Data and politics…

One of the less obvious side shows to the defection of Douglas Carswell MP from the Tories to UKIP has been the report that he may be taking his data with him – detailed data about his constituents, it appears, and according to the Daily Mail people at UKIP are ‘purring’ at the prospect of getting hold of the data.

This raises many, many issues – not least data protection issues. The excellent Jon Baines (@bainesy1969 on twitter) has been blogging about political data issues for some time, not least how it appears that political parties ride roughshod over data protection law and yet somehow the Information Commissioner’s Office does not want to get involved. He’s written something today in relation to Douglas Carswell – you can read it here. As Jon Baines explains, there are many legal issues to deal with, including a possible criminal offence.

Even setting the law to one side, there are some very disturbing aspects to this.

The first is a moral or ethical one – when people gave their data to Carswell, or to the local Conservative Party, they presumably intended (if they thought about it at all) to help the Conservative Party – Carswell was, at the time at least, a representative of the Conservative Party, and made many statements of loyalty. Would they be happy for that data then to be used by UKIP, a rival party? Some might have UKIP sympathies, and might well follow Carswell in his defection – but many others might not, and their data is being taken along with those who might defect, and without the chance to object or consent. Data protection law should require this – but in practice it might well fail to produce the results it should. Can we expect a moral or ethical approach from Douglas Carswell on the matter, recognising these issues? I doubt it very much. Morality and ethics are in very short supply in politics even at the best of times. These are very far from the best of times.

The second is a deeper one – it seems to me that we don’t consider nearly enough the impact of data on politics. The most obvious aspect of the Carswell business is the gathering of the data, but the use of that data is perhaps even more important and could have even more impact. I’ve written about this before – most notably in my book, Internet Privacy Rights – but it bears repeating. The use of data for political purposes is something of increasing importance. Obama knew that, and one of his key strategies for re-election was better use of data. This piece ‘How President Obama’s campaign used big data to rally individual voters‘, gives at least a flavour of what Obama did – and the beginning of a sense of what might be possible in the future. Data such as that gathered by Carswell could be aggregated with other data, much of it commercially gathered, and used for profiling in increasingly sophisticated ways. Here’s a brief extract from my book (chapter 10) that hints at what kind of thing can – and almost certainly will – happen in the future. Indeed, some of it is already happening now.

“Imagine, for example, tailored advertisements created for individual ‘swing voters’ (selected automatically through profiling), pointing out a party’s positive steps in the policy areas that are most likely to interest them (also selected automatically), omitting those areas where party policy doesn’t fit, and couching it in a language appropriate to the individual’s ethnic, educational, cultural and linguistic background, illustrated with a few appropriate news TV clips, and playing background music exactly to the individual’s taste and voiced over by an actor that profiling reveals that individual likes? The reverse, of course, about the political party’s opponents – negative campaigning and personal attacks taken to an extreme level. This could be extended from tailored advertisements to whole ‘news’ pages where the ‘news’ provider has a particular political agenda, and also (and more simply) to individual automated emails.”

Now I don’t imagine for a moment that UKIP’s operation is anywhere near as sophisticated as that – right now, most UK political parties seem to be lagging far behind the US in this field – but the ideas and the possibilities ought to be giving us pause for thought. Recent events like the Facebook Experiment, which I’ve blogged about before, show how the internet can be used to manipulate people. Political manipulation is just one of the possibilities. We need to be very careful here – and pay more attention to how our data can be used to manipulate us.

Wikipedia and the Right to be Forgotten…

…or why Jimmy Wales might want to support a right to delete.

One of the more strident critics of the Google Spain ruling by the ECJ, bringing into action at least a form of the much derided ‘right to be forgotten’, has been Jimmy Wales, co-founder of Wikipedia. He has spoken and written about it in highly critical terms, calling it ‘one of the most wide-sweeping internet censorship rulings that I’ve ever seen’ and, since Wikipedia itself started receiving notifications, ‘completely insane’. His statements, amplified by the obliging British press, were followed by his appointment to Google’s advisory committee on implementation of the court’s ruling. He has so far stood firmly by Google’s side, and against the ECJ – and yet, if looked at from the perspective of ‘openness’, there are arguments that he should shift his position. The so-called right to be forgotten – in some forms at least – is far from incompatible with the principles of openness that underpin Wikipedia. Indeed, it can be argued to be supportive of those principles – or even necessary to produce more openness in the way the internet operates for most ordinary people.

Wikipedia and ‘openness’

Wikipedia is viewed by many as the epitome of the new(ish) idea of ‘openness’ (e.g. http://www.theguardian.com/technology/2014/aug/10/wikipedia-isnt-perfect-model-channel-4-government) . Crowdsourcing information, allowing edits by anyone. Words like ‘participatory’, ‘collaborative’, even ‘democratic’ are used to describe it – indeed, it’s often used as an example of what those terms mean. These are words that are almost always used positively: participation, collaboration and democracy are seen as fundamentally ‘good’ things. Specifically, they’re seen as good things in relation to the internet: the fight for an ‘open’ and ‘free’ internet, a fight which the Wikimedia Foundation often seems to see itself at the forefront of, is a fight for the sort of internet built around participation, collaboration and openness.

But what does that mean in practice? Take a look at Wikipedia. As a teacher of university students, I often discuss the use of Wikipedia for research. In the old days, universities frowned on the use of Wikipedia – and we generally still disapprove of its use as a primary source (a citation of a Wikipedia page will raise both eyebrows and hackles in any university teacher) – but now it is usually seen as something very useful. You can get a broad brush view of a subject from reading the Wikipedia page – and you can find links to better, more reliable information about the subject. You don’t cite the Wikipedia page, but you can find sources that you can cite by looking at the Wikipedia page.

This all comes from both the strength and the weakness of Wikipedia. It is generally reliable – because crowdsourcing works, and because people with an intimate knowledge of all the various subjects contribute to it – but it is also, and just as importantly, ever-changing. It changes as events develop – new information appears, new views come in and, crucially, errors are corrected, biases revealed and changes made. Inaccurate and out of date information – and irrelevant information – is corrected or deleted from Wikipedia pages.

Deletion of information…

Let me repeat that.

Inaccurate, out of date and irrelevant information is corrected or deleted from Wikipedia pages.

That’s the strength of Wikipedia. Indeed, it is a key virtue of digital publishing – it is dynamic, not static. When errors creep in – whether by accident, by error, by biased editing, by malice (and cases of falsification of Wikipedia pages are well known, as are the strong and consistent critiques of both Wales and Wikipedia) the openness of the Wikipedia platform means that those errors, those biases, and so forth are open to being corrected. Information is deleted. That’s what makes Wikipedia great – and also what shapes the way we use it. We know Wikipedia isn’t set in stone, and that at any particular moment it may include errors or misunderstandings. We know that, so we don’t treat it with undue reverence. We check what we see against other sources. We look for alternative views and compare them to what we see on Wikipedia. We sometimes even help to edit Wikipedia. We treat Wikipedia as ‘organic’, growing and changing all the time.

Treating the internet as ‘organic’

Isn’t it appropriate – and desirable – to treat the whole internet in the same, open way? As organic, growing and changing all the time? Why should other material in the free floating internet be treated as inviolable; privileged by virtue of their form, if we are happy to see it otherwise with Wikipedia? In many ways we know that this is how the internet really is anyway – we know that when we look at a page we need to consider who created it, what sort of people they are, what biases they might have and so on. We know that new material is appearing all the time – every blog post, every newspaper article, every uploaded photo – and we should also understand that other material is being deleted or edited every day. Old, irrelevant or inaccurate information disappears every day. That’s part of the process – life and death are part of the same cycle.

What the internet isn’t, is a perfect archive of truth, set in stone as a record of perfect accuracy. To evoke otherwise, as Wales and the Wikimedia foundation have done, is simply false. It isn’t Asimov’s vision (deliberately misleading) of an Encyclopaedia Galactica in his seminal ‘Foundation’ books, designed to preserve and maintain humanity’s store of knowledge against barbarians and the decline of civilisation. It’s much closer to the reality of Wikipedia. Somewhere were things are being deleted all the time. Somewhere where routes to things are being corrected all the time. Somewhere that should be treated with respect but not reverence.

The right to delete – or the right to be forgotten

That’s where a right to delete – and yes, sometimes, a right to be forgotten fits in. It’s not such a big deal, really – things get deleted and forgotten all the time on the internet. Eric Schmidt and Jimmy Wales’ things, too. The right to be forgotten is just one of many mechanisms through which such deletions might take place. Almost completely overlooked in the media coverage, and the runaway notion that this is a ‘right for the rich and famous’ is the fact that already people with resources and knowledge use ‘reputation management’ services to hunt down and remove uncomplimentary things about them. Already ‘rights holders’ use copyright law to have things that breach their rights removed from the net – and routes to them removed, obscured or deleted. Already companies choose to cleanse old websites, to rebrand themselves and so forth. The right to be forgotten – both in its ‘Google Spain’ form and in a purer deletion of data form – would be just one of many tools through which the internet changes form. That constant changing should be understood and celebrated – and refined not fought and feared. It’s part of what makes the internet so great.

That doesn’t, of course, mean that it shouldn’t be treated critically. It should, very much so. It doesn’t mean that the Google Spain ruling is without fault – it isn’t, and the way that Google has implemented it to date has highlighted many of those faults. And yes, it’s a tool that could well be misused – most tools are, but we don’t outlaw kitchen knives because they could be used to stab people. For ordinary people, in extraordinary circumstances, it could be a real boon. Ordinary people need to be given a chance to contribute, to participate, to be part of that great community that so many of us hope the internet can become. Of course we need to find a way to make it work better. We need to set out more appropriate rules and good, solid guidelines as to how it should be operated – and to reduce the possibility of its misuse. We need all of this, both to help Google and to keep the internet open….

…because that’s the bottom line. Having ways to delete information isn’t the enemy of the internet of the people, so much as an enemy of the big players of the internet. In terms of the ordinary people, it’s very much the internet’s friend. Wikipedia demonstrates the need to have deletion and correction as well as addition as part of its toolkit. Jimmy Wales knows this, I suspect, though I’m not sure he’s applied this knowledge to the internet as a whole. He may not like the way that this particular tool has been developed – for judges and courts are often seen as the enemies of openness, and from an America perspective, European judges and courts may be the worst of all. Nobody wants to be told what to do – and often they’re quite right to resist what they’re told to do.

However, an excessive faith in the ‘record’ of the internet, and an excessive reverence for the way that the internet (and Google in particular) currently works are also enemies of real openness. We need to be open to changes – and yes, even changes in all of these.

—————-

This blog post was inspired in part by reading Nathaniel Tkacz’s work on Openness.

Privacy invasive law in Mexico – guest post by Lisa M Brownlee

I’ve written about this before – but things have moved on, and not in a good way. Some aspects of the law discussed are deeply troubling, and privacy activists around the world should be concerned. The following is by Lisa M Brownlee – an information security/privacy and intellectual property legal scholar and author residing in Mexico, and someone whose work is well worth following, as is Lisa herself, on Twitter, where her tag is @lmbrownlee1. Her work on an early version of the law being discussed was published in ArsTechnica.

Mexico’s new telecommunications law – including controversial surveillance and data retention provisions.

On Wednesday, August 13, in a 4-3 vote, Mexico’s personal data protection authority, IFAI, (Federal Institute for Access to Information and Data Protection) considered and voted against challenging the constitutionality of Mexico’s new telecommunications law, the Federal Telecommunications and Broadcasting Act (FTBA).

The National Human Rights Commission (CNDH) was also empowered to block the legislation on constitutional grounds but failed to do so by Wednesday’s challenge deadline. The Mexican legislature’s Chamber of Deputies, also empowered to prevent the law’s taking effect, was 12 signatures short of a vote to block the FTBA. FTBA therefore took effect on August 13.

Shortly after the vote, Mexico’s Secretary of Communications and Transport (SCT), Gerardo Ruiz Esparza welcomed the new law and hailed, among other provisions, the law’s authorization of SCT to establish new Internet connections in over 40,000 public places nationwide.

IFAI is mandated to protect the privacy and personal data of citizens, and thus had the authority to challenge the constitutionality of the data collection, retention and access provisions of FTBA Articles 189 and 190. During the hearing, IFAI members stated that the data collected and retained under the FTBA was not “personal data”, and that IFAI therefore lacked standing to bring the suit.

FTBA Article 189 requires telecommunications licensees and Internet service providers to provide real-time geographic location of any type of communication device to public servants and security officials at their request, without warrant. Article 190 provides for the collection of data pertaining to communications, including the-origin of calls, duration, location, text messages metadata, activity on the network, and for the retention of such data for up to 24 months. Both provisions provide warrantless access by a broad range of government and law enforcement personnel.

Human rights activists fighting the constitutionality of the FTBA’s geolocation and data retention and access provisions were disappointed in IFAI’s failure to take action. The Twitter hashtag #IFAIL arose shortly after the no vote, the tag being a play on IFAI’s name, designating failure to carry out its privacy and data protection authority.

The digital rights group R3D Mexico decried as indefensible the statement made by IFAI president Ximena Puente that the data retained by the telecommunications companies was not “personal data”, and later criticized the failure of IFAI, CNDH and the Chamber of Deputies to act.

We need to watch this space!

DRIP: web-mail and web-browsing….

One of the big questions concerning data retention and the hastily-passed DRIP is whether it applies to web-browsing activities. Indeed, Julian Huppert MP asked the question during that all-too-brief debate in parliament, and was assured that it did not. I was far from convinced by the answer, and remain far from convinced, particularly given the idea that this ‘update’ to powers is intended to cover activities like webmail and social networking messages. Some colleagues have been asking questions, and a reliable source within one of the US companies that operates webmail (amongst other things) told us that they don’t expect the data retention powers to apply, given that they have never done so and the government made clear that there was no change in that through DRIP. They added further that as a US company, they are in a very different situation to UK providers.

That leaves us in a very interesting situation. If you’re communicating by webmail or social networking, how can your activities be caught? I can see only two ways: directly from the webmail company, or by capturing web-browsing through the ISP. If there are other ways, I’d like to know… because in the current circumstances I can see only three options:

That webmail and social networking will not be covered by DRIP. That’s almost inconceivable, given the intentions of DRIP and the extent to which communications of the kind that those behind DRIP want to capture take place on webmail and social networks; or
That the non-UK webmail and social network providers have been misled, and DRIP will be used to compel them to gather and hold communications data concerning activities on their services; or
That Julian Huppert – and parliament, and the people of the UK – has been misled, and DRIP will be used to gather web-browsing activities.

If there’s another option, I’d like to know it. It’s entirely possible, as I’ve been wrong often before, but I can’t see it immediately.

My instinct is that the third option is the most likely – and that the intent of DRIP was always to gather web-browsing activity. If we’d had proper time for scrutiny of the bill, and to get experts to ask questions in committee, we might know the answers – and make sure that appropriate balances and controls are put in place. We didn’t. I have a strong suspicion that was entirely intentional too.

A right to delete – not a right to be forgotten…

One of the many things people are getting angry about the ‘right to be forgotten’ is in the name… something that I’ve been banging on about for some years. I talk about the right quite a lot in my book Internet Privacy Rights… so I thought I’d just give a quick flavour of it. Here are a couple of paragraphs from Chapter 7:

“This idea of a right to delete is subtly but importantly different from the idea of a ‘right to be forgotten,’ as currently under discussion by European Regulators for inclusion in the forthcoming revision of the Data Protection regime. Quite how such a right might work in practice is still not entirely clear – but the connotations of the name of the right as well as the implications of its implementation are of concern and have been subject to criticism. A right to be forgotten looks like the rewriting or erasing of history, or a kind of censorship. The right to delete is about the control of data, not about censorship – and if properly understood and implemented is not in conflict with freedom of expression. It should not be seen as a way to rewrite or conceal history or as a tool for celebrities or politicians; it is rather a basic and pragmatic right available to all.

Equally importantly, a right to delete imposes different duties on different people that what might be understood by a right to be forgotten. It changes the rights being balanced, and the duties that are imposed on others: it is balanced against businesses’ ‘right’ to hold data rather than against individuals’ rights to remember. Of course we have the right to remember things – it is much more questionable whether businesses have a right to hold our personal data. We can impose duties (both moral and legal) on businesses to delete – but we can’t impose duties on people to forget.”

So far, we seem to be stuck with the name. I wish we weren’t… but we are. That shouldn’t, however, detract from the underlying issues.

Dave Eggers’ The Circle: a book for our times…

I was introduced to Dave Eggers’ novel, The Circle, by Professor Andrew Murray – one of the pre-eminent scholars in IT Law in the UK, and also on of my PhD supervisors. I know I’m very late to this game – the book came out in 2013, and all the cool people will already have read it or reviewed it, but in this case I think it’s worth it. And the fact that someone like Andrew Murray would recommend it should give pause for thought: this isn’t just an entertaining piece of science fiction, it’s a book that really makes you think. It’s not just a dystopian vision of the future, it’s one that is far, far closer to reality than almost any I’ve read – and dystopian novels and films are pretty much my favourite genre.

It’s a book that reminded me why, unlike most of my schoolmates, I always preferred Brave New World to 1984 – and why, of the various privacy stories of the last few months I suspect, ultimately, the Facebook Experiment and the ruling over the Right to be Forgotten will matter more than the passing of the deeply depressing DRIP. In the end, as The Circle demonstrates graphically, we have more to fear from corporate domination of the Internet than we do from all the spooks and law enforcement agencies.

The Circle from which the novel gets its name is a technology company that combines a great deal of Google and Facebook with a little dash of Apple and a touch of Twitter. It dominates search and social media, but also makes cool and functional hardware. Egger’s triumph in the Circle is that he really gets not just the tech but the culture that surrounds it – little details like sending frowns to paramilitaries in Guatemala echo campaigns like #BringBackOurGirls in their futility, superficiality and ultimate inanity. The lives portrayed in the Circle should send shivers down the spines of any of us who spend much time on Twitter or Facebook: that I read the book whilst on a holiday without much Internet access made the point to me most graphically.

Privacy is theft

Eggers echoes both 1984 and Brave New World in using slogans to encapsulate concepts – exaggerating to make the point. For the Circle, these are:

Secrets are lies
Sharing is caring
Privacy is theft

All three are linked together – and connected to the idea that there’s something almost mystical about data. We don’t just have no right to privacy, we have a duty to disclose, a duty to be transparent. A failure to disclose means we’re depriving others of the benefits of our information: by claiming privacy, we’re stealing opportunities and advantages that others have the right to. If we care about others, we should share with them. This is Facebook, this is Google Flu Trends – and it’s the philosophy that implies that those of us who oppose the care.data scheme through which all our health data will be shared with researchers, pharmaceutical companies and many others, are selfish Luddites likely to be responsible for the deaths of thousands.

It is also the philosophy behind a lot of the opposition to the right to be forgotten. That opposition is based on the myth – one that Eggers exposes excellently – that the records on the Internet represent ‘the truth’ and that tampering with them, let alone deleting anything from them, is tantamount to criminality. Without spoiling the plot too much, one of the characters is psychologically and almost physically destroyed by the consequences of that. Eggers neatly leaves it unclear whether the key ‘facts’ that do the damage are actually real – he knows that this, ultimately, isn’t the point. Even if it all were true, the idea that maintaining it and exposing it would be a general good, something to be encouraged and fought for, is misguided at best.

It’s about power – and how it’s wielded

In the novel, The Circle has the power – and it wields it in many ways. Emotional manipulation, keeping people happy and at the same time keeping them within the Circle, is the key point – and the echoes of the Facebook Experiment, about which much has been written, but much has missed the deeper points, are chilling here. One of the real functions of the experiment was for Facebook to find ways to keep people using Facebook…

Another of the key ways that the Circle wields power is through its influence over lawmakers – and the same is sadly evident of Google and Facebook, in the UK as much as in the US. In the UK in particular the influence over things like opposition to data protection reform – and the right to be forgotten – are all too clear. It would be great if this could change, but as in the novel, the powers and common interests are far too strong for much chance. More’s the pity.

As a novel, The Circle is not without fault. I guessed the main plot twist less than half-way through the book. There’s a good deal of hyperbole – but this is dystopian fiction, after all – and the tech itself is not exactly described convincingly. What’s more, the prose is far from beautiful, the characters are mostly rather two-dimensional, and often they’re used primarily to allow Eggers to make his points, often through what amount to set speeches – but Huxley was guilty of that from time to time too. Those speeches, however, are often worth reading. Here, one of the dissidents explains his objections:

“It’s the usual utopian vision. This time they were saying it’ll reduce waste. If stores know what their customers want, then they don’t overproduce, don’t overship, don’t have to throw stuff away when it’s not bought. I mean, like everything else you guys are pushing, it sounds perfect, sounds progressive, but it carries with it more control, more central tracking of everything we do.”

“Mercer, the Circle is a group of people like me. Are you saying that somehow we’re all in a room somewhere, watching you, planning world domination?”

“No. First of all, I know it’s all people like you. Individually you don’t know what you’re doing collectively. But secondly, don’t presume the benevolence of your leaders.”

In that brief exchange Eggers shows how well he gets the point. A little later he nails why we should care much more about this but don’t, focussing instead on the spooks of the NSA and GCHQ.

“Here, though, there are no oppressors. No one’s forcing you to do this. You willingly tie yourself to these leashes.”

That’s the problem. We don’t seem to see the risk – indeed, just as in the novel, we willingly seem to embrace the very things that damage us. Lawmakers, too, seem not to see the problem – and as noted all too often allow themselves to be lobbied into compliance. The success of Google’s lobbyists over the right to be forgotten is testimony to this. Even now, people who really should know better are being persuaded to support the Circle sorry, I mean Google’s business model rather than address a real, important privacy issue.

Coming to a society near you…

We’re taking more and more steps in the direction of the Circle. Not just the Facebook experiment and the reaction to the ‘right to be forgotten’ ruling – but even in the last week or two a House of Lords committee has recommended an end to online anonymity, effectively asking service providers to require real names before receiving services. This is one of the central planks of the way the Circle takes control over people’s lives, and one which our lawmakers seem to be very happy to give them. There are also stories going around about government plans to integrate various databases from health and the DVLA to criminal records… another key tenet of the Circle‘s plans… The ‘detailed’ reasons for doing so sound and seem compelling – but the ultimate consequences could be disastrous…

Anyway, that’s enough from me. Read the book. I’ll be recommending it to
my Internet Law and Privacy students, but I hope it’s read much more widely than that. It deserves to be.