EU Data Retention Requirements Ruled 'Invalid' By EU Court Of Justice

from the no-more-"because-terrorism" dept

Back in December, we reported on a slightly mixed ruling from the EU Court Of Justice's Advocate General regarding the 2006 Data Retention Directive, which obliges European telecom companies to retain metadata about their customers. Although the Advocate found the Directive incompatible with fundamental European rights, he proposed merely suspending it until it was fixed. His opinion was not binding on Europe's highest court, but was generally regarded as indicative of the final verdict.

Today, the EU Court Of Justice (ECJ) handed down its judgment. As expected, it does follow the same general lines as the Advocate's view, but in a surprising and welcome turn of events, it goes far beyond it in the harshness of its condemnation and finality of its ban (pdf)

The Court of Justice declares the Data Retention Directive to be invalid

It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.

The ECJ clarified what exactly it meant when it declared the Directive "invalid":

Given that the Court has not limited the temporal effect of its judgment, the declaration of invalidity takes effect from the date on which the directive entered into force.

In other words, it is not just invalid from today's judgment, it was invalid from the moment it came into existence -- a pretty stunning slap down. The Court has no hesitation in declaring that blanket data retention interferes with fundamental rights (the emphasis below is in the original):

The Court takes the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance.

Equally, the Court does recognize that there are valid circumstances for retaining such personal data:

the retention of data for the purpose of their possible transmission to the competent national authorities genuinely satisfies an objective of general interest, namely the fight against serious crime and, ultimately, public security.

The key issue -- one that Techdirt has emphasized many times -- is proportionality, and here the ECJ has no doubts:

the Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality.

The Court goes on to list three specific ways in which the Data Retention Directive fails the test of proportionality. First, it notes that the Directive specifies that all data must be retained, without any kind of "differentiation, limitation or exception being made in the light of the objective of fighting against serious crime." That is, the "collect it all mentality" that has infected security services is inherently disproportionate and thus unacceptable.

The Court then notes that there are no objective criteria that can be used to assess whether the police or other authorities are allowed to access that data: again, pretty much anything goes with the current Directive. In addition:

the directive does not lay down substantive and procedural conditions under which the competent national authorities may have access to the data and subsequently use them. In particular, the access to the data is not made dependent on the prior review by a court or by an independent administrative body.

It's perhaps not surprising to see Europe's highest court insisting that national authorities need to ask a judge for permission to access highly personal data, but it's a hugely important reminder of the need to do so against a background where governments seem to regard such formalities as optional and dispensable.

Finally, the ECJ points out that there are no objective criteria for setting the Directive data retention period as between six and 24 months, and that no distinctions are made based on the kind of data stored, and about whom. It also notes that the Directive does not address the important issues of abuses or unlawful access, that nothing is said about how data should be destroyed at the end of the retention period, and there is no requirement for data to be retained within the EU at all times.

As with the Advocate's opinion, the ECJ's judgment offers implicit guidance on how the major flaws in the Data Retention Directive might be addressed -- with the important difference that the Court has imposed far more stringent conditions that will require those drafting any new Directive to be much more cautious in the requirements they lay down. Even if that's possible, the end result is likely to be a far meeker version of the current Directive.

It's also not yet clear what the status of existing national legislation implementing the Directive is now. These laws were passed by the EU member states in order to comply with the Directive; now that the Directive is invalid, it presumably means that they, too, are invalid. Will they be repealed by governments, or will they continue until challenged in national courts? Those are questions that politicians and lawyers around Europe will doubtless be discussing with some urgency. Here's what the European Commission claims:

National legislation needs to be amended only with regard to aspects that become contrary to EU law after a judgment by the European Court of Justice. Furthermore, a finding of invalidity of the Directive does not cancel the ability for Member States under the e-Privacy Directive (2002/58/EC) to oblige retention of data.

One thing is for certain: the large-scale and disproportionate surveillance activities carried out by the NSA and GCHQ within Europe, which bear many similarities to those authorized under the Data Retention Directive, cannot now be justified by invoking "national security". Today's ruling by the EU Court of Justice means that "because terrorism" is no longer a trump card that can be used in Europe to justify anything and everything.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: data retention, disproportionate, eu, eu court of justice, privacy

Australian Attorney General Wants To Make It A Criminal Offense To Not Turn Over Private Encryption Keys

from the a-disaster-waiting-to-happen dept

The Attorney-General's department in Australia is apparently pushing for new laws down under that would force anyone who's asked to hand over their private encryption keys -- and that covers both end users and service providers. Buried in the middle of a submission concerning revising Australia's wiretapping laws, the AG's office notes:

The Department is also advised that sophisticated criminals and terrorists are exploiting encryption and related counter-interception techniques to frustrate law enforcement and security investigations, either by taking advantage of default-encrypted communications services or by adopting advanced encryption solutions.

The Department’s current view is that law enforcement, anti-corruption and national security agencies should be permitted to apply to an independent issuing authority for a warrant authorising the agency to issue ‘intelligibility assistance notices’ to service providers or other persons. The issuing authority should be permitted to impose conditions or restrictions on the scope of this authority.

[....]

Under this approach, the person receiving a notice would be required to provide ‘information or assistance’ to place information obtained under the warrant into an intelligible form. The person would not be required to hand over copies of the communication in an intelligible form, and, a notice would not compel a person to do something which they are not reasonably capable of doing. Failure to comply with a notice would constitute a criminal offence, consistent with the Crimes Act.

The above approach is consistent with the approach taken by the United Kingdom, which permits officials of law enforcement and national security agencies to, where authorised under a warrant, issue a notice requiring a person to provide assistance in connection with accessing encrypted communications. Similarly, South African law permits agencies to apply to a judicial officer for a direction requiring a person to provide information to the agency to enable the agency to decrypt lawfully intercepted communications.

The Orwellian nature of "intelligibility assistance notices" is fairly striking. Basically, this says if you don't make encrypted communication "intelligible" upon request, you would have violated criminal law. It's kind of funny how it claims this doesn't require anyone to hand over communication in an intelligible form... because it just asks for the encrypted content and the key to decrypt them. Which, you know, is basically the same damn thing.

Meanwhile, at the same time as part of the same discussion over wiretapping laws, there's an effort under way in Australia to force service providers into a big data retention scheme, forcing them to hold onto all sorts of data for law enforcement purposes. Incredibly, Australian officials seem to be using the NSA/Snowden leaks as the impetus for this.

Intelligence agency ASIO is using the Snowden leaks to bolster its case for laws forcing Australian telecommunications companies to store certain types of customers' internet and telephone data for a period of what some law enforcement agencies would like to be two years.

ASIO also, like the AG's office, seems quite concerned about you damn kids and all your encrypting:

"Since the Snowden leaks, public reporting suggests the level of encryption on the internet has increased substantially," ASIO said.

"In direct response to these leaks, the technology industry is driving the development of new internet standards with the goal of having all web activity encrypted, which will make the challenges of traditional telecommunications interception for necessary national security purposes far more complex."

So, even if everything's getting encrypted, certain law enforcement interests seem hell-bent on having everything collected and easy (forced) availability of private keys. If you happen to live in Australia, you might want to speak up about what's about to happen to what you thought were your private communications and browsing activity.

Filed Under: asio, attorney general, australia, data retention, encryption, privacy, wiretapping

Data Retention Directive Incompatible With Fundamental Rights According To EU Court Of Justice's Advocate General

from the not-quite-what-we'd-hoped-for dept

Almost exactly a year ago, we wrote about two important cases before Europe's highest court, the Court of Justice of the European Union (ECJ). They both involved the European Union's Data Retention Directive, which obliges telecoms companies to retain metadata about their customers -- now an even more contentious issue in the wake of Edward Snowden's leaks. One case was from Ireland, brought by Digital Rights Ireland, which needs donations to carry on its great work, and the other from the Austrian digital rights group AKVorrat (which probably also needs support.)

As is usual, before the ECJ makes its ruling, the court's Advocate General offers an opinion. It's not binding, but it's generally taken into account, and is often indicative of how the court will find. Here's what the Advocate General has just published:

In his Opinion delivered today, Advocate General Pedro Cruz Villalón, takes the view that the Data Retention Directive is as a whole incompatible with the requirement, laid down by the Charter of Fundamental Rights of the European Union, that any limitation on the exercise of a fundamental right must be provided for by law. According to the Advocate General, the Directive constitutes a serious interference with the fundamental right of citizens to privacy, by laying down an obligation on the providers of telephone or electronic communications services to collect and retain traffic and location data for such communications.

Specifically, he says that from the retained data it is possible to create a detailed and thus intrusive picture of someone's private life, and also notes that by storing this information, there is an increased risk it will fall into the wrong hands, causing damage to the privacy of the person concerned. Because of the seriousness of its incompatibility with fundamental European rights, the Directive should have spelt out key details, rather than leaving it to the Member States of the EU to interpret the rules as they thought best. He also found that:

the Data Retention Directive is incompatible with the principle of proportionality in that it requires Member States to ensure that the data are retained for a period whose upper limit is set at two years.

According to the Advocate General, there is no reason why the upper limit should not be set at just one year. Unfortunately, despite these serious flaws, he did not suggest that the Directive should be rescinded. Instead:

the Advocate General proposes, after weighing up the various competing interests, that the effects of a finding that the Directive is invalid should be suspended pending adoption by the EU legislature of the measures necessary to remedy the invalidity found to exist, but such measures must be adopted within a reasonable period.

In other words, the Advocate General seems to think the problems are fixable, provided the EU adopts suitable measures to address the issues he has raised.

That makes the current opinion something of a mixed bag. On the plus side, it has clearly found that the Data Retention Directive in its present form is incompatible with fundamental European rights; but against that, the Advocate General not only suggested that the problems could be rectified, but even explained how that might be achieved.

The full Opinion is, of course, much more complex than the rough summary above, and experts will argue over what the details might mean for data retention in Europe. In any case, what counts is the final judgement of the ECJ, which may have views that differ from the Advocate General's Opinion in important ways. At least we are now closer to finding out.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: court of justice, data retention, ecj, eu, fundamental rights, privacy

Data Retention Means You Are On The Record, Like It Or Not

from the it's-not-retention,-it's-surveillance dept

This week the advocate general of the Court of Justice of the EU (CJEU), Yves Bot, publishes an opinion on the extent to which the Data Retention Directive, one of the most controversial security measures introduced by the EU in the past decade, is compatible with human rights law. Although not a binding judgement (this will come later), the CJEU’s opinion is a significant intervention in the ongoing debate over how to balance human rights with states' perceived surveillance needs.

The security-related retention of communications by telecoms firms was on the European agenda well before 9/11, but privacy concerns had led to a limited approach. Telecoms companies in the EU were obliged to delete communications data as soon as all business needs had been met; the data could not be retained for security or criminal investigation purposes. Some states had attempted to adjust this and introduce a retention system in 2000, but this failed - again, largely because of privacy concerns. All this changed, however, after 9/11.

As early as May 2002, a “data retention amendment” had been made to existing EU privacy laws to allow for security-related data retention, and drafts of a provision that would require retention began to circulate. Those proposals attracted so much rights-based criticism that they were apparently abandoned; however, they quickly reappeared in the wake of the London and Madrid bombings, and in 2006, the Data Retention Directive was adopted.

It obliges all member states to introduce national data retention regimes, even where -— as in the UK —- there had already been significant resistance to such regimes when they were previously proposed at a national level. The directive requires telecommunications providers to retain data on the source, destination, time, date, duration and type of all communications by fixed and mobile telephone, fax and internet, and on the location and type of equipment used.

The data is to be retained for between six months and two years, with national law deciding on the duration, and can be accessed by state agencies investigating “serious crime” —- a term that has different definitions across the member states.

Blanket surveillance

The volume and extent of information retained under the directive is stunning; in effect, it has introduced a system of blanket surveillance across the entire EU. Although access to the information is regulated by law, state agencies can nonetheless access an enormous amount of information about our communications patterns and activities. This naturally raises serious human rights concerns, especially about privacy.

Security services insist that data retention is an indispensable tool for investigating serious crimes, such as terrorism and the production and distribution of child pornography. Yet different states make use of the Directive to wildly varying extents: in 2012, for example, Cyprus made 22 requests for access to data, while the UK made 725,467.

The question for the advocate general, the CJEU and the EU more broadly is whether or not the approach taken by the directive privileges perceived security needs over human rights. Data retention unquestionably constitutes a prima facie infringement on privacy; the real issue is whether this infringement is justified because it is necessary, effective, and limited. This question is at the core of all debates about “balance” in the security context: how far are we prepared to allow state power into our individual, family, social and democratic lives in order to “secure” us?

Answering this question requires us to decide on what we think “effectiveness” means in the context of security. If the directive helps to resolve a handful of serious crimes per year, or to prevent one terrorist attack, is it effective? Could a more limited approach -— such as requiring telecoms companies to collect data related to certain investigations but not to retain all data -— achieve the same security objectives while better protecting rights?

These are difficult questions, but they are ones we must resolve if we are to have a balanced security system. The advocate general’s opinion will be an important contribution to the debate, but it will not be the final word. Achieving a balanced approach to security requires critical scrutiny at practical, political, social and legal levels. This is all the more true given that, as the Data Retention Directive illustrates, security measures operate upon and have implications for the rights of all of us, all of the time.

Fiona de Londras is the Project Co-Ordinator of SECILE (Securing Europe through Counter-Terrorism: Impact, Legitimacy and Effectiveness), a project that has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement number 313195.

This article was originally published at The Conversation. Read the original article.

Filed Under: data retention, europe, surveillance

Dutch Telcos Used Customer Metadata, Retained To Fight Terrorism, For Everyday Marketing Purposes

from the I'm-shocked,-shocked dept

One of the ironies of European outrage over the global surveillance conducted by the NSA and GCHQ is that in the EU, communications metadata must be kept by law anyway, although not many people there realize it. That's a consequence of the Data Retention Directive, passed in 2006, which:

requires operators to retain certain categories of data (for identifying users and details of phone calls made and emails sent, excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism.

Notice the standard invocation of terrorism and serious crime as a justification for this kind of intrusive data gathering -- the implication being that such highly-personal information would only ever be used for the most heinous of crimes. In particular, it goes without saying that there is no question of it being accessed for anything more trivial -- like this, say:

Some Dutch telecommunications and Internet providers have exploited European Union laws mandating the retention of communications data to fight crime, using the retained data for unauthorised marketing purposes.

Of course, the news will come as no surprise to the many people who warned that exactly this kind of thing would happen if such stores of high-value data were created. But it does at least act as a useful reminder that whatever the protestations that privacy-destroying databases will only ever be used for the most serious crimes, there is always the risk of function creep or -- as in the Netherlands -- outright abuse. The only effective way to stop it is not to retain such personal information in the first place.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: crimes, data retention, marketing, netherlands, telcos, terrorism

Belgian 'Royal Decree' Requires ISPs To Log All Sorts Of Info For A Year

from the invest-in-encryption-now dept

Theo Lietaert alerted us to the very troubling news out of Belgium, that a "royal decree" has been passed requiring Belgian telcos, internet service providers, information service providers, email providers, etc. to log a ridiculous amount of metadata for a year. The full decree (in French) includes an awful lot of information that will be tracked (though it's been published in a manner that's nearly impossible to read). Among the examples listed: how many emails you send, if you use a VoIP provider (like Skype), how long your calls are, how you pay your bills -- basically any and all (non-content) data that ISPs can collect, they are required to keep. And then they need to make it available to basically all law enforcement. That is, this is not just for anti-terrorism purposes, but for any government purpose under the sun, allowing them to troll through basically all of your internet activity.

The justification for all of this? Because law enforcement "needs" this data do their job better. This is not all that different than the excuses we've heard from those defending NSA surveillance, that this data is somehow "needed" because it might stop "bad guys." But that turns the privacy questions upside down entirely. As we've noted, law enforcement would, most likely, be able to stop a lot more crime if we were all required to have video cameras hooked up to a giant database installed in every room in every home. But we don't do that because it's a massive breach of privacy.

The ministers behind this abomination, Johan Vande Lanotte and Annemie Turtelboom appear to recognize that this goes "far beyond" what's allowed under the European privacy directive, but they don't seem to care, claiming that the privacy directive is "obsolete." The whole situation is fairly sketchy as well, since it was done by royal decree, allowing them to totally bypass Parliament, but is equally binding. I guess they're worried that Parliament (*gasp*) might actually protect the rights of the people.

This seems like a horrifyingly broad attack on privacy rights in Belgium, and while the Privacy Commission is reviewing the issue, it's possible that this will be considered the law in Belgium. If you're a VPN vendor, it would seem like a marketing campaign in Belgium might be appropriate just about now.

Filed Under: belgium, data collection, data retention, eu, metadata, privacy, privacy directive, royal decree

Australia Drops Snooping Plans -- For Now

from the too-early-to-celebrate dept

Last year, we reported on Australia's plans to bring in comprehensive snooping on its citizens, and more recently how its spies had realized that encrypted services offered an easy way to avoid much of that surveillance. Reuters is now reporting that Australia has put its spying plans on hold -- for the moment:

Australia's government on Monday shelved plans to force phone and Internet companies to hold two years of phone call and email data following concerns raised by a parliamentary inquiry into telecommunications interception laws.

…

[Lawmakers on the telecommunications inquiry] said Internet browsing data should be excluded from the plans, and called for greater oversight of government agency access to telecommunications data by the ombudsmen and the Inspector-General of Intelligence and Security.

However, this seems to be only a temporary reprieve: as the article above notes, Australia will be holding elections in September, and it is expected that the center-right Coalition, currently in opposition, will win power, and probably bring back the proposals. Of course, the current round of leaks about spying on a massive scale by the NSA and GCHQ may well have some impact on the debate, as will any future leaks of information, especially if they concern Australia directly.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: australia, data retention, snooping, spying, surveillance

Australian Spies Want To Hack Tor After Realizing It Routes Around Their Surveillance

from the how-daft-can-you-get? dept

One of the key flaws with the data retention schemes being proposed by the UK and elsewhere, supposedly to catch terrorists and serious criminals, is that they won't work. It is trivially easy to avoid surveillance by using encrypted connections, for example those provided by The Onion Router (Tor). This means that the only people who are likely to end up being spied on are innocent members of the public.

According to this article in Crikey, the secret services in Australia have apparently woken up to this fact; but rather than convince their government that data retention is therefore an expensive and intrusive waste of time, they have decided to take the damage to the next level:

In a major admission, the Attorney-General's Department has revealed Australia's intelligence and law enforcement agencies are seeking the legal power to break into internet routing encryption services such as Tor, after admitting the centerpiece of its proposed national security reforms, data retention, will be "trivially easy" to defeat.

This is, of course, an incredibly stupid idea, for reasons that one of Tor's developers, Jacob Appelbaum, explains well in the Crikey piece:

"If they wish to break such [encrypted] services, they ensure that when they use such services, they will also be insecure -- this ensures again that only criminals will have privacy, regular people -- including the police fighting crime -- they will be left out of having strong privacy. This opens business people up to industrial and economic espionage. It also promotes the idea that to make ourselves more secure, we should weaken our networks and add the very backdoors that most attackers work day and night to create," he said.

The plan to create detailed, centralized stores of high-value information about people's Internet and telephone usage already exposes the public to an elevated risk of having personal information accessed and misused. Moving beyond that to break key encrypted Internet services like Tor and virtual private networks (VPNs) would deal another serious blow to online privacy and business confidentiality.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: australia, data retention, encryption, hacking, security, surveillance, tor

Danish Police Admit That Data Retention Hasn't Helped At All

from the time-to-ditch-it dept

There's been a big push around the globe to ramp up data retention rules, which require various online services to keep all sorts of data on their users for a long time, just in case it's possible that law enforcement officials might need that data at some later date. That this only adds to the pile of data, and often makes it more difficult to find useful data, is never discussed. That this likely puts more people's private data at risk of being hacked or accidentally revealed is never discussed. Also, almost never discussed: whether or not such data retention laws actually help solve crimes.

Over in Denmark, we have an answer, and that answer is an emphatic no. After half a decade of having strict data retention laws, the Danish police have announced that it has not helped them find criminals. And, as predicted, having all that data has made it unwieldy for law enforcement when they actually think they need some data.

“Session logging has caused serious practical problems,” the ministry's staffers write in the report. “The implementation of session logging proved to be unusable to the police; this became clear the first time they tried to use [the data] as part of a criminal investigation.”

This seems like a pretty damning point concerning data retention. Hopefully, at the very least, this example is raised whenever any other country proposes data retention laws.

Filed Under: data retention, denmark

Dangerous: European Courts Considering Requiring Search Engine Filters Over Embarrassing Content

from the bad-bad-ideas dept

Remember Max Mosley? He's trying to argue that search engines need to forget him. Mosley, the former head of motorsports organization FIA, got upset a few years back when UK tabloids, led by News of the World, published some photos of Mosley's "rendezvous with five sex workers" that involved some role playing -- the women were dressed as prison guards, and he as the "prisoner" who needed to be punished. One of the workers took some photos which leaked... and Mosley went legal. He sued News of the World on a couple of issues, and actually "won" on the more narrow issue of what kind of role playing he was involved in. The paper had described it as a "Nazi orgy," but Mosley (who is extra sensitive to this considering that his father, Oswald Mosley, was the leader of the UK Fascist party, and both Adolf Hitler and Joseph Goebbels apparently attended his parents' wedding) made it clear that the setup was merely a German prison camp, and there was nothing Nazi about it. He won that argument and News of the World had to pay up a fairly significant sum. The court also said that the story and the pictures invaded his privacy.

You can understand why he'd be upset about such private actions becoming public, but once they're public, then what? Most people would recognize that the best thing to do is to recognize that the information is public, and move on in life, allowing people to gradually stop caring. But not Max Mosley. He seems to have dedicated his life to forcing everyone to take overt actions to make sure that rich and famous people, such as himself, can never be embarrassed again. First, he argued that newspapers should be required to alert famous people before they are written about, allowing the famous people to then use the court to block any stories they dislike. Thankfully, the European Court of Human Rights rejected this request.

That did not stop Mosley, however, who first used the recent "Leveson Inquiry" (a response to the later story of News of the World hacking into phone lines) to push for new rules requiring search engines to delete the photos from ever being found online. And thus began phase two of Mosley's response to the article: he went on a campaign against search engines, believing that if he could somehow force search engines to ignore the photos from that original story, the world might forget about it. Even though, in the Leveson hearing, Mosley admits that he was warned that by taking this issue to trial in the first place, it would renew interest in the issue, including putting such private information into official public court documents:

I mean, when I had my first meeting with counsel, they explained to me very carefully that.... By taking the matter to court, the entire private information which I was complaining about would be rehearsed again in public, with all the press there, with the benefit of absolute privilege for anything that was said, and that at the end of all of that, no judge could remove the private information from the public mind. Indeed, by going to court, I was augmenting the degree to which the public were aware of it.

And, yet, Mosley still believes that it's possible to erase such things from the public mind, and the way to do that, obviously, is to filter Google. Thus he began both a legal and publicity campaign arguing that Google must magically filter out the content in question. He's asked by Leveson about how many sites his lawyers have "been able to shut down" and he responds by blaming Google:

It's in the hundreds. My lawyers would probably produce an exact figure. One of the difficulties is that Google have these automatic search machines so if somebody puts something up somewhere, if you Google my name, it will appear. We've been saying to Google, you shouldn't do this, this material is illegal, these pictures have been ruled illegal in the English High Court. They say we're not obliged to police the web and we don't want to police the web, so we have brought proceedings against them in France and Germany where the jurisprudence is favourable. We're also considering bringing proceedings against them in California.

But the fundamental point is that Google could stop this material appearing, but they don't, or they won't as a matter of principle. My position is that if the search engines -- if somebody were to stop the search engines producing the material, the actual sites don't really matter because without a search engine, nobody will find it, it would be just a few friends of the person who posts it. The really dangerous thing are the search engines.

And thus began his legal campaign for mandatory search engine filters to block out content that he doesn't like. Yes, one country, the UK, has ruled that the use of those photos in a newspaper story represented a violation of his privacy, but the photos themselves are out there, and in other parts of the world, we have a belief in the freedom of the press. And in discussing the legality of showing the images, it seems that there is a strong journalistic reason to include at least some examples of the images. For example, Gawker reported on the case and quite reasonably included some of the images, including the following:

While it may have been unfortunate (and upsetting) for the story to get out in the press in the first place, that doesn't change the fact that once the information is out there, it's out there. Resorting to outright censorship as a response is not reasonable, nor would it really help. Attempting to censor such information would only serve to call more attention to it in the first place. While it may be true that the UK allows ridiculous "injunctions" by famous people who don't like being embarrassed by the press, the public is increasingly fed up with such rules. They tend to anger the public, who feels that their own free speech rights are being restricted.

Furthermore, asking search engines (or anyone, really) to create specific filters to pre-block such content raises all sorts of concerns and consequences. Not only would it do little to hide the actual imagery or make people forget the story in the first place, but it sets a horrifying precedent, allowing people to seek to censor legitimate free expression all for the sake of trying to avoid embarrassment.

For example, if the French or German courts decide to force Google to censor access to the images above, then Google wouldn't just be forced to block and censor the images directly, but various stories that include the images too, such as the Gawker stories above. And those stories aren't about the initial "sex party," but rather the legal issues that were raised after the fact. Trying to silence discussion of the legal issues, such as in this article, starts to go deep into very concerning territory when we're talking about the freedom of the press. You can argue that the original article broke some UK rules, but many of the followup articles are important discussions on a topic of public interest, which news organizations need to be free to pursue.

And where do you stop with such filters? If he actually did get filters required on search engines, as with other injunctions on speech, you can imagine discussion and links quickly moving to social networks. So then what? Mosley goes back to court seeking mandatory filters on social networks like Facebook and Twitter? Anyone who links to or posts the images he does't like gets blocked? Add to this other famous rich people demanding similar filtering of stories, images and videos that they, too, find embarrassing, and you're talking about a complete logistical nightmare of censorship.

In addition, such filters present potential monitoring and data privacy issues, as they require extensive monitoring, rather than mere indexing of information. In fact, the European Court of Justice has already ruled that forcing social networks or search engines to set up automatic filters to catch "illegal" content is actually a violation of existing EU law, requiring way too much of companies' "freedom to conduct business", as well as leading to the blocking of perfectly legal communications. In one case, involving a court that had ordered a filter for Netlog, the EU Court of Justice said the unintended consequences were too great:

Accordingly, such an injunction would result in a serious infringement of Netlog’s freedom to conduct its business since it would require Netlog to install a complicated, costly, permanent computer system at its own expense.

Moreover, the effects of that injunction would not be limited to Netlog, as the filtering system may also infringe the fundamental rights of its service users - namely their right to protection of their personal data and their freedom to receive or impart information - which are rights safeguarded by the Charter of Fundamental Rights of the European Union. First, the injunction would involve the identification, systematic analysis and processing of information connected with the profiles created on the social network, that information being protected personal data because, in principle, it allows those users to be identified. Second, that injunction could potentially undermine freedom of information, since that system might not distinguish adequately between unlawful content and lawful content, with the result that its introduction could lead to the blocking of lawful communications.

Given that, you would have hoped that the courts in France and Germany would have already rejected these lawsuits, and told Mosley that his comments to the Leveson Inquiry committee remain true: the more he continues to bring this up in court, the more attention he, himself, is calling to the story. Perhaps the best thing to do is to let it go, rather than trying to impose a massive, wasteful, unworkable filtering system that would do little to stop people from knowing the story or seeing the pictures, but would have dangerous unintended consequences that impact free expression and privacy.

Filed Under: data retention, europe, filters, france, free speech, germany, journalism, max mosley