tag:blogger.com,1999:blog-75586360461892517682024-03-10T02:46:33.863+00:00The Symbiotic Web blogMy thoughts and stories relating to privacy, autonomy, human rights, law and the webPaul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.comBlogger57125tag:blogger.com,1999:blog-7558636046189251768.post-43178797399387422302012-03-06T12:52:00.002+00:002012-03-06T12:52:58.622+00:00This blog is moving.......to Wordpress. Anyone who's followed the Google Privacy Policy debate will understand some of the reasons...<br />
<br />
The address of the new site is:<br />
<br />
<a href="http://paulbernal.wordpress.com/">http://paulbernal.wordpress.com/</a><br />
<br />
...and the first post solely on that site is<br />
<br />
<a href="http://paulbernal.wordpress.com/2012/03/06/infamy-infamy-theyve-all-got-it-in-for-me/" target="_blank">"Infamy, Infamy, they've all got it in for me"</a><br />
<br />
Please follow me there!<br />
<br />
Thanks!<br />
<br />
PaulPaul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com5tag:blogger.com,1999:blog-7558636046189251768.post-8762686459233381342012-03-01T14:26:00.001+00:002012-03-01T14:26:47.775+00:00Ready to Rumble?<br />
This morning I attended a lecture given by European Commissioner Viviane Reding – and I have to say I was impressed. The lecture was at my old Alma Mater, the LSE, with the estimable Professor Andrew Murray in the chair, and was officially about the importance of data protection in keeping businesses competitive – but in practice it turned about to be a vigorous defence of the new Data Protection Regulation. Commissioner Reding was robust, forthright – and remarkably straightforward for someone in her position.<br />
<br />
Her speech started off by looking at the changes that have taken place since the original Data Protection Directive – which was brought in in 1995. She didn’t waste much time – most of the changes are pretty much self-evident to anyone who’s paid much attention, and she knew that her audience wasn’t the kind that would need to be told. The key, though, was that she was looking from the perspective of business. The needs of businesses have changed – and as she put it, the new regulation was designed to meet those needs.<br />
<br />
The key points from this perspective will be familiar to most who have studied the planned regulation. First and foremost, because it is a regulation rather than a directive, it applies uniformly throughout the EU, creating both an even playing field and a degree of certainty. Secondly, it is intended to remove ‘red tape’ – multinational companies will only have to deal with the data protection authorities in the country that is their primary base, rather than having to deal with a separate authority for each country they operate in. Taken together, she said that the administrative burden for companies would go down by 2.3 billion Euro a year. It was very direct and clear – she certainly seems to believe what she’s saying.<br />
<br />
She also made the point (which she’s made before) that the right to be forgotten, which has received a lot of press, and which I’ve written about before (ad nauseam I suspect), is NOT a threat to free expression, and not a tool for censorship, regardless of how that point seems to be misunderstood or misrepresented. The key, as she described, is to understand that no rights are absolute, and that they have to compete with other rights – and they certainly don’t override them. As I’ve also noted before, this is something that isn’t really understood in the US as well as it is in Europe – the American ‘take’ on rights is much more absolutists, which is one of the reason they accept as ‘rights’ a much narrower range of things that most of the rest of the world.<br />
<br />
I doubt her words on the right to be forgotten will cut much mustard with the critics of the right on either side of the Atlantic – but I’m not sure that will matter that much to Commissioner Reding. She’s ready for a fight on this, it seems to me, and for quite a lot else besides. Those who might be expecting her to back down, to compromise, I think are in for a surprise. She’s ready to rumble…<br />
<br />
The first and biggest opponent she’s ready to take on looks like being Google. She name-checked them several times both in the speech and in her answers to questions. She talked specifically about the new Google privacy policy – coming into force today – and in answer to a question I asked about the apparent resistance of US companies to data protection she freely admitted that part of the reason for the form and content of the regulation is to give the Commission teeth in its dealings with companies like Google. Now, she said, there was little that Europe could do to Google. Each of the individual countries in the EU could challenge Google, and each could potentially fine Google. ‘Peanuts’ was the word that she used about these fines, freely acknowledging that she didn’t have the weapons with which to fight. With the new regulations, however, they could fine Google 2% of their worldwide revenue. 560 million euro was the figure she quoted: enough to get even Google to stand up and take notice.<br />
<br />
She showed no sign of backing down on cookies either – reiterating the need for explicit, informed consent whenever data is gathered, including details of the purposes to which the data is to be put. She seemed ready for a fight on that as well.<br />
<br />
Overall, it was a combative Commissioner that took to the lectern this morning – and I was impressed. She’s ready for the fight, whether businesses and governments want it or not. As <a href="http://ukconstitutionallaw.org/2012/02/27/paul-bernal-between-a-european-rock-and-an-american-hard-place/" target="_blank">I’ve blogged elsewhere</a>, the UK government doesn’t share her enthusiasm for a strengthening of data protection, and the reaction from the US has been far from entirely positive either. Commissioner Reding had a few words for the US too, applauding Obama’s moves for online privacy (about which I've blogged <a href="http://symbioticweb.blogspot.com/2012/02/big-brother-is-watching-you-and-so-are.html" target="_blank">here</a>) but suggesting that the US is a good way behind the EU in dealing with privacy. They’re still playing catch-up, talking about it and suggesting ideas, but not ready to take the bull by the horns yet. We may yet lead them to the promised land, seemed to be the message…. and only with her tongue half in her cheek.<br />
<br />
She's not going to give up - and neither should she, in my opinion. This is important stuff, and it needs fighting for. She's one of the '<a href="http://symbioticweb.blogspot.com/2012/01/crazy-europeans.html" target="_blank">Crazy Europeans</a>' about which I've written before - but we need them. As @spinzo tweeted to me there's 'nothing more frightening than a self-righteous regulator backed by federal fiat and federal coffers' - but I'd LIKE some of the companies involved in privacy invasive practices around the net to be frightened. If they behaved in a bit more of a privacy friendly way we wouldn't need the likes of Commissioner Reding to be ready to rumble. They don't - and we do!<br />
<div>
<br /></div>Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com0tag:blogger.com,1999:blog-7558636046189251768.post-30657743837272224102012-02-23T09:28:00.002+00:002012-02-23T09:28:59.033+00:00Big Brother is watching you - and so are his commercial partnersToday, President Obama <a href="http://m.theglobeandmail.com/news/technology/tech-news/white-house-unveils-bill-of-rights-to-protect-online-privacy/article2347100/?service=mobile" target="_blank">unveiled a proposal</a> for an internet 'bill of rights':<br />
<br />
<br />
“American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online,” said Mr. Obama.<br />
<br />
In a lot of ways, this is to be applauded. The idea, as reported in the media, is to "give consumers greater online privacy protection", which for privacy advocates and researchers such as myself is of course a most laudable aim. Why, then, am I somewhat wary of what is being proposed? Anyone who works in the field is of course naturally sceptical - but there's more to it than that. There's one word in Obama's statement, repeated without real comment in the media reports that I've read, that is crucial. That word is 'consumers'.<br />
<br />
<b>Consumers, citizens or human beings?</b><br />
<br />
The use of the word 'consumer' has two key implications. First of all, it betrays an attitude to the internet and to the people who use it. If we're consumers, that makes the net a kind of 'product' to be consumed. It makes us passive rather than active. It means we don't play a part in the creation of the net - and it means that the net is all about money and the economy, rather than about communication, about (free) expression, about social interaction, about democratic discourse and participation. It downplays the political role that the net can be played - and misunderstands the transformations that have gone on in the online world over the last decades. The net isn't just another part of the great spectrum of 'entertainment' - much though the 'entertainment' industry might like to think it is, and hence have free rein to enforce intellectual property rights over anything else.<br />
<br />
That's not to downplay the role of economic forces on the net - indeed, as I've argued many times before, business has driven many of the most important developments on the net, and the vast expansion and wonderful services we all enjoy have come from business. Without Google, Facebook and the like, the internet would be a vastly less rich environment than it is - but that's not all... and treating users merely as 'consumers' implies that it is.<br />
<br />
The second, perhaps more sinister side to portraying us all as consumers rather than citizens - or even human beings - is that it neatly sidesteps the role that governments have in<i> invading</i> rather than <i>protecting</i> our privacy. Treating us as consumers, and privacy as a 'consumer right', makes it look as though the government are the 'good guys' protecting us from the 'bad' businesses - and tries to stop us even thinking about the invasions of privacy, the snooping, the monitoring, the data gathering and retention, done <i>by</i> governments and their agencies.<br />
<br />
<b>Big Brother is watching you...</b><br />
<br />
The reality is, of course, that governments <i>do</i> snoop, they do gather information, they do monitor our activities on social networks and so forth. What's more, we should be worried about it, and we should be careful about how much we 'let' them do it. We need protection from government snooping - we need privacy rights not just as consumers, but as citizens. Further, <a href="http://symbioticweb.blogspot.com/2012/01/internet-is-human-right.html" target="_blank">as I've argued elsewhere</a>, rights to privacy (and other rights) on the internet can be viewed as human rights - indeed I believe they should be viewed as human rights. From an American perspective, this is problematic - but it should at least be possible to cast privacy rights on the net as civil rights rather than consumer rights.<br />
<br />
<b>...and so are his commercial partners</b><br />
<br />
At the same time, however, Obama is right that we need protection from the invasions of privacy perpetrated by businesses. For that reason, his initiative should be applauded, though his claiming of credit for the idea should be treated with scepticism, as similar ideas have been floating around the net for a long time - better late than never, though.<br />
<br />
There is another side to it that may be even more important - the relationship between businesses and governments. They're not snooping on us, or invading our privacy independently - in practice, and in effect, the biggest problems can come when they work together. Facebook gathers the data, encourages us to 'share' information, to 'self-profile' - and then governments use the information that Facebook has gathered. Email systems, telephone services, ISPs and the like may well gather information for their own purposes - but through data retention they're required not only to keep that information for longer than they might wish to, but to make it available to authorities when the 'need' arises.<br />
<br />
Worse, authorities may encourage or even force companies to build 'back-doors' into their products so that 'when needed' the authorities can use them to tap into our conversations, or to discover who we've been socialising with. They may require that photos on networks are subject to facial recognition analysis to hunt down people they wish to find for some reason or other - legitimate or otherwise. Facebook may well build their facial recognition systems for purely commercial reasons - but that doesn't mean that others, including the authorities, might use them for more clearly malign purposes.<br />
<br />
<b>We need protection from both</b><br />
<br />
So what's the conclusion? Yes, Obama's right, we need protection from commercial intrusions into our privacy. That, however, is just a small part of what we need. We need protection as human beings, as citizens, AND as consumers. Don't let's be distracted by looking at just a small part of the picture.<br />
<div>
<br /></div>Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com4tag:blogger.com,1999:blog-7558636046189251768.post-84598942317567010772012-02-12T10:53:00.003+00:002012-02-12T10:53:28.233+00:00What Muad’Dib can teach us about personal data…<br />
With all the current debate about the so-called 'right to be forgotten', I thought I'd post one of my earlier, somewhat less than serious takes on the matter. A geeky take. A science fiction take...<br />
<br />
I've written about it before in more serious ways - both in blogs (such as the two part one on the INFORRM blog, part 1 <a href="http://inforrm.wordpress.com/2011/10/07/a-right-to-be-forgotten-%E2%80%93-or-a-right-to-delete-part-1-paul-bernal/" target="_blank">here</a> and part 2 <a href="http://inforrm.wordpress.com/2011/10/08/a-right-to-be-forgotten-%E2%80%93-or-a-right-to-delete-part-2-paul-bernal/" target="_blank">here</a>) and in an academic paper (<a href="http://ejlt.org//article/view/75/144" target="_blank">here</a>, in the European Journal of Law and Technology) - and I've ranted about it on this blog too (<a href="http://symbioticweb.blogspot.com/2012/01/crazy-europeans.html" target="_blank">'Crazy Europeans!?!'</a>).<br />
<br />
This, however, is a very different take - one I presented at the <a href="http://www.digital-rights.net/?p=3230" target="_blank">GiKii conference in Gothenburg last summer.</a> In it I look back at that classic of science fiction, Dune. There's a key point in the book, a key issue in the book, that has direct relevance to the issue of personal data. As the protagonist, Paul-Muad'Dib, puts it:<br />
<br />
<div style="text-align: center;">
<i><b>“The power to destroy a thing is the absolute control over it."</b></i></div>
<br />
In the book, Muad'Dib has the power to destroy the supply of the spice 'Melange', the most valuable commodity in the Dune universe. In a similar manner, if a way can be found for individuals to claim the right to delete personal data, control over that data can begin to shift from businesses and governments back to the individuals.<br />
<br />
Here's an animated version of the presentation I gave at Gikii...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dxT1XWAquqtChVsT1vTkwbDKMhXu1V0QTsD5TDdZJLRNTbRuh32MW1UBPqIkAShaEuyr-pC819uY1046ykP0Q' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div>
<br />
<br />
This is what it's supposed to suggest...<br />
<br />
<b><i>Melange in Dune</i></b><br />
<br />
In Frank Herbert’s Dune series, the most essential and valuable commodity in the universe is melange, a geriatric drug that gives the user a longer life span, greater vitality, and heightened awareness; it can also unlock prescience in some humans, depending upon the dosage and the consumer's physiology. This prescience-enhancing property makes safe and accurate interstellar travel possible. Melange comes with a steep price, however: it is addictive, and withdrawal is fatal.<br />
<br />
<b><i>Personal data in the online world</i></b><br />
<br />
In our modern online world, personal data plays a similar role to the spice melange. It is the most essential and valuable commodity in the online world. It can give those who gather and control it heightened awareness, and can unlock prescience (through predictive profiling). This prescience enhancing property makes all kinds of things possible. It too comes with a steep price, however: it is addictive, and withdrawal can be fatal – businesses and governments are increasingly dependent on their gathering, processing and holding of personal data.<br />
<br />
<b><i>What we can learn from Muad’Dib</i></b><br />
<br />
For Muad'Dib to achieve ascendency, he had to assert control over the spice - we as individuals need to assert the same control over personal data. We need to assert our rights over the data - both over its 'production' and over its existence afterwards. The most important of these rights, the absolute control over it, is the right to destroy it – the right to delete personal data. That's what the right to be forgotten is about - and what, in my opinion, it should be called. If we have the right to delete data - and the mechanisms to make that right reality - then businesses and governments need to take what we say and want into account before they gather, hold or use our data. If they ride roughshod over our views, we'll have a tool to hold them to account...<br />
<br />
The final solution, as for Arrakis, the proper name for the planet known as 'Dune', should be a balance. Production of personal data should still proceed, just as production of spice on Arrakis could still proceed, but on our own terms, and to mutual benefit. Most people don't want a Jihad, just as Paul Atreides didn't want a Jihad – though some may seek confrontation with the authorities and businesses rather than cooperation with them. In Dune, Paul Muad’Dib was not strong enough to prevent that Jihad – and though there has certainly been a ramping up of activism and antagonism over the last year or two, it should be possible to prevent it. If that is to happen, an assertion of rights, and in particular rights over the control over personal data, could be a key step.<br />
<br />
<b><i>A question of control - not of censorship</i></b><br />
<br />
Looked at from this direction, the right to be forgotten (which I still believe is better understood as a right to delete) is not, as some suggest, about censorship, or about restricting free expression. Instead, it should be seen as a salvo in a conflict over control – a move towards giving netizens more power over the behemoths who currently hold sway.<br />
<br />
If people are too concerned about the potential censorship issues - and personally I don't think they should be, but I understand why they are - then perhaps they can suggest other ways to give people more control over what's happening. Right now, as things like the Facebook 'deleted' photos issue I blogged about last week suggest, those who are in control don't seem to be doing much to address our genuine concerns....<br />
<br />
Otherwise, they might have to deal with the growing power of the internet community...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibhz60pp7P8FuDhLe5_rORoj4JAa9iY8Xe3ni3vPpesTlD3fxOgOwH2VFQZoAkmWzRIk2HjmSxzvrYZMVbXx4P4ZkLzBlIZuwLdwkp8_8nG4mrk3Yy8UWiXGGeR4BQAxVuILWItoljyjlV/s1600/Dunecat.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibhz60pp7P8FuDhLe5_rORoj4JAa9iY8Xe3ni3vPpesTlD3fxOgOwH2VFQZoAkmWzRIk2HjmSxzvrYZMVbXx4P4ZkLzBlIZuwLdwkp8_8nG4mrk3Yy8UWiXGGeR4BQAxVuILWItoljyjlV/s320/Dunecat.jpg" width="320" /></a></div>
<br />
<br />
<div>
<br /></div>Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com5tag:blogger.com,1999:blog-7558636046189251768.post-14872373516851374852012-02-07T09:36:00.003+00:002012-02-07T09:37:52.453+00:00Do you want a camera in your kid's bedroom??This morning's disturbing privacy story is the revelation that live feeds from thousands of 'home security cameras' run by the US company Trendnet have been 'breached', allowing anyone on the net access to video feeds, without the need for a password. It was reported in the BBC <a href="http://www.bbc.co.uk/news/technology-16919664" target="_blank">here</a>, by their technology reporter Leo Kelion.<br />
<br />
It's a disturbing tale. As Kelion describes it:<br />
<br />
<i>"Internet addresses which link to the video streams have been posted to a variety of popular messageboard sites. Users have expressed concern after finding they could view children's bedrooms among other locations. US-based Trendnet says it is in the process of releasing updates to correct a coding error introduced in 2010."</i><br />
<br />
The internet being what it is, news of the problem seems to have spread faster than Trendnet has been able to control it. This is from Kelion's piece again:<br />
<br />
<i>"Within two days a list of 679 web addresses had been posted to one site, and others followed - in some cases listing the alleged Google Maps locations associated with each camera. Messages on one forum included: "someone caught a guy in denmark (traced to ip) getting naked in the bathroom." Another said: "I think this guy is doing situps."</i><br />
<i><br /></i><br />
<i>One user wrote "Baby Spotted," causing another to comment "I feel like a pedophile watching this".</i><br />
<br />
A cautionary tale, one might think, and to privacy people like me a lot of questions immediately come to mind. Many of them, particularly the technical ones, have been answered in Kelion's piece. There is one question, however, that is conspicuous by its absence from Kelion's otherwise excellent piece: what are the cameras doing in children's bedrooms in the first place? Is it normal, now, to have this kind of level of surveillance in our private homes? In our children's bedrooms?<br />
<br />
I asked Kelion about this on twitter, and his initial (and admirably instant) response was that security cameras were nothing new, but the breach in the feeds was. That was news, the presence of the cameras was not. That set me thinking - and made me write this blog. Is he right? Should we just 'accept' the presence of surveillance even in our most intimate and private places? The success of companies like Trendnet suggests that many thousands of people do accept it - but I hope that millions more don't. I also hope that an affair like this will make some people think twice before installing their own 'private' big brother system.<br />
<br />
Surveillance is a double-edged sword. Just as any data on the internet is ultimately vulnerable, so is any data feed - the only way for data not to be vulnerable is for it not to exist. Those parents wanting to protect their children from being watched in the internet have a simple solution: don't install the cameras in the first place!<br />
<br />
It's the same story over and over again in the world of privacy and surveillance. We build systems, gather data, set up infrastructures and then seem shocked and amazed when they prove vulnerable. It shouldn't be a surprise... we should think before we build, think before we design, think before we install...Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com19tag:blogger.com,1999:blog-7558636046189251768.post-34021733456727840872012-02-06T11:58:00.004+00:002012-02-06T11:58:44.517+00:00Facebook, Photos and the Right to be ForgottenAnother day, another story about the right to be forgotten. This time it's another revelation about how hard it is to delete stuff from Facebook. In this case it's photos - with <a href="http://arstechnica.com/business/news/2012/02/nearly-3-years-later-deleted-facebook-photos-are-still-online.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss" target="_blank">Ars Technica giving an update</a> on their original story from 2009 about how 'deleted' photos weren't really deleted. Now, according to their new story, three years later, the photos they tried to remove back then are STILL there.<br />
<br />
The Ars Technica story gives a lot more detail - and does suggest that Facebook are at least trying to do something about the problem, though without much real impact at this stage. As Ars Technica puts it:<br />
<br />
<i>"....with the process not expected to be finished until a couple months from now—and unfortunately, with a company history of stretching the truth when asked about this topic—we'll have to see it before we believe it."</i><br />
<br />
I'm not going to try to analyse why Facebook has been so slow at dealing with this - there are lots of potential reasons, from the technical to the political and economic - but from the perspective of someone who's been watching developments over the years one thing is very important to understand: this slowness and apparent unwillingness (or even disinterest) has had implications. Indeed, it can be seen as one of the main drivers behind the push by the European Union to bring in a 'right to be forgotten'.<br />
<br />
I've written (and most recently ranted in my blog <a href="http://symbioticweb.blogspot.com/2012/01/crazy-europeans.html" target="_blank">'Crazy Europeans'</a>) about the subject many times before, but I think it bears repeating. This kind of legislative approach, which seems to make some people in the field very unhappy, doesn't arise from nothing, just materialising at the whim of a few out-of-touch privacy advocates or power-hungry bureaucrats. It emerges from a real concern, from the real worries of real people. As the Ars Technica article puts it:<br />
<br />
<i>"That's when the reader stories started pouring in: we were told horror stories about online harassment using photos that were allegedly deleted years ago, and users who were asked to take down photos of friends that they had put online. There were plenty of stories in between as well, and panicked Facebook users continue to e-mail me, asking if we have heard of any new way to ensure that their deleted photos are, well, deleted."</i><br />
<i><br /></i><br />
When people's real concerns aren't being addressed - and when people <i>feel</i> that their real concerns aren't being addressed - then things start to happen. Privacy advocates bleat - and those in charge of regulation think about changing that regulation. In Europe we seem to be more willing to regulate than in the US, but with Facebook facing regular privacy audits from the FTC in the US, they're going to have to start to face up to the problem, to take it more seriously.<br />
<br />
There's something in it for Facebook too. It's in Facebook's interest that people are confident that their needs will be met. What's more, if they want to encourage sharing, particularly immediate, instinctive, impulsive sharing, they need to understand that when people do that kind of thing they can and do make mistakes – and they would like the opportunity to rectify those mistakes. Awareness of the risks appears to be growing among users of these kinds of system – and privacy is now starting to become a real selling point on the net. Google and Microsoft's recent advertising campaigns on privacy are testament to that - and Google's attempts to portray its new privacy policy as something positive are quite intense.<br />
<br />
That in itself is a good sign, and with Facebook trying to milk as much as they can from the upcoming IPO, they might start to take privacy with the seriousness that their users want and need. Taking down photos when people want them taken down - and not keeping them for years after the event - would be a good start. If it doesn't happen soon, and isn't done well, then Facebook can expect an even stronger push behind regulation like the Right to be Forgotten. If they don't want this kind of thing, then they need to pre-empt it by implementing better privacy, better<i> user rights</i>, themselves.Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com1tag:blogger.com,1999:blog-7558636046189251768.post-91785165517223671202012-01-28T13:23:00.001+00:002012-01-28T14:30:17.931+00:00Phorm - a chapter closes?Another chapter of the long-running Phorm saga seems to have come to a close, with the <a href="http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/60&format=HTML&aged=0&language=EN&guiLanguage=en" target="_blank">announcement by the European Commission</a> that they have closed the infringement case with the UK about their implementation of rules on privacy in electronic communications. In order to get this closure, the UK had, in the words of the Commission press release<br />
<br />
<i>'amended its national legislation so as not to allow interception of users' electronic communications without their explicit consent, and established an additional sanction and supervisory mechanism to deal with breaches of confidentiality in electronic communications.'</i><br />
<br />
This case came about as a result of the big mess that the UK government got into over Phorm - something which I've written about both academically and in blogs on more than one occasion before. In essence, the government decided to back Phorm, a business which privacy advocates and others had been telling them from the very beginning was deeply problematic, and that decision backfired pretty spectacularly. The amount of egg that ended up on government faces as a result of the affair was pretty spectacular. The action of the Commission was a direct result of the admirable work of campaigners like Alexander Hanff at <a href="https://www.privacyinternational.org/" target="_blank">Privacy International</a>, drawing on the excellent investigatory analysis by the <a href="http://www.cl.cam.ac.uk/~rnc1/" target="_blank">University of Cambridge Computer Lab's Richard Clayton</a> and the legal work of Nicholas Bohm for the <a href="http://www.fipr.org/index.html" target="_blank">Foundation for Information Policy Research</a> - work that was effectively in direct opposition to the government. This work led to questions to the commission, upon which the commission acted, as well as, more directly, to the collapse of the Phorm business model as its business allies deserted it and opposition from the public became clearer and clearer.<br />
<br />
Phorm's business model was particularly pernicious from a privacy perspective. They took behavioural advertising (which is problematic in most of its forms) to an extreme, monitoring people's <i>entire</i> browsing behaviour by intercepting each and every click made as you browse, in order to build up a profile which they then used to target advertising. All this without real consent from the user, or at least so it appeared, and indeed without the consent of the owners of the websites to whom these intercepted instructions were intended to be sent. As a model it appeared to break not only laws but people's ideas about being under surveillance - Orwellian in the extreme. It failed here - thanks to the resistance noted above - and has since failed again in South Korea, and appears to be failing in Romania (about which <a href="http://symbioticweb.blogspot.com/2011/09/romanian-re-phorm-ation.html" target="_blank">I've blogged before</a>) and Brazil, the three places that Phorm's backers have tried it since. In each case, it looks as though people's resistance has been a key....<br />
<br />
There are lessons to learn for all concerned:<br />
<br />
1) Those of us advocating and campaigning for privacy can take a good deal of heart from the whole affair - essentially, we won, stopping the pernicious Phorm business model and forcing the UK government not just to back down but to change the law in ways that, ultimately, are more 'privacy-friendly'. 'People power' proved too strong for both business and government forces in this case - and it may be possible again. We certainly shouldn't give up!<br />
<br />
2) Businesses need to take note: privacy-invasive business models will face opposition, and that opposition is more powerful than you might imagine. From the perspective of the symbiotic web (my underlying theory, more about which can be found here), if a privacy-invasive model is to succeed, it must give something back to those whose privacy is invaded, something of sufficient value to compensate for the privacy that is either lost or compromised. In Phorm's case, there was very little benefit to the people being monitored - the benefit was all for Phorm or Phorm's advertising partners. That sort of model isn't going to succeed nearly as easily as businesses might think - people will fight, and fight well! Businesses would do better to build more privacy-friendly models from the outset...<br />
<br />
3) Governments need to understand the needs and abilities of the people - as well as the needs of businesses and business lobby groups. People are getting more and more aware and more and more able to articulate their needs and make their views known - and to wield powers beyond the understanding of most governments. The recent resistance to SOPA and PIPA in the US is perhaps another example - though the fact that people's interests coincided with those of internet powerhouses like Wikipedia and Google may have been even more important.<br />
<br />
This last point is perhaps the most important. Governments all over the world seem to be massively underestimating the influence and power of people, particularly people on the internet. People will fight for what they want - and, more often than governments realise, they will find ways to win those fights. There needs to be a significant shift in the attitude of those governments if we are not to have more conflicts of the sort that caused such a mess over Phorm. There are more conflicts already on the horizon - from the judicial review of the Digital Economy Act to the shady agreement that is ACTA. There will be a lot of mess, I suspect, much of which could be avoided if 'authorities' understood what we wanted a bit more. The people of the net are starting to get mad, and they're not going to take it anymore.Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com5tag:blogger.com,1999:blog-7558636046189251768.post-5815103132862878022012-01-26T22:10:00.004+00:002012-01-27T00:16:57.914+00:00Crazy Europeans!?!<br />
As anyone who pays attention to the world of data - and data privacy in particular - cannot help but be aware, those crazy Europeans are pushing some more of their mad data protection laws (a good summary of which can be found <a href="http://ipandit.practicallaw.com/0-517-4165#null" target="_blank">here</a>) including the clearly completely insane 'right to be forgotten'. Reactions have been pretty varied on in Europe, but in the US they seem to have been pretty consistent, and can largely be boiled down to two points:<br />
<br />
1) These Europeans are crazy!<br />
2) This will all be a huge imposition on business - No fair!!!<br />
<br />
There have been a fair few similar reactions in the UK too, and there will probably be more once the more rabidly anti-European parts of the popular press actually notice what's going on. As I've blogged before, the likes of Ken Clarke have spoken up against this kind of thing before.<br />
<br />
So I think we need to ask ourselves one question: why ARE these crazy Europeans doing all this mad stuff?<br />
<br />
Well, to be frank, the Internet 'industry' has only got itself to blame. This is an industry that has developed the surreptitious gathering of people's personal data into an art form, yet an industry that can't keep its data safe from hackers and won't keep it safe from government agencies. This is an industry that tracks our every move on the web and gets stroppy if we want to know when it's happening and why. This is an industry that makes privacy policies ridiculously hard to read whilst at the same time working brilliantly on making other aspects of their services more and more user-friendly. Why not do the same to the privacy settings? This is an industry that makes account deletion close to impossible (yes, I'm talking to you, Facebook) and pulls out all the stops to keep us 'logged in' at all times. This is an industry that tells us that WE should be completely transparent while remaining as obscure and opaque as possible themselves. This is an industry that often seems to regard privacy as just a little problem that needs to be sidestepped - or something that is 'no longer a social norm' (and yes, I'm talking to you, Facebook again).....<br />
<br />
So.... If the internet 'industry', particularly in the US, doesn't want this kind of regulation, this kind of 'interference' with its business models, the answer's actually really simple: build better business models, models that respect people's privacy! Stop riding rough-shod over what we, particularly in Europe, but certainly in the US too, care deeply about. Use your brilliance in both business and technology to find a better way, rather than just moaning that we're interfering with what you want to do. When fighting against SOPA and PIPA (and I hope ACTA too in the near future), most of the industry champion the people admirably - perhaps because the people's interests coincided with their own. In privacy, the same is actually true, however much it may seem the other way around. In the end, the internet industry will be better off if it takes privacy seriously.<br />
<br />
Regulation doesn't happen just because a bunch of faceless Belgian bureaucrats have too much power and too little to do - it happens when there's a real problem to solve. Oh, they may well go over the top, they may well use crude regulatory sledgehammers where delicate rapiers would do the job better, but they do at least try, which seems more than much of the industry does...<br />
<br />
So don't blame the crazy Europeans. Take a closer look in the mirror...<br />
<div>
<br /></div>Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com4tag:blogger.com,1999:blog-7558636046189251768.post-82968936922981701292012-01-25T13:11:00.001+00:002012-01-25T13:11:10.653+00:00Players and Pawns in the Game of Privacy<br />
Privacy is pretty constantly in the news at the moment. People like me can hardly take their eye off the news for a moment. This morning I was trying to do three things at once: follow David Allen Green's evidence at the <a href="http://www.levesoninquiry.org.uk/" target="_blank">Leveson inquiry</a> (where amongst other things he was t<a href="http://www.newstatesman.com/blogs/david-allen-green/2012/01/public-interest-times-hacking" target="_blank">alking about the NightJack story</a> which has significant privacy implications), listen to Viviane Reding talking about the new reforms to the data protection regime in Europe, and discover what was going on in the <a href="http://www.thinkbroadband.com/news/4990-o2-shares-your-mobile-phone-number-with-every-website-you-visit.html" target="_blank">emerging story of 02</a>'s apparent sending of people's mobile numbers to websites visited via their mobile phones....<br />
<br />
Big issues... and lots of media coverage... and lots of opportunities for academics, advocates of one position or other, technical experts and so forth to write/talk/tweet/blog etc on the subject. And many of us are taking the opportunity to say our bit, as we like to do. A good thing? Yes, in general - because perhaps the biggest change I've seen over the years I've been researching into the field is that the debate is wider, bringing in more people and more subjects, and getting more public attention - which must, overall, be a good thing. The more the issues are debated and thought about, the more chance there is that we can get better understanding, some sort of consensus, and find better solutions. And yet there are dangers attached to the process - because as well as the people who have valuable things to say and good, strong ethical positions to support their case, there are others with much more questionable agendas, often hidden, who would like to use others for their own purposes. Advocates, academics and experts need to guard against being used by others with very different motives.<br />
<br />
There are particular examples happening right now. One subject that particularly interests me, about which I've blogged and written many times before, is the right to be forgotten. Viviane Reding has talked about it in the last few days - and there have been reactions in both directions. Both, it seems to me, need to be wary of their being used in ways that they don't intend:<br />
<br />
i)<span class="Apple-tab-span" style="white-space: pre;"> </span>Those who oppose a ‘right to be forgotten’/’right to delete’ need to be careful that they’re not being used as ‘cover’ for those whose business models depend on the holding and using of personal data. The right to delete is a threat to their business models, and they can (and probably will) use all the tools at their disposal to oppose it, including using 'experts' and academics. The valid concerns about censorship/free expression aren't what those people care about - they want to be able to continue to use people's personal data to make money. Advocates for free expression etc need to be careful that they're not being used in that kind of way.<br />
<br />
ii)<span class="Apple-tab-span" style="white-space: pre;"> </span>Conversely, those who (like me) advocate for a ‘right to be forgotten’/’right to delete’ need to be careful that they’re not being used by those who wish to censor and control - because there IS a danger that a poorly written and executed right to be forgotten could be set up in that kind of way. I don't believe that's what's intended by the current version, nor to I believe that this is how it would or could be used, but it's certainly possible, and people on 'my' side of the argument need to be vigilant that it doesn't go that way.<br />
<br />
Similar arguments can be used in other fields - for example about the question of the right to anonymity. Those who (like me) espouse a right to anonymity need to be careful about not providing unfettered opportunities for those who wish to bully, to defame etc., while those who support the reverse – an internet with real name/identification systems throughout, to control access to age-sensitive sites, to deal with copyright infringement etc – need to be very careful not to be used as an excuse for setting up systems which allow control and ultimately oppression.<br />
<br />
So what does this all mean? Should academics and other 'experts' simply keep out of the blogosphere and the media, and leave their musings for academic journals and unreadable books? Certainly not - but we do need to be a little more thoughtful about the agendas of those who might use us, who might misquote us, who might take us out of context and so forth. I suspect that this might have been what happened to Vint Cerf when he wrote a short while ago suggesting that internet access was not a human right. Others might well have been trying to use him... as they might well try to use any of those who write in this kind of a field. However clever we might think we are, we're very often pawns in the game, not players.<br />
<div>
<br /></div>Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com0tag:blogger.com,1999:blog-7558636046189251768.post-32531823319701049472012-01-19T13:58:00.002+00:002012-01-19T13:58:29.994+00:00Same as it ever was... privacy in history!Earlier today, <a href="http://online.wsj.com/article/SB10001424052970204555904577169920031456052.html" target="_blank">Eastman Kodak filed for Chapter 11 Bankruptcy protection</a>. It might well signal the end for a company which was perhaps the single most important player in an industry that revolutionised the world in many ways: the photographic industry. Kodak has been in existence for 131 years, and in that time the world has changed dramatically in many ways - but perhaps not in as many ways as we might think. Kodak was crucial in the history of photography - but it was also crucial in the history of privacy.<br />
<br />
Back in the late 19th century, when Kodak introduced the first hand-held camera, that new technology scared a lot of people - and inspired a whole new phase in the legal understanding of privacy. Amongst those alarmed by it were young lawyers Samuel Warren and Louis Brandeis - who went on to write a seminal piece for the Harvard Law Review: "The Right to Privacy". It was a remarkable piece of work and set into motion a train of legal thought that is still chuffing away to this very day. I remember when I first read it I assumed the date was a misprint: 1890. Surely that must mean 1980? Here's an extract:<br />
<br />
<i>“The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasion upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.”</i><br />
<br />
The same debate rages now - and the 'enterprise and invention' that was 'modern' in 1890 is every bit as prevalent now. Have things really changed? Are the attacks on privacy a 'modern' crisis in the 21st century - or are things just the same as they ever were. Here's some more of Warren and Brandeis:<br />
<br />
<i>"Gossip is no longer the resource of the idle and the vicious, but has become a trade, which is pursued with industry as well as effrontery. To satisfy a prurient taste the details of sexual relations are spread broadcast in the columns of the daily papers. To occupy the indolent, column upon column is filled with idle gossip, which can only be procured by intrusion upon the domestic circle."</i><br />
<br />
Lord Justice Leveson might well say something very similar when his inquiry into the culture, ethics and practice of the press comes to its conclusion. Phone hacking may be the latest form of 'intrusion upon the domestic circle' but in many ways it's not that different from the tactics that have been used by the press (and others) for well over a century, as Warren and Brandeis made very clear.<br />
<br />
So has much changed? Or is this all just human nature, and we need to 'grin and bear it'. Has the technological development of the last 120+ years had a significant effect? Here's a little more of Warren and Brandeis:<br />
<br />
<i>"Even gossip apparently harmless, when widely and persistently circulated, is potent for evil."</i><br />
<br />
The internet, by its very nature, gives a far greater opportunity for wide and persistent circulation of gossip - but once again, it's not qualitatively different from what Warren and Brandeis were concerned about. The tools are more efficient, the mechanisms more generally available, and the scale larger, but isn't it the same problem, just writ a bit larger? The other side of the coin, however, is also, in my opinion, true. Privacy isn't a problem that's going away - and it's not, despite the suggestions of the likes of Mark Zuckerberg, something that's no longer a social norm. The ways in which Warren and Brandeis's piece, written more than 120 years ago, seems to fit so well with current practices and current concerns suggests precisely the opposite. Privacy is still an issue - and it will in all likelihood remain an issue forever. They were right to be concerned about it - and right, in my opinion, that we have a right to privacy. We had it then, and we have it now - not an absolute right, not a right that overrides other competing rights such as freedom of expression, but a right that needs to be considered, and needs to be fought for. That fight will go on... as it always has.Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com3tag:blogger.com,1999:blog-7558636046189251768.post-6658957716009932772012-01-12T12:01:00.001+00:002012-01-12T12:01:52.167+00:0010 things I hate about the ICO<br />
With apologies to William Shakespeare, Elizabeth Barrett Browning, Heath Ledger, Julia Stiles and many more…<br />
<br />
<br />
<b>10 things I hate about the ICO</b><br />
<br />
I hate the way you ask for teeth but seem afraid to bite<br />
I hate the way you think the press are far too big to fight<br />
I hate the way you always think that business matters most<br />
Leaving all our online rights, our privacy, as toast<br />
<br />
I hate the way you keep your fines for councils and their kind<br />
While leaving business all alone, in case the poor dears mind<br />
I hate the way you take the rules that Europe writes quite well<br />
And turn them into nothing much, as far as we can tell<br />
<br />
I hate the way that your advice on cookies was so vague<br />
Could it possibly have been, you were a touch afraid?<br />
I hate the way you talked so tough to old ACS Law<br />
But when it came to action, it didn’t hurt for sure<br />
<br />
I hate the way it always seems that others take the fore<br />
While you sit back and wait until the interest is no more<br />
I hate that your investigations all stop far too soon<br />
As PlusNet, Google and BT have all found to their boon<br />
<br />
I hate the way you tried your best to hide your own report<br />
‘Bury it on a busy day’; a desperate resort!<br />
You should be open, clear and fair, not secretive and poor<br />
We’ll hold you up for all to see – we expect so much more!<br />
<br />
I hated how when Google’s cars were taking all our stuff<br />
You hardly seemed to care at all – that wasn’t near’ enough<br />
Even when you knew the truth, you knew not what to do<br />
It took the likes of good PI to show you where to go…<br />
<br />
I hated how my bugbears Phorm, didn’t get condemned<br />
Even when their every deed could not help but offend<br />
You let them off with gentle words, ‘must try harder’ you just said<br />
Some of us, who cared a lot, almost wished you dead<br />
<br />
You tease us, tempt us, give us hope – then let us down so flat<br />
We think you’re on our side – you’re not – and maybe that is that!<br />
Will all these bad things ever change? We can but hope and dream<br />
That matters at the ICO aren’t quite as they might seem.<br />
<br />
We need you, dearest ICO, far more than we should<br />
We’d love you if you only tried to do the job you could<br />
We’d love you if you stood up tall, and faced our common foes<br />
Until you do, sad though it is, then hatred’s how it goes.<br />
<br />
<br />
<br />
<br />
P.S. I don’t really hate the ICO at all really.... this is 'poetic' licence!<br />
<div>
<br /></div>Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com6tag:blogger.com,1999:blog-7558636046189251768.post-29021562447893887092012-01-11T11:18:00.003+00:002012-01-15T18:51:15.744+00:00The Internet IS a (Human) Right...<br />
It isn’t often that I find myself disagreeing with something that Vint Cerf, one of the ‘fathers of the internet’ has said, but when I read his much publicised <a href="http://www.nytimes.com/2012/01/05/opinion/internet-access-is-not-a-human-right.html?_r=4&pagewanted=all" target="_blank">Op Ed piece in the New York Times</a>, I did.<br />
<br />
First of all, and perhaps most importantly, I didn’t like the headline, which stated baldly and boldly that <b>‘Internet Access is not a Human Right’</b>. Regardless of whether you agree or disagree with that statement, the piece said a great deal more than that – indeed, the main thrust of the argument was about the importance of the internet, and of internet access, to human rights. Many people will have just read the headline – or even read the many tweets which stated just that headline and a link – and drawn conclusions very different to those which Cerf might like. The headline, of course, may well have been the choice of the editorial team and the New York Times, rather than Cerf himself, but either he was OK with it or he allowed himself to be led in a particular direction.<br />
<br />
Secondly, I think the point that he makes leading to this headline, and to his conclusions, reflects a particularly US perspective on 'human rights' - a minimalist approach which emphasises civil and political rights and downplays (or even denies) economic and social rights amongst others. Most of the rest of the world takes a broader view of human rights: the <a href="http://www2.ohchr.org/english/law/cescr.htm" target="_blank">International Covenant on Economic, Social and Cultural Rights</a> was introduced in 1966, and has been ratified by the vast majority of the members of the UN – but not by the US. The covenant includes such rights as the right to work, the right to social security, rights to family life, right to health, to education and so forth - and it isn't too much of a stretch to see that right to internet access might fit within this spectrum.<br />
<br />
That Cerf doesn't see it this way is not surprising given that he is American - but I think his argument is weaker than that. In the piece, Cerf’s gives the example of a man not having a right to a horse. He talks about how a horse was at one time crucial to ‘make a living’, and that means that the ‘human right’ isn’t a right to have a horse, but a right to ‘make a living’. However, even that’s based on assumptions to do with our time and system. Do you ‘need’ to ‘make a living’ if your society isn’t based on capitalism? Non-capitalist societies have existed in the past - and indeed exist on small scales in various places around the world today. Can we really assume that they will never exist in the future? It is a bold assumption to make - but not, I think, one that needs to be made.<br />
<br />
We need to be very careful about the assumptions we make about any human right – and that, in practice, many of what we consider to be human rights are instrumental, qualified, or contextual rather than absolute, pure and simple. Another example from the legal field: do we have a ‘right to a free trial’ – or a right to justice? Trial by jury may be the best way we know now of assuring justice, but might there not be other ways?<br />
<br />
What does this mean? Well, primarily, to me, it means we need to be less 'purist' about the terms we use, and more pragmatic - and to understand that we live in a particular time, where particular things matter. Moreover, that the language that is currently used in most parts of the world is one in which the term 'human right' has power - and we should not be afraid to use that power. Right now, to flourish in a 'free', developed society, internet access is crucial. Perhaps even more to the point, internet access has shown itself to have a potential for liberation even in places less 'free' and less 'developed. I'm not a cyber-utopian - and I fully acknowledge the strengths of the arguments of Morozov about the potential of the internet for control as much as for liberation - but for me that actually makes it even more important that we look at the internet from a rights perspective: if we have a right to internet access then it's much easier to argue that we have rights (such as privacy rights) while we use the internet, and those rights are critical for supporting the more liberating aspects of the internet.<br />
<br />
That's another thing that disappoints me about Cerf's Op Ed piece. He doesn’t mention privacy, he doesn’t mention freedom from censorship, he doesn’t mention freedom from surveillance – I wish he would, because next after access these are the crucial enablers to human rights, to use his terms. I’d put it in stronger terms myself. I’d say we have <i>rights</i> to privacy online, <i>rights</i> to freedom from censorship, and <i>rights</i> to freedom from surveillance. If you don’t want to call them human rights, that’s fine by me – but right now, right here, in the world that we live in, we need these rights. The fact that we need them means that we should claim them, and that governments, businesses and yes, engineers, should be doing what they can to ensure that we get them.<br />
<br />
Finally, going back to the headline itself I think Cerf and other seminal figures in the history and development of the internet, have got to be careful about not letting themselves be used by those who'd like to restrict internet access and freedom: there are others with very dubious agendas who would like to push the 'internet access not a human right' point. When one of the fathers of the internet writes that internet access is not a human right, regardless of the details below, there is a significant chance that it will be latched onto by those who would like to restrict our freedoms, whether to enforce copyright, to 'fight' terrorism or online crime, or for other purposes. That is something that we should be careful to avoid.<br />
<br />
ADDENDUM (15/1/2012)<br />
<br />
There have been a number of other interesting blogs/responses on the subject. Here are links to a few of them:<br />
<br />
<a href="http://ukhumanrightsblog.com/2012/01/11/is-internet-access-a-human-right/" target="_blank">Adam Wagner's UK Human Rights Blog</a><br />
<a href="http://madisonian.net/2012/01/14/internet-access-as-a-human-right/" target="_blank">Frank Pasquale on madisonian.net</a><br />
<a href="http://blog.amnestyusa.org/business/is-internet-access-a-human-right/" target="_blank">Amnesty International's Scott Edwards blog post on HUMAN RIGHTS NOW</a><br />
<a href="http://www.almasryalyoum.com/en/node/601891" target="_blank">Sherif Elsayed-Ali in Egypt Independent</a><br />
<div>
<br />
All well worth a read!</div>Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com11tag:blogger.com,1999:blog-7558636046189251768.post-18567412294936288282012-01-05T07:32:00.003+00:002012-01-05T08:14:23.143+00:00Personalisation and politicsI have to admit to following the Republican party's presidential candidate race with some fascination. It's a slightly ghoulish fascination - there's often a touch of fear when I listen to some of the candidates, and there's always the underlying question of 'how low can they go'. There's comedy, tragedy, a bit of historical eccentricity, and often a good deal of farce. It's also, however, revealing of some of the issues that we should take seriously in terms of how our politics, our democratic politics, functions - and in particular, how it might function in the future.<br />
<br />
One particular aspect that came to the fore to me in the recent Iowa Caucus - the role of advertising in politics. We haven't developed it to nearly the same degree in the UK as the US, though every successful politician this side of the pond has tried to follow Thatcher's hugely effective use of Saatchi & Saatchi. In the US, though, it's a highly developed art form - and is only likely to become more so. In Iowa, an orchestrated advertising campaign against the surging Newt Gingrich sent him down from first to fourth place (and nearly out of the race) in a matter of days. Advertising works, or at least appears to - and politicians know it, and know it well.<br />
<br />
What might this mean for the future? I've written about advertising many times before, both in academic papers and in blogs. The internet is changing advertising - and we need to be aware of how that change might have an impact not only on our commercial behaviour but on our political behaviour: on politics itself. There are two trends in internet advertising that are particularly relevant and worth thinking about here: behavioural profiling and personalisation. People browsing the internet can be (and are) profiled according to their online behaviour, from the search terms they use and the links they follow to the friends they have on social media sites, the music they listen to, movies they watch and so forth. That profiling is generally used to target advertising - advertising more suited to their personal needs and desires. My last blog, <a href="http://symbioticweb.blogspot.com/2011/12/privacy-and-phantom-tollbooth.html" target="_blank">Privacy and the Phantom Tollbooth</a>, talked about some of the risks of this kind of thing - but when looked at from a political perspective the risks are even more sinister.<br />
<br />
Through profiling, it is possible to make good guesses - sometimes <i>very </i>good guesses - as to which political issues matter to someone and which ones don't. With just a little bit of work, the vast majority of which could be entirely automatic, it could become possible to create tailored political advertisements designed to highlight the policies or features of a particular candidate or party that are of specific interest to an individual - and to omit anything that might detract from their attraction. And, given the US experience in particular, to do the reverse for any opponents - automatically pick out the things that will make a particular voter see them in the most negative light possible.<br />
<br />
Taking this a few steps further, these ads could include background music that the advertiser knows that you particularly like, and even voice-overs by an actor that they know you admire - they could even choose the colours, styles and typefaces to suit your 'known' preferences. Of course they wouldn't do this for everyone, at least not at first, but it wouldn't take that much effort to produce a range of options (a handful of different actors, soundtracks etc would do the job) that would cover most of the key, swing voters. Political advertising in its current form is already persuasive - how much more persuasive could it be in this kind of form? And remember that with behavioural targeting in the hands of relatively few advertising organisations, these advertisements can be sent to a vast number of different websites that you visit. They can be sent to you in emails. They can be inserted at the beginnings of videos that you watch online.... the possibilities are endless.<br />
<br />
Is this far fetched? A nightmare scenario beyond the realms of possibility? Spend a little time watching US elections and I don't think you'll feel that way. It's just the logical extension of existing advertising and political trends. It is important to remember, too, that this kind of thing requires money - and money already talks enormously in politics. The power of personalised advertising can very easily become just one more tool in the hands of those who already wield excessive power over the political domain.<br />
<br />
What can be done? Well, the first thing is a matter of awareness. The impact of behavioural advertising goes beyond the commercial sphere, and we need to understand this. It's not just a matter of deciding which deodorant or drink we choose - potentially it's about our whole lives. We ignore its importance at our peril - so things like 'do not track' really matter, and the European 'Cookie Directive' should not be dismissed as a legalistic impediment to good business. They may not be perfect tools - indeed, it seems clear that they aren't - but they're being pushed for very good reasons. Tracking on the internet should not be the default, accepted without a thought. The risks are far greater than most people realise.Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com2tag:blogger.com,1999:blog-7558636046189251768.post-66307812008352132562011-12-30T07:24:00.002+00:002011-12-30T11:09:49.601+00:00Privacy... and the Phantom Tollbooth!Last night I was reading my daughter's bedtime story from that classic of American children's literature, <a href="http://en.wikipedia.org/wiki/The_Phantom_Tollbooth" target="_blank">The Phantom Tollbooth</a>, when I came across a passage that set out brilliantly the problems that can arise as a result of the gathering and use of private data. Bear in mind that The Phantom Tollbooth was first published in 1961: Norman Juster didn't have the benefit of seeing how what can loosely now be described as 'big data' operates - but he did have an understanding of how our information can be used against us, even when we have 'nothing to hide'.<br />
<br />
To set the scene: Milo the boy, Tock the Watchdog and the huge insect the Humbug are on the final stages of their mission to rescue the princesses Rhyme and Reason from the Castle in the Air. They reach the bottom of the final staircase, pursued by demons, where they don't notice a little round man sleeping peacefully on a very large ledger. The next part I'm just going to repeat:<br />
<br />
------------------------------------------<br />
<span class="Apple-style-span" style="color: blue;"> "NAMES?" the little man called out briskly, just as the startled bug reached for the first step. He sat up quickly, pulled the book out from under him, put on a green eyeshade, and waited with his pen poised in the air.</span><br />
<span class="Apple-style-span" style="color: blue;"> "Well, I..." stammered the bug.</span><br />
<span class="Apple-style-span" style="color: blue;"> "NAMES?" he cried again, and as he did, he opened the book to page 512 and began to write furiously. The quill made horrible scratching noises, and the point, which was continuously catching on the paper, flicked tiny inkblots all over him. As they called out their names, he noted them carefully in alphabetical order.</span><br />
<span class="Apple-style-span" style="color: blue;"> "Splendid, splendid, splendid," he muttered to himself. "I haven't had an M for ages."</span><br />
<span class="Apple-style-span" style="color: blue;"> "What do you want our names for?" asked Milo, looking anxiously over his shoulder. "We're in a bit of a hurry."</span><br />
<span class="Apple-style-span" style="color: blue;"> "Oh, this won't take a minute," the man assured them. "I'm just the official Senses Taker, and I must have some information before I can take your senses. Now, if you'll just tell me when you were born, where you were born, why you were born, how old you are now, how old you were then, how old you'll be in a little while, your mother's name, your father's name, your aunt's name, your uncle's name, your cousin's name, where you live, how long you've lived there, the schools you've attended, the schools you haven't attended, your hobbies, your telephone number, your shoe size, shirt size, collar size, hat size, and the names and addresses of six people who can verify all this information, we'll get started."</span><br />
------------------------------------------<br />
<br />
These days, of course, there wouldn't need to be a 'senses taker' to get most of that information - 800 million or so of us have already 'volunteered' much of it to Facebook, while much of the rest of it (the sensible bits anyway) can be gathered reasonably directly from other sources. Anyway, the Senses Taker proceeds to gather all this and more, before Milo quite reasonably suggests that they need to get a move on, and can they just proceed. At that point, the Senses Taker demands to know their destination.<br />
<br />
------------------------------------------<br />
<span class="Apple-style-span" style="color: blue;"> "The Castle in the Air," said Milo impatiently.</span><br />
<span class="Apple-style-span" style="color: blue;"> "Why bother?" said the Senses Taker, pointing to the distance. "I'm sure you'd rather see what I have to show you."</span><br />
<span class="Apple-style-span" style="color: blue;"> As he spoke, they all looked up, but only Milo could see the gay and exciting circus there on the horizon. There were tents and side shows and rides and even wild animals - everything a little boy could spend hours watching.</span><br />
<span class="Apple-style-span" style="color: blue;"> "And wouldn't you enjoy a more pleasant aroma?" he said, turning to Tock.</span><br />
<span class="Apple-style-span" style="color: blue;"> Almost immediately the dog smelt a wonderful smell that no-one but he could smell. It was made up of all the marvellous things that had ever delighted his curious nose.</span><br />
<span class="Apple-style-span" style="color: blue;"> "And here's something I know you'll enjoy hearing," he assured the Humbug.</span><br />
<span class="Apple-style-span" style="color: blue;"> The bug listened with rapt attention to something he alone could hear - the shouts and applause of an enormous crowd, all cheering for him.</span><br />
<span class="Apple-style-span" style="color: blue;"> They each stood as if in a trance, looking, smelling, and listening to the very special things that the Senses Taker had provided for them, forgetting completely about where they were going and who, with evil intent, was coming up behind them.</span><br />
<span class="Apple-style-span" style="color: blue;"> The Senses Taker sat back with a satisfied smile on his puffy little face as the demons came closer and closer, until less than a minute separated them from their helpless victims.</span><br />
<span class="Apple-style-span" style="color: blue;"> But Milo was too engrossed in the circus to notice, and Tock had closed his eyes, the better to smell, and the bug bowing and waving, stood with a look of sheer bliss on his face, interested only in the wild ovation.</span><br />
------------------------------------------<br />
<br />
Of course Milo, Tock and the Humbug do eventually escape, and the Senses Taker's true nature is revealed: he is a demon himself:<br />
<br />
------------------------------------------<br />
<span class="Apple-style-span" style="color: blue;"> "I warned you; I warned you I was the Senses Taker," sneered the Senses Taker. "I help people find what they're <i>not</i> looking for, hear what they're <i>not</i> listening for, run after what isn't there. And, furthermore," he cackled, hopping around gleefully on his stubby legs, "I'll steal your sense of purpose, take your sense of duty, destroy your sense of proportion..."</span><br />
------------------------------------------<br />
<br />
It's as good a description of the dangers of the personalisation of the internet - which I've written about before, and is inherent in the Symbiotic Web model that underlies a lot of my work - as you might find. The Senses Taker's processes - gather all the data it can, use it to conceptualise how each individual might be seduced into doing something to the benefit of the Senses Taker (rather than to the benefit of the individual) is pretty much exactly what behavioural advertising does, what Facebook does, what many other kinds of privacy-invasive profile-based systems do. And the Sense Taker is a demon.......<br />
<br />
<br />
P.S. If you haven't read the Phantom Tollbooth, you should! It's a brilliant book, lots of fun and at the same time actually quite deep!Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com3tag:blogger.com,1999:blog-7558636046189251768.post-91592178084428553102011-12-18T08:47:00.001+00:002011-12-18T08:47:38.637+00:0012 wishes for online privacy....<br />
It's that time of year for lists, predictions and so forth. I don't want to make predictions myself - I know all too well how hard it is to predict anything in this world, and even more so in the online world. I do, however, have wishes. Many of these are pipe dreams, I'm afraid, but some of them do have some small hope of coming true. So here they are, my twelve wishes for online privacy…<br />
<br />
<br />
<ol>
<li>That I don’t hear the ‘if you’ve got nothing to hide…’ argument against privacy ever again...</li>
<li>That governments worldwide begin to listen more to individuals and to advocacy groups and less to the industry lobby groups, particularly those of the copyright and security industries</li>
<li>That privacy problems continue to grab the headlines – so that privacy starts to be something of a selling point, and companies compete to become the most ‘privacy-friendly’ rather than just paying lip service to privacy</li>
<li>That the <a href="http://symbioticweb.blogspot.com/2011/10/goo-goo-googles-tiny-steps-towards.html" target="_blank">small signs I’ve been seeing that Google might be ‘getting’ privacy</a> do not turn out to be illusions. Go on, Google, go on!</li>
<li>That my ‘gut feeling’ that 2012 could be the peak year for Facebook turns out to be true. Not because I particularly dislike Facebook – I can see the benefits and strengths of its system – but because the kind of domination and centralisation it represents can’t be good for privacy in the end, and I don't believe that the man who said that privacy was no longer a 'social norm' has really changed his spots</li>
<li>That the ICO grows some cojones, and starts understanding that <a href="http://symbioticweb.blogspot.com/2011/03/ico-between-rock-and-hard-place-not.html" target="_blank">it’s supposed to represent us,</a> not just find ways for businesses to get around data protection regulations…</li>
<li>That the media (and yes, I’m talking to YOU, BBC), whenever they get told about a new technical innovation, don’t just talk about how wonderful and exciting it is, but think a little more critically, and particularly about privacy</li>
<li>That the revision to the Data Protection Directive (or perhaps Regulation) turns into something that is both helpful and workable – and not by compromising privacy to the wishes of business interests.</li>
<li>That neither SOPA nor PIPA get passed in the US…</li>
<li>That the right to be forgotten, something I’ve written about a number of times before, is discussed for what it is, not what people assume it must be based solely on the misleading name. It’s not about censorship or rewriting history. It really isn’t! It’s about people having rights over their own data! <a href="http://symbioticweb.blogspot.com/2011/11/whose-data-our-data.html" target="_blank">Whose data? Our data!</a></li>
<li>That the Labour Party begins to put together a progressive digital policy, and says sorry for ever having listened to the copyright lobby in introducing the Digital Economy Act! </li>
<li>That we start thinking more about the <a href="http://symbioticweb.blogspot.com/2011/11/significance-of-insignificant.html" target="_blank">ordinary privacy of ordinary people</a>, not just that of celebrities and politicians… </li>
</ol>
<div>
These are of course just a sample of the things I could say - but if even a few of them start to become true, it would be a really good start. Here's wishing....</div>
<br />Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com7tag:blogger.com,1999:blog-7558636046189251768.post-49867092930121851772011-12-08T06:27:00.001+00:002011-12-08T07:06:12.194+00:00Privacy is not the enemy...I attended the Oxford Institute event 'Anonymity, Privacy and Open Data' yesterday, notable amongst other things for Professor Ross Anderson's systematic and incredibly powerful destruction of the argument in favour of 'anonymisation' as a protection for privacy. It was a remarkable event, with excellent speakers talking on the most pertinent subjects of the day in terms of data privacy: compelling stuff, and good to see so many interesting people working in the privacy and related fields.<br />
<br />
And yet, at one point, one of the audience asked a question about whether a group like this was not too narrow, and that by focussing on privacy we were losing sight of other 'goods' - he was thinking particularly of medical goods, as 'privacy' was seen as threatening the possibility of sharing medical data. I understood his point - and I understood his difficulty, as he was in a room to a great extent full of people interested in privacy (hardly surprising given the title of the event). Privacy advocates are often used to the reverse position - trying to 'shout out' about privacy to a room full of avid data-sharers or supporters of business innovation above all things. A lot of antagonism. A lot of feelings about being 'threatened'. And yet I believe that many of those threatened are missing the point about privacy. Just as Guido Fawkes is wrong to characterise privacy just as a 'euphemism for censorship' (as I've <a href="http://symbioticweb.blogspot.com/2011/11/significance-of-insignificant.html" target="_blank">written about before</a>) and Paul McMullan is wrong to suggest that <a href="http://www.huffingtonpost.co.uk/2011/11/29/notw-journalist-paul-mcmu_n_1118764.html" target="_blank">'privacy is for paedos'</a>, the idea that privacy is the 'enemy' of so many things is fundamentally misconceived. To a great extent the opposite is true.<br />
<br />
<b>Privacy is not the enemy of free expression</b> - indeed, as <a href="https://www.privacyinternational.org/article/bbi-why-privacy-essential-free-speech-thrive" target="_blank">Jo Glanville of Index on Censorship has argued</a>, privacy is essential for free expression. Without the protection provided by privacy, people are shackled by the risk that their enemies, those that would censor them, arrest them or worse, can uncover their indentures, find them and do their worst. Without privacy, there is no free expression.<br />
<br />
<b>Privacy is not the enemy of 'publicness' -</b> in a similar way, to be truly 'public', people need to be able to protect what is private. They need to be able to have at least some control over what they share, what they put into the public. If they have no privacy, no control at all, how can they know what to share?<br />
<br />
<b>Privacy is not the enemy of law enforcement</b> - privacy is sometimes suggested to be a tool for criminals, something behind which they can hide behind. The old argument that 'if you've got nothing to hide, you've got nothing to fear' has been exposed as a fallacy many times - perhaps most notably by Daniel Solove (e.g. <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565" target="_blank">here</a>), but there is another side to the argument. Criminals will use whatever tools you present them with. If you provide an internet with privacy and anonymity they'll use that privacy and anonymity - but if you provide an internet without privacy, they'll exploit that lack of privacy. Many scams related to identity theft are based around taking advantage of that lack of privacy. It would perhaps be stretching a point to suggest that privacy is a friend to law enforcement - but it is as much of an enemy to criminals as it is to law enforcement agencies. Properly implemented privacy can protect us from crime.<br />
<br />
<b>Privacy is not the enemy of security</b> - in a similar way, terrorists and those behind what's loosely described as cyberwarfare will exploit whatever environment they are provided with. If Western Law enforcement agencies demand that social networks install 'back doors' to allow them to pursue terrorists and criminals, you can be sure that those back doors will be used by their enemies - terrorists, criminals, agents of enemy states and so forth. This last week has seen Privacy International launch their <a href="https://www.privacyinternational.org/big-brother-incorporated" target="_blank">'Big Brother Inc'</a> database, revealing the extent to which surveillance products developed in the West are being sold to despotic and oppressive regimes. It's systematic, and understandable. Surveillance is a double-edged sword - and privacy is a shield which faces many ways (to stretch a metaphor beyond its limits!). Proper privacy protection works against the 'bad guys' as well as the 'good'. It's a supporter of security, not an enemy.<br />
<br />
<b>Privacy is not the enemy of business</b> - though it is the enemy of certain particular business models, just as 'health' is the enemy of the tobacco industry. Ultimately, privacy is a supporter of business, because better privacy increases trust, and trust helps business. Governments need to start to be clear that this is the case - and that by undermining privacy (for example though the oppressive and disproportionate attempts to control copyright infringement) they undermine trust, both in businesses and in themselves as governments. Privacy is certainly a challenge to business - but that's merely reflective of the challenges that all businesses face (and should face) in developing businesses that people want to use and are willing to pay money for.<br />
<br />
<b>Privacy is not the enemy of open data</b> - indeed, precisely the opposite. First of all, privacy should make it clear which data should be shared, and how. 'Public' data doesn't infringe privacy - from bus timetables to meteorological records, from public accounts to parliamentary voting records. Personal data is just that - personal - and sharing it should happen with real consent. When is that consent likely to be given? When people trust that their data will be used appropriately. When will they trust? When privacy is generally in place. Better privacy means better data sharing.<br />
<br />
<br />
All this is without addressing the question of whether (and to what extent) privacy is a fundamental right. I won't get into that here - it's a philosophical question and one of great interest to me, but the arguments in favour of privacy are highly practical as well as philosophical. Privacy shouldn't be the enemy - it should be seen as something positive, something that can assist and support. Privacy builds trust, and trust helps everyone.Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com4tag:blogger.com,1999:blog-7558636046189251768.post-46920830779291168572011-11-26T06:19:00.001+00:002011-11-28T14:23:12.859+00:00Heroes and villains?I wrote a piece a little while ago about Julian Assange - you can find it <a href="http://symbioticweb.blogspot.com/2011/11/assange-keeping-issues-separate.html" target="_blank">here</a> - which amongst other things suggested that just because you consider someone a hero for one part of their lives doesn't mean that they're necessarily something other than a hero in another way. Events this week have reminded me of the other side of that coin: that just because someone might be seen as a villain in one way, doesn't mean that everything about them is despicable. What's more, if we believe in human rights, it doesn't mean that 'villains' shouldn't have those human rights. One particular such 'villain' has been in the news these last few days: Max Mosley.<br />
<br />
Before I say anything more, I need to make it clear that my background is very left wing - I have grandparents, step-grandparents and great aunts who were communists. I myself had the nickname 'commie bastard' at college - though all that really meant is that I was the only member of the Labour Party at what was then the extremely right-wing Pembroke College Cambridge. As such, Max Mosley is someone who I 'instinctively' look on with extreme distaste. His father, Oswald Mosley, was a particular figure of hate for my family - in case anyone is unaware, Oswald Mosley was the founder and leader of the British Union of Fascists, and a supporter of Hitler. Hitler was a guest at his wedding. I still consider myself to be very much on the political left. Max Mosley, not just as his father's son, but as someone who represents extreme wealth and the excesses connected with it, is not someone that I have anything but instinctive dislike for.<br />
<br />
...but just as even 'heroes' like Assange need to be subject to the law when appropriate (as I argued before), even those you dislike intensely need to be accorded rights. Indeed, one of the key tests of whether you <i>really</i> believe in human rights is whether you really grant them to those you dislike. Many people have been tested on those grounds over the last months and hardly come up smelling of roses - the attitude to the death of Gaddafi is perhaps the most extreme example. For Max Mosley, the test is simpler and should be less taxing. However much I might dislike what he seems to represent, he still deserves privacy. What the newspapers did to him was, in my view, unacceptable - and he was right to fight against them. Personally I thought he came across well in the Leveson inquiry. It wasn't Mosley that looked like the villain here - and his work in supporting other victims of phone hacking is something to be applauded too.<br />
<br />
...which brings me onto the other 'heroes' and 'villains' of the last week: the press. If you listened as I did to the testimony of the many witnesses to the Leveson inquiry, from Mosley himself to the celebs like Hugh Grant, Steve Coogan and Sienna Miller, to JK Rowling, to the families of Milly Dowler and Madelaine McCann, and to Margaret Watson, it's hard not to see the press as venal, vicious, unprincipled and unfair. The instinctive reaction again is to punish them, to clamp down on them, to restrict them. And yet that's not the whole story either - because we also have to remember how the story itself broke, though the work of the Guardian. We have to remember how the MPs' expenses scandal was revealed by the Telegraph. How the cricket match-fixing scandal was uncovered by the now-departed News of the World. Just as Assange and Mosley could be heroes in one way and might be villains in another, so are the press. We need to look at the balance, and remember both sides to all their stories.<br />
<br />
How is that balance maintained? The most important thing to remember is that it's a dynamic balance, and that we have to remain vigilant. Don't overreact - and that's an easy temptation particularly in relation to the press, and if the stories about Max Mosley planning to sue Google are true, they would be a prime example of such overreaction, and something I plan to write about separately - but don't be afraid of action either. Even in terms of the press, there are two currently very different things going on right now. At the same time as any action emerging from Leveson might produce restrictions on press activity in relation to privacy, the potential changes to the draft defamation bill might produce greater freedom for the press in relation to defamation. Instinctively, again, that might be right for people of my political perspective - defamation law has often been seen as a tool for the rich, while privacy should (though often isn't, as <a href="http://symbioticweb.blogspot.com/2011/11/significance-of-insignificant.html" target="_blank">I've argued before</a>) be something of as much interest to the 'insignificant' as the rich and famous. Both the potential shifts in balance, from Leveson and from changes to libel law, could well be appropriate. Let's hope it works out that way.Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com4tag:blogger.com,1999:blog-7558636046189251768.post-50201880876534883612011-11-19T12:29:00.001+00:002011-11-20T07:57:01.658+00:00Whose data? Our data!!!<br />
There’s a slogan echoing around the streets of major cities around the globe at the moment: ‘Whose streets – our streets!’ It’s the mantra of the ‘occupy’ movement, expressing the frustration and injustice – particularly economic injustice – and the sense that all kinds of things that should be ‘ours’ have been taken out of ‘our’ control.<br />
<br />
The same could – and should – be said about personal data. The mantra of the occupy movement has a very direct parallel in the world of data, which is why I think we should be saying, loud and proud, ‘Whose data – our data!’<br />
<br />
Just as for the occupy movement (which I’ve <a href="http://symbioticweb.blogspot.com/2011/10/privacy-and-occupy-wall-street.html" target="_blank">written about before</a>), the chances of getting everything that we want in relation to data are slim – but the chances of changing the agenda in relation to data are not, and the chances of bringing about some real changes in the medium and long term even less so. The occupy movement, particularly in the US, have brought some ideas that previously were hardly talked about in the media, like wage and wealth inequality, close to the top of the agenda. They may even have moved it high enough that politicians feel the need to do something about it – I certainly hope so.<br />
<br />
<b>The personal data agenda.</b><br />
<br />
Can we do the same for personal data? One of the current points of discussion is the idea of a ‘right to be forgotten’ – something that relates directly to the question of whether personal data is ‘ours’ in any meaningful way. I’ve spoken and written about it a lot before – my academic article on my take on it, ‘a right to delete?’ can be found online <a href="http://ejlt.org//article/view/75/144" target="_blank">here</a>, while I’ve also <a href="http://inforrm.wordpress.com/2011/10/07/a-right-to-be-forgotten-%E2%80%93-or-a-right-to-delete-part-1-paul-bernal/" target="_blank">blogged on the subject on the INFORRM blog</a>. It’s currently under discussion as part of the forthcoming revision to the Data Protection Directive, to great resistance from the UK. The latest manifestation of this resistance has come from the ICO, <a href="http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Research_and_reports/ico_stakeholder_briefing_-_the_future_of_dp_in_the_eu.ashx" target="_blank">suggesting that the right to be forgotten should not be included as it would be unenforceable</a>, and that the inclusion would give people unrealistic expectations, as well as potentially interfering with free speech. Effectively, they seem to be suggesting that including it would send out the wrong message. This pronouncement echoes previous statements by Ken Clarke in May, and Ed Vaizey a couple of weeks ago – it looks like part of a campaign to rein in the attempts by Europe to give more weight to privacy and user rights in the balancing exercise with business use of personal data.<br />
<br />
<b>Are the ICO right?</b><br />
<br />
I believe that the ICO are wrong about this in a number of ways. First of all, I think they’re wrong about the unenforceability issue – at least to a great extent. In the Mexico City conference on data protection earlier this month, even Google admitted that they could do their part, but that it would be expensive. That's very different from saying that it is unenforceable. What’s more, it doesn’t have to be perfectly implemented in order to have a benefit to people – if, for example, the right to be forgotten would allow people to easily, simply and quickly delete their Facebook profiles, or the data held on them by Tesco, that could be significant. It could also, as I’ve argued in my article, help persuade businesses to develop business models less dependent on the gathering and holding of massive amounts of personal data – if they know that such data might be ‘deletable’.<br />
<br />
Secondly, I believe they’re quite wrong about the free speech issue – again, as I outline in my paper, if proper exceptions are put in place to allow archives to be kept, then free speech isn’t affected at all. The idea is not to be able to delete a record of what school you went to – but to be able to delete records of what breakfast cereal you bought, or profiles created based on surveillance of your internet activity.<br />
<br />
Thirdly, and perhaps most importantly, I think they’re wrong about the message being sent out – profoundly wrong. The message that the ICO is sending out is that business matters more than people’s rights – and it’s a message that has echoes throughout the world at the moment, echoes that are what has provoked the anger in so many people that lies being the ‘occupy’ movement. It’s the same logic as that which supports bankers bonuses over benefits for the disabled, and looks for tax cuts for the rich whilst enforcing austerity measures that cut public services to the bone and beyond. Even more importantly, it suggests that the ICO does not see its role as protecting individual rights over data – but as supporting the government’s business agenda.<br />
<br />
<b>Whose data – our data!</b><br />
<br />
The actions and messages of the ICO are essentially saying that this is too difficult to do, so we shouldn’t even try. It reminds me very much of the arguments against the idea of having smoke-free restaurants and pubs – a lot of people said it would be impossible, would drive the restaurants and pubs out of business. Further back, there have been similar stories throughout history – most dramatically, they were made against the abolition of slavery. We shouldn’t let this kind of logic stop us from doing what is right – we should find a way. And we <i>can</i> find a way, if only we can find the will. The ICO needs to be stronger, to understand that it has to serve us, not just business or the government. Privacy International asked in February <a href="https://www.privacyinternational.org/blog/are-ico-fit-purpose" target="_blank">whether the ICO was fit for purpose</a> – and the answer increasingly seems to be clearly not. We need to remind them what their purpose should be – and that, more than anything else, is to represent us, the people. We need to remind them whose data they’re supposed to be protecting. Whose data? Our data!<br />
<div>
<br /></div>Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com0tag:blogger.com,1999:blog-7558636046189251768.post-92068698206155195782011-11-15T06:49:00.001+00:002011-11-15T06:56:23.617+00:00The significance of the insignificant<div>
I watched yesterday’s parliamentary committee session on Privacy and Injunctions with some interest – after all, privacy is one of my subjects. The excellent David Allen Green (of <a href="http://jackofkent.blogspot.com/">Jack of Kent</a> fame) gave the committee a number of lessons both in law and technology, and <a href="http://order-order.com/">Guido Fawkes</a> (Paul Staines) tormented them with the reality of the modern world. It was entertaining stuff – and yet the more I watched, the less it seemed to be connected with what I see as the biggest and fastest growing problem that the internet in particular represents in terms of privacy.</div>
<div>
<br /></div>
<div>
That came to a head when Guido Fawkes made the remark that ‘privacy is just a euphemism for censorship’. It was a good soundbite – and fitted some excellent subsequent tweets – and he certainly had a point when considering the way that privacy has been used to protect the rich, the famous and the influential, particularly in relation to super-injunctions, one of the key subjects being discussed by the committee. As a football fan, I’ve hardly been able to blink this year without hearing another piece of gossip that I’m not allowed to know, let alone talk about. However, there’s another side to privacy, one to which neither the committee nor the witnesses before them seemed to pay any attention. The side of the insignificant.</div>
<div>
<br /></div>
<div>
<b>Insignificant people have the right to privacy too</b></div>
<div>
<br /></div>
<div>
The focus of both the committee and the witnesses, entirely understandably given their remit, was on the privacy of what might loosely be described as ‘significant’ people. And yet ordinary people, ‘insignificant’ people, have a right to privacy too. Protecting their privacy, except in unusual circumstances, isn’t anything to do with censorship. It’s about autonomy. It’s about the right, as Warren and Brandeis put it so long ago, to be left alone. The right to live, to enjoy the fruits of our modern society freely and without excessive interference.</div>
<div>
<br /></div>
<div>
<i>By focussing on privacy as protecting significant information about ‘significant’ people, we miss what is, in many ways the far more important issue of the lack of control over the gathering of insignificant information about ‘insignificant’ people.</i></div>
<div>
<br /></div>
<div>
The result is that what is seen as ‘privacy’ – insofar as it is protected by law (and David Allen Green gave yesterday’s committee an excellent exposition of the inadequacies of that law) very often ends up protecting the ‘wrong’ people in the wrong ways, and failing to protect the right people in the right ways.</div>
<div>
<br /></div>
<div>
<b>Insignificant invasions of privacy matter</b></div>
<div>
<br /></div>
<div>
Protections against the significant stuff, particularly for significant people is already provided. The law protects against defamation – perhaps excessively, at least in the eyes of the supporters of libel reform – and ‘significant’ people can and have used that law to provide that protection, but provides little in the way of protection for ‘insignificant’ invasions of privacy.</div>
<div>
<br /></div>
<div>
Why is this? To a great extent it is because these ‘insignificant’ breaches of privacy are seen as, well, insignificant. On their own, that may even be appropriate. What does it matter if someone knows what I had for breakfast this morning, or what kind of music I’m listening as I type this blog? Each individual fact gathered this way doesn’t seem to matter at all – and yet they do matter. They matter philosophically – they’re really my business, and no one else’s – but they also matter in a much more important way. In this digital world of ours, they’re used to profile me, to categorise me, to determine what advertisements I receive on the internet, perhaps what content I’m shown, what links I’m provided with. They might determine what prices I’m offered for insurance, for plane tickets and so forth. They might be used to ‘rate’ me (I’m not even going to start on Klout) in other ways. They might be used to assess my likely political leanings – perhaps just for advertising at the moment, but after that….</div>
<div>
<br /></div>
<div>
…and yet far less attention is paid to them than the ‘obvious’ side of privacy. Even on social networking sites like Facebook, attention is paid to the ‘significant’ privacy problems – compromising or clearly embarrassing photographs for example, rather than the much more financially important detailed profiling and social mapping data that are the basis of Facebook’s business model. Do the compromising photos matter? Yes, of course they do, but ways are already being found to deal with them, through education of the users, or at least greater understanding from the users, something which has at least some chance of succeeding. As for the profiling data, few people seem to care that much at all.</div>
<div>
<br /></div>
<div>
<b>Changes are needed</b></div>
<div>
<br /></div>
<div>
There are all sorts of legal problems with dealing with insignificant stuff. There is a need to show damage – and individually insignificant facts aren’t damaging, and even profiling isn’t necessarily directly ‘damaging’ in financial terms. There is the thorny issue of consent – do we consent to all this data gathering and use through the various terms and conditions we never read? Do we, as the recent Wikileaks/Twitter ruling suggests, have no real expectation of privacy in our internet dealings?</div>
<div>
<br /></div>
<div>
As it stands, there is little to help. Law doesn’t seem to cut it – for all the valiant efforts of the Article 29 Working Party and others. Politicians in general seem neither to understand nor to care. Business models, particularly on the internet, almost rely on these invasions of privacy. We need to change that. To protect the insignificant, we need a change in approach, a change in infrastructure, and a change in business plans. We need to understand and control online tracking. We need opt-in, not opt-out, we need explanations that actually explain, and we need a whole lot more. Most of all, we need better understanding that privacy is more than just a way for the rich and powerful to protect themselves. It's about all of us.</div>
<div>
<br /></div>
<div>
The privacy of the insignificant hasn’t needed protecting before – only in this digital age can their insignificant events be gathered, or processed into something significant – so the law hasn’t been needed to protect them, and hasn’t developed a form that can protect them. It needs to now.</div>
<div>
<br /></div>Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com2tag:blogger.com,1999:blog-7558636046189251768.post-6540182862897782792011-11-10T10:04:00.001+00:002011-11-10T10:04:22.697+00:00The beginning or the end of cyberlaw?<br />
From time to time I have described myself as a ‘cyberlawyer’. When I’ve done so, I’ve had three kinds of reaction: the positive, the negative and the dumbfounded. Some people find the idea of cyberlaw almost exciting – looking to the future in a kind of William Gibson-esque way. Others look at it with derision – Easterbrook’s comparison of it with the non-existent law of the horse back in 1996 is one that echoes still. Some simply don’t understand what cyberlaw is, or what it might be.<br />
<br />
For a long time I’ve taken the side of the first – indeed, my enjoyment of science fiction was certainly part of what led me down the path of cyberlaw – but I’m beginning to think that the other two reactions are perhaps more appropriate – though not necessarily for the reasons that proponents of either argument might have made. It’s not, as Easterbrook suggested, that cyberlaw is too much of a niche subject, nor that ‘cyberspace’ is something only of interest to geeks and nerds. The opposite. Increasingly it seems that almost all lawyers will have to learn cyberlaw – and that almost all people are becoming citizens of cyberspace.<br />
<br />
The significance of cyberlaw within the legal community seems to be growing. The first time I went to the cyberlaw section of the Society of Legal Scholars conference, at the LSE in 2008, I sat through sessions with just a handful of other scholars – making even a small seminar room feel empty. This year, at Downing College Cambridge, it was standing room only as pretty much every session was packed beyond the capacity of the room. We had to borrow chairs from other far less popular sessions, and even thought of moving to one of the bigger venues. In other ways, too, cyberlaw seems to be becoming more mainstream. Over the last month or so I’ve been lucky enough to make contributions to two high-quality blogs well outside the realms of cyberspace – most recently <a href="http://ukconstitutionallaw.org/2011/11/06/paul-bernal-to-block-or-not-to-block-is-not-the-question%E2%80%A6/">writing about web-blocking for the UK Constitutional Law Group blog</a>, and before that <a href="http://inforrm.wordpress.com/2011/10/07/a-right-to-be-forgotten-%E2%80%93-or-a-right-to-delete-part-1-paul-bernal/">writing about the ‘right to be forgotten’ for the excellent INFORRM media law blog</a>. Whilst I would like to pretend that I’ve been asked to make these contributions because of my individual brilliance, I have a feeling it’s much more of a reflection of the way that cyberlaw now impacts upon almost every aspect of law – and not just media and constitutional law.<br />
<br />
Media lawyers need to understand the ‘new media’. Constitutional lawyers need to think about the impact of the cross-border nature of the internet on sovereignty, and the way that rights function online. Employment lawyers need to consider how social media impacts upon things like hiring and firing. Commercial lawyers need to understand electronic contracting. Intellectual property lawyers may well spend more time dealing with digital IP than anything else. Tax lawyers have to grapple with the complex issues of jurisdiction and so forth. Criminal lawyers have to look at how the rules of evidence apply to digital records, and think carefully about the legality of electronic investigatory methods. Human rights lawyers – and I consider my field to be as much human rights as cyberlaw – need to understand both the opportunities for and threats to human rights that arise as a result of the internet. And for each branch of law these are just some of the more obvious and superficial ways in which the digital world has to be taken into account – there are few areas of law where the internet doesn’t have a significant impact.<br />
<br />
So what does this mean? Does the increasing importance of cyberlaw mean that we all have to become cyberlawyers – and hence that the whole idea of cyberlaw disappears? Will every lawyer be a cyberlawyer? Ultimately that may be so – but there’s a long way to go before that happens. The law is still finding it hard to come to terms with the internet, for all the efforts of the pioneering cyberlawyers – and the politicians are even further behind, with a few honourable exceptions. There’s also a significant rump of the legal ‘establishment’ that may have to be dragged kicking and screaming into the brave new world where ‘reality’ and ‘cyberspace’ are increasingly integrated. It’s coming, though, and faster, I suspect, than even people like me imagine.<br />
<div>
<br /></div>Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com1tag:blogger.com,1999:blog-7558636046189251768.post-4283883441638664572011-11-03T08:27:00.002+00:002011-11-03T08:27:25.335+00:00Assange - keeping the issues separate<br />
Yesterday, as most people interested in the subject know, Assange lost his appeal against extradition to Sweden to face accusations of sexual misconduct. He lost on all four counts of his appeal, and lost so convincingly that many commentators have suggested that his chances of success in one, final appeal to the Supreme Court are very slim indeed. He has not yet, at the time of writing, decided whether or not to make such an appeal.<br />
<br />
It’s not the facts of what happened yesterday that matters to me, but the implications – and in particular, the reactions from so many people interested in Assange, in Wikileaks, in freedom of information, in combating secrecy, in the potential liberating power of the internet and so forth. For far too many of them, in my opinion, all these issues have been far to closely linked. We need to separate out the different issues. Julian Assange is not Wikileaks, and Wikileaks is not Julian Assange. Freedom of information and the fight against government and corporate secrecy and power is not dependent on Wikileaks, let alone on Julian Assange himself. We need to be able to separate the issues, and to think clearly about them. We need to be able to fight the right battles, not the wrong ones.<br />
<br />
There are many people who, like me, are very much in support of the aims of Wikileaks, and who see the liberating potential of the internet as one of the most important things to emerge in recent times (without understating the reverse – the potential for the internet to be used for oppression and control, as so ably set out by Evgeny Morozov and others), but who, at the same time, support the concept of the rule of law, where that law is both appropriate and proportionate. I want open government, liberal government, accountable government – not no government at all. I don’t want personality cults, I don’t want anyone to be above the law, whether they are ‘good guys’ or ‘bad guys’. For me, that means I want Assange to face his accusers, and I want to be able to find out whether he is guilty or not.<br />
<br />
Assange has already lost a lot of supporters in Sweden –<a href="http://www.guardian.co.uk/commentisfree/2011/nov/02/assange-hero-zero-swedes-pitiable"> as this Swedish commentator points out</a> – by attacking both their legal system in relation to sexual offences and their apparent willingness to extradite easily to the US. For me, both of these accusations need to be looked at very carefully. Most people who have studied the way that sexual offences – and in particular accusations of rape – have been treated historically in the courts should recognise that women have generally got a very raw deal indeed. The way that the Swedish system has attempted to at least to start to rectify this balance is one that should be applauded and supported, not attacked or even vilified, in the way that some supporters of Assange seem to have done – ‘the Saudi Arabia of Feminism’ is one of the descriptions put forward. Such attacks are not justified or in any way appropriate – at least not to me.<br />
<br />
And are Sweden really more likely to extradite Assange to the US than we are in the UK? It seems unlikely, as <a href="http://www.forbes.com/sites/andygreenberg/2011/11/02/why-julian-assange-might-be-better-off-in-sweden/">Andy Greenberg’s report in Forbes suggests</a>. The UK doesn’t have a good record in resisting such requests – and given all the publicity it seems highly unlikely that the Swedish would let such a thing happen on their watch. Moreover, the Swedish system would require dual criminality for an extradition to occur – that is, the offence committed has to be a crime both in the country seeking extradition and in Sweden itself. Assange’s ‘offenses’ would not easily be shoehorned into that description. Either way, it’s hard to see an extradition occurring from Sweden – extradition from the UK seems far more likely.<br />
<br />
There's one further point about the Swedish system - one that seems to have been missed by many of his supporters. It’s not really true that ‘no charges’ have been brought. As the judge pointed out in yesterday’s ruling, the Swedish system is different to that in the UK, and ‘charges’ are only brought at a very late stage, with a trial to follow almost immediately. The Swedish investigation has gone past the point where, in the UK, US or Australian investigation, charges would have been brought. Implications that the opposite true are really not helpful.<br />
<br />
When I’ve suggested either that Assange was likely to get a fair trial in Sweden or that extradition to the US was unlikely, many people have shot me down, suggesting that there would be a stitch up between the Swedish and US authorities, that the charges were trumped up to start with – ultimately that there is a great conspiracy to bring Assange down. I don’t find the latter that difficult to believe – there are certainly some very bad things happening in relation to Wikileaks, and the approach used to try to squeeze the life out of them through the financial blockade is one of the most reprehensible and dangerous developments of recent years. However, if that conspiracy extends to ‘trumped up’ charges of rape and sexual assault on Assange, then for me that actually provides an opportunity, not a threat.<br />
<br />
That’s where the rub comes. If Assange is guilty, then he should face the charges and receive appropriate punishment. If he’s innocent – and in particular if he’s the victim of a conspiracy-based set-up – then by facing the charges, by going through a legal process, he can prove that, and even expose the conspiracy. I’m not saying that I believe either way – neither I, nor the vast majority of either his supporters or his enemies know enough to know that. If he’s guilty, he wouldn’t be the first man to have abused his position of celebrity and power to behave inappropriately. If he’s innocent, he wouldn’t be the first innocent man accused in this way – or the first set up by his enemies.<br />
<br />
For me, though, if you support the kinds of things that Wikileaks supports – exposing the truth, holding the powerful to account, moving towards a better, more open, more liberal future – you should want all this to be out in the open too. That means letting Assange go to Sweden, and it means refraining from the very smear tactics that his opponents use in relation to the Swedish judicial system. There are many, many things to be concerned about in relation to the treatment of Wikileaks, and indeed of Assange – but yesterday’s ruling, almost certainly correct from a legal perspective as bloggers like the <a href="http://ukhumanrightsblog.com/2011/11/02/julian-assange-loses-high-court-appeal-against-extradition/">excellent Adam Wagner have made clea</a>r, is not one of them.<br />
<br />
Whether Assange is guilty or not, and whether he’s found guilty or not, supporters of freedom of information – and supporters of Wikileaks – should try not to tie his personal issues with the broader, more important issues that Wikileaks has raised. They’re not intrinsically and inextricably linked – and if we let them be, we’re playing into the hands of the very groups that we should be opposing.<br />
<div>
<br /></div>Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com3tag:blogger.com,1999:blog-7558636046189251768.post-31517764951419033992011-10-25T10:32:00.001+01:002011-10-25T10:32:37.565+01:00Search Engines, Search Engine Optimisation - and us!<br />
Last week, Google announced that it was making <a href="http://googleblog.blogspot.com/2010/05/search-more-securely-with-encrypted.html">SSL encryption the default on all searches for ‘signed in’ people</a>. They announced it as a move towards better security and privacy, and some people (myself included) saw it as a small but potentially significant step in the right direction. Almost as soon as the announcement was out, however, stories saying exactly the opposite began to appear: the blogosphere was abuzz. One of the more notable – one that was tweeted around what might loosely be described as ‘privacy circles’ came in the Telegraph. <a href="http://www.telegraph.co.uk/technology/google/8836415/Google-is-selling-your-privacy-for-a-price.html">“Google is selling your privacy at a price” </a>was the scary headline.<br />
<br />
So who was right? Was it a positive move for privacy, or another demonstration that Google doesn’t follow its own mantra about doing evil? Perhaps, when you look a little deeper, it was neither – and both Google and those who wrote stories like that in the Telegraph have another agenda. Perhaps it’s not what happened with SSL, but that agenda that we should be concerned about. The clue comes from looking a bit closer at who wrote the story in the Telegraph: Rob Jackson, who is described as ‘the MD of Elisa DBI, a digital business measurement and optimisation consultancy’. That is, he comes from the Search Engine Optimisation (SEO) industry. What’s happening here isn’t really much to do with privacy as far as either Google or the SEO industry – it’s just another episode in the cat-and-mouse story between search engines and those who want to ‘manipulate’ them, a story that’s been going on since search engines first appeared. The question is, how do we, the ordinary citizens of cyberspace, fit into that story. Do we benefit from the ongoing conflict and tension between the two, a tension which brings about developments both on both a technological and business level – or are we, as some think is true in much of what goes on in cyberspace, just being used to make money by all concerned, and our privacy and autonomy is neither here nor there?<br />
<br />
<b>What’s really going on?</b><br />
<br />
As far as I can see, the most direct implication of the implementation of SSL encryption is that Google are preventing webmasters of sites reached through a Google search – and SEOs – from seeing the search term used to find them. Whether those webmasters – let alone the SEOs – have any kind of ‘right’ to know how they were found is an unanswered question, but for the webmasters it is an annoyance at least. For SEOs, on the other hand, it could be a major blow, as it undermines a fundamental part of the way that they work. That, it seems to me, is why they’re so incensed by the move – it makes their job far harder to do. Without having at least some knowledge of which search term produces which result, how can they help sites to be easier to find? How can they get your site higher on the search results, as they often claim to be able to do?<br />
<br />
I have little doubt that they’ll find a way – historically they always have. With every new development of search there’s been a corresponding development by those who wish to get their sites – or more directly the sites of their clients – higher up the lists, from choosing particular words on the sites to the use of metatags right up to today’s sophisticated SEOs. Still, it’s interesting that the story that they’ve been pushing out is that Google is ‘selling your privacy for a price’. That in itself is somewhat misleading. A more honest headline might have been:<br />
<br />
<i>‘Google is STILL selling your privacy for a price, but now they’re trying to stop us selling it too!’</i><br />
<br />
Google has, in many ways, always been selling your private information – that’s how their business model works, using the terms you use to search in order to target their advertising – but with the SSL move they’ve made it harder for others to use that information too. They themselves will still know the search terms, and seems to still be ‘selling’ the terms to those using their AdWords system – but that’s what they’ve pretty much always done, even if many people have remained blissfully unaware that this was what was happening.<br />
<br />
There’s another key difference between Google and the SEOs – from Google, we do at least get an excellent service in exchange for letting them use our search terms to make money. Anyone who remembers the way we used to navigate the web before Google should acknowledge that what they do makes our online lives much faster and easier. There’s an exchange going on, an exchange that is at least to an extent mutually beneficial. It's part of the symbiotic relationship between the people using the internet and the businesses who run the fundamental services of the internet that is described in my theory of <a href="http://www.paulbernal.co.uk/symbiotic-web.html">The Symbiotic Web</a>. With SEOs, the question is whether we – <i>particularly in our capacity as searchers</i> – are actually benefiting at all.<br />
<br />
<b>The business of Search Engine Optimisation</b><br />
<br />
Who DOES benefit from the work of SEOs? Their claims are bold. As Rob Jackson puts it in the Telegraph article:<br />
<br />
<i>“One leading SEO professional told me that Google is essentially reverse-engineered by the the SEO professionals around the world. If they were all to stop at once, Google wouldn't be able to find its nose.”</i><br />
<br />
It’s a bold claim, but I suspect that people within Google would be amused rather than alarmed by the idea. Do we, as users, benefit from the operations of SEOs? On the face of it, it appears unlikely: searchers want to find the sites most relevant and useful to them, not the sites whose webmasters have employed the best SEOs to optimise their sites. Excellent and relevant sites and services get pushed down the search list by less good and less helpful sites who have used the most advanced and effective SEO techniques. And it’s our information, our search terms, that are being used by the SEOs.<br />
<br />
There is, however, another side to the business, and one that’s growing in significance all the time. The idea that we are just ‘searchers’ looking round the web for information and interesting things is outdated, at least for a fair number of us. We also blog, we have our own private sites – and often our own ‘business’ sites. And we want our blogs to be read, our sites to be found – and how can this happen unless there is a way for them to be found.<br />
<br />
SEOs might say that this is where they come in, this is where they can help us – and this might well be true to an extent. I for one, however, would like my sites to be judged on their merits, read because they’re worth reading and not just because I’ve employed a bit of a wizard to do the optimisation. I’d like search to be fair – I don’t want my services to be at a disadvantage either to those who have a commercial tie-in with Google or to those who are paying a better SEO than mine. I want a right to be found – when I want to be found.<br />
<br />
Do I have a right like that? Should I have a right like that? Cases like the Foundem case have asked that, but I don’t think we yet have an answer, or at least what answers we have have been inconclusive and hardly heard. Perhaps we should be asking it a bit more loudly.<br />
<div>
<br /></div>Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com3tag:blogger.com,1999:blog-7558636046189251768.post-52512135617634413202011-10-20T09:24:00.002+01:002011-10-20T12:43:23.567+01:00Goo goo google's tiny steps towards privacy...<div>
Things seem to be hotting up in the battle for privacy on the internet. Over the last few days, Google have made three separate moves which look, on the surface at least, as though they're heading, finally, in the right direction as far as privacy is concerned. Each of the moves could have some significance, and each has some notable drawbacks - but to me at least, it's what lies behind them that really matters.</div>
<div>
<br /></div>
<div>
The first of the three moves was the announcement on October 19th, that <a href="http://www.theregister.co.uk/2011/10/19/google_default_ssl/">for signed in users, Google was now adding end-to-end (SSL) encryption for search</a>. I'll leave the technical analysis of this to those much more technologically capable than me, but the essence of the move is that it adds a little security for users, making it harder to eavesdrop on a user's seating activities - and meaning that when someone arrives at a website after following a google search, the webmaster of the site arrived at will know that the person arrived via google, but not the search term used to find them. There are limitations, of course, and Google themselves still gather and store the information for their own purposes, but it is still a step forward, albeit small. It does, however, only apply to 'signed in' users - which cynics might say is even more of a drawback, because by signing in a user is effectively consenting to the holding, use and aggregation of their data by Google. The Article 29 Working Party, the EU body responsible for overseeing the data protection regime, differentiates very clearly between signed-in and 'anonymous' (!) users of the service in terms of complying with consent requirements - Google would doubtless very much like more and more users to be signed in when they use the service, if only to head off any future legal conflicts. Nonetheless, the implementation of SSL should be seen as a positive step - the more that SSL is implemented in all aspects of the internet, the better. It's a step forward - but a small one.<br />
<br />
There have also been suggestions (e.g. in <a href="http://www.telegraph.co.uk/technology/google/8836415/Google-is-selling-your-privacy-for-a-price.html">this article in the Telegraph</a>) that the move is motivated only by profit, and in particular to make Google's AdWords more effective at the expense of techniques used by Search Engine Optimisers, who with the new system will be less able to analyse and hence optimise. There is something to this, no doubt - but it must also be remembered first of all that pretty much every move of Google is motivated by profit, that's the nature of the beast, and secondly that a lot of the complaints (including the Telegraph article) come from those with a vested interest in the status quo - the Search Engine Optimisers themselves. Of course profit is the prime motivation - but if profit motives drive businesses to do more privacy-friendly things, so much the better. That, as will be discussed below, is one of the keys to improving things for privacy.</div>
<div>
<br /></div>
<div>
The second of the moves was the launch of <a href="http://www.google.co.uk/goodtoknow">Google's 'Good to know'</a>, a 'privacy resource centre', intended to help guide users in how to find out what's happening to their data, and to use tools to control that data use. Quite how effective it will be has yet to be seen - but it is an interesting move, particularly in terms of how Google is positioning itself in relation to privacy. It follows from the much quieter and less user-friendly Google Dashboard and Google AdPreferences, which technically gave users quite a lot of information and even some control, but were so hard to find that for most intents and purposes they appeared to exist only to satisfy the demands of privacy advocates, and not to do anything at all for ordinary users. 'Good to know' looks like a step forward, albeit a small and fairly insubstantial one.</div>
<div>
<br /></div>
<div>
The third move is the one that has sparked the most interest - the announcement by Google executive Vic Gundotra that social networking service Google+ will 'begin supporting pseudonyms and other types of identity.' The Electronic Frontier Foundation immediately claimed <a href="https://www.eff.org/deeplinks/2011/10/victory-google-surrenders-nymwars">'victory in the nymwars'</a>, suggesting that Google had 'surrendered'. Others have taken a very different view - as we shall see. The 'nymwars' as they've been dubbed concern the current policies of both Facebook and Google to require a 'real' identity in order to maintain an account with them - a practice which many (myself definitely included) think is pernicious and goes against the very things which have made the internet such a success, as well as potentially putting many people at real risks in the real world. The Mexican blogger who was killed and decapitated by drugs cartels after posting on an anti-drugs website is perhaps the most dramatic example of this, but the numbers of people at risk from criminals, authoritarian governments and others is significant. To many (again, myself firmly included), the issue of who controls links between 'real' and 'online' identities is one of the most important on the internet in its current state. The 'nymwars' are of fundamental importance - and so, to me, is Google's announcement.</div>
<div>
<br /></div>
<div>
Some have greeted it with cynicism and anger. One <a href="http://www.jwz.org/blog/2011/10/eff-declares-premature-victory-in-nymwars/">blogger put it bluntly</a>:</div>
<div>
<br /></div>
<div>
<div>
<i>"Google's statement is obvious bullshit, and here's why. The way you "support" pseudonyms is as follows: </i><i>Stop deleting peoples' accounts when you suspect that the name they are using is not their legal name.</i></div>
<div>
<i><br /></i></div>
<div>
<i>There is no step 2."</i></div>
</div>
<div>
<br /></div>
<div>
The EFF's claims of 'victory' in the nymwars is perhaps overstated - but Google's move isn't entirely meaningless, nor is it necessarily cynical. Time will tell exactly what Google means by 'supporting pseudonyms', and whether it will really start to deal with the problems brought about by a blanket requirement for 'real' identities - but this isn't the first time that someone within Google has been thinking about these issues. Back in February, Google's 'Director of Privacy, Product and Engineering' wrote a blog for the Google Policy Blog called '<a href="http://googlepublicpolicy.blogspot.com/2011/02/freedom-to-be-who-you-want-to-be.html">The freedom to be who you want to be...'</a>, in which she said that Google recognised three kinds of user: 'unidentified', pseudonymous and identified. It's a good piece, and well worth a read, and shows that within Google these debates must have been going on for a while, because the 'real identity' approach for Google Plus has at least in the past been directly contrary to what Whitten was saying in the blog.</div>
<div>
<br /></div>
<div>
That's one of the reasons I think Vic Gundotra's announcement is important - it suggests that the 'privacy friendly' people within Google are having more say, and perhaps even winning the arguments. When you combine it with the other two moves mentioned above, that seems even more likely. Google may be starting to position itself more firmly on the 'privacy' side of the fence, and using privacy to differentiate itself from the others in the field - most notably Facebook. To many people, privacy has often seemed like the last thing that Google would think about - that may be finally changing.</div>
<div>
<br /></div>
<div>
4Chan's Chris Poole, in a <a href="http://www.informationweek.com/news/231900986">brilliant speech to the Web 2.0 conference on Monday</a>, challenged Facebook, Google and others to start thinking of identity in a more complex, nuanced way, and suggested that Facebook and Google, with their focus on real identities, had got it fundamentally wrong. I agreed with almost everything he said - and so, I suspect, did some of the people at Google. The tiny steps we've seen over the last few days may be the start of their finding a way to make that understanding into something real. At the very least, Google seem to be making a point of saying so.</div>
<div>
<br /></div>
<div>
That, for me, is the final and most important point. While Google and Facebook, the two most important players in the field, stood side by side in agreement about the need for 'real' identities, it was hard to see a way to 'defeat' that concept, and it felt almost as though victory for the 'real' identities side was inevitable, regardless of all the problems that would entail, and regardless of the wailing and gnashing of teeth of the privacy advocates, hackers and so forth about how wrong it was. If the two monoliths no longer stand together, that victory seems far less assured. If we can persuade Google to make a point of privacy, and if that point becomes something that brings Google benefits, then we all could benefit in the end. The nymwars certainly aren't over, but there are signs that the 'good guys' might not be doomed to defeat.</div>
<div>
<br /></div>
<div>
Google is still a bit of a baby as far as privacy is concerned, making tiny steps but not really walking yet, let alone running. In my opinion, we need to encourage it to keep on making those tiny steps, applaud those steps, and it might eventually grow up...<br />
<br />
UPDATED TO INCLUDE REFERENCE TO SEOS...</div>Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com1tag:blogger.com,1999:blog-7558636046189251768.post-32867151705604817632011-10-18T10:35:00.002+01:002011-10-18T10:38:32.963+01:00Privacy is personal...My real interest in privacy - and specifically internet privacy - arose a little over ten years ago. Something happened to me that change the way I thought about the whole issue - something personal, something direct. Up until that point I hadn't really thought much about privacy, though I'd been involved with the online world from a very early stage, setting up projects to provide rural communities with access to information, and trying to provide online education to housebound children in the mid 1990s - not exactly cutting edge stuff, but not too far from it. I'd also been involved in human rights work - most directly children's rights - but I'd never thought much about privacy. To me, then, just as to many people now, it just didn't feel important, particularly compared to the problems happening all over the world. 911 had just happened, and war was in the air.<br />
<br />
I was living in New Zealand when the US invaded Afghanistan - and I was deeply concerned about the consequences of that action. I wrote about my concern in an email to a friend, also in New Zealand, and in that email I was at least partially critical of US foreign policy. I even mentioned Israel at one point. Some time over the next three hours, my email account became inaccessible.<br />
<br />
At the time I was using a free email account - one of the big ones - that I had set up whilst in the US a few years earlier. A '.com' email account. As I was living in a very isolated part of New Zealand, this email account was one of my few links to the outside world. It had all my contacts' details, and all the messages I had sent and received for a long time - and I had been foolish enough not to keep written records elsewhere of a lot of the details. At first I thought it was just a blip, an accident - and I set up another email account and wrote to the service provider asking what had happened to my account, whether the password had been accidentally reset or something else. I was met with terse replies saying that the account had been terminated for a breach of contract terms. Friends told me to give up, and go with the new account - but I'm not that kind of person. I kept on badgering them, trying to find out what was going on. I hadn't yet thought that it might be connected with the email that I'd sent. Eventually I got a message saying that I had been using the email for commercial purposes, which is why it had been cancelled - which was absurd, as anyone who knew my financial position at the time would know. Then, about six months later, they reinstated the account, minus all the content, contacts and so forth.<br />
<br />
Now of course I have no evidence to prove that the account was cancelled because of that particular email - it may indeed just have been a mistake, the account may even have been hacked into (though such things were much rarer in those days), but even the suspicion was enough to disturb me enormously, and set me on the path that I'm still on today. I started asking how it could have happened, what happens to emails, how easily they can be read, how my privacy might have been invaded. The more I investigated, the more I uncovered, the more interested I became - and it ended up changing my whole life. The perceived invasion of privacy - in a sense it doesn't even matter if it was real - was so personal that it cut me to the quick.<br />
<br />
Back then I had had very little to do with the law - my degree was in mathematics, I qualified as an accountant and worked with technology, not the law. Now, as a result of following this path, I'm a lecturer in a law school at a good university, have published research and submitted a PhD on the subject of data privacy - and it seems even more relevant than it did ten years ago, as the online world has expanded and become more and more intrinsically linked with everything we do. Invasions of privacy do matter - whatever the likes of Mark Zuckerberg might think - and they matter because they're deeply personal, and touch the parts of us that we really care about.Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com0tag:blogger.com,1999:blog-7558636046189251768.post-62414276367888876342011-10-14T10:48:00.002+01:002011-10-14T10:48:39.179+01:00Business and Privacy: Evidence and Assumptions?I came across a couple of stories yesterday that at first glance appeared unconnected, dealing with difference aspects of the current privacy debates concerning the internet. One comes from one side of the Atlantic, the other from the other. One deals with the 'fight' against piracy, the other with the current favourite of the online advertising industry, behavioural targeting. Very different issues - but they do have something in common: an inherent assumption that business success should take precedence over individual rights and freedoms.<br />
<br />
The first issue was the revelation, through a Freedom of Information Request by the admirable Open Rights Group, that the Department of Culture, Media and Sport had no evidence to support their strategies to reduce the infringement of copyright by websites - you can see their report on the issue <a href="http://www.openrightsgroup.org/blog/2011/the-need-for-evidence">here</a>.<br />
<br />
The second came from my following of the House Energy and Commerce Committee hearing in Washington, about consumer privacy and online behavioural advertising - a hearing at least on the surface intended to consider consumer concerns, but which by the sound of it had a lot more to do with industry putting their case to avoid regulation. I followed on twitter, and remember one particular call from a regular and respected tweeter from the US who demanded evidence before regulation is considered. Specifically, he wanted evidence as to how much of the advertising economy depended on behavioural targeting - the underlying suggestion being, presumably, that we shouldn't regulate if it would have too significant an impact on revenue streams.<br />
<br />
There are two different ways to look at the two stories. You can look at them as a reflection of the different attitudes to regulation on the two sides of the Atlantic - in England we're rushing to regulate, while in the US regulation is to be avoided unless absolutely necessary. Alternatively, however, you can look at them as a reflection of the way that business needs are set above individual rights and freedoms.<br />
<br />
<b>Copyright and piracy....</b><br />
<br />
The Open Rights Group's request was in relation to the proposals in the Digital Economy Act, but that Act is just one of many measures introduced over the years to combat 'piracy', although the evidence in support of any of them has generally been conspicuous by its absence. That applies both to evidence to suggest that the problem is as bad as the industry suggests and to the efficacy of the measures being proposed to combat it. Does piracy cause a massive loss of revenue to rights holders? Perhaps, but the suggestions over the years that every illegally downloaded song is a lost sale is far from convincing, and the idea that listening to something illegally might even lead to further legal sales seems to have merit too. The massive success of iTunes suggests that carrots rather than sticks might be more effective - indeed, recent reports from <a href="http://www.telegraph.co.uk/technology/6513919/Spotify-helps-curb-music-piracy.html">Sweden showing that piracy had reduced as Spotify had been introduced</a> adds weight to this idea.<br />
<br />
The Open Rights Group's FOI request was about the effectiveness of the proposals - and the DCMS effectively acknowledged that they have no evidence about it. So we have proposals for measures about which there is no evidence, to address an issue about which evidence is scanty to say the least... and yet on that basis we're willing to put restrictions on individuals' freedoms, potentially apply censorship, and even cut off people's internet access as a result. That same internet access that is increasingly regarded as a human right.<br />
<br />
The Digital Economy Act is one thing, but there's something else looming on the horizon of even more concern: the Anti-Counterfeiting Trade Agreement (ACTA), whose measures are potentially even more draconian than those in the DEA, and whose scope is even more all-encompassing. The US has already signed it - somewhat against the suggestion that the US prefers not to regulate where possible - and the EU may well sign it soon, though it still needs to pass through the European Parliament, and lobbying of MEPs is underway on both sides.<br />
<br />
<b>Behavioural advertising...</b><br />
<br />
Legislation on behavioural advertising has already taken place in Europe, with the notorious 'Cookies Directive', <a href="http://symbioticweb.blogspot.com/2011/06/out-of-mouths-of-europeans.html">about which I've written before</a> - but the implementation, enforcement and acceptance of that directive has proved troublesome from the outset, and whether it ends up being at all meaningful has yet to be seen. Legislation in the US is what is currently under discussion, and what is being keenly resisted by the advertising industry and others. 'Show us the evidence' is the call - and until that evidence is shown, advertisers should be able to do whatever they want.<br />
<br />
Evidence in relation to privacy is a contentious issue in lots of ways. Demonstrating 'harm' from an invasion of privacy is difficult, partly because each individual invasion isn't likely to be significant - particularly in respect of mundane tracking of websites browsed and so forth - and partly because the 'harm' is generally intangible, and far from easily turned into something easily quantifiable. Some people suggest that we should treat our personal information like a commodity, akin in some ways to intellectual property, but for me that fails to capture the real essence of privacy. I don't want to put a 'value' on my personal data, any more than I want to put a value on each of my fingers, or on my relationships with my friends and family. It's something different, and needs protecting as something different. I shouldn't need to prove the 'harm' done by that data being at risk - the loss of it, or loss of control over it, is a harm in itself.<br />
<br />
That isn't all - not only does there appear to be an expectation that we should prove harm, but that even if there IS harm, we've got to prove that we wouldn't be damaging the advertisers' businesses too much. If their businesses would be harmed too much, we shouldn't put regulations in place....<br />
<br />
<b>Two different situations - but the same assumptions</b><br />
<br />
In the copyright scenario, we're having our freedom restricted and our privacy invaded without real evidence to support what's happening. In the behavioural advertising scenario, we're having our privacy invaded and we're being asked to prove that there's a problem before any restrictions are placed - and, what's more, we're being asked to prove that we wouldn't damage business too much.<br />
<br />
In both cases, it's the individuals who lose out. Business takes priority, and individuals rights, particularly in respect of privacy, are overridden. Where businesses perceive there are problems (as in the copyright scenario), they're not asked for proof - but where individuals perceive there are problems, they're asked for proof in ways that are inappropriate and unattainable. Shouldn't the situation be exactly the other way around? Shouldn't individuals' rights be considered above the business models of corporations? Shouldn't the burden of proof work in favour of individuals against businesses, rather than the other way around? Of course that's a difficult argument to make in economically troubled times - but it's an argument that in my opinion needs to be made, and made strongly.Paul Bernalhttp://www.blogger.com/profile/04328860700793073068noreply@blogger.com0