January 28, 2010


In a report published on Tuesday, Harvard assistant professor and security researcher Benjamin Edelman presented findings about a privacy flaw in the Google Toolbar, Web browser add-on software that makes Google Search more easily accessible through Internet Explorer and Firefox. In order to do things like compute the PageRank of visited Web pages or list Related Web Pages, the Google Toolbar sends the URLs of Web pages that users view to Google's servers. The Google Toolbar does so only after the user allows this data to be sent. But the Google Toolbar turns out to be less attentive to users who seek to disable page tracking. Though a user may choose to disable the Enhanced Features that prompt Web page tracking, the Google Toolbar does not respond, at least until the user restarts his or her browser.

"I'm reminded of The Eagles' Hotel California," muses Edelman in his report. "'You can check out anytime you like, but you can never leave.'"

Edelman acknowledges in a disclosure statement that he has served as a consultant for Google's competitors and has litigated against the company on behalf of plaintiffs. But such relationships, though invariably mentioned by Google representatives, do not change the validity of his findings. Indeed, Google has acknowledged that its Toolbar wasn't working as it should have been and has issued fix. "To be clear, this is only an issue until a user restarts the browser, and it only affects the currently open tabs for a small number of users," said a Google spokesperson in an e-mailed statement. "Specifically it affects those using Google Toolbar versions 6.3.911.1819 through 6.4.1311.42 in Internet Explorer, with enhanced features enabled, who chose to disable Toolbar without uninstalling it. Once the user restarts the browser, the issue is no longer present. A fix that doesn't require a browser restart is now available on www.google.com/toolbar and in an automatic update to Google Toolbar that we are starting tomorrow."

Google has become more attentive to privacy issues in the past two years as critics have increasingly depicted the company's appetite for data as a threat. While Google's popularity suggests that the majority of users trust the company and aren't all that worried about potential privacy risks, competitors nonetheless see online privacy as a point of differentiation.

Search engine Ixquick, for example, plans later this week to introduce a way to browse Web sites privately, using a proxy service, to complement its search service that does not track users. Online application provider and storage service TransMedia recently changed the default search engine in its Glide OS service from Google to Bing as a show of support for Microsoft's data retention period reduction and promised not to use user data for targeted advertising. The company is also looking into a new legal structure for cloud computing that offers users stronger privacy protection.

Whether privacy moves beyond being something that's theoretically desirable but sacrificed for convenience or discounts remains to be seen. Past efforts to sell privacy as a consumer service failed because the market wasn't there. Moreover, the ongoing success of services like Facebook suggests that sharing trumps privacy.

January 27, 2010


From The Sunday Times
January 24, 2010

WE may be able to amass 5,000 friends on Facebook but humans’ brains are capable of managing a maximum of only 150 friendships, a study has found. Robin Dunbar, professor of Evolutionary Anthropology at Oxford University, has conducted research revealing that while social networking sites allow us to maintain more relationships, the number of meaningful friendships is the same as it has been throughout history.

Dunbar developed a theory known as “Dunbar’s number” in the 1990s which claimed that the size of our neocortex — the part of the brain used for conscious thought and language — limits us to managing social circles of around 150 friends, no matter how sociable we are. These are relationships in which a person knows how each friend relates to every other friend. They are people you care about and contact at least once a year.

Dunbar derived the limit from studying social groupings in a variety of societies — from neolithic villages to modern office environments. He found that people tended to self-organise in groups of around 150 because social cohesion begins to deteriorate as groups become larger. Dunbar is now studying social networking websites to see if the “Facebook effect” has stretched the size of social groupings. Preliminary results suggest it has not.

“The interesting thing is that you can have 1,500 friends but when you actually look at traffic on sites, you see people maintain the same inner circle of around 150 people that we observe in the real world,” said Dunbar. “People obviously like the kudos of having hundreds of friends but the reality is that they’re unlikely to be bigger than anyone else’s. “There is a big sex difference though ... girls are much better at maintaining relationships just by talking to each other. Boys need to do physical stuff together.”

Dunbar’s study is due to be published later this year.

January 26, 2010


By Natalie Weinstein

An Italian decree that would require the vetting of videos with sexual or violent content could take effect as soon as February 4, according to reports. The government decree, which affects sites such as Google's YouTube, would also require sites that regularly upload videos to obtain a license to operate in Italy, the Associated Press reported Friday.

Companies and organizations, including Google, telecommunications providers, and press watchdog groups, are seeking changes in the proposed decree. They assert that it would hurt freedom of expression and be extremely difficult to enforce and monitor. The draft decree "poses yet another threat to freedom of expression in Italy," Reporters Without Borders said in a statement this week.

Marco Pancini, European senior policy counsel of Google Italia who testified this week before an Italian parliamentary committee, said Friday that he expects that the proposal will undergo changes and be delayed. "We are concerned over the fact that [companies], like YouTube, that simply make content available to the general public, are being bundled together with traditional television networks that actually manage content," Pancini told the newspaper La Stampa, according to Time. "It amounts to destroying the entire Internet system."



WASHINGTON — Declaring that an attack on one nation’s computer networks “can be an attack on all,” Secretary of State Hillary Rodham Clinton issued a warning on Thursday that the United States would defend itself from cyberattacks, though she left unclear the means of response. In a sweeping, pointed address that dealt with the Internet as a force for both liberation and repression, Mrs. Clinton said: “Those who disrupt the free flow of information in our society or any other pose a threat to our economy, our government and our civil society. Countries or individuals that engage in cyber-attacks should face consequences and international condemnation.”

Her speech was the first in which a senior American official had articulated a vision for making Internet freedom a plank of American foreign policy. While the details remained sketchy, her remarks could have far-reaching consequences, given the confrontation between Google and the Chinese government over the company’s assertion that its networks had been subject to a sophisticated attack that originated in mainland China. Mrs. Clinton called for China to investigate Google’s accusation and be open about its findings. She said that the United States supported Google in publicly defying the Chinese government’s requirement that it censor the contents of its Chinese-language search engine. “Censorship should not be in any way accepted by any company from anywhere,” Mrs. Clinton said. “American companies need to take a principled stand. This needs to be part of our national brand.”

This month Google announced that it was “no longer willing to continue censoring” search results for its Chinese users, pointing to breaches of Gmail accounts held by human rights activists in China. Several other companies had also been targets of hacking, the company found. Google has avoided placing direct blame on the government in Beijing, which has sought to describe the situation as strictly a business dispute.

The Obama administration has been similarly cautious. Last week, a senior administration official said the United States would issue a “démarche” — a diplomatic move often used to lodge a protest — against China in the coming days. An official said Thursday that the administration would hold off to see whether the Chinese responded to Mrs. Clinton’s call for an explanation of the Google allegations.

The administration’s dealings with China are further complicated by the American debt held by the Chinese government and issues like climate change, on which the United States is seeking its cooperation. Though Mrs. Clinton said the administration would air its differences with Beijing, she said it would be in the context of a “positive, cooperative, and comprehensive relationship” — a clause added to her speech at the last minute.

Mrs. Clinton also identified Saudi Arabia, Egypt, Tunisia, Vietnam and Uzbekistan as countries that constrain Internet freedom or persecute those who use the Web to circulate unpopular ideas. She pointed to an Egyptian blogger, Bassem Samir, who was in the audience at the Newseum in Washington for Mrs. Clinton’s speech and had been imprisoned by Egyptian authorities. Human rights groups applauded the speech, though some questioned how the United States would enforce the warnings.

Tom Malinowski, the Washington advocacy director for Human Rights Watch, said the United States should treat China’s forced censorship as an unfair trade practice, which could be confronted through the World Trade Organization or raised in future trade negotiations. Still, Mr. Malinowski said: “I really thought this was groundbreaking. She showed no hesitation in naming countries, including U.S. allies, for suppressing speech on the Internet. She made a very strong case for connecting Internet freedom to core American national security interests.”

As secretary of state, Mrs. Clinton has elevated the role of the Internet and digital technology in American diplomacy. She named Alec Ross, a technology entrepreneur who advised the campaign of President Obama, as her senior adviser for innovation. Mr. Ross has assembled a team that is pursuing programs like a social network for young people in Pakistan and a service that lets people in Mexico file electronic reports on drug-related activity.

Mrs. Clinton announced a new $15 million effort to help more young people, women and citizens groups in other countries communicate on the Web. None of the proposals she mentioned focused on China or Iran, and the financing is relatively modest. For Cameran Ashraf, 29, an Iranian-American information technology worker who has helped Iranian protesters circumvent government filtering of their messages, Mrs. Clinton’s tone was enough. “I didn’t expect such strong, forceful language,” he said. “I was beyond pleased.”

Brian Knowlton contributed reporting.

January 14, 2010


By Andrew Jacobs
The New York Times

BEIJING — Google has agreed to hand over a list of books by Chinese authors that it has scanned in recent years, company executives said on Monday, in an apparent effort to placate writers who say their works were digitized without their permission. In a letter sent to an association of 8,000 Chinese writers, Google also apologized for any misunderstanding that might have angered authors and said it would work to forge an agreement on digitizing books by early summer.

“We definitely agree that we haven’t done a sufficient job in communicating with Chinese writers,” Erik Hartmann, who runs the Asia-Pacific division of Google Books, wrote in a letter to the China Writers’ Association, which posted the letter Sunday on its Web site. The clash between Google and the Chinese writers group mirrors similar strife that has accompanied the company’s Books Search project, an ambitious effort to digitize every known book and make the contents searchable online.

Writers in the United States, France and Germany have filed lawsuits seeking to stop the company from digitizing works without the explicit permission of copyright holders. Some litigants have demanded monetary compensation for scanned books.

Last month Mian Mian, a novelist in Shanghai, became the first Chinese writer to sue Google for copyright infringement. A judge has urged both sides to settle the litigation. Google insists it is following Chinese and American copyright law and says digitized books are deleted upon the request of an author or publisher. It also rejects assertions that the company has made some Chinese books available on the Internet in their entirety.

“In China like everywhere else, if a book is in copyright we don’t show more than a few snippets of text without the explicit permission of the rights holder,” Courtney Hohne, a Google spokeswoman, wrote in an e-mail message. “In addition, we have a longstanding policy of honoring authors’ wishes, and authors or publishers who wish to exclude their book may do so at any time.” Ms. Hohne said that more than 50 Chinese publishers had agreed to allow 60,000 books to be included in the company’s scanning program.

Zhang Hongbo, the secretary general of the China Written Works Copyright Society, which manages Chinese copyrights, hailed the letter and the apology. “It is a result that all Chinese copyright holders have been waiting for,” he said. “We look forward to Google’s deeper understanding of this issue.”

Some media accounts suggested that the search engine giant had caved to the group’s demands, but Google insisted that it had agreed only to provide a list of scanned titles and to find a workable solution for both sides.

In his letter, Mr. Hartmann, the Google executive, described the agreement to release scanned book titles as “unprecedented” and asked Chinese writers to appreciate the company’s sincere interest in settling the issue amicably.

January 7, 2010


By Abu Bakar Munir

Soon, Malaysia will have a comprehensive data protection law governing the processing of personal data. As mentioned elsewhere, the Personal Data Protection Bill (PDP) has been tabled for the first reading in November 2009. The second reading will take place in March 2010. This discussion is based on the assumption that the PDP Bill is passed in its current form.

The European Union (EU) has adopted its 1995 Data Protection Directive (DPD). Article 25 of the DPD provides that the Member States shall provide that the transfer to a third country of personal data may only take place only if the third country in question ensures an adequate level of protection. In another words, transfer of personal data from any European country to Malaysia may only take place if there is an adequate protection afforded by the PDP Act.

The European Commission has the power to make a decision of adequacy upon consultation with the Article 29 Data Protection Working Party. This Working Party has developed the Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12). The WP 12 assessment framework consists of two parts: content principles and procedural/enforcement requirements.

Content principles sets out minimum requirements for the content of the law governing collection and processing of personal data. There are six contents principles that Malaysian PDP law should have: the purpose limitation principle, the data quality and proportionality principle, the transparency principle, the security principle, the right of access, rectification and opposition, and restrictions on onward transfers. The Malaysian PDP law does contain all these principles.

In assessing the adequacy, the Working Party will also consider the scope or reach of the regime. They are divided into: (1) scope with regard to the data controller, (2) scope with regard to the data subject, (3) scope with regard to the means of processing, (4) scope with regard to the purpose of the processing operations, and (5) territorial scope. The Malaysian PDP law may not be able to satisfy scopes (1) and (4). Under the former, the data protection law of a country must apply to all entities and organizations, all data controllers within the jurisdiction: public or private, corporate and individual, actual and potential. Here lies the problem, the Malaysian PDP Act, in section 3 exempts the Federal and State Government from its application. Under the latter, the law is to be applied to all processing of personal data regardless of purpose. Again, the Malaysian PDP Act in section 2 provides that the Act only applies to the processing of personal data in respect of commercial transactions.

Under the procedural and enforcement mechanisms or requirement, the WP 12 states that a system of external supervision in the form of an independent authority is a necessary feature of a data protection compliance system. In another words, there must be an independent supervisory authority to enforce the law. Under the Malaysian PDP Act, the supervisory authority is the Data Protection Commissioner (DPC). He or she will be appointed by and responsible to the Minister. Clearly, the DPC is not an independent authority.

The EU is one of the Malaysia’s largest trading partners. The total trade in 2008 alone amounted to USD41.0 billion. Free flow of personal data can further facilitate and stimulate trade and investment. The enactment of the PDP law is the best opportunity for Malaysia to achieve that. This very brief assessment, however, indicates that the PDP Act does not pass the EU’s adequacy requirement test. What is the implication? Transfers of personal data may still take place provided that the originating party takes additional measures to ensure that the data is adequately protected in Malaysia. It is a missed opportunity.

As the adviser to the Government of Malaysia on data protection, it is my duty to ensure that the PDP Law is in line with the international norms and standards, including the standards set by the EU DPD. However, I have been advised that the issues mentioned above are policy matters that could not be changed.

January 6, 2010


By Abu Bakar Munir

The EU Data Retention Directive 2006/24/EC is being implemented. This Directive obligates the operators of public telephone services and internet service providers to retain trafiic and communications data for a period of between six months and two years for the purpose of investigation, detection and prosecution of serious crime. This means that each Member State should have its own version of the “data retention” directive embodied and incorporated into its national law. Unfortunately, the national legislation some of the Member States have been challenged and declared unconstitutional and in contravention with Article 8 of the European Convention on Human Rights (ECHR).

The Romanian Constitutional Court (RCC) in its decision no 1258 (1) from 8 October 2009 held that the Romanian Law 298/2008 which implements the Directive was unconstitutional. Among others, the RCC based its decision on the fact that Law 298/2008 which mandates data retention considers all citizens as potential criminals. The RCC held,"This operation equally addresses all the law subjects, regardless of whether they have committed penal crimes or not or whether they are the subject of a penal investigation or not, which is likely to overturn the presumption of innocence and to transform a priori all users of electronic communication services or public communication networks into people susceptible of committing terrorism crimes or other serious crimes.”

The RCC went further and held that Law 298/2008 has large applicability – practically to all physical and legal persons users of electronic communication services or public communication networks. It can't be considered to be in agreement with the provisions in the Constitution and Convention for the defence of human rights and fundamental freedoms regarding the guaranteeing of the rights to private life, secrecy of the correspondence and freedom of expression.

The Bulgarian Supreme Administrative Court (SAC) in December 2008 annulled Article 5 of the national legislation that implements the Data Retention Directive. A five-member panel of the SAC annulled the Article, considering that the provision did not set any limitations with regard to the data access by a computer terminal and did not provide for any guarantees for the protection of the right to privacy stipulated by the Bulgarian Constitution. The SAC held that Article 5 of the Regulation is in contradiction with the provision of Article 8 of the ECHR.

On 16 March 2009, the Administrative Court of Wiesbaden in Germany held that the blanket recording of the entire population’s telephone, mobile phone, e-mail and Internet usage was disproportionate. The court is of the opinion that data retention violates the fundamental right to privacy. It is not necessary in a democratic society. The Court held that Directive does not respect the principle of proportionality guaranteed in Article 8 ECHR and therefore is invalid.

On 15 December 2009, the Germany's biggest-ever class action lawsuit took place with over 34,000 plaintiffs which includes the Justice Minister challenging the local law that implements the Directive. The parties to this legal battle are anxiously waiting for the decision of the German Constitutional Court on this matter. So as the other Europeans and EU Member Countries. Constitutional Court President Hans-Jürgen Papier said at the beginning of the hearing that the complaint raises fundamental questions about the relationship between freedom and security. Let’s wait and see.

The Data Retention Directive, so far, has not been challenged in the U.K. However, in the landmark case from the country, S. Marper v The United Kingdom, the European Court of Human Rights had held that blanket retention of fingerprints, cellular samples and DNA profiles is in breach of Article 8 of the ECHR. In this case, the Court held:

“The blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate interference with the applicants’ right to respect for private life and cannot be regarded as necessary in a democratic society.”

According to the European Digital Rights (EDRi), another action is pending in Ireland, while an application to the Constitutional Court of the Czech Republic is currently being prepared. As recently as December 2009, the EDRi and German Working Group on Data Retention (AK Vorrat) are calling on the European Union to repeal the 2006 Directive. Alternatively, they demanded that it is amended to introduce an opt-out right allowing Member States to decide whether or not to require the retention of communications data. The Directive is still very young but it is already facing a lot of challenges. In fact, it has received strong criticisms and resistances throughout since the very inception until its birth. But now it is a different kind of challenge – legal in nature. Would it survive?

January 2, 2010


By Abu Bakar Munir

Our lives are being “invaded” by the Social Networking Sites (SNS), allowing us to socialize in cyberspace. We are facing the world of Facebook, MySpace, Friendster, Twitter, etc. These SNS are extremely popular. The users and usages are very diverse; from children as young as ten years old to corporate and country leaders; from just chitchatting and posting photos to business and science applications. Obama uses SNS to get into, and, perhaps remain in power. Only recently in July 2009, Bill Gates said that he decided to give up using Facebook as he does not want to have too many friends. He said, “Facebook was just way too much trouble so I gave it up”. Social networking services are increasingly being used for criminal investigations. Information posted on the sites has been used by the police, probation, and university officials to prosecute users of the sites. Now, SNS are crawling into the courtrooms.

The Australian Capital Territory Supreme Court in the case of MKM Capitol Property Ltd v. Corbo and Poyser, ACT Sup Ct, 12 December 2008 (No. SC 608 of 2008) has allowed substituted notice be served through the Facebook. MKM, a lending company, obtained default judgment against two defendants. The company has made several attempts to reach the defendants, but still experienced difficulty serving the default judgment using traditional methods. MKM’s lawyers then discovered that both defendants had active Facebook profiles, and that they were “friends” with one another. In this case, the friends list of both defendants was visible. The lawyers sought permission for default judgment to be served on both defendants via Facebook. An application for substituted service was granted.

Just eight months earlier in April, in the case of Citigroup Plc Ltd v Weekaroon [2008] QDC 174 (16 April 2008), a similar application was made for substituted service of a statement of claim on a defendant through the Facebook. In rejecting the application, the Queensland District Court Judge Ryrie said:

"I am not satisfied in light of looking at the – the uncertainty of Facebook pages, the facts that anyone can create an identity that could mimic the person identity and indeed some of the information that is provided there does not show me with any real force that the person who created the Facebook page might indeed be the defendant, even though practically speaking it may well indeed be the person who is the defendant".

What are the distinguishing factors between MKM and this case that led to the differing of the decisions? In the former, MKM’s lawyers were able to show that the Facebook profiles were those of the defendants. The lawyers demonstrated that these profiles listed various personal details, such as their dates of birth, which were known to MKM. Neither defendant had used any of the various privacy settings, which would have restricted the outside world’s access to their pages. In granting the application, the judge in the MKM case even stipulated that the documents were to be served privately, which rules out the option to post anything on the defendants’ “walls” – the Facebook equivalent of a public notice board.

On 16 March 2009, the New Zealand court followed MKM case. In the case of Axe Market Gardens Limited v. Axe CIV-2008-485-2676, the High Court of Wellington granted an application for a substituted service on a defendant in the U.K through Facebook. In this case, the plaintiff company had difficulties in locating and serving the defendant. The latter was living in the U.K but his exact location was unknown. The defendant had corresponded via email and was also known to have a Facebook site. According to the New Zealand Free Press, “Justice Gendall did not bat an eyelid in the court room when approving the order after being assured that newspaper adverts could not be effectively targeted”.

The Canadian courts in several occasions have had to deal with the requests to produce personal information from the website of Facebook as evidence in litigations. The courts had to decide on the admissibility of the evidence. So far, in all the cases, the courts have decided that the evidence taken from the Facebook webpage is admissible in court. In the case of Kourtesis v. Joris (2007) O.J. No. 5539 (S.C.J), the request was for four color photos taken from Facebook. The Ontario Superior Court of Justice held that the photographs were highly relevant and admissible. The same court had another opportunity in the case of Murphy v. Perger (2007) O.J. No. 5511 (S.C.J). The judge ordered Facebook pages to be produced because of the public nature of the website.

In the case of Leduc v. Roman (2009) O.J. No. 681, Justice Brown concluded that a party who maintains a private or limited access, Facebook profile stands in no different position than one who sets up a publicly-available profile. He went further stated that both are obliged to identify and produce any postings that related to any matter at issues in action.

In the most recent case of Terry v. Mullowney (2009) NLTD 56, the defense lawyers were able to use the Facebook activities of the plaintiff to argue that the plaintiff exaggerated his injuries and claimed. The court accepted this evidence and held that without the evidence he would have been left with a very different impression of Mr. Terry, the plaintiff. Justice Adam stated, “Mr. Terry was claiming a $ 1.5 million payout and was given $40, 000 instead. His credibility was undermined because of his activities as displayed on his public profile on Facebook”.

Obviously, SNS and Facebook in particular are delighted by this court endorsement. In response to the decision of the Australian court in MKM case, Facebook stated, “We’re pleased to see Australian court validate Facebook as a reliable, secure and private medium of communication. The ruling is also an interesting indication of the increasing role that Facebook is playing in people’s lives…” Is this a beginning to the many invasions in the future? Would it spread into other courts in other countries? SNS in future, perhaps, would also mean Substituted Networking Services.