Twitter/DataSift – an early ICO response

I’ve just received a response from the ICO to my initial question about whether or not they were investigating the Twitter/DataSift issue (about which I’ve just blogged here)

This is the full response (set down here with the permission of Dr Simon Rice of the ICO)

————————————————

Paul,

David Smith passed on your email regarding Twitter/DataSift.

The ICO is aware of an arrangement between Twitter and some third-parties which permits access to a greater volume of Tweets than would normally be accessible through the website or API. Insofar as they are required to comply with UK law both Twitter and these third-parties would need to ensure that they remain compliant with the DPA and PECR for the processing undertaken with such data.

The report linked to from your blog suggests that the data is used for purposes of thematic analysis and not for direct marketing or otherwise attempting to identify the users of the Twitter accounts. This is important because clearly a third party learning that I might be interested in their products and marketing me on that basis still needs to comply with the rules on marketing and still needs to justify why they are holding personal data relating to me; on the other hand, a third party which analyses the mass of tweets to infer that their efforts are best focussed on a particular demographic or geographical area might not face the same compliance problems. Then, of course, there are the mass of third parties whose activities lie somewhere in the middle.

The privacy policy at http://twitter.com/privacy does state that the sharing of non-personal data may take place and we would expect Twitter to comply with this. However, if you are aware of evidence that is contrary to this understanding then of course please do not hesitate to let us know.

I you have any further questions please feel free to get in contact.

Regards,

Simon Rice

Dr Simon Rice Principal Policy Adviser (Technology)

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

————————————————

I would welcome any responses – but it seems to me that we would need to see the details of the agreement between Twitter and DataSift (and any other subsequent agreements) to see whether they meet the requirements of the ICO as set out in the letter. There’s more to investigate here – I will be interested to see how DataSift might be able to guarantee that they will only be using the data for thematic analysis rather than direct marketing, and have written to DataSift to ask that question.

Dr Rice has asked that anyone contacting the ICO directly should use the usual ICO website or helpline (see https://www.ico.gov.uk/Global/contact_us.aspx)

10 things I hate about the ICO

With apologies to William Shakespeare, Elizabeth Barrett Browning, Heath Ledger, Julia Stiles and many more…

10 things I hate about the ICO

I hate the way you ask for teeth but seem afraid to bite
I hate the way you think the press are far too big to fight
I hate the way you always think that business matters most
Leaving all our online rights, our privacy, as toast

I hate the way you keep your fines for councils and their kind
While leaving business all alone, in case the poor dears mind
I hate the way you take the rules that Europe writes quite well
And turn them into nothing much, as far as we can tell

I hate the way that your advice on cookies was so vague
Could it possibly have been, you were a touch afraid?
I hate the way you talked so tough to old ACS Law
But when it came to action, it didn’t hurt for sure

I hate the way it always seems that others take the fore
While you sit back and wait until the interest is no more
I hate that your investigations all stop far too soon
As PlusNet, Google and BT have all found to their boon

I hate the way you tried your best to hide your own report
‘Bury it on a busy day’; a desperate resort!
You should be open, clear and fair, not secretive and poor
We’ll hold you up for all to see – we expect so much more!

I hated how when Google’s cars were taking all our stuff
You hardly seemed to care at all – that wasn’t near’ enough
Even when you knew the truth, you knew not what to do
It took the likes of good PI to show you where to go…

I hated how my bugbears Phorm, didn’t get condemned
Even when their every deed could not help but offend
You let them off with gentle words, ‘must try harder’ you just said
Some of us, who cared a lot, almost wished you dead

You tease us, tempt us, give us hope – then let us down so flat
We think you’re on our side – you’re not – and maybe that is that!
Will all these bad things ever change? We can but hope and dream
That matters at the ICO aren’t quite as they might seem.

We need you, dearest ICO, far more than we should
We’d love you if you only tried to do the job you could
We’d love you if you stood up tall, and faced our common foes
Until you do, sad though it is, then hatred’s how it goes.

P.S. I don’t really hate the ICO at all really…. this is ‘poetic’ licence!

12 wishes for online privacy….

It’s that time of year for lists, predictions and so forth. I don’t want to make predictions myself – I know all too well how hard it is to predict anything in this world, and even more so in the online world. I do, however, have wishes. Many of these are pipe dreams, I’m afraid, but some of them do have some small hope of coming true. So here they are, my twelve wishes for online privacy…

  1. That I don’t hear the ‘if you’ve got nothing to hide…’ argument against privacy ever again…
  2. That governments worldwide begin to listen more to individuals and to advocacy groups and less to the industry lobby groups, particularly those of the copyright and security industries
  3. That privacy problems continue to grab the headlines – so that privacy starts to be something of a selling point, and companies compete to become the most ‘privacy-friendly’ rather than just paying lip service to privacy
  4. That the small signs I’ve been seeing that Google might be ‘getting’ privacy do not turn out to be illusions. Go on, Google, go on!
  5. That my ‘gut feeling’ that 2012 could be the peak year for Facebook turns out to be true. Not because I particularly dislike Facebook – I can see the benefits and strengths of its system – but because the kind of domination and centralisation it represents can’t be good for privacy in the end, and I don’t believe that the man who said that privacy was no longer a ‘social norm’ has really changed his spots
  6. That the ICO grows some cojones, and starts understanding that it’s supposed to represent us, not just find ways for businesses to get around data protection regulations…
  7. That the media (and yes, I’m talking to YOU, BBC), whenever they get told about a new technical innovation, don’t just talk about how wonderful and exciting it is, but think a little more critically, and particularly about privacy
  8. That the revision to the Data Protection Directive (or perhaps Regulation) turns into something that is both helpful and workable – and not by compromising privacy to the wishes of business interests.
  9. That neither SOPA nor PIPA get passed in the US…
  10. That the right to be forgotten, something I’ve written about a number of times before, is discussed for what it is, not what people assume it must be based solely on the misleading name. It’s not about censorship or rewriting history. It really isn’t! It’s about people having rights over their own data! Whose data? Our data!
  11. That the Labour Party begins to put together a progressive digital policy, and says sorry for ever having listened to the copyright lobby in introducing the Digital Economy Act! 
  12. That we start thinking more about the ordinary privacy of ordinary people, not just that of celebrities and politicians… 
These are of course just a sample of the things I could say – but if even a few of them start to become true, it would be a really good start. Here’s wishing….

Whose data? Our data!!!

There’s a slogan echoing around the streets of major cities around the globe at the moment: ‘Whose streets – our streets!’ It’s the mantra of the ‘occupy’ movement, expressing the frustration and injustice – particularly economic injustice – and the sense that all kinds of things that should be ‘ours’ have been taken out of ‘our’ control.

The same could – and should – be said about personal data. The mantra of the occupy movement has a very direct parallel in the world of data, which is why I think we should be saying, loud and proud, ‘Whose data – our data!’

Just as for the occupy movement (which I’ve written about before), the chances of getting everything that we want in relation to data are slim – but the chances of changing the agenda in relation to data are not, and the chances of bringing about some real changes in the medium and long term even less so. The occupy movement, particularly in the US, have brought some ideas that previously were hardly talked about in the media, like wage and wealth inequality, close to the top of the agenda. They may even have moved it high enough that politicians feel the need to do something about it – I certainly hope so.

The personal data agenda.

Can we do the same for personal data? One of the current points of discussion is the idea of a ‘right to be forgotten’ – something that relates directly to the question of whether personal data is ‘ours’ in any meaningful way. I’ve spoken and written about it a lot before – my academic article on my take on it, ‘a right to delete?’ can be found online here, while I’ve also blogged on the subject on the INFORRM blog. It’s currently under discussion as part of the forthcoming revision to the Data Protection Directive, to great resistance from the UK. The latest manifestation of this resistance has come from the ICO, suggesting that the right to be forgotten should not be included as it would be unenforceable, and that the inclusion would give people unrealistic expectations, as well as potentially interfering with free speech. Effectively, they seem to be suggesting that including it would send out the wrong message. This pronouncement echoes previous statements by Ken Clarke in May, and Ed Vaizey a couple of weeks ago – it looks like part of a campaign to rein in the attempts by Europe to give more weight to privacy and user rights in the balancing exercise with business use of personal data.

Are the ICO right?

I believe that the ICO are wrong about this in a number of ways. First of all, I think they’re wrong about the unenforceability issue – at least to a great extent. In the Mexico City conference on data protection earlier this month, even Google admitted that they could do their part, but that it would be expensive. That’s very different from saying that it is unenforceable. What’s more, it doesn’t have to be perfectly implemented in order to have a benefit to people – if, for example, the right to be forgotten would allow people to easily, simply and quickly delete their Facebook profiles, or the data held on them by Tesco, that could be significant. It could also, as I’ve argued in my article, help persuade businesses to develop business models less dependent on the gathering and holding of massive amounts of personal data – if they know that such data might be ‘deletable’.

Secondly, I believe they’re quite wrong about the free speech issue – again, as I outline in my paper, if proper exceptions are put in place to allow archives to be kept, then free speech isn’t affected at all. The idea is not to be able to delete a record of what school you went to – but to be able to delete records of what breakfast cereal you bought, or profiles created based on surveillance of your internet activity.

Thirdly, and perhaps most importantly, I think they’re wrong about the message being sent out – profoundly wrong. The message that the ICO is sending out is that business matters more than people’s rights – and it’s a message that has echoes throughout the world at the moment, echoes that are what has provoked the anger in so many people that lies being the ‘occupy’ movement.  It’s the same logic as that which supports bankers bonuses over benefits for the disabled, and looks for tax cuts for the rich whilst enforcing austerity measures that cut public services to the bone and beyond. Even more importantly, it suggests that the ICO does not see its role as protecting individual rights over data – but as supporting the government’s business agenda.

Whose data – our data!

The actions and messages of the ICO are essentially saying that this is too difficult to do, so we shouldn’t even try. It reminds me very much of the arguments against the idea of having smoke-free restaurants and pubs – a lot of people said it would be impossible, would drive the restaurants and pubs out of business. Further back, there have been similar stories throughout history – most dramatically, they were made against the abolition of slavery. We shouldn’t let this kind of logic stop us from doing what is right – we should find a way. And we can find a way, if only we can find the will. The ICO needs to be stronger, to understand that it has to serve us, not just business or the government. Privacy International asked in February whether the ICO was fit for purpose – and the answer increasingly seems to be clearly not. We need to remind them what their purpose should be – and that, more than anything else, is to represent us, the people. We need to remind them whose data they’re supposed to be protecting. Whose data? Our data!

The ICO: between a rock and a hard place? Not really…

In the last week I’ve been to two events in which representatives of the Information Commissioner’s Office have spoken. First came the 16th March meeting of the Society for Computers and Law entitled ‘Privacy by Design: Grand Design or Pipe Dream?’ at which Steve Wood, the ICO’s ‘Head of Policy Design’ spoke to a mixed group of lawyers of various kinds, some representing companies in the computing business. Then, on 22nd March, the Information Commissioner himself, Christopher Graham, spoke to the Westminster Media Forum, which was discussing ‘Social media, online privacy and the ‘right to be forgotten’.

On both occasions, the representatives of the ICO had a pretty rough ride, one way or another. At the first meeting, Steve Wood was given a hard time by people working in or for the people providing online services for the way that the ICO has dealt with the ‘EU Cookie Directive’, about which the ICO has recently issued a warning, suggesting that ‘UK businesses must ‘wake up’ to new EU law on cookies’. To put it at its most basic, the ICO was being castigated for being too tough on the industry. Steve Wood’s primary defence seemed to be ‘don’t shoot the messenger’, and that all they were doing was following orders from the EU, though how well that defence went down with the audience seemed a little unclear.

At the Westminster Media Forum, the Commissioner himself had an equally rough ride – and I have to admit that I was one of those who asked him a question that was perhaps a little negative in angle, wondering why so little attention was paid to data minimisation by the ICO, despite it embodying some of the most fundamental principles of data protection. The reply I got was somewhat terse – but my question was one of the gentlest that the Commissioner had to answer. In effect, he was being challenged by privacy advocates, consumer groups and others (including Microsoft’s Caspar Bowden) for not being tough enough on the industry.

So what are the ICO to do? One week they’re attacked for being too tough on the industry, the next they’re attacked for not being tough enough? Are either forms of attack fair or justified? Is there anything that the ICO can do to meet the expectations of both sides? Is the problem just an intractable one that can’t be resolved?

As someone who’s on the privacy advocacy side of the debate, I have a lot of sympathy for the ICO. They do a lot of good things, provide a lot of good guidance, and generally say the right things. They try to tread a delicate path between the industry and the people – and do their best to tread that path with care and without causing too many fights – and have asked (and now received) for some more ‘teeth’ to punish those who transgress and deter those who might be tempted to.

Still, however, I find myself wanting to criticise them quite a lot of the time, and find myself in general agreement with NGOs like Privacy International who wondered in February whether the ICO was fit for purpose. Why? Mostly, because the role I think they should be playing does not seem to be the role that they think they’re playing. They shouldn’t be playing a kind of conciliation service, working out compromises between the industry and the people – they should be on the side of the people first and foremost, and supporting those people’s rights. We haven’t got anyone else on our side – while the industry has huge amounts of lobbying power, together with the support of great ministries of government to whom trade and finance is the be-all and end-all. They also have the tacit support of large parts of the security lobby, who’d like as much surveillance and data retention as possible, as many back-doors into websites and social networks as possible, and would be happy for the industry to do the building, gathering and retaining of data for them.

So does the ICO need to be so careful not to upset them? I don’t think so – they should be braver to speak out and upset companies when those companies need to be upset, and to challenge them when they need to be challenged. They shouldn’t be ashamed of this – Steve Wood seemed highly apologetic at the SCL meeting, as if he was ashamed to acknowledge that, deeply flawed though the Cookie Directive may be, it was introduced to address a real issue, and a real issue that the industry had failed to address themselves. If the ICO ends up caving in on this issue too, it really will be showing that it’s not fit for purpose…

How personal is personal?

The Register is reporting that the ICO wants a clearer definition of what consititutes ‘personal data’ – and it is indeed a crucial question, particularly under the current data protection regime. The issue has come up in the ICO’s response to the Government consultation on the review of the Data Protection Directive – and one of the key points is that there is a difference between how personal data is defined in the directive and how it is defined in the UK Data Protection Act. That difference gives scope for lots of legal argument – and is one of many factors that help to turn the data protection regime from something that should be about rights and personal protection into something often hideously technical and legalistic. The ICO, fortunately, seems to recognise this. As quoted in The Register, ICO Deputy Director David Smith says:

“We need to ensure that people have real protection for their personal information, not just protection on paper and that we are not distracted by arguments over interpretations of the Data Protection Act,”

That’s the crux of it – right now, people don’t really have as much real protection as they should. Will any new version of the directive (and then the DPA) be any better? It would be excellent if it did, but right now it’s hard to imagine that it will, unless there is a fundamental shift in attitudes.

There’s another area, however, that just makes it into the end of the Register’s article, that may be even more important – the question of what constitutes ‘sensitive personal data’.  Here, again, the ICO is on the ball – this is again from the Register:

“The current distinction between sensitive and non-sensitive categories of personal data does not work well in practice,” said the submission. “The Directive’s special categories of data may not match what individuals themselves consider to be ‘sensitive’ – for example their financial status or geo-location data about them.”

The ICO go on to suggest not a broadening of the definition of sensitive personal data, but a more ‘flexible and contextual approach’ to it – and they’re right. Data can be sensitive in one context, not sensitive in another. However, I would suggest that they’re not going nearly far enough. The problem is that the idea of the ‘context’ of any particular data is so broad as to be unmanageable. What matters isn’t just who has got the data and what they might do with it, but a whole lot of other things concerning the data subject, the data holder, any other potential data user and so on.

For instance, consider data about someone’s membership of the Barbra Streisand fan club. Sensitive data? In most situations, people might consider it not to be sensitive at all – who  cares what kind of music someone listens to? However, liking Barbra Streisand might mean a very different thing for a 22 year old man than it does for a 56 year old woman. Extra inferences might be drawn if the data gatherer has also learned that the data subject has been searching for holidays only in San Francisco and Sydney, or spends a lot of time looking at hairdressing websites. Add to that the real ‘geo-tag’ kind of information about where people actually go, and you can build up quite detailed profiles without ever touching what others might consider sensitive. When you have all that information, even supposedly trivial information like favourite colours or favourite items in your Tesco online shopping could end up being sensitive – as an extra item in a profile that ‘confirms’ or ‘denies’ (according to the kinds of probabilistic analyses that are used for behavioural profiling) that a person fits into a particular category.

What does all this mean? Essentially that ANY data that can be linked to a person can become sensitive – and that judging the context is so difficult that it is almost impossible. Ultimately, if we believe that sensitive data needs particular protection, then we should apply that kind of protection to ALL personal data, regardless of how apparently sensitive it is….