what do we know and what should we do about…? internet privacy

My new book, what do we know and what should we do about internet privacy has just been published, by Sage. It is part of a series of books covering a wide range of current topics – the first ones have been on immigration, inequality, the future of work and housing.

This is a very different kind of book from my first two books – Internet Privacy Rights, and The Internet, Warts and All, both of which are large, relatively serious academic books, published by Cambridge University Press, and sufficiently expensive and academic as to be purchasable only by other academics – or more likely university libraries. The new book is meant for a much more general audience – it is short, written intentionally accessibly, and for sale at less than £10. It’s not a law book – the series is primarily social science, and in many ways I would call the book more sociology than anything else. I was asked to write the book by the excellent Chris Grey – whose Brexit blogs have been vital reading over the last few years – and I was delighted to be asked, because making this subject in particular more accessible has been something I’ve been wanting to do for a long time. Internet privacy has been a subject for geeks and nerds for years – but as this new book tries to show, it’s something that matters more and more for everyone these days.

It may be a short book (well, it is a short book, well under 100 pages) but it covers a wide range. It starts by setting the context – a brief history of privacy, a brief history of the internet, and then showing how we got from what were optimistic, liberal and free beginnings to the current situation – all-pervading surveillance, government involvement at every level, domination by a few, huge corporations with their own interests at heart. It looks at the key developments along the way – the world-wide-web, search, social networks – and their privacy implications. It then focusses on the biggest ‘new’ issues: location data, health data, facial recognition and other biometrics, the internet of things, and political data and political manipulation. It sketches out how each of these matters significantly – but how the combination of them matters even more, and what it means in terms of our privacy, our autonomy and our future.

The final part of the book – the ‘what should we do about…’ section – is by its nature rather shorter. There is not as much that we can do as many of us would like – as the book outlines, we have reached a position from which it is very difficult to escape. We have built dependencies that are hard to find alternatives to – but not impossible. The book outlines some of the key strategies – from doing our best to extricate ourselves from the disaster that is Facebook to persuading our governments not to follow the current ultimately destructive paths that it seems determined to pursue. Two policies get particular attention: Real Names, which though superficially attractive are ultimately destructive and authoritarian, fail to deal with the issues they claim to and put vulnerable people in more danger, and the current and fundamentally misguided attempts to undermine the effectiveness of encryption.

Can we change? I have to admit this is not a very optimistic book, despite the cheery pink colour of its cover, but it is not completely negative. I hope that the starting point is raising awareness, which is what this book is intended to do.

The book can be purchased directly from Sage here, or via Amazon here, though if you buy it through Amazon, after you’ve read the book you might feel you should have bought it another way!

Paul Bernal

February 2020

A disturbing plan for control…

The Conservative Manifesto, unlike the Labour Manifesto, has some quite detailed proposals for digital policy – and in particular for the internet. Sadly, however, though there are a few bright spots, the major proposals are deeply disturbing and will send shivers down the spine of anyone interested in internet freedom.

Their idea of a ‘digital charter’ is safe, bland, motherhood and apple-pie stuff about safely and security online, with all the appropriate buzzwords of prosperity and growth. It seems a surprise, indeed, that they haven’t talked about having a ‘strong and stable internet’. They want Britain to be the best place to start and run a digital business, and to make Britain the safest place in the world to be online. Don’t we all?

When the detail comes in, some of it sounds very familiar to people who know what the law already says – and in particular what EU law already says – the eIDAS, the E-Commerce Directive, the Directive on Consumer Rights already say much of what the Tory Manifesto says. Then, moving onto data protection, it gets even more familiar:

“We will give people new rights to ensure they are in control of their own data, including the ability to require major social media platforms to delete information held about them at the age of 18, the ability to access and export personal data, and an expectation that personal data held should be stored in a secure way.”

This is all from the General Data Protection Regulation (GDPR), passed in 2016, and due to come into force in 2018. Effectively, the Tories are trying to take credit for a piece of EU law – or they’re committing (as they’ve almost done before) to keeping compliant with that law after we’ve left the EU. That will be problematic, given that our surveillance law may make compliance impossible, but that’s for another time…

“…we will institute an expert Data Use and Ethics Commission to advise regulators and parliament on the nature of data use and how best to prevent its abuse.”

This is quite interesting – though notable that the word ‘privacy’ is conspicuous by its absence. It is, perhaps, the only genuinely positive thing in the Tory manifesto as it relates to the internet.

“We will make sure that our public services, businesses, charities and individual users are protected from cyber risks.”

Of course you will. The Investigatory Powers Act, however, does the opposite, as does the continued rhetoric against encryption. The NHS cyber attack, it must be remembered, was performed using a tool developed by GCHQ’s partners in the NSA. If the Tories really want to protect public services, businesses, charities and individuals, they need to change tack on this completely, and start promoting and supporting good practice and good, secure technology. Instead, they again double-down in the fight against encryption (and thus against security):

“….we do not believe that there should be a safe space for terrorists to communicate online and will work to prevent them from having this capability.”

…but as anyone with any understanding of technology knows, if you stop terrorists communicating safely, you stop all of us from communicating safely.

“…we also need to take steps to protect the reliability and objectivity of information that is essential to our democracy and a free and independent press.”

This presumably means some kind of measures against ‘fake news’. Most proposed measures elsewhere in the world are likely to amount to censorship – and given what else is in the manifesto (see below) I think that is the only reasonable conclusion here.

“We will ensure content creators are appropriately rewarded for the content they make available online.”

This looks as though it almost certainly means harsher and more intense copyright enforcement. That, again, is only to be expected.

Then, on internet safety, they say:

“…we must take steps to protect the vulnerable… …online rules should reflect those that govern our lives offline…”

Yes, We already do.

“We will put a responsibility on industry not to direct users – even unintentionally – to hate speech, pornography, or other sources of harm”

Note that this says ‘pornography’, not ‘illegal pornography’, and the ‘unintentionally’ part begins the more disturbing part of the manifesto. Intermediaries seem likely to be stripped of much of their ‘mere conduit’ protection – and be required to monitor much more closely what happens through their systems. This, in general, has two effects: to encourage surveillance, and to encourage caution about content (effectively to chill speech). This needs to be watched very carefully indeed.

“…we will establish a regulatory framework in law to underpin our digital charter and to ensure that digital companies, social media platforms and content providers abide by these principles. We will introduce a sanctions regime to ensure compliance, giving regulators the ability to fine or prosecute those companies that fail in their legal duties, and to order the removal of content where it clearly breaches UK law.”

This is the most worrying part of the whole piece. Essentially it looks like a clampdown on the social media – and, to all intents and purposes, the establishment of a full-scale internet censorship system (see the ‘fake news’ point above). Where the Tories are refusing to implement statutory regulation for the press (the abandonment of part 2 of Leveson is mentioned specifically in the manifesto, along with the repeal of Section 40 of the Crime and Courts Act 2013, which was one of the few bits of Leveson part 1 that was implemented) they look very much as though they want to impose it upon the online media. The Daily Mail will have more freedom than blogging platforms, Facebook and Twitter – and you can draw your own conclusions from that.

When this is all combined with the Investigatory Powers Act, it looks very much like a solid clampdown on internet freedom. Surveillance has been enabled – this will strengthen the second part of the authoritarian pincer movement, the censorship side. Privacy has been wounded, now it’s the turn of freedom of expression to be attacked. I can see how this will be attractive to some – and will go down very well indeed with both the proprietors and the readers of the Daily Mail – but anyone interested in internet freedom should be very much disturbed.

The Saga Of the Privacy Shield…

(With apologies to all poets everywhere)

Listen to the tale I tell

Of Princes bold and monsters fell

A tale of dangers well conceal’d

And of a bright and magic shield

There was a land, across the bay

A fair land called the USA

A land of freedom: true and just

A land that all the world might trust

Or so, at least, its people cheered

Though others thought this far from clear

From Europe all the Old Folk scowled

And in the darkness something howled

For a monster grew across the bay

A beast they called the NSA,

It lived for one thing: information

And for this it scoured that nation

It watched where people went and came

It listened and looked with naught of shame

The beast, howe’er, was very sly

And hid itself from prying eyes

It watched while folk from all around

Grew wealthy, strong and seeming’ sound

And Merchant Princes soon emerged

Their wealth it grew surge after surge

They gathered data, all they could

And used it well, for their own good

They gave the people things they sought

While keeping more than p’rhaps they ought

And then they looked across the bay

Saw Old Folk there, across the way

And knew that they could farm those nations

And take from them their information

But those Old Folk were not the same

They did not play the Princes’ game

They cared about their hope and glory

Their laws protected all their stories

‘You cannot have our information

Unless we have negotiations

Unless our data’s safe and sound

We’ll not let you plough our ground’

The Princes thought, and then procured

A harbour safe and quite secure

Or so they thought, and so they said

And those Old Folk gave them their trade

And so that trade just grew and grew

The Old Folks loved these ideas new

They trusted in that harbour’s role

They thought it would achieve its goal

But while the Princes’ realms just grew

The beast was learning all they knew

Its tentacles reached every nook

Its talons gripped each face, each book

It sucked up each and ev’ry drop:

None knew enough to make it stop

Indeed, they knew not what it did

‘Til one brave man, he raised his head

And told us all, around the world

‘There is a beast, you must be told’

He told us of this ‘NSA’

And how it watched us day by day

He told us of each blood-drenched claw

He named each tentacle – and more

And with each word, he made us fear

That this beast’s evil held us near

In Europe one man stood up tall

“Your harbour is not safe at all!

You can’t protect us from that beast

That’s not enough, not in the least!”

He went unto Bourg of Luxem

The judges listened care’fly to him

‘A beast ‘cross the bay sees ev’rywhere

Don’t send our secrets over there!

The judges liked not what they saw

‘That’s no safe habour,’ they all swore

“No more stories over there!

Sort it out! We do all care!”

The Princes knew not what to do

They could not see a good way through

The beast still lurked in shadows dark

The Princes’ choices seemed quite stark

Their friends and fellows ‘cross the bay

Tried to help them find a way

They whispered, plotted, thought and plann’d

And then the Princes raised their hands

“Don’t worry now, the beast is beaten

It’s promised us you won’t be eaten

It’s changed its ways; it’s kindly now

And on this change you have our vow

Behold, here is our mighty shield

And in its face, the mighty yield

It’s magic, and its trusty steel

Is strong enough for all to feel

Be brave, be bold, you know you should

You know we only want what’s good”

But those old folk, they still were wary

That beast, they knew, was mighty scary

“That beast of yours, is it well chained?

Its appetites, are they contained?

Does it still sniff at every door?

Its tentacles, on every floor?

The Princes stood up tall and proud

“We need no chains”, they cried aloud

“Our beast obeys us, and our laws

You need not fear it’s blunted claws.”

“Besides,” they said, “you are contrary

You have your own beasts, just as scary”

The Old Folk looked a mite ashamed

‘Twas true their own beasts were not tamed

“‘Tis true our beasts remain a blight

But two wrongs never make a right

It’s your beast now that we all fear

Tell us now, and make it clear!”

“Look here” the Princes cried aloud

“Of this fair shield we all are proud,

Its face is strong, its colours bright

There’s no more need for any fright.”

The Old Folk took that shield in hand

‘Twas shiny, coloured, bright and grand

But as they held it came a worry

Why were things in such a hurry?

Was this shield just made of paper?

Were their words just naught but vapour?

Would that beast still suck them dry?

And their privacy fade and die?

Did they trust the shield was magic?

The consequences could be tragic

The monster lurked and sucked its claws

It knew its might meant more than laws

Whatever happened, it would win

Despite the tales the Princes spin

It knew that well, and so did they

In that fair land across the bay.

Fear and loathing of social media…

There seems to have been a lot of negativity about social media in the last few weeks and months. It has a number of different facets and works in a number of different directions.

Command central for terrorists

One is the portrayal of the social media as evil and dangerous, full of paedophiles, terrorists and worse. We should be afraid of social media. The new head of GCHQ has called Google and Facebook ‘Command Central’ for terrorists such as the so-called Islamic State, something echoed in detail by the Parliament Intelligence and Security Committee’s apparent conclusion that Facebook were the only ones who could have (and didn’t) stop the murder of Lee Rigby. According to this mantra, we need to take control of the social media if the social media companies don’t take control themselves, and accept their ‘social responsibility’

The playground of irrelevant keyboard warriors

The second is the seemingly contradictory portrayal of the social media as pointless, puerile and distracting, reflective of nothing of substance and a great deal of stupidity and foolishness. Social media is something to be loathed. The reaction to the #CameronMustGo hashtag is perhaps the best example – and in particular complaints about the idea that this fact that the hashtag has now trended for upwards of a week (which for people unfamiliar with Twitter trends is something quite remarkable – in Twitter terms) deserves coverage in the mainstream media – and has received it. ‘Why,’ the argument goes, ‘should the real media pay any attention at all to the online witterings of a few dodgy lefty keyboard warriors? That’s not real news.’

So which is it? Is the social media a den of evil, command central for terrorists and something we should all be desperately afraid of – and need to police, to control, to censor? Or is it just the playground of geeks and nerds, lefty political wonks and the liberal media elite, to which we should pay no attention at all? Both? Neither?

A little more complicated….

Reality, as usual, is a little more complicated than that. Social media is in some ways new, in some ways old, in some ways crucially important, in others entirely irrelevant. It needs thought in order to understand, not just a few clichéd words and a bit of pigeon-holing. It’s reflective of ‘real’ life in some ways – and a place and space of its own in others. That, for many of those of us who spend a lot of time using social media, is actually what makes it worthwhile. There are things on here that matter – and there are things that don’t at all. There are ways in which the social media can challenge the ‘mainstream media’, and do jobs that the mainstream media either can’t or won’t do – the coverage of the Israeli incursions into Gaza earlier this year was one of those, opening eyes and then leading at least some of the mainstream media into a very different form of coverage of Palestine and the Palestinians than they had ever shown before. The same for the coverage of the reaction to the killing of Michael Brown in Ferguson – social media’s immediacy, the way that ordinary people could get their own experiences ‘out there’, provided something different, and seemed, at least in some ways, to change the way that the mainstream media (or at least some of it) covered the events. That matters.

At the same time, a lot of the other stuff on social media really is pretty pointless. Stories abound that have no basis in reality – or, worse, distort reality and distract from real coverage of real events. Some of the photos of the full and empty chambers of the Houses of Parliament currently circulating on Twitter fit into this category, as Isabel Hardman has revealed in the Spectator. At times, though, even these pictures do matter – or at least I think so – such as the ones I tweeted myself of the empty chamber during the DRIP debate. They mattered then because the chamber really was empty, and that was the only time that Parliament had to discuss that critical debate – there was no other chance to debate it, no committee stages, no public (or even private) hearings, just that debate. That was it.

At other times, Twitter is just stupid and irrelevant – or silly and fun, depending on your perspective. I use Twitter for important, work-related stuff, for political debate – but also for silly hashtag games. My tweet ‘The Hunt For Red Leicester’ in the #CheeseFilms hashtag games remains one of my favourites.

#CameronMustGo

Where, then, does #CameronMustGo fit in to this – and why do some people seem to absolutely loath it? Some have positively seethed when they tweet about how pointless and irrelevant it is, how ridiculous it is that other people are angry that the BBC isn’t giving it more coverage, how much of a distraction it is from ‘real’ news, how it doesn’t have any ‘real’ basis behind it and so on. Are they right?

For me, there’s a lot of truth in what the critics say in detail – but they miss the ‘bigger’ social media picture. Yes, there’s no ‘real’ basis for it – it wasn’t a particular event that triggered the tweets, just an idea to try to get it trending. It’s not one particular action of our Prime Minister that made people think it was time for him to go. It’s also not true that #CameronMustGo has any chance whatsoever of actually succeeding in making Cameron go anywhere – let alone forcing him out of office.

…but very, very few of those contributing to the hashtag would ever believe that it does. The ones that I know, at least, have very few illusions about what a hashtag can actually contribute, or what the point of it is. #CameronMustGo is something that allows people to vent their frustration at a government that they detest – and at a media that seems to ignore them. It was born out of anger with the mainstream media’s apparent obsession with Ed Miliband’s oddness and awkwardness – and their unwillingness to subject Cameron to similar levels of scrutiny. It was an opportunity to have fun too – and the hashtag is full of humorous as well as serious tweets.

That doesn’t mean that the hashtag needs or deserves attention by the mainstream media in terms other than its own: as a hashtag. As a hashtag, however, it does deserve attention. That is, if you’re studying or covering what’s happening on Twitter, it deserves attention – because Twitter trends rarely last long, and for #CameronMustGo to trend this long. The level of dissent, of attention, of focus necessary to keep this trending is impressive – in Twitter terms.

That’s not to be sneezed at – but neither is it earthshattering. It’s a bit of a Twitter phenomenon – but I doubt Cameron will be losing much sleep over it either. The main way that Twitter matters to politicians is that their own injudicious (or at least arguably injudicious) tweets can be deeply damaging to their careers, as Emily Thornberry found out. Twitter matters most to those on Twitter. It’s not really something to be either feared or loathed – particularly by those who don’t really understand it.

It is, however, those who don’t really understand social media who seem to display the most of that fear and loathing. They might do better to listen a little more to those who spend more time on the social media…..

UPDATE: 2 December 2014

As I write, two days after the initial post, #CameronMustGo is still trending – and the loathing of it seems to have reached new heights. One Tory MP has suggested witheringly that those behind it don’t understand economics, others that it’s no substitute for ‘real’ politics – while journalists continue to treat it largely with disdain. I can see why both politicians and journalists don’t like it – but at times there seems to be something close to fear in their reactions. It’s natural to be afraid of the unknown to some degree – and the problem seems to be that this really is unknown territory.

Journalists have embraced Twitter to a great degree – but there is still a tendency to look down on it because it’s not ‘real’ journalism. That’s true. It isn’t ‘real’ journalism – but that doesn’t mean that it’s somehow a ‘lesser’ thing. It’s just different. It performs different functions – mobilisation of groups who are otherwise unheard is just one of them. Anyone who followed the ‘IamSpartacus’ movement should see that – and journalists should be able to look beyond their own bubbles and see that too.

Most politicians haven’t embraced Twitter to the same extent – except to #TweetLikeAnMP – and they generally treat Twitter with either fear (as it may end their careers, Emily Thornberry-style) or as a PR tool (as they treat a great many things). That, too, is missing the point. Twitter is something quite different…

…and those behind the #CameronMustGo hashtag have realised that. They’re in unknown territory too, as no-one imagined the hashtag would trend this long. As I noted above, this still isn’t earth shattering, and it definitely won’t unseat Cameron – but neither is it intended to. It does what it does, and on its own terms – and it does it spectacularly well, in comparison to other similar attempts.

Facebook And Twitter – Handling Extremism And Disorder

After extensive consultation, FAT-HEAD has been amended to take into account its lack of clarity over costs (see 8) and the unfortunate limitation of extent (see 9).

Facebook And Twitter – Handling Extremism And Disorder Bill (‘FAT-HEAD’)

Contents:

When this Act applies
Facebook and Twitter
Social and Moral Responsibility
Code of conduct
Extremism
Disorder
Acceptance of blame
Costs
Extent, commencement and short title

Bill

Make provision as to matters concerning the social and moral responsibility of Facebook and Twitter, to ensure that proper cooperation is made with the authorities in relation to morality, extremism and disorder.

BE IT ENACTED by the Queen’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—

1. When this Act applies

This Act applies whenever an event of such significance, as determined by the Secretary of State, requires it to. Events include but are not restricted to acts of extremism, of disorder and of embarrassment to the Secretary of State, the government, the intelligence and security services and the police, or any other event deemed appropriate by the Secretary of State.

2. Facebook and Twitter

The powers conferred through this Act apply to Facebook, Twitter and any other online services, systems, or their equivalents, successors or alternatives (‘the services’) as determined by the Secretary of State.

3. Social and moral responsibility

The services shall recognise that they have a social and moral responsibility above and beyond any requirements hitherto required by the law. The requirements that constitute this social and moral responsibility shall be determined by the Secretary of State, in consultation with the editors of the Sun and the Daily Mail.

4. Code of Conduct

The Secretary of State shall prepare a Code of Conduct to cover the actions of the services, in accordance with the social and moral responsibility as set out in section 1. This code of conduct shall cover extremism, disorder, obscenity, dissent and other factors as determined by the Secretary of State.

5. Extremism

i) The services shall monitor the activities of all those who use their services for evidence of extremism, including but not limited to reading all their posts, messages and other communications, analysing all photographs, monitoring all location information, all music listened to and all areas of the internet linked to.

ii) The services shall provide real-time access to all of their servers and all user information to the security services, the police and any others authorised by the Secretary of State, including the provision of tools to enable that access.

iii) The services shall prepare reports on all its users activities, including but not limited to those activities relating to extremism, including contact information, personal details, locations visited and any other information that may be determined from such information.

iv) The services shall provide these reports to the security services, the police and any others authorised by the Secretary of State.

v) The services shall delete the accounts of any user upon the request of the security services, the police or any others authorised by the Secretary of State.

vi) The services may not report that they have provided the access or these reports to anyone without the express permission of the Secretary of State.

6. Disorder

At a time of disorder, as determined by the Secretary of State, the security services or a police officer, the services shall provide the following:

i) Immediate access to location data of all users.

ii) Immediate access to all communications data of all users

iii) Detailed information on all accounts that have any relationship to the disorder

iv) Deletion of accounts of any users deemed to be involved, or likely to be involved, in disorder.

v) Upon order by the Secretary of State, the security services or a police officer, the services shall block all access to their services in an area to be determined by the Secretary of State.

7. Acceptance of Blame

The services shall recognise that their social and moral responsibility includes the requirement to accept the blame for the existence, escalation or consequences of any extremism or disorder. This acceptance of blame must be acknowledged in writing and in the broadcast media, ensuring that the government, the security services and the police are not held responsible for their own roles in such extremism or disorder or their consequences.

8. Costs

All costs for the development, implementation, monitoring, updating and supporting the systems required for the services to comply with the Facebook And Twitter – Handling Extremism And Disorder Act 2014 shall be borne by the services.

9. Extent, commencement and short title

i) This Act extends to England, Wales, and anywhere else on the entire planet, and in addition to inner and outer space, the moon, any planets, comets and other bodies as deemed appropriate by the Secretary of State.

ii) This Act comes into force on the day on which this Act is passed.

iii) This Act may be cited as the Facebook And Twitter – Handling Extremism And Disorder Act 2014.

In praise of pseudonyms…

A remarkably inappropriately titled article appeared in the Telegraph this morning.

“Facebook will soon let you post using someone else’s name”

The article itself, however, said something quite different: that ‘Facebook is reportedly working on a mobile app that will let its users interact without using their real name’. If true, this could be important – and a very positive move. Facebook have long been the champions of ‘real names’ policies: for them to recognise that there are important benefits that arise from the use of pseudonymity and sometimes anonymity is a big development – because there are benefits, and pseudonymity is one of the keys to real freedom of speech and autonomy, both online and in the ‘real’ world.

Firstly, to dispose of the Telegraph’s appalling headline, a pseudonym is very rarely ‘someone else’s name’. There are cases where people try to impersonate others, but these are a tiny fraction of the times that people use pseudonyms. Pseudonyms have been used for a very long time, and for very good reasons. Many people are better known for their pseudonyms than for their ‘real’ names – and they certainly didn’t ‘steal’ them. Did Eric Blair steal the name George Orwell? Did Mary Ann Evans steal the name ‘George Eliot’? Did Gideon Osborne steal the name George? And looking at the first two of those names, did Orwell and Eliot, ‘belong’ to someone else? Of course they don’t. Another George even springs to mind: George Osborne. Should we inset on calling him Gideon, because that was the name his parents gave him? I’m politically opposed to him in every way – but I’d defend his right to call himself George, and defend it to the hilt. Pseudonyms often belong to the people using them every bit as much as their ‘real’ names. In some ways they’re even more representative of the people: when choosing a pseudonym, people often put a lot of thought into the process, choosing something that represents them in some way, or represents some aspect of them.

Sometimes it’s about presentation – and sometimes it’s to protect your ‘real’ identity in an entirely reasonable way. It’s not that you have something to hide – but that your autonomy is better served by the ability to separate your life in some ways. Without that ability, your freedom of expression is chilled. As I’ve written before, there are many kinds of people for whom pseudonymity is crucial: whistle-blowers, people whose positions of responsibility make open speech difficult, people with problematic pasts, people with enemies, people in vulnerable positions, people living under oppressive regimes, young people, people with names that identify their ethnicity or religion, women (at times), victims of spousal abuse and others. It’s also something that helps people to let of steam, to explore different aspects of their lives – or simply to enjoy themselves.

I use my real name most of the time online – amongst other things because my ‘online presence’ is part of my job, an because I make professional links and connections here – but I’m in a privileged position, without any of the obvious vulnerabilities. I’m a white, middle-class, middle-aged, educated, employed, able-bodied, heterosexual, married man. It’s easier for me to function online with my real name – but even I don’t always do so. Over the last decade or so I’ve used a number of pseudonyms, and still use one now. For many years my main online presence was as ‘SpiritualWolf’, prowling the football message boards: I’m a Wolves fan. I didn’t particularly want to connect what I was doing on the football boards with my work life or even my home life – and wanted my football postings to be judged for their content, not on the basis of who I might be. Online life works like that. I created ‘SpiritualWolf’ – but I also was SpiritualWolf. It wasn’t someone else’s name – it was my name.

Even now I used a pseudonym – KipperNick – when I play at being the BBC’s Nick Robinson, in his role as cheerleader for UKIP, a role which, sadly, he often plays better than me. It’s a very different kind of identity – a clearly marked parody account – but it allows me a certain kind of freedom, and lets me have some fun. I don’t use it maliciously – at least I don’t try to….

…and that, in the end, is the rub. It’s not the pseudonymity that’s the problem when we’re looking at malicious communications, for example: it’s the malice. By attacking the pseudonyms we’re not just missing the target we’re potentially shutting off a great deal of freedom, chilling speech and controlling people when that control is really unnecessary. I’m delighted that Facebook has begun to realise this – though I’ll believe it when I see it.

Thanks to the many people who replied to my initial tweet about this earlier today – I’ve shamelessly used your examples in the blog post!

The Resurrection of Privacy?

The video below is the slideshow of my presentation this morning at the Society of Legal Scholars conference in Nottingham – and what follows it are some brief notes to support it. Some of this is speculative and some of it is contentious – particularly in relation to the relative importance of corporate and governmental surveillance – and this is an early stage of this research, though it builds on the work in my book, Internet Privacy Rights. I should also note that this is a development of the paper I gave at BILETA earlier this year: ‘who killed privacy?’

The Resurrection of Privacy?

In 1999, Scott McNealy, then CEO of Sun Microsystems, famously said:

“You have zero privacy anyway. Get over it.”

Events and developments since 1999 have hardly improved the prospects for privacy: the growth of social networking, technological developments like smartphones, geo-location, business ideas such as behavioural tracking and, most recently, the revelations from Edward Snowden about the near universal surveillance systems of the NSA, GCHQ and others. If privacy was in trouble in 1999, the argument that it is at least close to death in 2014 is much stronger.

That brings two questions:

If privacy is dead, who killed it? Did we kill it ourselves? Is it the activities of government agencies like the NSA and GCHQ, or of businesses like Google and Facebook?
If if privacy is in fact dead, is there a possible route towards its resurrection?

Suspect 1: us!

On the face of it, it might appear as though we ourselves have simply given up on privacy. We’ve killed it ourselves by embracing all the privacy-invasive technology that’s offered to us, by failing even to read privacy policies, by allowing the intelligence services to do whatever they want, with barely a murmur of protest. More than a billion of us have joined Facebook, for example, a service based at least in some ways on giving up on privacy, sharing our most intimate information.

That, however, is not the whole story. In many ways it appears that what we have done has been through a lack of awareness rather than by deliberate decisions. The extent to which people understand how systems like Facebook work is hard to gauge – but the surprise that people show when bad things happen suggests that there isn’t a great deal of awareness. It also appears that people are becoming more aware – and as they become more aware, they’re making more privacy-based decisions, taking control of their privacy settings and so forth.

Further, when we’re given the chance to see how intelligence agencies work, we don’t seem to be happy about it – though less, it has to be acknowledged, in the UK than in many other countries. Even so, when the Communications Data Bill was put under full scrutiny, it was rejected – in part because of the public reaction. Further, studies show that people don’t like behavioural advertising – and dislike it more when they learn more about how it works.

All this suggests that we aren’t really the key to the death of privacy: we’re more like unwitting accomplices.

Suspect 2: the NSA and GCHQ

The revelations of Edward Snowden about the surveillance activities sent shockwaves through the internet. Many people had already believed that the NSA, GCHQ and other agencies performed surveillance on the internet – Snowden’s revelations seemed to prove it, and to suggest that the level of surveillance was greater even than that feared by the more extreme of conspiracy theorists. Not just had they been gathering telephony and internet data and building (in the US) massive data centres, but they’d been accessing the servers of the big commercial internet providers, tapping into undersea cables, intercepting traffic between server sites and undermining encryption systems – and much more. The level of privacy invasion is extreme.

However, until Edward Snowden revealed all of this, the agencies were working largely in secret – and while this still constitutes a major invasion of privacy, the impact on people’s behaviour is much smaller. If we don’t know we’re being watched, our actions aren’t chilled – and our beliefs about privacy are not changed. Moreover, the kind of harms done to people by surveillance by the NSA and GCHQ are indirect, at least for most people. Finally, and most importantly, if it were not for the commercial operators’ surveillance, the NSA and GCHQ would have far less to ‘feed’ on.

All this is not to dismiss the role of the intelligence services or indeed the impact of their surveillance activities – they should be resisted with the utmost vigour – but in terms of the death of privacy, they can be seen more as opportunist accomplices, rather than instigators.

Suspect 3: businesses like Facebook and Google

The role of the commercial operators on the internet, on the other hand, is both deeper and more significant either than is often believed or than the role of governments and government agencies on their own. The commercial entities have contributed to the decline of privacy in three kinds of ways:

Systematic – commercial entities have undermined privacy both in technological and business model senses, developing technologies to invade privacy and business models that depend on systematic and essentially covert gathering of personal data. Businesses have also lobbied strongly to reduce the effectiveness of legal privacy protection. In Europe they have done their best to undermine and weaken data protection – including the on-going reform process. They continue to do so, for example in relation to the right to be forgotten. In the US, they have contributed to the effective scuppering of the Do Not Track initiative.
Cooperative – businesses have been working with governments, sometimes willingly, sometimes unwillingly, sometimes knowingly and sometimes unknowingly. The extent of this cooperation and the extent to which is has been willing is unclear – though recent statements from the NSA have suggested that they did know about it and did cooperate willingly. Further, they kept this cooperation secret – until it was revealed by the Snowden leaks.
Normative – businesses have been attempting to undermine the idea that privacy is something to value and something of importance. Mark Zuckerberg’s suggestion that ‘privacy is no longer a social norm’ is reflected not just words but actions, encouraging people to ‘share’ information of all kinds rather than consider the privacy impact. Further, they continue to develop technologies that invade privacy inherently – from geo-technology to wearable health monitoring and things like Google Glass.

All this combines to make the role of the businesses look most significant – if anyone is guilty of killing privacy, it is Facebook and Google rather than the NSA and GCHQ. Moreover, the harms to most people possible from corporate surveillance are both tangible and more likely than harms from the NSA and GCHQ: impact on things like insurance, credit ratings, employability, relationships and so forth are not just theoretical.

As Bruce Schneier put it:

“The NSA didn’t wake up and say, ‘Let’s just spy on everybody.’ They looked up and said, ‘Wow, corporations are spying on everybody. Let’s get ourselves a copy.’”

And as Timothy Garton Ash said when considering the Stasi:

“…the Minister for State Security observed that the results achieved by his ministry ‘would be unthinkable without the energetic help and support of the citizens of our country’. ‘For once,’ I comment, ‘what the Minister says is true.’”

Where the Stasi needs the citizen informers, the new surveillance programmes need the ISPs and the internet giants – the Googles, Facebooks, Microsofts, Yahoo!s, Apples and so forth. That is what makes their role in the reverse so important.

The resurrection of privacy

In the post-Snowden environment, at least on the surface, businesses have started to take a more ‘pro-privacy’ stance. Whether that meaningful, or they are just paying lip service to it, has yet to be seen. Their role, however, is crucial.

Reversing the three roles noted above – systematic, cooperative and normative – could produce a positive impact for privacy, effectively being a part of the ‘resurrection’ of privacy:

Systematic – businesses could play a part by building more robust technology and developing more privacy-friendly business models
Cooperative – and Resistant. Businesses could cooperate more with civil society and academia in working towards privacy – and could do more to resist being co-opted by governments, not just being more transparent in their dealings with governments but acting as a barrier and protection for their users in their dealings with governments.
Normative – businesses could play a part in changing the message so that it becomes clearer that privacy is a social norm.

At the moment it seems unlikely that businesses will do very much of this – but there are a few signs that are positive. Real names policies have been relaxed on Google +, and even Facebook has shown some moves in that direction. All the big companies are doing more to secure their systems – encryption is more common, both in the infrastructure and in user systems. Google does at least seem to be making some attempt to cooperate with the right to be forgotten – though whether these attempts are being done in good faith has yet to be seen.

It will probably take a miracle – resurrections generally do – but miracles do sometimes happen.

Data and politics…

One of the less obvious side shows to the defection of Douglas Carswell MP from the Tories to UKIP has been the report that he may be taking his data with him – detailed data about his constituents, it appears, and according to the Daily Mail people at UKIP are ‘purring’ at the prospect of getting hold of the data.

This raises many, many issues – not least data protection issues. The excellent Jon Baines (@bainesy1969 on twitter) has been blogging about political data issues for some time, not least how it appears that political parties ride roughshod over data protection law and yet somehow the Information Commissioner’s Office does not want to get involved. He’s written something today in relation to Douglas Carswell – you can read it here. As Jon Baines explains, there are many legal issues to deal with, including a possible criminal offence.

Even setting the law to one side, there are some very disturbing aspects to this.

The first is a moral or ethical one – when people gave their data to Carswell, or to the local Conservative Party, they presumably intended (if they thought about it at all) to help the Conservative Party – Carswell was, at the time at least, a representative of the Conservative Party, and made many statements of loyalty. Would they be happy for that data then to be used by UKIP, a rival party? Some might have UKIP sympathies, and might well follow Carswell in his defection – but many others might not, and their data is being taken along with those who might defect, and without the chance to object or consent. Data protection law should require this – but in practice it might well fail to produce the results it should. Can we expect a moral or ethical approach from Douglas Carswell on the matter, recognising these issues? I doubt it very much. Morality and ethics are in very short supply in politics even at the best of times. These are very far from the best of times.

The second is a deeper one – it seems to me that we don’t consider nearly enough the impact of data on politics. The most obvious aspect of the Carswell business is the gathering of the data, but the use of that data is perhaps even more important and could have even more impact. I’ve written about this before – most notably in my book, Internet Privacy Rights – but it bears repeating. The use of data for political purposes is something of increasing importance. Obama knew that, and one of his key strategies for re-election was better use of data. This piece ‘How President Obama’s campaign used big data to rally individual voters‘, gives at least a flavour of what Obama did – and the beginning of a sense of what might be possible in the future. Data such as that gathered by Carswell could be aggregated with other data, much of it commercially gathered, and used for profiling in increasingly sophisticated ways. Here’s a brief extract from my book (chapter 10) that hints at what kind of thing can – and almost certainly will – happen in the future. Indeed, some of it is already happening now.

“Imagine, for example, tailored advertisements created for individual ‘swing voters’ (selected automatically through profiling), pointing out a party’s positive steps in the policy areas that are most likely to interest them (also selected automatically), omitting those areas where party policy doesn’t fit, and couching it in a language appropriate to the individual’s ethnic, educational, cultural and linguistic background, illustrated with a few appropriate news TV clips, and playing background music exactly to the individual’s taste and voiced over by an actor that profiling reveals that individual likes? The reverse, of course, about the political party’s opponents – negative campaigning and personal attacks taken to an extreme level. This could be extended from tailored advertisements to whole ‘news’ pages where the ‘news’ provider has a particular political agenda, and also (and more simply) to individual automated emails.”

Now I don’t imagine for a moment that UKIP’s operation is anywhere near as sophisticated as that – right now, most UK political parties seem to be lagging far behind the US in this field – but the ideas and the possibilities ought to be giving us pause for thought. Recent events like the Facebook Experiment, which I’ve blogged about before, show how the internet can be used to manipulate people. Political manipulation is just one of the possibilities. We need to be very careful here – and pay more attention to how our data can be used to manipulate us.

Dave Eggers’ The Circle: a book for our times…

I was introduced to Dave Eggers’ novel, The Circle, by Professor Andrew Murray – one of the pre-eminent scholars in IT Law in the UK, and also on of my PhD supervisors. I know I’m very late to this game – the book came out in 2013, and all the cool people will already have read it or reviewed it, but in this case I think it’s worth it. And the fact that someone like Andrew Murray would recommend it should give pause for thought: this isn’t just an entertaining piece of science fiction, it’s a book that really makes you think. It’s not just a dystopian vision of the future, it’s one that is far, far closer to reality than almost any I’ve read – and dystopian novels and films are pretty much my favourite genre.

It’s a book that reminded me why, unlike most of my schoolmates, I always preferred Brave New World to 1984 – and why, of the various privacy stories of the last few months I suspect, ultimately, the Facebook Experiment and the ruling over the Right to be Forgotten will matter more than the passing of the deeply depressing DRIP. In the end, as The Circle demonstrates graphically, we have more to fear from corporate domination of the Internet than we do from all the spooks and law enforcement agencies.

The Circle from which the novel gets its name is a technology company that combines a great deal of Google and Facebook with a little dash of Apple and a touch of Twitter. It dominates search and social media, but also makes cool and functional hardware. Egger’s triumph in the Circle is that he really gets not just the tech but the culture that surrounds it – little details like sending frowns to paramilitaries in Guatemala echo campaigns like #BringBackOurGirls in their futility, superficiality and ultimate inanity. The lives portrayed in the Circle should send shivers down the spines of any of us who spend much time on Twitter or Facebook: that I read the book whilst on a holiday without much Internet access made the point to me most graphically.

Privacy is theft

Eggers echoes both 1984 and Brave New World in using slogans to encapsulate concepts – exaggerating to make the point. For the Circle, these are:

Secrets are lies
Sharing is caring
Privacy is theft

All three are linked together – and connected to the idea that there’s something almost mystical about data. We don’t just have no right to privacy, we have a duty to disclose, a duty to be transparent. A failure to disclose means we’re depriving others of the benefits of our information: by claiming privacy, we’re stealing opportunities and advantages that others have the right to. If we care about others, we should share with them. This is Facebook, this is Google Flu Trends – and it’s the philosophy that implies that those of us who oppose the care.data scheme through which all our health data will be shared with researchers, pharmaceutical companies and many others, are selfish Luddites likely to be responsible for the deaths of thousands.

It is also the philosophy behind a lot of the opposition to the right to be forgotten. That opposition is based on the myth – one that Eggers exposes excellently – that the records on the Internet represent ‘the truth’ and that tampering with them, let alone deleting anything from them, is tantamount to criminality. Without spoiling the plot too much, one of the characters is psychologically and almost physically destroyed by the consequences of that. Eggers neatly leaves it unclear whether the key ‘facts’ that do the damage are actually real – he knows that this, ultimately, isn’t the point. Even if it all were true, the idea that maintaining it and exposing it would be a general good, something to be encouraged and fought for, is misguided at best.

It’s about power – and how it’s wielded

In the novel, The Circle has the power – and it wields it in many ways. Emotional manipulation, keeping people happy and at the same time keeping them within the Circle, is the key point – and the echoes of the Facebook Experiment, about which much has been written, but much has missed the deeper points, are chilling here. One of the real functions of the experiment was for Facebook to find ways to keep people using Facebook…

Another of the key ways that the Circle wields power is through its influence over lawmakers – and the same is sadly evident of Google and Facebook, in the UK as much as in the US. In the UK in particular the influence over things like opposition to data protection reform – and the right to be forgotten – are all too clear. It would be great if this could change, but as in the novel, the powers and common interests are far too strong for much chance. More’s the pity.

As a novel, The Circle is not without fault. I guessed the main plot twist less than half-way through the book. There’s a good deal of hyperbole – but this is dystopian fiction, after all – and the tech itself is not exactly described convincingly. What’s more, the prose is far from beautiful, the characters are mostly rather two-dimensional, and often they’re used primarily to allow Eggers to make his points, often through what amount to set speeches – but Huxley was guilty of that from time to time too. Those speeches, however, are often worth reading. Here, one of the dissidents explains his objections:

“It’s the usual utopian vision. This time they were saying it’ll reduce waste. If stores know what their customers want, then they don’t overproduce, don’t overship, don’t have to throw stuff away when it’s not bought. I mean, like everything else you guys are pushing, it sounds perfect, sounds progressive, but it carries with it more control, more central tracking of everything we do.”

“Mercer, the Circle is a group of people like me. Are you saying that somehow we’re all in a room somewhere, watching you, planning world domination?”

“No. First of all, I know it’s all people like you. Individually you don’t know what you’re doing collectively. But secondly, don’t presume the benevolence of your leaders.”

In that brief exchange Eggers shows how well he gets the point. A little later he nails why we should care much more about this but don’t, focussing instead on the spooks of the NSA and GCHQ.

“Here, though, there are no oppressors. No one’s forcing you to do this. You willingly tie yourself to these leashes.”

That’s the problem. We don’t seem to see the risk – indeed, just as in the novel, we willingly seem to embrace the very things that damage us. Lawmakers, too, seem not to see the problem – and as noted all too often allow themselves to be lobbied into compliance. The success of Google’s lobbyists over the right to be forgotten is testimony to this. Even now, people who really should know better are being persuaded to support the Circle sorry, I mean Google’s business model rather than address a real, important privacy issue.

Coming to a society near you…

We’re taking more and more steps in the direction of the Circle. Not just the Facebook experiment and the reaction to the ‘right to be forgotten’ ruling – but even in the last week or two a House of Lords committee has recommended an end to online anonymity, effectively asking service providers to require real names before receiving services. This is one of the central planks of the way the Circle takes control over people’s lives, and one which our lawmakers seem to be very happy to give them. There are also stories going around about government plans to integrate various databases from health and the DVLA to criminal records… another key tenet of the Circle‘s plans… The ‘detailed’ reasons for doing so sound and seem compelling – but the ultimate consequences could be disastrous…

Anyway, that’s enough from me. Read the book. I’ll be recommending it to
my Internet Law and Privacy students, but I hope it’s read much more widely than that. It deserves to be.

Facebook, Google and the little people….

This last week has emphasised the sheer power and influence of the internet giants – Facebook and Google in particular.

The Facebook Experiment

First we had the furore over the so-called ‘Facebook Experiment’ – the revelation that Facebook had undertaken an exercise in ’emotional contagion’, effectively trying to manipulate the emotions of nearly 700,000 of its users without their consent, knowledge or understanding. There were many issues surrounding it (some of which I’ve written about here) starting with the ethics of the study itself, but the most important thing to understand is that the experiment succeeded, albeit not very dramatically. That is, by manipulating people’s news feeds, Facebook found that they were able to manipulate peoples emotions. However you look at the ethics of this, that’s a significant amount of power.

Google and the Right to be Forgotten

Then we’ve had the excitement over Google’s ‘clumsy’ implementation of the ECJ ruling in the Google Spain case. I’ve speculated before about Google’s motivations in implementing the ruling so messily, but regardless of their motivations the story should have reminded us of the immense power that Google have over how we use the internet. This power is demonstrated in a number of ways. Firstly, in the importance we place in whether a story can be found through Google – those who talk about the Google Spain ruling being tantamount to censorship are implicitly recognising the critical role that Google plays and hence the immense power that they wield. Secondly, it has demonstrated Google’s power in that, ultimately, how Google decides to interpret and implement the ruling of the court is what decides whether we can or cannot find a story. Thirdly, the way that Google seems to be able to drive the media agenda has been apparent: it sometimes seems as though people in the media are dancing to Google’s tune.

Further, though the early figures for takedown requests under the right to be forgotten sound large – 240,000 since the Google Spain ruling – the number of requests they deal with based on copyright is far higher: 42,324,954 since the decision. Right to be forgotten requests are only 0.5% of those under copyright. Google deals with these requests without the fanfare of the right to be forgotten – and apart from a few internet freedom advocates, very few people seem to even notice. Google has that much control, and their decisions have a huge impact upon us.

Giants vs. Little People

Though the two issues seem to have very little in common, they both reflect the huge power that the internet giants have over ordinary people. It is very hard for ordinary people to fight for their rights – for little people to be able to face up to giants. Little people, therefore, have to do two things: use every tool they can in the fight for their rights, and support each other when that support is needed. When the little people work together, they can punch above their weight. One of the best ways for this to happen, is through civil society organisations. All around the world, civil society organisations make a real difference – from the Open Rights Group and Privacy International in the UK to EDRi in Europe and the EFF in the US. One of the very best of these groups – and one that punches the most above its weight, has been Digital Rights Ireland. They played a critical role in one of the most important legal ‘wins’ for privacy in recent years: the effective defeat of the Data Retention Directive, one of the legal justifications for mass surveillance. They’re a small organisation, but one with expertise and a willingness to take on the giants. Given that so many of those giants – including Facebook – are officially based in Ireland, Digital Rights Ireland are especially important.

Europe vs. Facebook

There is one particular conflict between the little people and the giants that is currently in flux: the ongoing legal fight between campaigner Max Schrems and Facebook. Schrems, who is behind the ‘Europe vs. Facebook’ campaign, has done brilliantly so far, but his case appears to be at risk. After what looked like an excellent result – the referral by the Irish High Court to the ECJ of his case against Facebook (which relates to the vulnerability of Facebook data to US surveillance via the PRISM program) – Schrems is reported as considering abandoning his case, as the possible costs might bankrupt him if things go badly.

This would be a real disaster – and not just for Schrems. This case really matters in a lot of ways. The internet giants need to know that we little people can take them on: if costs can put us off, the giants will be able to use their huge financial muscle to win every time. It’s a pivotal case – for all of us. For Europeans, it matters in protecting our data from US surveillance. For non Europeans it matters, because it challenges the US giants at a critical point – we all need them to fight against US surveillance, and they’ll only really do that wholeheartedly if it matters to their bottom line. This case could seriously hit Facebook’s bottom line – so if they lost, they’d have to do something to protect their data from US surveillance. They wouldn’t just do that for European Facebook users, they’d do it for all.

Referral to the ECJ is critical, not just because it might give a chance to win, but because (as I’ve blogged before) recently the ECJ has shown more engagement with technological issues and more willingness to rule in favour of privacy – as in the aforementioned invalidation of the Data Retention Directive and in the contentious ruling in Google Spain. We little people need to take advantage of those times when the momentum is on our side – and right now, at least in some ways, the momentum seems to be with us in the eyes of the ECJ.

So what can be done to help Schrems? Well, the first thing I would suggest to Max is to involve Digital Rights Ireland. They could really help him – and I understand that they’ve been seeking an amicus brief in the case. They’re good at this kind of thing, and they and other organizations in Europe have experience in raising the funds for this type of case. Max has done brilliant work, but where ‘little people’ have to face up to giants, they’re much better off not fighting alone.