In my name?

I don’t usually write personal blogs – but something’s about to happen that I feel I really want to write about.

My grandfather was JD Bernal – he was quite a famous figure in his day, a scientist of great reputation, one of the pioneers of X-ray crystallography and the mentor of, amongst other Nobel Prize winners, Max Perutz and Dorothy Hodgkin – his Wikipedia page (here) is a reasonably accurate reflection of his life and significance. He was ‘one of Britain’s best known and most controversial scientists’ to quote that page. He was controversial primarily because of his politics – he was an unashamed communist, right until he died in 1971.

His political activism shaped his life – and his work. Some of his best writing was as much political as scientific – The Social Function of Science and Science in History give you a flavour of what he was interested in.

He spent the latter part of his career as a professor at Birkbeck – and since he died, there has been an annual ‘Bernal Lecture’ in his name. The speakers are generally either scientists or people with some connection with the kind of radicalism and progressiveness that my grandfather was associated with. Two years ago we had another Nobel Prize winner, Harry Kroto, and last year Professor Jim Al-Khalili on the hidden history of Islamic Science.

This year, we had a surprise: a ‘hush-hush’ email arrived, telling us that the speaker was going to be a government minister, but that we weren’t allowed to know who, and shouldn’t tell anyone for ‘security’ reasons. At the best of times the idea of a government minister as speaker would be highly suspect – but this government? A government that has presided over some of the worst decisions for universities in living memory – and one that seems to regard education and science as only tools for generating cash and supporting business.

The speaker, it turns out, is David Willetts – ‘Two brains’ – and relative to others in the cabinet he’s probably one of the most open and the most interesting. It might at least be an interesting debate, a chance for the more radical people who still remember my grandfather to question government priorities – but no. We’re not allowed to know the title to his talk, he won’t be available for questions before or after or take questions during the talk. He won’t even have a chair or anyone to respond to his speech – just a tiny introduction. We’ll be expected to listen, applaud, and let him walk away doubtless surrounded by his ‘security’ people.

…and all this in my grandfather’s name. In my name. Frankly, I’m very disappointed by Birkbeck for allowing this to happen – and I’m not prepared to keep it confidential. The lecture is on April 17th, at 6pm, at Birkbeck. Tickets can be booked by eventbrite, here

I’d be delighted if people came – I’m not sure exactly how I’m going to ‘protest’, but I’m going to do something.

Truth and lies, policy and practice…

Last week it struck me that we were entering a new phase in the way that privacy is dealt with on the net. Two of the biggest players, Google and Facebook, have made significant shifts in their ‘privacy policy’ – shifts that have got some people up in arms.

I’m not going to go through the new policies in detail – lots of people have already done that, and in Google’s case in particular close legal investigation by the French data protection authority CNIL is underway. No, what interests me is something different. Is the biggest change in both Google and Facebook’s case actually something that we should be greeting with a little more positivity? Is it just that now they’re both telling a bit more of the truth? Showing a bit more of that transparency that we privacy advocates are always talking about?

Brutal Honesty

Taking Google first, the key change in their policy, it seems to me, is that they’re admitting to data aggregation. That is, they’re openly acknowledging – indeed in some ways trumpeting – the fact that they’re now bringing together the data they gather from all the various different Google services, and using it together. Google has a vast array of different services, from search to Gmail, their various ‘location’ services (Google Earth, Google Streetview, Google Maps etc), YouTube, Picasa, and of course Google+, so from their own perspective this makes perfect sense. Many of us in the privacy field have suspected (or even assumed) that they’ve always been doing this, or something like it – and their previous privacy policies have been vague enough or ambiguous enough that they could be read to make this sort of thing possible. Now, it seems to me, they’re being more open about it – more honest, more transparent.

That, of course, doesn’t make it any more ‘legal’ or ‘acceptable’ as a policy. Indeed, I wouldn’t be at all surprised if the CNIL investigation concludes that the new policy breaches EU data protection law – but, in reality, I wouldn’t have been at all surprised if the old policies, if investigated properly, had been in breach of EU data protection law. Even more pertinently, as I shall suggest below, I wouldn’t be at all surprised if Google’s practices, rather than their policies, were in breach of data protection law. They may well still be….

Moving on to Facebook, there is a bit of a hoo-haa about their changing the name of their ‘privacy policy’ to a ‘data use policy’. Again, it seems to me, this is actually a bit more honest, a bit more transparent. Facebook’s policy was always to use your data. Indeed, that’s the whole basis of their business model – and why we get to use Facebook for free. They give us the service, we let them use our data. For Facebook to admit that is a good thing, surely? If they’re more honest about what they do, we can make better informed decisions about whether to use them or not. If there is anyone out there who uses Facebook and doesn’t realise that Facebook are using their data – then they should be picked up and shaken, and told!

Facebook’s policy is to use your data, not to protect your privacy – isn’t it better to be open and say that?

Google’s policy is to aggregate all of your data – isn’t it better for them to be open and say that?

Policy and Practice

Finally, it should be remembered that policies are just words – what really matters isn’t what companies like Google and Facebook say they’re doing, but what they actually do. Very few people read privacy (or data use!) policies anyway. We don’t want companies to think that changing privacy policies is a matter of good legal drafting – it should be a reflection of changing the way they actually operate, how they actually gather, hold and use our data, how they monitor us, profile us, target us and so forth. I hope that the investigation by the CNIL looks properly at that – and that the regular FTC privacy audits of both Facebook and Google do the same. I wouldn’t say I’m exactly optimistic that they will…

….at least not this time. However, I do suspect that the increase in awareness about privacy issues by both individuals and authorities is one of the reasons that policy and practice may be getting closer. Facebook and Google seem to be being more honest and open about how they deal with privacy – because they are realising that they may have to be. We’re starting to at least try to hold them to account. That must be a good thing.

Once upon a time in Mexico…

A new and disturbing law has almost made its way through the system in Mexico, awaiting only Presidential assent. Under this law, the police would be able to use a mobile phone’s geolocation system immediately, and without a warrant, in order to find that phone (see http://humanrightsgeek.blogspot.co.uk/2012/02/la-inconstitucionalidad-de-la.html – in Spanish, but translatable, and the excellent EFF’s blog https://www.eff.org/deeplinks/2012/03/mexico-adopts-surveillance-legislation ).

The law has been brought in, as I understand, to combat kidnappings, primarily of the children of prominent and influential people – and in many ways it is a classical response to a threat, echoing the various laws that justify intrusion and surveillance to combat the threat of terrorism, from the USA PATRIOT Act downwards.  The law, so far, seems to have passed through the parliamentary system without much resistance, and with huge majorities in votes. In that sense, in the eyes of the powerful at least, it seems to be very popular. And yet it sends shivers down my spine, for a number of reasons.

The first is a theoretical concern: any additional surveillance, any additional privacy-intrusive technology or law should be considered very carefully before being brought in. When I first heard this story, it brought to mind the words of cybersecurity expert Bruce Schneier, writing in 2010: “It’s bad civic hygiene to build technologies that could someday be used to facilitate a police state. No matter what the eavesdroppers say, these systems cost too much and put us all at greater risk.”

What Schneier said about technology (which is excellent advice, though it seems to be consistently ignored) is equally – and perhaps even more perniciously – true about laws. It is very, very bad civic hygiene to enact laws that could be used to facilitate a police state. In the case of this Mexican law, the ‘police state’ analogy is much closer than in many situations. This doesn’t just make a police state a possibility – on the surface at least it provides the police with an exceptionally powerful tool, with almost no checks and balances.

The second is much more immediately and practically dangerous. As someone who works in the field of privacy and the net, I am all too aware of another story that has been coming out of Mexico over the last year or two: the way that at least four Mexican bloggers have been brutally murdered – decapitated – apparently by the drugs cartels. The bloggers try to work anonymously, but somehow the cartels locate them and kill them. Geolocation might have been used – it is hard to know – but providing another tool to the cartels would seem to put the crucial blogging community at even more risk. By putting a tool in the hands of the police, there is a more than theoretical risk that this tool will be able to be used by the cartels.

These two thoughts – one more theoretical, the other highly practical – are intrinsically linked. The practical risk is a prime example of why the theoretical consideration is important. If we build these systems, and set in place these laws, we need to consider the implications not just insofar as the technologies and laws are ‘intended’ to be used, by the ‘good guys’, but look at what might happen, how they might be used by the ‘bad guys’. Those ‘bad guys’ might be as obviously ‘bad’ as the drugs cartels in Mexico, but they might equally be governments wishing to suppress what they think of as ‘disorder’ but the participants think of as their right to free assembly, to free expression. In the UK, for example, a protest against the government plans for our health service is being planned and the police are concerned about potential disorder – wouldn’t it be nice for the police to be able to track the key organisers? The possibilities and implications are huge…

This is a key moment. If they do this in Mexico, where will it happen next? Law-makers and police forces worldwide may be watching events in Mexico with a great deal of interest.

Free expression needs privacy!

The Nightjack saga – and particularly its most recent dramatic episode, Lord Leveson’s scorching interrogation of veteran Times legal manager Alastair Brett – has been compelling stuff. I am looking forward with great interest to the forthcoming article from David Allen Green (blogger Jack of Kent), due in the New Statesman on Monday, possibly including quotes from Nightjack himself.

I’m not going to rehash the saga – not least because David Allen Green will be producing something far, far better than anything I could. What I am interested in, however, is one of the underlying issues: the relationship between free expression and privacy. It is often thought that privacy is an enemy of free expression – blogger Guido Fawkes, for example, told the Parliamentary Joint Committee on Privacy and Injunctions that ‘privacy is a euphemism for censorship’. From his point of view it is easy to see that argument: celebrities (and in particular a number of Premier League footballers) have invoked privacy law to attempt to get injunctions to prevent publication of stories concerning their private lives. You don’t have to be a gossip columnist to consider that such actions might be seen as censorship.

That, however, is just part of the story. Privacy, like so many things, is a double-edged sword: the Nightjack saga shows that all too clearly. Nightjack was a blogger, a police ‘insider’ – and in order to get his stories out into the world, he needed to be able to protect his identity. He needed to be able to control who knew what about him – and that, ultimately, is what privacy is about. Having some control – albeit inherently limited – over what information about you is made public, and what remains private.

For Nightjack, losing that privacy meant losing his online identity: ‘Nightjack’ effectively ceased to exist. Anonymity (or perhaps more accurately pseudonymity) was crucial to his functioning as a blogger. For other bloggers, losing anonymity means losing much more – at least four Mexican bloggers have been brutally killed by the drug cartels about whom they have been writing.

In all kinds of situations this kind of privacy is crucial, from those combatting oppression to those threatened by abusive spouses, whistleblowers – and for others, though the need isn’t so obviously crucial, anonymity or privacy allows them the freedom to talk about things that matter, not just to them but to us all. I’ve ‘met’ a number of people like this on Twitter, and have learned a huge amount from them both from their tweets and their blogs, things that they wouldn’t have felt so free to say if they had feared that they might be identified.

That’s the key. If we want to encourage people to speak freely, if we want to learn about what’s really happening in a whole range of situations, we need to give people not just the space and the opportunity to express themselves, but the protection that will give them the confidence to do so. We need to give them privacy… that way we’ll get more free expression.

Twitter/DataSift – an early ICO response

I’ve just received a response from the ICO to my initial question about whether or not they were investigating the Twitter/DataSift issue (about which I’ve just blogged here)

This is the full response (set down here with the permission of Dr Simon Rice of the ICO)

————————————————

Paul,

David Smith passed on your email regarding Twitter/DataSift.

The ICO is aware of an arrangement between Twitter and some third-parties which permits access to a greater volume of Tweets than would normally be accessible through the website or API. Insofar as they are required to comply with UK law both Twitter and these third-parties would need to ensure that they remain compliant with the DPA and PECR for the processing undertaken with such data.

The report linked to from your blog suggests that the data is used for purposes of thematic analysis and not for direct marketing or otherwise attempting to identify the users of the Twitter accounts. This is important because clearly a third party learning that I might be interested in their products and marketing me on that basis still needs to comply with the rules on marketing and still needs to justify why they are holding personal data relating to me; on the other hand, a third party which analyses the mass of tweets to infer that their efforts are best focussed on a particular demographic or geographical area might not face the same compliance problems. Then, of course, there are the mass of third parties whose activities lie somewhere in the middle.

The privacy policy at http://twitter.com/privacy does state that the sharing of non-personal data may take place and we would expect Twitter to comply with this. However, if you are aware of evidence that is contrary to this understanding then of course please do not hesitate to let us know.

If you have any further questions please feel free to get in contact.

Regards,

Simon Rice

Dr Simon Rice Principal Policy Adviser (Technology)

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

————————————————

I would welcome any responses – but it seems to me that we would need to see the details of the agreement between Twitter and DataSift (and any other subsequent agreements) to see whether they meet the requirements of the ICO as set out in the letter. There’s more to investigate here – I will be interested to see how DataSift might be able to guarantee that they will only be using the data for thematic analysis rather than direct marketing, and have written to DataSift to ask that question.

Dr Rice has asked that anyone contacting the ICO directly should use the usual ICO website or helpline (see https://www.ico.gov.uk/Global/contact_us.aspx)

In praise of the ephemeral!

Like many people who spend a lot of time (perhaps far too much time) using Twitter, the recent revelation that Twitter was ‘partnering’ with data-mining company DataSift to ‘unlock’ their tweet archive made me distinctly uneasy. The idea was presented as something essentially beneficial – unlocking an archive sounds like a ‘good’ thing, getting benefits from what is ‘public’ information (because Twitter’s terms and conditions say quite clearly that the default position for a tweet is that it is ‘public’).

Why, then, do I feel nervous about it? Privacy campaigners reacted badly to the idea. Privacy International said: “Twitter has turned a social network that was meant to promote real-time global conversation into a vast market-research enterprise with unwilling, unpaid participants,” while the Electronic Frontier Foundation described the idea as ‘creepy’.

To my mind, both are right. Yes, the information is public, but for me the nature of Twitter – the joy of Twitter – is that it is spontaneous, instinctive, current and instantaneous. When I tweet, I tweet in the moment – and almost all the best tweeters work mostly like that. Pre-prepared, marketing, political tweets are generally as dull as dishwater – which is why such excellent hashtags as #tweetlikeanMP are so effective, showing up the lack of honesty, spontaneity and creativity in the tweeting of most of our politicians.

I may be unusual – after all, I don’t follow the likes of Lady Gaga or Justin Bieber as many millions do, and only follow a handful of MPs – but I don’t think I’m that unusual. I like the ephemeral nature of Twitter, the fact that something I tweet one day will be all but forgotten the next day – indeed, something I tweet one hour will be mostly forgotten even an hour later. Setting up a Twitter ‘archive’ puts that spontaneity at risk.

Anyone who works in the privacy field must be familiar with the idea of the Panopticon. Bentham’s concept was of a prison, set out in a circular form, in which at any moment the occupant of a cell could be observed. The key point was that the possibility of being observed was intended to alter the behaviour of the prisoner. If they know they might be seen at any time, they would control their own behaviour – they would be naturally constrained, and not behave badly. The logic of the Panopticon lies behind many of the most privacy-invasive policies both online and in the ‘real’ world – ever-present CCTV cameras, constant monitoring of web-traffic and so forth. It makes sense, however, only when you want to restrict the behaviour of people. It curtails freedom, stifles creativity, crushes spontaneity. That might be necessary to control potentially violent and dangerous prisoners – but in a ‘free society’ it is disastrous.

For real freedom of action, for real freedom of expression, you need the reverse of the panopticon. You need people to feel free to speak, to write, to express themselves without the feeling that anything and everything you might say or do might be written down, quoted back at you (often out of context), manipulated and misused. You need to know that making mistakes won’t be fatal – that you can correct yourself and clarify your comments and not be treated as some kind of hypocrite.

Right now, on the internet, Twitter is one of the few places where that kind of freedom feels possible. Digital memory is all too eternal – Viktor Mayer-Schönberger’s excellent ‘Delete’ talks eloquently of the benefits of forgetting in the digital era. Mayer-Schönberger’s concept of data with expiry dates may be difficult to bring into reality – but Twitter has, to date, been one of the places where in a practical sense it almost happens. That is something worth celebrating, something worth preserving. The Twitter/DataSift deal, and others like it, put it at risk. For me, it puts the whole benefit of Twitter at risk.

If I want something to be archived, to be used as a reference, I’ll put it in a blog like this one – there are plenty of places where the eternal nature of internet data storage is possible. There are very few where the benefits of the opposite, the joys of the ephemeral shine through. Twitter is one. I hope Twitter itself realises this – and changes its direction.

Time for a change?

I attended the Westminster eForum this morning. The subject was the new Data Protection Framework, and there was a stellar cast of speakers and panellists, from the estimable Peter Hustinx (the European Data Protection Supervisor), the MoJ’s Lord McNally and the ICO’s David Smith to representatives of Facebook, Google, the online advertising industry, computer security experts Symantec, Which, and top lawyers Allen and Overy.

Most of the forum was fairly predictable – from strong and excellent stuff from Hustinx defending the new framework, even suggesting it might not go far enough in some places, to the expected (if carefully worded) attempts to undermine it from the politicians and most of the business people. The latter were generally disappointing in one particular way: very few of them seemed to grasp the ultimate purpose of the regulation, or the real reasons for its existence. They didn’t seem to have asked themselves two key questions: why has this regulation come about in the first place, and what is its underlying purpose?

Why has this regulation come about?

The two are of course linked – and missing the point of both is similarly linked. So why has this regulation come about? Well, we heard a lot of history this morning, all about how much had changed since the original data protection regime came into existence in 1995. All of it was undoubtedly true – the internet as it now exists was close to inconceivable back in 1995, and what we do now both as individuals and as businesses has completely changed. Is that why the regulation needed to change? In a way, of course it is – but thinking along those lines is missing the bigger point. Why was data protection regulation needed in the first place, back in 1995, and what was its intention then?

Ultimately, there were (and still are) two purposes. As Hustinx and others (including an excellent intervention from Douwe Korff) stressed, it is about what we (in Europe at least) consider to be fundamental rights. Ilias Chantzos of Symantec made the point that the original intention was to enable better cross-border data flow – and indeed it is clear that both are the case. Fundamental rights need protecting, and data needs to be allowed (or even encouraged) to flow, but in accordance with those rights.

All that is well and good – but still begs the underlying question: why was data protection needed? Regulation generally comes about because there is a problem – and that is the case here.

The problem was twofold: that data was not flowing as freely as it should have been, and that fundamental rights were not being protected. In particular, privacy was not being respected.

What has changed in the intervening period? Well, there doesn’t seem to be as much of a problem of data flowing as there used to be – but there’s still a problem of privacy not being respected. That, more than anything else, is what lies behind the need for the new regulation. That’s why the regulation is tough. If there aren’t big problems, there’s no need for tough regulation.

We have a tough regulation here – because there ARE big problems.

How do you comply with regulation?

This is where the real problem seemed to come for me. All the businesses want to know how to comply with regulations – but they don’t seem to understand the real point. These kinds of regulations aren’t really supposed to be about ticking boxes, or finding the right words to describe your activities in order to comply with the technical details of the relevant laws. Nigel Parker from Allen and Overy gave a very revealing and detailed picture of how he had to navigate some of his multi-national clients through the complexities of the different international regulations concerning data protection – but he seemed not to want to offer one particular piece of advice. He didn’t seem to want to tell his clients that they might well have to change what they do – or perhaps even decide not to do it.

The purpose of the very existence of these regulations is to make businesses (and governments) change what they do, or at least how they do it.

Changes!

Protecting fundamental rights when those rights are being infringed does not mean filling boxes or writing reports. It means changing what you do. Let me repeat that. It means changing what you do.

The approach to regulations seems generally to be more like ‘we’re going to do this, now help us comply with the regulations’ than ‘what do the regulations suggest is inappropriate – let’s not do them’. That’s not the real point – the point is that compliance should come by doing the right thing, not by trying to shape your ‘wrong’ thing into a form that ticks the boxes. Only the impressive Anthony House from Google seemed to grasp that – and suggest that Google wants to do the ‘right’ thing about privacy not because the law says it should, but because it’s a good thing to do, and because its users want these kinds of things. Whether Google are actually doing this is a slightly moot point – but he did seem to understand.

Change is hard, everyone knows that – but the first stage is recognition that change is necessary. If you find that your business, or your government department, can’t seem to comply with the regulations, don’t complain about the regulations – ask yourself why your activities don’t seem to comply. Could it be that you need to change? It could, you know, it could….