Sunday, 31 October 2010

Who can save us from the decline and fall of EU data protection regulation?

“Laws rarely prevent what they forbid.”

I’ve been mulling over the implications of this phrase for some time, and I have to thank Alun Michael MP for reminding me of it.

Where does it come from?

The classical scholars among us will instantly recognise it as a quote from “The History of the Decline and Fall of the Roman Empire”, written by Edward Gibbon and published in six volumes between 1776 1789.

Wikipedia reports that “As far as Gibbon was concerned, the Roman Empire succumbed to barbarian invasions in large part due to the gradual loss of civic virtue among its citizens. They had become weak, outsourcing their duties to defend their Empire to barbarian mercenaries, who then became so numerous and ingrained that they were able to take over the Empire. Romans, he believed, had become effeminate, unwilling to live a tougher, "manly" military lifestyle. He further blames the degeneracy of the Roman army and the Praetorian guards. In addition, Gibbon argued that Christianity created a belief that a better life existed after death, which fostered an indifference to the present among Roman citizens, thus sapping their desire to sacrifice for the Empire. He also believed its comparative pacifism tended to hamper the traditional Roman martial spirit.”

Interestingly, (and again according to Wikipedia) “Gibbon saw the primary catalyst of the empire's initial decay and eventual collapse in the Praetorian Guard, instituted as a special class of soldiers permanently encamped in a commanding position within Rome, a seed planted by Augustus at the establishment of the empire. As Gibbon calls them at the outset of Chapter V: The Praetorian bands, whose licentious fury was the first symptom and cause of the decline of the Roman empire... He cites repeated examples of this special force abusing its power with calamitous results, including numerous instances of imperial assassination and demands of ever-increasing pay.”

Such behaviour would obviously have diminished them in the eyes of the populous of the ancient regime.

But am I making a cheap point of associating, say, the Article 29 Working Party with the Praetorian Guard of Ancient Rome, and then arguing that any lowering of respect that the general populous of the EU has with that august body is the primary catalyst of the demise of data protection regulation?

No, I am not.

For me, the Praetorian Guard is the individual Member State of the EU – and it’s the failure of each Member State to protect the basic concept of international data protection regulation (to facilitate the free flow of information around the EU – and then the globe) which has caused the disengagement we see today.

So how have Member States failed to protect the basic concept? They need to tread very carefully in this area, if they are to be taken seriously.

I think the failings are in 3 areas, none of which will come as a surprise to people who are deeply involved with the practice – and the theory- of internet regulation. And these are areas that Alun Michael spoke about at the “Fourth Internet Governance Forum”, held at Sharm el Sheikh, Egypt, in November 2009.

The issues relate to the pace of change, the consultation process and the fallacy that legislation provides a solution in itself.

On the pace of change, we have to accept the speed with which the internet develops guarantees that our perceptions of “the future” are increasingly inaccurate. And, we have to acknowledge that the current management techniques of industry, government, and the international community are too slow to keep up with changes on the internet. Some people are bemused that not even the most basic concepts are sufficiently clear. Is an RFID tag an item of personal data? Does it become “personal data” even though the data controller has no idea who is using the umbrella with the RFID tag on it, or whether a number of people may be sharing that umbrella? Or is an RFID tag about an object, rather than a person? As we embrace an internet in which the majority of stuff being recorded relates to objects rather than individuals, its getting ever harder to work out just whether (or to what extent) the current definitions of “personal data” matter any more.

On the consultation process, we have to accept that decision can’t any longer be made just by technogeeks and regulators. Cities are not made by architects, they are made by people. And increasingly, by young people. So we must engage with young people, and create solutions that take more account of their needs than of the needs of older people. Soon, we’ll be handing it over to young people. They talk about the issues in a completely different way and there’s a real and powerful opportunity to use that talent and engagement in a positive way. But more than that – if we genuinely believe that data protection regulation is that important, we will have failed if we can’t find a language to communicate with people who simply aren’t interested in this stuff.

And it’s not just young people we need to consult with properly. I sense that the data protection community also needs to communicate to legislators who do not take an interest in this process in any way. Policymakers are overwhelmed by the issues of the day, but rarely have the luxury of feeling free to devise a proportionate response. Too many legislative proposals appear ill thought out, barely capable of surviving a cursory examination by a critical elite - who will then, like a pack of wolves, turn their attention elsewhere.

And, finally, on the legislative process, I despair of the tendency of politicians to feel that their job is done once a law has been enacted. As if many people really care (or even know) what’s on the statute book. As I remarked at the beginning of this blog, “Laws rarely prevent what they forbid.” Laws need to be accompanied by behavioural change before they can be considered a success. There are plenty of laws that we all freely ignore – and will continue to ignore. Even lawyers ignore some laws. And how do we achieve this behavioural change – as the veteran comedian Ken Dodd used to explain, by wooing an audience, not just by expecting them to find him funny. And what I really despair of a number of legislators – and some regulators too- is their misguided belief that the data protection managers of this world will do “their” work for them, by enforcing regulations that contain so much gobbledegook that lawyers have to be asked to help explain it in terms that Homer Simpson, rather than Albert Einstein, might comprehend.

Perhaps instead the regulators might take it upon themselves to "rebel" if they are expected to enforce stuff that they don't properly understand either. Wouldn't it be nice if European Parliamentarians could occasionally receive a letter pointing out the inconsistencies of the legislation they had passed, together with a polite indication that the regulators would ignore this tosh until the legislation had been simplified and the inconsistencies ironed out. That would be a turn up for the books. Perhaps we should demand that the European Parliament should always make decisions and approve laws that can be understood by a European citizen of average educational ability.

The forthcoming review of the data protection directive will give the EU an opportunity to shine. But, given its sorry history of trying to create general laws which always take account of local characteristics, I doubt that the resulting legal instruments will change the general direction of travel.

I predict that “barbarian invasions” (in terms of the influx of internet services from global data controllers whose mindsets are more attuned to the west coast of the USA rather than Europe) will continue to engulf the “Praetorian Guard” of the individual EU Member States. Remember too that Gibbon argued that Christianity created a belief that a better life existed after death, thus fostering an indifference to the present among Roman citizens, thus sapping their desire to sacrifice for the Empire. Perhaps the time has come to consider whether Google has created a belief that its services provide a “better life” to that which the EU regulators might wish to allow, thus fostering an indifference to current restrictions among Europe’s citizens, and sapping their desire to sacrifice convenience for the EU’s data protection standards.

"I want my gratification and I want it now," I hear many say.

I predict that, in my lifetime, we will see the demise of European data protection regulation, in order that global standards can take their place.


Friday, 29 October 2010

Official – “Google escapes prosecution”

It seems that the boys in blue have read the blog I posted on Monday, and have agreed with my analysis. Google will escape police prosecution as they’ve actually broken no (British) laws. Matt Warman, writing in today’s edition of the Daily Telegraph, did get the bit about a “small fine” wrong though – there won’t be any sort of fine (and for the reason I set out on Monday).

Matt ought to read my blog with a little more care. We don’t want journalists making silly mistakes like that, do we!



Thursday, 28 October 2010

Are they still celebrating in the streets of Uruguay?

In a move that advances the interests of the European data protection community by (probably) less than a millimetre, the Article 29 Working Party has recently opined on whether Uruguay’s laws are sufficiently “adequate” to allow them to join that great community of countries outside the EU whose data protection laws have also been officially assessed as “adequate”.

Just to remind those who had forgotten (or who didn’t know in the first place), Uruguay is a tiny country located in the South Eastern part of South America with a population of about 3.5 million, sandwiched between Brazil (whose population is over 190 million) and Argentina (whose population is over 40 million, and whose data protection standards are also considered "adequate").

But hurrah – the Article 29 Working Party has taken it upon itself to address the data protection climate within Uruguay, and it has concluded that the climate does indeed meet the EU’s standards.

So, let those data flows keep flowing to Uruguay.

So who's "adequate" now? Well, the European Commission's list comprises Switzerland, Argentina, the Bailiwick of Guernsey, the Isle of Man, the Bailiwick of Jersey and Canada (as long as the recipient of the information is subject to the Canadian Personal Information Protection and Electronic Documents Act).

Israel is likely to be next. There are a few formalities that need to be gone through before Israel is actually on the list, but none of these formalities will affect (or matter to) anyone outside the European Parliament. The Article 29 Working Party has already had its say (and has finally said "yes"). We will now stifle our yawns and wait for the inevitable to happen.

Then, the European Commision will consider adding Uruguay to its list. Of course, it will first ask the European Parliament first for its views on the matter, but as there is no formal requirement for the European Commission to actually accept those views, it won't be too long before Uruguay makes it all the way, too.

Some list.

If anyone else is inclined to glance at the Working Party’s “Opinion 6/2010 on the level of protection of personal data in the Eastern Republic of Uruguay”, adopted on 12 October 2010, then feel free to point your browser to:


Tuesday, 26 October 2010

To engage – or not to engage?

I’ve just read a remarkable briefing paper which was prepared in June 2009 by some awfully clever bods at the London School of Economics. In 59 pages, it brilliantly sets out the challenges the Government faces as it tries to work out what to do ensure that the cops – as well as the spooks – can access our communications records when they need to prevent or detect crime.

If I were a civil servant reading this, I would be worried. Why? Because I would expect to see Government security markings on the document that were so high that even the Home Secretary wouldn’t be allowed to be photographed reading a copy. “How dare stuff like this be allowed to be read and discussed by the great unwashed?” I would expect senior civil servants to mutter.

When in printed form, the truth can hurt. A lot.

But I think we owe a vote of thanks to the LSE’s “Policy Engagement Network” for publishing this briefing paper. Well, thanks to an extent, anyway. Granted, the paper sets out the problems, but what we could really do with is a paper of similar quality which sets out the solutions. Or at least a set of potential solutions, from which the ultimate solution could be selected.

What is the Policy Engagement Network?

Its website helpfully explains that “the primary objective of PEN is to inform policy deliberation through linking academic research with pressing policy issues. To further this goal we build and nurture relationships with policy-makers, regulators, government agencies, parliamentarians around the world and international organisations. Through these relationships we are able to identify the policy areas that require the greatest and immediate attention. We bring international experts from academia, industry, government, and civil society together to inform our work so that we may bring the key ideas and knowledge into the policy-making process. 'Engagement' is the essential research strategy to our work. We host dozens of workshops every year at the LSE, and we have run forums and conferences around the world. We present our work at dozens of international conferences every year, and regularly give evidence and provide reports to Parliaments, regulators, policy-makers and industry.”

So let’s hope the Government recognises the remarkable contribution to the debate that this briefing paper makes, and cordially invites the authors to join them in their search for solutions. These guys really know their stuff. They obviously have some considerable amount of “inside knowledge” about the salient issues. So let’s leverage it, and hope they are invited to remain within the tent, as it were. Let’s get them to meet Government representatives on a regular basis, to explore solutions that nail the concerns of so many who share their fears about the capacity of the state to properly address this issue.

I think that such an initiative requires a huge leap of faith on both sides.

On the side of the Government, it probably requires some people to realise that they have to extend the circle of the “trusted few”, so that it doesn’t just include law enforcers, communication service providers and solution providers (ie consultants with software and databases to sell). The debate has to hear the voices of the representatives of civil society.

But on the other side, it also requires some people to realise that there is no place for those who just want to be in constant opposition. Opportunities to engage may well lead to an accommodation of views – which will be acceptable to the majority of stakeholders, but never to the extremists on each side of the debate. Does the Policy Engagement Network, like Sinn Féin, have the appetite to reach an accommodation with the Government? Or would it prefer to remain pure to the principles espoused by some those on its fringes?

I have no idea. But I suspect that until the Government is courageous enough to seek its active engagement in any ongoing discussions, the PEN may continue to thrive by criticising the Government’s plans.

Which, I think, is a bit silly. Especially since I am certain that, deep down, the representatives from both sides simply want to ensure that we continue to live in a just, safe and tolerant society.



Statewatch “unveils” the Commission’s cunning plan for a new Directive (or not …)

Sharp-eyed visitors to the Statewatch website may have noticed a recent update. While I blogged about the European Commission’s statement on 5 October, giving just a teasing glimpse of their proposals, Statewatch has done much, much more. It has taken the huge step of posting that entire 18 page (draft) statement on the internet. Together with a 1,000 word analysis of the proposals.

For those not familiar with its work, Statewatch was formed in 1991. It is an independent, not for profit group of journalists, researchers, activists, lawyers and academics that monitors civil liberties and the state in Europe. I am not a member of this group, but do search its on-line archives now and again. receives over 100,000 visitors every month, and is a valuable and credible research resource, used by journalists, NGOs, campaigning organisations, parliaments, lawyers, activists and students.

But D’oh …

What our chums at Statewatch may not have appreciated was that the Commission’s draft was updated yesterday. I’m not sure to what extent. Not yet, anyway.

So let’s see if the final version, when it is finally published by the Commission, differs in many material ways from the one that Statewatch has just posted.

And let's hope that not too much of that 1,000 word analysis of the earlier proposals turns out to be wasted.


Monday, 25 October 2010

Why Google’s snooping mishap hasn't broken British laws: some regulators do ‘ave ‘em ...

Who was responsible for creating such a whoopsie on the statute book that has resulted in Google not having broken any British laws when they evidently scooped up more than they bargained for when harvesting geographical information about the location of various Wi-Fi networks?

As the great and the good are now on their way to Jerusalem, for the Data Protection Commissioners annual conference, I’ve taken it on myself to try and work out what the issues are from the facts as I think I know them.

What are the facts?
Google has admitted that, while capturing street-level photography as part of its Street View mapping project, its camera cars also inadvertently gathered some data that was being sent across domestic Wi-Fi networks.

How did this happen?
Google’s camera cars have roof-mounted wireless antennae, which are used to create a map of wireless networks, for use in geo-location products. This technology was inadvertently based on some experimental code, written four years ago by a Google engineer, that sampled data broadcast publicly over wireless networks. Google's engineering teams have admitted a breakdown of communication that resulted in this experimental code forming part of the software used to map wireless networks. However, the company insists that it was never its intention to gather this data, and that it had never intended to use it for commercial purposes.

What sort of information was gathered?
Google “inadvertently” captured around 600GB of data in 30 countries. Among the information gathered were emails, passwords, and the addresses of websites visited by households. However, Google has stressed that none of this data has been, or was ever intended to be, used for commercial purposes.

What did Google say when the breach came to light?
Google has apologised profusely for the data breach. “We are profoundly sorry for having mistakenly collected payload data from unencrypted networks,” said Alma Whitten, Google’s director of privacy. “As soon as we realised what had happened, we stopped collecting all Wi-Fi data from our Street View cars and immediately informed the authorities. This data has never been used in any Google product and was never intended to be used by Google in any way. We want to delete the data as soon as possible and will continue to work with the authorities to determine the best way forward.” Google also said its Street View cars no longer collected any kind of wireless information.

But has Google contravened any British data protection or privacy regulations?
I think not. Here are my own views on 3 issues that keep on cropping up in the press, and where I think the commentators keep on offering the wrong answers:

Did Google process any “personal data” as defined by British data protection legislation?
Given the definition in the UK’s leading case of Durant v Financial Services Authority, no. The information it collected did not relate to living individuals that Google could identify – or that it ever intended to identify. It was simply small amounts of information which related to particular internet addresses in a particular location, ie along a public highway, at a particular time of the day. Many months ago. If this argument is accepted, then we are not talking about the misuse of personal data, so data protection legislation doesn’t apply anyway.

Could Google be fined by the Information Commissioner up to £500,000 for its behaviour?
Even if the misuse had involved personal data, the answer has to be no. The Commissioner only acquired powers to fine miscreants in April of this year, and the powers are not retrospective. Hopefully, Google’s misbehaviour in the UK, as it were, ceased well before April.

Could Google be sanctioned for unlawful interception?
Again, no. Remember, the Government didn’t feel able to take any action against BT and Phorm after allegations emerged that they had intercepted and profiled the web browsing of tens of thousands of broadband subscribers without their consent in trials in 2006 and 2007.

And this is why the European Commission have expressed their concern that the provisions of the Directive on Privacy and Electronic Communications, which prohibit "unlawful interception and surveillance without the user's consent," have not been properly brought into UK law. Among the failings, apparently, was that UK law currently contain sanctions against interception only in relation to "intentional" snooping. So, if Google were to argue that any interception was “unintentional”, and wrong, unfortunate, and certainly not sanctioned by senior Google management, then there is no British interception law that the company would have broken anyway.

I rest my case.



Sunday, 24 October 2010

Alma rides to the rescue

Every calamity provides an opportunity for someone to shine through.

So, following the launch by privacy authorities across the globe of investigations of Google's WiFi data collection, it’s time for Alma Whitten to show (more of) us what she’s made of. Alma has recently been appointed director of privacy for both engineering and product management. "Her focus will be to ensure that we build effective privacy controls into our products and internal practices," says Alan Eustace Google’s senior vice president of engineering.

"She has been our engineering lead on privacy for the last two years, and we will significantly increase the number of engineers and product managers working with her in this new role."

Google has also vowed to increase privacy training among its employees. "We’re enhancing our core training for engineers and other important groups (such as product management and legal) with a particular focus on the responsible collection, use and handling of data. Beginning in December, all employees will also go through a new information security awareness program, which will include "clear guidance on both security and privacy.What's more, engineering project leaders will keep a document detailing the privacy design of each project they work on. This document will record how user data is handled and will be reviewed regularly by managers, as well as by an independent internal audit team."

This is great news – and a well deserved appointment for a really nice person. I first met Alma about a year ago, while we were both working on a privacy initiative run by the think tank Demos. I was so impressed with her (many) abilities that I even blogged about her, with an ode penned in honour of her remarkable achievement in spearheading the development of the Google’s “Dashboard” control panel, which was unveiled at the Data Protection Commissioner’s conference in Madrid last November.

I don’t know if she’ll be attending next week’s Data Protection Commisisoner's conference, which will be held in Jerusalem. But if she is, and the spirit takes everyone, then may I suggest that they charge their glasses and wish her all the best in her new role. And, if the more musical among the fraternity wish to break into song, then can I suggest the following ditty, which can be sung to the tune of the “Battle Hymn of the Republic”.

I can do better than that – I can reproduce my blog posting for Friday 6 November 2009 right here:

According to my dictionary, an "ode" is "a lyric poem marked by lofty feeling and dignified style". So the following bit of doggerel is not an ode. But it is (somewhat) respectfully written - in homage to Google’s new “Dashboard” control panel, which enables people to more easily access and adjust their own privacy settings. The Dashboard was launched a couple of days ago, at a Data Protection conference in Madrid on 4 November.

I also (very) respectfully pay tribute both to Alma Whitten, Google’s software engineer for privacy & safety, while imitating the style (and using many of the phrases) of Julia W Howe who, during the American Civil War, wrote the original verses of the "Battle Hymn of the Republic" in single evening at the Willard Hotel, Washington DC, on 18 November 1861. That's almost exactly 148 years ago.

This blog was crafted during the course of a single evening, too. And it shows.

I hope Alma won't be offended. I certainly don't mean to offend her. I met Alma last week at the Demos event in Bradford (which sparked my 2 November blog) and really enjoyed her easy manner, professionalism and deep commitment to fairness and transparency. She's one of Google's shining stars!

Mine eyes have seen the glory of the coming of the Board;
It’s a simple way of knowing how your preferences are stored;
And soon it will be winning every privacy award;
It’s truth is marching on.
Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! The truth is marching on.

I've heard Alma speaking softly to a hundred data champs
They have builded her a platform for the evening dews and damps;
I can view her presentations by the dim and flaring lamps;
Her day is marching on.
Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! Her day is marching on.

I have read a fiery press release which really makes you feel
“You journalists are ignorant and just don’t get the deal”;
Let the Hero, born a woman, crush the serpent with her heel,
Since Alma’s marching on.
Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! Since Google's marching on.

Alma's helped to build a Dashboard where the picture is complete;
She is sorting out the hearts of men before they start to tweet;
Oh, with self control, now plead with her: Come photograph my street;
Our Alma’s marching on.
Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! And Google marches on.

In the beauty of the lilies she was born across the sea,
With a glory in her bosom that transfigures you and me:
As she works to make men useful, let us work to make men free;
While Alma marches on.
Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! While Google marches on.

She is coming like the glory of the morning on the wave,
She is wisdom to the mighty, She is honour to the brave;
I will start to use her Dashboard if you promise to behave,
As Alma marches on.
Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! Yes, Google marches on.


Saturday, 23 October 2010

Behavioural advertising chaff

I understand that, during their get together in Jerusalem next week, some of the more passionate members of the data protection fraternity plan to let others know just how extremely unhappy they are about all this behavioural advertising stuff they experience each time they log onto their chosen web sites. Apparently, there needs to be more laws and restrictions, blah blah blah, to protect the digital innocents. And the not so digital innocents.

If people really are so unhappy about what they evidently consider to be an unfairly intrusive and awfully invasive technology, can I suggest a simple sway of confusing the behavioural advertisers, and ensuring that rather than receiving adverts that may be slightly interesting, they can instead have their screens cluttered up with material about which they have no interest whatsoever.

It’s a simple technique, and one which takes just a few minutes to practice.

All you have to do, once you have finished surfing the web for the sites you want to see, just spend a few minutes each day surfing random sites that you would never usually access. That’s going to confuse the hell out of the clever programmers who develop complex algorithms whish try to tailor adverts about stuff they think you are actually interested in. If you can spend, say, just 10 minutes a day surfing stuff you are not interested in, then the adverts that will be invariably served are likely to be less relevant, so you can rest assured that there is no central “big brother” data base that knows what you are really interested in.

Just as fighter jets emit lots of metallic chaff to put the heat-seeking missiles off their scent, we too can emit sufficient electronic chaff to put the behavioural advertisers off the scent. If we wanted to, that is. Hey, perhaps some cunning oik will develop an application for us to use, which will run in the background of our usual browsing activity, to cloak what we are really doing with a veneer of respectability.

Will this concept catch on?

Let’s wait and see.

We can judge its success by the sort of adverts that will be served whenever we visit our favourite websites. The less relevant these adverts are, then perhaps the more effective is the chaff. But then again, if the adverts aren’t that effective, then the webmasters will have to think of other ways of monetising their sites. Like creating paywalls – which are likely to deter us from visiting our favourite sites.

Who pays to access the timesonline these days when you can get all you need from the (free) on-line versions of the Daily Telegraph, Guardian and Daily Mail?

So is behavioural advertising really that bad – especially if it helps to keep serving us all with the stuff we want for free? If we are to believe the more passionate members of the data protection fraternity, then perhaps it is a bad thing. And perhaps we ought to put our hands in our pockets to protect our privacy.

Oh yeah - and just how many of us are going to want to do that?

Thursday, 21 October 2010

Securing communications records to fight terrorism

So there we have it. We now know a little more about what they were talking about when the representatives of the Conservative and Liberal Democratic parties met immediately after May’s General Election to discuss the basis on which a Coalition Government would operate. The Coalition Agreement contained a commitment to "end the storage of internet and email records without good reason", but at that time no-one I asked actually seemed to know what those words meant.

Well, we know a little bit more now.

According to the Police Oracle website, “MI5 has begged for a new database to help intercept terrorist emails, texts and calls - and its Internet Modernisation Programme will get £400million extra.”

Presumably, this is the same “programme” that was mentioned on page 44 of the “Strategic Defence & Security Review”, published earlier this week. That review identified areas in which the Government needs to adapt its strategy for countering international terrorism (CONTEST) in order that the approach was proportionate, fair and effective.

And what did the Review actually say? It said that it would:

“Introduce a programme to preserve the ability of the security, intelligence and law enforcement agencies to obtain communication data and to intercept communications within the appropriate legal framework. This programme is required to keep up with changing technology and to maintain capabilities that are vital to the work these agencies do to protect the public. Communications data provides evidence in court to secure convictions of those engaged in activities that cause serious harm. It has played a role in every major Security Service counter¬terrorism operation and in 95% of all serious organised crime investigations. We will legislate to put in place the necessary regulations and safeguards to ensure that our response to this technology challenge is compatible with the Government’s approach to information storage and civil liberties.”

I don’t see anything wrong with the introduction of legislation to put the necessary safeguards in place. After all, in the context of the current public inquest into the obscene terrorist events of July 2005 where, daily, new horrific details are broadcast to the nation, I would want to ensure that our spooks have everything they required at their fingertips to reduce the risk of similar scenarios occurring again. I would love to ensure that their technical and surveillance capabilities were at least as extensive as those enjoyed by the actors in the BBC TV series Spooks, who are currently saving the nation every Monday evening.

The trick, as ever, is trying to work out what else is allowed to be done with the communications records while they are being retained for the purposes of detecting and preventing terrorism and serious crime. While the records exist, is it also permissible to allow them to be used for the purposes of detecting and preventing frivolous crime?

Evidently we are happy for CCTV to be used to convict ladies who plop cats into wheelybins, although I doubt whether that was the original purpose of that particular CCTV surveillance system.

But how will the Government tweak our much loved RIPA to ensure that public authorities only use communications data for the purposes that we, the great unwashed, would all find acceptable? And, if the Government were to tweak RIPA to remove powers from certain public authorities, then how can we all be assured that those authorities would not be tempted to go behind the back of the Government and obtain that very same communications information by using other statutory powers that the Government had forgotten they had given them?

Let’s wait and see.

Perhaps, if they get any spare time together over the next few months, we should ask David Cameron and Nick Clegg to revise the original text of the Coalition Agreement. They may find it convenient to turn the commitment to "end the storage of internet and email records without good reason", into a commitment to "start the storage of internet and email records with a good reason".

No doubt, when many of the greatest and most distinguished of the International Data Protection community get together next week in Jerusalem for the 32nd International Conference of Data Protection & Privacy Commissioners, some participants will be talking about this. A few Data Protection Commissioners may even think it’s time for the Article 29 Working Party to write another opinion about it. But we all know their opinion. And we all know who’s ignoring their opinion. So, let's not expect them to spend too much of their time at the conference opining on it again.


Tuesday, 19 October 2010

Another Ministerial Data Breach?

Most of us know what it’s like when we are asked to provide advice on reducing the likelihood of data breaches. “Encrypt your electronic files”, we say. And “always take proper care of your paper files too. After all, the Information Commissioner’s Office is pretty hot on data breaches these days. Just take a look at the Commissioner’s latest press release, which castigates a doctor at North West London Hospitals NHS Trust who left medical information about 56 patients on the tube in May of this year.

Apparently, the doctor printed out personal and diagnostic information about patients to use in audit work, undertaken at home outside normal working hours. Shortly after leaving the tube station, the doctor realised the information had been left on the train and returned to inform the station supervisor. The documents were subsequently found by London Transport at the train’s termination point, and were retrieved by the doctor. There is no indication that anyone had accessed these highly confidential and sensitive papers, detailing people’s medical history, while they were left unattended on the train.

However, the Commissioner has still managed to get the Chief Executive of The North West London Hospitals NHS Trust to sign a formal undertaking outlining that the organisation will ensure that personal data is processed in accordance with the Data Protection Act. In particular the Trust has agreed to adopt pseudonymisation techniques, meaning that personal details like patient’s names, will not be contained in print outs.

Nice one.

But, what does the image above show? It's copied from today’s on-line edition of The Daily Telegraph – and is a photograph of Danny Alexander, the Chief Secretary to the Treasury, being driven into Whitehall with an open copy of the Comprehensive Spending Review on his lap.

This is the review that is supposed to be unveiled before Parliament tomorrow. The parliamentarians will be mightily miffed that photographers have been able to snap away at some of the confidential details before they were made known to them. We’re not supposed to know until tomorrow that there is to be a reduction in public sector workforce numbers of 490,000 by 2014-2015. In accorfdance with Parliamnary tradition, our Parliamentary lords and mastters are supposed to be told before we, the great unwashed.

Will Danny Alexander be among those who will lose his job over this gaffe? I think that’s unlikely – after all, he is, as The Telegraph helpfully reminds us, “just the latest minister to be caught out by photographers carrying documents in Whitehall.

The Housing Minister Caroline Flint revealed forecasts of a 10 per cent plunge in property prices when she carried confidential briefing papers into Downing Street in a clear plastic folder in May 2008.

In 2009, the Met Assistant Commissioner Bob Quick had to resign after displaying secret notes that led to a suspected Al-Qaeda operation being brought forward."

I do hope David Cameron reads that lot the riot act at the beginning of the next Cabinet meeting. If Christopher Graham can get the Chief Executive of The North West London Hospitals NHS Trust to sign a formal undertaking when the personal details of 56 people were not seen by anyone other than the people who were actually supposed to see them, then surely the Prime Minister can provide us all with a formal undertaking that the Government will do its best to protect the plans that will siginficantly affect the livelihoods of half a million people.

It’s a pity the document didn’t name them all. The ICO would have had a field day, then!

Who needs to worry about cybercriminals when we let Ministers be driven around in cars reading confidential paper documents? And if Ministers can't be bothered to feel accountable for breaches of this nature, then why should Chief Executives consider signing undertakings for lesser mishaps?

Saturday, 16 October 2010

My verdict: Go See “The Social Network”

I was extremely impressed with “The Social Network”, which has just opened in all good cinemas. Rush to see it and marvel at the way the site that Mark Zuckerberg is so closely identified with was created.

So how old is Facebook? I was stunned to appreciate that it was just in September 2003 that the germ of an idea cropped into his mind and he began work to develop the concept, prior to its actual launch in February 2004. What else happened in September/October 2003 – what can I use to jog my memory? I’ve tried to recall other events that happened around that same time – but it’s not easy to find anything really memorable incidents. Michael Howard was about to be elected Leader of the Conservative Party, the IRA were decommissioning more weapons, there was a war in Iraq, and it was the second anniversary of the 9/11 attacks in America.

And what’s the film about? Well, it basically just tells a story of a Harvard University geek who gets dumped by his girlfriend, reeks revenge by writing a pretty savage blog about her, and then (still drunk) hacks into many of the college computers to amass an address list of Harvard students who subsequently get invited to a website which invites people to rank the Harvard University girls in order of their sex appeal. Needless to say, it becomes so incredibly popular that it brings down the university’s servers within hours. By the time Zukerberg is sober, it’s time to face the university authorities. It’s also time to face a new range of challenges from a wide range of people – and as the Facebook concept grows, he drifts away from his best friend and business partner.

I won’t say much more about the film, other than to note the way in which the prospect of making vast amounts of money can generate so many disagreements between super smart people. Its brilliant fun, and I am delighted that the key players in the story have so generously allowed the film makers to present such a “warts and all” perspective of what must still, for some, be an experience where the scars have yet to propertly heal.

I know how hard it is to write about the “recent past”. Some time ago I wrote a book (still accessible if you know where to point your browser on the internet) about the first 15 years of the Terrence Higgins Trust, a charity set up to respond to the HIV/AIDS crisis that hit the globe in the early 1980’s. The problem I faced was trying to write about key people in a way that was both interesting and credible.

During an extensive research period I met a good number of them. Many of the early figures in the AIDS crisis were people who were passionate about the cause, and threw themselves into the task of creating an effective response. A tremendous amount of good work was done by these people, and occasionally they fell short. I found it incredibly hard to write a narrative that reflected the good work done, while not mentioning too much of the not-so-good stuff that could well have harmed their reputations in their current fields.

I would not want to repeat that task.

So, the screenwriters of “The Social Network” have my great admiration for their courage and persistence in coming up with a creditable narrative which shows these incredibly rich people in not always the best light, behaving in ways that many of our own leading lights might get their lawyers to prevent us from knowing about.

One of the best things about the film is that is shows the power of the internet – as a force for good as well as for embarrassment. It is clear, from the first few minutes, that Mark Zukerberg knows only too well that the internet can be used to post material that causes embarrassment to others, and shame to the person who posted it. But, and it is a big but, the internet also creates so much pleasure for so many people. Can 500 million users really be wrong? That’s how many registered users there were as of July 2010. I think not.

The users can act stupidly once in a while – but hey, can’t we all. Yet, if faced with a choice between a word without social networking sites and a world with Facebook, I know which one I would go for. Every time.

Wednesday, 13 October 2010

A new name for a Data Breach?

Lunch today with Dr Larry Ponemon, thanks to the extremely generous hospitality of Ashley Winton at White & Case. No, that’s not him in the picture at the foot of this blog entry. Nor is it an image of Ashley White. Think on.

For those of you who don’t know, the Ponemon Institute conducts independent research on privacy, data protection and information security policy. It enables organizations in both the private and public sectors to have a clearer understanding of the trends in practices, perceptions and potential threats that will affect the collection, management and safeguarding of personal and confidential information about individuals and organizations.

The Ponemon Institute is also the parent organization of the Responsible Information Management (RIM) Council. The RIM Council draws its name from the practice of Responsible Information Management, an ethics-based framework and long-term strategy for managing personal and sensitive employee, customer and business information. Members of the Council represent a cross-section of Fortune 500 companies and are champions of privacy and data protection in their organizations. Through working groups and special projects, they create practical solutions to the privacy and data protection challenges faced by organizations.

In my humble opinion, Larry is one of the great gods of data protection – and his annual “cost of data breach” reports are generally considered the leading authority on the subject. So, it was a rare priviledge to meet the great man again, and to hear a preview of the latest figures. I won’t tell you what they are as I don't know if they have been officially published yet, and I don't like to leak material on this blog ... but the figures do continue to make a compelling case for preventative action to be taken now, rather than wait and deal with the stuff that flows from feeling obliged to issue a data breach notification to all and sundry.

Over lunch today, Ashley White argued that breach notification was more firmly on the EU’s agenda than it has ever been before, even though European regulators don't appear to have an agreed view about how big the breach ought to be before it has to be notified to anyone. I was more worried that, given the steady flow of breach notices that Americans seem to get, thanks to “consumer-friendly” US laws, there’s precious little evidence that these laws have actually changed behaviour and led to a reduction of data breaches in the US. So, if it's not working over there, why import it over here?

I was also worried how sanguine these Eruocrats are that data controllers actually know what data has been lost when there has been a loss. My experience of dealing with people who have lost (encrypted) laptops or (encrypted) data sticks is that they didn’t have a complete idea about what was on the media. Not much of an idea at all, actually, let alone a complete idea. And I really wouldn’t want to face the ire of an apoplectic “data subject” (horrible phrase that it is) who demanded to know if “their own” data had been lost if I didn’t actually have any proof that it had, indeed, been lost.

Anyway, back to the plot. My real aim over lunch today was to start a campaign to change the phrase data breach to something more meaningful. What is a data breach, anyway? It’s a phrase that seems to belong more in the “Cold War” environment of the 1960’s, when an intelligence breach signified that someone had learnt about something that they should not have known. I don’t think the mere loss of information is sufficient to warrant the use of the term breach. I could “lose” a CD or data stick by seeing it fall out of a window of a railway carriage door and then watching it getting crushed on the tracks by an oncoming train. I may have lost the data, but no-one else is going to get harmed – so why on earth should that be a reportable data breach? We wondered what alternative terms might be more appropriate. A “Reportable Data Incident?” No. Too many words.

What would Frank Spencer have said about such a calamity? In the seminal television series “Some Mother’s Do Have Em”, broadcast between 1973 and 1978, he never actually uttered the phrase "Ooh Betty”. He did say "Oooh..." and made references to having "a bit of trouble", or to the cat having done a "whoopsie" (on one occasion, in his beret). A Data Ooooh? Or a “Data Whoopsie?” No, these won’lt do.

Or what would Homer Simpson have said about such a calamity? Should we report "data d’oh”s? No, I don’t like that term either.

After much deliberation, I have come up with a new term - which describes an unfortunate mistake – and it does have a date protection connotation. It’s named in honour of the Rapporteur of the original Data Protection Directive, who subsequently left the European Parliament to become a British MP, then was appointed Defence Secretary, Transport Secretary, Leader of the House of Commons and Labour Party Chief Whip, before disgracing himself (in the eyes of many, me included) in the recent MP’s expenses scandal. All that good work, then an enormous mistake that will live with him (and the rest of us) or a very long time. Yep, stand forward Geoff Hoon.

So, rather than reporting “data breaches”, let’s consider reporting on “data hoons” instead.

When should ISPs contact “their” customers to warn them about naughty behaviour?

Chris Williams has been reporting in The Register today that Virgin Media subscribers whose computers are part of a botnet can expect a letter warning them to tighten up their security, under a new initiative based on data collected by independent malware trackers.

Apparently, Virgin Media will match lists of compromised IP addresses collected by the Shadowserver Foundation, among others, to its customer records. Those with infected machines will be encouraged to download free security software to remove the malware and protect their connection in future. Virgin Media says it expects to send out hundreds of letters per week initially, with plans to expand the campaign based on customer feedback.

It’s funny that Virgin Media can be prepared to do this, yet other ISPs are unhappy at carrying out basically the same data matching exercise – but so that it can pass the IP Subscriber information on to the people who want to stop illegal file sharing. Will Virgin be as happy to sneak on its customers to the likes of ACS:Law? Does it care as much about people who are responsible for paying the bills of internet accounts used to unlawfully download copies of Spooks as it evidently does about devices that are sucked into botnets?

We may find out soon.


Tuesday, 5 October 2010

The European Commission's cunning plan

The European Commission has just unveiled it's cunning plan for a new Data Protection Directive, which has been given the glorious title of "A comprehensive strategy on data protection in the European Union."

You may be reading about these proposals for the first time. It won’t be the last time, and I suspect we’ll all be thoroughly sick of them by the time the Member States get their opportunity to implement the final version of the new Data Protection Directive.

The initial explanation of the (18 page) cunning plan goes on for almost 1,000 words. Some of the proposals appear to be very useful, and are very welcome. Other proposals don’t appear to make much sense - but perhaps it’s me that simply doesn’t get it, or that I can’t see how they can possibly be implemented.

So, fellow Data Protectors, let’s all have a good read of this and mull it over until we lose the will to live!

It is understood that the proposed actions by the Commission are:

- The Commission will consider how to ensure a coherent application of data protection rules, taking into account the impact of new technologies on individuals' rights and freedoms;

- The Commission will consider introducing a general principle of transparency in the legal framework; introducing specific obligations for data controllers on the type of information to be provided and on the modalities for providing it, including in relation to minors; drawing up one or more EU standard forms ("privacy information notices") to be used by data controllers;

- The Commission will examine the possible modalities for the introduction in the general legal framework of a general personal data breach notification, including the addressees of such notifications and the threshold beyond which the obligation to notify should apply;

- The Commission will therefore examine ways of:

a) strengthening the principle of data minimisation;

b) improving the modalities for the actual exercise of the rights of access, rectification, erasure or blocking of data (e.g., by introducing deadlines to respond to individuals' requests, by allowing the exercise of rights by electronic means or by providing that right of access should be ensured free of charge as a principle);

c) strengthening the so-called "right to be forgotten", i.e. the right of individuals to have their data deleted/removed when they are no longer needed for the purposes for which they were collected or when, in particular, processing is based on the person's consent, when he or she withdraws consent or when the storage period consented to has expired;

d) guaranteeing "data portability", i.e., enabling an individual should be able to withdraw his/her own data (e.g., his/her photos, medical records or a list of friends) from an application or service and transfer them into another one, without hindrance from the data controllers;

- The Commission will explore the possibility for co-financing awareness-raising activities on data protection via the Union budget; the need for and the opportunity of including in the legal framework an obligation to carry out awareness-raising activities in this area;

- The Commission will examine ways of ensuring a more harmonised implementation of current rules on consent; clarifying and strengthening the rules on consent;

- The Commission will consider whether other categories of data should be considered as "sensitive data", for example genetic data; certain types of data that, in specific cases, could also be considered as 'sensitive', for example, data related to minors;

- The Commission will therefore consider the possibility of extending the right to bring an action before the national courts to data protection authorities and to civil society associations, including consumer associations; assess the need for strengthening the existing provisions on sanctions, for example by explicitly including criminal sanctions in case of serious data protection violations, in order to make them more effective.

- In order to ensure a true level playing field for all data controllers who operate in different Member States, the Commission considers that further harmonisation and approximation of data protection rules need to be provided at EU level. The Commission will examine the means to achieve this;

- The Commission will explore different possibilities for the simplification and harmonisation of the current notification system, including the possible drawing up of a uniform EU-wide registration form;

- The Commission will examine how to revise and clarify the existing provisions on applicable law, including the current determining criteria, in order to improve legal certainty, clarify Member States' responsibility for applying data protection rules and ultimately provide for the same degree of protection of EU data subjects, regardless of their geographic location and of the location of the data controller;

- The Commission will examine elements to enhance data controllers' responsibility;

- The Commission will examine means of further encouraging self-regulatory initiatives, including the active promotion of Codes of conduct; explore the feasibility of establishing EU certification schemes (privacy seals) for privacy aware Technologies;

- The Commission will consider the extension of the application of the general data protection rules to the areas of police and judicial cooperation in criminal matters, including at domestic level, while providing for the necessary limitations (e.g. concerning the right of access) and derogations (e.g., to the principle of transparency); examine the need for introducing specific provisions, for example on data protection regarding the processing of genetic data for criminal law purposes or distinguishing the various categories of data subjects (witnesses; suspects etc); assess the need to align, in the long term, the existing various sector specific rules adopted at EU level for police and judicial co-operation in criminal matters in specific instruments, to the new general legal data protection framework; launch, in 2011, a consultation of all concerned stakeholders about the best way to revise the current supervision systems in the area of police cooperation and judicial cooperation in criminal matters, in order to ensure effective and consistent data protection supervision on all Union institutions, bodies, offices and agencies;

- The Commission intends to examine how to improve and streamline the current procedures for international data transfers, in order to ensure a more uniform and coherent EU approach vis-à-vis third countries and international organizations; to clarify the Commission’s adequacy procedure and better specify the criteria and standards for assessing the level of data protection in a third country or an international organisation; to define standard data protection clauses to be used in international agreements, contracts, binding corporate rules or other legally binding instruments;

- The Commission will continue to promote the development of high data protection legal and technical standards in third countries and at international level; seek to secure that the international actions of the Union are grounded on the principle of reciprocity of protection enjoyed by data subjects, and in particular ensure that data subjects whose data are exported from the EU enjoy the same rights (including judicial redress) in third countries as third country nationals enjoy within the EU (reciprocal treatment); enhance its cooperation, to this end, with third countries and international organisations, such as the OECD, the Council of Europe, the United Nations, and other regional organisations; closely follow up the development of international technical standards by standardisation organizations such as CEN and ISO, to ensure that they usefully complement the legal rules and to ensure operational and effective implementation of the key data protection requirements;

- The Commission will examine how to strengthen, clarify and harmonise the status and the powers of the national Data Protection Authorities in the new legal framework (including art. 29 WP).

[I'll update this blog with a link to the official document when it officially exists]

Monday, 4 October 2010

Oops – someone actually likes location based services!

In a quite unusual way, someone has upturned the apple cart. Someone has actually published an article enthusing about location based services. One in the eye for the privacy wonks here. Who is this upstart? And how dare he enthuse about something lots of people can’t wait to trash at the International Conference of Data Protection and Privacy Commissioners, to be held in Israel later in the month.

Still, I suppose you can’t have it all. You have to expect the odd dissenting voice just once in a while. Like from someone who actually gets the concept of the new generation of location based services.

So who is this miscreant and what is it that he’s saying?

Take a look at Benjy Lanyado’s article “ Are guidebooks facing extinction?” which appeared in yesterday’s edition of The Observer. Marvel at the way he describes the way that “Twitter tips, up-to-the minute websites and customised apps bursting with locals' advice are all changing the way we travel.” And how it means the end of the printed guidebooks.

The image above, lovingly ripped off from the Observer, shows travel writer Benji Lanyado in Vienna looking at a map. He doesn’t bother with huge guidebooks any more. As he puts it:

Four weeks ago I visited Manchester on a short break. I took a change of pants and socks, a spare T-shirt and my mobile phone. When I arrived in the city, I told Twitter that I was hungry, and within minutes I was gorging on corned-beef hash thanks to a recommendation from a fellow Tweeter. I held my phone up to Piccadilly Gardens, turned on an app, and its Wikipedia entry flashed across my screen, overlaid on to the grass in front of me through the camera in my phone. I opened another app, and dozens of local suggestions were hovering around me. There was a bar 288m from where I was standing where I'd get a free drink if I mentioned a secret word to a barman called Angus.

About 18 months ago, I started travelling with Twitter. I headed off on assignments without planning a thing. I began in Paris, where I arrived at the Gare du Nord and began slinging questions into the ether. For 48 hours the people of Twitter guided me around the city, from backstreet art galleries in obscure eastern suburbs to glorious belle époque eating halls in Montmartre. Every tip was tailored to my exact time and location. I wasn't recommended any old restaurant for dinner either – I was urged to go to one within a 10-minute walk of where I was standing. I've been on regular “Twi Trips” ever since and am never disappointed with what is recommended… from genteel picnics on Oxford college lawns to transvestite cabaret clubs in Blackpool.

And now my expectations of what the web can do for travel is changing again. The last year has seen the proliferation of location-based apps, tailored to be permanently aware of where their users are. When you open Foursquare, the trailblazer of the new wave, the GPS in your phone tells the app where you are standing and displays dozens of tips within a few minutes of your precise location. It can even tell you who is in them – users are encouraged to "check in" wherever they are in order to accrue points and badges. It's geeky, but it's working – the game element is catalysing Foursquare’s 's exponential growth. The site counted its 3 millionth user in August, less than two months after it passed the 2 million mark. On Yelp, another location-based app, nearby destinations are also rated by users, and you can choose the most popular gallery or bar or restaurant closest to where you are standing.

What once required hours of rifling through guidebooks, or Googling into the provincial nooks of the internet, is now attainable in an instant. And increasingly we don't need to find the information. It can find us.

Having convinced the online public to reveal who they are (through social networking sites such as Facebook) and what they are doing (via Twitter), the web's latest question is significantly more zoomed in: where are you? Location-specific information is what we want, especially when we are travelling. In a survey conducted for the World Travel and Tourism Council, 63% of travellers revealed that they used a mobile map service on holiday, significantly more than any other web service – including social networks, blogs, podcasts and the rest. The number one travel-related search term in the UK is Google Maps, and has been for a long time.

The location apps seem to be feeding from our desire to be more adventurous when we leave our homes. According to Tim Hughes, an internet travel industry expert, after 15 years of online travel being about transactions, "We are moving from answering closed questions – how much for a ticket to New York? – to answering open ones – where should I go next?" It seems we are getting more open to ideas because we know just how many ideas are out there via a few clicks on your phone.

And soon perhaps we won't even have to click. Siri, an app billed as "the personal assistant on your phone" and currently available in the US only, weaves together listings from dozens of services – flight finders, restaurant recommendations, taxi services, live music – and pulls them into a single place. Robert Scoble, an American tech evangelist, ran a blog post in February proclaiming that "if you miss Siri, you'll miss the future of the web". You don't type into Siri; you talk to it. The app gradually learns to understand your voice, and can process multifaceted requests, such as: "Where is a romantic Italian restaurant with a table at 8pm close to where I am?" It even helps you when you mess up your words. When asked to "Take me drunk, I'm home", Siri will order a taxi to arrive at exactly where you are standing.

Not a mention in this article about the evils of data mining – or surveillance, or how bad stuff can happen to people who just want to have fun. I find it so refreshing to read, just once in a while, about the positive side of location based services, rather than about all the countermeasures that need to be put in place to prevent harm being caused to anyone!

Benjy makes a number of other points in his piece too – and to read it all, you can find the article at