John Lewis, Brexit… and Goldilocks!

The ‘row’ (such as it is) about John Lewis’ decision to remove the ‘girls’ and ‘boys’ labels from clothes has been in some ways quite revealing. There’s a lot of anger, a lot of downright rage being shown – at levels that have certainly surprised me. The strange thing is that it has come from many of those people who are equally vehemently fighting to ‘ban the burkha’.

On the one hand, they hate the idea of removing the distinction between genders, on the other hand they hate the idea of excessive distinctions between genders. It’s a bit of Goldilocks thinking: the burkha porridge is too cold, the ‘ungendered’ clothing too hot. Only having the precise level of control that they approve of is just right. Girls need to be put in their place, but not too much in their place.

It has echoes of the way that many Brexiters are also vehemently against Scottish independence. The EU is too big. Scotland is too small. Only the United Kingdom is just right. And again, it seems to be a lot of the same people who make this argument. They want to control everything, because only they know what is right. Everyone else is either too big or too small, too weak or too strong, too liberal or too ‘fundamentalist’.

For me, it’s strange to be so certain – and even stranger to want to impose that certainty on everyone else. Mind you, I always thought Goldilocks was the real villain in the story. I was rooting for the bears.

Listen to the privacy geeks…

The story of Google’s AI subsidiary DeepMind took a not-unexpected turn this week when the ICO ruled that the Royal Free NHS Foundation Trust failed to comply with the Data Protection Act when it provided patient details to DeepMind. This is the latest step in a saga that looks set to rumble on for some time – and one from which there are many, many lessons to be learned. One of those – sadly one that does not seem likely to be heeded as much as it should be – is that those involved in projects like this should pay more attention to those who can loosely be described as ‘privacy geeks’.

Two in particular have been critically involved in this process – Hal Hodson (@halhod) and Julia Powles (@juliapowles). Hal started the ball rolling with a serious piece of investigative journalism in New Scientist in April 2016, which brought the issue to light, and as well as further journalistic work Hal and Julia wrote a piece of ‘proper’ academic work – ‘Google DeepMind and healthcare in an age of algorithms’ in the journal Healthcare and Technology. This led, ultimately, to the ICO’s investigation and ruling – though it has to be noted that the ICO’s ruling is on DeepMind’s trial with the Royal Free: the real test will be when DeepMind’s work rolls out. The ICO has asked the Royal Free, amongst other things, to do a full ‘privacy impact assessment’ prior to further work. That they did not do so prior to the previous trial is one of the serious shortcomings of the project. As Julia Powles put it in the Guardian yesterday:

“The ruling states that by transferring this data and using it for app testing, the Royal Free breached four data protection principles, as well as patient confidentiality under the common law. The transfer was not fair, transparent, lawful, necessary or proportionate. Patients wouldn’t have expected it, they weren’t told about it and their information rights weren’t available to them.”

These are serious matters – and they could have been avoided, if only DeepMind had listened to the right people. To the privacy geeks. That they didn’t is part of a pattern that has been seen on many occasions in the past. It was one of the reasons the Samaritans, one of the most respected charities in the world, launched their ill-conceived and ill-fated Twitter app Samaritans Radar – which had to be abandoned within ten days. It was one of the reasons that NHS England’s massive data project ‘care.data’ failed. Going further back, it was why the behavioural advertising firm Phorm failed – after conducting secret trials monitoring thousands of people’s web activity back in 2006 – and what led to all those annoying ‘cookie warnings’ you see at the top of websites.

In all these cases, the warning signs were there, if only the people involved had been willing to listen. The same will happen again – because the privacy geeks know what they’re doing. All too often those involved in these kinds of projects – people from businesses and from big public sector organisations – see those who raise concerns as either easily-dismissed tinfoil-hat-wearing conspiracy theorists, or as people who can cause a little trouble on Twitter but little more than that. Nothing to be taken seriously, little more than an annoyance. More, they’re seen as barriers to innovation, people just raising trouble for its own sake, luddites or worse.

None of this is true. Firstly, the people involved – whether they’re journalists, academics or ‘activists’ (and often they wear more than one of those hats) are often genuine experts. Hal Hodson’s degree from Trinity College Dublin is in Astrophysics, for example, whilst Julia Powles has a PhD in Law from Cambridge. Their concerns aren’t foolish, the issues they raise aren’t just for the sake of it.

Secondly, they know how to use the media – both the social media and the ‘traditional’ media. Hal’s original work was in the New Scientist, and he’s now The Economist’s Technology Correspondent. Julia writes regularly for the Guardian. Both know people all over the media and academia – and they’re far from alone. The failure of care.data and Samaritans Radar involved different people (there are many of us) but similar patterns – blogs, articles in the mainstream media, academic attention and more.

Thirdly, and perhaps most importantly, the people involved are far from a barrier to innovation. I have labelled them (and I’m very much one of them!) ‘geeks’ for a reason. We’re not geeks only about privacy – we’re real geeks. We like technology, we like innovation. We play with all the new technological toys, and see the potential in all kinds of directions – but we want these innovations to work for the people, to work responsibly, to be sustainable. Indeed, this last point is critical – it is a central tenet of much of my own academic work that if privacy is not considered properly, it is not just that a project should fail, but that it will fail. People will reject it – who now remembers the wonderful Google Glass, for example? Despite the sexy technology and the backing of Google’s deep pockets it died a death. It may well re-emerge at some point, but it need not have failed…

…and the same is true of many other projects. There are some great ideas, great innovations, that could avoid suffering the fate of Samaritans Radar, care.data and Google Glass. If they are to do so, the people involved should start listening to the privacy geeks, and sooner rather than later. Don’t see us as the enemy. Don’t try to hide what you do – it is very tempting to do everything you can ‘under the radar’, but when it is revealed  it looks even worse. That was true of DeepMind’s deal with the Royal Free – and was just as true about Phorm’s ‘secret trials’ with BT and others back in 2006. One thing that people really should have learned is that these things do get discovered, one way or another. When they do, and it looks as though they’ve been done secretly or without proper scrutiny, they look even worse than they are.

It can all be avoided – but it rarely is. Sadly I expect to have to write similar pieces to this many times in the future.

A poem for Brexit

A year ago

We threw it away

But we live to fight

Another day

We won’t give up

We’ll keep on going

You were sold a pup

And now that’s showing

The lies, the hate

The wounds are sore

But Britain’s great

And we mean more

When we can find

What we can share

And ties that bind

And show we care.

The Return of Mr Gove!

Mr Gove was Back.

He had always known he would be. A Prodigious Talent like his could not be held down for long. He knew that even Little Miss Maybot would recognise that eventually, and she was generally almost completely unaware of anything going on around her at all. In her Hour of Need, Mr Gove knew she would come to him. And she did.

So he was Back.

Of course if he had been in charge instead of Little Miss Maybot, they would never have been in the pickle they were now. Mr Gove would never have let that awful Mr Corbyn get nearly so close – because Mr Gove had a Winning Personality and Endless Charm, unlike Little Miss Maybot. Now, that Winning Personality and Endless Charm would be brought to bear.

And everything would be better from now on.

Mr Gove had been a little worried that it would take a bit longer to return.

Some people had not really understood that his decision to throw Mr Blowhard under a bus – and not even a bus with ‘£350m a week to the EU’ painted on the side – had actually shown that Mr Gove was loyal, trustworthy and a Good Friend. Still that was the past, and in the end they would realise how wrong they were.

At least Little Miss Maybot had begun to realise that she – and the country – needed Mr Gove. And she did. By Golly she did. Without him, the Tory Party had lost its way. It would be up to Mr Gove to save it, and to save the country.

And he could do it. He knew he could.

Little Miss Maybot had not been perceptive enough to give him one of the jobs he really deserved, but at least she had given him a job he was well suited for.

Of course he wasn’t an expert in Farming or the Environment – but everyone knew that Britain had had Enough of Experts. Mr Gove did, however, know more about Farming and the Environment than he had about education – after all, he had visited a farm a couple of times when he was ten, and once been for a ramble in the Cotswolds – and his time as the Secretary of State for Education had been an Absolute Triumph.  Everyone knew that.

And being in charge of the Environment was great too. At least there wasn’t any of that awkward ‘science’ stuff involved – the stuff that had caused him so much trouble when he was in education. Everyone knew that the environment wasn’t anything to do with science. All that lefty ‘climate change’ rubbish could be quickly shelved – and quite right too!

And now that his other Great Triumph had come to pass – Brexit – he had plenty more Good News to tell the farmers.

They would be so happy, he was sure, that Brexit had relieved them of all those terrible subsidies that were plaguing them with paperwork and money.  Farmers were like that. Strong. Independent. They didn’t like getting money from those faceless Eurocrats.

And they’d be delighted to contribute more to the Europeans when the tariffs started to kick in.

And absolutely ecstatic that they no longer had to use any of those young, healthy and hardworking European labourers that they’d been using for the last few years. Things would be much better when they’d replaced them with British workers.

Oh yes.

Mr Gove smiled to himself when he thought about it. Everyone was going to be happy with Mr Gove. And the world would be right again.

Mr Gove was back.

A few words on Labour

My own particular ‘lefty-Labour-Twitter-Bubble’ has been enjoying itself in the aftermath of the surprisingly non-depressing election result. I mean, who could possibly not have enjoyed the humiliation of Theresa May?

The analyses of Labour’s performance have been a little less straightforward – which is not surprising given the seemingly enormous divide amongst the people I follow, which include strong Corbyn fans and equally strong Corbyn enemies. Most have been able to simply enjoy the result, but there have been two other analyses offered, both suggesting that Labour could and perhaps should have done even better (more of which later).

Firstly, from the pro-Corbyn people, if only the Blairites hadn’t been undermining Corbyn for the last two years, Labour could have won.

Secondly, from the anti-Corbyn people, if only Labour had had a decent leader, Labour would have won.

Both these arguments have two clear virtues: they’re entirely unprovable and they totally vindicate the positions that had been taken by those advocating them for the last few years.  I have more sympathy for the first argument than the second, but neither, for me, is very helpful. The past has happened – the sniping (and worse) happened. And the idea that this result leaves open the possibility of ousting Corbyn is as much a denial of reality as Theresa May claiming it’s given her a resounding mandate. Corbyn will be leading Labour for quite some time!

The key now is to think about what happens next. This is a massive opportunity for unity – and MPs (and commentators) could and should swallow their pride and acknowledge Corbyn’s success. Yes, Theresa May inflicted a lot of wounds on herself, but that’s not the whole story. And don’t forget that this election was set up by May, for May, for the maximum disadvantage for Corbyn. Labour was rock-bottom in the polls, riven by division, caught unprepared, faced by a massively hostile media – and still put together a fine manifesto and a coherent and principled campaign. There were hiccups and messes – there always are – but relatively few. The enthusiasm and positivity – and the competence – overcame them.

It would be great to see Labour take this chance to unite. For apologies and acknowledgement rather than point-scoring and revenge. 

I for one was quite wrong about how this campaign would go. I’ll happily admit it, and that I was wrong about a whole load of details as well as the big picture. Sometimes it’s great to have been wrong.
 

 

A disturbing plan for control…

The Conservative Manifesto, unlike the Labour Manifesto, has some quite detailed proposals for digital policy – and in particular for the internet. Sadly, however, though there are a few bright spots, the major proposals are deeply disturbing and will send shivers down the spine of anyone interested in internet freedom.

Their idea of a ‘digital charter’ is safe, bland, motherhood and apple-pie stuff about safety and security online, with all the appropriate buzzwords of prosperity and growth. It seems a surprise, indeed, that they haven’t talked about having a ‘strong and stable internet’. They want Britain to be the best place to start and run a digital business, and to make Britain the safest place in the world to be online. Don’t we all?

When the detail comes in, some of it sounds very familiar to people who know what the law already says – and in particular what EU law already says: eIDAS, the E-Commerce Directive and the Directive on Consumer Rights already say much of what the Tory Manifesto says. Then, moving onto data protection, it gets even more familiar:

“We will give people new rights to ensure they are in control of their own data, including the ability to require major social media platforms to delete information held about them at the age of 18, the ability to access and export personal data, and an expectation that personal data held should be stored in a secure way.”

This is all from the General Data Protection Regulation (GDPR), passed in 2016, and due to come into force in 2018. Effectively, the Tories are trying to take credit for a piece of EU law – or they’re committing (as they’ve almost done before) to keeping compliant with that law after we’ve left the EU. That will be problematic, given that our surveillance law may make compliance impossible, but that’s for another time…

“…we will institute an expert Data Use and Ethics Commission to advise regulators and parliament on the nature of data use and how best to prevent its abuse.”

This is quite interesting – though it is notable that the word ‘privacy’ is conspicuous by its absence. It is, perhaps, the only genuinely positive thing in the Tory manifesto as it relates to the internet.

“We will make sure that our public services, businesses, charities and individual users are protected from cyber risks.”

Of course you will. The Investigatory Powers Act, however, does the opposite, as does the continued rhetoric against encryption. The NHS cyber attack, it must be remembered, was performed using a tool developed by GCHQ’s partners in the NSA. If the Tories really want to protect public services, businesses, charities and individuals, they need to change tack on this completely, and start promoting and supporting good practice and good, secure technology. Instead, they again double-down in the fight against encryption (and thus against security):

“….we do not believe that there should be a safe space for terrorists to communicate online and will work to prevent them from having this capability.”

…but as anyone with any understanding of technology knows, if you stop terrorists communicating safely, you stop all of us from communicating safely.

Next:

“…we also need to take steps to protect the reliability and objectivity of information that is essential to our democracy and a free and independent press.”

This presumably means some kind of measures against ‘fake news’. Most proposed measures elsewhere in the world are likely to amount to censorship – and given what else is in the manifesto (see below) I think that is the only reasonable conclusion here.

“We will ensure content creators are appropriately rewarded for the content they make available online.”

This looks as though it almost certainly means harsher and more intense copyright enforcement. That, again, is only to be expected.

Then, on internet safety, they say:

“…we must take steps to protect the vulnerable… …online rules should reflect those that govern our lives offline…”

Yes, we already do.

“We will put a responsibility on industry not to direct users – even unintentionally – to hate speech, pornography, or other sources of harm”

Note that this says ‘pornography’, not ‘illegal pornography’, and the ‘unintentionally’ part begins the more disturbing part of the manifesto. Intermediaries seem likely to be stripped of much of their ‘mere conduit’ protection – and be required to monitor much more closely what happens through their systems. This, in general, has two effects: to encourage surveillance, and to encourage caution about content (effectively to chill speech). This needs to be watched very carefully indeed.

“…we will establish a regulatory framework in law to underpin our digital charter and to ensure that digital companies, social media platforms and content providers abide by these principles. We will introduce a sanctions regime to ensure compliance, giving regulators the ability to fine or prosecute those companies that fail in their legal duties, and to order the removal of content where it clearly breaches UK law.”

This is the most worrying part of the whole piece. Essentially it looks like a clampdown on the social media – and, to all intents and purposes, the establishment of a full-scale internet censorship system (see the ‘fake news’ point above). Where the Tories are refusing to implement statutory regulation for the press (the abandonment of part 2 of Leveson is mentioned specifically in the manifesto, along with the repeal of Section 40 of the Crime and Courts Act 2013, which was one of the few bits of Leveson part 1 that was implemented) they look very much as though they want to impose it upon the online media. The Daily Mail will have more freedom than blogging platforms, Facebook and Twitter – and you can draw your own conclusions from that.

When this is all combined with the Investigatory Powers Act, it looks very much like a solid clampdown on internet freedom. Surveillance has been enabled – this will strengthen the second part of the authoritarian pincer movement, the censorship side. Privacy has been wounded, now it’s the turn of freedom of expression to be attacked. I can see how this will be attractive to some – and will go down very well indeed with both the proprietors and the readers of the Daily Mail – but anyone interested in internet freedom should be very much disturbed.

 

Privacy and Security together…

I just spent a very interesting day at ‘Project Breach’ – an initiative of Norfolk and Suffolk police, trying to encourage businesses and others to understand and protect themselves from cybercrime. It was informative in many ways, and primarily (as far as I could tell) intended to be both a pragmatic workshop, giving real advice, and to ‘change the narrative’ over cybercrime. In both ways, I think it worked – the advice, in particular, seemed eminently sensible.

What was particularly interesting, however, was how that advice was in most ways in direct tension with the government’s approach to surveillance, as manifested most directly in the Investigatory Powers Act 2016 – often labelled the ‘Snooper’s Charter’.

The speaker – Paul Maskall – spent much of the first session outlining the risks associated with your ‘digital footprint’. How your search history could reveal things about you. How your ‘meta data’ could say more about you than the content of your postings. How your browsing history could put you at risk of all kinds of scams and so forth. And yet all of this is made more vulnerable by the Investigatory Powers Act. Search histories and metadata could be forced to be retained by service providers. ‘Internet Connection Records’ could be used to create a record of your browsing – and all of this could then be vulnerable to the many forms of hacking etc that Maskall then went on to detail. The Investigatory Powers Act makes you more vulnerable to scams and other crimes.

The keys to the next two sessions were how to protect yourself – and two central pillars were encryption and VPNs. Maskall emphasised again and again the importance of encryption – and yet this is what Amber Rudd railed against only a few weeks ago, trying to link it to the Westminster attack, though subsequent evidence proved yet again that this was a red herring at best. The Investigatory Powers Act adds to the old Regulation of Investigatory Powers Act (RIPA) in the way it could allow encryption to be undermined…. which again puts us all at risk. When I raised this issue, first on Twitter and then in the room, Maskall agreed with me – encryption is critical to all of us, and attempts to undermine it put us all at risk – but I was challenged, privately, by another delegate in the room, after the session was over. Amber Rudd, this delegate told me, wasn’t talking about undermining encryption for us, but only for ISIS and Al Qaeda. I was very wrong, he told me, to put the speaker on the spot about this subject. All that showed me was how sadly effective the narrative presented by Amber Rudd, and Theresa May before her, as well as others in what might loosely be called the ‘security lobby’ has been. You can’t undermine encryption for ISIS without undermining it for all of us. You can’t allow backdoors for the security services without providing backdoors for criminals, enemy states and terrorists.

VPNs were the other key tool mentioned by the speaker – and quite rightly. Though they have not been directly acted against by the Investigatory Powers Act, they do (or might) act against the main new concept introduced by the Act, the Internet Connection Record. Further, VPN operators might also be subjected to the attention of the authorities, and asked to provide browsing histories themselves – though the good ones don’t even retain those histories, which will cause a conflict in itself. Quite how the authorities will deal with the extensive use of VPNs has yet to be seen – but if they frustrate the intentions of the act, we can expect something to be done. The overall point, however, remains. For good security – and privacy – we need to go against the intentions of the act.

The other way to put that is that the act goes directly against good practice in security and privacy. It undermines, rather than supports, security. This is something that many within the field understand – including, from his comments to me after the event, the speaker at Project Breach. It is sad that this should be the case. A robust, secure and privacy-friendly internet helps us all. Even though it might go against their instincts, governments really should recognise that.