A privacy friendly future?

UPDATE: The slides for this presentation are now online here.

Later this week I shall be attending BILETA – the British and Irish Law, Education and Technology Association conference – at Liverpool Law School. In technology terms it’s a venerable institution and a long standing event: this will be the 28th annual conference. I’ve attended the last four, and talked about privacy-related subjects in all of them. Looking back at them, what surprises me is that, despite some of the doom-laden stuff that I write and talk about, I seem to be getting more rather than less optimistic.

The very fact that the subject I’m presenting on this week is ‘A Privacy-Friendly Future?’, albeit with a crucial question mark, gives a hint as to my overall view. The future of privacy on the internet is very much in the balance, in my opinion – but a few years ago I would have said that the balance was tilted hugely in one direction – against privacy – and now I’m not quite so sure.

My talk will explain why I think this is so. There are a number of key reasons to feel less than completely depressed about privacy. There have been ‘victories’ of a sort over the last few years, from the defeat of that most intrusive of behavioural advertisers, Phorm, to the (at least short term) rebuffing of the Communications Data Bill. The well-orchestrated defeats of SOPA, PIPA and ACTA even had their privacy elements. What’s more, even businesses seem to be getting the privacy bug. That old dinosaur Microsoft’s bold stance that Do Not Track should be ‘on’ by default on Internet Explorer, and Mozilla’s decision to block third party cookies by default on the latest version of Firefox are both signals. They may not work – indeed, Microsoft’s decision may be counterproductive in the short term, as advertisers choose to simply ignore the Do Not Track setting – but they are still significant. Significant in that they show that privacy has become a selling point – that doing things that are ‘privacy-friendly’ and being seen to do things that are privacy-friendly are viewed as being good for business.

Other privacy-friendly technology, is developing apace, and getting more user-friendly all the time – track-blockers like Ghostery and DoNotTrackMe, VPN and proxy services like hidemyass.com, TOR etc, privacy-friendly search engines like duckduckgo.com and startpage are simple, functional and attractive – and in their basic forms free.

Of course these are in many ways little things, and at the same time we have such privacy nightmares as Facebook’s new ‘Home’ and technology like Google Glass pushing the privacy-invasive envelope in previously unimaginable ways, and governments pushing for more and more surveillance all the time.

Will the privacy-invaders win? Or do we have a chance to create a privacy-friendly future? Ultimately, I think we still do. The bottom line of my hopeful outlook is that surveys seem to suggest that this, in the end, is what people want. One of the most recent such surveys, by Ovum, suggest ‘that 68 percent of the Internet population across 11 countries would select a “do-not-track” (DNT) feature if it was easily available‘ – and that this figure is pretty consistent around the world. In particular, the people of the US are just as keen not to be tracked as those in Europe. What’s more, the more people learn about what’s happening, the more they seem to care. And they will learn – privacy is much bigger news than it was when I first started working in this field. It’s no longer just a subject for geeks and tin-foil hat-wearers.

Ultimately, what the people want, they will get. Businesses will respond – and they’re beginning to. Governments will respond – in the UK, the way that the Communications Data Bill was given a thorough bashing will have raised a few eyebrows, and may have started a few people thinking differently. I hope so.

It’s still very much in the balance – but right now, it feels possible, where a few years ago it felt all-but impossible. I hope I’m right….

Let’s forget the right to be forgotten…

….and talk about the important part of that right in less emotive, less distracting, and more accurate terms. I’m not interested in rewriting or erasing history, I’m not interested in hiding my past – selectively or completely. I am, however, interested in cutting down the amount of data held about me for spurious purposes, and interested in having more control over what commercial enterprises do with the data they have on me. I don’t want a right to be forgotten – I want a right to delete personal data!

I asked a question about this at the Westminster Media Forum a few weeks ago, and gave a presentation on the subject at BILETA in Manchester yesterday – but I think the subject needs more attention. At the Westminster Media Forum, there was a particularly acerbic attack on the right to forgotten by journalist Tessa Mayes, who seemed to think that the right was all about restricting journalists’ rights to report on past events. At BILETA, even though I made the point very directly that the right to delete data isn’t the same as a right to be forgotten, one of the biggest questions I got was actually exactly about how such a right would effectively mess up the historical archive that the internet provides. For me, the right to delete data isn’t like that at all – but calling it a right to be forgotten can easily mislead people into thinking it is.

The right to delete, as I set it out in my presentation (slides of which are available by email), is something that allows individuals control over what data is held about them – but it has a number of specific exceptions, situations where data should be allowed to be kept, regardless of the desire of the individual concerned. They include examples such as medical records, criminal records, electoral rolls and so forth – and appropriate historical archives. All that should be clear – and should prevent the problems that would be associated with a real ‘right to be forgotten’.

The point is, though, that those holding data should need to justify that holding – rather than the individual justify why they would like data to be removed. If there ARE good reasons to hold data, then say so. If not, then the individual should have the right to delete it. The key thing to understand, though, is that BUSINESS reasons – and in particular the fact that you can make money out of holding someone’s data – are not sufficiently strong to override someones right to delete data. Privacy is more important than that.

Forgetting is important too – as Viktor Mayer-Schönberger has described so eloquently and compellingly in his excellent book Delete – but, as Mayer-Schönberger himself suggests, rights may not be the best way to bring it about. Talking about a bald ‘right to be forgotten’ doesn’t really help either the understanding of what is a complex and important issue, or about dealing with the important both practical and ethical issues surrounding rights over personal data.

So let’s forget about the right to be forgotten – but fight strongly for the right to delete personal data.