For an informed view on connected entertainment in the UK & Ireland, visit Cue Entertainment
Online
retailer Gamestation revealed its “terms and conditions” shortly after the
first day of the fourth month of 2010. Everyone who clicked “I accept” without
reading the small print learned that they had assigned to Gamestation “a
non-transferable option to claim, for now and forever more, your immortal
soul.”
It was, of
course, an April Fools’ Day spoof. The terms and conditions required by Google
are not.
Millions
of users have nodded through the boilerplate and signed up to “a perpetual,
irrevocable, worldwide, royalty-free and non-exclusive license to reproduce,
adapt, modify, translate, publish, publicly perform, publicly display and
distribute any Content which you submit, post or display on or through the
Services.”
It is no
joke. Those are Google’s terms and conditions for anyone who accesses the
company’s online sites, whether Gmail, Google Docs or YouTube.
Comparable
conditions apply to Apple’s services where users grant the company a “ …
worldwide, royalty-free, non-exclusive license to use, distribute, reproduce,
modify, adapt, publish, translate, publicly perform and publicly display such
Content on the Service.”
Caught
between the requirements of customer confidentiality and the technical needs of
the service, other cloud operators impose near-identical conditions. Of course,
they are all reputable companies that would not dream of implementing such
draconian terms or poking about in other people’s data so the courts will never
test such legal jargon.
Or will
they?
One of the
primary reasons these terms and conditions are included is to accommodate the
legal right of the US Department of Justice to require a cloud service provider
to hand over data without the consent or the knowledge of the owner. Microsoft
drew attention to the provisions of the US Patriot Act at the launch of its
Office 365 cloud computing service last month when UK MD Gordon Frazer
acknowledged that the American authorities could intercept and inspect any data
on the system.
“Any
US-headquartered company operating in Europe is subject to the same law,” said
Frazer.
Criminologist
Zack Whittaker, who is an authority on the Patriot Act and its implications for
European businesses, says that any data held in the US, even for a brief
moment, is vulnerable to US law although data stored locally and processed by a
wholly owned UK company will remain under UK jurisdiction.
In a
Q&A hosted by online technical news service ZD Net, he said, “The scope of
the Patriot Act is widespread and could apply to entire companies. Patriot Act
requests can be vague and lacking in description. Your data can be mined for
information and your customers (if you have any) could have intelligence
acquired on them. Ultimately, if something incriminates you or your clients and
customers, they could face the US courts, even if they are outside US
jurisdiction.”
This is
significant because Microsoft, Google and Facebook occupy the first three
places in the Top 10 online properties in the UK for the month of May,
according to internet analyst comScore. Other major names included are Amazon,
Glam Media and Apple. Just one organisation in the list – BBC.co.uk, which is
in fifth place – is outside the tentacles of the Patriot Act although some
parts of the BBC’s operation are vulnerable.
Whittaker
says, “Even though the BBC in London is under UK law, its US-based offices will
be subject to US law. However, there’s no reason why UK law enforcement cannot
request data under the Regulation of Investigatory Powers Act and then hand
this over to the US in an intelligence sharing agreement.”
The
comScore data reveals that Microsoft and Google each had more than 38 million
unique visitors from the UK in May. All of their data, from Gmails to Google
Docs and Office 365 files, is subject to US law and must be disclosed by the
operator on request. In the same month, just over 30 million people in the UK
spent an average of seven hours each on Facebook. Here again, whatever the
“privacy” settings on the Facebook account, the US Department of Justice can
examine their information if it so wishes. US citizens might have some
protection under the law but there appears to be little that British residents
can do to prevent it.
The
department is empowered to search for evidence of bribery and corruption,
unfair business terms and practices and any other activity prejudicial to the
perceived interests of the United States, including terrorism. According to a
report earlier this year in Wired magazine, a Justice official told a
Congressional committee that the “business records” provision of the Patriot
Act covers “Driver’s licence records, hotel records, car-rental records,
apartment-leasing records, credit card records and the like.”
Some US
politicians have tried to draw attention to the catchall application of the
Act. Oregon Democratic Senator Ron Whyden said, “The (US) government is relying
on secret interpretations of what the law says without telling the public what
those interpretations are, and reliance on secret interpretations of the law is
growing.”
The
comment by Microsoft’s UK MD took EU regulators by surprise. The European Data
Protection Directive requires EU-based organisations to notify users whenever
they disclose information to third parties, which is not the case with the
Patriot Act. When data is exported, however briefly, it loses any protection
afforded under European law and is open to examination by US investigators.
Dutch MEP
Sophia in t’Veld was swift to point out that the Commission affirmed in a 2007
written reply that national data protection laws apply to services provided
within the EU. In an official question last week, she asked, “Does the
Commission consider that the US Patriot Act effectively overrules the EU
Directive on Data Protection? What will the Commission do to remedy this
situation and ensure that EU data protection rules can be effectively enforced
and that third-country legislation does not take precedence over EU
legislation?”
The
official viewpoint is still that European subscribers benefit from the
protection afforded by the EU data protection law but behind the scenes there
is consternation. The Commission had already planned to come forward with
specific proposals before the end of this year: the concern engendered by
Frazer’s revelation may speed up the process.
A report
published last month by the research organisation Eurobarometer revealed that
three out of four Europeans accept that revealing personal data is inevitable.
They worry, however, that the companies that operate search engines and social
networking sites could misuse the information entered into them.
According
to the report, 62% of respondents say they provide the minimum information
required in order to protect their identity, while 75% want the ability to
delete personal information: the “right to be forgotten”.
In
response to the concerns voiced in the survey, EU Justice Commissioner Viviane
Reding says, “When I modernise the data protection rules, I want to clarify
explicitly that people shall have the right – not only the possibility – to
withdraw their consent to data processing.”
European
Commission Digital Agenda VP Neelie Kroes says, “Many people are reluctant to
shop online because they are worried about privacy. This is holding back the
development of Europe’s digital single market, and hampering our economic
recovery.”
One of the
goals of EU data protection reform is to ensure increased transparency about
what data is collected and further processed, for what purposes and where and
how it is stored. A key principle is that users must give consent before their
data is used. Companies must not pass on information without the user’s
approval and cannot use it for purposes other than those agreed.
The
Eurobarometer survey shows that 58% of internet users read privacy statements
online but not all understand them. In total, 62% of users do not understand,
do not read, cannot find, or ignore such privacy statements.
At least
Gamestation rewarded the folk who actually read the contract and clicked to opt
out of the deal with devil. A £5.00 voucher went to the one-in-eight customers
who claimed not to have an immortal soul or to have already assigned it to a
third party.
Europeans
who fall afoul of the Patriot Act simply because their Cloud happens to be
hosted in North America could find that it is nothing to laugh about.
No comments:
Post a Comment