Researchers Uncover a Flaw in Europe’s Tough Privacy Rules Source: MARK SCOTT
Europe likes to think it leads the world in protecting people’s privacy, and that is particularly true for the region’s so-called right to be forgotten. That legal right allows people connected to the Continent to ask search engines like Google to remove links about themselves from online search results under certain conditions.
Yet that right — one of the world’s most widespread efforts to protect people’s privacy online — may not be as effective as many European policy makers think, according to new research by computer scientists based, in part, at New York University.
The academic team, which also included experts from the Federal University of Minas Gerais in Brazil, said that in roughly a third of the cases examined, the researchers were able to discover the names of people who had asked for links to be removed. Those results, based on the researchers’ use of basic coding, came despite the individuals’ expressed efforts to remove their names from online searches.
The findings, which had not previously been made public and will be presented at an academic conference in July, raise questions about how successful Europe’s “right to be forgotten” can be if people’s identities can still be found with just a few clicks of a mouse. The paper says such breaches may undermine “the spirit” of the legal ruling.
The analysis will also increase pressure on some European authorities, particularly the French privacy regulator, that would like Google and other online search engines, like Microsoft’s Bing, to extend the reach of the right to be forgotten across all of the companies’ global domains, including Google.com in the United States.
“This poses a threat to whether the ‘right to be forgotten’ can be maintained in the long term,” said Keith Ross, the dean of engineering and computer science at N.Y.U. Shanghai who led the project and who said he had contacted Google with his research. “If a hacker can easily find 30 or 40 percent of people’s names from delisted articles, what is the point?” he said in an interview.
Both Google and the French privacy agency, known as the Commission Nationale de l’Informatique et des Libertés, declined to comment.
To get around Europe’s tough privacy rules, the academic team turned to computer science to analyze more than 280 links to British news articles that Google had removed from online search results after individuals had successfully petitioned for the information to be taken down. People can ask for links to be removed if the information is no longer relevant or is out of date. Celebrities and other public figures cannot take advantage of the privacy decision.
Although media organizations represent a mere fraction of the companies affected by the European ruling, according to data provided by Google, the removal of online articles has raised hackles from freedom of expression campaigners, who say the public has a right to all digital information.
Using basic coding, the researchers created an algorithm that cross-referenced the names in each report with every article’s headline on Google.co.uk, the company’s British domain. If a link to the online article did not show up in results, the academics said, they could deduce that the individual they had searched for had asked for the link to be removed.
Dr. Ross said that for the 283 articles analyzed, his team was able to identify 80 people’s names within 103 articles. He added that, for privacy reasons, he would not be releasing the names.
“Someone with an undergraduate computer science degree would be able to do what we did,” Dr. Ross said. “It would be relatively straightforward to find the delisted links and republish people’s names online.”
| }
|