Facebook, Google and the little people….

This last week has emphasised the sheer power and influence of the internet giants – Facebook and Google in particular.

The Facebook Experiment

First we had the furore over the so-called ‘Facebook Experiment’ – the revelation that Facebook had undertaken an exercise in ‘emotional contagion’, effectively trying to manipulate the emotions of nearly 700,000 of its users without their consent, knowledge or understanding. There were many issues surrounding it (some of which I’ve written about here) starting with the ethics of the study itself, but the most important thing to understand is that the experiment succeeded, albeit not very dramatically. That is, by manipulating people’s news feeds, Facebook found that they were able to manipulate peoples emotions. However you look at the ethics of this, that’s a significant amount of power.

Google and the Right to be Forgotten

Then we’ve had the excitement over Google’s ‘clumsy’ implementation of the ECJ ruling in the Google Spain case. I’ve speculated before about Google’s motivations in implementing the ruling so messily, but regardless of their motivations the story should have reminded us of the immense power that Google have over how we use the internet. This power is demonstrated in a number of ways. Firstly, in the importance we place in whether a story can be found through Google – those who talk about the Google Spain ruling being tantamount to censorship are implicitly recognising the critical role that Google plays and hence the immense power that they wield. Secondly, it has demonstrated Google’s power in that, ultimately, how Google decides to interpret and implement the ruling of the court is what decides whether we can or cannot find a story. Thirdly, the way that Google seems to be able to drive the media agenda has been apparent: it sometimes seems as though people in the media are dancing to Google’s tune.

Further, though the early figures for takedown requests under the right to be forgotten sound large – 240,000 since the Google Spain ruling – the number of requests they deal with based on copyright is far higher: 42,324,954 since the decision. Right to be forgotten requests are only 0.5% of those under copyright. Google deals with these requests without the fanfare of the right to be forgotten – and apart from a few internet freedom advocates, very few people seem to even notice. Google has that much control, and their decisions have a huge impact upon us.

Giants vs. Little People

Though the two issues seem to have very little in common, they both reflect the huge power that the internet giants have over ordinary people. It is very hard for ordinary people to fight for their rights – for little people to be able to face up to giants. Little people, therefore, have to do two things: use every tool they can in the fight for their rights, and support each other when that support is needed. When the little people work together, they can punch above their weight. One of the best ways for this to happen, is through civil society organisations. All around the world, civil society organisations make a real difference – from the Open Rights Group and Privacy International in the UK to EDRi in Europe and the EFF in the US. One of the very best of these groups – and one that punches the most above its weight, has been Digital Rights Ireland. They played a critical role in one of the most important legal ‘wins’ for privacy in recent years: the effective defeat of the Data Retention Directive, one of the legal justifications for mass surveillance. They’re a small organisation, but one with expertise and a willingness to take on the giants. Given that so many of those giants – including Facebook – are officially based in Ireland, Digital Rights Ireland are especially important.

Europe vs. Facebook

There is one particular conflict between the little people and the giants that is currently in flux: the ongoing legal fight between campaigner Max Schrems and Facebook. Schrems, who is behind the ‘Europe vs. Facebook’ campaign,  has done brilliantly so far, but his case appears to be at risk. After what looked like an excellent result – the referral by the Irish High Court to the ECJ of his case against Facebook (which relates to the vulnerability of Facebook data to US surveillance via the PRISM program) – Schrems is reported as considering abandoning his case, as the possible costs might bankrupt him if things go badly.

This would be a real disaster – and not just for Schrems. This case really matters in a lot of ways. The internet giants need to know that we little people can take them on: if costs can put us off, the giants will be able to use their huge financial muscle to win every time. It’s a pivotal case – for all of us. For Europeans, it matters in protecting our data from US surveillance. For non Europeans it matters, because it challenges the US giants at a critical point – we all need them to fight against US surveillance, and they’ll only really do that wholeheartedly if it matters to their bottom line. This case could seriously hit Facebook’s bottom line – so if they lost, they’d have to do something to protect their data from US surveillance. They wouldn’t just do that for European Facebook users, they’d do it for all.

Referral to the ECJ is critical, not just because it might give a chance to win, but because (as I’ve blogged before) recently the ECJ has shown more engagement with technological issues and more willingness to rule in favour of privacy – as in the aforementioned invalidation of the Data Retention Directive and in the contentious ruling in Google Spain. We little people need to take advantage of those times when the momentum is on our side – and right now, at least in some ways, the momentum seems to be with us in the eyes of the ECJ.

So what can be done to help Schrems? Well, the first thing I would suggest to Max is to involve Digital Rights Ireland. They could really help him – and I understand that they’ve been seeking an amicus brief in the case. They’re good at this kind of thing, and they and other organizations in Europe have experience in raising the funds for this type of case. Max has done brilliant work, but where ‘little people’ have to face up to giants, they’re much better off not fighting alone.

Are Google intentionally overreacting to the Right to be Forgotten?

In one of my original reactions to the Google Spain ruling on the Right to be Forgotten, which I wrote for The Justice Gap, I said this, about Google’s response to the ruling.:

“How they respond to the ruling will be interesting – for the moment they’re saying very little. They have creative minds working for them – if they can rise to the challenge and find a way to comply with the ruling that enables ordinary people to take back a little control, that could be a very good thing. If, instead, they retrench and withdraw – or go over the top in allowing censorship too easily, it could be very bad.”

From what I’ve seen so far, it looks as though they’ve taken the ‘over the top’ approach, and are allowing censorship too easily. Two particular stories have come out today, one from the Guardian (here), the other from the BBC (here). In both cases, the journalists concerned are high profile, influential and expert – James Ball at the Guardian and Robert Peston at the BBC – and the stories, to be frank, do not seem to fall within the categories that the CJEU ruling in the Google Spain case suggested might be suitable for the right to apply. James Ball’s stories were mostly pretty recent – from 2010 and 2011 – as well as being fairly easy to argue as being ‘relevant’ in terms of public interest. Robert Peston’s stories are not so recent, but even more clearly relevant and in the public interest.

So why have they been caught by Google’s net as appropriate for the ‘right to be forgotten’? It looks very much as though this is the intentional overreaction that I was concerned about in my original posting for the Justice Gap. They’re trying to say, I think, ‘you know, we were right! This ruling means censorship! This is dangerous!’ They’re also trying to get journalists like James Ball and Robert Peston to be on their side, not on the side of the CJEU – and in Ball’s case, at least, they seem to be succeeding to an extent. Peston is more critical, saying that Google’s implementation of the ruling ‘looks odd, perhaps clumsy.’

Clumsy or intentional?

I’m not convinced that it’s clumsy at all, but intentional. I hope I’m wrong, and that, as Google themselves have said, they will be refining the method and sorting out the details. If they’re really trying to fight this, to prove that the ruling is unworkable, we’re in for some serious trouble, because the ruling will not be at all easy to reverse. Rather the opposite – and the wheels of the European legal system grind very slowly, so the fight and the mess could be protracted.

What’s more, what this should really highlight for people is not just the problem with the Google Spain ruling, but the huge power that Google already wields – because, ultimately, it is Google that is doing this ‘censorship’, not the court ruling. And Google does similar things already, though without such a fanfare, in relation to copyright protection, links to things like obscene content and so forth. Google already are acting like censors, if you see it that way, and without the drama of the right to be forgotten.

What can we do now?

In the meantime, people will develop coping mechanisms – or find ways to bypass Google’s European search systems, either going straight to google.com or using alternatives like duckduckgo, or even not using search at all, because there are other ways to find information such as crowdsourcing via Twitter. The more people use these, the more they’ll like them, and the more they’ll move away from Google.  I hope that Google see this, and find a more productive way forward than this excessive, clumsy implementation of the ruling. What’s more, I hope they engage positively and actively with the reform process for the Data Protection Regime – because a well executed reform, with a better written and more appropriate version of the right to be forgotten (or even better, the right to erasure) is the ultimate solution here. If that can be brought in soon – rather than delayed or undermined – then we can all move on from the Google Spain ruling, both legally and practically. I think everyone might benefit from that.

A week not to be forgotten….

…for those of us interested in the right to be forgotten. I’ve found myself writing and talking to people about it unlike any time before. Privacy is becoming bigger and bigger news – and I have a strong feeling that the Snowden revelations influenced the thinking of the ECJ in last week’s ruling, subconsciously if nothing else. That should not be viewed as a bad thing – quite the opposite. What we have learned through Edward Snowden’s information should have been a wake-up call for everyone. Privacy matters – and the links between the commercial gathering and holding of data and the kind of surveillance done by the authorities are complex and manifold. If we care about privacy in relation to anyone – the authorities, businesses, other individuals, advertisers, employers, criminals etc – then we need to build a more privacy-friendly infrastructure that protects us from all of these. That means thinking more deeply, and considering more radical options – and yes, that even means the right to be forgotten, for all its flaws, risks and complications. More thought is needed, and more action – and we must understand the sources of information here, the nature of those contributing to the debate and so forth.

Anyway, this isn’t a ‘real’ blog post about the subject – I’ve done enough of them in the last week. What I want to do here is provide links to what I’ve written and said in the last week, as well as to my academic contributions to the subject, both past and present, and then to link to Julia Powles’ excellent curation of the academic blogs and articles written by many people in the aftermath of the judgment.

Here’s what I’ve written:

For CNN, a summary of the judgment and its implications, written the same day as the judgment.

For the Justice Gap, a day later, looking at the judgment in context and asking whether it was a ‘good’ or a ‘bad’ thing for internet freedom.

My interview for CBC (Canada)’s Day 6 programme – talking about the implications, and examining the right for a non-European audience.

For my own blog, looking at Google’s options for the future and suggesting that the judgment isn’t the end of the world

Also for my own blog, a day later, trying to put the judgment into context – it’s not about paedophiles and politicians, and it won’t be either a triumph or a disaster.

This last piece may in some ways be the most important – because already there’s a huge about of hype being built up, and scare stories are being leaked to the media at a suspiciously fast rate. There are huge lobbies at play here, particularly from the ‘big players’ on the internet like Google, who will face significant disruption and significant costs as a result of the ruling, and seem to want to make sure that people view the conflict as one of principle, rather than one of business. People will rally behind a call to defend freedom of expression much more easily than they will behind a call to defend Google’s right to make money, particularly given Google’s taxation policies.

Then here are my academic pieces on the subject.

‘A right to delete?’ from 2011, for the European Journal of Law and Technology. This is an open access piece, suggesting a different approach.

‘The EU, the US and the Right to be Forgotten’, published in early 2014, a chapter in a Springer Book on data protection reform, arising from the CPDP conference in Brussels 2013. This, unfortunately, is not open access, but a chapter in an expensive book. This does, however, deal directly with some of the lobbying issues.

The right to be forgotten – and my particular take on it, the right to delete, is also discussed at length in my recently released book, Internet Privacy Rights. There’s a whole chapter on the subject, and it’s part of the general theme.

Finally, here’s a link to Julia Powles’ curation of the topic. This is really helpful – a list of what’s been written by academics over the last week or so, with a brief summary of each piece and a link to it. Some of the academics contributing are from the very top of the field,  including Viktor Mayer-Schönberger, Daniel Solove and Jonathan Zittrain. All the pieces are worth a read.

This subject is far from clear cut, and the debate will continue on, in a pretty heated form I suspect, for quite some time. Probably the best thing that could come out of it, in my opinion, is some more impetus for the completion of the data protection reform in the EU. This reform has been struggling on for some years, stymied amongst other things by intense lobbying  by Google and others. That lobbying will have to change tack pretty quickly: it’s no longer in Google’s interests for the reform to be delayed. If they want to have a more ‘practical’ version of the right to be forgotten in action, the best way is to be helpful rather than obstructive in the reform of the data protection regime. A new regime, with a well balanced version of the right incorporated, would be in almost everyone’s best interests.

The Right to be Forgotten: Neither Triumph Nor Disaster?

“If you can meet with triumph and disaster
And treat those two imposters just the same”

Kipling_ndThose are my two favourite lines from Kipling’s unforgettable poem, ‘If’. They have innumerable applications – and I think another one right now. The Right to be Forgotten, about which I’ve written a number of times recently, is being viewed by some as a total disaster, others as a triumph. I don’t think either are right: it’s a bit of a mess, it may well end up costing Google a lot of time, money and effort, and it may be a huge inconvenience to Data Protection Authorities all over Europe, but in the terms that people have mostly been talking about it, privacy and freedom of expression, it seems to me that it’s unlikely to have nearly as big an impact as some have suggested.

Paedophiles and politicians – and erasure of the past

Within a day or two of the ruling, already the stories were coming out about paedophiles and politicians wanting to use the right to be forgotten to erase their past – precisely the sort of rewriting of history that the term ‘right to be forgotten’ evokes, but that this ruling does not provide for. We do need to be clear about a few things that the right will NOT do. Where there’s a public interest, and where an individual is involved in public life, the right does not apply. The stories going around right now are exactly the kind of of thing that Google can and should refuse to erase links to. If Google don’t, then they’re just being bloody minded – and can give up any claims to be in favour of freedom of speech.

Similarly, we need to be clear that this ruling only applies to individuals – not to companies, government bodies, political parties, religious bodies or anything else of that kind. We’re talking human rights here – and that means humans. And, because of the exception noted above, that only means humans not involved in public life. It also only means ‘old’, ‘irrelevant’ information – though what defines ‘old’ and ‘irrelevant’ remains to be seen and argued about. There are possible slippery slope arguments here, but it doesn’t, at least on the face of it, seem to be a particularly slippery kind of slippery slope – and there’s also not that much time for it to get more slippery, or for us to slip down it, because as soon as the new data protection regime is in place, we’ll almost certainly have to start again.

We still can’t hide

Conversely, this ruling won’t really allow even us ‘little people’ to be forgotten very successfully. The ruling only allows for the erasure of links on searches (through Google or another search engine) that are based on our names. The information itself is not erased, and other forms of search can still find the same stories – that is, ‘searches’ using something other than a search engine, and even uses of search engines with different terms. You might not be able to find stories about me by searching for ‘Paul Bernal’ but still be able to find them by searching under other terms – and creative use of terms could even be automated.

There already are many ways to find things other than through search engines – whether it be crowdsourcing via Twitter or another form of search engine, employing people to look for you, or even creating your own piece of software to trawl the web. This latter idea has probably occurred to some hackers, programmers or entrepreneurs already – if the information is out there, and it still will be, there will be a way to find it. Stalkers will still be able to stalk. Employers will still be able to investigate potential employees. Credit rating agencies will still be able to find out about your ancient insolvency.

…but ‘they’ will still be able to hide

Some people seem to think that this right to be forgotten is the first attempt to manipulate search results or to rewrite history – but it really isn’t. There’s already a thriving ‘reputation management’ industry out there, who for a fee will tidy up your ‘digital footprint’, seeking out and destroying (or at least relegating to the obscurity of the later pages on your search results) disreputable stories, and building up those that show you in a good light. The old industry of SEO – search engine optimisation – did and does exactly that, from a slightly different perspective. That isn’t going to go away – if anything it’s likely to increase. People with the power and knowledge to be able to manage their reputations will still be able to.

On a slightly different tack, criminals and scammers have always been able to cover their tracks – and will still be able to. The old cat-and-mouse game between people wanting to hide their identity and people wanting to uncover those hiding them will still go on. The ‘right to be forgotten’ won’t do anything to change that.

But it’s still a mess?

It is, but not, I suspect, in the terms that people are thinking about. It will be a big mess for Google to comply, though stories are already going round that they’re building systems to allow people to apply online for links to be removed, so they might well already have had contingency plans in place. It will be a mess for data protection agencies (DPAs), as it seems that if Google refuse to comply with your request to erase a link, you can ask the DPAs to adjudicate. DPAs are already vastly overstretched and underfunded – and lacking in people and expertise. This could make their situation even messier. It might, however, also be a way for them to demand more funding from their governments – something that would surely be welcome.

It’s also a huge mess for lawyers and academics, as they struggle to get their heads around the implications and the details – but that’s all grist to the mill, when it comes down to it. It’s certainly meant that I’ve had a lot to write about and think about this week….

 

It’s not the end of the world as we know it….

Screen Shot 2014-05-14 at 10.51.36

Over the weekend, I was asked by CNN if I would be able to write something about the ruling that was due on the right to be forgotten – it was expected on Tuesday, they told me. I said yes, partly because I’m a bit of a sucker for a media gig, and partly because I thought it would be easy. After all, we all knew what the CJEU was going to say – the Advocate-General’s opinion in June last year had been clear and, frankly, rather dull, absolving Google of responsibility for the data on third party websites and denying the existence of the right to be forgotten.

On Monday, which was a relatively free day for me, I drafted something up on the assumption that the ruling would follow the AG’s opinion, as they generally do. On Tuesday morning, however, when the ruling came out, all hell broke loose. When I saw the press release I was doing a little shopping – and I actually ran back from the shops straight home to try to digest what the ruling meant. I certainly hadn’t expected this – and I don’t know anyone in the field who had. The ruling was strong and unequivocally against Google – and it said, clearly and simply, that we do have a right to be forgotten.

I rewrote the piece for CNN – it’s here – and the main feeling I had was that this would really shake things up. I still think that – but that this isn’t the end of the world as we know it, despite some pretty apocalyptic suggestions going around the internet.

On the positive side, the ruling effectively says that individuals (and only individuals, not corporations, government bodies or other institutions) can ask Google to remove links (and not the stories themselves) that come up as a result of searches for their names. It’s a victory for the individual over the corporate – in one way. The most obvious negative side is that it could reduce our ability to find information about other individuals – but there are other risks attached too. Most of those concern what Google does next – and that’s something which, for the moment, Google seem to be keeping very close to their chest.

On the surface, Google’s legal options seem very limited – there’s no obvious route of appeal, as the CJEU is the highest court. If they don’t comply, they could find themselves losing case after case after case – and there could be thousands of cases. There are already more than 200 in Spain alone, and this ruling effectively applies throughout Europe. If they do choose to comply, how will they do so? Will they create a mechanism to allow individuals to ask for things to be unlinked automatically? Will they ‘over-censor’ by taking things down at a simple request – they already do something rather like that when YouTube videos are accused of breaching copyright?

My suspicion that one thing they will do is to tweak their algorithm to reduce the number of possible cases – they will look at the kinds of search results that are likely to trigger requests, and try to reduce those automatically. That could mean, for example, setting their systems so that older stories have even less priority than before – producing an effect similar to Viktor Mayer-Schönberger’s ‘expiry dates’ for data, something that in my opinion might well be beneficial in the main. It could also mean, however, placing less priority on things like insolvency actions (the specific case that the ruling arose from was about debts) or other financial events, which would not have such a beneficial effect. Indeed, it could well be seen as detrimental.

The bigger risk, however, is to Google’s business model. Complying with this ruling could end up very costly – it effectively asks Google to make a kind of judgment call of privacy vs public interest, and making those kinds of calls is very difficult algorithmically. It might mean employing people – and people are expensive and slow… and reduce profits.  Threatening Google’s business model doesn’t just threaten Google’s shareholders – it threatens the whole ‘free services for data’ approach to the net, and that’s something we all (in general) benefit from. I don’t currently think this threat is that big – but we’re still digesting the possibilities, I think.

One other possible result – in the longer term – which I would hope to see (though I’m not holding my breath) is less of a reliance on search, and on Google in particular. There are other ways to find information on the internet, ways that this ruling would not have an impact on. One of the most direct is crowdsourcing via something like Twitter – these days I get more of my information through Twitter than I do through Google. If you have a body of informed, intelligent and helpful people out there who are scouring the internet for information in their own particular way, they can supply you in a very different way to Google. They can bypass the filters that Google already put in place, and the biases that Google has (but pretends not to have) – with your own connections there are of course other biases but they’re more obvious and out in the open.

Indeed, I would also hope that this ruling is the start of our having a more objective view of what Google is – though the reactions of some that this ruling is the end of the world suggest rather the opposite. Further, we should start to think more about the kind of internet we want to have – and how to get it. I would hope that those bemoaning the censorship that this ruling might bring are equally angry about the censorship that our government in the UK, and many others around the world, have already brought in inside the Trojan Horse of ‘porn filters’. That kind of censorship, in my opinion, offers far more of a threat to freedom of expression than the idea of a right to be forgotten. If we’re really keen on freedom of expression, we should be up in arms about that – but we mostly seem to be acquiescing to it with barely a murmur.

What this ruling actually results in is yet to be seen – but if we’re positive and creative it can be something positive rather than something negative. It should be seen as a start, and not an end.

Dear Larry and Mark….

Larry Page, Google

Mark Zuckerberg, Facebook

8th June, 2013

Dear Larry and Mark

The PRISM project

I know that you’ve been as deeply distressed as I have by the revelations and accusations released to the world about the PRISM project – and I am delighted by the vehemence and clarity with which you have denied the substance of the reports insofar as they relate to your services. The zeal with which you wish to protect your users’ privacy is highly commendable – and I’m looking forward to seeing how that zeal produces results in the future. To find that the two of you, the leaders of two of the biggest providers of services on the internet, are so clearly in favour of individual privacy on the internet is a wonderful thing for privacy advocates such as myself. There are, however, a few ways that you could make a slightly more direct contribution to that individual privacy – and seeing the depth of feeling in your proclamations over PRISM I feel sure that you will be happy to do them.

Do Not Track

As I’m sure you’re aware, people are concerned not just about governments tracking their activities on the net, but others tracking them – not least since it appears clear from the PRISM project that if commercial organisations track people, governments might try to get access to that tracking, and perhaps even succeed. As you know, the Do Not Track initiative was designed with commercial tracking in mind – but it has become a little bogged down since it began, and looks as though it might be far less effective than it could be. You could change that – put your considerable power into making it strong and robust, very clearly do not track rather than do not target, and most importantly ensure that do not track is on by default. As you clearly care about the surveillance of your users, I know that you’ll want them not to be tracked unless they actively choose to let advertisers track them. That’s the privacy-friendly way – and as supporters of privacy, I’m sure you’ll want to support that. Larry, in particular, I know this is something you’ll want to do, as perhaps the world leader in advertising – and now also in privacy – your support of this will be both welcome and immensely valuable.

Anonymity – no more ‘real names’ policies

As UN Special Rapporteur on Freedom of Expression and Opinion, Frank La Rue, recently reported, privacy, and in particular anonymity is a crucial underpinning of freedom of expression on the internet. I’m sure you will have read his report – and will have realised that your insistence on people using real names when they use your services is a mistake. I imagine, indeed, that you’re already preparing to reverse those policies, and come out strongly for people’s right to use pseudonyms – particularly you, Mark, as Facebook is so noted for its ‘real names’ policy. As supporters of privacy, there can’t be any other way – and now that you’re both so clearly in the privacy-supporting camp, I feel confident that you’ll make that choice. I’m looking forward to the press releases already.

Data Protection Reform

As supporters of privacy, I know you’ll be aware of the current reform programme going on with the European Data Protection regime – data protection law is strongly supportive of individual privacy, and may indeed be the most important legal protection for privacy in the world. You might be shocked to discover that there are people from both of your companies lobbying to weaken and undermine that reform – so I’m sure you’ll tell them at once to stop that lobbying, and instead to get solidly behind those looking for better protection for individual privacy and stronger rights to protect themselves from tracking and misuse of their data.  As you are now the champions of individual privacy, I’m sure you’ll be delighted to do so – and I suspect memos have already been issued from your desks to those lobbying teams ordering them to change your stance and support rather than undermine individuals’ rights over their data. I know that those pushing for this reform will be delighted by your new found support.

That support, I’m sure, will build on Eric Schmidt’s recent revelation that he thinks the internet needs a ‘delete’ button – so you’ll be backing Viviane Reding’s ‘right to be forgotten’ and doing everything you can to build in easy ways for people to delete their accounts with you, to remove all traces of their profiling and related data and so on.

Geo-location, Facial Recognition and Google Glass

Your new found zeal for privacy will doubtless also be reflected in the way that you deal with geo-location and facial recognition – and in Larry’s case, with Google Glass. Of course you’ve probably had privacy very much in the forefront of your thoughts in all of these areas, but just haven’t yet chosen to talk about it. Moving away from products that gather location data by default, and cutting back on facial recognition except where people really need it and have given clear and properly informed consent will doubtless be built in to your new programs – and, Larry, I’m sure you’ll find some radical way to cut down on the vast array of privacy issues associated with Google Glass. I can’t quite see how you can at the moment, but I’m sure you’ll find a way, and that you’re devoting huge resources to do so.

Supporting privacy

We in the privacy advocacy field are delighted to have you on our side now – and look forward greatly to seeing that support reflected in your actions, and not just in relation to government surveillance. I’ve outlined some of the ways that this might be manifested in reality – I am waiting with bated breath to see it all come to fruition.

Kind regards

Paul Bernal

P.S. Tongue very firmly in cheek

Google Glass: just because you can…

As a bit of a geek, and a some-time game player, it’s hard not to like the look of Google Glass. Sure, it makes you look a little dorky in its current incarnation (even if you’re Sergey Brin, as in the picture below) but people like me are used to looking dorky, and don’t really care that much about it. What it does, however, is cool, and cool in a big way. We get heads-up displays that would have been unimaginable even a few years ago, a chance to feel like Arnie in the Terminator, with the information about everything we can see immediately available. It’s cool – in a dorky, sci-fi kind of way, and for those of us brought up on a diet of SF it’s close to irresistible.

Sergey Brin

And yet, there’s something in the back of my mind – well, OK, pretty close to the front of my mind now – that says that we should be thinking twice about pushing forward with developments like this. Just because we can make something as cool as Google Glass, doesn’t mean that we should make it. There are implications to developments like this, and risks attached to it, both direct and indirect.

Risks to the wearer’s privacy

First we need to be clear what Google Glass does – and how it’s intended to be used. The idea is that the little camera on the headset essentially ‘sees’ what you see. It then analyses what it can see, and provides the information about what you see – or information related to it. In one of the promotional videos for it, for example, as the wearer looks at a subway station, the Glass alerts the wearer to the fact that there’s a delay on the subway, so he’d better walk. Then he looks at a poster for a concert – it analyses the poster, then links directly to a ticket agency that lets him buy a ticket for the concert.

Cool? Sure, but think about what’s going on in the background – because there’s a lot. First of all, and almost without saying, the Google Glass headset is tracking the wearer: what we can ‘geolocation’. It knows exactly where you are, whenever you’re using it. There are implications to that – I’ve written about them before – and this is yet another step towards making geolocation the ‘norm’. The idea is that Google (and others) want to know exactly where you are at all times – and of course that means that others could find out, whether for good purposes or bad.

Secondly, it means that Google are able to analyse what you are looking at – and profile you, with huge accuracy, in the real world, the way to a certain extent they already do in the online world. And, again, if Google can profile you, others can get access to that profile – either through legal means or illegal. You might have consented to giving others access, in one of those long Terms and Conditions documents you scrolled down without reading and clicked ‘OK’ to. The government might ask Google for access to your feed, in the course of some investigation or other. A hacker might even hack into your system to take a look…

…and this last risk, the risk of hacking, is a very real one. Weaknesses in Google Glass have already surfaced. As the Guardian reported a few days ago:

“Augmented reality glasses could be compromised by a hacker who would be able to see and hear everything the wearer does”

This particular weakness may or may not turn out to be a real risk – but the potential is there. Where data exists, and where systems exist, they are hackable – Google Glass, by its nature, could be a clear target. And what they get, as a result, could be seriously dangerous and damaging.

Risks to others’ privacy

Equally worrying are the risks to those the wearer looks at. There are specific risks – anyone who knows about the concept of ‘creepshots’ – surreptitiously taken photographs, usually of young women and girls, up skirts, down blouses etc, posted on the internet – should be see the possibilities immediately. As Gizmodo put it:

“Once these things stop being a rich-guy novelty and start actually hitting the streets, the rise in creepshots is going to be worse than any we’ve ever seen before”

They’re right – and the makers of Google Glass should be aware of the possibilities. Some people are even working on developing an app to allow you to take a picture using Google Glass just by winking, which would extend the possibilities of creepshots one creepy step forward – at the moment, at least, voice commands are needed to take shots, alerting the victim, but with winking or other surreptitious command systems even that protection would be gone.

Creepshots are just one extreme – the other opportunities for invasions of privacy are huge. In mitigation, some say ‘Oh, at least you can see that people are wearing Google Glass, so you know they’re filming you’. Well, yes, but there are lots of problems with that. Firstly, should we really need to check the glasses of everyone who can see us? Secondly, this is just the first generation of Google Glass. What will the next one look like? Cooler, less like something out of Star Trek? And the technology could be used in ways that are much less obvious – hack and disguise your own Google Glass and make it look like a pair of ordinary sunglasses? Not hard for a hacker. They’ll be available on the net within a pretty short time.

Normalising surveillance

All these, however, are just details. The real risk is at a much higher level – but it may be a danger that’s already been discounted. It’s the risk that our society goes down a route where surveillance is the norm. Where we expect to be filmed, to have our every movement, our every action, our every word followed, analysed, compiled, and aggregated for the service of companies that want to make money out of us and governments that want to control us. Sure, Google Glass is cool, and sure it does some really cool stuff, but is it really worth that?

Now there may be ways to mitigate all these risks, and there may be ways that we can find to help overcome some of the issues. I’d like it to be so, because I love the coolness of the technology. Right now, though, I’m not convinced that we have – or even that we necessarily will be able to. It means, for me, I think we need to remember that just because we can do things like this, it doesn’t mean that we should.

Google, privacy and a new kind of lawsuit

Today is Data Privacy Day – and new lawsuit has been launched against Google in the UK – one which highlights a number of key issues. It could be very important – a ‘landmark case’ according to a report on Reuters. The most notable thing about the case, for me, is that it is consumer-led: UK consumers are no longer relying on the authorities, and the Information Commissioner’s Office in particular, to safeguard their privacy. They’re taking it into their own hands.

The case concerns the way that Google exploited a bug in Apple’s Safari browser to enable it to bypass customers’ privacy settings. As reported on Reuters:

“Through its DoubleClick adverts, Google designed a code to circumvent privacy settings in order to deposit the cookies on computers in order to provide user-targeted advertising. The claimants thought that cookies were being blocked on their devices because of Safari’s strict default privacy settings and separate assurances being given by Google at the time. This was not the case.”

The group of consumers have engaged noted media and telecomms lawyers Olswang for the case. Dan Tench, the partner at Olswang responsible for the case, told Reuters:

“Google has a responsibility to consumers and should be accountable for the trust placed in them. We hope that they will take this opportunity to give Safari users a proper explanation about what happened, to apologise and, where appropriate, compensate the victims of their intrusion.”

For further information – and if you want to join the action – Tench can be contacted by email at daniel.tench@olswang.com

There’s also a Facebook page for the suit: https://www.facebook.com/SafariUsersAgainstGooglesSecretTracking

What’s important here?

The case highlights several crucial aspects of privacy on the net. The first is the extent to which we can – or should be able to – rely on the settings we make on our browsers. What was happening here is that those settings were being overridden. Now it’s a moot point quite how many people use their privacy settings – or indeed even know that they exist – but if those settings are being overridden by anyone, let alone a company as big and respected as Google, it’s something that we need to know about and to fight. Browser settings – and privacy settings in general – are the key control, perhaps the only control, that individuals have over their online privacy, so we need to know that they work if we are to have any trust. A lack of trust is something that damages everyone.

The second is that the case highlights that users aren’t going to take things lying down – and neither are they going to rely on what often seem to be supine regulators, regulators unwilling to take on the ‘big boys’ of the internet, regulators who seem to take their role as supporters of business much more seriously than their role as protectors of the public. Alexander Hanff, a privacy advocate who is assisting Olswang on this case, said that:

“This group action is not about getting rich by suing Google, this lawsuit is about sending a very clear message to corporations that circumventing privacy controls will result in significant consequences. The lawsuit has the potential of costing Google £10s of millions, perhaps even breaking £100m in damages given the potential number of claimants – making it the biggest group action ever launched in the UK. It should also be seen as a message to the Information Commissioner’s Office that they are in contempt of the British public and are not doing their job.”

This last point is crucial – and it may suggest not that the Information Commissioner’s Office are not doing their job but that their job is one that needs redefining. The ICO sometimes appears to be caught between two stools – their role is more complex than just as protectors of the public. They’re not a Privacy Commissioner’s Office – and perhaps that is what we need. An office with teeth whose prime task is to protect individuals’ privacy.

What happens next?

This lawsuit will be watched very carefully by everyone in the field of online privacy. The number of people who join the case is one question – there are plenty who could, as Safari, though somewhat a niche browser on computers, is the default browser on iPhones, so is used by many millions in the UK. How it progresses has yet to be seen – there are many different possibilities. If nothing else, I hope it acts as a wake-up-call for all involved: Google, the ICO, and the public.

They’re taking over the internet!

bond_vill05There’s a big story going around at the moment: the UN’s trying to take over the internet, or some variant of that. It’s all based on the current ITU proposals at the World Conference on International Telecommunications (WCIT) currently taking place in Dubai… Lots of people – and I mean LOTS of people – are spreading this story of terror and danger. What’s at stake? Freedom of expression, anonymity, privacy, the whole openness of the internet etc etc…

…and yet I find it very difficult to get enthusiastically behind the fight, though I’m a fierce advocate of all of those things, and care deeply and passionately about the future of the internet as an open and free place. So why do I find it hard? Not because I agree with the ITU’s proposals – I don’t, I think they’re generally very bad and very unhelpful. There are, however, a few reasons:

  1. The prime characteristic of the ITU, as for so many UN bodies, is not an ability to actually do anything – let alone control or ‘take over’ anything. UN peacekeepers aren’t exactly brilliant at keeping peace, UN resolutions tend to be ignored by almost anyone who might be affected (ask anyone who pays attention to what goes on in Israel and Palestine), UN charters are aspirational at best. Whatever they do is unlikely to have any real effect – unless others want it to have an effect. The UN has some great strengths – and some of the UN bodies do excellent work – but for those strengths to come into play, they need the states involved to want them to work. The various Human Rights declarations, for example, help to set standards that were then applicable (and applied) worldwide…
  2. The ITU itself is far from the most competent of ‘secret’ organisations – for all their supposed secrecy, they just ‘gave’ the information on their DPI proposals to the excellent @Asher_Wolf when she asked them for it….
  3. What’s more, opposition to the ITU’s proposals is already huge – and if anyone imagines that the US or the EU will quickly acquiesce to whatever the ITU suggests, they really don’t understand international politics or international law
  4. To suggest that these ITU proposals offer the biggest threat to any of the issues concerned at the current moment. In every areas there are far greater threats, far closer to home.
  5. You want a threat to privacy? Look more closely at our own governments – what the UK government is proposing with the Communications Data Bill, that’s a REAL threat to privacy. What’s being revealed by the NSA whistleblower William Binney about surveillance in the US is a vastly, vastly worse than anything imagined by the ITU. Our governments don’t need the ITU in order to invade our privacy….
  6. You want a threat to anonymity on the internet? Look much more close to home – look at Facebook’s ‘real names’ policy, and the same for Google! Google are one of the strongest supporters of the fight against the ITU – and yet they still have what amounts to a real names policy for Google plus!
  7. You want a threat to freedom of expression? Look very hard at the ‘entertainment industry’, whose copyright trolls do more to block people’s expression than almost anyone else. They use notice and take down, they want ‘piracy’ sites blocked, they want to be able to block users from accessing the internet at all if there’s suspicion of piracy.

…and yet it’s the UN, and in particular the ITU that’s the target of the attacks. I don’t particularly like the ITU, and I don’t like these proposals one bit, but they won’t destroy the openness of the internet – because they won’t be able to make it happen. The others, on the other hand – our own governments, our ‘own’ industries, from Facebook and Google to the ‘entertainment’ industries, they’re already doing a lot to restrict all those freedoms that they claim to care so passionately about. Why? Because there’s money in it for them…. just as that’s the main real reason for their concerns about the ITU proposals – one part is to effectively levy a kind of tax on companies like Google. When money matters, it’s easy for industry to play the ‘good guys’. When money works the other way…..

No reason to be complacent – keep fighting!

All this ranting isn’t meant to stop people fighting the ITU proposals – we should! They should be opposed with vigour, because they’re not good at all. There are some distinctly worrying things about these proposals, and some particular risks attached. There’s the risk that they can be used to spread the idea that surveillance, that the removal of any effective form of anonymity, become the norm – and that they are allowed to spread as a result of this kind of thing. The UN is an ‘aspirational’ organisation, so ideas spread by it can be seen as somehow acceptable, and supportable – and used in some ways to ‘justify’ bad things that are happening.

This risk – of the ‘normalisation’ of this kind of thing – is something that we need to oppose, and oppose strongly. It is, however, something quite different from the suggestion that the UN is actually trying to take over the internet. That idea shouldn’t be overblown, or hyped up to the degree that it is. There’s an element in crying wolf about this too – if we keep going on about something being likely to ‘destroy the internet’ we’ll miss the real threats. I don’t want that to happen – and to an extent is is already happening, with ideas like Facebook and Google’s ‘real names’ policies not being subject to nearly sufficient scrutiny, and the copyright lobby still wielding enormously disproportionate power. Let’s get things a bit more in proportion….