Speaking to Lords – FAQ

People seem quite interested in how the trip went. Since I’m too sleepy to have anything qualifying as a coherent, synthesized opinion, FAQ format seems like the strongest play.

How Did It Go?

I think it went quite well. Of course, it’s hard to nail down short-term success criteria for conversations with parliamentarians. A meeting like that is not going to end with a legislator standing up and saying “I agree. Let’s go pass a law.” Things like this are an exercise in advocacy: “Here is my opinion of the situation and the options under discussion for its remedy,” followed by others giving their versions of the same thing.

I do feel, though, that my opinion was listened to, understood, and amplified by others. The room included, in addition to invited experts and press, at least half a dozen Lords, and 3 or 4 MPs, so I am also confident that I was heard by people in a position to act on what they hear.

What Did You Say?

A couple of things. I said that this kind of data collection is not something users can be expected to understand and, if they did understand it, not something they have much ability to avoid.

I said that in many markets, even developed ones like Canada and Britain, there isn’t enough choice in ISPs to make “voting with your wallet” a realistic option for people who find this kind of surveillance invasive.

I said that the technological mechanisms for preventing this are prohibitively expensive (in the case of things like “universal SSL deployment”), largely ineffective (since traffic analysis would still be possible), and brittle (opt-out cookies assume you never switch computers or browsers, that you never reinstall or move houses, that you won’t be worn down to the point of surrender by the Nth attempt to opt out).

I said that, historically, anonymized data isn’t. The AOL data was blown wide open, for instance, and that was just search terms, not browsing history. I said that however ironclad Phorm’s current processes may be, this kind of data collection being done by multiple companies over any interesting period of time will almost certainly result in anonymity failures.

I said that the collection of this information is insidious, that however noble and scoped the initial goals, it tends towards exploitation because it is too valuable not to.

After saying a chunk of that in a single burst, I got some applause from some of the people in attendance, which felt odd, but certainly seemed to suggest that I had struck a chord.

What are the Lords Like?

Parliamentarians, really, since there were MPs there, but in any event I was impressed, particularly by Baroness Miller, who organized the event.  She was exceptionally good at running a room – at ensuring that legislators’ questions were answered, at bringing digressions back around to the central themes, and ensuring that multiple voices were heard. As a group, they were forthright but unapologetic about their lack of technical knowledge (that’s not their job), and asked clear questions aimed at understanding the legislative implications of various details.

Were there Swords? Powdered Wigs? Snuff Boxes?

People from the UK know that their legislators are basically like other legislators, albeit with more exciting titles. To the rest of us though, the whole thing sounds very romantic, and we entertain positively ridiculous notions like this. No swords, no wigs, no “Yes, your exalted worshipfulness.”  The houses of parliament are guarded by perfectly normal police officers with perfectly normal frowns and perfectly normal assault rifles, but very little pomp.

What about the Building?

Imagine that your great great great grandparents and their friends had all the money in the country, and decided to build a place to hang out. Imagine that since then, it’s where everyone decided to put their cool stuff.  Imagine walking through rooms, separated by wooden doors older than calculus. Imagine those rooms are alternately filled with statues, murals, statues in front of murals, framed masterworks, and leather bound books about anything that could matter. Imagine that there are entirely different paths, staircases and elevators for peers of the realm than for everyone else.  Imagine that you could fit your current house inside the Queen’s entrance and have room to fly a kite from the roof.

It is a nice building.

Would you do it again?

Yes.  Yes I would.

I still think that legislating technology is fraught with peril. The way to mitigate that peril is not to run away from it, though, but to be a voice for the kind of change we want, and against the kind of change we don’t.

Is the Bowmore 17 you brought back tasty?

Yes.

10 comments

  1. Thanks, Johnathan, for voicing our concerns. I think that any use of my traffic by the ISP is disgusting. You are quite right that I don’t really have a choice when it comes to ISPs either (they are infrastructure, and therefore a natural monopoly/oligopoly). ISPs are like roads.

    As to your “legislating technology”: There’s an easy resolution to your apparent inner conflict: There’s no need in legislating technology itself, but in setting the base rules. German Supreme Court (Bundesverfassungsgericht, judging about constitution) has ruled in the 1980s, inferred from basic “human dignity” that data about me is *mine*, my property, no matter who collected it how or stores it, and I have the right to decide what happens with it. It’s a very simple rule, and one that seems natural and I feel is inherently right. Given that it’s so basic and natural, it can set rules for many questions which otherwise provide a moral dilemma. It also doesn’t legislate technology itself, merely what parties are allowed to do in general.

    Based on that rule, Phorm would be illegal (as opt-out), but automatically inspecting packets and sorting them based on HTTP vs. BitTorrent (irregardless of ports used, but packet headers) would be fine, as long as that information is not stored nor other legal stakes impacted.

    I think that rule “data about me is mine” is so fundamental, natural and universal that it should apply world-wide.

    FWIW, Universal Declaration of Human Rights http://www.un.org/Overview/rights.html
    Article 12.
    * No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

  2. Sorry for above, I accidentally pasted more than I wanted and didn’t notice it.

  3. Nice work, I’m glad it went well. I wonder though if you were aware of all the accidental exposure of public data by government departments recently in Britain and if that’s why your point about how anonymous data will get out struck such a chord.

  4. I believe that we’re getting very confused – Sir Tim hasn’t really helped with his comments.

    He simultaneously says that he doesn’t want the fact that on the Web he looks for or reads information on a particular medical condition to reach his insurance company, but then in the next breath says that he has no objection to targeting of advertising based on behaviour and says it’s gathering data from the Internet net pipes that he objects to. He seems quite confused about what he objects to.

    I think we need to approach this from a privacy point of view, rather than from a technology point of view, because that approach is causing the confusion and won’t end up with our privacy being protected.

    I would like to see a regulator who could:
    – enforce a set of privacy requirements on companies that gather Internet behaviour (regardless of whether it comes from browser plugins, ISP boxes, search engines, advertising)
    – informed consent before behavioural data is gathered, however I recognise that many companies cannot meet this requirement easily (see recent Google announcement of an opt-out regime).
    – no means no – if I opt out, there should be no data collected on me, not even anonymised data
    – compulsory breach notification, even of so-called anonymised data
    – right of audit by the regulator
    – requirements for privacy impact assessments to be conducted by qualified third parties

    All this talk of snooping makes good headlines, but there’s “snooping” going on at the browser, the banner ad and the web apps and it’s not going to be helpful if DPI-based behavioural targeting is somehow outlawed but those who gather behaviour from the browser, from the banner advert or from the web application are allowed to continue without being reined in.

    I also believe your comment that even if Phorm’s processes are iron-clad, other companies may not be, therefore let’s outlaw the entire practice, to be an example of the muddled thinking and one that we couldn’t apply in any other area of commerce. It’s actually an argument for regulation, strong regulation, based on a standard equivalent to whatever iron-clad processes everyone agrees on.

  5. @Ben – I edited your comment to include what I think you meant to paste – let me know if I got it wrong.

    @Mossop – I was aware, though I didn’t draw direct attention to it. You’re right though, I’m sure it’s a point that many people had top of mind.

    @Nym – Is that you, Kent? Whoever you are, you’re strawmanning something fierce, and equivocating in ways that Kent did. I have a relationship with a web site, and they implicitly gather information about my visits there. How they choose to use that data and whom they choose to sell it to is a matter for me to work out with them, and there I *do* have substantial ability to vote with my feet. I don’t have the same expectation from my ISP. They are, by definition, a common carrier that I expect to move my traffic without trying to monetize its private contents, just like I expect the phone company not to listen to my calls in order to sell my data to bulk mail operations.

    If you’re not Kent, you may be gratified to know that the CEO of Phorm was making very similar attempts to equivocate site ad campaigns with ISP-level surveillance, in the name of saving our poor journalistic institutions, who need stronger ad revenue to survive. The appeal to the virtue of journalism was emotional sleight of hand, and the equivocation with web site ads (which *someone* in the consumer-supplier relationship has control over) was transparently silly.

    If there’s value here, make it opt-in and let the market decide. The frailties of opt-out mechanisms (multiple browsers, multiple machines, multiple physical connection locations) are all okay in the opt-in case because the default is that my privacy is protected, rather than the default being that surveillance persists. If I do break the opt-in, I ought to notice the drop in relevancy and take steps to restore it. Informed, opt-in consent makes this a much less pernicious technology.

  6. Ha! No, I’m not Kent. Why does everyone throw accusations of being a Phorm shill at anyone who looks at the wider picture?

    >I have a relationship with a web site, and they implicitly gather
    >information about my visits there. How they choose to use that data
    >and whom they choose to sell it to is a matter for me to
    >work out with them

    This argument should be about privacy not technology.

    I completely fail to see why a banner ad on a web site gathering behavioural data is any different than an ISP.

    Don’t like the web site’s/ISP’s practices – vote with your feet.

    Don’t want to be monitored? Don’t opt-in to the ISP behavioural monitoring, or opt-out of the web site’s behavioural monitoring.

    The problem is that the technologists are looking at this through a technologist’s eyes, not realising that the vast majority of web users have no idea what web sites *OR* ISPs might do with their data. The privacy requirements are exactly the same.

    I notice you haven’t commented at all on my proposals for privacy – you’ve just focused on Phorm… Not a Google employee, perhaps, are you?

  7. @Johnath

    nym didn’t strike me as being Kent at all 🙂

    In fact, he struck me as making some eminently sensible points about the contrast between BT (behavioural tracking, not the ISP) per se, and the Phorm DPI approach as an implementation of this.

    For me, BT breaks into two separate parts; the collection of information to create a personal profile of the web user, and the serving of ads to that web user based on the profile.

    nym seems to be arguing that pretty much all collection techniques are an invasion of privacy, so irrespective of whether we like or don’t like internet ads, or don’t care either way, we, and particularly TBL, ought not to like ads served on the basis of BT. I’ll buy that.

    But I think I know why TBL made the distinction he did; the collection mechanism enshrined in the unpreventable, unknowable[1] man in the middle approach of DPI embedded in the ISP’s system is an order of magnitude worse than collection at the website end, so it’s important that it be stopped without confusing the issue about whether advertising, BT or not, is a good thing or not.

    And we certainly do not want the big guns like Google weighing in if the issue is seen as BT, which Google now seem set to do, winning their case, and thus letting the pernicious DPI providers of BT slide in under the radar with them.

    Nonetheless, like nym, I’m unhappy about BT in any form, and I have already voiced my unease on BadPhorm (http://www.badphorm.co.uk) that a couple of things I thought we had a beef with Phorm about, namely needing to opt-out, rather than opt-in, and to maintain an opt-out cookie to keep things so, are not being objected to when Google do them.

    And even though Google are not a physical man in the middle, as DPI techniques are, you can argue that they are a man in the middle if they stick around once your conversation with a website gets going, even if the website lets them; it’s kind of like the old days when telephone calls had to be connected manually by the operator, and as if the called party secretly said to the operator ‘Hey, it’s OK, you can keep listening in’.

    But then I don’t think that Google’s new approach is any more obtrusive than using tracking cookies in the first place; it’s the same collection mechanism they’ve been using for a long time past, so all they are doing new is using that info to shape the serving of adverts.

    And I don’t like being tracked, and I use countermeasures against it. Because at least I can.

    But no, we mustn’t let Google get away with this unregulated. If I was a conspiracy theorist (which I’m not) I might postulate that Google secretly started NebuAd and Phorm so Google could threaten us with something so bad that what Google want to do seems benign by comparison 🙂

    But I actually think NebuAd and Phorm did that for Google without even being asked; and we mustn’t breathe a sigh of relief that Google are ‘only’ proposing what they are proposing.

    [1] The proponents of DPI say they will let you opt out, and they tell you the limits of what they are doing. For now. Allegedly. But since both Phorm and NebuAd conducted stealth trials, with some ISPs conniving at this also, would you trust any of them further than you could throw them?

  8. @nym – … the vast majority of web users have no idea what web sites *OR* ISPs might do with their data. The privacy requirements are exactly the same.

    No, they are worlds apart.
    If those with a little technical knowledge don’t protect the ignorant internet user, who do you expect to do it?
    A website can choose to host a script which shares its visitors’ data with an advertising network.
    With the ISP model, the website no longer has a choice. Those who do not want to share their visitor data can only partially protect that data by using ssl. Those websites who already have an agreement with an ad network are now also, without any choice, supplying their data to the ad network that the ISP is working with. The only way non-ISP ad networks and their website partners can protect some of the data they collect is by going the ssl route themselves.
    It is not only the individual who needs their data protected. The data businesses collect about their visitors and customers is exceedingly valuable data to that business and the last thing any business can afford is for some snooping ISP to help themselves to that data and pass it to rival businesses, just so that the ISP can add an extra pound of flesh to its revenue stream.
    When a website hosts the script from an ad network it is easy to block those scripts and the cookies they leave. Even the non-cookie tracking can easily be blocked.
    When the ISP hosts the script neither end of the communication has any say about what is happening in the middle.
    There are lots of snooping manufacturers. Even well known network names like Alcatel-Lucent and Cisco use them. All claiming innocence because they don’t collect your name and address.
    This does have nothing to do with advertising and everything to do with snooping. Educate yourself and then protect yourself and help protect the rest of the world.
    As for your Google comment: if you are not happy with Google giving you a free tool to search the web in exchange for allowing them to earn advertising revenue, stop using Google. There are plenty of other businesses to choose from. Your choice.
    There is no such thing as a free lunch. Even soup kitchens have someone paying for them.

  9. @nym – Sir Tim isn’t confused about what he objects to – you don’t understand his points. He’s not against targeted advertising per se as this quote from him proves: “Targeted advertising is an improvement, but there’s so many ways of doing it without messing up [the internet].”
    You don’t even need to build a profile on someone to target them with adverts – if I were to look at a page on cars, it would be reasonable to assume I was interested in cars and appropriate to show me a car related advert. There you go – targeted advertising with no profiling and no privacy implications. It would arguably be more effective because it would show me an ad related to what I was thinking about at that moment which may not be something that would show up on my profile.
    This argument IS about privacy – DPI is just a particularly egregious way of breaching it on the internet. You say you don’t see a difference between a web site you visit gathering information about you and your ISP doing it? Do you feel the same about a company you phone recording your details and your phone company listening into your conversations or a company you write to for a brochure recording the fact that you did so and the Royal Mail opening your post?
    Ultimately users will have the final say on this – they will simply install ad blockers and nobody will benefit – ISPs, advertisers or users (who will lose the ad supported sites they currently visit). There is already increased interest in ad blocking plugins and, by pushing ISP snooping, advertisers are only going to encourage more of that – ultimately risking killing the goose that lays the golden eggs.