Wednesday 24 November 2010

Fines – the ICO’s poker game begins

Today’s announcement that Hertfordshire County Council has accepted the fine from the Information Commissioner for its sloppy procedures that failed to prevent details of a child sex abuse case from being sent to a member of the public sets an extremely interesting precedent. And if I were a Hertfordshire council tax payer I would be furious that the Council didn’t take steps to challenge the fine. The council may well have behaved disgracefully, but is this misbehaviour really worth £100,000? That amount would probably be enough to employ another couple of workers in the Council’s Childcare Litigation Unit to help prevent more children from being abused.

I would love to know who thought it would be the easy way out, just to pay the fine and hope the matter will die away. They may have though that “it’s only public money” – but it does means that this public money won’t be able to be spent on the vital stuff that the Council was supposed to finance. Like a parking fine, the penalty will be discounted by 20% if the Council makes the payment to the Commissioner by 21 December.

Who’s going to be so accountable that they actually lose their job over this mistake? I only hope that their payment procedures are not so poor that the money isn't paid in time for the Council to take advantage of the 20% discount.

There is really serious point here, though.

The Council did not have to accept the finding. They could have appealed to what is now called the (First-tier Tribunal) General Regulatory Chamber, and at that stage the Commissioner would have been required to provide a more detailed explanation, together with some evidence, about the way the fine was set. Some words of explanation are set out in the decision notice, but I don’t see enough about how the Commissioner has quantified the harm that may accrue to an individual as a result of the poor processes that the Council had adopted.

Data controllers need to carefully appreciate the Commissioner’s thought process, as I expect that risk catalogues will now be revisited in the light of this decision – and the decision in that of A4e Ltd, also announced today, who managed to lose an unencrypted laptop containing details of 24,000 clients to whom confidential legal advice had been provided. The loss occurred during a burglary at the home of a home-worker. Despite being in the midst of a laptop encryption programme when the unfortunate article was stolen. A4e Ltd were subsequently fined £60,000 – again with a 20% discount if they pay before 22nd December.

There is a right of appeal, against both the imposition of the monetary penalty and the amount of the penalty specified in the monetary penalty notice.

Now, since I don’t know what legal advice or research has been carried out to assess how well the Commissioner had managed to quantify harm in these cases – and how his assessments match up to those awarded by judges who are required to make rulings in other liability trials, I would welcome a “friendly” appeal to the First-tier Tribunal to “sanity check” these penalties.

And could I also suggest that an experienced data protection lawyer offer his services on a pro bono (voluntary) basis to Hertfordshire County Council. The council may be incompetent, but they need all the money they can get to make life less miserable for those at risk who live in that county. That lawyer will make a real name for themselves if they manage to reduce, or quash, these initial penalty notices.

Penalty notices like this affect all data controllers, not just those who get caught.



Careful: this image is not available on Streetview


Yes it is. It’s not (quite) visible from the street – so a Google Streetview camera wouldn’t be able to capture this image as the car cruised along Water Street in Wilmslow.

So this may be its first public outing.

What is it?

It’s the extension which has just been built to accommodate all of the Wilmslow-based Information Commissioner’s staff in a single building. And the office environment is very, very different to what it was before.

Formally opened last month by local MP, George Osborne, motivational slogans are painted on the walls. Stuff about empowerment, rather than pay. Open plan. Clear desk policy. Nice coffee. New carpets. And the Commissioner works in one of the corners, rather than in an office of his own.

Minutes after taking this image (earlier today), an official from Internal Compliance scampered over to ask me who I was and what I was doing. We couldn’t think of a good enough reason for me not to keep the image, so here it is.

It makes a change from gazing at the Streetview images of babies being born, naked men in car boots, dead bodies and people wearing horses heads. Admittedly, those images are cooler!



Sunday 21 November 2010

German Data Protection gone mad

The German Data Protection regulators made a pact with Google before its Streetview service was allowed to be launched in that great country.

The deal was that the service could go live so long as people who didn’t want their properties to be visible were allowed to ask for them to be blurred.

And this image is the result. If you live in a block of flats, you have the right to mask your personal data (?) by masking the entire block. Don’t ask me what rights the other residents in the block have to insist that their flats be unmasked. It appears that in such cases, the wishes of the many (who want to be visible) can be vetoed by the actions of the few (well, by a single objector, actually).

Der Spiegel Online reports that 244,000 objections have been received - and their properties have been blurred. That’s some three per cent of the total number of properties which were captured by Streetview. The other 97% apparently aren’t sufficiently bothered to object.

But in this context, is a home really something that we would sensibly recognise as “personal data”? It looks like an inanimate object to me. I don’t know the identity of the owner (or the tenants) in the building that’s been blurred out, and I guess I never will. And nor do I want to. I just wonder what checks Google made to verify that the objector was actually owning or living in that building. And whether any of the non-objectors were consulted, too.

What is Google supposed to do when the owner of the house has, following a subject access request, decided that the information in the database is inaccurate? Does Google have an obligation to return to the area to take an updated image of a freshly painted building, or to photograph new dormer windows that have just been installed in the roof?

The mind boggles.

The Register has, helpfully, given us some indication of the checks that Google makes when it receives an instruction to blur the images of a building. Apparently, some clown contacted Google and demanded that they blur one on a street corner in Munich. Which they did. Before realising that they were actually blurring the Munich offices of, er, Google.

You can’t make it up.



Friday 19 November 2010

Who’s been a naughty file sharer, then?

It looks as though another nail is being hammered into the Digital Economy Act’s coffin. And this time it’s the Solicitors Regulation Authority wielding the hammer. So, if the SRA is getting uneasy about what some lawyers have been up to recently, I wonder what’s going to happen next.

Some lawyers have been accused of of knowingly "targeting people innocent of any copyright breach" when they sent "bullying" settlement letters to those suspected of being involved with unlawful ("illegal") broadband ISP based Peer 2 Peer File Sharing. This has come about because they gathered public Internet Protocol addresses from file transfers (uploads) on Peer to Peer networks, and used these records to get customer details from Internet Service Providers after having first obtained a court order.

Thousands of people whose addresses were subsequently obtained then received letters which suggested they were involved with copyright file sharing. Many of these letters demanded several hundred pounds in compensation for the alleged act and a further fee to cover costs. Those receiving the messages were threatened with legal proceedings if they refused to pay, which in reality rarely ever happened.

The real scandal was that the people who sent these letters (apparently) knew that IP addresses, which are assigned to your computer each time you go online, are not an effective way of determining a computer user's true identity. At least one middle aged lady received an allegation that she was involved in downloading gay pornography – which came as an awful surprise both to her and to her son, who had not previously discussed his sexuality with either of his parents.

Sensitive personal data? But whose?

We all know that Internet Protocol addresses can easily be faked, hijacked, redirected and generally abused or used in ways that can be hard to detect. And we all know that the owner of a particular internet connection, such as in case of a hotel, business or shared public/home Wi-Fi network (secure or not), may not be the individual responsible for the actual act itself.

So I wonder what Ofcom’s going to do now. I was at one meeting today to hear an official from the Information Commissioner's Office recommend that Privacy Impact Assessments be carried out for most initiatives that involve the processing of personal information. And we all know that the Information Commissioner can now carry out privacy audits on all public authorities, whether they want to learn of his views or not. Will Ofcom carry out and publish a Privacy Impact Assessment about these proposals, in order that everyone can be satisfied that the case has been made for the initiative and that all the legitimate privacy concerns have been addressed? Will the Information Commissioner demand to see one before the process which is currently under construction goes horribly wrong?

Will Ofcom really continue to tell the Internet Service Providers to keep logs of people whose IP addresses have been possibly used by someone else for nefarious purposes, in order that they can report to the copyright owners when there have been a number of similar allegations? Could the Internet Service Providers be accused of sending thousands of bullying letters, too? These providers like to send nice letters to their customers. Not letters containing threats.

And then, finally, are Internet Service Providers really expected to cut off the accounts of people whose IP Addresses have possibly been used by someone else? Is this madness?

Or will someone come to their senses and ask themselves how much angst really needs to be caused in possibly hundreds of thousands of households up and down the country, as parents realise what their offspring have actually been up to?



Wednesday 17 November 2010

Shhh – don’t mention the Commission’s data retention conference

So little notice was taken about an obscure European Commission conference on communications data retention, held back in July 2009, that the Commission is going to hold another one. This event is to be held in just a couple of week’s time, although I bet that hardly anyone will be aware that it is either being arranged, or how the items for discussion actually affect them.

The first session was attended by some 140 participants and speakers made up of representatives from law enforcement authorities, industry, civil society, regulators, academics and other examples of the usual suspects. The participant list makes great reading, as it reveals the names and contact details of some extremely interesting people, including someone from the Hungarian Special Service for National Security, and someone from the Romanian Intelligence Service. I hope these spooks weren’t using their real contact details. If they were, they might want to ask for them to be deleted before anyone reads about it.

The presentations were of the predictable sort.

A representative from KPN, the Dutch telecommunications company, commented that KPN was struggling with implementation. The Data Retention Directive was aimed essentially at telephony but has been “copied” to the internet.

A Swedish privacy activist commented that there was a great deal of controversy surrounding the Data Retention Directive when it was discussed by the European Parliament and some MEPs expressed “indignation, anger and frustration” at the way in which negotiations had been carried out between the chairmen of the big political groups and the UK presidency of the EU at the time. This activist could have been referring to Charles Clarke who, at the time, was the British Home Secretary, and would therefore have chaired the relevant meetings of the Council of Ministers.

A representative for a Belgian internet service provider commented that there is uncertainty about implementation requirements with a lack of harmonisation across the EU for pan-European operators. Implementation guidelines are needed to support providers implement interoperable vendor solutions. There is a lack of technical guidance with regard to response times, the format for delivering data to LEAs, the retention obligations with regards to transit and third party providers, centralised storage, internet telephony services and unsuccessful calls, to mention a few issues, results in diverging implementations across Member States. Also, providers' systems were built to be business-grade rather than forensic-grade, designed to retain data for billing, and making them suitable for Law Enforcement Authority investigations requires significant adaptation and expense.

Nothing new here.

And now, there is to be another conference, and many of the issues under consideration look quite significant. They include questions such as
• The purpose of data retention, and whether the retained information ought to be available for investigations into issues other than serious crime. What types of less serious crime, or frivolous crime – or non criminal acts – ought this information be available for?
• Should the rules should be extended to include web browsing, as well as electronic communications. [And whether there is much point in extending the rules if users are going to spend over half their digital lives browsing on Facebook (or Google), which may not be affected by these retention rules if they can successfully argue that they are not a Communications Service Provider. All the internet service providers will be able to record is thet the user has gone to Facebook (or Google). Not what they've done once they've got there.]
• Should the retention periods be tweaked?
• Should the range of authorities able to access this information be changed?
• How should Member States deal with requests from law enforcement agencies from other Member States?
• Should there be changes to the cost recovery rules?
• Should there be more rules to guarantee the security of these systems?

All of this is pretty heavy going for a day’s conference. And quite relevant too, I suppose, if we are to take as gospel the Home Office’s business plan, which I blogged about last Monday, which contained a commitment to complete work on its plans to develop and publish proposals for the storage and acquisition of internet and e-mail records by the end of December, in order that it can start to implement the key proposals between January 2011 and the next General Election.

Perhaps, at some stage, in the new spirit of transparency which is spreading through all aspects of Government, the Home Office will consult widely on what its position ought to be on the issues that will be discussed on 3 December in Brussels. Or, perhaps it may embark on what it might call a “targeted consultation exercise” with the usual suspects, just to make sure it is going to be able to deliver on any commitments (or comments) it makes.

But then again, perhaps the Home Office won’t consult at all. It may not even turn up.

Let’s see if it does any of these.



Tuesday 16 November 2010

Cracking the problem of cookies

The hot news (at least where I was) today was all about cookies. No mention of the engagement of HRH Prince William and Kate Middleton. The data protection community is obviously made of other stuff, and a select group congregated in central London this afternoon to work out what the Department for Business Innovation & Skills should get Parliament to approve as the law, and how Ofcom and the Information Commissioner’s Office should enforce it.

What’s the real problem, then?

Well, the European Commission is changing the rules about the way some cookies can be used, and how some types of information stored on a subscriber’s electronic device can be accessed. It appears that by next May, the UK will have fallen into line with the new regime.

Fallen into line may be a somewhat ambitious phrase – as, right now, no-one really knows what each Member State is going to do to achieve compliance with the rules. Not only are they extremely hard to comprehend, few Member States seem to have had the will so far to try to understand and propose how the rules should be implemented. So, three cheers for BIS and for the UK, and for providing leadership to the rest of the EU in this very important issue. Where we tiptoe, others will surely tread.

There appears to be no change to the law so long as the information in a consumer’s electronic device is only being accessed because it is strictly necessary to provide the user with an information society service which they had explicitly requested.

There will however be a change to the law if it is intended that information needs to accessed for other purposes. And in these cases, the subscriber will have to provide their freely given, specific and informed consent before the relevant information is accessed for these other purposes.

As you can imagine, everyone is having a wonderful time trying to work out what cookies provide stuff which is strictly necessary for the provision of the service, and what cookies might not be permitted until the freely given, specific and informed consent turns up. So, when I type a URL and press the "Enter" key, apparently some of what I see will arrive because it is what I wanted to see, and apparently some of what I see will arrive because I will have somehow consented to seeing it.

Does this matter?

It could matter if you run a website and try to make any money out of it. If all you do is provide what the geeks call an information society service, then you might be fine. Unless, of course, you use cookies for other purposes – such as counting unique users to your site, or working out what interests them on your site, so that they (whoever they are) can be served with more relevant advertising banners (that they probably won’t notice anyway). So I think it affects the Information Commissioner's own website as well as many other Government websites, as they try and do cool things like counting unique users to their site, too. In practice, though, I would expect people to adopt an increasingly flexible definition of what is strictly necessary. It could easily turn into something pretty close to what a website owner decides is simply useful to have.

What is going to happen?

Well, I think it’s likely that two separate things could happen.

First, the browser manufacturers (of whom you can count on the fingers of both hands) will probably be invited to meet and, in a concerted manner (but not in a manner that will incur the ire of the competition authorities) work out whether it’s possible to provide users with a more granular way of making choices about what types of cookies to accept, and from whom. The cool new descriptive term for this is the development of enhanced browser settings. It appears that the burgers at the European Union don’t like the concept of default browser settings, and instead want evidence that users have made choices about their settings. But, let’s get real here. How many people are really sufficiently interested and engaged in these matters to want to be provided with clear and comprehensive information about the consequences of the various browser setting choices that will be made available to them. I guess that far more people probably read the new terms and conditions on their iTunes account each time Apple changes them. And that’s not very many.

Second, the 4 million website owners (yes, there could be that many) will probably be expected to read the implementing guidance that will eventually appear on the BIS and ICO websites, and they will then be expected to work out for themselves whether it’s possible to provide users with a more granular way of making choices about what types of cookies to accept, and from whom. The cool new descriptive term for this activity is likely to be trying not to give the impression people are ignoring an incomprehensible law.

If I were a busy regulator, I would ask myself whether I should try and do a deal with, say, 10 browser manufacturers, or hold out and negotiate an understanding with 4 million website owners.

No contest, really.

I think I would start by approaching the browser manufacturers, and make so much noise that the website owners who use techniques other than cookies to access information for purposes other than to serve up the requested information on their website, begin to understand that they may have a bit of a problem. And I would wait and see if they came up with any cunning plans to become compliant with the law, and take no action - at least until anyone complained. If these web owners were causing harm to users and were not being transparent and were not getting their consent, then of course I would be down on them like a ton of bricks. But I suspect that, as a busy regulator, I might well have far more serious matters of poor compliance on my regulatory horizon. And I would want to focus on those matters, rather than waste scarce resources trying to improve behaviour that didn’t seem to be doing anyone any harm, anyway.

Perhaps, after all, I really am put of touch with the rest of society. What on earth am I really doing, blogging about cookies, when almost everyone else I know is celebrating the great news of the Royal engagement!


Monday 15 November 2010

Oh Err, a radical approach to tackling illegal internet content

I’ve just read an unusually interesting contribution to the debate on how we should deal with illegal content on the internet.

It came in the form of a speech at last month’s Annual General Meeting of the Internet Watch Foundation, and was delivered by Martin Geddes, former Strategy Director at BT and a refreshingly radical thinker about this stuff. Don't switch off yet. If your mind is broad enough to take the music of the Gorillaz, it ought to be able to appreciate what Martin is trying to say. Here’s a flavour:

The danger to the Internet industry is political. Is it inevitable the agenda will be driven by politicians rather than industry? This depends on the amount of scare stories in media. Youth usage is up, and temptation to interfere becomes too high. Just as with the ill-considered Dangerous Dogs Act of 1991, we may see the ‘Dangerous Devices Act of 2013’ as being the low point that wakes the industry up to its responsibilities.

Given the size of the threat to their ability to innovate and revenue models, surprisingly little is spent on CSR by internet and online media companies. Mumsnet, Consumer Reports, and the Daily Mail can change the political environment faster than any technology solution can adapt. There is high uncertainty on future events. These stakeholders need to be involved, educated and participate in addressing these problems.

In tackling illegal content, there are powerful lessons to follow from the worlds of drugs, political and religious extremism, and copyright piracy. Most critically, decentralised and multi-disciplinary solutions work best. This requires transparency, open source techniques, peer networks of industry practitioners, and voluntary co-operatives to take action.

The achievable mission for the Internet industry is to prevent contagion of illegal content into mainstream society. Containment of the problem is realistic, eradication in the face of multiplying technology complexity is not.

The music industry, insisted that the utterly natural human impulse to share music non-commercially constitutes theft. As a result the industry lost the moral authority it needed to preserve copyright as a social institution. It became normal and acceptable to break the law, especially for younger people. At the extreme example of this social norm breaking down, The Economist reports that the total sales of CDs in China in 2009 was only $19 million .

The Internet is an amplifier of human social behaviour. Tackling determined paedophiles through Internet blocking technology is a futile exercise. Preventing widespread access to such content is not. Fortunately the use of illegal content is rightly seen as repulsive by the great majority of people, who do not seek to find it and wish to see it actively prevented. Contagion containment fits with the wishes of ordinary Internet users, and does not require ‘1984’-like total control over the Internet.

In order to prevent contagion into the mainstream, a broader response is required.

• Political: A ‘panic button’ in social media applications or in browsers, and safe harbour law on seeing and reporting illegal content, in order to capture data about the problem from the end users.
• Economic: As the Net evolves, make the cost for Chinese and Russian sites more expensive than revenue. Make it cost the bad guys more. Tax trade with low-compliance hosting sites to reflect social harm. Make payment and content delivery networks carry more responsibility for whom they do business with.
• Social: Make corporate social responsibility (CSR) a board-level priority, to pre-empt political interference. Engage with stakeholder groups outside of the technology industry – schools, journalists, mental health care providers, even mainstream adult content providers.
• Technical: Focus on traceability and auditability in content and communications, allow for a more flexible response to be built on top of this data. Put more blocking intelligence at the ‘edge’ in the device and operating system.

Martin was perhaps at his most radical when suggesting a social role for internet service providers to play in dealing with the users of illegal internet content. Those of a delicate constitution should avoid reading the rest of this blog. As far as he was colncerned, the best response is to help the mainstream media adopt a less hysterical attitude to casual users of illegal content; it is a mental health problem that demands education, not just vilification. Work with the NHS to offer helplines, and if you block access to a site make that transparent and offer a place to get such help for those at the margin of use of illegal content. Engage people with different skills sets: epidemiologists , psychologists, and anthropologists are as valuable as network engineers.

This is strong stuff. It makes an awful lot of sense, but I wonder how many politicians have the stomach to look their constituents in the eye and explain that they are helpless because they are being asked to deal with a behavioural condition rather than an issue that will readily respond to regulation. I think its the industry that needs to exert more control over this playground, not the politicians.

But that’s never prevented politicians from trying (and frequently failing) to regulate behavioural conditions before.



Saturday 13 November 2010

Clarifying the “right to be forgotten”

One of the proposals contained in the European Commission’s recent plan to amend the data protection directive came from the premise that individuals should always be able to access, rectify, delete or block their data, unless there are legitimate reasons, provided by law, for preventing this.

Today’s image appears in a number of newspapers, and is of a group of demonstrators in triumphal poses on the roof of Millbank Tower, during the riot on 10 November. I wonder how many of them are regretting their decision to climb to the top of the building, in protest at the Government's decision to increase tuition fees for students. I also wonder if this image includes a picture of the person who hurled a fire extinguisher from the roof. It crashed to the ground inches from policemen who said they would almost certainly have been killed if it had struck them. Police Federation representatives have called for the person responsible to be charged with attempted murder. Among the 55 or so arrested in relation to the protests, ten were still at school.

Millbank Tower is designed with one wing of 27 floors and the other wing of just 8 floors. The students climbed up to the 8th floor roof - above the offices occupied by the Conservative Party, Conveniently sited next door to the MI5 Headquarters, Millbank Tower provides office accommodation for a number of high profile political and other organisations. Current and previous tenants have included the Labour Party, the United Nations, the Central Statistical Office, the Parliamentary Ombudsman Commission, the Local Government Ombudsman, UK India Business Council and the Ministry of Justice Records Management Service. And yes, it’s also the London home of the Information Commissioner’s Office.

I was out in Westminster the night after the riot with someone who also works in that building. He described how the initial frisson of excitement among the office workers quickly turned to apprehension, as they realised that the mob was attacking a very thin blue line of riot police. And then the live television pictures of rioters, inside the building and just a few floors away from where he was working, caused growing consternation. It’s really not funny when you find yourself caught up as an innocent victim of the chaos. Many of the office workers were extremely distressed. You don't expect to face an angry mob, or to fear your life is in danger, just because you share an office building with workers from a mainstream political party.

But should the people in this image be able to re-write history and demand that their personal data be deleted from the image?

The answer can only be no – and the reason must be that it is not their personal data any more.

This seems to be the logic of the Commission’s proposal, as it suggests that the right to be forgotten relates to the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes. This is the case, for example, when processing is based on the person's consent and when he or she withdraws consent or when the storage period has expired.

In instances such as the riot, the processing of their personal information was never based on consent in the first place. It was based on other conditions in the Directive.

And what this will probably lead to is more data controllers wondering if consent really is an appropriate condition for processing personal information, or whether they ought not rely on other conditions if they can possibly help it. At work, for example, I always prefer to use the legitimate interests of the data controller condition, rather than rely on consent. It’s a much easier test to meet for all practical purposes. And it gives me much more control over how I use information that is required for, say, coroprate, purposes.

I would hate to see more politicians, for example, trying to argue that it is appropriate that they have a right to insist that we forget about any of their previous misdeeds. Memories of the recent sleazy Parliamentary expenses scandals have not yet faded away.

Indeed, we have Wikipedia to thank us for providing us with a tool that enable us to refresh our memories every now and again. The media are currently running stories about the ease with which journalists managed to hack their way into the voicemail accounts of many high profile individuals some 5 years ago. The House of Commons Home Affairs Select Committee is currently carrying out yet another enquiry into the way the Metropolitan Police investigated the allegations.

But take a good look at the record of the Chairman of the Home Affairs Select Committee. Look him up on Wikipedia. And ask yourself how many of those allegations of misbehaviour you’ve already forgotten (or didn’t know about in the first place). If people who have allegedly behaved like that can end up as the Chairman of an influential Parliamentary Committee, then the demonstrators who are pictured on the roof of Millbank Tower probably have nothing to fear should they wish to become public servants.



Friday 12 November 2010

Depending on the kindness of strangers

It’s that time of the year when the corporate gift season gets into full swing. There can be few readers who haven’t at some stage in their career (or even this month) received a small gift as a token of appreciation for attending some corporate event or another.

Same with me.

My last two gifts were very appropriate.

First up was a data protection event sponsored by Sophos, the security specialists. As its website proudly proclaims: Trusted by 100 million users and endorsed by industry analysts as a leader, Sophos provides a full range of endpoint, encryption, email, web and NAC solutions that are simple to deploy, manage and use.

Their gift was a very handy book which, in just over 100 pages, explained in language that even my mother might understand, all a busy person really needed to know about security threats, security software, safety tips and how to avoid computer viruses. It’s the ideal primer if ever you were required to blag your way into an IT security conference and appear authentic.

Second up was a data protection event sponsored by Bird & Bird, the international commercial law firm which operates on the basis of an in-depth understanding of key industry sectors. As its website proudly proclaims: Our leading International Privacy & Data Protection Practice advises a wide range of corporate and other organisations around the world, reflecting the firm’s strengths in sectors such as Communications, Media, E-commerce, Financial Services, Health and IT.

Their gift was a pair of USB drives, suitably endorsed with the Bird & Bird logo. Woops. They weren’t in a sealed package so I wasn’t sure if they had been tampered with. (But of course I trust the team at Bird & Bird.) Nor were they encrypted USB drives – and we all know what the Information Commissioner’s Office thinks about personal data being transported when it’s not encrypted. Never mind – the session, on cookies, was being hosted by a former Deputy Information Commissioner, so surely their marketing team had checked the suitability of the gift with him before they ordered them ... Well, they certainly will do next time!

I don’t mean to be spiteful or overly critical about Bird & Bird – after all, their data protection advice is invariably of the highest quality, and they hold wonderful parties.

My point is that we data protection professionals should be careful when offering – or accepting – electronic storage media as we’ve all read the horror stories that abound. But never in my career as a recipient of corporate gifts have I been offered a USB drive that was either packaged and protected with a tamper proof seal, or accompanied with a warranty that it didn’t contain any spyware or computer viruses. And haven’t we all both received and presented a number of these USB drives to colleagues at various corporate events over the last few years?

Anyway, I am extremely grateful for both sets of gifts, and I can assure any future givers that I will most humbly thank them for their present and that I will try to make good use of it.

Especially when I unwrap the gift and it reveals itself to be a bar of chocolate.


Wednesday 10 November 2010

The Home Office can't really want to prevent behavioural advertising

Oh dear. The Home Office may have, inadvertently, published some advice a few years ago that could now, if accepted, prevent the very practice it didn’t really intend to ban.

Yesterday’s blog referred to the issues that face organisations who are keen to understand what internet users are up to, in order that they can send them relevant adverts. Some of this activity may involve understanding what a user is doing while they are surfing the internet. This is likely to involve some form of interception of their communications.

In a world where definitions are very important, the definition of what constitutes a communication is very important. A communication does not only mean a voice or a text message. It also means, thanks to changes to the e-Privacy Directive (as amended by Directive 2009/136/EC), browsing on the internet. The definition covers any information exchanged or conveyed between a finite number of parties by means of a publicly available communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information.

Back to the plot.

In the light of general concern among some people in the European Commission that British interception laws are too lax, the Home Office has decided that the hurdles over which the interceptors should jump are not sufficiently high. They’ve taken a good look, in particular, at the provisions in section 3(1) of RIPA, which allows interception to take place if both the sender and the recipient have reasonable grounds for believing that consent has been given. And they don’t like what they’ve seen.

My blog yesterday focussed on the fact that the Home Office hoped that all would be sweetness and light if it were simply to change the criteria which legitimises lawful interception. Rather than rely on the belief that both the sender and the recipient had reasonable grounds for believing that consent has been given, the Home Office was planning to up the ante to require that both sender and recipient of the communications must have consented to the interception. And, in this context, the consent would have to be freely given, specific and informed.

I pointed out that this might, in practice, be an impossibly high standard to achieve, and thus a lot of behavioural advertising activity which is currently considered lawful would suddenly become unlawful.

Having had the opportunity to reflect on this matter today, I’m even more sure that my fears are legitimate. Some types of behavioural advertising, particularly when they are carried out by third parties, rather than the user's Internet Service Provider or directly by the owner of the web page that the user is accessing, need to be looked at quite carefully. I do hope that these third parties take this opportunity to comment on the Home Office's proposals.

I’ve also just been reminded of some advice, dated January 2008, helpfully provided by a well-respected Home Office official to a privacy activist back in March 2008. (Well, I certainly respect that Home Office official.) The advice was entitled Targeted online advertising: interception of communications or not? If it is, is it lawful interception?

The advice concluded that targeted online advertising was a legitimate business activity as it was advertising undertaken with the highest regard to the respect for the privacy of ISPs' users and the protection of their personal data, and with the ISPs' users consent, expressed appropriately. And ... The purpose of Chapter 1 of Part 1 of RIPA is not to inhibit legitimate business practice particularly in the telecommunications sector. Where advertising services meet those high standards, it would not be in the public interest to criminalise such services or for their provision to be interpreted as criminal conduct. The section 1 offence is not something that should inhibit the development and provision of legitimate business activity to provide targeted online advertising to the users of ISP services.

But the advice also noted the difficulty of securing consent from the host or publisher of a web page in order to legitimise the interception activity. Section 15 of the note uses the fatal phrase implied consent: “It may be argued that section 3(1)(b) is satisfied in such a case because the host or publisher who makes a web page available for download from a server impliedly consents to those pages being downloaded.”

But hasn’t the Home Office just argued that implicit consent isn’t sufficient, and that instead it must be freely given, specific and informed?

And if so, how is the Home Office going to dig itself out of this hole?

My cunning plan to get round this mess is to change the law to allow lawful interception if at least one of the parties (the sender or the recipient) provides their freely given, specific and informed consent, and the other party can at least be presumed to have provided their consent. It's simply not going to work if both parties have to meet the high standard of freely given, specific and informed consent.

For those who are seriously interested in this issue, I have re-published the Home Office's advice and it appears below. I apologise for its length, but it makes very useful bedtime reading.

1.Targeted online advertising enables ISPs, web publishers and advertisers to target consumers with contextually and behaviourally relevant messages based upon real time analysis of users' browsing behaviour, and done anonymously without reference to any personally identifiable information. Equally it offers ISPs' users an enhanced user experience in terms of the advertising and marketing they may be exposed to.

2. This note offers informal guidance on issues relating to the provision of targeted online advertising services. It should not be taken as a definitive statement or interpretation of the law, which only the courts can give.


** Do targeted online advertising services involve the interception of a communication within the meaning of sections 2(2) and 2(8) of the Regulation of Investigatory Powers Act 2000 (RIPA)? **

3. The meaning and scope of interception of communications is set out in sections 2(2) to 2(8) of RIPA.

4. Section 2(2), RIPA reads: "a person intercepts a communication in the course of its transmission .... if, and only if he ...... so monitors transmissions made by means of the system ...... as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient".

5. Section 2(8), RIPA reads: "... contents of a communications are to be taken to be made available to a person while being transmitted ... [in] any case in which any of the contents of the communication, while being transmitted, are diverted or recorded so as to be available to a person subsequently."

6. The provision of a service to deliver targeted online advertising will tend to involve a person (an ISP and/or a targeted advertising provider on behalf of an ISP) monitoring transmissions made by means of a relevant telecommunications system so as to make some of the contents of a communication available, while being transmitted, to a person (the ISP and/or the targeted advertising provider) other than the sender or intended recipient of the communication.

7. Targeted online advertising services operate by delivering a cookie, including a unique user identity (UID), to an internet service user's computer which supports the advertising service. The UID is processed automatically in a closed system (which does not associate an IP address with the UID). The system performs an analysis of URLs and key words from web pages which allocates the UID to relevant advertising categories. Once this analysis is completed the URLs and key words are deleted from the system. The system then uses that analysis to match advertisers' criteria and to enable ISPs' users to be targeted with advertising based on their browsing interests (which includes web pages viewed, search terms entered and responses to online advertisements).

8. For the purposes of section 2(2) and (8), "available" is likely to be taken to mean that a person could in practice obtain those contents for examination. Processing of the contents of a communication under human control will be likely to be regarded as having been made "available" to a person and will therefore have been intercepted within the meaning of RIPA.

9. Where the provision of a targeted online advertising service involves the content of a communication passing through a filter for analysis and held for a nominal period before being irretrievably deleted - there is an argument that the content of a communication has not been made available to a person.

10. Where the provision of a targeted online advertising service involves storing and processing the content of a communication in circumstances where it would be **technically possible** for a person to access the content that can be regarded as having been "diverted or recorded so as to be available to a person subsequently". This might include circumstances involving a proxy server analysing the request to view a web page, in the course of it being downloaded, and presenting the user with the web page and targeted advertising content.

11. Where the technology involves the user's browser executing a script to download targeted advertising content to complement a previously or near simultaneous download of a web page, it can be argued that the transmission of a communication ceased at the point the web page reaches the user's browser, that the end user's computer is not part of the telecommunications system and that the communication has not been made available to a person **while being transmitted**.


** To the extent that targeted online advertising services might involve interception of communications, can they be offered lawfully without an interception warrant in accordance with section 3 of RIPA? **

12. Section 3, RIPA, where relevant to targeted online advertising, creates two situations in which interception without a warrant may be lawful: section 3(1), interception with consent and section 3(3), interception for purposes connected with the operation of the telecommunications service.

13. Section 3(1), RIPA, provides that: "conduct consisting in the interception of a communications is authorised if the communication is one which, or which that person has reasonable grounds for believing is, **both**: (a) a communication sent by a person who has consented to the interception; **and** (b) a communication the intended recipient of which has so consented."

14. The provision of a targeted online advertising service to an ISP user who has consented to receive the service should be able to satisfy section 3(1)(a). Each service will have its own relevant user agreements. Where consent to receive targeted advertising is included in the user's contract and the user should be alerted to the possibility of opting out of the targeted online advertising service at regular intervals, 3(1)(a) is arguably satisfied.

15. A question may also arise as to whether a targeted online advertising provider has reasonable grounds for believing the host or publisher of a web page consents to the interception for the purposes of section 3(1)(b). It may be argued that section 3(1)(b) is satisfied in such a case because the host or publisher who makes a web page available for download from a server impliedly consents to those pages being downloaded.

16. Section 3(3), RIPA, provides that: "(3) Conduct consisting in the interception of a communication is authorised by this section if: (a) it is carried out by or on behalf of a person who provides a ...telecommunications service; and (b) it takes place for purposes connected with the provision or operation of that service ..."

17. The provision of a targeted online advertising service, contracted by an ISP as part of the service to the ISP's users, can probably be regarded as being carried out "on behalf of" the ISP for the purposes of section 3(3)(a).

18. It is arguable that a targeted online advertising service can be "connected with the provision or operation of [the ISP] service". The RIPA explanatory notes for section 3(3) state: "Subsection (3) authorises interception where it takes place for the purposes of providing or operating a postal or telecommunications service, or where any enactment relating to the use of a service is to be enforced. This might occur, for example, where the postal provider needs to open a postal item to determine the address of the sender because the recipient's address is unknown."

19. Examples of section 3(3) interception, very relevant to the provision of internet services, would include the examination of e-mail messages for the purposes of filtering or blocking spam, or filtering web pages which provide a service tailored to a specific cultural or religious market, and which takes place with user's consent whereby the user consents not to receive the filtered or blocked spam or consents (actively seeks) a service blocking culturally inappropriate material. The provision of targeted online advertising with the user's consent where the user is seeking an enhanced experience and the targeted advertising service provides that.

** Conclusion **

20. Targeted online advertising services should be provided with the explicit consent of ISPs' users or by the acceptance of the ISP terms and conditions. The providers of targeted online advertising services, and ISPs contracting those services and making them available to their users, should then - to the extent interception is at issue - be able to argue that the end user has consented to the interception (or that there are reasonable grounds for so believing). Interception is not likely to be at issue where the user's browser is processing the UID and material informing the advertising criteria.

21. Where targeted online advertising is determined and delivered to a user's browser as a consequence of a proxy server monitoring a communication to download a web page, there may be monitoring of a communication in the course of its transmission. Consent of the ISPs' user and web page host would make that interception clearly lawful. The ISPs' users' consent can be obtained expressly by acceptance of suitable terms and conditions for the ISP service. The implied consent of a web page host (as indicated in paragraph 15 above) may stand in the absence of any specific express consent.

22. Targeted online advertising can be regarded as being provided in connection with the telecommunication service provided by the ISP in the same way as the provision of services that examine e-mails for the purposes of filtering or blocking spam or filtering web pages to provide a specifically tailored content service.

22. Targeted online advertising undertaken with the highest regard to the respect for the privacy of ISPs' users and the protection of their personal data, and with the ISPs' users consent, expressed appropriately, is a legitimate business activity. The purpose of Chapter 1 of Part 1 of RIPA is not to inhibit legitimate business practice particularly in the telecommunications sector. Where advertising services meet those high standards, it would not be in the public interest to criminalise such services or for their provision to be interpreted as criminal conduct. The section 1 offence is not something that should inhibit the development and provision of legitimate business activity to provide targeted online advertising to the users of ISP services.



Tuesday 9 November 2010

Is the Home Office winning the battle for online privacy for us?

Writing in The Telegraph today, Milo Yiannopoulos has wondered whether we are winning the battle for online privacy. He thinks not, and has argued that online privacy norms are being dictated by companies with a vested interest in acquiring and selling our personal data.

His assumptions may be about to be misjudged. Help may be at hand – from the Home Office itself.

Let me explain.

We all know that the European Commission has been unhappy at the way the British Government has implemented bits of the E-Privacy Directive as it relates to interception, and that some people in Brussels have done a lot of work to try to find out just what bits of the Directive have not been fully incorporated into British law. I understand that one of the areas that has been keeping the Burghers at the Commission awake at night is the frightening prospect that the cracks which have appeared in British law are now so huge as to allow third parties to do a bit (or a lot) of intercepting in a totally unacceptable manner.

Someone has obviously got it in for Phorm and the bods who build and sell all this deep packet inspection kit that internet service providers are apparently so keen on acquiring.

It appears that the Burghers have had a look at our mighty RIPA, the Regulation of Investigatory Powers Act, and they have decided that the hurdles over which the interceptors should jump are not sufficiently high. They’ve taken a good look, in particular, at the provisions in section 3(1) of RIPA, which allows interception to take place if both the sender and the recipient have reasonable grounds for believing that consent has been given. And they don’t like what they’ve seen.

It appears that this reasonable grounds test is too easy to pass, and what needs to be done is that it should be replaced with the (higher) test which is contained in Article 5(1) of the E-Privacy Directive and Article 2(h) of the Data Protection Directive.

What am I on about?

I mean that the Burghers want to swap out the reasonable grounds test with the requirement that both sender and recipient of the communications must have consented to the interception. And, in this context, the consent would have to be freely given, specific and informed.

This appears to be a very much higher hurdle - and I’m not immediately sure how it can be achieved, in practice.

I can certainly understand how, say, the sender of a communication can consent in a manner which is freely given, specific and informed, so that all of their outgoing communications can be monitored. This is known as “one way consent” – but that is not sufficient to legitimise this interception activity. For it to be legitimate, apparently the consent has to be “two way”. But, and this is a big but, if the person doing the intercepting has no way of knowing who the sender will be communicating with until they start to communicate, then how on earth are they expected to obtain the freely given, specific and informed consent of the recipient of each of these communications?

Perhaps the Home Office’s cunning plan is to assume that since it’s pretty hard to get the recipient’s freely given, specific and informed consent to an interception on a communication they don’t even know they will receive, then all of this (unlawful) interception nonsense will simply fall away. And that Phorm will fade into oblivion and all this deep packet inspection kit (and maybe the odd cookie or two) will cease to be used for nefarious purposes. And then the internet will become a less surveilled place. And then we will all receive marketing material that is less relevant than would be the case if behavioral advertising techniques were to be permitted.

Or, perhaps I have got it wholly wrong, and that any changes to the interception legislation which are proposed by the Burghers at the European Commission will only have a limited impact. Why – well, the people doing most of this stuff won’t be based in the UK anyway, and probably won’t notice any changes to the British interception legislation. So, they could easily continue to place their spyware on our devices, and monitor our communications, after having satisfied themselves that there are reasonable grounds for believing that consent has been given.

Unless, of course, the Home Office has another cunning plan up its sleeve to enforce these new rules.



Monday 8 November 2010

The Government’s cunning plan for communications data retention

The Government has just unveiled its latest cunning plan for the retention of communications data, and the details are now available on the internet, for all to see.

In all their glory. Truly, this must be transparency of the highest order. I think the Government's intention is that Government Departments can then be held accountable for achieving outputs that accord with their published plans.

What is the plan? Well, to cut to the chase, have a look at section 5.3 of the Home Office’s business plan. Please note that it will be refreshed annually, so some of the details that are about to be unveiled in this blog may be subject to change.

Section 5.3 is entitled End the storage of internet and email records without good reason.

That’s a promising start.

The Home Office has announced that it has already started its initiative to develop and publish proposals for the storage and acquisition of internet and e-mail records, and this piece of work will end next month. So, this presumably means we will see some proposals published next month.

The Home Office will then implement key proposals, including introducing legislation if necessary, and it will start to do this next month and it will complete the work in June 2015.

That’s just before the next General Election.

No more details are publicly available. So I've saved you the trouble of having to look through the business plan for yourself.



Sunday 7 November 2010

My meaning of “fairness”

I’ve recently had an email asking me to explain what I mean when I use the term “fairness”:

In your profile you mention that you prefer the principle of fairness. Me too. But can you tell me, what you mean by fairness? It is namely an ethical, not legal category. Fairness is not defined in the DP Directive of the EU, although it says, that personal data have to be processed fairly.

Well, here goes.

My sense of "fairness" relates to balancing the rights of data controllers as well as people - and trying to cut through the confusion that some people have that just because information "relates" to them, then it must "belong" to them in the sense that they must always have rights to control that information. We somehow need to respect information which is generated within someone's private sphere and find an easier way of flagging when that "private" information has ceased to become "private" and is now "public property".

For example a person’s religious beliefs may be "private" until they publically declare them, at which time they become "public property". Someone's criminal history should (subject, say, to the provisions of the Rehabilitation of Offenders Act) should be considered "public property". I don’t see why someone who tries to profit from their “good” reputation should always be allowed to hide the “bad” bits simply because it diminishes their commercial value. Thank goodness we have some judges who are prepared to query aplications for “super injunctions” and challenge the right of “celebrities” to retain their commercial value by masking stupid (or unlawful) acts which they may have been committed casually or, even worse, wilfully.

Someone’s credit history should not be a private matter to other credit providers, so long as at the time of initially applying for credit, the credit provider had made it known that it would share details of its clients’ credit histories with other credit providers. At work I receive a small trickle of computer-generated letters from people who have poor credit records, instructing me to delete the adverse credit information once their account is back in order again. These people receive computer-generated replies explaining that the company has a right (and it exercises this right, and it has told applicants that it will exercise this right) to share factual credit information with other credit providers, so that everyone involved can have a better picture of “their” customer and decide for themselves how much credit to allow at any particular time.

At work, I’ve tried to answer questions of fair processing by creating four different categories of customer information which can be generated from our corporate systems. I’ve then asked myself if I can explain the circumstances when it is fair that the company can:
1. use this information for its own legitimate purposes, and/or
2. sell (or otherwise provide) this information to third parties so that these third parties can use it for their own legitimate purposes.

I’ve asked myself when it would be “fair” for the company to do such things when it had simply explained its intentions to individuals (using, say, a privacy policy), and when it would be more appropriate to acknowledge that the information was sufficiently sensitive for individuals to have a specific right to allow (or not, as the case may be) their information to be used for such purposes.

My four categories of customer information are:
1. general customer contact & credit details (eg their name, address, credit history)
2. account administration details (eg how they use the services which the company provides – and as the company is a communications company, I mean who the customers were communicating with, etc)
3. the content of their private communications (as the company is a communications company, I mean what they said/texted/emailed/web pages visited, etc)
4. the content of their public communications (eg the content of blogs they posted and other views which they freely published on the internet and made available to all web users (not just those who know the access password to that website).

I’ve also asked whether the answer to each question would be different if I deliberately ensured that the customer information was rendered (to the business or to a third party) in an anonymous manner, so that no-one had any way of knowing who the person (or people) were who, say, used a particular communications device to surf the internet.

It’s not necessary for me to reveal the answers in this blog, as the purpose today is to explain the process I use to ask the same question (ie “when is it fair for me to ...) when considering whether or how different types of customer information can be used. The answers, so to speak, might well comprise confidential commercial information which I would not be at liberty to divulge in a private blog anyway. So I’m not going to.

(Perhaps, if I came up with some answers to these questions when I was not working, then they might be legitimate material for a future blog, but I’m not going to be doing that today).

My point, however, is that it’s not simply a question of giving a customer an option about whether their personal details can be used for marketing purposes. If only life were that simple.

I sense that I’m going to return to this point again, as I have barely scratched the surface of the question.

Issues around the “fairness” of protecting image rights are complicated. Google have found this out recently – although the matter of how images of buildings can be considered personal data will be considered in another blog. I do find it hard to understand, however, why so much fuss is made of images of the sides of buildings captured by their Streetview service. If people really are keen to prevent the publication of images of buildings, then why they didn’t they make a similar amount of fuss a few years ago, when images of those same buildings were uploaded onto the internet from another angle - from above, rather than from ground level – thanks to Google Satellite.

Also, I'm not sure about Wayne Rooney's image rights. When you make so much money thrusting yourself in the public eye, do you really have the right to retain those rights for all purposes? One blogger recently queried how “one of the ugliest men in the world” (his description, not mine) could actually make any money out of their image rights, but I guess he had missed the point.


Thursday 4 November 2010

The Commission’s cunning plan officially unveiled

On 5th October I blogged about the European Commission’s cunning plan, as it was in its (then) draft form, to revise the Data Protection Directive. On 26th October I blogged that Statewatch had published this draft on their website, and mentioned that it was out of date as the actual plan had just been tweaked.

The latest draft version has been officially pubished, for comment, today.

So, what are the significant changes that have been made to the version that we’ve obviously been pouring over since 26th October (or before)?

Well, not many, but there are a couple of reasonably significant tweaks, which indicate the general direction of travel that the Commission is taking. It looks as though a new translator has run their finger through the text, as some passages have simply been reworded without any there being any material changes to the original meaning. Some of the language is easier to understand through. It must be a more experienced translator!

Here are the principal changes to the version that Statewatch kindly published:

1. The Commission has added a new, more business friendly, objective to the review of the rules. As well as taking into account the impact of new technologies on individuals' rights and freedoms, it will also take account of the objective of ensuring the free circulation of personal data within the internal market.

2. References to minors have been replaced by references to children.

3. Strengthened rules on data deletion will take account of the legitimate purposes for which they are needed rather than the purposes for which they were collected. This recognises the problems some organisations find themselves in when they are required to keep information for, say, surveillance purposes, even though there is no business need for its retention.

4. The concept of data portability (being able to transfer, say, pictures of friends from one social networking site to another without hindrance) is now to be permitted subject to restrictions based on technical feasibility.

5. On consent, the Commission has abandoned references to ensuring a more harmonised implementation of current rules but it has retained its task of clarifying and strengthening the rules.

6. The previous reference to minors has been dropped a an example of another type of data that could be considered as sensitive data.

7. The latest text explains that The Commission will examine the means to achieve further harmonisation of data protection rules at EU level. And it drops its earlier reason which was In order to ensure a true level playing field for all data controllers who operate in different Member States. Presumably this is because it now realises that harmonisation of rules is in the interests of individuals, as well as data controllers.

8. The latest text includes a greatly expanded section on how data controllers’ responsibility could be enhanced. It refers to
a. making the appointment of an independent Data Protection Officer mandatory and harmonising the rules related to their tasks and competences, while reflecting on the appropriate threshold to avoid undue administrative burdens, particularly on small and micro-enterprises;
b. including in the legal framework an obligation for data controllers to carry out a data protection impact assessment in specific cases, for instance, when sensitive data are being processed, or when the type of processing otherwise involves specific risks, in particular when using specific technologies, mechanisms or procedures, including profiling or video surveillance;
c. further promoting the use of PETs and the possibilities for the concrete implementation of the concept of ‘Privacy by Design’.

9. New text is added on the application of the new rules to the area of law enforcement, including an undertaking to assess the need to align, in the long term, the existing various sector specific rules adopted at EU level for police and judicial co-operation in criminal matters in specific instruments, with the new general legal data protection framework. While this is a welcome step in the right direction, we have to take acount of the fact that some elements of policing in Member States has been "privatised", so it would not be fair to provide special dispensations only to people who wear police uniforms. And I am still not sure how we square the competing demands of information that is required for national security and serious crime purposes with the natural desire that some others will have to use that same information to deal with law enforcement breaches (and other misdeeds) of a much less significant nature.

10. Finally, the new text expands the previous commitment to review the role of the National Data Protection authorities. The Commission will examine:
a. how to strengthen, clarify and harmonise the status and the powers of the national Data Protection Authorities in the new legal framework, including the full implementation of the concept of ‘complete independence’;
b. ways to improve the cooperation and coordination between Data Protection Authorities;
c. how to ensure a more consistent application of EU data protection rules across the internal market. This may include strengthening the role of national data protection supervisors, better coordinating their work via the Article 29 Working Party (which should become a more transparent body), and/or creating a mechanism for ensuring consistency in the internal market under the authority of the European Commission.

I'm sure we would support any measure that helps these authorities become more credible institutions.

So, we now have a couple of months to review these proposals and send comments back to the European Commission. It’s not quite a 3 month consultation period (which is what we are used to in the UK when a Government Department asks us for our views). Instead it’s a 2 ½ month period with the Christmas holidays thrown in for good measure. Still, we Brits should be on a roll. After being all fired up to respond to the Ministry of Justice’s recent questionnaire on this subject, we ought to know what to say about this lot!



Wednesday 3 November 2010

The ICO‘s “regulatory action” against Google

The Information Commissioner has today written to Google to outline the regulatory action it intends to take because Google’s Streetview vehicles scooped up more than they bargained for when harvesting geographical information about the location of various Wi-Fi networks.

Let’s first look at the evidence the Commissioner has – as of course we are all in favour of evidence-based regulation.

The ICO's initial assessment, earlier in May of this year, following a visit by some of its officials to Google’s offices, was that, from the sample of payload date available for inspection, “the data was fragmentary and was unlikely to constitute personal data.” It’s now read new evidence, provided by Alan Eustace, Senior VP, Engineering and Research. On the 22nd October 2010 Alan posted new information about the collection of payload data on the Official Google Blog, following a detailed examination of the payload data on the discs: “Since then a number of external regulators have inspected the data as part of their investigations (seven of which have now been concluded). It’s clear from those inspections that whilst most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords.”

Perhaps the fragmentary data was obtained while the vehicles were on the move, and the larger packets were gobbled up when heavier traffic slowed their pace.

But this admission has been enough for the Commissioner to assume that since the British Streetview vehicles were being driven in the same way, using the same software as those whose discs which were inspected by the foreign regulators then, “in some instances it is possible that entire emails and URLs were captured, as well as passwords. It is my view that the collection of this information is a serious breach of the first data protection principle.”

So, no proof of a breach of the UK Data Protection Act exists, because the UK evidence has not been comprehensively examined. But, Google has been invited to sign an undertaking that it will do a lot of things it has already announced that it would do. Perhaps Google made those announcements as it suspected what actions the Commissioner's Office was likely to ask it to do anyway.

It seems like a good outcome for all concerned to me.

This is what Google has been asked to do:

• To continue and update orientation programs designed to provide Google employees with training on Google’s privacy principles and the requirements of UK data protection law;
• To institute a policy that requires Google employees to be trained on Google’s code of conduct, which includes sections on privacy and the protection of user data and the legal requirements applying to the protection of personal data in the UK;
• To enhance the core training for engineers and other important groups with a particular focus on the responsible collection, use and handling of data;
• To institute a security awareness program for Google employees, which will include clear guidance on both security and privacy;
• To institute a policy that requires engineering project leaders to maintain a privacy design document for each initiative they are working on, and a policy that such document should (a) record how user data is handled and (b) be reviewed regularly by managers; and
• To delete the UK payload data it collected, to the extent that Google has no other outstanding legal obligation to retain such data.

The only new undertaking, I think, is this one:

• Within nine months from the date of the undertakings to facilitate a consensual audit by the ICO of the above internal privacy and security practices.

I wonder how furious the provisional wing of the privacy mob are going to be if they conclude that Google’s been let off too lightly? But, as I’ve previously opined, it’s really hard to conclude that Google deliberately set out to do bad stuff, so they don’t deserve to be pilloried anyway.

Today’s letter to Google from the Information Commissioner can be found at:


Woven into the stuff of other men’s lives

This inscription appears on a bench which stands in Addison’s Walk, Magdalen College, Oxford. I saw it yesterday. The bench was donated to the college to commemorate Humphrey Slade, a former student at the College who subsequently served as the first Speaker of the Kenyan National Assembly. Just behind the bench lies a property formerly occupied by CS Lewis, author of the Narnian Chronicles. Other notable College members include Edward Gibbon (of whom I blogged last Sunday), John Betjeman, Lord Denning, and Oscar Wilde.

It’s a powerful statement: that the contribution made to society by a single person is such that their “stuff” is woven into other men’s minds. And to a significant extent, that’s what some readers of this blog may also be trying to do. As we strive to regulate, perhaps to ensure the greatest good for the greatest number, or to ensure that basic principles are observed no matter how awful might be the consequences for some, I suspect that we, too, are striving to create “stuff” that becomes part of everyday life.

It’s taken from a longer passage, crafted some 2500 years ago:

The whole Earth is the Sepulchre of famous men; and their story is not graven only on Stone over their native earth, but lives on far away, without visible symbol, woven into the stuff of other men's lives.

The saying is attributed to Pericles, a Greek statesman who lived between 495BC and 429BC. It’s hard to describe his politics in terms of social cohesion though. According to Wikipedia, he proposed a decree that permitted the poor to watch theatrical plays without paying, with the state covering the cost of their admission. With other decrees he lowered the property requirement for certain public appointments and bestowed generous wages on all citizens who served as jurymen in the supreme court of Athens. His most controversial measure, however, was a law of 451 BC limiting Athenian citizenship to those of Athenian parentage on both sides. I can think of other politicians who espoused such citizenship policies, but none who also proposed free entry for the poor into the nation’s theatres.

I suspect that those of us involved in data protection regulation would seek to ensure that our standards recognised the reality of global data flows, and that they would not embrace a “fortress Europe” approach. But I can’t imagine too many of us advocating the compulsory means testing of Subject Access Fees, to provide the poor with a right to free access to their personal information.

What also struck me during my recent visit to Magdalen College were the two plaques “In honour of those members of Magdalen College in the Second World War.” Carved in these two plaques are the names of 122 people, together with the units (or capacities) in which they served.

Most poignantly, the second plaque includes the inscription “And from Germany, H Frhr von Waldthausen Wcht.” The college was sufficiently courageous to commemorate all of its former members, not just those who were on the winning side. I found this to be a wonderful gesture. For me it showed that the college was brave enough to note that this German student’s “stuff” was also woven into other men’s lives, and that it was deserving of the same amount of respect and recognition as was the “stuff” of his companions at the College.


Tuesday 2 November 2010

Happy Birthday to my blog: 1 year old today

Rather than write about something new, I thought I might take this opportunity to assess what I actually have written about over the past year.

A few issues have really taken my attention this year – they relate to communications data retention, the Regulation of Investigatory Powers Act, surveillance, data breaches, fines and penalties when data controllers get it wrong, likely changes to data protection regulation, and of course, our old (and current) favourite, Google. I expect these matters will continue to occupy my thoughts, but I hope that they won’t be the only things that I’ll be writing about.

But that’s not all – reviewing my output over this period, I see that my mind has been drawn to a very wide range of other data protection issues. These have included the likely impact of the Digital Economy Act, notions of consent, how internet content is regulated, the Human Rights Convention, the Article 29 Working Party, training & raising awareness, as well as a host of other matters.

To try to put my output into some context I’ve created a birthday present to myself – an index of the significant blogs, which I’ve divided into 36 categories. I don’t see myself creating hyperlinks to each entry. This is enough of a guide, for the time being.

Anyway, I’ve appended it below, just in case anyone else is interested.

Applications for Mobile Devices: 10/03/2010
Article 29 Working Party: 01/08/2010, 09/08/2010, 11/08/2010, 28/10/2010
Behavioural Advertising: 06/01/2010, 13/06/2010, 21/06/2010, 22/06/2010, 26/06/2010, 29/06/2010, 23/10/2010
Big Brother Watch: 23/01/2010, 17/04/2010, 02/06/2010, 12/06/2010, 18/09/2010
Blogging rules: 13/11/2009, 25/08/2010
Communications Data Retention: 11/11/2009, 13/11/2009, 09/01/2010, 28/01/2010, 07/02/2010, 30/04/2010, 07/05/2010, 09/05/2010, 12/05/2010, 12/07/2010, 17/07/2010, 21/10/2010, 26/10/2010
Consent: 03/11/2009, 15/03/2010, 02/04/2010
Data Breaches: 07/11/2009, 28/03/2010, 01/05/2010, 05/06/2010, 15/07/2010, 13/10/2010, 19/10/2010
Data Directive - Revisions: 05/07/2010, 23/07/2010, 03/08/2010, 23/08/2010, 05/10/2010, 26/10/2010, 31/10/10
DEA / Peer to Peer file sharing: 05/11/2009, 02/02/2010, 06/04/2010, 07/04/2010, 13/10/2010
Demos: 22/03/2010
Facebook: 22/08/2010, 16/10/2010
Fining Powers & other penalties : 14/11/2009, 21/11/2009, 19/11/2009, 11/02/2010, 13/02/2010, 05/03/2010, 28/03/2010, 18/06/2010, 02/08/2010, 07/08/2010, 08/08/2010, 18/08/2010, 24/08/2010
Gen Election 2010 & Govt Policy: 17/04/2010, 20/04/2010, 08/05/2010, 13/05/2010, 19/09/2010
Global standards: 05/12/2009, 09/07/2010, 31/10/10
Google: 05/11/2009, 03/05/2010, 02/06/2010, 24/10/2010, 25/10/2010, 29/10/2010
Hoax 999 calls: 30/01/2010
Human Rights Convention: 28/01/2010
Identity Management: 24/01/2010, 20/02/2010, 01/11/2010
International Data Flows: 21/03/2010, 27/07/2010
International Data Protection Day: 29/01/2010
ICO staff & Annual Reports: 13/12/2009, 23/03/2010, 14/07/2010, 19/08/2010
Liberal Democratic Party: 16/07/2010
Location Based Services: 22/08/2010, 04/10/2010
Marketing: 11/03/2010
Privacy By Design: 10/07/2010
Registration Requirements: 07/03/2010
Privacy Policies: 13/03/2010
Personal Information Promise: 17/01/2010
Regulating Internet Content: 25/01/2010, 05/02/2010, 08/05/2010
RIPA: 26/01/2010, 19/02/2010, 28/02/2010, 27/03/2010, 14/04/2010, 19/06/2010, 20/06/2010, 30/07/2010, 08/08/2010, 26/08/2010
RFID Tags: 14/02/2010, 11/08/2010
Sharing Information: 29/03/2010
Statutory Instruments: 04/11/2009
Stockholm Programme: 12/02/2010
Training & Awareness: 28/11/2009, 15/02/2010, 19/03/2010, 20/03/2010, 17/08/2010