Communications Data Bill Venn Diagram…

Will the government ‘get’ digital policy?

I had an interesting time at the ‘Seventh Annual Parliament and Internet Conference’ yesterday – and came away slightly less depressed than I expected to be. It seemed to me that there were chinks of light emerging amidst the usually stygian darkness that is UK government digital policy and practice – and signs that at least some of the parliamentarians are starting to ‘get it’. There were also some excellent people there from other areas – from industry, from civil society, from academia – and I learned as much from private conversations as I did in the main sessions.

The highlight of the conference, without a doubt, was Andy Smith, the PSTSA Security Manager at the Cabinet Office, recommending to everyone that they should use fake names on the internet everywhere except when dealing with the government – the faces of the delegation from Facebook, whose ‘real names’ policy I’ve blogged about before were a sight to behold. Andy Smith’s suggestion was noted and reported on by Brian Wheeler of the BBC within minutes, and made Slashdot shortly after.

It was a moment of high comedy – Facebook’s Simon Milner, on a panel in the afternoon, said he had had a ‘chat’ with Andy Smith afterwards, a chat which I think a lot of us would have liked to listen in on. The comedic side, though, reveals exactly why this is such a thorny issue. Smith, to a great extent, is right that we should be deeply concerned by the extent to which our real information is being gathered, held and used by commercial providers for their own purposes – but he’s quite wrong that we should be able and willing to trust the government to hold our data any more securely or use it any more responsibly. The data disasters when HMRC lost the Child Benefit details of 25 million families or the numerous times the MoD has lost unencrypted laptops with all the details of both serving and retired members of the armed forces – and potential recruits – are not exceptions but symptoms of a much deeper problem. Trusting the government to look after our data is almost as dangerous as trusting the likes of Facebook and Google.

The worst aspect of the conference for me was that there seemed to still be a large number of people who believed that ‘complete’ security was not just possible but practical and just a few tweaks away. It’s a dangerous delusion – and means that bad decisions are being made, and likely to continue. A few other key points of the conference:

• Chloe Smith, giving the morning keynote, demonstrated that she’d learned a little from her Newsnight mauling – she was better at evading questions, even if she was no better at actually answering them.
• In Chi Onwurah, Labour have a real star – I hope she gets a key position in a future Labour government (should one come to pass)
• We’ve got a long way to go with the Defamation Bill – without seeing the regulations that will accompany the bill, which apparently haven’t even been drafted yet, it’s all but impossible to know whether it will have any real effect (at least insofar as the internet is concerned)
• In a private conversation, someone who really would know told me that one of the problems with sorting out the Defamation Bill has been an apparent obsession that Westminster insiders have with the ‘threat’ from anonymous bloggers – I suspect Guido Fawkes would be delighted by the amount of fear and loathing he seems to have generated in MPs, and how much it seems to have distracted them from doing what they should on defamation and libel reform.
• After a few conversations, I’m quietly optimistic that we’ll be able to defeat the Communications Data Bill – it wasn’t on the agenda at the conference, but it was on many people’s minds and the whispers were generally more positive than I had feared they might be. Time will tell, of course.
• Ed Vaizey is funny and interesting – but potentially deeply dangerous. His enthusiasm for the ‘iron fist’ side of copyright enforcement built into the Digital Economy Act was palpable and depressing. The way he spoke, it seemed as though the copyright lobby have him in the palm of their hand – and that neither they nor he have learned anything about the failure of the whole approach.
• Vaizey’s words on porn-blocking – he seemed to suggest that we’ll go for an ‘opt-out’ blocking systems, where child-free households would effectively have to ‘register’ for access to porn, something which has HUGE risks (see my blog here) – were worrying, but again, another insider assured me that this wasn’t what he meant to say, nor the proposal currently on the table. This will need very careful watching!!
• The savaging of Vaizey by a questioner from the floor revealing how much better and cheaper broadband internet access was in Bucharest than in Westminster was enjoyed by most – but not Vaizey, nor the industry representatives who remained conspicuously quiet.
• Julian Huppert – my MP, amongst other things – was again impressive, and seems to have understood the importance of privacy in all areas: the fact that Nick Pickles of Big Brother Watch was invited to the panel on the internet of things that Huppert chaired made that point.
• On that subject – mentions of either privacy or free speech were conspicuous by their absence in the early sessions on cybersecurity, but they grew both in presence and importance during the day. I asked a couple of questions, and they were both taken seriously and answered reasonably well. There’s a huge way to go, of course, but I did feel that the issue is taken a touch more seriously than it used to be. Mind you, none of the government representatives mentioned either in their speeches at all – it was all ‘economy’ and ‘security’, without much space for human rights….
• The revelation from the excellent Tom Scott that though the rest of us are blocked from accessing the Pirate Bay, it IS accessible from Parliament was particularly good – and when my neighbour accessed the site and saw the picture of Richard O’Dwyer on the front page, it was poignant…

I came away from the conference with distinctly mixed feelings – there are some very good signs and some very bad ones. The biggest problem is that the really good people are still not in the positions of power, or seemingly being listened to – and those at the top don’t seem to be changing as fast as the rest. If we could replace Ed Vaizey with Julian Huppert and Chloe Smith with Chi Onwurah, government digital policy would be vastly improved….

Taking a lead on privacy??

Two related stories about privacy and tracking are doing the rounds at the moment: both show the problems that companies are having in taking any sort of lead on privacy.

The first is about Apple, and the much discussed recent upgrade to their iOS, the operating system for the iPhone and iPad. There’s been a huge amount said about the problems with the mapping system (and geo-location is of course a huge privacy issue – as I’ve discussed before) but now there’s an increasing buzz about their newly introduced tracking controls. Apple, for the first time, have provided users with the option to ‘limit ad tracking’ – though as noted in a number of stories, including this one from Business Insider, that option is hidden away, not in the vaunted ‘Privacy’ tab, but under a convoluted set of menus (first ‘General’ settings, then ‘About’, then scroll down to the bottom to find ‘Advertising’, then click ‘Limit Ad Tracking’). Not easy to find, as even the techie and privacy geeks that I converse with on twitter have found.

This of course raises a lot of issues – it’s great to have the feature, but the opposite to have it hidden away where only the geeks and the paranoid will find it. It looks as though the people at Apple have been thinking hard about this, and working hard at this, and have come up with an interesting (and perhaps effective – but more on that below) solution, but then been told by someone, somewhere, that they should hide it for fear of upsetting the advertisers. I’d love to know the inside story on this – but Apple are rarely quite as open about their internal discussions as they could be.

There’s a conflict of motivations, of course. On the one hand, Apple wants to make customers happy, and there is increasing evidence that customers don’t want to be tracked – most recently this excellent paper from Hoofnagle, Urban and Li, appropriately entitled “Privacy and Modern Advertising: Most US Internet Users Want ‘Do Not Track’ to Stop Collection of Data about their Online Activities”. On the other hand, Apple don’t want to annoy the advertisers – particularly when the market for mobile is getting increasingly competitive. And the advertisers seem to be on a knife edge at the moment, very touchy indeed, as the latest spats over the ‘Do Not Track’ initiative have shown.

That’s the second story doing the rounds at the moment: the increasing acrimony and seemingly bitter conflict over Do Not Track. It’s a multi-dimensional spat, but seems to have been triggered by Microsoft’s plan to make do not track ‘on’ by default – something that the advertising industry are up in arms about. The ‘Digital Advertising Alliance’ issued a statement effectively saying they would simply ignore Microsoft’s system and track anyway – which led to privacy advocates suggesting that the advertisers wanted to kill the whole Do Not Track initiative. This is Jeff Chester of the Center for Digital Democracy:

“The DAA is trying to kill off Do Not Track.  Its announcement today to punish Microsoft for putting consumers first is an extreme measure designed to strong-arm companies that care about privacy.”

Chester and others saying similar things may be right – and it makes people like me wonder if the whole problem is that the ‘Do Not Track’ initiative was never really intended to work, but was just supposed to make people think that their privacy was protected. If it actually got some teeth – and setting it to a default ‘on’ position would be the first way to give it teeth – then the industry wouldn’t want it to exist. There are other huge issues with Do Not Track anyway. As the title of the Hoofnagle, Urban and Li report suggested, people think ‘Do not track’ means they won’t be tracked – that their data won’t be collected at all – while the industry seems to think what really matters to people is that they aren’t targeted – i.e. their data is still collected, and they’re still tracked and profiled, but that tracking isn’t used to send advertisements to them. For me, that at least is completely clear. Do Not Track should mean no tracking. Blocking data collection is more important than stopping targetting – because once the data is collected, once the profiles are made, they’re available for misuse later down the line.

That, far deeper point, is still not being discussed sufficiently. The battle is at a more superficial level – but it’s still an important battle. Who matters more, the consumers or the advertisers? Advertisers would have us believe that by stopping behavioural targetting we will break the whole economic basis of the internet – but that is based on all kinds of assumptions and presumptions, as Sarah A Downey pointed out in this piece for TechCrunch “The Free Internet Will Be Just Fine With Do Not Track. Here’s Why.” At the recent Amsterdam Privacy Conference, Simon Davies, one of the founders of Privacy International, made the bold suggestion that the behavioural targetting industry should simply be banned – and there is something behind his argument. Right now, the industry is not doing much to improve its image: seeming to undermine the whole nature of Do Not Track does not make them look good.

There’s another spectre that the industry might have to face: the European Union is getting ready to act, and when they act, they tend to do things without a great deal of subtlety, as the fuss around the Cookie Directive has shown. If the advertisers want to avoid heavy-handed legislation, they should beware: ‘Steelie’ Neelie Kroes is getting impatient. As reported in The Register, if they don’t stop their squabbling tactics over Do Not Track, she’s going to call in the politicians….

Someone, somewhere, has to take a lead on privacy. Apple had the chance, and to a great extent blew it, by hiding their tracking controls where the sun doesn’t shine. Microsoft seems to be making an attempt too, but will they hold their nerve in the face of huge pressure from the advertising industry – and even if they do, will their lead be undermined by the tactics of the advertising industry? If no-one takes that lead, no-one takes that initiative, the EU will take their kid gloves off… and then we’re all likely to be losers, consumers and advertisers alike….