The Symbiotic Web blog

What Muad’Dib can teach us about personal data…

2012-02-12T10:53:00.003Z

With all the current debate about the so-called 'right to be forgotten', I thought I'd post one of my earlier, somewhat less than serious takes on the matter. A geeky take. A science fiction take...

I've written about it before in more serious ways - both in blogs (such as the two part one on the INFORRM blog, part 1 here and part 2 here) and in an academic paper (here, in the European Journal of Law and Technology) - and I've ranted about it on this blog too ('Crazy Europeans!?!').

This, however, is a very different take - one I presented at the GiKii conference in Gothenburg last summer. In it I look back at that classic of science fiction, Dune. There's a key point in the book, a key issue in the book, that has direct relevance to the issue of personal data. As the protagonist, Paul-Muad'Dib, puts it:

“The power to destroy a thing is the absolute control over it."

In the book, Muad'Dib has the power to destroy the supply of the spice 'Melange', the most valuable commodity in the Dune universe. In a similar manner, if a way can be found for individuals to claim the right to delete personal data, control over that data can begin to shift from businesses and governments back to the individuals.

Here's an animated version of the presentation I gave at Gikii...

This is what it's supposed to suggest...

Melange in Dune

In Frank Herbert’s Dune series, the most essential and valuable commodity in the universe is melange, a geriatric drug that gives the user a longer life span, greater vitality, and heightened awareness; it can also unlock prescience in some humans, depending upon the dosage and the consumer's physiology. This prescience-enhancing property makes safe and accurate interstellar travel possible. Melange comes with a steep price, however: it is addictive, and withdrawal is fatal.

Personal data in the online world

In our modern online world, personal data plays a similar role to the spice melange. It is the most essential and valuable commodity in the online world. It can give those who gather and control it heightened awareness, and can unlock prescience (through predictive profiling). This prescience enhancing property makes all kinds of things possible. It too comes with a steep price, however: it is addictive, and withdrawal can be fatal – businesses and governments are increasingly dependent on their gathering, processing and holding of personal data.

What we can learn from Muad’Dib

For Muad'Dib to achieve ascendency, he had to assert control over the spice - we as individuals need to assert the same control over personal data. We need to assert our rights over the data - both over its 'production' and over its existence afterwards. The most important of these rights, the absolute control over it, is the right to destroy it – the right to delete personal data. That's what the right to be forgotten is about - and what, in my opinion, it should be called. If we have the right to delete data - and the mechanisms to make that right reality - then businesses and governments need to take what we say and want into account before they gather, hold or use our data. If they ride roughshod over our views, we'll have a tool to hold them to account...

The final solution, as for Arrakis, the proper name for the planet known as 'Dune', should be a balance. Production of personal data should still proceed, just as production of spice on Arrakis could still proceed, but on our own terms, and to mutual benefit. Most people don't want a Jihad, just as Paul Atreides didn't want a Jihad – though some may seek confrontation with the authorities and businesses rather than cooperation with them. In Dune, Paul Muad’Dib was not strong enough to prevent that Jihad – and though there has certainly been a ramping up of activism and antagonism over the last year or two, it should be possible to prevent it. If that is to happen, an assertion of rights, and in particular rights over the control over personal data, could be a key step.

A question of control - not of censorship

Looked at from this direction, the right to be forgotten (which I still believe is better understood as a right to delete) is not, as some suggest, about censorship, or about restricting free expression. Instead, it should be seen as a salvo in a conflict over control – a move towards giving netizens more power over the behemoths who currently hold sway.

If people are too concerned about the potential censorship issues - and personally I don't think they should be, but I understand why they are - then perhaps they can suggest other ways to give people more control over what's happening. Right now, as things like the Facebook 'deleted' photos issue I blogged about last week suggest, those who are in control don't seem to be doing much to address our genuine concerns....

Otherwise, they might have to deal with the growing power of the internet community...

Do you want a camera in your kid's bedroom??

2012-02-07T09:36:00.003Z

This morning's disturbing privacy story is the revelation that live feeds from thousands of 'home security cameras' run by the US company Trendnet have been 'breached', allowing anyone on the net access to video feeds, without the need for a password. It was reported in the BBC here, by their technology reporter Leo Kelion.

It's a disturbing tale. As Kelion describes it:

"Internet addresses which link to the video streams have been posted to a variety of popular messageboard sites. Users have expressed concern after finding they could view children's bedrooms among other locations. US-based Trendnet says it is in the process of releasing updates to correct a coding error introduced in 2010."

The internet being what it is, news of the problem seems to have spread faster than Trendnet has been able to control it. This is from Kelion's piece again:

"Within two days a list of 679 web addresses had been posted to one site, and others followed - in some cases listing the alleged Google Maps locations associated with each camera. Messages on one forum included: "someone caught a guy in denmark (traced to ip) getting naked in the bathroom." Another said: "I think this guy is doing situps."

One user wrote "Baby Spotted," causing another to comment "I feel like a pedophile watching this".

A cautionary tale, one might think, and to privacy people like me a lot of questions immediately come to mind. Many of them, particularly the technical ones, have been answered in Kelion's piece. There is one question, however, that is conspicuous by its absence from Kelion's otherwise excellent piece: what are the cameras doing in children's bedrooms in the first place? Is it normal, now, to have this kind of level of surveillance in our private homes? In our children's bedrooms?

I asked Kelion about this on twitter, and his initial (and admirably instant) response was that security cameras were nothing new, but the breach in the feeds was. That was news, the presence of the cameras was not. That set me thinking - and made me write this blog. Is he right? Should we just 'accept' the presence of surveillance even in our most intimate and private places? The success of companies like Trendnet suggests that many thousands of people do accept it - but I hope that millions more don't. I also hope that an affair like this will make some people think twice before installing their own 'private' big brother system.

Surveillance is a double-edged sword. Just as any data on the internet is ultimately vulnerable, so is any data feed - the only way for data not to be vulnerable is for it not to exist. Those parents wanting to protect their children from being watched in the internet have a simple solution: don't install the cameras in the first place!

It's the same story over and over again in the world of privacy and surveillance. We build systems, gather data, set up infrastructures and then seem shocked and amazed when they prove vulnerable. It shouldn't be a surprise... we should think before we build, think before we design, think before we install...

Facebook, Photos and the Right to be Forgotten

2012-02-06T11:58:00.004Z

Another day, another story about the right to be forgotten. This time it's another revelation about how hard it is to delete stuff from Facebook. In this case it's photos - with Ars Technica giving an update on their original story from 2009 about how 'deleted' photos weren't really deleted. Now, according to their new story, three years later, the photos they tried to remove back then are STILL there.

The Ars Technica story gives a lot more detail - and does suggest that Facebook are at least trying to do something about the problem, though without much real impact at this stage. As Ars Technica puts it:

"....with the process not expected to be finished until a couple months from now—and unfortunately, with a company history of stretching the truth when asked about this topic—we'll have to see it before we believe it."

I'm not going to try to analyse why Facebook has been so slow at dealing with this - there are lots of potential reasons, from the technical to the political and economic - but from the perspective of someone who's been watching developments over the years one thing is very important to understand: this slowness and apparent unwillingness (or even disinterest) has had implications. Indeed, it can be seen as one of the main drivers behind the push by the European Union to bring in a 'right to be forgotten'.

I've written (and most recently ranted in my blog 'Crazy Europeans') about the subject many times before, but I think it bears repeating. This kind of legislative approach, which seems to make some people in the field very unhappy, doesn't arise from nothing, just materialising at the whim of a few out-of-touch privacy advocates or power-hungry bureaucrats. It emerges from a real concern, from the real worries of real people. As the Ars Technica article puts it:

"That's when the reader stories started pouring in: we were told horror stories about online harassment using photos that were allegedly deleted years ago, and users who were asked to take down photos of friends that they had put online. There were plenty of stories in between as well, and panicked Facebook users continue to e-mail me, asking if we have heard of any new way to ensure that their deleted photos are, well, deleted."

When people's real concerns aren't being addressed - and when people feel that their real concerns aren't being addressed - then things start to happen. Privacy advocates bleat - and those in charge of regulation think about changing that regulation. In Europe we seem to be more willing to regulate than in the US, but with Facebook facing regular privacy audits from the FTC in the US, they're going to have to start to face up to the problem, to take it more seriously.

There's something in it for Facebook too. It's in Facebook's interest that people are confident that their needs will be met. What's more, if they want to encourage sharing, particularly immediate, instinctive, impulsive sharing, they need to understand that when people do that kind of thing they can and do make mistakes – and they would like the opportunity to rectify those mistakes. Awareness of the risks appears to be growing among users of these kinds of system – and privacy is now starting to become a real selling point on the net. Google and Microsoft's recent advertising campaigns on privacy are testament to that - and Google's attempts to portray its new privacy policy as something positive are quite intense.

That in itself is a good sign, and with Facebook trying to milk as much as they can from the upcoming IPO, they might start to take privacy with the seriousness that their users want and need. Taking down photos when people want them taken down - and not keeping them for years after the event - would be a good start. If it doesn't happen soon, and isn't done well, then Facebook can expect an even stronger push behind regulation like the Right to be Forgotten. If they don't want this kind of thing, then they need to pre-empt it by implementing better privacy, better user rights, themselves.

Phorm - a chapter closes?

2012-01-28T13:23:00.001Z

Another chapter of the long-running Phorm saga seems to have come to a close, with the announcement by the European Commission that they have closed the infringement case with the UK about their implementation of rules on privacy in electronic communications. In order to get this closure, the UK had, in the words of the Commission press release

'amended its national legislation so as not to allow interception of users' electronic communications without their explicit consent, and established an additional sanction and supervisory mechanism to deal with breaches of confidentiality in electronic communications.'

This case came about as a result of the big mess that the UK government got into over Phorm - something which I've written about both academically and in blogs on more than one occasion before. In essence, the government decided to back Phorm, a business which privacy advocates and others had been telling them from the very beginning was deeply problematic, and that decision backfired pretty spectacularly. The amount of egg that ended up on government faces as a result of the affair was pretty spectacular. The action of the Commission was a direct result of the admirable work of campaigners like Alexander Hanff at Privacy International, drawing on the excellent investigatory analysis by the University of Cambridge Computer Lab's Richard Clayton and the legal work of Nicholas Bohm for the Foundation for Information Policy Research - work that was effectively in direct opposition to the government. This work led to questions to the commission, upon which the commission acted, as well as, more directly, to the collapse of the Phorm business model as its business allies deserted it and opposition from the public became clearer and clearer.

Phorm's business model was particularly pernicious from a privacy perspective. They took behavioural advertising (which is problematic in most of its forms) to an extreme, monitoring people's entire browsing behaviour by intercepting each and every click made as you browse, in order to build up a profile which they then used to target advertising. All this without real consent from the user, or at least so it appeared, and indeed without the consent of the owners of the websites to whom these intercepted instructions were intended to be sent. As a model it appeared to break not only laws but people's ideas about being under surveillance - Orwellian in the extreme. It failed here - thanks to the resistance noted above - and has since failed again in South Korea, and appears to be failing in Romania (about which I've blogged before) and Brazil, the three places that Phorm's backers have tried it since. In each case, it looks as though people's resistance has been a key....

There are lessons to learn for all concerned:

1) Those of us advocating and campaigning for privacy can take a good deal of heart from the whole affair - essentially, we won, stopping the pernicious Phorm business model and forcing the UK government not just to back down but to change the law in ways that, ultimately, are more 'privacy-friendly'. 'People power' proved too strong for both business and government forces in this case - and it may be possible again. We certainly shouldn't give up!

2) Businesses need to take note: privacy-invasive business models will face opposition, and that opposition is more powerful than you might imagine. From the perspective of the symbiotic web (my underlying theory, more about which can be found here), if a privacy-invasive model is to succeed, it must give something back to those whose privacy is invaded, something of sufficient value to compensate for the privacy that is either lost or compromised. In Phorm's case, there was very little benefit to the people being monitored - the benefit was all for Phorm or Phorm's advertising partners. That sort of model isn't going to succeed nearly as easily as businesses might think - people will fight, and fight well! Businesses would do better to build more privacy-friendly models from the outset...

3) Governments need to understand the needs and abilities of the people - as well as the needs of businesses and business lobby groups. People are getting more and more aware and more and more able to articulate their needs and make their views known - and to wield powers beyond the understanding of most governments. The recent resistance to SOPA and PIPA in the US is perhaps another example - though the fact that people's interests coincided with those of internet powerhouses like Wikipedia and Google may have been even more important.

This last point is perhaps the most important. Governments all over the world seem to be massively underestimating the influence and power of people, particularly people on the internet. People will fight for what they want - and, more often than governments realise, they will find ways to win those fights. There needs to be a significant shift in the attitude of those governments if we are not to have more conflicts of the sort that caused such a mess over Phorm. There are more conflicts already on the horizon - from the judicial review of the Digital Economy Act to the shady agreement that is ACTA. There will be a lot of mess, I suspect, much of which could be avoided if 'authorities' understood what we wanted a bit more. The people of the net are starting to get mad, and they're not going to take it anymore.

Crazy Europeans!?!

2012-01-26T22:10:00.004Z

As anyone who pays attention to the world of data - and data privacy in particular - cannot help but be aware, those crazy Europeans are pushing some more of their mad data protection laws (a good summary of which can be found here) including the clearly completely insane 'right to be forgotten'. Reactions have been pretty varied on in Europe, but in the US they seem to have been pretty consistent, and can largely be boiled down to two points:

1) These Europeans are crazy!
2) This will all be a huge imposition on business - No fair!!!

There have been a fair few similar reactions in the UK too, and there will probably be more once the more rabidly anti-European parts of the popular press actually notice what's going on. As I've blogged before, the likes of Ken Clarke have spoken up against this kind of thing before.

So I think we need to ask ourselves one question: why ARE these crazy Europeans doing all this mad stuff?

Well, to be frank, the Internet 'industry' has only got itself to blame. This is an industry that has developed the surreptitious gathering of people's personal data into an art form, yet an industry that can't keep its data safe from hackers and won't keep it safe from government agencies. This is an industry that tracks our every move on the web and gets stroppy if we want to know when it's happening and why. This is an industry that makes privacy policies ridiculously hard to read whilst at the same time working brilliantly on making other aspects of their services more and more user-friendly. Why not do the same to the privacy settings? This is an industry that makes account deletion close to impossible (yes, I'm talking to you, Facebook) and pulls out all the stops to keep us 'logged in' at all times. This is an industry that tells us that WE should be completely transparent while remaining as obscure and opaque as possible themselves. This is an industry that often seems to regard privacy as just a little problem that needs to be sidestepped - or something that is 'no longer a social norm' (and yes, I'm talking to you, Facebook again).....

So.... If the internet 'industry', particularly in the US, doesn't want this kind of regulation, this kind of 'interference' with its business models, the answer's actually really simple: build better business models, models that respect people's privacy! Stop riding rough-shod over what we, particularly in Europe, but certainly in the US too, care deeply about. Use your brilliance in both business and technology to find a better way, rather than just moaning that we're interfering with what you want to do. When fighting against SOPA and PIPA (and I hope ACTA too in the near future), most of the industry champion the people admirably - perhaps because the people's interests coincided with their own. In privacy, the same is actually true, however much it may seem the other way around. In the end, the internet industry will be better off if it takes privacy seriously.

Regulation doesn't happen just because a bunch of faceless Belgian bureaucrats have too much power and too little to do - it happens when there's a real problem to solve. Oh, they may well go over the top, they may well use crude regulatory sledgehammers where delicate rapiers would do the job better, but they do at least try, which seems more than much of the industry does...

So don't blame the crazy Europeans. Take a closer look in the mirror...

Players and Pawns in the Game of Privacy

2012-01-25T13:11:00.001Z

Privacy is pretty constantly in the news at the moment. People like me can hardly take their eye off the news for a moment. This morning I was trying to do three things at once: follow David Allen Green's evidence at the Leveson inquiry (where amongst other things he was talking about the NightJack story which has significant privacy implications), listen to Viviane Reding talking about the new reforms to the data protection regime in Europe, and discover what was going on in the emerging story of 02's apparent sending of people's mobile numbers to websites visited via their mobile phones....

Big issues... and lots of media coverage... and lots of opportunities for academics, advocates of one position or other, technical experts and so forth to write/talk/tweet/blog etc on the subject. And many of us are taking the opportunity to say our bit, as we like to do. A good thing? Yes, in general - because perhaps the biggest change I've seen over the years I've been researching into the field is that the debate is wider, bringing in more people and more subjects, and getting more public attention - which must, overall, be a good thing. The more the issues are debated and thought about, the more chance there is that we can get better understanding, some sort of consensus, and find better solutions. And yet there are dangers attached to the process - because as well as the people who have valuable things to say and good, strong ethical positions to support their case, there are others with much more questionable agendas, often hidden, who would like to use others for their own purposes. Advocates, academics and experts need to guard against being used by others with very different motives.

There are particular examples happening right now. One subject that particularly interests me, about which I've blogged and written many times before, is the right to be forgotten. Viviane Reding has talked about it in the last few days - and there have been reactions in both directions. Both, it seems to me, need to be wary of their being used in ways that they don't intend:

i) Those who oppose a ‘right to be forgotten’/’right to delete’ need to be careful that they’re not being used as ‘cover’ for those whose business models depend on the holding and using of personal data. The right to delete is a threat to their business models, and they can (and probably will) use all the tools at their disposal to oppose it, including using 'experts' and academics. The valid concerns about censorship/free expression aren't what those people care about - they want to be able to continue to use people's personal data to make money. Advocates for free expression etc need to be careful that they're not being used in that kind of way.

ii) Conversely, those who (like me) advocate for a ‘right to be forgotten’/’right to delete’ need to be careful that they’re not being used by those who wish to censor and control - because there IS a danger that a poorly written and executed right to be forgotten could be set up in that kind of way. I don't believe that's what's intended by the current version, nor to I believe that this is how it would or could be used, but it's certainly possible, and people on 'my' side of the argument need to be vigilant that it doesn't go that way.

Similar arguments can be used in other fields - for example about the question of the right to anonymity. Those who (like me) espouse a right to anonymity need to be careful about not providing unfettered opportunities for those who wish to bully, to defame etc., while those who support the reverse – an internet with real name/identification systems throughout, to control access to age-sensitive sites, to deal with copyright infringement etc – need to be very careful not to be used as an excuse for setting up systems which allow control and ultimately oppression.

So what does this all mean? Should academics and other 'experts' simply keep out of the blogosphere and the media, and leave their musings for academic journals and unreadable books? Certainly not - but we do need to be a little more thoughtful about the agendas of those who might use us, who might misquote us, who might take us out of context and so forth. I suspect that this might have been what happened to Vint Cerf when he wrote a short while ago suggesting that internet access was not a human right. Others might well have been trying to use him... as they might well try to use any of those who write in this kind of a field. However clever we might think we are, we're very often pawns in the game, not players.

Same as it ever was... privacy in history!

2012-01-19T13:58:00.002Z

Earlier today, Eastman Kodak filed for Chapter 11 Bankruptcy protection. It might well signal the end for a company which was perhaps the single most important player in an industry that revolutionised the world in many ways: the photographic industry. Kodak has been in existence for 131 years, and in that time the world has changed dramatically in many ways - but perhaps not in as many ways as we might think. Kodak was crucial in the history of photography - but it was also crucial in the history of privacy.

Back in the late 19th century, when Kodak introduced the first hand-held camera, that new technology scared a lot of people - and inspired a whole new phase in the legal understanding of privacy. Amongst those alarmed by it were young lawyers Samuel Warren and Louis Brandeis - who went on to write a seminal piece for the Harvard Law Review: "The Right to Privacy". It was a remarkable piece of work and set into motion a train of legal thought that is still chuffing away to this very day. I remember when I first read it I assumed the date was a misprint: 1890. Surely that must mean 1980? Here's an extract:

“The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasion upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.”

The same debate rages now - and the 'enterprise and invention' that was 'modern' in 1890 is every bit as prevalent now. Have things really changed? Are the attacks on privacy a 'modern' crisis in the 21st century - or are things just the same as they ever were. Here's some more of Warren and Brandeis:

"Gossip is no longer the resource of the idle and the vicious, but has become a trade, which is pursued with industry as well as effrontery. To satisfy a prurient taste the details of sexual relations are spread broadcast in the columns of the daily papers. To occupy the indolent, column upon column is filled with idle gossip, which can only be procured by intrusion upon the domestic circle."

Lord Justice Leveson might well say something very similar when his inquiry into the culture, ethics and practice of the press comes to its conclusion. Phone hacking may be the latest form of 'intrusion upon the domestic circle' but in many ways it's not that different from the tactics that have been used by the press (and others) for well over a century, as Warren and Brandeis made very clear.

So has much changed? Or is this all just human nature, and we need to 'grin and bear it'. Has the technological development of the last 120+ years had a significant effect? Here's a little more of Warren and Brandeis:

"Even gossip apparently harmless, when widely and persistently circulated, is potent for evil."

The internet, by its very nature, gives a far greater opportunity for wide and persistent circulation of gossip - but once again, it's not qualitatively different from what Warren and Brandeis were concerned about. The tools are more efficient, the mechanisms more generally available, and the scale larger, but isn't it the same problem, just writ a bit larger? The other side of the coin, however, is also, in my opinion, true. Privacy isn't a problem that's going away - and it's not, despite the suggestions of the likes of Mark Zuckerberg, something that's no longer a social norm. The ways in which Warren and Brandeis's piece, written more than 120 years ago, seems to fit so well with current practices and current concerns suggests precisely the opposite. Privacy is still an issue - and it will in all likelihood remain an issue forever. They were right to be concerned about it - and right, in my opinion, that we have a right to privacy. We had it then, and we have it now - not an absolute right, not a right that overrides other competing rights such as freedom of expression, but a right that needs to be considered, and needs to be fought for. That fight will go on... as it always has.

10 things I hate about the ICO

2012-01-12T12:01:00.001Z

With apologies to William Shakespeare, Elizabeth Barrett Browning, Heath Ledger, Julia Stiles and many more…

10 things I hate about the ICO

I hate the way you ask for teeth but seem afraid to bite
I hate the way you think the press are far too big to fight
I hate the way you always think that business matters most
Leaving all our online rights, our privacy, as toast

I hate the way you keep your fines for councils and their kind
While leaving business all alone, in case the poor dears mind
I hate the way you take the rules that Europe writes quite well
And turn them into nothing much, as far as we can tell

I hate the way that your advice on cookies was so vague
Could it possibly have been, you were a touch afraid?
I hate the way you talked so tough to old ACS Law
But when it came to action, it didn’t hurt for sure

I hate the way it always seems that others take the fore
While you sit back and wait until the interest is no more
I hate that your investigations all stop far too soon
As PlusNet, Google and BT have all found to their boon

I hate the way you tried your best to hide your own report
‘Bury it on a busy day’; a desperate resort!
You should be open, clear and fair, not secretive and poor
We’ll hold you up for all to see – we expect so much more!

I hated how when Google’s cars were taking all our stuff
You hardly seemed to care at all – that wasn’t near’ enough
Even when you knew the truth, you knew not what to do
It took the likes of good PI to show you where to go…

I hated how my bugbears Phorm, didn’t get condemned
Even when their every deed could not help but offend
You let them off with gentle words, ‘must try harder’ you just said
Some of us, who cared a lot, almost wished you dead

You tease us, tempt us, give us hope – then let us down so flat
We think you’re on our side – you’re not – and maybe that is that!
Will all these bad things ever change? We can but hope and dream
That matters at the ICO aren’t quite as they might seem.

We need you, dearest ICO, far more than we should
We’d love you if you only tried to do the job you could
We’d love you if you stood up tall, and faced our common foes
Until you do, sad though it is, then hatred’s how it goes.

P.S. I don’t really hate the ICO at all really.... this is 'poetic' licence!

The Internet IS a (Human) Right...

2012-01-11T11:18:00.003Z

It isn’t often that I find myself disagreeing with something that Vint Cerf, one of the ‘fathers of the internet’ has said, but when I read his much publicised Op Ed piece in the New York Times, I did.

First of all, and perhaps most importantly, I didn’t like the headline, which stated baldly and boldly that ‘Internet Access is not a Human Right’. Regardless of whether you agree or disagree with that statement, the piece said a great deal more than that – indeed, the main thrust of the argument was about the importance of the internet, and of internet access, to human rights. Many people will have just read the headline – or even read the many tweets which stated just that headline and a link – and drawn conclusions very different to those which Cerf might like. The headline, of course, may well have been the choice of the editorial team and the New York Times, rather than Cerf himself, but either he was OK with it or he allowed himself to be led in a particular direction.

Secondly, I think the point that he makes leading to this headline, and to his conclusions, reflects a particularly US perspective on 'human rights' - a minimalist approach which emphasises civil and political rights and downplays (or even denies) economic and social rights amongst others. Most of the rest of the world takes a broader view of human rights: the International Covenant on Economic, Social and Cultural Rights was introduced in 1966, and has been ratified by the vast majority of the members of the UN – but not by the US. The covenant includes such rights as the right to work, the right to social security, rights to family life, right to health, to education and so forth - and it isn't too much of a stretch to see that right to internet access might fit within this spectrum.

That Cerf doesn't see it this way is not surprising given that he is American - but I think his argument is weaker than that. In the piece, Cerf’s gives the example of a man not having a right to a horse. He talks about how a horse was at one time crucial to ‘make a living’, and that means that the ‘human right’ isn’t a right to have a horse, but a right to ‘make a living’. However, even that’s based on assumptions to do with our time and system. Do you ‘need’ to ‘make a living’ if your society isn’t based on capitalism? Non-capitalist societies have existed in the past - and indeed exist on small scales in various places around the world today. Can we really assume that they will never exist in the future? It is a bold assumption to make - but not, I think, one that needs to be made.

We need to be very careful about the assumptions we make about any human right – and that, in practice, many of what we consider to be human rights are instrumental, qualified, or contextual rather than absolute, pure and simple. Another example from the legal field: do we have a ‘right to a free trial’ – or a right to justice? Trial by jury may be the best way we know now of assuring justice, but might there not be other ways?

What does this mean? Well, primarily, to me, it means we need to be less 'purist' about the terms we use, and more pragmatic - and to understand that we live in a particular time, where particular things matter. Moreover, that the language that is currently used in most parts of the world is one in which the term 'human right' has power - and we should not be afraid to use that power. Right now, to flourish in a 'free', developed society, internet access is crucial. Perhaps even more to the point, internet access has shown itself to have a potential for liberation even in places less 'free' and less 'developed. I'm not a cyber-utopian - and I fully acknowledge the strengths of the arguments of Morozov about the potential of the internet for control as much as for liberation - but for me that actually makes it even more important that we look at the internet from a rights perspective: if we have a right to internet access then it's much easier to argue that we have rights (such as privacy rights) while we use the internet, and those rights are critical for supporting the more liberating aspects of the internet.

That's another thing that disappoints me about Cerf's Op Ed piece. He doesn’t mention privacy, he doesn’t mention freedom from censorship, he doesn’t mention freedom from surveillance – I wish he would, because next after access these are the crucial enablers to human rights, to use his terms. I’d put it in stronger terms myself. I’d say we have rights to privacy online, rights to freedom from censorship, and rights to freedom from surveillance. If you don’t want to call them human rights, that’s fine by me – but right now, right here, in the world that we live in, we need these rights. The fact that we need them means that we should claim them, and that governments, businesses and yes, engineers, should be doing what they can to ensure that we get them.

Finally, going back to the headline itself I think Cerf and other seminal figures in the history and development of the internet, have got to be careful about not letting themselves be used by those who'd like to restrict internet access and freedom: there are others with very dubious agendas who would like to push the 'internet access not a human right' point. When one of the fathers of the internet writes that internet access is not a human right, regardless of the details below, there is a significant chance that it will be latched onto by those who would like to restrict our freedoms, whether to enforce copyright, to 'fight' terrorism or online crime, or for other purposes. That is something that we should be careful to avoid.

ADDENDUM (15/1/2012)

There have been a number of other interesting blogs/responses on the subject. Here are links to a few of them:

Adam Wagner's UK Human Rights Blog
Frank Pasquale on madisonian.net
Amnesty International's Scott Edwards blog post on HUMAN RIGHTS NOW
Sherif Elsayed-Ali in Egypt Independent

All well worth a read!

Personalisation and politics

2012-01-05T07:32:00.003Z

I have to admit to following the Republican party's presidential candidate race with some fascination. It's a slightly ghoulish fascination - there's often a touch of fear when I listen to some of the candidates, and there's always the underlying question of 'how low can they go'. There's comedy, tragedy, a bit of historical eccentricity, and often a good deal of farce. It's also, however, revealing of some of the issues that we should take seriously in terms of how our politics, our democratic politics, functions - and in particular, how it might function in the future.

One particular aspect that came to the fore to me in the recent Iowa Caucus - the role of advertising in politics. We haven't developed it to nearly the same degree in the UK as the US, though every successful politician this side of the pond has tried to follow Thatcher's hugely effective use of Saatchi & Saatchi. In the US, though, it's a highly developed art form - and is only likely to become more so. In Iowa, an orchestrated advertising campaign against the surging Newt Gingrich sent him down from first to fourth place (and nearly out of the race) in a matter of days. Advertising works, or at least appears to - and politicians know it, and know it well.

What might this mean for the future? I've written about advertising many times before, both in academic papers and in blogs. The internet is changing advertising - and we need to be aware of how that change might have an impact not only on our commercial behaviour but on our political behaviour: on politics itself. There are two trends in internet advertising that are particularly relevant and worth thinking about here: behavioural profiling and personalisation. People browsing the internet can be (and are) profiled according to their online behaviour, from the search terms they use and the links they follow to the friends they have on social media sites, the music they listen to, movies they watch and so forth. That profiling is generally used to target advertising - advertising more suited to their personal needs and desires. My last blog, Privacy and the Phantom Tollbooth, talked about some of the risks of this kind of thing - but when looked at from a political perspective the risks are even more sinister.

Through profiling, it is possible to make good guesses - sometimes very good guesses - as to which political issues matter to someone and which ones don't. With just a little bit of work, the vast majority of which could be entirely automatic, it could become possible to create tailored political advertisements designed to highlight the policies or features of a particular candidate or party that are of specific interest to an individual - and to omit anything that might detract from their attraction. And, given the US experience in particular, to do the reverse for any opponents - automatically pick out the things that will make a particular voter see them in the most negative light possible.

Taking this a few steps further, these ads could include background music that the advertiser knows that you particularly like, and even voice-overs by an actor that they know you admire - they could even choose the colours, styles and typefaces to suit your 'known' preferences. Of course they wouldn't do this for everyone, at least not at first, but it wouldn't take that much effort to produce a range of options (a handful of different actors, soundtracks etc would do the job) that would cover most of the key, swing voters. Political advertising in its current form is already persuasive - how much more persuasive could it be in this kind of form? And remember that with behavioural targeting in the hands of relatively few advertising organisations, these advertisements can be sent to a vast number of different websites that you visit. They can be sent to you in emails. They can be inserted at the beginnings of videos that you watch online.... the possibilities are endless.

Is this far fetched? A nightmare scenario beyond the realms of possibility? Spend a little time watching US elections and I don't think you'll feel that way. It's just the logical extension of existing advertising and political trends. It is important to remember, too, that this kind of thing requires money - and money already talks enormously in politics. The power of personalised advertising can very easily become just one more tool in the hands of those who already wield excessive power over the political domain.

What can be done? Well, the first thing is a matter of awareness. The impact of behavioural advertising goes beyond the commercial sphere, and we need to understand this. It's not just a matter of deciding which deodorant or drink we choose - potentially it's about our whole lives. We ignore its importance at our peril - so things like 'do not track' really matter, and the European 'Cookie Directive' should not be dismissed as a legalistic impediment to good business. They may not be perfect tools - indeed, it seems clear that they aren't - but they're being pushed for very good reasons. Tracking on the internet should not be the default, accepted without a thought. The risks are far greater than most people realise.

Privacy... and the Phantom Tollbooth!

2011-12-30T07:24:00.002Z

Last night I was reading my daughter's bedtime story from that classic of American children's literature, The Phantom Tollbooth, when I came across a passage that set out brilliantly the problems that can arise as a result of the gathering and use of private data. Bear in mind that The Phantom Tollbooth was first published in 1961: Norman Juster didn't have the benefit of seeing how what can loosely now be described as 'big data' operates - but he did have an understanding of how our information can be used against us, even when we have 'nothing to hide'.

To set the scene: Milo the boy, Tock the Watchdog and the huge insect the Humbug are on the final stages of their mission to rescue the princesses Rhyme and Reason from the Castle in the Air. They reach the bottom of the final staircase, pursued by demons, where they don't notice a little round man sleeping peacefully on a very large ledger. The next part I'm just going to repeat:

------------------------------------------
"NAMES?" the little man called out briskly, just as the startled bug reached for the first step. He sat up quickly, pulled the book out from under him, put on a green eyeshade, and waited with his pen poised in the air.
"Well, I..." stammered the bug.
"NAMES?" he cried again, and as he did, he opened the book to page 512 and began to write furiously. The quill made horrible scratching noises, and the point, which was continuously catching on the paper, flicked tiny inkblots all over him. As they called out their names, he noted them carefully in alphabetical order.
"Splendid, splendid, splendid," he muttered to himself. "I haven't had an M for ages."
"What do you want our names for?" asked Milo, looking anxiously over his shoulder. "We're in a bit of a hurry."
"Oh, this won't take a minute," the man assured them. "I'm just the official Senses Taker, and I must have some information before I can take your senses. Now, if you'll just tell me when you were born, where you were born, why you were born, how old you are now, how old you were then, how old you'll be in a little while, your mother's name, your father's name, your aunt's name, your uncle's name, your cousin's name, where you live, how long you've lived there, the schools you've attended, the schools you haven't attended, your hobbies, your telephone number, your shoe size, shirt size, collar size, hat size, and the names and addresses of six people who can verify all this information, we'll get started."
------------------------------------------

These days, of course, there wouldn't need to be a 'senses taker' to get most of that information - 800 million or so of us have already 'volunteered' much of it to Facebook, while much of the rest of it (the sensible bits anyway) can be gathered reasonably directly from other sources. Anyway, the Senses Taker proceeds to gather all this and more, before Milo quite reasonably suggests that they need to get a move on, and can they just proceed. At that point, the Senses Taker demands to know their destination.

------------------------------------------
"The Castle in the Air," said Milo impatiently.
"Why bother?" said the Senses Taker, pointing to the distance. "I'm sure you'd rather see what I have to show you."
As he spoke, they all looked up, but only Milo could see the gay and exciting circus there on the horizon. There were tents and side shows and rides and even wild animals - everything a little boy could spend hours watching.
"And wouldn't you enjoy a more pleasant aroma?" he said, turning to Tock.
Almost immediately the dog smelt a wonderful smell that no-one but he could smell. It was made up of all the marvellous things that had ever delighted his curious nose.
"And here's something I know you'll enjoy hearing," he assured the Humbug.
The bug listened with rapt attention to something he alone could hear - the shouts and applause of an enormous crowd, all cheering for him.
They each stood as if in a trance, looking, smelling, and listening to the very special things that the Senses Taker had provided for them, forgetting completely about where they were going and who, with evil intent, was coming up behind them.
The Senses Taker sat back with a satisfied smile on his puffy little face as the demons came closer and closer, until less than a minute separated them from their helpless victims.
But Milo was too engrossed in the circus to notice, and Tock had closed his eyes, the better to smell, and the bug bowing and waving, stood with a look of sheer bliss on his face, interested only in the wild ovation.
------------------------------------------

Of course Milo, Tock and the Humbug do eventually escape, and the Senses Taker's true nature is revealed: he is a demon himself:

------------------------------------------
"I warned you; I warned you I was the Senses Taker," sneered the Senses Taker. "I help people find what they're not looking for, hear what they're not listening for, run after what isn't there. And, furthermore," he cackled, hopping around gleefully on his stubby legs, "I'll steal your sense of purpose, take your sense of duty, destroy your sense of proportion..."
------------------------------------------

It's as good a description of the dangers of the personalisation of the internet - which I've written about before, and is inherent in the Symbiotic Web model that underlies a lot of my work - as you might find. The Senses Taker's processes - gather all the data it can, use it to conceptualise how each individual might be seduced into doing something to the benefit of the Senses Taker (rather than to the benefit of the individual) is pretty much exactly what behavioural advertising does, what Facebook does, what many other kinds of privacy-invasive profile-based systems do. And the Sense Taker is a demon.......

P.S. If you haven't read the Phantom Tollbooth, you should! It's a brilliant book, lots of fun and at the same time actually quite deep!

12 wishes for online privacy....

2011-12-18T08:47:00.001Z

It's that time of year for lists, predictions and so forth. I don't want to make predictions myself - I know all too well how hard it is to predict anything in this world, and even more so in the online world. I do, however, have wishes. Many of these are pipe dreams, I'm afraid, but some of them do have some small hope of coming true. So here they are, my twelve wishes for online privacy…

That I don’t hear the ‘if you’ve got nothing to hide…’ argument against privacy ever again...
That governments worldwide begin to listen more to individuals and to advocacy groups and less to the industry lobby groups, particularly those of the copyright and security industries
That privacy problems continue to grab the headlines – so that privacy starts to be something of a selling point, and companies compete to become the most ‘privacy-friendly’ rather than just paying lip service to privacy
That the small signs I’ve been seeing that Google might be ‘getting’ privacy do not turn out to be illusions. Go on, Google, go on!
That my ‘gut feeling’ that 2012 could be the peak year for Facebook turns out to be true. Not because I particularly dislike Facebook – I can see the benefits and strengths of its system – but because the kind of domination and centralisation it represents can’t be good for privacy in the end, and I don't believe that the man who said that privacy was no longer a 'social norm' has really changed his spots
That the ICO grows some cojones, and starts understanding that it’s supposed to represent us, not just find ways for businesses to get around data protection regulations…
That the media (and yes, I’m talking to YOU, BBC), whenever they get told about a new technical innovation, don’t just talk about how wonderful and exciting it is, but think a little more critically, and particularly about privacy
That the revision to the Data Protection Directive (or perhaps Regulation) turns into something that is both helpful and workable – and not by compromising privacy to the wishes of business interests.
That neither SOPA nor PIPA get passed in the US…
That the right to be forgotten, something I’ve written about a number of times before, is discussed for what it is, not what people assume it must be based solely on the misleading name. It’s not about censorship or rewriting history. It really isn’t! It’s about people having rights over their own data! Whose data? Our data!
That the Labour Party begins to put together a progressive digital policy, and says sorry for ever having listened to the copyright lobby in introducing the Digital Economy Act!
That we start thinking more about the ordinary privacy of ordinary people, not just that of celebrities and politicians…

These are of course just a sample of the things I could say - but if even a few of them start to become true, it would be a really good start. Here's wishing....

Privacy is not the enemy...

2011-12-08T06:27:00.001Z

I attended the Oxford Institute event 'Anonymity, Privacy and Open Data' yesterday, notable amongst other things for Professor Ross Anderson's systematic and incredibly powerful destruction of the argument in favour of 'anonymisation' as a protection for privacy. It was a remarkable event, with excellent speakers talking on the most pertinent subjects of the day in terms of data privacy: compelling stuff, and good to see so many interesting people working in the privacy and related fields.

And yet, at one point, one of the audience asked a question about whether a group like this was not too narrow, and that by focussing on privacy we were losing sight of other 'goods' - he was thinking particularly of medical goods, as 'privacy' was seen as threatening the possibility of sharing medical data. I understood his point - and I understood his difficulty, as he was in a room to a great extent full of people interested in privacy (hardly surprising given the title of the event). Privacy advocates are often used to the reverse position - trying to 'shout out' about privacy to a room full of avid data-sharers or supporters of business innovation above all things. A lot of antagonism. A lot of feelings about being 'threatened'. And yet I believe that many of those threatened are missing the point about privacy. Just as Guido Fawkes is wrong to characterise privacy just as a 'euphemism for censorship' (as I've written about before) and Paul McMullan is wrong to suggest that 'privacy is for paedos', the idea that privacy is the 'enemy' of so many things is fundamentally misconceived. To a great extent the opposite is true.

Privacy is not the enemy of free expression - indeed, as Jo Glanville of Index on Censorship has argued, privacy is essential for free expression. Without the protection provided by privacy, people are shackled by the risk that their enemies, those that would censor them, arrest them or worse, can uncover their indentures, find them and do their worst. Without privacy, there is no free expression.

Privacy is not the enemy of 'publicness' - in a similar way, to be truly 'public', people need to be able to protect what is private. They need to be able to have at least some control over what they share, what they put into the public. If they have no privacy, no control at all, how can they know what to share?

Privacy is not the enemy of law enforcement - privacy is sometimes suggested to be a tool for criminals, something behind which they can hide behind. The old argument that 'if you've got nothing to hide, you've got nothing to fear' has been exposed as a fallacy many times - perhaps most notably by Daniel Solove (e.g. here), but there is another side to the argument. Criminals will use whatever tools you present them with. If you provide an internet with privacy and anonymity they'll use that privacy and anonymity - but if you provide an internet without privacy, they'll exploit that lack of privacy. Many scams related to identity theft are based around taking advantage of that lack of privacy. It would perhaps be stretching a point to suggest that privacy is a friend to law enforcement - but it is as much of an enemy to criminals as it is to law enforcement agencies. Properly implemented privacy can protect us from crime.

Privacy is not the enemy of security - in a similar way, terrorists and those behind what's loosely described as cyberwarfare will exploit whatever environment they are provided with. If Western Law enforcement agencies demand that social networks install 'back doors' to allow them to pursue terrorists and criminals, you can be sure that those back doors will be used by their enemies - terrorists, criminals, agents of enemy states and so forth. This last week has seen Privacy International launch their 'Big Brother Inc' database, revealing the extent to which surveillance products developed in the West are being sold to despotic and oppressive regimes. It's systematic, and understandable. Surveillance is a double-edged sword - and privacy is a shield which faces many ways (to stretch a metaphor beyond its limits!). Proper privacy protection works against the 'bad guys' as well as the 'good'. It's a supporter of security, not an enemy.

Privacy is not the enemy of business - though it is the enemy of certain particular business models, just as 'health' is the enemy of the tobacco industry. Ultimately, privacy is a supporter of business, because better privacy increases trust, and trust helps business. Governments need to start to be clear that this is the case - and that by undermining privacy (for example though the oppressive and disproportionate attempts to control copyright infringement) they undermine trust, both in businesses and in themselves as governments. Privacy is certainly a challenge to business - but that's merely reflective of the challenges that all businesses face (and should face) in developing businesses that people want to use and are willing to pay money for.

Privacy is not the enemy of open data - indeed, precisely the opposite. First of all, privacy should make it clear which data should be shared, and how. 'Public' data doesn't infringe privacy - from bus timetables to meteorological records, from public accounts to parliamentary voting records. Personal data is just that - personal - and sharing it should happen with real consent. When is that consent likely to be given? When people trust that their data will be used appropriately. When will they trust? When privacy is generally in place. Better privacy means better data sharing.

All this is without addressing the question of whether (and to what extent) privacy is a fundamental right. I won't get into that here - it's a philosophical question and one of great interest to me, but the arguments in favour of privacy are highly practical as well as philosophical. Privacy shouldn't be the enemy - it should be seen as something positive, something that can assist and support. Privacy builds trust, and trust helps everyone.

Heroes and villains?

2011-11-26T06:19:00.001Z

I wrote a piece a little while ago about Julian Assange - you can find it here - which amongst other things suggested that just because you consider someone a hero for one part of their lives doesn't mean that they're necessarily something other than a hero in another way. Events this week have reminded me of the other side of that coin: that just because someone might be seen as a villain in one way, doesn't mean that everything about them is despicable. What's more, if we believe in human rights, it doesn't mean that 'villains' shouldn't have those human rights. One particular such 'villain' has been in the news these last few days: Max Mosley.

Before I say anything more, I need to make it clear that my background is very left wing - I have grandparents, step-grandparents and great aunts who were communists. I myself had the nickname 'commie bastard' at college - though all that really meant is that I was the only member of the Labour Party at what was then the extremely right-wing Pembroke College Cambridge. As such, Max Mosley is someone who I 'instinctively' look on with extreme distaste. His father, Oswald Mosley, was a particular figure of hate for my family - in case anyone is unaware, Oswald Mosley was the founder and leader of the British Union of Fascists, and a supporter of Hitler. Hitler was a guest at his wedding. I still consider myself to be very much on the political left. Max Mosley, not just as his father's son, but as someone who represents extreme wealth and the excesses connected with it, is not someone that I have anything but instinctive dislike for.

...but just as even 'heroes' like Assange need to be subject to the law when appropriate (as I argued before), even those you dislike intensely need to be accorded rights. Indeed, one of the key tests of whether you really believe in human rights is whether you really grant them to those you dislike. Many people have been tested on those grounds over the last months and hardly come up smelling of roses - the attitude to the death of Gaddafi is perhaps the most extreme example. For Max Mosley, the test is simpler and should be less taxing. However much I might dislike what he seems to represent, he still deserves privacy. What the newspapers did to him was, in my view, unacceptable - and he was right to fight against them. Personally I thought he came across well in the Leveson inquiry. It wasn't Mosley that looked like the villain here - and his work in supporting other victims of phone hacking is something to be applauded too.

...which brings me onto the other 'heroes' and 'villains' of the last week: the press. If you listened as I did to the testimony of the many witnesses to the Leveson inquiry, from Mosley himself to the celebs like Hugh Grant, Steve Coogan and Sienna Miller, to JK Rowling, to the families of Milly Dowler and Madelaine McCann, and to Margaret Watson, it's hard not to see the press as venal, vicious, unprincipled and unfair. The instinctive reaction again is to punish them, to clamp down on them, to restrict them. And yet that's not the whole story either - because we also have to remember how the story itself broke, though the work of the Guardian. We have to remember how the MPs' expenses scandal was revealed by the Telegraph. How the cricket match-fixing scandal was uncovered by the now-departed News of the World. Just as Assange and Mosley could be heroes in one way and might be villains in another, so are the press. We need to look at the balance, and remember both sides to all their stories.

How is that balance maintained? The most important thing to remember is that it's a dynamic balance, and that we have to remain vigilant. Don't overreact - and that's an easy temptation particularly in relation to the press, and if the stories about Max Mosley planning to sue Google are true, they would be a prime example of such overreaction, and something I plan to write about separately - but don't be afraid of action either. Even in terms of the press, there are two currently very different things going on right now. At the same time as any action emerging from Leveson might produce restrictions on press activity in relation to privacy, the potential changes to the draft defamation bill might produce greater freedom for the press in relation to defamation. Instinctively, again, that might be right for people of my political perspective - defamation law has often been seen as a tool for the rich, while privacy should (though often isn't, as I've argued before) be something of as much interest to the 'insignificant' as the rich and famous. Both the potential shifts in balance, from Leveson and from changes to libel law, could well be appropriate. Let's hope it works out that way.

Whose data? Our data!!!

2011-11-19T12:29:00.001Z

There’s a slogan echoing around the streets of major cities around the globe at the moment: ‘Whose streets – our streets!’ It’s the mantra of the ‘occupy’ movement, expressing the frustration and injustice – particularly economic injustice – and the sense that all kinds of things that should be ‘ours’ have been taken out of ‘our’ control.

The same could – and should – be said about personal data. The mantra of the occupy movement has a very direct parallel in the world of data, which is why I think we should be saying, loud and proud, ‘Whose data – our data!’

Just as for the occupy movement (which I’ve written about before), the chances of getting everything that we want in relation to data are slim – but the chances of changing the agenda in relation to data are not, and the chances of bringing about some real changes in the medium and long term even less so. The occupy movement, particularly in the US, have brought some ideas that previously were hardly talked about in the media, like wage and wealth inequality, close to the top of the agenda. They may even have moved it high enough that politicians feel the need to do something about it – I certainly hope so.

The personal data agenda.

Can we do the same for personal data? One of the current points of discussion is the idea of a ‘right to be forgotten’ – something that relates directly to the question of whether personal data is ‘ours’ in any meaningful way. I’ve spoken and written about it a lot before – my academic article on my take on it, ‘a right to delete?’ can be found online here, while I’ve also blogged on the subject on the INFORRM blog. It’s currently under discussion as part of the forthcoming revision to the Data Protection Directive, to great resistance from the UK. The latest manifestation of this resistance has come from the ICO, suggesting that the right to be forgotten should not be included as it would be unenforceable, and that the inclusion would give people unrealistic expectations, as well as potentially interfering with free speech. Effectively, they seem to be suggesting that including it would send out the wrong message. This pronouncement echoes previous statements by Ken Clarke in May, and Ed Vaizey a couple of weeks ago – it looks like part of a campaign to rein in the attempts by Europe to give more weight to privacy and user rights in the balancing exercise with business use of personal data.

Are the ICO right?

I believe that the ICO are wrong about this in a number of ways. First of all, I think they’re wrong about the unenforceability issue – at least to a great extent. In the Mexico City conference on data protection earlier this month, even Google admitted that they could do their part, but that it would be expensive. That's very different from saying that it is unenforceable. What’s more, it doesn’t have to be perfectly implemented in order to have a benefit to people – if, for example, the right to be forgotten would allow people to easily, simply and quickly delete their Facebook profiles, or the data held on them by Tesco, that could be significant. It could also, as I’ve argued in my article, help persuade businesses to develop business models less dependent on the gathering and holding of massive amounts of personal data – if they know that such data might be ‘deletable’.

Secondly, I believe they’re quite wrong about the free speech issue – again, as I outline in my paper, if proper exceptions are put in place to allow archives to be kept, then free speech isn’t affected at all. The idea is not to be able to delete a record of what school you went to – but to be able to delete records of what breakfast cereal you bought, or profiles created based on surveillance of your internet activity.

Thirdly, and perhaps most importantly, I think they’re wrong about the message being sent out – profoundly wrong. The message that the ICO is sending out is that business matters more than people’s rights – and it’s a message that has echoes throughout the world at the moment, echoes that are what has provoked the anger in so many people that lies being the ‘occupy’ movement. It’s the same logic as that which supports bankers bonuses over benefits for the disabled, and looks for tax cuts for the rich whilst enforcing austerity measures that cut public services to the bone and beyond. Even more importantly, it suggests that the ICO does not see its role as protecting individual rights over data – but as supporting the government’s business agenda.

Whose data – our data!

The actions and messages of the ICO are essentially saying that this is too difficult to do, so we shouldn’t even try. It reminds me very much of the arguments against the idea of having smoke-free restaurants and pubs – a lot of people said it would be impossible, would drive the restaurants and pubs out of business. Further back, there have been similar stories throughout history – most dramatically, they were made against the abolition of slavery. We shouldn’t let this kind of logic stop us from doing what is right – we should find a way. And we can find a way, if only we can find the will. The ICO needs to be stronger, to understand that it has to serve us, not just business or the government. Privacy International asked in February whether the ICO was fit for purpose – and the answer increasingly seems to be clearly not. We need to remind them what their purpose should be – and that, more than anything else, is to represent us, the people. We need to remind them whose data they’re supposed to be protecting. Whose data? Our data!

The significance of the insignificant

2011-11-15T06:49:00.001Z

I watched yesterday’s parliamentary committee session on Privacy and Injunctions with some interest – after all, privacy is one of my subjects. The excellent David Allen Green (of Jack of Kent fame) gave the committee a number of lessons both in law and technology, and Guido Fawkes (Paul Staines) tormented them with the reality of the modern world. It was entertaining stuff – and yet the more I watched, the less it seemed to be connected with what I see as the biggest and fastest growing problem that the internet in particular represents in terms of privacy.

That came to a head when Guido Fawkes made the remark that ‘privacy is just a euphemism for censorship’. It was a good soundbite – and fitted some excellent subsequent tweets – and he certainly had a point when considering the way that privacy has been used to protect the rich, the famous and the influential, particularly in relation to super-injunctions, one of the key subjects being discussed by the committee. As a football fan, I’ve hardly been able to blink this year without hearing another piece of gossip that I’m not allowed to know, let alone talk about. However, there’s another side to privacy, one to which neither the committee nor the witnesses before them seemed to pay any attention. The side of the insignificant.

Insignificant people have the right to privacy too

The focus of both the committee and the witnesses, entirely understandably given their remit, was on the privacy of what might loosely be described as ‘significant’ people. And yet ordinary people, ‘insignificant’ people, have a right to privacy too. Protecting their privacy, except in unusual circumstances, isn’t anything to do with censorship. It’s about autonomy. It’s about the right, as Warren and Brandeis put it so long ago, to be left alone. The right to live, to enjoy the fruits of our modern society freely and without excessive interference.

By focussing on privacy as protecting significant information about ‘significant’ people, we miss what is, in many ways the far more important issue of the lack of control over the gathering of insignificant information about ‘insignificant’ people.

The result is that what is seen as ‘privacy’ – insofar as it is protected by law (and David Allen Green gave yesterday’s committee an excellent exposition of the inadequacies of that law) very often ends up protecting the ‘wrong’ people in the wrong ways, and failing to protect the right people in the right ways.

Insignificant invasions of privacy matter

Protections against the significant stuff, particularly for significant people is already provided. The law protects against defamation – perhaps excessively, at least in the eyes of the supporters of libel reform – and ‘significant’ people can and have used that law to provide that protection, but provides little in the way of protection for ‘insignificant’ invasions of privacy.

Why is this? To a great extent it is because these ‘insignificant’ breaches of privacy are seen as, well, insignificant. On their own, that may even be appropriate. What does it matter if someone knows what I had for breakfast this morning, or what kind of music I’m listening as I type this blog? Each individual fact gathered this way doesn’t seem to matter at all – and yet they do matter. They matter philosophically – they’re really my business, and no one else’s – but they also matter in a much more important way. In this digital world of ours, they’re used to profile me, to categorise me, to determine what advertisements I receive on the internet, perhaps what content I’m shown, what links I’m provided with. They might determine what prices I’m offered for insurance, for plane tickets and so forth. They might be used to ‘rate’ me (I’m not even going to start on Klout) in other ways. They might be used to assess my likely political leanings – perhaps just for advertising at the moment, but after that….

…and yet far less attention is paid to them than the ‘obvious’ side of privacy. Even on social networking sites like Facebook, attention is paid to the ‘significant’ privacy problems – compromising or clearly embarrassing photographs for example, rather than the much more financially important detailed profiling and social mapping data that are the basis of Facebook’s business model. Do the compromising photos matter? Yes, of course they do, but ways are already being found to deal with them, through education of the users, or at least greater understanding from the users, something which has at least some chance of succeeding. As for the profiling data, few people seem to care that much at all.

Changes are needed

There are all sorts of legal problems with dealing with insignificant stuff. There is a need to show damage – and individually insignificant facts aren’t damaging, and even profiling isn’t necessarily directly ‘damaging’ in financial terms. There is the thorny issue of consent – do we consent to all this data gathering and use through the various terms and conditions we never read? Do we, as the recent Wikileaks/Twitter ruling suggests, have no real expectation of privacy in our internet dealings?

As it stands, there is little to help. Law doesn’t seem to cut it – for all the valiant efforts of the Article 29 Working Party and others. Politicians in general seem neither to understand nor to care. Business models, particularly on the internet, almost rely on these invasions of privacy. We need to change that. To protect the insignificant, we need a change in approach, a change in infrastructure, and a change in business plans. We need to understand and control online tracking. We need opt-in, not opt-out, we need explanations that actually explain, and we need a whole lot more. Most of all, we need better understanding that privacy is more than just a way for the rich and powerful to protect themselves. It's about all of us.

The privacy of the insignificant hasn’t needed protecting before – only in this digital age can their insignificant events be gathered, or processed into something significant – so the law hasn’t been needed to protect them, and hasn’t developed a form that can protect them. It needs to now.

The beginning or the end of cyberlaw?

2011-11-10T10:04:00.001Z

From time to time I have described myself as a ‘cyberlawyer’. When I’ve done so, I’ve had three kinds of reaction: the positive, the negative and the dumbfounded. Some people find the idea of cyberlaw almost exciting – looking to the future in a kind of William Gibson-esque way. Others look at it with derision – Easterbrook’s comparison of it with the non-existent law of the horse back in 1996 is one that echoes still. Some simply don’t understand what cyberlaw is, or what it might be.

For a long time I’ve taken the side of the first – indeed, my enjoyment of science fiction was certainly part of what led me down the path of cyberlaw – but I’m beginning to think that the other two reactions are perhaps more appropriate – though not necessarily for the reasons that proponents of either argument might have made. It’s not, as Easterbrook suggested, that cyberlaw is too much of a niche subject, nor that ‘cyberspace’ is something only of interest to geeks and nerds. The opposite. Increasingly it seems that almost all lawyers will have to learn cyberlaw – and that almost all people are becoming citizens of cyberspace.

The significance of cyberlaw within the legal community seems to be growing. The first time I went to the cyberlaw section of the Society of Legal Scholars conference, at the LSE in 2008, I sat through sessions with just a handful of other scholars – making even a small seminar room feel empty. This year, at Downing College Cambridge, it was standing room only as pretty much every session was packed beyond the capacity of the room. We had to borrow chairs from other far less popular sessions, and even thought of moving to one of the bigger venues. In other ways, too, cyberlaw seems to be becoming more mainstream. Over the last month or so I’ve been lucky enough to make contributions to two high-quality blogs well outside the realms of cyberspace – most recently writing about web-blocking for the UK Constitutional Law Group blog, and before that writing about the ‘right to be forgotten’ for the excellent INFORRM media law blog. Whilst I would like to pretend that I’ve been asked to make these contributions because of my individual brilliance, I have a feeling it’s much more of a reflection of the way that cyberlaw now impacts upon almost every aspect of law – and not just media and constitutional law.

Media lawyers need to understand the ‘new media’. Constitutional lawyers need to think about the impact of the cross-border nature of the internet on sovereignty, and the way that rights function online. Employment lawyers need to consider how social media impacts upon things like hiring and firing. Commercial lawyers need to understand electronic contracting. Intellectual property lawyers may well spend more time dealing with digital IP than anything else. Tax lawyers have to grapple with the complex issues of jurisdiction and so forth. Criminal lawyers have to look at how the rules of evidence apply to digital records, and think carefully about the legality of electronic investigatory methods. Human rights lawyers – and I consider my field to be as much human rights as cyberlaw – need to understand both the opportunities for and threats to human rights that arise as a result of the internet. And for each branch of law these are just some of the more obvious and superficial ways in which the digital world has to be taken into account – there are few areas of law where the internet doesn’t have a significant impact.

So what does this mean? Does the increasing importance of cyberlaw mean that we all have to become cyberlawyers – and hence that the whole idea of cyberlaw disappears? Will every lawyer be a cyberlawyer? Ultimately that may be so – but there’s a long way to go before that happens. The law is still finding it hard to come to terms with the internet, for all the efforts of the pioneering cyberlawyers – and the politicians are even further behind, with a few honourable exceptions. There’s also a significant rump of the legal ‘establishment’ that may have to be dragged kicking and screaming into the brave new world where ‘reality’ and ‘cyberspace’ are increasingly integrated. It’s coming, though, and faster, I suspect, than even people like me imagine.

Assange - keeping the issues separate

2011-11-03T08:27:00.002Z

Yesterday, as most people interested in the subject know, Assange lost his appeal against extradition to Sweden to face accusations of sexual misconduct. He lost on all four counts of his appeal, and lost so convincingly that many commentators have suggested that his chances of success in one, final appeal to the Supreme Court are very slim indeed. He has not yet, at the time of writing, decided whether or not to make such an appeal.

It’s not the facts of what happened yesterday that matters to me, but the implications – and in particular, the reactions from so many people interested in Assange, in Wikileaks, in freedom of information, in combating secrecy, in the potential liberating power of the internet and so forth. For far too many of them, in my opinion, all these issues have been far to closely linked. We need to separate out the different issues. Julian Assange is not Wikileaks, and Wikileaks is not Julian Assange. Freedom of information and the fight against government and corporate secrecy and power is not dependent on Wikileaks, let alone on Julian Assange himself. We need to be able to separate the issues, and to think clearly about them. We need to be able to fight the right battles, not the wrong ones.

There are many people who, like me, are very much in support of the aims of Wikileaks, and who see the liberating potential of the internet as one of the most important things to emerge in recent times (without understating the reverse – the potential for the internet to be used for oppression and control, as so ably set out by Evgeny Morozov and others), but who, at the same time, support the concept of the rule of law, where that law is both appropriate and proportionate. I want open government, liberal government, accountable government – not no government at all. I don’t want personality cults, I don’t want anyone to be above the law, whether they are ‘good guys’ or ‘bad guys’. For me, that means I want Assange to face his accusers, and I want to be able to find out whether he is guilty or not.

Assange has already lost a lot of supporters in Sweden – as this Swedish commentator points out – by attacking both their legal system in relation to sexual offences and their apparent willingness to extradite easily to the US. For me, both of these accusations need to be looked at very carefully. Most people who have studied the way that sexual offences – and in particular accusations of rape – have been treated historically in the courts should recognise that women have generally got a very raw deal indeed. The way that the Swedish system has attempted to at least to start to rectify this balance is one that should be applauded and supported, not attacked or even vilified, in the way that some supporters of Assange seem to have done – ‘the Saudi Arabia of Feminism’ is one of the descriptions put forward. Such attacks are not justified or in any way appropriate – at least not to me.

And are Sweden really more likely to extradite Assange to the US than we are in the UK? It seems unlikely, as Andy Greenberg’s report in Forbes suggests. The UK doesn’t have a good record in resisting such requests – and given all the publicity it seems highly unlikely that the Swedish would let such a thing happen on their watch. Moreover, the Swedish system would require dual criminality for an extradition to occur – that is, the offence committed has to be a crime both in the country seeking extradition and in Sweden itself. Assange’s ‘offenses’ would not easily be shoehorned into that description. Either way, it’s hard to see an extradition occurring from Sweden – extradition from the UK seems far more likely.

There's one further point about the Swedish system - one that seems to have been missed by many of his supporters. It’s not really true that ‘no charges’ have been brought. As the judge pointed out in yesterday’s ruling, the Swedish system is different to that in the UK, and ‘charges’ are only brought at a very late stage, with a trial to follow almost immediately. The Swedish investigation has gone past the point where, in the UK, US or Australian investigation, charges would have been brought. Implications that the opposite true are really not helpful.

When I’ve suggested either that Assange was likely to get a fair trial in Sweden or that extradition to the US was unlikely, many people have shot me down, suggesting that there would be a stitch up between the Swedish and US authorities, that the charges were trumped up to start with – ultimately that there is a great conspiracy to bring Assange down. I don’t find the latter that difficult to believe – there are certainly some very bad things happening in relation to Wikileaks, and the approach used to try to squeeze the life out of them through the financial blockade is one of the most reprehensible and dangerous developments of recent years. However, if that conspiracy extends to ‘trumped up’ charges of rape and sexual assault on Assange, then for me that actually provides an opportunity, not a threat.

That’s where the rub comes. If Assange is guilty, then he should face the charges and receive appropriate punishment. If he’s innocent – and in particular if he’s the victim of a conspiracy-based set-up – then by facing the charges, by going through a legal process, he can prove that, and even expose the conspiracy. I’m not saying that I believe either way – neither I, nor the vast majority of either his supporters or his enemies know enough to know that. If he’s guilty, he wouldn’t be the first man to have abused his position of celebrity and power to behave inappropriately. If he’s innocent, he wouldn’t be the first innocent man accused in this way – or the first set up by his enemies.

For me, though, if you support the kinds of things that Wikileaks supports – exposing the truth, holding the powerful to account, moving towards a better, more open, more liberal future – you should want all this to be out in the open too. That means letting Assange go to Sweden, and it means refraining from the very smear tactics that his opponents use in relation to the Swedish judicial system. There are many, many things to be concerned about in relation to the treatment of Wikileaks, and indeed of Assange – but yesterday’s ruling, almost certainly correct from a legal perspective as bloggers like the excellent Adam Wagner have made clear, is not one of them.

Whether Assange is guilty or not, and whether he’s found guilty or not, supporters of freedom of information – and supporters of Wikileaks – should try not to tie his personal issues with the broader, more important issues that Wikileaks has raised. They’re not intrinsically and inextricably linked – and if we let them be, we’re playing into the hands of the very groups that we should be opposing.

Search Engines, Search Engine Optimisation - and us!

2011-10-25T10:32:00.001+01:00

Last week, Google announced that it was making SSL encryption the default on all searches for ‘signed in’ people. They announced it as a move towards better security and privacy, and some people (myself included) saw it as a small but potentially significant step in the right direction. Almost as soon as the announcement was out, however, stories saying exactly the opposite began to appear: the blogosphere was abuzz. One of the more notable – one that was tweeted around what might loosely be described as ‘privacy circles’ came in the Telegraph. “Google is selling your privacy at a price” was the scary headline.

So who was right? Was it a positive move for privacy, or another demonstration that Google doesn’t follow its own mantra about doing evil? Perhaps, when you look a little deeper, it was neither – and both Google and those who wrote stories like that in the Telegraph have another agenda. Perhaps it’s not what happened with SSL, but that agenda that we should be concerned about. The clue comes from looking a bit closer at who wrote the story in the Telegraph: Rob Jackson, who is described as ‘the MD of Elisa DBI, a digital business measurement and optimisation consultancy’. That is, he comes from the Search Engine Optimisation (SEO) industry. What’s happening here isn’t really much to do with privacy as far as either Google or the SEO industry – it’s just another episode in the cat-and-mouse story between search engines and those who want to ‘manipulate’ them, a story that’s been going on since search engines first appeared. The question is, how do we, the ordinary citizens of cyberspace, fit into that story. Do we benefit from the ongoing conflict and tension between the two, a tension which brings about developments both on both a technological and business level – or are we, as some think is true in much of what goes on in cyberspace, just being used to make money by all concerned, and our privacy and autonomy is neither here nor there?

What’s really going on?

As far as I can see, the most direct implication of the implementation of SSL encryption is that Google are preventing webmasters of sites reached through a Google search – and SEOs – from seeing the search term used to find them. Whether those webmasters – let alone the SEOs – have any kind of ‘right’ to know how they were found is an unanswered question, but for the webmasters it is an annoyance at least. For SEOs, on the other hand, it could be a major blow, as it undermines a fundamental part of the way that they work. That, it seems to me, is why they’re so incensed by the move – it makes their job far harder to do. Without having at least some knowledge of which search term produces which result, how can they help sites to be easier to find? How can they get your site higher on the search results, as they often claim to be able to do?

I have little doubt that they’ll find a way – historically they always have. With every new development of search there’s been a corresponding development by those who wish to get their sites – or more directly the sites of their clients – higher up the lists, from choosing particular words on the sites to the use of metatags right up to today’s sophisticated SEOs. Still, it’s interesting that the story that they’ve been pushing out is that Google is ‘selling your privacy for a price’. That in itself is somewhat misleading. A more honest headline might have been:

‘Google is STILL selling your privacy for a price, but now they’re trying to stop us selling it too!’

Google has, in many ways, always been selling your private information – that’s how their business model works, using the terms you use to search in order to target their advertising – but with the SSL move they’ve made it harder for others to use that information too. They themselves will still know the search terms, and seems to still be ‘selling’ the terms to those using their AdWords system – but that’s what they’ve pretty much always done, even if many people have remained blissfully unaware that this was what was happening.

There’s another key difference between Google and the SEOs – from Google, we do at least get an excellent service in exchange for letting them use our search terms to make money. Anyone who remembers the way we used to navigate the web before Google should acknowledge that what they do makes our online lives much faster and easier. There’s an exchange going on, an exchange that is at least to an extent mutually beneficial. It's part of the symbiotic relationship between the people using the internet and the businesses who run the fundamental services of the internet that is described in my theory of The Symbiotic Web. With SEOs, the question is whether we – particularly in our capacity as searchers – are actually benefiting at all.

The business of Search Engine Optimisation

Who DOES benefit from the work of SEOs? Their claims are bold. As Rob Jackson puts it in the Telegraph article:

“One leading SEO professional told me that Google is essentially reverse-engineered by the the SEO professionals around the world. If they were all to stop at once, Google wouldn't be able to find its nose.”

It’s a bold claim, but I suspect that people within Google would be amused rather than alarmed by the idea. Do we, as users, benefit from the operations of SEOs? On the face of it, it appears unlikely: searchers want to find the sites most relevant and useful to them, not the sites whose webmasters have employed the best SEOs to optimise their sites. Excellent and relevant sites and services get pushed down the search list by less good and less helpful sites who have used the most advanced and effective SEO techniques. And it’s our information, our search terms, that are being used by the SEOs.

There is, however, another side to the business, and one that’s growing in significance all the time. The idea that we are just ‘searchers’ looking round the web for information and interesting things is outdated, at least for a fair number of us. We also blog, we have our own private sites – and often our own ‘business’ sites. And we want our blogs to be read, our sites to be found – and how can this happen unless there is a way for them to be found.

SEOs might say that this is where they come in, this is where they can help us – and this might well be true to an extent. I for one, however, would like my sites to be judged on their merits, read because they’re worth reading and not just because I’ve employed a bit of a wizard to do the optimisation. I’d like search to be fair – I don’t want my services to be at a disadvantage either to those who have a commercial tie-in with Google or to those who are paying a better SEO than mine. I want a right to be found – when I want to be found.

Do I have a right like that? Should I have a right like that? Cases like the Foundem case have asked that, but I don’t think we yet have an answer, or at least what answers we have have been inconclusive and hardly heard. Perhaps we should be asking it a bit more loudly.

Goo goo google's tiny steps towards privacy...

2011-10-20T09:24:00.002+01:00

Things seem to be hotting up in the battle for privacy on the internet. Over the last few days, Google have made three separate moves which look, on the surface at least, as though they're heading, finally, in the right direction as far as privacy is concerned. Each of the moves could have some significance, and each has some notable drawbacks - but to me at least, it's what lies behind them that really matters.

The first of the three moves was the announcement on October 19th, that for signed in users, Google was now adding end-to-end (SSL) encryption for search. I'll leave the technical analysis of this to those much more technologically capable than me, but the essence of the move is that it adds a little security for users, making it harder to eavesdrop on a user's seating activities - and meaning that when someone arrives at a website after following a google search, the webmaster of the site arrived at will know that the person arrived via google, but not the search term used to find them. There are limitations, of course, and Google themselves still gather and store the information for their own purposes, but it is still a step forward, albeit small. It does, however, only apply to 'signed in' users - which cynics might say is even more of a drawback, because by signing in a user is effectively consenting to the holding, use and aggregation of their data by Google. The Article 29 Working Party, the EU body responsible for overseeing the data protection regime, differentiates very clearly between signed-in and 'anonymous' (!) users of the service in terms of complying with consent requirements - Google would doubtless very much like more and more users to be signed in when they use the service, if only to head off any future legal conflicts. Nonetheless, the implementation of SSL should be seen as a positive step - the more that SSL is implemented in all aspects of the internet, the better. It's a step forward - but a small one.

There have also been suggestions (e.g. in this article in the Telegraph) that the move is motivated only by profit, and in particular to make Google's AdWords more effective at the expense of techniques used by Search Engine Optimisers, who with the new system will be less able to analyse and hence optimise. There is something to this, no doubt - but it must also be remembered first of all that pretty much every move of Google is motivated by profit, that's the nature of the beast, and secondly that a lot of the complaints (including the Telegraph article) come from those with a vested interest in the status quo - the Search Engine Optimisers themselves. Of course profit is the prime motivation - but if profit motives drive businesses to do more privacy-friendly things, so much the better. That, as will be discussed below, is one of the keys to improving things for privacy.

The second of the moves was the launch of Google's 'Good to know', a 'privacy resource centre', intended to help guide users in how to find out what's happening to their data, and to use tools to control that data use. Quite how effective it will be has yet to be seen - but it is an interesting move, particularly in terms of how Google is positioning itself in relation to privacy. It follows from the much quieter and less user-friendly Google Dashboard and Google AdPreferences, which technically gave users quite a lot of information and even some control, but were so hard to find that for most intents and purposes they appeared to exist only to satisfy the demands of privacy advocates, and not to do anything at all for ordinary users. 'Good to know' looks like a step forward, albeit a small and fairly insubstantial one.

The third move is the one that has sparked the most interest - the announcement by Google executive Vic Gundotra that social networking service Google+ will 'begin supporting pseudonyms and other types of identity.' The Electronic Frontier Foundation immediately claimed 'victory in the nymwars', suggesting that Google had 'surrendered'. Others have taken a very different view - as we shall see. The 'nymwars' as they've been dubbed concern the current policies of both Facebook and Google to require a 'real' identity in order to maintain an account with them - a practice which many (myself definitely included) think is pernicious and goes against the very things which have made the internet such a success, as well as potentially putting many people at real risks in the real world. The Mexican blogger who was killed and decapitated by drugs cartels after posting on an anti-drugs website is perhaps the most dramatic example of this, but the numbers of people at risk from criminals, authoritarian governments and others is significant. To many (again, myself firmly included), the issue of who controls links between 'real' and 'online' identities is one of the most important on the internet in its current state. The 'nymwars' are of fundamental importance - and so, to me, is Google's announcement.

Some have greeted it with cynicism and anger. One blogger put it bluntly:

"Google's statement is obvious bullshit, and here's why. The way you "support" pseudonyms is as follows: Stop deleting peoples' accounts when you suspect that the name they are using is not their legal name.

There is no step 2."

The EFF's claims of 'victory' in the nymwars is perhaps overstated - but Google's move isn't entirely meaningless, nor is it necessarily cynical. Time will tell exactly what Google means by 'supporting pseudonyms', and whether it will really start to deal with the problems brought about by a blanket requirement for 'real' identities - but this isn't the first time that someone within Google has been thinking about these issues. Back in February, Google's 'Director of Privacy, Product and Engineering' wrote a blog for the Google Policy Blog called 'The freedom to be who you want to be...', in which she said that Google recognised three kinds of user: 'unidentified', pseudonymous and identified. It's a good piece, and well worth a read, and shows that within Google these debates must have been going on for a while, because the 'real identity' approach for Google Plus has at least in the past been directly contrary to what Whitten was saying in the blog.

That's one of the reasons I think Vic Gundotra's announcement is important - it suggests that the 'privacy friendly' people within Google are having more say, and perhaps even winning the arguments. When you combine it with the other two moves mentioned above, that seems even more likely. Google may be starting to position itself more firmly on the 'privacy' side of the fence, and using privacy to differentiate itself from the others in the field - most notably Facebook. To many people, privacy has often seemed like the last thing that Google would think about - that may be finally changing.

4Chan's Chris Poole, in a brilliant speech to the Web 2.0 conference on Monday, challenged Facebook, Google and others to start thinking of identity in a more complex, nuanced way, and suggested that Facebook and Google, with their focus on real identities, had got it fundamentally wrong. I agreed with almost everything he said - and so, I suspect, did some of the people at Google. The tiny steps we've seen over the last few days may be the start of their finding a way to make that understanding into something real. At the very least, Google seem to be making a point of saying so.

That, for me, is the final and most important point. While Google and Facebook, the two most important players in the field, stood side by side in agreement about the need for 'real' identities, it was hard to see a way to 'defeat' that concept, and it felt almost as though victory for the 'real' identities side was inevitable, regardless of all the problems that would entail, and regardless of the wailing and gnashing of teeth of the privacy advocates, hackers and so forth about how wrong it was. If the two monoliths no longer stand together, that victory seems far less assured. If we can persuade Google to make a point of privacy, and if that point becomes something that brings Google benefits, then we all could benefit in the end. The nymwars certainly aren't over, but there are signs that the 'good guys' might not be doomed to defeat.

Google is still a bit of a baby as far as privacy is concerned, making tiny steps but not really walking yet, let alone running. In my opinion, we need to encourage it to keep on making those tiny steps, applaud those steps, and it might eventually grow up...

UPDATED TO INCLUDE REFERENCE TO SEOS...

Privacy is personal...

2011-10-18T10:35:00.002+01:00

My real interest in privacy - and specifically internet privacy - arose a little over ten years ago. Something happened to me that change the way I thought about the whole issue - something personal, something direct. Up until that point I hadn't really thought much about privacy, though I'd been involved with the online world from a very early stage, setting up projects to provide rural communities with access to information, and trying to provide online education to housebound children in the mid 1990s - not exactly cutting edge stuff, but not too far from it. I'd also been involved in human rights work - most directly children's rights - but I'd never thought much about privacy. To me, then, just as to many people now, it just didn't feel important, particularly compared to the problems happening all over the world. 911 had just happened, and war was in the air.

I was living in New Zealand when the US invaded Afghanistan - and I was deeply concerned about the consequences of that action. I wrote about my concern in an email to a friend, also in New Zealand, and in that email I was at least partially critical of US foreign policy. I even mentioned Israel at one point. Some time over the next three hours, my email account became inaccessible.

At the time I was using a free email account - one of the big ones - that I had set up whilst in the US a few years earlier. A '.com' email account. As I was living in a very isolated part of New Zealand, this email account was one of my few links to the outside world. It had all my contacts' details, and all the messages I had sent and received for a long time - and I had been foolish enough not to keep written records elsewhere of a lot of the details. At first I thought it was just a blip, an accident - and I set up another email account and wrote to the service provider asking what had happened to my account, whether the password had been accidentally reset or something else. I was met with terse replies saying that the account had been terminated for a breach of contract terms. Friends told me to give up, and go with the new account - but I'm not that kind of person. I kept on badgering them, trying to find out what was going on. I hadn't yet thought that it might be connected with the email that I'd sent. Eventually I got a message saying that I had been using the email for commercial purposes, which is why it had been cancelled - which was absurd, as anyone who knew my financial position at the time would know. Then, about six months later, they reinstated the account, minus all the content, contacts and so forth.

Now of course I have no evidence to prove that the account was cancelled because of that particular email - it may indeed just have been a mistake, the account may even have been hacked into (though such things were much rarer in those days), but even the suspicion was enough to disturb me enormously, and set me on the path that I'm still on today. I started asking how it could have happened, what happens to emails, how easily they can be read, how my privacy might have been invaded. The more I investigated, the more I uncovered, the more interested I became - and it ended up changing my whole life. The perceived invasion of privacy - in a sense it doesn't even matter if it was real - was so personal that it cut me to the quick.

Back then I had had very little to do with the law - my degree was in mathematics, I qualified as an accountant and worked with technology, not the law. Now, as a result of following this path, I'm a lecturer in a law school at a good university, have published research and submitted a PhD on the subject of data privacy - and it seems even more relevant than it did ten years ago, as the online world has expanded and become more and more intrinsically linked with everything we do. Invasions of privacy do matter - whatever the likes of Mark Zuckerberg might think - and they matter because they're deeply personal, and touch the parts of us that we really care about.

Business and Privacy: Evidence and Assumptions?

2011-10-14T10:48:00.002+01:00

I came across a couple of stories yesterday that at first glance appeared unconnected, dealing with difference aspects of the current privacy debates concerning the internet. One comes from one side of the Atlantic, the other from the other. One deals with the 'fight' against piracy, the other with the current favourite of the online advertising industry, behavioural targeting. Very different issues - but they do have something in common: an inherent assumption that business success should take precedence over individual rights and freedoms.

The first issue was the revelation, through a Freedom of Information Request by the admirable Open Rights Group, that the Department of Culture, Media and Sport had no evidence to support their strategies to reduce the infringement of copyright by websites - you can see their report on the issue here.

The second came from my following of the House Energy and Commerce Committee hearing in Washington, about consumer privacy and online behavioural advertising - a hearing at least on the surface intended to consider consumer concerns, but which by the sound of it had a lot more to do with industry putting their case to avoid regulation. I followed on twitter, and remember one particular call from a regular and respected tweeter from the US who demanded evidence before regulation is considered. Specifically, he wanted evidence as to how much of the advertising economy depended on behavioural targeting - the underlying suggestion being, presumably, that we shouldn't regulate if it would have too significant an impact on revenue streams.

There are two different ways to look at the two stories. You can look at them as a reflection of the different attitudes to regulation on the two sides of the Atlantic - in England we're rushing to regulate, while in the US regulation is to be avoided unless absolutely necessary. Alternatively, however, you can look at them as a reflection of the way that business needs are set above individual rights and freedoms.

Copyright and piracy....

The Open Rights Group's request was in relation to the proposals in the Digital Economy Act, but that Act is just one of many measures introduced over the years to combat 'piracy', although the evidence in support of any of them has generally been conspicuous by its absence. That applies both to evidence to suggest that the problem is as bad as the industry suggests and to the efficacy of the measures being proposed to combat it. Does piracy cause a massive loss of revenue to rights holders? Perhaps, but the suggestions over the years that every illegally downloaded song is a lost sale is far from convincing, and the idea that listening to something illegally might even lead to further legal sales seems to have merit too. The massive success of iTunes suggests that carrots rather than sticks might be more effective - indeed, recent reports from Sweden showing that piracy had reduced as Spotify had been introduced adds weight to this idea.

The Open Rights Group's FOI request was about the effectiveness of the proposals - and the DCMS effectively acknowledged that they have no evidence about it. So we have proposals for measures about which there is no evidence, to address an issue about which evidence is scanty to say the least... and yet on that basis we're willing to put restrictions on individuals' freedoms, potentially apply censorship, and even cut off people's internet access as a result. That same internet access that is increasingly regarded as a human right.

The Digital Economy Act is one thing, but there's something else looming on the horizon of even more concern: the Anti-Counterfeiting Trade Agreement (ACTA), whose measures are potentially even more draconian than those in the DEA, and whose scope is even more all-encompassing. The US has already signed it - somewhat against the suggestion that the US prefers not to regulate where possible - and the EU may well sign it soon, though it still needs to pass through the European Parliament, and lobbying of MEPs is underway on both sides.

Behavioural advertising...

Legislation on behavioural advertising has already taken place in Europe, with the notorious 'Cookies Directive', about which I've written before - but the implementation, enforcement and acceptance of that directive has proved troublesome from the outset, and whether it ends up being at all meaningful has yet to be seen. Legislation in the US is what is currently under discussion, and what is being keenly resisted by the advertising industry and others. 'Show us the evidence' is the call - and until that evidence is shown, advertisers should be able to do whatever they want.

Evidence in relation to privacy is a contentious issue in lots of ways. Demonstrating 'harm' from an invasion of privacy is difficult, partly because each individual invasion isn't likely to be significant - particularly in respect of mundane tracking of websites browsed and so forth - and partly because the 'harm' is generally intangible, and far from easily turned into something easily quantifiable. Some people suggest that we should treat our personal information like a commodity, akin in some ways to intellectual property, but for me that fails to capture the real essence of privacy. I don't want to put a 'value' on my personal data, any more than I want to put a value on each of my fingers, or on my relationships with my friends and family. It's something different, and needs protecting as something different. I shouldn't need to prove the 'harm' done by that data being at risk - the loss of it, or loss of control over it, is a harm in itself.

That isn't all - not only does there appear to be an expectation that we should prove harm, but that even if there IS harm, we've got to prove that we wouldn't be damaging the advertisers' businesses too much. If their businesses would be harmed too much, we shouldn't put regulations in place....

Two different situations - but the same assumptions

In the copyright scenario, we're having our freedom restricted and our privacy invaded without real evidence to support what's happening. In the behavioural advertising scenario, we're having our privacy invaded and we're being asked to prove that there's a problem before any restrictions are placed - and, what's more, we're being asked to prove that we wouldn't damage business too much.

In both cases, it's the individuals who lose out. Business takes priority, and individuals rights, particularly in respect of privacy, are overridden. Where businesses perceive there are problems (as in the copyright scenario), they're not asked for proof - but where individuals perceive there are problems, they're asked for proof in ways that are inappropriate and unattainable. Shouldn't the situation be exactly the other way around? Shouldn't individuals' rights be considered above the business models of corporations? Shouldn't the burden of proof work in favour of individuals against businesses, rather than the other way around? Of course that's a difficult argument to make in economically troubled times - but it's an argument that in my opinion needs to be made, and made strongly.

Privacy, Parenting and Porn

2011-10-11T15:02:00.002+01:00

One of the stories doing the media rounds today surrounded the latest pronouncements from the Prime Minister concerning porn on the internet. Two of my most commonly used news sources, the BBC and the Guardian, had very different takes on in. The BBC suggested that internet providers were offering parents an opportunity to block porn (and 'opt-in' to website blocking) while the Guardian took it exactly the other way - suggesting that users would have to opt out of the blocking - or, to be more direct, to 'opt-in' to being able to receive porn.

Fool that I am, I fell for the Guardian's version of the story (as did a lot of people, from the buzz on twitter) which seems now to have been thoroughly debunked, with the main ISPs saying that the new system would make no difference, and bloggers like the excellent David Meyer of ZDNet making it clear that the BBC was a lot closer to the truth. The idea would be that parents would be given the choice as to whether to accept the filtering/blocking system, which, on the face of it, seems much more sensible.

Even so, the whole thing sets off a series of alarm bells. Why does this sort of thing seem worrying? The first angle that bothers me is the censorship one - who is it that decides what is filtered and what is not? Where do the boundaries lie? One person's porn is another person's art - and standards are constantly changing. Cultural and religious attitudes all come into play. Now I'm not an expert in this area - and there are plenty of people who have written and said a great deal about it, far more eloquently than me - but at the very least it appears clear that there are no universal standards, and that decisions as to what should or should not be put on 'block lists' need to be made very carefully, with transparency about the process and accountability from those who make the decisions. There needs to be a proper notification and appeals process - because decisions made can have a huge impact. None of that appears true about most 'porn-blocking' systems, including the UK's Internet Watch Foundation, often very misleadingly portrayed as an example of how this kind of thing should be done.

The censorship side of things, however, is not the angle that interests me the most. Two others are of far more interest: the parenting angle, and the privacy angle. As a father myself, of course I want to protect my child - but children need independence and privacy, and need to learn how to protect themselves. The more we try to wrap them in cotton wool, to make their world risk-free, the less able they are to learn how to judge for themselves, and to protect themselves. If I expect technology, the prime minister, the Internet Watch Foundation to do all the work for me, not only am I abdicating responsibility as a parent but I'm denying my child the opportunity to learn and to develop. The existence of schemes like the one planned could work both ways at once: it could make parents think that their parenting job is done for them, and it could also reduce children's chances to learn to discriminate, to decide, and to develop their moral judgment....

....but that is, of course, a very personal view. Other parents might view it very differently - what we need is some kind of balance, and, as noted above, proper transparency and accountability.

The other angle is that of privacy. Systems like this have huge potential impacts on privacy, in many different ways. One, however, is of particular concern to me. First of all, suppose the Guardian was right, and you had to 'opt-in' to be able to view the 'uncensored internet'. That would create a database of people who might be considered 'people who want to watch porn'. How long before that becomes something that can be searched when looking for potential sex offenders? If I want an uncensored internet, does that make me a potential paedophile? Now the Guardian appears to be wrong, and instead we're going to have to opt-in to accept the filtering system - so there won't be a list of people who want to watch porn, instead a list of people who want to block porn. It wouldn't take much work, however, on the customer database of a participating ISP to select all those users who had the option to choose the blocking system, and didn't take it. Again, you have a database of people who, if looked at from this perspective, want to watch porn....

Now maybe I'm overreacting, maybe I'm thinking too much about what might happen rather than what will happen - but slippery slopes and function creep are far from rare in this kind of a field. I always think of the words of Bruce Schneier, on a related subject:

"It’s bad civic hygiene to build technologies that could someday be used to facilitate a police state"

Now I'm not suggesting that this kind of thing would work like this - but the more 'lists' and 'databases' we have of people who don't do what's 'expected' of them, or what society deems 'normal', the more opportunities we create for potential abuse. We should be very careful...

Privacy - and Occupy Wall Street?

2011-10-10T06:46:00.001+01:00

One of tweeters I follow, the estimable @privacycamp, asked a question on twitter last night: is there a privacy take on 'Occupy Wall Street'? I immediately fired off a quick response - of course there is - but it started me off on a train of thought that's still chugging along. That's brought about this somewhat rambling blog-post, a bit different from anything I've done before - and I'd like to stress that even more than usual these are my personal musings!

Many people in the UK may not even have noticed Occupy Wall Street - it certainly hasn't had a lot of mainstream media coverage over here - but it seems to me to be something worthy of a lot of attention. A large number of people - exactly how many is difficult to be sure about - have been 'occupying' Liberty Square near Wall Street, the financial heart of New York - indeed, some might call it the financial heart of the modern capitalist world. Precisely what they're protesting against is hard to pin down but not at all hard to understand. As it's described on occupywallst.org, it is a:

"leaderless resistance movement with people of many colors, genders and political persuasions. The one thing we all have in common is that We Are The 99% that will no longer tolerate the greed and corruption of the 1%."

That isn't in any sense an 'official' definition - because there's nothing 'official' about occupy wall street. The movement has spread - the Guardian, one of the UK newspapers to give it proper coverage, talks about it reaching 70 US cities - and has lasted over three weeks so far, with little sign of flagging despite poor media coverage, strong-arm police tactics and a perceived lack of focus.

So what has this got to do with privacy? Or, perhaps more pertinently, what has this kind of a struggle got in common with the struggle for privacy? Why do people like me, whose work is concerned with internet privacy, find ourselves instinctively both supporting and admiring the people occupying Wall Street? Well, the two struggles do have a lot more in common than might appear at first glance. They're both struggles for the 'ordinary' people - for the 'little' people - against a huge and often seemingly irresistible 'machine'. Where Occupy Wall Street is faced by an array of banks with huge political and financial influence, internet privacy advocates are faced by the monoliths of the internet industry - Google, Facebook, Amazon, Microsoft, Apple etc - whose political and financial influence is beginning to rival that of the banks. Both Occupy Wall Street and internet privacy advocates are faced by systems and structures that seems to have no alternatives, and institutions which appear so entrenched as to be impossible to stand against.

Further to that, both the banks and the big players of the internet can claim with justification that over the years they've provided huge benefits to all of us, and that we wouldn't be enjoying the pleasures and benefits of our modern society but for their innovation and enterprise - I'm writing this blog on a system owned by Google, on a computer made by Apple, and bought through a credit card provided by one of the big banks. Does this mean, however, that I should accept everything that those big players - either financial or technological - give me, and accept it uncritically? Does it mean that the people occupying Wall Street should shuffle off home and accept that Wall Street, warts and all, cannot be stood up against - and should be supported, not challenged? I don't think so.

Of course there are ways in which the two struggles are radically different. The damage done to peoples' lives by the financial crisis which is the core of the protest against Wall Street is huge - far huger than the material damage done by all the privacy-intrusive practices performed on the internet. People have lost their livelihoods, their houses, their families - perhaps even their futures - as a result. The damage from privacy intrusions is less material, harder to pin down, harder to see, harder to prove. It is, however, very important - and is likely to become more important in the future. Ultimately it has an affect on our autonomy - and that's where the real parallels with Occupy Wall Street lie. Both movements are about people wanting more control over their lives. Both are about people standing up and saying 'enough is enough,' and 'we don't want to take this any more'.

Occupy Wall Street may well fizzle out soon. I hope not - because I'd love to see it have a lasting influence, and help change the political landscape. The odds are stacked against them in more ways that I can count - but I didn't think they'd last as long as they have, so who knows what will happen? The struggle for privacy faces qualitatively different challenges, but at times it seems as though the odds are stacked just as much in favour of those who would like the whole idea of privacy to be abandoned. Even if that is the case, it's still a fight that I believe needs fighting.

The privacy race to the bottom

2011-10-03T09:03:00.001+01:00

I tend to be a ‘glass-half’ sort of person, seeing the positive side of any problem. In terms of privacy, however, this has been very hard over the last few weeks. For some reason, most of the ‘big guns’ of the internet world have chosen the last few weeks to try to out-do each other in their privacy-intrusiveness. One after the other, Google, Facebook and Amazon have made moves that have had such huge implications for privacy that it’s hard to keep positive. It feels like a massive privacy 'race to the bottom'.

Taking Google first, it wasn’t exactly that any particular new service or product hit privacy, but more the sense of what lies ahead that was chilling, with Google’s VP of Products, Bradley Horowitz, talking about how ‘Google + was Google itself’. As Horowitz put it in an interview for Wired last week:

"But Google+ is Google itself. We're extending it across all that we do — search, ads, Chrome, Android, Maps, YouTube — so that each of those services contributes to our understanding of who you are."

Our understanding of who you are. Hmmm. The privacy alarm bells are ringing, and ringing loud. Lots of questions arise, most directly to do with consent, understanding and choice. Do people using Google Maps, or browsing with Chrome, or even using search, know, understand and accept that their actions are being used to build up profiles so that Google can understand 'who they are'? Do they have any choice about whether their data is gathered or used, or how or whether their profile is being generated? The assumption seems to be that they just 'want' it, and will appreciate it when it happens.

Mind you, Facebook are doing their very best to beat Google in the anti-privacy race. The recent upgrade announced by Facebook has had massive coverage, not least for its privacy intrusiveness, from Timeline to Open Graph. Once again it appears that Mark Zuckerberg is making his old assumption that privacy is no longer a social norm, and that we all want to be more open and share everything. Effectively, he seems to be saying that privacy is dead - and if it isn't quite yet, he'll apply the coup-de-grace.

That, however is only part of the story. The other side is a bit less expected, and a bit more sinister. Thanks to the work of Australian hacker/blogger Nik Cubrilovic, it was revealed that Facebook's cookies 'might' be continuing to track us after we log out of Facebook. Now first of all Facebook denied this, then they claimed it was a glitch and did something to change it. All the time, Facebook tried to portray themselves as innocent - even as the 'good guys' in the story. A Facebook engineer – identifying himself as staffer Gregg Stefancik – said that “our cookies aren’t used for tracking”, and that “most of the cookies you highlight have benign names and values”. He went on to make what seemed to be a very reassuring suggestion quoted in The Register:

"Generally, unlike other major internet companies, we have no interest in tracking people."

How, then, does this square with the discovery that a couple of weeks ago Facebook appears to have applied for a patent to do precisely that? The patent itself is chilling reading. Amongst the gems in the abstract is the following:

"The method additionally includes receiving one or more communications from a third-party website having a different domain than the social network system, each message communicating an action taken by a user of the social networking system on the third-party website"

Not only do they want to track us, but they don't want us to know about it, telling us they have no interest in tracking.

OK, so that's Google and Facebook, with Facebook probably edging slightly ahead in their privacy-intrusiveness. But who is this coming fast on the outside? Another big gun, but a somewhat unexpected one: Amazon. The new Kindle Fire, a very sexy bit of kit, takes the Kindle, transforms the screen into something beautiful and colourful. It also adds a web-browsing capability, using a new browser Amazon calls Silk. All fine, so far, but the kicker is that Silk appears to track your every action on the web and pass it on to Amazon. Take that, Google, take that Facebook! Could Amazon beat both of them in the race to the bottom? They're certainly giving it a go.

All pretty depressing reading for those of us interested in privacy. And the trio could easily be joined by another of the big guns when Apple launches its new 'iCloud' service, due this week. I can't say I'm expecting something very positive from a service which might put all your content in the cloud....

...and yet, somehow, I DO remain positive. Though the big guns all seem to be racing the same way, there has at least been a serious outcry about most of it, and it's making headline news not just in what might loosely be described as the 'geek press'. Facebook seemed alarmed enough by Nik Cubrilovic's discoveries to react swiftly, even if a touch disingenuously. We all need to keep talking about this, we all need to keep challenging the assumption that privacy doesn't matter. We need to somehow start to shift the debate, to move things so that companies compete to be the most privacy-friendly rather than the most privacy-intrusive. If we don't, there's only one outcome. The only people who really lose in the privacy race-to-the-bottom are us....

Romanian re-Phorm-ation?

2011-09-30T08:40:00.001+01:00

News has emerged this week that Phorm, the online-behavioural-advertising company about whom a great deal has been written (including by me) has targeted a new country for its latest attempt to track internet users’ every move: Romania.

Having been kicked out of the UK after a huge struggle a couple of years ago – a struggle from which civil society came out with a lot of credit, not least the Foundation for Information Policy Research and in particular the work of Richard Clayton and Nicholas Böhm, while the UK government came out with a severe amount of egg on its face – Phorm has tried to relaunch its services in a number of other countries. South Korea was the first, then Brazil, both without much sign of success, before the current efforts in Romania.

As a reminder, what Phorm’s services essentially do is ‘intercept’ the instructions a user sends as he or she browses the web – every site visited, every link followed, every click – and uses that information to build up a profile of the user, mostly to enable it to target advertising as accurately as possible but potentially (at least according to the publicity put out by Phorm during their attempts to launch in the UK) to tailor content. In a lot of ways Phorm’s system is only a logical extension of what many other advertisers on the web do – almost everyone’s at it, from Google to Facebook to Amazon (particularly if the stories emerging about the Kindle Fire are true). There are significant differences, however, to even the most privacy-invasive services offered by the others. The most important of these is that it covers ALL your activity on the web: even the latest furore about Facebook tracking you when you’re logged out didn’t get close to that, only potentially tracking you when you visit sites with Facebook links or ‘like’ buttons.

The second difference, almost as important, is that in exchange for these immense invasions of privacy, Phorm offers you nothing except better targeted advertising – something that few people would value very much. All the others give you something quite significant in exchange for their gathering your data: Google offers you very effective search engines, mapping systems, blogging services (including the one on which this blog is hosted) and much more, Facebook provides a social networking service of huge functionality, while Amazon’s Kindle is a lovely bit of kit for a remarkably small price, one that many people enjoy. There’s a ‘bargain’ going on for your data, even if few people fully grasp that this exchange is going on. With Phorm there’s nothing – essentially, they just spy on you for their own benefit, and give you nothing in return. Indeed, they might even harm your browsing, as the ‘interception’ process can potentially slow down your web-browsing.

Phorm failed in the UK, and I for one am very glad that they did. I hope the same happens in Romania, unless they’ve changed their practices significantly. The signs so far, sketchy though they are, do not suggest that this is very likely. Just as they did in the UK, they’ve done a deal with one of the big ISPs, Romtelecom, which is a part state-owned telecoms and internet company, and are looking for business partners. Their product appears to be pretty much the same as it was before, though they do at least mention the word ‘choose’ in terms of customer actions. That ‘choice’ does not seem to amount to much in reality, and indeed there seems to be another twist: they’ve added flash cookies to the system, with the express intention of using them to re-spawn their own status cookies in case you ‘accidentally’ delete them. The precise technical details have not yet emerged: I am looking forward to finding out if they’ve learned the lessons of their previous failures and decided to do something that actually respects the individual users and gives them some kind of real consent process. I’m not exactly waiting with bated breath…

I have a personal connection with Romania – my wife’s Romanian – and that country has experienced far too much of surveillance and invasions of privacy in the past. Indeed, Romania was one of the first countries to hit out against the privacy-invasive Data Retention Directive, their supreme court striking down the implementation of the Directive in their country as unconstitutional in 2009. I am fully confident that they will find a way to fight against this latest intrusion into their privacy. Phorm may have chosen Romania as a ‘soft target’. I suspect they’ll find the reality quite different, unless they’ve seriously changed their spots….

Is sharing natural? Is privacy?

2011-09-28T09:39:00.001+01:00

To someone like me, who works in the field of privacy, Facebook and similar services have always represented a challenge. Pretty much every time Mark Zuckerberg gets up on his feet to make another announcement, I find my stomach churning, and my mind turning. When he suggests that privacy is no longer a social norm, when he tells us that we all want to share more, when he implies that Facebook does what we want it to do, and that anyone who's at all concerned about what it does is an old stick-in-the-mud or a luddite, I always wonder, just for a moment, if he might be right. Is privacy an outdated concept, a kind of social construction that has outlived its purpose? Is openness and sharing how we're 'meant' to live? Is Facebook about liberating us, allowing us to be how we've always wanted to be, how we naturally want to be?

I wonder that for a few moments every time. I wondered it when the new features on Facebook were launched a week or two back. I wondered it when the mini-furore over Facebook 'continuing to track us after we log out' happened two days ago - though the truth or otherwise of that tracking continues to be debated. Am I wrong about privacy? I wonder that for a moment - and then something brings me right back to earth. I have a five-year-old child....

For my child, privacy seems something entirely natural, something deeply desired, something clearly needed. It has done since she was six months old - and perhaps even earlier. Now that she's at school, it's even more important to her. She doesn't tell anyone all her secrets, she carefully controls who she tells what, and I'm quite sure there are many things she tells no-one at all. Privacy, to her and to her friends, is something very much natural.

What about sharing? Well, I can't imagine that there are many parents who have found that there child wants to share ANYTHING as a matter of course. And that applies just as much to secrets as it does to things. Sharing is something we have to almost force our children to do - often kicking and screaming, and entirely against their will. It takes a long time before they do it willingly, if they ever really do. Even many adults find sharing very difficult - and again, that applies as much to information as it does to material goods.

Of course my evidence is entirely anecdotal, and I have only one example to follow (plus her friends (in the real sense of the word), classmates and acquaintances, while Zuckerberg has 800 million or so - but to my eyes and ears, and to my mind, that anecdotal evidence is pretty compelling. Privacy, to me, is far more natural than sharing. The kind of denial of privacy and enforcement of sharing that an unfettered Facebook would have us believe is 'natural' is far from it. For me, at least, it is something that should be resisted, and resisted with vigour.

Logout should mean logout! UPDATED

2011-09-26T10:42:00.000+01:00

Hidden (or at least untrumpeted) amongst all the new features in the latest Facebook upgrade is one deeply concerning issue: when you 'logout' of Facebook, Facebook will continue to track you. This fact has made it onto a few blogs (for example Nik Cubrilovic's blog here) and is doing the rounds on twitter - but for those of us concerned with privacy, there should be a lot more noise about it, because it has huge implications. It flies in the face of what users expect and understand - and that should really matter.

The reality is that very, very few users ever check their terms and conditions - almost all of us scroll straight through the pages and pages of legalese (even those of us who work in the law!) and then click 'OK' at the bottom. Why? Because we want to use the service, and because we know we don't have any real choice about what's in those terms and conditions - and because we have a reasonable expectation that what is in those terms and conditions is at least in most ways 'reasonable', and will conform to what we expect and understand terms and conditions to be.

So the question of what would we expect to happen when we 'logout' of Facebook is one that matters. Most people, I suspect, would expect that 'logout' would cut our connection with Facebook, until we log back in. It should be like putting the phone down when we've finished a conversation - you don't expect the person on the other end of the line to be able to hear what you say after you've hung up, let alone be able to keep a microphone open in your living room and record every conversation you have with anyone in that room. In fact, if you thought something like that was happening, you'd be outraged, and rightfully so, as well as having all kinds of opportunities to take legal action against the people who are, in effect, bugging you.

Of course what Facebook is doing isn't quite the same - but in some ways it could be considered even more invasive of your privacy, because the opportunities to analyse and exploit the data gathered through their tracking are greater in some ways that a simple phone tap. The data they can gather can be aggregated and analysed - its digital nature, together with the vast volume of other such data that they gather, gives them an unprecedented scope for such aggregation and analysis.

This is hardly the first time that Facebook has tried to move the goalposts on privacy, and to set new norms. This attempted resetting of norms, so that tracking is normal, whether you're signed in or not, and that it should (and will) happen all the time, is one that should be resisted very strongly. The opposite should be the case - we should be able to assume that tracking DOESN'T take place unless we explicitly allow it, and are reminded that it is happening. We should have a right to know when we're being tracked, and a right to turn that tracking off, and people like Facebook should be required to offer their services without that tracking, at the very least when we're not signed in to their service.

Like it or not, the use of Facebook has become effectively the norm. I have a new batch of undergraduate students arriving today, and if the experience of the last few years is anything to go by, it will be a rare student indeed who doesn't have a Facebook account. That in itself should place demands on Facebook, requirements that they must meet. That should mean that they should, in general, understand and meet the expectations of their users - and, in this case, that should mean that logout should mean logout. Tracking should be turned off the moment we log out of Facebook. And we, the users, should demand that it happens.

UPDATE (with gratitude to Emil Protalinski at ZDNet for his blog)Facebook are denying that this is what is happening - they say "...the logged out cookies are used for safety and protection including: identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of “keep me logged in."

We'll have to see what comes of this - and whether the privacy implications are as significant as they seem. However, regardless of the technical details, the underlying point needs stressing: when we logout, we need to know that we're no longer monitored or tracked, even for some of Facebook's stated purposes. Stated purposes don't always match with real uses... and function creep is hardly unknown in this context! For me, this underlines the need for clarity of rights and practices in this area. Facebook need to be told in no uncertain terms that tracking is not acceptable in these circumstances....

New website...

2011-09-25T11:44:00.002+01:00

Just a quick post to say that I've set up a new website - to meet my new status as a Lecturer at the UEA, and to 'celebrate' the submission of my thesis...

It's at www.paulbernal.co.uk

More to come!

A tale of three conferences...

2011-09-15T10:01:00.001+01:00

IT Law certainly seems to be flavour of the month. Even more particularly, it seems to be flavour of the next couple of days. Today and tomorrow there are three conferences on different aspects of the subject, all of which I'd like to be at... if only I could be three places at once.

Starting in Yorkshire...

The place I'll actually be is Leeds, for the Human Rights in the Digital Era Conference: Professors Andrew Murray and Viktor Mayer-Schönberger will be providing the keynote speeches, while I'll be presenting on a topic which I hope to be making a central part of my work in the next year or so, the idea of a right to an online identity (you can find my prezi here). Other excellent speakers include Jim Killock of the Open Rights Group, whose work is of increasing importance - particularly with the current government seemingly following the recent trend of seemingly being in thrall to the copyright lobby, if Jeremy Hunt's suggestions are anything to go by - and my colleague Emily Laidlaw. It should be a fascinating day - and a subject of great current interest.

...and at the same time in London...

...the Society for Computers and Law is having its annual policy forum - with the focus on the 'New Shape of European Internet Regulation'. Chaired by Lilian Edwards, and with contributions from such as Caspar Bowden (newly liberated from Microsoft) and my colleague Daithí Mac Síthigh, it's another event of immense current interest, and one which I'm sad to have to miss. I'll be following it on twitter (probably on #scl) and I'm looking forward to hearing more about it after the event. Daithí's presentation on the App Store should be particularly good!

Meanwhile, in Poland...

...Warsaw is hosting the latest Creative Commons global meeting. At a time when attitudes and approaches to copyrights seem to be getting if anything even more regressive, with the EU Council voting this week to extend copyright on sound recordings from 50 to 70 years, and as noted above, Jeremy Hunt setting out an aggressive and punitive strategy for dealing with online piracy, finding imaginative and effective ways forward for dealing with intellectual property issues is of ever growing significance. Lots of interesting people will be in Warsaw, putting together lots of excellent ideas - and again, I'm looking forward to reading and hearing all about it.

Three conferences - but common themes

Three very different conferences, three very different cities, three seemingly quite different agendas - but they all tie together, and they're all attempting to address issues of crucial current interests. The Leeds conference focusses on human rights, the London conference on regulation, the Warsaw conference on creativity - but the issues all interact with each other, and all impact upon each other. If, as the likes of Jeremy Hunt suggests, we use the twin heavy hands of law and finance to try to 'protect' our 'creative' arts (though the idea that Cliff Richard, one of the figureheads sent out this week to support the extension of copyright, represents 'creativity' is a somewhat difficult to swallow), then it is likely to be human rights that suffer. Those of us interested in human rights need to be doing everything we can to prevent the focus of regulation - indeed, the new shape of regulation - to be protecting copyright at the expense of those human rights, which, ultimately, is what the copyright lobby is intending to bring about. Human rights, regulation and creativity are all very closely connected - as these timely conferences should do their very best to make clear.

Phone-hacking, Online Behavioural Advertising and Tobacco

2011-07-08T16:02:00.001+01:00

I read a tweet yesterday asking 'where were you when the News of the World died?' suggesting that people will remember it in the same sort of way that they remember where they were when they heard about the assassination of JFK, or the death of Princess Diana. Now I'm pretty sure the demise of the News of the World isn't close to being as memorable as either of those deaths - but I suspect I'll remember where I when I heard: I was at a conference/workshop discussing privacy.

We were talking about what appears at least on the surface to be a very different kind of invasion of privacy than the News of the World's phone hacking: Online Behavioural Advertising. It was a remarkable workshop, expertly put together by Judith Rauhofer in Edinburgh, bringing together representatives of the internet industry (representatives of Microsoft, Yahoo! and the Internet Advertising Bureau), academia, privacy advocacy and lawmakers - including the European Data Protection Supervisor, Peter Hustinx. It was a pretty fiery workshop - which seemed to me to reflect the real tensions and conflicts that exist in what is a highly contentious field.

The representative of the IAB defended his corner pretty aggressively, effective suggesting that privacy advocates want to kill an entire industry based on something for which no harm has been proved, and from which any harm is at the most potential rather than actual. There were distinct echoes of the defences of tobacco industry when he suggested that internet advertising doesn't seek to influence people, merely to guide them better to the products and services that they want to buy. These echoes left me wondering if this kind of privacy intrusive system will go the same way that tobacco advertising did - particularly when he also suggested that even if rich Westerners can 'afford' to pay for their internet but that those outside our pampered world appreciate getting their internet services cheap or free, just at the cost of their privacy. The tobacco industry has been reaping rich harvests from the poorer parts of the world since Western governments started cracking down both on smoking and on tobacco advertising...

The news of the demise of the News of the World appeared right in the middle of one of the sessions - and set a lot of hearts racing. Did it mean that people REALLY care about privacy after all? Could this be a pivotal moment for the whole 'business' of privacy? I'm far from sure - because although people who work in the field can see the parallels between the way that the online advertising industry monitors, tracks and gathers information on pretty much all of us in pretty much all of our online activities and the News of the World's phone tapping, I'm not at all sure that the public would see any similarity at all. They should - but it's up to us in academia and advocacy to find better ways to explain it, and to explain the risks, and why we need to be more careful, and to demand more privacy friendly systems.

There are further parallels with the current phone-hacking saga - not least the coziness of the relationships between those invading privacy and the government. There may not be any individuals from the advertising industries as close to the Prime Minister as Andy Coulson, but at a corporate level the influence of the internet industry on the government appears stronger than ever.

What if anything could change this? Will it take some kind of Milly Dowler incident for people and governments to take it more seriously? Is even such an event possible in the murky world of behavioural tracking? It's hard to imagine - but even a week ago so was the idea that such an institution as the News of the World could cease publishing. Everything is possible...

Out of the mouths of Europeans?

2011-06-05T10:45:00.000+01:00

We in Britain can often be highly suspicious of things that come out of Europe – and particularly so when it comes to laws. There’s a level of distrust, a degree of distain and sometimes a sense that these ‘continentals’ really don’t know what they’re talking about, and that somehow we need to save them from themselves.

Two prime examples of this are current in the world of privacy law. Two pieces of legislation, one current, one proposed, have been given the disdainful British attitude over recent months.

The first is the so called 'Cookie Directive' which came into force on May 26th, essentially suggesting that installing or amending any cookie on any user’s computer would require prior, explicit and informed consent. A strong requirement, and one that was launched amid confusion and complaints – needing to be clarified not just by the issuance of advice by the ICO but subsequently 'clarified' by the DCMS in a way that many people thought just added more confusion. The attitude from ministers that suggested they really thought it was essentially stupid and that complying with it was pretty much irrelevant. The Open Rights Group summed it up well, suggesting that Ed Vaizey thought it was all meaningless.

The second is the proposed ‘right to be forgotten’ - an idea currently being pushed by European Commissioner Viviane Redding for inclusion in the forthcoming revision to the Data Protection Directive. This time it was Ken Clarke's turn to be dismissive and disdainful, suggesting in a speech to the British Chamber of Commerce in Brussels that it was unworkable and, in essence, that the Europeans need to listen more to the British. As he put it:

'I am optimistic that there's a common sense solution on this. Our experience in the UK is that security, freedom and privacy are possible.'

Perhaps, however, it's us, the British, who need to listen more to the Europeans rather than vice versa. For sure, there are problems with both of these two issues. The cookies directive is highly problematic, probably over-the-top, somewhat confused, and clearly very hard to work out in practice - which is why only three of the 27 member states had actually implemented it within the prescribed timescale. The right to be forgotten is ill-defined, also confused, and capable of producing over-emotional reactions - which is why I've blogged in the past about renaming and refocusing it - and clearly needs more thought. Both, however, exist for good reasons - and the problems with them should not blind us to those reasons.

The cookies directive was brought in because people are, justifiably, concerned about being tracked, profiled and monitored without their permission, knowledge or understanding. The right to be forgotten is being considered because people are, equally justifiably, concerned about the amount of data being gathered and held about them, and the purposes to which all this data is being put. These are genuine concerns, connected with real rights of great importance - and so far the internet industry and most governments (and particularly the UK government) have paid scant attention to them, and done little to allay our fears or deal with the problems. The European Parliament and Commissioner Redding understand those fears - and want to do something about it. Their reactions may not exactly work, and may even cause more problems than they solve - but they have at least tried to address the issues. Rather than react with disdain and superiority, it would be far better if our ministers listened a little more - and understood that they need to do something....

Dogs will be dogs...

2011-04-26T12:10:00.000+01:00

The growing furore over the gathering and retention of location data by smartphones reminds me very strongly of a joke that I heard first in the school playground many years ago. ‘Why does a dog lick his balls? Because he can.’

The same is true about smartphone operators. Why do they gather location data? Because they can. Technically, they can, because of the very nature of smartphones. Legally they can, because our laws over this kind of thing are obtuse and opaque – and because they understand the way they can get ‘consent’ through the small print of terms and conditions that no-one ever reads, let alone understands.

A lot of the discussion about the current furore has centred around the individual companies concerned, and brought out all the usual views of the merits or otherwise of Apple, Google and Microsoft – but whether you consider each of them to be fancified show-bred French poodles, friendly and loveable Labradors or ageing but far from toothless Rottweilers, they’re all dogs, and dogs will be dogs. Even the best behaved and most presentable show dog will lick his balls if he’s allowed to.

Three questions arise for me. Firstly, why are people surprised? Many people seem to be genuinely shocked by what has been revealed – even people who know a great deal about the subject. Is it really such a surprise? We’ve known about the capabilities of smartphones since they first emerged, and about the behaviour of all the companies involved for even longer. Dogs will be dogs.

The second question is whether any of it matters – and for me the answer is clear. Of course it matters, and matters a lot. That doesn’t mean that we need to panic, or need to throw our iPhones, Blackberries and HTCs in the nearest river – just that we need to aware of what is going on, and do what we can to ameliorate or manage the situation.

That brings me to the last question – what, if anything, can be done about it? Well, if we were talking about dogs, the answer would be simple: make sure they’re well trained, and well managed. If badly looked after, dogs behave badly. If they’re well trained, they can be very useful, helpful and excellent pets. They can help us in our personal lives, in our work and in many social situations – but you still need to train them and manage them. We need to do the same for the likes of Apple, Google and Microsoft. Show them who’s boss – using all the tools we can to do so. That means putting the right laws in place, but also using our powers as consumers, as advocates, and lobbyists.

If dogs know what they can do and what they can’t, they’ll behave much better. It's very hard to train a dog not to lick his balls - and probably just as hard to train companies like Apple, Google and Microsoft not to push the limits of privacy - but it can be done. We need to tell them that this kind of thing is not acceptable – and back up what we say with the law and with our money. If we don’t want our location data gathered, we need to be clear about it.

My personal view is that we have the right not to have this kind of thing happen to us - and that we need to proclaim that right (and other rights) loud and clear.

The real challenge for IT Lawyers: the law!

2011-04-21T08:25:00.000+01:00

Sometimes it's tempting for an IT lawyer - or rather an academic IT lawyer - to feel that things are moving essentially in the right direction, that the subject is getting more mainstream, more understandable - and more importantly, more understood. In some ways, of course, that's true - but in others, we need to remember that things are far from positive, and that in many ways the 'establishment' - the legal system, the politicians, even the public - still don't really 'get it' at all. Perhaps the most important of these is the legal system. To a significant extent it seems as though the legal system - and the law - is just completely out of kilter with the reality of the IT world, and in particular the internet.

A couple of things in recent weeks have driven that home to me. Neither was surprising, but both were disappointing, particularly to those of us interested in privacy and autonomy. First of all, there was the announcement that there won't be any prosecutions arising from the Phorm secret trials, something which has been greeted with dismay by privacy advocates. Secondly, and most recently, was the failure of the judicial review to overturn the Digital Economy Act.

In both cases, it's easy to see how the results came about - and indeed to argue that from a precise legal standpoint the results might have been technically correct. In both - and in the case of the Digital Economy Act in particular - it shows that the legal system really doesn't understand what's going on in the internet, and how our online world functions. The Digital Economy Act - in its provisions concerning the policing of illegal downloading - is so clearly inappropriate that it's hard to find an academic lawyer in the field who believes it's appropriate or proportionate, or even who believes that it stands any real chance of being effective. Precisely the opposite. It won't work. It misses the point. It will victimise the innocent. It shows a fundamental misunderstanding of both the nature of the internet and the habits of most of those who use it. It's such a bad law it just makes many of us shake our heads in disbelief.

The Phorm story is a little less dramatic, but demonstrates some similar features. The CPS have decided not to prosecute - and they may be right that there might not be much chance of a result. That, however, just reveals that our legal system doesn't have the teeth or the capability to deal with the reality of the internet - for what Phorm and BT did was something that the law should have been able to deal with. It was a serious invasion of privacy on a very serious scale - secretly tracking the entire internet activities of 30,000 people without their knowledge or consent - and yet the law seems to be incapable of dealing with it, incapable of providing people with the kind of protection that people need. The kind of protection that people have a right to expect. The law should do this - and in its current form it doesn't.

In the grand scheme of things, neither of these two incidents are likely to matter in the end. Despite the failures of the law, Phorm still failed, brought down by a combination of the privacy advocacy of such excellent groups as the Open Rights Group and the Foundation for Information Policy Research, interventions by the European Commission, and the belated intelligence of businesses like BT who withdrew their support as they began to understand how things really work. Similarly, the Digital Economy Act is likely to end up an irrelevance, as the people who it is intended to catch find ways to sidestep it, as further legal challenges arise, and as embarrassing prosecutions fail - and something that gets closer to understanding the reality of the situation is brought in to replace it.

It feels, though, as if the legal system needs to be dragged kicking and screaming into the modern world. That's the challenge for IT lawyers. People are thinking and writing interesting, informative and insightful things about the nature of the internet - but right now, it isn't being sufficiently read or understood, and certainly isn't finding its way into the mindsets of those creating or enforcing the law. It needs to be - for though other forces will (and have, in the case of Phorm) stop many of the worst things from happening, without the law being 'fit for purpose' everything is a struggle, and many people suffer along the way.

Let's forget the right to be forgotten...

2011-04-13T16:39:00.001+01:00

....and talk about the important part of that right in less emotive, less distracting, and more accurate terms. I'm not interested in rewriting or erasing history, I'm not interested in hiding my past - selectively or completely. I am, however, interested in cutting down the amount of data held about me for spurious purposes, and interested in having more control over what commercial enterprises do with the data they have on me. I don't want a right to be forgotten - I want a right to delete personal data!

I asked a question about this at the Westminster Media Forum a few weeks ago, and gave a presentation on the subject at BILETA in Manchester yesterday - but I think the subject needs more attention. At the Westminster Media Forum, there was a particularly acerbic attack on the right to forgotten by journalist Tessa Mayes, who seemed to think that the right was all about restricting journalists' rights to report on past events. At BILETA, even though I made the point very directly that the right to delete data isn't the same as a right to be forgotten, one of the biggest questions I got was actually exactly about how such a right would effectively mess up the historical archive that the internet provides. For me, the right to delete data isn't like that at all - but calling it a right to be forgotten can easily mislead people into thinking it is.

The right to delete, as I set it out in my presentation (slides of which are available by email), is something that allows individuals control over what data is held about them - but it has a number of specific exceptions, situations where data should be allowed to be kept, regardless of the desire of the individual concerned. They include examples such as medical records, criminal records, electoral rolls and so forth - and appropriate historical archives. All that should be clear - and should prevent the problems that would be associated with a real 'right to be forgotten'.

The point is, though, that those holding data should need to justify that holding - rather than the individual justify why they would like data to be removed. If there ARE good reasons to hold data, then say so. If not, then the individual should have the right to delete it. The key thing to understand, though, is that BUSINESS reasons - and in particular the fact that you can make money out of holding someone's data - are not sufficiently strong to override someones right to delete data. Privacy is more important than that.

Forgetting is important too - as Viktor Mayer-Schönberger has described so eloquently and compellingly in his excellent book Delete - but, as Mayer-Schönberger himself suggests, rights may not be the best way to bring it about. Talking about a bald 'right to be forgotten' doesn't really help either the understanding of what is a complex and important issue, or about dealing with the important both practical and ethical issues surrounding rights over personal data.

So let's forget about the right to be forgotten - but fight strongly for the right to delete personal data.

The ICO: between a rock and a hard place? Not really...

2011-03-22T18:06:00.000Z

In the last week I've been to two events in which representatives of the Information Commissioner's Office have spoken. First came the 16th March meeting of the Society for Computers and Law entitled 'Privacy by Design: Grand Design or Pipe Dream?' at which Steve Wood, the ICO's 'Head of Policy Design' spoke to a mixed group of lawyers of various kinds, some representing companies in the computing business. Then, on 22nd March, the Information Commissioner himself, Christopher Graham, spoke to the Westminster Media Forum, which was discussing 'Social media, online privacy and the 'right to be forgotten'.

On both occasions, the representatives of the ICO had a pretty rough ride, one way or another. At the first meeting, Steve Wood was given a hard time by people working in or for the people providing online services for the way that the ICO has dealt with the 'EU Cookie Directive', about which the ICO has recently issued a warning, suggesting that 'UK businesses must ‘wake up’ to new EU law on cookies'. To put it at its most basic, the ICO was being castigated for being too tough on the industry. Steve Wood's primary defence seemed to be 'don't shoot the messenger', and that all they were doing was following orders from the EU, though how well that defence went down with the audience seemed a little unclear.

At the Westminster Media Forum, the Commissioner himself had an equally rough ride - and I have to admit that I was one of those who asked him a question that was perhaps a little negative in angle, wondering why so little attention was paid to data minimisation by the ICO, despite it embodying some of the most fundamental principles of data protection. The reply I got was somewhat terse - but my question was one of the gentlest that the Commissioner had to answer. In effect, he was being challenged by privacy advocates, consumer groups and others (including Microsoft's Caspar Bowden) for not being tough enough on the industry.

So what are the ICO to do? One week they're attacked for being too tough on the industry, the next they're attacked for not being tough enough? Are either forms of attack fair or justified? Is there anything that the ICO can do to meet the expectations of both sides? Is the problem just an intractable one that can't be resolved?

As someone who's on the privacy advocacy side of the debate, I have a lot of sympathy for the ICO. They do a lot of good things, provide a lot of good guidance, and generally say the right things. They try to tread a delicate path between the industry and the people - and do their best to tread that path with care and without causing too many fights - and have asked (and now received) for some more 'teeth' to punish those who transgress and deter those who might be tempted to.

Still, however, I find myself wanting to criticise them quite a lot of the time, and find myself in general agreement with NGOs like Privacy International who wondered in February whether the ICO was fit for purpose. Why? Mostly, because the role I think they should be playing does not seem to be the role that they think they're playing. They shouldn't be playing a kind of conciliation service, working out compromises between the industry and the people - they should be on the side of the people first and foremost, and supporting those people's rights. We haven't got anyone else on our side - while the industry has huge amounts of lobbying power, together with the support of great ministries of government to whom trade and finance is the be-all and end-all. They also have the tacit support of large parts of the security lobby, who'd like as much surveillance and data retention as possible, as many back-doors into websites and social networks as possible, and would be happy for the industry to do the building, gathering and retaining of data for them.

So does the ICO need to be so careful not to upset them? I don't think so - they should be braver to speak out and upset companies when those companies need to be upset, and to challenge them when they need to be challenged. They shouldn't be ashamed of this - Steve Wood seemed highly apologetic at the SCL meeting, as if he was ashamed to acknowledge that, deeply flawed though the Cookie Directive may be, it was introduced to address a real issue, and a real issue that the industry had failed to address themselves. If the ICO ends up caving in on this issue too, it really will be showing that it's not fit for purpose...

Do we have a 'right to be found'?

2011-02-13T14:51:00.000Z

I've thought (and written) a lot about privacy and autonomy - but I'm fully aware that privacy and autonomy are not the only important human rights relevant to the internet. Indeed, they may not be the most important, particularly compared to freedom of expression – the internet is to a great extent a communications medium, and much of the current use of the internet relates to the expression of ideas, particularly in relation to what might loosely be described as the Web 2.0 applications: blogs, wikis, social networking and related services. Free expression can be considered another aspect of autonomy – what's more, the privacy-related threats to autonomy can have a significant impact on freedom of expression, not just directly (for example where a dissident blogger is tracked down and arrested as a result of breaches of privacy) but through the chilling effect – a kind of ‘Internet Panopticon’ effect – that the knowledge of the potential privacy-related risks can produce.

There are also, however, aspects to the issue of free expression that do not relate just to privacy. One particularly direct aspect relates to the functioning of search engines and other navigation methods through the internet. Does the creator of a website have a ‘right to be found’? That kind of a right wouldn’t mean that a site could demand special treatment from a search engine – but that the site should be able to be sure that it wouldn’t receive specially unfair treatment, and that a search engine should treat it on its merits, according the principles that are known and understood. Any kind of a right to free expression, in relation to the internet, wouldn't seem to mean much if what you express can't be found.

The implementation of a right like this would have particular difficulties in relation to the rights of the search engines themselves to trade secrets insofar as their search algorithms are concerned, but companies and the EC have already bitten the bullet sufficiently to take Google on in terms of possible biasing of search results in the ‘Foundem’ case and this kind of right would related directly to this kind of bias, as bias in favour of something is by its very nature bias against something else. Google have responded to that accusation in relation to Foundem by saying (amongst other things) ‘We built Google for users, not websites,' (see for example here) but in an increasingly personal internet, where users are becoming publishers, is that a sufficiently strong argument? If free expression is to be taken seriously, it may not be.

A ‘right to be found’ would be intended to prevent both bias and censorship – of the kind exercised by authoritarian regimes, for example – and would also have direct implications on the work of organisations like the Internet Watch Foundation, requiring them to be properly transparent and accountable, something that at present they generally seem not to be...

A Disinformation Age?

2011-01-26T20:18:00.000Z

Those of us who are fans of Silent Witness had a pretty traumatic beginning to the week. This week's show, which broadcasts its two-hour drama in two hour-long parts, one on Monday and one on Tuesday, included some truly traumatic stuff: those of us who watched on Monday night saw one of the three main characters, Dr Harry Cunningham, seemingly brutally executed, doused with petrol and then set on fire. It was very realistic - so much that someone naive like me was totally convinced, and even began to mourn poor Harry, my favourite character.

What has this got to do with the subject of this blog, and why have I called it 'the disinformation age'? Well, being a bit of a geek, my laptop was sitting on my coffee table as I watched the programme, and as the titles rolled at the end of the show, I found myself immediately looking on the web to try to find out what would happen next - being naive, it still hadn't occurred to me that Harry wasn't actually dead. I was wondering whether they were going to replace him, or whether this was going to be the end of the show, or something else dramatic. I couldn't find much directly, so I checked on the fount of all wisdom, Wikipedia. There wasn't much there, but there was a list of the main characters, and how long they had been in the show. Of the three main actors, William Gaminara was listed as being in the show '2002-present', Emilia Fox as '2004-present', and Tom Ward, who plays Harry, was listed as '2002-2011'. That last fact confirmed, it seemed, that Harry was dead, gone from the show....

Of course the BBC had done the usual kind of tricks to hide the fact that Harry wasn't actually dead - he didn't appear in the trailer for the second part, and the actor's name was conspicuous by its absence from the opening titles, so it was a solid shock when he did reappear, some time into Tuesday's episodes - and added to the fact that the previous episode had been full of flashbacks and dream sequences, it took some time to realise what was actually going on. That, however, is just ordinary broadcasting, and nothing that out of the ordinary. At the end of the episode, rejoicing at Harry's return, I went back to Wikipedia - and already the page had mysteriously changed, listing Tom Ward as '2002-present'....

So what was going on? Why do I call it the 'disinformation age'? Well, of course I don't know who edited the Wikipedia page - but if it was anyone connected to the BBC, I'm impressed. They had thought through how to really convince people that the character was dead, had understood what people like me were likely to do, and set out to create a perfect illusion - to supply the disinformation needed to complete that illusion. On me, it worked - though I know very well I'm naive in a lot of ways, and actually like to be convinced by this kind of thing - but there is a somewhat more sinister side to this. If illusions like this can be created for artistic reasons, aren't they equally likely to be created for other, less palatable purposes? And then what do we trust? 'Official' information? 'Trusted' sources? A combination of these? Could we be moving to an age where as much effort is put into the creation of false information as is put into the presentation of real information? A disinformation age?

One thing's for sure - I'll be even less trusting than I was before..... and that, in itself, may not be such a good thing. Mind you, I thought the week's Silent Witness was great!

IT law isn't simple....

2010-11-11T10:27:00.000Z

....but it's certainly seems to be newsworthy at the moment. In the last two weeks there seems to have been a deluge of new stories.

1) On the 28th October, there was a call for an 'internet bill of rights' in a parliamentary debate.
2) On the 2nd November, business minister Ed Vaizey suggested a 'mediation service' to deal with disputes about personal data held on the net.
3) Also on the 2nd November, the US Supreme Court began a hearing about violent computer games...
4) ....and Google put forward its proposed settlement over the Google Buzz privacy issue
5) ....and the busy Ed Vaizey put forward the suggestion of a new 'privacy code' for online businesses like Google and Facebook
6) ...while the case of the stabbing of MP Stephen Timms by a young woman who had been 'radicalised' by watching videos on YouTube sparked a little furore about why such things should be allowed online - this is just one piece about it from The Telegraph.
7) On the 3rd November the ICO issued its response to the Google Street View data gathering fiasco
8) ...followed almost immediately by a statement from five civil liberties groups (Privacy International, NO2ID, Big Brother Watch, Action on Rights for Children, and Open Rights Group) suggesting that the ICO's action on this issue (and indeed on many others) makes it 'not fit for purpose'.
9) On the 4th November, Prime Minister David Cameron spoke in East London about making that region the 'new silicon valley' - and, amongst other things, about making our copyright laws 'fit for the internet age'.
10) ...and the European Commission launched its proposals for a 'comprehensive approach on personal data protection in the European Union'.
11) On the 8th November, Google announced it was shutting off its data feeds to Facebook...
12) And yesterday it was announced that BT and Talk Talk had been successful in getting a judicial review of the Digital Economy Act.

Lots of news - but what does it all mean? Firstly, that the subject really is current, and of increasing importance. In these two weeks we've had a statement from the prime minister, we've had a hearing in the US supreme court, , we've had one of the biggest players in the internet world Google, involved in three different ways - four if you blame their YouTube service for hosting the radicalising videos - and we've had the European Commission making what could be a very significant statement.

Secondly, that the situation is far from simple - and that the 'regulatory matrix' is complex. The differing relationships between the different interested parties have all come into play. We've had civil liberties groups challenging a regulatory body, we've had companies challenging the law, we've had questions in parliament, we've had a spat between probably the two biggest players in the internet world, we've had a class action against a company (Google), we've had interventions from regulatory bodies and politicians.

This lack of simplicity is the key - as Andrew Murray highlights in his theory of Symbiotic Regulation (in his excellent book The Regulation of Cyberspace). All these different relationships - between politicians, the judiciary, companies, civil liberties groups, and, of course, individuals - have their part to play in what happens on the internet from a regulatory perspective. It makes it complex - but it makes it interesting. And, at times like these, it makes it news!

Opting out of Street View....

2010-10-21T15:06:00.001+01:00

Nearly 250,000 Germans have 'opted out' of having their homes visible when Google's Street View comes online, though Andreas Türk, Product Manager for Street View in Germany, has admitted that some of those homes will still be visible when the service comes online, which will be some time in the near future, as the process is complex and not all instructions were clear. His blog here provides the explanations.

It's an interesting figure - is 250,000 (or, to be more precise, 244,237) a large number? As Andreas Türk says, it amounts to 2.89% of those who could have objected, and the argument can be made both ways. Google might argue that it means that the vast, vast majority don't object to Street View, so their service has some kind of overall 'acceptance' or even 'support' by the populace. Privacy advocates might say the converse - in absolute terms, 250,000 is a LOT of people. If you had 250,000 people marching on the streets with banners saying 'NO TO STREET VIEW' it would make headline news, certainly in Germany, and probably throughout Europe.

Both sides have a point: 2.89% isn't a very large proportion, but 250,000 is a lot of people, and when you look closer at the process I suspect that the privacy advocates have a stronger position. Given that the opt-out required an active process (and Google say that 2/3 of those who objected used their own online tool to do so) it does suggest that quite a lot of people care about this. If the reverse system had been in place - and you had to actively choose to HAVE your home 'unblurred' on Street View, what kind of figures would you get? Would more than 250,000 have gone through a process to make their houses visible? I doubt it....

...and what of the rest of us? Germans got a choice because their government made a point about it, and demanded that Google give them the choice before the service went active. As the BBC reports, other governments have made other kinds of objections, but none have been given the choice that the Germans have had. As I've blogged before, Germany has a pretty active privacy lobby, so it's not surprising that they are the country that has taken this step - what would the result have been if the option had been given in the UK? Or the US? Probably not as dramatic as the German result - which makes me wonder whether Google has missed a trick by not providing the option elsewhere. If they did so, and an even tinier fraction than the 2.9% in privacy-aware Germany objected, they might be able to be even bolder about proclaiming that people love Street View.....

How personal is personal?

2010-10-07T12:35:00.000+01:00

The Register is reporting that the ICO wants a clearer definition of what consititutes 'personal data' - and it is indeed a crucial question, particularly under the current data protection regime. The issue has come up in the ICO's response to the Government consultation on the review of the Data Protection Directive - and one of the key points is that there is a difference between how personal data is defined in the directive and how it is defined in the UK Data Protection Act. That difference gives scope for lots of legal argument - and is one of many factors that help to turn the data protection regime from something that should be about rights and personal protection into something often hideously technical and legalistic. The ICO, fortunately, seems to recognise this. As quoted in The Register, ICO Deputy Director David Smith says:

"We need to ensure that people have real protection for their personal information, not just protection on paper and that we are not distracted by arguments over interpretations of the Data Protection Act,"

That's the crux of it - right now, people don't really have as much real protection as they should. Will any new version of the directive (and then the DPA) be any better? It would be excellent if it did, but right now it's hard to imagine that it will, unless there is a fundamental shift in attitudes.

There's another area, however, that just makes it into the end of the Register's article, that may be even more important - the question of what constitutes 'sensitive personal data'. Here, again, the ICO is on the ball - this is again from the Register:

"The current distinction between sensitive and non-sensitive categories of personal data does not work well in practice," said the submission. "The Directive’s special categories of data may not match what individuals themselves consider to be ‘sensitive’ – for example their financial status or geo-location data about them."

The ICO go on to suggest not a broadening of the definition of sensitive personal data, but a more 'flexible and contextual approach' to it - and they're right. Data can be sensitive in one context, not sensitive in another. However, I would suggest that they're not going nearly far enough. The problem is that the idea of the 'context' of any particular data is so broad as to be unmanageable. What matters isn't just who has got the data and what they might do with it, but a whole lot of other things concerning the data subject, the data holder, any other potential data user and so on.

For instance, consider data about someone's membership of the Barbra Streisand fan club. Sensitive data? In most situations, people might consider it not to be sensitive at all - who cares what kind of music someone listens to? However, liking Barbra Streisand might mean a very different thing for a 22 year old man than it does for a 56 year old woman. Extra inferences might be drawn if the data gatherer has also learned that the data subject has been searching for holidays only in San Francisco and Sydney, or spends a lot of time looking at hairdressing websites. Add to that the real 'geo-tag' kind of information about where people actually go, and you can build up quite detailed profiles without ever touching what others might consider sensitive. When you have all that information, even supposedly trivial information like favourite colours or favourite items in your Tesco online shopping could end up being sensitive - as an extra item in a profile that 'confirms' or 'denies' (according to the kinds of probabilistic analyses that are used for behavioural profiling) that a person fits into a particular category.

What does all this mean? Essentially that ANY data that can be linked to a person can become sensitive - and that judging the context is so difficult that it is almost impossible. Ultimately, if we believe that sensitive data needs particular protection, then we should apply that kind of protection to ALL personal data, regardless of how apparently sensitive it is....

Every which way to lose your data...

2010-09-30T21:02:00.003+01:00

The ACS 'data leak' story that's been emerging fairly dramatically over the last couple of days has got pretty much everything you could hope for in this kind of story: a bit of porn, a bit of piracy, some hacking, threats of huge fines, legal action and so on. It's already been widely reported on - Andrew Murray's blog on the subject gives an excellent description of what ACS do, and how this whole thing has to a great extent blown up in ACS's face. As he explains, it's a prime example of how symbiotic regulation works - and why the law is not the only thing that matters when regulating the internet.

There is, however, something else that is very graphically demonstrated by the whole saga - how many different ways your personal data can be at risk. This small story alone demonstrates at least five different ways that personal data can be vulnerable:

To monitoring and tracking - the initial data about the supposed copyright infringers was obtained by monitoring traffic on the internet.
To 'legal' attack - ACS initially got a court order to demand that the ISPs involved (we know about BT, Sky and PlusNet in this case) disclose the personal details of the account holders suspected of copyright infringement, based upon this monitoring.
To human error - BT have admitted that they sent this personal data on an unencrypted Excel file attached to an ordinary email, in breach of their official policies and practices.
To hacking - at least this is part of what ACS have claimed - that their systems were hacked into in order for the data to be obtained in order to be leaked.
To deliberate leaking - precisely who did the leaking is far from clear, and who wished for the data to be leaked, but there is certainly a possibility that someone wanted the names to be out in the public domain.

Of course the data itself is far from reliable. It is just the details of the account holders that are suspected of being used to share illegal content, without there being any direct evidence that the people themselves did the sharing - which brings even more dimensions of vulnerability into play: confusion, mistaken identity, even things like defamation by implication could come into play. If your name is on the list, you're not only being labelled a lawbreaker but a consumer of porn - and it might very easily not have been you doing it at all. Other people might be using your account, perhaps without your knowledge, perhaps without your permission, perhaps without your understanding.

Simon Davies, of Privacy International, quoted in the BBC, said that 'You rarely find an aspect where almost every aspect of the Data Protection Act (DPA) has been breached, but this is one of them'. It's also true that almost every aspect of data vulnerability has been demonstrated in one fell swoop.

Perhaps an even more important point, however, is the way that personal data - and individuals' privacy - is viewed almost as 'collateral damage' in the ongoing battle between the entertainment industry (and their hired guns like ACS:Law) and the 'pirates'. From the outside it looks as though as far as the 4chan hackers and ACS:Law are concerned, it's that battle that matters. ACS:Law wants to 'get' the pirates, while the 4chan hackers want to 'get' ACS:Law and to 'win' the war with the entertainment industry for the 'cause' of free and unfettered file-sharing. The fact that some 13,000 individuals have had their personal data released into the public domain and face all kinds of possible consequences from embarrassment (or humiliation) to legal action onwards seems somehow less important. Sadly it often seems to be that way. Privacy is squeezed by politics, law, business and a whole lot more. Every which way, privacy loses.

No more place for privacy?

2010-09-18T18:56:00.000+01:00

With the launch of Facebook Places in the UK, 'location' services have really hit the mainstream. With Facebook Places, people can 'check in' to indicate exactly where they are to their 'friends' (and probably quite a lot of others too, unless they're very careful). It's another step - and perhaps a very big one - along a path that some might suggest has an inevitable outcome: the end of privacy, at least as we know it.

Scott McNealy, CEO of Sun Microsystems, told journalists, way back in 1998 that “You have zero privacy anyway, get over it.” Others, most recently and persistently Mark Zuckerberg, co-founder and CEO of Facebook, have suggested that the whole idea of that is simply outdated and now irrelevant – people just don't care about it anymore.

Are they right? Is privacy dead - or at least dying? Should we just 'get over it', join all those many millions of happy Facebook customers who don't care about privacy, and start enjoying all the advantages of having a truly 'transparent' life? Embrace such wonders as Facebook Places, and enjoy the pleasures of meeting people for coffee in unexpected places just through the medium of our smartphones - after all, it's so much more convenient than having to call and arrange things. Of course there's an obvious possible downside - but burglary's not much of a danger as long as you have state of the art security systems, or a ravenous Rottweiler, or employ someone to housesit whenever you're out.

That, however, is just the simplest and most obvious problem. The other, less obvious, but ultimately more important issue is what happens to all the data about where you are, where you've been, and so forth. The possibilities of using this data for profiling - and eventually predictive profiling - are immense, which presumably is why Facebook and many others are introducing products like this. They'll be able to learn even more about you than they already can.

Do we care? Zuckerberg would suggest not, but there isn't much evidence to back up his claims. McNealy would say that it doesn't matter whether or not we care, there's nothing we can do about it. Personally I don't think either of them are right. Events like the fall of Phorm and Facebook's own forced abandonment of their Beacon system, and the 30,000+ Germans who put their names to a challenge to data retention legislation, all suggest that there is still an appetite for privacy - and for some more control over what's going on.

Will Facebook Places be a huge success? Will people just embrace it, without considering the downsides? It will be an interesting test....

A creditable approach?

2010-08-10T10:55:00.000+01:00

Is the new UK government 'privacy friendly' after all? Some of the early signs have been very promising - from the headline-grabbing cancellation of the ID card programme onward - but the latest news out of Downing Street should start certain alarm bells ringing.

David Cameron's announcement of a new 'crackdown' on benefit fraud might be politically simple and far from contentious on the surface - indeed, the early reports in various news sources focussed on the ideas that few could complain about, as 'everyone' knows that benefit fraud is 'a bad thing' - but the ideas that lie beneath the surface are potentially far more contentious, even dangerous. The key is the way that the 'crackdown' is to be performed: through the use of data from credit agencies. As Cameron put it "Why should government not use the same tools that are available to independent organisations?" Why indeed? Well, the one question begs another - are those tools, available to and used by independent organisations tools that should be used at all?

Credit agencies gather data on people and use that data to help other organisations make decisions that have a real, concrete impact on those people - and yet we really know very little about how they work and have very little control over how they work. What is clear is that they work through the gathering and analysing of data - data gathered from a whole variety of sources. Whether and how that data should be gathered and used is something that has not really been up for debate on a serious scale - and here we have David Cameron's government simply assuming that the use of the data is OK, and indeed endorsing its use. More than that, they're offering a potentially very lucrative contract to the credit agencies, offering even more incentive for them to gather more and more data about more and more people. Is that something that should be encouraged?

Benefit fraud has always been an easy target - one popular with politicians and tabloids alike - but is this just a starting point for more government use of this kind of data? And other kinds of data? A government who looked (and proclaimed itself to be) in favour of privacy and autonomy is taking quite the opposite approach with this announcement. Not a creditable approach at all.

Quality matters!

2010-07-11T10:57:00.001+01:00

Momentum seems to be building for the idea that internet access is a universal right - and more than that, that high quality internet access is a universal right. As seems often to be the case in the digital world, the lead is coming from Scandinavia - Finland have made broadband a 'legal' right, according to a report in the BBC. From the 1st of July 2010, every Finn has the right to access to a 1Mbps (megabit per second) broadband connection. As reported by the BBC, Finland's communication minister Suvi Linden sad that "We considered the role of the internet in Finns everyday life. Internet services are no longer just for entertainment."

That much is becoming clearer and clearer. We need internet access for proper access to government services, we need internet access to get the best prices for goods and services - indeed, there are some goods and services that are almost impossible to get without access to the net. We need internet access for access to information and news - and we need information and news if we are to fully participate in our society. What the Finnish government have realised is that it's not just 'access' that matters, but the quality of that access, if some of the 'digital divide' issues are to be dealt with - and that, surely, is what really matters.

From a human rights perspective, what is needed is an infrastructure that allows all people to fully participate in society. Making access to broadband a legal right doesn't just mean giving people the right to download music or watch YouTube videos fast, it means that they have an opportunity to take advantage of the huge benefits that the internet can bring - benefits that those on the 'advantaged' side of the digital divide are already enjoying. Try searching for legal advice as to your rights as an employee when your job is under threat - as so many are in the current economic climate - and you soon discover why broadband is important. If you have to sit there waiting and waiting when you don't even know what you're waiting for, it's all too easy to give up - and hence not to discover what your rights might be.

The Finns have taken the lead - but others will follow, and it is to be hoped that they will follow not just with bland statements or aspirations, but legal rights.

Why make privacy complicated?

2010-05-22T19:02:00.000+01:00

The current 'row' about Facebook's privacy settings, and the similar 'affair' about privacy on Google Buzz raise one significant question: why do companies like Facebook and Google make privacy so complicated? That, it seems, is one of the key problems, particularly in Facebook's case. According to the New York Times, Facebook's privacy policy has 50 different settings and 170 options, and the policy is longer than the US Constitution - closing in on 6,000 words.

Why? Is it complicated simply because privacy itself is complicated? Well, it's certainly true that privacy isn't as simple and clear cut as some might imagine, but does that really mean that privacy policies, and privacy options need to be so complex as to require a law degree to even begin to understand? It's hard to justify - and for companies that demonstrate immense creativity when it comes to designing new products and services, and excellent ways to make those products and services simple to use and easy to understand, it does seem quite surprising that they can't make their privacy policies easy to understand and their privacy options simple to use. They have the experience and the expertise to find a way - if they really want to.

So why don't they? Two reasons immediately spring to mind, one simple and in some ways reasonable, the other much more pernicious. The first is that until recently they simply didn't care enough about it - and didn't think their users cared enough about it. A privacy policy was something that only concerned lawyers (to cover their potential liabilities) and geeks (who are those who bleat on about privacy), and lawyers and geeks don't need things to be simple to understand and use - they need things to cover all the relevant issues in a logical and coherent fashion.... which leads to documents the size of the US constitution and 170 options and 50 different settings. What's more, they want their creative minds and experienced programmers to be working on the 'important stuff', not wasting time and money on something like privacy policies that no-one really care about. So, from a business point of view, putting effort into making privacy simple and understandable would be wasteful. And boring, too, for the creative people.

The second possible reason is far more shady - maybe they want to make privacy complicated because they don't want people to know what they do and what the implications are? If an ordinary user has to wade through a document the size of the US constitution, and spend their time choosing between 170 options and 50 settings, the chances are that they simply won't bother. And if they don't bother, and leave the settings on what Facebook choose as the defaults, then everything's much happier, at least for Facebook.

I wouldn't like to suggest that the second is true - the first is far more likely. However, if the second does have an element of truth to it, we might start to see that over the next year or two. Public interest in privacy appears to be growing - the question is how companies like Facebook respond to it. If things change, and change quickly, that would tell us a lot. If they don't, and if there is more prevarication and less action, that would tell us something else entirely.

The politics of privacy - does privacy matter?

2010-05-10T10:56:00.001+01:00

A few weeks ago I attended Privacy International's 20th anniversary party - a fascinating event, celebrating a truly admirable organisation which has done sterling work over the last twenty years, from a time when privacy seemed to be very much a 'niche' subject, one that most people didn't think mattered much at all. Over the last few years, however, that seems to have changed - privacy issues regularly make headlines, from lost data to the sell-out of Chinese dissidents, from ID cards to data retention. Emphasising that, one of the two keynote speakers at the party was Nick Clegg - and this was BEFORE the first of the UK's leadership debates, so before Clegg had etched himself on the public consciousness. He spoke powerfully, quite eloquently, and fairly passionately about privacy - and at the same time, since he and we all knew that the election was just aroung the corner, he used the occasion as an 'electoral address', suggesting that his party, the Lib Dems, was the best party for privacy, and would protect all our rights much better than the other two. No to ID cards. No to centralised databases for Data Retention. No to fingerprinting our children....

....well, now he's become the 'kingmaker', it will be interesting to see how high up his agenda privacy really is. Is it one of the points he makes to his potential coalition partners? Will he get his way? It's a very interesting test of both his political will and his judgment as to the views of his supporters. We should know in a week or two....

The business of rights...

2010-04-06T09:56:00.002+01:00

Today sees the second reading in the House of Commons of the Digital Economy Bill, something I've mentioned in my blog more than once before. It is a bill that has been much discussed by privacy advocates and in the media, but that to the frustration (or even fury) of many is likely to get very little discussion time in the House of Commons, but rather be rushed through in the run up to the coming General Election. Even so, it is a very hot topic, and is very much in the news - and in the newspapers. Today, in advance of that second reading in the house, both 'sides' of the debate have taken out full page advertisements in the UK's national press. The trade union-led Creative Coalition Campaign (CCC) has come out in support of the bill, with their full page advertisement in the Guardian talking of job losses if the bill isn't passed, while the Open Rights Group and digital campaigners 38 Degrees have taken out their own ads, funded by donation, in both the Guardian and the Times, in opposition to the bill. A big fight - with the industry taking the canny approach of using the 'jobs' and leaving it to the unions rather than being seen so directly as the big, bad, business wolf, the pantomime villains of the piece, the enemies of 'rights'.

It does seem that all too often the positions become polarised, and what should be negotiation for mutual benefit ends up in conflict. The story surrounding music is a prime example - the digital revolution should (and does) represent a vast opportunity for both the music industry and for individual consumers and creators of music, and yet what we have is a series of law suits and a big and often very antagonistic conflict. What's happening with music is echoed almost everywhere else - with privacy advocates in conflict with the big boys of the internet world like Google, Microsoft and Yahoo over their data gathering and retention practices as another clear example. Does it have to be that way? Of course a certain degree of tension is inevitable - and indeed in many ways beneficial - does business really have to be 'an enemy' of individual rights? Sometimes it seems that way. I recently attended a lecture given by an expert practitioner in the field of Data Protection - he was talking to students about the realities of a career as a data protection lawyer. He was in most ways a very good and very positive person - and yet to listen to him it was clear that from the perspective of both businesses and the lawyers who work for business that data protection was seen as a barrier to be overcome (or even sidestepped or avoided) rather than in any sense a set of positive principles that could (or should) be for the benefit of the individual data subjects or indeed for society as a whole. From his perspective, rights weren't a beneficial thing so much as something that gets in the way of an enterprise's opportunity to make a profit.

From the other point of view, privacy advocates sometimes seem to take an equally antagonistic approach - and if you view someone as an enemy, they may find it all to easy to slip into that role. Attack someone and they are quite likely to defend themselves. It may seem necessary - indeed in the short term and in specific situations it may BE necessary - but in the long term, surely both sides would be better off looking at it from a more cooperative and positive perspective. Advocates might find it a better way to get what they want - and industries might find themselves new, better and more sustainable ways to build their businesses.

How to do this is the big question - we seem to know very well how NOT to do it, but not have much of a clue of the reverse. The starting point, however, has to be more talking. The idea of rushing through the Digital Economy Bill is the exact opposite of that. The government is effectively saying that enough discussion happened in the House of Lords, and so we don't need to talk more about it in the Commons. That can't be right, can it? We have two Houses for a reason - and the Commons is supposed to be the place where the people are represented. If the music industry wants these proposals to work, it ultimately needs to get the people on its side - and if it wants that, it needs to be willing to talk about it, and to see things a little more from the people's point of view. That, at the very least, would be a start.

Consent: a red herring?

2010-03-23T09:25:00.003Z

I asked Peter Fleischer, Google's Global Privacy Counsel, a question about 'opt-in' or 'opt-out', in a panel session at the Computers, Privacy and Data Protection Conference in Brussels in January, to which he gave an interesting answer, but one that was greeted with more than a little dismay. In essence, his answer was that the whole question of 'opt-in/opt-out', and by implication the whole issue of consent, was a bit of a red herring. Unsurprisingly, that was not a popular view at a conference where many of the delegates were privacy advocates - but he did and does have a very good point. He went on to explain, quite reasonably, that if someone wants something online, they'll just consent to anything - scrolling down through whatever legalese is put in the consent form without reading it, then clicking OK without a second thought, just to get at the service or website they want. And he's right, isn't he? That IS what we all do, except in the most exceptional circumstances.

The question, then, is what can or should be done about it. Peter Fleischer's implication - one shared, it appears, by most in the industry, is that we should realise that emptiness and unhelpfulness of consent, and not bang on so much about 'opt-in' or 'opt-out'. We're missing the point, and barking up the wrong tree. And, to a certain extent, I'm sure he's right. As things stand, consent, and opt-in, and not really very helpful. However, it seems to me that he's also missing the point - whether deliberately, as it suits the interests of his employers to have opt-out systems and allow such things as browse-wrap consent on the net, or because he thinks there's no alternative, I wouldn't like to say - in the conclusions that he draws, and the suggestions as to what we do next.

If consent, in its current form on the net, is next to meaningless, rather than abandoning the concept as useless wouldn't it be better to find a way to make it more meaningful? This is something that many people are wrestling with - including the EnCoRe (Ensuring Consent & Revocation) group - and something I shall be presenting a paper about at the BILETA conference in Vienna next week. The way I see it, the internet offers unprecedented opportunities for real-time communication and interaction, for supplying information and for allowing users choices and options - shouldn't there be a way to harness these opportunities to make the consent process more communicative, more interactive, more 'real-time', and to give users more choice and more options?

Peter Fleischer's employers, Google, actually do some really interesting and positive things in this field - the Google Dashboard and Google's AdPreferences both provide information and allow options and choices for people whose data is being gathered and used - the next stage is for these to be given more prominence, for right now they're pretty hidden away, and it's mostly just the hackers and privacy advocates that even know they exist, let alone use them well. If they can perhaps Google can help consent to become much more than a red herring, and instead part of the basic process of the internet.

Now we're all at it... especially the good guys...

2010-03-18T10:56:00.001Z

It's not just the German government who are using illegally acquired data to root out tax evaders - the latest revelation is that both the French and the UK Government are doing it to. A report from the Sunday Times, available online here, has revealed much more detail - and in particular that HMRC in the UK is very enthusiastic about getting hold of this illegally acquired data. A senior tax official is quoted as saying "It’s fair to say that the prospect of getting hold of this information has generated some excitement here."

The whole thing raises a lot of issues - some of which I mentioned in my post of 7th March - but the German, French and UK governments are all seemingly happy to do it, and at least so far there seems to be very little resistance or outcry about their tactics. The ends justify the means, perhaps. Personally, I don't think so, and an experience I had in the classes I teach (Information Technology & the Law) suggested to me why. The class was about surveillance in the digital environment, and we were discussing the nature of enhanced CCTV, and how it, combined with information from systems like Oyster Cards, could allow coordinated tracking of individuals. I teach three classes, with a mix of different individuals with very different backgrounds. In the first class, the reaction to this kind of tracking could be described as general interest, but nothing more. In the second, it might even be described as enthusiastic - with some agreement with the view of a Police CCTV Liaison Officer that "The cameras are there to help the police and to protect the community. There is no way anybody should be afraid of them unless they have something to hide."

The third class was different - the first person to speak had a reaction that I hadn't really heard in the first two classes. His immediate response was that he didn't want the government to be able to track him - and when asked why, he almost laughed, because to him it was so obvious. Why was it obvious to him, and not to the others in the previous classes? Because he happened to have experience of living in a country with what is close to an authoritarian regime. People who live in those circumstances are naturally and appropriately more likely to be suspicious and distrustful of government motives.

Here in the 'safe' West, where the governments are suspected much more of incompetence than evil, we don't really seem to care that much about things like this. Right now, we seem to mostly 'trust' our governments, and imagine that they will only use the powers we grant them (or allow them to take for themselves) for good purposes - like catching tax evaders, or tracking terrorists. We rarely imagine that they might end up using them for entirely different purposes, purposes for which we would have much less sympathy. What would it take to make us realise the risks, let alone take them seriously? It would be nice to think that we could do so before they are taken too far.

Digital Economy Bill passes the Lords...

2010-03-16T12:06:00.003Z

Just a brief note - further to last week's post, the Digital Economy Bill has now passed its third reading in the House of Lords, and is expected to be rushed through the commons before the election (see the BBC report here). Do people really understand what's happening here? And more to the point, even if they do, do they care? There will be active campaigning against it for sure - not least by the Open Rights Group - and it will be interesting to see how much opposition to the disconnection provisions can be raised in the face of the Government's clear desire to get it done quickly. Will the UK demonstrate the kind of 'active community' that worked so well in Germany to deal with their data retention laws, as I mentioned a couple of weeks ago?

I certainly hope so - and at a time when an election is looming, the government should certainly be responsive to signs of popular resistance. Are we in the UK ready to stand up for freedom on and with the internet? Time will tell...

All hail the Internet?

2010-03-11T13:20:00.002Z

Two stories this week have emphasised the importance of the Internet in today's world.

The most recent, and perhaps the strangest, is the news that the Internet has been nominated for the Nobel Peace Prize, in a campaign mounted by Wired Italy - this is how the English language version of Wired is reporting it. Of course there have been stranger (and much more controversial) nominations over the years, but even so it does seem an unusual, though far from unwelcome suggestion. The Internet can be (and at times has been) a wonderful tool for peace. As said Riccardo Luna, editor-in-chief of the Italian edition of Wired magazine puts it: "The internet can be considered the first weapon of mass construction, which we can deploy to destroy hate and conflict and to propagate peace and democracy. What happened in Iran after the latest election, and the role the web played in spreading information that would otherwise have been censored, are only the newest examples of how the internet can become a weapon of global hope."

The second story comes from the BBC World Service, who commissioned a poll, covering more than 27,000 people in 26 countries across the digital divide which came up with some headline grabbing statistics, the most notable of which was that across the world, almost 80% of people now regard Internet access as a basic human right. There are many highly revealing findings, both on a country-by-country basis and giving more of a global picture, but the headline figure is certainly something about which we should stop and think. Internet access a basic human right, comparable with electricity and water? And this is something believed not just in technologically advanced countries, but right across the digital divide - countries such as Mexico, Brazil andTurkey most strongly supporting the idea of net access as a right.

So, two stories, one suggesting that the Internet should be considered for the Nobel Peace Prize, the other suggesting that access to the Internet is a fundamental human right - and what do we have happening in the UK, and seemingly quite likely to become law, but the idea of restricting or even cutting off internet access for people caught illegally file-sharing, in the shape of the Digital Economy Bill. Cutting off a fundamental human right, for something that, though illegal, is hardly of the most egregious of crimes, doesn't exactly seem proportionate. Though people like Ian Livingston, British Telecom's Chief Executive, who has publicly raised his concerns about the Bill, along with various other industry leaders (including representatives of BT, Virgin Media, Carphone Warehouse and Orange) may have a clear vested interest in opposing these terms within the Bill, it is certainly something that many more of us should be concerned about.

The good, the bad and the ugly side of privacy in Germany

2010-03-07T21:47:00.001Z

Privacy advocates in the UK sometimes look across at Germany in wistful admiration - but is the story quite as rosy for privacy in Germany as it sometimes appears? Perhaps not, for though one recent event has shown Germany in its best light, as a beacon for privacy rights across Europe, another has demonstrated the opposite. Even Germany has an ugly side to how it deals with privacy.

First for the good. As reported widely (and in this case in out-law.com), this last week Germany's highest court has suspended that country's implementation of the EU Data Retention Directive by ruling that it violates citizens' rights to privacy. This suspension comes after a class action suit brought by 35,000 German citizens - a level of citizen activity that would be close to miraculous in the UK, particularly for as issue such as privacy. The law by which the German government implemented the Data Retention Directive has been found unconstitutional, failing to include enough safeguards for the privacy of the individuals that is required under Germany's constitution. A victory for privacy, albeit neither a complete nor a permanent one, since the court did not say that it would be impossible to implement the Data Retention Directive in a constitutionally acceptable way, just that this particular implementation was unconstitutional. Nonetheless, it is something about which German privacy advocates will feel justifiably proud - and many in other countries in Europe will hope signals changes elsewhere. It is hard to imagine, however, that it will be possible to achieve a similar result in the UK.

Then for the bad - or at least the ugly. A story reported far less widely, at least in the UK, is emerging concerning the German government's use of data concerning the use by German citizens of Swiss banks for the purposes of tax evasion. This data has been acquired through various methods, most of which would probably be considered illegal - certainly from the perspective of the Swiss banks. Reuters has reported on the subject - it is a somewhat complex story, but the essence of it is that private data, detailing the banking activities of German citizens, has been offered for sale to a number of German states. Some of that data may have come from insider whistle-blowers, but some has also come from hackers - and earlier this year the German Federal Government gave states the go-ahead to buy the data if they want, whether or not the data has been obtained illegally. At least one state, the State of North Rhine-Westphalia, has bought the data, and is using it to flush out tax evaders. As Reuters reports, nearly 6,000 German tax evaders have 'owned up' to the tax evasion as a result of this evidence - and more could still be about to come out of the woodwork. As DSTG head Dieter Ondracek said, "If we get a signal from the politicians that it'll only be possible for people to come clean this year, then we could have another 5,000 doing so with corresponding additional revenues," Ondracek told Reuters. "Then a billion euros could be possible."

This is not the first time that Germany has bought illegally acquired private data. Two years ago, something similar happened with bank data from Lichtenstein, effectively forcing the principality to relax its previously stringent bank secrecy laws. The current affairs over Swiss banking data might have a somewhat similar effect over the banking rules in Switzerland, though that of course could be a long way away - though already the Swiss have complied with a US request over tax evasion, and as reported in Reuters, Switzerland's justice minister questioned on Sunday whether tax evasion should continue to be treated as a misdemeanour rather than a crime.

It is hard, of course, to generate much sympathy for people evading tax through the use of bank accounts in Switzerland - but that should not blind us to the significance of the events that are taking place. It's not so much the nature of the data that's significant, but the way in which is has been acquired. Getting data through the use of official requests from one government to another, as in the case of the US, is one matter, but paying money for data acquired illegally, and quite likely through hacking, is quite another, and sets a very uncomfortable precedent. Moreover, it provides a new and potentially large incentive to hackers to go after this kind of data. And if this kind of data, why not other data? Aside from the obvious problems of Germany's potential obligations as a signatory of the Cybercrime Convention, there is an awkward parallel here with another recent event - the enormously publicised hacking of the gmail accounts of Chinese dissident groups. The Chinese government of course vigorously denies any involvement in the hack, but if it were to be offered data on illegal groups acquired by hacking, how different would it be for the Chinese government to buy it from the German government's buying of this Swiss banking data?

From the perspectives of the two governments, they're just seeking to root out people involved in illegal activities - for the Germans, tax evaders, for the Chinese, people involved in subversive (and illegal) activities. And in both cases, the fact that it might be possible to make money from selling this kind of data cannot help but be an incentive to try to acquire it. People in the West may have much more sympathy for Chinese dissidents than they do for German tax-evaders, but in some ways the principles are very much the same. Do we really want to set that kind of precedent?

Welcome

2010-03-06T09:43:00.000Z

Welcome to the Symbiotic Web blog... where I will post thoughts and stories relating to privacy, autonomy and the web, and in particular concerning stories related to the idea of the symbiotic web. This will be an occasional blog - when stories arise, rather than regular. The contents will mainly be musings and suggestions, and will in general represent my opinions and views rather than academically rigorous research!