Today’s advice from DCMS shows that the UK has no intention of implementing any form of meaningful consent for tracking from advertising companies.
Cookies weren’t meant to be used like this. They were designed to help a website know if you’d logged in, or placed items in a shopping basket, by tracking who you were. Unfortunately this tracking has been extended to profile your movements around commercial sites purely to help advertisers.
Because profiling people’s interests without consent is morally reprehensible, and an attack on our fundamental right to privacy, the EU chose to legislate to require consent. The new “Cookie” Directive, however, omitted the word “prior” from the definition of consent. Advertisers – and now the UK government – are arguing that “browser settings may give consumers a way to indicate their consent to cookies.”
However, Ed Vaizey states:
in its natural usage ‘consent’ rarely refers to a permission given after the action for which consent is being sought has been taken. This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing.
That is, basically, forget it. Consent is impractical, so is implied by your browser settings when you permit cookies, so you’ve agreed to be profiled.
For the record, I haven’t agreed to be profiled. Have you?
The Protection of Freedom Bill introduces a number of measures to help protect our fundamental right to privacy, particularly creating new Commissioners to deal with biometrics and CCTV, but did not seek to address many of the long-standing complaints about current protections.
A number of helpful amendments have been tabled to probe the government’s position on the Information Commissioner and data protection laws. Tom Watson MP, who is on the Bill Committee, has so far suggested three crucial reforms supported by the Open Rights Group and other privacy organisations.
These essentially try to move the UK’s current Data Protection Act in line with EU law and the Data Protection Directive.
Implied or explicit consent
The first amendment removes the idea of “implied consent”, moving to “explicit consent”, as required by the Directive. This means users must show they know what they are signing up to when handing over their personal data.
Powers of entry
The second suggested change would give the Information Commissioner a power of entry to inspect data protection practices, equipment used to process data and fine processors found not to be complying with data protection laws.
The third amendment removes the need to show that actual personal or financial harm has been caused for a data protection offence to be committed, allowing for a wider notion of distress or ‘moral harm’, again in line with the DPD.
Other reforms needed
We hope Tom will be allowed to table further amendments, backed by Privacy International, No2ID, Archrights and Genewatch, asking for more fundamental reforms to deal with the fractured and multiplying number of regulators dealing with privacy, as well as a tidy-up of the definition of personal data. We’ll let you know if and when they’re published.
ORG's interest in this area stems from the possible privacy implications of changes to voter registers, and also the chance that modernisations are the first step to introducing online forms of voting, which we would oppose.
The event was bookended by talks from Deputy Prime Minister Nick Clegg MP (LibDem) and his junior minister Mark Harper MP (Conservative). They both clearly knew their briefs and were keen to push forward the move to individual voter registration and ditch household registration as soon as possible. There's no doubt that the 'head of a household' registering everyone as he sees fit is archaic and prone to fraud (and it would typically be a 'he'). ORG has long called for a move to individual voter registration as a way to prevent fraud in our electoral system.
However, tied into much of these changes is the use of data matching. Indeed how data matching is being used already and will be used even more was a common theme throughout the event. There seemed to be little concern for this amongst most attendees. That the existing electoral roll is used for 'anti-fraud initiatives' wasn't much concern to most because it should only affect those who have done something 'wrong'. Yet if we accept that the existing roll is vulnerable to fraud, as the modernisers seem to, then how reliable are the inferences made using its data? Also we muddy the use of the register from being purely about elections to all sorts of other potential uses.
An electoral services officer there told me how officers used to loudly proclaim how registering to vote wouldn't lead to the data being shared with tax, immigration or any other parts of government. Now that's all gone, the officer said, and in the small print on the back of the form you are told that it is (quite legally) shared across local and central government, as well as with credit agencies, of course.
The next step will be to use other sources of data, particularly the national insurance database, to infer who isn't on the electoral roll but should be. This seems worthy, of course we want to help people get registered to vote. Yet... one of the reasons why a new national identity scheme was proposed by the previous government was because none of the existing registers were particularly accurate. Of course nothing is 100% perfect, but the national insurance database is known to be full of inconsistencies and one wonders what new problems will be introduced with a head-long dive into data matching.
The benefits of a more secure electoral system will only be delivered after a huge amount of work understanding the processes, standardising forms and data formats as well as engaging with the very significant number of stakeholders interested in electoral registration. The government also seem undecided on what they will be most closely monitoring as the changes proceed: Will it be voter turnout or the estimated voter registration rates? Because, if all else remains equal, more people on the register may mean lower turnout percentages. Is that something they are willing to countenance after spending £104 million on this programme? What does success look like for the ministers working on this?
We hope that more sensitivity to the privacy and data quality issues of data matching will develop. Also, with a decision still yet to be made on whether a centralised online register (CORE) will be built, ORG remains wary of whether steps will be made towards online voting as a 'natural progression' from this work. We remain vigilant.
Some commentators are speculating that the new budgets for Intercept Modernisation Programme (IMP) are not what they might seem, but something smaller and less intrusive. We are certain that IMP is back on the cards, however.
On Wednesday, Julian Huppert MP asked David Cameron:
Can the Prime Minister reassure the House that the Government have no plans to revive Labour's intercept modernisation programme, whether in name or in function, and that he remains fully committed to the pledge in the coalition agreement to reverse the substantial erosion of civil liberties and to roll back state intrusion?
... We are not considering a central Government database to store all communications information, and we shall be working with the Information Commissioner's Office on anything we do in that area.
This is very telling. Our Prime Minister had a chance here to state plainly that no such plans were being considered. Instead, he ruled out what was ruled out by Labour.
Labour, after all, abandoned plans to intercept Internet traffic and create a centralized database. What they chose to delay was a plan to intercept communications data and have ISPs store it.
Mass interception and storage of data are both highly intrusive and we believe illegal under EU law. The current Data Retention Directive – which requires ISPs to “retain” communications data – is under challenge and could be ruled illegal. Several member states have already rejected it as unconstitutional as mass data retention breaches their citizens’ privacy rights.
Interception goes a step further. It is difficult to see how mass, pre-emptive interception could or should be legal. But that doesn’t seem to be worrying the officials in the Home Office who want IMP, whatever the colour of the government.
It is vital that MPs and Ministers stand firm against the views of these officials. If you haven’t already, please sign our petition to demand that Cameron, Clegg and Theresa May protect our privacy.
On Tuesday, I spoke on behalf of ORG at an event organized by Eric Joyce and Julian Huppert on behalf of the All Party Parliamentary group discussing the Digital Economy Act.
Walking into the room, it felt rather like a replay of the debates we had prior to the Act. Many of the same faces were there, including the ever-present Richard Mollett, speaking on behalf of the BPI, and others including the Federation Against Software Theft and other rights holders. Richard welcomed ORG in his customary way, we sat down on opposite sides of the room, and shortly afterwards the meeting began.
But it didn’t turn out to be a re-run of the same old points. What we heard was a growing range of voices against the Act. This wasn’t just ORG and Consumer Focus making our complaints about people’s rights, data protection, the bodged draft code and the clear breach of human rights that interference with communications presents. This debate included Coadec and Steve Lawson making some impassioned pleas on behalf of digital innovators and independent artists. And to follow them came a large number of citizens who had come to the meeting of their own accord.
You don’t usually get people speaking on their own behalf at these debates, and still less do you get artists. Steve’s points were especially well-made: he outlined how it is now possible for an artist to make an income by keeping their copyright and selling music directly to fans, while also building reputation. He pointed out how badly the old intermediaries have served many artists, and how for him, the new model was much more hopeful and sustainable.
Similarly, Coadec’s Jeff Lynn, representing digital businesses, was able to articulate the problems many of their members suffered by restrictive licensing by the traditional copyright industries. This is a point often raised by ORG, but needs to be echoed by groups like Coadec.
Encouragingly, there were some new faces among the MPs attending. Kerry McCarthy has blogged about the meeting here.
We also heard libraries state the difficulties of the model the Act has imposed, alongside people working for digital inclusion, pointing out how much of a nonsense it is to push inclusion alongside potential disconnection measures.
More worryingly, there is an assumption among some that we will move to these punishments. We do not assume that, but it’s up to us all to make sure it doesn’t happen.
So, let’s welcome the appearance of artists and digital businesses at the centre of this debate. Let’s hope their voices are increasingly listened to, alongside citizen groups like ourselves, Liberty and Consumer Focus.
Over 300 people are booked to attend ORGCon and tickets are running out fast so get yours now!
ORGCon is your crash course in digital rights. This one-day conference will deliver everything you need to get campaigning on issues like the Digital Economy Act and the Database State.
As well as stellar speakers James Boyle, Cory Doctorow and Tom Watson, there'll be contributions from Liberty, NO2ID and Big Brother Watch.
See the full programme here.
When? Saturday 24 July, 1030 - 1830
Where? City University, City University London, St John St, EC1 4 London
Sessions will include
There are a limited number of tickets for this bonanza event.
When? 24 July, 1030 - 1800
Where? College Building, City University London, St John St, EC1 London
In the fifth of our series on the challenges the new government faces, William Heath looks at personal data. William is the founder of Mydex CIC and of Ctrl-Shift Ltd, is ORG founder #427 and former chair of Open Rights Group.
A vital key to reforming public services for the new coalition administration will be provided by a new approach to personal data.
On public data Labour's legacy is a promising start. Thanks first to Ed Mayo & Tom Steinberg (Power of Information Review), then and substantially to Tom Watson and Richard Allan, finally to Gordon Brown and TBL the policy of opening up public data is taking hold. Data about inanimate objects: maps, finance and statistics paid for by the taxpayer is being set free for our greater utility and economic benefit.
But authoritarian New Labour's legacy on personal data is lamentable: ineffectual, wasteful, unjust, often arguably illegal.
A decade ago the same government's policies were quite good. But by 2005 the "Transformational Government" policy was a mutant child of the post 9/11 War on Terror and what was recently described to me as "the big Siebel lie".
The first fallacy is that amassing unthinkable amounts of data – the US wants a Yottabyte of Sigint by 2015 – delivers public safety better. Many of us would rather see a sound economy and just society based on respect and equality.
The second fallacy is that organisation-centric "customer relationship management" gives people what they want cheaply, without active participation or control by the individual. It doesn't: it disempowers and frustrates people, who are turned off and walk away from such so-called "relationships" in droves.
The new administration has emphatically said "enough of this nonsense".
It has started by cancelling the benighted ID Scheme and children's database ContactPoint, tightening policy on DNA retention and ruling out the unreasonable level of global data retention that the proposed Intercept Modernisation Programme would require. The NHS national programme, vetting programmes, intrusive transport databases can all expect careful scrutiny and substantial revision.
Assuming the "No to" in No2ID will now prevail, what do we say "Yes" to?
Remember: the challenge is to save a great deal of money – 40% per department seems to be the benchmark; to protect and even improve essential services, above all health and education; and not to go soft on law & order.
Martha Lane Fox is right to say this means making everything available online, and switching off the offline alternatives. It sounds harsh, but it's not. Where people depend on intermediaries, the carers can use the online service.
Having cancelled the ID Scheme, we need to grasp the nettle of on-line identifiers for public services. This should include a capability for online power of attorney. The way forward needs to conform to Cameron's laws: consistent and convenient, under the user's control and without shedding data where it does not belong.
This world is moving very fast, as those behind OpenID, OAuth and the Open Information Exchange OIX are aware. There's now a valuable range of verified online identity and authentication service providers: credit reference agencies and account-based services from banks, payment services and phone companies.
The new UK administration can draw on the rapid policy improvements in the US. First it withdrew government from online ID provision and instead invited third parties to act as online ID providers for all online public services. Now it is evolving a "trust framework" so parties are appropriately accredited. Next it is drafting an ambitious National Strategy for Secure Online Transactions in which government will act as catalyst for a trusted identity framework nationwide based on independently verified but individually controlled personal data.
Of course the UK's Lib-Con coalition should copy this. But it can also leap-frog it.
The turning point is the simple but radical acceptance of a deep truth: people should own and control their personal data, including how it drives public services. UK public services need to reflect the reality that individuals know their own circumstances, preferences, needs and future intentions best. In the end it's always down to the individual or the carers on whom they depend to sort it all out anyway.
As well as the sort of third-party online IDs policy now at work in the US this requires:
That adds up to more than "tell us once" for a selection of public services. It's tell anyone once, or many times just what you want to tell them and no more. Plus you can stop when you want.
Technically this is not a huge task given contemporary tools. Several UK entrepreneurs have done it (including one in which I declare an interest). The real task is starting the network effect, where organisations agree to start to receive valuable feeds of data from individuals.
The UK needs now to do a couple of trials of this. There are huge benefits to be had if we can learn the right lessons in time.
The underpinning for this thinking comes substantially from Doc Searls and his Project VRM at Harvard. But we've barely begun to work out the implications for UK public services. How should the NHS best work with user-held and controlled health records? Remember - these will be real "health" records, featuring exercise and diet as well as episodes of illness. How should education and the jobs market work to best effect with user-driven records of life-long learning and experience?
User-driven records and "volunteered personal information" will have profound impact on welfare, travel, censuses, policy formation, consultations. That's just in the public sector. Research by Ctrl-Shift suggests the market for "volunteered personal information" arising from the individual overtakes the national market for display advertising in 2017 to become worth £20bn a year by 2020: ten Google UKs. And it's the same for Europe, the US and the world.
There's a specific task of working the implications of such a change through every sort of public service that depends on personal data. Will it work? What is involved in taking it forward? What are the risks?
The potential rewards are immense. It's not just that, like BP, we need to stem the toxic leakage, in our case of personal data from government. Nor that we need to cut the cost of maintaining government's huge data sets, and restore people's trust in what government does with personal data. The real wins come when public services are driven more directly by more accurate data sets, and can be more closely aligned only to needs which really exist. Imagine the "just in time" revolution of 1970s car manufacturing applied to public services. But the savings we have to make mean we'll need nothing less than that.
The key is to invite individuals to help government do it: participatory public services.
ORG founder Dan O'Brien always said "they stole our revolution; now we're stealing it back". Computers started at the centre. But it was only when they were also put in the hands of individuals, and the two worked together, that we started to see what is really possible. That's where we're headed: a Big Online Society.
In the fourth of our series on the challenges the new government faces, Lilian Edwards, academic and ORG advisory council member, looks at the big privacy challenges, and particularly the review of data protection now starting in the European Union.
"Day One: In what used to be the Big Brother House, Nick and Dave have decided to dismantle the database state" (quote from @futureidentity on Twitter, aka Robin Wilton)
Well, hello and welcome to the new politics – we hope. My fellow bloggers have got here well before me in wondering what the change of leadership might mean, if anything, for repeal of the Digital Economy Act – but there’s still a lot to celebrate (and of course pick at) in the realm of privacy and civil liberties. Many of us have felt unduly (and rather disbelievingly) pleased these last couple of days to see the dream list of civil liberties we’ve fought so long for seeing the light of the ConDemNation shopping list.
So far, pretty much the entirety of the Lib Dem’s pre-election Freedom Bill seems to have been essentially cut and pasted in, including of digital special interest:
It is, as in the old joke about 10,000 lawyers at the bottom of the Mariana trench, what you might call not a bad start. Some of the provisions, as noted elsewhere, have particular significance in the light of what is going on in Europe right now, namely, the long awaited review of the Data Protection Directive (DPD), the primary instrument which regulates informational privacy throughout Europe.
The principles of the DPD remain strong, but many acknowledge the implementation in practice is broken, as the Directive has fallen between the Scylla of ever greater public sector data collection and mining to (allegedly) combat terror and crime; and the Charybdis of private sector data collecting to create a revenue stream for “web 2.0”, particularly in the shape of targeted advertising schemes like Phorm.
Data retention in particular has been controversial; DP law says data should be retained no longer than necessary to fulfil the purposes for which it is collected, while states, including notoriously the UK’s former government, have pushed for as long a period of retention as they could get away with in the name of law enforcement. The rolling back of data retention signalled above will thus require input into the EU DPD reform process; with the UK hopefully finding itself joining the ranks of countries like Germany and Romania which have opposed the Data Retention Directive as unconstitutional or invasive of privacy.
What more do we want from the European review? Three issues stand out which are not mentioned in the list above.
First, we have to think about what redress ordinary citizens and users can get in response to abuse of their personal data. DP law in theory provides for individual civil actions, but in practice these are rare to non-existent. It would be better to think of data breaches as a pollution of the data environment, with civil enforcement carried out by group (or “class”) actions led by national data protection or consumer authorities, backed by far more stringent criminal penalties to deter data breaches than currently available. Extension of mandatory security breach notification from the telecoms industry to all sectors needs looking at too.
Secondly, what users increasingly want more than financial compensation are two things: first, an easy way to know what data is held about them; and second, an easy way to get that data deleted with no need to prove damage or abuse. The first can be met by mandatory schemes on online subject access, the second by a principled approach such as the French so-called “right to forget”. Both public and private sector must be forced to get in line behind these simple steps, although the marketing industry especially will no doubt put up strong opposition.
Thirdly, the headlines are alive again with yet another Facebook privacy scandal. Social networking sites are brilliant for communication, for campaigning, for expression and identity; but they do not have to be anti privacy to meet these functions (as the new experimental Diaspora may sometime show).
Users of sites like Facebook mainly sign away control of their personal data as the price of admission to the site, mostly without a thought or a glance; DP thus offers almost no protection as it is trumped by “consent”. Yet in other types of consumer contract, like sales, insurance and employment, the law says that users should be protected from simply signing away their rights, and that only certain types of contract terms are allowed.
Why should SNS contracts not be so regulated to provide minimum standards of data control and security for users, as well as transparency? This could be done by negotiating authorised standard contracts with industry, possibly implemented via standards or codes rather than primary law to allow speedy revision as and when.
Such contracts should in particular specify that privacy settings on social networks be set by default at a minimum protective level to combat consumer ignorance and inertia and the fact that privacy controls are typically hidden and impenetrable - a good example of the concept of “privacy by design” Viviane Reding has said she is considering introducing into the Directive.
Finally and perhaps most importantly, data protection simply cannot be enforced while national DP watchdogs are starved of the cash and personnel they need to manage an enormous task of supervision and education and take on the crucial job of leading test and group cases. But proper resourcing needs not more law but political will. That must come from ordinary users making it clear that contrary to whatever Mark Zuckerberg may think, privacy really does matter to them. It’s not ALL about the economy, stupid.
Complaints by the Open Rights Group and others last year to the European Union Commission about Phorm, the technology that looks inside web traffic to profile users for advertising, have now resulted in further legal threats against the UK government from the EU.
Yesterday, the EU restated their position that the UK was not complying with EU law in three areas:
Specifically, the Commission has identified three gaps in the existing UK rules governing the confidentiality of electronic communications:
- There is no independent national authority to supervise interception of communications, although the establishment of such authority is required under the ePrivacy and Data Protection Directives, in particular to hear complaints regarding interception of communications.
- The current UK law – the Regulation of Investigatory Powers Act 2000 (RIPA) – authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has ‘reasonable grounds for believing’ that consent to do so has been given. These UK law provisions do not comply with EU rules defining consent as freely given specific and informed indication of a person’s wishes.
- The RIPA provisions prohibiting and providing sanctions in case of unlawful interception are limited to ‘intentional’ interception only, whereas the EU law requires Member States to prohibit and to ensure sanctions against any unlawful interception regardless of whether committed intentionally or not.
The UK has two months to reply to this second stage of the infringement proceeding. If the Commission receives no reply, or if the response presented by the UK is not satisfactory, the Commission may refer the case to the European Court of Justice.
This is quite unusual. For instance, threats of infraction proceedings against UK for non-compliance with the EU definition of ‘personal data’ have been dragging on since 2004, without any real sign that the UK would be taken to court. The case is certainly not the subject of regular press releases.
The UK government meanwhile is not making any comment, and Freedom of Information requests are being turned down.