Carbolic Smokeballs and software salesmen.

I’m continuing the law related ramblings, but some of you will be pleased to know I’ll rest the privacy stuff for a while.

Vinnie Mirchandani is normally a vociferous supporter of all things free-market, and the arch enemy of compliance. His dislike of the  Sarbanes-Oxley Act is legendary.

I was  surprised to read his call for stronger software industry regulation. Please read his post in full, then pop back here.

I won’t go into a discussion here on whether all regulations he suggests make sense or not, I’d like to pick up on them another day.

In part, I agree with Vinnie. It amazes me how little direct regulation our industry has. Toys, insurance, cars, hairdryers and maps all need testing before you can buy them, but any old idiot can set up a software company and try and sell stuff. There is stricter certification for wiring a plug or installing toilet roll holders for a living than there is for coding software. One of my earliest posts looks at this.

As the digital world becomes more and more vital to our personalities, our jobs, friendships, thoughts, politics and beliefs, should the web and the vast databases of information about us be determined solely by short-term shareholder value?

As software does more and more important stuff on our behalf, it is likely that it will face greater regulation. This may be no bad thing, but let’s tread cautiously. Regulations, like technology, often bump into the law of unintended consequences. This can be a good thing in software, as it may lead to Accidental Awesomeness. In law though, it tends to hurt folks it was supposed to protect, or protect things that ought to be protected.

I will take on one of Vinnie’s points though:

Require systems integrators to be truthful

This was amplified by Nitin’s comment about outlandish sales claims.

Another one comes to my mind as an honorable mention as well:
– Regulate the advertising or hold vendors accountable for what they claim regarding profitability and efficiency. Vendors claim the moon – I cannot see any other industry where there is so much FUD and bogus claim

Software salespeople don’t live in a vacuum, and there is very little new under the sun when it comes to contract law, advertising and sales promises. To assert that software salespeople and marketeers are somehow more devious than their peers  is a tad insulting to the ‘ingenuity’ and avariciousness  of the generations of sales people that have gone before them.

Let’s head back to Victorian England.


Contract – Offer by Advertisement – Performance of Condition in Advertisement – Notification of Acceptance of Offer – Wager – Insurance – 8 & 9 Vict. c. 109 – 14 Geo. 3, c. 48, s. 2.

The defendants, the proprietors of a medical preparation called “The Carbolic Smoke Ball,” issued an advertisement in which they offered to pay £100 to any person who contracted the influenza after having used one of their smoke balls in a specified manner and for a specified period. The plaintiff on the faith of the advertisement bought one of the balls, and used it in the manner and for the period specified, but nevertheless contracted the influenza:-

Held, affirming the decision of Hawkins, J., that the above facts established a contract by the defendants to pay the plaintiff £100 in the event which had happened; that such contract was neither a contract by way of wagering within 8 & 9 Vict. c. 109, nor a policy within 14 Geo. 3, c. 48, s. 2; and that the plaintiff was entitled to recover.

Read the full case here.

One supposes that this case could be seen as an early example of vapourware.

The law to “hold vendors accountable” or require “systems integrators to be truthful” has been part of contract law since well before even the venerable Geeklawyer started out in practice.

In my presales days  one of my best demo sessions was when the prospect videoed the complete presentation and workshop. 

The law has been clever enough to have a proper term for outlandish sales and marketing bullsh*t. It calls it “mere puffery.” The presence of a video camera does tend to reduce the desire to engage in such puffery though.

Contract law and supporting legislation have developed over literally thousands of years, and courts have been largely successful at picking up unfairness in whatever happens to be bought or sold.

In UK law, for instance, the practice of limited liability in IT contracts was struck down in the St Alban’s DC v ICL case. The council was able to claim damages for the cost of incorrectly calculated taxes, which were far higher than the costs of the solution. Harry Small, one of the UK’s leading computer lawyers, wrote up the facts of the case here.

Software does create challenges for contract law, sure, as other innovations in the past have done too.  (I will return to  goods vs services  another day)

To those that argue that software and IT are a special case in contract that require unique regulation, I’d suggest that they read the classic 1996 Easterbrook speech, Cyberspace and the Law of the Horse. Contract law has done remarkably well at protecting buyers and sellers for 1000s of years, and I’m not sure that commercial buyers of software need significantly more hand holding than the buyers of smokeballs had 120 years ago. (Consumers do though.)

I’m not a free-market zealot, but contract law is one of humankind’s most impressive creations.  


More on the Privacy-Portability conundrum

(from the cc flickrstream of dalziel 86, thank you)

My post yesterday on Data Protection Law, Facebook and Scraping garnered more interest than my normal Enterprisey software ramblings. Dennis kindly picked up on my post twice, and I  experienced a considerable spike in traffic and commentary courtesy of  Robert. 

I’d not paid much attention to the announcement, so after reading about it over at Dennis’s and Mike’s and at techcrunch HQ I had a little browse through the website and Ben’s blog.

I’m pleased to see the social networking companies getting together and discussing inter-operability issues. These issues are important: users of these services are right to be concerned about lock in, and the inconvenience of moving from one platform to another.

Sharing is only one side of the equation though, and I would prefer the companies concerned to look at a broader collaboration. They really need to be examining the broader topics  of identity, trust and context.  I hope that they are.

I’d urge the folks involved in this effort to get in touch with the Prime Project and other research projects in this space. Talk to these folks, for instance. Researchers have been grappling with the challenges of technology, privacy, identity, data reuse for decades. There is a tremendous amount of prior art that should and must be leveraged. This isn’t just a European thing either. Perhaps check out Lessig, Rotenberg, Swire, Litan, Hahn, Cate, Shostack, Westin, Cohen, Burk, Lemley, Acquisti, Kesan, Froomkin, Samuelson, Solove… and more.

I was a tad harsh yesterday about Alec Saunders’s manifesto post, as I later found out it has the backing of one of Canada’s (if not the world’s) leading Privacy experts, Michael Geist. Thanks and apologies Alec. Oh, and Mike at Techcrunch UK, I got the joke, eventually. Don’t give up your day job though.

My post yesterday merely glossed over some of the issues with scraping and Facebook, but I’m glad it helped get people talking. The issue at stake though has little to do with sharing business cards. It goes a whole lot deeper. If you have a moment, head over and read what JP had to say a couple of weeks ago.

I am responsible for the contact information I hold. I am accountable for that information. Accountable to friends who have trusted me with that information. And if I pass that information on without their implicit or, in some cases, explicit, permission, I am breaking their trust in me.

This, to me, is issue number one to do with any debate on information “ownership”.


And it’s a biggie.

Then via JP I came across this blog – Freedom to Tinker. Goodness. Subscribed.

Where did we get this idea that facts about the world must be owned by somebody? Stop and consider that question for a minute, and you’ll see that ownership is a lousy way to think about this issue

(Btw, you may also find Bill Zeller’s comment illuminating.)

There is significant debate in legal circles about the pros and cons of privacy as a right and/or as property. Schwartz’s paper here is well worth a read. As Schwartz notes,

At its core, information privacy has both an individual and a social value. Hence, I end on a note of caution: ongoing scrutiny of regulation of personal data is needed because failure in the privacy market can harm both individual self-determination and democratic

I do think the concept of privacy as property is a good one, especially in places where defining it as a fundamental right is nigh on impossible. There is also some good stuff over at the Burton Group blog.

I’ve suggested before that folks, especially in the US, should read Solove’s latest book. You can download the first chapter here.  I’ll also be getting this for bedside reading.

The more people start thinking about the implications of what they share, the better. Many of the US commentators on the blog felt that EU privacy law was dumb, or worse. It does have its problems, but before you consign it to the bin, check out a bit of privacy law history. The UK Information Commissioner’s website has come on leaps and bounds too. The US site EPIC is an excellent read.

I’ll leave you with a fabulous quote from Michelle Dennedy, Sun’s Chief Privacy Officer, courtesy of one of the mighty governor’s excellent posts.

Her own little girl came up with a brilliant take on privacy and what it is:

Privacy is like grass, she told her mom. Why asked Michelle? Because it keeps the dirt from being naked… 

Facebook, Scoble, Manifestos and European Privacy Law.

Thanks to the truly brilliant stream of Auntie P.

I’m very late to this, and originally I wasn’t planning to comment on the Scoble-Facebook thingy (see techmeme), but after seeing James Governor’s link comment about Nick Carr’s post, I figured I’d jump in.

James said…

my take: Che? No. Scoble the Mike Huckabee of the A-list. He thinks privacy is “just a theory” but runs awesome home and webspun campaigns… aw shucks

Spot on James. (thanks also to James for getting me into this CC flickr photo thingy)

Part of Robert’s defence is that he was “only” collecting

Names and email address and birthday.

But name, email address and birthday are personal data.

Here in ye old Europe we have a pretty clear legal definition of personal information.

Personal data are defined as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;” (art. 2 a of the EU Data Protection Directive)

I don’t want to go into a long history of European privacy law here, but the ancient runes (1980) of the OECD guidelines are a good starting place. The seven principles governing the OECD’s recommendations for protection of personal data were:

   1. Notice—data subjects should be given notice when their data is being collected;
   2. Purpose—data should only be used for the purpose stated and not for any other purposes;
   3. Consent—data should not be disclosed without the data subject’s consent;
   4. Security—collected data should be kept secure from any potential abuses;
   5. Disclosure—data subjects should be informed as to who is collecting their data;
   6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
   7. Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principles.

These principles eventually wound up as the foundation of the Data Protection Directive, which in turn ended up in the national law of all EU countries. They would make a good start for anyone building a terms of service for an offering that consumes personal data too.

The principles in the UK Act are defined as follows:

Personal data:

  1. Shall be processed fairly and lawfully
  2. Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose(s)
  3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Shall be accurate and, where necessary, kept up to date.
  5. Processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.

Robert Scoble’s actions may be perceived as noble in some quarters, but they don’t impress me. He single-handedly bashed through most of the basic principles of privacy with his scraping exercise, never mind Facebook’s terms of service. Facebook was right to take Robert on here. Facebook is subject to the provisions of European Data Protection Law. Facebook is part of the safe harbor. 

Carr nails it.

Facebook has an obligation to protect the data entrusted to it by its members. At the very least, members should have the right to decide whether or not their personal information can be scraped out of the Facebook database. Scoble did not give them that choice. That doesn’t mean that Facebook is the hero. It, like other social networks, happily scrapes information from members’ email accounts to identify possible new members. Facebook will scrape when it suits its commercial interest but will block scraping when it doesn’t. Still, in this particular case, Facebook did what it needed to do: protect the information and the interests of its members. Until controls are in place, unauthorized scraping of other members’ personal information shouldn’t be allowed.

What the Scoble affair reveals is that the issue of “data portability” is not a simple issue but a fraught one. Data scraping can make our lives easier, but it can also put us at risk.

So does Anne

Even if Scoble’s Facebook friends agreed to let him view their data on Facebook, they didn’t agree to let him take that information wherever he wants to do with what he wants. He could use a screen scraping program to grab data that they consider just-among-friends and stick it out in public without any regard for their privacy settings. You might say, “Scoble wouldn’t do that” but it’s Facebook’s responsibility to see that it doesn’t happen.

Data portability could be designed into Facebook in such a way that it doesn’t compromise user’s privacy. At the very least, an opt-in to profile sharing outside Facebook would need to be provided. Allowing uncontrolled screen scraping is not the answer

And Loren Feldman’s acerbic take is well worth a watch.  See the comments too. This one from Patrica, (who has a super  golf blog)

Though evidently there are a number of geek wannabes out there just itching to join a data martyr movement.

Hat tip gapingvoid’s twitter

You may find this article on the position of Facebook in UK law interesting. Facebook could move at speed to suspend Robert, but seems awfully unwilling to let other people voluntarily remove themselves. I’ve rambled before about Facebook and data protection law.

Robert, no doubt, had good intentions, but he was breaking the law, both in terms of the Facebook terms and conditions, and for those Europeans lurking in his 5000 “Friends”, a good bit of data protection law too.  Processing 5000 records moves one beyond the realms of Dunbar’s law into data controller mode.

I’m glad to see blawgs joining the discussion, for instance the Canadian Privacy Law Blog.  Also I’m very pleased to see privacy manifestos emerging, such as this one over on gigaOM, but rather than inventing stuff from new, I’d propose that the web 2.0 gurus get talking with some folks who know privacy and its complexities.  It is a lot harder than it looks. 

The right to privacy is one of the most complex legal and technical issues, and not just since web 2.0.  The Germans passed privacy laws in the 1970’s and are still grappling with the balance between privacy, security, freedom of speech.  One of the most famous cases in US law is mainly about privacy rights. 

The more folks start thinking and talking about privacy, and the sooner privacy impacts buying decisions the better. 

Daniel Solove’s recent book is a damn good place to start, especially from a US perspective.

For the technical challenges, Jeff Jonas is a must read. I’d like all developers who touch personal data to read and understand Kim Cameron’s laws of Identity.

I’d love to see more from Pangloss or on this too, oh and a Geeklawyer rant would be nice too.  I hope to be at this conference next year, the 8th Privacy Enhancing Technologies Symposium (PETS 2008).  It would be even better if Facebook sent some folks along too.

A seat at the table redux

From Claudine’s excellent stream. Thanks.

Over on Phil Fersht’s blog the HR navel gazing seat at the table angst session about HR’s role continues, triggered by the inflexion advisors 2008 predictions. Lots of interesting comments. Very similar to the discussion over here last year.

The brilliant Evil HR Lady nailed it then.

What are models? Crud people, hire yourself some statisticians.

This HR angst about its role and importance, and whether it has, deserves or will ever get a seat at the table or not is rather tiresome. It has been going on ever since I started in the field in the early 1990’s, and it is about time it stopped. If HR is to get a seat at the table, then it needs to get off the therapy couch.

The other predictions from inflexion advisors are a lot more interesting. Subscribed.

8 things you (probably) don’t know about me.



A tag dog. From Jimshoresart flickr. Check out his shop too.

Hmm. I’ve been tagged. By Maggie and Susan. Their wish is my command. They are not to be trifled with, those two.

Last year I did the 5 things tag, so it seems that we are now heading into inflationary times.

1. I skipped going to the South African Army. At the time it was compulsory for white males to go, but I figured that if I stayed at university for long enough, the problem of spending two years being shot at or being very very bored etc would go away. It worked. This same technique doesn’t work for tax returns though.

2. I’m a collector of useless facts. While at prep school I once stood up (aged 10) in assembly and corrected the headmaster. He had just said that Charles Lindbergh had been the first person to fly non-stop across the Atlantic. I stood and said, “Please sir, you are wrong. It was Alcock and Brown in 1919 in a Vickers Vimy, Lindbergh was the first solo flight.” He replied, “Otter, I bow to your superior knowledge.” Unfortunately, most other people are not as gracious when I bore them with trivia. This does mean I’m quite good in a pub quiz.

3. I lose things. My latest loss is my jawbone. If you find it, please send it back.

4. Before I was married, I drove an old Porsche. A 1970 911 2.2T to be precise. It was a fantastic car, if a tad expensive to maintain. An early 911 remains my dream car.

5. One of my biggest regrets is that I never really gave mathematics a proper go at high school. I disliked my teacher, so I then disliked maths. It was dumb. Today I sense a beauty in mathematics that I can’t quite grasp.

6. I was born in  England.

7. My favourite bar in Heidelberg, if not the world, is Destille.

8. My brother will probably beat anyone you know at Scrabble.

In the tradition of these meme things, one should pass it on, so I’ll tag James Farrar, Steve Mann, Mike Prosceno, and Nigel James.

Street art as a social object

I’m very taken with Hugh’s recent ponderings on the term Social Object. It is a great way to explain how marketing succeeds and fails.

The Social Object, in a nutshell, is the reason two people are talking to each other, as opposed to talking to somebody else. Human beings are social animals. We like to socialize. But if you think about it, there needs to be a reason for it to happen in the first place. That reason, that “node” in the social network, is what we call the Social Object.

Hugh’s blue monster is a Social Object.

Here is another Social Object in the Microsoft context.


(photo from Andreas Solberg’s excellent flickr series. Thanks)

Brings me nicely to a point I’d been planning to make about Social Objects. You don’t get to choose the Social Objects, your customers do.