Romanian re-Phorm-ation?

News has emerged this week that Phorm, the online-behavioural-advertising company about whom a great deal has been written (including by me) has targeted a new country for its latest attempt to track internet users’ every move: Romania.

Having been kicked out of the UK after a huge struggle a couple of years ago – a struggle from which civil society came out with a lot of credit, not least the Foundation for Information Policy Research and in particular the work of Richard Clayton and Nicholas Böhm, while the UK government came out with a severe amount of egg on its face – Phorm has tried to relaunch its services in a number of other countries. South Korea was the first, then Brazil, both without much sign of success, before the current efforts in Romania.

As a reminder, what Phorm’s services essentially do is ‘intercept’ the instructions a user sends as he or she browses the web – every site visited, every link followed, every click – and uses that information to build up a profile of the user, mostly to enable it to target advertising as accurately as possible but potentially (at least according to the publicity put out by Phorm during their attempts to launch in the UK) to tailor content.  In a lot of ways Phorm’s system is only a logical extension of what many other advertisers on the web do – almost everyone’s at it, from Google to Facebook to Amazon (particularly if the stories emerging about the Kindle Fire are true). There are significant differences, however, to even the most privacy-invasive services offered by the others. The most important of these is that it covers ALL your activity on the web: even the latest furore about Facebook tracking you when you’re logged out didn’t get close to that, only potentially tracking you when you visit sites with Facebook links or ‘like’ buttons.

The second difference, almost as important, is that in exchange for these immense invasions of privacy, Phorm offers you nothing except better targeted advertising – something that few people would value very much. All the others give you something quite significant in exchange for their gathering your data: Google offers you very effective search engines, mapping systems, blogging services (including the one on which this blog is hosted) and much more, Facebook provides a social networking service of huge functionality, while Amazon’s Kindle is a lovely bit of kit for a remarkably small price, one that many people enjoy. There’s a ‘bargain’ going on for your data, even if few people fully grasp that this exchange is going on. With Phorm there’s nothing – essentially, they just spy on you for their own benefit, and give you nothing in return. Indeed, they might even harm your browsing, as the ‘interception’ process can potentially slow down your web-browsing.

Phorm failed in the UK, and I for one am very glad that they did. I hope the same happens in Romania, unless they’ve changed their practices significantly. The signs so far, sketchy though they are, do not suggest that this is very likely. Just as they did in the UK, they’ve done a deal with one of the big ISPs, Romtelecom, which is a part state-owned telecoms and internet company, and are looking for business partners. Their product appears to be pretty much the same as it was before, though they do at least mention the word ‘choose’ in terms of customer actions. That ‘choice’ does not seem to amount to much in reality, and indeed there seems to be another twist: they’ve added flash cookies to the system, with the express intention of using them to re-spawn their own status cookies in case you ‘accidentally’ delete them. The precise technical details have not yet emerged: I am looking forward to finding out if they’ve learned the lessons of their previous failures and decided to do something that actually respects the individual users and gives them some kind of real consent process. I’m not exactly waiting with bated breath…

I have a personal connection with Romania – my wife’s Romanian – and that country has experienced far too much of surveillance and invasions of privacy in the past. Indeed, Romania was one of the first countries to hit out against the privacy-invasive Data Retention Directive, their supreme court striking down the implementation of the Directive in their country as unconstitutional in 2009. I am fully confident that they will find a way to fight against this latest intrusion into their privacy. Phorm may have chosen Romania as a ‘soft target’. I suspect they’ll find the reality quite different, unless they’ve seriously changed their spots….

Is sharing natural? Is privacy?

To someone like me, who works in the field of privacy, Facebook and similar services have always represented a challenge. Pretty much every time Mark Zuckerberg gets up on his feet to make another announcement, I find my stomach churning, and my mind turning. When he suggests that privacy is no longer a social norm, when he tells us that we all want to share more, when he implies that Facebook does what we want it to do, and that anyone who’s at all concerned about what it does is an old stick-in-the-mud or a luddite, I always wonder, just for a moment, if he might be right. Is privacy an outdated concept, a kind of social construction that has outlived its purpose? Is openness and sharing how we’re ‘meant’ to live? Is Facebook about liberating us, allowing us to be how we’ve always wanted to be, how we naturally want to be?

I wonder that for a few moments every time. I wondered it when the new features on Facebook were launched a week or two back. I wondered it when the mini-furore over Facebook ‘continuing to track us after we log out’ happened two days ago – though the truth or otherwise of that tracking continues to be debated. Am I wrong about privacy? I wonder that for a moment – and then something brings me right back to earth. I have a five-year-old child….

For my child, privacy seems something entirely natural, something deeply desired, something clearly needed. It has done since she was six months old – and perhaps even earlier. Now that she’s at school, it’s even more important to her. She doesn’t tell anyone all her secrets, she carefully controls who she tells what, and I’m quite sure there are many things she tells no-one at all. Privacy, to her and to her friends, is something very much natural.

What about sharing? Well, I can’t imagine that there are many parents who have found that there child wants to share ANYTHING as a matter of course. And that applies just as much to secrets as it does to things. Sharing is something we have to almost force our children to do – often kicking and screaming, and entirely against their will. It takes a long time before they do it willingly, if they ever really do. Even many adults find sharing very difficult – and again, that applies as much to information as it does to material goods.

Of course my evidence is entirely anecdotal, and I have only one example to follow (plus her friends (in the real sense of the word), classmates and acquaintances, while Zuckerberg has 800 million or so – but to my eyes and ears, and to my mind, that anecdotal evidence is pretty compelling. Privacy, to me, is far more natural than sharing. The kind of denial of privacy and enforcement of sharing that an unfettered Facebook would have us believe is ‘natural’ is far from it. For me, at least, it is something that should be resisted, and resisted with vigour.

Logout should mean logout! UPDATED

Hidden (or at least untrumpeted) amongst all the new features in the latest Facebook upgrade is one deeply concerning issue: when you ‘logout’ of Facebook, Facebook will continue to track you. This fact has made it onto a few blogs (for example Nik Cubrilovic’s blog here) and is doing the rounds on twitter – but for those of us concerned with privacy, there should be a lot more noise about it, because it has huge implications. It flies in the face of what users expect and understand – and that should really matter.

The reality is that very, very few users ever check their terms and conditions – almost all of us scroll straight through the pages and pages of legalese (even those of us who work in the law!) and then click ‘OK’ at the bottom. Why? Because we want to use the service, and because we know we don’t have any real choice about what’s in those terms and conditions – and because we have a reasonable expectation that what is in those terms and conditions is at least in most ways ‘reasonable’, and will conform to what we expect and understand terms and conditions to be.

So the question of what would we expect to happen when we ‘logout’ of Facebook is one that matters. Most people, I suspect, would expect that ‘logout’ would cut our connection with Facebook, until we log back in. It should be like putting the phone down when we’ve finished a conversation – you don’t expect the person on the other end of the line to be able to hear what you say after you’ve hung up, let alone be able to keep a microphone open in your living room and record every conversation you have with anyone in that room. In fact, if you thought something like that was happening, you’d be outraged, and rightfully so, as well as having all kinds of opportunities to take legal action against the people who are, in effect, bugging you.

Of course what Facebook is doing isn’t quite the same – but in some ways it could be considered even more invasive of your privacy, because the opportunities to analyse and exploit the data gathered through their tracking are greater in some ways that a simple phone tap. The data they can gather can be aggregated and analysed – its digital nature, together with the vast volume of other such data that they gather, gives them an unprecedented scope for such aggregation and analysis.

This is hardly the first time that Facebook has tried to move the goalposts on privacy, and to set new norms. This attempted resetting of norms, so that tracking is normal, whether you’re signed in or not, and that it should (and will) happen all the time, is one that should be resisted very strongly. The opposite should be the case – we should be able to assume that tracking DOESN’T take place unless we explicitly allow it, and are reminded that it is happening. We should have a right to know when we’re being tracked, and a right to turn that tracking off, and people like Facebook should be required to offer their services without that tracking, at the very least when we’re not signed in to their service.

Like it or not, the use of Facebook has become effectively the norm. I have a new batch of undergraduate students arriving today, and if the experience of the last few years is anything to go by, it will be a rare student indeed who doesn’t have a Facebook account. That in itself should place demands on Facebook, requirements that they must meet. That should mean that they should, in general, understand and meet the expectations of their users – and, in this case, that should mean that logout should mean logout. Tracking should be turned off the moment we log out of Facebook. And we, the users, should demand that it happens.

UPDATE (with gratitude to Emil Protalinski at ZDNet for his blog)Facebook are denying that this is what is happening – they say “…the logged out cookies are used for safety and protection including: identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for a under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of “keep me logged in.”

We’ll have to see what comes of this – and whether the privacy implications are as significant as they seem. However, regardless of the technical details, the underlying point needs stressing: when we logout, we need to know that we’re no longer monitored or tracked, even for some of Facebook’s stated purposes. Stated purposes don’t always match with real uses… and function creep is hardly unknown in this context! For me, this underlines the need for clarity of rights and practices in this area. Facebook need to be told in no uncertain terms that tracking is not acceptable in these circumstances….

A tale of three conferences…

IT Law certainly seems to be flavour of the month. Even more particularly, it seems to be flavour of the next couple of days. Today and tomorrow there are three conferences on different aspects of the subject, all of which I’d like to be at… if only I could be three places at once.

Starting in Yorkshire…

The place I’ll actually be is Leeds, for the Human Rights in the Digital Era Conference: Professors Andrew Murray and Viktor Mayer-Schönberger will be providing the keynote speeches, while I’ll be presenting on a topic which I hope to be making a central part of my work in the next year or so, the idea of a right to an online identity (you can find my prezi here). Other excellent speakers include Jim Killock of the Open Rights Group, whose work is of increasing importance – particularly with the current government seemingly following the recent trend of seemingly being in thrall to the copyright lobby, if Jeremy Hunt’s suggestions are anything to go by – and my colleague Emily Laidlaw. It should be a fascinating day – and a subject of great current interest.

…and at the same time in London…

…the Society for Computers and Law is having its annual policy forum – with the focus on the ‘New Shape of European Internet Regulation’. Chaired by Lilian Edwards, and with contributions from such as Caspar Bowden (newly liberated from Microsoft) and my colleague Daithí Mac Síthigh, it’s another event of immense current interest, and one which I’m sad to have to miss. I’ll be following it on twitter (probably on #scl) and I’m looking forward to hearing more about it after the event. Daithí’s presentation on the App Store should be particularly good!

Meanwhile, in Poland…

…Warsaw is hosting the latest Creative Commons global meeting. At a time when attitudes and approaches to copyrights seem to be getting if anything even more regressive, with the EU Council voting this week to extend copyright on sound recordings from 50 to 70 years, and as noted above, Jeremy Hunt setting out an aggressive and punitive strategy for dealing with online piracy, finding imaginative and effective ways forward for dealing with intellectual property issues is of ever growing significance. Lots of interesting people will be in Warsaw, putting together lots of excellent ideas – and again, I’m looking forward to reading and hearing all about it.

Three conferences – but common themes

Three very different conferences, three very different cities, three seemingly quite different agendas – but they all tie together, and they’re all attempting to address issues of crucial current interests. The Leeds conference focusses on human rights, the London conference on regulation, the Warsaw conference on creativity – but the issues all interact with each other, and all impact upon each other. If, as the likes of Jeremy Hunt suggests, we use the twin heavy hands of law and finance to try to ‘protect’ our ‘creative’ arts (though the idea that Cliff Richard, one of the figureheads sent out this week to support the extension of copyright, represents ‘creativity’ is a somewhat difficult to swallow), then it is likely to be human rights that suffer.  Those of us interested in human rights need to be doing everything we can to prevent the focus of regulation – indeed, the new shape of regulation – to be protecting copyright at the expense of those human rights, which, ultimately, is what the copyright lobby is intending to bring about. Human rights, regulation and creativity are all very closely connected – as these timely conferences should do their very best to make clear.