Google, privacy and a new kind of lawsuit

Today is Data Privacy Day – and new lawsuit has been launched against Google in the UK – one which highlights a number of key issues. It could be very important – a ‘landmark case’ according to a report on Reuters. The most notable thing about the case, for me, is that it is consumer-led: UK consumers are no longer relying on the authorities, and the Information Commissioner’s Office in particular, to safeguard their privacy. They’re taking it into their own hands.

The case concerns the way that Google exploited a bug in Apple’s Safari browser to enable it to bypass customers’ privacy settings. As reported on Reuters:

“Through its DoubleClick adverts, Google designed a code to circumvent privacy settings in order to deposit the cookies on computers in order to provide user-targeted advertising. The claimants thought that cookies were being blocked on their devices because of Safari’s strict default privacy settings and separate assurances being given by Google at the time. This was not the case.”

The group of consumers have engaged noted media and telecomms lawyers Olswang for the case. Dan Tench, the partner at Olswang responsible for the case, told Reuters:

“Google has a responsibility to consumers and should be accountable for the trust placed in them. We hope that they will take this opportunity to give Safari users a proper explanation about what happened, to apologise and, where appropriate, compensate the victims of their intrusion.”

For further information – and if you want to join the action – Tench can be contacted by email at daniel.tench@olswang.com

There’s also a Facebook page for the suit: https://www.facebook.com/SafariUsersAgainstGooglesSecretTracking

What’s important here?

The case highlights several crucial aspects of privacy on the net. The first is the extent to which we can – or should be able to – rely on the settings we make on our browsers. What was happening here is that those settings were being overridden. Now it’s a moot point quite how many people use their privacy settings – or indeed even know that they exist – but if those settings are being overridden by anyone, let alone a company as big and respected as Google, it’s something that we need to know about and to fight. Browser settings – and privacy settings in general – are the key control, perhaps the only control, that individuals have over their online privacy, so we need to know that they work if we are to have any trust. A lack of trust is something that damages everyone.

The second is that the case highlights that users aren’t going to take things lying down – and neither are they going to rely on what often seem to be supine regulators, regulators unwilling to take on the ‘big boys’ of the internet, regulators who seem to take their role as supporters of business much more seriously than their role as protectors of the public. Alexander Hanff, a privacy advocate who is assisting Olswang on this case, said that:

“This group action is not about getting rich by suing Google, this lawsuit is about sending a very clear message to corporations that circumventing privacy controls will result in significant consequences. The lawsuit has the potential of costing Google £10s of millions, perhaps even breaking £100m in damages given the potential number of claimants – making it the biggest group action ever launched in the UK. It should also be seen as a message to the Information Commissioner’s Office that they are in contempt of the British public and are not doing their job.”

This last point is crucial – and it may suggest not that the Information Commissioner’s Office are not doing their job but that their job is one that needs redefining. The ICO sometimes appears to be caught between two stools – their role is more complex than just as protectors of the public. They’re not a Privacy Commissioner’s Office – and perhaps that is what we need. An office with teeth whose prime task is to protect individuals’ privacy.

What happens next?

This lawsuit will be watched very carefully by everyone in the field of online privacy. The number of people who join the case is one question – there are plenty who could, as Safari, though somewhat a niche browser on computers, is the default browser on iPhones, so is used by many millions in the UK. How it progresses has yet to be seen – there are many different possibilities. If nothing else, I hope it acts as a wake-up-call for all involved: Google, the ICO, and the public.

In praise of regulation….

Travelling back from the Computers, Privacy and Data Protection conference in Brussels, I had a fascinating conversation with someone who was there right at the beginning of data protection. It was a conversation that revealed a great deal to me, first of all about the process towards the reform of the Data Protection regime, but more importantly about the whole process of reform.

The conversation was about the negotiations that led up to the adoption of the initial Data Protection Directive, back in 1995 – nearly 20 years ago – a process that has great parallels with the current, somewhat agonizing processes as we work towards a new data protection regime. This is something that needs proper academic study – but even at first glance the echoes are very strong. As it was outlined to me, the process had two very direct parallels with the current negotiations:

  1. Businesses were lobbying very heavily, and making predictions of total disaster: data protection was going to destroy business, ruin lives etc
  2. The UK government was supporting their lobbying – helping them directly in an attempt to undermine, weaken or possible destroy the directive.

Exactly the same seems to be happening this time around – the business lobbying is if anything even heavier and doom-laden, and the government has been laying on just as thick with speeches and reports coming thick and fast, most recently suggesting that the whole ‘regulation’ approach is inappropriate.

Now the first time around, despite the doom mongering, the business world didn’t come to an end. Data protection hasn’t brought about the end of the world as we know it – indeed, for something created nearly 20 years ago in a world where technology has been changing with incredible rapidity, data protection has, in my opinion, shown remarkable resilience and continuing relevance.

The world didn’t end….

If the world didn’t come to an end that time around, is it any more likely to this time around? It doesn’t seem likely – so we should take all the moaning, groaning and doom-mongering about the new regulation, and in particular about things like the right to be forgotten which is part of that regulation, with huge pinches of salt.

There are, of course, many other reasons that the world didn’t come to an end as a result of the introduction of data protection. The first, and perhaps most important, is that IT itself developed in such a way as to either circumvent the ‘disadvantages’ of data protection regulation, or as to make compliance with data protection easier. The latter could be said to be an advantage of the legislation – it brought about the beginnings of what’s now known as ‘privacy by design’. That is, systems were designed with compliance in mind – which is a good thing, if you believe in the aims of the legislation.

The former, that people found ways to circumvent the disadvantages, is also closely connected with the other main reason that data protection legislation didn’t cause the end of the world: many people simply ignored it, and went along their own merry way, either undetected or willing to take the consequences of any detection.

Will it be any different this time around?

All of these key factors – that systems will develop to make compliance easy or to avoid the legislation, or that people will just not bother to comply – are pretty much as likely to happen this time around as last time. IT will develop – it always does – and in all kinds of unpredictable ways. People will find ways to avoid, circumvent, or comply with the legislation in other ways – they always do. It will be the same cat-and-mouse story as before – as it is in pretty much all areas of law. Ultimately, though, life will go on.

Of course businesses moan – and of course they fear regulation, because regulation challenges them. It challenges them to change – because change is needed. That’s the real point. Regulation doesn’t arise in a vacuum, just because some bureaucrats have decided they want to wrap us all in a bit more red tape. Regulation arises, in general, because there’s a problem that needs addressing. Sometimes it arises because businesses or people have been behaving in ways that they shouldn’t, or ways that threaten the rights of others. Sometimes it arises because new technology or new situations demand it.

In the case of the new data protection regime, it’s a bit of both of these – some businesses are doing things they shouldn’t. They’re invading our privacy in ways that they really shouldn’t, and ways that do threaten our rights. And the technology has changed, and those changes need addressing. So we need a new regulation – and we shouldn’t be so afraid of it. Regulation isn’t all bad – indeed, it’s very often quite the opposite. Good, robust regulation helps those it regulates – as data protection has, in general, helped over the years.

Yes, regulation will challenge some business models – but business models NEED to be challenged. Some may even fail – but, frankly, some businesses need to fail. We shouldn’t be overly concerned by it – and shouldn’t bend over backwards to support them, as we seem to do all to often. Phorm is an example in this field which springs immediately to mind…

New regulation can help support new and better businesses – and businesses that are positive and forward-looking, that build business models that respect the privacy and rights of their customers, could find that new regulations offer new opportunities. Better businesses could get competitive advantages by behaving well, rather than by behaving badly.  It’s all too easy for systems to support the unethical businesses over those that are ethical and supportive of their customers, as the last few years have demonstrated all too graphically.

…so let’s embrace regulation – even privacy regulation – and see how it can help us, rather than fighting it and fearing it. That doesn’t help anyone. The new proposed Data Protection Regulation has a lot going for it – and being more positive about it, working with it, trying to understand it rather than trying to undermine it, is much more likely to get a good result, both for people and for businesses.

Children have a right to privacy

The latest proposal from David Cameron’s ‘Advisor on Childhood’, Claire Perry, is that parents should ‘snoop’ on their children’s texts. Apparently it’s ‘bizarre that parents treat youngsters’ internet and mobile exchanges as private’, as reported in the Daily Mail.

For those of us who work in the privacy field – and indeed for anyone who works or has knowledge of children’s rights – it’s Claire Perry’s ideas that are bizarre. In fact, I’d go a lot further: to anyone who pays any real attention to their children, that kind of idea should be bizarre. Children have a right to privacy – and not in the technical, legal sense (though in that too, because it’s enshrined in Article 16 of the United Nations Convention on the Rights of the Child, which the UK has both signed and ratified) but in what I would call the real, natural, sense. They want privacy. They need privacy. They demand privacy. Anyone who has children, who spends time with and listens to their children, who respects their children should be able to see that.

Part of that privacy – perhaps the most important part of that privacy – relates to privacy from their parents. That’s the part that children are most likely to care about too – they’re not so worried about the government snooping on them, or companies gathering their personal details for marketing purposes – but they do care about, and need to have some control over, what their parents know about their private thoughts. And we, as parents, need to understand that and respect that – if we are to understand and respect our children. If you want to know what your child is thinking about and caring about, and what they might be doing in their private lives, the best way, as the excellent @SturdyAlex tweeted this morning, is to ‘foster a relationship with them where they trust you enough to tell you’.

Of course the extent to which this is true varies from child to child and from age to age, but children all want and need privacy, and if we don’t understand and respect that all we’ll do is make them less likely to respect and to trust us – and hence more likely to find ways to hide the stuff that really matters from us.

So, Mr Cameron, and Ms Perry, don’t snoop on your children’s texts – or encourage anyone else to. Encourage them to listen to their children more, to respect their children more, to build better relationships to their children. Help your children to help themselves…

If you “can’t” leave Facebook…

I’ve been posting a lot about Facebook recently. I gave ‘10 reasons to leave Facebook‘ a few weeks ago – but for many people that seems either to be impossible, or very, very difficult. So, what can you do if you ‘can’t’ leave Facebook, and you want to minimise your privacy risks? After the new stuff on Facebook’s Graph Search (see my blog posts here and here), now the revelation that people on Facebook will no longer have the option to avoid being ‘searchable’, this is becoming more and more important.

So what can you do? Well, here are twelve suggestions from me – I’m sure there are many more…

  1. Check your privacy settings. Really check them. Lock them down as tight as you can – but remember that they only control what other users can see, not what Facebook can see or use for their profiling of you.
  2. Prune your ‘friends’ list down to an absolute minimum. With Graph Search this is particularly important – it seems as though Graph Search will assume that if you’re ‘friends’ with someone then all your data is available for full analysis for search by those friends. If they’re just people you met once, or were in the same year as at school or college, would you really trust them with your most intimate details?
  3. Never press the ‘like’ button ever, ever again. The ‘like’ button is another of the profiling keys – and could effectively give permission for those whom you like to access your data.
  4. Do a serious deletion job on your photographs – Graph Search will search them, facial recognition may be applied, and not just to you but to anyone in the photos. If you have a friend (a real one) who’s in one of your photos, it’s not just you who’s being subject to privacy risks.
  5. Think before you post any more photos – same reasons, really. Do you really need to ‘share’ that picture? If you don’t, don’t! And if you ‘need’ to, is there a way to do it other than Facebook?
  6. Never use geolocation again – at least not on Facebook. If you’re given the option to allow any application to know your location, say no! Geolocation is a tool that’s immensely useful at times – when you’re using maps, or other transport apps (for train timetables etc) but most of the time it’s really not necessary at all.
  7. Check the apps you use to access Facebook on your phone or tablet – there are all kinds of risks associated with apps that people simply don’t think about. The settings may be very different from what you think – again, think geolocation, think photo tagging.
  8. Think about when you post, as well as what and why. Posting at night, for example, could profile you as a ‘night owl’, for whatever reason.
  9. Don’t play games on Facebook – play them somewhere else. Games are primarily used for profiling, and may have privacy risks attached that are not immediately obvious.
  10. Don’t sign into any other service ‘via Facebook’ if you have the option. All you’re doing is allowing the two services to share data, to add depth and strength to their profile.
  11. Sign out of Facebook whenever you’re not using it – don’t leave it running in the background when you do other stuff. When you’re signed in, you can be giving permission to Facebook to track or follow other activities. Now they might be doing that anyway, but you shouldn’t give them the legal excuse to!
  12. Keep ‘work’ and home separate on Facebook if you can. It may not be easy….

Finally, though, think again about whether you really do need to be on Facebook. You may need to – or you may want to – but if so, you should manage your risks and be as ‘savvy’ about it as you can.

Facebook Graph Search: Privacy issues….

thumbs-downI wrote yesterday about Facebook’s new ‘Graph Search’ system – in particular, about the way in which it is intended to convince people to put more and better data onto the system, and to lock them and businesses further into the Facebook system. What I didn’t talk about much was privacy…. not because there aren’t privacy issues with the new system, but more because there are so many privacy issues that it’s hard to know where to start.

One of the most interesting things is that as a part of the launch, Mark Zuckerberg has been very keen to stress that privacy is built into the system, even releasing information suggesting that the reason he went with Bing rather than Google for the web-search part of the service is that Google weren’t ‘privacy-friendly enough’ for him – see this piece in the Guardian. Why did he do that? Well, in one way I’m glad he did because it shows that he knows that people care about privacy, and that Facebook doesn’t exactly have the greatest reputation about privacy, to put it mildly. However, I’m far from convinced that what he’s been saying means very much – because the essence of Facebook Graph Search makes privacy very, very hard to achieve.

There are many things to mention – I can’t even get close to covering them all in one post. I’ll start with the very purpose of the system. Zuckerberg gave an example of a possible search: “people who like fencing and live in Palo Alto”. It doesn’t take much of a stretch to turn that into something distinctly creepy: “Single women who live in Palo Alto, work in Menlo Park and ‘like’ public transportation.” You can take it a lot further than that – which is why many commentators suggest that the system could be a stalker’s dream. Facebook already allows things that point in that direction: the scrutiny of other peoples’ profiles is one of the points of the system. Graph Search takes that to another level…

Secondly, the idea of the ‘built-in privacy’ that Zuckerberg talked about is that ‘stuff’ is only searchable if you’ve let friends see it anyway. There are big problems with that. Firstly, it relies on people understanding and using Facebook’s notoriously over complex privacy settings – which is quite something to rely on. Secondly, it assumes that if you’re willing to let your friends see or know something, then you’re willing to let it be aggregated, analysed, searched, sorted and so forth… which is of course what Facebook do anyway, but I would be very surprised if many Facebook users realise this. For that, and other reasons, I suppose we should welcome Graph Search – it demonstrates graphically what Facebook actually does with your data.

Thirdly, Zuckerberg made the point that photos and location information would be part of Graph Search – again, something that we should all have known, but I’m not sure people have fully understood. Combine this with facial recognition, and with the new smartphone Facebook apps that will automatically post photos you take with your camera onto Facebook, complete with location stamp, and you get a whole new scale of possible intrusion. Add this to the stalking capabilities noted above, and you’ve got quite a tool…

The point with a lot of this is that it’s all becoming the default – which is clearly the intention. As I noted in my previous post, Graph Search will work best if you ‘give’ Facebook all your information – and Facebook is providing the tools to let you give them it all. Moreover, they’re making it easier to give that information than not to give that information. They want all your data… and not just to give you a better service. They want it because they can use it to make more money…

….which brings me to the final privacy point. Zuckerberg makes the point again and again that in some ways you are in control of privacy, by using your privacy settings. You decide who sees what. However, that’s not really true at all. You may decide which other users get to see which bits of your data – but Facebook gets to see it all. Facebook gets to analyse it, to profile you through it, to effectively share it with its partners, to use it to categorise you for advertisers, or for others pretending to be advertisers. You may have more privacy from other people – but to Facebook, you are transparent, and have no privacy at all. Graph Search doesn’t really change that – but it should make it clearer that it is the case, and what some of the implications are.

I wrote over the holiday season my ‘Ten Reasons to Leave Facebook’. For me, Graph Search adds an eleventh – and makes some of the other ten even clearer than before. It’s not going to convince me to re-join Facebook. Quite the opposite: it makes it crystal clear to me that I was right to leave when I did.

Facebook Graph Search: It’s about the data!

Little Shop of Horrors lost endingThe first thing to ask whenever Facebook (or indeed any other business) releases a new product or service is what’s in it for them. In the case of Facebook’s new ‘Graph Search’, as in most things Facebook, the answer’s pretty direct: it’s about the data. Graph Search, though it may seem to be just a cool new way of finding stuff, could also turn out to be a very clever way of Facebook gobbling up even more data than before – as well as trying to squeeze even more value from the data that’s already out there.

It comes at a time when Facebook might be facing a new situation – they may be reaching saturation point in terms of user numbers, at least in their prime markets. Figures seem to be suggesting that they are losing users – apparently down 600,000 in the UK and 1.4 million in the US – and though those figures need to be taken with a decent pinch of salt, they do at least suggest that the era of unrelenting user number growth for Facebook may be over. What that means for Facebook, particularly after their less than stellar IPO, is that the pressure’s on to make more money from existing users. They need money, and for that money they need data! They’re like the plant in Little Shop of Horrors, continually shouting out ‘Feed me!’. They need to be fed, so they can grow, and the more they grow, the more they need to be fed.

Firstly, its important to understand what Graph Search does. As the BBC’s Rory Cellan-Jones puts it, Graph Search is a “new way of mining the information your friends, and their friends”. Essentially, as it’s been described, it takes the data about you, and about your ‘friends’, and uses it as a source from which to search – giving you back stuff that your ‘trusted’ friends either use, or ‘like’, or something along those lines. Where it can get stuff off Facebook, it gives you that – and if it can’t find relevant stuff, it goes to Bing, and does a web search instead. You can search for whatever you want – the examples given by Zuckerberg were things like “people who like fencing and live in Palo Alto” or “films my friends like” or “restaurants recommended in New York” – but the possibilities are endless, and Cellan-Jones highlighted the possibilities of using it as a sort of ‘dating search': companies like eHarmony etc will be quaking in their boots.

Still, how is this about data? Well, if Graph Search takes off, it will have a number of implications:

  1. When people search, they reveal stuff about themselves – they effectively add more stuff to their profile. That’s one of the reasons Google do so well – having information about what people are interested in is key. Each search term entered on Graph Search is more data for Facebook – and a potentially more accurate profile of the user.
  2. Graph search will work better for people if their own profile is better – that is, the more data you put up about yourself, the more ‘personalised’ your Graph search will be. Facebook will be sure to let people know that, to persuade them to enter more and more data.
  3. There have already been hints made that you might want to put more data up to ‘help’ your friends when they use Graph search. Of course the people it really helps are Facebook – they want more of your data – but the altruism, the sociability, will doubtless be stressed. Be a good friend – put more data up! Tell people what you like!
  4. Businesses will start to realise that if people are using Graph search, they need to be on Facebook – and they need to get people to ‘like’ them even more than before. The ‘like’ button is already a big deal – this will make it more so. Businesses will be pushing you to ‘like’ them even more than before…. which means yet more data to Facebook, and more ‘permission’ given for that data to be used. Do you know what you’re consenting to when you press ‘like’?
  5. The more businesses are on Facebook, the more individuals have to be Facebook to manage those business pages – it’s another ‘lock in’. I know many people who say ‘I’d love to leave Facebook, but I have to be there to manage my business’s page’. That will only increase…

For Facebook, it’s a ‘win-win’ scenario. They get more data – and potentially better data, as people might focus on refining their profiles in order to get ‘better’ Graph Search results. They get more uses – and hence more money – from their existing data. They get others – individuals and businesses – to do both their selling and their data gathering for them. They lock people into their business model even more.

There’s another interesting issue for me. Google are under pressure for not making their searches ‘neutral’ enough – for possibly prioritising businesses that they make money from, or downgrading rivals or so forth. They deny that this is happening, and claim their search algorithm is ‘neutral’. Facebook Graph Search by design prioritises businesses and others on Facebook – it doesn’t even pretend to be neutral. Should it? And if it can exist in this form, why shouldn’t Google be allowed to be less than neutral? Of course there are vast differences between the services, but I have a feeling this may open up an already squirming can of worms even further.

I should note that this is only a first set of thoughts on Facebook Graph Search – and I haven’t even talked about privacy yet! What actually happens to it may be very different from Mark Zuckerberg’s dream. It could be a distinctly damp squib – much of the reporting has suggested people are underwhelmed by it. I hope so, because the one thing, more than any other, that I don’t want to see on the internet is one service dominating. The net needs to be open, it needs to be varied, it needs to be flexible and it needs to be dynamic. If we all do the same thing, or all use the same service all the time, that is far less likely to continue.

It’s about the children…

The Jimmy Savile story has provoked a huge amount of reaction – revulsion, disgust, anger, frustration, and great many attempts to find someone or something to blame. One of the biggest questions being asked is why we didn’t find out about it earlier – so many people seem to have known about it, or at least suspected what was happening, so why didn’t the news come out?

Many different suggestions have been made. Some blame the BBC – and its failures as an institution over this and related matters are all too clear. Some have blamed the libel laws – saying that they would have told the story if it hadn’t been for the threat of a big law suit. For me (as someone who teaches defamation law) that one really doesn’t wash: it may have made a small difference, but newspapers and others have published many, many stories over the years with far less evidence and with pretty much a guarantee of legal action. If they really wanted to publish, they would have.

Some of the ‘mea culpa’ stories from celebrities and others who knew but said nothing have rung true – but others haven’t. For many of them, if they’d really wanted to, they could have said something. For some it might have been ‘career suicide’ to do so – but is your career worth so much? Is anything worth so much?

That, brings me to my point. The main reason, as I see it, that the information didn’t get out, it ultimately that we didn’t care enough. Why? Well, there are two closely connected issues. Firstly, the idea of a man having sex with a young girl wasn’t (and still isn’t) considered such a bad thing. Rock-stars and underage groupies wasn’t (and still isn’t) seen as child abuse by a large number of people. The opposite. It’s almost one of the perks of the job. That’s not just a 70s attitude, it’s a current one. If you look back at the story of the 15 year old girl who went off to France with her 30s teacher, some of the reactions – indeed some of the press coverage – made that very clear. ‘Lucky bloke’ was how it was described by some. The story was presented to a great extent as titillating, a bit scandalous, not as what it was. For many men, the idea of a good-looking and ‘mature’ 15 year old girl seemed very attractive – and if you look at (for example) the sidebar on the Mail Online you can see that idea repeated again and again and again.

The second point, though it might not seem so obvious, is closely related: our overall attitude to young people. We don’t respect them – and we don’t take them seriously. We don’t listen to them, and we don’t believe them – and they know it. We laugh at their taste in music (Justin Bieber, One Direction etc) and their taste in clothes – or we demonise them as terrifying youths in hoodies. What we don’t do is treat them with respect, and try to properly listen to them or be willing to take seriously what they take seriously. To some parents – at least as it’s presented in the media – children are possessions or investments, or devices to be controlled. To some people children are something to be ‘managed’, or corralled like cattle – stop them gathering on street corners, ban them from places. The whole ASBO approach to children took this angle. Does it help? Only at the most superficial level – and it spreads a culture that says that children and young people aren’t worth listening to. They’re a problem to be managed.

So of course it’s hard for children to speak up when things really matter. If they’re not used to being listened to or taken seriously, they won’t talk. If they’re used to their wishes and ideas being either derided or over-riden, why would they think it was worth trying to be heard?

Of course what Savile did was hideously monstrous, and I doubt very much that many of those who knew or had suspicions over Savile and didn’t speak up knew that much of it – but the many who knew a little and didn’t speak up either knew they wouldn’t be listened to, or didn’t think it was such a big deal. Given our attitudes to children in other ways, the more ‘obvious’ stuff he did – groping a few teenaged girls on TV or in his caravan – wouldn’t have been seen as such a big deal. That attitude wasn’t (and isn’t) restricted to a few institutions or a few people – it pervaded (and to an extent still pervades) pretty much our whole society.

That’s not say things aren’t getting better – I think they are, but not to the extent that some people seem to think. Until we show more respect to children, until we listen more to children, until we trust our children a lot more, things won’t change nearly enough…