When does customer information become a toxic asset?

Yesterday’s Daily Telegraph contained an article which made me think deeply about the extent to which a business might wish to go to prevent itself (or others) from knowing too much about what its customers were getting up to. Communication Service Providers are pretty experienced in this sort of stuff.

Just as I wouldn’t want the postman steaming open “my” letters before they are delivered to me, I would not want my internet service provider feeling they had a right to make commercial use from “my” private communications.

The article referred to the success of the Apple devices, and reported that the company was “attempting to tighten its grip on mobile phone operators by preventing them from directly selling its iconic devices.” And it was going to do this by preventing any operator other than Apple from putting a SIM card in the device.

Effectively this means that should customers want an iPhone, they will need to go on line or visit an Apple Store and deal with Apple directly, rather than go to a mobile phone outlet and take out a contract with one of the British phone networks. And how will this work in the UK – by an Apple user camping on a British network, in the same way that our phones camp onto foreign networks when we travel abroad for business or pleasure?

I suspect this means that Apple could try to make an “interconnect agreement” with one (or more) of the British networks, as the communications services contract which the customer will make will be with Apple rather than any of the current network operators. And so Apple will become a Communications Service Provider in its own right.

This throws up some interesting regulatory issues – as I am not sure if current laws would require Apple to adhere to all of Ofcom’s rules and requirements, especially if the contracts made it very clear that the customer was dealing with an entity that had its headquarters, say, somewhere else in Europe. I wonder if Apple could, say, decide to offer a pan European service with a single contract which required every user to accept, say, Irish rules (if, that is, Apple were to deem that Ireland were the best country to operate from within the EU). If the whole principle of the EU was to enable countries - and consumers – to shop and acquire services without regard for borders within the EU, then why should an international company not just choose one country and explain that if customers wanted that service, they would have to comply with the rules of just that certain member state?

While it sounds plausible in theory, I am not sure how it would work in practice. Customers, particularly in the communications sector, need lots of loving care and attention. Things do occasionally go wrong, and customers need reassuring voices on the end of a phone (or from across the counter in a well-equipped, and preferably local, shop) to help them deal with their problems.

Most mobile British networks, of course, sell some of their capacity to other providers, which is why there are many more mobile communication service providers than there are mobile network providers. So they tend to know the value in “wholesaling” capacity on the network. Then all they have to worry about is getting the technology to work. They don’t have to worry about the quirks of each individual customer who would be expected to pay someone else to use of the service that is being supplied. They don’t need small armies of people at call centres. The return on their investment is very different than if they were to have large armies of individual customers.

But how would the current service providers react to this wheeze, which appears to involve Apple wishing to take from the mobile providers customers who, through their use of the iPhone, are probably among those they would greatly like to keep. It’s an iconic brand, who take delight in offering high-specification devices, and it has millions of well-heeled and devoted followers. In terms of customer value, they probably make up a good percentage of the better customers around.

Miles Thomas, writing in Mobile Squared last August, pointed to research which has suggested that “the number of iPhones in the UK is forecast to rise 195% from 2.17 million at the end of 2009 to 6.4 million by the end of this year. The total number of iPhones in the market will top 9.4 million by the end of 2015 constituting 11% of the total devices used in the UK ... The iPhone comprised 2.7% of total active mobile devices in the UK at the end of 2009, and will rise to 7.9% by the end of this year, and hit the 10% mark around the end of 2012."

This is an impressive figure.

If Apple are able to control sales, they will obviously want to ensure that the network providers learn as little about “Apple’s” customers as possible. Using an analogy of the postal service, perhaps they’ll start to “double bag” the contents, so they can’t be steamed open in transit. Of course the law enforcement community will always want to use its RIPA powers to ensure that the bad guys don’t get away with anything naughty, so Apple will have to provide some way of dealing with the requests that will come their way. Just how a single law enforcement liaison centre, say based in Dublin, would be able to authenticate and deal with requests from officials in all manner of Member States I really don’t know. But then again that’s not my job to know.

And how Apple will deal with different communications date retention requirements in the different Member States, through its use of a central database, again I’m not too sure.

Given the problems I currently have with my internet service providers, I am so glad I have two broadband connections that feed my flat. It means that when one is down, I am able to switch to the other. I depend on the internet so much these days, and I hate being out of touch. I also quickly get frustrated when dealing with call centre staff who find my accent (and lack of technical awareness) difficult to comprehend. It would really be a leap of faith for me to say that I loved Apple and trusted Apple so much that I was prepared to deal directly with Apple, rather than a British Network Service Provider, for all of my communications needs. It’s a leap too far.

I'll stick with my Samsung Galazy S and my special deal with "Everything Everywhere." For now, at least.


Sources:
http://www.telegraph.co.uk/technology/apple/8098751/Apple-to-cut-off-mobile-operations.html
http://www.3g.co.uk/PR/August2010/number-of-iphones-in-uk-to-grow-200.html

.

Who can save us from the decline and fall of EU data protection regulation?

“Laws rarely prevent what they forbid.”

I’ve been mulling over the implications of this phrase for some time, and I have to thank Alun Michael MP for reminding me of it.

Where does it come from?

The classical scholars among us will instantly recognise it as a quote from “The History of the Decline and Fall of the Roman Empire”, written by Edward Gibbon and published in six volumes between 1776 1789.

Wikipedia reports that “As far as Gibbon was concerned, the Roman Empire succumbed to barbarian invasions in large part due to the gradual loss of civic virtue among its citizens. They had become weak, outsourcing their duties to defend their Empire to barbarian mercenaries, who then became so numerous and ingrained that they were able to take over the Empire. Romans, he believed, had become effeminate, unwilling to live a tougher, "manly" military lifestyle. He further blames the degeneracy of the Roman army and the Praetorian guards. In addition, Gibbon argued that Christianity created a belief that a better life existed after death, which fostered an indifference to the present among Roman citizens, thus sapping their desire to sacrifice for the Empire. He also believed its comparative pacifism tended to hamper the traditional Roman martial spirit.”

Interestingly, (and again according to Wikipedia) “Gibbon saw the primary catalyst of the empire's initial decay and eventual collapse in the Praetorian Guard, instituted as a special class of soldiers permanently encamped in a commanding position within Rome, a seed planted by Augustus at the establishment of the empire. As Gibbon calls them at the outset of Chapter V: The Praetorian bands, whose licentious fury was the first symptom and cause of the decline of the Roman empire... He cites repeated examples of this special force abusing its power with calamitous results, including numerous instances of imperial assassination and demands of ever-increasing pay.”

Such behaviour would obviously have diminished them in the eyes of the populous of the ancient regime.

But am I making a cheap point of associating, say, the Article 29 Working Party with the Praetorian Guard of Ancient Rome, and then arguing that any lowering of respect that the general populous of the EU has with that august body is the primary catalyst of the demise of data protection regulation?

No, I am not.

For me, the Praetorian Guard is the individual Member State of the EU – and it’s the failure of each Member State to protect the basic concept of international data protection regulation (to facilitate the free flow of information around the EU – and then the globe) which has caused the disengagement we see today.

So how have Member States failed to protect the basic concept? They need to tread very carefully in this area, if they are to be taken seriously.

I think the failings are in 3 areas, none of which will come as a surprise to people who are deeply involved with the practice – and the theory- of internet regulation. And these are areas that Alun Michael spoke about at the “Fourth Internet Governance Forum”, held at Sharm el Sheikh, Egypt, in November 2009.

The issues relate to the pace of change, the consultation process and the fallacy that legislation provides a solution in itself.

On the pace of change, we have to accept the speed with which the internet develops guarantees that our perceptions of “the future” are increasingly inaccurate. And, we have to acknowledge that the current management techniques of industry, government, and the international community are too slow to keep up with changes on the internet. Some people are bemused that not even the most basic concepts are sufficiently clear. Is an RFID tag an item of personal data? Does it become “personal data” even though the data controller has no idea who is using the umbrella with the RFID tag on it, or whether a number of people may be sharing that umbrella? Or is an RFID tag about an object, rather than a person? As we embrace an internet in which the majority of stuff being recorded relates to objects rather than individuals, its getting ever harder to work out just whether (or to what extent) the current definitions of “personal data” matter any more.

On the consultation process, we have to accept that decision can’t any longer be made just by technogeeks and regulators. Cities are not made by architects, they are made by people. And increasingly, by young people. So we must engage with young people, and create solutions that take more account of their needs than of the needs of older people. Soon, we’ll be handing it over to young people. They talk about the issues in a completely different way and there’s a real and powerful opportunity to use that talent and engagement in a positive way. But more than that – if we genuinely believe that data protection regulation is that important, we will have failed if we can’t find a language to communicate with people who simply aren’t interested in this stuff.

And it’s not just young people we need to consult with properly. I sense that the data protection community also needs to communicate to legislators who do not take an interest in this process in any way. Policymakers are overwhelmed by the issues of the day, but rarely have the luxury of feeling free to devise a proportionate response. Too many legislative proposals appear ill thought out, barely capable of surviving a cursory examination by a critical elite - who will then, like a pack of wolves, turn their attention elsewhere.

And, finally, on the legislative process, I despair of the tendency of politicians to feel that their job is done once a law has been enacted. As if many people really care (or even know) what’s on the statute book. As I remarked at the beginning of this blog, “Laws rarely prevent what they forbid.” Laws need to be accompanied by behavioural change before they can be considered a success. There are plenty of laws that we all freely ignore – and will continue to ignore. Even lawyers ignore some laws. And how do we achieve this behavioural change – as the veteran comedian Ken Dodd used to explain, by wooing an audience, not just by expecting them to find him funny. And what I really despair of a number of legislators – and some regulators too- is their misguided belief that the data protection managers of this world will do “their” work for them, by enforcing regulations that contain so much gobbledegook that lawyers have to be asked to help explain it in terms that Homer Simpson, rather than Albert Einstein, might comprehend.

Perhaps instead the regulators might take it upon themselves to "rebel" if they are expected to enforce stuff that they don't properly understand either. Wouldn't it be nice if European Parliamentarians could occasionally receive a letter pointing out the inconsistencies of the legislation they had passed, together with a polite indication that the regulators would ignore this tosh until the legislation had been simplified and the inconsistencies ironed out. That would be a turn up for the books. Perhaps we should demand that the European Parliament should always make decisions and approve laws that can be understood by a European citizen of average educational ability.

The forthcoming review of the data protection directive will give the EU an opportunity to shine. But, given its sorry history of trying to create general laws which always take account of local characteristics, I doubt that the resulting legal instruments will change the general direction of travel.

I predict that “barbarian invasions” (in terms of the influx of internet services from global data controllers whose mindsets are more attuned to the west coast of the USA rather than Europe) will continue to engulf the “Praetorian Guard” of the individual EU Member States. Remember too that Gibbon argued that Christianity created a belief that a better life existed after death, thus fostering an indifference to the present among Roman citizens, thus sapping their desire to sacrifice for the Empire. Perhaps the time has come to consider whether Google has created a belief that its services provide a “better life” to that which the EU regulators might wish to allow, thus fostering an indifference to current restrictions among Europe’s citizens, and sapping their desire to sacrifice convenience for the EU’s data protection standards.

"I want my gratification and I want it now," I hear many say.

I predict that, in my lifetime, we will see the demise of European data protection regulation, in order that global standards can take their place.


.

Official – “Google escapes prosecution”

It seems that the boys in blue have read the blog I posted on Monday, and have agreed with my analysis. Google will escape police prosecution as they’ve actually broken no (British) laws. Matt Warman, writing in today’s edition of the Daily Telegraph, did get the bit about a “small fine” wrong though – there won’t be any sort of fine (and for the reason I set out on Monday).

Matt ought to read my blog with a little more care. We don’t want journalists making silly mistakes like that, do we!


Source:
http://www.telegraph.co.uk/technology/google/8095954/Google-escapes-prosecution-over-Streetview-data.html


.

Are they still celebrating in the streets of Uruguay?

In a move that advances the interests of the European data protection community by (probably) less than a millimetre, the Article 29 Working Party has recently opined on whether Uruguay’s laws are sufficiently “adequate” to allow them to join that great community of countries outside the EU whose data protection laws have also been officially assessed as “adequate”.

Just to remind those who had forgotten (or who didn’t know in the first place), Uruguay is a tiny country located in the South Eastern part of South America with a population of about 3.5 million, sandwiched between Brazil (whose population is over 190 million) and Argentina (whose population is over 40 million, and whose data protection standards are also considered "adequate").

But hurrah – the Article 29 Working Party has taken it upon itself to address the data protection climate within Uruguay, and it has concluded that the climate does indeed meet the EU’s standards.

So, let those data flows keep flowing to Uruguay.

So who's "adequate" now? Well, the European Commission's list comprises Switzerland, Argentina, the Bailiwick of Guernsey, the Isle of Man, the Bailiwick of Jersey and Canada (as long as the recipient of the information is subject to the Canadian Personal Information Protection and Electronic Documents Act).

Israel is likely to be next. There are a few formalities that need to be gone through before Israel is actually on the list, but none of these formalities will affect (or matter to) anyone outside the European Parliament. The Article 29 Working Party has already had its say (and has finally said "yes"). We will now stifle our yawns and wait for the inevitable to happen.

Then, the European Commision will consider adding Uruguay to its list. Of course, it will first ask the European Parliament first for its views on the matter, but as there is no formal requirement for the European Commission to actually accept those views, it won't be too long before Uruguay makes it all the way, too.

Some list.


If anyone else is inclined to glance at the Working Party’s “Opinion 6/2010 on the level of protection of personal data in the Eastern Republic of Uruguay”, adopted on 12 October 2010, then feel free to point your browser to:
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp177_en.pdf

.

To engage – or not to engage?

I’ve just read a remarkable briefing paper which was prepared in June 2009 by some awfully clever bods at the London School of Economics. In 59 pages, it brilliantly sets out the challenges the Government faces as it tries to work out what to do ensure that the cops – as well as the spooks – can access our communications records when they need to prevent or detect crime.

If I were a civil servant reading this, I would be worried. Why? Because I would expect to see Government security markings on the document that were so high that even the Home Secretary wouldn’t be allowed to be photographed reading a copy. “How dare stuff like this be allowed to be read and discussed by the great unwashed?” I would expect senior civil servants to mutter.

When in printed form, the truth can hurt. A lot.

But I think we owe a vote of thanks to the LSE’s “Policy Engagement Network” for publishing this briefing paper. Well, thanks to an extent, anyway. Granted, the paper sets out the problems, but what we could really do with is a paper of similar quality which sets out the solutions. Or at least a set of potential solutions, from which the ultimate solution could be selected.

What is the Policy Engagement Network?

Its website helpfully explains that “the primary objective of PEN is to inform policy deliberation through linking academic research with pressing policy issues. To further this goal we build and nurture relationships with policy-makers, regulators, government agencies, parliamentarians around the world and international organisations. Through these relationships we are able to identify the policy areas that require the greatest and immediate attention. We bring international experts from academia, industry, government, and civil society together to inform our work so that we may bring the key ideas and knowledge into the policy-making process. 'Engagement' is the essential research strategy to our work. We host dozens of workshops every year at the LSE, and we have run forums and conferences around the world. We present our work at dozens of international conferences every year, and regularly give evidence and provide reports to Parliaments, regulators, policy-makers and industry.”

So let’s hope the Government recognises the remarkable contribution to the debate that this briefing paper makes, and cordially invites the authors to join them in their search for solutions. These guys really know their stuff. They obviously have some considerable amount of “inside knowledge” about the salient issues. So let’s leverage it, and hope they are invited to remain within the tent, as it were. Let’s get them to meet Government representatives on a regular basis, to explore solutions that nail the concerns of so many who share their fears about the capacity of the state to properly address this issue.

I think that such an initiative requires a huge leap of faith on both sides.

On the side of the Government, it probably requires some people to realise that they have to extend the circle of the “trusted few”, so that it doesn’t just include law enforcers, communication service providers and solution providers (ie consultants with software and databases to sell). The debate has to hear the voices of the representatives of civil society.

But on the other side, it also requires some people to realise that there is no place for those who just want to be in constant opposition. Opportunities to engage may well lead to an accommodation of views – which will be acceptable to the majority of stakeholders, but never to the extremists on each side of the debate. Does the Policy Engagement Network, like Sinn Féin, have the appetite to reach an accommodation with the Government? Or would it prefer to remain pure to the principles espoused by some those on its fringes?

I have no idea. But I suspect that until the Government is courageous enough to seek its active engagement in any ongoing discussions, the PEN may continue to thrive by criticising the Government’s plans.

Which, I think, is a bit silly. Especially since I am certain that, deep down, the representatives from both sides simply want to ensure that we continue to live in a just, safe and tolerant society.


Sources:
http://www.lse.ac.uk/collections/informationSystems/research/policyEngagement/
http://www.lse.ac.uk/collections/informationSystems/research/policyEngagement/IMP_Briefing.pdf



.

Statewatch “unveils” the Commission’s cunning plan for a new Directive (or not …)

Sharp-eyed visitors to the Statewatch website may have noticed a recent update. While I blogged about the European Commission’s statement on 5 October, giving just a teasing glimpse of their proposals, Statewatch has done much, much more. It has taken the huge step of posting that entire 18 page (draft) statement on the internet. Together with a 1,000 word analysis of the proposals.

For those not familiar with its work, Statewatch was formed in 1991. It is an independent, not for profit group of journalists, researchers, activists, lawyers and academics that monitors civil liberties and the state in Europe. I am not a member of this group, but do search its on-line archives now and again.

Statewatch.org receives over 100,000 visitors every month, and is a valuable and credible research resource, used by journalists, NGOs, campaigning organisations, parliaments, lawyers, activists and students.

But D’oh …

What our chums at Statewatch may not have appreciated was that the Commission’s draft was updated yesterday. I’m not sure to what extent. Not yet, anyway.

So let’s see if the final version, when it is finally published by the Commission, differs in many material ways from the one that Statewatch has just posted.

And let's hope that not too much of that 1,000 word analysis of the earlier proposals turns out to be wasted.


Source:
http://www.statewatch.org/news/2010/oct/eu-com-draft-communication-data-protection.pdf

Why Google’s snooping mishap hasn't broken British laws: some regulators do ‘ave ‘em ...

Who was responsible for creating such a whoopsie on the statute book that has resulted in Google not having broken any British laws when they evidently scooped up more than they bargained for when harvesting geographical information about the location of various Wi-Fi networks?

As the great and the good are now on their way to Jerusalem, for the Data Protection Commissioners annual conference, I’ve taken it on myself to try and work out what the issues are from the facts as I think I know them.

What are the facts?
Google has admitted that, while capturing street-level photography as part of its Street View mapping project, its camera cars also inadvertently gathered some data that was being sent across domestic Wi-Fi networks.

How did this happen?
Google’s camera cars have roof-mounted wireless antennae, which are used to create a map of wireless networks, for use in geo-location products. This technology was inadvertently based on some experimental code, written four years ago by a Google engineer, that sampled data broadcast publicly over wireless networks. Google's engineering teams have admitted a breakdown of communication that resulted in this experimental code forming part of the software used to map wireless networks. However, the company insists that it was never its intention to gather this data, and that it had never intended to use it for commercial purposes.

What sort of information was gathered?
Google “inadvertently” captured around 600GB of data in 30 countries. Among the information gathered were emails, passwords, and the addresses of websites visited by households. However, Google has stressed that none of this data has been, or was ever intended to be, used for commercial purposes.

What did Google say when the breach came to light?
Google has apologised profusely for the data breach. “We are profoundly sorry for having mistakenly collected payload data from unencrypted networks,” said Alma Whitten, Google’s director of privacy. “As soon as we realised what had happened, we stopped collecting all Wi-Fi data from our Street View cars and immediately informed the authorities. This data has never been used in any Google product and was never intended to be used by Google in any way. We want to delete the data as soon as possible and will continue to work with the authorities to determine the best way forward.” Google also said its Street View cars no longer collected any kind of wireless information.

But has Google contravened any British data protection or privacy regulations?
I think not. Here are my own views on 3 issues that keep on cropping up in the press, and where I think the commentators keep on offering the wrong answers:

Did Google process any “personal data” as defined by British data protection legislation?
Given the definition in the UK’s leading case of Durant v Financial Services Authority, no. The information it collected did not relate to living individuals that Google could identify – or that it ever intended to identify. It was simply small amounts of information which related to particular internet addresses in a particular location, ie along a public highway, at a particular time of the day. Many months ago. If this argument is accepted, then we are not talking about the misuse of personal data, so data protection legislation doesn’t apply anyway.

Could Google be fined by the Information Commissioner up to £500,000 for its behaviour?
Even if the misuse had involved personal data, the answer has to be no. The Commissioner only acquired powers to fine miscreants in April of this year, and the powers are not retrospective. Hopefully, Google’s misbehaviour in the UK, as it were, ceased well before April.

Could Google be sanctioned for unlawful interception?
Again, no. Remember, the Government didn’t feel able to take any action against BT and Phorm after allegations emerged that they had intercepted and profiled the web browsing of tens of thousands of broadband subscribers without their consent in trials in 2006 and 2007.

And this is why the European Commission have expressed their concern that the provisions of the Directive on Privacy and Electronic Communications, which prohibit "unlawful interception and surveillance without the user's consent," have not been properly brought into UK law. Among the failings, apparently, was that UK law currently contain sanctions against interception only in relation to "intentional" snooping. So, if Google were to argue that any interception was “unintentional”, and wrong, unfortunate, and certainly not sanctioned by senior Google management, then there is no British interception law that the company would have broken anyway.

I rest my case.

Sources:
http://www.telegraph.co.uk/technology/google/8085326/Google-Street-View-data-breach-A-guide.html
http://www.theregister.co.uk/2009/10/29/eu_phorm/

.