Categories
Internet Governance

Some Highlights

Since this is my first blog entry, I would like to sum up the highlights of the first two days of the IGF. This is my second IGF experience after the Hyderabad IGF in 2008 and like I did there, I am trying to follow sessions that are outside the scope of my usual areas of interest (cyberlaw issues) as well, which I find truly eye opening.

On the first day I have attended the workshop on “Use of ICTs by people with immigrant background” and got first hand information on some really interesting practices and experiences that set perfect examples to the fact that the internet can be used perfectly on both ends of the good-evil spectrum. On one hand there were great online initiatives for integrating immigrants to the social system of the host country in a practical and informative manner, whereas on the other some people were using the very same technology to facilitate human trafficking.

Another workshop that I was really impressed with was “Can mobile ‘Apps’ create a new golden age of Accessibility?” with a focus on users with disabilties, in which fellow ISOC Ambassador Arnoud was a panelist and he made a really successful and informative presentation on realtext. The panel showed me how effective mobile applications were not only to simplify everyday life&communication of people wıth disabilities but also integrate them into both the real and the online world. The discussion was so real and it was nice for a change to see people not with egos bigger than themselves coming together to make positive contributions to the society, which is a rare quality in legal discussions…

And back to legal issues, I believe the ISOC workshop on the future of privacy was a success and the discussion was vibrant. Balancing interests and rights in the online world, particularly in the field of privacy is really hard as free speech and privacy, two equally important and fundamental rights are at stake. Participants from multiple stakeholders, which is another fascinating aspect of the IGF as these people are really hard to be brought together in any other place, shared their own views and experiences while looking at the future.

Yesterday afternoon I was a panelist on the UNESCO workshop on “Privacy and Social Networking” and it went fine, apart from the rather unfortunate room selection (maybe it’s a habit of being an academic but I prefer classroom settings) and the distracting noises coming from the open ceilings, which is actually a problem I observed in several other workshops.

I thought it would be a good idea to share my presentation with you so that maybe we can exchange views over coffee…Warning particularly for non-lawyers: it’s kind of long so feel free to stop reading at this point;)

………..

The right to privacy was defined as “the right to be let alone” by Warren and Brandeis in 1890. Although this definition remains valid, it is definitely challenged by social networking. How to protect such a right in an online environment in which the main idea is putting yourself out there, sharing personal information, interacting with others is really tricky. Some even argue that the terms privacy and social networking are absolutely incompatible with each other. I wouldn’t go that far but it is true that social networking presents some unique problems which are rather hard to resolve through existing legal provisions on privacy and data protection.

In the last couple of years, there have been some initiatives to address these problems that resulted in soft law documents, serving as guidelines in setting privacy principles specific to social networking services; such as Safer Social Networking Principles for the EU, the Position Paper on Security Issues and Recommendations for Online Social Networks issued by the European Network and Information Security Agency (ENISA) and Article 29 Data  Protection Working Party’s Opinion on Online Social Netwoking. All of these instruments define the possible privacy risks and threaths in social networking services, establish the roles of the stakeholders involved  and set substantial principles to prevent privacy violations. I will try to follow the same path while adding my humble suggestions and sharing my local experience with you.

Users of social networking services can find themselves in privacy threathening situations mainly in two ways; through content, contacts or conducts coming from others or the very conducts of the users themselves might be self threathening as well. Content that constitutes a privacy violation can be illegal in itself such as hate speech, racist and xenophobic remarks and child pornography or it can be age-inappropriate for young users and children, like sexual or pornographic material. Since under age users consist the majority of the users of social networking services, prevention of such age inappropriate content is crucial. Contacts by others threathening privacy vary from abusive friend requests or sexually explicit messages to unsolicited commercial communications for behavioral targeting. Cyberbullying, cyberstalking and other forms of cyber targeting are examples that first comes to our minds as privacy violating online conducts. Cyberbullying is another issue of particular importance for young users which might result in some serious real life consequences, even suicide, as it happened in the MySpace teen suicide case in the US, in which a 13 year old teenage girl took her own life…

Apart from threaths coming from the outside world, unfortunately, on social networks the users are also perfectly capable of putting themselves at risk by mainly uncautiously disclosing too much personal information- sometimes even sensitive data, although I have to add that this might happen partly due to the complicated privacy settings of some social networking platforms as well…

In order to prevent these threaths there are duties to assign for all of the stakeholders involved. Social networking service providers, the industry in general, governments, regulators, lawmakers, law enforcement officials, as well as the users themselves; not to forget parents, educators and other caretakers of under age users, they all have a role in providing the essential technical, social and legal environment for effective privacy protection. The governments and lawmakers need to provide effective regulation and make sure that they don’t over regulate or hinder the free flow of information and free speech; at this point I should add that I am a firm believer of industry self regulation especially when it comes to privacy protection. Self regulation of technical standards in a manner complementing legislation that sets general standards will provide the best solution and enable flexibility and updates, based on technical developments in a way much faster and more appropriate than imposing detailed state regulation. As perfectly put by the Art. 29 Working Party, such self regulation should also be disciplinary in nature and equipped with effective enforcement measures. Law enforcement officials need to implement these standards to prevent and combat privacy violations through appropriate training and along with other public bodies, they need to work for international cooperation, which is a key element for combatting any kind of illegal online activity as a whole…

Users also need to act responsibly (I keep remembering the bumper sticker saying don’t drink&tweet) and cautiously while deciding whether or not to make their personal information available online. After all, under the right to informational self determination, which is the underlying principle for data protection provisions, users are the only ones to decide what to do with their personal data or who to share it with for whatever purpose, for how long ect. Of course this is only possible when the social networking service providers are meeting the requirements at their end, by providing appropriate terms of use, practical solutions to possible threaths and ensuring technical safety in their networks. For minors, parents and educators also carry an important burden to make sure that all online activities are age approppriate.

And then we have the substantial legal requirements:

First of all, consent, a freely given, specific, unambigous and informend consent of the data subject, in our case being the user of social networking services, is the most important requirement for fair and lawful processing of personal data is even more significant in social networks, since it is much more difficult to make sure that consent given by the user is really an “informed” one…To achieve such consent, clear, practical, easily accessible terms of use and policies that include updated warnings on privacy risks, not only at the beginning but during the whole term of subscription is essential, particularly with regard to applications provided by third parties. Restricting access to self-selected contacts by users should be practically available and making changes in privacy settings and unsubscription must not be burdensome, as sometimes we all experience…

 The principles of privacy by design, which basically means privacy and data protection being integrated into the design of ICTs by default, along with transparency and accountability should be incorporated in regulation…In fact EU data protection directive is currently in review in this line.

With regard to the protection of minors, appropriate age verification tools should be made available by social network service providers. Privacy protection on mobile social networks should also be enhanced. I believe European Commission’s Framework for Safer Mobile Use by Younger Teenagers and Children would be a good guideline to follow on that.

Effective and practical mechanisms of reporting abuse should also be made available to the user. This can be done both by the service providers themselves and public regulators, through legal provisions on notice and take down procedures. This is particularly important for social networking service providers since receiving such notice is likely to be considered as having or at least ought to be having actual knowledge of the violation, which is the first step towards their liability for 3rd party content. Upon receiving the notice, the service provider would acknowledge and assess the notice and if required, remove the content in violation of privacy.

While regulating notice and take down procedures, it should be taken into consideration that such provisions would be ineffective if blocking access to web content as an alternative sanction for privacy violations is simple. This is actually what happened in my home country, Turkey. You may probably have heard that, as of 2007 we have a new law which really simplified the procedure for blocking access to web content on specific criminal grounds, which unfortunately resulted in the infamous Youtube ban of two years. Although privacy violations are not provided as one of these grounds per se, grounds such as obscenity and sexual abuse are likely to be considered privacy violations and therefore may be subject to this simplified procedure. Even if they are not, the courts have a tendency to issue blocking orders either as provisional measures or actual sanctions. Thus, a provision in this law, which I may say is one of the very few positive provisions, providing for a general framework for notice and take down procedure for privacy violatons is left ineffective and hardly ever resorted to.

Of course such national provisions will be much more meaningful when the service provider is also located in that country, which is hardly the case most of the time. So that brings us back to the importance of international cooperation and harmonisation.

Last but definitely not least, I would like to emphasise the principles that should be followed at all times while trying to protect privacy on social networks:

            Free flow of data and free speech should not be compromised, nor should the unique characteristics of social networking, such as personalised profiles, user generated content and interaction between users, all of which enables social networking platforms with enermous potential to promote democracy, participation and diversity…

            Preventive measures should be favoured rather than punitive sanctions and such measures need to be designed in a practical and user-friendly (or let’s rephrase it as being actually useable for an average person)…

            Sanctions should be proportionate and in line with the needs of a democratic society, so hopefully no more banning websites as a whole for a single video file!

…………………

 those who have read until the end definitely deserve some strong coffee, so please come find me and claim yours:)))