Smart meters and privacy

Belatedly, I’ve spotted a good post on the Big Brother Watch blog, here, on the subject of smart metering of utilities such as electricity, gas and water. I tried to leave a comment, but for some reason it got rejected… so here you go:

An awful lot of this debate needs to hinge on transparency. If smart metering is ‘something “they” do to “us” for “their” reasons and benefit’, it will run into considerable opposition, fail to generate the buy-in of household energy consumers, and therefore ultimately fail to reduce energy consumption/carbon footprint etc.

That principle has to guide the energy companies, as they consider design factors such as:

– what are the full range of purposes for which energy consumption data is collected, processed and shared with other organisations?

– what’s the balance of interests between the householder, the energy supplier and third parties?

– exactly what data items are collected by the meters?

– how much of that data is transmitted to the energy supplier?

– how much of it is visible to the householder?

– what degree of control does the householder have over what data is sent and what is kept solely for the householder’s use/convenience?

I really worry when I see the Director of Energy UK, on behalf of the UK Energy Industry, quoted as saying, essentially, “consumers’ security is paramount, and all information will be handled in strict accordance with the Data Protection Act”.

Frankly, if those are the success metrics, the privacy outlook is grim.

1 – Security is not the same as privacy, and a system can be designed to provide great security but trample all over users’ privacy. Privacy needs to be an explicit design goal in its own right from the outset.

2 – Data Protection law applies to the subset of data currently classed as “personally identifiable”… and there is still plenty of argument over what that means. As others have pointed out, you don’t need to personally identify someone in order to burgle their house when energy consumption data indicates they are not at home. DP law is an interesting starting point, but is not sufficient to guarantee a privacy-respecting implementation which protects householders from the range of possible threats.

I am also increasingly wary of promises such as that offered by Mark Daeche of First Utility, who says that information should be “secure and anonymous”. The work, particularly, of Vitaly Shmatikov and Arvind Narayanan has made it increasingly clear that anonymisation of consumer data is extremely hard to guarantee. Their papers should be required reading for anyone involved with supposedly “anonymised” datasets – required, but probably not reassuring. (See Arvind’s excellent blog here, aptly named “33 Bits of Entropy”, for well-informed and well-reasoned thoughts on data and privacy).

The question of “entropy” in personal data is going to be a key one, as we speed ever faster into the world of grids, sensors and smart devices. As I mentioned in a Tweet earlier today, it means that, as a perverse consequence, the more users pare their electricity consumption down to the bare essentials, for instance, the more identifiable the resulting usage pattern will be.

Guardian Tech interview with Eric Schmidt

Some of my readers are probably old enough to remember the occasion in 1984 when President Ronald Reagan stepped up to a microphone for a sound check and uttered the memorable words:

“My fellow Americans, I’m pleased to tell you today that I’ve signed legislation that will outlaw Russia forever. We begin bombing in five minutes.”

This week’s Tech Weekly audiocast on the Guardian site (here) includes a brief interview with Eric Schmidt (it’s in the first 10 minutes, followed by analysis/discussion from the Tech Weekly team).

In the excerpt, Eric Schmidt explains to Jemima Kiss how Google happened to capture some network traffic as its rather inaccurately-named camera cars “sniffed” wireless SSIDs as well as StreetView image data.

Unfortunately – at least on the basis of this part of the interview – I am still not convinced that Mr Schmidt really has as firm a grasp on the privacy issue as I would have hoped for from Google’s CEO. Here’s why:

1 – the problem of cross-border jurisdiction. One of the examples Schmidt cites, of ‘how much data we all happen to disclose’, is that of mobile phone location data. He describes it as a ‘legal requirement’ that your ISP should be able to locate your mobile phone (in case it is needed for emergency services, for instance). As I understand it, that is a legal requirement in the US, but not in the UK, for example. I don’t claim to know which jurisdictions do and don’t require it, but that’s beside the point – the point being that the legal status of your mobile phone location data varies by jurisdiction.

When the CEO of a company with Google’s global reach and colossal processing capacity uses examples which suggest he thinks the regulatory regime is homogenous world wide, that does not instill confidence. Not all countries have the same cultural, legal or regulatory approach to privacy as the US, and it is dangerous to proceed on the assumption that they do.

2 – the issue of privacy and harm. At one point, Schmidt essentially argues that we need to keep the wi-fi data snarfing in perspective, and bear in mind that, as no harm has arisen out of it, it’s not really a privacy breach. Again, if one is in Schmidt’s position, I think that is a very dangerous position to espouse. For instance, there is (as yet) no indication that harm has arisen from the UK HMRC “2 CDs” data breach… so is that entirely privacy neutral? Of course not; it would be absurd to conclude that absence of provable harm means that no action need be taken as a result of the HMRC data breach.

Harm is one factor in assessing actual or potential data breaches, but it is absolutely not a sufficient metric for gauging privacy risk.

And finally, there’s the question of Google’s reaction to the wi-fi incident. What will they do as a result? Well, according to Schmidt’s comments, it’s predominantly a matter of “education” and addressing the fact that “people don’t like it”.

Those are part of the picture, for sure – but again, they are not enough. There are laws in this area – and if those are not given due consideration, the fact of whether or not people like your behaviour is somewhat secondary.

The point of my opening reference to Reagan is that often it’s not just a question of what is said, but by whom and in what context. It may well be that Schmidt’s heart is in the right place and has “Don’t be evil” tattooed on it – but I come back to the point that, because of the post he occupies, his pronouncements on these topics have a very particular weight and resonance. On that basis, I think we are entitled to less about ‘educating us about why we should like it’, and more about building respect for our privacy into Google’s business model.

O’Reilly gets contrarian on Facebook privacy

[This is a slightly extended re-post of a comment I left on Tim O’Reilly’s blog, here.]

First, I should make it clear that I congratulate Tim O’Reilly on managing a contrarian post which is thought-provoking without being inflammatory… a balance which is hard to strike on this topic.

I have to say, though, that over-all I disagree with Tim’s argument. We are (or should be) way past the stage, with social networks, of just innovating “because it’s possible”; a more evolved attitude is to ask not just whether we can do something (because after all, these days online, pretty much anything is possible) but rather whether we should do it. Innovation does not trump ethics.

By comparison, think what the reaction would be if, instead of personal data, Facebook’s raw material was genetically modified bacteria. Would we really be happy for them to be playing around with a 400 million-person petri dish, all in the name of “innovation”?

No – if Mr Zuckerberg wants to push his agenda of “radical transparency”, he should be doing it with the knowing, informed and explicit consent of whatever subset of users want to take part, not with the vast majority of users who don’t have the information or the tools with which to make rational decisions about the privacy of their information online – and who, in many cases, signed up under a radically different set of terms to those which have since replaced them.

As a more general principle, what this suggests to me is no different from what has been happening for decades in other fields of innovation (and I think of things like medicine, nuclear physics, gene technology and so on): we are quite accustomed to having discrete and very different governance regimes for the “research and development” phase and the “mass consumer roll-out” phase. Facebook’s model (and the one Tim O’Reilly seems keen to endorse) it that it’s OK to conflate the two, treat the “mass consumer roll-out” phase as your personal horde of lab rats, and innovate in ways which put them at risk.

My former colleague Michelle Dennedy, then CPO at Sun Microsystems, used to advise organisations to treat personal data like toxic waste. From that perspective, I don’t think what Mr Zuckerberg is doing with 400m people’s personal data is at all healthy. Not for the individuals concerned, and ultimately not for the rest of us either.

Missing the point on Facebook and privacy

B.L. Ochman writes here about Facebook’s privacy issues, arguing that actually, the fault lies with all of us for consistently oversharing on the internet, rather than with Facebook. While admitting that Facebook has made a PR mess of the way it has introduced and communicated some of its changes, the article says, in part:

“People have made a lot of terrible decisions about what they put online for as long as the internet has existed. It’s about time everyone realized that you shouldn’t put anything online that you wouldn’t want an employer, the government or your mother to see. Facebook never made those decisions for anyone! “

Well, as far as it goes, that’s true – but it paints a picture which is partial in two crucial aspects; those of purpose and informed consent.

“Social networking” sites (and I have ranted often enough about why I object to that phrase) create a false reality which users are only too happy to collude in: the illusion that when you go online, just you and your buddies are interacting. In fact, of course, not only are you not alone, there is a third party in the room whose commercial interests lie explicitly in re-selling the byproduct of your social interactions.

Awareness of that fact is growing, thanks in part to the current publicity Facebook’s privacy-eroding policies are generating, but not, it must be said, through any informative disclosure by Facebook, to users, about their role in its business model.

Ochman makes the case that we have all been making poor privacy/disclosure decisions for years. Well, if that’s so evident, it should be correspondingly obvious how to design systems to help users make better privacy decisions. One cannot credibly argue that Facebook is an example of that.

[Thanks to @N_Hickman for pointing me to the B.L. Ochman article]

XML Summer School 2010, Oxford

Do you sometimes find yourself watching the commercial break during a TV programme and thinking “sanitary pads? volumizing mascara? chocolate flavoured diet bars? Strange – I thought I quite liked this programme, but I am obviously not supposed to, judging by its target demographic…”?

Well, with any luck, I am not about to induce the same feeling…

The XML Summer School is an event I was introduced to by two former colleagues at Sun Microsystems – Eve Maler and Lauren Wood – both of whom have been formative influences on it since its creation in 2000. The principle is very simple: you assemble a ‘faculty’ of experts, give them topics to lecture on, add congenial surroundings and extra-curricular activities, and stir in a generous mixture of participants. The result, in my experience, is quite exceptional…

There is deep technical expertise in abundance, in domains ranging from cognitive science, software and user interface design through to the nitty-gritty of RESTful applications and XML Schemas. There are also plenty of opportunities to engage with the faculty members, whether facilitated by a pint or a punt, so this is a very long way from the run-of-the-mill classroom course. As what I can only assume is a bit of (relatively) non-technical light relief, I will be talking about future directions in digital identity and privacy, as part of the Web Services and Identity course.

The whole thing is ably masterminded by John Chelsom, an experienced software developer and entrepreneur, who asked if I would extend this invitation. I am delighted to do so:

XML Summer School
5th – 10th September 2010
St Edmund Hall, Oxford.

The XML Summer School is a unique event for everyone using, designing or implementing solutions using XML and related technologies. Our speakers are some of the world’s most renowned XML practitioners and teachers, who enrich the learning experience with their enthusiasm and expert knowledge, and are always on hand to make sure that delegates receive the very best XML training available.

As always, the XML Summer School is packed with high quality technical XML training for every level of expertise, from the Hands-on Introduction through to special classes devoted to XSLT, XQuery, Semantic Technologies, Web Services and Identity. The Summer School is also a rare opportunity to experience what life is like as a student in one of the world’s oldest university cities.

To find out more and to register your place on the XML Summer School please visit

Dr John Chelsom
Partner, Eleven Informatics LLP

So there we have it; I’ll be there along with John and the rest of the faculty, and I hope you can join us at “Teddy Hall” in September!

Privacy and SSIDs – in more than 140 characters

[ I don’t normally do this, but I’d like to point to Steve Wilson’s comment on this post, because I think his analysis is exemplary. The quote Oscar Wilde – “I wish I’d said that” ;^) ]

I really value the immediacy and ‘connectedness’ of Twitter, but now and again I get into a Twitter discussion which really suffers from having to be conducted in 140-character bursts. I was in one earlier today with @dakami and @roessler which arose from news coverage of Google’s admission that they had been ‘inadvertently’ collecting wireless network data in the course of capturing Streetview images.

To be fair to Dan Kaminsky, I did rather open things up by describing him as “disingenuous” – in that what he was reported as saying (here, on the BBC site) boiled down to “well, if you broadcast wireless data, you can hardly be surprised if someone picks it up”. Dan pointed out via Twitter that actually that quotation had been somewhat selective, and that the article did not accurately portray the real thrust of his comment, which was more along these lines:

“Given that WIGLE and Skyhook have both been mapping wireless networks since the turn of the millennium, it’s a bit daft to treat Google as an egregious offender in this area”.

(I hope I’ve done Dan’s position justice here – I’m extrapolating from a couple of tweets…)

OK – so here’s my position in the kind of detail which Twitter really doesn’t lend itself to.

First; fair enough – as Thomas Roessler pointed out (also via Twitter) – is there a real privacy issue in logging the SSIDs of wireless networks? Arguably not – particularly as one has the option not to broadcast an SSID in the first place. However, I struggle to see the utility of logging domestic SSIDs, or indeed commercial ones, if they are not the SSIDs of networks intended for public access. Who stands to benefit from that data? And if it is anyone other than the owner of the network, what’s the deal with that?

Second; similarly, Dan rightly points out that an SSID is something which is broadcast… so it’s perhaps a little churlish to gripe when someone notices it. On the other hand, even in my not-very-densely populated neighborhood, there are half a dozen ‘visible’ networks. For the sake of the people who I do wish to be able to connect to my domestic wifi network, it is more convenient to have a broadcast SSID which distinguishes it from the others. Under some circumstances, it might also help them avoid getting suckered into connecting to a rogue access point.

Third; there’s the matter of intent. I set up a domestic wireless network for a very clear, well circumscribed purpose: it is there so that members of my household can share access to the cable connection. That’s all. I didn’t install it, or name it, so that it could be plotted on a map. It is there for a specific purpose which is limited to my immediate family. As such, particularly if interfered with, it engages Protocol 1, Article 1 of the European Convention on Human Rights (ECHR) – “the entitlement to quiet enjoyment of one’s possessions”. By default, that is the legal position.

Now, I fully accept that, as far as the SSID alone is concerned, and given that it is a broadcast value and that broadcasting it is a matter of choice, it is arguable that no harm arises from collecting and publicising it. I still question what the utility is of doing that, for domestic networks.

However, the point is that that is not what Google were obliged to own up to, because what the German authorities uncovered was that they had also been capturing data packets from domestic networks, not just identifiers. In that case, we’re not dealing with just the ECHR – we’re talking about unauthorised access to computer systems, which (in the UK) is an offence under the Computer Misuse Act.

You might retort that it’s the network owner’s fault anyway for being stupid enough to leave their network unsecured. I have two issues with that response.

1 – The fact that I have left a window open does not make it less of an offense to climb into my house and steal my stuff. It might affect my insurance status, but it doesn’t mean theft is not a crime.

2 – There is no contract of any kind in place between companies like Google, WIGLE, Skyhook etc and the householder whose data is being recorded through these initiatives. As the German instance makes clear, there are regional and national differences of view as to what the ‘rules’ are, in the absence of such a contract. For my part, I simply note the practical difficulty faced by the householder in making his/her preference known. For example, if I wished to make it clear that I do not consent to unauthorised access to my domestic wireless network, there is no mecanism for “posting” and explicit notice to that effect, in the way that I might post a ‘please keep out’ sign at the boundary of my property.

As long as the householder has no viable technical means of making his/her preferences known, I would argue that the default should be a presumption of privacy, not a presumption that such data is free to be broadcast to the world.

Some of you may have seen danah boyd’s presentation at SXSW this year. I wasn’t there myself, but have since been lucky enough to see a video of it (authorised, I hasten to add…). One of the many points danah made with admirable clarity was this: taking data which is in the public domain and making it more public (for instance, by broadcasting it widely, or making it globally accessible where it was not before) is not privacy neutral. Actually she put it more strongly and said that it is a violation of privacy.

What I think we need to learn – from companies like Google, WIGLE, Skyhook and others – is that privacy is seldom a binary concept. It does make sense, as danah has done, to describe some data as ‘public’ and other data as ‘more public’. It does make sense to talk of graduated consent to disclosure, rather than bald ‘consent’ or ‘refusal’. And it makes sense to think in terms of conditional disclosure, not just free-for-all or nothing.

Privacy, when it comes down to it, is not a technological construct: it is a personal, social and cultural construct, and a nuanced one at that. Inescapably, as more of our lives are technically-mediated, we face the challenge of mapping that shaded, complex social view of privacy onto a rather crude, binary set of tools. Companies like Google have shown themselves to be fantastic innovators in so many ways; it’s time they turned that ingenuity to the privacy question.

UK jobless total continues to rise…

As I reported yesterday, the new Coalition government spelled disaster for the employment prospects of Elizabeth Henderson, the human face (sic) of the UK ID Cards Scheme.

Regrettably, the jobless total seems set to soar still further, since if there’s no ID Card scheme, there’s not much need for an Identity Commissioner either. Bad news for the relatively recently appointed Sir Joseph Pilling.

Rumour has it that his office is already politely cancelling his upcoming engagements.