Thursday, March 19, 2009

Robust privacy protection for the Future Web

Thanks to Lilian Edwards and the organisers of Web Science 2009 in Athens, I was just able to give a video presentation remotely using Skype. I talked about future Web privacy, and was even able to record the video! The wonders of teh interwebs ;)

1. The EU Data Protection Directive has aged remarkably well — especially since it is based on principles that date back to a 1973 US Health, Education and Welfare report, updated by the OECD and Council of Europe in the early 1980s.

BUT purely legal protection isn’t sustainable given:
  • Ongoing rapid increase in CPU, bandwidth, storage
  • Sensors everywhere (CCTV, mobiles, ubicomp)
  • Corporate and government data-lust (marketing/Phorm, counter-terrorism, efficiency and personalisation drives)
  • Flaky systems and insiders
  • Speed of judicial system — DNA Database case took 17 years before decision by European Court of Human Rights (S & Marper v UK)

2. The UK's Database State/Transformational Government programme shows one possible direction of travel — a National Identity Register supports databases on steroids (NHS care records, DNA, Intercept Modernisation Programme, ContactPoint, ANPR), with CCTV everywhere.

3. Web Science can help! Privacy by Design is needed:
  • Accountability for data use — explored by people like Danny Weitzner at MIT — BUT subject to legal and social changes such as greater acceptability of profiling
  • Minimisation is critical — proper requirements engineering, and design of protocols and systems that limit 2nd-party access to identifiable data
  • PETs (privacy-enhancing technologies) can make a large contribution to this (like the anonymous credentials in CardSpace and Idemix)
  • Understanding user and organisational concerns, e.g. Privacy Value Networks.

4. Immediate wins:
  • Web 2.0: encrypt cloud data for storage and processing, decrypt at the client with e.g. Google Gears
  • Privacy-friendly advertising with client-side user-controlled segmentation and Private Information Retrieval to access adverts
  • Ubiquitous communications encryption

5. Privacy by Design is a good opportunity for Web Scientists to bring together expertise from law, computer science, political science and psychology to safeguard fundamental human rights on the Internet and throughout society.


Anonymous said...

I'm surprised about your first point. The DPA was done in a pre-net age, and it is totally outdated to how business is done these days, because it is built on a country-by-country / registered model. Data ain't like that any more.

As an entrepreneur, a reading and understanding of the directive and how it falls out in the various country DPAs says one thing: don't store your data in Europe. In the work I've seen in this area, I've seen nothing but derision for the DPA. Even people who work in privacy contexts think it is useless, and do not respect it. It is difficult for honest companies to be compliant when the advice they get is not based on a sound law and practice but on how to comply most cheaply.

Maybe, for the masses, the DPA is a successful facade that keeps them thinking that they are safe? From a business perspective, it is costs, risks and complications, pretence, distraction and ultimately no benefit to the end-user. E.g., this anonymous post :)

Ian Brown said...

The principles in the directive have proven flexible enough to last through decades of radical technical challenge. Which of them specifically do you think is outdated, with some concrete examples please? The only derision I've heard usually turns out to be from individuals who don't understand the principles.

I'm all for a market developing where some companies signal to consumers they care about their privacy, while others do not. Clearly, we need proper enforcement to prevent fig-leaf compliance.

Anonymous said...

The major principle that is outdated is that the presence of processing of data on the local server is the point of jurisdiction. This principle breaches the Internet's principle of world-wide service; it creates borders rather than smoothing them out. As a minor broken principle and pain, there is another rule that only a citizen/resident may process data, and this means that an organisation needs to register a party in each country where it does business, something that clearly breaches the fluidity of the way Internet data moves around. Even European businesses cannot easily move processing between branches without being large enough to be DPA-compliant in each branch. Classic raising of costs to protect larger businesses from smaller startups and foreigners, classic way to keep European businesses always behind the innovative curve.

Coupling those two rules together results in a trap. If data is moved into a country without a registered party, an illegal act is created. The upshot of this is that the law sends a strong message: if you want to stay inside the law, collect and process all data outside the EU, and never bring it in. This message applies equally to those inside and those outside. This strong message is probably why there is no proper enforcement, it would be painfully obvious if it was tried.

There are two responses that I have seen: Those that don't care simply process wherever and ignore the local law and regulation. They do it on many levels, but the core response is most businesses believe the regulators to be toothless tigers, and any slapped-on privacy icing is good enough. Of course, this is never said out loud. It is a facade, it works well enough to keep those on the user-privacy side in the belief that Europe has a strong privacy regime. Underneath the core is rotten, although I suppose it is an open question as to whether the facade is necessary to clean up the core, one rotten apple after another, or whether there is a better way to improve the privacy game.

The second response is much rarer; I've only seen it independently once. Businesses that want to be really compliant and really honest and do their due diligence work out the above trap in advance, and push their data to the USA from the beginning. They also get cheaper service there. The one solid example I know of was a startup in a privacy-conscious EU state, with full access to regulatory advice. For me, the real surprise was that the business had also acquired a local insurance contract that covered all legal costs for DPA-related issues, for something like 100 a month.

To look at a counterexample of a successful privacy law, take the Californian notification law. It chose to create its jurisdictional point on the person in California. With this, and by ignoring the location of the business and the data, it created a ripple effect that actually spread its message within a few years across 50 or so states. They were lucky of course, the DPD was written in the old city-state mentality before the Internet came along and put the cannon to the city walls.

Anonymous said...

Thinking about your comment a bit more, it may be that you are focussing on the principles, whereas the businesses focus on the law. Businesses are held to the law. It matters not to businesses whether the principles are widely agreed and a thing of wonder; what matters is what the lawyer reads in the Act, and what the regulator will pursue.

The rules of the law then breach the principles of the Internet. So what the principles of the directive may have done is proven flexible enough to allow the directive to be applied over time; but this doesn't mean that the result was good. The problem with the measurement of the result of the directive is that you are going to be only measuring good local businesses, not those that moved away, or never turned up in the first place.