The Saga Of the Privacy Shield…

(With apologies to all poets everywhere)


Listen to the tale I tell

Of Princes bold and monsters fell

A tale of dangers well conceal’d

And of a bright and magic shield


There was a land, across the bay

A fair land called the USA

A land of freedom: true and just

A land that all the world might trust


Or so, at least, its people cheered

Though others thought this far from clear

From Europe all the Old Folk scowled

And in the darkness something howled


For a monster grew across the bay

A beast they called the NSA,

It lived for one thing: information

And for this it scoured that nation


It watched where people went and came

It listened and looked with naught of shame

The beast, howe’er, was very sly

And hid itself from prying eyes


It watched while folk from all around

Grew wealthy, strong and seeming’ sound

And Merchant Princes soon emerged

Their wealth it grew surge after surge


They gathered data, all they could

And used it well, for their own good

They gave the people things they sought

While keeping more than p’rhaps they ought


And then they looked across the bay

Saw Old Folk there, across the way

And knew that they could farm those nations

And take from them their information


But those Old Folk were not the same

They did not play the Princes’ game

They cared about their hope and glory

Their laws protected all their stories


‘You cannot have our information

Unless we have negotiations

Unless our data’s safe and sound

We’ll not let you plough our ground’


The Princes thought, and then procured

A harbour safe and quite secure

Or so they thought, and so they said

And those Old Folk gave them their trade


And so that trade just grew and grew

The Old Folks loved these ideas new

They trusted in that harbour’s role

They thought it would achieve its goal


But while the Princes’ realms just grew

The beast was learning all they knew

Its tentacles reached every nook

Its talons gripped each face, each book


It sucked up each and ev’ry drop:

None knew enough to make it stop

Indeed, they knew not what it did

‘Til one brave man, he raised his head


And told us all, around the world

‘There is a beast, you must be told’

He told us of this ‘NSA’

And how it watched us day by day


He told us of each blood-drenched claw

He named each tentacle – and more

And with each word, he made us fear

That this beast’s evil held us near


In Europe one man stood up tall

“Your harbour is not safe at all!

You can’t protect us from that beast

That’s not enough, not in the least!”


He went unto Bourg of Luxem

The judges listened care’fly to him

‘A beast ‘cross the bay sees ev’rywhere

Don’t send our secrets over there!’


The judges liked not what they saw

‘That’s no safe harbour,’ they all swore

“No more stories over there!

Sort it out! We do all care!”


The Princes knew not what to do

They could not see a good way through

The beast still lurked in shadows dark

The Princes’ choices seemed quite stark


Their friends and fellows ‘cross the bay

Tried to help them find a way

They whispered, plotted, thought and plann’d

And then the Princes raised their hands


“Don’t worry now, the beast is beaten

It’s promised us you won’t be eaten

It’s changed its ways; it’s kindly now

And on this change you have our vow


Behold, here is our mighty shield

And in its face, the mighty yield

It’s magic, and its trusty steel

Is strong enough for all to feel


Be brave, be bold, you know you should

You know we only want what’s good”

But those old folk, they still were wary

That beast, they knew, was mighty scary


“That beast of yours, is it well chained?

Its appetites, are they contained?

Does it still sniff at every door?

Its tentacles, on every floor?”


The Princes stood up tall and proud

“We need no chains”, they cried aloud

“Our beast obeys us, and our laws

You need not fear its blunted claws.”


“Besides,” they said, “you are contrary

You have your own beasts, just as scary”

The Old Folk looked a mite ashamed

‘Twas true their own beasts were not tamed


“‘Tis true our beasts remain a blight

But two wrongs never make a right

It’s your beast now that we all fear

Tell us now, and make it clear!”


“Look here” the Princes cried aloud

“Of this fair shield we all are proud,

Its face is strong, its colours bright

There’s no more need for any fright.”


The Old Folk took that shield in hand

‘Twas shiny, coloured, bright and grand

But as they held it came a worry

Why were things in such a hurry?


Was this shield just made of paper?

Were their words just naught but vapour?

Would that beast still suck them dry?

And their privacy fade and die?


Did they trust the shield was magic?

The consequences could be tragic

The monster lurked and sucked its claws

It knew its might meant more than laws


Whatever happened, it would win

Despite the tales the Princes spin

It knew that well, and so did they

In that fair land across the bay.





Infamy, Infamy, they’ve all got it in for me!

“Beware the Ides of March!”

These are strange times for a company who does no evil. The top people at Google must feel at times as though everyone’s got it in for them. Google already faces 20 years of privacy audits from the FTC in the US and is under fairly continuous attack by regulators in Europe – as I blogged last week, Commissioner Reding in particular seems ready to rumble. More than that, it is facing almost unprecedented and aggressive advertising and lobbying from its competitors – Microsoft in particular seems to be trying to ‘smear’ Google, as one noted blogger has put it. Google’s new privacy policy, officially in place since 1st March, has come under attack from almost everyone – not just the various regulators and their competitors but a whole range of privacy advocacy groups. Google are under attack from the top to the bottom – in the UK, privacy campaigner Alexander Hanff has launched a small claim against Google, effectively asking for his money back for the Android phone he bought before the privacy policy came in. On top of all this, the latest revelations that apps on the Android platform can access your calls and texts have sent waves of dissent and anger around the web.

Why does it look as though everyone has got it in for Google? Jealous competitors trying to bring them down for purely selfish reasons? Sniping privacy advocates missing the point? Overzealous regulators trying to catch the biggest fish? After all, Google are the good guys! As they see it, they’ve been open and honest about their privacy policy, giving people plenty of warnings that it was coming in – far too many for some. I’ve lost count of how many times they’ve tried to tell me all about it in various ways. Also from their perspective, the problems with Android are just a side effect of their ‘openness’ – compared to the ultra-controlling Apple, they give app developers plenty of freedom. As for the European regulators, well we all know they’re crazy, and their right to be forgotten is just an excuse for censorship – all Google are doing in opposing them is fighting for freedom. Excessive regulation could “stifle innovation and stall forward progress” as Google Executive Chairman Eric Schmidt warned last week.

Are Google right and everyone else wrong? I can see their perspective – and have some sympathy with them in some ways. The glee with which their competitors have leapt upon the privacy policy furore isn’t exactly edifying, and I can’t say that I would trust Microsoft or Facebook any more than I would Google – and even the previously relatively ‘clean’ Twitter has seriously blotted its privacy copybook by selling its tweet archive to data-miners Datasift. It’s also true that European regulators can seem to have a tendency to use a sledgehammer to crack even a small nut….

….but from my perspective, at least, there’s something in each of the complaints, and the way that Google seems to be dealing with them doesn’t exactly seem positive or productive. They’ve come out fighting, complaining about regulation without seeming to ask why that regulation has happened. Regulation doesn’t come from a vacuum – if it did, it wouldn’t get support, even from the most zealous of bureaucrats. Regulation arises in reaction to a problem – sometimes it causes problems of its own, sometimes it is over the top, sometimes it misses the point, but unless there’s a problem there to start with the regulation won’t get even close to becoming reality. Here, there IS a problem, and if Google wants to stop everyone having it in for them they need to start by recognising the problem and starting to address it. If Larry Page wants to stop excessive regulation from stifling innovation and stopping forward progress, he should know what to do.

Why did Caesar meet his doom on the Ides of March? Was it the jealousy of all those around him, each wanting to stick the knife in? That certainly seemed to contribute – but it probably wasn’t the main reason. Everyone had it in for Caesar because he’d become a tyrant. He’d stopped listening. If Google wants things to change, it has to start by changing itself. It has to understand why people are bothered by all the things it has done – and do something about them.

From a privacy perspective, Google stands at a crossroads. There have been signs that it had started to ‘get’ privacy – Alma Whitten in particular seems to have a real understanding of the issues – but at the same time there is still a sense that they want to ride roughshod over everyone’s objections. If Google choose the ‘privacy direction’, they could play a key part in shaping a more ‘privacy-friendly’ internet. They seem at times as though they’re floundering – privacy could be a chance for them to find a new role, one which would get the support, rather than the opposition, of a great many people.

P.S. For anyone that doesn’t recognise either the title of this post or the picture, it’s from that prime example of fine British film-making, Carry On Cleo. If you haven’t seen it – do!

Ready to Rumble?

This morning I attended a lecture given by European Commissioner Viviane Reding – and I have to say I was impressed. The lecture was at my old Alma Mater, the LSE, with the estimable Professor Andrew Murray in the chair, and was officially about the importance of data protection in keeping businesses competitive – but in practice it turned out to be a vigorous defence of the new Data Protection Regulation. Commissioner Reding was robust, forthright – and remarkably straightforward for someone in her position.

Her speech started off by looking at the changes that have taken place since the original Data Protection Directive – which was brought in in 1995. She didn’t waste much time – most of the changes are pretty much self-evident to anyone who’s paid much attention, and she knew that her audience wasn’t the kind that would need to be told. The key, though, was that she was looking from the perspective of business. The needs of businesses have changed – and as she put it, the new regulation was designed to meet those needs.

The key points from this perspective will be familiar to most who have studied the planned regulation. First and foremost, because it is a regulation rather than a directive, it applies uniformly throughout the EU, creating both an even playing field and a degree of certainty. Secondly, it is intended to remove ‘red tape’ – multinational companies will only have to deal with the data protection authorities in the country that is their primary base, rather than having to deal with a separate authority for each country they operate in. Taken together, she said that the administrative burden for companies would go down by 2.3 billion Euro a year. It was very direct and clear – she certainly seems to believe what she’s saying.

She also made the point (which she’s made before) that the right to be forgotten, which has received a lot of press, and which I’ve written about before (ad nauseam I suspect), is NOT a threat to free expression, and not a tool for censorship, regardless of how that point seems to be misunderstood or misrepresented. The key, as she described, is to understand that no rights are absolute, and that they have to compete with other rights – and they certainly don’t override them. As I’ve also noted before, this is something that isn’t really understood in the US as well as it is in Europe – the American ‘take’ on rights is much more absolutist, which is one of the reasons they accept as ‘rights’ a much narrower range of things than most of the rest of the world.

I doubt her words on the right to be forgotten will cut much mustard with the critics of the right on either side of the Atlantic – but I’m not sure that will matter that much to Commissioner Reding. She’s ready for a fight on this, it seems to me, and for quite a lot else besides. Those who might be expecting her to back down, to compromise, I think are in for a surprise. She’s ready to rumble…

The first and biggest opponent she’s ready to take on looks like being Google. She name-checked them several times both in the speech and in her answers to questions. She talked specifically about the new Google privacy policy – coming into force today – and in answer to a question I asked about the apparent resistance of US companies to data protection she freely admitted that part of the reason for the form and content of the regulation is to give the Commission teeth in its dealings with companies like Google. Now, she said, there was little that Europe could do to Google. Each of the individual countries in the EU could challenge Google, and each could potentially fine Google. ‘Peanuts’ was the word that she used about these fines, freely acknowledging that she didn’t have the weapons with which to fight. With the new regulations, however, they could fine Google 2% of their worldwide revenue. 560 million euro was the figure she quoted: enough to get even Google to stand up and take notice.

She showed no sign of backing down on cookies either – reiterating the need for explicit, informed consent whenever data is gathered, including details of the purposes to which the data is to be put. She seemed ready for a fight on that as well.

Overall, it was a combative Commissioner that took to the lectern this morning – and I was impressed. She’s ready for the fight, whether businesses and governments want it or not. As I’ve blogged elsewhere, the UK government doesn’t share her enthusiasm for a strengthening of data protection, and the reaction from the US has been far from entirely positive either. Commissioner Reding had a few words for the US too, applauding Obama’s moves for online privacy (about which I’ve blogged here) but suggesting that the US is a good way behind the EU in dealing with privacy. They’re still playing catch-up, talking about it and suggesting ideas, but not ready to take the bull by the horns yet. We may yet lead them to the promised land, seemed to be the message…. and only with her tongue half in her cheek.

She’s not going to give up – and neither should she, in my opinion. This is important stuff, and it needs fighting for. She’s one of the ‘Crazy Europeans‘ about which I’ve written before – but we need them. As @spinzo tweeted to me there’s ‘nothing more frightening than a self-righteous regulator backed by federal fiat and federal coffers’ – but I’d LIKE some of the companies involved in privacy invasive practices around the net to be frightened. If they behaved in a bit more of a privacy friendly way we wouldn’t need the likes of Commissioner Reding to be ready to rumble. They don’t – and we do!

Out of the mouths of Europeans?

We in Britain can often be highly suspicious of things that come out of Europe – and particularly so when it comes to laws. There’s a level of distrust, a degree of disdain and sometimes a sense that these ‘continentals’ really don’t know what they’re talking about, and that somehow we need to save them from themselves.

Two prime examples of this are current in the world of privacy law. Two pieces of legislation, one current, one proposed, have been given the disdainful British attitude over recent months.

The first is the so-called ‘Cookie Directive’ which came into force on May 26th, essentially suggesting that installing or amending any cookie on any user’s computer would require prior, explicit and informed consent. A strong requirement, and one that was launched amid confusion and complaints – needing to be clarified not just by the issuance of advice by the ICO but subsequently ‘clarified’ by the DCMS in a way that many people thought just added more confusion. The attitude from ministers suggested that they really thought it was essentially stupid and that complying with it was pretty much irrelevant. The Open Rights Group summed it up well, suggesting that Ed Vaizey thought it was all meaningless.

The second is the proposed ‘right to be forgotten’ – an idea currently being pushed by European Commissioner Viviane Reding for inclusion in the forthcoming revision to the Data Protection Directive. This time it was Ken Clarke’s turn to be dismissive and disdainful, suggesting in a speech to the British Chamber of Commerce in Brussels that it was unworkable and, in essence, that the Europeans need to listen more to the British. As he put it:

‘I am optimistic that there’s a common sense solution on this. Our experience in the UK is that security, freedom and privacy are possible.’

Perhaps, however, it’s us, the British, who need to listen more to the Europeans rather than vice versa. For sure, there are problems with both of these two issues. The cookies directive is highly problematic, probably over-the-top, somewhat confused, and clearly very hard to work out in practice – which is why only three of the 27 member states had actually implemented it within the prescribed timescale. The right to be forgotten is ill-defined, also confused, and capable of producing over-emotional reactions – which is why I’ve blogged in the past about renaming and refocusing it – and clearly needs more thought. Both, however, exist for good reasons – and the problems with them should not blind us to those reasons.

The cookies directive was brought in because people are, justifiably, concerned about being tracked, profiled and monitored without their permission, knowledge or understanding. The right to be forgotten is being considered because people are, equally justifiably, concerned about the amount of data being gathered and held about them, and the purposes to which all this data is being put. These are genuine concerns, connected with real rights of great importance – and so far the internet industry and most governments (and particularly the UK government) have paid scant attention to them, and done little to allay our fears or deal with the problems. The European Parliament and Commissioner Reding understand those fears – and want to do something about it. Their reactions may not exactly work, and may even cause more problems than they solve – but they have at least tried to address the issues. Rather than react with disdain and superiority, it would be far better if our ministers listened a little more – and understood that they need to do something….