Taking a lead on privacy??

Two related stories about privacy and tracking are doing the rounds at the moment: both show the problems that companies are having in taking any sort of lead on privacy.

The first is about Apple, and the much-discussed recent upgrade to their iOS, the operating system for the iPhone and iPad. There’s been a huge amount said about the problems with the mapping system (and geo-location is of course a huge privacy issue – as I’ve discussed before) but now there’s an increasing buzz about their newly introduced tracking controls. Apple, for the first time, have provided users with the option to ‘limit ad tracking’ – though as noted in a number of stories, including this one from Business Insider, that option is hidden away, not in the vaunted ‘Privacy’ tab, but under a convoluted set of menus (first ‘General’ settings, then ‘About’, then scroll down to the bottom to find ‘Advertising’, then click ‘Limit Ad Tracking’). Not easy to find, as even the techie and privacy geeks that I converse with on Twitter have found.

This of course raises a lot of issues – it’s great to have the feature, but the opposite to have it hidden away where only the geeks and the paranoid will find it. It looks as though the people at Apple have been thinking hard about this, and working hard at this, and have come up with an interesting (and perhaps effective – but more on that below) solution, but then been told by someone, somewhere, that they should hide it for fear of upsetting the advertisers. I’d love to know the inside story on this – but Apple are rarely quite as open about their internal discussions as they could be.

There’s a conflict of motivations, of course. On the one hand, Apple wants to make customers happy, and there is increasing evidence that customers don’t want to be tracked – most recently this excellent paper from Hoofnagle, Urban and Li, appropriately entitled “Privacy and Modern Advertising: Most US Internet Users Want ‘Do Not Track’ to Stop Collection of Data about their Online Activities”. On the other hand, Apple don’t want to annoy the advertisers – particularly when the market for mobile is getting increasingly competitive. And the advertisers seem to be on a knife edge at the moment, very touchy indeed, as the latest spats over the ‘Do Not Track’ initiative have shown.

That’s the second story doing the rounds at the moment: the increasing acrimony and seemingly bitter conflict over Do Not Track. It’s a multi-dimensional spat, but seems to have been triggered by Microsoft’s plan to make Do Not Track ‘on’ by default – something that the advertising industry are up in arms about. The ‘Digital Advertising Alliance’ issued a statement effectively saying they would simply ignore Microsoft’s system and track anyway – which led to privacy advocates suggesting that the advertisers wanted to kill the whole Do Not Track initiative. This is Jeff Chester of the Center for Digital Democracy:

“The DAA is trying to kill off Do Not Track. Its announcement today to punish Microsoft for putting consumers first is an extreme measure designed to strong-arm companies that care about privacy.”

Chester and others saying similar things may be right – and it makes people like me wonder if the whole problem is that the ‘Do Not Track’ initiative was never really intended to work, but was just supposed to make people think that their privacy was protected. If it actually got some teeth – and setting it to a default ‘on’ position would be the first way to give it teeth – then the industry wouldn’t want it to exist. There are other huge issues with Do Not Track anyway. As the title of the Hoofnagle, Urban and Li report suggested, people think ‘Do Not Track’ means they won’t be tracked – that their data won’t be collected at all – while the industry seems to think what really matters to people is that they aren’t targeted – i.e. their data is still collected, and they’re still tracked and profiled, but that tracking isn’t used to send advertisements to them. For me, that at least is completely clear. Do Not Track should mean no tracking. Blocking data collection is more important than stopping targeting – because once the data is collected, once the profiles are made, they’re available for misuse later down the line.

That far deeper point is still not being discussed sufficiently. The battle is at a more superficial level – but it’s still an important battle. Who matters more, the consumers or the advertisers? Advertisers would have us believe that by stopping behavioural targeting we will break the whole economic basis of the internet – but that is based on all kinds of assumptions and presumptions, as Sarah A Downey pointed out in this piece for TechCrunch, “The Free Internet Will Be Just Fine With Do Not Track. Here’s Why.” At the recent Amsterdam Privacy Conference, Simon Davies, one of the founders of Privacy International, made the bold suggestion that the behavioural targeting industry should simply be banned – and there is something behind his argument. Right now, the industry is not doing much to improve its image: seeming to undermine the whole nature of Do Not Track does not make them look good.

There’s another spectre that the industry might have to face: the European Union is getting ready to act, and when they act, they tend to do things without a great deal of subtlety, as the fuss around the Cookie Directive has shown. If the advertisers want to avoid heavy-handed legislation, they should beware: ‘Steelie’ Neelie Kroes is getting impatient. As reported in The Register, if they don’t stop their squabbling tactics over Do Not Track, she’s going to call in the politicians….

Someone, somewhere, has to take a lead on privacy. Apple had the chance, and to a great extent blew it, by hiding their tracking controls where the sun doesn’t shine. Microsoft seems to be making an attempt too, but will they hold their nerve in the face of huge pressure from the advertising industry – and even if they do, will their lead be undermined by the tactics of the advertising industry? If no-one takes that lead, no-one takes that initiative, the EU will take their kid gloves off… and then we’re all likely to be losers, consumers and advertisers alike….

Annoyed by those cookie warnings?

…spread your anger!

I’m sure you know the warnings I’m talking about – at least you do if you’re in the European Union. Warnings that appear almost every time you look at a new page on the web, telling you that the site uses cookies, generally telling you that if you continue into the site, you’re accepting they’re going to put cookies on your computer.

Annoying, aren’t they? Patronising, perhaps? Pedantic? Pointless?

Yes, all of the above. The whole thing’s a bit silly, really. As many people who visit this blog probably realise, they’re appearing as a result of a bit of European law – often referred to as the ‘cookies directive’, but more accurately an update to the e-privacy directive (the Directive on Privacy and Electronic Communications). An annoying piece of legislation, one which even before it was passed in 2009 had been subject to pretty intense criticism – and rightly so. The drafters of the legislation deserve a great deal of criticism and a good deal of anger – it’s a bit of a pig’s ear, to be frank. So should the politicians and bureaucrats who brought it into action. Typical European busybodies, I’ve heard it said. They want to control everything we do…

…and yet, deserving though they are of a lot of criticism, they’re not the only ones who should bear the brunt of the anger, of the annoyance. Legislation, even poorly drafted and misguided legislation, doesn’t emerge in a vacuum. That’s particularly true in the case of the cookies directive – it emerged, as most law does, because there was a problem. In this case, the problem was that our privacy was being invaded, persistently and on a large scale, particularly by those involved in the online advertising industry.

Those who follow my blog may have heard me write before about Phorm, perhaps the most invasive and offensive of the behavioural advertisers, whose systems were designed to intercept your entire internet activity, track you and profile you, so as to be able to target advertisements at you. Their activities were hugely invasive of privacy – so much so that the outrage that grew about it played a key part in forcing them to abandon their business – and yet the online advertising industry bodies supported them throughout and did their very best to discourage any kind of investigation into their activities.

The cookies directive – and all those annoying warnings – has its origins in that story. Whilst privacy advocates investigated and European politicians and bureaucrats tried to first of all find out what was happening and then try to work out some kind of solution, what they got from the industry was characterised by denial, obfuscation and obstruction. Either there wasn’t a problem at all, or it would be best solved by self-regulation. Neither of those was true – and the people, politicians and bureaucrats knew it. Their equivalents in the US know it too, which is why they’re still trying to get the ‘Do Not Track’ initiative off the ground – and in the US they’re receiving the same kind of resistance as they got in Europe.

Regulators don’t like being fobbed off. They don’t like being treated without respect, or told they’re being foolish – it’s not the best way to get useful, helpful and productive regulation. Instead, it’s likely to bring about bad law – stuff like the cookies directive. Yes, it’s a stupid law – but it would never have been brought into action if the online advertisers had admitted that there was a problem, and at least tried to do something about it. If they’d shown some degree of understanding first of all that people were upset, secondly that they had a reason to be upset, and thirdly that they should do something about it, then they might have been able to head off the legislative mess that has resulted. They didn’t.

It’s not an unusual story – there are parallels with the way the newspaper industry’s far-from-effective self-regulation led to the Leveson Inquiry, and may end up in over-the-top regulation of the press. If you behave badly, and continue to behave badly even when people complain, things like that happen…. and you can’t just blame the regulators.

In the case of the cookies directive – and all those annoying warnings – the online advertising industry should take their share of your annoyance and anger…..

10 things I hate about the ICO

With apologies to William Shakespeare, Elizabeth Barrett Browning, Heath Ledger, Julia Stiles and many more…

10 things I hate about the ICO

I hate the way you ask for teeth but seem afraid to bite
I hate the way you think the press are far too big to fight
I hate the way you always think that business matters most
Leaving all our online rights, our privacy, as toast

I hate the way you keep your fines for councils and their kind
While leaving business all alone, in case the poor dears mind
I hate the way you take the rules that Europe writes quite well
And turn them into nothing much, as far as we can tell

I hate the way that your advice on cookies was so vague
Could it possibly have been, you were a touch afraid?
I hate the way you talked so tough to old ACS Law
But when it came to action, it didn’t hurt for sure

I hate the way it always seems that others take the fore
While you sit back and wait until the interest is no more
I hate that your investigations all stop far too soon
As PlusNet, Google and BT have all found to their boon

I hate the way you tried your best to hide your own report
‘Bury it on a busy day’; a desperate resort!
You should be open, clear and fair, not secretive and poor
We’ll hold you up for all to see – we expect so much more!

I hated how when Google’s cars were taking all our stuff
You hardly seemed to care at all – that wasn’t near’ enough
Even when you knew the truth, you knew not what to do
It took the likes of good PI to show you where to go…

I hated how my bugbears Phorm, didn’t get condemned
Even when their every deed could not help but offend
You let them off with gentle words, ‘must try harder’ you just said
Some of us, who cared a lot, almost wished you dead

You tease us, tempt us, give us hope – then let us down so flat
We think you’re on our side – you’re not – and maybe that is that!
Will all these bad things ever change? We can but hope and dream
That matters at the ICO aren’t quite as they might seem.

We need you, dearest ICO, far more than we should
We’d love you if you only tried to do the job you could
We’d love you if you stood up tall, and faced our common foes
Until you do, sad though it is, then hatred’s how it goes.

P.S. I don’t really hate the ICO at all really…. this is ‘poetic’ licence!

Out of the mouths of Europeans?

We in Britain can often be highly suspicious of things that come out of Europe – and particularly so when it comes to laws. There’s a level of distrust, a degree of disdain and sometimes a sense that these ‘continentals’ really don’t know what they’re talking about, and that somehow we need to save them from themselves.

Two prime examples of this are current in the world of privacy law. Two pieces of legislation, one current, one proposed, have been given the disdainful British attitude over recent months.

The first is the so-called ‘Cookie Directive’ which came into force on May 26th, essentially suggesting that installing or amending any cookie on any user’s computer would require prior, explicit and informed consent. A strong requirement, and one that was launched amid confusion and complaints – needing to be clarified not just by the issuance of advice by the ICO but subsequently ‘clarified’ by the DCMS in a way that many people thought just added more confusion. The attitude from ministers suggested that they really thought it was essentially stupid and that complying with it was pretty much irrelevant. The Open Rights Group summed it up well, suggesting that Ed Vaizey thought it was all meaningless.

The second is the proposed ‘right to be forgotten’ – an idea currently being pushed by European Commissioner Viviane Reding for inclusion in the forthcoming revision to the Data Protection Directive. This time it was Ken Clarke’s turn to be dismissive and disdainful, suggesting in a speech to the British Chamber of Commerce in Brussels that it was unworkable and, in essence, that the Europeans need to listen more to the British. As he put it:

‘I am optimistic that there’s a common sense solution on this. Our experience in the UK is that security, freedom and privacy are possible.’

Perhaps, however, it’s us, the British, who need to listen more to the Europeans rather than vice versa. For sure, there are problems with both of these two issues. The cookies directive is highly problematic, probably over-the-top, somewhat confused, and clearly very hard to work out in practice – which is why only three of the 27 member states had actually implemented it within the prescribed timescale. The right to be forgotten is ill-defined, also confused, and capable of producing over-emotional reactions – which is why I’ve blogged in the past about renaming and refocusing it – and clearly needs more thought. Both, however, exist for good reasons – and the problems with them should not blind us to those reasons.

The cookies directive was brought in because people are, justifiably, concerned about being tracked, profiled and monitored without their permission, knowledge or understanding. The right to be forgotten is being considered because people are, equally justifiably, concerned about the amount of data being gathered and held about them, and the purposes to which all this data is being put. These are genuine concerns, connected with real rights of great importance – and so far the internet industry and most governments (and particularly the UK government) have paid scant attention to them, and done little to allay our fears or deal with the problems. The European Parliament and Commissioner Reding understand those fears – and want to do something about it. Their reactions may not exactly work, and may even cause more problems than they solve – but they have at least tried to address the issues. Rather than react with disdain and superiority, it would be far better if our ministers listened a little more – and understood that they need to do something….