Wednesday 22 December 2010

Perhaps the dead deserve privacy rights after all

I’ve just read some really disturbing remarks which have been made by a police investigator who surely can’t be one of the brightest of the bunch. This person must have been authorised by someone more senior to have released such really sensitive personal information, but I really wonder whether these blokes in blue truly appreciate the way these stories are likely to hurt many of the innocent victims of personal tragedies.

What am I on about?

I’m referring to stories about the private life of a public servant who was found dead in his flat in August. The press were interested because the public servant was an intelligence officer, and the circumstances of his death were extremely unusual. His body was found in a locked holdall, and investigators were convinced that someone else had been involved in putting him into the bag. But they have not found that person (or people) yet.

From the intensive investigations that appear to have been carried out, there seems to be no reason to suggest that his death was connected to his former profession. There is no evidence of murder. He was on leave when the incident occurred, so whatever he was doing, it was in his own time, with his own money, and on his own terms. And without the intervention of any drugs or alcohol.

So why should the investigators feel that they can be so free with the details that have been unearthed over the past four months? While we know very little about what he did when he was actually at work, the police have released huge amounts of information which have enabled journalists to report on many other aspects of his private life. Details have emerged about his lifestyle in London and Cheltenham, his phone use and internet browsing activity, his shopping and social habits, and even his recent participation in educational courses at Central St Martin’s College, in Clerkenwell.

If similarly titillating details about his working life had been leaked, I'm sure that Detective Chief Inspector Jackie Sebire, who is leading the enquiry, would have been demoted to the rank of Dog Poo Inspector by now.

What rights have the police to feel that they can release such information about his personal life? Have they discussed their plans with the family and colleagues of the deceased? Do they care about how they feel? Or is this all just part of some cozy deal with the press to boast about their investigatory prowess? I really wonder if the media interest would have been of the same hysterical degree if the deceased were to have been a middle aged oil worker living in Aberdeen rather than a young intelligence officer living in Central London.

I, for one, am not at all interested in the personal circumstances of this public servant. But, if I came from a closely knit family, I would feel absolutely humiliated and appalled each time more information about this tragic incident reached the public domain. This public servant is not “public property”. He is part of a family, who love and who grieve for him, and who probably have to start the grieving process almost afresh each time more information (however trivial or true) hits the public domain. When will it end? With the coroner’s inquest, which is due to be held next February? I think not. He may well have been an intensely private person. But surely this does not give anyone the right to assume that, just because he has died, his privacy should be respected any less.

A good friend of mine still grieves each time the press print more details of their relative’s involvement in the tragic events of July 2005. In that incident, fifty-two people in addition to the four bombers were killed, and around 700 were injured.

And, thanks to the internet, this stuff simply won’t go away. These memories, half-truths and experiences, remain stubbornly accessible – and they continue to be used by journalists and bloggers to generate media headlines that care not a jot about the effect the news will, yet again, have on those relatives who have been so awfully affected before.

Perhaps the French have had it right all along, affording privacy rights to the recently deceased, partly as a mark of respect to the dignity of those who remain alive. All we seem to have done is create rights for media and investigators to conspire to keep lurid stories in the media.

Stories which do little but embarrass and hurt decent people whose only sin is to have loved or to have been closely associated with one of the victims of this tragedy.


Sunday 19 December 2010

Merry Christmas

So, with the ICO's clock striking quarter past ten -
It's time for my warmest seasonal greetings, then!

Friday 17 December 2010

Support your local ICO

As I browsed through the racks of charitable Xmas cards recently, I wondered why it is that other deserving causes don’t raise money in this way. If public authorities are really facing the financial cosh, then perhaps they’ll be soon employing fundraising officers as well as audit teams.

And then I read the minutes of some recent management meetings held at the Information Commissioner’s Office, and I began to appreciate just how the new budgetary restrictions were likely to hit them.

Take the minutes of the Executive Team's meeting, held on 2 November, for example. This team is responsible for office-wide leadership, articulation of operational policies and ensuring the office is effectively and efficiently managed. Particular areas of responsibility include primary oversight of the ICO's activities, such as development of the Corporate and Business Plans. Heady stuff. What it considers must be significant, then. It noted that a further in-year reduction in grant in aid (for the ICO’s freedom of information work) had been requested by the Ministry of Justice.

Next, the participants considered a couple of issues arising from the Joint Committee meeting with trade union representatives of the 26 October. In particular it was noted that union feedback on plans to withdraw free teabags and milk had been negative but ET considered that these needed to go ahead. In addition there were concerns about the ICO exploring the possibility of charging staff for car parking. This investigative work would go ahead informed by the survey recently launched as part of a travel plan exercise. Decisions had not actually been made on whether to charge or not.

I get free hot beverages from vending machines at work, so I do appreciate the concern that such facilities are not also available to the ICO’s staff. And, as a child of an era before Margaret Thatcher removed it, I also remember drinking (but not necessarily enjoying) my free school milk. Oh, I also get free car parking too. And I would also be pretty miffed if this perk were to be removed without any corresponding increase in salary.

The next item for consideration by the Executive Team raised a smile on my face. Clarification had been sought on the listening to music by staff whilst at work. ET agreed that listening to music was acceptable if it helped staff work better and so long as it did not disturb other staff and was not inappropriate to their work (for example they were not working on a helpline). I must admit that I don’t mind listening to my own music, but other people’s musical tastes can really grate – and really interfere with my thought process. When I’m paid to think, I don’t want to be distracted by sounds I can’t control.

The real scale of the ICO’s budget challenges arises from the minutes of the Executive Team meeting held on 15 November. The Commissioner had agreed a revised paper on budgets which superseded the original financial report. The new paper highlighted that the ICO had been asked for in-year grant in aid savings of originally £160k, and now for a further £170k. This 6% overall reduction in grant in aid had a large impact on the ability of the ICO to deliver its freedom of information work this year, especially as it came late in the financial year and was hence difficult to absorb. Further reductions would be even more difficult, if impossible, to absorb.

To make the full saving it was essential that all staffing changes and recruitment decisions were agreed by Finance before coming to Executive Team, and that once agreed all offers and start dates were also agreed by Finance.

In addition it was agreed that the agency staff budget would remain as is. Other options to reduce freedom of information spend this year could be looked at if needed, in particular the need for a new handrail in Wycliffe House would be raised with the Director of Organisational Development.

Given the difficulty in making the asked-for saving, the need for accuracy in the apportionment model was essential. Care was needed to ensure that data protection expenditure was not wrongly attributed to freedom of information.

Data protection expenditure was also looked at. The Operations Director reported that bringing the distribution of certain notification documentation in-house was actively being considered. There was also overtime for data protection casework planned, and the possibility of starting recruitment for the new audit team.

So, what should I take from this?

Well, that the Freedom of Information teams are likely to groan under the pressure of an increasing workload and less resource. We need to ensure that not too much “Data Protection money” ends up being spent on stuff that looks awfully like FOI. Perhaps people who are skilled in both areas will end up working for FOI for, say, 50% of the time in practice, despite, say, 80% of their salary being allocated from the Data Protection pot. Just how the ICO will achieve its current vision will be interesting. Do you remember what the ICO’s corporate plan states?

By 2012 we will be recognised by our stakeholders as the authoritative arbiter of information rights, delivering high-quality, relevant and timely outcomes, responsive and outward-looking in our approach, and with committed and high performing staff – a model of good regulation, and a great place to work and develop.

It’s a great corporate plan and full of exciting ideas. Let’s hope that the current – and continuing – budget restrictions don’t impede its implementation to a significant extent.

Now please remember - when next visiting Wycliffe House - take your own milk and teabags, and don't mention the handrail.



Sunday 12 December 2010

Advising within a huge arc of legal uncertainty

Stewart Room was on great form, addressing a group of Data Protection Managers at the offices of Field Fisher Waterhouse last Thursday. The conference organisers had certainly saved the best till last. His climactic address to the assembled throng went down extremely well. As did a couple of measures of gin & tonic at a local hostelry immediately after the event.

And, once the alcohol had started to really clear my thoughts, I fell into a deep discussion with some of the conference stragglers at the drinks session. It was about the role that professional legal advisors can play when clients consider their options over tricky data protection issues. Do we clients have a problem in that we often ask these advisors the wrong question?

What I mean by this is that some Data Protection Managers are required to deal with queries quite beyond those which they feel equipped to handle. But does it help, or complicate matters, when an external advisor is engaged?

I have felt sorry for the poor bloody advisor, as they struggle to understand what it is that the client actually wants. As the Legal Manager for the Association of British Insurers a couple of decades ago, I was occasionally asked by members of its Data Protection Panel to seek advice on a particular point. I would explain to a trusted external advisor what the situation was, what sort of advice it was that I required, and that I would go elsewhere and seek other advice if the answer they gave me was not the one I needed to pay to hear. These clear, transparent, instructions worked extremely well. Closely knit teams were forged, with likeminded folk sharing the same vision, passion and prejudices. And sharing drinks, evening meals, and trips to Doncaster races. And, eventually, sharing car journeys to attend the funerals of those we had so greatly loved and respected. I still miss you so much, Shelagh.

What’s brought this on? Well, Stewart used a wonderful phrase in his session last Thursday. He spoke about Data Protection Managers needing to advise and support their business about issues that lay within a huge arc of legal uncertainty.

Significant areas of the law simply aren’t fit for modern day purposes. So, every day, we need to appreciate which bit of the law we are going to ignore - just in order that we can get the day job done. Or we need to appreciate which bit of the law we are going to interpret in a certain way today. It’s not like tax law, where you generally know where you stand. As I earn, some tax professional or other is always able to offer, with a considerable measure of confidence, advice on precisely how much of my income is going to be transferred from my control and off into the hands of Treasury coffers.

Established data protection law is far less precise than that – where it actually exists, that is. It’s not quite reached the level of mere bluster and bravado. That’s for the real charlatans. But, in our every day jobs, we often have to forget about relying on detailed facts and legal precedents (unless you actually want to have to bother about the minutiae of, say, legitimising transborder data flows). I mean, we still don’t have settled views about what the law is actually about. Has any court in the land entered the fray about whether an Internet Protocol Address is personal data? Or whether consent which is not “freely given, specific and informed” is really of any lesser quality than the other ways in which it can be assumed that consent has been provided?

Come on, if the tax lawyers are focussing on issues that concern just those at the very summit of taxation law, what sympathy must they feel about their data protection colleagues, who are still scrambling around at base camp level?

What it means, I think, is that Data Protection Managers need to consider themselves as wading chest deep in the business of the management of risk. We are not talking about certainty here, we are talking about levels of confidence. Is the process we are considering sufficiently transparent? Or simple? Or harmless to the individual? How much information really does need to be retained to provide the service efficiently? Are we creating a service that meets the legitimate aspirations of the individual? Did they know we were going to do that? (Or that anyone else was?)

I think that questions such as these can only be met when the business has a clear appreciation of its own integrity and attitude to risk. There’s no point asking a lawyer for “information” about something as vague as data protection law if the lawyer has no appreciation of the degree of risk that the business likes to operate within. Experienced musicians are not engaged to join orchestras for particular concerts unless it’s abundantly clear what music will be played, and which score will be used. In our own sweet way, we experienced data protection professionals can all develop programmes that are tailored to meet the risk profile of their business – but surely only when the business knows what risk profile it wants.

So, professional data protection advisors may well waste lots of their time unless they get the basic question out of the way first. This is “How close do you like to sail to the wind?” Once that answer is known, the rest quite neatly falls into place.

I’m not interested in asking (or paying) for “information about the legal risks” if it means that I’ll receive a thick sheaf of documents which offer finely balanced arguments about the pros and cons of different approaches. In my experience, people working for units within a business don’t really want to know what the law is or what it might be. They want to be told what to do. In a couple of paragraphs, and in words that Homer Simpson, not Albert Einstein, can understand. And I can only tell them what to do when I’m confident that my advice has been calibrated to the degree of risk that the business is prepared to run.

So, if you ever want to work with me, please come armed with a high level of emotional intelligence. And representing a business with a settled sense of its own ethical standards.


Saturday 11 December 2010

... Or the one about the current Information Commissioner and Chris Pounder?

The following day I was off to hear the current Information Commissioner, Christopher Graham, address the Data Protection Forum. You should have been there – he followed Dr Chris Pounder to the podium, and delivered an impassioned rebuttal about the gentle ribbing he had received at the hands of this particular data protection giant. Chris tells me that he’s thinking about retiring in 5 years’ time (probably well before the next Data Protection Directive is in force), so fight to buy your tickets to his events now. His farewell tour will be pretty spectacular. His knowledge of data protection law and the culture of privacy will not easily be replaced.

But I digress.

Christopher Graham made a number of interesting points in his presentation, which explained his vision of the role the ICO would play over the next few years. He began by setting the cultural scene, pointing to a significant shift which few are only now beginning to appreciate, and which the rest of us will latch onto with a vengeance in the coming months.

The issue is one of surveillance and who is carrying it out. Christopher’s thesis was that, previously, citizens have been concerned at the activities of the State. Think about CCTV cameras, the Regulation of Investigatory Powers Act, the Interception Modernisation Programme, GCHQ’s “Mastering the Internet” initiative, the ContactPoint database about all children, the DNA Database, the NHS spine and the information retained for long periods on the Police National Computer. These were all examples of the State developing tools to monitor its citizens. Privacy International and the rest didn’t like it very much. They asked obvious questions, such as “what’s the benefit to society? and what are the safeguards against misuse?” They were not overly impressed with the replies. But there was not much they could do about it. When the State is a monopoly provider of services, it’s not that easy to boycott them.

The interesting development over the recent months has been the transition of public awareness (to be followed by some public concern) to the surveillance activities which are carried out by private companies. And these databases, being global in nature, are significantly larger than some of the national databases I’ve already referred to. Think about behavioural advertising, Google’s Satellite and Streetview service, the data retention obligations that may fall on providers such as Yahoo, Amazon, Facebook, Gmail and the rest. And we don’t see much of an equivalent array of controls (such as those contained in the Regulation of Investigatory Powers Act) to monitor the behaviour of these private activities. Where are the equivalents to the Surveillance Commissioners, with experience, audit powers and real sanctions? Is this role adequately addressed by the Privacy Regulators around the world? Why did I bother typing the last sentence?

What interests me is the role that Privacy International and the rest will play in issues relating to the privatisation of the surveillance state, either in stoking up public concern (as, say, they did in the Phorm debate), or in playing a role to reassure citizens that some of these public companies can be trusted to respect the legitimate expectations of people whose records remain in their databases. To a large extent, these companies are not monopoly providers of services (not quite, anyway), so presumably a well organised public boycott would swiftly bring about changes. It didn't take that many people to crush Phorm. Only a few days ago my nephew told me about the tsunami of change that had recently occurred on Facebook – with people changing their main image to that of their favourite character from their childhood, as a way of identifying themselves with a topical children's campaign.

Is briefly changing your Facebook image the equivalent of wearing a red ribbon to mark World AIDS Day? I think it is. Will this craze catch on next year, perhaps with a special icon for Children in Need, or for Help for Heroes, or for imprisoned Nobel Peace Prize Laureates? Again, I think it might.

So, where does this leave us data protection professionals? With jobs for a long, long, time, I guess. As we seek to explain to colleagues within private companies that the “new, innovative, exciting, sticky” (but oh, so slightly intrusive) services they are creating can only work within a culture of transparency and respect for people who don’t want to participate in these new services. Well, they don’t want to participate just yet, anyway. They may come round to it in the end, but we must not be so presumptive as to believe that the citizens of this world will instinctively share the vision of the geeks who try to earn money by exploiting the links they perceive exist between people and commercial services.

As Ken Dodd used to say, “We have to woo our audiences. We can’t just expect them to like us.”


Tuesday 7 December 2010

Have you heard the one about the former Information Commissioner and the accountants?

Last night, former Information Commissioner Richard Thomas delivered the annual lecture to the IT Faculty of the Institute of Chartered Accountants in England & Wales. “Private Lives in a Database World”. Strong stuff – and greatly appreciated by the invited guests. As was the dinner, held afterwards. Can it really be eight years since he took over from Elizabeth France? Well, yes it can. And since that day, when he could remember the ICO in Wilmslow as having just one personal computer that was linked to the internet – and thus to the outside world - things have changed hugely.

A couple of points really stood out from his very thoughtful speech. And I’ve reinterpreted them, giving my own gloss on what those remarks meant to me.

First, in an area where technological advances are developing faster than even the geeks at Google can keep up, we have to be wary of legislators and regulators imposing their views on society. The old privacy controls weren’t designed to deal with the way we presently interact with each other. We have to recognise that social norms are evolving ever faster, especially with regard to the internet, and “we” need to be careful of “them” imposing their values on “us”. There is a disconnect between the digital natives, to whom a laptop is the very lifeblood of one’s existence, and those of an older “mainframe generation” for whom computing is a useful, but not necessarily an essential, part of everyday living. There really is a generational divide out there. People under 30 are far more likely to appreciate the risks associated with poor data processing practices than people over 60.

Given half a chance, legislators will prescribe standards that are unrealistic, outmoded and dated. That’s all they know. So we, the great governed, must be wary of awaiting the imposition of regulations by an elite that reacts with less subtlety than one would normally prefer. Instead, we ought to engage with the legislators before it’s too late. Otherwise, we’ll end up with unenforceable laws that most people ignore, causing the more enlightened regulators nightmares when being told off for allowing sensible people to do what they think is right, rather than rigidly practising what the law prescribes.

If there were to be a single word that accurately reflected the most practical way forward, it would be “accountability”. This digital world has become far too complex, too interdependent and frankly, too global, for national regulators to really think they can regulate it by themselves. The most logical way forward is for the data controllers themselves to step up to the mark, and assume a greater degree of responsibility for the processes which they themselves cause. It means that they need to face the red-hot anger of the victims when things go wrong. And it means that they will have to accept that, thanks to the internet, campaigns “against” a data controller can spread like wildfire, and cause real harm to that data controller. Let’s just hope that the mob rules with a degree of common sense, then.

Richard was equally passionate about the publication of the European Commission’s recent cunning plan to amend the general Data Protection Directive. It’s fair to assume that a great deal more work will be needed to whip this incoherent shopping list of proposals (my words, not his!) into a regulatory vehicle of which the Commission can be proud. Of course, the cunning plan contained some good ideas. Especially the proposals to replace the current registration scheme with a simpler notification scheme, the promotion of privacy impact assessments and the implementation of a “privacy by design approach”. And possibly the intention to improve and streamline the binding corporate rule concept as a means of legitimising data flows between group companies. And the idea to improve police & judicial co-operation was a worthy, but dull, proposal.

But, will an enhanced breach notification process bring any meaningful redress to victims? And will it reduce the volume or significance of data breaches in future? And what’s this “right to be forgotten”, if it’s not something about ensuring that proper data retention standards exist? And why nothing significant about recognising that global data flows do and will continue to exist and that they can’t be easily regulated? Even King Canute got that point (at least as it concerned tidal flows, rather than data flows) almost exactly one thousand years ago. Or have you heard the one about the EU drafting its own “standard” privacy notice for every controller to use? Or why hardly any mention of the new principle of adequacy?

Hmmmmmm. I sense that the poor official at the Commission who has been charged with getting this Directive “sorted” will be pulling his hair out with frustration at the difficulties inherent in addressing the requirements of so many different stakeholder groups. And I believe it is just one Commission official. Or perhaps one and a half. You might have thought that something this significant might have a whole army of European Commission experts busting their guts somewhere in deepest European Commissionland. But no. They’ve obviously got more important stuff to get on with.

Will history repeat itself? I recall that the first version of the original Data Protection Directive was drafted by a German (Frau Una Ihnen). And such was the uproar (mostly from the direct marketing community) that the powers that be took it away from Una and gave it to a lady from France (Madame Marie Georges). The uproar turned into a wail of anguish. And finally, the EU’s rapporteur was a Brit (a politician eager to make his mark, Geoff Hoon). By which time people were getting pretty tired of the whole affair. What a slog that was. I wonder who has the energy to face up to the European Commission this time.

But, this time it’s really important that we get it right. It’s no longer just a division of opinions between some mild mannered academics and the odd firm of international lawyers, or ten. And the direct marketing community. This time the data controllers should be willing to engage as well. The data controllers want sensible regulation – and they sense that, this time, many of the regulators are very much on their side. Many of the regulators know what's wrong with the current regime. But they do have to do what the legislators tell them.

Now, whether the legislators really “get it”, however, is a moot point. I don’t have enough evidence to persuade me that they have “got it” yet – but there is time.


Saturday 4 December 2010

Data Protecting at the IAPP Congress

I had a useful opportunity earlier this week to quiz a bunch of regulators about the different ways they dealt with Google’s wifi affair. I was keen to understand whether there was much of a thirst to adopt a more joined-up approach to either future investigations, or about the penalties. Because of limited budgets, many regulators prioritise their efforts on certain sectors and activities. But are their priorities broadly similar?

The occasion was the first congress of the International Association of Privacy Professionals to be held outside the USA. As the Europeans put it, finally here was evidence that they were putting the I into the IAPP. A couple of hundred of the usual suspects met on January 29 & 30 at an impeccably chic location, Salons de la Maison des Arts et Métiers, just a few yards from the Eiffel Tower itself. Representative bodies included the International Chamber of Commerce (ICC), French Association of Data Protection Correspondents (AFCDP), Federation of European Direct Marketing Associations (FEDMA), German Association for Data Protection & Data Security (GDD), the UK Data Protection Forum, IAPP Canada and IAPP New Zealand.

David Smith, for the UK, answered me by making the point that while the EU Data Protection regulators met frequently under the auspices of the Article 29 Working Group, and discussed issues that were of mutual interest, a very significant amount of proactive regulatory work had to be planned with the domestic climate in mind. And, as regulators had been granted different powers in the different Member States, it was extremely hard to, say, develop a co-ordinated approach on sanctions. It's mainly about local cultures, political priorities and the legal framework. One colleague in the audience murmured to me “be careful about what you wish for”, hinting that if there were to be an EU-wide approach on sanctions, life might be considerably less comfortable for UK-based data controllers than it currently is. But, in circumstances when one controller had acted in the same manner in all relevant Member States, then it made sense for the Commissioners to appoint a “lead investigator” so that at least everyone could agree on the relevant facts.

Gary Davis, Deputy Irish Data Protection Commissioner, and Yann Padova, Secretary General of the CNIL (France), broadly agreed. There didn’t seem to be much of a domestic thirst for greater international co-ordination in matters such as these.

Artemi Rallo, from the Spanish Data Protection Authority, however, was more candid in admitting that there was some room for improvement in the performance of the regulators in the Google Wifi affair. He accepted that many observers found it extremely difficult to understand why they had taken such significantly different positions. It was not their finest hour. I could sense he knew what it must have felt like for a European operator like Google trying to provide services which customers in a significant number of countries were evidently enjoying, and seeking, and yet which local laws seemed determined to impede.

What lessons did I take away from this as far as aspirations for an enhanced European Data Protection Directive were concerned? Not many positive ones, I fear. While there may be a sense of frustration that some areas of the current law are unwieldy and not fit for purpose, I did not detect a thirst for harmonisation, if such harmonisation was at the price of lowering current local protections.

I sense that a lot of talk is going to happen. But I can't see too many people actually wanting to listen - and modify their own views. The policy makers are going to love it, as everyone will be talking about stuff. But no-one will be giving way. Meetings will be held. Speeches will be made. And we'll all return home wondering what the point of it all really was.

To me, the fundamental issue is that data protection standards reflect cultural standards in particular countries. But there is no possibility of harmonising data protection standards unless the cultural standards are also harmonised. And, as I am determined not to lose the flexibility which comes from adopting pragmatic approaches to solving problems, I’m as likely to join the rules-based “if it’s not specifically allowed then it’s absolutely forbidden” brigade as I am to be a teenager again.


Wednesday 24 November 2010

Fines – the ICO’s poker game begins

Today’s announcement that Hertfordshire County Council has accepted the fine from the Information Commissioner for its sloppy procedures that failed to prevent details of a child sex abuse case from being sent to a member of the public sets an extremely interesting precedent. And if I were a Hertfordshire council tax payer I would be furious that the Council didn’t take steps to challenge the fine. The council may well have behaved disgracefully, but is this misbehaviour really worth £100,000? That amount would probably be enough to employ another couple of workers in the Council’s Childcare Litigation Unit to help prevent more children from being abused.

I would love to know who thought it would be the easy way out, just to pay the fine and hope the matter will die away. They may have thought that “it’s only public money” – but it does mean that this public money won’t be able to be spent on the vital stuff that the Council was supposed to finance. Like a parking fine, the penalty will be discounted by 20% if the Council makes the payment to the Commissioner by 21 December.

Who’s going to be so accountable that they actually lose their job over this mistake? I only hope that their payment procedures are not so poor that the money isn't paid in time for the Council to take advantage of the 20% discount.

There is a really serious point here, though.

The Council did not have to accept the finding. They could have appealed to what is now called the (First-tier Tribunal) General Regulatory Chamber, and at that stage the Commissioner would have been required to provide a more detailed explanation, together with some evidence, about the way the fine was set. Some words of explanation are set out in the decision notice, but I don’t see enough about how the Commissioner has quantified the harm that may accrue to an individual as a result of the poor processes that the Council had adopted.

Data controllers need to carefully appreciate the Commissioner’s thought process, as I expect that risk catalogues will now be revisited in the light of this decision – and the decision in the case of A4e Ltd, also announced today, who managed to lose an unencrypted laptop containing details of 24,000 clients to whom confidential legal advice had been provided. The loss occurred during a burglary at the home of a home-worker. Despite being in the midst of a laptop encryption programme when the unfortunate article was stolen, A4e Ltd were subsequently fined £60,000 – again with a 20% discount if they pay before 22nd December.

There is a right of appeal, against both the imposition of the monetary penalty and the amount of the penalty specified in the monetary penalty notice.

Now, since I don’t know what legal advice or research has been carried out to assess how well the Commissioner had managed to quantify harm in these cases – and how his assessments match up to those awarded by judges who are required to make rulings in other liability trials, I would welcome a “friendly” appeal to the First-tier Tribunal to “sanity check” these penalties.

And could I also suggest that an experienced data protection lawyer offer his services on a pro bono (voluntary) basis to Hertfordshire County Council. The council may be incompetent, but they need all the money they can get to make life less miserable for those at risk who live in that county. That lawyer will make a real name for themselves if they manage to reduce, or quash, these initial penalty notices.

Penalty notices like this affect all data controllers, not just those who get caught.



Careful: this image is not available on Streetview


Yes it is. It’s not (quite) visible from the street – so a Google Streetview camera wouldn’t be able to capture this image as the car cruised along Water Street in Wilmslow.

So this may be its first public outing.

What is it?

It’s the extension which has just been built to accommodate all of the Wilmslow-based Information Commissioner’s staff in a single building. And the office environment is very, very different to what it was before.

Formally opened last month by local MP, George Osborne, motivational slogans are painted on the walls. Stuff about empowerment, rather than pay. Open plan. Clear desk policy. Nice coffee. New carpets. And the Commissioner works in one of the corners, rather than in an office of his own.

Minutes after taking this image (earlier today), an official from Internal Compliance scampered over to ask me who I was and what I was doing. We couldn’t think of a good enough reason for me not to keep the image, so here it is.

It makes a change from gazing at the Streetview images of babies being born, naked men in car boots, dead bodies and people wearing horses' heads. Admittedly, those images are cooler!



Sunday 21 November 2010

German Data Protection gone mad

The German Data Protection regulators made a pact with Google before its Streetview service was allowed to be launched in that great country.

The deal was that the service could go live so long as people who didn’t want their properties to be visible were allowed to ask for them to be blurred.

And this image is the result. If you live in a block of flats, you have the right to mask your personal data (?) by masking the entire block. Don’t ask me what rights the other residents in the block have to insist that their flats be unmasked. It appears that in such cases, the wishes of the many (who want to be visible) can be vetoed by the actions of the few (well, by a single objector, actually).

Der Spiegel Online reports that 244,000 objections have been received - and their properties have been blurred. That’s some three per cent of the total number of properties which were captured by Streetview. The other 97% apparently aren’t sufficiently bothered to object.

But in this context, is a home really something that we would sensibly recognise as “personal data”? It looks like an inanimate object to me. I don’t know the identity of the owner (or the tenants) in the building that’s been blurred out, and I guess I never will. And nor do I want to. I just wonder what checks Google made to verify that the objector was actually owning or living in that building. And whether any of the non-objectors were consulted, too.

What is Google supposed to do when the owner of the house has, following a subject access request, decided that the information in the database is inaccurate? Does Google have an obligation to return to the area to take an updated image of a freshly painted building, or to photograph new dormer windows that have just been installed in the roof?

The mind boggles.

The Register has, helpfully, given us some indication of the checks that Google makes when it receives an instruction to blur the images of a building. Apparently, some clown contacted Google and demanded that they blur one on a street corner in Munich. Which they did. Before realising that they were actually blurring the Munich offices of, er, Google.

You can’t make it up.



Friday 19 November 2010

Who’s been a naughty file sharer, then?

It looks as though another nail is being hammered into the Digital Economy Act’s coffin. And this time it’s the Solicitors Regulation Authority wielding the hammer. So, if the SRA is getting uneasy about what some lawyers have been up to recently, I wonder what’s going to happen next.

Some lawyers have been accused of knowingly "targeting people innocent of any copyright breach" when they sent "bullying" settlement letters to those suspected of being involved with unlawful ("illegal") broadband ISP based Peer 2 Peer File Sharing. This has come about because they gathered public Internet Protocol addresses from file transfers (uploads) on Peer to Peer networks, and used these records to get customer details from Internet Service Providers after having first obtained a court order.

Thousands of people whose addresses were subsequently obtained then received letters which suggested they were involved with copyright file sharing. Many of these letters demanded several hundred pounds in compensation for the alleged act and a further fee to cover costs. Those receiving the messages were threatened with legal proceedings if they refused to pay, which in reality rarely ever happened.

The real scandal was that the people who sent these letters (apparently) knew that IP addresses, which are assigned to your computer each time you go online, are not an effective way of determining a computer user's true identity. At least one middle aged lady received an allegation that she was involved in downloading gay pornography – which came as an awful surprise both to her and to her son, who had not previously discussed his sexuality with either of his parents.

Sensitive personal data? But whose?

We all know that Internet Protocol addresses can easily be faked, hijacked, redirected and generally abused or used in ways that can be hard to detect. And we all know that the owner of a particular internet connection, such as in case of a hotel, business or shared public/home Wi-Fi network (secure or not), may not be the individual responsible for the actual act itself.

So I wonder what Ofcom’s going to do now. I was at one meeting today to hear an official from the Information Commissioner's Office recommend that Privacy Impact Assessments be carried out for most initiatives that involve the processing of personal information. And we all know that the Information Commissioner can now carry out privacy audits on all public authorities, whether they want to learn of his views or not. Will Ofcom carry out and publish a Privacy Impact Assessment about these proposals, in order that everyone can be satisfied that the case has been made for the initiative and that all the legitimate privacy concerns have been addressed? Will the Information Commissioner demand to see one before the process which is currently under construction goes horribly wrong?

Will Ofcom really continue to tell the Internet Service Providers to keep logs of people whose IP addresses have been possibly used by someone else for nefarious purposes, in order that they can report to the copyright owners when there have been a number of similar allegations? Could the Internet Service Providers be accused of sending thousands of bullying letters, too? These providers like to send nice letters to their customers. Not letters containing threats.

And then, finally, are Internet Service Providers really expected to cut off the accounts of people whose IP Addresses have possibly been used by someone else? Is this madness?

Or will someone come to their senses and ask themselves how much angst really needs to be caused in possibly hundreds of thousands of households up and down the country, as parents realise what their offspring have actually been up to?



Wednesday 17 November 2010

Shhh – don’t mention the Commission’s data retention conference

So little notice was taken of an obscure European Commission conference on communications data retention, held back in July 2009, that the Commission is going to hold another one. This event is to be held in just a couple of weeks’ time, although I bet that hardly anyone will be aware either that it is being arranged, or of how the items for discussion actually affect them.

The first session was attended by some 140 participants and speakers made up of representatives from law enforcement authorities, industry, civil society, regulators, academics and other examples of the usual suspects. The participant list makes great reading, as it reveals the names and contact details of some extremely interesting people, including someone from the Hungarian Special Service for National Security, and someone from the Romanian Intelligence Service. I hope these spooks weren’t using their real contact details. If they were, they might want to ask for them to be deleted before anyone reads about it.

The presentations were of the predictable sort.

A representative from KPN, the Dutch telecommunications company, commented that KPN was struggling with implementation. The Data Retention Directive was aimed essentially at telephony but has been “copied” to the internet.

A Swedish privacy activist commented that there was a great deal of controversy surrounding the Data Retention Directive when it was discussed by the European Parliament and some MEPs expressed “indignation, anger and frustration” at the way in which negotiations had been carried out between the chairmen of the big political groups and the UK presidency of the EU at the time. This activist could have been referring to Charles Clarke who, at the time, was the British Home Secretary, and would therefore have chaired the relevant meetings of the Council of Ministers.

A representative for a Belgian internet service provider commented that there is uncertainty about implementation requirements, with a lack of harmonisation across the EU for pan-European operators. Implementation guidelines are needed to help providers implement interoperable vendor solutions. The lack of technical guidance with regard to response times, the format for delivering data to LEAs, the retention obligations with regards to transit and third party providers, centralised storage, internet telephony services and unsuccessful calls, to mention a few issues, results in diverging implementations across Member States. Also, providers' systems were built to be business-grade rather than forensic-grade, designed to retain data for billing, and making them suitable for Law Enforcement Authority investigations requires significant adaptation and expense.

Nothing new here.

And now, there is to be another conference, and many of the issues under consideration look quite significant. They include questions such as
• The purpose of data retention, and whether the retained information ought to be available for investigations into issues other than serious crime. What types of less serious crime, or frivolous crime – or non criminal acts – ought this information be available for?
• Should the rules be extended to include web browsing, as well as electronic communications? [And whether there is much point in extending the rules if users are going to spend over half their digital lives browsing on Facebook (or Google), which may not be affected by these retention rules if they can successfully argue that they are not a Communications Service Provider. All the internet service providers will be able to record is that the user has gone to Facebook (or Google). Not what they've done once they've got there.]
• Should the retention periods be tweaked?
• Should the range of authorities able to access this information be changed?
• How should Member States deal with requests from law enforcement agencies from other Member States?
• Should there be changes to the cost recovery rules?
• Should there be more rules to guarantee the security of these systems?

All of this is pretty heavy going for a day’s conference. And quite relevant too, I suppose, if we are to take as gospel the Home Office’s business plan, which I blogged about last Monday, which contained a commitment to complete work on its plans to develop and publish proposals for the storage and acquisition of internet and e-mail records by the end of December, in order that it can start to implement the key proposals between January 2011 and the next General Election.

Perhaps, at some stage, in the new spirit of transparency which is spreading through all aspects of Government, the Home Office will consult widely on what its position ought to be on the issues that will be discussed on 3 December in Brussels. Or, perhaps it may embark on what it might call a “targeted consultation exercise” with the usual suspects, just to make sure it is going to be able to deliver on any commitments (or comments) it makes.

But then again, perhaps the Home Office won’t consult at all. It may not even turn up.

Let’s see if it does any of these.



Tuesday 16 November 2010

Cracking the problem of cookies

The hot news (at least where I was) today was all about cookies. No mention of the engagement of HRH Prince William and Kate Middleton. The data protection community is obviously made of other stuff, and a select group congregated in central London this afternoon to work out what the Department for Business Innovation & Skills should get Parliament to approve as the law, and how Ofcom and the Information Commissioner’s Office should enforce it.

What’s the real problem, then?

Well, the European Commission is changing the rules about the way some cookies can be used, and how some types of information stored on a subscriber’s electronic device can be accessed. It appears that by next May, the UK will have fallen into line with the new regime.

Fallen into line may be a somewhat ambitious phrase – as, right now, no-one really knows what each Member State is going to do to achieve compliance with the rules. Not only are they extremely hard to comprehend, few Member States seem to have had the will so far to try to understand and propose how the rules should be implemented. So, three cheers for BIS and for the UK, and for providing leadership to the rest of the EU in this very important issue. Where we tiptoe, others will surely tread.

There appears to be no change to the law so long as the information in a consumer’s electronic device is only being accessed because it is strictly necessary to provide the user with an information society service which they had explicitly requested.

There will however be a change to the law if it is intended that information needs to be accessed for other purposes. And in these cases, the subscriber will have to provide their freely given, specific and informed consent before the relevant information is accessed for these other purposes.

As you can imagine, everyone is having a wonderful time trying to work out what cookies provide stuff which is strictly necessary for the provision of the service, and what cookies might not be permitted until the freely given, specific and informed consent turns up. So, when I type a URL and press the "Enter" key, apparently some of what I see will arrive because it is what I wanted to see, and apparently some of what I see will arrive because I will have somehow consented to seeing it.

Does this matter?

It could matter if you run a website and try to make any money out of it. If all you do is provide what the geeks call an information society service, then you might be fine. Unless, of course, you use cookies for other purposes – such as counting unique users to your site, or working out what interests them on your site, so that they (whoever they are) can be served with more relevant advertising banners (that they probably won’t notice anyway). So I think it affects the Information Commissioner's own website as well as many other Government websites, as they try and do cool things like counting unique users to their site, too. In practice, though, I would expect people to adopt an increasingly flexible definition of what is strictly necessary. It could easily turn into something pretty close to what a website owner decides is simply useful to have.

What is going to happen?

Well, I think it’s likely that two separate things could happen.

First, the browser manufacturers (whom you can count on the fingers of both hands) will probably be invited to meet and, in a concerted manner (but not in a manner that will incur the ire of the competition authorities) work out whether it’s possible to provide users with a more granular way of making choices about what types of cookies to accept, and from whom. The cool new descriptive term for this is the development of enhanced browser settings. It appears that the burghers at the European Union don’t like the concept of default browser settings, and instead want evidence that users have made choices about their settings. But, let’s get real here. How many people are really sufficiently interested and engaged in these matters to want to be provided with clear and comprehensive information about the consequences of the various browser setting choices that will be made available to them? I guess that far more people probably read the new terms and conditions on their iTunes account each time Apple changes them. And that’s not very many.

Second, the 4 million website owners (yes, there could be that many) will probably be expected to read the implementing guidance that will eventually appear on the BIS and ICO websites, and they will then be expected to work out for themselves whether it’s possible to provide users with a more granular way of making choices about what types of cookies to accept, and from whom. The cool new descriptive term for this activity is likely to be trying not to give the impression people are ignoring an incomprehensible law.

If I were a busy regulator, I would ask myself whether I should try and do a deal with, say, 10 browser manufacturers, or hold out and negotiate an understanding with 4 million website owners.

No contest, really.

I think I would start by approaching the browser manufacturers, and make so much noise that the website owners who use techniques other than cookies to access information for purposes other than to serve up the requested information on their website, begin to understand that they may have a bit of a problem. And I would wait and see if they came up with any cunning plans to become compliant with the law, and take no action - at least until anyone complained. If these web owners were causing harm to users and were not being transparent and were not getting their consent, then of course I would be down on them like a ton of bricks. But I suspect that, as a busy regulator, I might well have far more serious matters of poor compliance on my regulatory horizon. And I would want to focus on those matters, rather than waste scarce resources trying to improve behaviour that didn’t seem to be doing anyone any harm, anyway.

Perhaps, after all, I really am out of touch with the rest of society. What on earth am I really doing, blogging about cookies, when almost everyone else I know is celebrating the great news of the Royal engagement!


Monday 15 November 2010

Oh Err, a radical approach to tackling illegal internet content

I’ve just read an unusually interesting contribution to the debate on how we should deal with illegal content on the internet.

It came in the form of a speech at last month’s Annual General Meeting of the Internet Watch Foundation, and was delivered by Martin Geddes, former Strategy Director at BT and a refreshingly radical thinker about this stuff. Don't switch off yet. If your mind is broad enough to take the music of the Gorillaz, it ought to be able to appreciate what Martin is trying to say. Here’s a flavour:

The danger to the Internet industry is political. Is it inevitable the agenda will be driven by politicians rather than industry? This depends on the amount of scare stories in media. Youth usage is up, and temptation to interfere becomes too high. Just as with the ill-considered Dangerous Dogs Act of 1991, we may see the ‘Dangerous Devices Act of 2013’ as being the low point that wakes the industry up to its responsibilities.

Given the size of the threat to their ability to innovate and revenue models, surprisingly little is spent on CSR by internet and online media companies. Mumsnet, Consumer Reports, and the Daily Mail can change the political environment faster than any technology solution can adapt. There is high uncertainty on future events. These stakeholders need to be involved, educated and participate in addressing these problems.

In tackling illegal content, there are powerful lessons to follow from the worlds of drugs, political and religious extremism, and copyright piracy. Most critically, decentralised and multi-disciplinary solutions work best. This requires transparency, open source techniques, peer networks of industry practitioners, and voluntary co-operatives to take action.

The achievable mission for the Internet industry is to prevent contagion of illegal content into mainstream society. Containment of the problem is realistic, eradication in the face of multiplying technology complexity is not.

The music industry insisted that the utterly natural human impulse to share music non-commercially constitutes theft. As a result the industry lost the moral authority it needed to preserve copyright as a social institution. It became normal and acceptable to break the law, especially for younger people. At the extreme example of this social norm breaking down, The Economist reports that the total sales of CDs in China in 2009 was only $19 million.

The Internet is an amplifier of human social behaviour. Tackling determined paedophiles through Internet blocking technology is a futile exercise. Preventing widespread access to such content is not. Fortunately the use of illegal content is rightly seen as repulsive by the great majority of people, who do not seek to find it and wish to see it actively prevented. Contagion containment fits with the wishes of ordinary Internet users, and does not require ‘1984’-like total control over the Internet.

In order to prevent contagion into the mainstream, a broader response is required.

• Political: A ‘panic button’ in social media applications or in browsers, and safe harbour law on seeing and reporting illegal content, in order to capture data about the problem from the end users.
• Economic: As the Net evolves, make the cost for Chinese and Russian sites more expensive than revenue. Make it cost the bad guys more. Tax trade with low-compliance hosting sites to reflect social harm. Make payment and content delivery networks carry more responsibility for whom they do business with.
• Social: Make corporate social responsibility (CSR) a board-level priority, to pre-empt political interference. Engage with stakeholder groups outside of the technology industry – schools, journalists, mental health care providers, even mainstream adult content providers.
• Technical: Focus on traceability and auditability in content and communications, allow for a more flexible response to be built on top of this data. Put more blocking intelligence at the ‘edge’ in the device and operating system.

Martin was perhaps at his most radical when suggesting a social role for internet service providers to play in dealing with the users of illegal internet content. Those of a delicate constitution should avoid reading the rest of this blog. As far as he was concerned, the best response is to help the mainstream media adopt a less hysterical attitude to casual users of illegal content; it is a mental health problem that demands education, not just vilification. Work with the NHS to offer helplines, and if you block access to a site make that transparent and offer a place to get such help for those at the margin of use of illegal content. Engage people with different skills sets: epidemiologists, psychologists, and anthropologists are as valuable as network engineers.

This is strong stuff. It makes an awful lot of sense, but I wonder how many politicians have the stomach to look their constituents in the eye and explain that they are helpless because they are being asked to deal with a behavioural condition rather than an issue that will readily respond to regulation. I think it's the industry that needs to exert more control over this playground, not the politicians.

But that’s never prevented politicians from trying (and frequently failing) to regulate behavioural conditions before.



Saturday 13 November 2010

Clarifying the “right to be forgotten”

One of the proposals contained in the European Commission’s recent plan to amend the data protection directive came from the premise that individuals should always be able to access, rectify, delete or block their data, unless there are legitimate reasons, provided by law, for preventing this.

Today’s image appears in a number of newspapers, and is of a group of demonstrators in triumphal poses on the roof of Millbank Tower, during the riot on 10 November. I wonder how many of them are regretting their decision to climb to the top of the building, in protest at the Government's decision to increase tuition fees for students. I also wonder if this image includes a picture of the person who hurled a fire extinguisher from the roof. It crashed to the ground inches from policemen who said they would almost certainly have been killed if it had struck them. Police Federation representatives have called for the person responsible to be charged with attempted murder. Among the 55 or so arrested in relation to the protests, ten were still at school.

Millbank Tower is designed with one wing of 27 floors and the other wing of just 8 floors. The students climbed up to the 8th floor roof - above the offices occupied by the Conservative Party. Conveniently sited next door to the MI5 Headquarters, Millbank Tower provides office accommodation for a number of high profile political and other organisations. Current and previous tenants have included the Labour Party, the United Nations, the Central Statistical Office, the Parliamentary Ombudsman Commission, the Local Government Ombudsman, UK India Business Council and the Ministry of Justice Records Management Service. And yes, it’s also the London home of the Information Commissioner’s Office.

I was out in Westminster the night after the riot with someone who also works in that building. He described how the initial frisson of excitement among the office workers quickly turned to apprehension, as they realised that the mob was attacking a very thin blue line of riot police. And then the live television pictures of rioters, inside the building and just a few floors away from where he was working, caused growing consternation. It’s really not funny when you find yourself caught up as an innocent victim of the chaos. Many of the office workers were extremely distressed. You don't expect to face an angry mob, or to fear your life is in danger, just because you share an office building with workers from a mainstream political party.

But should the people in this image be able to re-write history and demand that their personal data be deleted from the image?

The answer can only be no – and the reason must be that it is not their personal data any more.

This seems to be the logic of the Commission’s proposal, as it suggests that the right to be forgotten relates to the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes. This is the case, for example, when processing is based on the person's consent and when he or she withdraws consent or when the storage period has expired.

In instances such as the riot, the processing of their personal information was never based on consent in the first place. It was based on other conditions in the Directive.

And what this will probably lead to is more data controllers wondering if consent really is an appropriate condition for processing personal information, or whether they ought not rely on other conditions if they can possibly help it. At work, for example, I always prefer to use the legitimate interests of the data controller condition, rather than rely on consent. It’s a much easier test to meet for all practical purposes. And it gives me much more control over how I use information that is required for, say, corporate purposes.

I would hate to see more politicians, for example, trying to argue that it is appropriate that they have a right to insist that we forget about any of their previous misdeeds. Memories of the recent sleazy Parliamentary expenses scandals have not yet faded away.

Indeed, we have Wikipedia to thank for providing us with a tool that enables us to refresh our memories every now and again. The media are currently running stories about the ease with which journalists managed to hack their way into the voicemail accounts of many high profile individuals some 5 years ago. The House of Commons Home Affairs Select Committee is currently carrying out yet another enquiry into the way the Metropolitan Police investigated the allegations.

But take a good look at the record of the Chairman of the Home Affairs Select Committee. Look him up on Wikipedia. And ask yourself how many of those allegations of misbehaviour you’ve already forgotten (or didn’t know about in the first place). If people who have allegedly behaved like that can end up as the Chairman of an influential Parliamentary Committee, then the demonstrators who are pictured on the roof of Millbank Tower probably have nothing to fear should they wish to become public servants.



Friday 12 November 2010

Depending on the kindness of strangers

It’s that time of the year when the corporate gift season gets into full swing. There can be few readers who haven’t at some stage in their career (or even this month) received a small gift as a token of appreciation for attending some corporate event or another.

Same with me.

My last two gifts were very appropriate.

First up was a data protection event sponsored by Sophos, the security specialists. As its website proudly proclaims: Trusted by 100 million users and endorsed by industry analysts as a leader, Sophos provides a full range of endpoint, encryption, email, web and NAC solutions that are simple to deploy, manage and use.

Their gift was a very handy book which, in just over 100 pages, explained in language that even my mother might understand, all a busy person really needed to know about security threats, security software, safety tips and how to avoid computer viruses. It’s the ideal primer if ever you were required to blag your way into an IT security conference and appear authentic.

Second up was a data protection event sponsored by Bird & Bird, the international commercial law firm which operates on the basis of an in-depth understanding of key industry sectors. As its website proudly proclaims: Our leading International Privacy & Data Protection Practice advises a wide range of corporate and other organisations around the world, reflecting the firm’s strengths in sectors such as Communications, Media, E-commerce, Financial Services, Health and IT.

Their gift was a pair of USB drives, suitably endorsed with the Bird & Bird logo. Woops. They weren’t in a sealed package so I wasn’t sure if they had been tampered with. (But of course I trust the team at Bird & Bird.) Nor were they encrypted USB drives – and we all know what the Information Commissioner’s Office thinks about personal data being transported when it’s not encrypted. Never mind – the session, on cookies, was being hosted by a former Deputy Information Commissioner, so surely their marketing team had checked the suitability of the gift with him before they ordered them ... Well, they certainly will do next time!

I don’t mean to be spiteful or overly critical about Bird & Bird – after all, their data protection advice is invariably of the highest quality, and they hold wonderful parties.

My point is that we data protection professionals should be careful when offering – or accepting – electronic storage media as we’ve all read the horror stories that abound. But never in my career as a recipient of corporate gifts have I been offered a USB drive that was either packaged and protected with a tamper proof seal, or accompanied with a warranty that it didn’t contain any spyware or computer viruses. And haven’t we all both received and presented a number of these USB drives to colleagues at various corporate events over the last few years?

Anyway, I am extremely grateful for both sets of gifts, and I can assure any future givers that I will most humbly thank them for their present and that I will try to make good use of it.

Especially when I unwrap the gift and it reveals itself to be a bar of chocolate.


Wednesday 10 November 2010

The Home Office can't really want to prevent behavioural advertising

Oh dear. The Home Office may have, inadvertently, published some advice a few years ago that could now, if accepted, prevent the very practice it didn’t really intend to ban.

Yesterday’s blog referred to the issues that face organisations who are keen to understand what internet users are up to, in order that they can send them relevant adverts. Some of this activity may involve understanding what a user is doing while they are surfing the internet. This is likely to involve some form of interception of their communications.

In a world where definitions are very important, the definition of what constitutes a communication is very important. A communication does not only mean a voice or a text message. It also means, thanks to changes to the e-Privacy Directive (as amended by Directive 2009/136/EC), browsing on the internet. The definition covers any information exchanged or conveyed between a finite number of parties by means of a publicly available communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information.

Back to the plot.

In the light of general concern among some people in the European Commission that British interception laws are too lax, the Home Office has decided that the hurdles over which the interceptors should jump are not sufficiently high. They’ve taken a good look, in particular, at the provisions in section 3(1) of RIPA, which allows interception to take place if both the sender and the recipient have reasonable grounds for believing that consent has been given. And they don’t like what they’ve seen.

My blog yesterday focussed on the fact that the Home Office hoped that all would be sweetness and light if it were simply to change the criteria which legitimise lawful interception. Rather than rely on the belief that both the sender and the recipient had reasonable grounds for believing that consent has been given, the Home Office was planning to up the ante to require that both sender and recipient of the communications must have consented to the interception. And, in this context, the consent would have to be freely given, specific and informed.

I pointed out that this might, in practice, be an impossibly high standard to achieve, and thus a lot of behavioural advertising activity which is currently considered lawful would suddenly become unlawful.

Having had the opportunity to reflect on this matter today, I’m even more sure that my fears are legitimate. Some types of behavioural advertising, particularly when they are carried out by third parties, rather than the user's Internet Service Provider or directly by the owner of the web page that the user is accessing, need to be looked at quite carefully. I do hope that these third parties take this opportunity to comment on the Home Office's proposals.

I’ve also just been reminded of some advice, dated January 2008, helpfully provided by a well-respected Home Office official to a privacy activist back in March 2008. (Well, I certainly respect that Home Office official.) The advice was entitled Targeted online advertising: interception of communications or not? If it is, is it lawful interception?

The advice concluded that targeted online advertising was a legitimate business activity as it was advertising undertaken with the highest regard to the respect for the privacy of ISPs' users and the protection of their personal data, and with the ISPs' users consent, expressed appropriately. And ... The purpose of Chapter 1 of Part 1 of RIPA is not to inhibit legitimate business practice particularly in the telecommunications sector. Where advertising services meet those high standards, it would not be in the public interest to criminalise such services or for their provision to be interpreted as criminal conduct. The section 1 offence is not something that should inhibit the development and provision of legitimate business activity to provide targeted online advertising to the users of ISP services.

But the advice also noted the difficulty of securing consent from the host or publisher of a web page in order to legitimise the interception activity. Section 15 of the note uses the fatal phrase implied consent: “It may be argued that section 3(1)(b) is satisfied in such a case because the host or publisher who makes a web page available for download from a server impliedly consents to those pages being downloaded.”

But hasn’t the Home Office just argued that implicit consent isn’t sufficient, and that instead it must be freely given, specific and informed?

And if so, how is the Home Office going to dig itself out of this hole?

My cunning plan to get round this mess is to change the law to allow lawful interception if at least one of the parties (the sender or the recipient) provides their freely given, specific and informed consent, and the other party can at least be presumed to have provided their consent. It's simply not going to work if both parties have to meet the high standard of freely given, specific and informed consent.

For those who are seriously interested in this issue, I have re-published the Home Office's advice and it appears below. I apologise for its length, but it makes very useful bedtime reading.

1. Targeted online advertising enables ISPs, web publishers and advertisers to target consumers with contextually and behaviourally relevant messages based upon real time analysis of users' browsing behaviour, and done anonymously without reference to any personally identifiable information. Equally it offers ISPs' users an enhanced user experience in terms of the advertising and marketing they may be exposed to.

2. This note offers informal guidance on issues relating to the provision of targeted online advertising services. It should not be taken as a definitive statement or interpretation of the law, which only the courts can give.


**Do targeted online advertising services involve the interception of a communication within the meaning of sections 2(2) and 2(8) of the Regulation of Investigatory Powers Act 2000 (RIPA)?**

3. The meaning and scope of interception of communications is set out in sections 2(2) to 2(8) of RIPA.

4. Section 2(2), RIPA reads: "a person intercepts a communication in the course of its transmission .... if, and only if he ...... so monitors transmissions made by means of the system ...... as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient".

5. Section 2(8), RIPA reads: "... contents of a communications are to be taken to be made available to a person while being transmitted ... [in] any case in which any of the contents of the communication, while being transmitted, are diverted or recorded so as to be available to a person subsequently."

6. The provision of a service to deliver targeted online advertising will tend to involve a person (an ISP and/or a targeted advertising provider on behalf of an ISP) monitoring transmissions made by means of a relevant telecommunications system so as to make some of the contents of a communication available, while being transmitted, to a person (the ISP and/or the targeted advertising provider) other than the sender or intended recipient of the communication.

7. Targeted online advertising services operate by delivering a cookie, including a unique user identity (UID), to an internet service user's computer which supports the advertising service. The UID is processed automatically in a closed system (which does not associate an IP address with the UID). The system performs an analysis of URLs and key words from web pages which allocates the UID to relevant advertising categories. Once this analysis is completed the URLs and key words are deleted from the system. The system then uses that analysis to match advertisers' criteria and to enable ISPs' users to be targeted with advertising based on their browsing interests (which includes web pages viewed, search terms entered and responses to online advertisements).

8. For the purposes of section 2(2) and (8), "available" is likely to be taken to mean that a person could in practice obtain those contents for examination. Processing of the contents of a communication under human control will be likely to be regarded as having been made "available" to a person and will therefore have been intercepted within the meaning of RIPA.

9. Where the provision of a targeted online advertising service involves the content of a communication passing through a filter for analysis and held for a nominal period before being irretrievably deleted - there is an argument that the content of a communication has not been made available to a person.

10. Where the provision of a targeted online advertising service involves storing and processing the content of a communication in circumstances where it would be **technically possible** for a person to access the content that can be regarded as having been "diverted or recorded so as to be available to a person subsequently". This might include circumstances involving a proxy server analysing the request to view a web page, in the course of it being downloaded, and presenting the user with the web page and targeted advertising content.

11. Where the technology involves the user's browser executing a script to download targeted advertising content to complement a previously or near simultaneous download of a web page, it can be argued that the transmission of a communication ceased at the point the web page reaches the user's browser, that the end user's computer is not part of the telecommunications system and that the communication has not been made available to a person **while being transmitted**.


**To the extent that targeted online advertising services might involve interception of communications, can they be offered lawfully without an interception warrant in accordance with section 3 of RIPA?**

12. Section 3, RIPA, where relevant to targeted online advertising, creates two situations in which interception without a warrant may be lawful: section 3(1), interception with consent and section 3(3), interception for purposes connected with the operation of the telecommunications service.

13. Section 3(1), RIPA, provides that: "conduct consisting in the interception of a communications is authorised if the communication is one which, or which that person has reasonable grounds for believing is, **both**: (a) a communication sent by a person who has consented to the interception; **and** (b) a communication the intended recipient of which has so consented."

14. The provision of a targeted online advertising service to an ISP user who has consented to receive the service should be able to satisfy section 3(1)(a). Each service will have its own relevant user agreements. Where consent to receive targeted advertising is included in the user's contract and the user should be alerted to the possibility of opting out of the targeted online advertising service at regular intervals, 3(1)(a) is arguably satisfied.

15. A question may also arise as to whether a targeted online advertising provider has reasonable grounds for believing the host or publisher of a web page consents to the interception for the purposes of section 3(1)(b). It may be argued that section 3(1)(b) is satisfied in such a case because the host or publisher who makes a web page available for download from a server impliedly consents to those pages being downloaded.

16. Section 3(3), RIPA, provides that: "(3) Conduct consisting in the interception of a communication is authorised by this section if: (a) it is carried out by or on behalf of a person who provides a ...telecommunications service; and (b) it takes place for purposes connected with the provision or operation of that service ..."

17. The provision of a targeted online advertising service, contracted by an ISP as part of the service to the ISP's users, can probably be regarded as being carried out "on behalf of" the ISP for the purposes of section 3(3)(a).

18. It is arguable that a targeted online advertising service can be "connected with the provision or operation of [the ISP] service". The RIPA explanatory notes for section 3(3) state: "Subsection (3) authorises interception where it takes place for the purposes of providing or operating a postal or telecommunications service, or where any enactment relating to the use of a service is to be enforced. This might occur, for example, where the postal provider needs to open a postal item to determine the address of the sender because the recipient's address is unknown."

19. Examples of section 3(3) interception, very relevant to the provision of internet services, would include the examination of e-mail messages for the purposes of filtering or blocking spam, or filtering web pages which provide a service tailored to a specific cultural or religious market, and which takes place with user's consent whereby the user consents not to receive the filtered or blocked spam or consents (actively seeks) a service blocking culturally inappropriate material. The provision of targeted online advertising with the user's consent where the user is seeking an enhanced experience and the targeted advertising service provides that.

**Conclusion**

20. Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions. The providers of targeted online advertising services, and ISPs contracting those services and making them available to their users, should then - to the extent interception is at issue - be able to argue that the end user has consented to the interception (or that there are reasonable grounds for so believing). Interception is not likely to be at issue where the user's browser is processing the UID and material informing the advertising criteria.

21. Where targeted online advertising is determined and delivered to a user's browser as a consequence of a proxy server monitoring a communication to download a web page, there may be monitoring of a communication in the course of its transmission. Consent of the ISPs' user and web page host would make that interception clearly lawful. The ISPs' users' consent can be obtained expressly by acceptance of suitable terms and conditions for the ISP service. The implied consent of a web page host (as indicated in paragraph 15 above) may stand in the absence of any specific express consent.

22. Targeted online advertising can be regarded as being provided in connection with the telecommunication service provided by the ISP in the same way as the provision of services that examine e-mails for the purposes of filtering or blocking spam or filtering web pages to provide a specifically tailored content service.

22. Targeted online advertising undertaken with the highest regard to the respect for the privacy of ISPs' users and the protection of their personal data, and with the ISPs' users consent, expressed appropriately, is a legitimate business activity. The purpose of Chapter 1 of Part 1 of RIPA is not to inhibit legitimate business practice particularly in the telecommunications sector. Where advertising services meet those high standards, it would not be in the public interest to criminalise such services or for their provision to be interpreted as criminal conduct. The section 1 offence is not something that should inhibit the development and provision of legitimate business activity to provide targeted online advertising to the users of ISP services.
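
Paragraphs 7, 9 and 10 of the note turn on what the system still holds once the analysis is done. The Python sketch below is an added illustration, not code from the Home Office note, this blog or any advertising provider; the category map, class names and sample requests are all constructed. It runs the same analysis through a profiler that keeps only UID-to-category allocations and through one that also records the browsed URLs, then checks what each retains.

```python
import re
from collections import defaultdict

# Constructed keyword-to-category map; a real service would use its own taxonomy.
CATEGORY_KEYWORDS = {
    "travel": {"flight", "flights", "hotel", "holiday"},
    "motoring": {"car", "tyres", "garage"},
    "finance": {"mortgage", "loan", "savings"},
}


def categorise(url, page_keywords):
    """Map one page view to advertising categories (the 'analysis' of paragraph 7)."""
    tokens = set(re.findall(r"[a-z]+", url.lower())) | {k.lower() for k in page_keywords}
    return {cat for cat, words in CATEGORY_KEYWORDS.items() if tokens & words}


class TransientProfiler:
    """Paragraph 9 style: content is analysed and then dropped; only the
    UID-to-category allocation persists. No IP address is ever accepted."""

    def __init__(self):
        self.allocations = defaultdict(set)

    def observe(self, uid, url, page_keywords):
        self.allocations[uid] |= categorise(url, page_keywords)
        # url and page_keywords are not stored anywhere by this class.

    def retained(self):
        return {uid: sorted(cats) for uid, cats in self.allocations.items()}


class RecordingProfiler(TransientProfiler):
    """Paragraph 10 style: the same analysis, but the content is also recorded,
    so a person could technically retrieve it later."""

    def __init__(self):
        super().__init__()
        self.history = []

    def observe(self, uid, url, page_keywords):
        super().observe(uid, url, page_keywords)
        self.history.append((uid, url, tuple(page_keywords)))

    def retained(self):
        return {"allocations": super().retained(), "history": list(self.history)}


def leaks_content(retained, observed_urls):
    """Retention check: does anything the profiler holds still contain a browsed URL?"""
    dump = repr(retained)
    return any(url in dump for url in observed_urls)


# Constructed sample traffic: (cookie UID, requested URL, key words from the page).
SAMPLE = [
    ("uid-7f3a", "http://example.org/cheap-flights/rome", ["hotel", "weekend"]),
    ("uid-7f3a", "http://example.org/news/budget", ["mortgage", "rates"]),
    ("uid-c210", "http://example.net/garage/tyres", ["car"]),
]


def run(profiler):
    """Feed the sample traffic through a profiler and return what it retains."""
    for uid, url, keywords in SAMPLE:
        profiler.observe(uid, url, keywords)
    return profiler.retained()


if __name__ == "__main__":
    urls = [u for _, u, _ in SAMPLE]
    for cls in (TransientProfiler, RecordingProfiler):
        state = run(cls())
        print(cls.__name__, "retains browsed URLs:", leaks_content(state, urls))
```

The check only covers the profiler's own state. In a deployed system, proxy logs, caches and crash dumps would need the same inspection before anyone could claim the content had been irretrievably deleted.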