Virtual Worlds and the EU

Virtual Worlds and the EU

I am about to return to Brussels for the final session of the EU’s citizen’s assembly on virtual worlds. I decided to make a document from my notes on the EU citizens panel on Virtual Worlds. As I have said, my notes were contemporaneous and do not tell a story. This article hopefully documents the lessons I have learned and would like others to read, and of course agree. Hopefully, it’s more directed!

The biggest question I have is around the framing of the questions to be considered. The Commission seem to use the terms, virtual world and metaverse as synonyms. They tried to offer a definition virtual worlds by referring to the reality-virtuality continuum, about which I was unnecessarily rude. There is no question in my mind that attempting to frame the questions as those stemming from a virtual world rather than the future of the Internet causes problems, not the least, being just how important is the 3D representation and metaphor and the use of avatars. NB the Renault example does not seem to have personal avatars and I question the utility of 3D representation as part of their problem-solving algorithm. Wikipedia offers  a limited definition , and perhaps this McKinsey article office more. I have made a note on definitions on my wiki. I am unclear how much publicly funded research has been done.

To my mind, the quality of the experts, and their ability to engage with the citizens is highly variable, with, in my opinion, several offering little and at least one not only offering little but what was offered being wrong.

On the other hand, in my opinion, also some of the quality of the citizen contributions is poor. On the whole they seem to find it difficult to imagine a future with a pervasive metaverse and what they can conceive, they don’t seem to want. To be honest, I find it difficult, beyond games to have an idea of what the metaverse has to offer. In my notes, I mentioned this, but note I need to guard against personal arrogance. The internet’s designers need to take account of these fears although both banks and entertainment have just about, left the real world.

One of the questions or axioms stated by the workgroup I observed is that the world needs an Internet built for human need not driven my profit. This implies the need for public investment and regulation of both the platform providers and software developers/owners.

CoFoE proposed higher fines, and the right of the Commission to prohibit companies from some or all of their activities.

The more I think about it, the more I am concerned that Fake News aka lying is not taken seriously. In the Anglosphere and in Germany, much of the press is owned by billionaires whose business model involves using the political power ownership of media organisations brings. Many balance the need for a duty of truth with the rights of freedom of expression. European citizen’s need to decide where that balance point lies because the effective answer in the Anglosphere is not good enough. The citizen’s assembly is not as engaged on this issue as CoFoE was.

The other issues on which citizen’s seem less interested are press and platform monopoly regulation and on the press it’s possible that the EU could learn from the UK’s Leveson report, although the Government unsurprisingly bottled the opportunity to transfer libel court costs to newspapers unless they agreed to sign-up to an approved standards body. Most of the UK press do not and the failure to implement a press regulator even after the scandal that led to Leveson show the entrenched power of these corporations.

The EU is busy passing a series of laws to regulate the digital economy. One of the problems they seek to remedy is that of computer crime. There is rightly much concern about cyber-bullying, child protection and pornography. However, we are starting from the point where the platforms have established rights as a carrier not as a publisher. The lawmakers’ response has been to develop a statutory “notify and take down” scheme, but this is very much to the advantage of large scale intellectual property owners and the large platform providers. We need a law the suits people, not companies.

The Commission is clear that privacy is at the centre of the goals of the regulation of the new digital society. The threats to citizen privacy comes from both private sector usually foreign owned, surveillance capitalism and the intelligence services. CoFoE has suggested both that GDPR fines are increased and that social media platforms should be licenced and that the withdrawal of a licence to operate should be a sanction available to the authorities.

There is also the need to review our copyright laws. Content publication is a supply chain, and our current laws do not favour the mass of creators. The value web is not going to be born with the current laws. The world needs a law that favours creation and not rent seeking. This means rebalancing the rights to make derived works against the default position of all rights reserved. Copyright longevity needs to be reviewed too. This has not really been raised at CoFoE or the citizens’ assembly but it’s a conclusion I have drawn from looking at what is needed.


In the document version, based on the articles in this blog, I made a document of my notes from the first two sessions of the Virtual Worlds citizens’ assembly. I added some foot notes.

  1. I made some rude comments about their use of the Reality/Virtuality continuum. In retrospect, something was required; it was needed to help define the metaverse and the focus of the assembly as something other than that of the future internet.
  2. I made some approving comments about the simplicity of the Commission’s bulleted statement of digital principles. Later in the month I found the full statement of the digital principles and I need to consider what I said, which was about the superiority of the short statement. On first review, the full statement which is longer, seems comprehensive and sufficiently technology neutral to be effective and to last.
  3. On review of the full text of the statement of principles, the right to digitally die is covered.
  4. On the shocked, shocked statement, which is a reference to Casablanca, I am suggesting that the professional moderators are taking guidance from the Commission and not the citizens.

Image Credit: European Parliament CC 2010 BY-NC-ND MEPs Voting …

What the CoFoE thinks about citizen privacy

What the CoFoE thinks about citizen privacy

The Conference on the Future of Europe, Democracy and Rule of Law panel has generated 39 recommendations to improve the EU’s Democracy and compliance with the Rule of Law. Three of these related to Privacy and one to Cybersecurity. I have drafted a response for CTOE, which I hope will become part of their response but did not form part of their first response, which is fortunate since I changed my mind slightly. The article, overleaf, covers regulations and sanctions, equality of arms, and enforcement and political will. ...

On Cyber-security

On Cyber-security

I posted a note on cyber security on my linkedin blog. I post some pointers on the standards and controls needed to defend against a cyberattack and implement “adequate technical and organisational” protection. It looks and links at the NIST cyber-security framework and lists some of the necesary controls to implement a reasonable defence and prove “adequate technical and organisational” controls. If you do what I suggest badly, you might get away with it, if you do it well, you might stop and or recover from attacks.  …

Privacy Regulation

Privacy Regulation

I wrote a little piece on my linkedin blog on the EU Commission’s proposal to agree a data “adequacy” agreement. I point out the next set of hurdles, although I downplay the likelihood of any intervention by the CJEU but note that not was critical in striking down the original EU/US “Safe Harbour” agreement. I note that one threat to its renewal at the end of its four year live is the desire and plans of the British Govt to depart from the current legal protections which are based on the EU’s GDPR.

Issues of state surveillance, the European Council’s Convention 108 and the Human Rights act are all engaged. We’ll probably get it, but for it to be renewed, we’ll have to remain aligned with the GDPR & C108. The right to seek judicial redress by EU citizens may become important as it is a point of contention between the EU & US over the Privacy Shield.

One indicator of a desire for divergence is the advert for the role of Information Commissioner, which asks for,

The Government’s National Data Strategy sets out its ambition for the UK’s pro-growth and trusted data regime, one that helps innovators and entrepreneurs to use data responsibly and securely, without undue regulatory uncertainty or risk, …

This has been picked up by the Open Rights Group, who are asking people to write to their MPs, we need an independent Privacy Regulator.

The retreat from the promise of the GDPR is not just a UK phenomenon, across Europe pro-business politicians are beginning to say that it’s too onerous. It’s a shame we’re out, our voices no longer count …



I am a bit confused over the whatsapp privacy update furore. Whatsapp say it’s only about business correspondence, Alec Muffet agrees, and so does the Independent Schneier thinks it’s a bad thing, and points at Nick Slatt’s article which adds to my confusion by pointing out that early users of whatsapp had the opportunity to deny Facsebook access to their data and that European users are managed under a different policy to ensure Facebook’s compliance with the GDPR. I am an early user and so they shouldn’t be mining my address book however they maybe doing so for my correspondents, particularly any US correspondents. However, I wonder if they or Facebook still consider the UK regime as equivalent to that of European Union, the Independent article confirms it does. I don’t consider the update notice to be a collection of consent that is freely given nor ‘informed’, as the future purpose is not clear, at least not to me but I may not have to worry yet. The problem is Facebook, both the company and the service, if we’re serious about our privacy, we’d stop using it but until then they can obey the law. …

Bosses & CCTV

I wrote a piece on my linkedin blog called, “Reusing CCTV in employee relations“. I rang the ICO and was told that employers can reuse CCTV, “if they come across something they cannot reasonably ignore”. The linkedin article looks at the ramifications of this and points to the ICO document, “the employment practices code“, which states that cameras may not be covert and may not be used for general monitoring. …

A first domino?

Carol Cadwalladr and others are speculating that the US Federal Trade Commission plan to fine Facebook $5bn for its privacy law breaches. This is reported today in the New York Times, in an article, Facebook Expects to Be Fined Up to $5 Billion by F.T.C. Over Privacy Issues. This documents the breaches which focus on Cambridge Analytica and the Brexit time span and the laws. $5bn is a lot, the EU only fined Google €1.5bn. I posted the NYT article on Facebook with the following comment.

But he still won’t come to the UK to testify to the DCMS select committee, although I have sympathy with the argument that if we aren’t investigating our citizens who have broken the law, why should he put himself at the front of the queue.


Do the right thing!

A new linkedin blog by me on the fine print of the GDPR’s “legitimate interest”. The print is not so fine, and in summary, you don’t need to read the fine print to do the right thing.

When claiming a legitimate interest, the privacy rights of data subjects are established as controlling the data processor/controller’s legitimate interest by the requirement to recognise the “fundamental rights and freedoms” of the data subject. The “fundamental rights and freedoms” are defined in the Charter of Fundamental Rights

Due to indirection and thus undocumented nature of the data subject’s consent inherent in legitimate interest, I’d advise finding another lawful purpose. …