FIDIS D12.3: A Holistic Privacy Framework for RFID Applications

 

Work in progress in D7.9: Ambient Law

Conceptualisation of Ambient Law

Ambient Law (AmL) should articulate the relevant legal norms into technological devices:  

  1. the mandatory rules of Directive 95/46/EC should be inscribed into the technological infrastructure and its devices, making the violation of these rules impossible by design (transparency, use limitation, purpose specification, consent, data quality, participation, accountability of the data controller)

    1. transparency: history management of one’s personal data and access to processed personal data with data controllers should be made possible via M2M communication

    2. purpose specification & use limitation: such transparency should enable one’s PDA (M2M) to check which purposes are declared, and to check whether the principles of purpose specification and use limitation have been complied with

    3. consent: one’s machine-proxy should be capable of negotiating the supply and processing of personal data, according to one’s personal preferences, while taking into account the mandatory aspects of data protection legislation

    4. data quality & participation: one’s machine-proxy should be capable of matching data stored in databases against one’s accurate personal data, and be capable of requiring adjustments if data are not (or no longer) correct

    5. accountability of the data controller: at all times one’s machine-proxy should be capable of identifying the data controller that reads, collects, stores, and/or processes data, including all others that have access to these data

 

  2. a legal right for citizens to access profiles that may be used to categorise them, irrespective of whether these profiles have been derived from one’s own or others’ (personal) data. The relevant criterion is not how the profile has been inferred (looking back) but how it can be put to use (looking forward). The point is whether the profile can be used to influence the opportunities or risks one is attributed (price discrimination, for instance, is fine in itself as long as consumers are aware of the differences made; otherwise we have a market failure).

We could paraphrase: Ambient law in fact uses the technologies that data protection aims to legitimate while protecting against their undesired consequences, in order to facilitate this protection. A bit of a paradox, but not a negative one.

 

Three scenarios of AmI

The need for AmL was detected in the course of investigating the legal framework relevant to Ambient Intelligence. In FIDIS deliverable 7.9 three scenarios have been developed to acquire a more accurate picture of the need for AmL. These scenarios are relevant for the present deliverable because they all involve many RFID-enabled interactions.

 

scenario I is user-centric: the user is empowered in AmI, carrying a device with which to control the environment, for example, by determining which data can be exchanged between user and environment. This may be a ‘privacy-friendly’ and perhaps a commercial doom scenario. Key concepts are ‘data minimisation’, ‘contextual integrity’, ‘partial identities’ (pseudonyms).

 

scenario II is provider-centric: AmI is controlled by the providers of services (and goods, if there still are goods by then). The environment knows exactly who is where and will interact without the consent, and perhaps without the knowledge, of the user. Data flow freely between users and their devices, service providers, and perhaps third parties as well. This may be a ‘user-friendly’ and commercial Valhalla scenario. Key concepts are ‘data optimisation’, ‘networked environment’ and ‘distributed intelligence’ (the intelligence flows from the interconnectivity).

scenario III is a mix: in acknowledging that hiding data can make the environment less intelligent, while unlimited access to data can make individual citizens vulnerable to undesirable profiling, this scenario aims to achieve some kind of balance by minimising knowledge asymmetry.

As regards privacy it is interesting to note that in all three scenarios the division between the public and the private is problematic; it seems to make more sense to think in terms of contexts. This is effectively already the case today: work may be done at home, private email may be exchanged from one’s office, private conversations may be held on a mobile phone in the train or at a restaurant, and CCTV cameras may register one’s every movement ‘on the road’. Traditional conceptions of privacy limit the relevance of the concept to the realm of the private, while in visions like the Internet of Things and AmI the dividing line between the public and the private crumbles even further than in today’s world, rendering any conception of privacy based on such a division redundant. According to Nissenbaum, the traditional understanding of privacy tends to employ a universal definition that restricts privacy to:

 

  1. limiting surveillance of citizens and use of information about them by government agents 

  2. restricting access to sensitive, personal or private information 

  3. curtailing intrusion into places deemed private or personal 

 

The first scenario seems inspired by such an understanding of privacy, while the second scenario is the shameless negation of any effective concept of privacy. Nissenbaum instead proposes to understand privacy in terms of ‘contextual integrity’, in order to prevent the association with a separate private space. Her proposition follows an analysis of the violation of ‘privacy in public’, a violation that cannot be conceptualised in terms of the private/public divide. The problem we face in visions of a smart, interconnected world of things is the increasing reach of public surveillance technologies that make people transparent in their public behaviour. These public surveillance technologies need not be under the control of government agents; they may very well be the monitoring devices of the service providers that sustain the AmI environment. Instead of the general, a-contextual definition of privacy referred to above, Nissenbaum argues for the more sophisticated concept of ‘contextual integrity’, which entails:

 

  1. norms of the appropriateness of a specific information flow

  2. norms of flow or distribution of information

 

In an AmI environment that aims to combine citizens’ autonomy with smart proactive computing the determination of a violation of privacy should depend on the context and take note of the power imbalances prevalent between an individual citizen and the service provider that controls the flow of information. Such contextual determination implies flexibility and a keen eye for detail, but it does not mean that ‘context is all’ in the sense that general rules lose their meaning. According to Nissenbaum, norms of appropriateness and norms of distribution need to be inscribed at the constitutional, the legislative, the administrative and the judicial level: this would acknowledge the fact that privacy is an underdetermined concept with an open texture, though not entirely undetermined and not open to the extent that it can mean anything. Appropriateness comes close to several of the fair information principles, e.g. the purpose specification and the use limitation principle, but appropriateness seems to be more flexible. Instead of demanding that purposes are declared and the use of data limited to the declared purpose, norms of appropriateness demand that the purpose is appropriate, taking into consideration the context within which the data are exchanged. Distribution comes close to the transparency rights, but again distribution seems a more responsive way to deal with information flows, as it takes into account the reciprocity between data subject and data controller.

 

Nissenbaum’s concept fits well with the mixed scenario: unlike in the case of user control, the intelligence of the environment is distributed (as it is in the second scenario as well), but

 

  1. the flow of information is not unlimited (not every exchange of data or profiles is appropriate), and

  2. the transparency of consumer-citizens is countered by transparency of profiles (the flow of information is reciprocal, generating a fair distribution of knowledge and information)

 

Nissenbaum has made her concept of ‘contextual integrity’ operational in collaboration with John Mitchell of Stanford University. This is an example of what she has called ‘values in design’, which comes close to AmL insofar as it denotes the articulation of specific human values in the design of a technology.

 

Nissenbaum and Mitchell have formalised aspects of the concept of ‘contextual integrity’ in a framework of temporal logic, thus articulating norms of transmission of personal data into technological devices. One can imagine – if nanotechnologies move in – that by the time AmI turns from vision into reality, RFID tags will have enough computing power to facilitate the type of M2M communication needed to realise AmL. This is not to say that we should wait for nanotechnology before creating a holistic privacy framework for RFID. It rather means that computer engineers and lawyers, together with those versed in constructive technology assessment (CTA), should sit down at this very moment to construct the enabling sociotechnical infrastructure for AmI in a way that inscribes the legal norms of privacy and transparency discussed above.
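As an added illustration (not the Nissenbaum/Mitchell framework and not code from this deliverable), the following Python sketch shows how norms of appropriateness and distribution, together with the purpose-specification, use-limitation and consent checks a machine-proxy would need, can be evaluated against a history of earlier events; the roles, attributes, sample norms and history are assumptions.

```python
# Toy checker for contextual-integrity norms over RFID-style data flows (added
# illustration; names and sample norms are assumed, not the formal framework itself).
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    context: str      # e.g. "retail", "health"
    sender: str       # role of the controller passing the data on
    recipient: str    # role receiving the data
    subject: str      # data subject (a pseudonym is fine)
    attribute: str    # e.g. "purchase_history"
    purpose: str      # purpose declared for this use

@dataclass(frozen=True)
class Norm:
    context: str
    sender: str       # "*" matches any role
    recipient: str
    attribute: str
    allow: bool       # True = positive norm (permits), False = negative norm (forbids)
    principle: object = lambda f, h: True   # transmission principle over (flow, history)

def consented(flow, history):
    """Subject gave consent earlier for this attribute to reach this recipient."""
    return ("consent", flow.subject, flow.attribute, flow.recipient) in history

def purpose_bound(flow, history):
    """Use limitation: purpose equals the one declared when the data were collected."""
    return ("collected", flow.subject, flow.attribute, flow.purpose) in history

def _matches(norm, flow):
    pairs = [(norm.context, flow.context), (norm.sender, flow.sender),
             (norm.recipient, flow.recipient), (norm.attribute, flow.attribute)]
    return all(p == "*" or p == v for p, v in pairs)

def check(flow, norms, history):
    """Allowed iff no negative norm fires and at least one positive norm fires."""
    fired = [n for n in norms if _matches(n, flow) and n.principle(flow, history)]
    if any(not n.allow for n in fired):
        return False
    return any(n.allow for n in fired)

# Constructed sample: a retailer may pass purchase history to a delivery partner
# only with consent and for the declared purpose; insurers never receive it.
NORMS = [Norm("retail", "retailer", "delivery", "purchase_history", True,
              lambda f, h: consented(f, h) and purpose_bound(f, h)),
         Norm("retail", "*", "insurer", "purchase_history", False)]
HISTORY = [("collected", "alice", "purchase_history", "shipping"),
           ("consent", "alice", "purchase_history", "delivery")]
```

A flow with no matching positive norm is refused by default, so an undeclared purpose or a missing consent event in the history blocks the transmission.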

 

 

 

Source document: fidis-wp12-d12.3_Holistic_Privacy_Framework_for_RFID_Applications.sxw