Slashdot Mirror


Why Big Data Could Sink Europe's 'Right To Be Forgotten'

concealment tips this news from GigaOm: "Europe's proposed 'right to be forgotten' has been the subject of intense debate, with many people arguing it's simply not practical in the age of the internet for any data to be reliably expunged from history. Well, add another voice to that mix. The European Network and Information Security Agency (ENISA) has published its assessment of the proposals (PDF), and the tone is skeptical to say the least. And, interestingly, one of the biggest problems ENISA has found has to do with big data. They say, 'Removing forgotten information from all aggregated or derived forms may present a significant technical challenge. On the other hand, not removing such information from aggregated forms is risky, because it may be possible to infer the forgotten raw information by correlating different aggregated forms.'"

15 of 128 comments

  1. Don't store it in the first place by EmperorOfCanada · · Score: 4, Insightful

    If customers want their data forgotten then maybe they didn't want it stored or shared in the first place. The rule should not so much be about data retention but data gathering. The rule should be quite simple. Any organization that gathers data can't share it at all with anyone not directly connected with the reason it was gathered. So my power company needs my address to know where the lights need to be turned on and enough info to bill me. But anyone beyond billing and switching should not have my data, not management, not marketing, and definitely not a "trusted" third party.

    The same with my driver's license that is needed by two small groups of people, the people who issue the license, and the police if they need to know that I am allowed to drive. It should literally be illegal for anyone else to copy anything from my license if it doesn't involve my ability to drive so say a car rental place would be OK. Many bars have taken to scanning driver's licenses as you enter the bar. Then you start getting mail and crap from the bar and anyone else they sell the data to. I met a guy who rewrote the data on the magnetic strip to cause buffer overruns and crash their little hand held units. He regularly went to every bar downtown that had the scanners as the crash wasn't a simple reboot of the unit as some remote server lost its mind requiring someone to come in.

    These organizations find this data valuable but somehow think they can take that valuable thing from us without negotiation. I say you want my data you can pay me $1,000,000 per byte plus royalties on resale.

    1. Re:Don't store it in the first place by seifried · · Score: 5, Insightful

      But let's say I didn't share my data with Facebook, my friends and associates did. E.g. photos from an event I attended get posted, they tag me in the photos, now Facebook recognition tags me (well in theory..). Someone else enters my birthday in order to be notified a week in advance so they don't forget to email me a happy birthday. Someone enters my home town (actually happened on linkedin, grr). So now Facebook has my name, bday, address, photos of me, and I never logged into Facebook. That is why we need the right to be forgotten.

  2. Lets forget the 'right to be forgotten' by parodyca · · Score: 3, Interesting

    What about my right to control my server? I look at this 'right to be forgot' as the same sort of overreach which allows media companies to put DRM on my ebook reader or smartphone, then make it illegal for me to remove it. My equipment. My decision. You want to force me to keep or remove any software/data, then you get yourself a court order. I don't see why phantom Imaginary property rights seem to keep trumping rights over real property. Sheesh.

    1. Re:Lets forget the 'right to be forgotten' by Luckyo · · Score: 5, Insightful

      This is the entire point of legislation - it's a "court order" without having to go to court every time (which is prohibitive for individual and society) on specific kind of information storage.

      Unfortunately most US-based folks would likely not understand this any more than the average Afghani can understand equality of women. When you never had any expectation of privacy in your culture, another culture with significant presence of such expectation would seem very alien.

    2. Re:Lets forget the 'right to be forgotten' by buchner.johannes · · Score: 3, Insightful

      The right to be forgotten is about the right to have your personal data removed from a company's server, when you want to revoke your trust in a company. If it's your server, and you don't store personal data about other people, you don't have an issue.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    3. Re:Lets forget the 'right to be forgotten' by Anonymous Coward · · Score: 3, Insightful

      There is a fundamental difference between the US and the EU in how personally identifiable data is looked at. In the EU people are practically considered to be the owners of data about them. Users didn't give their data to you, they entrusted you with their data, and you're supposed to take good care of it. That includes using it only for the purpose you collected it for with the user's permission, not passing it on to others, and if this takes effect, removing it if the user requests it.

      You talk about imaginary property rights trumping rights over real property, but you won't be asked to destroy hard drives, your real property isn't touched by this at all, and yet you react as if your property rights over data are real. It really is a question of perspective. Please be open to cultural differences and perspectives different from your own.

  3. It depends on who is asking. by AftanGustur · · Score: 5, Insightful

    When big corporations want "their" data removed from a server farm they simply send an email/letter to the owner and he has to remove it.

    What is the problem with doing the same for people?

    Facebook actually makes it hard for people to remove their content from the service, and it doesn't even say "delete", it says "remove from timeline" (but not from the whole system).

    If I want my Facebook history wiped, it is my right to do that, it is *my* data and Facebook and others shouldn't have an operating license unless they make it really simple for people to "be forgotten".

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    1. Re:It depends on who is asking. by Luckyo · · Score: 4, Informative

      Warning: cultural clash. In Europe, many rights cannot be signed away through TOS regardless of text in the aforementioned TOS. In US, you can even sign away your right to trial by jury.

      As a result, attempts to cross-jury-rig comparisons are quite pointless.

    2. Re:It depends on who is asking. by FireFury03 · · Score: 4, Informative

      But you give Facebook a licence to use this data when you agree to their TOS. The data may have originated from you, but you transferred ownership of it in exchange for the services Facebook provided you with.

      Not in the UK. British data protection laws hold that your data still belongs to you, even if it's being held by another company. This is why that company needs your permission to sell it on. Of course, if it is illegally sold on without your permission and the seller lies to the buyer and tells them you authorised further sales then even if the buyer cares about the law, they may end up selling your data on even though you never gave that permission. (This happened to my data)

      What is needed is a law that prevents dissemination of your data by a company who you haven't given explicit permission to directly.

      If you want full control over your personal data, only sign up with services that gives you full control of the data.
      This includes not signing up to any service that have a TOS that allows them to change their TOS.

      Good luck finding such a service. For personal customers, contracts aren't negotiated, you don't have the option to strike out terms you don't like. And when so many companies require you to permit them to use and sell your data in ways not directly associated with the services they provide, some regulation is needed to stop the public being railroaded into agreeing to this by virtue of having little choice.

  4. the internet destroyed forgetting by circletimessquare · · Score: 4, Informative

    not any government policy or commercial entity

    they call it disruptive technology for a reason. like the printing press, or the gun, or the atom bomb, it dramatically changes the status quo

    it's simple: if you don't want it to live forever, don't put it on the internet. if you put it on the internet, it lives for ever

    that's about the truth of it

    but i suppose many people out there are like music company executives trying to impose legal constructs from the cassette tape age on the internet: unwelcome to accept ugly reality on the subject

    well i'm sorry, you need to accept this as reality, no matter your feelings

    one other point: privacy is NOT dead

    all you have to do is stop offering parts of your life to the internet

    the insane part is feeding private parts of your life to the internet, and then whining about a lack of privacy

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:the internet destroyed forgetting by Luckyo · · Score: 5, Insightful

      Unfortunately you make one massive presumption that is simply impossible to be true, which in turn collapses your house of cards.

      You presume that all information about any given person is supplied only by that person.

      In modern world, it's often the exact opposite. Aside of a few attention whores, most of the "moderately embarrassing info" is posted by people who know the person in question but are not the person in question.

  5. Re:The 'right to be forgotten' by Daniel+Dvorkin · · Score: 4, Insightful

    Few ideas are more absurd. They will have to outlaw all recorded media and burn down the libraries. Make ignorance the law of the land.

    "Right to be forgotten" is an odd phrase, but it doesn't mean anything like what you seem to think it means. Basically it just means you have the right to request that information which you have provided to a particular data repository be removed from that repository. IOW, no more "we own everything you post forever" policies. Seems reasonable enough.

    --
    The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  6. Re:Here's spin by Daniel+Dvorkin · · Score: 4, Funny

    Let's say you meet The President or Prime Minister in real life. They say something that impacts you so greatly, it changes your entire life.

    I met the Prime Minister once, and it had no effect on my life at all. Then again, the PM in question was John Major, so not really a surprise.

    --
    The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  7. Not so absurd after all. by Let's+All+Be+Chinese · · Score: 3, Interesting

    To techies the idea seems absurd, but it's not. Sure, your server, your rules. But what you pull into them is another matter entirely, and the American view that if it's not behind closed curtains, it must be public, doesn't scale.

    Compare, of all places, Japan, where it is in fact customary to "not see" things that are pretty much out in the open out of sheer necessity because too many people are living too close together. In a sense, the internet is worse than Tokyo.

    There's irony here, where the techies are deriding politicians for doing boneheaded things with far too much data. Well, this is part of that, but in reverse, and if they're doing it wrong it's up to us to find ways to do it right and nudge them in the right direction.

    DRM became a bad word because big media deployed it to control their customers, who had thought they'd bought something, only the seller afterward pulled a legalised fast one. David losing to Goliath until dvdjon came along.

    Data protection in this case wouldn't include money passing hands in the reverse direction. It's more like, well, you put DRM on your SSN when you sign up (and pay) for something that requires it, and you can more or less reliably wipe your SSN out of their databases once they no longer need it.

    No longer having to trust some faceless large entity on their wooly word salad assurances and their pretty face is a nice boon for the individual. Bit of a different power balance there.

    Yet the only real fix is to not store all that data in the first place. This means that a lot of data that's being gathered now must not be gathered at all or perhaps some other data needs to be gathered. Zero-knowledge proofs will likely have a big place in that, say to prove you're old enough without showing your ID card with all that extra data you're forced to give out currently. This'll need new technology, but will prove necessary to really scale out our data use without building databases of ruin.

  8. Like a Subject Access Request? by Phydaux · · Score: 3, Interesting

    In the UK (I don't know about the rest of the EU) an individual can send a subject access request to a company or organisation and that organisation has 40 days to send you all the information they have on you. Companies have been doing this for years now. It doesn't seem so hard to change the query from a SELECT to a DELETE.

    Now the paper in the article talks about how publicly available information may be copied (via the web) without the original author/organisation knowing, e.g. you could copy this post and store/publish it elsewhere and neither Slashdot nor I would know, so you can't guarantee that the data will be completely deleted. But personally I don't think this is that big of a deal. If I want company Foo to remove all the information they have on me, for whatever reason, what do I care that company Bar also has information on me?

    I think, to a point, an individual should be responsible for tracking all the information that they want removed, and companies/organisations should be responsible for acting on legitimate requests to remove the information.