If You Need Consent To Process My Personal Data, The Answer Is No

... there are plenty of reasons for businesses and public sector bodies to process the data they hold about you, without needing your consent. These are where the processing is necessary for:

• performing a contract with you, or to take steps at your request before agreeing a contract; 
• complying with their own legal obligation(s); 
• protecting yours or another person's vital interests (to save your life, basically);
• performing a task in the public interest or in the exercise of their official authority; 
• their 'legitimate interests' (or someone else's), except where those interests are overridden by your legitimate interests or your fundamental rights which require protection of personal data. 

The General Data Protection Regulation lists other non-consent grounds apply where your personal data is more sensitive: relating to criminal convictions and offences or related security measures; or where it reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; or it is genetic or biometric data for the purpose of identifying only you; or data concerning health or your sex life or sexual orientation. National parliaments can add other grounds in local laws.

These non-consent grounds for processing are all pretty reasonable - and fairly broad. So, if you don't have the right to process my personal data on one of those grounds, why would I want you doing so?

This would seem to herald a new era in which the Big Data behavioural profiling/targeting/advertising model begins to decline, in favour of personal Apps (or open data spiders) that act as your agent and go looking for items in retailers' systems as you need it, without giving away your personal data unless or until it is necessary to do so...

Unload The "Digital Wallet" Before Someone Gets Hurt

And that's not all...

The term "e-wallet" or "digital wallet" has always caused a physical reaction. But what started as a small twitch over my left eye in November 1999 now involves diving under a table. The term has become so loaded with giant concepts like 'identity', 'privacy', 'authentication', 'security', 'payment' and 'funds' that it's simply too dangerous to wave around in meetings.

We need to focus on more of the detail if business presentations are to have any meaning and projects are to deliver anything.

The term 'digital wallet' is impossible to define, anyway. The Oxford English Dictionary has no home for it, and it's wise to ignore suppliers' self-serving, product-specific definitions. Th'internet merely yields a confusing mish-mash: [my emphasis] "a system that securely stores users' payment information and passwords..." (investopedia) and "encryption software that works like a physical wallet during electronic commerce transactions." (webopedia). Unhelpfully, the Free dictionary explains "the wallet data may reside in the user's machine or on the servers of the wallet service. When stored in the client machine, the wallet may use a digital certificate that identifies the authorized card holder." 

Such definitions are confusing because they keep jumping the rails from party to party, feature to feature and function to function, each of which has different implications for transaction flows, data flows and funds flows (to the extent payment is even involved). 

Perhaps the only consistent aspect in the use of the term 'digital wallet' is the sense that it refers to a specific individual, or at least it should be capable of doing so. Otherwise, the term means so many different things that it's useless. FinVentures defined it to mean, "A consumer owned and controlled account that can store any electronic form of what is normally held in a physical wallet, including: payment, ID, coupons, loyalty, access cards, business cards, receipts, keys, passwords, shopping lists, …etc." Indeed, a 'digital wallet' could be a feature within an application or service, or an entire application or service, a database, a set of permissions and so on. It could reside on virtually any digital device, including a smart card or just a microchip. It could enable a specific person to initiate or conclude any kind of transaction, or merely be used in the course of intiating or concluding such a transaction.

So when you next hear the term 'digital wallet', seek cover behind a large, heavy object and try to defuse the situation by asking: 

• which parties are involved;

• which party is agreeing to do what, how do they agree, what actions are taken as a result and by whom;

• where the related data is stored and where it flows; and

• where any related funds are and where they flow.

It could save a lot of time and money.

Image from Tenets in DM.

Rethinking Personal Data

As part of its 'midata' initiative to empower consumers, the department of Business Innovation and Skills has been consulting on a proposal to give the Secretary of State a general power that "might be exercised broadly or in a more targeted way" to compel suppliers to supply transaction data at a consumer’s request. In the interests of transparency, I've summarised my response to the consultation over on The Fine Print. As previously explained, I should disclose that I've been involved in the midata Interoperability Board from its inception in 2011.

On The Futility Of Cookie Consents

It's a month or so since the Cookie Law took effect and already it's an exercise in futility. I haven't clicked on a single cookie consent, yet I know my browser and hard drive are lousy with the things - both the helpful kind that improve my experience of using the web site I'm visiting, and the small proportion that feed information about me to third party advertisers.

There are two reasons for not clicking on cookie consents. 

Firstly, I don't reserve a single minute in my day for reading cookie consents. Life is short. Every second spent not reading cookie consents is a priceless investment in something potentially productive. Sleeping is a better use of time. Not reading cookie consents is in the same category as never watching American celebrity murder trials, or Big Brother or X Factor. Or... well, you get the picture. Reading cookie consents is a true waste of time.

Secondly, the Cookie Law is a one-size-fits-all requirement for user consent before setting all types of cookie - both those that will help you retweet this post and immediately return to read more, as well as those that will lead someone to conclude you have a passion biscuit recipes after you've read this post. I have no problem at all with the first kind, and it seems overkill to ask me to opt-in or out to them being set. I can clear them if I want to. And making me click "I accept" for all types of cookies doesn't even scratch the surface of the very specific, difficult challenges posed by the second kind of cookie: how and why the data about my movements is going to be shared with advertisers, and ensuring it is in fact used appropriately. Those challenges need the pragmatic, holistic attention of a WEF 'tiger team', not the overly zealous intervention of Eurocrats using data protection law as a means of delivering the single market fantasy.

Image from Jefferson Park.

When Will Control Truly Shift To The Consumer?

For those engaged in the process of empowering consumers, 2012 is already a fascinating year. So it was timely that a bunch of us met at Ctrl Shift's "Explorer's Club" to try to map the timeline for when 'customer relationship management' truly inverts and firms finally acknowledge their customers control them. 

The output of the session is being converted into an 'infographic' that will be available as a reference soon. In the meantime, here's an excellent drawing that Joel Cooper produced during the session to reflect the various themes:

Any Similarity?

Of Living The iLife, Dinosaurs and Data Portability

I'm not here to sound the death knell for Apple, but the announcement of the iCloud is a defining moment in the company's development. Will it remain a facilitator, or become an institution that exists only to ensure its own survival?

The 'cloud' or utility model for computing is not new. In fact, consumers have arguably held their data and basic applications 'in the cloud' ever since adopting public email services, blogging services and so on. What's new about the iCloud is the automated way in which all a consumer's content may be synchornised and otherwise 'managed' across all the consumer's (Apple) devices.

Seen from a hi-tech standpoint, Apple's move is typically bold and innovative. Yet the centralised omnipotence this may hand to Apple seems an attempt to reverse a 20 year trend toward enabling consumers to control their own data. In this sense, the iCloud appears to be the sort of product a major bank or telco 'dinosaur' would introduce in a last ditch effort to survive by locking-in its customers - and just imagine the complaints there'd be, given the switching challenges for consumers in those markets. So data portability is absolutely critical (along with personal data protection and security), if the iCloud is to be seen as a consumer 'enabler' rather than a predatory move by an aging institution.

But does the mainstream consider data portability to be important? I mean, I'd like to think that Apple's early, tech-savvy customer base would realise it's a bad idea to hold all your applications and data with a single provider, just as financially savvy folk realise the benefit of a fully-diversified investment portfolio. I have an iPhone and an iTunes account; but I also have a Toshiba laptop and a Dell PC. Those computers run Microsoft's Windows and Office package, and I have a Hotmail address; but I very deliberately browse with Firefox, blog via Blogger (Google), Tweet, hang out on Facebook and follow various blogs using Netvibes. And I use Spotify, not iTunes, as my main music service. In other words, I'm not going to let any one provider see, process, hold or control all my data - or even have a complete back-up or copy. That would feel closed and controlling, rather than enabling.

But, ironically, I suspect many people in the mainstream will see the need for software service diversity as a hassle or a problem to be solved by a single service provider, which is why Apple may quite genuinely see a market for the iCloud.

Does that make Apple a genuine facilitator or a dinosaur that's spotted a meal?

Image from eBandit.

Prior Consent For Advertising Cookies

The "Article 29 Data Protection Working Party", comprising representatives of EU member state data protection authorities, has published an Opinion that the ePrivacy Directive will require prior informed consent before setting a tracking cookie on a user's browser from May 2011.

As I explained in a June 2009 article for Practical Law on behavioural targeting of online advertising:

"Cookies may be either "session cookies", which are temporary and deleted as soon as you close your browser; or "persistent cookies", which are stored on your computer hard drive until they expire or you remove them. You can configure your browser to warn you whenever a new cookie is about to be stored; clear the cookies that have previously been set; and/or block specific cookies in advance. Of course, you can also choose not to visit a website or use a service whose cookies you do not want to receive."

And as I also explained, "guidance by the Information Commissioner's Office (ICO) allows presumed consent, with a clearly displayed privacy policy or other means of opt out to enable a user's refusal (Article 5(3), E-Privacy Directive, transposed by regulation 6, E-Privacy Regulations)."

But opt-out is not sufficient, the Working Party now says, and relying on users' control of browser default settings will not be considered "in most cases, as meaningful consent... Prior opt-in mechanisms are better suited to deliver (sic) informed consent."

Officials also say that consent should be of limited duration (e.g. a year), easily revoked, and consent tools should be visible where monitoring takes place. There is commentary on how web site publishers, advertisers and advertising network providers should comply. Advertising interest categories aimed at children are discouraged, and in any case prior informed parental consent is likely to be required.

Further consultation is taking place, with selected parties, though other contributions are welcome. Apparently.

In the meantime, you might look forward to a more crowded, interactive browsing experience with lots of guff about cookies, from mid-2011.

Image from Law Is Cool.

Internet Regulation Won't Stop Black Swans

I enjoyed Professor Michael Froomkin's recent "Golden Eggs" lecture on internet regulation. He foresees the future regulation of the internet being shaped by the tension between the 'Cypherpunk' vision for a distributed, democratic , libertarian environment - and 'Data's Empire' - where established institutions respond to the perceived threat of the internet by trying to create a centrally controlled environment. He cautions us not to be complacent or 'technologically deterministic'. There are opportunities for us to make real choices to avoid "killing the goose that is giving us golden eggs of innovation, decentralization, and personal empowerment".

This model does not only describe the two broad forces at work in the online regulatory environment. Generally, our individual desire to control our own experience tends to be opposed by institutions' desire to retain control of how they deal with us. Indeed, it might be said that explosive Internet adoption occurred because individuals pragmatically recognised and seized an opportunity for individual empowerment in the face of comparatively rigid institutional control in the offline world.

Yet institutions try to catch up, and the cycle continues. Michael hints at this when he notes "to a surprising extent both sets of trends have manifested themselves simultaneously. The question is whether those two trends can continue, or if instead we are witnessing the start of a collision between them." Of course, we are seeing collisions everywhere, all the time, between individuals and institutions each trying to control their relationships. Just consider all the markets, services and activities impacted by the Web 2.0 phenomenon, and the realisation that brands must become facilitators rather than institutions.

But we should also consider that 'control' is illusory. Human behaviour is not predictable and, while it may appear that people are acting in a controlled way in certain scenarios or under certain regimes, radical change is never far away. The fall of the Berlin wall and the credit crunch are two of many situations or activities which appear to be under fairly strict, central control but are in fact not - or at least not in any sustainable way. This is not a technologically deterministic view. It simply acknowledges the nature of the world. We are constantly exposed to the risk of "Black Swans" - surprise events that have a major impact which we rationalise by hindsight, as if they had been expected. Andy any inquiry into the why's and how's of such events is largely academic, albeit tantalizingly so.

So, while real regulatory choices of the kind Michael mentions may remain to be made, we should not count on those choices as having the intended effect of delivering 'control' for any sustained period of time. Regulation cannot possibly cover every eventuality, and is too slow to create, too blunt and too easily circumvented by anyone sophisticated and determined. Cryptography and the sheer volume of users and data make a mockery out of online access and content controls, centralised 'mining' and monitoring. We do rely increasingly on facilitators to find desired data and/or edit/adapt it in some way to make it more manageable for us or our devices - and these represent natural 'chokepoints' for regulators and commercial institutions, as Michael Froomkin points out. However, these chokepoints are also easily circumvented, either as described or by the rapid rise of the next facilitator or competitor, and related technological innovation.

This is not to say that those who purport to edit more actively what people see should not be subject to democratic controls over their exercise of editorial discretion. There seems to be (a somewhat surprising) acknowledgement of this in Google's decision to fund the Advertising Standards Association's efforts to regulate online marketing activity. The point is that new standards won't protect us from calamity.

The ultimate challenge, as Nicholas Taleb warns, is to minimise or avoid exposure to the potential downsides posed by Black Swans, while maximising one's exposure to the potential upside. To illustrate this in financial terms, it would be a mistake to borrow money to 'short' stocks, but worthwhile to invest a small proportion of your savings in Hollywood films. In the online world, Black Swans would seem to loom most obviously in the content arena - or perhaps fraud. Regulation is heavily focused in this area, but that is merely a signpost. We must take responsibility for our own practical choices. These include whether to share thoughtful or sordid content, to engage in copyright violation or to openly publish key personal financial data or photographs of your family. It's worth considering that the internet hasn't changed our propensity to behave well or badly, but may have amplified the outcomes.

To bring it down to a personal level, I maintain my anti-virus protection and avoid or minimise sharing what I'd regard as 'key' personal or financial data, even though there are comparatively fewer people out there who would use it to my disadvantage, since the impact their activity is so personally disruptive. However, I do acknowledge that the benefit to sharing certain limited personal transaction data - with credit reference agencies, for example, and some retail or social networks - can outweigh the downside of misuse. In these circumstances, you might think that more regulatory and commercial resource should be dedicated to quickly and efficiently restoring a person's control of their own identity once control is lost, rather than drastically limiting the availability of personal data or intervening too much in the exchange of information in social or retail networks.

Similarly, I post my thoughts and share others' because I hope they are better shared than consumed by me alone - and the (small) chance that millions might find such a thought worthwhile represents a very positive potential experience ;-). Conversely, I would not (even if I wanted to) create or share sordid content because it represents exposure to an extremely negative outcome. That said, I acknowledge a middle ground where (within reason) the assessment of what's merely in good or bad taste is hugely subjective and may change. For example, I recall being struck by the fact that 'topless bathing' was deeply frowned upon in Sydney one summer yet utterly commonplace on Bondi Beach the next. Similarly, we'll hear the last 'cautionary tales' of people losing their jobs over embarrassing photos of university hi-jinks once the 'Facebook generation' become middle managers.

The point remains, however, that we must take responsibility for our own personal vigilence, even if employers come to tolerate the odd embarrassing photo, or the government succeeds in tightening internet content controls. Those Black Swans will still be out there.

Social Networks No Playground For Bullies

Interesting post by Yasmin Joomraty on 'cyber-bullying', arising from the Keely Houghton case.

It seems clear from this case and other instances I've heard about that if someone resorts to cyber-bullying it's just the tip of the iceberg. So 'cyber-bullying' doesn't really exist as some kind of distinct evil in itself. Moreover, the bully's use of a social networking site is self-defeating, in that it arms the victim with the evidence needed to successfully fight back.

So cases like this are actually good PR for social networking services, just as, say, Betfair's standing was helped by the utility of its audit trail for those trying to clean up corruption in sport.

However, such illustrations of how evidence from online services actually helps with the detection and prosecution of crime also suggest we need to remain vigilant against the potential for the abuse of civil liberties, privacy, personal data and so on when it comes to the access and use of online data by the authorities and others.

Is Your Mobile Number in This Directory?

I was stunned to learn from El Reg, that Connectivity Limited, trading as 118800, has "worked closely with the regulatory authorities" in launching "the only directory with millions of mobile numbers" in it. When you want to track down someone's mobile number, you enter the poor unfortunate's details and if 118800 has the number, this crowd will text the person a message to call you.

WTF?! This is hardly innovative or useful to anyone except stalkers and cold callers. If I wanted people to whom I haven't given my mobile number to be able to call my mobile, I'd publish the number myself and they could Google it, or find it on Facebook or wherever. But I don't. And I stopped publishing my home number for the same reason years ago.

Naturally, one of the FAQs is "How the !*&% did you get my mobile number?" (not), and their answer is:

"Our mobile phone directory is made up from various sources. Generally it comes from companies who collect mobile telephone numbers from customers in the course of doing business and have been given permission by the customers to share those numbers."

Well, I'm sorry, but I can tell this crowd right now that NEVER in all my years of giving out my mobile number, did I foresee or intend that I was consenting to its inclusion in this type of service. And I hate that they have put me in a position where I have to go to the trouble of telling them to delete me from their systems.

The Information Commissioner is reported as saying this service is no different to the practice of selling marketing lists. But this is vastly different in scale, accessibility and because the people who sell marketing lists don't text you every time someone buys the list or wants to send you junk mail.

The Commissioner needs to get a grip.

Meanwhile, time to register the mobile number on the Telephone Preference Service.

Phoul-Mouthing the Phoul-Mouthers Who Phoul-Mouth Etc

I'm very much looking forward to a balanced, impartial, rational presentation of my balanced, impartial and rational - and very much personal - views on behavioural targeting or interest-based advertising at the SCL Information Governance Conference on 12 May.

In the meantime, I would only observe that this site is a nice illustration of the implications I discussed a few months back, of trying to build a brand that is perceived as an institution, rather than trying to build one that is perceived as a facilitator.

Phorm Town Meeting

By the end of Phorm's "2nd Town Hall Meeting" it became obvious that the company is still trying to launch a product with both hands tied behind its back.

It's structure means that Phorm's online behavioural advertising service will only be successful if internet service providers implement it, then successfully market it to individual users, advertisers and web site owners. At that point, the company says, advertisers will experience less wastage in advertising spend, content owners will find it easier to monetise content, web site owners can charge more for space, and end-users will see more relevant ads as they browse.

Exactly what this means in commercial terms is naturally unclear. And Phorm rightly points out that it would be wrong for it to release the details of ISPs' trials or take-up incentives likely to be offered to ISPs' customers, at least until the ISPs are good.. and... ready..... to...... launch....... After 7 years of development, Phorm says it has learned to be patient - a revolution in the internet space.

It seems fairly pointless to have public meetings to talk about offering "choice" when you have no product in the market and the meat of your proposition is under wraps for commercial or regulatory reasons. Nevertheless, Phorm chose the opportunity to engage in further damage limitation on the privacy front and to set the commercial context for its service with a rundown on the online advertisting market.

All the legal points have been made on the privacy front, and don't bear repeating here - though I'll summarise them at the SCL's Information Governance conference. Phorm seems to think they've all gone away, or will be made to go away by launch. Network opt-out was mentioned. Network opt-in is preferred, as is a way to block the service altogether, so that I don't need to store either their opt-in or opt-out cookies. Having to choose whether to store Phorm's opt-in or opt-out cookies is only a choice about how you use Phorm's service, not a choice between using its service and not. Phorm says the current cookie practices are less transparent than its own service will be. From a user standpoint this doesn't deal with the point that I can choose not to go to certain sites, and to clear their cookies selectively, but I can't as readily avoid Phorm's service - or choose to use it on some sites and not others - if it's being run at the ISP level. That "choice" doesn't feel very personalised at all, and personalisation is at the heart of how the web is developing. Phorm asks why the likes of [Google and Facebook] don't have "town meetings" to explain their privacy policies and settings, but I can't think of a venue big enough - and of course they do constantly explain and respond to privacy queries from their massive, global communities in a very public way, online, where everyone can participate.

Phorm also appears to be creating some kind of moral panic by saying that it is part of the solution to preserving the humble newspaper - not to mention journalistic integrity. Shock, horror: journalists are apparently being asked to insert certain keywords in their stories to help attract the right traffic to their newspaper's online ads. Apparently, if Phorm were implemented and used by [everybody] content publishers would not [have to] do this. But the newspapers I read from time to time don't seem all that averse to coupling themes and stories with advertising in their offline manifestations, so it's hardly the end of the world as we know it. And I don't see how newspapers can escape people's desire to see their content unbundled any more than the record companies could. Their challenge is to keep innovating, as Eric Schmidt told US newspapers yesterday. Phorm suggests that the major ad service operators (Google, Facebook et al) aren't entitled to their current or growing flows of advertising revenues. The market will no doubt decide, but this suggestion ignores how those companies finance their own core businesses, which millions and millions of people clearly find very compelling - apparently more so than limited bundles of "news". It also ignores the importance of search and online communities for newspapers' content, not to mention ad deals.

Ulimately, comparisons with Google and Facebook highlight the fact that Phorm is not a bottom-up phenomenon. It's something that will only happen if big telecoms providers say so, and that collides with the Web 2.0 ethos. This, coupled with the Orwellian privacy issues - whether real or perceived - makes Phorm's marketing job very much harder.

Consumers Paying For Services That Are Free

In these troubled times, we as individuals must take economics into our own hands - cut costs, repair balance sheets. And so on.

One needless expense is the purchase of complaints handling services from private suppliers when the alternative is free of charge.

Not only does that cost you money, but it also means your complaint may not be visible to the authorities. So there won't be as much pressure on the product provider to cure the problem you're complaining about.

Topical examples include:

• financial services claims management companies - why pay these guys, when the Financial Ombudsman Service (FOS) is free to consumers? The regulated product providers must pay FOS's fee for handling the dispute. That's an added incentive to resolve your complaint more quickly, and to avoid causing problems in the first place. But, as I've pointed out before, some claims management companies and law firms continue to promote services where the consumer bears the expense. There is even speculation within the industry that some product providers who've mis-sold financial services in the past are either starting up claims management companies or selling lists of affected consumers to them in order to profit from curing the problem they helped create. Your first complaint should be the product provider. But, if you aren't satisfied, then FOS is your best bet. Going to the media might sound attractive, but you shouldn't have to bear your soul in public to get a private financial matter resolved.
  

• call blocking services - sure, cold calls are annoying - especially those from an automated calling system that fails to connect anyone when we pick up the phone (known in the industry as "silent calls"). But rather than pay for a blocking service, the best solution is to help ensure the people using these systems get named, shamed and fined. That way, it's the perpetrators who will demand - and pay for - the improvements in technology that stops this happening, not you. So, before you pay for one of these blocking services, complain to Ofcom or the Information Commissioner. The Ofcom policy on the subject is here. You'll be comforted to hear that Ofcom fined Barclaycard the maximum fine of £50,000 for breaching the rules on silent and abandoned calls last month. It may not sound like much, but it will end up saving you money on a blocking service.
  

We all whinge when the Government doesn't act. But we only have ourselves to blame if they do act and we don't take advantage - and end up paying for it.

Nanny Home Office to Record Everything

The Home Office continues to build an all-seeing Nanny State at our expense, regardless of proportionality, competitive and low-cost communications or the need to conserve our taxes to support the financial system.

The proposed Data Retention Regulations require UK public network providers to retain data that identifes the source, destination, date time and length/size of every single phone call and email on their networks, as well as the type and location of the device involved. Using that data, authorities can of course find the content in, ahem, 'other systems'.

"... We [the Home Office] consider that these measures are a proportionate interference with individuals’ right to privacy to ensure protection of the public. Previous debates have concluded that the retention period is a significant factor in determining proportionality. In the draft Regulations at Annex A, we propose to continue with a retention period of 12 months."

Failing to mention, of course, that the Home Secretary can extend the retention period to 24 months, merely by written notice. And ignoring the fact that the cost is in secure storage, retrieval and deletion, for which the Home Office is now infamous.

This particular initiative has been handed to us (with Home Office complicity) by European Directive 2006/24/EC, conceived amidst the panic of the 'war on terror'. So, of course, it must be well considered and completely necessary today. It's also a natural extension of the Regulatory of Investigatory Powers Act 2000 (RIPA!) which David Blunkett introduced to such a warm welcome and which has been critical to Local Authorities' success in their war on dog-fouling [checks shoes for 3rd time today]. But just to add weight to its claim of proportionate impact on our human rights, the Home Office cites a vast empirical study undertaken by independent experts:

"During a two week survey in 2005 of data requirements placed by the police, there were 231 requests for data in the age category between 6 and 12 months old. 60% of these requests were in support of murder and terrorism investigations and 86% of the requests were for murder, terrorism and serious crime, which includes armed robbery and firearms offences."

So, we need this giant database and retrieval system for names, dates and places for every single communication on a British network in order to support about 200 data requests a month. Well, clearly the new regulations weren't needed to enable these requests to be made in 2005. And history appears not to record how critical the results were to solving a crime. Murder is an ironic justification, given how firmly the Home Office is holding the pillow over our faces. However, while the unsolved murder rate has nearly doubled over the past decade to 52, the Tory response missed a golden opportunity to justify investment in some enormous database to prove the exact time I called last night to say I'd be home to read stories. Instead, they merely blamed this rampant surge in mayhem on "police being overwhelmed with red tape, bureaucracy and government targets that distract officers from protecting the public." I feel their pain.

Ah, yes, the cost. The good news is that the taxpayer is to reimburse the network providers the "additional costs for retaining and disclosing all communications data". The Home Office claims this will amount to a suspiciously precise "£68.44m capital, £39.40m resource over 8 years", whatever that really means. Is the £39.4m perhaps an annual figure? Is it inflation adjusted? It assumes no investment in public sector systems, so that must be hidden elsewhere. Weirdly, it also assumes that electronic communications will cease in the UK in 8 years time, rather than grow exponentially. Perhaps the database will enable Plod to figure out whodunnit.

In the meantime, the Home Office claims it will avoid the disproportionate impact of all this on small firms. This assumes that either (a) there will be no more small firms providing network services in the UK (sad, but now plausible) or (b) small firms will be able to carry the cost of investing in the additional storage and retrieval systems until their requests for reimbursement are lodged with the Home Office, processed, approved and finally paid. Either way, start-ups and other competitive, low-cost network providers can't afford to play in that sort of bureaucratic game.

Next: average speed camera networks.

PS: the Society for Computers and Law response to the proposals can be viewed here.

UK Govt Backs Phorm PR Effort

It's one thing for the UK Government to support Phorm's challenge to personal privacy at EU level while defending its position in the face of European Commission concerns.

But it's quite another to be seen to selectively release to the media the portions of its letter to the European Commission that list the ways in which officials believe Phorm to be a good thing.

Bad Phorm, in fact.

It would seem that the authorities may have something to lose if Phorm isn't a success...

Bad Phorm?

Back in February, I commented on the Open Internet Exchange initiative being planned by Phorm, whereby and major ISP partners BT, Virgin Media and Talk Talk will be paid for allowing all the web browsing by their customers to be trawled for advertising purposes.

Not a lot was known about the initiative at the time, but negative news has been snowballing since, and opponents are taking to the streets. The Register is maintaining a dossier, known as "The Phorm files", and a "No Deep Packet Inspection" street demonstration is timed for BT's AGM on 16 July 2008. See also the Facebook Group "Save UK internet privace - reject ISPs that use Phorm".

Incidentally, you might wish to be more wary than usual of the Wikipedia entry on this subject.

The concerns raised are similar to those related to Facebook's "Beacon" initiative that led FB to significantly alter the functionality (though you might wish to be somewhat sceptical of that Wikipedia entry too!). The chief one being that there seems no reliable way to ensure that you are really opted-out. However, the Phorm scenario is worse than with Beacon, because the inspection, storage and use of data is at the ISP layer, making it much harder in practical terms to avoid the service than if it was operated, say, on a site-by-site basis. In other words, you can't decide simply not to visit certain sites if you doubt that the opt-out would actually prevent the abuse of your personal data. Instead, you would need to switch ISPs. However, you may not actually be able to avoid using one of the "problem" ISPs (e.g. at a friend's place, work, or via an internet cafe). And what if all the ISPs join the initiative?

Further, as the Guardian has noted, the challenge for Phorm is to reconcile two apparently contradictory statements:

"Advertisers are told that it will be able to profile the surfers, based on where they have visited, and target them through that uniquely numbered cookie. But users are told they will not be identifiable. It's the apparent contradiction in those statements that has infuriated so many."

If you are remotely concerned, now is the time to make your feelings known to your ISP, your MP, and participating advertisers.