Tuesday 23 March 2010

Consent: a red herring?

I asked Peter Fleischer, Google's Global Privacy Counsel, a question about 'opt-in' or 'opt-out', in a panel session at the Computers, Privacy and Data Protection Conference in Brussels in January, to which he gave an interesting answer, but one that was greeted with more than a little dismay. In essence, his answer was that the whole question of 'opt-in/opt-out', and by implication the whole issue of consent, was a bit of a red herring. Unsurprisingly, that was not a popular view at a conference where many of the delegates were privacy advocates - but he did and does have a very good point. He went on to explain, quite reasonably, that if someone wants something online, they'll just consent to anything - scrolling down through whatever legalese is put in the consent form without reading it, then clicking OK without a second thought, just to get at the service or website they want. And he's right, isn't he? That IS what we all do, except in the most exceptional circumstances.

The question, then, is what can or should be done about it. Peter Fleischer's implication - one shared, it appears, by most in the industry, is that we should realise that emptiness and unhelpfulness of consent, and not bang on so much about 'opt-in' or 'opt-out'. We're missing the point, and barking up the wrong tree. And, to a certain extent, I'm sure he's right. As things stand, consent, and opt-in, and not really very helpful. However, it seems to me that he's also missing the point - whether deliberately, as it suits the interests of his employers to have opt-out systems and allow such things as browse-wrap consent on the net, or because he thinks there's no alternative, I wouldn't like to say - in the conclusions that he draws, and the suggestions as to what we do next.

If consent, in its current form on the net, is next to meaningless, rather than abandoning the concept as useless wouldn't it be better to find a way to make it more meaningful? This is something that many people are wrestling with - including the EnCoRe (Ensuring Consent & Revocation) group - and something I shall be presenting a paper about at the BILETA conference in Vienna next week. The way I see it, the internet offers unprecedented opportunities for real-time communication and interaction, for supplying information and for allowing users choices and options - shouldn't there be a way to harness these opportunities to make the consent process more communicative, more interactive, more 'real-time', and to give users more choice and more options?

Peter Fleischer's employers, Google, actually do some really interesting and positive things in this field - the Google Dashboard and Google's AdPreferences both provide information and allow options and choices for people whose data is being gathered and used - the next stage is for these to be given more prominence, for right now they're pretty hidden away, and it's mostly just the hackers and privacy advocates that even know they exist, let alone use them well. If they can perhaps Google can help consent to become much more than a red herring, and instead part of the basic process of the internet.

Thursday 18 March 2010

Now we're all at it... especially the good guys...

It's not just the German government who are using illegally acquired data to root out tax evaders - the latest revelation is that both the French and the UK Government are doing it to. A report from the Sunday Times, available online here, has revealed much more detail - and in particular that HMRC in the UK is very enthusiastic about getting hold of this illegally acquired data. A senior tax official is quoted as saying "It’s fair to say that the prospect of getting hold of this information has generated some excitement here."

The whole thing raises a lot of issues - some of which I mentioned in my post of 7th March - but the German, French and UK governments are all seemingly happy to do it, and at least so far there seems to be very little resistance or outcry about their tactics. The ends justify the means, perhaps. Personally, I don't think so, and an experience I had in the classes I teach (Information Technology & the Law) suggested to me why. The class was about surveillance in the digital environment, and we were discussing the nature of enhanced CCTV, and how it, combined with information from systems like Oyster Cards, could allow coordinated tracking of individuals. I teach three classes, with a mix of different individuals with very different backgrounds. In the first class, the reaction to this kind of tracking could be described as general interest, but nothing more. In the second, it might even be described as enthusiastic - with some agreement with the view of a Police CCTV Liaison Officer that "The cameras are there to help the police and to protect the community. There is no way anybody should be afraid of them unless they have something to hide."

The third class was different - the first person to speak had a reaction that I hadn't really heard in the first two classes. His immediate response was that he didn't want the government to be able to track him - and when asked why, he almost laughed, because to him it was so obvious. Why was it obvious to him, and not to the others in the previous classes? Because he happened to have experience of living in a country with what is close to an authoritarian regime. People who live in those circumstances are naturally and appropriately more likely to be suspicious and distrustful of government motives.

Here in the 'safe' West, where the governments are suspected much more of incompetence than evil, we don't really seem to care that much about things like this. Right now, we seem to mostly 'trust' our governments, and imagine that they will only use the powers we grant them (or allow them to take for themselves) for good purposes - like catching tax evaders, or tracking terrorists. We rarely imagine that they might end up using them for entirely different purposes, purposes for which we would have much less sympathy. What would it take to make us realise the risks, let alone take them seriously? It would be nice to think that we could do so before they are taken too far. 

Tuesday 16 March 2010

Digital Economy Bill passes the Lords...

Just a brief note - further to last week's post, the Digital Economy Bill has now passed its third reading in the House of Lords, and is expected to be rushed through the commons before the election (see the BBC report here). Do people really understand what's happening here? And more to the point, even if they do, do they care? There will be active campaigning against it for sure - not least by the Open Rights Group - and it will be interesting to see how much opposition to the disconnection provisions can be raised in the face of the Government's clear desire to get it done quickly. Will the UK demonstrate the kind of 'active community' that worked so well in Germany to deal with their data retention laws, as I mentioned a couple of weeks ago?

I certainly hope so - and at a time when an election is looming, the government should certainly be responsive to signs of popular resistance. Are we in the UK ready to stand up for freedom on and with the internet? Time will tell...

Thursday 11 March 2010

All hail the Internet?

Two stories this week have emphasised the importance of the Internet in today's world.

The most recent, and perhaps the strangest, is the news that the Internet has been nominated for the Nobel Peace Prize, in a campaign mounted by Wired Italy - this is how the English language version of Wired is reporting it. Of course there have been stranger (and much more controversial) nominations over the years, but even so it does seem an unusual, though far from unwelcome suggestion. The Internet can be (and at times has been) a wonderful tool for peace. As said Riccardo Luna, editor-in-chief of the Italian edition of Wired magazine puts it: "The internet can be considered the first weapon of mass construction, which we can deploy to destroy hate and conflict and to propagate peace and democracy. What happened in Iran after the latest election, and the role the web played in spreading information that would otherwise have been censored, are only the newest examples of how the internet can become a weapon of global hope."

The second story comes from the BBC World Service, who commissioned a poll, covering more than 27,000 people in 26 countries across the digital divide which came up with some headline grabbing statistics, the most notable of which was that across the world, almost 80% of people now regard Internet access as a basic human right. There are many highly revealing findings, both on a country-by-country basis and giving more of a global picture, but the headline figure is certainly something about which we should stop and think. Internet access a basic human right, comparable with electricity and water? And this is something believed not just in technologically advanced countries, but right across the digital divide - countries such as Mexico, Brazil andTurkey most strongly supporting the idea of net access as a right.

So, two stories, one suggesting that the Internet should be considered for the Nobel Peace Prize, the other suggesting that access to the Internet is a fundamental human right - and what do we have happening in the UK, and seemingly quite likely to become law, but the idea of restricting or even cutting off internet access for people caught illegally file-sharing, in the shape of the Digital Economy Bill. Cutting off a fundamental human right, for something that, though illegal, is hardly of the most egregious of crimes, doesn't exactly seem proportionate. Though people like Ian Livingston, British Telecom's Chief Executive, who has publicly raised his concerns about the Bill, along with various other industry leaders (including representatives of BT, Virgin Media, Carphone Warehouse and Orange) may have a clear vested interest in opposing these terms within the Bill, it is certainly something that many more of us should be concerned about.

Sunday 7 March 2010

The good, the bad and the ugly side of privacy in Germany

Privacy advocates in the UK sometimes look across at Germany in wistful admiration - but is the story quite as rosy for privacy in Germany as it sometimes appears? Perhaps not, for though one recent event has shown Germany in its best light, as a beacon for privacy rights across Europe, another has demonstrated the opposite. Even Germany has an ugly side to how it deals with privacy.

First for the good. As reported widely (and in this case in out-law.com), this last week Germany's highest court has suspended that country's implementation of the EU Data Retention Directive by ruling that it violates citizens' rights to privacy. This suspension comes after a class action suit brought by 35,000 German citizens - a level of citizen activity that would be close to miraculous in the UK, particularly for as issue such as privacy. The law by which the German government implemented the Data Retention Directive has been found unconstitutional, failing to include enough safeguards for the privacy of the individuals that is required under Germany's constitution. A victory for privacy, albeit neither a complete nor a permanent one, since the court did not say that it would be impossible to implement the Data Retention Directive in a constitutionally acceptable way, just that this particular implementation was unconstitutional. Nonetheless, it is something about which German privacy advocates will feel justifiably proud - and many in other countries in Europe will hope signals changes elsewhere. It is hard to imagine, however, that it will be possible to achieve a similar result in the UK.

Then for the bad - or at least the ugly. A story reported far less widely, at least in the UK, is emerging concerning the German government's use of data concerning the use by German citizens of Swiss banks for the purposes of tax evasion. This data has been acquired through various methods, most of which would probably be considered illegal - certainly from the perspective of the Swiss banks. Reuters has reported on the subject - it is a somewhat complex story, but the essence of it is that private data, detailing the banking activities of German citizens, has been offered for sale to a number of German states. Some of that data may have come from insider whistle-blowers, but some has also come from hackers - and earlier this year the German Federal Government gave states the go-ahead to buy the data if they want, whether or not the data has been obtained illegally. At least one state, the State of North Rhine-Westphalia, has bought the data, and is using it to flush out tax evaders. As Reuters reports, nearly 6,000 German tax evaders have 'owned up' to the tax evasion as a result of this evidence - and more could still be about to come out of the woodwork. As DSTG head Dieter Ondracek said, "If we get a signal from the politicians that it'll only be possible for people to come clean this year, then we could have another 5,000 doing so with corresponding additional revenues," Ondracek told Reuters. "Then a billion euros could be possible."

This is not the first time that Germany has bought illegally acquired private data. Two years ago, something similar happened with bank data from Lichtenstein, effectively forcing the principality to relax its previously stringent bank secrecy laws. The current affairs over Swiss banking data might have a somewhat similar effect over the banking rules in Switzerland, though that of course could be a long way away - though already the Swiss have complied with a US request over tax evasion, and as reported in Reuters, Switzerland's justice minister questioned on Sunday whether tax evasion should continue to be treated as a misdemeanour rather than a crime.

It is hard, of course, to generate much sympathy for people evading tax through the use of bank accounts in Switzerland - but that should not blind us to the significance of the events that are taking place. It's not so much the nature of the data that's significant, but the way in which is has been acquired. Getting data through the use of official requests from one government to another, as in the case of the US, is one matter, but paying money for data acquired illegally, and quite likely through hacking, is quite another, and sets a very uncomfortable precedent. Moreover, it provides a new and potentially large incentive to hackers to go after this kind of data. And if this kind of data, why not other data? Aside from the obvious problems of Germany's potential obligations as a signatory of the Cybercrime Convention, there is an awkward parallel here with another recent event - the enormously publicised hacking of the gmail accounts of Chinese dissident groups. The Chinese government of course vigorously denies any involvement in the hack, but if it were to be offered data on illegal groups acquired by hacking, how different would it be for the Chinese government to buy it from the German government's buying of this Swiss banking data?

From the perspectives of the two governments, they're just seeking to root out people involved in illegal activities - for the Germans, tax evaders, for the Chinese, people involved in subversive (and illegal) activities. And in both cases, the fact that it might be possible to make money from selling this kind of data cannot help but be an incentive to try to acquire it. People in the West may have much more sympathy for Chinese dissidents than they do for German tax-evaders, but in some ways the principles are very much the same. Do we really want to set that kind of precedent?

Saturday 6 March 2010

Welcome

Welcome to the Symbiotic Web blog... where I will post thoughts and stories relating to privacy, autonomy and the web, and in particular concerning stories related to the idea of the symbiotic web. This will be an occasional blog - when stories arise, rather than regular. The contents will mainly be musings and suggestions, and will in general represent my opinions and views rather than academically rigorous research!