IT law isn’t simple….

….but it’s certainly seems to be newsworthy at the moment. In the last two weeks there seems to have been a deluge of new stories.

1) On the 28th October, there was a call for an ‘internet bill of rights’ in a parliamentary debate.
2) On the 2nd November, business minister Ed Vaizey suggested a ‘mediation service’ to deal with disputes about personal data held on the net.
3) Also on the 2nd November, the US Supreme Court began a hearing about violent computer games...
4) ….and Google put forward its proposed settlement over the Google Buzz privacy issue
5) ….and the busy Ed Vaizey put forward the suggestion of a new ‘privacy code’ for online businesses like Google and Facebook
6) …while the case of the stabbing of MP Stephen Timms by a young woman who had been ‘radicalised’ by watching videos on YouTube sparked a little furore about why such things should be allowed online – this is just one piece about it from The Telegraph.
7) On the 3rd November the ICO issued its response to the Google Street View data gathering fiasco
8) …followed almost immediately by a statement from five civil liberties groups (Privacy International, NO2ID, Big Brother Watch, Action on Rights for Children, and Open Rights Group) suggesting that the ICO’s action on this issue (and indeed on many others) makes it ‘not fit for purpose’.
9) On the 4th November, Prime Minister David Cameron spoke in East London about making that region the ‘new silicon valley’ – and, amongst other things, about making our copyright laws ‘fit for the internet age’.
10) …and the European Commission launched its proposals for a ‘comprehensive approach on personal data protection in the European Union’.
11) On the 8th November, Google announced it was shutting off its data feeds to Facebook…
12) And yesterday it was announced that BT and Talk Talk had been successful in getting a judicial review of the Digital Economy Act.

Lots of news – but what does it all mean? Firstly, that the subject really is current, and of increasing importance. In these two weeks we’ve had a statement from the prime minister, we’ve had a hearing in the US supreme court, , we’ve had one of the biggest players in the internet world Google, involved in three different ways – four if you blame their YouTube service for hosting the radicalising videos – and we’ve had the European Commission making what could be a very significant statement.

Secondly, that the situation is far from simple – and that the ‘regulatory matrix’ is complex. The differing relationships between the different interested parties have all come into play. We’ve had civil liberties groups challenging a regulatory body, we’ve had companies challenging the law, we’ve had questions in parliament, we’ve had a spat between probably the two biggest players in the internet world, we’ve had a class action against a company (Google), we’ve had interventions from regulatory bodies and politicians.

This lack of simplicity is the key – as Andrew Murray highlights in his theory of Symbiotic Regulation (in his excellent book The Regulation of Cyberspace). All these different relationships – between politicians, the judiciary, companies, civil liberties groups, and, of course, individuals – have their part to play in what happens on the internet from a regulatory perspective. It makes it complex – but it makes it interesting. And, at times like these, it makes it news!

Opting out of Street View….

Nearly 250,000 Germans have ‘opted out’ of having their homes visible when Google’s Street View comes online, though Andreas Türk, Product Manager for Street View in Germany, has admitted that some of those homes will still be visible when the service comes online, which will be some time in the near future, as the process is complex and not all instructions were clear. His blog here provides the explanations.

It’s an interesting figure – is 250,000 (or, to be more precise, 244,237) a large number? As Andreas Türk says, it amounts to 2.89% of those who could have objected, and the argument can be made both ways. Google might argue that it means that the vast, vast majority don’t object to Street View, so their service has some kind of overall ‘acceptance’ or even ‘support’ by the populace. Privacy advocates might say the converse – in absolute terms, 250,000 is a LOT of people. If you had 250,000 people marching on the streets with banners saying ‘NO TO STREET VIEW’ it would make headline news, certainly in Germany, and probably throughout Europe.

Both sides have a point: 2.89% isn’t a very large proportion, but 250,000 is a lot of people, and when you look closer at the process I suspect that the privacy advocates have a stronger position. Given that the opt-out required an active process (and Google say that 2/3 of those who objected used their own online tool to do so) it does suggest that quite a lot of people care about this. If the reverse system had been in place – and you had to actively choose to HAVE your home ‘unblurred’ on Street View, what kind of figures would you get? Would more than 250,000 have gone through a process to make their houses visible? I doubt it….

…and what of the rest of us? Germans got a choice because their government made a point about it, and demanded that Google give them the choice before the service went active. As the BBC reports, other governments have made other kinds of objections, but none have been given the choice that the Germans have had. As I’ve blogged before, Germany has a pretty active privacy lobby, so it’s not surprising that they are the country that has taken this step – what would the result have been if the option had been given in the UK? Or the US? Probably not as dramatic as the German result – which makes me wonder whether Google has missed a trick by not providing the option elsewhere. If they did so, and an even tinier fraction than the 2.9% in privacy-aware Germany objected, they might be able to be even bolder about proclaiming that people love Street View…..

How personal is personal?

The Register is reporting that the ICO wants a clearer definition of what consititutes ‘personal data’ – and it is indeed a crucial question, particularly under the current data protection regime. The issue has come up in the ICO’s response to the Government consultation on the review of the Data Protection Directive – and one of the key points is that there is a difference between how personal data is defined in the directive and how it is defined in the UK Data Protection Act. That difference gives scope for lots of legal argument – and is one of many factors that help to turn the data protection regime from something that should be about rights and personal protection into something often hideously technical and legalistic. The ICO, fortunately, seems to recognise this. As quoted in The Register, ICO Deputy Director David Smith says:

“We need to ensure that people have real protection for their personal information, not just protection on paper and that we are not distracted by arguments over interpretations of the Data Protection Act,”

That’s the crux of it – right now, people don’t really have as much real protection as they should. Will any new version of the directive (and then the DPA) be any better? It would be excellent if it did, but right now it’s hard to imagine that it will, unless there is a fundamental shift in attitudes.

There’s another area, however, that just makes it into the end of the Register’s article, that may be even more important – the question of what constitutes ‘sensitive personal data’.  Here, again, the ICO is on the ball – this is again from the Register:

“The current distinction between sensitive and non-sensitive categories of personal data does not work well in practice,” said the submission. “The Directive’s special categories of data may not match what individuals themselves consider to be ‘sensitive’ – for example their financial status or geo-location data about them.”

The ICO go on to suggest not a broadening of the definition of sensitive personal data, but a more ‘flexible and contextual approach’ to it – and they’re right. Data can be sensitive in one context, not sensitive in another. However, I would suggest that they’re not going nearly far enough. The problem is that the idea of the ‘context’ of any particular data is so broad as to be unmanageable. What matters isn’t just who has got the data and what they might do with it, but a whole lot of other things concerning the data subject, the data holder, any other potential data user and so on.

For instance, consider data about someone’s membership of the Barbra Streisand fan club. Sensitive data? In most situations, people might consider it not to be sensitive at all – who  cares what kind of music someone listens to? However, liking Barbra Streisand might mean a very different thing for a 22 year old man than it does for a 56 year old woman. Extra inferences might be drawn if the data gatherer has also learned that the data subject has been searching for holidays only in San Francisco and Sydney, or spends a lot of time looking at hairdressing websites. Add to that the real ‘geo-tag’ kind of information about where people actually go, and you can build up quite detailed profiles without ever touching what others might consider sensitive. When you have all that information, even supposedly trivial information like favourite colours or favourite items in your Tesco online shopping could end up being sensitive – as an extra item in a profile that ‘confirms’ or ‘denies’ (according to the kinds of probabilistic analyses that are used for behavioural profiling) that a person fits into a particular category.

What does all this mean? Essentially that ANY data that can be linked to a person can become sensitive – and that judging the context is so difficult that it is almost impossible. Ultimately, if we believe that sensitive data needs particular protection, then we should apply that kind of protection to ALL personal data, regardless of how apparently sensitive it is….

Every which way to lose your data…

The ACS ‘data leak’ story that’s been emerging fairly dramatically over the last couple of days has got pretty much everything you could hope for in this kind of story: a bit of porn, a bit of piracy, some hacking, threats of huge fines, legal action and so on. It’s already been widely reported on – Andrew Murray’s blog on the subject gives an excellent description of what ACS do, and how this whole thing has to a great extent blown up in ACS’s face. As he explains, it’s a prime example of how symbiotic regulation works – and why the law is not the only thing that matters when regulating the internet.

There is, however, something else that is very graphically demonstrated by the whole saga – how many different ways your personal data can be at risk. This small story alone demonstrates at least five different ways that personal data can be vulnerable:

  1. To monitoring and tracking – the initial data about the supposed copyright infringers was obtained by monitoring traffic on the internet.
  2. To ‘legal’ attack – ACS initially got a court order to demand that the ISPs involved (we know about BT, Sky and PlusNet in this case) disclose the personal details of the account holders suspected of copyright infringement, based upon this monitoring.
  3. To human error – BT have admitted that they sent this personal data on an unencrypted Excel file attached to an ordinary email, in breach of their official policies and practices.
  4. To hacking – at least this is part of what ACS have claimed – that their systems were hacked into in order for the data to be obtained in order to be leaked.
  5. To deliberate leaking – precisely who did the leaking is far from clear, and who wished for the data to be leaked, but there is certainly a possibility that someone wanted the names to be out in the public domain.
Of course the data itself is far from reliable. It is just the details of the account holders that are suspected of being used to share illegal content, without there being any direct evidence that the people themselves did the sharing – which brings even more dimensions of vulnerability into play: confusion, mistaken identity, even things like defamation by implication could come into play. If your name is on the list, you’re not only being labelled a lawbreaker but a consumer of porn – and it might very easily not have been you doing it at all. Other people might be using your account, perhaps without your knowledge, perhaps without your permission, perhaps without your understanding.
Simon Davies, of Privacy International, quoted in the BBC, said that ‘You rarely find an aspect where almost every aspect of the Data Protection Act (DPA) has been breached, but this is one of them’. It’s also true that almost every aspect of data vulnerability has been demonstrated in one fell swoop.

Perhaps an even more important point, however, is the way that personal data – and individuals’ privacy – is viewed almost as ‘collateral damage’ in the ongoing battle between the entertainment industry (and their hired guns like ACS:Law) and the ‘pirates’. From the outside it looks as though as far as the 4chan hackers and ACS:Law are concerned, it’s that battle that matters. ACS:Law wants to ‘get’ the pirates, while the 4chan hackers want to ‘get’ ACS:Law and to ‘win’ the war with the entertainment industry for the ’cause’ of free and unfettered file-sharing. The fact that some 13,000 individuals have had their personal data released into the public domain and face all kinds of possible consequences from embarrassment (or humiliation) to legal action onwards seems somehow less important. Sadly it often seems to be that way. Privacy is squeezed by politics, law, business and a whole lot more. Every which way, privacy loses.  

No more place for privacy?

With the launch of Facebook Places in the UK, ‘location’ services have really hit the mainstream. With Facebook Places, people can ‘check in’ to indicate exactly where they are to their ‘friends’ (and probably quite a lot of others too, unless they’re very careful). It’s another step – and perhaps a very big one – along a path that some might suggest has an inevitable outcome: the end of privacy, at least as we know it.

Scott McNealy, CEO of Sun Microsystems, told journalists, way back in 1998 that “You have zero privacy anyway, get over it.”  Others, most recently and persistently Mark Zuckerberg, co-founder and CEO of Facebook, have suggested that the whole idea of that is simply outdated and now irrelevant – people just don’t care about it anymore.

Are they right? Is privacy dead – or at least dying? Should we just ‘get over it’, join all those many millions of happy Facebook customers who don’t care about privacy, and start enjoying all the advantages of having a truly ‘transparent’ life? Embrace such wonders as Facebook Places, and enjoy the pleasures of meeting people for coffee in unexpected places just through the medium of our smartphones – after all, it’s so much more convenient than having to call and arrange things. Of course there’s an obvious possible downside – but burglary’s not much of a danger as long as you have state of the art security systems, or a ravenous Rottweiler, or employ someone to housesit whenever you’re out.

That, however, is just the simplest and most obvious problem. The other, less obvious, but ultimately more important issue is what happens to all the data about where you are, where you’ve been, and so forth. The possibilities of using this data for profiling – and eventually predictive profiling – are immense, which presumably is why Facebook and many others are introducing products like this. They’ll be able to learn even more about you than they already can.

Do we care? Zuckerberg would suggest not, but there isn’t much evidence to back up his claims. McNealy would say that it doesn’t matter whether or not we care, there’s nothing we can do about it. Personally I don’t think either of them are right. Events like the fall of Phorm and Facebook’s own forced abandonment of their Beacon system, and the 30,000+ Germans who put their names to a challenge to data retention legislation, all suggest that there is still an appetite for privacy – and for some more control over what’s going on.

Will Facebook Places be a huge success? Will people just embrace it, without considering the downsides? It will be an interesting test….

A creditable approach?

Is the new UK government ‘privacy friendly’ after all? Some of the early signs have been very promising – from the headline-grabbing cancellation of the ID card programme onward – but the latest news out of Downing Street should start certain alarm bells ringing.

David Cameron’s announcement of a new ‘crackdown’ on benefit fraud might be politically simple and far from contentious on the surface – indeed, the early reports in various news sources focussed on the ideas that few could complain about, as ‘everyone’ knows that benefit fraud is ‘a bad thing’ – but the ideas that lie beneath the surface are potentially far more contentious, even dangerous. The key is the way that the ‘crackdown’ is to be performed: through the use of data from credit agencies. As Cameron put it “Why should government not use the same tools that are available to independent organisations?” Why indeed? Well, the one question begs another – are those tools, available to and used by independent organisations tools that should be used at all?

Credit agencies gather data on people and use that data to help other organisations make decisions that have a real, concrete impact on those people – and yet we really know very little about how they work and have very little control over how they work. What is clear is that they work through the gathering and analysing of data – data gathered from a whole variety of sources. Whether and how that data should be gathered and used is something that has not really been up for debate on a serious scale – and here we have David Cameron’s government simply assuming that the use of the data is OK, and indeed endorsing its use. More than that, they’re offering a potentially very lucrative contract to the credit agencies, offering even more incentive for them to gather more and more data about more and more people. Is that something that should be encouraged?

Benefit fraud has always been an easy target – one popular with politicians and tabloids alike – but is this just a starting point for more government use of this kind of data? And other kinds of data? A government who looked (and proclaimed itself to be) in favour of privacy and autonomy is taking quite the opposite approach with this announcement. Not a creditable approach at all.

Quality matters!

Momentum seems to be building for the idea that internet access is a universal right – and more than that, that high quality internet access is a universal right. As seems often to be the case in the digital world, the lead is coming from Scandinavia – Finland have made broadband a ‘legal’ right, according to a report in the BBC. From the 1st of July 2010, every Finn has the right to access to a 1Mbps (megabit per second) broadband connection. As reported by the BBC, Finland’s communication minister Suvi Linden sad that “We considered the role of the internet in Finns everyday life. Internet services are no longer just for entertainment.”

That much is becoming clearer and clearer. We need internet access for proper access to government services, we need internet access to get the best prices for goods and services – indeed, there are some goods and services that are almost impossible to get without access to the net. We need internet access for access to information and news – and we need information and news if we are to fully participate in our society. What the Finnish government have realised is that it’s not just ‘access’ that matters, but the quality of that access, if some of the ‘digital divide’ issues are to be dealt with – and that, surely, is what really matters.

From a human rights perspective, what is needed is an infrastructure that allows all people to fully participate in society. Making access to broadband a legal right doesn’t just mean giving people the right to download music or watch YouTube videos fast, it means that they have an opportunity to take advantage of the huge benefits that the internet can bring – benefits that those on the ‘advantaged’ side of the digital divide are already enjoying. Try searching for legal advice as to your rights as an employee when your job is under threat – as so many are in the current economic climate – and you soon discover why broadband is important. If you have to sit there waiting and waiting when you don’t even know what you’re waiting for, it’s all too easy to give up – and hence not to discover what your rights might be.

The Finns have taken the lead – but others will follow, and it is to be hoped that they will follow not just with bland statements or aspirations, but legal rights.