Why make privacy complicated?

The current ‘row’ about Facebook’s privacy settings, and the similar ‘affair’ about privacy on Google Buzz raise one significant question: why do companies like Facebook and Google make privacy so complicated? That, it seems, is one of the key problems, particularly in Facebook’s case. According to the New York Times, Facebook’s privacy policy has 50 different settings and 170 options, and the policy is longer than the US Constitution – closing in on 6,000 words.

Why? Is it complicated simply because privacy itself is complicated? Well, it’s certainly true that privacy isn’t as simple and clear cut as some might imagine, but does that really mean that privacy policies, and privacy options need to be so complex as to require a law degree to even begin to understand? It’s hard to justify – and for companies that demonstrate immense creativity when it comes to designing new products and services, and excellent ways to make those products and services simple to use and easy to understand, it does seem quite surprising that they can’t make their privacy policies easy to understand and their privacy options simple to use. They have the experience and the expertise to find a way – if they really want to.

So why don’t they? Two reasons immediately spring to mind, one simple and in some ways reasonable, the other much more pernicious. The first is that until recently they simply didn’t care enough about it – and didn’t think their users cared enough about it. A privacy policy was something that only concerned lawyers (to cover their potential liabilities) and geeks (who are those who bleat on about privacy), and lawyers and geeks don’t need things to be simple to understand and use – they need things to cover all the relevant issues in a logical and coherent fashion…. which leads to documents the size of the US constitution and 170 options and 50 different settings. What’s more, they want their creative minds and experienced programmers to be working on the ‘important stuff’, not wasting time and money on something like privacy policies that no-one really care about. So, from a business point of view, putting effort into making privacy simple and understandable would be wasteful. And boring, too, for the creative people.

The second possible reason is far more shady – maybe they want to make privacy complicated because they don’t want people to know what they do and what the implications are? If an ordinary user has to wade through a document the size of the US constitution, and spend their time choosing between 170 options and 50 settings, the chances are that they simply won’t bother. And if they don’t bother, and leave the settings on what Facebook choose as the defaults, then everything’s much happier, at least for Facebook.

I wouldn’t like to suggest that the second is true – the first is far more likely. However, if the second does have an element of truth to it, we might start to see that over the next year or two. Public interest in privacy appears to be growing – the question is how companies like Facebook respond to it. If things change, and change quickly, that would tell us a lot. If they don’t, and if there is more prevarication and less action, that would tell us something else entirely.

The politics of privacy – does privacy matter?

A few weeks ago I attended Privacy International’s 20th anniversary party – a fascinating event, celebrating a truly admirable organisation which has done sterling work over the last twenty years, from a time when privacy seemed to be very much a ‘niche’ subject, one that most people didn’t think mattered much at all. Over the last few years, however, that seems to have changed – privacy issues regularly make headlines, from lost data to the sell-out of Chinese dissidents, from ID cards to data retention. Emphasising that, one of the two keynote speakers at the party was Nick Clegg – and this was BEFORE the first of the UK’s leadership debates, so before Clegg had etched himself on the public consciousness. He spoke powerfully, quite eloquently, and fairly passionately about privacy – and at the same time, since he and we all knew that the election was just aroung the corner, he used the occasion as an ‘electoral address’, suggesting that his party, the Lib Dems, was the best party for privacy, and would protect all our rights much better than the other two. No to ID cards. No to centralised databases for Data Retention. No to fingerprinting our children….

….well, now he’s become the ‘kingmaker’, it will be interesting to see how high up his agenda privacy really is. Is it one of the points he makes to his potential coalition partners? Will he get his way? It’s a very interesting test of both his political will and his judgment as to the views of his supporters. We should know in a week or two….

The business of rights…

Today sees the second reading in the House of Commons of the Digital Economy Bill, something I’ve mentioned in my blog more than once before. It is a bill that has been much discussed by privacy advocates and in the media, but that to the frustration (or even fury) of many is likely to get very little discussion time in the House of Commons, but rather be rushed through in the run up to the coming General Election. Even so, it is a very hot topic, and is very much in the news – and in the newspapers. Today, in advance of that second reading in the house, both ‘sides’ of the debate have taken out full page advertisements in the UK’s national press. The trade union-led Creative Coalition Campaign (CCC) has come out in support of the bill, with their full page advertisement in the Guardian talking of job losses if the bill isn’t passed, while the Open Rights Group and digital campaigners 38 Degrees have taken out their own ads, funded by donation, in both the Guardian and the Times, in opposition to the bill. A big fight – with the industry taking the canny approach of using the ‘jobs’ and leaving it to the unions rather than being seen so directly as the big, bad, business wolf, the pantomime villains of the piece, the enemies of ‘rights’.

It does seem that all too often the positions become polarised, and what should be negotiation for mutual benefit ends up in conflict. The story surrounding music is a prime example – the digital revolution should (and does) represent a vast opportunity for both the music industry and for individual consumers and creators of music, and yet what we have is a series of law suits and a big and often very antagonistic conflict. What’s happening with music is echoed almost everywhere else – with privacy advocates in conflict with the big boys of the internet world like Google, Microsoft and Yahoo over their data gathering and retention practices as another clear example. Does it have to be that way? Of course a certain degree of tension is inevitable – and indeed in many ways beneficial – does business really have to be ‘an enemy’ of individual rights? Sometimes it seems that way. I recently attended a lecture given by an  expert practitioner in the field of Data Protection – he was talking to students about the realities of a career as a data protection lawyer. He was in most ways a very good and very positive person – and yet to listen to him it was clear that from the perspective of both businesses and the lawyers who work for business that data protection was seen as a barrier to be overcome (or even sidestepped or avoided) rather than in any sense a set of positive principles that could (or should) be for the benefit of the individual data subjects or indeed for society as a whole. From his perspective, rights weren’t a beneficial thing so much as something that gets in the way of an enterprise’s opportunity to make a profit.

From the other point of view, privacy advocates sometimes seem to take an equally antagonistic approach – and if you view someone as an enemy, they may find it all to easy to slip into that role. Attack someone and they are quite likely to defend themselves. It may seem necessary – indeed in the short term and in specific situations it may BE necessary – but in the long term, surely both sides would be better off looking at it from a more cooperative and positive perspective. Advocates might find it a better way to get what they want – and industries might find themselves new, better and more sustainable ways to build their businesses.

How to do this is the big question – we seem to know very well how NOT to do it, but not have much of a clue of the reverse. The starting point, however, has to be more talking. The idea of rushing through the Digital Economy Bill is the exact opposite of that. The government is effectively saying that enough discussion happened in the House of Lords, and so we don’t need to talk more about it in the Commons. That can’t be right, can it? We have two Houses for a reason – and the Commons is supposed to be the place where the people are represented. If the music industry wants these proposals to work, it ultimately needs to get the people on its side – and if it wants that, it needs to be willing to talk about it, and to see things a little more from the people’s point of view. That, at the very least, would be a start.

Consent: a red herring?

I asked Peter Fleischer, Google’s Global Privacy Counsel, a question about ‘opt-in’ or ‘opt-out’, in a panel session at the Computers, Privacy and Data Protection Conference in Brussels in January, to which he gave an interesting answer, but one that was greeted with more than a little dismay. In essence, his answer was that the whole question of ‘opt-in/opt-out’, and by implication the whole issue of consent, was a bit of a red herring. Unsurprisingly, that was not a popular view at a conference where many of the delegates were privacy advocates – but he did and does have a very good point. He went on to explain, quite reasonably, that if someone wants something online, they’ll just consent to anything – scrolling down through whatever legalese is put in the consent form without reading it, then clicking OK without a second thought, just to get at the service or website they want. And he’s right, isn’t he? That IS what we all do, except in the most exceptional circumstances.

The question, then, is what can or should be done about it. Peter Fleischer’s implication – one shared, it appears, by most in the industry, is that we should realise that emptiness and unhelpfulness of consent, and not bang on so much about ‘opt-in’ or ‘opt-out’. We’re missing the point, and barking up the wrong tree. And, to a certain extent, I’m sure he’s right. As things stand, consent, and opt-in, and not really very helpful. However, it seems to me that he’s also missing the point – whether deliberately, as it suits the interests of his employers to have opt-out systems and allow such things as browse-wrap consent on the net, or because he thinks there’s no alternative, I wouldn’t like to say – in the conclusions that he draws, and the suggestions as to what we do next.

If consent, in its current form on the net, is next to meaningless, rather than abandoning the concept as useless wouldn’t it be better to find a way to make it more meaningful? This is something that many people are wrestling with – including the EnCoRe (Ensuring Consent & Revocation) group – and something I shall be presenting a paper about at the BILETA conference in Vienna next week. The way I see it, the internet offers unprecedented opportunities for real-time communication and interaction, for supplying information and for allowing users choices and options – shouldn’t there be a way to harness these opportunities to make the consent process more communicative, more interactive, more ‘real-time’, and to give users more choice and more options?

Peter Fleischer’s employers, Google, actually do some really interesting and positive things in this field – the Google Dashboard and Google’s AdPreferences both provide information and allow options and choices for people whose data is being gathered and used – the next stage is for these to be given more prominence, for right now they’re pretty hidden away, and it’s mostly just the hackers and privacy advocates that even know they exist, let alone use them well. If they can perhaps Google can help consent to become much more than a red herring, and instead part of the basic process of the internet.

Now we’re all at it… especially the good guys…

It’s not just the German government who are using illegally acquired data to root out tax evaders – the latest revelation is that both the French and the UK Government are doing it to. A report from the Sunday Times, available online here, has revealed much more detail – and in particular that HMRC in the UK is very enthusiastic about getting hold of this illegally acquired data. A senior tax official is quoted as saying “It’s fair to say that the prospect of getting hold of this information has generated some excitement here.”

The whole thing raises a lot of issues – some of which I mentioned in my post of 7th March – but the German, French and UK governments are all seemingly happy to do it, and at least so far there seems to be very little resistance or outcry about their tactics. The ends justify the means, perhaps. Personally, I don’t think so, and an experience I had in the classes I teach (Information Technology & the Law) suggested to me why. The class was about surveillance in the digital environment, and we were discussing the nature of enhanced CCTV, and how it, combined with information from systems like Oyster Cards, could allow coordinated tracking of individuals. I teach three classes, with a mix of different individuals with very different backgrounds. In the first class, the reaction to this kind of tracking could be described as general interest, but nothing more. In the second, it might even be described as enthusiastic – with some agreement with the view of a Police CCTV Liaison Officer that “The cameras are there to help the police and to protect the community. There is no way anybody should be afraid of them unless they have something to hide.”
The third class was different – the first person to speak had a reaction that I hadn’t really heard in the first two classes. His immediate response was that he didn’t want the government to be able to track him – and when asked why, he almost laughed, because to him it was so obvious. Why was it obvious to him, and not to the others in the previous classes? Because he happened to have experience of living in a country with what is close to an authoritarian regime. People who live in those circumstances are naturally and appropriately more likely to be suspicious and distrustful of government motives.
Here in the ‘safe’ West, where the governments are suspected much more of incompetence than evil, we don’t really seem to care that much about things like this. Right now, we seem to mostly ‘trust’ our governments, and imagine that they will only use the powers we grant them (or allow them to take for themselves) for good purposes – like catching tax evaders, or tracking terrorists. We rarely imagine that they might end up using them for entirely different purposes, purposes for which we would have much less sympathy. What would it take to make us realise the risks, let alone take them seriously? It would be nice to think that we could do so before they are taken too far. 

Digital Economy Bill passes the Lords…

Just a brief note – further to last week’s post, the Digital Economy Bill has now passed its third reading in the House of Lords, and is expected to be rushed through the commons before the election (see the BBC report here). Do people really understand what’s happening here? And more to the point, even if they do, do they care? There will be active campaigning against it for sure – not least by the Open Rights Group – and it will be interesting to see how much opposition to the disconnection provisions can be raised in the face of the Government’s clear desire to get it done quickly. Will the UK demonstrate the kind of ‘active community’ that worked so well in Germany to deal with their data retention laws, as I mentioned a couple of weeks ago?

I certainly hope so – and at a time when an election is looming, the government should certainly be responsive to signs of popular resistance. Are we in the UK ready to stand up for freedom on and with the internet? Time will tell…

All hail the Internet?

Two stories this week have emphasised the importance of the Internet in today’s world.

The most recent, and perhaps the strangest, is the news that the Internet has been nominated for the Nobel Peace Prize, in a campaign mounted by Wired Italy – this is how the English language version of Wired is reporting it. Of course there have been stranger (and much more controversial) nominations over the years, but even so it does seem an unusual, though far from unwelcome suggestion. The Internet can be (and at times has been) a wonderful tool for peace. As said Riccardo Luna, editor-in-chief of the Italian edition of Wired magazine puts it: “The internet can be considered the first weapon of mass construction, which we can deploy to destroy hate and conflict and to propagate peace and democracy. What happened in Iran after the latest election, and the role the web played in spreading information that would otherwise have been censored, are only the newest examples of how the internet can become a weapon of global hope.”

The second story comes from the BBC World Service, who commissioned a poll, covering more than 27,000 people in 26 countries across the digital divide which came up with some headline grabbing statistics, the most notable of which was that across the world, almost 80% of people now regard Internet access as a basic human right. There are many highly revealing findings, both on a country-by-country basis and giving more of a global picture, but the headline figure is certainly something about which we should stop and think. Internet access a basic human right, comparable with electricity and water? And this is something believed not just in technologically advanced countries, but right across the digital divide – countries such as Mexico, Brazil andTurkey most strongly supporting the idea of net access as a right.

So, two stories, one suggesting that the Internet should be considered for the Nobel Peace Prize, the other suggesting that access to the Internet is a fundamental human right – and what do we have happening in the UK, and seemingly quite likely to become law, but the idea of restricting or even cutting off internet access for people caught illegally file-sharing, in the shape of the Digital Economy Bill. Cutting off a fundamental human right, for something that, though illegal, is hardly of the most egregious of crimes, doesn’t exactly seem proportionate. Though people like Ian Livingston, British Telecom’s Chief Executive, who has publicly raised his concerns about the Bill, along with various other industry leaders (including representatives of BT, Virgin Media, Carphone Warehouse and Orange) may have a clear vested interest in opposing these terms within the Bill, it is certainly something that many more of us should be concerned about.