30 December 2021

NFTs

'The thousand-and-second tale of NFTs, as foretold by Edgar Allan Poe' by Johanna Gibson in (2021) 11(3) Queen Mary Journal of Intellectual Property 3249–269 comments 

Everything went virtual in 2020, which may or may not have created the perfect storm for the apparent eruption of non-fungible tokens (NFTs) in the mainstream press. Of course, NFTs had been around for several years before this but, in March 2021, seemingly all of a sudden and everywhere at once, they were occupying almost the entire news cycle. Everything was NFTs, which is not bad for something that is nothing. The application of NFTs has continued with considerable momentum in recent months, with NFTs entering high-profile art markets in sales at the top auction houses, including: Christie’s, who sold Beeple, the first NFT based on an art work; Sotheby’s; and Phillips. But NFTs are now well beyond the elite world of contemporary art and moving into the mainstream consumer environments of fashion, film, music, food, publishing, and even architecture. I too am so under their spell, so to speak, that I have even minted my own NFTs into this article ... in a manner of speaking. 

The current excitement has led to a proliferation of commentary and explication (of which this is merely the thousand-and-second), articles teeming with somewhat predictably obligatory references to Walter Benjamin and the age of mechanical reproduction, frenzied denunciations of any connection between NFTs and art, money, property, and everything in between, met with an almost revelational rhetoric of reverence in their defence. The tale of NFTs is indeed an absurdist one. But it is also a tale of detection. It boils down to cryptography ... and it’s a puzzle worth solving. An absurd cryptogram? We need a cryptographer for this strange tale. And who better to ask than Edgar Allan Poe? ...

So much of the noise around NFTs is preoccupied with their perceived nothingness, faddishness, and technomancy; the apparent inconsequence and untethered explanation for their value – afloat, adrift, and unbound. At the same time, so much of the suspicion and fear betrays a certain nostalgia for traditions of ownership, property, and objects, including the traditions of intellectual property and of money. NFTs and the surrounding technology have been described variously as alchemy, snake oil and spin, and even a hoax. And far from democratizing the market, the NFT marketplace has been criticized as nothing more than a secret world of nerds, fortune-hunting, and tricks.  As well as confusion over what is being made, what is being sold, and what is being owned, cryptocurrency itself is notoriously volatile and described as a bubble or a fad, not a permanent development in representative currencies. That one of the newer cryptocurrencies is called Tether  is all too fantastically connected. Balloons and inflations, indeed. Just another block in the chain. 

But in the apparent emergence of NFTs from the elite world of art markets and into the mainstream, the tension between the original work of art and the mass production of consumer markets is persistent. What is the ‘original’ digital art to which the NFT relates, and what does owning that NFT mean? Is it originality in an idea? Is it ownership in an idea? Or is it all smoke and mirrors and nothing more than a date stamp? A contrivance of digital scarcity? Perhaps the joke is a twice-told tale, an originality in repetition, and this is where the real innovation, not only for art but also for ownership, might be found. Indeed, more than a digital provenance, or artificial scarcity, NFTs refer ownership not to the work, but to the encounter, the ritual, the communication itself. In this way, a multitude of NFTs might relate to one work, but what is repro- duced and yet produced anew each time is ownership in the original and unique encounter. In other words, the scarcity is not in the work but in each item of attention on the work. I would therefore disagree that the brand of digital scarcity created by NFTs is somehow at odds with the philosophy of the Internet. It is immaterial, quite literally, that Jack Dorsey’s tweet is still available, free as air even. NFTs place the value elsewhere, and bring res familiaris into play, a sociable property of affiliation and sympathy, as distinct from the rivalrous combat and traditional property lines of objects. As for the object, the NFT is a notice for taking; the objects proliferate because there is nothing for trade but preference. In other words, the competition is for attention – but not on the work or product amidst a sea of objects, as much as it is on the relationship between creator and buyer. Rather than scarcity, the value is generated through an abundance of encounters and an ownership of preferences: ‘This image is not an artwork, it is a description of an artwork. The artwork is how you feel when you read this’. No, an NFT is not art, at least not in the conventional, marketable sense. But the ritual may well be.

Tort, Social Justice and Feminist Theories

'Social Justice Tort Theory' by Martha Chamallas in (2021) 14(2) Journal of Tort Law comments 

Alongside the dominant law and economics and corrective justice approaches to tort law, a new genre of tort theory based on principles and perspectives of social justice has come into its own and deserves recognition. Social justice tort theory starts from the premise that tort law reflects and reinforces systemic forms of injustice in the larger society and maintains that the compensatory ideal of tort law cannot be extricated from these larger systems. It is multi-dimensional and intersectional, recognizing that the impact of injury lands intersectionally, sometimes changing the intensity of the injury or distorting the nature of the injury. Social justice tort scholars have examined torts in gendered and racialized contexts, as well as in ordinary cases that seem to have little to do with systemic injury. In addition to feminist and critical race theory, they have borrowed from critical disability studies, queer theory and political economy. Their work demonstrates how tort law unfairly distributes damages, fails to provide adequate relief for victims of sexual assault or for people who suffer racial insult and discrimination, and erases maternal and reproductive harms. In their work, we can see common deconstructive moves (an emphasis on disparate impacts and devaluation; a teasing out of cognitive bias; and a critique of exceptionalism in tort doctrine) as well as guiding principles for reconstruction (incorporating victims’ perspectives; treating boundaries between civil rights law and tort law as permeable; and enhancing dignity and recognition).

Her 'Race and Tort Law' in Khiara Bridges, Devon Carbado and Emily Houh (eds) Oxford Handbook on Race and the Law in the United States comments 

Although Richard Delgado published the first critique of tort law from a critical race perspective in 1982, the role of race remains undertheorized in torts scholarship and torts theory, taking a back seat to the dominant approaches that rarely mention race or other social identities. This leave the misimpression that tort law is race-neutral and bears little connection to constitutional or civil rights law, where issues of racial justice are more frequently analyzed and debated. 

This chapter contests that conventional wisdom and demonstrates that the shape of contemporary tort law has been affected by the social identities of the parties and cultural views on race and ethnicity. The significance of race is not confined to a particular doctrinal area but crops up in intentional tort, negligence and strict liability cases and spills over into debates about the proper measure of damages. It enters tort law through a variety of pathways, sometimes explicitly, but more often the influence of race is beneath the surface and can be gleaned only by looking closely at judicial rhetoric or at implicitly biased assumptions relied on by judges and juries. 

This overview of the contemporary “race and torts” legal landscape borrows frames from critical race and interdisciplinary scholarship to organize the key cases, issues and debates into four, somewhat overlapping categories: (1) racial discrimination, harassment and insult; (2) stereotyping and racialized contexts; (3) racial devaluation; and (4) racially disparate effects. The portrait that emerges is of a flawed system that tends to reproduce rather than ameliorate racialized harms, while never quite losing its potential to change course and advance racial justice.

'Law and Economics Against Feminism' by Martha T McCluskey in Deborah L Brake, Martha Chamallas and Verna L Williams (eds) Oxford Handbook of Feminism and Law in the United States comments 

 This chapter analyzes feminism in legal theory in relation to the rise of “law and economics” during the late twentieth century. Building on other accounts, I trace how non-academic organizations invested heavily in developing and institutionalizing law and economics as a seemingly neutral methodology that could build academic credibility for anti-egalitarian ideology and legal change. Further, the chapter explains how the substance of this law and economics fundamentally undermines feminism in law by constructing the economy as a sphere best insulated from contested morality and politics. The central law and economics division between seemingly objective economic maximizing and subjective social distribution puts feminist law in a double bind, naturalizing a gendered baseline that generally makes feminist reforms appear costly, unfair, or ineffective. This core conceptual move closes off feminist legal efforts to question and redefine what counts as productive, legitimate economic gain. 

Finally, I explore how this core division of law and economics constructs an idea of liberty that makes feminist efforts to remedy gender-based harms appear illegitimate and oppressive. Law and economics identifies freedom with an economy imagined to remove individual self-interested choices from public support or accountability. That ideal of freedom closes off analysis of how law’s gendered assumptions and unequal protections pervasively limit individual agency and meaningful choice in the economy and in society. Law and economics cuts against legal feminism not because gender justice is a non-economic goal, but because law and economics promotes a misleading economic ideology steeped in gender and tilted toward those most willing and able to disregard and discount others’ well-being.

'Liberal Feminist Jurisprudence: Foundational, Enduring, Adaptive' by Linda C McClain and Brittany Hacker in the same volume comments 

Liberal feminism remains a significant strand of feminist jurisprudence in the U.S. Rooted in 19th and 20th century liberal and feminist political theory and women’s rights advocacy, it emphasizes autonomy, dignity, and equality. Liberal feminism’s focus remains to challenge unjust gender-based restrictions based on assumptions about men’s and women’s proper spheres and roles. Second wave liberal legal feminism, evident in Ruth Bader Ginsburg’s constitutional litigation, challenged pervasive sex-based discrimination in law and social institutions and shifted the Supreme Court’s interpretation of the Equal Protection Clause to a more skeptical review of gender-based classifications. Liberal feminists have developed robust conceptions of autonomy, liberty, privacy, and governmental obligations to promote gender equality, including in the family. Addressing internal feminist critiques, liberal feminism shows the capacity to evolve. Maintaining its focus on disrupting traditionally-conceived gender roles and fostering meaningful autonomy, it adopts more complex, nuanced discourse about sex, gender, and the gender binary and embraces new demands for inclusion and equality.

'Sex-Positive Feminism's Values in Search of the Law of Pleasure' by Susan Frelich Appleton in the same volume comments 

In challenging traditional stereotypes of female sexualities centered on passivity, subordination, harm, and repronormativity, sex-positive feminism’s proponents criticize legal feminism generally for undervaluing women’s pleasure, which they celebrate. Yet these proponents often struggle with charting a supportive and affirmative course for law and legal institutions, which have long fostered sex negativity. 

This essay proceeds in three parts. Part I identifies sex positivity not as a distinct theory but rather as a thread that runs through multiple iterations and eras of feminisms, sometimes expressly and at other times latently, as a potential answer to criticisms and problems. Along the way, this Part demonstrates the importance of power and power disparities in sex-positive feminism and the role of gender. Part II turns to the place of law and legal institutions in sex-positive feminism, juxtaposing prevailing critiques of law’s sex negativity with promising opportunities for change. Part III continues on this note of optimism, consulting popular culture for possibilities to support a more fully developed sex-positive and feminist legal regime.

29 December 2021

Identity and Indigenous Knowledge

'Indigenous Knowledge in a Postgenomic Landscape: The Politics of Epigenetic Hope and Reparation in Australia' by Megan Warin, Emma Kowal and Maurizio Meloni in (2020) 45(1) Science, Technology, & Human Values 87-111 comments 

 A history of colonization inflicts psychological, physical, and structural disadvantages that endure across generations. For an increasing number of Indigenous Australians, environmental epigenetics offers an important explanatory framework that links the social past with the biological present, providing a culturally relevant way of understanding the various inter-generational effects of historical trauma. In this paper, we critically examine the strategic uptake of environmental epigenetics by Indigenous researchers and policy advocates. We focus on the relationship between epigenetic processes and Indigenous views of Country and health—views that locate health not in individual bodies but within relational contexts of Indigenous ontologies that embody interconnected environments of kin/animals/matter/ bodies across time and space. This drawing together of Indigenous experience and epigenetic knowledge has strengthened calls for action including state-supported calls for financial reparations. We examine the consequences of this reimagining of disease responsibility in the context of “strategic biological essentialism,” a distinct form of biopolitics that, in this case, incorporates environmental determinism. We conclude that the shaping of the right to protection from biosocial injury is potentially empowering but also has the capacity to conceal forms of governance through claimants’ identification as “damaged,” thus furthering State justification of biopolitical intervention in Indigenous lives. 

It is well-documented that Indigenous peoples around the world have con- sistently rejected genetic research for ethical, cultural, and political reasons (Reardon and TallBear 2012; Kowal 2016). Genetic research conducted on “socially identifiable” populations can reinforce essentialist biological con- cepts of race (Foster, Bernsten, and Carter 1998; Tsosie 2007), and Indigenous populations have raised concerns over issues of consent, cultural ownership, the use (and abuse) of DNA and other bodily products, and the many differences between scientific and Indigenous understandings of bod- ies and kinship (Dodson and Williamson 1999; Reardon 2005; TallBear 2007; Garrison 2013; Hook 2009). In Australia, these concerns occur in a historical context where Indigenous people have been the focus of biologi- cal research that supported scientific claims of inferiority, the “doomed race” theory, and, later, policies of assimilation that removed children of “mixed” ancestry from their families (Anderson 2002; Human Rights and Equal Opportunity Commission [HREOC] 1997; McGregor 1997). Due to this fraught history, Indigenous Australians have, until recently, remained cautious about genetic and genomic research, and so very limited research has been conducted in this population (Kowal 2013). 

In sharp contrast to this resistance to genetic research, the recent rise of epigenetics has been embraced by Indigenous peoples in Australia, New Zealand, Canada, and the United States. Over the last five to ten years, there has been a remarkable increase in the use of environmental epigenetics1 as an explanatory framework that draws upon the relationship between biological mechanisms and social lives to understand ongoing intergenerational Indi- genous disadvantage and ill-health (Kowal 2016; Kowal and Warin 2018). Aboriginal and Torres Strait Islander Australians (hereafter Indigenous Australians) remain the least healthy population group in Australia (Australian Institute of Health and Welfare 2015), and it is well-documented that rapid cultural destruction, coupled with decades of slow violence in the form of government policies and marginalization from mainstream society, is to blame (Atkinson, Nelson, and Atkinson 2010; Boulton 2016). 

This paper argues that the uptake of Indigenous epigenetics in Australia points to a “political economy of hope” among those that produce and consume biological knowledge (Rose and Novas 2005; Petersen 2015). In this variation of Rose and Novas’s concept, biology is no longer a blind destiny but mutable, improvable, and potentially reversible. Epigenetics introduces a distinctive pathway to this view of the biological as a hopeful domain open to environmental and structural intervention and manipulation, a pathway that expands the potential sources and mechanisms of intervention in Indigenous people’s lives. 

We begin our exploration into this particular bioeconomy of hope with a vignette describing an event where a prominent Indigenous academic used the concept of epigenetics to frame Aboriginal health in an optimistic light (in comparison to the negative framing of “deficit discourse,” Fogarty et al. 2018). This framing is paradigmatic of the collective narrative of hope, co-constituted by Indigenous histories, environmental epigenetics, and health that we examine in this paper. 

Following a description of the study, we broaden the argument by describing how the molecular embodiment of colonial oppression provides a biological explanation for the intergenerational transmission of historical trauma. Moreover, we suggest that epigenetics is an appealing conduit for this discourse as it reconfigures singular and bounded concepts of the environment and personhood toward more dynamic and relational models. For many Indigenous people, personhood is not located in individuals but known in relation to other persons, Country, and across time and space. Epigenetics appears to correspond to Indigenous aspirations, to foster legal and human rights, and to reflect Indigenous knowledges. Thus, in the context that we write about, dominant (and counterhegemonic) Indigenous conceptions of personhood align with epigenetics and reinforce each other. As we explore, epigenetics is used in specific ways in the biopolitical economy of hope surrounding Indigenous health discourses. The uncertainty of the science, particularly surrounding the reversibility of epigenetic changes and their transgenerational inheritance, is, however, generally overlooked. The alignment of epigenetics and Indigenous knowledge is therefore provisional, dependent on features of human epigenetic change and inheritance that are not yet clear in the scientific literature. 

In the final sections, we question whether the humanitarian usage of epigenetics to reinforce notions of acquired multigenerational bio-injury as a platform for political reparations may give rise to new forms of biole- gitimacy (Fassin 2000, 2009) in which the epigenetic body is used as an historical testimony of colonial violence. 

In our argument, we coin the term strategic biological essentialism to understand the biological turn in the representation of Indigenous rights. Strategic essentialism, a term attributed to Spivak, describes the process by which a minority group represents particular qualities as (culturally or biologically) inherent to the group in order to foster claims for social justice and rights. A strategically essentialist claim strategically overlooks the fact that qualities (e.g., connection to land or vulnerability to the state) are not homogenously shared across groups: qualities are represented as inherent in what Spivak ([1985] 1996) describes as “a scrupulously visible political interest” (p. 214). In the case of Indigenous epigenetics, we point to the limitations of strategic biological essentialism. Enacting forms of citizenship through identification with a history of biosocial deprivation may not only lead to intensified biopolitical attention from the State but also consolidate quasi- essentialist notions of specific biological difference among certain popula- tions seen as epigenetically different (e.g., with distinctive methylation profiles as a result of their prolonged exposures to pathogenic environ- ments, Mansfield 2012, 2017; Meloni 2016). In conclusion, we argue that while epigenetics offers a bioeconomy of hope that the effects of settler colonialism can be recognized and reversed, the conjunction of epigenetics and Indigenous knowledges may lead to new forms of biolegitimacy that reproduce essentialisms.

24 December 2021

Health Data Sharing

Share, but respectfully and with conditions. That's one conclusion from 'Patients’ and public views and attitudes towards the sharing of health data for research: a narrative review of the empirical evidence' by Shona Kalkman, Johannes van Delden, Amitava Banerjee, Benoît Tyl, Menno Mostert and Ghislaine van Thiel in (2021) 48(1) Journal of Medical Ethics, abstracted as 

Introduction International sharing of health data opens the door to the study of the so-called ‘Big Data’, which holds great promise for improving patient-centred care. Failure of recent data sharing initiatives indicates an urgent need to invest in societal trust in researchers and institutions. Key to an informed understanding of such a ‘social license’ is identifying the views patients and the public may hold with regard to data sharing for health research.  We performed a narrative review of the empirical evidence addressing patients’ and public views and attitudes towards the use of health data for research purposes. The literature databases PubMed (MEDLINE), Embase, Scopus and Google Scholar were searched in April 2019 to identify relevant publications. Patients’ and public attitudes were extracted from selected references and thematically categorised. Twenty-seven papers were included for review, including both qualitative and quantitative studies and systematic reviews. Results suggest widespread—though conditional—support among patients and the public for data sharing for health research. Despite the fact that participants recognise actual or potential benefits of data research, they expressed concerns about breaches of confidentiality and potential abuses of the data. Studies showed agreement on the following conditions: value, privacy, risk minimisation, data security, transparency, control, information, trust, responsibility and accountability. Our results indicate that a social license for data-intensive health research cannot simply be presumed. To strengthen the social license, identified conditions ought to be operationalised in a governance framework that incorporates the diverse patient and public values, needs and interests.

 The authors argue 

Large-scale, international data sharing opens the door to the study of so-called ‘Big Data’, which holds great promise for improving patient-centred care. Big Data health research is envisioned to take precision medicine to the next level through increased understanding of disease aetiology and phenotypes, treatment effects, disease management and healthcare expenditure.  However, lack of public trust is proven to be detrimental to the goals of data sharing. The case of care.data in the UK offers a blatant example of a data sharing initiative gone awry. Criticism predominantly focused on limited public awareness and lack of clarity on the goals of the programme and ways to opt out. Citizens are becoming increasingly aware and critical of data privacy issues, and this warrants renewed investments to maintain public trust in data-intensive health research. Here, we use the term data-intensive health research to refer to a practice of grand-scale capture, (re)use and/or linkage of a wide variety of health-related data on individuals. 

Within the European Union (EU), the recently adopted General Data Protection Regulation (GDPR) (EU 2016/679) addresses some of the concerns the public may have with respect to privacy and data protection. One of the primary goals of the GDPR is to give individuals control over their personal data, most notably through consent. Other lawful grounds for the processing of personal data are listed, but it is unclear how these would exactly apply to scientific research. Legal norms remain open to interpretation and thus offer limited guidance to researchers. In Recital 33, the GDPR actually mentions that additional ethical standards are necessary for the processing of personal data for scientific research. This indicates a recognised need for entities undertaking activities likely to incite public unease to go beyond compliance with legal requirements. Complementary ethical governance then becomes a prerequisite for securing public trust in data-intensive health research. 

A concept that could be of use in developing ethical governance is that of a ‘social license to operate’. The social license captures the notion of a mandate granted by society to certain occupational groups to determine for themselves what constitutes proper conduct, under the condition that such conduct is in line with society’s expectations. The term ‘social license’ was first used in the 1950s by American sociologist Everett Hughes to address relations between professional occupations and society. The concept has been used since to frame, for example, corporate social responsibility in the mining industry, governance of medical research in general and of data-intensive health research more specifically. As such, adequate ethical governance then becomes a precondition for obtaining a social license for data sharing activities. 

Key to an informed understanding of the social license is identifying the expectations society may hold with regard to sharing of and access to health data. Here, relevant societal actors are the subjects of Big Data health research, constituting both patients and the general public. Identification of patients’ and public views and attitudes allows for a better understanding of the elements of a socially sanctioned governance framework. We know of the existence of research papers that have captured these views using quantitative or qualitative methods or a combination of both. So far, systematic reviews of the literature have limited their scope to citizens of specific countries, qualitative studies only or the sharing of genomic data. Therefore, we performed an up-to-date narrative review of both quantitative and qualitative studies to explore predominant patient and public views and attitudes towards data sharing for health research.

In discussing Conditions for sharing the authors comment 

Widespread willingness to share data for health research very rarely led to participants’ unconditional support. Studies showed agreement on the following conditions for responsible data sharing: value, privacy, minimising risks, data security, transparency, control, information, trust, responsibility and accountability. 

Value 

One systematic review found that participants found it important that the research as a result of data sharing should be in the public’s interest and should reflect participants’ values.  The NICE Citizens Council advocated for appropriate systems and good working practices to ensure a consistent approach to research planning, data capture and analysis. 

Privacy, risks and data security 

The need to protect individuals’ privacy was considered paramount and participants often viewed deidentification of personal data as a top privacy measure. One survey among US patients with cancer found that only 20% (n=228) of participants found linkage of individuals with their deidentified data acceptable for return of individual health results and to support further research. Secured access to databases was considered an important measure to ensure data security in data sharing activities. A systematic review of participants’ attitudes towards data sharing showed that people established risk minimisation as another condition for data sharing. Findings by Mazor et al suggest that patients only support studies that offer value and minimise security risks. 

Transparency and control 

Conditions regarding transparency were information about how data will be shared and with whom, the type of research that is to be performed, by whom the research will be performed, information on data sharing and monitoring policies and database governance, conditions framing access to data and data access agreements, and any partnerships with the pharmaceutical industry. More generally, participants expressed the desire to be involved in the data sharing process, to be notified when their data are (re)used and to be informed of the results of studies using their data. Spencer et al identified use of an electronic interface as a highly valued means to enable greater control over consent choices. When asked about the use of personal data for health research by the NHS, UK citizens were typically willing to accept models of consent other than the ones they would prefer. Acceptance of consent models with lower levels of individual control was found to be dependent on a number of factors, including adequate transparency, control over detrimental use and commercialisation, and the ability to object, particularly to any processing considered to be inappropriate or particularly sensitive. 

Information and trust 

One systematic review identified trust in the ability of the original institution to carry out the oversight tasks as a major condition for responsible data sharing. Appropriate education and information about data sharing was thought to include public campaigns to inform stakeholders about Big Data and information communicated at open days of research institutions (such as NICE) to ensure people understand what their data are being used for and to reassure them that personal data will not be passed on or sold to other organisations. The informed consent process for study participation was believed to include information about the fact that individuals’ data could potentially be shared, the objectives of data sharing and (biobank) research, the study’s data sharing plans, governance structure, logistics and accountability. 

Responsibility and accountability 

Participants often placed the responsibility for data sharing practices on the shoulders of researchers. Secondary use of data collected earlier for scientific research was viewed to require a data access committee that involves a researcher from the original research project, a clinician, patient representative and a participant in the original study.  Researchers of the original study were required to monitor data used by other researchers. In terms of accountability, patient and public groups in Italy (n=280) placed high value on sanctions for misuse of data. Information on penalties or other consequences of a breach of protection or misuse was considered important by many. Discussion In this study, we narratively reviewed 27 papers on patients’ and public views on and attitudes towards the use of health data for scientific research. Studies reported a widespread—though conditional—support for the linkage and sharing of data for health research. The only outlier seems to be the finding that just over half (n=25) of the NICE Citizens Council answered ‘no’ to the question whether they had any concerns if NICE used anonymised data to fill in the gaps if NICE was not getting enough evidence in ‘the usual ways’. However, we hasten to point out that the question about willingness to share is different from the question whether people have concerns or not. In addition, after a 2-day discussion meeting Council members were perhaps more sensitised to the potential concerns regarding data sharing. Therefore, we suggest that the way and context within which questions are phrased may influence the answers people give. 

Overall, people expressed similar motivations to share their data, perceived similar benefits (despite some variation between patients and citizens), yet at the same time displayed a range of concerns, predominantly relating to confidentiality and data security, awareness about access and control, and potential harms resulting from these risks. Both patient and public participants conveyed that certain factors would increase or reduce their willingness to have their data shared. For example, the presence of privacy-protecting measures (eg, data deidentification and the use of secured databases) seemed to increase willingness to share, as well as transparency and information about data sharing processes and responsibilities. The identified views and attitudes appeared to come together in the conditions stipulated by participants: value, privacy and confidentiality, minimising risks, data security, transparency, control, information, trust, responsibility and accountability. 

In our Introduction, we mentioned that identifying patients’ and public views and attitudes allows for a better understanding of the elements of a socially sanctioned governance framework. In other words, what work should our governance framework be doing in order to obtain a social license? This review urges researchers and institutions to address people’s diverse concerns and to make an effort to meet the conditions identified. Without these conditions, institutions lack trustworthiness, which is vital for the proceedings of medicine and biomedical science. As such, a social license is not a ‘nice to have’ but a ‘need to have’. Our results also confirm that patients and the public indeed care about more than legal compliance alone, and wish to be engaged through information, transparency and control. This work supports the findings of a recent systematic review into ethical principles of data sharing as specified in various international ethical guidelines and literature.  What this body of research implies is considerable diversity of values and beliefs both between and within countries.   

The goal of this narrative review was to identify the most internationally dominant, aggregated patient and public views about the broad topic of data sharing for health research. We deliberately opted for the methodology of a narrative review rather than a systematic review. Most narrative reviews deal with a broad range of issues to a given topic rather than addressing a particular topic in depth.  This means narrative reviews may be most useful for obtaining a broad perspective on a topic, and that they often are less useful in generating quantitative answers to specific clinical questions. However, because narrative reviews do not require specification of the search and selection strategy and the way of critically appraising literature can be variable, the connection between evidence generated by narrative reviews and (clinical) recommendations is less rigorous and risk of bias exists. This is something to take into account in this study. A risk of bias assessment was not possible due to the heterogeneity of the findings. We acknowledge that our methodological choices may have affected the discriminative power or granularity of our findings. For example, there is a difference between sharing of routinely collected health data versus secondary use of health data collected for research purposes. And we can only make loose assumptions about potential differences between patient and public views. 

In addition, we should mention that this work is centred around studies conducted in Western countries as the whole Big Data space and literature is dominated by Western countries, higher socioeconomic status and Caucasians. However, most of the disease burden globally and within countries is most probably not represented in the ‘Big Data’ and so we have to stress the lack of generalisability to large parts of the world. 

Nevertheless, we believe our findings point towards essential elements of a governance framework for data sharing for health research purposes. If we are to conclude that the identified conditions ought to act as the pillars of a governance framework, the next step is to identify how these conditions could be practically operationalised. For example, if people value information, transparency and control, what type of consent is most likely to valorise these conditions? And what policy for returning research results would be desirable? Once we know what to value, we can start thinking about the ways to acknowledge that value. A new challenge arising here, however, is what to do when people hold different or even conflicting values or preferences. Discrete choice experiments could help to test people’s preferences regarding specific topics, such as preferred modes of informed consent. Apart from empirical work, conceptual analysis is needed to clarify how public trust, trustworthiness of institutions and accountability are interconnected.

22 December 2021

Fake COVID Certs

Another instance of fake vax certificates in Mr David Brownbill v O&M Pty Ltd [2021] FWC 6635, with the Fair Work Commission noting that on 8 December Brownbill made an application to the Commission under section 526 of the Fair Work Act 2009 (Cth) alleging he had been unlawfully stood down from employment with O&M Pty Ltd. 

The hearing was via Microsoft teams. O&M raised the question of Brownbill’s COVID-19 vaccination status, arguing that Brownbill was a casual employee, Brownbill had not been stood down and that as result of a Direction of the state's Acting Chief Health Officerit could not place its employees on a certain client site unless they had proof of vaccination or a first vaccination dose or had a booking to receive a first vaccination dose. O&M asserted that Brownbill had not supplied the requisite proof; accordingly it was unable to use his services from 14 October 2021. 

[3] During the conference, it was asserted by Mr Brownbill that he had supplied proof of having been vaccinated to the Company on 22 November 2021. The Company held some concerns about the vaccination certificate produced by Mr Brownbill. I requested a copy of the email Mr Brownbill had sent to the Company on 22 November 2021. It was provided. 

[4] The email dated 22 November 2021 contained within it the following hyperlink: [omitted here] 

[5] Having clicked on the hyperlink, it appeared to me that the means by which the vaccination certificate had been procured by Mr Brownbill may have been fraudulent and that the certificate he produced may be a fraud. 

[6] I expressed this view to the parties. 

[7] If the vaccination certificate is a fraud and has been fraudulently obtained via an illegitimate hyperlink on the internet, this would be a matter of extremely serious public policy concern. I invite the relevant public authorities to investigate further. 

[8] During a further exchange with Mr Brownbill about a separation certificate he says he was sent to him by the Company, he terminated his involvement in the conference by stating: “[expletive], I’m not wasting any more time with you corrupt idiots.” 

Brownbill left the conference.  

[9] From this, I have taken Mr Brownbill to have discontinued his application pursuant to Rule 10(2)(c) of the Fair Work Commission Rules 2013. The Commission’s file will now be closed.

The 'gimme a fake vax cert' site states "Welcome to the Medicare vaccine pass generator. Please input the data needed to make the pass here", with users needing to input their name and date of birth and fake vaccination details, alongside guidance (“Make sure your dose dates add up. Remember, 12 weeks between AZ and 5 (give or take 1) between Pfizer") about how to make the fake certificate appear more authentic.

'COVID-19 Vaccination Certificates in the Darkweb: A Preprint' by Dimitrios Georgoulias, Jens Myrup Pedersen, Morten Falch and Emmanouil Vasilomanolakis comments 

COVID-19 vaccines have been rolled out in many countries and with them a number of vaccination certificates. For instance, the EU is utilizing a digital certificate in the form of a QR-code that is digitally signed and can be easily validated throughout all EU countries. In this paper, we investigate the current state of the COVID-19 vaccination certificate market in the darkweb with a focus on the EU Digital Green Certificate (DGC). We investigate 17 marketplaces and 10 vendor shops, that include vaccination certificates in their listings. Our results suggest that a multitude of sellers in both types of platforms are advertising selling capabilities. According to their claims, it is possible to buy fake vaccination certificates issued in most countries worldwide. We demonstrate some examples of such sellers, including how they advertise their capabilities, and the methods they claim to be using to provide their services. We highlight two particular cases of vendor shops, with one of them showing an elevated degree of professionalism, showcasing forged valid certificates, the validity of which we verify using two different national mobile COVID-19 applications. 

The darkweb has been actively serving as a platform where cybercriminals can carry out their operations, since the founding of the Farmer’s Market (2010) (18) and Silk Road (2011) (4). Both of these marketplaces, operated via Tor hidden services, which is still the most popular anonymization network to this day. While these marketplaces started off with a heavy focus on drugs, though the years such platforms have evolved, providing a large variety of products and services (e.g. firearms, botnet services, malware, stolen bank credentials). The COVID-19 pandemic has had a great impact on millions of people around the globe, affecting many different aspects of their lives. In order to reverse the worldwide disruption that the virus has caused, vaccines were developed, aiming towards protecting the population and halting the spread of the virus. 

Trading platforms on the darkweb were very quick to take advantage of the pandemic situation. Vendors started offering vaccines on several marketplaces, or on their own independent vendor shops (2). After the vaccine development, the next step was monitoring the vaccination status of the population, which was achieved through the issuance of vaccination certificates, in physical or digital form. In several countries, not being vaccinated is bound to cause implications in people’s social and work life, often excluding them from some activities, and making daily tasks harder to carry out. For example, the non-vaccinated population needs COVID tests frequently, might be denied indoor access to restaurants, or have challenges while traveling. Since vaccinations can play such an important role in certain countries, a new market has emerged on the darkweb. Marketplaces and vendor shops are currently offering both physical and digital certificates, from a variety of countries, or fake PCR test results as an alternative, with non-vaccinated people as the target client group. Individuals that do not wish to be vaccinated, but want the convenience of owning a vaccination certificate, can visit the darkweb and purchase one on a number of different platforms. 

In this paper, we focus on the COVID-19 vaccination certificate darkweb market, with an emphasis on the EU Digital Green Certificate (DGC). We investigate 17 marketplaces and 10 vendor shops that list physical or digital proofs of vaccination as available products, with the purpose of documenting the different aspects that compose this specific type of illegal trading. This includes elements such as countries of origin, countries that the certificate is valid in, shipping, means of communication with the vendors, as well as how these items find their way to the sellers. We then demonstrate examples of such sellers and emphasize on two interesting cases in which the vendors provide valid EU digital certificates as proof of their service’s legitimacy. Notably, one of the shops presents a very high degree of professionalism. We confirm the validity of these certificates, and examine their details. 

The remainder of this paper is structured as follows. In Section 2, we give an overview of the methods used to carry out our research for the purposes of this paper. Section 3 provides background information on the issuance and the verification of vaccination certificates, and discusses the related work. In Section 4, we dive into the mapping of the certificate market of the darkweb. Section 5 is dedicated to investigating the legitimacy of the listings we found. Lastly, Section 6 concludes this paper.

21 December 2021

Copyright Reform

Just in time for Christmas (amid a tsunami of other consultations) the government has released a discussion paper on the Exposure Draft Copyright Amendment (Access Reform) Bill 2021 and on the Review of Technological Protection Measures Exceptions. Submissions are due 11 February. 

The discussion paper indicates that the Exposure Draft of the Copyright Amendment (Access Reform) Bill 

 aims to simplify and update provisions of the Copyright Act 1968 (the Act) to better support the needs of Australians accessing content in the digital environment. The Bill builds on the Copyright Amendment (Disability Access and Other Measures) Act 2017 and the Copyright Amendment (Service Providers) Act 2018 by providing reasonable and practical measures that reflect contemporary use of copyright material in the public interest, while maintaining appropriate protections and incentives for content creators. The Government has released the Bill, and this discussion paper, so that interested individuals and organisations can have their say on these proposed reforms. The Government is also conducting a review of the technological protection measure (TPM) exceptions in section 40 of the Copyright Regulations 2017

It states that the Australian copyright framework

has been subject to extensive review over recent years. These reviews have assessed how copyright is adapting to the modern challenges of evolving technology, changing consumer usage patterns and broader global trends. They have consistently highlighted the need for a more flexible and adaptive framework to facilitate access to, and dissemination of, creative content in the digital environment. Copyright law is essential in incentivising creators and their industries to produce Australian content and receive payment for their creativity. At the same time, allowing reasonable access to that creative content is critical to enhance learning and Australian culture, and driving new creativity and innovation. The Act seeks to balance the rights of copyright owners to manage and protect their content with the public interest to access that content. It is also important that the Act gives creators, copyright owners and users certainty about the scope of rights and the permissible use of copyright material. A key issue is how to introduce more flexibility in the Act to allow clear and reasonable access to content in the public interest in an increasingly digital world, while maintaining appropriate safeguards to protect copyright owners’ commercial interests.

The Productivity Commission’s 2016 Intellectual Property Arrangements inquiry and Australian Law Reform Commission’s 2013 Copyright and the Digital Economy inquiry recommended adopting a broad ‘fair use’ copyright exception to replace Australia’s narrower, purpose-based ‘fair dealing’ exceptions and some other specific exceptions. 

A ‘fair use’ system (such as in the United States) is a principles-based system that allows the use of copyright material if it is ‘fair’. By contrast, a ‘fair dealing’ exception regime allows the use of copyright material for certain purposes specified in the legislation. Proponents of fair use argue that it is a more flexible legal tool, capable of accommodating new and valuable fair uses of copyright material without waiting for legislative change. The PC inquiry overlapped with copyright reforms that were already being developed by the Government. These reforms resulted in the Copyright Amendment (Disability Access and Other Measures) Act 2017 that improved the workability of the Act for the disability, library and archives, and education sectors and included:

• technology neutral exceptions that facilitate access to copyright material for people with a disability, on par with the general community • updated preservation provisions for libraries and archives and other key cultural institutions • new standard terms of copyright protection for works, sound recordings and films, including unpublished material, and • streamlined education statutory licence.

The Government response to the PC inquiry flagged that further consultation was necessary for certain recommendations given the complexity of the issues and different approaches available to address them. The Government’s subsequent Copyright modernisation consultations held in 2018 sought views on flexible copyright exceptions such as fair use and extended fair dealing exceptions; access to ‘orphan works’ (where the copyright owner cannot be found); and ‘contracting out’ of exceptions. ... 

The Copyright modernisation consultations highlighted that there is no clear case to move to a broad, principles based ‘fair use’ system. Stakeholders’ views remained polarised, and the evidence base for broader reform was not clear. A change to fair use would represent a significant departure from Australia’s current copyright system of fair dealing and specific exceptions. It would risk introducing ambiguity or uncertainty, which may be difficult and costly to resolve, and in some cases lead to litigation or people simply abandoning use of creative content. While there is no uniform international approach, the large majority of countries rely on copyright frameworks that include exceptions similar to Australia, rather than fair use. 

The Government has chosen, at this time, to undertake more specific, targeted reforms to the existing exceptions framework. This framework recognises that certain reasonable uses of copyright material in the public interest should be permitted without the consent of, or payment of money to, the copyright owner. ... incremental reform to this existing exceptions framework would avoid significant disruption to copyright owners’ commercial markets that sweeping reforms may cause. 

Shift in the digital landscape 

In recent years, the digital landscape has changed significantly with the rise of multinational digital platforms, driven by user-generated content. The Australian Competition and Consumer Commission’s 2019 Digital Platforms Inquiry final report reinforced copyright owners’ concerns that broad flexible exceptions could potentially result in content being exploited by digital platforms for commercial gain. At the same time, the access issues identified by the Government’s Copyright modernisation consultations, the PC inquiry and the ALRC inquiry remained. This COVID-19 pandemic has further highlighted these access issues, with the need for an urgent transition to widespread online and remote learning, and many public institutions having to move their services online. ... 

The reforms in the Bill target those sectors that serve important public interests, including the cultural, education, research and government sectors. It will make sure that they can provide their services effectively and efficiently in an increasingly digital environment and, in doing so, enhance access to the wider community. Recognising too the importance of copyright law in incentivising creators and their industries to produce Australian content and receive payment for their creativity, these reforms have been designed in a way to minimise the commercial impacts on copyright owners. For the most part, the reforms relate to non commercial use of copyright material or use that has a limited impact on the commercial market for the material. 

Open up access to ‘orphaned’ material 

Orphan works (copyright material where the copyright owner cannot be found), can be of great cultural, social or educational value but are generally underused. Many copyright owners cannot be identified or contacted to permit the use of material, even after time consuming and costly searches. This is a significant issue for Australia’s cultural institutions, as they hold huge amounts of orphaned material in their collections. There is a reluctance to use or allow others to access orphan works as there remains a risk the copyright owner could emerge and claim compensation for use of the material, or object to its use altogether. This could result in any new material that uses the orphan work being destroyed, withdrawn or modified at significant expense. 

Reduce time, costs and uncertainty of quotation for academics and researchers 

Seeking clearances of quotes of copyright material in publications and presentations, particularly when multiple copyright owners are involved, can represent a significant and disproportionate time and cost burden for academics, universities, libraries and archives and researchers. This can sometimes result in academics and researchers abandoning the use of material or risking using unlicensed material in their works. 

More certainty and efficiencies for cultural, education and government sectors 

The current copyright exceptions available to cultural and educational institutions, and the government statutory licensing scheme, originated in a paper-based era. Many provisions are outdated, narrow and overly prescriptive. This creates uncertainty and exposes our public sectors to a higher risk of legal liability, and imposes significant administrative burden. Many of the reforms aim to provide reasonable and practical measures to allow the use of copyright material fit for a contemporary digital-based society, and improve efficiencies.

The paper features the following questions - 

Q 1.1: Orphan works: Application to Copyright Tribunal to fix reasonable terms 

Part 11, Division 3 of the Copyright Regulations 2017 sets out the matters to be included in particular kinds of applications and references to the Copyright Tribunal. What matters do you consider should be included in an application to the Tribunal to fix reasonable terms for ongoing use of a former orphan work? 

Q 2.1: Quotation: Unpublished material 

Should the proposed new quotation fair dealing exception in section 113FA extend to the quotation of unpublished material or categories of unpublished material? 

Q 3.1: Libraries and archives: Online access - ‘Reasonable steps’ 

For the purposes of new paragraph 113KC(1)(b), what measures do you consider should be undertaken by a library or an archives to seek to limit wider access to copyright material when made available online? 

Q 3.2: Libraries and archives: Illustrations 

Does proposed new section 113KK, which replaces and simplifies current section 53 but is not intended to make any substantive changes to that section, adequately cover all of the matters set out in current section 53 or are there some potential gaps in coverage? 

Q 4.1: Education: Online access – ‘Reasonable steps’ 

For the purposes of new paragraph 113MA(2)(d), what measures do you consider should be undertaken by an educational institution to seek to limit access to copyright material, when made available online in the course of a lesson, to persons taking part in giving or receiving of the lesson, and ensure it is used only for the purposes of the lesson? 

Q 5.1: Government: Use of incoming material Does proposed new section 183G contain effective safeguards to avoid unwarranted harm to copyright owners’ commercial markets? If not, what other safeguards would assist?

The consultation paper refers to 'Additional minor measures' - 

Sch 6: Registrar of the Copyright Tribunal 

The Bill will simplify the process for appointing the Registrar of the Copyright Tribunal. These amendments will align the Act with current practices for the appointment of other Australian court registrars by giving the power to the Chief Executive Officer and Principal Registrar of the Federal Court to appoint, or terminate the appointment of, the Registrar of the Copyright Tribunal. 

Sch 7: Streamline the process for making technological protection measure (TPM) exceptions 

The Bill will streamline the process for making regulations to create or amend exceptions to liability for circumventing a TPM that controls access to copyright material. The amendment removes the requirement that a ‘submission’ must be made before the Minister can recommend changes to the regulations. Allowing regulations to be made in relation to access control TPM exceptions, where changes are consequential to amendments to the Act or otherwise identified in a review or proceeding, without first obtaining a specific stakeholder submission seeking this, will improve Australia’s ability to maintain a copyright framework that is fit for the digital environment. More information about TPM exceptions, and the current review of the exceptions listed in the Copyright Regulations 2017, can be found at Part B. 

Schedule 8: Archives The Bill will update the definition of ‘archives’ to capture current Commonwealth and State archives offices in the Act. 

Schedule 9: Referrals to the Copyright Tribunal 

The Bill will improve the consistency of language in the Act when referring to applications and references to the Copyright Tribunal. 

Schedule 10: Notifiable instruments 

The Bill will update the mode of notification required by the Act, changing outdated references to ‘Gazette’ publication to ‘notifiable instrument’.  

The paper also covers  the Review of Technological Protection Measures (TPM) exceptions, commenting

The Australia-United States Free Trade Agreement (AUSFTA) requires a review of exceptions to the TPM provisions made under the Copyright Act 1968 (the Act) every four years. The last TPM exceptions review occurred in August 2017. Consultation on this Bill provides an opportunity to consider whether existing TPM exceptions should remain and whether any new TPM exceptions should be added to section 40 the Copyright Regulations 2017 (Copyright Regulations). This includes any consequential amendments because of measures proposed in the Bill. All new TPM exceptions, including those that are consequential to the amendments proposed in the Bill, are subject to the criteria for review as set out in subsection 249(4) of the Act (and discussed further below). 

Current TPM scheme 

Technological protection measures (TPMs) are technical locks that copyright owners, and exclusive licensees, use to stop their material being accessed or copied. For example, passwords, encryption software and access codes. TPMs can be grouped into two broad categories: • Access control TPMs that prevent a person from being able to read, listen to or watch material. • Copy control TPMs that allow a person to read, listen or watch material but prevent a person from making a copy of the material. Australia’s TPM scheme allows for both civil actions and criminal actions in response to unlicensed circumvention of TPMs (see Part V of the Act: Division 2, Subdivision A, and Division 5, Subdivision E). 

Specific exclusions 

The scheme specifically excludes protection for TPMs that: 

• control geographic market segmentation: o For example, consumers can bypass region coding measures to play overseas purchased DVDs or computer programs on Australian devices. 

• restrict use of after-market goods or services, including restricting the supply of spare parts or repair or maintenance services by third parties: o For example, a computer printer manufacturer cannot use the TPM scheme to stop generic cartridges being used in its printers. o TPMs used by the providers of computer systems to restrict services being provided by competing computer system maintenance providers are also not protected. 

Exceptions to override access control TPMs 

The Act provides for a number of exceptions to civil and criminal liability for circumventing an access control TPM. This includes:

• specific exceptions in subsections 116AN(2)–(8) and 132APC(2)–(8) of the Act. These exceptions are not subject to this review, and 

• additional exceptions for acts which are prescribed by the regulations (see subsections 116AN(9)(c) and 132APC(9)(c)).

These provisions implement Article 17.4.7(e)(viii) of AUSFTA. The current additional exceptions are set out in section 40 of the Copyright Regulations, and are the subject of this review. 

This review covers both existing exceptions to access control TPMs as set out in section 40 of the Copyright Regulations, as well as possible new TPM exceptions to add to the Regulations. Currently, section 249 of the Act allows the making of new regulations in relation to TPM exceptions, and regulations varying or revoking existing regulations, on the recommendation of the Minister. Subsection 249(4) of the Act allows an additional act to be prescribed by the regulations when a submission for is received which provides credible evidence of certain criteria, and the Minister makes a decision to grant an exception. Under subsection 249(8) of the Act existing additional prescribed acts can be revoked or varied through a similar process.

The paper accordingly invites submissions on: 

• the appropriateness of the current TPM exceptions listed in section 40 of the Copyright Regulations, 

• potential consequential amendments to section 40 of the Regulations due to the Bill. 

Submissions should: 

1. Identify whether you are seeking a new exception, or to vary or revoke an existing exception. 

2. If seeking the variation or revocation of an existing exception, identify the existing exception. 

3. If a new exception is sought, clearly outline the exception and the circumstances in which it would apply. 

4. Address how the exception does or does not fit the criteria of subsections 249(4) and/or (8) of the Act.

Submissions should provide examples to support whether or not (as relevant): 

• the use of the TPM has had an adverse impact on the non-infringing use by the person or body the subject of the exception, or is likely to have such an impact, or 
 
• the TPM exception would impair the adequacy of legal protection or the effectiveness of legal remedies against the circumvention of the TPM.

19 December 2021

Elections and Social Media

The First Interim Report of the Senate Select Committee on Foreign Interference Through Social Media, which quotes my submission, features the following recommendations: 

R 1  The committee recommends that the Australian Government clearly delegate lead accountability for cyber-enabled foreign interference to a single entity in government. 

R 2  The committee recommends that the Australian Government take a proactive approach to protecting groups that are common targets of foreign interference but are not classified as government institutions. 

R 3  The committee recommends that the Australian Government establish appropriate, transparent, and non-political institutional mechanisms for publicly communicating cyber-enabled foreign interference in our elections and review the processes and protocols for classified briefings for the Opposition during caretaker with respect to cyber-enabled foreign interference. 

R 4  The committee recommends that the Australian Communications and Media Authority's report into the functioning of the Australian Code of Practice on Disinformation and Misinformation be publicly released as a matter of priority. 

R 5  The committee recommends that the Australian Government publicly release the Electoral Integrity Assurance Taskforce's terms of reference. 

R 6  The committee recommends that the Australian Government establish clear requirements and pathways for social media platforms to report suspected foreign interference, including disinformation and coordinated inauthentic behaviour, and other offensive and harmful content, and formalise agency remits, powers and resourcing arrangements accordingly. 

R 7  The committee recommends that the Election Integrity Assurance Taskforce undertake an audit to assess capability relevant to detecting disinformation prior to the coming election and, further, that the Australian Government consider providing information about relevant capabilities and resourcing to this committee as appropriate to assist in our deliberations.

WHO

'The Intellectual Property Turn in Global Health: From a Property to a Human Rights View of Health' by Laura G. Pedraza-Fariña in (2021) 36 Osiris comments 

 International intellectual property (IP) law for pharmaceuticals has fundamentally shifted in the twenty-first century from a property-centric to a human rights view. Scholars tend to explain this transformation in the context of both the power struggle between developing and developed countries, and the influence of a social movement that criticized IP rights as hindering access to essential medicines. Yet, these explanations leave out the central role of two international organizations, the World Trade Organization (WTO) and the World Health Organization (WHO), and particularly their permanent staffs, whose boundary disputes have shaped international IP law at the intersection of trade and global health. Bringing into conversation historical and legal literatures on global health and IP, this article traces how a human rights perspective on IP emerged as a strategy to reconcile the WHO staff’s sociomedical views of health with an increasingly dominant set of global IP rules. It shows how the WHO staff used the language of economics—an analytical frame favored by the WTO—to advance a then unorthodox economic understanding of IP as a type of governmental regulation. This allowed the WHO to argue that states should enjoy regulatory autonomy to curtail IP rights in order to meet broader state objectives, such as human rights protection. Paradoxically, despite their divergent views on the nature of IP, both WTO and WHO engagement with it heralded the emergence of a new technocratic view of global health that focuses on patentable medicines and technologies, and that has ultimately turned away from the WHO’s sociomedical roots.

'Patenting Personalized Medicine: Molecules, Information, and the Body' by Mario Biagioli and Alain Pottage in the same issue comments 

The histories of patent law and medical practice in the United States have intersected in various ways over the past 150 years, beginning with the professional campaign against “patent medicines” in the late nineteenth century, and culminating, for now, in attempts to patent the diagnostic procedures discussed in this article. The patenting of diagnostic procedures provokes a set of fundamental questions about the episteme of patent law. These questions are not new. They emerged at the very origins of patent jurisprudence, centered on the question of what distinguished an invention from a law of nature, and this question of patentability has persistently reemerged over the past century in the contexts of plant breeding, biotechnology, and now diagnostic medicine. So far, the question has been addressed in terms that imagine the invention as a machine, understood in the figurative sense of a transformative organization of forces and elements. But diagnostic procedures, because they address the body informationally, as a system based on the recursive patterning of signals rather than a linear transformation of inputs into outputs, stretch the figure of the machine to the point at which it ceases to be effective. How then should one define and delimit invention?

16 December 2021

Clearview, OAIC and the Federal Police

The Office of the Australian Information Commissioner has, somewhat belatedly and with uncertain effect, issued a Determination under the Privacy Act 1988 (Cth) regarding use by the Australian Federal Police of Cleaview. 

The Determination states 

110. I find that the Respondent interfered with the privacy of individuals whose images it uploaded to the Facial Recognition Tool, by failing to take reasonable steps under APP 1.2 to implement practices, procedures and systems relating to its functions or activities that would ensure that it complied with Clause 12 of the Code. 

 Disquietingly but unsurprisingly the Determination states

116. While these appear to be constructive developments, on the evidence before me, I cannot be satisfied that steps the Respondent has taken to date will ensure that the breaches of clause 12 of the Code and APP 1.2 are not repeated or continued.

It notes

There is a disagreement between the OAIC and the Respondent about whether an interference with privacy has occurred, and this determination allows this question to be resolved. There is a public interest in making declarations setting out my reasons for finding that an interference with privacy has occurred and the appropriate response by the Respondent. 

Further it states 

According to a media article dated 21 January 2020, a spokesperson for the Respondent [ie the AFP] had advised at that time that it did not use the Facial Recognition Tool (see paragraph 13). The Respondent refused 3 FOI requests on 13 February 2020 on the basis that no information relating to the third party service provider had been identified, notwithstanding that the Facial Recognition Tool had been used by several Trial participants (see paragraph 15). There were limited records of how this novel technology was used. For example, the dates of registration for  Trial participants are unknown;  the Respondent did not have logs recording details of access and/ or use of the Facial Recognition Tool; and for many uploaded images, the Respondent had no record of the particular image that had been uploaded. 

Regrettably the OAIC is not using the Determination as an opportunity to encourage best practice in FOI responses.

The OAIC states 

96. I am not satisfied that during the Trial Period, the Respondent had appropriate systems in place to identify, track and accurately record its use of new investigative technologies to handle personal information. 

97. I consider that the Respondent should have instituted a more centralised approach to identifying and assessing new and emerging investigative techniques or technologies that handle personal information. This would have assisted the Respondent to identify new high privacy risk projects within its organisation and take a consistent approach to risk assessment. It would also have supported the Respondent’s compliance with APP 1.2 in future, by enabling it to explain why a new or changed way of handling personal information did not have the potential to be high privacy risk (noting that it is the responsibility of each agency to be able to demonstrate whether a new or changed way of handling personal information was a high privacy risk project). 

98. In addition, the Respondent’s policies should have specifically addressed the use of free trials and other freely available online search applications, for investigative purposes. The privacy risks of using such applications (such as those outlined in 69 to 73), were foreseeable given that search tools and applications are easily accessible on the internet, and noting the ACCCE’s commitment to exploring ‘new and innovative solutions’ to meet challenges posed by offenders evolving their operating methods to avoid detection. 

95 The policies should have explained how attendant privacy risks should be assessed to enable compliance with Clause 12 of the Code, and the controls and approval processes in place to support such privacy risk assessments.  ...

Privacy training 

99.Under the Respondent’s written policies that applied during the Trial Period, functional areas were responsible for ensuring that PIAs were undertaken for all high privacy risk projects. The policies clearly stated that personnel could contact the Privacy Officer for assistance in determining whether a PIA is required, and included their contact details. 

100. Notwithstanding this, none of the 10 members of the ACCCE who registered for trial accounts conducted a threshold assessment or a PIA (see paragraph 64). Given this omission, I have considered the steps the Respondent took to implement its written policies about privacy risk assessments, including through staff training and other communications about requirements under the Code. 

101. While I recognise that the Respondent’s written policies contained some information about requirements to undertake a PIA under clause 12 of the Code, the Respondent’s online training module:

  • did not include sufficient information to enable staff to identify whether a planned project may involve high privacy risk, such as factors indicating that a project may be high privacy risk, 

  • information about the process of conducting threshold assessments and PIAs, or relevant operational examples did not set out clear pathways and triggers for functional areas to consult with appropriate legal and technical experts, before engaging in new or changed personal information handling practices 

  • did not clearly identify who was responsible for undertaking threshold assessments and PIAs, and for keeping relevant records 

  • did not include information about the potential privacy risks of novel high privacy-impact technologies, or the risks to individuals of uploading personal information held by the agency to a third party service provider in the absence of a Commonwealth contract (as discussed in paragraph 71). 

102. The Respondent’s submissions also indicate that at least 3 of the Trial participants had not received privacy training in the 12 months leading up to the Trial Period. 

103. Based on the Respondent’s submissions and documentation provided, I cannot be satisfied that adequate training was provided to functional areas about how to undertake such an assessment, when to do so, and when to involve the Privacy Officer or other privacy experts. 

PIA 

104. In addition to being a discrete obligation under the Code, an example of the practices, procedures and systems that an APP entity should consider implementing to comply with APP 1.2, is a commitment to conducting a PIA for new projects in which personal information will be handled or when a change is proposed to information handling practices.  A PIA can assist in identifying the practices, procedures or systems that will be reasonable to ensure that new projects are compliant with the APPs. 

105. I have concluded at paragraph 76 above that the Respondent breached clause 12 of the Code by failing to undertake a PIA for a high privacy risk project. 

What additional steps were reasonable in the circumstances? 

106. The requirement in APP 1.2 is to take ‘reasonable steps’ to implement practices, procedures and systems to ensure compliance with the APPs and the Code. 

107. I have considered the seriousness of decisions that may flow from use of the Facial Recognition Tool (see paragraph 71), the fact that the personal information of victims (including children and other vulnerable individuals) was searched, and the likelihood that the Trial involved the handling of sensitive biometric information for identification purposes. I would expect the Respondent to take steps commensurate with this level of risk under APP 1.2, to ensure any privacy risks in using technologies like the Facial Recognition Tool are carefully identified, considered and mitigated against. In some circumstances, the privacy impacts of a high privacy risk project, may be so significant that the project should not proceed. 

108. I consider that having regard to these heightened risks and the deficiencies outlined above, the Respondent should have at least taken the following additional steps before the Trial Period:

  • The Respondent should have implemented a centralised system to identify, track and accurately record its use of new investigative technologies to handle personal information. 

  • The Respondent’s written policies should have specifically identified the privacy risks of using new technologies to handle personal information as part of its investigative functions (including on a trial basis and when a service is available free of charge) and included controls and approval processes to address these risks. 

  • The Respondent should have ensured that staff who were responsible for assessing privacy risk received appropriate privacy training on a regular basis, which covered at least the matters outlined at paragraph 101. 

  • The Respondent should have conducted a PIA in relation to the Trial. 

109. I have taken into account the relevant circumstances, including the Respondent’s role as a federal law enforcement agency, its use of the Facial Recognition Tool to search for victims, suspects and persons of interest for investigative purposes, the sensitive nature of the biometric information collected and used by the Facial Recognition Tool, and the time and costs of implementing appropriate policies, procedures, and training. Having regard to these circumstances, I am satisfied that the Respondent did not take steps as were reasonable in the circumstances to implement practices, procedures and systems relating to its functions or activities that would ensure that it complied with clause 12 of the Code, as required under APP 1.2. ... 

Remedies 

111. There are a range of regulatory options that I may take following an investigation commenced on my own initiative. In determining what form of regulatory action to take, I have considered the factors outlined in the OAIC’s Privacy Regulatory Action Policy103 and the OAIC’s Guide to Privacy Regulatory Action. 

112. I am satisfied that the following factors weigh in favour of making a determination that finds that the Respondent has engaged in conduct constituting an interference with the privacy of an individual and must not repeat or continue such conduct: The objects in s 2A of the Act include promoting the protection of the privacy of individuals, and promoting responsible and transparent handling of personal information by entities.

Specified steps  

113. Under s 52(1A)(b) I may declare that the Respondent must take specified steps within a specified period to ensure that an act or practice investigated under s 40(2) is not repeated or continued. 

114. I recognise that the Respondent is proactively working to build the maturity of its privacy governance framework and embed a culture of privacy compliance across the agency. I particularly acknowledge the Respondent’s commitment since the Trial Period, to reviewing and strengthening parts of its privacy governance framework. This includes reviewing and updating its privacy management plan (1 July 2021 to 1 July 2022), which identifies specific, measurable privacy goals and targets and sets out how the agency will meet its compliance obligations under APP 1.2. 

115. In addition, the Respondent submitted during the investigation that it:

  • had appointed a dedicated position within the ACCCE, who would be responsible for undertaking software evaluations of similar kinds of applications in future 

  • was undertaking a review of existing internal governance processes and documents to specifically address the use of free trials in the online environment 

  • had commissioned a broader review of the Respondent’s privacy governance with the assistance of an external legal services provider 

  • was reviewing its training module to ensure operational relevance to all staff by including sufficient context and explanation. 

116. While these appear to be constructive developments, on the evidence before me, I cannot be satisfied that steps the Respondent has taken to date will ensure that the breaches of clause 12 of the Code and APP 1.2 are not repeated or continued. 

117. The Respondent has not provided the OAIC with specific information about how any steps it has taken or is taking, will prevent similar breaches occurring again in the future, by addressing the deficiencies in paragraphs 95 to 105 above. For example, during this investigation, the OAIC was not provided with details of how the Respondent’s policies, decision making processes, and approval processes in relation to the use of new technologies have changed since January 2020.  In addition, while the OAIC’s preliminary view contained findings about additional steps that should have been taken to train staff about privacy impact assessments, the Respondent did not provide any updated information about changes to its training program. 

118. Without a more coordinated approach to identifying high privacy risk projects and improvements to staff privacy training, there is a risk of similar contraventions of the Privacy Act occurring in the future. This is particularly the case given the increasing accessibility and capabilities of facial recognition service providers and other new and emerging high privacy impact technologies that could support investigations. 

119. For these reasons, I consider that it is reasonable, proportionate and appropriate to make the declarations in paragraph 2(c) of this determination, under s 52(1A)(b) of the Privacy Act, requiring an independent review of the changes made to the Respondent’s relevant practices, procedures, systems (including training) since the Trial Period. The declarations will provide the OAIC with ongoing oversight of updates to the Respondent’s privacy governance framework. The independent review may also provide additional assurance to Australians that the deficiencies identified in this determination have been addressed. These specified steps will help the Respondent to prevent similar contraventions, and ensure any privacy risks in using high privacy impact technologies are carefully identified, considered and mitigated against.

In October the OAIC in a separate Determination addressed data collection by Clearview, with the OAIC subsequently commenting

Clearview AI, Inc. breached Australians’ privacy by scraping their biometric information from the web and disclosing it through a facial recognition tool. 

The determination follows a joint investigation by the Office of the Australian Information Commissioner (OAIC) and the UK’s Information Commissioner’s Office (ICO). 

Commissioner Falk found that Clearview AI breached the Australian Privacy Act 1988 by: collecting Australians’ sensitive information without consent collecting personal information by unfair means not taking reasonable steps to notify individuals of the collection of personal information not taking reasonable steps to ensure that personal information it disclosed was accurate, having regard to the purpose of disclosure not taking reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles. 

The determination orders Clearview AI to cease collecting facial images and biometric templates from individuals in Australia, and to destroy existing images and templates collected from Australia.  

Clearview AI’s facial recognition tool includes a database of more than three billion images taken from social media platforms and other publicly available websites. The tool allows users to upload a photo of an individual’s face and find other facial images of that person collected from the internet. It then links to where the photos appeared for identification purposes. 

The OAIC determination highlights the lack of transparency around Clearview AI’s collection practices, the monetisation of individuals’ data for a purpose entirely outside reasonable expectations, and the risk of adversity to people whose images are included in their database. 

“The covert collection of this kind of sensitive information is unreasonably intrusive and unfair,” Commissioner Falk said. 

“It carries significant risk of harm to individuals, including vulnerable groups such as children and victims of crime, whose images can be searched on Clearview AI’s database. 

“By its nature, this biometric identity information cannot be reissued or cancelled and may also be replicated and used for identity theft. Individuals featured in the database may also be at risk of misidentification. 

“These practices fall well short of Australians’ expectations for the protection of their personal information.” 

Commissioner Falk found the privacy impacts of Clearview AI’s biometric system were not necessary, legitimate and proportionate, having regard to any public interest benefits. “When Australians use social media or professional networking sites, they don’t expect their facial images to be collected without their consent by a commercial entity to create biometric templates for completely unrelated identification purposes,” she said. 

“The indiscriminate scraping of people’s facial images, only a fraction of whom would ever be connected with law enforcement investigations, may adversely impact the personal freedoms of all Australians who perceive themselves to be under surveillance.” 

Between October 2019 and March 2020, Clearview AI provided trials of the facial recognition tool to some Australian police forces which conducted searches using facial images of individuals located in Australia. ... 

Clearview AI argued that the information it handled was not personal information and that, as a company based in the US, it was not within the Privacy Act’s jurisdiction. Clearview also claimed it stopped offering its services to Australian law enforcement shortly after the OAIC’s investigation began. 

However, Commissioner Falk said she was satisfied Clearview AI was required to comply with Australian privacy law and that the information it handled was personal information covered by the Privacy Act.