Category: privacy

New Privacy Survey released

Simon Davies, AKA Privacy Surgeon, and the London School of Economics have a great new survey of privacy predictions for 2013 out now. Key quote from the press release:

“More aggressive action by companies to monetise personal information through advertising will inevitably fuel further controversy, while consolidation of markets such as social networking may induce emerging players to engage dangerous privacy practices.”

Whether 2013 is the tipping point in this regard that the survey suggests or not, it is certainly the case that various ‘lines in the sand’ are being crossed on a regular basis at the moment and if the public aren’t as concerned as the experts surveyed for this report, then privacy may even lose even its tactical utility as a way of opposing surveillance, let alone mean the same thing to most people as it used to.

Is Google taking a stand?

According to Wired’s Threat Level blog, Google is taking a rather tougher stance towards the US federal government when it comes to requests for cloud-stored data for investigations. The company is now, it says, asking for judicial warrants from state organisations. As Wired points out, even though this might seem ethically sound, it is dubious legal ground as the US Electronic Privacy Communications Act allows the federal government access to such documents without a warrant. And yet, no court challenge has yet been made by the government to Google’s stance.

So what is going on here? Is Google serious about taking on ‘the feds’ in favour of users? Is this new pro-user line by Google merely contingent and once something ‘really important’ is demanded, the company would cave in? Is there some other kind of backroom deal? Is Google actually being rather cynical because the company knows that the NSA can access everything they have anyway (and probably by arrangement – after all, the NSA helped Google out a lot in its battle with China’s authorities)? I suspect there is much more to this apparently casual revelation…

The Unbearable Shallowness of Technology Articles… or, what Facebook Graph Search really means.

Wired has a feature article about Facebook’s new search tool. The big problem with it is that its vomit-inducing fawning over Facebook’s tech staff. In trying to make this some kind of human interest story – well, actually the piece starts off with Mark Zuckerberg’s dog, you see, he is human after all – of heroic tech folk battling with indomitable odds to create something amazing – what in science fiction criticism would be called an Edisonade – it almost completely muffles the impact of what a piece like this should be foregrounding, which is about what this system is, what is has been programmed to do and where it’s going.

And this is what Graph Search does, very simply: it is a search engine that will enable complex, natural language interrogation of data primarily but not limited to Facebook. So instead of trying to second-guess what Google might understand when you want to search for something, you would simply be able tell you what you ask. And because this is primarily ‘social’ – or about connection, and you should have already given up enough information to Facebook to enable it to ‘graph’ you so that it knows you, the results should supposedly be the kind if things you really wanted from your query. Supposedly. An FB developer in the article describes this as “a happiness-inducing experience” and further says, “We’re trying to facilitate good things.” However what this ‘happiness’ means, just like what ‘friendship’ means in the FB context, and what “good” means, just like the use of ‘evil’ in Google’s motto, is rather different than how we might understand such a term outside these contexts.

In the article, one example demonstrated by the developer is as follows:

[He] then tried a dating query — “single women who live near me.” A group of young women appeared onscreen, with snippets of personal information and a way to friend or message them. “You can then add whatever you want, let’s say those who like a certain type of music,” [he] said. The set of results were even age-appropriate for the person posing the query.

So when Mark Zuckerberg is quoted in the article saying that Graph Search is “taking Facebook back to its roots”, he seems to mean creeping on girls, as was, let us not forget, the main intention of the early Harvard version. Doesn’t this generate exactly the concern that the notorious ‘Girls Around Me’ app encountered? As the title of my favourite tumblr site has it, this isn’t happiness. Or it’s the happiness of the predator, the pervert and the psychopath.

But more fundamentally, this isn’t about privacy, or even online stalking. In fact, in many ways, both are side-issues here. This is about control and access: control over my information and how I access other information, not just on Facebook but in general. To me, the plans outlined for Graph Search look worrying, even outside of my idea of what would constitute happiness, because they have nothing to do with how I use Facebook or how I would want to use it. I don’t use Facebook as my gateway to the Web and I am never going to. As Eli Pariser pointed out in The Filter Bubble a couple of years back, that would both be limiting of my experience of the Web (and increasingly therefore of my communications more broadly) and give one organisation way too much power over both that experience and the future of the Web. But this does seem to be how Facebook wants it to be, and further, I suspect that, just like Bill Gates before him with his .NET initiative and other schemes, and just like the walled garden locked-in hardware that Apple produces, Zuckerberg is more interested in Facebook colonizing the entire online experience, or layering itself so entirely, tightly and intimately over the online world that the difference between that world and Facebook would seem all but invisible to the casual user.

These developments are dramatic enough in themselves. Never mind fluffy stories of heroic techies and their canine sidekicks.

Oxford taxi cabs will record your every word…

Just when you thought that having just about your every move recorded in the UK was bad enough, Oxford City Council, which runs the city I once called home, has decided that all taxi cabs in the city will record both sound and vision, and these records will be kept for up to 28 days, just in case.

People often ask me ‘where do you draw the line?’. Well, you absolutely draw the line at recording private conversations without a specific justification. Generalized audio surveillance is not just a step over the line, it leaps over the line, lands far beyond it and keeps running.

This is just wrong. No qualification.

It seems that despite having got rid of one government with authoritarian surveillance tendencies, the same impulses are alive and well in local government in Britain. Perhaps the councillors who voted for this would first like to have audio surveillance in their offices, cars and houses, you know: just in case…

GPS tracking goes mainstream

There is increasing evidence that US police forces are now using GPS tracking devices regularly and with impunity. Following court rulings at different levels which have left the legal situation unclear with only the Supreme Court left (this coming week), police forces across the country have been slapping GPS trackers on thousands of private vehicles, without warrants, and until recently, without the knowledge of those being tracked.

However, Wired‘s Threat Level blog has been reporting on the growing numbers of cases of Americans who have discovered GPS trackers on their cars, and in one particularly bizarre case, a device that was replaced by undercover officers while the Wired reporters were in the vicinity, having just removed and photographed the original device!

There are many pictures and manufacturers’ detail on Threat Level. Here are a couple…

GPS tracker in place:

GPS tracker disassembled showing souped-up longlife battery, including manufacturer’s details:

One of the more perplexing things about the use of these devices is what recourse the US citizen has when they discover them. If they are placed ‘legally’, do you have the right to remove or indeed to disassemble them? What would be done if they are removed? The experience of Wired would suggest that the device would be replaced, but how many times could this go on? At what point would the state take some kind of legal action to attempt to prevent the removal of a device? In the case of location tracking devices that are known about but unable to be legally removed, surely you have a situation that becomes equivalent not to simple (if it is even simple) unwarranted surveillance, but to electronic tagging.

Corporate Privacy Redux

The Supreme Court of the USA has unanimously decided (pdf) that “corporations do not have “personal privacy” for the purposes of exemption 7(C) [of The Freedom of Information Act].”

This is a welcome decision which should set back further efforts by corporate bodies to claim ‘human rights’ as a justification for avoiding their responsibilities under laws mandating transparency and accountability.

Marc Rotenberg points us to a welcome for this decision from Senator Patrick Leahy of Vermont.

Good news all round for once.

UK consultation on CCTV: a weak brew?

The UK government has released a consultation document on a ‘Code of practice relating to surveillance cameras’ (CCTV). The closing date for comments in May 25th.

I will go through the document in more detail but there are several initial things to note here:

1. I am interested first of all in the fact that the camera systems are refered to as ‘surveillance cameras’ rather than ‘security cameras’ or ‘safety cameras’ as in many situations I have encountered around the world.

2. This is merely a step toward a state code of practice. The government had promised to ‘regulate’ CCTV, and what many people might have legitimately expected from such a promise was legislation, in other word a statutory footing for surveillance cameras and legal controls. A code of practice is very much at the weak and volunteeristic end of ‘regulation’ if it is regulation at all. The proposed Code itself is really quite weak and presaged on “gradually raising standards to a common level.” with nothing that is mandatory.

3. The document proposes another ‘Commissioner’ to govern surveillance cameras, a ‘Surveillance Camera Commissioner’. This government, despite its avowed attempt to reverse the proliferation of Quangos, seems to want to create another one. One would think that this would naturally fall under the remit of the Information Commissioner, but it appears that the Tory attacks on the ICO (which have been going on in newspapers like The Times for some years and have now spread to other libertarian groups) have been having some effect. Does Britain need another Commissioner in the area of information, surveillance and privacy? I don’t think so. I think we need to clarify the roles of existing Commissioners, and reduce their number – provide adequate budgets and better guidance and division of labour. I suggested a few weeks ago that splitting the ICO into a Surveillance and Privacy Commissioner (which would incorporate the data protection function and absorb all the existing micro-commissions like Surveillance, Interception of Telecommunications and now this new proposed Surveillance Camera Commissioner) and a separate Freedom of Information Commissioner, would be the best solution.

4. The consultation document acknowledges that camera surveillance has increased too rapidly in Britain and has eroded privacy and been overly intrusive. That’s a start. However it also hedges this quite strongly by saying that the government does not intend to limit law enforcement’s abilities. I am not sure the two things are compatible – but I will have to examine the proposals in more detail.

5. The document acknowledges that “CCTV does not always provide the benefits expected of it” but explains this as largely down to technical and operation reasons rather than anything more fundamentally problematic. This is not necessarily justified by evidence or particularly insightful.

6. The document acknowledges that Automatic Number Plate (Licence Plate) Recogntion (ANPR / ALPR) is largely unregulated too and that it connects to all kinds of databases, yet proposes little more than auditable data trails.

7. The document mentions both flying drone cameras / Unmanned Aerial Vehicles (UAVs) and helmet-mounted cameras, but assumes mistakenly that these are ‘niche and novel’. If this can still be said to be true, it will not be for much longer, and the document is overly dismissive of the immediacy of this issue.

8. The document is way too cautious and has the fingerprints of a ‘Sir Humphrey’ bureaucratic avoidance of anything that might ‘frighten the horses’, motivated as it claims to be by “the wish to avoid imposing unreasonable or impracticable bureaucratic or financial burdens on organisations” and recommending “an incremental approach.” It is too late for incrementalism, about 20 years too late in fact.

At first glance, the consultation document appears to be a rather weak brew rather than the strong medicine that is required.

Death to the ICO?

Chris Parsons draws my attention to a blog posting on the very swish and refurbished Privacy International site (nice job BTW – I will check in regularly). Simon Davies argues in this post for the ‘assisted suicide’ of the UK Information Commissioner’s Office (ICO) because it has become a ‘threat to privacy’. The bases for this argument are several, namely that:

  1. “the legislation that underpins the Office is narrow and in places regressive”;
  2. the ICO is “a quasi judicial regulator that sees its role as protecting data rather than people”, which leads to timid decisions;
  3. the ICO is sometimes “ill-informed… and almost always out of step with the more proactive and advanced regulators overseas” especially when it comes to technology;
  4. its complaints procedure is slow and frequently pointless;
  5. there are too many surveillance-related commissioners in the UK (the Surveillance Commissioner, the Interception of Communications Commissioner, the Equality & Human Rights Commission etc.)
  6. it is disconnected from “an information environment dominated by companies which appear to be largely exempt from local protections for citizens.”

Now, I’ve done some work on commission for the ICO, and therefore you might expect me to defend it from these criticisms. But in fact, I find much to agree with here, as well as some points with which I disagree, and much to ponder.

On the side of agreement,the ICO, like much of government, is undoubtedly technologically rather backward. When, in the Report on the Surveillance Society, we wrote about the way in which governments were behind the times, this was as much a message for them as for parliament or the executive. Maybe it is down to funding, maybe to institutional inertia, maybe deliberate choice, but the ICO has still has not taken serious steps to remedy this as Simon points out, and relies largely on occasional external reports, many of which are in any case general rather than specialist, to update it.

I also agree with the charge that the ICO has been relatively powerless in the face of the rise of corporate surveillance. This is not surprising given its origins as an arm’s-length regulator of government, and some of the particular issues of concern – like whether it took the Google wireless hacking episode seriously enough or made the correct decisions – are far from obvious. But one can clearly contrast the relatively activist stance of even quite bureaucratic Privacy Commissioners like the federal Canadian body over Facebook, with the ICO. It has in the recent past taken some serious actions against illegal private sector surveillance – for example the bust of a notorious blacklisting firm – but this direction appears to have fizzled out. Not being privy to internal policy discussions, I am not sure why.

Then there are some areas in which the criticisms are valid, but which may not be directed at the right target.

The first of these is the proliferation of Commissioners of various kinds – and incidentally, we have thankfully been spared the birth of yet another one with the cancellation of the ID Cards scheme. I have also been arguing for the merging of all the various surveillance-related quangos for a long time. The reason so many of them exist is partly because of the piecemeal way in which British legislative process occurs. There are rarely comprehensive Acts covering broad areas, instead existing institutions, however inappropriate to the job needed, are often merely supplemented or modified. The other reason is of course the ongoing effort to protect certain parts of the state from serious scrutiny, in particular the intelligence services and political police.

The second is that, fundamentally, it seems clear that British data protection and privacy legislation is generally archaic and not up to the job. Neither is its Freedom of Information legislation, even though it was a massive advance on the culture of secrecy that preceded what in retrospect may have been one of New Labour’s most important measures.

However, I am not sure that either of these points are in themselves a criticism of the ICO but rather of the legislation which created it, and the governance environment in which it has to operate. The way in which the ICO came about, through a rough fusion of old Data Protection and newer Freedom of Information functions produced a lumbering Frankenstein’s monster made of parts and bits, kept going on a drip-feed of limited funding, something that was never going to be capable of what campaigners expected of it. The same could be said partially of the critique of the complaints procedure, itself is a widely shared opinion and one with which I would not take issue. However, how much of this is down to the limited funding and staffing, and once again, the foundational legislation which hampers as much as empowers the ICO to do much of what we outsiders would want them to do?

Then, some of the criticisms are more personal opinion, with which I am sure many in the ICO would disagree, particularly the idea that the ICO does not care about people. Both Simon and I know many people in the ICO personally and whatever our political differences with them, the idea that they are heartless data bureaucrats with no interest in people is a rather unhelpful and hyperbolic caricature, as is the idea that the ICO is an ‘enemy of privacy’. The ICO had a legally mandated job to do first and foremost and it needn’t, legally, go beyond that at all. Yet it has. The interventions that the previous Information Commissioner, Richard Thomas, made on surveillance in particular were absolutely vital in adding a new level to a debate that had previously, despite the best efforts of activists, campaigners and researchers, been of more marginal concern. One could argue that surveillance and privacy would never have become such a topic parliamentary debate, let along an election issue, without his advocacy. Certainly it hasn’t gone far enough, but is has hardly, during this period at least, acted as a stereotypically uncaring bureaucracy.

So what of the solutions?

Simon advocates only one: that the government “scrap the data protection functions of the ICO and building a new Privacy Act that creates a true watchdog with a broad mandate.” It is hardly surprising that Privacy International see the ‘privacy’ element as the most important one here. Simon will also not be surprised to discover that I disagree with him on this. In fact, my argument for a while has been that privacy cannot justifiably be prioritised over other forms of human informational rights. In addition, the concept of ‘human rights’ in general does not deal with everything about information relationships, positive or negative, and the many elements of those information relationships between state, citizen and corporation cannot be so arbitrarily separated.

I would therefore argue that a comprehensive Information Act, which covered citizens’ rights to information (their own, and that generated by government and corporations), their rights of privacy and the more general parameters of what the state and companies may know of those who information this is and how they are allowed to do so (i.e the limits of surveillance). I agree that ‘data protection’ is an out-of-date concept. But ‘privacy’ does not, and cannot, replace it, at least not alone. Privacy Commissioners, where they exist, find themselves dealing with a lot more than privacy and end up becoming ‘surveillance’ or ‘information commissioners’ in practice or by stealth, and in some cases an emphasis on privacy over all else can hamper legitimate needs to know (as has been true in the case of family members of elderly patients with dementia in Canada for example).

My conclusion about what a new Information Act would contain in terms of the regulatory bodies has something in common with Simon’s view, but I have two options. One is the creation of a single mega-regulator – a real Information Commissioner that covered all the areas of our information relationships with the state and corporations that would be able to go after corporations, local and national government over issues of their secrecy, transparency and accountability, and our privacy and informational needs. It wouldn’t just merge the existing ICO, Surveillance Commissioner, Interception of Communications Commissioner and so on), but start with new legislation and a new structure.

The other option would be a merge all the existing bodies but create two new ones to replace them: a Surveillance and Privacy Commissioner, to cover all of the areas of state and corporate intrusion into the lives of citizens, but also a Freedom of Information Commissioner, to cover the equally vital areas of state and corporate transparency and accountability. Privacy without FoI, whether together in one organisation or separate, is altogether too defensive an approach to what we can expect from the state.

And whichever route one took, the organisation(s) should have a wider range of powers built in and required – research (including technological foresight), advocacy, assessment, response and enforcement functions – with protected funding and legally binding decision-making capability. I think we would all be in agreement on that…

Facebook learns nothing

Having been strongly criticised over its ‘Places’ feature for its lack of understanding of the concept of ‘consent’ in data protection, and why ‘opt-in’ is better for users than ‘opt-out’ when it comes to new ‘services’ (i.e: ways they can share your data with other organisations), Facebook is doing it again.

Between today and tomorrow, the new Facebook feature called “Instant Personalization” goes into effect. The new setting shares your data with non-Facebook sites and it is automatically set to “Enabled”.

To turn it off: Go to Account>Privacy Settings>Apps & Websites>Instant Personalization>edit settings & uncheck “Enable”.

(Or of course, you can just ‘Turn Off All Platform Apps” too!)

The really important thing is that if your Facebook Friends don’t do this, they will be sharing info about you as well. So, copy this and repost to yours…

(Thanks to Lorna Muir for this alert)

Corporate Privacy?

I’ve been arguing a lot recently that individual privacy, state secrecy and corporate confidentiality should be regarded as clearly separate things. Keeping this separation is important precisely because it stops organisations which we should expect to be open to inspection and accountable to us, from using ‘privacy’ as an excuse for avoiding such inspection. Philosophically, the distinction should be clear, but legally it may not be so obvious. One problem however lies in the nature of the whole notion of ‘incorporation’, which in its very language already assigns certain individual human attributes to organisations. And corporations are very much aware of this.

Marc Rotenberg points me to a very interesting legal test case in which the Electronic Privacy Information Center (EPIC) in the USA is currently involved. This case originally started when in 2008 the Federal Communications Commission ruled that corporations could not use ‘privacy’ as a reason to reject Freedom of Information requests. In 2009, a court overruled this decision. And now the FCC, ironically aided by EPIC, an organisation which frequently finds itself challenging rather than supporting the state on such issues, is seeking to have this ruling overturned in the Supreme Court.

This strikes me as a vital case, not just for the USA, for other jurisdictions where corporations will be observing the outcome and seeking to bring similar challenges if they can. If privacy, and indeed any other fundamental human right, is to mean anything it can neither be granted to companies who find it simply a convenient cover for a desire for confidentiality, nor to states who seek to maintain secrecy. Clearly there is information possessed by corporations and by states that might have elements that could be damaging to personal privacy. Private individuals acting in a corporate or state capacity may perhaps in some clearly delineated circumstances have the right not to be personally identified, even more so for individuals from outside the organisation concerned, but the ‘what’ of the information should still not, by association with an individual expressing a desire for privacy or anonymity, acquire the protection of privacy.