Taking a lead on privacy??

Two related stories about privacy and tracking are doing the rounds at the moment: both show the problems that companies are having in taking any sort of lead on privacy.

The first is about Apple, and the much discussed recent upgrade to their iOS, the operating system for the iPhone and iPad. There’s been a huge amount said about the problems with the mapping system (and geo-location is of course a huge privacy issue – as I’ve discussed before) but now there’s an increasing buzz about their newly introduced tracking controls. Apple, for the first time, have provided users with the option to ‘limit ad tracking’ – though as noted in a number of stories, including this one from Business Insider, that option is hidden away, not in the vaunted ‘Privacy’ tab, but under a convoluted set of menus (first ‘General’ settings, then ‘About’, then scroll down to the bottom to find ‘Advertising’, then click ‘Limit Ad Tracking’). Not easy to find, as even the techie and privacy geeks that I converse with on twitter have found.

This of course raises a lot of issues – it’s great to have the feature, but the opposite to have it hidden away where only the geeks and the paranoid will find it. It looks as though the people at Apple have been thinking hard about this, and working hard at this, and have come up with an interesting (and perhaps effective – but more on that below) solution, but then been told by someone, somewhere, that they should hide it for fear of upsetting the advertisers. I’d love to know the inside story on this – but Apple are rarely quite as open about their internal discussions as they could be.

There’s a conflict of motivations, of course. On the one hand, Apple wants to make customers happy, and there is increasing evidence that customers don’t want to be tracked – most recently this excellent paper from Hoofnagle, Urban and Li, appropriately entitled “Privacy and Modern Advertising: Most US Internet Users Want ‘Do Not Track’ to Stop Collection of Data about their Online Activities”. On the other hand, Apple don’t want to annoy the advertisers – particularly when the market for mobile is getting increasingly competitive. And the advertisers seem to be on a knife edge at the moment, very touchy indeed, as the latest spats over the ‘Do Not Track’ initiative have shown.

That’s the second story doing the rounds at the moment: the increasing acrimony and seemingly bitter conflict over Do Not Track. It’s a multi-dimensional spat, but seems to have been triggered by Microsoft’s plan to make do not track ‘on’ by default – something that the advertising industry are up in arms about. The ‘Digital Advertising Alliance’ issued a statement effectively saying they would simply ignore Microsoft’s system and track anyway – which led to privacy advocates suggesting that the advertisers wanted to kill the whole Do Not Track initiative. This is Jeff Chester of the Center for Digital Democracy:

“The DAA is trying to kill off Do Not Track.  Its announcement today to punish Microsoft for putting consumers first is an extreme measure designed to strong-arm companies that care about privacy.”

Chester and others saying similar things may be right – and it makes people like me wonder if the whole problem is that the ‘Do Not Track’ initiative was never really intended to work, but was just supposed to make people think that their privacy was protected. If it actually got some teeth – and setting it to a default ‘on’ position would be the first way to give it teeth – then the industry wouldn’t want it to exist. There are other huge issues with Do Not Track anyway. As the title of the Hoofnagle, Urban and Li report suggested, people think ‘Do not track’ means they won’t be tracked – that their data won’t be collected at all – while the industry seems to think what really matters to people is that they aren’t targeted – i.e. their data is still collected, and they’re still tracked and profiled, but that tracking isn’t used to send advertisements to them. For me, that at least is completely clear. Do Not Track should mean no tracking. Blocking data collection is more important than stopping targetting – because once the data is collected, once the profiles are made, they’re available for misuse later down the line.

That, far deeper point, is still not being discussed sufficiently. The battle is at a more superficial level – but it’s still an important battle. Who matters more, the consumers or the advertisers? Advertisers would have us believe that by stopping behavioural targetting we will break the whole economic basis of the internet – but that is based on all kinds of assumptions and presumptions, as Sarah A Downey pointed out in this piece for TechCrunch “The Free Internet Will Be Just Fine With Do Not Track. Here’s Why.” At the recent Amsterdam Privacy Conference, Simon Davies, one of the founders of Privacy International, made the bold suggestion that the behavioural targetting industry should simply be banned – and there is something behind his argument. Right now, the industry is not doing much to improve its image: seeming to undermine the whole nature of Do Not Track does not make them look good.

There’s another spectre that the industry might have to face: the European Union is getting ready to act, and when they act, they tend to do things without a great deal of subtlety, as the fuss around the Cookie Directive has shown. If the advertisers want to avoid heavy-handed legislation, they should beware: ‘Steelie’ Neelie Kroes is getting impatient. As reported in The Register, if they don’t stop their squabbling tactics over Do Not Track, she’s going to call in the politicians….

Someone, somewhere, has to take a lead on privacy. Apple had the chance, and to a great extent blew it, by hiding their tracking controls where the sun doesn’t shine. Microsoft seems to be making an attempt too, but will they hold their nerve in the face of huge pressure from the advertising industry – and even if they do, will their lead be undermined by the tactics of the advertising industry? If no-one takes that lead, no-one takes that initiative, the EU will take their kid gloves off… and then we’re all likely to be losers, consumers and advertisers alike….

Opt-in is no red herring…

Briefly, very briefly, Microsoft looked like being surprising but serious ‘good-guys’ in relation in Internet privacy. They announced that Internet Explorer 10 would be launched with ‘do not track’ set as ‘on’ by default. That is, that out of the box (or more likely when downloaded), Internet Explorer would be set to prevent tracking by behavioural advertisers. When I read the story, I was shocked, momentarily delighted, and then instantly cynical… and the cynic ended up being right, because within a week, and before it was launched, action was taken to stop it happening.

As Wired reported it, the new draft of the Do Not Track specification, less than a week after Microsoft’s announcement, required that the system be set to ‘opt-out’, rather than ‘opt-in’: users must make a specific decision NOT to be tracked, rather than a specific decision to allow tracking. The idea of Microsoft as heroes of privacy died a quick and sadly unsurprising death…..

Why did this happen?

…and why does it matter? Well, I’ve banged on a large number of times about the importance of ‘opt-in’ – partly because I’m in general an ‘autonomy’ person, who likes the idea of us having as much freedom of action as I can, and partly because I understand the importance of defaults. Defaults matter. They really matter. From a philosophical perspective they matter because they suggest (and even sometimes set) the norms of the society. Is our ‘norm’ that we’re happy to be tracked and surveilled? That’s what setting the default to ‘opt-out’ means. It means that ‘normal’ people don’t mind being tracked, it’s only extremists and privacy geeks that care, and they’ll find their way to turn the tracking off. I don’t know about the rest of you, but that’s a norm I don’t want to accept!

More importantly, perhaps, they matter  for a simple, practical reason: because the majority of people don’t ever bother to change their settings – so what they’re given to start with it what they’ll stick with. The internet advertisers know that, and know that very well, which is why Microsoft’s initial announcement must have sent shivers down their spines – and why they made sure that it was quickly and relatively quietly killed. They don’t want ‘normal’ people to avoid being tracked – or even to think about whether they’re being tracked, or at the implications of their being tracked.

Opt-in is NOT a red herring

At a few conferences recently I’ve been told that opt-in is a red herring, that it doesn’t matter, and that only old fuddy-duddies who really don’t ‘get it’ still care about it. At a Westminster e-Forum, the panel basically refused to answer my question about it, and tried to get the audience to laugh rather than respond. There have been good pieces written about the down side of opt-in – most notably ‘opt-in dystopias’ by Lundbad and Masiello (which you can find here), and it cannot be denied that opt-in is far from a panacea. We all know that when given terms and conditions we generally just scroll through them without reading them and just click ‘OK’ when we’re asked.

That, however, does not mean that we should abandon the idea of opt-in: it just means that we should be more intelligent and flexible about it. Find a way that emphasises the important bits about something rather than giving us page after page after page of mind-numbing legalese. Use the interactive and user-friendly nature of modern software to make the process work better – rather than make it work so badly that people ignore it.

The advertisers and others who want to track us understand this very well – and they’re almost certainly delighted that to an extent they’ve managed to shift the discussion away from the opt-in/opt-out agenda, that they’ve managed, to a great extent, to pull the wool over the eyes over even some very experienced and quite expert privacy activists into accepting their own agenda. We should not let this happen.

Defaults matter. Opt-in matters. This little story with Internet Explorer shows that the advertisers know this. Those of us working in the privacy field should remember it too.

Dogs will be dogs…

The growing furore over the gathering and retention of location data by smartphones reminds me very strongly of a joke that I heard first in the school playground many years ago. ‘Why does a dog lick his balls? Because he can.’
The same is true about smartphone operators. Why do they gather location data? Because they can. Technically, they can, because of the very nature of smartphones. Legally they can, because our laws over this kind of thing are obtuse and opaque – and because they understand the way they can get ‘consent’ through the small print of terms and conditions that no-one ever reads, let alone understands.
A lot of the discussion about the current furore has centred around the individual companies concerned, and brought out all the usual views of the merits or otherwise of Apple, Google and Microsoft – but whether you consider each of them to be fancified show-bred French poodles, friendly and loveable Labradors or ageing but far from toothless Rottweilers, they’re all dogs, and dogs will be dogs. Even the best behaved and most presentable show dog will lick his balls if he’s allowed to.
Three questions arise for me. Firstly, why are people surprised? Many people seem to be genuinely shocked by what has been revealed – even people who know a great deal about the subject. Is it really such a surprise? We’ve known about the capabilities of smartphones since they first emerged, and about the behaviour of all the companies involved for even longer. Dogs will be dogs.
The second question is whether any of it matters – and for me the answer is clear. Of course it matters, and matters a lot. That doesn’t mean that we need to panic, or need to throw our iPhones, Blackberries and HTCs in the nearest river – just that we need to aware of what is going on, and do what we can to ameliorate or manage the situation.
That brings me to the last question – what, if anything, can be done about it? Well, if we were talking about dogs, the answer would be simple: make sure they’re well trained, and well managed. If badly looked after, dogs behave badly. If they’re well trained, they can be very useful, helpful and excellent pets. They can help us in our personal lives, in our work and in many social situations – but you still need to train them and manage them. We need to do the same for the likes of Apple, Google and Microsoft. Show them who’s boss – using all the tools we can to do so. That means putting the right laws in place, but also using our powers as consumers, as advocates, and lobbyists.
If dogs know what they can do and what they can’t, they’ll behave much better. It’s very hard to train a dog not to lick his balls – and probably just as hard to train companies like Apple, Google and Microsoft not to push the limits of privacy – but it can be done. We need to tell them that this kind of thing is not acceptable – and back up what we say with the law and with our money. If we don’t want our location data gathered, we need to be clear about it.
My personal view is that we have the right not to have this kind of thing happen to us – and that we need to proclaim that right (and other rights) loud and clear.