privacy


I would have blogged on this myself, but day job deadlines mean I can’t give it the attention I would like to.  This makes grim reading. 

Instead I will lift Intrepid Ian’s post.

The Joseph Rowntree Reform Trust has this morning published our report on the UK Database State, which finds that:

  • A quarter of all major public sector databases are fundamentally flawed and almost certainly illegal. These should be scrapped or redesigned immediately;
  • The database state is victimising minority groups and vulnerable people, from single mothers to young black men and schoolchildren;
  • Children are amongst the ‘most at risk’ from Britain’s Database State, with three of the largest databases set up to support and protect children failing to achieve their aims;
  • Data sharing is a barrier to socially responsible activities. It is deterring teenagers from accessing health advice and undermining goodwill towards law enforcement;
  • Only 15% of major public sector databases are effective, proportionate and necessary;
  • We spend £16 billion a year on public sector IT and a further £105bn spending is planned for the next five years – but only 30% of public-sector IT projects succeed.

The runaway growth of public sector databases was surprising even to those of us that follow them closely. They have taken six months to catalogue.
You can see coverage of the report in the Guardian, Telegraph, Times, Independent, BBC News, Daily Mail, Metro and from Reuters.

As some of you know, I’m labouring away at what must be one of the longest part-time PhDs ever.  My research is looking at how software code and law work or don’t work together. However, there is light at the end of the tunnel.  In order to add a bit of empirical juice to will be a rather dry theoretical legal tome, I’ve decided to do a survey. 

I won’t bore you with the whole long story of the diss. here , but if you are interested in knowing more, please drop me a note and I can send you more details.

Whether it is ERP systems or toasters, software impacts much of our daily lives. We ask and demand software to do things on our behalf;  software transacts, it searches, it assesses, and in some cases it judges us.  Legal systems have evolved over centuries to codify rights and obligations in societies. Throughout history law and technology have interacted, modifying each other along the way.  It is often an uneasy relationship.

Whether it is contract law, licensing, intellectual property, privacy laws, accessibility, liability software and law interact significantly. There is a fairly large field of research looking at this relationship between code and law. (Lessig being the most famous, but there are many others)

However, not much research has focused on the role of the software developer and software firm in this relationship. So I decided to spend part of my dissertation looking more closely at the role of the software firm and the software developer in the code as law relationship. I want to ask as many software people as possible about what they understand of the law that can impact software, and what their attitudes are towards a couple of legal concepts in a software context.

It is designed to gather information about the knowledge, education and attitude of software developers towards the law related to software, and how law is or isn’t built into software. My goal is not to just have a small survey of a couple of hundred developers, but to really survey lots of them.

To do this, I want to tap as many of my readers  as I can to spread the news of the survey, and for as many of you to take the survey as possible. The more answers I can get from around the world, the richer the results will be. I will also be following up with telephone interviews with a much smaller sample group.

In this survey I have used the term software developer rather broadly. I define this to be anyone working professionally to design, build or maintain software (information technology). So if you are a product manager, solution manager, implementation consultant, systems architect, business analyst, or a systems tester, for instance, then we would be just as interested in your responses. The survey isn’t just aimed at those who code, but those who make a living from its construction and maintenance. Much of this group would fall under that definition. The Germans have a rather nice term, informatiker, but it doesn’t really translate very well.

Gartner is supportive of my PhD, this research doesn’t form part of my formal Gartner research agenda. In other words,  it isn’t a Gartner survey!

Several developer friends  have been kind enough to test the survey, and give me feedback, much of which I have incorporated in this final version. (If you tested the earlier versions, please take the test again)

Blunders and errors remain my responsibility.

Here is the survey as it stands today.

https://www.surveymonkey.com/s.aspx?sm=oxUTPWBBgFXHolONAGhAJg_3d_3d

Please take this link and spread it to your software friends. colleagues and families.

A new passport in three hours.

A consulate is a potentially stressful place, after all people don’t go there to be patriotic. They go when they have issues. 

The Consulate  team in Düsseldorf was friendly and supremely efficient.  Airports could learn something from the security team at the consulate, through, yet welcoming.

My old passport was getting very tatty. Last time I flew, the airline nearly didn’t let me fly.  My problem is that I travel too much to post it in and wait for a new one.  So I had to drive up to Düsseldorf, that took longer than the passport process.

Thanks again for great service.

It has one of these in. But I can’t blame the folks in Düsseldorf for that.

image

(photo from Kai Hendry)

 

(photo from the flickrstream of Swamibu )

It is apparently Sunshine week in United States of America, so please excuse the metaphor collision.

Over in the UK it is goodness to see nine Lords experimenting with a blog.  It is called Lords of the blog. I quote.

Apparently we are going live today. So far, our blog confessions have had a very limited audience, but now anyone may see what we have been doing.

Not that I have anything to hide. Indeed, I suspect that most members of the Lords would be only too happy if the public could and did take more notice of what we do on their behalf. Some of us spent a lengthy afternoon last Thursday debating the best way to get more people – and especially young people – interested in the way Parliament deals with their concerns, hopes and fears.

It is easy to think of the House of Lords as characters in a PG Wodehouse novel, greeting each other with what ho! chum, eating boarding school nosh, and wondering where the empire went. But that would be wrong. I’ve been lucky enough to meet a lord or two, and even though they expressed a fondness for Yorkshire Pudding, they were right on the money as far as software and technology were concerned.  I blogged some time ago about the House of Lords and RFID and the science and technology select committee .

Though the link had come from the most reliable source on all matters UK law, Geeklawyer, I wondered for a moment if this was a put up job, but no, it seems to be the genuine article. The Hansard society is lending a hand.

It is also interesting to see rather than hosting it over on a server in under the woolsack, they are running it on wordpress.com. If it had been buried in the depths of a government website somewhere, who would read it?  up on WordPress seems somehow less contrived, and less likely that  a  Sir Humphrey  is moderating things in the background.

Having these Nine Lords blog is a fine thing. I look forward to them asking some probing questions about Phorm………

(from the cc flickrstream of dalziel 86, thankyou)

My post yesterday on Data Protection Law, Facebook and Scraping garnered more interest than my normal Enterprisey software ramblings. Dennis kindly picked up on my post twice, and I  experienced a considerable spike in traffic and commentary courtesy of  Robert. 

I’d not paid much attention the dataportability.org announcement, so after reading about it over at Dennis’s and Mike’s  and at techcrunch HQ I had a little browse through the website and Ben’s blog

I’m pleased to see the social networking companies getting together and discussing inter-operability issues.  These issues are important, users of these services are right to be concerned about lock in, and the inconvenience of moving from one platform to another.

Sharing is only one side of the equation though, and I would prefer the companies concerned to look at a broader collaboration. They really need to be examining the broader topics  of identity, trust and context.  I hope that they are.

I’d urge the folks involved in this effort to get in touch with the Prime Project and other research projects in this space.  Talk to these folks, for instance. Researchers have been grappling with the challenges of technology, privacy, identity, data reuse for decades. There is a tremendous amount of prior art that should and must be leveraged. This isn’t just a European thing either.  Perhaps check out  Lessig, Rotenberg, Swires,  Litan, Hahn, Cate, Shostack, Westin, Cohen, Burk, Lemley, Acquisiti, Kesan, Froomkin,Samuelson, Solove….and more.

I was a tad harsh yesterday about Alec Sander’s manifesto post, as I later found out it has the backing of one of Canada’s (if not the world’s)  leading Privacy experts, Michael Geist. Thanks and apologies Alec. Oh, and Mike at Techcrunch UK,  I got the joke, eventually. Don’t give up your day job though.

My post yesterday merely glossed over some of the issues with scraping and Facebook, but I’m glad it helped get people talking.  The issue at stake though has little to do with sharing business cards.  It goes a whole lot deeper. If you have a moment, head over and read what JP had to say. a couple of weeks ago.

I am responsible for the contact information I hold. I am accountable for that information. Accountable to friends who have trusted me with that information. And if I pass that information on without their implicit or, in some cases, explicit, permission, I am breaking their trust in me.

This, to me, is issue number one to do with any debate on information “ownership”.

Trust.

And it’s a biggie.

Then via JP I came across this blog – Freedom to Tinker. Goodness. Subscribed.

Where did we get this idea that facts about the world must be owned by somebody? Stop and consider that question for a minute, and you’ll see that ownership is a lousy way to think about this issue

( Btw also You may find Bill Zeller’s comment illuminating.)

There is significant debate in legal circles about the pros and cons of privacy as a right or/and  as property. Schwarz’s paper here is well worth a read.  As Schwarz notes,

At its core, information privacy has both an individual and a
social value. Hence, I end on a note of caution: ongoing scrutiny of
regulation of personal data is needed because failure in the privacy
market can harm both individual self-determination and democratic
deliberation

I do think the concept of privacy as property is a good one, especially in places where defining it as a fundamental right is nigh on impossible. There is also some good stuff over on at the Burton Group blog

I’ve suggested before that folks, especially in the US, should read Solove’s latest book. You can download the first chapter here.  I’ll also be getting this for bedside reading.

The more people start thinking about the implications of what they share, the better. Many of the US commentators on the blog felt that EU privacy law was dumb, or worse. It does have its problems, but before you consign it to the bin, check out a bit of privacy law history.  The UK information Commissioner’s website has come on leaps and bounds too. The US site EPIC, is an excellent read.

I’ll leave you with a fabulous quote, from Michelle Dennedy, Sun’s Chief Privacy Officer,  courtesy of one of the  mighty governor‘s excellent posts.

Her own little girl came up with a brilliant take on privacy and what it is:

Privacy is like grass, she told her mom. Why asked Michelle? Because it keeps the dirt from being naked… 

Thanks to truly brilliant stream of  Auntie P.

I’m very late to this, and originally I wasn’t planning to comment on the Scoble-Facebook thingy, (see techmeme) but after seeing James Governor’s deli.cio.us link comment,about Nick Carr’s post, I figured I’d jump in.

James said…

my take: Che? No. Scoble the Mike Huckabee of the A-list. He thinks privacy is “just a theory” but runs awesome home and webspun campaigns… aw shucks

Spot on James. (thanks also to James for getting me into this CC flickr photo thingy)

Part of Robert’s defence is that he was “only” collecting

Names and email address and birthday.

But name, email address and birthday are personal data.

Here in ye old Europe we have a pretty clear legal definition of personal information.

Personal data are defined as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;” (art. 2 a of the EU Data Protection Directive)

I don’t want to go into a long history of European privacy law here, but The ancient runes (1980) of the OECD guidelines are a good starting place. The seven principles governing the OECD’s recommendations for protection of personal data were:

   1. Notice—data subjects should be given notice when their data is being collected;
   2. Purpose—data should only be used for the purpose stated and not for any other purposes;
   3. Consent—data should not be disclosed without the data subject’s consent;
   4. Security—collected data should be kept secure from any potential abuses;
   5. Disclosure—data subjects should be informed as to who is collecting their data;
   6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
   7. Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principle

These principles eventually wound up as the foundation of the Data Protection Directive, which in turn ended up in the national law of all EU countries. They would make a good start for anyone building a terms of service for an offering that consumes personal data too.

The principles in the UK Act are defined as follows

Personal data:

  1. Shall be processed fairly and lawfully
  2. Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose(s)
  3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”.
  4. Shall be accurate and, where necessary, kept up to date.
  5. Processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.

Robert Scoble’s actions may be perceived as noble in some quarters, but they don’t impress me. He single-handedly bashed through most of the basic principles of privacy with his scraping exercise, never mind Facebook’s terms of service. Facebook was right to take Robert on here. Facebook is subject to the provisions of European Data Protection Law. Facebook is part of the safe harbor. 

Carr nails it.

Facebook has an obligation to protect the data entrusted to it by its members. At the very least, members should have the right to decide whether or not their personal information can be scraped out of the Facebook database. Scoble did not give them that choice. That doesn’t mean that Facebook is the hero. It, like other social networks, happily scrapes information from members’ email accounts to identify possible new members. Facebook will scrape when it suits its commercial interest but will block scraping when it doesn’t. Still, in this particular case, Facebook did what it needed to do: protect the information and the interests of its members. Until controls are in place, unauthorized scraping of other members’ personal information shouldn’t be allowed.

What the Scoble affair reveals is that the issue of “data portability” is not a simple issue but a fraught one. Data scraping can make our lives easier, but it can also put us at risk.

So does Anne

Even if Scoble’s Facebook friends agreed to let him view their data on Facebook, they didn’t agree to let him take that information wherever he wants to do with what he wants. He could use a screen scraping program to grab data that they consider just-among-friends and stick it out in public without any regard for their privacy settings. You might say, “Scoble wouldn’t do that” but it’s Facebook’s responsibility to see that it doesn’t happen.

Data portability could be designed into Facebook in such a way that it doesn’t compromise user’s privacy. At the very least, an opt-in to profile sharing outside Facebook would need to be provided. Allowing uncontrolled screen scraping is not the answer

And Loren Feldman’s acerbic take is well worth a watch.  See the comments too. This one from Patrica, (who has a super  golf blog)

Though evidently there are a number of geek wannabes out there just itching to join a data martyr movement.

Hat tip gapingvoid’s twitter

You may find this article on the position of Facebook in UK law interesting. Facebook could move at speed to suspend Robert, but seem awfully unwilling to let other people voluntarily remove themselves.  I’ve rambled before about Facebook and data protection law.

Robert, no doubt, had good intentions, but he was breaking the law, both in terms of the Facebook terms and conditions, and for those Europeans lurking in his 5000 “Friends”, a good bit of data protection law too.  Processing 5000 records moves one beyond the realms of Dunbar’s law into data controller mode.

I’m glad to see blawgs joining the discussion, for instance the Canadian Privacy Law Blog.  Also I’m very pleased to see privacy manifestos emerging, such as this one over on gigaOM, but rather than inventing stuff from new, I’d propose that the web 2.0 gurus get talking with some folks who know privacy and its complexities.  It is a lot harder than it looks. 

The right to privacy is one of the most complex legal and technical issues, and not just since web 2.0.  The Germans passed privacy laws in the 1970’s and are still grappling with the balance between privacy, security, freedom of speech.  One of the most famous cases in US law is mainly about privacy rights. 

The more folks start thinking and talking about privacy, and the sooner privacy impacts buying decisions the better. 

Daniel Solove’s recent book is a damn good place to start, especially from a US perspective.

For the technical challenges, Jeff Jonas is a must read. I’d like all developers who touch personal data to read and understand Kim Cameron’s laws of Identity.

I’d love to see more from Pangloss or on this too, oh and a Geeklawyer rant would be nice too.  I hope to be at this conference next year, the 8th Privacy Enhancing Technologies Symposium (PETS 2008).  It would be even better if Facebook sent some folks along too.

Daniel Solove called on bloggers with an interest in privacy to drop him a note, and he would send a copy of his latest book for review.  The only condition was that you posted a review.  So here is mine.

Solove is on a mission to get people thinking about privacy who haven’t really thought about it before. Anyone who has a Facebook profile, a blog, or who posts photos online, or has friends and family who do, ought to read it. As a very successful  blogger himself, he brings a practical perspective to the topic of gossip, ‘rumor’ and privacy on the Internet.

It would be a good book for parents to read, as it would able them to understand the mySpace etc dangers and benefits better. It is accessible enough that a teenager could learn from it, without being bored by a lot of legal rhetoric.  Solove writes well, with a deft touch.  It isn’t a dense academic book, although Solove is a highly respected privacy academic. Legal types may wish for more depth, but if so, then head over and read this.

The book works because it uses lots of anecdotes to explain complex issues, simply.  It covers the awkward and subtle tensions between privacy and the first amendment-freedom of speech brilliantly. It also provides an excellent quick tour through US privacy law history. (curious though that I didn’t see  Roe v Wade  mentioned)

Most of my own research into privacy has been about government and big business.  Solove makes the powerful point that there is a significant threat from your friends, lovers and colleagues too.

He effectively challenges the binary private-public divide, arguing coherently we need to understand shades of confidentially and exposure, and uses the burning man event, Washingtonienne, Article III, and other incidents to illustrate this. He eloquently explains the paradox  that we need greater privacy and recourse against unwanted exposure if freedom of speech is to thrive.  The dangers of vigilantism and shaming are given close attention.

He briefly touches on the power of technology to aid privacy protection, but he could have explored this in more depth.  He did call on social networking tools to offer stronger privacy default. This is good advice. I would have liked more on the copyright analogy.

My only significant  gripe was that the book is very US and tort centric. It made passing mention of UK tort, but it made no mention of European Data Protection Law, nor of the right to privacy in the Universal Declaration of Human Rights or other significant legal instruments.

He is more positive than I am about the future of privacy. 

In short, buy it.

Next Page »

Follow

Get every new post delivered to your Inbox.

Join 29 other followers