22 June 2013

Data Protection Inventory

Apropos the preceding post SSRN now features 'Sheherezade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories' [PDF] by Graham Greenleaf in (2012) Journal of Law & Information Science
It is forty years since Sweden’s Data Act 1973 was the first comprehensive national data privacy law, and the first such national law to implement what we can now recognize as a basic set of data protection principles. The core of this paper is the question 'How many countries now have data privacy laws?'. First, a definition is provided of a 'data privacy law', based largely on the requirements of the earliest international data protection instruments, the OECD privacy guidelines, and Council of Europe data protection Convention 108. 'Countries' are considered to include separate legal jurisdictions.
The answer to the question – documented in the Global Table of data privacy laws [PDF] is that, as of mid-2013, 99 countries have such laws, a number considerably higher than earlier commentators had assumed. By looking at the related questions of the date at which such laws were enacted, and the regions of the world in which they have arisen, we can see trends in development which indicate the future direction of global development of data privacy laws. The conclusion reached is that, given the continuing accelerating growth in the number of such laws, it seems likely that, within a decade, data privacy laws will be ubiquitous in that they will be found in almost all economically more significant countries, and most others. This conclusion is supported by the number of official data privacy Bills currently before legislatures or under government consideration in at least 20 more countries.
The article also analyses which international agreements or requirements concerning data privacy (OECD, EU directive and 'adequacy', APEC, ECOWAS etc) affect which countries, and how many relevant parties have enacted laws in accordance with the various agreements or requirements. The extent to which data protection authorities (DPAs) are required as part of data privacy laws is analysed, and existing DPAs identified. The associations of DPAs in which each is involved are also identified, and some conclusions drawn concerning their overlapping but incomplete memberships.
In summary, this paper gives a global snapshot of data privacy laws and the international agreements relevant to each, and of Data Protection Authorities and their interlocking associations.

Truly, deeply, sincerely

One of the joys of teaching the inaugural intensive Privacy, Confidentiality Access Law unit at UC Law last week was being able to leverage the PRISM furore and Australia's Senate inquiry into the anaemic 'Data Alert' (better labelled 'Data Breach') Bill.

There's nothing like researching and teaching in a topical area. Today we have the announcement via the NY Times that "Facebook has inadvertently exposed six million users’ phone numbers and e-mail addresses to unauthorized viewers over the last year". Ouch.

The NYT reports that
Facebook blamed the data leaks, which began in 2012, on a technical flaw in its huge archive of contact information collected from its 1.1 billion users worldwide. As a result of the problem, Facebook users who downloaded contact data for their list of friends obtained additional information that they were not supposed to have.
Facebook’s security team was alerted to the problem last week and fixed it within 24 hours. But Facebook did not publicly acknowledge the flaw until Friday afternoon, when it published a message on its blog explaining the situation.
A Facebook spokesman said the delay was because of a company procedure stipulating that regulators and affected users be notified before making a public announcement.
“We currently have no evidence that this bug has been exploited maliciously, and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing,” Facebook said on its blog.
While the privacy breach was limited, “It’s still something we’re upset and embarrassed by, and we’ll work doubly hard to make sure nothing like this happens again,” it added.
The no doubt heartfelt commitment that the problem will never ever occur again is alas very formulaic, the same sort of flannel that we see time and time again.

Reuters meanwhile reports that "The Pentagon has granted many exceptions, possibly numbering in the thousands, to allow staff members who administer secure computer networks to use flash drives and other portable storage devices".
 The exceptions to policies barring the use of such devices could make it easier for rogue employees to remove sensitive documents. But officials say waivers go to people who update software and run helpdesk services for the Pentagon's vast computer network and are needed to run the system efficiently....
Storage devices have been a concern at the Defense Department since the 2008 Buckshot Yankee incident, in which a malicious software worm known as agent.btz was uploaded to military networks by a thumb drive.
Then-Deputy Secretary Bill Lynn declassified the incident in 2010 and U.S. Cyber Command, which was established in the wake of Buckshot Yankee, banned the devices.
About that same time, according to prosecutors, Private Bradley Manning, an Army intelligence analyst, copied thousands of documents onto CDs and a digital camera card and leaked them to the anti-secrecy website WikiLeaks. ...
While use of flash drives is largely barred, exceptions are granted to systems administrators who install software and manage helpdesk services for the department's millions of computers and nearly 600,000 mobile devices in some 15,000 networked groups.
Lieutenant Colonel Damien Pickart, a Pentagon spokesman, said the department was unable to specify how many exceptions had been given because authority is delegated to smaller units within the service and is not tracked at the department level.
Given the size of the system, it could be in the thousands, he said.
Do we - and should we - care about surveillance? 'The Dangers of Surveillance' by Neil M. Richards in (2013) 126 Harvard Law Review argues that
 From the Fourth Amendment to George Orwell’s Nineteen Eighty-Four, our culture is full of warnings about state scrutiny of our lives. These warnings are commonplace, but they are rarely very specific. Other than the vague threat of an Orwellian dystopia, as a society we don’t really know why surveillance is bad, and why we should be wary of it. To the extent the answer has something to do with “privacy,” we lack an understanding of what “privacy” means in this context, and why it matters. Developments in government and corporate practices have made this problem more urgent. Although we have laws that protect us against government surveillance, secret government programs cannot be challenged until they are discovered. And even when they are, courts frequently dismiss challenges to such programs for lack of standing, under the theory that mere surveillance creates no tangible harms, as the Supreme Court did recently in the case of Clapper v. Amnesty International. We need a better account of the dangers of surveillance. 
This article offers such an account. Drawing on law, history, literature, and the work of scholars in the emerging interdisciplinary field of “surveillance studies,” I explain what those harms are and why they matter. At the level of theory, I explain when surveillance is particularly dangerous, and when it is not. Surveillance is harmful because it can chill the exercise of our civil liberties, especially our intellectual privacy. It ialso gives the watcher power over the watched, creating the the risk of a variety of other harms, such as discrimination, coercion, and the threat of selective enforcement, where critics of the government can be prosecuted or blackmailed for wrongdoing unrelated to the purpose of the surveillance. 
At a practical level, I propose a set of four principles that should guide the future development of surveillance law, allowing for a more appropriate balance between the costs and benefits of government surveillance. First, we must recognize that surveillance transcends the public-private divide. Even if we are ultimately more concerned with government surveillance, any solution must grapple with the complex relationships between government and corporate watchers. Second, we must recognize that secret surveillance is illegitimate, and prohibit the creation of any domestic surveillance programs whose existence is secret. Third, we should recognize that total surveillance is illegitimate and reject the idea that it is acceptable for the government to record all Internet activity without authorization. Fourth, we must recognize that surveillance is harmful. Surveillance menaces intellectual privacy and increases the risk of blackmail, coercion, and discrimination; accordingly, we must recognize surveillance as a harm in constitutional standing doctrine.

Touche

From 'Spying on Americans: A Very Old Story' by Aryeh Neier on the NYRB site -
There is nothing new about political surveillance. One of the early practitioners, Joseph Fouché, the chief of police in Napoleonic France, supposedly had thousands of informers who sometimes acted as agents provocateurs. It is said that, on one occasion, two of his agents, unknown to each other, attended the same meeting where each proposed various revolutionary acts. Leaving at about the same time, they are reported to have arrested each other at the foot of the stairs. Though the activities of the National Security Agency now in dispute are different than such earlier precursors, it is important to recognize that the older forms of surveillance persist.
Consider the complaint filed in a federal court today by the American Civil Liberties Union against The New York Police Department: it describes the systematic surveillance of mosques within a 250-mile radius of New York City and of at least 263 “hot spots” in New York City, such as cafés, restaurants, and bookstores owned and patronized by Muslims. The complaint also describes the ways in which the surveillance—and awareness that it is taking place—have disrupted Muslim community life in New York. New-style electronic surveillance and old-style use of informers, who may be tempted to become agents provocateurs because that is a means to penetrate groups suspected of plotting against the government, can co-exist.

Property in Gametes

'Property Rights in Human Gametes in Australia' by Vanessa White in (2013) 20(3) Journal of Law and Medicine 1 argues that
It has long been a basic tenet of the common law that there can be no property interest in human bodies or body parts. However, exceptions to the rule have been recognized from the mid-19th century and developed over time. In the early 21st century, there have been interesting developments in the common law of Australia and England; with Australian Supreme Court judges and the English Court of Appeals casting aside existing exceptions; and finding property rights in human body parts, including gametes, by relying instead on a “rational” and “logical” basis to identify property interests in human body parts.
...This article considers the above questions by tracing the development of the common law in relation to property in human body parts in England and Australia from the mid-1800s to 2011. It follows lines of English and Australian case law from a presumption against property in human bodies, to development of a "work or skill" exception to the no-property rule and finally, to the introduction of a "rational" and "logical" approach to finding property in human body parts that transcends the traditional no-property rule completely. The most recent evolution of the common law approach to finding property in human gametes was established in the English case Yearworth v North Bristol NHS Trust [2010] QB 1 and has been subsequently considered in a small number of Australian cases. This article considers and critiques the reasoning in the English and Australia cases, and finds that the development of the common law has mostly relied upon a shallow concept of property focusing on the physical qualities of preserved gametes. It concludes that finding property in preserved gametes in favour of their producer is a positive development of the law, but in future needs to be grounded in a more accurate concept of property as a relationship between legal persons with respect to an object. 
White concludes
Although recent cases in England and Australia have recognised gametes as a type of property without referring to the "no property" rule, the exact scope of the property interest in reproductive material is not entirely clear, and has been limited by the facts of the decided cases. For example, Pecar, Roche and S recognised a property interest purely for purposes of applying State Supreme Court Rules, while the posthumous estate case of Bazley recognised property in stored semen, insofar as it could be property held by a deceased estate. It was not until Yearworth that reproductive material was held to be property for purposes of a property-based claim when the English Court of Appeal found (at [60]) that "the sperm was the property of the men for the purposes of their claims in tort and … in bailment".
Recognition of robust property rights in relation to human gametes is necessary to ensure sufficient sanctions against the unauthorised storage, use and destruction of human gametes. Practically, theft is usually the only criminal charge that can be made against someone who uses or destroys human gametes without authorisation. Trespass to goods, conversion, detinue and breach of bailment serve similar practical functions in civil claims. As yet, there has been no case in Australia where a plaintiff has brought a property-based claim in relation to preserved gametes. However, given the long-standing willingness of Australian courts to push the boundaries of property rights in reproductive material, Yearworth is likely to prove persuasive, and actions in negligence and bailment may be successful.
Over the past decade, State Supreme Court judges have shown increasing willingness to advance Australia's common law by moving away from the strict "no-property" rule and recognising property in body parts, including gametes, without relying on the existing "work or skill" exception. English and Australian judges have declared both the rule and the exception "illogical" and have adopted a "commonsense" approach to finding property rights in relation to reproductive material. When deciding that human tissues, including gametes, are objects of property irrespective of whether work or skill has been applied, judgments have tended to focus on the physical characteristics of the tissue. For example, in Roche Master Sanderson stated (at [24]) that "[the] samples have a real physical presence … there is no purpose to be served in ignoring physical reality",   while in Bazley White J referred (at [33]) to the gametes' "essential characteristics as frozen semen capable of being used". In Yearworth , too, the tangible qualities of the preserved semen supported the conclusion that it was property.  This focus on the natural nature of the tissues lends itself to the "commonsense" conclusion that preserved human tissues, including gametes, are property because they are "things".  However, the physical nature of preserved human tissue is not a strong justification for recognising property rights in it, and does not provide a strong basis for differentiating gametes from other human tissues. The concept of property is an artificial means of describing the relationship between legal persons with respect to things.  Property does not exist in nature; it only exists in law.  A more satisfactory reason for conferring property rights on producers of gametes rests in the notion of property as a relationship rather than a "thing". Through this lens, property is an appropriate legal mechanism to view the right of producers of gametes to direct storage, use and destruction of their gametes, and to take legal action against anyone who stores, uses or destroys their gametes without consent. This focus on the legal nature (as opposed to the natural nature) of property was touched on in Yearworth, when the court considered that conferring property rights on the men the best way to ensure they retained control of their gametes, despite the fact they were entirely reliant on the Trust for physical storage of the gametes.  Practically, it is also crucial that property rights to gametes are conferred on the producer of the gametes, to ensure that there is always an identifiable holder of property rights.
The line of case law that has developed in Australia and England over the past two decades has realised the prediction of Rose LJ in Kelly (at 631) that "human body parts are capable of being property … even without the acquisition of different attributes, if they have a use or significance beyond their mere existence". In the case of preserved gametes, their significance lies in the potential to preserve and extend fertility in individuals who may otherwise never have a child of their own. To date, development of the common law has mostly focused on the physical nature of preserved human tissue, including gametes. In the future, a producer's property rights in their gametes may be founded on a more accurate concept of property rights as a relationship, whereby a legal nature is established independently of a physical nature.

21 June 2013

IMSW

'An evolving trade? Male sex work and the internet', an insightful doctoral dissertation [PDF] regarding the online male sex trade in Melbourne
explores the Internet's rise in popularity as a marketplace for male sex workers (MSWs). It examines the ways in which clients and workers engage with the Internet, as well as the effect(s) of this new domain upon workers and their professional encounters. The study finds that engaging in sex work is a common experience for young, attractive gay men, with many opting to offer their services (illegally) online in favour of more traditional sites (e.g. street, brothel/agency and print) due to a number of perceived advantages - such as anonymity, convenience and greater economic rewards. In turn, clients of MSWs also prefer to use the Internet for reasons pertaining to privacy and convenience. The marketing strategies employed by MSWs widely exploit stereotypes associated with (gay) masculinity in a market where visual representations of sexuality are of paramount importance. The study examines workers‟ perceptions of success. Many associate long-term success in the industry with an ability to self-monitor, allowing for the maintenance of a wealthy client base. Finally, the study investigates the key legislative and social issues that may complicate the working and personal lives of Internet-based male sex workers (IMSWs).

19 June 2013

IP and health

'Growing Conflicts Between Intellectual Property Rights and Health' by Tania Voon in (2013) 2 European Intellectual Property Review
explains a number of international developments demonstrating continuing tensions between intellectual property rights and health. In particular, it examines steps at the World Health Organization in relation to so-called 'counterfeit' medicines and the Protocol to Eliminate Illicit Trade in Tobacco Products, as well as domestic and international challenges to Australia's plain tobacco packaging law.

Dark Data Cycle

'The Dark Data Cycle: How the U.S. Government Has Gone Rogue in Trading Personal Data from an Unsuspecting Public' by Melissa Oppenheim argues that
While the historical and legal relationship in the U.S. between privacy expectations and privacy protections has remained a continuously evolving topic, this thesis demonstrates how this relationship has grown increasingly muddled since the midtwentieth century. Contrary to existing law, this thesis argues that a new phenomenon, the “Data Cycle,” has developed in the twenty-first century whereby governmental entities employ private companies as middlemen to buy and sell individuals’ data. Politicians in particular are extremely interested in obtaining information about their constituents. This thesis contends that the Data Cycle has developed due to a shift in informational power between the government and private companies, permitting the government to indirectly acquire large amounts of personal information from individuals online. Although Americans remain concerned about their waning privacy protections, individuals’ increasing addiction to the very technologies that spur the Cycle has pushed privacy to a crossroads in 2012.

Honour

Noting what's claimed to be another 'stolen honour' (aka identity crime) case in Victoria, with the Melbourne Herald Sun reporting that
a former state RSL sub-branch president who has claimed to be a war veteran for more than four decades has been charged with multiple deception offences.
69 year old  Lance Smith is alleged to have "claimed he was among the first Australian infantry to serve in Vietnam in 1965". He reportedly joined the Glenroy RSL in 1972 and resigned as the branch's president last month.

Smith reportedly faces charges of
having suspected proceeds of crime, wearing service decorations not conferred upon him, falsely representing himself to be a person upon whom Army decorations had been conferred, falsely representing himself to be a returned soldier and obtaining a financial advantage by pretending to be an RSL member".  
He had been
photographed apparently wearing a Returned from Active Service badge, issued by the Federal Government to those returning from warlike service. He was also alleged to have a set of "dog tags" - metal identification tags that soldiers wear around the neck. Searches of the national archives failed to show that the service number cited by Mr Smith had been issued by the Department of Defence, and no defence service file for someone with his name and birth date could be discovered. 
Sadly,  Smith reportedly did not provide documentation regarding his military service, instead relying on a traditional explanation in "claiming that his military record had been kept secret because he had been a witness in a case concerning stolen weapons".