Dear Larry and Mark….

Larry Page, Google

Mark Zuckerberg, Facebook

8th June, 2013

Dear Larry and Mark

The PRISM project

I know that you’ve been as deeply distressed as I have by the revelations and accusations released to the world about the PRISM project – and I am delighted by the vehemence and clarity with which you have denied the substance of the reports insofar as they relate to your services. The zeal with which you wish to protect your users’ privacy is highly commendable – and I’m looking forward to seeing how that zeal produces results in the future. To find that the two of you, the leaders of two of the biggest providers of services on the internet, are so clearly in favour of individual privacy on the internet is a wonderful thing for privacy advocates such as myself. There are, however, a few ways that you could make a slightly more direct contribution to that individual privacy – and seeing the depth of feeling in your proclamations over PRISM I feel sure that you will be happy to do them.

Do Not Track

As I’m sure you’re aware, people are concerned not just about governments tracking their activities on the net, but others tracking them – not least since it appears clear from the PRISM project that if commercial organisations track people, governments might try to get access to that tracking, and perhaps even succeed. As you know, the Do Not Track initiative was designed with commercial tracking in mind – but it has become a little bogged down since it began, and looks as though it might be far less effective than it could be. You could change that – put your considerable power into making it strong and robust, very clearly do not track rather than do not target, and most importantly ensure that do not track is on by default. As you clearly care about the surveillance of your users, I know that you’ll want them not to be tracked unless they actively choose to let advertisers track them. That’s the privacy-friendly way – and as supporters of privacy, I’m sure you’ll want to support that. Larry, in particular, I know this is something you’ll want to do, as perhaps the world leader in advertising – and now also in privacy – your support of this will be both welcome and immensely valuable.

Anonymity – no more ‘real names’ policies

As UN Special Rapporteur on Freedom of Expression and Opinion, Frank La Rue, recently reported, privacy, and in particular anonymity, is a crucial underpinning of freedom of expression on the internet. I’m sure you will have read his report – and will have realised that your insistence on people using real names when they use your services is a mistake. I imagine, indeed, that you’re already preparing to reverse those policies, and come out strongly for people’s right to use pseudonyms – particularly you, Mark, as Facebook is so noted for its ‘real names’ policy. As supporters of privacy, there can’t be any other way – and now that you’re both so clearly in the privacy-supporting camp, I feel confident that you’ll make that choice. I’m looking forward to the press releases already.

Data Protection Reform

As supporters of privacy, I know you’ll be aware of the current reform programme going on with the European Data Protection regime – data protection law is strongly supportive of individual privacy, and may indeed be the most important legal protection for privacy in the world. You might be shocked to discover that there are people from both of your companies lobbying to weaken and undermine that reform – so I’m sure you’ll tell them at once to stop that lobbying, and instead to get solidly behind those looking for better protection for individual privacy and stronger rights to protect themselves from tracking and misuse of their data. As you are now the champions of individual privacy, I’m sure you’ll be delighted to do so – and I suspect memos have already been issued from your desks to those lobbying teams ordering them to change your stance and support rather than undermine individuals’ rights over their data. I know that those pushing for this reform will be delighted by your new found support.

That support, I’m sure, will build on Eric Schmidt’s recent revelation that he thinks the internet needs a ‘delete’ button – so you’ll be backing Viviane Reding’s ‘right to be forgotten’ and doing everything you can to build in easy ways for people to delete their accounts with you, to remove all traces of their profiling and related data and so on.

Geo-location, Facial Recognition and Google Glass

Your new found zeal for privacy will doubtless also be reflected in the way that you deal with geo-location and facial recognition – and in Larry’s case, with Google Glass. Of course you’ve probably had privacy very much in the forefront of your thoughts in all of these areas, but just haven’t yet chosen to talk about it. Moving away from products that gather location data by default, and cutting back on facial recognition except where people really need it and have given clear and properly informed consent will doubtless be built in to your new programs – and, Larry, I’m sure you’ll find some radical way to cut down on the vast array of privacy issues associated with Google Glass. I can’t quite see how you can at the moment, but I’m sure you’ll find a way, and that you’re devoting huge resources to do so.

Supporting privacy

We in the privacy advocacy field are delighted to have you on our side now – and look forward greatly to seeing that support reflected in your actions, and not just in relation to government surveillance. I’ve outlined some of the ways that this might be manifested in reality – I am waiting with bated breath to see it all come to fruition.

Kind regards

Paul Bernal

P.S. Tongue very firmly in cheek

Google Glass: just because you can…

As a bit of a geek, and a some-time game player, it’s hard not to like the look of Google Glass. Sure, it makes you look a little dorky in its current incarnation (even if you’re Sergey Brin, as in the picture below) but people like me are used to looking dorky, and don’t really care that much about it. What it does, however, is cool, and cool in a big way. We get heads-up displays that would have been unimaginable even a few years ago, a chance to feel like Arnie in the Terminator, with the information about everything we can see immediately available. It’s cool – in a dorky, sci-fi kind of way, and for those of us brought up on a diet of SF it’s close to irresistible.

Sergey Brin

And yet, there’s something in the back of my mind – well, OK, pretty close to the front of my mind now – that says that we should be thinking twice about pushing forward with developments like this. Just because we can make something as cool as Google Glass, doesn’t mean that we should make it. There are implications to developments like this, and risks attached to it, both direct and indirect.

Risks to the wearer’s privacy

First we need to be clear what Google Glass does – and how it’s intended to be used. The idea is that the little camera on the headset essentially ‘sees’ what you see. It then analyses what it can see, and provides the information about what you see – or information related to it. In one of the promotional videos for it, for example, as the wearer looks at a subway station, the Glass alerts the wearer to the fact that there’s a delay on the subway, so he’d better walk. Then he looks at a poster for a concert – it analyses the poster, then links directly to a ticket agency that lets him buy a ticket for the concert.

Cool? Sure, but think about what’s going on in the background – because there’s a lot. First of all, and almost without saying, the Google Glass headset is tracking the wearer: what we call ‘geolocation’. It knows exactly where you are, whenever you’re using it. There are implications to that – I’ve written about them before – and this is yet another step towards making geolocation the ‘norm’. The idea is that Google (and others) want to know exactly where you are at all times – and of course that means that others could find out, whether for good purposes or bad.

Secondly, it means that Google are able to analyse what you are looking at – and profile you, with huge accuracy, in the real world, the way to a certain extent they already do in the online world. And, again, if Google can profile you, others can get access to that profile – either through legal means or illegal. You might have consented to giving others access, in one of those long Terms and Conditions documents you scrolled down without reading and clicked ‘OK’ to. The government might ask Google for access to your feed, in the course of some investigation or other. A hacker might even hack into your system to take a look…

…and this last risk, the risk of hacking, is a very real one. Weaknesses in Google Glass have already surfaced. As the Guardian reported a few days ago:

“Augmented reality glasses could be compromised by a hacker who would be able to see and hear everything the wearer does”

This particular weakness may or may not turn out to be a real risk – but the potential is there. Where data exists, and where systems exist, they are hackable – Google Glass, by its nature, could be a clear target. And what they get, as a result, could be seriously dangerous and damaging.

Risks to others’ privacy

Equally worrying are the risks to those the wearer looks at. There are specific risks – anyone who knows about the concept of ‘creepshots’ – surreptitiously taken photographs, usually of young women and girls, up skirts, down blouses etc, posted on the internet – should see the possibilities immediately. As Gizmodo put it:

“Once these things stop being a rich-guy novelty and start actually hitting the streets, the rise in creepshots is going to be worse than any we’ve ever seen before”

They’re right – and the makers of Google Glass should be aware of the possibilities. Some people are even working on developing an app to allow you to take a picture using Google Glass just by winking, which would extend the possibilities of creepshots one creepy step forward – at the moment, at least, voice commands are needed to take shots, alerting the victim, but with winking or other surreptitious command systems even that protection would be gone.

Creepshots are just one extreme – the other opportunities for invasions of privacy are huge. In mitigation, some say ‘Oh, at least you can see that people are wearing Google Glass, so you know they’re filming you’. Well, yes, but there are lots of problems with that. Firstly, should we really need to check the glasses of everyone who can see us? Secondly, this is just the first generation of Google Glass. What will the next one look like? Cooler, less like something out of Star Trek? And the technology could be used in ways that are much less obvious – hack and disguise your own Google Glass and make it look like a pair of ordinary sunglasses? Not hard for a hacker. They’ll be available on the net within a pretty short time.

Normalising surveillance

All these, however, are just details. The real risk is at a much higher level – but it may be a danger that’s already been discounted. It’s the risk that our society goes down a route where surveillance is the norm. Where we expect to be filmed, to have our every movement, our every action, our every word followed, analysed, compiled, and aggregated for the service of companies that want to make money out of us and governments that want to control us. Sure, Google Glass is cool, and sure it does some really cool stuff, but is it really worth that?

Now there may be ways to mitigate all these risks, and there may be ways that we can find to help overcome some of the issues. I’d like it to be so, because I love the coolness of the technology. Right now, though, I’m not convinced that we have – or even that we necessarily will be able to. It means, for me, I think we need to remember that just because we can do things like this, it doesn’t mean that we should.

Google, privacy and a new kind of lawsuit

Today is Data Privacy Day – and a new lawsuit has been launched against Google in the UK – one which highlights a number of key issues. It could be very important – a ‘landmark case’ according to a report on Reuters. The most notable thing about the case, for me, is that it is consumer-led: UK consumers are no longer relying on the authorities, and the Information Commissioner’s Office in particular, to safeguard their privacy. They’re taking it into their own hands.

The case concerns the way that Google exploited a bug in Apple’s Safari browser to enable it to bypass customers’ privacy settings. As reported on Reuters:

“Through its DoubleClick adverts, Google designed a code to circumvent privacy settings in order to deposit the cookies on computers in order to provide user-targeted advertising. The claimants thought that cookies were being blocked on their devices because of Safari’s strict default privacy settings and separate assurances being given by Google at the time. This was not the case.”

The group of consumers have engaged noted media and telecoms lawyers Olswang for the case. Dan Tench, the partner at Olswang responsible for the case, told Reuters:

“Google has a responsibility to consumers and should be accountable for the trust placed in them. We hope that they will take this opportunity to give Safari users a proper explanation about what happened, to apologise and, where appropriate, compensate the victims of their intrusion.”

For further information – and if you want to join the action – Tench can be contacted by email at daniel.tench@olswang.com

There’s also a Facebook page for the suit: https://www.facebook.com/SafariUsersAgainstGooglesSecretTracking

What’s important here?

The case highlights several crucial aspects of privacy on the net. The first is the extent to which we can – or should be able to – rely on the settings we make on our browsers. What was happening here is that those settings were being overridden. Now it’s a moot point quite how many people use their privacy settings – or indeed even know that they exist – but if those settings are being overridden by anyone, let alone a company as big and respected as Google, it’s something that we need to know about and to fight. Browser settings – and privacy settings in general – are the key control, perhaps the only control, that individuals have over their online privacy, so we need to know that they work if we are to have any trust. A lack of trust is something that damages everyone.

The second is that the case highlights that users aren’t going to take things lying down – and neither are they going to rely on what often seem to be supine regulators, regulators unwilling to take on the ‘big boys’ of the internet, regulators who seem to take their role as supporters of business much more seriously than their role as protectors of the public. Alexander Hanff, a privacy advocate who is assisting Olswang on this case, said that:

“This group action is not about getting rich by suing Google, this lawsuit is about sending a very clear message to corporations that circumventing privacy controls will result in significant consequences. The lawsuit has the potential of costing Google £10s of millions, perhaps even breaking £100m in damages given the potential number of claimants – making it the biggest group action ever launched in the UK. It should also be seen as a message to the Information Commissioner’s Office that they are in contempt of the British public and are not doing their job.”

This last point is crucial – and it may suggest not that the Information Commissioner’s Office are not doing their job but that their job is one that needs redefining. The ICO sometimes appears to be caught between two stools – their role is more complex than just as protectors of the public. They’re not a Privacy Commissioner’s Office – and perhaps that is what we need. An office with teeth whose prime task is to protect individuals’ privacy.

What happens next?

This lawsuit will be watched very carefully by everyone in the field of online privacy. The number of people who join the case is one question – there are plenty who could, as Safari, though somewhat a niche browser on computers, is the default browser on iPhones, so is used by many millions in the UK. How it progresses has yet to be seen – there are many different possibilities. If nothing else, I hope it acts as a wake-up-call for all involved: Google, the ICO, and the public.

They’re taking over the internet!

There’s a big story going around at the moment: the UN’s trying to take over the internet, or some variant of that. It’s all based on the current ITU proposals at the World Conference on International Telecommunications (WCIT) currently taking place in Dubai… Lots of people – and I mean LOTS of people – are spreading this story of terror and danger. What’s at stake? Freedom of expression, anonymity, privacy, the whole openness of the internet etc etc…

…and yet I find it very difficult to get enthusiastically behind the fight, though I’m a fierce advocate of all of those things, and care deeply and passionately about the future of the internet as an open and free place. So why do I find it hard? Not because I agree with the ITU’s proposals – I don’t, I think they’re generally very bad and very unhelpful. There are, however, a few reasons:

  1. The prime characteristic of the ITU, as for so many UN bodies, is not an ability to actually do anything – let alone control or ‘take over’ anything. UN peacekeepers aren’t exactly brilliant at keeping peace, UN resolutions tend to be ignored by almost anyone who might be affected (ask anyone who pays attention to what goes on in Israel and Palestine), UN charters are aspirational at best. Whatever they do is unlikely to have any real effect – unless others want it to have an effect. The UN has some great strengths – and some of the UN bodies do excellent work – but for those strengths to come into play, they need the states involved to want them to work. The various Human Rights declarations, for example, help to set standards that were then applicable (and applied) worldwide…
  2. The ITU itself is far from the most competent of ‘secret’ organisations – for all their supposed secrecy, they just ‘gave’ the information on their DPI proposals to the excellent @Asher_Wolf when she asked them for it….
  3. What’s more, opposition to the ITU’s proposals is already huge – and if anyone imagines that the US or the EU will quickly acquiesce to whatever the ITU suggests, they really don’t understand international politics or international law
  4. To suggest that these ITU proposals offer the biggest threat to any of the issues concerned at the current moment. In every area there are far greater threats, far closer to home.
  5. You want a threat to privacy? Look more closely at our own governments – what the UK government is proposing with the Communications Data Bill, that’s a REAL threat to privacy. What’s being revealed by the NSA whistleblower William Binney about surveillance in the US is vastly, vastly worse than anything imagined by the ITU. Our governments don’t need the ITU in order to invade our privacy….
  6. You want a threat to anonymity on the internet? Look much more close to home – look at Facebook’s ‘real names’ policy, and the same for Google! Google are one of the strongest supporters of the fight against the ITU – and yet they still have what amounts to a real names policy for Google plus!
  7. You want a threat to freedom of expression? Look very hard at the ‘entertainment industry’, whose copyright trolls do more to block people’s expression than almost anyone else. They use notice and take down, they want ‘piracy’ sites blocked, they want to be able to block users from accessing the internet at all if there’s suspicion of piracy.

…and yet it’s the UN, and in particular the ITU that’s the target of the attacks. I don’t particularly like the ITU, and I don’t like these proposals one bit, but they won’t destroy the openness of the internet – because they won’t be able to make it happen. The others, on the other hand – our own governments, our ‘own’ industries, from Facebook and Google to the ‘entertainment’ industries, they’re already doing a lot to restrict all those freedoms that they claim to care so passionately about. Why? Because there’s money in it for them…. just as that’s the main real reason for their concerns about the ITU proposals – one part is to effectively levy a kind of tax on companies like Google. When money matters, it’s easy for industry to play the ‘good guys’. When money works the other way…..

No reason to be complacent – keep fighting!

All this ranting isn’t meant to stop people fighting the ITU proposals – we should! They should be opposed with vigour, because they’re not good at all. There are some distinctly worrying things about these proposals, and some particular risks attached. There’s the risk that they can be used to spread the idea that surveillance, that the removal of any effective form of anonymity, become the norm – and that they are allowed to spread as a result of this kind of thing. The UN is an ‘aspirational’ organisation, so ideas spread by it can be seen as somehow acceptable, and supportable – and used in some ways to ‘justify’ bad things that are happening.

This risk – of the ‘normalisation’ of this kind of thing – is something that we need to oppose, and oppose strongly. It is, however, something quite different from the suggestion that the UN is actually trying to take over the internet. That idea shouldn’t be overblown, or hyped up to the degree that it is. There’s an element of crying wolf about this too – if we keep going on about something being likely to ‘destroy the internet’ we’ll miss the real threats. I don’t want that to happen – and to an extent it is already happening, with ideas like Facebook and Google’s ‘real names’ policies not being subject to nearly sufficient scrutiny, and the copyright lobby still wielding enormously disproportionate power. Let’s get things a bit more in proportion….

Truth and lies, policy and practice…

Last week it struck me that we were entering a new phase in the way that privacy is dealt with on the net. Two of the biggest players, Google and Facebook, have made significant shifts in their ‘privacy policy’ – shifts that have got some people up in arms.

I’m not going to go through the new policies in detail – lots of people have already done that, and in Google’s case in particular close legal investigation by the French data protection authority CNIL is underway. No, what interests me is something different. Is the biggest change in both Google and Facebook’s case actually something that we should be greeting with a little more positivity? Is it just that now they’re both telling a bit more of the truth? Showing a bit more of that transparency that we privacy advocates are always talking about?

Brutal Honesty

Taking Google first, the key change in their policy, it seems to me, is that they’re admitting to data aggregation. That is, they’re openly acknowledging – indeed in some ways trumpeting – the fact that they’re now bringing together the data they gather from all the various different Google services, and using it together. Google has a vast array of different services, from search to Gmail, their various ‘location’ services (Google Earth, Google Streetview, Google Maps etc), YouTube, Picasa, and of course Google +, so from their own perspective this makes perfect sense. Many of us in the privacy field have suspected (or even assumed) that they’ve always been doing this, or something like it – and their previous privacy policies have been vague enough or ambiguous enough that they could be read to make this sort of thing possible. Now, it seems to me, they’re being more open about it – more honest, more transparent.

That, of course, doesn’t make it any more ‘legal’ or ‘acceptable’ as a policy. Indeed, I wouldn’t be at all surprised if the CNIL investigation concludes that the new policy breaches EU data protection law – but, in reality, I wouldn’t have been at all surprised if the old policies, if investigated properly, had been in breach of EU data protection law. Even more pertinently, as I shall suggest below, I wouldn’t be at all surprised if Google’s practices, rather than their policies, were in breach of data protection law. They may well still be….

Moving on to Facebook, there is a bit of a hoo-haa about their changing the name of their ‘privacy policy’ to a ‘data use policy’. Again, it seems to me, this is actually a bit more honest, a bit more transparent. Facebook’s policy was always to use your data. Indeed, that’s the whole basis of their business model – and why we get to use Facebook for free. They give us the service, we let them use our data. For Facebook to admit that is a good thing, surely? If they’re more honest about what they do, we can make better informed decisions about whether to use them or not. If there is anyone out there who uses Facebook and doesn’t realise that Facebook are using their data – then they should be picked up and shaken, and told!

Facebook’s policy is to use your data, not to protect your privacy – isn’t it better to be open and say that?

Google’s policy is to aggregate all of your data – isn’t it better for them to be open and say that?

Policy and Practice

Finally, it should be remembered that policies are just words – what really matters isn’t what companies like Google and Facebook say they’re doing, but what they actually do. Very few people read privacy (or data use!) policies anyway. We don’t want companies to think changing privacy policies is a matter of good legal drafting – but a reflection of changing the way they actually operate, how they actually gather, hold and use our data, how they monitor us, profile us, target us and so forth. I hope that the investigation by the CNIL looks properly at that – and that the regular FTC privacy audits of both Facebook and Google do the same. I wouldn’t say I’m exactly optimistic that they will…

….at least not this time. However, I do suspect that the increase in awareness about privacy issues by both individuals and authorities is one of the reasons that policy and practice may be getting closer. Facebook and Google seem to be being more honest and open about how they deal with privacy – because they are realising that they may have to be. We’re starting to at least try to hold them to account. That must be a good thing.

Infamy, Infamy, they’ve all got it in for me!

“Beware the Ides of March!”

These are strange times for a company who does no evil. The top people at Google must feel at times as though everyone’s got it in for them. Google already faces 20 years of privacy audits from the FTC in the US and is under fairly continuous attack by regulators in Europe – as I blogged last week, Commissioner Reding in particular seems ready to rumble. More than that, it is facing almost unprecedented and aggressive advertising and lobbying from its competitors – Microsoft in particular seems to be trying to ‘smear’ Google, as one noted blogger has put it. Google’s new privacy policy, officially in place since 1st March, has come under attack from almost everyone – not just the various regulators and their competitors but a whole range of privacy advocacy groups. Google are under attack from the top to the bottom – in the UK, privacy campaigner Alexander Hanff has launched a small claim against Google, effectively asking for his money back for the Android phone he bought before the privacy policy came in. On top of all this, the latest revelations that apps on the Android platform can access your calls and texts has sent waves of dissent and anger around the web.

Why does it look as though everyone has got it in for Google? Jealous competitors trying to bring them down for purely selfish reasons? Sniping privacy advocates missing the point? Overzealous regulators trying to catch the biggest fish? After all, Google are the good guys! As they see it, they’ve been open and honest about their privacy policy, giving people plenty of warnings that it was coming in – far too many for some. I’ve lost count how many times they’ve tried to tell me all about it in various ways. Also from their perspective, the problems with Android are just a side effect of their ‘openness’ – compared to the ultra-controlling Apple, they give app developers plenty of freedom. As for the European regulators, well we all know they’re crazy, and their right to be forgotten is just an excuse for censorship – all Google are doing in opposing them is fighting for freedom. Excessive regulation could “stifle innovation and stall forward progress” as Google Executive Chairman Eric Schmidt warned last week.

Are Google right and everyone else wrong? I can see their perspective – and have some sympathy with them in some ways. The glee with which their competitors have leapt upon the privacy policy furore isn’t exactly edifying, and I can’t say that I would trust Microsoft or Facebook any more than I would Google – and even the previously relatively ‘clean’ Twitter has seriously blotted its privacy copybook by selling its tweet archive to data-miners Datasift. It’s also true that European regulators can seem to have a tendency to use a sledgehammer to crack even a small nut….

….but from my perspective, at least, there’s something in each of the complaints, and the way that Google seems to be dealing with them doesn’t exactly seem positive or productive. They’ve come out fighting, complaining about regulation without seeming to ask why that regulation has happened. Regulation doesn’t come from a vacuum – if it did, it wouldn’t get support, even from the most zealous of bureaucrats. Regulation arises in reaction to a problem – sometimes it causes problems of its own, sometimes it is over the top, sometimes it misses the point, but unless there’s a problem there to start with the regulation won’t get even close to becoming reality. Here, there IS a problem, and if Google wants to stop everyone having it in for them they need to start by recognising the problem and starting to address it. If Larry Page wants to stop excessive regulation from stifling innovation and stopping forward progress, he should know what to do.

Why did Caesar meet his doom on the Ides of March? Was it the jealousy of all those around him, each wanting to stick the knife in? That certainly seemed to contribute – but it probably wasn’t the main reason. Everyone had it in for Caesar because he’d become a tyrant. He’d stopped listening. If Google wants things to change, it has to start by changing itself. It has to understand why people are bothered by all the things it has done – and do something about them.

From a privacy perspective, Google stands at a crossroads. There have been signs that it had started to ‘get’ privacy – Alma Whitten in particular seems to have a real understanding of the issues – but at the same time there is still a sense that they want to ride roughshod over everyone’s objections. If Google choose the ‘privacy direction’, they could play a key part in shaping a more ‘privacy-friendly’ internet. They seem at times as though they’re floundering – privacy could be a chance for them to find a new role, one which would get the support, rather than the opposition, of a great many people.

P.S. For anyone that doesn’t recognise either the title of this post or the picture, it’s from that prime example of fine British film-making, Carry On Cleo. If you haven’t seen it – do!

Ready to Rumble?

This morning I attended a lecture given by European Commissioner Viviane Reding – and I have to say I was impressed. The lecture was at my old Alma Mater, the LSE, with the estimable Professor Andrew Murray in the chair, and was officially about the importance of data protection in keeping businesses competitive – but in practice it turned out to be a vigorous defence of the new Data Protection Regulation. Commissioner Reding was robust, forthright – and remarkably straightforward for someone in her position.

Her speech started off by looking at the changes that have taken place since the original Data Protection Directive – which was brought in in 1995. She didn’t waste much time – most of the changes are pretty much self-evident to anyone who’s paid much attention, and she knew that her audience wasn’t the kind that would need to be told. The key, though, was that she was looking from the perspective of business. The needs of businesses have changed – and as she put it, the new regulation was designed to meet those needs.

The key points from this perspective will be familiar to most who have studied the planned regulation. First and foremost, because it is a regulation rather than a directive, it applies uniformly throughout the EU, creating both an even playing field and a degree of certainty. Secondly, it is intended to remove ‘red tape’ – multinational companies will only have to deal with the data protection authorities in the country that is their primary base, rather than having to deal with a separate authority for each country they operate in. Taken together, she said that the administrative burden for companies would go down by 2.3 billion Euro a year. It was very direct and clear – she certainly seems to believe what she’s saying.

She also made the point (which she’s made before) that the right to be forgotten, which has received a lot of press, and which I’ve written about before (ad nauseam I suspect), is NOT a threat to free expression, and not a tool for censorship, regardless of how that point seems to be misunderstood or misrepresented. The key, as she described, is to understand that no rights are absolute, and that they have to compete with other rights – and they certainly don’t override them. As I’ve also noted before, this is something that isn’t really understood in the US as well as it is in Europe – the American ‘take’ on rights is much more absolutist, which is one of the reasons they accept as ‘rights’ a much narrower range of things than most of the rest of the world.

I doubt her words on the right to be forgotten will cut much mustard with the critics of the right on either side of the Atlantic – but I’m not sure that will matter that much to Commissioner Reding. She’s ready for a fight on this, it seems to me, and for quite a lot else besides. Those who might be expecting her to back down, to compromise, I think are in for a surprise. She’s ready to rumble…

The first and biggest opponent she’s ready to take on looks like being Google. She name-checked them several times both in the speech and in her answers to questions. She talked specifically about the new Google privacy policy – coming into force today – and in answer to a question I asked about the apparent resistance of US companies to data protection she freely admitted that part of the reason for the form and content of the regulation is to give the Commission teeth in its dealings with companies like Google. Now, she said, there was little that Europe could do to Google. Each of the individual countries in the EU could challenge Google, and each could potentially fine Google. ‘Peanuts’ was the word that she used about these fines, freely acknowledging that she didn’t have the weapons with which to fight. With the new regulations, however, they could fine Google 2% of their worldwide revenue. 560 million euro was the figure she quoted: enough to get even Google to stand up and take notice.

She showed no sign of backing down on cookies either – reiterating the need for explicit, informed consent whenever data is gathered, including details of the purposes to which the data is to be put. She seemed ready for a fight on that as well.

Overall, it was a combative Commissioner that took to the lectern this morning – and I was impressed. She’s ready for the fight, whether businesses and governments want it or not. As I’ve blogged elsewhere, the UK government doesn’t share her enthusiasm for a strengthening of data protection, and the reaction from the US has been far from entirely positive either. Commissioner Reding had a few words for the US too, applauding Obama’s moves for online privacy (about which I’ve blogged here) but suggesting that the US is a good way behind the EU in dealing with privacy. They’re still playing catch-up, talking about it and suggesting ideas, but not ready to take the bull by the horns yet. We may yet lead them to the promised land, seemed to be the message…. and only with her tongue half in her cheek.

She’s not going to give up – and neither should she, in my opinion. This is important stuff, and it needs fighting for. She’s one of the ‘Crazy Europeans‘ about which I’ve written before – but we need them. As @spinzo tweeted to me there’s ‘nothing more frightening than a self-righteous regulator backed by federal fiat and federal coffers’ – but I’d LIKE some of the companies involved in privacy invasive practices around the net to be frightened. If they behaved in a bit more of a privacy friendly way we wouldn’t need the likes of Commissioner Reding to be ready to rumble. They don’t – and we do!

Facebook, Photos and the Right to be Forgotten

Another day, another story about the right to be forgotten. This time it’s another revelation about how hard it is to delete stuff from Facebook. In this case it’s photos – with Ars Technica giving an update on their original story from 2009 about how ‘deleted’ photos weren’t really deleted. Now, according to their new story, three years later, the photos they tried to remove back then are STILL there.

The Ars Technica story gives a lot more detail – and does suggest that Facebook are at least trying to do something about the problem, though without much real impact at this stage. As Ars Technica puts it:

“….with the process not expected to be finished until a couple months from now—and unfortunately, with a company history of stretching the truth when asked about this topic—we’ll have to see it before we believe it.”

I’m not going to try to analyse why Facebook has been so slow at dealing with this – there are lots of potential reasons, from the technical to the political and economic – but from the perspective of someone who’s been watching developments over the years one thing is very important to understand: this slowness and apparent unwillingness (or even disinterest) has had implications. Indeed, it can be seen as one of the main drivers behind the push by the European Union to bring in a ‘right to be forgotten’.

I’ve written (and most recently ranted in my blog ‘Crazy Europeans’) about the subject many times before, but I think it bears repeating. This kind of legislative approach, which seems to make some people in the field very unhappy, doesn’t arise from nothing, just materialising at the whim of a few out-of-touch privacy advocates or power-hungry bureaucrats. It emerges from a real concern, from the real worries of real people. As the Ars Technica article puts it:

“That’s when the reader stories started pouring in: we were told horror stories about online harassment using photos that were allegedly deleted years ago, and users who were asked to take down photos of friends that they had put online. There were plenty of stories in between as well, and panicked Facebook users continue to e-mail me, asking if we have heard of any new way to ensure that their deleted photos are, well, deleted.”


When people’s real concerns aren’t being addressed – and when people feel that their real concerns aren’t being addressed – then things start to happen. Privacy advocates bleat – and those in charge of regulation think about changing that regulation. In Europe we seem to be more willing to regulate than in the US, but with Facebook facing regular privacy audits from the FTC in the US, they’re going to have to start to face up to the problem, to take it more seriously.

There’s something in it for Facebook too. It’s in Facebook’s interest that people are confident that their needs will be met.  What’s more, if they want to encourage sharing, particularly immediate, instinctive, impulsive sharing, they need to understand that when people do that kind of thing they can and do make mistakes – and they would like the opportunity to rectify those mistakes. Awareness of the risks appears to be growing among users of these kinds of system – and privacy is now starting to become a real selling point on the net. Google and Microsoft’s recent advertising campaigns on privacy are testament to that – and Google’s attempts to portray its new privacy policy as something positive are quite intense.

That in itself is a good sign, and with Facebook trying to milk as much as they can from the upcoming IPO, they might start to take privacy with the seriousness that their users want and need. Taking down photos when people want them taken down – and not keeping them for years after the event – would be a good start. If it doesn’t happen soon, and isn’t done well, then Facebook can expect an even stronger push behind regulation like the Right to be Forgotten. If they don’t want this kind of thing, then they need to pre-empt it by implementing better privacy, better user rights, themselves.

Goo goo google’s tiny steps towards privacy…

Things seem to be hotting up in the battle for privacy on the internet. Over the last few days, Google have made three separate moves which look, on the surface at least, as though they’re heading, finally, in the right direction as far as privacy is concerned. Each of the moves could have some significance, and each has some notable drawbacks – but to me at least, it’s what lies behind them that really matters.
The first of the three moves was the announcement on October 19th, that for signed in users, Google was now adding end-to-end (SSL) encryption for search. I’ll leave the technical analysis of this to those much more technologically capable than me, but the essence of the move is that it adds a little security for users, making it harder to eavesdrop on a user’s search activities – and meaning that when someone arrives at a website after following a Google search, the webmaster of the site arrived at will know that the person arrived via Google, but not the search term used to find them. There are limitations, of course, and Google themselves still gather and store the information for their own purposes, but it is still a step forward, albeit small. It does, however, only apply to ‘signed in’ users – which cynics might say is even more of a drawback, because by signing in a user is effectively consenting to the holding, use and aggregation of their data by Google. The Article 29 Working Party, the EU body responsible for overseeing the data protection regime, differentiates very clearly between signed-in and ‘anonymous’ (!) users of the service in terms of complying with consent requirements – Google would doubtless very much like more and more users to be signed in when they use the service, if only to head off any future legal conflicts. Nonetheless, the implementation of SSL should be seen as a positive step – the more that SSL is implemented in all aspects of the internet, the better. It’s a step forward – but a small one.

There have also been suggestions (e.g. in this article in the Telegraph) that the move is motivated only by profit, and in particular to make Google’s AdWords more effective at the expense of techniques used by Search Engine Optimisers, who with the new system will be less able to analyse and hence optimise. There is something to this, no doubt – but it must also be remembered first of all that pretty much every move of Google is motivated by profit, that’s the nature of the beast, and secondly that a lot of the complaints (including the Telegraph article) come from those with a vested interest in the status quo – the Search Engine Optimisers themselves. Of course profit is the prime motivation – but if profit motives drive businesses to do more privacy-friendly things, so much the better. That, as will be discussed below, is one of the keys to improving things for privacy.

The second of the moves was the launch of Google’s ‘Good to know’, a ‘privacy resource centre’, intended to help guide users in how to find out what’s happening to their data, and to use tools to control that data use. Quite how effective it will be has yet to be seen – but it is an interesting move, particularly in terms of how Google is positioning itself in relation to privacy. It follows from the much quieter and less user-friendly Google Dashboard and Google AdPreferences, which technically gave users quite a lot of information and even some control, but were so hard to find that for most intents and purposes they appeared to exist only to satisfy the demands of privacy advocates, and not to do anything at all for ordinary users. ‘Good to know’ looks like a step forward, albeit a small and fairly insubstantial one.
The third move is the one that has sparked the most interest – the announcement by Google executive Vic Gundotra that social networking service Google+ will ‘begin supporting pseudonyms and other types of identity.’ The Electronic Frontier Foundation immediately claimed ‘victory in the nymwars’, suggesting that Google had ‘surrendered’. Others have taken a very different view – as we shall see. The ‘nymwars’ as they’ve been dubbed concern the current policies of both Facebook and Google to require a ‘real’ identity in order to maintain an account with them – a practice which many (myself definitely included) think is pernicious and goes against the very things which have made the internet such a success, as well as potentially putting many people at real risk in the real world. The Mexican blogger who was killed and decapitated by drugs cartels after posting on an anti-drugs website is perhaps the most dramatic example of this, but the number of people at risk from criminals, authoritarian governments and others is significant. To many (again, myself firmly included), the issue of who controls links between ‘real’ and ‘online’ identities is one of the most important on the internet in its current state. The ‘nymwars’ are of fundamental importance – and so, to me, is Google’s announcement.
Some have greeted it with cynicism and anger. One blogger put it bluntly:
“Google’s statement is obvious bullshit, and here’s why. The way you “support” pseudonyms is as follows: Stop deleting peoples’ accounts when you suspect that the name they are using is not their legal name.

There is no step 2.”
The EFF’s claims of ‘victory’ in the nymwars are perhaps overstated – but Google’s move isn’t entirely meaningless, nor is it necessarily cynical. Time will tell exactly what Google means by ‘supporting pseudonyms’, and whether it will really start to deal with the problems brought about by a blanket requirement for ‘real’ identities – but this isn’t the first time that someone within Google has been thinking about these issues. Back in February, Google’s ‘Director of Privacy, Product and Engineering’ wrote a blog for the Google Policy Blog called ‘The freedom to be who you want to be…’, in which she said that Google recognised three kinds of user: ‘unidentified’, pseudonymous and identified. It’s a good piece, and well worth a read, and shows that within Google these debates must have been going on for a while, because the ‘real identity’ approach for Google Plus has at least in the past been directly contrary to what Whitten was saying in the blog.
That’s one of the reasons I think Vic Gundotra’s announcement is important – it suggests that the ‘privacy friendly’ people within Google are having more say, and perhaps even winning the arguments. When you combine it with the other two moves mentioned above, that seems even more likely. Google may be starting to position itself more firmly on the ‘privacy’ side of the fence, and using privacy to differentiate itself from the others in the field – most notably Facebook. To many people, privacy has often seemed like the last thing that Google would think about – that may be finally changing.
4Chan’s Chris Poole, in a brilliant speech to the Web 2.0 conference on Monday, challenged Facebook, Google and others to start thinking of identity in a more complex, nuanced way, and suggested that Facebook and Google, with their focus on real identities, had got it fundamentally wrong. I agreed with almost everything he said – and so, I suspect, did some of the people at Google. The tiny steps we’ve seen over the last few days may be the start of their finding a way to make that understanding into something real. At the very least, Google seem to be making a point of saying so.
That, for me, is the final and most important point. While Google and Facebook, the two most important players in the field, stood side by side in agreement about the need for ‘real’ identities, it was hard to see a way to ‘defeat’ that concept, and it felt almost as though victory for the ‘real’ identities side was inevitable, regardless of all the problems that would entail, and regardless of the wailing and gnashing of teeth of the privacy advocates, hackers and so forth about how wrong it was. If the two monoliths no longer stand together, that victory seems far less assured. If we can persuade Google to make a point of privacy, and if that point becomes something that brings Google benefits, then we all could benefit in the end. The nymwars certainly aren’t over, but there are signs that the ‘good guys’ might not be doomed to defeat.
Google is still a bit of a baby as far as privacy is concerned, making tiny steps but not really walking yet, let alone running. In my opinion, we need to encourage it to keep on making those tiny steps, applaud those steps, and it might eventually grow up…

UPDATED TO INCLUDE REFERENCE TO SEOS…

The privacy race to the bottom

I tend to be a ‘glass-half-full’ sort of person, seeing the positive side of any problem. In terms of privacy, however, this has been very hard over the last few weeks. For some reason, most of the ‘big guns’ of the internet world have chosen the last few weeks to try to out-do each other in their privacy-intrusiveness. One after the other, Google, Facebook and Amazon have made moves that have had such huge implications for privacy that it’s hard to keep positive. It feels like a massive privacy ‘race to the bottom’.
Taking Google first, it wasn’t exactly that any particular new service or product hit privacy, but more the sense of what lies ahead that was chilling, with Google’s VP of Products, Bradley Horowitz, talking about how ‘Google + was Google itself’. As Horowitz put it in an interview for Wired last week:
“But Google+ is Google itself. We’re extending it across all that we do — search, ads, Chrome, Android, Maps, YouTube — so that each of those services contributes to our understanding of who you are.”
Our understanding of who you are. Hmmm. The privacy alarm bells are ringing, and ringing loud. Lots of questions arise, most directly to do with consent, understanding and choice. Do people using Google Maps, or browsing with Chrome, or even using search, know, understand and accept that their actions are being used to build up profiles so that Google can understand ‘who they are’? Do they have any choice about whether their data is gathered or used, or how or whether their profile is being generated?  The assumption seems to be that they just ‘want’ it, and will appreciate it when it happens.
Mind you, Facebook are doing their very best to beat Google in the anti-privacy race. The recent upgrade announced by Facebook has had massive coverage, not least for its privacy intrusiveness, from Timeline to Open Graph. Once again it appears that Mark Zuckerberg is making his old assumption that privacy is no longer a social norm, and that we all want to be more open and share everything. Effectively, he seems to be saying that privacy is dead – and if it isn’t quite yet, he’ll apply the coup-de-grace.
That, however, is only part of the story. The other side is a bit less expected, and a bit more sinister. Thanks to the work of Australian hacker/blogger Nik Cubrilovic, it was revealed that Facebook’s cookies ‘might’ be continuing to track us after we log out of Facebook. Now first of all Facebook denied this, then they claimed it was a glitch and did something to change it. All the time, Facebook tried to portray themselves as innocent – even as the ‘good guys’ in the story. A Facebook engineer – identifying himself as staffer Gregg Stefancik – said that “our cookies aren’t used for tracking”, and that “most of the cookies you highlight have benign names and values”. He went on to make what seemed to be a very reassuring suggestion quoted in The Register:
“Generally, unlike other major internet companies, we have no interest in tracking people.” 

How, then, does this square with the discovery that a couple of weeks ago Facebook appears to have applied for a patent to do precisely that? The patent itself is chilling reading. Amongst the gems in the abstract is the following:
“The method additionally includes receiving one or more communications from a third-party website having a different domain than the social network system, each message communicating an action taken by a user of the social networking system on the third-party website”
Not only do they want to track us, but they don’t want us to know about it, telling us they have no interest in tracking.
OK, so that’s Google and Facebook, with Facebook probably edging slightly ahead in their privacy-intrusiveness. But who is this coming fast on the outside? Another big gun, but a somewhat unexpected one: Amazon. The new Kindle Fire, a very sexy bit of kit, takes the Kindle, transforms the screen into something beautiful and colourful. It also adds a web-browsing capability, using a new browser Amazon calls Silk. All fine, so far, but the kicker is that Silk appears to track your every action on the web and pass it on to Amazon. Take that, Google, take that Facebook! Could Amazon beat both of them in the race to the bottom? They’re certainly giving it a go.
All pretty depressing reading for those of us interested in privacy. And the trio could easily be joined by another of the big guns when Apple launches its new ‘iCloud’ service, due this week. I can’t say I’m expecting something very positive from a service which might put all your content in the cloud….
…and yet, somehow, I DO remain positive. Though the big guns all seem to be racing the same way, there has at least been a serious outcry about most of it, and it’s making headline news not just in what might loosely be described as the ‘geek press’. Facebook seemed alarmed enough by Nik Cubrilovic’s discoveries to react swiftly, even if a touch disingenuously. We all need to keep talking about this, we all need to keep challenging the assumption that privacy doesn’t matter. We need to somehow start to shift the debate, to move things so that companies  compete to be the most privacy-friendly rather than the most privacy-intrusive. If we don’t, there’s only one outcome. The only people who really lose in the privacy race-to-the-bottom are us….