1995-08-11 - Re: EU Data Protection

Header Data

From: Derek Bell <dbell@maths.tcd.ie>
To: CypherPunks <cypherpunks@toad.com>
Message Hash: 906c181fb0b25f64bd52479c003264a93d4ff31b669a18888b473b090d121551
Message ID: <9508112013.aa23273@salmon.maths.tcd.ie>
Reply To: <199508041840.OAA01729@clark.net>
UTC Datetime: 1995-08-11 19:13:57 UTC
Raw Date: Fri, 11 Aug 95 12:13:57 PDT

Raw message

From: Derek Bell <dbell@maths.tcd.ie>
Date: Fri, 11 Aug 95 12:13:57 PDT
To: CypherPunks <cypherpunks@toad.com>
Subject: Re: EU Data Protection
In-Reply-To: <199508041840.OAA01729@clark.net>
Message-ID: <9508112013.aa23273@salmon.maths.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain


In message <199508041840.OAA01729@clark.net>, Ray Cromwell writes:
>  Just more evidence for why even "well meaning" policywonks are dangerous.
>Take for instance the rule that "data must be kept up to date and accurate"
>How up to date and what is accuracy? So if I have a commercial web page
>which records transactions on my server, and I stop logging and keep
>year old records, do some statistic processing on them, I am in
>violation for having stale data. 

	If I remember the Irish data protection laws accurately, the idea
is to keep innaccurate data on individials (and, possibly, companies). I
doubt if data which cannot be used to identify individuals would qualify.
(There is a small exemption for clubs, I can't remember the details exactly.)
Assuming the same model is being proposed where you are, I doubt if it would
mean you could be prosecuted for holding old transaction records, just ones
that either (i) are out of date because someone may be listed as not having
paid when they have or (ii) record transactions that didn't take place.

>  And what the hell is "accurate" data? All information about other people is 
>subjective. I should be entitled to record any statistics about you for my 
>use that I want. Just by interacting with me you transmit information. If
>I interact with you and get the "wrong impression" about what type of
>person you are, am I in violation for storing inaccurate data? (e.g. if
>I write in my computerized diary "I think John Smith is a jerk.")

	I think you miss an important point; your opinion is subjective, but
data can relate to objective facts (e.g. credit records). Would you take the
same stance if a credit bureau claimed that you couldn't pay back half the
loans you took out?

	What worries me about the *lack* of some form of data protection
legislation is that is allows someone to build up a database of information
which is a mishmash of truth, misunderstandings and lies. How would you feel if
"Concerned Citizens against Cryptography" compiled a list of all members
of this list, branding them as `dangerous, possibily criminal subversives'?
What if that opinion was spread to other databases? How about the police
investigating you because of this kind of database?

>  How will this law affect reputation servers? If my reputation server
>has what you consider a bad review of you, am I in violation?

	Personally, I wouldn't take a reputation server seriously; after all
if you labelled me a jerk, I could do the same to me on my own server! :-)

	Seriously, I don't think something as frivilous as a reputation
server should be illegal, but anything that records information about
individuals that could result in harm to said individuals (e.g. by falsely
branding them a bad credit risk, falsely claiming them to have a criminal
record, etc.)

>  Privacy should be implemented via cryptography, not obscure politcal
>machines which are doomed to fail and produce a black market for 
>personal data anyway.

	I'm sorry, but I don't think this marked metaphor holds here.

	Derek Bell





Thread