Dear Larry and Mark….

Larry Page, Google

Mark Zuckerberg, Facebook

8th June, 2013

Dear Larry and Mark

The PRISM project

I know that you’ve been as deeply distressed as I have by the revelations and accusations released to the world about the PRISM project – and I am delighted by the vehemence and clarity with which you have denied the substance of the reports insofar as they relate to your services. The zeal with which you wish to protect your users’ privacy is highly commendable – and I’m looking forward to seeing how that zeal produces results in the future. To find that the two of you, the leaders of two of the biggest providers of services on the internet, are so clearly in favour of individual privacy on the internet is a wonderful thing for privacy advocates such as myself. There are, however, a few ways that you could make a slightly more direct contribution to that individual privacy – and seeing the depth of feeling in your proclamations over PRISM I feel sure that you will be happy to do them.

Do Not Track

As I’m sure you’re aware, people are concerned not just about governments tracking their activities on the net, but others tracking them – not least since it appears clear from the PRISM project that if commercial organisations track people, governments might try to get access to that tracking, and perhaps even succeed. As you know, the Do Not Track initiative was designed with commercial tracking in mind – but it has become a little bogged down since it began, and looks as though it might be far less effective than it could be. You could change that – put your considerable power into making it strong and robust, very clearly do not track rather than do not target, and most importantly ensure that do not track is on by default. As you clearly care about the surveillance of your users, I know that you’ll want them not to be tracked unless they actively choose to let advertisers track them. That’s the privacy-friendly way – and as supporters of privacy, I’m sure you’ll want to support that. Larry, in particular, I know this is something you’ll want to do, as perhaps the world leader in advertising – and now also in privacy – your support of this will be both welcome and immensely valuable.

Anonymity – no more ‘real names’ policies

As UN Special Rapporteur on Freedom of Expression and Opinion, Frank La Rue, recently reported, privacy, and in particular anonymity is a crucial underpinning of freedom of expression on the internet. I’m sure you will have read his report – and will have realised that your insistence on people using real names when they use your services is a mistake. I imagine, indeed, that you’re already preparing to reverse those policies, and come out strongly for people’s right to use pseudonyms – particularly you, Mark, as Facebook is so noted for its ‘real names’ policy. As supporters of privacy, there can’t be any other way – and now that you’re both so clearly in the privacy-supporting camp, I feel confident that you’ll make that choice. I’m looking forward to the press releases already.

Data Protection Reform

As supporters of privacy, I know you’ll be aware of the current reform programme going on with the European Data Protection regime – data protection law is strongly supportive of individual privacy, and may indeed be the most important legal protection for privacy in the world. You might be shocked to discover that there are people from both of your companies lobbying to weaken and undermine that reform – so I’m sure you’ll tell them at once to stop that lobbying, and instead to get solidly behind those looking for better protection for individual privacy and stronger rights to protect themselves from tracking and misuse of their data.  As you are now the champions of individual privacy, I’m sure you’ll be delighted to do so – and I suspect memos have already been issued from your desks to those lobbying teams ordering them to change your stance and support rather than undermine individuals’ rights over their data. I know that those pushing for this reform will be delighted by your new found support.

That support, I’m sure, will build on Eric Schmidt’s recent revelation that he thinks the internet needs a ‘delete’ button – so you’ll be backing Viviane Reding’s ‘right to be forgotten’ and doing everything you can to build in easy ways for people to delete their accounts with you, to remove all traces of their profiling and related data and so on.

Geo-location, Facial Recognition and Google Glass

Your new found zeal for privacy will doubtless also be reflected in the way that you deal with geo-location and facial recognition – and in Larry’s case, with Google Glass. Of course you’ve probably had privacy very much in the forefront of your thoughts in all of these areas, but just haven’t yet chosen to talk about it. Moving away from products that gather location data by default, and cutting back on facial recognition except where people really need it and have given clear and properly informed consent will doubtless be built in to your new programs – and, Larry, I’m sure you’ll find some radical way to cut down on the vast array of privacy issues associated with Google Glass. I can’t quite see how you can at the moment, but I’m sure you’ll find a way, and that you’re devoting huge resources to do so.

Supporting privacy

We in the privacy advocacy field are delighted to have you on our side now – and look forward greatly to seeing that support reflected in your actions, and not just in relation to government surveillance. I’ve outlined some of the ways that this might be manifested in reality – I am waiting with bated breath to see it all come to fruition.

Kind regards

Paul Bernal

P.S. Tongue very firmly in cheek

Lobbyists: who pays the piper…

A few weeks ago I experienced first hand the role of lobbyists, when I saw them do their best to start steering the CREATe project in their own direction (see my blog here). In the time since then, two more issues have come up that have highlighted their significance – and why we need to be concerned. We should be looking much more carefully at their activities.

Copyright lobbyists

To recap, at CREATe it was the lobbyists for the ‘content’ industry – what might loosely be called ‘copyright’ lobbyists – who were trying to ensure that the project, which is amongst other things looking at copyright reform, did not dare to challenge their assumption that ‘piracy’ needs to be stomped on above all things. The copyright lobby is a very powerful one indeed, and has had huge influence on the policies of governments worldwide – in the UK, they still seem to have a firm grip on all the major parties, and were the key behind the controversial Digital Economy Act. They are, however, only one of the lobby groups that we should be watching.

Advertising industry lobbyists

The second emerging issue concerns another key lobby – the online advertising industry. For privacy advocates like me, the advertising industry as often been a bit of a bête noire – behavioural advertising in particular generally works through significant invasions of privacy – but their recent activities in relation to the ‘Do Not Track’ initiative have been concerning. They’ve been fighting tooth and nail to block Microsoft’s idea that DNT should be ‘on’ by default on Internet Explorer – and according to Alexander Hanff they’ve also managed to co-opt privacy advocates to help undermine the DNT specification itself, allowing for ‘de-identified’ tracking without any kind of consent.

There’s a long way to go on this one, but I’m far from alone in thinking that they’ll manage to pretty much entirely neuter DNT. As security expert Nadim Kobeissi put it in a blog post yesterday, DNT is becoming ‘Dangerous and Ineffective’. We can largely thank advertising industry lobbyists for that.

‘Internet Industry’ Lobbyists

The third and potentially most worrying of all the recent lobbyists activities to emerge is the story of US ‘internet industry’ lobbyists working to undermine the draft Data Protection Regulations. As the Telegraph reported:

“Tory MEPs ‘copy and paste Amazon and Google lobbyist text'”

As I also experienced first hand at the Computers, Privacy and Data Protection conference in Brussels earlier this month, industry lobbyists particularly from the US are very concerned by the proposed Data Protection Regulation, partly because as drafted it would allow them to have the power to actually fine industry groups a meaningful amount of money – 2% of their global turnover – the kind of fine that would actually make a difference, and could actually make them change their activities.

Making changes….

That’s the key – indeed, the key for all three of the lobbying stories above. A resistance to change. The copyright lobbyists don’t want to have to change either their business model or their approach to enforcement. The advertising industry don’t want to have to change their privacy-invasive way of tracking people. The ‘internet industry’ companies don’t want to have to change their way of gathering and using people’s personal data. And in all three cases, they don’t seem to really care what people want or care about. In the copyright lobbyists example, as I noted in my blog at the time, they seem to be resisting even the gathering of evidence. In the other two cases, I suspect the same is true – because the more evidence that comes out, the clearer it is that people do care about privacy and don’t want to be tracked.

It’s not US vs EU

One of the most common arguments made in these cases is that it’s some kind of a Transatlantic conflict – a ‘cultural difference’ between the US and the EU. We in Europe are trying to ‘impose’ our values onto the US. Is it true? Well, the most recent evidence suggests otherwise – indeed, it suggests that people in the US care every bit as much as people in Europe do about privacy. According to a recent survey, 77% of Americans would select ‘do not track’  if it were available – putting them above many European countries, below only France. As David Meyer put it: ‘Think Europeans are more into data privacy than Americans? Think again.”

I suspect he’s right – and the divide isn’t a Transatlantic one. It’s a divide between individuals everywhere and the industry lobbyists. Lobbyists, by their nature, look out for those they’re lobbying on behalf of. Of course they do – that’s their job. We need to understand that – and act appropriately. What the lobbyists do should worry us – because they don’t serve our interests. Who pays the piper calls the tune – and it’s not us!

That’s not to say that they don’t have legitimate interests – they do! What the industries they represent do is crucial for all of us, for the future of the internet. However, it does need to be balanced, and right now it looks very much out of balance.

Taking a lead on privacy??

Two related stories about privacy and tracking are doing the rounds at the moment: both show the problems that companies are having in taking any sort of lead on privacy.

The first is about Apple, and the much discussed recent upgrade to their iOS, the operating system for the iPhone and iPad. There’s been a huge amount said about the problems with the mapping system (and geo-location is of course a huge privacy issue – as I’ve discussed before) but now there’s an increasing buzz about their newly introduced tracking controls. Apple, for the first time, have provided users with the option to ‘limit ad tracking’ – though as noted in a number of stories, including this one from Business Insider, that option is hidden away, not in the vaunted ‘Privacy’ tab, but under a convoluted set of menus (first ‘General’ settings, then ‘About’, then scroll down to the bottom to find ‘Advertising’, then click ‘Limit Ad Tracking’). Not easy to find, as even the techie and privacy geeks that I converse with on twitter have found.

This of course raises a lot of issues – it’s great to have the feature, but the opposite to have it hidden away where only the geeks and the paranoid will find it. It looks as though the people at Apple have been thinking hard about this, and working hard at this, and have come up with an interesting (and perhaps effective – but more on that below) solution, but then been told by someone, somewhere, that they should hide it for fear of upsetting the advertisers. I’d love to know the inside story on this – but Apple are rarely quite as open about their internal discussions as they could be.

There’s a conflict of motivations, of course. On the one hand, Apple wants to make customers happy, and there is increasing evidence that customers don’t want to be tracked – most recently this excellent paper from Hoofnagle, Urban and Li, appropriately entitled “Privacy and Modern Advertising: Most US Internet Users Want ‘Do Not Track’ to Stop Collection of Data about their Online Activities”. On the other hand, Apple don’t want to annoy the advertisers – particularly when the market for mobile is getting increasingly competitive. And the advertisers seem to be on a knife edge at the moment, very touchy indeed, as the latest spats over the ‘Do Not Track’ initiative have shown.

That’s the second story doing the rounds at the moment: the increasing acrimony and seemingly bitter conflict over Do Not Track. It’s a multi-dimensional spat, but seems to have been triggered by Microsoft’s plan to make do not track ‘on’ by default – something that the advertising industry are up in arms about. The ‘Digital Advertising Alliance’ issued a statement effectively saying they would simply ignore Microsoft’s system and track anyway – which led to privacy advocates suggesting that the advertisers wanted to kill the whole Do Not Track initiative. This is Jeff Chester of the Center for Digital Democracy:

“The DAA is trying to kill off Do Not Track.  Its announcement today to punish Microsoft for putting consumers first is an extreme measure designed to strong-arm companies that care about privacy.”

Chester and others saying similar things may be right – and it makes people like me wonder if the whole problem is that the ‘Do Not Track’ initiative was never really intended to work, but was just supposed to make people think that their privacy was protected. If it actually got some teeth – and setting it to a default ‘on’ position would be the first way to give it teeth – then the industry wouldn’t want it to exist. There are other huge issues with Do Not Track anyway. As the title of the Hoofnagle, Urban and Li report suggested, people think ‘Do not track’ means they won’t be tracked – that their data won’t be collected at all – while the industry seems to think what really matters to people is that they aren’t targeted – i.e. their data is still collected, and they’re still tracked and profiled, but that tracking isn’t used to send advertisements to them. For me, that at least is completely clear. Do Not Track should mean no tracking. Blocking data collection is more important than stopping targetting – because once the data is collected, once the profiles are made, they’re available for misuse later down the line.

That, far deeper point, is still not being discussed sufficiently. The battle is at a more superficial level – but it’s still an important battle. Who matters more, the consumers or the advertisers? Advertisers would have us believe that by stopping behavioural targetting we will break the whole economic basis of the internet – but that is based on all kinds of assumptions and presumptions, as Sarah A Downey pointed out in this piece for TechCrunch “The Free Internet Will Be Just Fine With Do Not Track. Here’s Why.” At the recent Amsterdam Privacy Conference, Simon Davies, one of the founders of Privacy International, made the bold suggestion that the behavioural targetting industry should simply be banned – and there is something behind his argument. Right now, the industry is not doing much to improve its image: seeming to undermine the whole nature of Do Not Track does not make them look good.

There’s another spectre that the industry might have to face: the European Union is getting ready to act, and when they act, they tend to do things without a great deal of subtlety, as the fuss around the Cookie Directive has shown. If the advertisers want to avoid heavy-handed legislation, they should beware: ‘Steelie’ Neelie Kroes is getting impatient. As reported in The Register, if they don’t stop their squabbling tactics over Do Not Track, she’s going to call in the politicians….

Someone, somewhere, has to take a lead on privacy. Apple had the chance, and to a great extent blew it, by hiding their tracking controls where the sun doesn’t shine. Microsoft seems to be making an attempt too, but will they hold their nerve in the face of huge pressure from the advertising industry – and even if they do, will their lead be undermined by the tactics of the advertising industry? If no-one takes that lead, no-one takes that initiative, the EU will take their kid gloves off… and then we’re all likely to be losers, consumers and advertisers alike….

Privacy for all?

The big ‘privacy’ story this week has been that surrounding the Duchess of Cambridge’s breasts. The coverage it’s been given (and will doubtless continue to be given) has been immense – but the issues that it should raise are far more complex than those that have appeared in the media. A shortish blog post isn’t enough to cover even a fraction of them – but there are a few points that a privacy advocate like me should be highlighting.

This particular intrusion is in many ways a ‘classical’ intrusion: the kind of long-lens photography of a celebrity that has existed pretty much since photography was invented. Indeed, the kind of intrusion that inspired Warren and Brandeis’ seminal piece The Right to Privacy in the Harvard Law Review as long ago as 1890. We can rant and rage about it, put laws in place and try to establish press standards and ethical guidelines as much as we want, but it almost certainly won’t go away – not so long as we’re interested in celebrities, and much though people like me might hope that our celebrity-obsessed culture disappears, I can’t see it happening. However, it does raise some very serious points.

Firstly, from my perspective, it reminds me of an overriding principle: rights, if they are to mean anything, should apply to all. That works both ways in this case:

Even people you dislike, or disapprove of have rights!

Even people that we don’t like, people we disapprove of, should have the right to privacy. In fact, this is one of the biggest tests of any commitment to rights: do we grant those rights to people we don’t like! I’m no royalist – indeed, in most ways I’m a fairly ardent republican – but I do think the Duchess of Cambridge has a right to privacy. Similarly, though I detest his politics, I believe Max Mosley has a right to privacy. They’re human beings – even if they’re ultra-privileged and ultra-rich, even if they ‘represent’ aspects or elements of society that I thoroughly dislike, and institutions that I would much rather don’t exist.

But so do the rest of us!

Just as importantly, it shouldn’t be JUST the Royals and other celebrities that have the right to privacy, and the kinds of protection that this right demands, but all of us. We shouldn’t save our outrage at invasions of privacy for those like the Duchess of Cambridge for whom the privacy invasions are obvious and well publicised – we should be aware of, and oppose, invasions of privacy wherever and however they occur. The threats we face are very different from those faced by the Duchess – I doubt anyone wants to point a telephoto lens at my window – but they’re there, and they’re growing all the time. If we care about privacy – and we should care about privacy – we should care about the way the government is planning to invade our privacy on a systematic and devastating scale with the Communications Data Bill (the snoopers’ charter), and we should care about the way businesses are monitoring our behaviour online on an equally systematic basis.

Privacy is about control

It may not seem the same, but there are more similarities about these two kinds of invasions of privacy. They’re both about control – the Duchess wants to have some control over what images of her are used, and by whom. Invasions of privacy like this destroy that control, and allow the most intimate of information to be spread without her consent or any chance of her control. The kinds of invasions of privacy that we ‘ordinary’ people face also allow the most intimate of information to be gathered about us – whether it’s discovering our sexual preferences by monitoring the websites we visit or our political views by the kind of music we listen to, or even our body shape and size by the products we browse – and allow that to be spread without our consent or control.

Of course the information is spread to different people and for different reasons. The Duchess’s breasts may be shared over the internet for the purpose of titillation or just gossip – our personal details are spread so that businesses can make money from us, insurance companies raise our premiums, employers learn about our personal habits – or authorities learn when and what we might be wanting to protest about in order to stifle that protest.

What is grotesque?

Where is the greater harm? At a personal, immediate and obvious level, the invasion of the Duchess’s privacy is grotesque, and it should be thoroughly rejected. At a societal level – and at a personal level for each and every one of us, the other, systematic, silent, hardly noticed invasions of privacy may be far more dangerous. They have the potential to be truly grotesque – and we should make that very clear.

Opt-in is no red herring…

Briefly, very briefly, Microsoft looked like being surprising but serious ‘good-guys’ in relation in Internet privacy. They announced that Internet Explorer 10 would be launched with ‘do not track’ set as ‘on’ by default. That is, that out of the box (or more likely when downloaded), Internet Explorer would be set to prevent tracking by behavioural advertisers. When I read the story, I was shocked, momentarily delighted, and then instantly cynical… and the cynic ended up being right, because within a week, and before it was launched, action was taken to stop it happening.

As Wired reported it, the new draft of the Do Not Track specification, less than a week after Microsoft’s announcement, required that the system be set to ‘opt-out’, rather than ‘opt-in': users must make a specific decision NOT to be tracked, rather than a specific decision to allow tracking. The idea of Microsoft as heroes of privacy died a quick and sadly unsurprising death…..

Why did this happen?

…and why does it matter? Well, I’ve banged on a large number of times about the importance of ‘opt-in’ – partly because I’m in general an ‘autonomy’ person, who likes the idea of us having as much freedom of action as I can, and partly because I understand the importance of defaults. Defaults matter. They really matter. From a philosophical perspective they matter because they suggest (and even sometimes set) the norms of the society. Is our ‘norm’ that we’re happy to be tracked and surveilled? That’s what setting the default to ‘opt-out’ means. It means that ‘normal’ people don’t mind being tracked, it’s only extremists and privacy geeks that care, and they’ll find their way to turn the tracking off. I don’t know about the rest of you, but that’s a norm I don’t want to accept!

More importantly, perhaps, they matter  for a simple, practical reason: because the majority of people don’t ever bother to change their settings – so what they’re given to start with it what they’ll stick with. The internet advertisers know that, and know that very well, which is why Microsoft’s initial announcement must have sent shivers down their spines – and why they made sure that it was quickly and relatively quietly killed. They don’t want ‘normal’ people to avoid being tracked – or even to think about whether they’re being tracked, or at the implications of their being tracked.

Opt-in is NOT a red herring

At a few conferences recently I’ve been told that opt-in is a red herring, that it doesn’t matter, and that only old fuddy-duddies who really don’t ‘get it’ still care about it. At a Westminster e-Forum, the panel basically refused to answer my question about it, and tried to get the audience to laugh rather than respond. There have been good pieces written about the down side of opt-in – most notably ‘opt-in dystopias’ by Lundbad and Masiello (which you can find here), and it cannot be denied that opt-in is far from a panacea. We all know that when given terms and conditions we generally just scroll through them without reading them and just click ‘OK’ when we’re asked.

That, however, does not mean that we should abandon the idea of opt-in: it just means that we should be more intelligent and flexible about it. Find a way that emphasises the important bits about something rather than giving us page after page after page of mind-numbing legalese. Use the interactive and user-friendly nature of modern software to make the process work better – rather than make it work so badly that people ignore it.

The advertisers and others who want to track us understand this very well – and they’re almost certainly delighted that to an extent they’ve managed to shift the discussion away from the opt-in/opt-out agenda, that they’ve managed, to a great extent, to pull the wool over the eyes over even some very experienced and quite expert privacy activists into accepting their own agenda. We should not let this happen.

Defaults matter. Opt-in matters. This little story with Internet Explorer shows that the advertisers know this. Those of us working in the privacy field should remember it too.

Time for a change?

I attended the Westminster eForum this morning. The subject was the new Data Protection Framework, and there was a stellar cast of speakers and panellists, from the estimable Peter Hustinx (the European Data Protection Supervisor), the MoJ’s Lord McNally and the ICO’s David Smith to representatives of Facebook, Google, the online advertising industry, computer security experts Symantec, Which, and top lawyers Allen and Overy..

Most of the forum was fairly predictable – strong and excellent stuff from Hustinx defending the new framework, even suggesting it might not go far enough in some places, to the expected (if carefully worded) attempts to undermine it from the politicians and most of the business people. The latter were generally disappointing in one particular way: very few of them seemed to grasp the ultimate purpose of the regulation, or the real reasons for its existences. They didn’t seem to have asked themselves two key questions: why has this regulation come about in the first place, and what is its underlying purpose?

Why has this regulation come about?

The two are of course linked – and missing the point of both is similarly linked. So why has this regulation come about? Well, we heard a lot of history this morning, all about how much had changed since the original data protection regime came into existence in 1995. All of it was undoubtedly true – the internet as it now exists was close to inconceivable back in 1995, and what we do now both as individuals and as businesses has completely changed. Is that why the regulation needed to change? In a way, of course it is – but thinking along those lines is missing the bigger point. Why was data protection regulation needed in the first place, back in 1995, and what was its intention then?

Ultimately, there were (and still are) two purposes. As Hustinx and other (including an excellent intervention from Douwe Korff) stressed, it is about what we (in Europe at least) consider to be fundamental rights. Ilias Chantzos of Symantec made the point that the original intention was to enable better cross-border data flow – and indeed it is clear that both are the case. Fundamental rights need protecting, and data needs to be allowed (or even encouraged) to flow, but in accordance with those rights.

All that is well and good – but still begs the underlying question: why was data protection needed? Regulation generally comes about because there is a problem – and that is the case here.

The problem was twofold: that data was not flowing as freely as it should had been, and that fundamental rights were not being protected. In particular, privacy was not being respected.

What has changed in the intervening period? Well, there doesn’t seem to be as much of a problem of data flowing as there used to be – but there’s still a problem of privacy not being respected. That, more than anything else, is what lies behind the need for the new regulation. That’s why the regulation is tough. If there aren’t big problems, there’s no need for tough regulation.

We have a tough regulation here – because there ARE big problems.

How do you comply with regulation?

This is where the real problem seemed to come for me. All the businesses want to know how to comply with regulations – but they don’t seem to understand the real point. These kinds of regulations aren’t really supposed to be about ticking boxes, or finding the right words to describe your activities in order to comply with the technical details of the relevant laws. Nigel Parker from Allen and Overy gave a very revealing and detailed picture of how he had to navigate some of his multi-national clients through the complexities of the different international regulations concerning data protection – but he seemed not to want to offer one particular piece of advice. He didn’t seem to want to tell his clients that they might well have to change what they do – or perhaps even decide not to do it.

The purpose of the very existence of these regulations are to make businesses (and governments) change what they do, or at least how they do it.

Changes!

Protecting fundamental rights when those rights are being infringed does not mean filling boxes or writing reports. It means changing what you do. Let me repeat that. It means changing what you do.

The approach to regulations seems generally to be more like ‘we’re going to do this, now help us comply with the regulations’ than ‘what do the regulations suggest is inappropriate – let’s not do them’. That’s not the real point – the point is that compliance should come by doing the right thing, not by trying to shape your ‘wrong’ thing into a form that ticks the boxes. Only the impressive Anthony House from Google seemed to grasp that – and suggest that Google wants to do the ‘right’ thing about privacy not because the law says it should, but because it’s a good thing to do, and because its users want these kinds of things. Whether Google are actually doing this is a slightly moot point – but he did seem to understand.

Change is hard, everyone knows that – but the first stage is recognition that change is necessary. If you find that your business, or your government department, can’t seem to comply with the regulations, don’t complain about the regulations – ask yourself why your activities don’t seem to comply. Could it be that you need to change? It could, you know, it could….

Big Brother is watching you – and so are his commercial partners

Today, President Obama unveiled a proposal for an internet ‘bill of rights':

“American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online,” said Mr. Obama.

In a lot of ways, this is to be applauded. The idea, as reported in the media, is to “give consumers greater online privacy protection”, which for privacy advocates and researchers such as myself is of course a most laudable aim. Why, then, am I somewhat wary of what is being proposed? Anyone who works in the field is of course naturally sceptical – but there’s more to it than that. There’s one word in Obama’s statement, repeated without real comment in the media reports that I’ve read, that is crucial. That word is ‘consumers’.

Consumers, citizens or human beings?

The use of the word ‘consumer’ has two key implications. First of all, it betrays an attitude to the internet and to the people who use it. If we’re consumers, that makes the net a kind of ‘product’ to be consumed. It makes us passive rather than active. It means we don’t play a part in the creation of the net – and it means that the net is all about money and the economy, rather than about communication, about (free) expression, about social interaction, about democratic discourse and participation. It downplays the political role that the net can be played – and misunderstands the transformations that have gone on in the online world over the last decades. The net isn’t just another part of the great spectrum of ‘entertainment’ – much though the ‘entertainment’ industry might like to think it is, and hence have free rein to enforce intellectual property rights over anything else.

That’s not to downplay the role of economic forces on the net – indeed, as I’ve argued many times before, business has driven many of the most important developments on the net, and the vast expansion and wonderful services we all enjoy have come from business. Without Google, Facebook and the like, the internet would be a vastly less rich environment than it is – but that’s not all… and treating users merely as ‘consumers’ implies that it is.

The second, perhaps more sinister side to portraying us all as consumers rather than citizens – or even human beings – is that it neatly sidesteps the role that governments have in invading rather than protecting our privacy. Treating us as consumers, and privacy as a ‘consumer right’, makes it look as though the government are the ‘good guys’ protecting us from the ‘bad’ businesses – and tries to stop us even thinking about the invasions of privacy, the snooping, the monitoring, the data gathering and retention, done by governments and their agencies.

Big Brother is watching you…

The reality is, of course, that governments do snoop, they do gather information, they do monitor our activities on social networks and so forth. What’s more, we should be worried about it, and we should be careful about how much we ‘let’ them do it. We need protection from government snooping – we need privacy rights not just as consumers, but as citizens. Further, as I’ve argued elsewhere, rights to privacy (and other rights) on the internet can be viewed as human rights – indeed I believe they should be viewed as human rights. From an American perspective, this is problematic – but it should at least be possible to cast privacy rights on the net as civil rights rather than consumer rights.

…and so are his commercial partners

At the same time, however, Obama is right that we need protection from the invasions of privacy perpetrated by businesses. For that reason, his initiative should be applauded, though his claiming of credit for the idea should be treated with scepticism, as similar ideas have been floating around the net for a long time – better late than never, though.

There is another side to it that may be even more important – the relationship between businesses and governments. They’re not snooping on us, or invading our privacy independently – in practice, and in effect, the biggest problems can come when they work together. Facebook gathers the data, encourages us to ‘share’ information, to ‘self-profile’ – and then governments use the information that Facebook has gathered. Email systems, telephone services, ISPs and the like may well gather information for their own purposes – but through data retention they’re required not only to keep that information for longer than they might wish to, but to make it available to authorities when the ‘need’ arises.

Worse, authorities may encourage or even force companies to build ‘back-doors’ into their products so that ‘when needed’ the authorities can use them to tap into our conversations, or to discover who we’ve been socialising with. They may require that photos on networks are subject to facial recognition analysis to hunt down people they wish to find for some reason or other – legitimate or otherwise. Facebook may well build their facial recognition systems for purely commercial reasons – but that doesn’t mean that others, including the authorities, might use them for more clearly malign purposes.

We need protection from both

So what’s the conclusion? Yes, Obama’s right, we need protection from commercial intrusions into our privacy. That, however, is just a small part of what we need. We need protection as human beings, as citizens, AND as consumers. Don’t let’s be distracted by looking at just a small part of the picture.

Personalisation and politics

I have to admit to following the Republican party’s presidential candidate race with some fascination. It’s a slightly ghoulish fascination – there’s often a touch of fear when I listen to some of the candidates, and there’s always the underlying question of ‘how low can they go’. There’s comedy, tragedy, a bit of historical eccentricity, and often a good deal of farce. It’s also, however, revealing of some of the issues that we should take seriously in terms of how our politics, our democratic politics, functions – and in particular, how it might function in the future.

One particular aspect that came to the fore to me in the recent Iowa Caucus – the role of advertising in politics. We haven’t developed it to nearly the same degree in the UK as the US, though every successful politician this side of the pond has tried to follow Thatcher’s hugely effective use of Saatchi & Saatchi. In the US, though, it’s a highly developed art form – and is only likely to become more so. In Iowa, an orchestrated advertising campaign against the surging Newt Gingrich sent him down from first to fourth place (and nearly out of the race) in a matter of days. Advertising works, or at least appears to – and politicians know it, and know it well.

What might this mean for the future? I’ve written about advertising many times before, both in academic papers and in blogs. The internet is changing advertising – and we need to be aware of how that change might have an impact not only on our commercial behaviour but on our political behaviour: on politics itself. There are two trends in internet advertising that are particularly relevant and worth thinking about here: behavioural profiling and personalisation. People browsing the internet can be (and are) profiled according to their online behaviour, from the search terms they use and the links they follow to the friends they have on social media sites, the music they listen to, movies they watch and so forth. That profiling is generally used to target advertising – advertising more suited to their personal needs and desires. My last blog, Privacy and the Phantom Tollbooth, talked about some of the risks of this kind of thing – but when looked at from a political perspective the risks are even more sinister.

Through profiling, it is possible to make good guesses – sometimes very good guesses – as to which political issues matter to someone and which ones don’t. With just a little bit of work, the vast majority of which could be entirely automatic, it could become possible to create tailored political advertisements designed to highlight the policies or features of a particular candidate or party that are of specific interest to an individual – and to omit anything that might detract from their attraction. And, given the US experience in particular, to do the reverse for any opponents – automatically pick out the things that will make a particular voter see them in the most negative light possible.

Taking this a few steps further, these ads could include background music that the advertiser knows that you particularly like, and even voice-overs by an actor that they know you admire – they could even choose the colours, styles and typefaces to suit your ‘known’ preferences. Of course they wouldn’t do this for everyone, at least not at first, but it wouldn’t take that much effort to produce a range of options (a handful of different actors, soundtracks etc would do the job) that would cover most of the key, swing voters. Political advertising in its current form is already persuasive – how much more persuasive could it be in this kind of form? And remember that with behavioural targeting in the hands of relatively few advertising organisations, these advertisements can be sent to a vast number of different websites that you visit. They can be sent to you in emails. They can be inserted at the beginnings of videos that you watch online…. the possibilities are endless.

Is this far fetched? A nightmare scenario beyond the realms of possibility? Spend a little time watching US elections and I don’t think you’ll feel that way. It’s just the logical extension of existing advertising and political trends. It is important to remember, too, that this kind of thing requires money – and money already talks enormously in politics. The power of personalised advertising can very easily become just one more tool in the hands of those who already wield excessive power over the political domain.

What can be done? Well, the first thing is a matter of awareness. The impact of behavioural advertising goes beyond the commercial sphere, and we need to understand this. It’s not just a matter of deciding which deodorant or drink we choose – potentially it’s about our whole lives. We ignore its importance at our peril – so things like ‘do not track’ really matter, and the European ‘Cookie Directive’ should not be dismissed as a legalistic impediment to good business. They may not be perfect tools – indeed, it seems clear that they aren’t – but they’re being pushed for very good reasons. Tracking on the internet should not be the default, accepted without a thought. The risks are far greater than most people realise.

Privacy… and the Phantom Tollbooth!

Last night I was reading my daughter’s bedtime story from that classic of American children’s literature, The Phantom Tollbooth, when I came across a passage that set out brilliantly the problems that can arise as a result of the gathering and use of private data. Bear in mind that The Phantom Tollbooth was first published in 1961: Norton Juster didn’t have the benefit of seeing how what can loosely now be described as ‘big data’ operates – but he did have an understanding of how our information can be used against us, even when we have ‘nothing to hide’.

To set the scene: Milo the boy, Tock the Watchdog and the huge insect the Humbug are on the final stages of their mission to rescue the princesses Rhyme and Reason from the Castle in the Air. They reach the bottom of the final staircase, pursued by demons, where they don’t notice a little round man sleeping peacefully on a very large ledger. The next part I’m just going to repeat:

——————————————
   “NAMES?” the little man called out briskly, just as the startled bug reached for the first step. He sat up quickly, pulled the book out from under him, put on a green eyeshade, and waited with his pen poised in the air.
   “Well, I…” stammered the bug.
   “NAMES?” he cried again, and as he did, he opened the book to page 512 and began to write furiously. The quill made horrible scratching noises, and the point, which was continuously catching on the paper, flicked tiny inkblots all over him. As they called out their names, he noted them carefully in alphabetical order.
   “Splendid, splendid, splendid,” he muttered to himself. “I haven’t had an M for ages.”
   “What do you want our names for?” asked Milo, looking anxiously over his shoulder. “We’re in a bit of a hurry.”
   “Oh, this won’t take a minute,” the man assured them. “I’m just the official Senses Taker, and I must have some information before I can take your senses. Now, if you’ll just tell me when you were born, where you were born, why you were born, how old you are now, how old you were then, how old you’ll be in a little while, your mother’s name, your father’s name, your aunt’s name, your uncle’s name, your cousin’s name, where you live, how long you’ve lived there, the schools you’ve attended, the schools you haven’t attended, your hobbies, your telephone number, your shoe size, shirt size, collar size, hat size, and the names and addresses of six people who can verify all this information, we’ll get started.”
——————————————

These days, of course, there wouldn’t need to be a ‘senses taker’ to get most of that information – 800 million or so of us have already ‘volunteered’ much of it to Facebook, while much of the rest of it (the sensible bits anyway) can be gathered reasonably directly from other sources. Anyway, the Senses Taker proceeds to gather all this and more, before Milo quite reasonably suggests that they need to get a move on, and can they just proceed. At that point, the Senses Taker demands to know their destination.

——————————————
   “The Castle in the Air,” said Milo impatiently.
   “Why bother?” said the Senses Taker, pointing to the distance. “I’m sure you’d rather see what I have to show you.”
   As he spoke, they all looked up, but only Milo could see the gay and exciting circus there on the horizon. There were tents and side shows and rides and even wild animals – everything a little boy could spend hours watching.
   “And wouldn’t you enjoy a more pleasant aroma?” he said, turning to Tock.
   Almost immediately the dog smelt a wonderful smell that no-one but he could smell. It was made up of all the marvellous things that had ever delighted his curious nose.
   “And here’s something I know you’ll enjoy hearing,” he assured the Humbug.
   The bug listened with rapt attention to something he alone could hear – the shouts and applause of an enormous crowd, all cheering for him.
   They each stood as if in a trance, looking, smelling, and listening to the very special things that the Senses Taker had provided for them, forgetting completely about where they were going and who, with evil intent, was coming up behind them.
   The Senses Taker sat back with a satisfied smile on his puffy little face as the demons came closer and closer, until less than a minute separated them from their helpless victims.
   But Milo was too engrossed in the circus to notice, and Tock had closed his eyes, the better to smell, and the bug bowing and waving, stood with a look of sheer bliss on his face, interested only in the wild ovation.
——————————————

Of course Milo, Tock and the Humbug do eventually escape, and the Senses Taker’s true nature is revealed: he is a demon himself:

——————————————
   “I warned you; I warned you I was the Senses Taker,” sneered the Senses Taker. “I help people find what they’re not looking for, hear what they’re not listening for, run after what isn’t there. And, furthermore,” he cackled, hopping around gleefully on his stubby legs, “I’ll steal your sense of purpose, take your sense of duty, destroy your sense of proportion…”
——————————————

It’s as good a description of the dangers of the personalisation of the internet – which I’ve written about before, and is inherent in the Symbiotic Web model that underlies a lot of my work – as you might find. The Senses Taker’s processes – gather all the data it can, use it to conceptualise how each individual might be seduced into doing something to the benefit of the Senses Taker (rather than to the benefit of the individual) is pretty much exactly what behavioural advertising does, what Facebook does, what many other kinds of privacy-invasive profile-based systems do. And the Sense Taker is a demon…….

P.S. If you haven’t read the Phantom Tollbooth, you should! It’s a brilliant book, lots of fun and at the same time actually quite deep!

Romanian re-Phorm-ation?

News has emerged this week that Phorm, the online-behavioural-advertising company about whom a great deal has been written (including by me) has targeted a new country for its latest attempt to track internet users’ every move: Romania.

Having been kicked out of the UK after a huge struggle a couple of years ago – a struggle from which civil society came out with a lot of credit, not least the Foundation for Information Policy Research and in particular the work of Richard Clayton and Nicholas Böhm, while the UK government came out with a severe amount of egg on its face – Phorm has tried to relaunch its services in a number of other countries. South Korea was the first, then Brazil, both without much sign of success, before the current efforts in Romania.

As a reminder, what Phorm’s services essentially do is ‘intercept’ the instructions a user sends as he or she browses the web – every site visited, every link followed, every click – and uses that information to build up a profile of the user, mostly to enable it to target advertising as accurately as possible but potentially (at least according to the publicity put out by Phorm during their attempts to launch in the UK) to tailor content.  In a lot of ways Phorm’s system is only a logical extension of what many other advertisers on the web do – almost everyone’s at it, from Google to Facebook to Amazon (particularly if the stories emerging about the Kindle Fire are true). There are significant differences, however, to even the most privacy-invasive services offered by the others. The most important of these is that it covers ALL your activity on the web: even the latest furore about Facebook tracking you when you’re logged out didn’t get close to that, only potentially tracking you when you visit sites with Facebook links or ‘like’ buttons.

The second difference, almost as important, is that in exchange for these immense invasions of privacy, Phorm offers you nothing except better targeted advertising – something that few people would value very much. All the others give you something quite significant in exchange for their gathering your data: Google offers you very effective search engines, mapping systems, blogging services (including the one on which this blog is hosted) and much more, Facebook provides a social networking service of huge functionality, while Amazon’s Kindle is a lovely bit of kit for a remarkably small price, one that many people enjoy. There’s a ‘bargain’ going on for your data, even if few people fully grasp that this exchange is going on. With Phorm there’s nothing – essentially, they just spy on you for their own benefit, and give you nothing in return. Indeed, they might even harm your browsing, as the ‘interception’ process can potentially slow down your web-browsing.

Phorm failed in the UK, and I for one am very glad that they did. I hope the same happens in Romania, unless they’ve changed their practices significantly. The signs so far, sketchy though they are, do not suggest that this is very likely. Just as they did in the UK, they’ve done a deal with one of the big ISPs, Romtelecom, which is a part state-owned telecoms and internet company, and are looking for business partners. Their product appears to be pretty much the same as it was before, though they do at least mention the word ‘choose’ in terms of customer actions. That ‘choice’ does not seem to amount to much in reality, and indeed there seems to be another twist: they’ve added flash cookies to the system, with the express intention of using them to re-spawn their own status cookies in case you ‘accidentally’ delete them. The precise technical details have not yet emerged: I am looking forward to finding out if they’ve learned the lessons of their previous failures and decided to do something that actually respects the individual users and gives them some kind of real consent process. I’m not exactly waiting with bated breath…

I have a personal connection with Romania – my wife’s Romanian – and that country has experienced far too much of surveillance and invasions of privacy in the past. Indeed, Romania was one of the first countries to hit out against the privacy-invasive Data Retention Directive, their supreme court striking down the implementation of the Directive in their country as unconstitutional in 2009. I am fully confident that they will find a way to fight against this latest intrusion into their privacy. Phorm may have chosen Romania as a ‘soft target’. I suspect they’ll find the reality quite different, unless they’ve seriously changed their spots….