Transparency report page for Alaveteli sites

[RichardTaylor]

Introduction and Purpose

The purpose of the transparency page would be to publicly report on:

• material removed from the site.
• material site operators have been asked to remove from the site (whether those requests have been acted on or not).
• how requests to disclose users' personal information have been dealt with, including providing information on where those requests came from, how many have been received and how many resulted in disclosure.

I think a public transparency page would focus the minds of site operators on running sites in a considered and justifiable manner and expose the pressures those running Freedom of Information services come under.

Specifically on WhatDoTheyKnow.com I would like the transparency page to highlight the handful of substantive FOI responses which have been permanently hidden from public view due to a judgement about the legal risk of continued publication but which anyone could request a copy of themselves, and expect to receive one.

I suggest one way of producing a transparency page would be admin editable free text into which automatically generated statistics could be inserted. The page could be a narrative and explain the statistics in the context of the site's usage levels and policies.

The transparency page could be supported by adding a feature to the search engine enabling searching specifically for request threads where a message has been hidden from public view (effectively a partial takedown log see #2657 ). Potentially the search could also enable the identification of requests where material has been removed for particular reasons.

To enable the collection of data for a transparency page more of the site's administration operations would ideally be recorded / carried out via the admin interface (see #419 ). Certain admin actions eg. hiding a message/thread or setting a censor rule could be prevented where a reason is not given.

There could be a default of showing all-time statistics alongside a say the last full year; with options to change to different time periods.

Cautionary Notes

• Sometimes there are good reasons for not wanting to make it easy for people to find material removed from a site. Sometimes sensitive personal information is published accidentally and will still be available in a search engine cache or archive site after it has been removed from an Alaveteli site. In such cases delayed reporting of removal would be justified and desirable to give a chance for the material to be removed from other services.
• Where the transparency page relies on administrators to categorise take-downs these may not be complete and accurate; particularly on sites which were running before additional transparency features were added.

• The benefits of greater transparency need to be balanced against increased complexity of the system and in particular any additional burden on site administrators.

  Additional Records to Consider Collecting In the System

  User Information Requests

  On a user admin page include options to:

• flag if a request has been made for the users' personal information by i/ a public body or ii/ anyone else
• flag if i/ some or ii/ all or a user's personal information which the site holds has been released i/ with or ii/ without a court order.
• flag if the user was notified of a request for their information
• flag if site administrators contested a court order seeking user information.

  Reasons for Hiding, or Censoring, Messages or Threads

Currently the system records if a request is

• Not a FOI request
• Vexatious

Additional classifications to consider when hiding threads and messages or adding censor rules:

• Request was a subject access request (or a similar request for a third party's personal information) (see related comment)
• Personal data accidentally/inappropriately included
• Sensitive personal data accidentally included
• Defamation concern
• Copyright concern
• Commercial confidentiality concern
• Requester seeking name removal
• Public body staff seeking name removal (some overlap with personal data, but most appropriate classification could be given)
• Material extraneous to a request (same as "Not a FOI request when applied to censor rule / message hiding?)

For each it may be desirable to distinguish between concerns about material derived from the requestor vs material derived from the public body and if the concern was raised by an administrator, a user, the requestor, the public body, the government (eg. court, regulator, police etc.).

It should be possible to flag a concern without hiding the thread or message.

Action on requests from users to anonymise their requests could be brought within the system to enable greater transparency of this action (see #444 )

A special flag for substantive responses which are not hidden due to being "contaminated" with eg. accidentally released personal information, but on the basis of the site operator not being willing to publish the response (which anyone could obtain themselves) due to legal risk could be included as these are particularly interesting and notable takedowns.

Possible Narrative and Statistics for WhatDoTheyKnow.com

We run WhatDoTheyKnow.com as openly and transparently as we can. This page provides an overview of statistics relating to the removal of material from our site and on requests we receive for user's personal information.

In addition to this summary page, we try to add a note to any correspondence page we have removed material from it making clear where we have acted, and why. Recent requests on which we have taken such action can be viewed via [provide link, or maybe insert a list of links, and dates of takedown (See #2657)]

Since the the site began operation [STAT] correspondence threads have been started. Of those threads started [STAT (STAT%)] can currently be viewed in full, or part, on our site.

The most common reason we remove correspondence threads is that they do not contain requests for recorded information expected to be held by the public body in question. We remove general correspondence, complaints, spam and other inappropriate material. We also remove "subject access" requests for the requestor's personal information or requests for this kind of information in respect of a third party. If we consider a request is vexatious we remove it from public view.

Table 1: Breakdown of reasons for removing whole correspondence threads from public view

Thread Removal Reason	Number (%) of Hidden Threads
Not a request for recorded information	NNN (N%)
Vexatious	NNN (N%)
Request for personal information	NNN (N%)
Other	NNN (N%)

[Ideally the "other" class would be 0%, at least for recent requests since the removal reasons have been recorded. If administrators could be given access to identify those which come into this category a comment on them could be made]

Some requests for personal information eg. for a senior public figure's salary and expenses are reasonable; we do not remove requests which could reasonably be expected to receive a substantive response. If a hidden request was to receive a substantive response we would re-consider our decision to hide it on request.

Table 2: Breakdown of reasons for removing text, or messages, from a thread

Removal Reason	Number of Threads Affected
Personal Data - All	NNN (N%)
Personal Data - Sensitive	NNN (N%)
Personal Data - Requestor name	NNN (N%)
Personal Data - Public servant name	NNN (N%)
Defamation Concern	NNN (N%)
Copyright Concern	NNN (N%)
Commercial Confidentiality Concern	NNN (N%)
Extraneous Material	NNN (N%)
Other	NNN (N%)

Clicking the removal reasons in the above table links to lists of requests where material has been removed on those grounds. We also publish a full list of published requests from which material has been removed. (Subject to #2657 )

There are a small handful of cases where, for reasons of legal risk, we have decided we are not able to publish substantive FOI responses. More details are available on the correspondence threads involved themselves [insert list or link].

There are currently X requests where we are not prepared, due to advice on the degree of legal risk, to even publish the request threads with the problematic response removed. [Considering publishing a transparency page may prompt us to republish the sole? thread in this category!]

Unless there is a very good reason, for example the accidental release of large quantities of sensitive personalise information in a response, when we hide a correspondence thread, or an individual message, from public view we continue to give the requester access to the exchange.

Table 3: Who Makes Requests to Take Material Down

Requested by	Number of Threads Affected	Number of Threads Where Material Removed
Public Body	NNN (N%)	NNN (N%)
Requester	NNN (N%)	NNN (N%)
Other user	NNN (N%)	NNN (N%)
Action Initiated by Admin Team	NNN (N%)	NNN (N%)
Government (police, court, regulator etc.)	NNN (N%)	NNN (N%)

[In this context an FOI officer from another public body would be another user]

Those wanting to ask us to take material down from our site must make their request in writing and specifically identify the material in question and explain the reason(s) for seeking the removal.

_Table 4: Requests for User Information _

Requested by	Number of Users ID'd	Cases Supported with Valid Court Order	Number of Users Whose Information We Released
Public Body	NNN (N%)	NNN (N%)	NNN (N%)
Individual	NNN (N%)	NNN (N%)	NNN (N%)
Government (Police, court, regulator etc.)	NNN (N%)	NNN (N%)	NNN (N%)

WhatDoTheyKnow notified users of impending, or actual, court orders prior to releasing material in [STAT%] of cases where user information was disclosed.

At WhatDoTheyKnow we promise our users "We will not disclose your email address to anyone unless we are obliged to by law, or you ask us to". We keep that promise and also apply it to other personal information we may hold, for example IP addresses and records of use of the site. (Link to page describing policies on retaining server logs etc. and any policies on notifying users when WhatDoTheyKnow is aware of their personal information is being sought).

Sources of Inspiration

https://www.google.com/transparencyreport/ https://transparency.twitter.com/ https://transparency.wikimedia.org/ https://www.reddit.com/wiki/transparency/2014

It would be awesome if an Alaveteli transparency report page was to transparancy reports what https://2014.mysociety.org/ is to annual reports.

URL

An Alaveteli site's transparency page could use a URL like:

http://www.whatdotheyknow.com/transparancy

Dates might be required if reports for specific periods were desirable.

Proposed Minimal Initial Implementation of a Transparency Page

• [ ] Set up a transparency page on which admins can add narrative content which can pull in basic stats eg. total requests, total requests with some material has been removed, and eg. contents of table 1 above.
• [ ] Enable searching for requests where material has been removed. This would be essentially a take-down log covering those threads where some material is still published, which could be linked to from the transparency page.
• [ ] Enable flagging of the handful of particularly notable takedowns where a substantive response has been removed due to a policy decision, in light of legal risk, not to publish that response.

[RichardTaylor]

It might be desirable to specifically tag / highlight cases where sensitive personal information accidentally released in bulk by public bodies has been removed.

[confirmordeny]

Perhaps we should also tag which FOI/EIR exemptions could have been used to withhold the information. Might get too complicated.

[RichardTaylor]

If #34 was completed a transparency report page could link to; or list, the latest annotations by administrators. (This might be a rather similar list to the recent take-downs though).

This issue #2658 mentions spam threads; but not hiding individual spam messages sent to threads. I think spam (and messages misdirected to a thread) might want to be treated differently to other hidden messages; typically on WhatDoTheyKnow we just delete such things and don't leave a note.

[RichardTaylor]

Takedown requests themselves could be published on or linked to from a transparency page (see discussion in the comments on another issue)

[RichardTaylor]

Above I listed some additional reasons for hiding material it would be useful to flag up in the system. This follow-up is to add "duplicate request" as a further reason.

Sometimes people accidentally make requests twice and we hide one to keep things tidy. (We don't hide repeated requests made by different people, just help users fix things when they mistakenly send something twice).

[RichardTaylor]

Some further thoughts on what we might want to consider covering in a transparency report:

• Requests for the release of, or release of, hidden material eg. requests and annotations.
• Unprompted action by administrators to release personal information eg. in an effort to prevent serious harm.

These cases are so rare, and future cases may not come into any category conceived now. That's one reason I think some free text for administrators to write and maintain on a transparency report page would be a good idea.

[RichardTaylor]

Google sends site operators notices of "European data protection removal from Google Search" - presumably under the "right to be forgotten".

We could consider listing these in a transparency report.

If we did we probably ought note Google's caution:

In many cases, affected queries don’t relate to the name of any person mentioned prominently on the page. For example, the name might only appear in a comment section.

[RichardTaylor]

Other thoughts having reviewed the requests hidden completely on WhatDoTheyKnow:

• I think it's important to distinguish between a substantive hidden request thread and those which while not clearly vexatious or "not FOI" weren't really appropriate such as a request for a named individual's fraudulent expenses claims, when there were no such claims, which has been removed on defamation grounds (That's a fictional example along the lines of real cases).
• About 40% of the fully hidden requests were made by one user, and further 4% by another. It would be good to show this distribution in some way and give reassurance that only a tiny number of users' requests get hidden.
• Having the transparency page information accessible will enable transparent running of the site. eg. if admins can check for example a list of requests hidden without a reason, or a list of hidden successful requests, those lists can be reviewed to see if the requests can be republished in all or part.
• There are things we will probably want to exclude from a transparency report including requests made and hidden via FOI_Register, test requests, and request threads used for site administration.

[RichardTaylor]

There are currently X requests where we are not prepared, due to advice on the degree of legal risk, to >even publish the request threads with the problematic response removed. [Considering publishing a >transparency page may prompt us to republish the sole? thread in this category!]

I'm now aware it's not just one request on WhatDoTheyKnow, there's a small handful of substantive requests where we've hidden the whole thread for various reasons including libel, unjustified impact on an individual, and publication of personal information which can't be separated from the request.

A narrative or commentary is required to explain the figures as, to create a fictional example which isn't far off the kind of thing we've experienced, one user might make requests to a small school and series of local and national bodies about policies on a certain rare disease, they then might feel sensitive personal information about their child can be inferred from the requests and ask us to hide them from public view. Removal of say 5-10 requests in such a case can be a large fraction of the total substantive requests ever hidden on the site.

[RichardTaylor]

One option to simplify things might be not to aim to produce a report covering the whole time an Alaveteli site has been operational; but just for the last year, from a point in time onwards, or for a particular period.

Administrators could check takedowns were properly classified over a short period more easily than reviewing all historic takedowns which occurred before any standardised tagging / marking process was established.

[RichardTaylor]

Consider integration with the Lumen Database of take-down requests (formerly known as the Chilling Effects Database):

https://lumendatabase.org/

which is used by Google, Twitter, Bing, Vimeo and others to bring transparency to take-down requests based on copyright, defamation and other grounds.

Could Alaveteli collaborate with Lumen, or their partners eg. the Electronic Frontier Foundation to improve our transparency surrounding the handling of takedown requests?

Perhaps we should try and make contact with some individuals and institutions involved, perhaps there would be an opportunity for collaboration and joint grant applications?

[RichardTaylor]

A transparency report may also help with strategic decision making as well as governance and oversight.

In order to be most useful / informative collecting and publishing statistics on the type of material removed, in common cases, might help, where there are themes eg. HMO landlords / licence holders' names being removed from registers. This could be achieved by tagging classes of takedown.

[RichardTaylor]

The number of users suspended could feature in a transparency report.

Perhaps this could usefully be broken down by "banned for spamming" vs "banned for misuse of the service".

An interesting metric might be banned after making 10+ requests on the basis that banning someone after making one inappropriate request, or even just a handful of inappropriate annotations, feels less important than banning an established user.

Note that we do already identify banned users publicly by putting "(Account suspended)" after their names, and we post a public reason for bans. Perhaps a transparency report could collate and link to such information which is already public, but then we don't want to draw attention to misuse of the services, we'd much prefer focus on the positive and impactful uses.

[mdeuk]

Consider integration with the Lumen Database of take-down requests (formerly known as the Chilling Effects Database):

https://lumendatabase.org/

which is used by Google, Twitter, Bing, Vimeo and others to bring transparency to take-down requests based on copyright, defamation and other grounds.

Could Alaveteli collaborate with Lumen, or their partners eg. the Electronic Frontier Foundation to improve our transparency surrounding the handling of takedown requests?

Perhaps we should try and make contact with some individuals and institutions involved, perhaps there would be an opportunity for collaboration and joint grant applications?

This seems like an idea worth further consideration - however, I'm not sure if any UK entities are currently submitting data to Lumen. It could be worth a chat?

[RichardTaylor]

Better reporting of take-downs and their reasons could assist those responsible for oversight of Alavetlei installations.

A transparency log page might offer a useful view of the service's operation for managers, trustees etc.

Such information might also usefully inform routine team meetings.

[RichardTaylor]

Consider including a statement along the lines of:

"The Investigatory Powers Act 2016 provides certain public bodies with powers to require the release of personal information in response to "authorisations" which do not have to be issued judicially. We understand it is an offence for us at WhatDoTheyKnow to disclose the existence of any such requests and, if they are lawful, we think we are legally required to comply with them. https://www.legislation.gov.uk/ukpga/2016/25/contents/enacted"

[mdeuk]

Consider including a statement along the lines of:

"The Investigatory Powers Act 2016 provides certain public bodies with powers to require the release of personal information in response to "authorisations" which do not have to be issued judicially. We understand it is an offence for us at WhatDoTheyKnow to disclose the existence of any such requests and, if they are lawful, we think we are legally required to comply with them. https://www.legislation.gov.uk/ukpga/2016/25/contents/enacted"

This sounds a bit like a “warrant canary” - if we’re careful as to wording I think this would be useful.

[RichardTaylor]

A transparency report could usefully cover rejected requests to remove material from sites.

WhatDoTheyKnow was asked to point to requests where we have rejected requests to take down released material. We didn't have any easy answer to point to. There has been some use of tagging requests with eg. takedown and rejected. See https://wdtkwiki.mysociety.org/wiki/Request_tags