Of Cobblestones, Solomon, Paula, Gunter, Joseph and the GDPR.

I’ve been reading a fair bit of software vendor marketing and press from around the world about the GDPR. It seems to me that a lot of it misses the point. GDPR is seen as a compliance burden, an unwelcome dose of EU bureaucracy or at best a useful opportunity to sell security software. It is perhaps useful to reflect on why the GDPR and its predecessors in data protection legislation came into being.

I was walking to the train station in the rain this morning, and I paused for a moment by the pair of Stolpersteine (tripping stones) on the corner of the street where we live. I’m not sure why I took the picture today, perhaps they glistened from the drizzle. I wondered what Salomon and Paula were like, what were their hobbies and their foibles, did they watch football or play tennis together, what jobs did they do, was she left handed, who were their friends, what colour was his favourite tie, did he make puns that made her smile, did she play Chopin on piano so that the notes drifted down the street on the breeze, did they hold hands as they walked beside the Neckar on that summer’s evening for the last time?

Image: two Stolpersteine side by side, for the Deutsch family.

Gunter Demnig began this art project in 1992. The first stone was laid in Salzburg, Austria, and now there are over 27,000 plaques across 22 countries, and growing. Think of it as a distributed museum. They all follow the same format, size and font. In situ, on the doorsteps of houses, for me they are more powerful and poignant than any centralised memorial or museum. They bring an uncomfortable intimacy and they force me to think about how easily such an evil could come into being. (Check out more about the stones here.)

The GDPR exists to protect our data (and our person) from abuse.

This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. (Article 1 (2) GDPR)

Software has the potential for enabling goodness, yet it can also empower evil. Software can encourage democracy, but it can undermine it too. Software can level the playing field, or it can entrench privilege. The power of software to find, sort and group people is both awesome and awful. It is a mighty thing that we wield.

As an industry we need to see people’s data as something to treat with care and respect. The GDPR is a long overdue firm nudge for us to remember that.

One of the pioneers of artificial intelligence, Joseph Weizenbaum, fled Berlin for the US as a child in the 1930s. I suspect there is a Stolperstein for his family on a street in Berlin. His book, Computer Power and Human Reason, should be required reading for all those building software.

“The computer programmer is a creator of universes for which he alone is the lawgiver. No playwright, no stage director, no emperor, however powerful, has ever exercised such absolute authority to arrange a stage or field of battle and to command such unswervingly dutiful actors or troops.”

We proclaim gleefully that software is eating the world, and data is more valuable than oil, so it is high time the software industry took its human rights responsibilities more seriously.

I, for one, welcome the GDPR.

Customers, colleagues, Facebook, Twitter, LinkedIn and my writing day.

I have been spending the last few months deep in accessibility law, testing, standards, universal design, GDPR, the early history of business computing and of course my old friend, Sarbanes Oxley. I am an expert on Heidelberg and Sandton coffee shops, and I have spent far too long debating the value of one font over the other, and the merits of footnote or in-text citations. This week I have finally felt the adrenaline kick that comes from writing several competent pages and seeing a couple of pieces start to fit together. Long way to go though.

By the way, if you do any kind of research work, get hold of the tool called Mendeley. It is genius.

While I’m no longer in the hurly-burly of product management at SuccessFactors, Facebook, Twitter and LinkedIn keep me abreast of what’s up back at the farm.

It was cool to read that Employee Central had hit the 2000 customer mark. Whenever I see those milestones I think back to the early customers without whom EC would not have 100 customers, never mind 2000. Earlier this week, Liezl’s Facebook gave me a detailed account of her visit with a South African customer to Timken, one of those early adopters.

But what prompted me to write this was a new connection today on LinkedIn. Tim Gregory, the Director of HR Ops at Corning, sent me a connection invite. While I had been involved in the early stages of the Corning project, I’d not actually met Tim. We had a nice online chat, and he was cool with me quoting him about their go live.

I’m the Director of HR Operations here at Corning Inc – we went live with SF in July (23 countries, 12 languages, 70 integrations, all modules – except learning).

Not to overstate it… but yet we’re pretty euphoric over here.

While 2000 is a cool number, Corning as happy campers is even better. Thanks Tim, you made my day. I’m going to be following up with you on the blockchain thing.

Now, time to get back to this pile.

Conferences, comedy, clouds and contracts.

Continuing my attempts to bring Shakespeare into as many posts as I can…

Let specialties be therefore drawn between us,
That covenants may be kept on either hand.

(The Taming of the Shrew, II. i. 127-8)

A couple of weeks ago, I presented at the HR Technology Conference in Chicago, the topic being SaaS Contracts: how not to get ripped off. I made an animation to start the presentation, as talking about contracts can be a bit dry.

If the embedded version doesn’t behave, watch it here. My goal was to show the naivety of the typical buyer when dealing with a smooth salesperson. In the space of about 2 minutes, the buyer makes at least 9 major blunders. See if you can spot them. It is supposed to be funny, but I’ll let you be the judge of that.

A week or so after the event I did a podcast on the Bill Kutik Radio Show, where I go into a bit more detail. Have a listen here. I’m not a lawyer, so this doesn’t constitute legal advice, but I’m saddened by the ignorance on the side of the buyer, and the willingness of the seller to exploit that. That is business, I guess.

Or as Camillo said in The Winter’s Tale:

You pay a great deal too dear for what’s given freely.

We also have a lot of research on how to buy cloud/SaaS solutions. Gartner clients should definitely check out Alexa Bona’s research. Whether buying or selling, getting a fair contract is best in the long run.

(I’m very impressed with the Xtranormal tool for animation. I checked with their legal folks on usage, what a pleasure to deal with them).

Sunlight, process, systems, moats, tennis courts, flipping, heatmaps, mashups and flat screen TVs.

Image: from the CC Flickr stream of sludgegulper. Thanks!

I have been watching and reading about the goings on with the UK parliamentarian expenses with a mixture of incredulity, dismay, horror, and anger. This is a grave insult to the UK taxpayers, and a blow to global democracy. Corrupt politicians around the world can sleep easy. One man’s moat is another man’s Wabenzi.

Other than all the information about moat cleaners, tennis courts, duck shelters, large screen TVs, iPhones for husbands, 200 mile taxi rides, tax advisors, and mortgage payments on mortgages that no longer existed, I was struck by the absolute lack of process and systems to manage the expenses. The inefficiencies and the lack of control are astounding.

The problems are bigger than technology. The whole process needs a complete overhaul, but essentially we are talking about some basic compliance procedures: workflow approvals, automated routing of claims that fall outside policy, electronic receipt management, and SOD (separation of duties). Even a simple expense management system would go a long way to stopping this sort of abuse happening again. Rules can be easily automated and enforced, and with a bit of configuration, even issues such as flipping and claiming for trivia could be managed.

Driven out of a good process system, the data could also be easily mashed up with consumer analytics tools such as Google Maps and a simple query tool, giving concerned citizens the ability to audit.

Indeed, there has been a wave of excellent mashups and analytic reports based on the data that has been released and collated.

Charles Arthur over at the Guardian has a closer look. Tony Hirst’s blog gives an excellent account of the technical effort needed to do this, showing what he has done with essentially free software. It is interesting to see how various technologies and techniques have been deployed (more here). It is a fascinating study for anyone interested in analytics and data visualization. It does make the analytics offerings of many of the software vendors I cover seem rather dowdy, but that story is for another day.

Shining a bit of sunlight on the issue by opening up the data is the best remedy. After all, when I last looked, parliamentarians work for the citizens.

Launching a survey.

As some of you know, I’m labouring away at what must be one of the longest part-time PhDs ever. My research is looking at how software code and law work or don’t work together. However, there is light at the end of the tunnel. In order to add a bit of empirical juice to what will be a rather dry theoretical legal tome, I’ve decided to do a survey.

I won’t bore you with the whole long story of the dissertation here, but if you are interested in knowing more, please drop me a note and I can send you more details.

Whether it is ERP systems or toasters, software impacts much of our daily lives. We ask and demand software to do things on our behalf; software transacts, it searches, it assesses, and in some cases it judges us. Legal systems have evolved over centuries to codify rights and obligations in societies. Throughout history law and technology have interacted, modifying each other along the way. It is often an uneasy relationship.

Whether it is contract law, licensing, intellectual property, privacy laws, accessibility or liability, software and law interact significantly. There is a fairly large field of research looking at this relationship between code and law (Lessig being the most famous, but there are many others).

However, not much research has focused on the role of the software developer and software firm in this relationship. So I decided to spend part of my dissertation looking more closely at the role of the software firm and the software developer in the code as law relationship. I want to ask as many software people as possible about what they understand of the law that can impact software, and what their attitudes are towards a couple of legal concepts in a software context.

It is designed to gather information about the knowledge, education and attitude of software developers towards the law related to software, and how law is or isn’t built into software. My goal is not to just have a small survey of a couple of hundred developers, but to really survey lots of them.

To do this, I want to tap as many of my readers  as I can to spread the news of the survey, and for as many of you to take the survey as possible. The more answers I can get from around the world, the richer the results will be. I will also be following up with telephone interviews with a much smaller sample group.

In this survey I have used the term software developer rather broadly. I define this to be anyone working professionally to design, build or maintain software (information technology). So if you are a product manager, solution manager, implementation consultant, systems architect, business analyst, or a systems tester, for instance, then we would be just as interested in your responses. The survey isn’t just aimed at those who code, but at those who make a living from its construction and maintenance. Much of this group would fall under that definition. The Germans have a rather nice term, Informatiker, but it doesn’t really translate very well.

Although Gartner is supportive of my PhD, this research doesn’t form part of my formal Gartner research agenda. In other words, it isn’t a Gartner survey!

Several developer friends have been kind enough to test the survey and give me feedback, much of which I have incorporated in this final version. (If you tested the earlier versions, please take the survey again.)

Blunders and errors remain my responsibility.

Here is the survey as it stands today.

https://www.surveymonkey.com/s.aspx?sm=oxUTPWBBgFXHolONAGhAJg_3d_3d

Please take this link and spread it to your software friends, colleagues and families.

Facebook, Scoble, Manifestos and European Privacy Law.

Image: thanks to the truly brilliant stream of Auntie P.

I’m very late to this, and originally I wasn’t planning to comment on the Scoble-Facebook thingy (see techmeme), but after seeing James Governor’s del.icio.us link comment about Nick Carr’s post, I figured I’d jump in.

James said…

my take: Che? No. Scoble the Mike Huckabee of the A-list. He thinks privacy is “just a theory” but runs awesome home and webspun campaigns… aw shucks

Spot on, James. (Thanks also to James for getting me into this CC flickr photo thingy.)

Part of Robert’s defence is that he was “only” collecting

Names and email address and birthday.

But name, email address and birthday are personal data.

Here in ye olde Europe we have a pretty clear legal definition of personal information.

Personal data are defined as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;” (art. 2 a of the EU Data Protection Directive)

I don’t want to go into a long history of European privacy law here, but the ancient runes (1980) of the OECD guidelines are a good starting place. The seven principles governing the OECD’s recommendations for protection of personal data were:

   1. Notice—data subjects should be given notice when their data is being collected;
   2. Purpose—data should only be used for the purpose stated and not for any other purposes;
   3. Consent—data should not be disclosed without the data subject’s consent;
   4. Security—collected data should be kept secure from any potential abuses;
   5. Disclosure—data subjects should be informed as to who is collecting their data;
   6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
   7. Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principles.

These principles eventually wound up as the foundation of the Data Protection Directive, which in turn ended up in the national law of all EU countries. They would make a good start for anyone building a terms of service for an offering that consumes personal data too.

The principles in the UK Act are defined as follows:

Personal data:

  1. Shall be processed fairly and lawfully.
  2. Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Shall be accurate and, where necessary, kept up to date.
  5. Processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.

Robert Scoble’s actions may be perceived as noble in some quarters, but they don’t impress me. He single-handedly bashed through most of the basic principles of privacy with his scraping exercise, never mind Facebook’s terms of service. Facebook was right to take Robert on here. Facebook is subject to the provisions of European Data Protection Law. Facebook is part of the safe harbor.

Carr nails it.

Facebook has an obligation to protect the data entrusted to it by its members. At the very least, members should have the right to decide whether or not their personal information can be scraped out of the Facebook database. Scoble did not give them that choice. That doesn’t mean that Facebook is the hero. It, like other social networks, happily scrapes information from members’ email accounts to identify possible new members. Facebook will scrape when it suits its commercial interest but will block scraping when it doesn’t. Still, in this particular case, Facebook did what it needed to do: protect the information and the interests of its members. Until controls are in place, unauthorized scraping of other members’ personal information shouldn’t be allowed.

What the Scoble affair reveals is that the issue of “data portability” is not a simple issue but a fraught one. Data scraping can make our lives easier, but it can also put us at risk.

So does Anne:

Even if Scoble’s Facebook friends agreed to let him view their data on Facebook, they didn’t agree to let him take that information wherever he wants to do with what he wants. He could use a screen scraping program to grab data that they consider just-among-friends and stick it out in public without any regard for their privacy settings. You might say, “Scoble wouldn’t do that” but it’s Facebook’s responsibility to see that it doesn’t happen.

Data portability could be designed into Facebook in such a way that it doesn’t compromise users’ privacy. At the very least, an opt-in to profile sharing outside Facebook would need to be provided. Allowing uncontrolled screen scraping is not the answer.

And Loren Feldman’s acerbic take is well worth a watch. See the comments too. This one from Patrica (who has a super golf blog):

Though evidently there are a number of geek wannabes out there just itching to join a data martyr movement.

Hat tip gapingvoid’s twitter

You may find this article on the position of Facebook in UK law interesting. Facebook could move at speed to suspend Robert, but seems awfully unwilling to let other people voluntarily remove themselves. I’ve rambled before about Facebook and data protection law.

Robert, no doubt, had good intentions, but he was breaking the law, both in terms of the Facebook terms and conditions and, for those Europeans lurking in his 5000 “Friends”, a good bit of data protection law too. Processing 5000 records moves one beyond the realms of Dunbar’s law into data controller mode.

I’m glad to see blawgs joining the discussion, for instance the Canadian Privacy Law Blog. I’m also very pleased to see privacy manifestos emerging, such as this one over on GigaOM, but rather than inventing stuff anew, I’d propose that the web 2.0 gurus get talking with some folks who know privacy and its complexities. It is a lot harder than it looks.

The right to privacy is one of the most complex legal and technical issues, and not just since web 2.0. The Germans passed privacy laws in the 1970s and are still grappling with the balance between privacy, security and freedom of speech. One of the most famous cases in US law is mainly about privacy rights.

The more folks start thinking and talking about privacy, and the sooner privacy impacts buying decisions, the better.

Daniel Solove’s recent book is a damn good place to start, especially from a US perspective.

For the technical challenges, Jeff Jonas is a must read. I’d like all developers who touch personal data to read and understand Kim Cameron’s Laws of Identity.

I’d love to see more from Pangloss on this too, and a Geeklawyer rant would be nice as well. I hope to be at this conference next year, the 8th Privacy Enhancing Technologies Symposium (PETS 2008). It would be even better if Facebook sent some folks along too.

Copyright, EFF Open Rights Group, and forming an opinion on digital rights.

Video here, if not visible. TEDtalks session.

I think I’ve read everything that Larry Lessig has published, and I saw him live a few years ago at the Oxford Union. This TED talk is one of his best. Restricting presenters to 20 minutes is a good discipline, at least in this format. Lessig is a master of using multimedia to delight and enhance his message, and his images leave an indelible residue in the back of your mind. Next time you hear a brass band, you will think of Lessig, and the need for copyright reform.

As adults we form opinions and take positions on issues such as war, abortion, death penalties, speed limits, drinking ages, the environment, human rights and so on. It is part of what defines us as human beings. It is time we did the same with copyright. Understanding copyright and intellectual property generally, and forming your own opinion about them is vital. I believe that as adults, we have a responsibility to understand copyright, its good bits and its problems, and have an informed opinion.

As politicians blog, and use YouTube, Twitter and the like, it is also time we heard from them about what they think of copyright. When you decide who to vote for, you assess their positions on a whole slew of factors; I’d ask you to add copyright to that list. I notice that John Edwards has come out in favour of net neutrality, but I’d love to know what his and the other candidates’ positions are on copyright and patents…

Some people have heard of the EFF, and indeed an EFF sticker on the MacBook is rather trendy in digerati circles.

Image: from pixelm.

It is worth spending some time over on the EFF site, and on Chilling Effects. The EFF is primarily focused on the US issues, but these are important for the rest of us, as US law and lawlessness has global repercussions.

If I’d been to Berlin for web 2.0, I would have listened to Cory Doctorow’s presentation on copyright. Instead, I’ll have to rely on Stephanie Booth’s notes.

Support the Open Rights Group

It is timely that my favourite law blogger, Geeklawyer, mentioned ORG (the Open Rights Group). This is the UK equivalent of the EFF. According to the said Geeklawyer, who is sometimes reliable…

Jolly good job too. As its 2007 report shows it has more than lived up to its promise and done some magnificent work for such a new and minimally funded organisation. For example so far it has influenced the Gower report, helped shine an unwelcome spotlight on the farce of e-voting in the UK and counterbalanced the gross dissembling of the shadier parts of the copyright industry. It’s now a central media resource for journalists needing more balance in their reports – something desperately needed.

I’ll quote from the report here.

Further, digital technologies are affecting citizens’ ability to exercise their existing legal rights effectively, as some segments of the private sector have increasingly looked to government to extend their rights in an effort to prop up outdated business models. And digital technologies may also generate new possibilities for public (non personal) data, though the UK government has tended to corral public sector information, limiting its exploitation and thus creative and economic opportunities.

For too long, there has been little informed public debate in the UK about any of these issues. Media coverage and policy-making has largely been driven by agendas set in Whitehall and corporate board rooms and there was no organisation in the UK defending citizens’ digital rights.

For those more technically inclined, James Governor has this to say.

ORG is now looking for more money and more members as it further professionalises. So if you’re in the UK sign up. The EFF is nice and all, but the ORG is looking after local issues. In fact I am going to go make a donation right now!

(Actually I think James and Geeklawyer ought to meet!)

Check out the ORG wiki here. The board and advisory council of ORG has some serious heavy hitters on it, including the drummer of Blur, one of the Cluetrain authors and several top legal academics.

You may read the EFF and ORG material and come to the view that you don’t agree with them, that copyright is fine the way it is, or even that Disney etc. need more rights. That is your democratic right. But I’d ask you to form an informed opinion.

“The civil rights battles of this century will be fought online – by groups of passionate, technologically keen, articulate volunteers like ORG.” — Cory Doctorow, author

There is more to the copyright question than copying music.