Friday, January 15, 2021

UKCRC/CPHC/UKRI/BCS policy engagement workshop

I spent the morning at a joint UKCRC/CPHC/UKRI/BCS workshop on policy engagement. There was a selection of interesting contributions from Jane Hillston, Chair of UKCRC, Edmund Robinson, chair of CPHC, James Dracott of UKRI, Alastair Irons of the BCS, Chris Hankin of ICL and Chris Johnson, PVC, Queen's University Belfast, who was repeatedly described as the hero who does much of the heavy lifting on policy engagement & consultation work for UKCRC.

James Dracott, Sarah Main of the Campaign for Science and Engineering (CaSE) and chief government adviser, Anthony Finkelstein, particularly focussed on the practicalities of effective policy engagement with really engaging talks.

I liked James's reminder of Wiio's laws of communication.

  1. Communication usually fails, except by accident.
    1. If communication can fail, it will.
    2. If communication cannot fail, it still most usually fails.
    3. If communication seems to succeed in the intended way, there's a misunderstanding.
    4. If you are content with your message, communication certainly fails.
  2. If a message can be interpreted in several ways, it will be interpreted in a manner that maximizes the damage.
  3. There is always someone who knows better than you what you meant with your message.
  4. The more we communicate, the worse communication succeeds.
    1. The more we communicate, the faster misunderstandings propagate.
  5. In mass communication, the important thing is not how things are but how they seem to be.
  6. The importance of a news item is inversely proportional to the square of the distance.
  7. The more important the situation is, the more probable you had forgotten an essential thing that you remembered a moment ago.

Sarah had a great example of CaSE's influence on immigration policy.

Firstly, they asked government to exempt scarce skills STEM areas from the tier 2 visa cap. They produced and coordinated co-signed letters and petitions engaging authoritative other organisations in a broad STEM and business coalition, emphasising the cap was causing problems. They got the media to pick up the cause and it got traction. There was significant pressure on the Home Secretary, Amber Rudd at the time, from a range of issues, not least of which was the Windrush scandal. Ms Rudd then got replaced by Sajid Javid. The combination of Windrush, unfilled vacancies in an under-pressure NHS and the CaSE campaign eventually led to government exempting NHS roles from the tier 2 visa cap. Now, post Brexit, the Home Office support for a global talent visa is particularly pertinent to the STEM agenda.

In summary, Sarah concluded that effective policy engagement requires:

1. A substantive body of evidence underpinning your case
2. The building of relationships in the policy space
3. Collaboration with other organisations to work together
4. Good timing

Policy decisions are multifactorial decisions and we cannot expect to be considered the most important voice but should work to bring evidence-based influence to bear.

Anthony Finkelstein rounded off the morning with a no-nonsense collection of ten things to know and do to make a policy impact. Firstly you have to know the politics. Many academics may have soft liberal or left tendencies but must recognise that the current government is Tory. Do not believe what you read in the papers – reacting to newspaper speculation often leads to circular discussion and debate bubbles that don’t make useful contributions. Remember you are one voice amongst many. Be active in being in the right place at the right time. If the issue is current, you are probably too late. If you are reacting to a research funding call you are a year too late. What is needed is foresight and preparation. Authority and tone count. Speaking with authority of national academies, UKCRC, high quality peer reviewed literature carries weight. A whiny critical tone will not be attended to. Know 'who and where' – know the 'geography of government.' The person handling your material is probably pretty junior. The central civil service is now very thin and very stretched. Junior civil servants welcome help (backed with evidence) not criticism. In government money is in short supply. Everything that happens does so at the expense of something else. Manage your own political capital. If your point is made elsewhere by and with authority don’t repeat it. Leverage other good voices. CaSE are brilliant at this. Encourage your students to become civil servants. It is a rich career. These people are in great demand. They will also make government technological capability better. Use government chief scientific advisers. They have significant influence and can reach directly into Downing St if needed, have regular meetings with Patrick Vallance and can reach their own permanent secretaries when they need to. In short:

1. Issues matter and service is noble
2. Know the politics
3. Do not believe what you read in the papers
4. Remember you are one voice amongst many … If the issue is current you are probably too late
5. Authority counts, tone matters
6. Know who and where. The person handling this is probably pretty junior (and will not welcome criticism but will welcome help, generally evidence)
7. Money is in short supply – time and people are too
8. Manage your political capital
9. Encourage your students to be civil servants
10. Use the Chief Scientific Advisors

Tuesday, November 10, 2020

UK-Japan trade deal data laundering threat

Upon prompting by the Open Rights Group, I've written to my MP, Layla Moran, about the data laundering provisions of the UK-Japan trade agreement.

Dear Layla,

You may or may not be aware that the new UK-Japan trade agreement includes expansive data transfer clauses posing a threat to our privacy. These provisions essentially create a surreptitious process for your data to be transferred to other jurisdictions with poor data protection records, including the US.

MPs seem to have been deliberately kept in the dark about these measures which amount to turning the UK into a data laundering haven for unaccountable multinational corporations and countries with weak data protection standards.

I would encourage you and your MP colleagues to call for the freezing of these sections of the treaty - as happened with the unconscionable intellectual property chapters of the Trans Pacific Partnership agreement.

The dangerous undermining of UK citizen and other residents' rights is likely to be an ongoing feature of the government's desperate rush to enter into trade deals they can promote as Brexit successes. In these challenging times, significant vigilance will be required on the part of all our parliamentary representatives to protect fundamental rights in the UK.

In this instance I would ask you to ask the government to “freeze data transfer clauses from the new UK-Japan trade agreement”. This will allow the agreement to go ahead but would freeze (stop) the harmful clauses endangering our privacy.

Thank you.

Yours sincerely,

Ray Corrigan

You can find the UK-Japan Comprehensive Economic Partnership Agreement documents containing treaty information and a summary of the agreement online.

Jim Killock and Heather Burns at the Open Rights Group have prepared a succinct explanation of the issues. The agreement contains brand new clauses which prioritise the “free flow of data” between the UK and Japan, and from there on to other trade partners, over and above data protection rights.

"A “free flow of data” approach would be a radical departure from the current position. Today, UK companies must only transfer your personal data where they can guarantee that you continue to have similar rights over access, correction and deletion of that data. The UK Japan agreement would force the UK to accept lower data protection frameworks, including voluntary self-regulation, as compatible with the UK’s world leading privacy framework, in Article 8.80 and 8.84.

The UK-Japan agreement, together with the UK adequacy decision, would create a “gateway” for your data to flow to other countries that also have “free flow of data” trade arrangements with Japan. Worryingly, this will permit UK data to be transferred to the USA, without it being kept under GDPR-style protections.

Once data is exported from the UK to the USA via Japan under this agreement, your rights would vastly reduce. In the USA, there is no automatic right for you to know where the data is held, or by whom; you cannot prevent resale, reuse, or the data being put to new uses. There is no right to prevent your data from being used in ways that are discriminatory, or unfair. You cannot ask for your data to be deleted. If it is lost, then there is no legal barrier to a third party from obtaining it and using it. And there is no simple recourse to you if your data is breached or sold...

It is likely to prove impossible for the EU to conclude a data protection adequacy decision for the UK while these unrestricted data flows with Japan, and its trade partners are in place. The EU specifically excluded data flows from their trade agreement with Japan. Although Japan has an adequacy decision from the EU, it had to put specific arrangements in place for EU data to stay in Japan.

This stopped the data of people in the EU — including the UK — from being shifted to an overlapping legal regime and freely siphoned off to third countries. This trade deal bypasses both of those safeguards."

ORG also have a more comprehensive briefing on how the UK-Japan deal severs post Brexit data adequacy. (Pdf version available too).

There are also other serious concerns with the agreement, particularly in relation to general monitoring provisions - upload filters like the EU copyright directive's Article 17 - and bans on circumventing DRM/TPM even for the facilitation of interoperability or repair.

Given the Johnson government Svengali Cummings' obsession with eviscerating the controls on the collection and exploitation of big data, an intense and ongoing focus on resisting such dismantling of fundamental privacy and data protection rights is certainly in order.

Tuesday, October 20, 2020

DCMS Review of Representative Action Provisions, Data Protection Act 2018

Upon a prompt from Jim Killock at the Open Rights Group, I've submitted the following response to the Department for Digital, Culture, Media & Sport Review of Representative Action Provisions, Section 189 Data Protection Act 2018 consultation. (Apologies for the repetition in the paragraph about some of the worst breaches of data protection law being attached to sensitive areas of our private lives, like tracking individual’s use of mental health websites.)

[This is the first time I've used the new Blogger interface and I'm not keen. The html interface is particularly dense tiny font and challenging to read/interpret/use]

I didn't have a lot of time, so drew heavily from Jim's own and Dr Johnny Ryan's work on challenging the legality of the adtech industry's architecture and operational practices.

Department for Digital, Culture, Media & Sport Review of Representative Action Provisions, Section 189 Data Protection Act 2018

My name is Ray Corrigan. I am a senior lecturer in the Science, Technology Engineering and Mathematics Faculty at The Open University but I am responding to this consultation in a personal capacity.

I write, in particular, in relation to the department’s examination of whether to introduce new provisions to permit organisations to act on behalf of individuals who have not given their express authorisation.

I am in favour of such provisions.

Chapter VIII Article 80(2) of the General Data Protection Regulation, provides that EU Member States may provide that any not-for-profit body, organisation or association which has been properly constituted in accordance with the law, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to GDPR Article 77 and to exercise the rights referred to in GDPR Articles 78 (right to an effective judicial remedy against a supervisory body) and 79 (right to an effective judicial remedy against a data controller or processor), if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.

The UK government chose not to incorporate this provision into the Data Protection Act 2018, and I would suggest it is important that this now be rectified.

The big technology and associated “ad tech” companies have been running rings round governments and regulators for too long. As Johnny Ryan of Brave points out, in this formal complaint concerning massive, web-wide data breach by Google and other “ad tech” companies under the GDPR,

“Every time a person visits a website and is shown a “behavioural” ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies. Advertising technology companies broadcast these data widely in order to solicit potential advertisers’ bids for the attention of the specific individual visiting the website.

A data breach occurs because this broadcast, known as an “bid request” in the online industry, fails to protect these intimate data against unauthorized access. Under the GDPR this is unlawful...

Bid request data can include the following personal data:

• What you are reading or watching
• Your location
• Description of your device
• Unique tracking IDs or a “cookie match”.
    • This allows advertising technology companies to try to identify you the next time you are seen, so that a long-term profile can be built or consolidated with offline data about you
• Your IP address (depending on the version of “real time bidding” system)
• Data broker segment ID, if available.
    • This could denote things like your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc. (depending on the version of bidding system)

Dr Ryan said “There is a massive and systematic data breach at the heart of the behavioral advertising industry. Despite the two year lead-in period before the GDPR, adtech companies have failed to comply. Our complaint should trigger a EU-wide investigation in to the ad tech industry’s practices, using Article 62 of the GDPR. The industry can fix this. Ads can be useful and relevant without broadcasting intimate personal data”.”

https://brave.com/adtech-data-breach-complaint/

For all their flaws, getting the GDPR and the Data Protection Act 2018 in place as legal infrastructure for regulating the collection & processing was not a bad start. Unfortunately, with few exceptions such as the recent Belgian data protection authority declaration that the behavioural advertising industry has been engaged in routine, systematic, industrial scale, blanket data collection and management practices, in serious breach of multiple provisions of the GDPR from the day it was passed, enforcement efforts have been underwhelming, at best, so far.

Ordinary internet users are almost completely oblivious to the mechanics of the hidden personal data processing adtech architecture behind most websites; and as the Belgian data protection authority have just pointed out, the deployment and operation of that invasive technology is systemically and systematically unlawful. It is almost astonishing that we, commerce, industry & governments enabled it, but we did and it is time to do something about that.

Mass data collection, processing, onward dissemination and storage has become incredibly complex. Relying on individuals to spot misbehaviour and malfeasance in this area and initiate complaints or legal proceedings to rein in an industry out of control, is unrealistic. The woman on the Clapham omnibus simply does not have the expertise, time or resources. Not-for-profit bodies, human rights organisations or other related associations, however, which have been properly constituted in accordance with the law, do have the expertise and understanding, even if, in these difficult times, many are experiencing a shortage of resources. It is more important than ever that such organisations are given the authority in law to raise complaints, independently, about nefarious data collection and management practices. NGOs should be empowered to complain, in the public interest and to protect individual rights, to the Information Commissioner’s Office and complain to the court about controllers, processors or ICO failure.

This power must include the capacity to challenge the Information Commissioner’s Office. In September 2018, Jim Killock of the Open Rights Group and Dr Michael Veale of University College London, submitted a formal GDPR complaint to the UK Information Commissioner about “real time bidding” the core of the industry’s invasive adtech architecture. In June 2019, the ICO gave the adtech industry six months to clean up its act. In January 2020, after six months of substantive inaction on the part of the industry, the ICO threw in the towel and said they would be taking no enforcement action to remedy industry breaches. https://brave.com/ico-faces-action/

Some of the worst breaches of data protection law are attached to sensitive areas of our private lives, like tracking individual’s use of mental health websites. The ad tech described in the extract from Dr Ryan above engages in some invisible and deeply invasive profiling. Some of the worst breaches of data protection law are attached to sensitive areas of our private lives, like tracking individual’s use of mental health websites. These areas need to be challenged but often are not because of their sensitivity.

When you visit a website which delivers ads, your personal data is broadcast to tens or hundreds of companies. What you read, watch or listen to is categorised and you are profiled into categories. Some of these are bland e.g. “football” or “jazz”. Some are hugely and outrageously sensitive. The rule making representative body for the adtech industry, the Interactive Advertising Industry (IAB) has, for example, got an “IAB7-28 Incest/Abuse Support” category. Other categories are related to sensitive or embarrassing health conditions, sexual orientation, religious affiliation etc. Google categories include “eating disorders”, political leanings etc.

These tags and profiles and trackers can stick with internet users for a long time and people have no idea of the digital baggage they are carrying round as a result. Such tags are not necessary for ad targeting. They are more a convenience for the industry to make it easier to track and profile and re-identify people. And the obscurity of the whole process, systems and mechanisms make it almost impossible for individuals to exercise their rights under the law, in the UK, the Data Protection Act 2018. We cannot find, identify, verify, correct or delete these digital shadows and profiles. The power differential and lack of transparency make it extremely difficult for individuals to take effective action to rectify unlawful and unethical activities on the part of the requisite industries.

Industry pretend they deal in anonymous or non-sensitive data which is a flat-out falsehood. Detailed, invasive personal profiles are constantly and casually created and traded as people innocently surf the internet unaware of these machinations. Industry treats this as routine business practice. It does not have to be this way and should stop. That mass privacy invasion is routine business practice on the internet does not make it right and it is time to stop it.

There is no great functional difference between adtech and techniques Cambridge Analytica used in an attempt to influence voters but, the Cambridge Analytica story, for a time, entered the realm of short attention span news cycle. The adtech data management platforms are just a longer running, invisible scandal.

It is particularly important, in the case of sensitive personal information, therefore, that qualified NGOs be given the power to bring complaints, independently, to protect individual and societal privacy. Privacy is not just an individual value but the fundamental basis of a healthy society.

A couple of final points before I close – firstly to note the necessary parallels with consumer law and secondly on Brexit.

Consumer law allows consumer organisations to initiate complaints in the public interest on the part of consumers. There is no reason, in principle, why NGOs should be prevented from engaging in an equivalent form of action in relation to consumer privacy.

On the Brexit front the UK in January 2021 will be facing the prospect of getting an approved data adequacy decision from the EU in relation to cross border flows of data. Elements of the Investigatory Powers Act 2016, the Digital Economy Act 2017 and recent government moves to pass the Internal Market Bill mean this could prove difficult. (See e.g. Brown, I. & Korff, D. The inadequacy of UK data protection law Part One: General inadequacy https://www.ianbrown.tech/wp-content/uploads/2020/10/Korff-and-Brown-UK-adequacy.pdf) A move to incorporate Article 80(2) of the GDPR into UK domestic law, enabling NGOs and other lawfully constituted public interest organisations to challenge unlawful data collection and management practices, could only help the process of demonstrating the UK, post Brexit, should be held to provide “adequate” protection to personal data.

Tuesday, March 31, 2020

Tired

I have spent the past umpteen years, in the day job, juggling and reacting to chaos and crises, crises that seem completely insignificant in the context of the prevailing pandemic. Three of those years have been at home, in the corner of the small bedroom where my desk is, since The Open University closed our regional infrastructure.

Isolated, 10 to 16 hours a day, mainly in front of a screen, engaged in micro-administrative, bureaucratic trivia and attempting to shield my staff and students from the worst excesses of what has been, at times, a difficult and destructive environment at The Open University.

Last week, although our operations are continuing, most staff in HQ and the remaining satellite offices were despatched to work from home. The focus, in the Covid-19 crisis, of the internal communications has shifted to concern for staff and student welfare, whilst we all try to keep frontline operations rolling, as smoothly, flexibly and sensitively as possible.

This afternoon, shortly after 3pm, my daily chaos slowed to something of a trickle. 30 minutes on, the trickle is still just that and I find myself somewhat flummoxed. We have been engaged in a vast amount of energetic activity making sure students can continue their studies as seamlessly as possible and we are fortunate enough to have the organisational infrastructure to do that.

If the demands flowing to my microscopic corner of the OU universe remain manageable through to this evening, I might have some time and space to do something constructive.

But I'm tired and I expect the chaos to resume later this afternoon or evening.

Tired and discombobulated and unproductive, sure enough I've wasted the window of opportunity in the day, as the communications begin to ping in again and the temporary lull in increasing entropy appears over.

It is disappointing to note the muscle memory of my little grey cells seems conditioned these days only to juggle the chaos.

I'm tired and irritated at wasting an opportunity but the chaos and the opportunity are trivial... my thoughts are with the family of a friend, infected with Covid-19, in an induced coma, on a ventilator in an intensive care unit.

This thing is real and dangerous.

Keep safe, stay well.

Friday, March 06, 2020

Carl Malamud at the Open University

On Tuesday, 3 March, 2020, Carl Malamud visited The Open University and shared his thoughts on text and data mining in scientific journals. He opened with the story of Mahatma Gandhi's writing of the book Hind Swaraj (India self rule) on a boat trip between the UK and South Africa in 1909.

The book is relevant to the open access movement in two key particulars. The first edition of the book was published with "No rights reserved", Gandhi being the first author to explicitly eschew copyright. Secondly Malamud has been inspired by Gandhi's resistance to colonialism. Scientific knowledge has been colonised and, as James Boyle has argued for a generation, we are in the midst of a second enclosure movement, an enclosure of the commons of the mind.

Malamud has written a book, Code Swaraj, about this, with Sam Pitroda, a former Indian cabinet minister and telecommunications businessman. Gandhi preached you had to rule yourself, not let others colonise. But nowadays if you want to do research you have to ask permission and that permission is often not forthcoming because of the immoral and probably illegal assertion of ownership of human knowledge by vested economic gatekeepers such as the scientific publishers.

Christopher Booker read hundreds of books over more than thirty years before writing The Seven Basic Plots: Why We Tell Stories, first published in 2004. His three decade long analysis was an exercise in text and data mining. Text and data mining is now something we can automate with computers. A study of gender in literature showed that the number of female characters has declined rather than increased, matching a proportionate decline in female authors.

Gitanjali Yadav, a plant genome researcher at Delhi’s National Institute of Plant Genome Research (NIPGR) and at Cambridge University is working on the mechanics and chemistry of plant communication channels, using a plant chemicals database.

Elisabeth Bik is a scientist working on fraudulent reuse of images in academic papers and exposing paper mills. In China, part of the pre-requisites for becoming a doctor is the publication of peer reviewed papers. The incentive to buy them from paper mills is high.

Scientific literature has been locked up and it is unclear what the potential for research could be as a result.

Max Häussler is a researcher at the University of California, Santa Cruz (UCSC) and he has created a genome browser. The browser links human genome DNA sequences to sections of published articles that deal with the same sequences. He wrote to 43 publishers and explained he would like to do text and data mining on their articles. Many publishers did not want to cooperate, refused permission or did not engage at all. So he didn't get access to as much literature as he would have liked. Malamud considers there is an argument to be made that text and data mining of research is permitted in law, even if the publishers do not grant explicit permission. Häussler is unsure and doesn't mine articles for which permission is not forthcoming. It would seem clear that the power of his genome browser would be significantly greater if he had that broader access to data.

Without asking publishers' permission, Malamud has put a lot of stuff online via a project at Jawaharlal Nehru University (JNU) in India - 125 million journal articles from many sources, from the mid 19th century up to the present.

The storage facility is air-gapped and not connected to the internet. Researchers who want access can bring their computers to the facility and text & data mine the materials there. Without having to read or download the articles which is not permitted, they can, nevertheless, draw scientific insights, thereby circumventing any potential copyright problems. The terms and conditions are modeled on those of the HathiTrust and the store specialises in bioinformatics. The access model is 3-tiered:

Tier 0 is air-gapped and pdfs of the articles

Tier 1 is extracted texts and is also air-gapped

Tier 2 is facts. As there is no copyright on facts, this can be made available openly to everyone.

The HathiTrust were involved in providing Google with books for scanning for the Google Book project. Google in return gave the trust digital copies of the scanned books where out of copyright works are now made freely available online. Publishers sued Google in the US for breach of copyright and the case took many years to make its way through the courts. The appeal court concluded, in Authors Guild v Google in 2014, that Google's use of the books was "transformative" and therefore permissible under US copyright law:

"1) Google’s unauthorized digitizing of copyright-protected works, creation of a search functionality, and display of snippets from those works are non-infringing fair uses. The purpose of the copying is highly transformative, the public display of text is limited, and the revelations do not provide a significant market substitute for the protected aspects of the originals. Google’s commercial nature and profit motivation do not justify denial of fair use.

2) Google’s provision of digitized copies to the libraries that supplied the books, on the understanding that the libraries will use the copies in a manner consistent with the copyright law, also does not constitute infringement. Nor, on this record, is Google a contributory infringer. Accordingly, the court affirmed the judgment."

In 2016 the US Supreme Court rejected the Authors Guild's request to further appeal the decision, ending the more than a decade long litigation. The Authors Guild also tried suing the HathiTrust but were unsuccessful in that case too. The technicalities of the case were different. One interesting angle was that the court made a point of noting the value of the HathiTrust approach to making the books available to print disabled and visually impaired.

The bottom line was that Google Books and the HathiTrust were given the ok by the US courts.

In the UK text and data mining is permitted only for non-commercial use. The text and data mining copyright exception was introduced in the UK in 2014. A format shifting exception, partly based on a report I co-wrote with two Oxford economists, Mark Rogers and Josh Tomalin, 'The economic impact of consumer copyright exceptions', was introduced at the same time. This latter exception was subject to a legal challenge by the music industry and a high court judge quashed the exception in the summer of 2015. In British Academy of Songwriters, Composers And Authors & Ors, R (On the Application Of) v Secretary of State for Business, Innovation And Skills [2015] EWHC 1723 (Admin) (19 June 2015), Mr Justice Green also based his decision to negate the format shifting exception, partly, on that same report I wrote with Mark and Josh. We had simply advocated evidence based policy making on intellectual property.

Getting back to the text and data mining, Malamud suggests the UK situation makes the invalid assumption that we have an access subscription to everything and that publishers cooperate with researchers which they don't.

In 2012, Delhi University got into a legal scrap with Oxford and Cambridge University presses and Taylor & Francis. The case revolved around a copy shop on the campus which lecturers used to make copies of course packs for students. Under Indian law, section 52 of the Copyright Act of 1957, copyright does not apply to materials issued by a teacher to a student. Copying is also permitted for research purposes. The cost of the textbooks that extracts were copied from was way beyond the means of most of the students. The publishers, nevertheless, demanded that the university pay them a licence fee to cover the copying. The High Court in Delhi ruled in favour of the university.

It seems to have been at the time Malamud read about the case that he began to think India might be a fertile territory for his campaign to provide access to knowledge. Those early inklings, backed up with expert legal opinions he has since solicited noting that it is permitted under Indian law since text & data mining does not involve copying or reading the articles, have bloomed into the repository at Jawaharlal Nehru University (JNU) with his store of 125 million articles. Gitanjali Yadav's plant database is up and running and linked with another university research group.

The Indian government's chief scientific adviser has a plan to make all scientific abstracts of published papers openly available. Malamud is also beginning to work with a Wikipedian at the University of Virginia who is keen to integrate correct scientific references into Wikipedia.

In the US, work authored by federal employees in the course of their employment is not copyrightable. So Malamud decided it might be a fruitful activity to attempt to find journal articles written by federal employees. He sampled ten thousand articles and discovered many were done as part of official duties but they were still locked behind publishers' paywalls. When Barack Obama was president he wrote an article for the Harvard Law Review. Though the small print connected with the article says it is not copyrighted, the manner in which the Harvard Law Review presents the article makes it appear that it is subject to copyright. Malamud, when he finds works written by federal employees, can only guess whether they were produced as part of the authors' public service duties. But he might get it wrong, so chooses not to make them openly available. His principal goal is to challenge and push back against official and commercial copyright overreach but not break any law.

On the law, he has been sued by the state of Georgia for publishing the state code. Just in case you are doing a double take with that, I did really say that Carl Malamud is being sued by the state of Georgia for making the laws of Georgia freely available to the public.  The state sued and won at the court of first instance. Malamud appealed and won in the appeal court. This was appealed to the US Supreme Court which heard the case in December of last year. He is expecting a decision by the summer. Edicts of government are not subject to copyright protection, yet this case is in the US Supreme Court. You do sometimes have to wonder at the state of copyright law (excuse the pun).

Malamud cut his teeth on campaigning and access to knowledge activism with public codes that have the force of law. Building codes and electrical and plumbing and fire safety etc codes are edicts of government. Malamud bought copies from official standards bodies and put a lot of them freely online. Lots of standards get updated and we are obliged to work to them but they do not get released. Malamud has been sued by standards organisations in litigation that has been ongoing for 6 years. His annual legal costs are $1.6 million but he has the good fortune to be represented by lawyers who work pro bono. He can walk into a pub anywhere and strike up a conversation and it is easy for people to understand the work he does. He'll often get a plumber or builder etc offering to buy him a drink, explaining they had to fork out thousands of their hard earned cash for standards codes they are obliged to work to.

India has a very strong right to information law. Malamud put nineteen thousand Indian standards online, reformatted for usability. He bought the standards from the Bureau of Indian Standards. When he got renewal notices from them asking for the next due licence fee he wrote back saying he had put the standards online. He got an angry, "unhinged" response, accusing him of breaking the law, being no longer welcome as a customer and a variety of legal threats.

In the EU, member states must transpose standards into national laws within six months of being issued. Malamud got sued by the German standards organisation for posting the EU standard for baby soothers. The standard is just full of common sense - the mouth guard must be big enough so it doesn't present a swallowing/choking threat etc. The German court sided with the standards body. Malamud is now subject to a German court injunction punishable by a fine of up to €250k and a jail term of up to two years, should he decide to re-publish the standard online. He has, however, posted four EU toy standards focusing on environmental implications and petitioned the UK government on the matter. He got turned down by the standards bodies for access to these standards and is bringing a case to the Court of Justice of the European Union.

Malamud's friends, critics and acquaintances regularly ask him why he expends such energy on what he does, when there are so many bigger problems in the world like the climate crisis, conflict and disease. His answer is a simple and irrefutable one: without access to knowledge you cannot solve any of these problems and you cannot educate the citizenry to enable them to formulate their own solutions. Access to knowledge is the pre-condition for solving the world's fundamental problems.

Update: On 27 April 2020, the US Supreme Court ruled in favour of Malamud in a tight 5-4 split decision. Justice Ginsburg, interestingly, sided with the minority.