Lobbyists: who pays the piper…

A few weeks ago I experienced first hand the role of lobbyists, when I saw them do their best to start steering the CREATe project in their own direction (see my blog here). In the time since then, two more issues have come up that have highlighted their significance – and why we need to be concerned. We should be looking much more carefully at their activities.

Copyright lobbyists

To recap, at CREATe it was the lobbyists for the ‘content’ industry – what might loosely be called ‘copyright’ lobbyists – who were trying to ensure that the project, which is amongst other things looking at copyright reform, did not dare to challenge their assumption that ‘piracy’ needs to be stomped on above all things. The copyright lobby is a very powerful one indeed, and has had huge influence on the policies of governments worldwide – in the UK, they still seem to have a firm grip on all the major parties, and were the key behind the controversial Digital Economy Act. They are, however, only one of the lobby groups that we should be watching.

Advertising industry lobbyists

The second emerging issue concerns another key lobby – the online advertising industry. For privacy advocates like me, the advertising industry as often been a bit of a bête noire – behavioural advertising in particular generally works through significant invasions of privacy – but their recent activities in relation to the ‘Do Not Track’ initiative have been concerning. They’ve been fighting tooth and nail to block Microsoft’s idea that DNT should be ‘on’ by default on Internet Explorer – and according to Alexander Hanff they’ve also managed to co-opt privacy advocates to help undermine the DNT specification itself, allowing for ‘de-identified’ tracking without any kind of consent.

There’s a long way to go on this one, but I’m far from alone in thinking that they’ll manage to pretty much entirely neuter DNT. As security expert Nadim Kobeissi put it in a blog post yesterday, DNT is becoming ‘Dangerous and Ineffective’. We can largely thank advertising industry lobbyists for that.

‘Internet Industry’ Lobbyists

The third and potentially most worrying of all the recent lobbyists activities to emerge is the story of US ‘internet industry’ lobbyists working to undermine the draft Data Protection Regulations. As the Telegraph reported:

“Tory MEPs ‘copy and paste Amazon and Google lobbyist text'”

As I also experienced first hand at the Computers, Privacy and Data Protection conference in Brussels earlier this month, industry lobbyists particularly from the US are very concerned by the proposed Data Protection Regulation, partly because as drafted it would allow them to have the power to actually fine industry groups a meaningful amount of money – 2% of their global turnover – the kind of fine that would actually make a difference, and could actually make them change their activities.

Making changes….

That’s the key – indeed, the key for all three of the lobbying stories above. A resistance to change. The copyright lobbyists don’t want to have to change either their business model or their approach to enforcement. The advertising industry don’t want to have to change their privacy-invasive way of tracking people. The ‘internet industry’ companies don’t want to have to change their way of gathering and using people’s personal data. And in all three cases, they don’t seem to really care what people want or care about. In the copyright lobbyists example, as I noted in my blog at the time, they seem to be resisting even the gathering of evidence. In the other two cases, I suspect the same is true – because the more evidence that comes out, the clearer it is that people do care about privacy and don’t want to be tracked.

It’s not US vs EU

One of the most common arguments made in these cases is that it’s some kind of a Transatlantic conflict – a ‘cultural difference’ between the US and the EU. We in Europe are trying to ‘impose’ our values onto the US. Is it true? Well, the most recent evidence suggests otherwise – indeed, it suggests that people in the US care every bit as much as people in Europe do about privacy. According to a recent survey, 77% of Americans would select ‘do not track’  if it were available – putting them above many European countries, below only France. As David Meyer put it: ‘Think Europeans are more into data privacy than Americans? Think again.”

I suspect he’s right – and the divide isn’t a Transatlantic one. It’s a divide between individuals everywhere and the industry lobbyists. Lobbyists, by their nature, look out for those they’re lobbying on behalf of. Of course they do – that’s their job. We need to understand that – and act appropriately. What the lobbyists do should worry us – because they don’t serve our interests. Who pays the piper calls the tune – and it’s not us!

That’s not to say that they don’t have legitimate interests – they do! What the industries they represent do is crucial for all of us, for the future of the internet. However, it does need to be balanced, and right now it looks very much out of balance.

Google, privacy and a new kind of lawsuit

Today is Data Privacy Day – and new lawsuit has been launched against Google in the UK – one which highlights a number of key issues. It could be very important – a ‘landmark case’ according to a report on Reuters. The most notable thing about the case, for me, is that it is consumer-led: UK consumers are no longer relying on the authorities, and the Information Commissioner’s Office in particular, to safeguard their privacy. They’re taking it into their own hands.

The case concerns the way that Google exploited a bug in Apple’s Safari browser to enable it to bypass customers’ privacy settings. As reported on Reuters:

“Through its DoubleClick adverts, Google designed a code to circumvent privacy settings in order to deposit the cookies on computers in order to provide user-targeted advertising. The claimants thought that cookies were being blocked on their devices because of Safari’s strict default privacy settings and separate assurances being given by Google at the time. This was not the case.”

The group of consumers have engaged noted media and telecomms lawyers Olswang for the case. Dan Tench, the partner at Olswang responsible for the case, told Reuters:

“Google has a responsibility to consumers and should be accountable for the trust placed in them. We hope that they will take this opportunity to give Safari users a proper explanation about what happened, to apologise and, where appropriate, compensate the victims of their intrusion.”

For further information – and if you want to join the action – Tench can be contacted by email at daniel.tench@olswang.com

There’s also a Facebook page for the suit: https://www.facebook.com/SafariUsersAgainstGooglesSecretTracking

What’s important here?

The case highlights several crucial aspects of privacy on the net. The first is the extent to which we can – or should be able to – rely on the settings we make on our browsers. What was happening here is that those settings were being overridden. Now it’s a moot point quite how many people use their privacy settings – or indeed even know that they exist – but if those settings are being overridden by anyone, let alone a company as big and respected as Google, it’s something that we need to know about and to fight. Browser settings – and privacy settings in general – are the key control, perhaps the only control, that individuals have over their online privacy, so we need to know that they work if we are to have any trust. A lack of trust is something that damages everyone.

The second is that the case highlights that users aren’t going to take things lying down – and neither are they going to rely on what often seem to be supine regulators, regulators unwilling to take on the ‘big boys’ of the internet, regulators who seem to take their role as supporters of business much more seriously than their role as protectors of the public. Alexander Hanff, a privacy advocate who is assisting Olswang on this case, said that:

“This group action is not about getting rich by suing Google, this lawsuit is about sending a very clear message to corporations that circumventing privacy controls will result in significant consequences. The lawsuit has the potential of costing Google £10s of millions, perhaps even breaking £100m in damages given the potential number of claimants – making it the biggest group action ever launched in the UK. It should also be seen as a message to the Information Commissioner’s Office that they are in contempt of the British public and are not doing their job.”

This last point is crucial – and it may suggest not that the Information Commissioner’s Office are not doing their job but that their job is one that needs redefining. The ICO sometimes appears to be caught between two stools – their role is more complex than just as protectors of the public. They’re not a Privacy Commissioner’s Office – and perhaps that is what we need. An office with teeth whose prime task is to protect individuals’ privacy.

What happens next?

This lawsuit will be watched very carefully by everyone in the field of online privacy. The number of people who join the case is one question – there are plenty who could, as Safari, though somewhat a niche browser on computers, is the default browser on iPhones, so is used by many millions in the UK. How it progresses has yet to be seen – there are many different possibilities. If nothing else, I hope it acts as a wake-up-call for all involved: Google, the ICO, and the public.

If you “can’t” leave Facebook…

I’ve been posting a lot about Facebook recently. I gave ‘10 reasons to leave Facebook‘ a few weeks ago – but for many people that seems either to be impossible, or very, very difficult. So, what can you do if you ‘can’t’ leave Facebook, and you want to minimise your privacy risks? After the new stuff on Facebook’s Graph Search (see my blog posts here and here), now the revelation that people on Facebook will no longer have the option to avoid being ‘searchable’, this is becoming more and more important.

So what can you do? Well, here are twelve suggestions from me – I’m sure there are many more…

  1. Check your privacy settings. Really check them. Lock them down as tight as you can – but remember that they only control what other users can see, not what Facebook can see or use for their profiling of you.
  2. Prune your ‘friends’ list down to an absolute minimum. With Graph Search this is particularly important – it seems as though Graph Search will assume that if you’re ‘friends’ with someone then all your data is available for full analysis for search by those friends. If they’re just people you met once, or were in the same year as at school or college, would you really trust them with your most intimate details?
  3. Never press the ‘like’ button ever, ever again. The ‘like’ button is another of the profiling keys – and could effectively give permission for those whom you like to access your data.
  4. Do a serious deletion job on your photographs – Graph Search will search them, facial recognition may be applied, and not just to you but to anyone in the photos. If you have a friend (a real one) who’s in one of your photos, it’s not just you who’s being subject to privacy risks.
  5. Think before you post any more photos – same reasons, really. Do you really need to ‘share’ that picture? If you don’t, don’t! And if you ‘need’ to, is there a way to do it other than Facebook?
  6. Never use geolocation again – at least not on Facebook. If you’re given the option to allow any application to know your location, say no! Geolocation is a tool that’s immensely useful at times – when you’re using maps, or other transport apps (for train timetables etc) but most of the time it’s really not necessary at all.
  7. Check the apps you use to access Facebook on your phone or tablet – there are all kinds of risks associated with apps that people simply don’t think about. The settings may be very different from what you think – again, think geolocation, think photo tagging.
  8. Think about when you post, as well as what and why. Posting at night, for example, could profile you as a ‘night owl’, for whatever reason.
  9. Don’t play games on Facebook – play them somewhere else. Games are primarily used for profiling, and may have privacy risks attached that are not immediately obvious.
  10. Don’t sign into any other service ‘via Facebook’ if you have the option. All you’re doing is allowing the two services to share data, to add depth and strength to their profile.
  11. Sign out of Facebook whenever you’re not using it – don’t leave it running in the background when you do other stuff. When you’re signed in, you can be giving permission to Facebook to track or follow other activities. Now they might be doing that anyway, but you shouldn’t give them the legal excuse to!
  12. Keep ‘work’ and home separate on Facebook if you can. It may not be easy….

Finally, though, think again about whether you really do need to be on Facebook. You may need to – or you may want to – but if so, you should manage your risks and be as ‘savvy’ about it as you can.

Facebook Graph Search: Privacy issues….

thumbs-downI wrote yesterday about Facebook’s new ‘Graph Search’ system – in particular, about the way in which it is intended to convince people to put more and better data onto the system, and to lock them and businesses further into the Facebook system. What I didn’t talk about much was privacy…. not because there aren’t privacy issues with the new system, but more because there are so many privacy issues that it’s hard to know where to start.

One of the most interesting things is that as a part of the launch, Mark Zuckerberg has been very keen to stress that privacy is built into the system, even releasing information suggesting that the reason he went with Bing rather than Google for the web-search part of the service is that Google weren’t ‘privacy-friendly enough’ for him – see this piece in the Guardian. Why did he do that? Well, in one way I’m glad he did because it shows that he knows that people care about privacy, and that Facebook doesn’t exactly have the greatest reputation about privacy, to put it mildly. However, I’m far from convinced that what he’s been saying means very much – because the essence of Facebook Graph Search makes privacy very, very hard to achieve.

There are many things to mention – I can’t even get close to covering them all in one post. I’ll start with the very purpose of the system. Zuckerberg gave an example of a possible search: “people who like fencing and live in Palo Alto”. It doesn’t take much of a stretch to turn that into something distinctly creepy: “Single women who live in Palo Alto, work in Menlo Park and ‘like’ public transportation.” You can take it a lot further than that – which is why many commentators suggest that the system could be a stalker’s dream. Facebook already allows things that point in that direction: the scrutiny of other peoples’ profiles is one of the points of the system. Graph Search takes that to another level…

Secondly, the idea of the ‘built-in privacy’ that Zuckerberg talked about is that ‘stuff’ is only searchable if you’ve let friends see it anyway. There are big problems with that. Firstly, it relies on people understanding and using Facebook’s notoriously over complex privacy settings – which is quite something to rely on. Secondly, it assumes that if you’re willing to let your friends see or know something, then you’re willing to let it be aggregated, analysed, searched, sorted and so forth… which is of course what Facebook do anyway, but I would be very surprised if many Facebook users realise this. For that, and other reasons, I suppose we should welcome Graph Search – it demonstrates graphically what Facebook actually does with your data.

Thirdly, Zuckerberg made the point that photos and location information would be part of Graph Search – again, something that we should all have known, but I’m not sure people have fully understood. Combine this with facial recognition, and with the new smartphone Facebook apps that will automatically post photos you take with your camera onto Facebook, complete with location stamp, and you get a whole new scale of possible intrusion. Add this to the stalking capabilities noted above, and you’ve got quite a tool…

The point with a lot of this is that it’s all becoming the default – which is clearly the intention. As I noted in my previous post, Graph Search will work best if you ‘give’ Facebook all your information – and Facebook is providing the tools to let you give them it all. Moreover, they’re making it easier to give that information than not to give that information. They want all your data… and not just to give you a better service. They want it because they can use it to make more money…

….which brings me to the final privacy point. Zuckerberg makes the point again and again that in some ways you are in control of privacy, by using your privacy settings. You decide who sees what. However, that’s not really true at all. You may decide which other users get to see which bits of your data – but Facebook gets to see it all. Facebook gets to analyse it, to profile you through it, to effectively share it with its partners, to use it to categorise you for advertisers, or for others pretending to be advertisers. You may have more privacy from other people – but to Facebook, you are transparent, and have no privacy at all. Graph Search doesn’t really change that – but it should make it clearer that it is the case, and what some of the implications are.

I wrote over the holiday season my ‘Ten Reasons to Leave Facebook’. For me, Graph Search adds an eleventh – and makes some of the other ten even clearer than before. It’s not going to convince me to re-join Facebook. Quite the opposite: it makes it crystal clear to me that I was right to leave when I did.

Facebook Graph Search: It’s about the data!

Little Shop of Horrors lost endingThe first thing to ask whenever Facebook (or indeed any other business) releases a new product or service is what’s in it for them. In the case of Facebook’s new ‘Graph Search’, as in most things Facebook, the answer’s pretty direct: it’s about the data. Graph Search, though it may seem to be just a cool new way of finding stuff, could also turn out to be a very clever way of Facebook gobbling up even more data than before – as well as trying to squeeze even more value from the data that’s already out there.

It comes at a time when Facebook might be facing a new situation – they may be reaching saturation point in terms of user numbers, at least in their prime markets. Figures seem to be suggesting that they are losing users – apparently down 600,000 in the UK and 1.4 million in the US – and though those figures need to be taken with a decent pinch of salt, they do at least suggest that the era of unrelenting user number growth for Facebook may be over. What that means for Facebook, particularly after their less than stellar IPO, is that the pressure’s on to make more money from existing users. They need money, and for that money they need data! They’re like the plant in Little Shop of Horrors, continually shouting out ‘Feed me!’. They need to be fed, so they can grow, and the more they grow, the more they need to be fed.

Firstly, its important to understand what Graph Search does. As the BBC’s Rory Cellan-Jones puts it, Graph Search is a “new way of mining the information your friends, and their friends”. Essentially, as it’s been described, it takes the data about you, and about your ‘friends’, and uses it as a source from which to search – giving you back stuff that your ‘trusted’ friends either use, or ‘like’, or something along those lines. Where it can get stuff off Facebook, it gives you that – and if it can’t find relevant stuff, it goes to Bing, and does a web search instead. You can search for whatever you want – the examples given by Zuckerberg were things like “people who like fencing and live in Palo Alto” or “films my friends like” or “restaurants recommended in New York” – but the possibilities are endless, and Cellan-Jones highlighted the possibilities of using it as a sort of ‘dating search’: companies like eHarmony etc will be quaking in their boots.

Still, how is this about data? Well, if Graph Search takes off, it will have a number of implications:

  1. When people search, they reveal stuff about themselves – they effectively add more stuff to their profile. That’s one of the reasons Google do so well – having information about what people are interested in is key. Each search term entered on Graph Search is more data for Facebook – and a potentially more accurate profile of the user.
  2. Graph search will work better for people if their own profile is better – that is, the more data you put up about yourself, the more ‘personalised’ your Graph search will be. Facebook will be sure to let people know that, to persuade them to enter more and more data.
  3. There have already been hints made that you might want to put more data up to ‘help’ your friends when they use Graph search. Of course the people it really helps are Facebook – they want more of your data – but the altruism, the sociability, will doubtless be stressed. Be a good friend – put more data up! Tell people what you like!
  4. Businesses will start to realise that if people are using Graph search, they need to be on Facebook – and they need to get people to ‘like’ them even more than before. The ‘like’ button is already a big deal – this will make it more so. Businesses will be pushing you to ‘like’ them even more than before…. which means yet more data to Facebook, and more ‘permission’ given for that data to be used. Do you know what you’re consenting to when you press ‘like’?
  5. The more businesses are on Facebook, the more individuals have to be Facebook to manage those business pages – it’s another ‘lock in’. I know many people who say ‘I’d love to leave Facebook, but I have to be there to manage my business’s page’. That will only increase…

For Facebook, it’s a ‘win-win’ scenario. They get more data – and potentially better data, as people might focus on refining their profiles in order to get ‘better’ Graph Search results. They get more uses – and hence more money – from their existing data. They get others – individuals and businesses – to do both their selling and their data gathering for them. They lock people into their business model even more.

There’s another interesting issue for me. Google are under pressure for not making their searches ‘neutral’ enough – for possibly prioritising businesses that they make money from, or downgrading rivals or so forth. They deny that this is happening, and claim their search algorithm is ‘neutral’. Facebook Graph Search by design prioritises businesses and others on Facebook – it doesn’t even pretend to be neutral. Should it? And if it can exist in this form, why shouldn’t Google be allowed to be less than neutral? Of course there are vast differences between the services, but I have a feeling this may open up an already squirming can of worms even further.

I should note that this is only a first set of thoughts on Facebook Graph Search – and I haven’t even talked about privacy yet! What actually happens to it may be very different from Mark Zuckerberg’s dream. It could be a distinctly damp squib – much of the reporting has suggested people are underwhelmed by it. I hope so, because the one thing, more than any other, that I don’t want to see on the internet is one service dominating. The net needs to be open, it needs to be varied, it needs to be flexible and it needs to be dynamic. If we all do the same thing, or all use the same service all the time, that is far less likely to continue.

Search Engines, Search Engine Optimisation – and us!

Last week, Google announced that it was making SSL encryption the default on all searches for ‘signed in’ people. They announced it as a move towards better security and privacy, and some people (myself included) saw it as a small but potentially significant step in the right direction. Almost as soon as the announcement was out, however, stories saying exactly the opposite began to appear: the blogosphere was abuzz. One of the more notable – one that was tweeted around what might loosely be described as ‘privacy circles’ came in the Telegraph. “Google is selling your privacy at a price” was the scary headline.

So who was right? Was it a positive move for privacy, or another demonstration that Google doesn’t follow its own mantra about doing evil? Perhaps, when you look a little deeper, it was neither – and both Google and those who wrote stories like that in the Telegraph have another agenda. Perhaps it’s not what happened with SSL, but that agenda that we should be concerned about. The clue comes from looking a bit closer at who wrote the story in the Telegraph: Rob Jackson, who is described as ‘the MD of Elisa DBI, a digital business measurement and optimisation consultancy’. That is, he comes from the Search Engine Optimisation (SEO) industry. What’s happening here isn’t really much to do with privacy as far as either Google or the SEO industry – it’s just another episode in the cat-and-mouse story between search engines and those who want to ‘manipulate’ them, a story that’s been going on since search engines first appeared. The question is, how do we, the ordinary citizens of cyberspace, fit into that story. Do we benefit from the ongoing conflict and tension between the two, a tension which brings about developments both on both a technological and business level – or are we, as some think is true in much of what goes on in cyberspace, just being used to make money by all concerned, and our privacy and autonomy is neither here nor there?

What’s really going on?

As far as I can see, the most direct implication of the implementation of SSL encryption is that Google are preventing webmasters of sites reached through a Google search – and SEOs – from seeing the search term used to find them. Whether those webmasters – let alone the SEOs – have any kind of ‘right’ to know how they were found is an unanswered question, but for the webmasters it is an annoyance at least. For SEOs, on the other hand, it could be a major blow, as it undermines a fundamental part of the way that they work. That, it seems to me, is why they’re so incensed by the move – it makes their job far harder to do. Without having at least some knowledge of which search term produces which result, how can they help sites to be easier to find? How can they get your site higher on the search results, as they often claim to be able to do?

I have little doubt that they’ll find a way – historically they always have. With every new development of search there’s been a corresponding development by those who wish to get their sites – or more directly the sites of their clients – higher up the lists, from choosing particular words on the sites to the use of metatags right up to today’s sophisticated SEOs. Still, it’s interesting that the story that they’ve been pushing out is that Google is ‘selling your privacy for a price’. That in itself is somewhat misleading. A more honest headline might have been:

‘Google is STILL selling your privacy for a price, but now they’re trying to stop us selling it too!’

Google has, in many ways, always been selling your private information – that’s how their business model works, using the terms you use to search in order to target their advertising – but with the SSL move they’ve made it harder for others to use that information too. They themselves will still know the search terms, and seems to still be ‘selling’ the terms to those using their AdWords system – but that’s what they’ve pretty much always done, even if many people have remained blissfully unaware that this was what was happening.

There’s another key difference between Google and the SEOs – from Google, we do at least get an excellent service in exchange for letting them use our search terms to make money. Anyone who remembers the way we used to navigate the web before Google should acknowledge that what they do makes our online lives much faster and easier. There’s an exchange going on, an exchange that is at least to an extent mutually beneficial. It’s part of the symbiotic relationship between the people using the internet and the businesses who run the fundamental services of the internet that is described in my theory of The Symbiotic Web. With SEOs, the question is whether we – particularly in our capacity as searchers – are actually benefiting at all.

The business of Search Engine Optimisation

Who DOES benefit from the work of SEOs? Their claims are bold. As Rob Jackson puts it in the Telegraph article:

“One leading SEO professional told me that Google is essentially reverse-engineered by the the SEO professionals around the world. If they were all to stop at once, Google wouldn’t be able to find its nose.”

It’s a bold claim, but I suspect that people within Google would be amused rather than alarmed by the idea. Do we, as users, benefit from the operations of SEOs? On the face of it, it appears unlikely: searchers want to find the sites most relevant and useful to them, not the sites whose webmasters have employed the best SEOs to optimise their sites. Excellent and relevant sites and services get pushed down the search list by less good and less helpful sites who have used the most advanced and effective SEO techniques. And it’s our information, our search terms, that are being used by the SEOs.

There is, however, another side to the business, and one that’s growing in significance all the time. The idea that we are just ‘searchers’ looking round the web for information and interesting things is outdated, at least for a fair number of us. We also blog, we have our own private sites – and often our own ‘business’ sites. And we want our blogs to be read, our sites to be found – and how can this happen unless there is a way for them to be found.

SEOs might say that this is where they come in, this is where they can help us – and this might well be true to an extent. I for one, however, would like my sites to be judged on their merits, read because they’re worth reading and not just because I’ve employed a bit of a wizard to do the optimisation. I’d like search to be fair – I don’t want my services to be at a disadvantage either to those who have a commercial tie-in with Google or to those who are paying a better SEO than mine. I want a right to be found – when I want to be found.

Do I have a right like that? Should I have a right like that? Cases like the Foundem case have asked that, but I don’t think we yet have an answer, or at least what answers we have have been inconclusive and hardly heard. Perhaps we should be asking it a bit more loudly.