In praise of regulation….

Travelling back from the Computers, Privacy and Data Protection conference in Brussels, I had a fascinating conversation with someone who was there right at the beginning of data protection. It was a conversation that revealed a great deal to me, first of all about the process towards the reform of the Data Protection regime, but more importantly about the whole process of reform.

The conversation was about the negotiations that led up to the adoption of the initial Data Protection Directive, back in 1995 – nearly 20 years ago – a process that has great parallels with the current, somewhat agonizing processes as we work towards a new data protection regime. This is something that needs proper academic study – but even at first glance the echoes are very strong. As it was outlined to me, the process had two very direct parallels with the current negotiations:

  1. Businesses were lobbying very heavily, and making predictions of total disaster: data protection was going to destroy business, ruin lives, etc.
  2. The UK government was supporting their lobbying – helping them directly in an attempt to undermine, weaken or possibly destroy the directive.

Exactly the same seems to be happening this time around – the business lobbying is if anything even heavier and more doom-laden, and the government has been laying it on just as thick, with speeches and reports coming thick and fast, most recently suggesting that the whole ‘regulation’ approach is inappropriate.

Now the first time around, despite the doom mongering, the business world didn’t come to an end. Data protection hasn’t brought about the end of the world as we know it – indeed, for something created nearly 20 years ago in a world where technology has been changing with incredible rapidity, data protection has, in my opinion, shown remarkable resilience and continuing relevance.

The world didn’t end….

If the world didn’t come to an end that time around, is it any more likely to this time around? It doesn’t seem likely – so we should take all the moaning, groaning and doom-mongering about the new regulation, and in particular about things like the right to be forgotten which is part of that regulation, with huge pinches of salt.

There are, of course, many other reasons that the world didn’t come to an end as a result of the introduction of data protection. The first, and perhaps most important, is that IT itself developed in such a way as to either circumvent the ‘disadvantages’ of data protection regulation, or as to make compliance with data protection easier. The latter could be said to be an advantage of the legislation – it brought about the beginnings of what’s now known as ‘privacy by design’. That is, systems were designed with compliance in mind – which is a good thing, if you believe in the aims of the legislation.

The former, that people found ways to circumvent the disadvantages, is also closely connected with the other main reason that data protection legislation didn’t cause the end of the world: many people simply ignored it, and went along their own merry way, either undetected or willing to take the consequences of any detection.

Will it be any different this time around?

All of these key factors – that systems will develop to make compliance easy or to avoid the legislation, or that people will just not bother to comply – are pretty much as likely to happen this time around as last time. IT will develop – it always does – and in all kinds of unpredictable ways. People will find ways to avoid, circumvent, or comply with the legislation in other ways – they always do. It will be the same cat-and-mouse story as before – as it is in pretty much all areas of law. Ultimately, though, life will go on.

Of course businesses moan – and of course they fear regulation, because regulation challenges them. It challenges them to change – because change is needed. That’s the real point. Regulation doesn’t arise in a vacuum, just because some bureaucrats have decided they want to wrap us all in a bit more red tape. Regulation arises, in general, because there’s a problem that needs addressing. Sometimes it arises because businesses or people have been behaving in ways that they shouldn’t, or ways that threaten the rights of others. Sometimes it arises because new technology or new situations demand it.

In the case of the new data protection regime, it’s a bit of both of these – some businesses are doing things they shouldn’t. They’re invading our privacy in ways that they really shouldn’t, and ways that do threaten our rights. And the technology has changed, and those changes need addressing. So we need a new regulation – and we shouldn’t be so afraid of it. Regulation isn’t all bad – indeed, it’s very often quite the opposite. Good, robust regulation helps those it regulates – as data protection has, in general, helped over the years.

Yes, regulation will challenge some business models – but business models NEED to be challenged. Some may even fail – but, frankly, some businesses need to fail. We shouldn’t be overly concerned by it – and shouldn’t bend over backwards to support them, as we seem to do all too often. Phorm is an example in this field which springs immediately to mind…

New regulation can help support new and better businesses – and businesses that are positive and forward-looking, that build business models that respect the privacy and rights of their customers, could find that new regulations offer new opportunities. Better businesses could get competitive advantages by behaving well, rather than by behaving badly. It’s all too easy for systems to support the unethical businesses over those that are ethical and supportive of their customers, as the last few years have demonstrated all too graphically.

…so let’s embrace regulation – even privacy regulation – and see how it can help us, rather than fighting it and fearing it. That doesn’t help anyone. The new proposed Data Protection Regulation has a lot going for it – and being more positive about it, working with it, trying to understand it rather than trying to undermine it, is much more likely to get a good result, both for people and for businesses.

Annoyed by those cookie warnings?

…spread your anger!

I’m sure you know the warnings I’m talking about – at least you do if you’re in the European Union. Warnings that appear almost every time you look at a new page on the web, telling you that the site uses cookies, generally telling you that if you continue into the site, you’re accepting they’re going to put cookies on your computer.

Annoying, aren’t they? Patronising, perhaps? Pedantic? Pointless?

Yes, all of the above. The whole thing’s a bit silly, really. As many people who visit this blog probably realise, they’re appearing as a result of a bit of European law – often referred to as the ‘cookies directive’, but more accurately an update to the e-privacy directive (the Directive on Privacy and Electronic Communications). An annoying piece of legislation, one which even before it was passed in 2009 had been subject to pretty intense criticism – and rightly so. The drafters of the legislation deserve a great deal of criticism and a good deal of anger – it’s a bit of a pig’s ear, to be frank. So do the politicians and bureaucrats who brought it into action. Typical European busybodies, I’ve heard it said. They want to control everything we do…

…and yet, deserving though they are of a lot of criticism, they’re not the only ones who should bear the brunt of the anger, of the annoyance. Legislation, even poorly drafted and misguided legislation, doesn’t emerge in a vacuum. That’s particularly true in the case of the cookies directive – it emerged, as most law does, because there was a problem. In this case, the problem was that our privacy was being invaded, persistently and on a large scale, particularly by those involved in the online advertising industry.

Those who follow my blog may have heard me write before about Phorm, perhaps the most invasive and offensive of the behavioural advertisers, whose systems were designed to intercept your entire internet activity, track you and profile you, so as to be able to target advertisements at you. Their activities were hugely invasive of privacy – so much so that the outrage that grew about it played a key part in forcing them to abandon their business – and yet the online advertising industry bodies supported them throughout and did their very best to discourage any kind of investigation into their activities.

The cookies directive – and all those annoying warnings – has its origins in that story. Whilst privacy advocates investigated and European politicians and bureaucrats tried first of all to find out what was happening and then to work out some kind of solution, what they got from the industry was characterised by denial, obfuscation and obstruction. Either there wasn’t a problem at all, or it would be best solved by self-regulation. Neither of those was true – and the people, politicians and bureaucrats knew it. Their equivalents in the US know it too, which is why they’re still trying to get the ‘Do Not Track’ initiative off the ground – and in the US they’re receiving the same kind of resistance as they got in Europe.

Regulators don’t like being fobbed off. They don’t like being treated without respect, or told they’re being foolish – it’s not the best way to get useful, helpful and productive regulation. Instead, it’s likely to bring about bad law – stuff like the cookies directive. Yes, it’s a stupid law – but it would never have been brought into action if the online advertisers had admitted that there was a problem, and at least tried to do something about it. If they’d shown some degree of understanding first of all that people were upset, secondly that they had a reason to be upset, and thirdly that they should do something about it, then they might have been able to head off the legislative mess that has resulted. They didn’t.

It’s not an unusual story – there are parallels with the way the newspaper industry’s far-from-effective self-regulation led to the Leveson Inquiry, and may end up in over-the-top regulation of the press. If you behave badly, and continue to behave badly even when people complain, things like that happen…. and you can’t just blame the regulators.

In the case of the cookies directive – and all those annoying warnings – the online advertising industry should take their share of your annoyance and anger…..

Phorm – a chapter closes?

Another chapter of the long-running Phorm saga seems to have come to a close, with the announcement by the European Commission that they have closed the infringement case with the UK about their implementation of rules on privacy in electronic communications. In order to get this closure, the UK had, in the words of the Commission press release

‘amended its national legislation so as not to allow interception of users’ electronic communications without their explicit consent, and established an additional sanction and supervisory mechanism to deal with breaches of confidentiality in electronic communications.’

This case came about as a result of the big mess that the UK government got into over Phorm – something which I’ve written about both academically and in blogs on more than one occasion before. In essence, the government decided to back Phorm, a business which privacy advocates and others had been telling them from the very beginning was deeply problematic, and that decision backfired pretty spectacularly. The amount of egg that ended up on government faces as a result of the affair was pretty spectacular. The action of the Commission was a direct result of the admirable work of campaigners like Alexander Hanff at Privacy International, drawing on the excellent investigatory analysis by the University of Cambridge Computer Lab’s Richard Clayton and the legal work of Nicholas Bohm for the Foundation for Information Policy Research – work that was effectively in direct opposition to the government. This work led to questions to the commission, upon which the commission acted, as well as, more directly, to the collapse of the Phorm business model as its business allies deserted it and opposition from the public became clearer and clearer.

Phorm’s business model was particularly pernicious from a privacy perspective. They took behavioural advertising (which is problematic in most of its forms) to an extreme, monitoring people’s entire browsing behaviour by intercepting each and every click made as you browse, in order to build up a profile which they then used to target advertising. All this without real consent from the user, or at least so it appeared, and indeed without the consent of the owners of the websites to whom these intercepted instructions were intended to be sent. As a model it appeared to break not only laws but people’s ideas about being under surveillance – Orwellian in the extreme. It failed here – thanks to the resistance noted above – and has since failed again in South Korea, and appears to be failing in Romania (about which I’ve blogged before) and Brazil, the three places that Phorm’s backers have tried it since. In each case, it looks as though people’s resistance has been a key….

There are lessons to learn for all concerned:

1) Those of us advocating and campaigning for privacy can take a good deal of heart from the whole affair – essentially, we won, stopping the pernicious Phorm business model and forcing the UK government not just to back down but to change the law in ways that, ultimately, are more ‘privacy-friendly’. ‘People power’ proved too strong for both business and government forces in this case – and it may be possible again. We certainly shouldn’t give up!

2) Businesses need to take note: privacy-invasive business models will face opposition, and that opposition is more powerful than you might imagine. From the perspective of the symbiotic web (my underlying theory, more about which can be found here), if a privacy-invasive model is to succeed, it must give something back to those whose privacy is invaded, something of sufficient value to compensate for the privacy that is either lost or compromised. In Phorm’s case, there was very little benefit to the people being monitored – the benefit was all for Phorm or Phorm’s advertising partners. That sort of model isn’t going to succeed nearly as easily as businesses might think – people will fight, and fight well! Businesses would do better to build more privacy-friendly models from the outset…

3) Governments need to understand the needs and abilities of the people – as well as the needs of businesses and business lobby groups. People are getting more and more aware and more and more able to articulate their needs and make their views known – and to wield powers beyond the understanding of most governments. The recent resistance to SOPA and PIPA in the US is perhaps another example – though the fact that people’s interests coincided with those of internet powerhouses like Wikipedia and Google may have been even more important.

This last point is perhaps the most important. Governments all over the world seem to be massively underestimating the influence and power of people, particularly people on the internet. People will fight for what they want – and, more often than governments realise, they will find ways to win those fights. There needs to be a significant shift in the attitude of those governments if we are not to have more conflicts of the sort that caused such a mess over Phorm. There are more conflicts already on the horizon – from the judicial review of the Digital Economy Act to the shady agreement that is ACTA. There will be a lot of mess, I suspect, much of which could be avoided if ‘authorities’ understood what we wanted a bit more.  The people of the net are starting to get mad, and they’re not going to take it anymore.

Romanian re-Phorm-ation?

News has emerged this week that Phorm, the online-behavioural-advertising company about which a great deal has been written (including by me), has targeted a new country for its latest attempt to track internet users’ every move: Romania.

Having been kicked out of the UK after a huge struggle a couple of years ago – a struggle from which civil society came out with a lot of credit, not least the Foundation for Information Policy Research and in particular the work of Richard Clayton and Nicholas Bohm, while the UK government came out with a severe amount of egg on its face – Phorm has tried to relaunch its services in a number of other countries. South Korea was the first, then Brazil, both without much sign of success, before the current efforts in Romania.

As a reminder, what Phorm’s services essentially do is ‘intercept’ the instructions a user sends as he or she browses the web – every site visited, every link followed, every click – and use that information to build up a profile of the user, mostly to enable it to target advertising as accurately as possible but potentially (at least according to the publicity put out by Phorm during their attempts to launch in the UK) to tailor content. In a lot of ways Phorm’s system is only a logical extension of what many other advertisers on the web do – almost everyone’s at it, from Google to Facebook to Amazon (particularly if the stories emerging about the Kindle Fire are true). There are significant differences, however, to even the most privacy-invasive services offered by the others. The most important of these is that it covers ALL your activity on the web: even the latest furore about Facebook tracking you when you’re logged out didn’t get close to that, only potentially tracking you when you visit sites with Facebook links or ‘like’ buttons.

The second difference, almost as important, is that in exchange for these immense invasions of privacy, Phorm offers you nothing except better targeted advertising – something that few people would value very much. All the others give you something quite significant in exchange for their gathering your data: Google offers you very effective search engines, mapping systems, blogging services (including the one on which this blog is hosted) and much more, Facebook provides a social networking service of huge functionality, while Amazon’s Kindle is a lovely bit of kit for a remarkably small price, one that many people enjoy. There’s a ‘bargain’ going on for your data, even if few people fully grasp that this exchange is going on. With Phorm there’s nothing – essentially, they just spy on you for their own benefit, and give you nothing in return. Indeed, they might even harm your browsing, as the ‘interception’ process can potentially slow down your web-browsing.

Phorm failed in the UK, and I for one am very glad that they did. I hope the same happens in Romania, unless they’ve changed their practices significantly. The signs so far, sketchy though they are, do not suggest that this is very likely. Just as they did in the UK, they’ve done a deal with one of the big ISPs, Romtelecom, which is a part state-owned telecoms and internet company, and are looking for business partners. Their product appears to be pretty much the same as it was before, though they do at least mention the word ‘choose’ in terms of customer actions. That ‘choice’ does not seem to amount to much in reality, and indeed there seems to be another twist: they’ve added flash cookies to the system, with the express intention of using them to re-spawn their own status cookies in case you ‘accidentally’ delete them. The precise technical details have not yet emerged: I am looking forward to finding out if they’ve learned the lessons of their previous failures and decided to do something that actually respects the individual users and gives them some kind of real consent process. I’m not exactly waiting with bated breath…
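The ‘re-spawning’ trick mentioned above is worth seeing in concrete form, because it is what turns a cookie you can delete into one you cannot. What follows is an added illustration written for this post, not Phorm’s code, and nothing is known about Phorm’s actual implementation beyond the intention reported above. It assumes the general shape of the technique as practised at the time: a tracker keeps a copy of its status cookie in a second store that the browser’s ‘clear cookies’ button does not touch (Flash Local Shared Objects were the usual choice, since browsers of that era did not clear them alongside HTTP cookies), and on every page load it silently recreates the cookie from that copy if the cookie has gone. The cookie name, the user identifier and the two in-memory stores are all constructed for the example; the last function shows the check a user or auditor can run, and the only fix that actually works, which is clearing every store the tracker can write to.

```javascript
// Model of cookie re-spawning from a secondary store, plus a detection check.
// Added example, not Phorm's code. The cookie name and identifier are hypothetical.

const TRACKER_COOKIE = 'tracker_status'; // hypothetical status cookie name

// One browsing session: the browser's cookie store and a second store that
// 'clear cookies' does not empty (stand-in for a Flash Local Shared Object).
function newSession() {
  return { cookieJar: new Map(), lsoStore: new Map() };
}

// Tracker side, first visit: set the status cookie and mirror it into the
// secondary store.
function trackerSetStatus(session, userId) {
  session.cookieJar.set(TRACKER_COOKIE, userId);
  session.lsoStore.set(TRACKER_COOKIE, userId);
}

// Tracker side, every page load: if the cookie is missing but the mirror is
// still there, recreate the cookie from the mirror. Returns true if it did so.
function trackerRespawn(session) {
  if (!session.cookieJar.has(TRACKER_COOKIE) && session.lsoStore.has(TRACKER_COOKIE)) {
    session.cookieJar.set(TRACKER_COOKIE, session.lsoStore.get(TRACKER_COOKIE));
    return true;
  }
  return false;
}

// User side: what the browser's 'clear cookies' control removes. The secondary
// store is untouched, which is the whole point of the technique.
function userClearsCookies(session) {
  session.cookieJar.clear();
}

// User side: the fix, clearing every store the tracker can write to.
function userClearsEverything(session) {
  session.cookieJar.clear();
  session.lsoStore.clear();
}

// Auditor side: snapshot the cookies, clear them, reload, and list every cookie
// that came back with exactly the value it had before. A value that survives
// deletion unchanged was restored from somewhere the user did not clear.
function detectRespawn(before, after) {
  const respawned = [];
  for (const [name, value] of before) {
    if (after.has(name) && after.get(name) === value) respawned.push(name);
  }
  return respawned;
}

// Scenario 1: clear cookies only. The identifier survives and the check flags it.
function scenarioClearCookiesOnly() {
  const s = newSession();
  trackerSetStatus(s, 'user-12345'); // constructed identifier
  const before = new Map(s.cookieJar);
  userClearsCookies(s);
  const respawned = trackerRespawn(s); // simulated next page load
  return { respawned, flagged: detectRespawn(before, s.cookieJar) };
}

// Scenario 2: clear every store. Nothing to respawn from; the check stays clean.
function scenarioClearEverything() {
  const s = newSession();
  trackerSetStatus(s, 'user-12345');
  const before = new Map(s.cookieJar);
  userClearsEverything(s);
  const respawned = trackerRespawn(s);
  return { respawned, flagged: detectRespawn(before, s.cookieJar) };
}

module.exports = { scenarioClearCookiesOnly, scenarioClearEverything, detectRespawn };
```

The detection step is the one worth remembering: note the cookie values, delete them, reload the site, and see which come back identical. A fresh cookie after deletion is normal; the same identifier coming back is not, and tells you the site is keeping a copy somewhere you have not yet cleared.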

I have a personal connection with Romania – my wife’s Romanian – and that country has experienced far too much of surveillance and invasions of privacy in the past. Indeed, Romania was one of the first countries to hit out against the privacy-invasive Data Retention Directive, its Constitutional Court striking down the law implementing the Directive in Romania as unconstitutional in 2009. I am fully confident that they will find a way to fight against this latest intrusion into their privacy. Phorm may have chosen Romania as a ‘soft target’. I suspect they’ll find the reality quite different, unless they’ve seriously changed their spots….

The real challenge for IT Lawyers: the law!

Sometimes it’s tempting for an IT lawyer – or rather an academic IT lawyer – to feel that things are moving essentially in the right direction, that the subject is getting more mainstream, more understandable – and more importantly, more understood. In some ways, of course, that’s true – but in others, we need to remember that things are far from positive, and that in many ways the ‘establishment’ – the legal system, the politicians, even the public – still don’t really ‘get it’ at all. Perhaps the most important of these is the legal system. To a significant extent it seems as though the legal system – and the law – is just completely out of kilter with the reality of the IT world, and in particular the internet.

A couple of things in recent weeks have driven that home to me. Neither was surprising, but both were disappointing, particularly to those of us interested in privacy and autonomy. First of all, there was the announcement that there won’t be any prosecutions arising from the Phorm secret trials, something which has been greeted with dismay by privacy advocates. Secondly, and most recently, was the failure of the judicial review to overturn the Digital Economy Act.

In both cases, it’s easy to see how the results came about – and indeed to argue that from a precise legal standpoint the results might have been technically correct. In both – and in the case of the Digital Economy Act in particular – it shows that the legal system really doesn’t understand what’s going on in the internet, and how our online world functions. The Digital Economy Act – in its provisions concerning the policing of illegal downloading – is so clearly inappropriate that it’s hard to find an academic lawyer in the field who believes it’s appropriate or proportionate, or even who believes that it stands any real chance of being effective. Precisely the opposite. It won’t work. It misses the point. It will victimise the innocent. It shows a fundamental misunderstanding of both the nature of the internet and the habits of most of those who use it. It’s such a bad law it just makes many of us shake our heads in disbelief.

The Phorm story is a little less dramatic, but demonstrates some similar features. The CPS have decided not to prosecute – and they may be right that there might not be much chance of a result. That, however, just reveals that our legal system doesn’t have the teeth or the capability to deal with the reality of the internet – for what Phorm and BT did was something that the law should have been able to deal with. It was a serious invasion of privacy on a very serious scale – secretly tracking the entire internet activities of 30,000 people without their knowledge or consent – and yet the law seems to be incapable of dealing with it, incapable of providing people with the kind of protection that people need. The kind of protection that people have a right to expect. The law should do this – and in its current form it doesn’t.

In the grand scheme of things, neither of these two incidents is likely to matter in the end. Despite the failures of the law, Phorm still failed, brought down by a combination of the privacy advocacy of such excellent groups as the Open Rights Group and the Foundation for Information Policy Research, interventions by the European Commission, and the belated intelligence of businesses like BT who withdrew their support as they began to understand how things really work. Similarly, the Digital Economy Act is likely to end up an irrelevance, as the people it is intended to catch find ways to sidestep it, as further legal challenges arise, and as embarrassing prosecutions fail – and something that gets closer to understanding the reality of the situation is brought in to replace it.

It feels, though, as if the legal system needs to be dragged kicking and screaming into the modern world. That’s the challenge for IT lawyers. People are thinking and writing interesting, informative and insightful things about the nature of the internet – but right now, it isn’t being sufficiently read or understood, and certainly isn’t finding its way into the mindsets of those creating or enforcing the law. It needs to be – for though other forces will (and have, in the case of Phorm) stop many of the worst things from happening, without the law being ‘fit for purpose’ everything is a struggle, and many people suffer along the way.