Robin Wilton's esoterica

As part of the ongoing legal punch-up between Viacom (MTV, Paramount pitcures) and Google (YouTube) over allegations of copyright infringement, a US court has ruled that Google must disclose the usernames, IP addresses and viewing histories of all its users.

This seems a strange move on the face of it; surely all that's needed is a list of the history entries which relate to Viacom's copyright material... not the associated user-name. After all, what Viacom appears to be after is Google's money, rather than royalties from the users themselves.

Both the EFF (Electronic Frontier Foundation)  and Simon Davies of the LSE have commented via this BBC article, noting that this has been a privacy disaster waiting to happen for a while now...

"Leading privacy expert Simon Davies told BBC News that the privacy of millions of YouTube users was threatened:

"The chickens have come home to roost for Google.

"Their arrogance and refusal to listen to friendly advice has resulted in the privacy of tens of millions being placed under threat."

Mr Davies said privacy campaigners had warned Google for years that IP addresses were personally identifiable information.

Google pledged last year to anonymise IP addresses for search information but it has said nothing about YouTube data.

Mr Davies said: "Governments and organisations are realising that companies like Google have a warehouse full of data. And while that data is stored it is under threat of being used and putting privacy in danger."

The EFF said: "The Court's erroneous ruling is a set-back to privacy rights, and will allow Viacom to see what you are watching on YouTube.

"We urge Viacom to back off this overbroad request and Google to take all steps necessary to challenge this order and protect the rights of its users."

The body said the ruling was also potentially unlawful because the log data did contain personally identifiable data.

The court also ruled that Google disclose to Viacom the details of all videos that have been removed from the site for any reason."

I suppose, from the point of view of the average user, three questions are appropriate:

1. Once this disclosure has happened, what adverse effects should users look out for, and what should they do about it?
   
2. Will this actually prompt any users to change their YouTube viewing habits? I would guess not: if the content is posted, people will watch it... believing the whole copyright question to be Someone Else's Problem.
   
3. What's the position of those users who allegedly uploaded the copyright material in question?

Last week I blogged about the release of the highly critical Poynter Report into the HMRC data breach;what I didn't also blog at the time was the localised blizzard of other public-sector-data-custody-related reports which, fortuitously, just happened to be released at the same time.

- The Coleman Report (Nick Coleman, formerly of IBM), Cabinet Office-commissioned report on Government Information Assurance - 31 pages;

- Sir Edmund Burton's (MoD) report into the loss of 600,000 personal records on a laptop in January 2008 - 76 pages;

- IPCC (Independent Police Complaints Commission) report into the HMRC data breach - 61 pages.

The timing of their release means that all these can be conveniently offset against the publication of:  

- Sir Gus O'Donnell's long-anticipated report into Government Data-Handling - 46 pages.

The web page for this report also has a link to a document which sets out "mandatory minimum measures" for improved data-handling and access control, here. It relates only to central government departments and agencies. Regrettably, this linked document is missing some useful things - such as a title page, author, date, document reference number, index, table of contents, overview or summary of recommendations... but the contents themselves look interesting, so in the interests of public service, here's what the Table of Contents would have contained:

Document Title: Cross Government Actions: Mandatory Minimum Measures

Section 1 - Process measures to manage information risk

Section 2 - Specific minimum measures to protect personal information

Section 3 - Minimum scope of protected personal data

Annex - external access by impact/eGIF level

This last part, the Annex, sets out a matrix classifying kinds of data (from 'public domain' up to 'violent/sex offender and witness protection information') and sets out the network and terminal access which is to be allowed for each classification.

It all looks commendable, but I wonder if the technical and procedural implementation work can succeed in "delivering against the vision", as they say.

It sounds expensive... which will doubtless raise the question: is this expenditure paying off in a way which is visible to the voter and quantifiable to the government? If not, it will be interesting to see how long the resolve to continue funding it persists.