Dear Larry and Mark….

Larry Page, Google

Mark Zuckerberg, Facebook

8th June, 2013

Dear Larry and Mark

The PRISM project

I know that you’ve been as deeply distressed as I have by the revelations and accusations released to the world about the PRISM project – and I am delighted by the vehemence and clarity with which you have denied the substance of the reports insofar as they relate to your services. The zeal with which you wish to protect your users’ privacy is highly commendable – and I’m looking forward to seeing how that zeal produces results in the future. To find that the two of you, the leaders of two of the biggest providers of services on the internet, are so clearly in favour of individual privacy on the internet is a wonderful thing for privacy advocates such as myself. There are, however, a few ways that you could make a slightly more direct contribution to that individual privacy – and seeing the depth of feeling in your proclamations over PRISM I feel sure that you will be happy to do them.

Do Not Track

As I’m sure you’re aware, people are concerned not just about governments tracking their activities on the net, but others tracking them – not least since it appears clear from the PRISM project that if commercial organisations track people, governments might try to get access to that tracking, and perhaps even succeed. As you know, the Do Not Track initiative was designed with commercial tracking in mind – but it has become a little bogged down since it began, and looks as though it might be far less effective than it could be. You could change that – put your considerable power into making it strong and robust, very clearly do not track rather than do not target, and most importantly ensure that do not track is on by default. As you clearly care about the surveillance of your users, I know that you’ll want them not to be tracked unless they actively choose to let advertisers track them. That’s the privacy-friendly way – and as supporters of privacy, I’m sure you’ll want to support that. Larry, in particular, I know this is something you’ll want to do, as perhaps the world leader in advertising – and now also in privacy – your support of this will be both welcome and immensely valuable.

Anonymity – no more ‘real names’ policies

As UN Special Rapporteur on Freedom of Expression and Opinion, Frank La Rue, recently reported, privacy, and in particular anonymity is a crucial underpinning of freedom of expression on the internet. I’m sure you will have read his report – and will have realised that your insistence on people using real names when they use your services is a mistake. I imagine, indeed, that you’re already preparing to reverse those policies, and come out strongly for people’s right to use pseudonyms – particularly you, Mark, as Facebook is so noted for its ‘real names’ policy. As supporters of privacy, there can’t be any other way – and now that you’re both so clearly in the privacy-supporting camp, I feel confident that you’ll make that choice. I’m looking forward to the press releases already.

Data Protection Reform

As supporters of privacy, I know you’ll be aware of the current reform programme going on with the European Data Protection regime – data protection law is strongly supportive of individual privacy, and may indeed be the most important legal protection for privacy in the world. You might be shocked to discover that there are people from both of your companies lobbying to weaken and undermine that reform – so I’m sure you’ll tell them at once to stop that lobbying, and instead to get solidly behind those looking for better protection for individual privacy and stronger rights to protect themselves from tracking and misuse of their data.  As you are now the champions of individual privacy, I’m sure you’ll be delighted to do so – and I suspect memos have already been issued from your desks to those lobbying teams ordering them to change your stance and support rather than undermine individuals’ rights over their data. I know that those pushing for this reform will be delighted by your new found support.

That support, I’m sure, will build on Eric Schmidt’s recent revelation that he thinks the internet needs a ‘delete’ button – so you’ll be backing Viviane Reding’s ‘right to be forgotten’ and doing everything you can to build in easy ways for people to delete their accounts with you, to remove all traces of their profiling and related data and so on.

Geo-location, Facial Recognition and Google Glass

Your new found zeal for privacy will doubtless also be reflected in the way that you deal with geo-location and facial recognition – and in Larry’s case, with Google Glass. Of course you’ve probably had privacy very much in the forefront of your thoughts in all of these areas, but just haven’t yet chosen to talk about it. Moving away from products that gather location data by default, and cutting back on facial recognition except where people really need it and have given clear and properly informed consent will doubtless be built in to your new programs – and, Larry, I’m sure you’ll find some radical way to cut down on the vast array of privacy issues associated with Google Glass. I can’t quite see how you can at the moment, but I’m sure you’ll find a way, and that you’re devoting huge resources to do so.

Supporting privacy

We in the privacy advocacy field are delighted to have you on our side now – and look forward greatly to seeing that support reflected in your actions, and not just in relation to government surveillance. I’ve outlined some of the ways that this might be manifested in reality – I am waiting with bated breath to see it all come to fruition.

Kind regards

Paul Bernal

P.S. Tongue very firmly in cheek

Lobbyists: who pays the piper…

A few weeks ago I experienced first hand the role of lobbyists, when I saw them do their best to start steering the CREATe project in their own direction (see my blog here). In the time since then, two more issues have come up that have highlighted their significance – and why we need to be concerned. We should be looking much more carefully at their activities.

Copyright lobbyists

To recap, at CREATe it was the lobbyists for the ‘content’ industry – what might loosely be called ‘copyright’ lobbyists – who were trying to ensure that the project, which is amongst other things looking at copyright reform, did not dare to challenge their assumption that ‘piracy’ needs to be stomped on above all things. The copyright lobby is a very powerful one indeed, and has had huge influence on the policies of governments worldwide – in the UK, they still seem to have a firm grip on all the major parties, and were the key behind the controversial Digital Economy Act. They are, however, only one of the lobby groups that we should be watching.

Advertising industry lobbyists

The second emerging issue concerns another key lobby – the online advertising industry. For privacy advocates like me, the advertising industry as often been a bit of a bête noire – behavioural advertising in particular generally works through significant invasions of privacy – but their recent activities in relation to the ‘Do Not Track’ initiative have been concerning. They’ve been fighting tooth and nail to block Microsoft’s idea that DNT should be ‘on’ by default on Internet Explorer – and according to Alexander Hanff they’ve also managed to co-opt privacy advocates to help undermine the DNT specification itself, allowing for ‘de-identified’ tracking without any kind of consent.

There’s a long way to go on this one, but I’m far from alone in thinking that they’ll manage to pretty much entirely neuter DNT. As security expert Nadim Kobeissi put it in a blog post yesterday, DNT is becoming ‘Dangerous and Ineffective’. We can largely thank advertising industry lobbyists for that.

‘Internet Industry’ Lobbyists

The third and potentially most worrying of all the recent lobbyists activities to emerge is the story of US ‘internet industry’ lobbyists working to undermine the draft Data Protection Regulations. As the Telegraph reported:

“Tory MEPs ‘copy and paste Amazon and Google lobbyist text'”

As I also experienced first hand at the Computers, Privacy and Data Protection conference in Brussels earlier this month, industry lobbyists particularly from the US are very concerned by the proposed Data Protection Regulation, partly because as drafted it would allow them to have the power to actually fine industry groups a meaningful amount of money – 2% of their global turnover – the kind of fine that would actually make a difference, and could actually make them change their activities.

Making changes….

That’s the key – indeed, the key for all three of the lobbying stories above. A resistance to change. The copyright lobbyists don’t want to have to change either their business model or their approach to enforcement. The advertising industry don’t want to have to change their privacy-invasive way of tracking people. The ‘internet industry’ companies don’t want to have to change their way of gathering and using people’s personal data. And in all three cases, they don’t seem to really care what people want or care about. In the copyright lobbyists example, as I noted in my blog at the time, they seem to be resisting even the gathering of evidence. In the other two cases, I suspect the same is true – because the more evidence that comes out, the clearer it is that people do care about privacy and don’t want to be tracked.

It’s not US vs EU

One of the most common arguments made in these cases is that it’s some kind of a Transatlantic conflict – a ‘cultural difference’ between the US and the EU. We in Europe are trying to ‘impose’ our values onto the US. Is it true? Well, the most recent evidence suggests otherwise – indeed, it suggests that people in the US care every bit as much as people in Europe do about privacy. According to a recent survey, 77% of Americans would select ‘do not track’  if it were available – putting them above many European countries, below only France. As David Meyer put it: ‘Think Europeans are more into data privacy than Americans? Think again.”

I suspect he’s right – and the divide isn’t a Transatlantic one. It’s a divide between individuals everywhere and the industry lobbyists. Lobbyists, by their nature, look out for those they’re lobbying on behalf of. Of course they do – that’s their job. We need to understand that – and act appropriately. What the lobbyists do should worry us – because they don’t serve our interests. Who pays the piper calls the tune – and it’s not us!

That’s not to say that they don’t have legitimate interests – they do! What the industries they represent do is crucial for all of us, for the future of the internet. However, it does need to be balanced, and right now it looks very much out of balance.

Taking a lead on privacy??

Two related stories about privacy and tracking are doing the rounds at the moment: both show the problems that companies are having in taking any sort of lead on privacy.

The first is about Apple, and the much discussed recent upgrade to their iOS, the operating system for the iPhone and iPad. There’s been a huge amount said about the problems with the mapping system (and geo-location is of course a huge privacy issue – as I’ve discussed before) but now there’s an increasing buzz about their newly introduced tracking controls. Apple, for the first time, have provided users with the option to ‘limit ad tracking’ – though as noted in a number of stories, including this one from Business Insider, that option is hidden away, not in the vaunted ‘Privacy’ tab, but under a convoluted set of menus (first ‘General’ settings, then ‘About’, then scroll down to the bottom to find ‘Advertising’, then click ‘Limit Ad Tracking’). Not easy to find, as even the techie and privacy geeks that I converse with on twitter have found.

This of course raises a lot of issues – it’s great to have the feature, but the opposite to have it hidden away where only the geeks and the paranoid will find it. It looks as though the people at Apple have been thinking hard about this, and working hard at this, and have come up with an interesting (and perhaps effective – but more on that below) solution, but then been told by someone, somewhere, that they should hide it for fear of upsetting the advertisers. I’d love to know the inside story on this – but Apple are rarely quite as open about their internal discussions as they could be.

There’s a conflict of motivations, of course. On the one hand, Apple wants to make customers happy, and there is increasing evidence that customers don’t want to be tracked – most recently this excellent paper from Hoofnagle, Urban and Li, appropriately entitled “Privacy and Modern Advertising: Most US Internet Users Want ‘Do Not Track’ to Stop Collection of Data about their Online Activities”. On the other hand, Apple don’t want to annoy the advertisers – particularly when the market for mobile is getting increasingly competitive. And the advertisers seem to be on a knife edge at the moment, very touchy indeed, as the latest spats over the ‘Do Not Track’ initiative have shown.

That’s the second story doing the rounds at the moment: the increasing acrimony and seemingly bitter conflict over Do Not Track. It’s a multi-dimensional spat, but seems to have been triggered by Microsoft’s plan to make do not track ‘on’ by default – something that the advertising industry are up in arms about. The ‘Digital Advertising Alliance’ issued a statement effectively saying they would simply ignore Microsoft’s system and track anyway – which led to privacy advocates suggesting that the advertisers wanted to kill the whole Do Not Track initiative. This is Jeff Chester of the Center for Digital Democracy:

“The DAA is trying to kill off Do Not Track.  Its announcement today to punish Microsoft for putting consumers first is an extreme measure designed to strong-arm companies that care about privacy.”

Chester and others saying similar things may be right – and it makes people like me wonder if the whole problem is that the ‘Do Not Track’ initiative was never really intended to work, but was just supposed to make people think that their privacy was protected. If it actually got some teeth – and setting it to a default ‘on’ position would be the first way to give it teeth – then the industry wouldn’t want it to exist. There are other huge issues with Do Not Track anyway. As the title of the Hoofnagle, Urban and Li report suggested, people think ‘Do not track’ means they won’t be tracked – that their data won’t be collected at all – while the industry seems to think what really matters to people is that they aren’t targeted – i.e. their data is still collected, and they’re still tracked and profiled, but that tracking isn’t used to send advertisements to them. For me, that at least is completely clear. Do Not Track should mean no tracking. Blocking data collection is more important than stopping targetting – because once the data is collected, once the profiles are made, they’re available for misuse later down the line.

That, far deeper point, is still not being discussed sufficiently. The battle is at a more superficial level – but it’s still an important battle. Who matters more, the consumers or the advertisers? Advertisers would have us believe that by stopping behavioural targetting we will break the whole economic basis of the internet – but that is based on all kinds of assumptions and presumptions, as Sarah A Downey pointed out in this piece for TechCrunch “The Free Internet Will Be Just Fine With Do Not Track. Here’s Why.” At the recent Amsterdam Privacy Conference, Simon Davies, one of the founders of Privacy International, made the bold suggestion that the behavioural targetting industry should simply be banned – and there is something behind his argument. Right now, the industry is not doing much to improve its image: seeming to undermine the whole nature of Do Not Track does not make them look good.

There’s another spectre that the industry might have to face: the European Union is getting ready to act, and when they act, they tend to do things without a great deal of subtlety, as the fuss around the Cookie Directive has shown. If the advertisers want to avoid heavy-handed legislation, they should beware: ‘Steelie’ Neelie Kroes is getting impatient. As reported in The Register, if they don’t stop their squabbling tactics over Do Not Track, she’s going to call in the politicians….

Someone, somewhere, has to take a lead on privacy. Apple had the chance, and to a great extent blew it, by hiding their tracking controls where the sun doesn’t shine. Microsoft seems to be making an attempt too, but will they hold their nerve in the face of huge pressure from the advertising industry – and even if they do, will their lead be undermined by the tactics of the advertising industry? If no-one takes that lead, no-one takes that initiative, the EU will take their kid gloves off… and then we’re all likely to be losers, consumers and advertisers alike….

Privacy for all?

The big ‘privacy’ story this week has been that surrounding the Duchess of Cambridge’s breasts. The coverage it’s been given (and will doubtless continue to be given) has been immense – but the issues that it should raise are far more complex than those that have appeared in the media. A shortish blog post isn’t enough to cover even a fraction of them – but there are a few points that a privacy advocate like me should be highlighting.

This particular intrusion is in many ways a ‘classical’ intrusion: the kind of long-lens photography of a celebrity that has existed pretty much since photography was invented. Indeed, the kind of intrusion that inspired Warren and Brandeis’ seminal piece The Right to Privacy in the Harvard Law Review as long ago as 1890. We can rant and rage about it, put laws in place and try to establish press standards and ethical guidelines as much as we want, but it almost certainly won’t go away – not so long as we’re interested in celebrities, and much though people like me might hope that our celebrity-obsessed culture disappears, I can’t see it happening. However, it does raise some very serious points.

Firstly, from my perspective, it reminds me of an overriding principle: rights, if they are to mean anything, should apply to all. That works both ways in this case:

Even people you dislike, or disapprove of have rights!

Even people that we don’t like, people we disapprove of, should have the right to privacy. In fact, this is one of the biggest tests of any commitment to rights: do we grant those rights to people we don’t like! I’m no royalist – indeed, in most ways I’m a fairly ardent republican – but I do think the Duchess of Cambridge has a right to privacy. Similarly, though I detest his politics, I believe Max Mosley has a right to privacy. They’re human beings – even if they’re ultra-privileged and ultra-rich, even if they ‘represent’ aspects or elements of society that I thoroughly dislike, and institutions that I would much rather don’t exist.

But so do the rest of us!

Just as importantly, it shouldn’t be JUST the Royals and other celebrities that have the right to privacy, and the kinds of protection that this right demands, but all of us. We shouldn’t save our outrage at invasions of privacy for those like the Duchess of Cambridge for whom the privacy invasions are obvious and well publicised – we should be aware of, and oppose, invasions of privacy wherever and however they occur. The threats we face are very different from those faced by the Duchess – I doubt anyone wants to point a telephoto lens at my window – but they’re there, and they’re growing all the time. If we care about privacy – and we should care about privacy – we should care about the way the government is planning to invade our privacy on a systematic and devastating scale with the Communications Data Bill (the snoopers’ charter), and we should care about the way businesses are monitoring our behaviour online on an equally systematic basis.

Privacy is about control

It may not seem the same, but there are more similarities about these two kinds of invasions of privacy. They’re both about control – the Duchess wants to have some control over what images of her are used, and by whom. Invasions of privacy like this destroy that control, and allow the most intimate of information to be spread without her consent or any chance of her control. The kinds of invasions of privacy that we ‘ordinary’ people face also allow the most intimate of information to be gathered about us – whether it’s discovering our sexual preferences by monitoring the websites we visit or our political views by the kind of music we listen to, or even our body shape and size by the products we browse – and allow that to be spread without our consent or control.

Of course the information is spread to different people and for different reasons. The Duchess’s breasts may be shared over the internet for the purpose of titillation or just gossip – our personal details are spread so that businesses can make money from us, insurance companies raise our premiums, employers learn about our personal habits – or authorities learn when and what we might be wanting to protest about in order to stifle that protest.

What is grotesque?

Where is the greater harm? At a personal, immediate and obvious level, the invasion of the Duchess’s privacy is grotesque, and it should be thoroughly rejected. At a societal level – and at a personal level for each and every one of us, the other, systematic, silent, hardly noticed invasions of privacy may be far more dangerous. They have the potential to be truly grotesque – and we should make that very clear.

Opt-in is no red herring…

Briefly, very briefly, Microsoft looked like being surprising but serious ‘good-guys’ in relation in Internet privacy. They announced that Internet Explorer 10 would be launched with ‘do not track’ set as ‘on’ by default. That is, that out of the box (or more likely when downloaded), Internet Explorer would be set to prevent tracking by behavioural advertisers. When I read the story, I was shocked, momentarily delighted, and then instantly cynical… and the cynic ended up being right, because within a week, and before it was launched, action was taken to stop it happening.

As Wired reported it, the new draft of the Do Not Track specification, less than a week after Microsoft’s announcement, required that the system be set to ‘opt-out’, rather than ‘opt-in': users must make a specific decision NOT to be tracked, rather than a specific decision to allow tracking. The idea of Microsoft as heroes of privacy died a quick and sadly unsurprising death…..

Why did this happen?

…and why does it matter? Well, I’ve banged on a large number of times about the importance of ‘opt-in’ – partly because I’m in general an ‘autonomy’ person, who likes the idea of us having as much freedom of action as I can, and partly because I understand the importance of defaults. Defaults matter. They really matter. From a philosophical perspective they matter because they suggest (and even sometimes set) the norms of the society. Is our ‘norm’ that we’re happy to be tracked and surveilled? That’s what setting the default to ‘opt-out’ means. It means that ‘normal’ people don’t mind being tracked, it’s only extremists and privacy geeks that care, and they’ll find their way to turn the tracking off. I don’t know about the rest of you, but that’s a norm I don’t want to accept!

More importantly, perhaps, they matter  for a simple, practical reason: because the majority of people don’t ever bother to change their settings – so what they’re given to start with it what they’ll stick with. The internet advertisers know that, and know that very well, which is why Microsoft’s initial announcement must have sent shivers down their spines – and why they made sure that it was quickly and relatively quietly killed. They don’t want ‘normal’ people to avoid being tracked – or even to think about whether they’re being tracked, or at the implications of their being tracked.

Opt-in is NOT a red herring

At a few conferences recently I’ve been told that opt-in is a red herring, that it doesn’t matter, and that only old fuddy-duddies who really don’t ‘get it’ still care about it. At a Westminster e-Forum, the panel basically refused to answer my question about it, and tried to get the audience to laugh rather than respond. There have been good pieces written about the down side of opt-in – most notably ‘opt-in dystopias’ by Lundbad and Masiello (which you can find here), and it cannot be denied that opt-in is far from a panacea. We all know that when given terms and conditions we generally just scroll through them without reading them and just click ‘OK’ when we’re asked.

That, however, does not mean that we should abandon the idea of opt-in: it just means that we should be more intelligent and flexible about it. Find a way that emphasises the important bits about something rather than giving us page after page after page of mind-numbing legalese. Use the interactive and user-friendly nature of modern software to make the process work better – rather than make it work so badly that people ignore it.

The advertisers and others who want to track us understand this very well – and they’re almost certainly delighted that to an extent they’ve managed to shift the discussion away from the opt-in/opt-out agenda, that they’ve managed, to a great extent, to pull the wool over the eyes over even some very experienced and quite expert privacy activists into accepting their own agenda. We should not let this happen.

Defaults matter. Opt-in matters. This little story with Internet Explorer shows that the advertisers know this. Those of us working in the privacy field should remember it too.

Time for a change?

I attended the Westminster eForum this morning. The subject was the new Data Protection Framework, and there was a stellar cast of speakers and panellists, from the estimable Peter Hustinx (the European Data Protection Supervisor), the MoJ’s Lord McNally and the ICO’s David Smith to representatives of Facebook, Google, the online advertising industry, computer security experts Symantec, Which, and top lawyers Allen and Overy..

Most of the forum was fairly predictable – strong and excellent stuff from Hustinx defending the new framework, even suggesting it might not go far enough in some places, to the expected (if carefully worded) attempts to undermine it from the politicians and most of the business people. The latter were generally disappointing in one particular way: very few of them seemed to grasp the ultimate purpose of the regulation, or the real reasons for its existences. They didn’t seem to have asked themselves two key questions: why has this regulation come about in the first place, and what is its underlying purpose?

Why has this regulation come about?

The two are of course linked – and missing the point of both is similarly linked. So why has this regulation come about? Well, we heard a lot of history this morning, all about how much had changed since the original data protection regime came into existence in 1995. All of it was undoubtedly true – the internet as it now exists was close to inconceivable back in 1995, and what we do now both as individuals and as businesses has completely changed. Is that why the regulation needed to change? In a way, of course it is – but thinking along those lines is missing the bigger point. Why was data protection regulation needed in the first place, back in 1995, and what was its intention then?

Ultimately, there were (and still are) two purposes. As Hustinx and other (including an excellent intervention from Douwe Korff) stressed, it is about what we (in Europe at least) consider to be fundamental rights. Ilias Chantzos of Symantec made the point that the original intention was to enable better cross-border data flow – and indeed it is clear that both are the case. Fundamental rights need protecting, and data needs to be allowed (or even encouraged) to flow, but in accordance with those rights.

All that is well and good – but still begs the underlying question: why was data protection needed? Regulation generally comes about because there is a problem – and that is the case here.

The problem was twofold: that data was not flowing as freely as it should had been, and that fundamental rights were not being protected. In particular, privacy was not being respected.

What has changed in the intervening period? Well, there doesn’t seem to be as much of a problem of data flowing as there used to be – but there’s still a problem of privacy not being respected. That, more than anything else, is what lies behind the need for the new regulation. That’s why the regulation is tough. If there aren’t big problems, there’s no need for tough regulation.

We have a tough regulation here – because there ARE big problems.

How do you comply with regulation?

This is where the real problem seemed to come for me. All the businesses want to know how to comply with regulations – but they don’t seem to understand the real point. These kinds of regulations aren’t really supposed to be about ticking boxes, or finding the right words to describe your activities in order to comply with the technical details of the relevant laws. Nigel Parker from Allen and Overy gave a very revealing and detailed picture of how he had to navigate some of his multi-national clients through the complexities of the different international regulations concerning data protection – but he seemed not to want to offer one particular piece of advice. He didn’t seem to want to tell his clients that they might well have to change what they do – or perhaps even decide not to do it.

The purpose of the very existence of these regulations are to make businesses (and governments) change what they do, or at least how they do it.

Changes!

Protecting fundamental rights when those rights are being infringed does not mean filling boxes or writing reports. It means changing what you do. Let me repeat that. It means changing what you do.

The approach to regulations seems generally to be more like ‘we’re going to do this, now help us comply with the regulations’ than ‘what do the regulations suggest is inappropriate – let’s not do them’. That’s not the real point – the point is that compliance should come by doing the right thing, not by trying to shape your ‘wrong’ thing into a form that ticks the boxes. Only the impressive Anthony House from Google seemed to grasp that – and suggest that Google wants to do the ‘right’ thing about privacy not because the law says it should, but because it’s a good thing to do, and because its users want these kinds of things. Whether Google are actually doing this is a slightly moot point – but he did seem to understand.

Change is hard, everyone knows that – but the first stage is recognition that change is necessary. If you find that your business, or your government department, can’t seem to comply with the regulations, don’t complain about the regulations – ask yourself why your activities don’t seem to comply. Could it be that you need to change? It could, you know, it could….

Big Brother is watching you – and so are his commercial partners

Today, President Obama unveiled a proposal for an internet ‘bill of rights':

“American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online,” said Mr. Obama.

In a lot of ways, this is to be applauded. The idea, as reported in the media, is to “give consumers greater online privacy protection”, which for privacy advocates and researchers such as myself is of course a most laudable aim. Why, then, am I somewhat wary of what is being proposed? Anyone who works in the field is of course naturally sceptical – but there’s more to it than that. There’s one word in Obama’s statement, repeated without real comment in the media reports that I’ve read, that is crucial. That word is ‘consumers’.

Consumers, citizens or human beings?

The use of the word ‘consumer’ has two key implications. First of all, it betrays an attitude to the internet and to the people who use it. If we’re consumers, that makes the net a kind of ‘product’ to be consumed. It makes us passive rather than active. It means we don’t play a part in the creation of the net – and it means that the net is all about money and the economy, rather than about communication, about (free) expression, about social interaction, about democratic discourse and participation. It downplays the political role that the net can be played – and misunderstands the transformations that have gone on in the online world over the last decades. The net isn’t just another part of the great spectrum of ‘entertainment’ – much though the ‘entertainment’ industry might like to think it is, and hence have free rein to enforce intellectual property rights over anything else.

That’s not to downplay the role of economic forces on the net – indeed, as I’ve argued many times before, business has driven many of the most important developments on the net, and the vast expansion and wonderful services we all enjoy have come from business. Without Google, Facebook and the like, the internet would be a vastly less rich environment than it is – but that’s not all… and treating users merely as ‘consumers’ implies that it is.

The second, perhaps more sinister side to portraying us all as consumers rather than citizens – or even human beings – is that it neatly sidesteps the role that governments have in invading rather than protecting our privacy. Treating us as consumers, and privacy as a ‘consumer right’, makes it look as though the government are the ‘good guys’ protecting us from the ‘bad’ businesses – and tries to stop us even thinking about the invasions of privacy, the snooping, the monitoring, the data gathering and retention, done by governments and their agencies.

Big Brother is watching you…

The reality is, of course, that governments do snoop, they do gather information, they do monitor our activities on social networks and so forth. What’s more, we should be worried about it, and we should be careful about how much we ‘let’ them do it. We need protection from government snooping – we need privacy rights not just as consumers, but as citizens. Further, as I’ve argued elsewhere, rights to privacy (and other rights) on the internet can be viewed as human rights – indeed I believe they should be viewed as human rights. From an American perspective, this is problematic – but it should at least be possible to cast privacy rights on the net as civil rights rather than consumer rights.

…and so are his commercial partners

At the same time, however, Obama is right that we need protection from the invasions of privacy perpetrated by businesses. For that reason, his initiative should be applauded, though his claiming of credit for the idea should be treated with scepticism, as similar ideas have been floating around the net for a long time – better late than never, though.

There is another side to it that may be even more important – the relationship between businesses and governments. They’re not snooping on us, or invading our privacy independently – in practice, and in effect, the biggest problems can come when they work together. Facebook gathers the data, encourages us to ‘share’ information, to ‘self-profile’ – and then governments use the information that Facebook has gathered. Email systems, telephone services, ISPs and the like may well gather information for their own purposes – but through data retention they’re required not only to keep that information for longer than they might wish to, but to make it available to authorities when the ‘need’ arises.

Worse, authorities may encourage or even force companies to build ‘back-doors’ into their products so that ‘when needed’ the authorities can use them to tap into our conversations, or to discover who we’ve been socialising with. They may require that photos on networks are subject to facial recognition analysis to hunt down people they wish to find for some reason or other – legitimate or otherwise. Facebook may well build their facial recognition systems for purely commercial reasons – but that doesn’t mean that others, including the authorities, might use them for more clearly malign purposes.

We need protection from both

So what’s the conclusion? Yes, Obama’s right, we need protection from commercial intrusions into our privacy. That, however, is just a small part of what we need. We need protection as human beings, as citizens, AND as consumers. Don’t let’s be distracted by looking at just a small part of the picture.