Thursday, 30 September 2010

Every which way to lose your data...

The ACS 'data leak' story that's been emerging fairly dramatically over the last couple of days has got pretty much everything you could hope for in this kind of story: a bit of porn, a bit of piracy, some hacking, threats of huge fines, legal action and so on. It's already been widely reported on - Andrew Murray's blog on the subject gives an excellent description of what ACS do, and how this whole thing has to a great extent blown up in ACS's face. As he explains, it's a prime example of how symbiotic regulation works - and why the law is not the only thing that matters when regulating the internet.

There is, however, something else that is very graphically demonstrated by the whole saga - how many different ways your personal data can be at risk. This small story alone demonstrates at least five different ways that personal data can be vulnerable:

  1. To monitoring and tracking - the initial data about the supposed copyright infringers was obtained by monitoring traffic on the internet.
  2. To 'legal' attack - ACS initially got a court order to demand that the ISPs involved (we know about BT, Sky and PlusNet in this case) disclose the personal details of the account holders suspected of copyright infringement, based upon this monitoring.
  3. To human error - BT have admitted that they sent this personal data on an unencrypted Excel file attached to an ordinary email, in breach of their official policies and practices.
  4. To hacking - at least this is part of what ACS have claimed - that their systems were hacked into in order for the data to be obtained in order to be leaked.
  5. To deliberate leaking - precisely who did the leaking is far from clear, and who wished for the data to be leaked, but there is certainly a possibility that someone wanted the names to be out in the public domain.
Of course the data itself is far from reliable. It is just the details of the account holders that are suspected of being used to share illegal content, without there being any direct evidence that the people themselves did the sharing - which brings even more dimensions of vulnerability into play: confusion, mistaken identity, even things like defamation by implication could come into play. If your name is on the list, you're not only being labelled a lawbreaker but a consumer of porn - and it might very easily not have been you doing it at all. Other people might be using your account, perhaps without your knowledge, perhaps without your permission, perhaps without your understanding.

Simon Davies, of Privacy International, quoted in the BBC, said that 'You rarely find an aspect where almost every aspect of the Data Protection Act (DPA) has been breached, but this is one of them'. It's also true that almost every aspect of data vulnerability has been demonstrated in one fell swoop.

Perhaps an even more important point, however, is the way that personal data - and individuals' privacy - is viewed almost as 'collateral damage' in the ongoing battle between the entertainment industry (and their hired guns like ACS:Law) and the 'pirates'. From the outside it looks as though as far as the 4chan hackers and ACS:Law are concerned, it's that battle that matters. ACS:Law wants to 'get' the pirates, while the 4chan hackers want to 'get' ACS:Law and to 'win' the war with the entertainment industry for the 'cause' of free and unfettered file-sharing. The fact that some 13,000 individuals have had their personal data released into the public domain and face all kinds of possible consequences from embarrassment (or humiliation) to legal action onwards seems somehow less important. Sadly it often seems to be that way. Privacy is squeezed by politics, law, business and a whole lot more. Every which way, privacy loses.  

Saturday, 18 September 2010

No more place for privacy?

With the launch of Facebook Places in the UK, 'location' services have really hit the mainstream. With Facebook Places, people can 'check in' to indicate exactly where they are to their 'friends' (and probably quite a lot of others too, unless they're very careful). It's another step - and perhaps a very big one - along a path that some might suggest has an inevitable outcome: the end of privacy, at least as we know it.

Scott McNealy, CEO of Sun Microsystems, told journalists, way back in 1998 that “You have zero privacy anyway, get over it.”  Others, most recently and persistently Mark Zuckerberg, co-founder and CEO of Facebook, have suggested that the whole idea of that is simply outdated and now irrelevant – people just don't care about it anymore.

Are they right? Is privacy dead - or at least dying? Should we just 'get over it', join all those many millions of happy Facebook customers who don't care about privacy, and start enjoying all the advantages of having a truly 'transparent' life? Embrace such wonders as Facebook Places, and enjoy the pleasures of meeting people for coffee in unexpected places just through the medium of our smartphones - after all, it's so much more convenient than having to call and arrange things. Of course there's an obvious possible downside - but burglary's not much of a danger as long as you have state of the art security systems, or a ravenous Rottweiler, or employ someone to housesit whenever you're out.

That, however, is just the simplest and most obvious problem. The other, less obvious, but ultimately more important issue is what happens to all the data about where you are, where you've been, and so forth. The possibilities of using this data for profiling - and eventually predictive profiling - are immense, which presumably is why Facebook and many others are introducing products like this. They'll be able to learn even more about you than they already can.

Do we care? Zuckerberg would suggest not, but there isn't much evidence to back up his claims. McNealy would say that it doesn't matter whether or not we care, there's nothing we can do about it. Personally I don't think either of them are right. Events like the fall of Phorm and Facebook's own forced abandonment of their Beacon system, and the 30,000+ Germans who put their names to a challenge to data retention legislation, all suggest that there is still an appetite for privacy - and for some more control over what's going on.

Will Facebook Places be a huge success? Will people just embrace it, without considering the downsides? It will be an interesting test....