
Blog


May 17, 2013 | Javier Ruiz

Shakespeare: on the mark for open data, misses on privacy and transparency

The independent review on public data prepared by Stephan Shakespeare, chair of the Data Strategy Board, has just been published. Much of what Shakespeare recommends is very good stuff, and includes things that ORG has been proposing for some time. But we have some disagreements, particularly on the analyses and proposals around privacy.

UK Government CO2 emissions 2011 (actual volume)

We will not cover every recommendation. The full text including an executive summary can be found HERE.

National Data Strategy

Shakespeare looks at the big picture and proposes a National Data Strategy that overcomes the current fragmentation and piecemeal approach. This would be based on a clear principle of citizen ownership, and reach both government departments and the Trading Funds that sell high value data. The initial focus would be on education, health, economic and public administration data.

We will have to wait until the official response to know whether these recommendations are accepted by government. Previous attempts to crack the trading funds have been slow to progress. The review is accompanied by an economic study carried out by Deloitte that estimates the cost of opening the trading funds at £143 million. The benefits from opening all PSI are calculated at £1.8bn in direct value with wider social benefits of £6.8bn. This is not the first such report, and previous calculations have simply not been accepted by those responsible at BIS. 

But will it work in practice?

These proposals will inevitably be compared with changes in US policy. Obama’s recent executive order on Open Data sets the bar very high. The order sets clear guidelines for engagement, reporting and moving on from a similar cherry-picking approach. But in both the UK and the USA the problem has been implementation. The order from Obama demands that departments index all their data, but in the UK government bodies supposedly have had an obligation to build comprehensive asset inventories for some time, and failed to do so.

The recommendations do not explain how this will change. There are some excellent proposals to improve the governance of open data with a review of the complex structures. ORG has direct experience of engaging with the proverbial right and left hands, and has raised this issue with policy makers. But it may not be enough. The US seems to take a stronger line and will force departments to open.

Private sector data

Other positive proposals centre on the data from private companies. Shakespeare proposes an environment where public and private sector support each other and share data. We think this is good as long as it does not involve personal information. We support calls for companies to share data on private-public partnerships, but the proposed mechanism of procurement clauses may not be enough. Changes to FOI law would have been preferable.

Also very much in line with ORG’s thinking is the idea that private data derived from the activity of citizens is co-owned by them and should return value to citizens while respecting private investment. Midata is presented as an example, but this is a narrow understanding of the implications of this. We need wider governance models for both public and private data.

Transparency vs Growth

Less positive is the exclusive focus on economic growth, against transparency and accountability. This separation is artificial and problematic, and risks that if the economic benefits are disputed the whole policy could be endangered. Instead, transparency and accountability should be recognised as the basis for a public interest data policy, with economic growth building upon these.

The review does not completely avoid the topic. Calls for “systematic and transparent use of administrative data” in policy are very welcome. We agree that we should embed this in an improved democratic process of consultations and impact assessments.

Trust and privacy

It is good that privacy is given a lot of consideration, but we have to disagree on some of the analyses and recommendations. In the review the main privacy risks of public data can be divided into those affecting identifiable data and those around anonymous data. Shakespeare recommends a “pragmatic policy on privacy” based on two main pillars: 

Technological measures

He proposes sandbox technologies with restricted access control for selected groups such as researchers. This implies that the data is not fully opened, as it would cover personal and pseudonymous data. While a good idea in principle, there are issues around governance.

Anonymisation is seen as the main vehicle to convert personal data into open data. Although the review acknowledges that anonymised data receives stronger protection in other European countries, it does not properly explore the implications of the growing mountain of evidence that anonymisation in itself does not provide long term protection. It simply refers to the work of the ICO, which has developed a Code of Practice of Anonymisation and an expert network. 

There are good ideas for a better complaints system - we propose a responsible disclosure framework - and some consideration of opt-outs, but these are not properly developed.

Self regulation with stronger penalties

It is slightly disappointing that citizens’ privacy continues to be perceived as a hurdle, instrumentally required in order to build trust rather than as a fundamental right.

According to Shakespeare, citizens have an “unrealistic degree of expectation” of the capacity of those who hold their data to truly protect it, and this inhibits innovation. He proposes a “privacy through accountability” model that would shift the responsibility to ensure that citizens are not harmed to the re-users rather than the primary holder of the data, which currently bears the main responsibility. This is proposed by Mayer-Schönberger and Cukier in their book Big Data.

These proposals follow a model similar to the ICO Code of Practice of Anonymisation, where if the organisation holding the data follows procedures and tries its best, they won’t be held fully responsible for re-identification by third parties.

This self-regulation model would be coupled with stronger penalties for misuse, including criminal sentences. This has been demanded for some time by the ICO and privacy groups, and it appeared again at the Leveson inquiry. The European Data Protection Regulation currently discussed in Brussels contemplates stronger fines based on revenue, rather than the paltry fixed amounts the ICO can currently adjudicate.

But a fundamental issue not tackled by these proposals is that citizens have to rely on the ICO for fines or punishment, and have no power to demand compensation. Allowing for class action on damages would be a good addition to fines and punishment. It would also be important to look at the wider impacts, for example in relation to profiling and discrimination law, where no data breach will take place.

The review makes sensible proposals about better guidance and privacy impact assessments. Ethical guidelines for researchers, also proposed by Shakespeare, are certainly a good idea, but we cannot agree that “best practice guidelines should be enough”. Non enforceable systems should build on top of a strong baseline of statutory data protection. Also, rather than an industry self-regulation approach, we would prefer a multi-stakeholder governance model that involves the data subjects as well.

In any case, privacy regulation is a veritable legal supertanker and such fundamental changes to basic principles of accountability of data controllers will be limited both by EU level legislation and other international processes. The Shakespeare review may have benefitted from broader consultation with civil society groups.

Other reactions on the web

The Guardian: The Shakespeare review: what's the future of UK open data?

Open Knowledge Foundation: positively received

Open Data Institute: ODI calls for government to act fast in response to Shakespeare Review

Paul Maltby (Head of Transparency at the Cabinet Office) on core reference data

 

 

 



May 14, 2013 | Ed Paton-Williams

Naked Citizens: Protect your Privacy!

Imagine you opened your door tomorrow morning and found hundreds of naked people there waiting for you. Now what if they all started telling you what they thought about something you’d assumed not many people cared about. Naked people...talking about data protection? It’s safe to say it’d get your attention.

After a little sit down and maybe once everyone had covered themselves up a bit, you’d probably want to find out just why all these people had turned up at your door. You’ve just put yourself in the shoes of your MEPs who are receiving postbags full of cards just like this one.

Naked Citizens Postcard

People from across Europe are sending postcards like this to their MEPs asking them to support new proposals protecting our privacy and giving us control over what happens to our data.

Join them right now - click here to send your postcard! You can choose the message and how it looks and everything.

Big business isn’t standing by though. They are flooding the normal democratic process with lobbying to get the plans watered down and strip us of our right to privacy. They want to keep on profiting from our most intimate data.

Take Everything Everywhere, reported this week to be selling the data of their 27 million mobile customers to the polling company Ipsos MORI. EE customers’ personal details could have been revealed to the police without their consent. EE say that the data has been anonymised but it is often possible to re-identify people from anonymised data.

Phone companies like EE have been pushing particularly hard against the new data protection plans. It’s not hard to see why. They wouldn’t be able to sell their customers’ data without their consent.

As they stand, the new regulations would help make sure we control what happens to our data, not the big corporations making money from data about our personal lives. Here’s what the new laws would mean for you. 

  • You’d be able to decide who gets access to your data, what they can do with it and who they can give it to. You could delete your data or move it wherever you like, whenever you like.
  • Your data would be protected whenever you could be identified. This includes so-called pseudonymous data that could still single you out despite being stripped of personal identifiers such as names and addresses.
  • Services that want to use your data would have to get your explicit consent beforehand so there’d be no more vague or easy-to-misunderstand ‘agreements.’
  • There would be severe penalties when the rules were broken to help deter companies from misusing your data and infringing your privacy.

But all this is under threat. If the big corporations and their armies of lobbyists get their way, the new law won’t have any teeth and companies will just keep on invading your privacy.

Help stop their full frontal assault on our personal data! Please send a postcard to your MEPs.

Read more about the amendments to the Data Protection regulations that would threaten citizens' privacy in this report put together by digital rights organisations from around Europe.



May 13, 2013 | Jim Killock

EE and sale of user data: does Anonymisation work?

This afternoon, EE called ORG to ask us about our blog. They did not question the article, but confirmed that it is their belief that IPSOS MORI employees misrepresented what the data they are offering can do.

They said in response that “most” of the data is large, aggregated datasets, of around 50 users. However, their customers currently don’t know how and when their data might be aggregated or made available in an anonymised form.

Anonymising datasets rarely prevents re-identification. For instance, Nature highlights research showing “in a dataset where the location of an individual is specified hourly, and with a spatial resolution equal to that given by the carrier's antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals.”

Cambridge research on network identification shows similar kinds of results.

In response to these publicly-aired concerns, the CEO of Ipsos Mori offered data to researchers:

Ben Page, Ipsos MORI ‏@benatipsosmori
@PlanetJamie39 @PaulbernalUK @patrick_kane_ I don't see why not. Should publish peer reviewed paper on this data

But there are other answers to the problem, other than waiting for a public outcry. These are

  1. Ask for users’ permission before offering their anonymised data. Make this legally required in data protection, helpfully being debated right now.
  2. Open anonymisation techniques for peer review. Then the best brains can help spot mistakes. Such approaches take place in security software, e-voting software, and of course in Open Source software more widely.
  3. Offer “responsible disclosure” mechanisms for people to explain when they see mistakes, so data providers can stop the problem.

Mobile companies are not the only people playing with fire in this way. There are also government data initiatives, which are even more worrying, looking at personal health data, education and benefits data.

If you want to do something today, why not ask your MEP for strong data protection, as a first step?



May 13, 2013 | Jim Killock

EE selling your data to pollsters and police

The Sunday Times has published an explosive piece about an exclusive deal for the sale of customer data between mobile operator Everything Everywhere and polling organisation Ipsos Mori, who in turn have tried to sell the data to the Met Police.

The details that have emerged since imply that access to the data is partially controlled by use of “anonymisation” - a controversial practice which many people believe to be highly circumventable in practice.

According to the Sunday Times (Paywall), the data offers the following insights:

  • Gender, age and postcode of users as well as friendship networks, plus calling circles, customer interests (eg sport, film, news) and activity at work or at home
  • Calls data, including time of day call is made, number called, duration of call and customer location to a 100-metre radius
  • Data on texts, including time of day it is sent and location of customer
  • Mobile web and app usage, including domain name of sites visited, session length, duration on site, previous and next sites visited and amount of data uploaded and downloaded during session
  • Customer location, which is determined by call records or mobile phone ID, to an approximate accuracy of 100 metres, and profiles of customers, potentially including spending patterns.

Access to such data normally requires personal consent in data protection law. This is why Ipsos Mori have been quick to reject claims that the data would allow for any individual to be singled out (Press Release).

Ben Page, the CEO of Ipsos Mori, has taken to Twitter to assure critics that their data only provides aggregates of 50 people within a 700 sqm area, or "across a time period", showing "mas[s] movements of people - but not individuals". The data is "anonymised" by EE and according to Page it would allow the Met to know "what travel, crime, info sites people look at when in West End for example, but anonymously".

However, the Sunday Times article contains details of conversations between Ipsos Mori and the Met about the ability to track individual protesters after a demonstration. This would be surveillance on a par with the Snoopers’ Charter and it is perhaps unlikely that a major company would commit such a major privacy blunder. However, what employees are doing or saying is another thing.

The Sunday Times’ evidence is that employees are making such claims: this must be investigated by the ICO, or a police force other than the Met. After all, T-Mobile’s employees (now part of the EE group) got into trouble in 2009 by selling customer data - thus we do not have confidence that official positions are without doubt representative of practice on the ground.

However, even if the most serious claims turn out not to be true, the incident reveals a massive loophole in UK data protection law, parallel to practices in the USA that are seeing anonymised or pseudonymised data being sold and reused on a massive scale and in the developing world: for instance Jana obtains data from millions of developing world mobile phone customers.

The deal is part of a growing trend by companies to make money out of data they collect in the course of carrying out their businesses. Credit card companies, car manufacturers, and of course, mobile phone operators are creating secondary revenue streams.

Ipsos Mori argue that their system is compatible with EU data protection, but this may not be the case. Telefonica launched a similar service, but withdrew it from Germany. In Germany customers would have to give their consent for this kind of data use, but not in the UK. This is a good example of why we need the new European Data Protection Regulation.

The attempt by big business to remove anonymised personal data from your control is one of the central battlegrounds in the new Data Protection Regulation, being debated in Europe right now.

Companies including EE and other telcos are arguing that consent should not be necessary to resell data or access to third parties. While that may be a business opportunity, it is also one that is already undermining trust between consumers and business in the USA and the UK.

The EE deal with IPSOS MORI and subsequently the police is as good an example as any of why we should be supporting the new Data Protection Regulation and resisting attempts by big business to remove the need for consent to anonymise your data.

Today what was previously thought of as a technical question showed itself to have very clear and disturbing consequences. Let your MEPs know that you need them to protect your data rights, by sending a postcard through the Naked Citizens campaign site.

Update: EE called us this afternoon to talk about what happened. We promised we would write back with the policy asks we have for anonymisation techniques.



May 10, 2013 | Jim Killock

BT Sport Channel: what does it mean for the Internet?

Today's news about BT's new sports service certainly doesn't mean the end of the Internet, but the changes we are seeing, where Internet providers are providing parallel content delivery services, do change the dynamics in the industry in a worrying way.

The changes are more worrying because the convergence of content delivery and ISPs is happening at different levels of the industry, not just at BT. Sky has bought Telefonica's broadband business for instance. TalkTalk has Plus TV.

Here are a few problems that changes may present:

  1. As BT becomes closer to content providers, their attitude to self-regulatory copyright measures may change. We see this already with Sky particularly, but also Virgin to an extent, being more open to these kinds of proposals than companies who don't provide content.
  2. The choice in investment between IP-based delivery of cable-like TV and improving Internet services in general might become more confused. If BT find they make most money from their IPTV services, might this change their investment priorities away from improving Internet speeds and reliability? Yet it has been claimed by BT and others that delivery of IPTV services is their best means to secure funds to improve UK networks. Their argument seems counter-intuitive.
  3. IPTV services will compete with similar services delivered on the Open Internet, such as Netflix and Lovefilm. For consumers, competing open Internet services might be a better bet, as they do not tie consumers into broadband contracts and can be always viewed from different networks. Is it better for consumers that investment goes towards competing Internet platforms, or competing IPTV platforms?
  4. For BT, reducing 'churn' of customers is great, but 'churn' is competition and makes ISPs live in a very competitive market. Loss of a competitive environment is probably not great. US customers certainly don’t like it.
  5. Lastly, there is the worry that the incentives for traffic shaping that lead to anti-competitive barriers on our networks are increasing in none too subtle ways. Could this lead to a serious 'net neutrality' debate in the UK?



May 09, 2013 | Jim Killock

Ofcom research into online infringement

Ofcom today released their latest research into people who infringe copyright and what kinds of factors influence behaviour change.

We haven't had time to analyse the report (PDF) in full, but a few things stood out. They say in the key findings:

  • The Top 10% Infringers accounted for just 1.6% of the 12+ internet user population, but were responsible for 79% of infringed content. The Top 20% infringers, accounting for 3.2% of 12+ internet users, were responsible for 88% of infringements.
  • Infringers were more male, 16-34 and ABC1 than the general internet population. However, the Top 20% Infringers were even more likely to be male and 16-34 than the Bottom 80%. (We used the Top 20% Infringers rather than the Top 10% Infringers as the larger sample size makes comparisons more robust).
  • Despite their high levels of infringement, the Top 20% Infringers also accounted for 11% of the legal content consumed.
  • The Top 20% Infringers also spent significantly more across all content types on average than either the Bottom 80% Infringers or the non-infringing consumers (£168 vs. £105 vs. £54 over the six month period covered).

They go on to add:

Generally, the data from the survey showed that as people consumed more infringed files they also consumed more legal files, and spent more on legal content.

  • Further assessment on price-sensitivity for music showed that the optimum price infringers were willing to pay (either for single downloadable tracks, or for particular premium subscriptions) generally increased as the volume of infringed content increased. (Although the optimum subscription price was below that currently charged for the first premium tier of a number of UK music streaming services, many also offer free versions, albeit with some service restrictions or limitations).
  • This optimum music price was mapped alongside banded illegal consumption in order to estimate potential additional monthly spend (lost revenue) if all infringed content was paid for at this price.
  • The data suggest that improvements to legal alternatives could potentially convert some music infringers to pay for their content (either by track or monthly) if the price was right. However, the relationship between infringement and spend is complex and the claims people make when asked questions about their likely future behaviour given changes to their options do not always closely reflect their real-life behaviour.

This is interesting, because it does rather point towards the increasingly understood relationship between supply and demand as being a key driver for infringement, rather than the claims of "morality" and lack of punishments that drove the Digital Economy Act, for instance.

The report tries to show how effective letter writing might be, and with what types of behaviour; but it is clear that letters, even threatening ones, look far less effective than market changes, such as better or cheaper services.

Ofcom are the body charged with implementing the Act and overseeing the sending of letters as the basis for legal actions by rights holders.

We'll be looking at the report in more detail, of course.

 

 



May 08, 2013 | Francis Davey

Orphan Works - the new law in the UK

Social media feeds have been full of links to alarmist stories about a recent change to UK copyright law that allows for the licensing of orphan works.

Photographers have been particularly concerned after one site (which I won't dignify with a link) used the headline "ALL your pics belong to everyone now". So much alarm has been created that the UK's intellectual property office felt moved to publish a PDF debunking some of the myths that have arisen. I was waiting until the Enterprise and Regulatory Reform Act 2013 was published on the government's legislation website before making my own comment.

The problem of orphan works is well known. Copyright lasts for a long time. In the UK it will usually be for 70 years after the death of the author. Discovering the author of a work to discover whether it is, or is not, protected by copyright can be difficult, let alone discovering the present owner of that copyright in order to ask them for a licence. The effect of that is that many works are either not used, or used only by organisations that care little about copyright on the ask forgiveness not permission principle.

There are radical solutions to this problem, for example we could require that copyright owners register their copyrights in order to enforce them, as the United States did until relatively recently. Or we could adopt William Patry's more modest proposal where no registration would be required for an initial, but relatively short, copyright term. To extend the life of a work's copyright, the copyright owner would be required to register. Such a system would make it very easy to discover who was the owner of a work older than the short initial period of copyright, but of course there would be administrative costs associated with it. Legislators have been more timid in their response.

The European Directive

One solution that has already been enacted is the European orphan works directive (2012/28/EU), although the UK does not have to transpose it into UK law until 29 October 2014.

The orphan works directive is an exceptionally modest provision. Its beneficiaries are public libraries, education establishments, museums and archives. Any institution wishing to use an orphan work must first carry out a "diligent search" in good faith from "appropriate sources". The directive itself lists some "appropriate sources" which would have to be searched, but member states may add to the list, which varies depending on the type of work involved.

Records have to be kept by the institutions of their diligent searches which must be sent to their national government which in turn must make the results available on a publicly searchable website (good to see that governments are beginning to understand open data). This ought to make it easy for copyright owners to discover whether one of their works has been designated as an "orphan" and, having found out, make sure that orphan status is rescinded.

Institutions may only use the works to achieve their "public-interest missions" and may only charge in order to recover costs of copying or making available to the public. They may not exploit the works commercially.

Canada

The orphan works directive tries to maintain the broad integrity of copyright by delegating the task of carrying out a diligent search and managing the orphan works system to trusted public institutions. By contrast Canada has been using an orphan works law which relies on a central authority, the Copyright Board of Canada.

Section 77 of the Canadian Copyright Act 1985, entitled "owners who cannot be located", requires anyone seeking a licence for what we call orphan works to satisfy the Copyright Board that they have made "reasonable efforts to locate the owner". The Board may then issue a non-exclusive licence on any terms it chooses to specify. According to their brochure they will usually require the payment of a licence fee, which will be paid to a collecting society. If the owner of the copyright appears within 5 years of the expiry of the licence, they may claim the licence fee. Where the fee was paid to a collecting society, the society will pay the owner.

The Board do not issue very many licences - roughly 22 a year since 1990. Not all applications for a licence are accepted. Whether "it works" in Canada I do not know, but copyright has clearly not come to an end there.

The United Kingdom

So where does that leave us? Section 77 of the Enterprise and Regulatory Reform Act 2013 introduces a new section 116A of the Copyright, Designs and Patents Act 1988 concerned with orphan works. Section 116A is a mere skeleton. It allows the government to make regulations that would allow someone (an authorised person) or alternatively some people to be chosen by someone designated for the purpose, to grant licences to orphan works. The content and circumstances of the licences we do not know. All we do know is:

  • a work will not be an orphan work unless a diligent search is made for the copyright owner
  • what counts as a "diligent search" will be defined in the regulations
  • the licences may not be exclusive
  • nor may they be granted to a person authorised to grant licences

Now in theory this means we could end up with a Wild West system where there was little real control over licensing of orphan works. The regulations could be very lax on what counted as a "diligent search" and very generous about the licensing terms. That is always a risk with open-ended legislative provisions (and why they should not be used by Parliament).

The reality, according to the intellectual property office, is that we will end up with something similar to the Canadian system. Licences will not be free. Copyright owners will be able to claim fees that have been paid. There will almost certainly be a fairly tight and prescriptive description of what counts as a "diligent search". It will not be enough simply to look at the metadata on a photograph, shrug one's shoulders, and go ahead.

Extended Collective Licensing

In parallel to section 116A is a new 116B which will allow collecting societies in sectors where they now organise (eg books and music) to be given permission to license works that they do not have any existing right to license - eg where they do not own the rights and the author has not given the society permission to license them. This is not an orphan work provision. It applies even though the society knows full well who the author of a work might be. I mention it because it has been mixed into some of the reports about the orphan works provisions.

I have my doubts about extended collective licensing, but it will at least be an "opt out" system. No-one has to participate if they do not want to. In a sector where most licensing is direct (author to user) such as photography, there may never be such a system as the intellectual property office has indicated.

Consultation

The intellectual property office tell me that there will be extensive consultation on the detail of any regulations. Anyone having an interest in these provisions should make sure they engage with the consultation or join with others to represent them collectively. I am sure the open rights group will be making representations.

Reposted from Francis Davey’s blog under a CC-NC-AT licence. Francis Davey volunteers for ORG in our legal group, ORG Law

 

 



May 08, 2013 | Jim Killock

Snoopers' Charter: dead or just sleeping?

ORG, our supporters, Liberty, Privacy International, No2ID and Big Brother Watch will be celebrating a victory today, with the withdrawal of the Snoopers' Charter from the government's legislative programme.

What's left is a promise to find 'proposals' (PDF, p74) to ask mobile companies to record user data in a similar way to other ISPs. This may still go beyond the basic principle of recording data for business purposes, and allowing lawful access to it when necessary, but is a long way from the original proposals for sweeping trawls for data, plus engines to analyse it.

However, we have not removed the underlying assumption that recording information about everyone's phone and Internet communications is necessary to combat terrorism. As Duncan Campbell in our Digital Surveillance report notes, the recording of communications data is pretty novel, dating to the 1990s. It is not a 'principle' that data must exist and be accessed. Furthermore, there are alternatives to recording everything, particularly, as Caspar Bowden notes, targeted preservation of data concerning suspects.

What will not go away is the fear of politicians of getting surveillance of criminals wrong. They usually prefer to cover their backs, which in this case means surveil everything, just in case. This may be nonsense in practice – police have too much data and cannot use it, as Sam Smith observes.

We also need to ask how and why these policies for extreme forms of mass surveillance keep coming back, with little challenge internally. They frequently look expensive and barely workable – key components such as decryption of data, man in the middle attacks and the use of 'black boxes' to reassemble communications data were dropped; while others were scaled back during discussions with the Joint Committee that examined the proposals last year. Why was legislation proposed by the Home Office, if their understanding of the technologies they would have to deploy was so flaky? And what exactly did they spend £400 million on?

Data retention laws mean that innocent citizens are already having their Internet communications recorded 'just in case' thanks to the Data Retention Directive. This is thankfully under challenge, in Austria and Ireland, and due to be pushed to the European Courts. There is little evidence that data retention is truly useful or necessary. There is plenty to point to it being unlikely to conform with human rights standards.


