Through a Glass, darkly

A friend kindly sent me a link to Robert Scoble’s recent article arguing that privacy advocates have “overplayed their hand” in expressing their concerns about Google Glass. Quite a lot of what Scoble says in his article is factually true, but there are relevant privacy factors he chooses not to mention, and parts of his argument are just rhetoric. That’s not unexpected, because he’s a media animal: he’s made a living out of being a polemicist, but we shouldn’t let that fool us into thinking that he’s presenting a balanced case, or even a comprehensive one. In the interest of good publicity, he’s dumbing privacy down to a set of (often) false oppositions.

For instance: is it both good and inevitable that public camera coverage will grow and grow? Not really. There’s no compelling reason to equate a social norm with a social good. So the assertion that “our society is already used to having cameras EVERYWHERE and we like it”  is just a bit of unverifiable nonsense. Which society? All societies in which Google Glass will be marketed?

By the way, who defines ‘public’? Does ‘public’ mean that anyone has right of access to a place? Or that everyone there has no expectation of privacy? And privacy from whom? If I’m somewhere that is covered by municipal CCTV, should I expect local retailers to have access to that footage? If I’m in a mall, owned by one company, operated by another, and franchised to yet more… who should I expect to see that footage? And should I expect it to be live-streamed to the local police station?

Privacy isn’t an undifferentiated generalisation: it is nuanced and contextual. Our expectations of privacy can be graduated, and depend on many factors that don’t make for good polemics – so Scoble ignores them.

The regulation of CCTV and other kinds of media capture is still immature, and by no means consistent. To say “in California it’s illegal to record your voice without consent” and move on, as if that both describes and solves the problem, is just laughable.

“Dear Mr Scoble,
Some jerk keeps keying my car when I park it on the street. Is it legal for me to put a video camera in the car to find out who it is?”

There’s no sound-bite answer to that question, so let’s ignore the issue…

But all that aside, there is a relevant difference between, say, my filming you using a video camera and my filming you using Glass, and Scoble knows this full well. The difference is Google, and Google’s terms and conditions. All the data captured via Glass goes to Google. I haven’t seen what rights Google claims over that data, but I doubt they are any less comprehensive than the rights it claims over any other data that passes through Google’s servers. My expectation is that it will be facially-recognised, geo-located, aggregated, linked, mined and generally exploited in ways that the people in the footage have no way to influence. After all, if there’s any kind of contract here, it’s between Google and the Glass-wearer, not between Google and third-party individuals.

Scoble’s recurrent argument is that, in focussing on Google Glass, privacy advocates are missing the point, and ignoring abuses of privacy elsewhere, such as in the “creepy” world of ‘questionable marketing techniques’; I’m sorry, Robert, but where do you think the raw data for behavioural advertising comes from? Google Glass gives Google a direct, real-time, locatable feed of data about third parties, willingly contributed by the Glass wearer. That’s the point – not whether or not there’s an “I am recording” light on the Glasses.

That’s not to say the world of data aggregation, data mining and targeted advertising doesn’t deserve critical examination – of course it does. But to argue that that absolves Google Glass from scrutiny is just sticking your head in the sand. And that probably voids the warranty on your Glasses.

Abit onus…


The late ex-PM, Margaret Thatcher, was a formidably hard worker with an acute memory (reinforced, I was told, by the simple but laborious expedient of diligently doing her homework, on this as on so many other topics – reviewing notes on people she could expect to encounter at any given function or meeting). She is said to have worked at hours when most others would sleep, and as a consequence to be frequently better informed on the topic at hand than her interlocutors expected.

I have no doubt that she cultivated, on this basis, an air of infallibility. It also doesn’t do, of course, for a politician to appear uncertain or easily swayed on any topic whatsoever. Certainly, her public persona was of someone who, while prepared to listen to advice up to a point, was unlikely to be dissuaded by it from the idea that she knew better.

Here’s where I think the hard work and diligence run into a problem. If you are certain that you usually know better than everyone around you, but behave as though you always know better, the consequences when you are wrong are that much worse. If you are incapable of recognising the times when it’s vital to take advice and act on it, it’s a lose/lose: you make a bad decision, you undermine your own credibility, you discourage further advice, you alienate qualified and intelligent advisers, and you waste the available expertise. This becomes a vicious spiral and, politically, I think we saw where it led.

Is the Atlantic getting wider?

Yesterday’s NYT article on US/EU consumer data protection, interviewing Commissioner Viviane Reding, has sparked interesting comment and debate, so – with thanks to @omertene for the link – and since the US and the Eurozone at least share a currency unit, here’s my 2 cents:

Richard Thomas (former Information Commissioner in the UK) described the trans-Atlantic privacy perspective as being based on feelings of “suspicion, ignorance and superiority”… before clarifying, of course, that this was true regardless of which side you started from. However, even if the feelings are similar and mutual, the reasons which underlie them are frequently asymmetric, occasionally fundamental, and possibly in some cases irreconcilable. And if you think that’s a sweeping generalisation, let me warn you that there are more to come – shot through with my opinions and questionable inferences, yes, but mostly with some basis in experience, if not objective fact.

I want to look at two main areas: the role of “rights” in privacy regulation, and the role of commercial interest.

The role of privacy

At its core, the EU’s privacy regime is based on the concept of a fundamental right to the preservation and integrity of privacy – or, as linguistic differences sometimes oblige us to put it – the quiet enjoyment of private and family life, or respect for the ‘private sphere’. The EU’s assertion that privacy is a ‘fundamental right’ often provokes a reaction of some mistrust in US counterparts I’ve spoken to. In their view there’s something suspiciously… well, socialist about it, frankly. It’s a gut feeling of unease, more than anything else; an instinct that this insistence on “rights” is a bit hippy, and rather too likely to lead to people abjuring all kinds of responsibilities too.

The corresponding EU perspective is often to be rather offended by this disparaging view of “rights” – after all, aren’t they a rather noble social aspiration? A sign of civilised progress up Maslow’s hierarchy and away from the base instincts of the market?

And here’s one of the fundamental splits. The EU, for its part, does place a lot of faith in “rights” as the basis for laws that have to apply across a diverse set of cultures, legal traditions and social norms. The US – at least from an EU perspective – puts its faith in the market and in the ability of everyman to sue. Right or wrong, the impression is that in the EU, your right to redress arises out of violation of a right, whereas in the US it arises out of a tort.

The primacy of commerce

There is also a trans-Atlantic tension over how much privilege to give to commercial interests. Again, at risk of sweeping generalisation, here are the two high-level perspectives: the EU views the US approach as prepared to write off almost any privacy-related behaviour, provided it stimulates economic activity. Commercial interest trumps all, and the use of personal data for commercial ends is, in principle, a Good Thing. This is reflected in various characterisations of personal data as a monetisable commodity, or even “the new oil”.

The idea that the commercial value of personal data is its only relevant value, though, generates unease in the European psyche. In particular, it underlies their mistrust of ‘voluntary codes of conduct’ as the sole or principal constraints on privacy-related commercial activity. Commercial data processors, they argue, simply have too many irresistible incentives to ignore such self-regulation. If the only risk arising from commercial data exploitation falls on the data subject, then only regulation can keep data processors honest: market forces won’t do the job.

Conversely, US counterparts often see the EU as insisting too much on principle, whether or not it does any good – and with the implication that it often does harm. In particular, attempts to constrain commercial data use through privacy principles are seen as a brake on innovation and thus on economic activity. There are two European ripostes to this argument:

First, they may say, regulatory constraints do not prevent the exercise of commercial innovation – indeed, ingenuity thrives on constraint, and can be relied on to find its way round obstacles in pursuit of a commercial goal.

Second, the correct way to regulate innovation is to define, pre-emptively, the principles it must respect, and then let it run. Waiting until after the event and then relying on the courts to put the privacy toothpaste back in the tube is, in this hyper-connected age, to take irresponsible liberties with the interests of the individual and consumer.

The US counter-blast is that economic activity is the interest of the individual and consumer, and that fine and fancy privacy constraints are an unaffordable luxury if your economy just isn’t cutting it in the global market.

Again, I suspect this is an EU-US fissure that runs deep and can be bridged or papered over, but probably not closed.

In the interests of (relative) brevity, I have not touched on a couple of other significant areas: (i) the “homogeneity” of EU privacy regulation, and why that is often over-stated; (ii) the implications of relying on “harm” as a metric for privacy redress. The hope is that this post will be the first in a short series, and that we will also get informed comment from US, Continental European and Asia-Pacific contributors… And with that, over to you…

New ISOC Privacy Tutorials

Well, the annual Data Privacy Day (Jan 28th) has been and gone: how was it for you? Did you follow through on your brief flurry of privacy-related good intentions? Delete your Facebook account? Update your browser privacy plug-ins? (By all means, read these questions in ascending, Stewie Griffin style if it helps set the mood…). “No? Well… you’ve been knocking yourself out… you deserve a break”. ;^)

So, in my supportive way, here’s something much simpler you can do in a few easy, 5-minute bursts. My Internet Society colleagues have launched some online tutorials to help people understand and manage their online privacy, and I hope you will help spread the word. But first, a short digression about why we’re doing this.

For a while now, I’ve been grumbling about the phrase “personally identifiable information”. It has been a useful expression, but I think it has outlived its usefulness, and is now actually constraining our thinking about how to achieve good privacy outcomes for data subjects.

We need to move away from the idea that privacy is achieved by managing lists of the pieces of data that count as “personally identifiable” and ignoring the pieces that aren’t on the list. Privacy is more subtle and contextual than that, and can be impacted by data that is not currently on anyone’s list of PII.

I want to start re-defining PII as “privacy-impacting information”.

If the explosion of social, mobile and cloud-based services has taught us anything, it is that there is money to be made out of ‘big data’, especially when it can be mined for information about individuals’ behaviour, preferences and aspirations. So, if you thought your behaviour, preferences and aspirations were none of anyone else’s business, think again – they are, literally, someone else’s business.

The information in the “information economy” is… us.

We are being bought, sold, and traded in an economy whose workings are almost entirely opaque. Every time we go online, we add to a personal digital footprint that’s interconnected across multiple service providers, and we enrich massive caches of personal data that identify us, whether we have explicitly authenticated or not. Your digital footprint is invisible to you – and it’s really hard to manage something you can’t even see.

That may make you feel somewhat uneasy.

So, here are some simple and realistic privacy steps for all of us. Try them – you’ll feel better:

First, let’s revisit our assumptions about the online “bargain”

  1. Online transactions (whether retail or social) are seldom a two-party affair these days. Who else is in the transaction chain? Does a social networking service see all your private messages to your buddies? Is a retailer selling your purchase history to advertisers?
  2. There’s no such thing as a free service. More often than not, we pay by giving up information about ourselves, without appreciating its value. Understanding the bargain is key.
  3. Often these costs fundamentally change our online experience. Yes, you may get personalised recommendations – but are you also being offered (or denied) services because of data the service provider passed on to a third party? Are you being offered higher prices because of the brand of laptop you use?

Second, let’s take time to reflect on our privacy values

Our behaviour is driven by our values. When we value convenience over privacy, we set our priorities accordingly. Until we adjust the value we place on privacy, the steps we can take to preserve it will continue to seem like an inconvenience to be put off until later.

Third, let’s take some small practical steps in the right direction

The first step towards protecting our digital footprint is to learn more about it.

The Internet Society has developed three interactive tutorials to help everyone learn more about their digital footprint. Each lasts about 5 minutes and is aimed at helping all of us become more aware of how we disclose information and how we can keep it more private. Please take a look, and forward them to people you think would find them useful.

After all, if we are the currency of the new economy, shouldn’t we have a say in what we’re worth?

“Propusk, pazhaluysta!” – On anonymous access to Internet services

Many of you will have seen the flurry of comment about a recent ‘frank exchange of views’ between Andy Smith of the Cabinet Office and Helen Goodman MP, about whether it is ever appropriate to give false details when asked for them online. I was fortunate enough to be present when they had a civilised re-match in the IGF session on Aspects of Identity this week in Baku.

First, let me make it clear that I am not condoning or recommending fraud. There are many contexts in which it is right to expect users to make truthful assertions of identity or other attributes. But to suggest that people should have no right to access online services unless they reliably identify themselves is simplistic and harmful. I use the word ‘right’ because these were the terms in which Helen Goodman expressed it on Tuesday:

People do not have a right to anonymous online access because “you can’t have rights without a rights-holder”… implying “identified rights-holder”.

In other words, you only enjoy rights if you are identifiable.

A moment’s reflection should persuade us that this is not true, either in the real world or the virtual one. For example:

- If I pay for goods using cash (in other words, it’s an anonymous transaction) I don’t, in so doing, forfeit my rights as a consumer. Identifiability has no role to play, here: all that is needed is a reliable assertion of legal tender.

- If I speak in a public forum, my right to free speech is not conditional on first stating who I am.

Come to that, I have no right to run someone over just because I don’t know their name. Anonymity doesn’t rescind their right to life.

I’m entitled to send a letter without identifying myself. The Royal Mail needs to see the name and address on the outside of an envelope, not the signature inside… and of course, that signature might consist of a nickname, some initials, or a smiley face, for all that matters. Similarly, there is no reason why I should not be entitled to send emails using an email address which is something other than my real name, and to close my emails with whatever epithet I see fit. That’s quite a different matter from rules about what I can legally say in the letter or email.

There are countless online contexts where an assertion of identity is unnecessary, and to insist on one is disproportionate. Why, for instance, should I have to identify myself just to read the news, or check the weather?

Online payment transactions don’t necessarily require identity either. There are mediated payment architectures using which it is quite possible to pay a merchant on behalf of a consumer without disclosing the identity of the payer to the merchant, and without sacrificing the auditability of the transaction. Again, there are cases where identification is appropriate, but plenty where it is not.

An over-insistence on authentication for transactions where it is not needed also has predictable bad consequences. For instance, if interactions are personally identifiable, they come within the scope of data protection laws; if all transactions fall into this category, the potential regulatory and compliance burden for service providers balloons out of all proportion – and so does the cost and complexity of governance.

Then there are the perverse consequences of some well-intentioned forms of authentication: if you insist that a verifiable proof of age be used to control access to ‘safe’ online chat-rooms for teenagers, you give predatory bad actors a strong incentive to threaten/bribe/cajole teenagers into allowing their credentials to be used… potentially putting them at greater risk than they were before.

And finally, there are the slightly more specialised cases, where anonymity and pseudonymity are needed to protect witnesses, undercover law enforcement officers, victims of domestic abuse, intelligence officers and so on.

In all these instances, there is a clear public interest in not insisting on authentication.

But as anyone who attended the IGF in Baku ought to appreciate, a blanket insistence on authentication for online services has a chilling effect on free speech, too. It can stifle (and even put at risk) whistleblowers, human rights campaigners, or simply those who disagree with an oppressive regime. It is disturbing when policy-makers in a democracy call for an end to online anonymity, because that gives undemocratic regimes something to point to as they lock down free speech and access to information for their own repressive purposes. As readers of my blog will know, I reserve particular scorn for the pernicious “nothing to hide, nothing to fear” argument, and it saddened me deeply to see it deployed in the Aspects of Identity session.

Returning to the question of ‘no rights without a rights-holder’: the bizarre thing is that this is the kind of neo-con soundbite that used to be touted about by the likes of Janet Daley on the Moral Maze… “you can’t have rights without responsibilities”… When of course there are plenty of individuals – infants, children, those with severe cognitive disabilities, and indeed non-human animals – whom we recognise as having rights with no, or fewer, corresponding responsibilities.

A world in which those without responsibility were held to have no rights would be a genuinely disturbing one. I wonder if Helen Goodman has really thought through what it would be to inhabit a world in which all rights were contingent on the rights-holder (or rather, rights-claimant) being identifiable.

IGF2012 session: Governing Identity on the Internet

I got the chance to take part today in a workshop session at the Internet Governance Forum in Baku, and as, for once, I had made some written notes, I thought I’d get a little more mileage out of them by posting a summary here… I hope this is useful. Comments welcome, as ever.

A 1, 2, 3 of digital identity

Having listened to the very diverse views and interpretations of identity here at the IGF this week, my worry is that we’re talking about governing something that we haven’t clearly defined. So here’s a perspective on digital identity, under three headings:
1. One evolutionary sequence: how did we get here?
2. Two models of what digital identity is…
3. Three issues

1. Evolution

In the 80s, your ‘identity’ meant either your passport, or – if you were one of the few who used a computer – your account on a mainframe or (higher education) server. Siloed and incomprehensible to other systems or organisations.

In the early 2000s, it started to make sense to talk about your ‘network identity’: the collection of things that a panoptical third party could know about you, by looking at all the places where information about you was stored online (IDs, accounts, user profiles, etc.).

By the middle of that decade, federated identity was a reality, at least among large enterprises: a non-siloed digital credential that could be used to identify you to an organisation that had not issued it to you.

The current goal could be described as “Internet-scale” federation: a framework which can cater for many kinds of credential, understandable by many organisations, in different sectors, for different purposes, with different models for trust and liability. This is the aim of programs like the US National Strategy for Trusted Identities in Cyberspace and a similar initiative in the UK, for example.

In short: the goal is a digital ‘identity’ as multi-faceted and versatile as our real-life, individual identity as a person. That’s a long way from where we were 30 years ago – and we’re by no means there yet.

2. So let me describe two ways of looking at digital identity. I’ll describe the first one and then contrast its characteristics with the second. The first, I’ll call the Classic model. It is based on:

- Single authoritative source
- Credential
- Authentication
- Binary (Y or N)
- Level of assurance and a chain of trust, both of which can be formalised into procedures and assigned liability models (retroactive).

The second is what I’ll call the Emerging model. It looks like this:

- Multiple, low-assurance sources
- Attributes
- Authorisation
- Contextual and adaptive
- A web of trust, notions of mutable reputation, and quantifiable mainly in terms of risk management (predictive).

3. So, what issues does that present us with?

The Classic model is fundamentally retrospective. It’s the historical way of thinking about identity: it establishes an identity relationship between what’s happening now and a trusted event in the past, and liability is – basically – the arrangement for what you do after something has gone wrong.

As a result, one problem is that it copes badly with cases where an identity was issued for one purpose and is later used for other purposes – but you can’t stop that from happening.

The Emerging model is future-facing. It is much more dynamic, and it is also completely compatible with anonymous authorisation. But it alters our conception of identity and trust, and relies on immature disciplines such as reputation management and contextual authorisation.

It is a model whose working parts are almost entirely hidden from the end user – where the Classic model at least (usually) requires the user’s involvement at the point of authentication. The Emerging model poses real questions of user control and consent.

And lastly, there’s a catch. This isn’t an either/or decision. We need both the classic and the emerging models – because neither, on its own, can get your digital identity close to being a reflection of your personal identity.
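To make the contrast between the two models concrete, here is an added example (my own constructed code, not anything from the IGF session or from any identity programme) that implements both side by side. The Classic half is a single authority verifying one credential and answering yes or no; the Emerging half takes attribute claims from several low-assurance sources, combines them, scores the context for risk, and authorises without ever asking for an identifier. The `AttributeClaim` type, the risk weights and the policy format are assumptions made for illustration; the assurance-combination rule treats sources as independent, which is a simplification.

```python
"""Two toy models of digital identity, side by side (constructed example).
Classic : one authoritative source, a credential, binary authentication.
Emerging: several low-assurance attribute sources, contextual authorisation,
          a risk score, and no requirement to identify the subject at all."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


# ---- Classic model -------------------------------------------------------
@dataclass
class ClassicAuthority:
    """Single authoritative source holding salted password hashes."""
    _accounts: dict = field(default_factory=dict)

    def enrol(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._accounts[username] = (salt, digest)

    def authenticate(self, username: str, password: str) -> bool:
        """Binary answer: the credential verifies against the record, or it doesn't.
        Identity (the username) is required before anything else can happen."""
        record = self._accounts.get(username)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


# ---- Emerging model ------------------------------------------------------
@dataclass
class AttributeClaim:
    source: str        # who asserts the attribute (bank, telco, ...)
    name: str          # e.g. "age_over_18"
    value: object
    assurance: float   # 0..1 confidence placed in this source (assumed scale)


# Assumed weights: how much each contextual signal raises the risk score.
RISK_WEIGHTS = {"new_device": 0.3, "unusual_location": 0.4, "high_value_action": 0.2}


def combine_assurance(levels: list[float]) -> float:
    """Probability that at least one of several independent sources is right.
    Two sources at 0.5 combine to 0.75; no sources at all gives 0."""
    p_all_wrong = 1.0
    for a in levels:
        p_all_wrong *= (1.0 - a)
    return 1.0 - p_all_wrong


def context_risk(context: dict) -> float:
    """Predictive, adaptive part: score the current context, capped at 1."""
    return min(1.0, sum(w for k, w in RISK_WEIGHTS.items() if context.get(k)))


def emerging_authorise(claims: list[AttributeClaim], context: dict, policy: dict):
    """Decide on attributes and risk only; no identifier is ever consulted.
    policy = {"required": {attr: value}, "min_assurance": x, "max_risk": y}"""
    for attr, wanted in policy["required"].items():
        levels = [c.assurance for c in claims if c.name == attr and c.value == wanted]
        if combine_assurance(levels) < policy["min_assurance"]:
            return False, f"insufficient assurance for {attr}"
    risk = context_risk(context)
    if risk > policy["max_risk"]:
        return False, f"context risk {risk:.2f} exceeds {policy['max_risk']}"
    return True, "authorised on attributes; no identifier was required"


if __name__ == "__main__":
    authority = ClassicAuthority()
    authority.enrol("alice", "correct horse battery staple")   # constructed values
    print("classic:", authority.authenticate("alice", "correct horse battery staple"))

    claims = [AttributeClaim("bank", "age_over_18", True, 0.5),
              AttributeClaim("telco", "age_over_18", True, 0.5)]
    policy = {"required": {"age_over_18": True}, "min_assurance": 0.6, "max_risk": 0.5}
    print("emerging, quiet context:", emerging_authorise(claims, {}, policy))
    print("emerging, risky context:",
          emerging_authorise(claims, {"new_device": True, "unusual_location": True}, policy))
```

Note how the two halves fail differently: the Classic authority fails closed on an unknown username (it cannot say anything without an identity), whereas the Emerging policy can grant access to someone it has never identified, and refuses only when the combined attribute assurance is too low or the context looks too risky, which is exactly the “contextual and adaptive” property the post describes.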

The price of pseudonymity

Paul Bernal and Lawrence Serewicz both left such thought-provoking comments on my previous post that I thought it worth a quick follow-up blog, just to keep the topic ‘live’ for a little longer.

Paul pointed out the balance between the benefits that can come from allowing anonymity/pseudonymity, and the harm that can result from making both impossible. Lawrence examined some of the many broader implications that can have for the relationship between the individual and the state.

Language is a delicate thing, and it occurred to me that politicians will often draw a very sharp line between something which they are prepared to say, and something almost identical which they are not. For instance, I’m pretty sure I have heard a politician say something along these lines:

“A certain level of anti-social activity online is the price we pay for living in a free society”

But I can’t remember ever having heard the following:

“A certain level of anti-social activity online is the price we pay for living in a free society, and it’s a price worth paying”

Politically, it seems to be unacceptable to acknowledge that any level of bad behaviour (or crime, come to that) is a price worth paying for the social benefit of not living in a police state… and yet no-one could plausibly say it’s not the case.

I wonder why that is?