Sunday, 24 July 2011

Another nudge for privacy icons

I’ve been so busy recently that I have not had time to properly record a significant development in what I’m sure later historians will call the evolution of privacy iconography. On July 14th our chums at Speechly Bircham formally unveiled the results of some research that Professor Andy Phippen, of Plymouth Business School, had carried out, into the behaviours and attitudes of young people toward online technology and privacy.

Some 4,115 schoolchildren in the Plymouth area took part in a survey on Data Protection Day 2011. And, just like their parents, it’s clear that they readily engage with online social media, sometimes they struggle with the policies that are supposed to be in place to protect them, and they are aware of the need to protect their data, but are not always equipped to do so.

The report is worth reading because it gives a valuable insight into the minds of people for whom the internet is going to play an overwhelming role in their lives. But when reading some of the findings, I did have to pinch myself to remind myself that I was reading about a group of schoolchildren, rather than adults. After all, read this (abridged) summary, and tell me whether their parents would be any more likely to offer different views. To be honest, I think the responses would be very similar:

“Our respondents were asked whether they had ever read a privacy policy. In total 40% of respondents had, meaning 60% of young people have not read the privacy policies of the web sites they use. Boys are likely to have a more relaxed attitude toward data and data sharing, although this is far from irresponsible, with the vast majority still believing their data should only be seen by friends and family and that parental consent was necessary in all scenarios presented about where their data might be exposed. When those who had not read a policy were asked why not, there were a variety of responses. 32% said they didn’t know what a privacy policy was, with 23% saying they didn’t know where to find it. A quarter felt they were too complicated, and another quarter did not feel it important.

Those who do engage in privacy policies may understand what is presented and think they are important. However, the majority of our respondents hadn’t seen a policy for a number of reasons. They were also asked what might be done to improve privacy policies and a large number of children said privacy policies should be made more simple with “less words”.

However, it was also clear that our respondents felt that privacy on social networking was important, with the vast majority (85%) saying that social networks should have the strongest privacy settings by default and an even larger majority (94%) feeling that clear rules were needed to help with the removal of photos and videos posted without consent.

What our data does clearly highlight is the need for education at a primary school level. While the use of social networking used to be considered something for secondary aged pupils, our data shows that the majority of primary aged pupils also engage. However, it also shows that primary aged pupils are potentially more vulnerable as a result of not being aware of privacy policies or where to find them. While they are generally more protective of their data, the change in attitude at secondary age does suggest that without effective education at a primary school level, there is potential for more risky behaviours in adolescent life.

The data also shows that while not all of our population felt privacy policies were complicated there was a great deal of confusion around them. They were also very clear that service providers should provide the most private settings by default.

While our population did not come across as naive around data protection issues, they were clearly not as well informed as they could be, and felt they needed help from service providers in ensuring “their” data was protected.”

This ought to be taken as a wake-up call for the data controllers to try harder to make their policies clearer to everyone. How? Simple – with more pictures. If IKEA can explain how to put a chest of drawers together in a series of cartoons, surely soon will come the day when the more responsible data controllers will develop a common set of images to explain some of the more basic data processing concepts.

But, and this is a huge but, how on earth can a group of some of the largest (and most responsible) data controllers, whose very DNA prevents them from working closely with other data controllers, ever come together and work on such a hugely important project in an atmosphere of mutual respect? I doubt whether there is an area large enough to accommodate the egos, which naturally will have to be left outside of the negotiating room if any meaningful progress is to happen. It could even be thought unlawful, in EU competition terms, for some of them ever to be seen in the same room together. So how will they get to agree on sets of common images?

These largest data controllers are organisations controlled by people whose every instinct is to offer the very best service to their customers. But in a fiercely competitive way. So, if the concept of privacy iconography is really going to fly, I can see it taking off because a group of stakeholders who are not data controllers have come together and shown the way.

Do I mean a group of regulators? Not necessarily. But perhaps groups of consumers.

Let’s have some competitions, say in the art schools, for privacy icons that could be taken up by the global players. Let’s not leave it up to the likes of Google, Facebook, Microsoft, Apple or Yahoo. Let’s see what the customers come up with.

Today’s customers – or tomorrow’s customers – the very young people who contributed to this fine report.


Saturday, 23 July 2011

Managing data breaches – the human factor

No-one ever seems to write about what effect breach management can have on the people actually tasked with managing the breach. I’m incredibly fortunate to be able to have experienced a couple of incidents where bad people have acquired and abused confidential personal information, and so I do appreciate what a toll it can take on those living at the centre of the storm, those who are managing the incident.

A great deal of early activity is accompanied by a rush of endorphins around the body. Everyone feels energised and up-beat at the prospect of dealing with something slightly out of the ordinary. The key players are surrounded by others who are keen to learn more about the incident, and particularly to learn how they might be affected by the incident. Just what was it that went on? Did it happen on their watch, or was the incident the result of issues that had actually occurred before they were in post? And what can they do to help? The 24 hour media means that new developments are reported at an astonishing pace.

The second wave of activity is accompanied by a sense of endurance – the pressure remains, and as people become more aware of what it is that they are required to do, the tone of the responders changes. From high level principles to a more granular approach - now more detailed plans need to be developed, and all of the consequential issues need to be addressed. Life gets more difficult, as decisions have to be taken on who should be doing what. It’s not just about words, the plans have to turn into concrete actions.

The third wave of activity is accompanied by a sense of exhaustion – the pressure not only remains but it builds, if the key players aren’t able to keep their energy intake high enough. Somehow, as well as this crisis management stuff, people have to eat, sleep, get other important pieces of work done, and give their brains enough time to focus. I can find it really hard just to focus on a single issue at a time, and make a decision. I’ve found that if I concentrate on too many things at once, the brain paralyses and I can’t make good decisions. Or any decisions, actually. But this is no time for self doubt. This is a time for relying on instinct and the good will of colleagues with whom a great working relationship has been built up over the previous months.

In essence, it’s a time for fully appreciating the need for team work. And letting everyone in the team know that they are all appreciated, and that others are depending on them to play the role that has been assigned to them. The business has to prepare itself for the questions that will be asked by the potential victims of the breach, when the business is in a position to share whatever news it has with the victims.

But before this, a common narrative must be developed. Everyone must be clear about what happened, how it came about, and, critically, why the business has decided that this is the time to notify victims or potential victims.

If I were a victim, I would want the business to be able to explain to me how it had affected me, and what I could do to learn more about the incident, or make sure that the effects of the incident could be mitigated. I am sure that I would feel let down – so the business will have to reassure me that their current business processes are sufficiently robust that these unfortunate incidents can’t happen again. I’m going to be impressed by the ability of the business to look after me, and really give me a sense that they care about me. And that will take a lot of effort.

So, to look after a victim, the business has to prepare itself. And this can involve a considerable amount of teamwork from people who have never played in that team before. But, if the business has values which allow people to work closely together in a non-judgemental manner, and the business culture is one which truly cares about its customers, then the business is in a good place. Just how customers will react is another matter. And one which I won’t discuss in this blog posting.

If I have a key learning to take away from the breaches I have had the honour of dealing with, it would be that the immediate personal needs of those managing the incidents can be overlooked. They are only human, too. They are not machines that will continue to operate at maximum efficiency 24/7. The human body needs time to recover from what turns into an extremely traumatic process. It needs to be rested, fed and watered, regularly. It is not designed to operate in a highly stressed environment for extended periods of time.

I feel I know what it’s like to operate in a war zone. And now I want some rest and recuperation, before another period of intense activity commences.


Friday, 15 July 2011

One down ...

Within hours of my posting yesterday’s topical ditty, one of the people pictured in the accompanying photo had resigned. I wish to make no comment on her resignation, other than to hope that my blog caused her no further personal embarrassment than had already been generated by recent media reports.

And to note that, presumably, the forthcoming public enquiry will reveal much more information about the role that she has actually played in the unlawful trade in confidential personal information over the last decade.


Thursday, 14 July 2011

Today’s topical ditty

I’ve learnt that my voicemail’s been hacked
But how could my PIN have been cracked?
My anger is mounting
So the days I am counting
Until the person who did it gets sacked.

Tuesday, 12 July 2011

The data protection boating song

I’m at work today. I’m not at the 24th annual Privacy Laws & Business international data protection conference, currently taking place at St John’s College in Cambridge. My place is taken by a work colleague who is far brighter than me. I’m sure she’ll take lots of notes, and we’ll catch up in a few days time.

This means I’ll miss the complimentary punting on the River Cam – which I greatly enjoy.

But even if I can’t be there, hopefully one or two of the more intrepid punters will get their crews to sing this boating song, respectfully dedicated to all my friends who are at that event.

Data protectors together,
What a wonderful wheeze,
Glorious weather,
Shade off the trees,
Conferring whenever,
People meet in threes,
Conferring whenever,
People meet in threes.

Heather may be more clever,
Elaine may make more row,
But we'll data protect for ever,
Steady from stroke to bow,
And nothing in life shall sever
Friendships that are forged now,
And nothing in life shall sever
Friendships that are forged now,

Twenty years hence this conference
May tempt us from office stools,
We may be slower on the uptake
And seem to many, old fools,
But we'll still meet together
Hearing from Stewart and from dons,
But we'll still meet together
In the splendour of St Johns.


Grateful thanks to William Johnson Cory, author of the Eton Boating Song. His version, together with the piano accompaniment, was first performed on 4 June 1863. It’s not yet clear when (or if) this version will ever be performed!


Monday, 11 July 2011

Blagging: more stick – or a bit more carrot?

The Information Commissioner has been playing his cards pretty close to his chest recently.

While media and legal commentators have been basically living in the television and radio studios these past few weeks, as the current scandal about the methods used by the gutter end of the press to obtain their source material for tittle-tattle just grows by the day, his Office appears to have been relatively silent on the whole affair.

They have presumably been keen to ensure that real evidence is unearthed before they offer their opinions about the situation.

What does the ICO’s website currently say?

Its front page says only this:

"'What price privacy?' report

In 2006 the ICO laid two special reports before Parliament. 'What price privacy?' and its follow up report 'What price privacy now?' uncovered an extensive illegal trade in confidential information, also known as blagging. The report made recommendations to government and industry in an effort to halt a serious threat to individuals’ privacy.

Phone hacking is a matter for the police but the act of blagging personal information is an offence under section 55 of the Data Protection Act.

Read the ICO's 'What price privacy?' report and our follow up 'What price privacy now?' report."

The story is moving so quickly, with new and more astonishing revelations emerging almost by the hour, that it’s probably best to take a vow of silence right now. Enough noise is being made by others. We all know what the law is – what we now need are the facts and it will then become pretty clear pretty quickly just who is culpable for what.

But then so what? Will these revelations herald a behavioural change among all journalists, the likes of which newspaper proprietors have never seen before? I’m not sure – and then again I’m not sure that I really just want to see change legislated on a group of journalists, the vast majority of whom I am sure are just as appalled as the rest of us at the behaviour of an extremely small number of them.

In the same way that I’m hoping that a new Data Protection Directive won’t be marked by a huge increase in regulation and fixed rules, I do hope that journalists won’t face a sea of statutory regulation which saps the life blood out of decent, hard working professionals who strive to give deserving areas the oxygen of publicity.

We all know that decent people, in whatever profession (be it data protection or journalism) will strive to work to high standards, whatever the rules are. And we all know that a small minority of sneaky people will use devious tricks to bypass whatever rules are in place.

So let’s not lose the plot. Let’s not just cry for stronger rules – when what we actually want to achieve is a behavioural change. And to change behaviours, among decent folk, I find that we do need carrots as well as a good stick.



Sunday, 10 July 2011

Ah! So that’s where I’m supposed to have seen it before

No prizes were won in last Wednesday’s competition, which invited the plucky winner to be the first to tell me where the quotation on the left could be found.

It wasn’t supposed to be too difficult, but it obviously was. Or, more likely, no-one wanted to have been the recipient of my heartfelt congratulations. Perhaps I ought to have offered as a prize some money, or chocolate.

Anyway, putting everyone out of the suspense, I can reveal that the quotation can actually be found on page 85 of the Information Commissioner’s 2010/11 Annual Report – which was, co-incidentally, also published last Wednesday.

What? You mean you haven’t read it all (yet)?

Never mind. Enjoy the read – and remember, when you get to page 85, there’s only one more page to go.



What happened to the advertiser’s boycott in the NOTW today?

The scant regard to proper data protection standards paid by former employees of the News of the World resulted in the inevitable hemorrhaging of support for that organ, and its ultimate demise today.

One of the issues which emerged over the past few days was whether advertisers would wish to place adverts in that newspaper in future. Some companies announced that they were withdrawing their advertising, while others explained that they were considering their position.

In the end, what did happen?

The newspaper itself, all 68 pages, contained no paid adverts. Where there might have been commercial adverts, the space was occupied with messages about registered charities.

So far, so good.

But, tucked into my edition, bought from my local newsagent, was a sealed plastic bag, containing the newspaper’s award-winning magazine Fabulous, together with separate flyers promoting deals from Virgin Media and from Vodafone. My sealed bag may well have just been distributed in the North London area. I simply don’t know. And it could have been prepared well before the advertisers had decided what stance to take as far as the main newspaper was concerned.

The 76 page magazine itself contained full page adverts for Olay (p 2), L’Oreal (p 12), Tesco (p 17, 20-21, 26), Boots (p 25), Ribena (p 30), Sleek (p 42), Nivea (p 46), Jenny Craig (p 55), Vodafone (p 58), Sure (p 67), O2 (p 75) and Sky (p 76).

It will be interesting to see if there is any adverse customer reaction to these adverts. Perhaps there really is a difference between an advertising boycott of a newspaper, and an advertising boycott of a newspaper's magazine, even when it is sold as an integral part of that newspaper.

But, if all the money earned by the magazine’s proprietors for this edition is to be donated to charitable causes, then perhaps it’s all to the best.


Saturday, 9 July 2011

Cookies – the current mess is even being reported by the BBC

When the BBC decides that a data protection issue is sufficiently important to draw public concern to it through an article on its news website, people usually begin to sit up and take notice.

So I was delighted to read Michael Miller’s article, published yesterday, under the headline “Cookie: monster? How will business cope with new laws”.

As he wrote, “By any yardstick the implementation of the EU's Privacy and Communications Directive by its member states has been poor.

When the deadline to implement it passed in May only Estonia, Denmark and the UK had taken steps to bring it into law.

Denmark has now decided to put its draft rules on ice indefinitely and the UK has given firms a year to comply.

To give the UK's Information Commissioner's Office its due, its guidance on the law is probably the most comprehensive of any member state so far.”

He pointed to the confusion that exists between those cookies which are apparently acceptable, and those for which consent may be required. We all know that most cookies perform basic functional tasks like storing your login details or personal preferences. But what’s permitted and what’s a bit iffy? In other words, what’s “strictly necessary” (and how on earth can we illustrate this phrase with practical examples that normal people can understand)?

There is still dispute among the legal fraternity as to whether a cookie that enables an online shopping basket to function is fine, but a cookie that remembers you prefer your website in English rather than French is not.

As Michael remarked, "Marketing professionals argue cookies are misunderstood and most actually enhance the consumer experience, allowing people, for example, to be directed to a Hilton hotel rather than Paris Hilton. (Or indeed, vice versa.)”

Critically, however, we need to reflect on the comments of Paul Carysforth, a partner at Amaze, which runs online marketing campaigns for companies like Unilever, Lexus, Toyota, Coca-Cola and Dyson.

"Cookies are the primary means by which all online businesses determine the return on their investment," he says.

"Without cookies it would be almost impossible for companies to understand their ROI and in particular isolate which strategies are delivering a positive return, and which would hamper investment and innovation."

I think the ICO is finding this now, if the objection rate for their Google Analytics cookie is still running at 90%.

But how can anyone run an international campaign properly when the cookie rules are so different in the various Member states?

"In the Netherlands there is discussion about whether consent must be 'unambiguous', which might make browser settings - a convenient way of getting consent - less likely to be acceptable," says Matthew Norris, global head of technology and media at the insurer Hiscox.

"German and French legal commentators use the term 'opt in' and that is more draconian than the UK, where the Information Commissioner's Office has specifically said that UK law does not amount to a requirement to opt in," he says.

There is talk in some places of a 'double opt in', where consumers would have to click on two separate links to give their consent.

I agree with Eduardo Ustaran’s view that a double click policy would be fatal to online commerce.

Let’s hope that the strain on enforcement doesn’t cripple the regulators, who obviously have far more significant issues on their hands.

Politically, though, I think the confusion needs to be resolved pretty quickly. If the authorities are seen to be incapable of taking a co-ordinated approach, then surely this does not bode well for the forthcoming review of the entire Directive.

Here is a glorious example of an institution (the European Commission) creating a set of incomprehensible rules, and then sitting back as the frustration (and then blame) focuses on the regulators – who are really only charged with trying to enforce them.

Will history repeat itself as the wider review of the Data Protection Directive takes place? Especially, given the very different privacy expectations which exist in each of the Member States?

Or, turning the question on its head, how can it not?



Friday, 8 July 2011

Hail, the internet censor

A very respectable crowd was drawn to the Adam Street Club last night to commemorate the departure of the Chief Executive of the Internet Watch Foundation. The IWF has been combating child sexual abuse content on the internet since 1996, and a number of the earliest stakeholders were in attendance. These were people who acted when it was technically illegal to do what needed to be done to catch the real criminals. The crowd included some of the key officials who arranged for the law to be changed, through the Sexual Offences Act 2003, to give IWF staff (and certain investigators working for the communication and internet service providers) a legitimate basis on which to access, review and act on the grossly indecent images that were being circulated.

The IWF is the UK’s Hotline for reporting criminal online content – for child sexual abuse content hosted anywhere in the world; criminally obscene adult content hosted in the UK; and non-photographic child sexual abuse images hosted in the UK. It’s led the field in this area, and there are now very few civilised countries that have not followed this model. We owe a great deal of thanks to those who were prepared to stick their own reputations on the line by taking a leading role to persuade their colleagues what was really in the best interests of the internet industry.

One of the things you quickly learn in this area is that the trusted players operate by sharing their values and by sharing their confidences. So I’m not going to breach any confidences, by revealing just what was said last night, either about or by, the departing Peter Robbins. But when the history of European internet censorship is written, a pretty large chapter will be devoted to the debates which fiercely raged over a decade ago, and how a consensus emerged about the need to ensure that the right of free access to ideas and information on the internet is a qualified right, rather than an absolute right.

The debate carries on today, and at the club last night was someone who represents the next sector pushing for censorship. No need to mention names (or the sector), as the discussions are still continuing behind closed doors. My heart tells me that we are, in the UK, moving towards a form of judicially approved internet censorship. And, libertarian that I am, I find it hard to argue with the general direction of travel, so long as the censor is accountable and acts in a way that enables their decisions to be judicially reviewed.

Should we allow people whose values encourage violence and intimidation to those who wish to live in liberal democracies the privilege of being able to spread their poison widely on the internet? Or should we do what we can to fight those who are determined to undermine us? My instincts are to fight, and if that means preventing their ability to spread their ideas on the internet, then so be it.

It’s not about politics, it’s about living in a society amongst decent people. We have a great deal to thank the IWF for, over the past 15 years, for preventing decent people from being harmed. And let’s look forward to the next 15 years, as the arc of internet censorship is ever so slightly widened, to ensure that it deals with the new forms of sickening ideas that some people seem happy to spread.



Wednesday, 6 July 2011

Privacy: the buck stops where?

Privacy is a red hot issue in the UK this week. I’ve never known a time when the issue has had so much attention, focused on both by the media and the politicians in Parliament. Even at the very moment the Information Commissioner was discussing his 2010/11 Annual Report, published today, in a webinar rather than a press launch, no doubt to large numbers of eager viewers, politicians in an emergency Parliamentary debate were referring to his predecessor’s “What price privacy” report, published in May 2006. And also to his predecessor's “What price privacy now” report, published six months later.

This week I’ve been waking up to the privacy issues by listening to the Today programme on Radio 4, and then getting ready to sleep by watching the latest privacy story on the Newsnight programme on BBC 2. And it's dominated the reporting on BBC News 24.

And last night’s mashup event held at the offices of the GSM Association in Central London, drew a good crowd to consider the world of mobile privacy. It focussed on what giving the user control over their privacy means, and looked at how companies are going about this, who is leading the way and who is just trying to exploit you.

When will it end?

And what is to be done?

My thoughts on this issue were printed in a conversation I recently had with a journalist and reported in the 22nd June edition of SC Magazine. I was commenting on remarks made by former Head of Enforcement at the ICO, Mick Gorrill, on whether someone should be employed as a full time data security “champion”. Mick said “You should have someone nominated for data security, as if you have accountability you will take notice of what the ICO is saying and put policy and procedure into place.”

I was reported (correctly) as believing that what Mick meant was that, regardless of the size of the operation, a business owner needs to make sure that there is a line of accountability for all elements of the enterprise.

As far as I was concerned, I did not find that the concept of a team sharing responsibility works particularly well, as I prefer the concept of individual accountability: you need to know who can make decisions when there is a difference in views.

Here are some of my quotes:

“When things go wrong, it is helpful to know who has previously had responsibility delegated to them to ensure that whatever went wrong shouldn't have gone wrong.”

“Auditors use the phrase ‘what gets counted gets done'. I think we should start to use the phrase ‘the person accountable for ensuring the good-working of this system is…'. Once individuals take personal responsibility for processes, they tend to look after them.”

Other people who were interviewed seemed to support my remarks.

I’m fortunate, I suppose, in that my privacy has rarely been breached in a manner that has profoundly affected me. But when it has happened, I’ve been bitterly upset and have really felt let down. If I share a confidence with someone I expect it to remain confidential. And, when people share their confidences with me, I try my hardest to respect them. This means that I also temper my behaviour to ensure that I don’t misbehave (too much). But I am human – and ready to apologise for my mistakes.

Co-incidentally, today I was sent a copy of the official summary of an event I had attended a couple of months ago (and blogged about on 22nd May). The impressive introductory blurb to the summary explained that “We are at a critical point in history where the conflict between information security, privacy, freedom of information, legislation, regulation and the evolving use of IT and communications technologies is becoming visible. This could well be due to a lack of understanding of the key issues by all parties.

This being the case, it is our collective responsibility as policy makers and information security professionals to cultivate a greater understanding of the key issues faced by information stakeholders and owners. Dtex Systems recently brought together some of the UK’s leading professionals to openly discuss the issues facing public and private sector organisations, the media and regulators, to consider the implications on individuals, organisations and the media.”

And, much to my surprise and delight, prominently featured in one of the principal images of the event was ... yours truly!



Hmmm, where have I seen this before?

Today's competition is easy peasy - the winner is offered my heartfelt congratulations. No money, or chocolate, sorry.

All you have to do to win is to be the first person to contact me through any of the channels people normally use to contact me.

And you simply have to provide me with the correct answer to this question:

Where can the quotation on the left be found?

Sunday, 3 July 2011

Even Sir Francis Drake had some sensitive personal data

Off to Plymouth today to prepare for a business meeting tomorrow. First stop though was a trip to that glorious institution, the Plymouth Gin Distillery. You can pay £6 to tour the site and sniff the aromas straight from the still, in continuous use since 1793. Brilliant value. Later, I headed to the famous Plymouth Hoe (a Hoe is an ancient term for a high ridge), and saw two monuments to Sir Francis Drake. The first (pictured) commemorates his voyage around the globe – the first by an Englishman - sailing out on December 13 1877, and returning on the famous Golden Hind, on April 4 1581. The second, a much larger edifice, stands a hundred yards away, and marks that fateful day on 19 July 1588 when the Spanish Armada were first sighted on the horizon, and Drake’s bowling match on the Hoe had not yet finished. The golden letters etched on the monument describe what happened next: “He blew with his winds and they were scattered”.

I like Susan Drake’s description of the man. Apparently, Francis: "was no paragon. He was very human with his faults and failings. Drake was ruthless, vainglorious, an attention seeker and tended to boast. On some of his voyages, he was accused as being too fond of his own ideas and uncollegial". But ... "We should admire his patriotism, his loyalty to his country and his affectionate attachment towards his town of Plymouth. Drake was always the first to make financial donations towards public projects. His care extended beyond the grave, since he made Plymouth and its poor beneficiary of his will".

Have I got anything in common with Francis Drake? Not really – not much more than the fact that we were born within 15 miles of each other, and I quite like my own ideas, too. And he did know something about data protection - Queen Elizabeth I ordered all written accounts of his voyage around the globe to be considered classified information, and its participants sworn to silence on pain of death; she intended to keep Drake's activities away from the eyes of the Spanish, who were not on the best of terms with her.

It might have been “sensitive” information then, but it certainly isn’t now. It’s not the category of the information; it’s the context in which it was being used (or likely to be abused) that is important.

If the forthcoming review of the Data Protection Directive decides that an individual’s location information should be elevated to the status of sensitive personal data, then it won’t be the first time that location information has been considered to be worthy of greater protection. But when you add where someone is, or they have been, and what they have spent, and what they earn, together with the usual list of stuff which is considered to be sensitive, we’ll soon be reaching that tipping point – where almost everything is sensitive. And if almost everything is to be treated as being sensitive, it really means that nothing is sensitive. The longer the list of stuff that individuals are supposed to give their explicit consent to, before anyone else processes it, the greater is the chance that people will not actually realise what it is that they are consenting to.

Many of us, when we surf the internet, just want a service. We expect to be presented with a list of terms and conditions and we expect to click the “accept” button without reading them so we haven’t really got a clue as to what it is that we have really consented to. But, for the most part, it is of absolutely no consequence as nothing harmful happens. Welcome to the real world. Bad guys may be out there; but generally, they’re not.

Wouldn’t it be refreshing to see a new concept of sensitive personal data – one where the context of the information is more important than the category of the information?

We may get there sometime, but probably not anytime soon.



Saturday, 2 July 2011

Waiting for a new definition of “necessary” cookies from the ICO?

If it’s really true that 90% of visitors have refused the Information Commissioner's Office permission to understand more about the visitors to its website, I wonder if this heralds some new thinking about what cookies are actually “strictly necessary” for a website to be able to function properly.

And when we think of it, surely the ICO’s website must be one of the more trusted websites out there in cyberspace. It can’t just be the privacy anoraks who visit it. Surely real members of the public seek out its advice too. But if 90% of visitors don’t trust the ICO to safeguard their privacy by only putting “safe” cookies on a visitor’s device, then what on earth is going to happen when other webmasters (say those operating the other 100 million or so EU websites) get around to giving visitors cookie choices?

When I blogged about this subject on 22 May, I quoted the ICO’s first attempt at guidance, which was before it had any evidence about the likelihood that users would object to analytics cookies: “The use of the phrase ‘strictly necessary’ means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user. Indeed, the relevant recital in the Directive on which these Regulations are based refers to services ‘explicitly requested’ by the user. As a result our interpretation of this exception therefore has to bear in mind the narrowing effect of the word ‘explicitly’. The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.”

Perhaps the new thinking will develop from an argument which runs along the line that, for webmasters to be able to publish information on websites, they need to acquire the resources that are necessary to keep the site properly maintained. They surely have a right to have information about the location of the devices used by visitors, and to track where visitors go on their site, to make the experience more enjoyable for visitors, and more beneficial for the webmaster. Surely every webmaster wants to design his site so that it is easy to navigate, and he has a legitimate right to know how popular the various parts of his site are.

Developing this argument slightly further, webmasters may also appreciate that public access to a website costs money. Some of this money can be recovered from people who use some of the real estate on the website to offer advertising to visitors. But those who offer the advertising space may well seek information about visitors in order that they can serve the most effective adverts. If the advertisers are denied access to the services offered by Google Analytics, it could be uneconomic to continue to operate the website. And if that is the case, surely such cookies would be “strictly necessary” for the provision of that service.

The UK chapter of the International Chamber of Commerce has already created a working group to look at the UK cookie consent requirements, and will hopefully sort cookies into categories that are going to be easy for webmasters to manage, and still fair for users who choose to visit the relevant websites.

Thank goodness we have a few months to figure this stuff out. We may need every one of the 12 months that the Commissioner has kindly given us.

European commissioner Neelie Kroes has also warned European webmasters that they need to agree on a do-not-track standard by mid-2012.

But I won’t be betting much on the prospects of getting general agreement on the meaning (and the implementation) of such an imprecise standard throughout Europe within a year.



Recent SPAM campaigns – fair obtaining, or dodgy dealing?

Some of Fleet Street’s finest journalists are writing about a data protection story that could shake some of the more established tenets of data protection law to their core. Lots of people have received messages suggesting that they have had a recent accident and might wish to seek compensation. This British SPAM saga, which has given me plenty of material to blog about recently, is reaching an interesting stage. More and more details of the people behind the recent campaigns are coming to light. And, from what I can tell, the investigative journalists have been trying hard to understand just who benefits from these practices. I bet that not a single voicemail was hacked as the journalists tracked their suspects. Good, old-fashioned techniques seem to be paying off, instead.

There are some rumours that it is people within the insurance industry itself who may be behind some of the messages, inviting people to claim compensation for injuries they may recently have received. How can this be the case? When I studied for my professional insurance qualifications, the first lesson I learnt was that insurance law incorporated the concept of uberrima fides – they were contracts of utmost good faith. This means that all parties to an insurance contract are to observe the highest ethical standards. It’s not like a normal contract, where the concept of caveat emptor (let the buyer beware) figures.

So, if it is the case that potential victims of an accident have had their details shared with third parties, just how have they given their explicit consent to the sharing of this sensitive personal data? I’m sure that teams of highly paid lawyers have been on hand to advise how this is the case - even though the victims themselves may not have been aware of having given any consent.

Let’s be clear about this. Insurers know what their data protection obligations are. They have a well-resourced trade body (the Association of British Insurers), and its Data Protection Panel has always comprised some of the most highly experienced and ethical people in the business. If any advice offered by the ABI’s Data Protection Panel has been wilfully ignored by others in the insurance business, well then we’ll soon see who’s going to be accountable for that.

Communication service providers don’t condone these practices, and try to do whatever they can to prevent them. They’ll all be taking a good look at their current systems soon, to work out whether any other form of collaboration is required to protect their customers from such mischief.

The journalists have a great sense of timing – in just over a week, many of the usual data protection suspects will be gathering at St John’s College, Oxford for the 24th annual conference organised by Privacy Laws & Business. Representatives from the insurance industry, consumers, and European and international regulators will gather for 3 days of intensive and stimulating debate. Statements will be made, either on the conference floor, in the college bar or on a punt (I kid you not, this conference includes complimentary punting) about this mischievous practice. Those behind these dodgy campaigns will soon realise how foolish it was to behave in this way, just at a time when the European Commission was trying to identify popular targets to hit when tweaking the Data Protection Directive.

If the current rules and remedies don’t appear to be sufficiently capable of deterring such shoddy behaviour, it’s possible that the new ones will. But just what else the new rules will snare as the Commission strains to catch this particular type of mischief won’t be clear for some time.

I don’t think these dodgy dealers could have picked a worse time (for them) to misbehave.



Data Protection – as an opera?

If you are quick, and can get to the London Coliseum in the next few days, you are going to be lucky enough to witness a data protection treat. This is Two Boys, Nico Muhly’s first opera, jointly commissioned by the English National Opera and the Metropolitan Opera in New York. It’s not for the faint-hearted – it cries out for a different audience, one which is familiar with the shadowy world of internet chatrooms and the psychosexual crimes committed under the various identities assumed there. It’s an opera which has as its theme the nature of identity, and the power of the internet – so as far as I am concerned, it’s an opera about data protection. If you want to know more about social networks, get over to the ENO.

I won’t give anything away, other than to remind the more astute members of the audience that there exists a spooky similarity between the plot and events which took place in 2003 in northern England. And the only other thing I’ll say is that it really brings to life one of the points made during the ICO’s anonymity seminar on 30th March (see my earlier blog). At that event, Barry Ryan, of the Market Research Association, spoke about the power of verbal tics to give away one’s identity. Perhaps Nico Muhly was in the audience.

Of course, many plays have also had mistaken identity as their theme – but I’m not too sure how many have been able to incorporate the internet as well. Last night I was at the Hampstead Theatre to see the Propeller Company’s brilliant production of The Comedy of Errors. This must surely be one of the earliest British plays with mistaken identity as its central theme. It’s an all-male Shakespearean company, incorporating an amazing South American-style band, which even accompanies you to the bar during the interval. Bawdy, hilarious, stunningly theatrical, and with wonderful modern touches, it made everyone but the most dyed-in-the-wool traditionalist roar with laughter. Probably better than the original 1594 production. Catch both shows if you can.

You see, data protection can be fun - and cultural - and it’s high time that we commemorated these aspects too, as well as its darker sides.