which information about some of the most sensitive aspects of our lives is available for analysts to examine without our knowledge or consent, and for anyone to buy if they are willing to pay the going price.

Indeed, when faced with the claims for big data, health privacy advocates will not be able to rely on status quo arguments and will need to sharpen their defense of health privacy exceptionalism, while demanding new upstream regulation to constrict the collection of data being used to create proxy health data and sidestep HIPAA. As persuasively argued by Beauchamp and Childress, “We owe respect in the sense of deference to persons’ autonomous wishes not to be observed, touched, intruded on, and the like. The right to authorize access is basic.”

Of course one approach to the issue is to shift our attention to reducing or removing the incentives for customers of predictive analytics firms to care about the data. Recall how Congress was sufficiently concerned about how health insurers would use genetic information to make individual underwriting decisions that it passed GINA, prohibiting them from acquiring such data. Yet, today some (but not all) arguments for such genetic privacy exceptionalism seem less urgent given that the ACA broadly requires guaranteed issue and renewability, broadly prohibiting pre-existing condition exclusions or related discrimination. A realistic long-­term goal must be to reduce disparities and discrimination and thereby minimize any incentive to segment using data profiling.

A medium-­term but realistic prediction is that there is a politically charged regulatory fight on the horizon. After all, as Mayer-­Schonberger and Cukier note, “The history of the twentieth century [was] blood-­soaked with situations in which data abetted ugly ends.” Disturbingly, however, privacy advocates may not like how that fight likely will turn out. Increasingly, as large swathes of the federal government become embroiled in and enamored with big data-­driven decision-­making and surveillance, so it may become politically or psychologically difficult for them to contemplate regulating mirroring behavior by private actors.

On the other hand the position that we should not be taken advantage of without our permission could gain traction resulting in calls such as expressed herein for increased data protection. Then we will need to enact new upstream data protection of broad applicability (i.e., without the narrow data custodian definitions we see in sector-­based privacy models). Defeat of such reform will leave us huddled around downstream HIPAA protection, an exceptional protection, but increasingly one that is (in big data terms) too small to care about and that can be circumvented by proxy data produced by the latest technologies.

Secrets

Robert Carolina and Kenneth G. Paterson in 'Megamos Crypto, Responsible Disclosure, and the Chilling Effect of Volkswagen Aktiengesellschaft vs Garcia, et al' comment [PDF] that

The recent decision of the English High Court to censor the publication of an academic paper describing weaknesses in the Megamos Crypto automobile immobiliser system raises a number of concerns for members of the cryptographic academic community, legal practitioners, and commercial users of cryptographic products. In this paper we will provide a brief description of the technology at the heart of the dispute, the crypto research project, the court's decision, and then provide a critique of the decision and make observations about its potential impact. Our description and our observations are based on evidence as it was disclosed in the published decision of the court, Volkswagen Aktiengesellschaft vs Garcia, et al [2013] EWHC 1832 (Ch) (25 June 2013). This decision addressed a request for preliminary injunction pending a full trial on the merits. It remains possible that additional evidence introduced later, or existing evidence that has not been disclosed in the decision, could have a significant impact upon the observations and opinions presented here. We do not take any position, nor do we make any prediction, about the ultimate outcome of this case. 

 The authors note that -

... three researchers decided to test the strength of the Megamos Crypto system. This type of activity – an unsolicited effort to identify weaknesses in commercial crypto devices – is common in the field of crypto research. This would not be the first paper published by academics highlighting weaknesses in RF-based automobile security devices. See, for example, Indesteege, Keller, Dunkelman, Biham, and Preneel, "How To Steal Cars – A Practical Attack on KeeLoq", EUROCRYPT 2008, LNCS 4965, pp. 1–18, 2008. (Cooperative effort by academic researchers resident in Belgium and Israel, supported by both public and private research grants, revealing deficiencies in KeeLoq – a widely installed remote key entry system. We note without further comment that it is common practice for academics in this field to give such papers rather provocative titles.) 

To conduct their analysis of Megamos Crypto the researchers needed to obtain details of the crypto algorithm used. The manufacturers of the immobiliser do not publish the algorithm. The algorithm is claimed as a trade secret. It is not clear from the decision whether the researchers considered paying a laboratory to reverse engineer the crypto chip itself. The court was advised that reverse engineering the chip would cost in the region of €50,000 – an outlay that might have seemed expensive in the context of an academic grant proposal. Instead, the researchers identified a third party hardware and software product called Tango Programmer. This product (sold for an initial payment of €1,000 per unit) can be used, among other things, to create keys for automobile immobilisers using Megamos Crypto and other immobiliser systems. The algorithm is incorporated within the Tango Programmer software, but not directly disclosed by the manufacturer. 

The researchers conducted a careful study of the Tango Programmer software. From this they were able to reverse engineer the functionality of the system and discover the details of the cryptographic algorithm. Having obtained the algorithm, they set about to study the system. The researchers eventually identified three weaknesses in the system. (Para.11.) Two of these (use of weak secret keys and poor key updating practices) were not an issue in the case. The court did not comment on this, but we note that weaknesses of this type recur with sad frequency in the operation of secure systems. 

The other weakness identified is much more serious. This is alleged to be a weakness in the design of the cryptographic algorithm itself. To explain the flaw that they had uncovered, the researchers planned to include a description of the algorithm in their published paper. It was this desire to publish the (allegedly secret) algorithm that created the dispute. 

In November 2012 the three authors approached EM (the crypto chip manufacturer) to explain the weaknesses they had uncovered. (Para.15.) It is not clear from the decision whether the researchers understood that EM was using the algorithm under license from Thales. The court's published decision, unsurprisingly, does not provide details of the exact nature of the weakness in the Megamos Crypto algorithm. 

The researchers planned to publish their paper in August 2013 in the proceedings of the annual USENIX Security conference. Volkswagen learned of the soon-to-be published academic paper on 23 May 2013, and brought a lawsuit in the High Court of England to prohibit disclosure of the algorithm. (Para.16.) The lawsuit names the three academic authors (two resident in the Netherlands and one resident in England), and the two universities that employ them (in England and the Netherlands).

The authors conclude -

The decision constructs a narrative about the academics that is very unflattering. Faced with a request to delay publication for just a little while longer the researchers instead demanded the ability to publish immediately and thereby jeopardised the security of millions of cars. (We have already questioned whether this was such a serious risk.) While the court admits that the failure to make Volkswagen aware of the problem was not their fault, it chastises them anyway for failing to consent to any more delay: "A responsible approach would be to recognise the legitimacy of the interest in protecting the security of motor vehicles." (Para.41) The court delivers some of its most harsh commentary in describing the responsible disclosure process. "I think the defendants' mantra of 'responsible disclosure' is no such thing. It is a self-justification by defendants for the conduct they have already decided to undertake and it is not the action of responsible academics." (Para.42) 

We suggest that a review of the evidence disclosed in the decision also supports a different narrative. This begins by considering the difficult work undertaken by the academics as part of their mission to support security research. The selection of Megamos Crypto as a potential research subject, the sourcing of Tango Programmer, the reverse engineering work needed to liberate the algorithm from the software, and then the core research work of examining the crypto algorithm for flaws. The decision does not state how long the researchers spent on this process, but we have little doubt that it was significant. Acting under ethical guidelines regularly applied by academics in this field, they approached the chip manufacturer EM with their findings in November 2012. They offered their assistance to develop work-arounds or replacement technology. They planned to publish their findings in August 2013, nine months after private disclosure. Having been open with EM, they heard very little in response. The researchers were then surprised when Volkswagen entered the picture in May 2013 – seven months after initial disclosure to EM – and sued them. Volkswagen requested and received an emergency temporary injunction with no notice to the academics. Given that the only meeting about the weakness in Megamos Crypto described by the court took place in June 2013 – a matter of weeks before scheduled publication – we are left to ponder how much emotion may have entered the situation at this stage. 

The difference in these two competing narratives demonstrates a significant disagreement about what constitutes "responsible disclosure". It appears that the court may not have fully appreciated how this phrase is used as a term of art in the context of security research. There are three main methods of public disclosure that are in common use in this admittedly abstruse field: (1) non-disclosure, (2) responsible disclosure and (3) full disclosure. In the first case, the researcher tells the affected party, and then says nothing more; in the third case, the researcher publishes without telling the affected party in advance and without any regard to their interests. The second way is a middle path between these extremes that is now very widely followed by academics and more generally security researchers. Typically, six weeks is set as the "time to disclosure" in the case of software flaws, and six months in the case of hardware flaws. However, in extreme cases, where no simple fix is available and the impact is very serious, researchers might feel compelled to wait longer than six months. These time scales (six weeks and six months) are not unique to these academic researchers. They are widely used baselines within the field of security research. We imagine that the researchers felt that they had already "gone the extra mile" by disclosing nine months in advance of publication, and might have felt rather abused when someone other than the product's manufacturer suddenly appeared and brought a lawsuit only two months before planned publication. 

It is crucial to understand that "responsible disclosure" is simply a phrase used by researchers to describe one approach to the public disclosure of security flaws, one that is certainly more responsible than full disclosure, and arguably even more responsible than non-disclosure, given that the latter approach does not create any incentive for the affected party to address any disclosed flaws in their products. The court did not appear to appreciate this distinction, given the way in which the decision criticizes the researchers. (Para.42.) 

Furthermore, and more importantly, it is apparent (from para.14) that the court's understanding of the term is incomplete: there, a definition of responsible disclosure is offered which entails "telling the manufacturer in advance" about the flaws, but which does not include the critical point that, in this mode of disclosure, a date is set up-front for when disclosure will take place, irrespective of the circumstances at the time when that date is reached. Establishing such a publication deadline when disclosing to the manufacturer is not simply the arbitrary or capricious act of a petulant researcher. This mechanism is used to prevent affected parties (who, as noted above, often form part of complex supply chains) from unnecessary dithering and to ensure they have an incentive to address the identified security flaws. It seems that this missing point concerning timing is what leads the court to heap opprobrium on the researchers in paras. 41 and 42, where it is opined that "it was not consistent with the idea of responsible disclosure for the defendants to simply say, 'We are going ahead anyway'." and "I think the defendants' mantra of 'responsible disclosure' is no such thing." There is a value judgment implied by the use of the word "mantra" here – this meaning a phrase repeated often and without significant thought. Our experience is that academic security researchers and industrial consumers of cryptography alike do understand the significance and methodology of responsible disclosure, and accept it as the preferred, if not universal, modus operandus for disclosing security vulnerabilities. This apparent breakdown in understanding seems to heavily colour the court's view of the academics' probity. 

We find the strong language used to describe the actions of the academics both puzzling and disappointing. First, it is clear that their approach to "responsible disclosure" was well within normal guidelines followed by security researchers for the benefit of the security industry (and society) as a whole. Even if it were not, the strength of the court's condemnation is surprising given the reality it had already acknowledged – reasonably accessible methods are available that would allow the academics or anyone else to publish the algorithm without the permission of the complaining parties.

The authors suggest that -

This ruling is likely to have a chilling effect on legitimate security research in the UK. While the circumstances of this case are rather specific, and the decision hangs on those specifics, the case creates a degree of uncertainty and confusion around what can, and cannot, be done by security researchers without running the risk of encountering legal obstacles. For academic researchers, "publish or perish" is a no less pressing or relevant a motto for it being hackneyed through overuse. And the investment in time and effort required to conduct the kind of research relevant to this case is significant, as are the risks that any given research avenue selected will turn out to be unfruitful. So the mere perception that legal barriers to publication might arise is likely to cause some researchers, particularly new entrants to the field, to think twice about starting at all. 

It is then especially ironic that, all the while, the UK government, through its funding agencies (such as EPSRC) and UK government departments (such as CESG/GCHQ and Business, Innovation and Skills, BIS), has been investing heavily in cyber security research, with a proportion of that funding being directed towards projects involving the development of techniques for the analysis, discovery, and eventual elimination, of weaknesses in security systems. 

We may also speculate that the ruling may have repercussions beyond the UK. Academic research in cryptography and security is a discipline now observed routinely around the world. Multi-country collaborations (like the collaboration that is the subject of this case) are commonplace. It is unclear whether the High Court of England would have been vested with jurisdiction of this case but for the fact that one of the authors and his employer are resident in the United Kingdom. The remaining two authors are normally resident in the Netherlands. The putative publisher is based in the United States. Certainly courts in the United States are highly suspicious of such prior restraint cases due to a combination of the guarantee of free speech (under the First Amendment of the US Constitution) and certain limitations in the US treatment of trade secrets. (See generally, Samuelson, "Principles For Resolving Conflicts Between Trade Secrets And The First Amendment", 58 Hastings L.J. 777 (March, 2007).) 

As a result of this decision, it seems plausible that researchers based outside the UK may be less enticed by the prospect of working with UK-based researchers given the possible injunction of their eventual joint research papers. The effect would be to isolate UK- based security researchers, at a time when national governments are strongly emphasising the need for cross-border efforts in cyber security research (see for example the UK Cyber Security Strategy at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/6096 1/uk-cyber-security-strategy-final.pdf). .... 

In granting a preliminary injunction that partially restrains publication of academic research into weaknesses in the Megamos Crypto system, the English High Court has taken a step that is – and should be – troubling to legitimate security researchers. In our opinion, the court's decision evinces a lack of understanding of the foundational principles of cryptography and secure system design that would have been necessary to conduct an appropriate enquiry into the risks of publication. The decision also appears to lack a clear understanding of the term of art "responsible disclosure", and the well- established role that this plays in security research. Although this is a preliminary decision, given the admitted infringement of free speech we find the application of law to the facts in this decision to be surprisingly brief and unhelpful. We are especially puzzled by the court's willingness to jump so quickly to the conclusion that the manufacturer of the Tango Programmer product engaged in misappropriation of a trade secret, and having reached that conclusion that the academics ought to have been aware of the misappropriation. If the court had better reasons to draw these inferences from the preliminary evidentiary record, it is unfortunate that the court did not describe this evidence in the published decision. We are also troubled at the chilling effect that this decision may have on legitimate security research in the UK. This decision, which we expect will be viewed as out of step with the prevailing trends of other countries regularly engaged in such research, could have the effect of isolating UK security research academics from their international colleagues – at precisely the time that the government in the UK is encouraging an increase in such research and in international cooperation. 

As a final comment, we have no doubt that the judge in this matter – who was required to hear this application and make this decision in a very compressed time frame – is an extremely able jurist. Judges, no matter how able, cannot be experts in all subjects. In English courts (and other common law courts around the world) it is the responsibility of others to explain to the court key elements of technology under review. Perhaps for no reason other than the compressed timetable leading up to the hearing and decision, it appears to us that this process of explaining complex technical facts and practices from an otherwise abstruse specialist field has somehow broken down.

Peer Review

Is the peer review system in academic publishing so broken that we should start again?

'Deep impact: unintended consequences of journal rank' by Björn Brembs, Katherine Button and Marcus Munafò in (2013) Frontiers of Human Neuroscience comments that

Most researchers acknowledge an intrinsic hierarchy in the scholarly journals (“journal rank”) that they submit their work to, and adjust not only their submission but also their reading strategies accordingly. On the other hand, much has been written about the negative effects of institutionalizing journal rank as an impact measure. So far, contributions to the debate concerning the limitations of journal rank as a scientific impact assessment tool have either lacked data, or relied on only a few studies. In this review, we present the most recent and pertinent data on the consequences of our current scholarly communication system with respect to various measures of scientific quality (such as utility/citations, methodological soundness, expert ratings or retractions). These data corroborate previous hypotheses: using journal rank as an assessment tool is bad scientific practice. Moreover, the data lead us to argue that any journal rank (not only the currently-favored Impact Factor) would have this negative impact. Therefore, we suggest that abandoning journals altogether, in favor of a library-based scholarly communication system, will ultimately be necessary. This new system will use modern information technology to vastly improve the filter, sort and discovery functions of the current journal system.

The article has an exhaustive bibliography.

Defamation and Confidentiality

The High Court of Australia has rejected a special leave application by The Age and journalists Richard Baker, Philip Dorling and Nick McKenzie regarding the February 2012 NSW Supreme Court decision that granted businesswoman Helen Liu access to documents in their possession relating to the identity or whereabouts of three of their sources.

In February 2010 The Age published two articles alleging Liu paid federal MP Joel Fitzgibbon $150,000 as part of ''a campaign to cultivate him as an agent of political and business influence''. The articles were supported by quotes from 135 pages of documents said to be her personal and business records, including a list of ''money paid'' for unstated purposes to 22 people, including Fitzgibbon. 

Fitzgibbon denies receiving the $150,000 payment and launched defamation proceedings. Liu claims the documents are forged or falsely attributed to her by a person or people with a vendetta against her. She asked the court to compel the journalists to reveal the identity of the sources as the basis for initiating defamation proceedings against the sources.

In Liu v The Age Company Limited [2012] NSWSC 12 McCallum J commented that

the protection of sources from disclosure of their identity is not a right or an end in itself. The rationale for the protection lies in the public interest in cultivating trust between sources and journalists as a boon to free speech and, in particular, free political discussion. The defendants unilaterally determined in the present case that the interests of the sources must yield to what the defendants claimed was a paramount public interest. It was that decision which exposed the sources to the risk of disclosure of their identity. Having invoked the relativity of competing interests as the basis for that decision, the defendants can hardly maintain that interests competing with the public interest in protecting confidentiality of journalists' sources must be set to one side in the determination of the present application. In my assessment, the force of the considerations underlying the newspaper rule is substantially lessened in the present circumstances.

An undertaking by journalists to keep a source confidential could be overridden "in the interests of justice".

McCallum J stated that

I am satisfied that, as submitted on behalf of the plaintiff, the correspondence reveals that Mr Baker disobeyed a specific request made to him by the contact on behalf of the sources. It was clearly indicated, so far as at least one of the sources was concerned, that the handwritten papers had been included inadvertently among the documents sent. A request was made on that basis not to publish those papers. Contrary to that request, The Age published details of the handwritten papers on its front page. 

The newspaper's decision to use the handwritten documents in the face of requests from the contact not to do so had the tendency, in my view, to undermine the very protection sought to be achieved by the practice of not requiring journalists to disclose their sources unless such disclosure is necessary in the interests of justice.

The Court went on to find that

... the defendants submitted that the interests of the sources should be taken into account in determining whether to exercise the discretion to grant the relief sought by the plaintiff. The evidence as to that issue comes primarily from the contents of the email correspondence (Exhibits N and 2). That correspondence reveals that the sources initially contacted the defendants with a view to selling information. They sought payment in the order of $120,000. The defendants responded by offering up to $10,000. A suggestion that one of the sources might lose his employment upon providing the information was plainly tied to attempts to negotiate a higher payment in that context. 

As submitted on behalf of the plaintiff, the early correspondence did not include any explicit request that the defendants not disclose the identity of the sources. Rather, the focus of the correspondence was upon obtaining reassurances that the defendants would not sell the information to any third party without consulting the sources. 

A consideration of the emails in chronological order reveals that it was in fact the defendants who first volunteered that they would not disclose the identity of the sources. 

After considering the contents of the relevant correspondence before me (Exhibits N and 2), I am not persuaded that there is any tangible risk of adverse consequences to the sources in the event that their identity is revealed beyond the risk of their being sued for defamation and the consequential impact upon their relationship (if any) with the plaintiff.

High Court found there were no grounds for special leave.

Constitutional Identity

'Constructing Identity in Australian Constitutional Law' (Sydney Law School Research Paper No. 13/56) by Elisa Arcioni comments

Written constitutions can identify and construct membership of the relevant constitutional community. This paper addresses how the language of the Australian Constitution, as seen through the eyes of judges, constructs such an identity. The phrase ‘the people’ is focused upon. Three case studies are considered in order to discuss the approaches of judges of the Australian High Court to the interpretation of constitutional language. One approach is to treat constitutional language as symbolic and absolute, representing inclusion, popular participation in government and representation. A competing approach is to treat the language as reflective of historical circumstances, limited by legal understandings at the time of drafting the text. This article concludes that determining the meaning of legal language is inherently connected with methods of interpretation. In order to understand the identity of the constitutional community, the underlying approach of judges and the external principles or theories they incorporate into the text must be identified.

Her 2009 'That Vague But Powerful Abstraction: The Concept of ‘The People’ in the Constitution' comments

The concept of ‘the people’ in the Australian Constitution is undoubtedly unfinished constitutional business. The concept is “vague” due to a lack of development by the High Court but also because it is an inherently fluid concept. Yet it is also “powerful” because of what ‘the people’ has come to signify, which is something that I suggest should be further developed by the High Court. There are two questions that I consider in this paper. The first is: who are ‘the people’? The second is: what impact do they have on our understanding of the Constitution and constitutional terms?

She continues

Is ‘the people’ a vague concept? A majority of the Court has now directly stated that ‘the people’ is a reference to the community under the Constitution. While still somewhat vague, there is at least the hint in Roach, as well as in earlier statements, that the community is to be identified in accordance with determining who is part of the group who has the ability and legitimacy to be involved in constitutional government. In Roach it was the act of voting that was at issue, so the Court looked to what it means to vote and what is required in order to be involved in that process. It is unrealistic to suggest that there is going to be a clear identification of either the exact identity of ‘the people’ or the criteria for their identification. The identity of ‘the people’ is going to remain vague, or at least fluid. This is because the identity of the constitutional community will change over time, as can be seen in the history of who is accepted as part of the community. 

In colonial times, the constitutional community was not every person in Australia, but a more limited group – predominantly white men. In the early part of federation, the constitutional community could be considered to be all British subjects resident in Australia, with some racial exceptions (although these were not consistently applied). Over time, British subjecthood was no longer a true label for the constitutional community, just as the High Court recognised the separation between the UK and Australia in Sue v Hill  in 1999 such that the UK is now considered a foreign power. Australian citizenship seems an obvious identifier of ‘the people’ in the Constitution, but it cannot simply be in the hands of the Parliament to determine who fall within the group ‘the people’ by legislating for citizenship. 

The Court will need to expand on what they mean by being a member of the community under the Constitution. The parameters need to be explored because of the possible implications that such identity has for our understanding of the Constitution. Yet such development is obviously going to be a sensitive and contested exercise and my guess is that it will be a case of incremental development before a clear outline of ‘the people’ is revealed by the Court. 

Despite the vagueness of the identity of ‘the people’, ‘the people’ is nevertheless a powerful constitutional concept. This has been shown most recently in Roach, where the concept of ‘the people’ led to the striking down of legislation which restricted prisoners’ voting rights. Given the significance of the people both in history and in High Court jurisprudence, the concept has the potential to go further than being a symbolic reference to the source of the Constitution’s authority. It certainly has the ability to further affect the franchise, along the lines of the reasoning in Roach. Further areas for contestation include a consideration of who else is included or excluded from the vote. Apart from horror hypotheticals of the Parliament excluding all people of a particular gender or race, there are the more realistic challenges to the franchise as it exists today. For example, the exclusion of some Australians living overseas. Australians living overseas may be deprived of the right to vote if they remain or intend to remain outside Australia for more than six years. Or, there might be a challenge to the voting age being 18. In the future, there may be a challenge from some under-age individuals, who have the same ability and maturity as those over 18. Just as the voting age changed from 21 to 18 in 1973, could it be that some people between the ages of, say, 16 and 18 should be entitled to vote? Or the question of permanent residents, who may be as involved in Australian life as citizens – should they continue to be denied the vote? However, I suggest that the significance of ‘the people’ could go further than the franchise. As hinted at by McHugh J, as well as by Kirby J in a number of cases, such as Patterson in 2001, there may be the development of constitutional citizenship, not confined to the current legislative definition of citizen, which insulates individuals from attempts at deportation or being categorised in a class such as ‘alien’. The concept of ‘the people’ could be used in the future to challenge citizenship legislation, which is treated as the current indicator of membership of the Australian community. And, by extension, to challenge migration legislation, which operates on the basis of individuals being ‘non-citizens’, with non-citizen being used as an equivalent to the constitutional status of ‘alien’ in s 51(19).

‘The people’ has become more than a symbolic reference to the authority of the Constitution, or the group who has freedom of political communication in order that there be fully informed elections. It is a powerful force, symbolically and legally. It was the rallying cry for successful federation, and a reference to the group at the heart of constitutional government. 

‘The people’ can be understood as a reference to the constitutional community. That is, as a reference to the individuals who make up the Australian population under the Constitution and therefore to the ones who have a claim to involvement in constitutional government and the possibility of protections or freedoms under that Constitution. As a phrase approximating constitutional citizenship, the Parliament’s power may be limited with respect to ‘the people’ in areas such as the franchise, citizenship and deportation, which are all areas that intersect with membership of the constitutional community.

Shaming, Naming, Claiming and Inking

''Naming and Shaming' in Western Australia: Prohibited Behaviour Orders, Publicity and the Decline of Youth Anonymity'' by Thomas Cofts and Normann Witzleb in (2011) 35(1) Criminal Law Journal 34 comments that

The Western Australian Parliament has passed the Prohibited Behaviour Order Act 2010. This Act enables a court to prohibit a person aged 16 years or over who has been convicted of an offense with an anti-social element from engaging in otherwise lawful behaviour that the court regards likely to increase the chances that the person will commit a further such offense. The Act provides that details of the person and the order will be posted on a departmental website even in the case of the young and that anyone is free to republish that information. This paper reviews the traditional stance of the law relating to publication of child offending before discussing the pros and cons of how prohibited behaviour orders will affect this position. ...

It is accepted that while publicity in relation to criminal proceedings is essential to ensure a fair and impartial justice system, the glare of publicity can also have negative effects for the subject of that publicity. In relation to adults these negative effects are accepted and generally thought to be deserved. However, it has historically been recognised that the young need protecting from publicity and therefore legal safeguards to ensure this protection is delivered are in place throughout Australia.

The PBOs in Western Australia will remove the right of the young to anonymity. The State government submits that this is necessary to ensure effective enforcement, deterrence and reassurance of the public. PBOs are modelled on a variant of the ASBO in the United Kingdom, for which publicity is likewise the norm. However, upon closer examination it is questionable whether making the community responsible for policing anti-social behaviour is effective at combating such behaviour and reassuring the community. Given the high rate at which similar orders in the United Kingdom are breached it remains unproven that the threat of publicity acts as an effective deterrent, in particular on young persons. Due to their immaturity and still-developing ability to control their impulses the young may either not appreciate the reality of the threat or may underestimate the future harm that may ensue from publicity. Some may even welcome the publicity as a badge of honour and value the immediate gratification of belonging to an “outside group”. Thus publicity may have the unintended consequence of cementing anti-social behaviour. Social exclusion of those labelled “anti-social” is also likely to occur where the community is made aware of “who in their midst has been responsible for such outrageous behaviour”. Strategies encouraging active citizenry to police anti-social behaviour operate on the basis of categorical suspicion. The young, and especially Aboriginal youth, are particularly susceptible to being demonised and labelled deviant; a process which is likely to be compounded by sensationalist reporting. This in turn can actually undermine public confidence in the authorities and increase, rather than decrease, the fear of criminal and anti-social behaviour, thus undermining one of the purposes of publicity.

The advantages of publicity in the case of a PBO do not outweigh the negative effects which may flow from publicity in the case of the young. However, there has been a rigid adherence in the United Kingdom to the belief that publicity is a necessary corollary to ASBOs. This belief has been accepted without question in Western Australia. This desire to publicise, even if the advantages thereof are disputed, may actually be part of a larger picture of a gradual shift away from the conviction that the young need protecting from publicity. The movement away from the welfarist approach to a justice model for dealing with young offenders is concomitant with the belief that the young should be held to take responsibility for their actions. Under this approach, young persons who persistently engage in anti-social behaviour are thought to no longer need protecting from publicity because they have already chosen to reject society’s norms. Such an argument fails to appreciate that anti-social behaviour is in many cases a normal part of growing up and will not necessarily lead to a criminal career. Labelling and shaming can compound any temporary rebelliousness and cement rather than help shift the young person away from such behaviour. 

This paper has not been concerned with efficacy of ASBOs or PBOs but merely with their effect on anonymity protection for young offenders. The aim was not therefore to argue here whether or not such orders are likely to be effective and should or should not have been introduced. The authors’ concern is that publicity should not be accepted without question as an essential part of a PBO in the case of the young. The right of the young to anonymity has been protected for good reasons which far outweigh any of the potential benefits of publicity. Publicity is likely to have damaging effects on the young and on society by encouraging suspicion in the community, progressing social exclusion and the fear of crime. It is therefore urged that the right of the young to anonymity be protected and that there be a presumption against publication in the case of minors.

Another perspective on anonymity and registration is provided in the speech by Raymond Stevens MP, Member for Mermaid Beach in the Queensland Parliament.

Endorsing the Criminal Proceeds Confiscation (Unexplained Wealth and Serious Drug Offender Confiscation Order) Amendment Bill 2013 (Qld) Mr Stevens states [PDF] that

My beloved region of the Gold Coast unfortunately seems to be a place where bikie gangs have infiltrated, with their clubhouses and headquarters making their homes in the region. While many do have legitimate businesses, the ones who are involved in illegal businesses are going to get caught. The proceeds from their criminal activities will be seized under these new laws. In a lot of these businesses dirty money is being cleaned through these front-door legal activities.

A recent story that has been in the media is of bikie gangs infiltrating the Victorian police force. Bikie gang members have been cultivating, compromising and corrupting police officers. They have been offering police officers access to strip clubs and drug related activities. They will do anything and stop at nothing to continue their illegal activity. The speed and accessibility of this sort of corruption which is causing a lot of damage is immense and usually drug related. These networks infiltrate legitimate areas of business to corrupt for their own gain. They hide behind legitimate businesses, such as gymnasiums, where there is a lot of drug and steroid use. I think peptides are the latest ones they are all promoting. ...

Tattoo parlours are very much a focus for this bikie gang behaviour. There is no doubt in my mind that these tattoo parlours that have popped up all along the Gold Coast—and I am sure in the electorates of other members; there are plenty of heads nodding—are the way that bikie clubs clean their money. Once this bill becomes law the Attorney-General will be able to pursue those ill-gotten gains. I have a suggestion in relation to tattoos that the health minister might look at. Under the Health Act there should be a register of people getting tattoos so that we can identify those people getting tattoos rather than have John Smith, Bill Brown and all the other fake names of people who are paying $5,000 or $10,000 for tattoos. This is a way for these bikie clubs to clean their money.

Next stop barcodes on bikie btms (and those of barristers, bogans and anyone else getting inked)?

In Western Australia the Government has introduced the Criminal Investigation (Identifying People) Amendment Bill 2013 [here], touted as requiring Muslim women to remove a burqa or niqab to prove their identity to WA. The amendment aims to require "a person to remove headwear or do other things to facilitate the officer being able to confirm a person's identity", with police gaining explicit powers to detain the person pending compliance.The requirement will apply to an item of clothing, hat, helmet, mask, sunglasses or "any other thing worn by a person that totally or partially covers the person's head".

Enthusiasts have called for a comprehensive ban on the burqa, unlikely to be constitutional. 'Section 116 of the Australian Constitution and Dress Restrictions' by Anthony Gray in (2011) 16(2) Deakin Law Review 293 for example comments

In this article, I will consider constitutional (and discrimination) issues that would arise if an Australian parliament enacted legislation with the effect, amongst other things, of prohibiting the wearing of particular items of clothing often thought to have religious significance, in particular the hijab, burqa or niqab. While the ban could apply to other items of clothing or jewellery of significance in religions other than Islam, given that most of the current debate concerns symbols of Islam, I will use this particular context as the focus of discussion. In so doing, I will draw briefly upon the rich jurisprudence concerning these issues in other jurisdictions, where much more litigation has taken place regarding the question than in Australia. I will also consider briefly whether a different result would apply if the ban were passed at state level. This is not an abstract argument; a current Senator in the Australian parliament has personally called for a burqa ban, and private members’ bills have been introduced in New South Wales and South Australia to introduce such a ban, at least in some circumstances.

In Part II I set the statutory framework for the discussion that follows. In Part III the meaning of the wearing of the hijab and burqa is considered. Part IV considers how laws banning the wearing of religious dress or symbols have been considered in various courts. In Part V I consider the validity of a Commonwealth law that had the effect of banning the wearing of some religious dress or symbols. ...

If the Commonwealth Government passed a law (otherwise constitutional) banning the wearing of religious dress or symbols, the High Court should read the principle of religious freedom in section 116 broadly. It should not validate a law just because the Commonwealth argues the law was passed for other (legitimate) purposes; in some cases, it is submitted courts in other jurisdictions have been too willing to accept at face value government arguments that bans on religious dress or symbols were necessary in pursuit of legitimate objectives of equality and neutrality, or that effects on religious freedoms were incidental (and so not considered to be objectionable). While the precise meaning of the wearing of items such as the hijab or burqa is open to interpretation, on at least some interpretations such wearing is supported by the Qur’an; it is highly contentious to extrapolate from the wearing of such items of clothing that oppression, subjugation or ‘extremism’ is being reflected.

Such a ban might also infringe the Racial Discrimination Act 1975 (Cth); for a Commonwealth law, this is not significant since the Commonwealth can amend its own legislation; in relation to a state law which purported to implement a ban, the court would have to consider directly whether Islam followers are an ‘ethnic group’ within the meaning of the Act; and then whether a blanket state ban on all face covering would be inconsistent with the RDA, in particular section 10. There is a strong argument that Muslim followers do comprise an ethnic group, and that section 10 might be used to invalidate a state attempt to ban face covering, given given its effect on those of Muslim ‘ethnicity’, compared with other ethnicities

That is consistent with works such as 'Can and Should Burqas Be Banned? - The Legality and Desirability of Bans of the Full Veil in Europe and Australia' by Anne Hewitt and Cornelia Koch in (2011) 36(1) Alternative Law Journal 16 and 'The Full Face Covering Debate: An Australian Perspective' by Renae Barker in (2012) 36(1) University of Western Australia Law Review.

ACIP Designs Review

The Advisory Council on Intellectual Property (ACIP) has released a discussion paper [PDF] regarding its review of the Australian designs regime.

Appendix 4 provides  statistics regarding the regime.  On average some 6,000 design applications have been filed each year since 2002.  Approximately 20% of total registrations request examination, with most being certified. Under 20% of applications filed in any given year continue in force for the full 16 years (after payment of the third and final renewal fee). The majority of design applicants are Australian residents.

The paper asks several questions -

1. Would Australia benefit from a designs system with a maximum term in excess of 10 years? 
2.  Would a design grace period be of benefit to users and potential users? Why/why not? 
3. If a grace period were to be made available, how long should it be for? 
4. Should such a grace period be an alternative, or an addition to deferment of publication of the kind offered under the Hague System? 
5. Is there confusion about the use of Statements of Newness and Distinctiveness? Please explain how. 
6. The ALRC thought that such a Statement of Newness and Distinctiveness should not be mandatory. Do you agree? Please explain why. 
7. Is a deferred publication process desirable? What are the potential advantages and disadvantages of permitting it? 
8. How long should the period of deferment be? 
9. What benefits and/or costs would there be for Australia if an Unregistered Design Right system were introduced? 
10. Would an Unregistered Design Right system, if introduced into Australia, create confusion? If so, what measures might be appropriate to limit any such confusion? 
11. Would Australia benefit from acceding to the Hague System? 
12. Would Australia benefit from legislation changes to include designs in the Notice of Objection scheme? Please explain why/why not? 
13. Are the copyright/design overlap provisions operating satisfactorily? Please explain why/why not. 
14. Should there be restrictions in the Trade Marks Act 1995 for registered designs? Please explain why/why not? 
15. Have the changes to the threshold of registrability introduced with the Designs Act 2003 provided greater differentiation between a new design and the prior art? Please explain how. 
16. Are the differences between registration, publication and certification under the Designs Act 2003 clear? Should the multi-step process remain? Please explain why.
17. Is there a continuing need for publication (and the current regime of requesting registration or publication)? Please explain why? 
18. Is the Designs Act 2003 able to deal with new technologies eg 3D printing and GUIs? 
19. Should GUIs be registrable?
20. Are there any new opportunities for enhancing the designs system? 
21. Are there any unintended consequences arising from its implementation to date?
22. Do you have any other comments?

In relation to question 18 - ie 'Additive manufacturing (3D printing technology)' - ACIP comments that

One rapidly evolving technology of topical interest is the emergence of additive manufacturing (also known as three-dimensional (3D) printing technology). 3D printers produce articles by layering numerous, custom printed sheets of material, one on top of the other, and binding each layer together in the process. Most 3D printers manufacture products using a range of plastics or composite materials and some printers can also print in metals (e.g. stainless steel).

Until recently, 3D printers were extremely expensive and rare. As such, they were used for prototyping—mainly in the aerospace, medical and automotive industries. Once a design was finalised, a production line would be established and the part would be manufactured and assembled using conventional methods. But 3D printing has now improved to the point that it is starting to be used to produce the finished article. These printers are also becoming increasingly available and affordable, with a number of companies making desktop units. The capacity of the internet has also improved to the extent that a design can be sent as a digital file to be printed on a 3D printer almost anywhere in the world.

Hence, 3D printing is opening up new opportunities for innovation, customisation and creativity. It is also creating new opportunities for counterfeiting and imitating designs (both registered designs and unregistered designs).

As a legal matter, 3D printing may raise issues familiar in other areas of IP, such as the scope of secondary liability for designs infringement; liability of individuals for non-commercial acts relating to designs; and/or the territorial nature of the exclusive rights.

The paper also comments on Graphical User Interfaces (GUIs) -

Another area of new technology of significance is Graphical User Interfaces (GUIs) or screen icons. In recent years, GUIs have been increasingly lodged as design applications. There is no standardisation in how countries treat GUIs under their designs systems. Recent editions of the Locarno Classification (LOC) of the Locarno Agreement have introduced a new classification to include: Graphic symbols and logos, surface patterns, ornamentation.58 Although Australia is not a member of the Locarno Agreement, IP Australia uses the 8th edition of the LOC to classify designs. For Member States, the 10th edition will enter into force on January 1, 2014. The consideration of screen icons is raised in the examiner’s manual at D04.3.2. IP Australia does not consider screen icons are a registrable product. However, registrability is not considered during the formalities process and screen icons are appearing on the Register of Designs.