openculinary / company

OpenCulinary Company Documents

Privacy / compliance: planning: consider implications of upcoming changes to UK Computer Misuse Act #6

Open jayaddison opened 1 year ago

jayaddison commented 1 year ago

Is your feature request related to a problem? Please describe. There is an open consultation by the UK Government regarding potential changes to the Computer Misuse Act (1990).

RecipeRadar is hosted within the UK and although most of the provisions of the consultation don't seem relevant to us, the sections regarding the power to preserve data and data copying could be relevant to the operation of the service.

In particular: we intentionally do not log any personally identifiable information since we don't believe that recipe search is something that requires personal information and we also believe that logging and building customer profiles can result in anti-competitive marketplace practices.

We also may encourage copying of some parts of our dataset so that other sites can host and run their own instances of RecipeRadar (perhaps in future on local devices, to provide offline support) -- but before doing so, we need to ensure that the data made available for copying would not include any content that could imply copyright infringement were someone to copy it.

Describe the solution you'd like TBD - planning for a few different scenarios would make sense; no changes to the CMA have yet been proposed. Responding to the consultation could make sense, but only if we have valuable and well-considered input to provide.

Describe alternatives you've considered

jayaddison commented 1 year ago

A few thoughts-in-development related to this:

if it's possible that some traffic would be requested for relaying-in-private to law enforcement, then we could potentially do better for some recipe search customers by making clear up-front that that is a regulatory requirement in our jurisdiction, making clear what information is covered by those terms, and publishing all of that information on the site for the general public

In one sense this could be an over-reaction; it would reduce privacy for all users of hosted instances of RecipeRadar.

In another sense it is a more level playing field. Imagine that we had a third of the world's entire population using the hosted RecipeRadar instance. That would be a lot of traffic and a lot of information about who is looking for what kind of recipes in what places. There would probably be enormously benevolent ways to use that information, although there would also be manipulative and exploitative ways of using the information (for example, to provide unfair advantages to some retailers, or to reduce availability / increase price of ingredients for some group of people who we are prejudiced against). Making the same data available to everyone could avoid those risks.

An additional argument in support: it's not always great to have the public and law enforcement provided with the same information. Law enforcement should be more familiar with the ways in which information that appears to say one thing can be misleading or incorrect, based on their experience. The public may not have that professional experience. Recipe search could be a low-risk environment in which it is possible to educate the public that information that appears, to them, to be interpreted in one way could in fact have a different meaning in reality.

jayaddison commented 1 year ago

Note: if publishing visitor personal information, then it'd probably make sense to provide at least two (preferably geographically-disparate, albeit perhaps our ISP to begin with) datasources that attest to the contents of what should be the same datastream (with some tiny percentage margin of error for dropped packets, connections, etc - things that should probably be investigated for resilience/robustness/quality reasons) -- especially if any of the consultation results lead to the potential for DNS/IP hijacking (because how would it be possible for anyone (server, law enforcement, users, or public) to trust the data they read from RecipeRadar about visitors if they don't know whether they are being provided with a response from RecipeRadar?)

jayaddison commented 1 year ago

As mentioned, we don't currently log access requests to the RecipeRadar service. However, if and when we do begin doing that, I think we should also log the integrity hash of each HTTP response generated.