Re: EU Data Protection
At 04:43 PM 8/4/95 +0002, Kari Laine wrote:
Excuse me - what the f**k is this? Does it bear some truth in it or is it just a bad joke? If it is not a joke where to get the damn text - thanks. Sorry for the language but this does sound just the thing I have heard some rumours of and which certainly would result in banning strong crypto.
http://snyside.sunnyside.com/cpsr/privacy/privacy_international/international_laws/ec_data_protection_directive_1995.txt Has the preliminary text. The final won't be up for a while but won't be that different. Also try: http://www.open.gov.uk/dpr/dprhome.htm The UK Data Protection Registrar's home page. They've been trying to control electronically stored records since 1984. DCF
Just more evidence for why even "well meaning" policywonks are dangerous. Take for instance the rule that "data must be kept up to date and accurate". How up to date and what is accuracy? So if I have a commercial web page which records transactions on my server, and I stop logging and keep year old records, do some statistic processing on them, I am in violation for having stale data. And what the hell is "accurate" data? All information about other people is subjective. I should be entitled to record any statistics about you for my use that I want. Just by interacting with me you transmit information. If I interact with you and get the "wrong impression" about what type of person you are, am I in violation for storing inaccurate data? (e.g. if I write in my computerized diary "I think John Smith is a jerk.") How will this law affect reputation servers? If my reputation server has what you consider a bad review of you, am I in violation? Privacy should be implemented via cryptography, not obscure political machines which are doomed to fail and produce a black market for personal data anyway. -Ray
In message <199508041840.OAA01729@clark.net>, Ray Cromwell writes:
Just more evidence for why even "well meaning" policywonks are dangerous. Take for instance the rule that "data must be kept up to date and accurate". How up to date and what is accuracy? So if I have a commercial web page which records transactions on my server, and I stop logging and keep year old records, do some statistic processing on them, I am in violation for having stale data.
If I remember the Irish data protection laws accurately, the idea is to keep inaccurate data on individuals (and, possibly, companies). I doubt if data which cannot be used to identify individuals would qualify. (There is a small exemption for clubs, I can't remember the details exactly.) Assuming the same model is being proposed where you are, I doubt if it would mean you could be prosecuted for holding old transaction records, just ones that either (i) are out of date because someone may be listed as not having paid when they have or (ii) record transactions that didn't take place.
And what the hell is "accurate" data? All information about other people is subjective. I should be entitled to record any statistics about you for my use that I want. Just by interacting with me you transmit information. If I interact with you and get the "wrong impression" about what type of person you are, am I in violation for storing inaccurate data? (e.g. if I write in my computerized diary "I think John Smith is a jerk.")
I think you miss an important point; your opinion is subjective, but data can relate to objective facts (e.g. credit records). Would you take the same stance if a credit bureau claimed that you couldn't pay back half the loans you took out? What worries me about the *lack* of some form of data protection legislation is that it allows someone to build up a database of information which is a mishmash of truth, misunderstandings and lies. How would you feel if "Concerned Citizens against Cryptography" compiled a list of all members of this list, branding them as `dangerous, possibly criminal subversives'? What if that opinion was spread to other databases? How about the police investigating you because of this kind of database?
How will this law affect reputation servers? If my reputation server has what you consider a bad review of you, am I in violation?
Personally, I wouldn't take a reputation server seriously; after all if you labelled me a jerk, I could do the same to me on my own server! :-) Seriously, I don't think something as frivolous as a reputation server should be illegal, but anything that records information about individuals that could result in harm to said individuals (e.g. by falsely branding them a bad credit risk, falsely claiming them to have a criminal record, etc.)
Privacy should be implemented via cryptography, not obscure political machines which are doomed to fail and produce a black market for personal data anyway.
I'm sorry, but I don't think this marked metaphor holds here. Derek Bell
participants (3): Derek Bell, Duncan Frissell, Ray Cromwell