Monday 29 August 2011

Is this another legitimate use for behavioural advertising?

"Hello Gents. And Ladies. Thank you for coming to see us at the Dept of Shockingly Good Ideas today. As you know, our ministers are a bit tired of some of your customers using their smart phones to organise mayhem every now and again, and we were wondering what you have decided to do before Parliament gets even more upset."

Excuse me, Mr Official – what do you mean?

"Well, we may live in a democracy, but we can’t have these oiks using their smart phones to actually incite each other to riot – that’s just not cricket."

So can you explain what it is you want us to do?

"Can’t you develop some sort of “oik app” – you know, the sort where the smart phone cunningly realises it’s owner is an oik, so you can send them a bit of Debussy or something to calm them down when they get a bit jumpy?"

And how do you think this “oik app” would know whether its owner is an oik?

"Ah – well, we’ve been hearing about some advertisers who are getting awfully excited about all this behavioural advertising thingimny stuff. We’re not quite sure what they’re talking about, but we think it will make someone lots of money so it’s bound to work. Anyway, after exhaustive research, our consultants have decided what characteristics define most oiks, and we just want you to locate them and then send them the Debussy when the going gets tough. My dentist tells me that a good dose of “Clair de Lune” always gets his patients relaxed when they’re tense and excited, so it’s bound to do the same for them."

Now tell us, what are the defining characteristics of these oiks, please?

"Well, according to their probation officers, most of them:

- Can’t wake up (so won’t use their devices) before 10am
- Always vote for the girl contestants on X factor
- Surf for almost as long on as they do on Facebook each day
- Know the price of the latest trainers on
- Prefer hoodies to wearing beanies
- Spend more time on instant messenger than talking to anyone
- Almost had a job – once"

I’m sorry, Mr Official. We’re not allowed to do this behavioural advertising thingimny stuff without the oik’s consent, you know. And why would they want to consent if all they were going to get out of it was a bit of Debussy once in a while?

"Waddayamean consent? This is the Government talking to you now, you know. If we want you to send them a dose of Debussy, then they’re going to get a dose of Debussy. We don’t want to hear any of this “oh, what about their human rights” rubbish from the likes of you. We get enough of that from them."

I’m sorry Mr Official, but this conversation really is going too far. We’re really not keen on being accused of interfering with the basic rights of British citizens. Can’t you think of another idea to pacify your ministers?

"Well, in that case could we slip you a list of politician’s children and spouses, and ask you to turn their phones off when there’s any trouble, so they don’t end up joining in, getting arrested, and making a spectacle of themselves? They might end up with such notoriety that they'll be offered work on some tawdry celebrity reality television show. Now, that really would be unthinkable."

I’m sorry Mr Official, but not even we would want to influence what politicians’ children and spouses get up to. I suggest you have a quiet word with the politicians. Tell them it’s all about good parenting. And if they don’t want their spouses and kids to communicate with their mates, then they ought to confiscate their phones themselves – and not get someone else to do it for them.

"I see. So when I write this meeting up for Freedom Of Information purposes, I’ll explain that constructive discussions took place, and that industry officials undertook to reconsider their corporate and social responsibilities and report back to ministers in due course?"

Whatever, Mr Official. Write whatever you like. It’s still a firm “no” as far as we are concerned.


Saturday 27 August 2011

Identity assurance: my cunning plan

A brilliant idea came to me today. It’s so brilliant I can’t believe that it’s not happening already. Devishly simple. Clever. Works with current technologies. And cheap. Oh yes, and pretty convenient too.

What am I going on about?

Well, my brilliant idea came as I was reading today’s article in The Telegraph about the problems faced by the banking industry as they try to authenticate customers who want to deal with them on-line. Rosie Murray-West was writing about two-factor authentication - which prevents people from logging in to someone's online banking without physically acquiring their card reader and knowing their personal information. She reported that HSBC is the latest bank to introduce a security keypad for its online customers, saying the device is invaluable in the fight against banking fraud.

According to Rosie: “The Payments Council, which speaks for banks and building societies on this issue, is a supporter of two-factor authentication, while banks that have introduced it say that it has drastically reduced fraud. Barclays, for example, reckons that online fraud has decreased by 90pc since the card readers were introduced.” However, not all of the banks are adopting card readers, and she quoted Matthew Timms, from Santander, who explaining that they had tried to avoid giving customers a secure key because they "don't find it engaging".

Here’s my brilliant idea. Get ready. Hold onto your seats.

If customers currently don’t find a card reader engaging, perhaps they would find it an awful lot more engaging if the same card enabled the user to access on-line services offered by a number of suppliers. If the card reader is good enough for a bank, surely that same card reader would be good enough for a range of other organisations, too. Like Tesco, Waitrose, mobile phone providers, gmail, Paypal and even my utility providers. Most of us have accounts with these institutions, and it would be brilliant if their security teams might get together and create some common identity assurance strategy.

Wouldn’t it be wonderful to have a single dashboard which enabled us to decide which service providers we wished to be linked with a common authentication system? And it could remain a 2 factor authentication system – my user name for Tesco need not be the same as my user name for the mobile phone provider – but if they were paired with the same card reader, then I’m sure I would be much more inclined to carry that card around with me than if it only worked with a single provider.

Or the “card reader” could be a registered mobile phone, which received a text message containing a special PIN code that I needed to use with my user name, whatever that is for the particular service.

Brilliant idea, isn’t it !

Here’s the hard part, though. I can dream about this stuff, but I don’t really have the skills to develop it, or to deliver it. If there is anyone out there who is good at developing and delivering, then please let me know. You can keep (most of) the millions to be made from monetising the idea, I’ll be happy with a peerage. Or a knighthood.

But where do we go from here?

Answers on an email, to the usual address, please.

And no more emails about you being an associate of a former dictator with access to huge amounts of money, and all you need is my bank details to make my dreams come true.

My new mission in life is to free the world from data protection drudgery, and I’m sure that this would be a useful step in the right direction.



Friday 26 August 2011

Should web tracking really turn into a privacy time bomb?

I keep on asking myself when (and whether and how) I should enter the public web-tracking debate. When you work for an organisation that sees the benefits of Internet tracking, it can be hard to persuade others that I’ve thought things through and am reflecting my own views, rather than simply the views of my employer.

Despite the disclaimer in the About Me section on the left.

I suppose everyone has to live with this sort of assumptive baggage. If you work for the police, then “of course” you are assumed to have developed a particular (and fixed) mindset. But such assumptions about standard behaviours and values are as wrong about the police as they are for any other employer.

But why should I now start to express my views? Well, partly because my very good friends at Sophos have just presented me with an iPad, and I am coming to the device with new eyes. It’s a fresh way of doing a lot of stuff that otherwise required much larger bags to carry around the hardware and all the peripheral cables. And I’m also amazed at how easy it is to set up and get working, compared with the devices I’ve had in the past. Previously, I needed a Geek squad and a teenage nephew within earshot. Now, I can just about manage by myself. This really is progress.

Again, I am realising the benefits of trading my privacy for service. It’s a trade-off I’ve done before, but in other contexts. At boarding school, it was matron, not your mother, who looked after you when you were ill. In the army, my batman looked after my personal administration, so that I could spend more time “serving to lead”. Today, my cleaner makes my domestic affairs far more bearable than if I were to try to cope unaided. So, for the past four decades I have traded personal privacy for services that have, on balance, very greatly improved the quality of my life.

And now, I’m happy to trade free stuff and improved, more personalised, services on the internet for the fact that the people providing me with these services know more about me than my next door neighbour. And that doesn’t worry me. Nor, I think, is it likely to worry anyone else who has enjoyed various forms of communal living – especially those involving matrons, batmen and cleaners.

Yet the language used by those who are wary of the benefits of such personalised services services is subtly different. These people tend to argue that the motive for on-line tracking systems is really to deliver relevant online ads to each and every one of us — and bagging that advertising money. And that this is bad.

Some of these people go further. They point to the potential for the tracking data culled from Internet searches and surfing to get commingled with the information disclosed at websites for shopping, travel, health or jobs. And they argue that it's now possible to toss into this mix many of the personal disclosures we make on popular social networks, along with the preferences we may express via all those nifty Internet applications that trigger cool services on our mobile devices. And that this is even worse.

But do I care about the money that people (whom I’ve never met) are reputed to be making as a result of the way they are making my life easier and more relevant when I surf the Internet?

Actually, no – so long as I feel that I’m getting a great deal, too.

Having recently acquired my iPad, all I needed to do to get it working and stuff flowing was to enter my iTunes ID credentials and my Amazon ID credentials. Within just a few minutes I was ready to play. Apple and Amazon appear to have done all the hard work in the background, and, to be frank, I feel good about it. I would even be happy for them to share my credentials with the Local Authority for voting and community charge purposes, and with my local health authority for heath purposes. I want a connected life and I trust them as an identity assurer.

I can feel happy doing this because I’m a nobody. If I were a high profile individual, I’m sure I would want to take greater steps to protect myself. Of, if I was aware that attempts had previously been made to compromise my personal security, then again I might well want an extra layer of reassurance before my “identity” was used to acquire other credentials.

But, as we all embrace more thoroughly this new digital world, let’s not get too prissy about the data protection downsides. I’m one of those who want simplicity as a way of life. I don’t want to live in a world of data protection drudgery, with every website littered with “consent” pop-up boxes and reminders to change ever more complex passwords and encounter horrible log-on authentication routines. I want the apps – not the sign-on procedures.

Apple and Amazon are helping me get to my nirvana: near instant internet gratification.

Long may they last – and long may I give them the permissions they need to do the tracking that is necessary to get to this wondrous state of being.

And let’s hope that when the data protection directive is revised, those who are making the rules appreciate the value of Internet tracking to us web users. I’m sure that the decision makers who have experienced the joys of matrons, batmen and cleaners have got my point and wholeheartedly support me. But, in the new European Parliament, stuffed with decision makers and opinion formers from all corners of the European community, I’m not expecting that such concepts of the benefits of communal living - as I’ve described them - will necessarily fall on such sympathetic ears.


Thursday 25 August 2011

Solid progress on categorising cookies

While most of us have been enjoying our summer holidays, a group of people within the London Chapter of the International Chamber of Commerce have evidently been really hard at work trying to ensure that the new rules on cookies will eventually be capable of being complied with. It sounds like tedious work, but someone has to do it. I’m just so glad that it’s not me.

Anyway, today’s blog posting commemorates the brilliant work of those dedicated folk who are working behind the scenes to classify cookies into different types, depending on their function. Their aim is (eventually) to reach some common agreement on the sort of cookies that responsible data controllers ought to be able to use as a matter of course, and those which might need to be explained to the user in order that some form of permission can be obtained to legitimise their use.

It sounds like awful job,reaching a consensus on the creation of a common language that everyone can adopt. But I do hope there will be celebrations in the streets when the key players publish their proposals.

What are we likely to see? Well, I would hope that these folk agree first on the sorts of things that cookies actually do, and then they can move to the harder task of forming recommendations about which of these categories could be used by internet publishers as a matter of course, and which are deserving of greater transparency and control by internet users.

If we are really lucky, we will be offered only a few categories – as the fewer categories there are, then the fewer arguments will follow when the bun fight begins as to what categories need special attention. I have my views – but I do like to simplify things – and I appreciate that some of my learned friends prefer more complex solutions.

So what would be the best result?

Hopefully, the key players will agree that there really are just 4 main categories of cookies:

1. Basic cookies, which could not be used to gather information that could be used for marketing or remembering preferences.

2. Performance cookies, which could be used for testing designs and ensuring a consistent look and feel is maintained for the user; providing trend analysis on how users interact with the site.

3. Functionality cookies, which could remember customer selections that change the way the site behaves or looks.

4. Tracking cookies, which could identify that a user has visited a site, and then pass this information on to 3rd parties for advertising purposes.

Obviously, user consent will be required for the 4th category. But is this consent really necessary for any of the other 3 categories? I’m not sure that gaining their consent is necessary. Can any user seriously argue that they will be harmed if an internet publisher used these categories without the express consent of the user? Cummon, lets get real. Internet publishers have rights too - like the right to design and maintain a website that has the sort of functionality normal users would expect to experience.

The next phase of work ought to be about the development of the concept of privacy iconography, so perhaps we could stage a competition, say on International Data Protection Day 2012, for contestants to design a suite of cookie icons that represent each of these 4 categories.

The winner could be invited to a special dinner with members of the ICC’s working party somewhere in London. (The runner up could be invited to two special dinners with members of the ICC’s working party ... )

Anyway, as these dedicated souls continue to toil away within the ICC, they continue to have my admiration and support. I gather that the next meeting of the working party will take place within the next month, and I learn that solid progress is being made. With a fair wind, the concept may even be embraced beyond Europe’s shores, and morph into a global standard.

So, if I were someone who wanted to make their mark by creating a set of global icons that every internet user might understand, I would start sharpening my colouring pencils right now.


Friday 12 August 2011

Topical Data Breach Notices

Last night’s dream:

Ambling through what was, until a few days ago, a decent shopping street in North London, I came across a store keeper keen to meet his DPA breach notification obligations as well as rebuild his burnt-out business. What should he do, to keep the ICO off his back, he asked?

Simple, I suggested, just send all of the customers whose phone numbers you can remember the following text:

Oi – yr mates have looted my shop and probably dun a runner with yr credit application forms and ID proofs. So if u run in2 problems when u next ask for any credit, and are told 2 get different ID proofs, blame them mates and not me.


Tuesday 9 August 2011

Tracking the progress of those “do not track” browser thingies ...

"Ello, Mr Internet Browser manufacturer, I would like to buy one of those “do not track” thingies I’ve been reading about all over the internet."
I’m sorry sir – we don’t sell 'em – but we do give 'em away.

"In that case I’ll have one. But just wot does it do?"
Errr, well, it lets you set a little flag which explains to anyone who wants to take notice of it that you don’t want to be tracked.

"So does that mean that if I set it, all publishers will have to read it and take notice of wot it says?"
Errr, no. (Well, not yet, anyway.)

"Oh. So does it mean that their sites will cease to function if they come across someone like me who has one of these “do not track” thingies?"
Errr, no. (Well, not yet, anyway.)

"Oh. So does it mean that if I set it, all publishers will have to stop the operational or analytical stuff they do when I surf their websites?"
Errr, no. (Well, not yet, anyway. And probably never.)

"Oh. So does it mean that all publishers will react in the same way when they come across someone like me who has one of these “do not track” thingies?"
Errr, no. (Well, not yet, anyway.)

"Oh, but tell me. Have all of you internet browser people reached an agreement about how to develop these “do not track” thingies, so they'll all operate in the same way, so it won’t matter wot browser I’m actually using at any time?"
Errr, no. (Well, not yet, anyway.)

"Oh. But is there anyone out there trying to get everyone in the same place on this issue?"
Oh yes sir. Yes they are. There’s a bunch of awfully clever people over at the W3C organisation doing lots of fancy stuff.

"Oh. Good. And are you confident that they’ll come up with a global solution before someone in the European Commission throws a hissy fit about not enough being done?"
Dunno sir. Questions on timings and missed deadlines can always be asked by those who like to throw hissy fits.

"Excuse me, are you taking this privacy lark sufficiently seriously?"
Oh yes sir. We’re taking it really seriously. And lots and lots of people are trying to take it really seriously, too. It’s just hard to get lots of people in the same room and get them to agree on what the actual problem is. We need a common global problem before we can develop a common global understanding of what to do about it.

"And how are you developing this common global understanding of the problem?"
Well, this organisation called the W3C has had one meeting already on the subject – last April, in Princeton (New Jeresy, USA). And they’ve got two more meetings planned, one next month in Cambridge (Massachusetts, USA). And then a third meeting , arranged for the following month somewhere in California (USA) will help then get a proper global perspective on the issue.

"Waddya mean, a global perspective? Isn’t this W3C just comprised of a bunch of Americans? What about the rest of the world?"
Excuse me, sir. The W3C is comprised of a bunch of very sensible people. Its even got Sir Tim Berners-Lee, who invented the World Wide Web. You must have heard of him by now. He's not an American. Anyway, its hosted by three organizations on three continents: the Massachusetts Institute of Technology (MIT) in the United States, the European Research Consortium for Informatics and Mathematics (ERCIM) in Europe, and the Keio University in Japan. So they won’t just be doing stuff to suit the Americans. They do know what they are talking about.

"Oh. So does that mean that they’re actually gonna get these “do not track” thingies to work?"
We’re not sure sir. But if anyone can, they probably can.

"Oh. So what will happen to me when I use one of your “do not track” thingies right now?"
We’re not really sure, sir. But it will give you peace of mind. You’ll have done your bit for the privacy ecosystem (whatever that means).

"In that case, I’ll have one now, please. And can I return it if it doesn’t work properly?"
Of course, sir. It’s free of charge, so we won’t need to give you your money back. If you don't like it, just turn it off and you can carry on as though nothing had ever happened.


Sunday 7 August 2011

Data controllers discovered behaving badly. Again. (Yawn)

Suddenly, it’s gone a bit quiet on the data protection news front. I mean, it has to be quiet when John Leyden of The Register and Kevin Rawlinson of The Independent feel the need to pick up some low hanging fruit by running an ICO press release about the loss of an unencrypted data stick some 5 months ago. Especially when, in this case, the stick was handed in before anyone’s personal details were compromised. Data controllers have been caught behaving badly. Again.

Should we ban the use of unencrypted data sticks? I think we’ve got as much chance of banning them as we have of outlawing the sale of deep fried mars bars.

My current hobby horse, though, is the use of privacy prompts to encourage us to take more seriously the protection of our personal information. I don’t want to write about anything I’m doing at work in this blog, as it’s currently all consuming and potentially high profile and I really have to find something else for my mind to focus on for a while.

So what did I do? I went to my gym.

And another (depressingly familiar) thought dawned, and I gave such a large sigh of despair that I’m sure it could have been heard in the reception area. What was I doing that prompted this sigh?

Actually, all I was doing was changing into my gym kit. Into the gym locker went a nice suit, good shoes, a great watch, my car keys, a wallet, and a phone – items which, when totted-up, were certainly not cheap. And everyone was doing this. And how was I protecting the items while I was to be working out upstairs? By using a combination padlock, bought from the reception desk for £5, along with (almost everyone else). How often had I changed the combination on that padlock? And how many of my fellow gym-goers hadn’t ever changed their default settings? Do we consider it right to protect say £2000 worth of stuff with a padlock costing 0.25% of its value? Or is this actually reckless?

I wondered to myself whether I should have a word with the management, to ask them to consider rolling out a campaign to warn gym goers of the inherent security risks in leaving valuable items in boxes which were only protected with 4 digit pin codes. Should the users not be prompted to change their PINs more regularly (well, at all...)? Should they not be warned of recent attempts to steal stuff from lockers while the gym-goers were mid way through their spinning classes? Could I help by designing a sticker which could be placed inside each locker door to warn, in a light hearted way, of the inherent dangers?

I had a word with a member of the management team as I was leaving. The reply was predictable – one of thanks, nut no thanks. “We tried that after a spate of burglaries a couple of years ago,” I was told. “But are customers aren't interested in the slightest about doing anything that would make it harder for some-one to break into their lockers.” But I was thanked for expressing my concern.

It seems that data subjects can act just as badly as data controllers. Again.

Later, I returned to work to dream up new ways to encourage people to change their engrained behaviours. Feeling fitter, but not really much wiser.


Saturday 6 August 2011

Taking a more detailed butchers at my breaches

How are you spending your holidays? Relaxing on some faraway beach, or preparing detailed comments on breach notification procedures, so that our friendly Eurocrats have got lots to read when they return from their summer holidays?

I wish it were the former. But I’m currently concentrating on the latter. I’ve really got to get out more.

The eagle eyed among us will know that we were set some homework for our summer holidays, to help devise cunning plans to replace one cumbersome chore (say, the notification of lots of detailed processing purposes to the national regulator) with something else. Let’s hope that this “something else” proves to be of significantly greater value than the process it will ultimately replace.

But I must not get too cynical. Hey, I’ve got to respond to 28 different questions, most of which are asking quite detailed operational queries about a process which has only recently been designed and is yet to be tested to breaking point. The deadline to report on my views (based on actual experience of a working model) is 9 September. Does it matter? Well, if I want to contribute to the creation of an initiative that is actually fit for purpose, then yes it does matter. And it a matters a great deal. I would much have preferred the deadline to be, say, 9 March 2012, so more of us could all actually know what we are talking about, rather than have the debate framed by people who just think they know what they are talking about, but who have never done it, themselves, in practice.

(I used to give conference delegates a practical example of this whenever I spoke about communications data retention. A good number of people were involved in the debate about the retention of communications data records, without them ever actually having seen a communications data record. They were brought up to believe that “traffic” records were “bad”, and should be deleted as soon as the subscriber had paid the bill. So I used to show the “traffic” record during my presentation. I would ask one delegate to hold one end of the (paper) record and I would unroll 30 sheets of A4 paper which had been sellotaped together in portrait mode to print off a single line of traffic data. The delegates soon understood the points I was making, then!)

But back to the plot.

At this special time, at the inception of something that could be quite significant, like developing a compulsory breach notification process, it’s probably time to take time to make sure that the salient issues are actually worked through in practice, rather than just theory. Where is the gathering of data controllers with actual practical experience of data breach management? Where are the opportunities for them to learn each other’s lessons? If one size won’t fit all, then what ranges of shapes should be designed to be capable of fitting in with the new rules?

I was tempted to ask whether many EC regulators had actually bothered asking Communication Service Providers for their input into the new breach notification rules, which most EC Member Stated haven’t yet bothered to implement. But I thought I shouldn’t go for such an easy question. The real question is why most EC regulators hadn’t bothered asking those who will be affected (at least, yet).

But I will offer three cheers for our chums in Wilmslow, who have taken the lead by taking steps to brief themselves on the questions that are being asked internally to the British DP telco and internet honchos. Lots of us want something to work. But, and it is a big but, we need to ensure that we don’t kill off the businesslike working relationships that grease the data protection wheels that drive good compliance in the first place.

What do I mean?

From the regulator’s perspective, I expect that the regulator does not want to change too fundamentally the close working relationship that can provide relatively easy access to the heart of a data controller, and enable them to influence the improvement of data protection standards in a spirit of mutual respect and co-operation. No-one gets much stuff done simply by writing letters opining that it is either “likely” or “unlikely” that, in a particular case, any of the Data Protection Principles were breached. What we really want to do is to focus, at a deeper level, on moving the tectonic plates of good compliance, to make improvements one the macro scale, not just the micro scale.

And from the Data Protection Officer’s perspective, they too don’t want too many tweaks to the close working relationship with the regulator. But, if the DPO is seen as simply an agent of the regulator, then their easy access to the heart of their business could be severely curtailed. And if the business fears the consequences of an improperly implemented piece of legislation, they could distance themselves from the DPO, which will ultimately make it even harder to move those tectonic plates.

In the short run, the individual will be the loser. And I don’t think that anyone really wants that.

So the key will be in how we create a breach notification process which delivers an objective. The objective, surely, has to be to reduce both the likelihood of a data breach, and of the effect that such a breach will have on an individual.

I’ll be popping up to Wilmslow next week, with some chums from the Mobile Broadband Group (ie those who actually operate the networks of cell sites which all of the mobile phone providers use) to continue discussions with the Commissioner’s officials on this very important subject. We are all very painfully aware that, given current economic constraints, the resources that will be put into meeting a breach notification requirement will be diverted from other data protection work. So, we need to make sure that we are jettisoning low-value work to enable us to deliver this type of work. And that we don’t end up jettisoning higher value stuff just to make time to complete paperwork that has no real purpose.

I have questions about the way the Brits are about to implement the domestic rules, as well as some possible solutions that I’ll want to explore over the summer with some chums. Data protection is a collegiate game, and if we really want to reposition those tectonic plates of compliance, then we’ll only achieve success if we are all pushing in essentially the same direction.