The author Jeffrey Rosen said, ‘privacy is not a technological decision but a political one’. I would say that understates the issue. It is a question of world economics and international law. Businesses need to review how their online brand and reputation might depend on how their ICT business model is built in consideration of consumer privacy.
One possible unintended consequence of the consumerisation of IT is that businesses will have to stop preying on consumers and listen to their concerns.
I remember the days when the internet was a research and communications network for academic and military use, paid for from a US defence budget. When the US government withdrew from funding the internet the door was opened for its commercial use.
Led by the pornography and gambling industries, new businesses were developed which needed technologies for delivery of video content and secure payment. These had no need for privacy; in fact it got in the way, as technologies were developed to track usage and target consumers for unrequested advertising. The rest of the business world jumped on the ecommerce bandwagon and those that didn’t have recently left empty shops on many high streets or disappeared.
This proposition has grown relentlessly as the collection of user context and behavioural information and reselling it for profit has become an industry. The majority of Google revenue comes this way and most of the ‘pillars’ of the internet (Microsoft, Facebook, Amazon etc.) have a similar model.
The evolution of customer relationship management (CRM) systems into behavioural tracking, search engine optimisation (SEO) and other technologies feeding into big data silos continues with no mention of the customer any more. Companies like DoubleClick, AdBrite, Omniture and many others can combine online activity with offline data, creating detailed profiles and serving advertisements based on users’ behaviour (not just their personal data).
Monitoring of behaviour change is now so sensitive that it can detect whether a woman is pregnant before she knows herself. Even the smallest companies are now using these analytics to understand and target consumers.
As people increasingly use the internet for health, financial, social and other services, deeply sensitive personal information becomes available. People search for the most intimate things on the internet on the understanding that it is secret but are now uneasy at seeing advertising related to these searches. Often these can be related to searches by other users of the same PC which might cause family rifts or embarrassment.
Defences saying ‘we anonymise personal data’ are meaningless if two or more personal credentials are held, as the rest can be rebuilt from big data repositories.
Business and consumer issues
Why are our business economics dictated by the advertising industry? Is competition so fierce that companies have no choice other than to spy on consumers and bombard them with targeted advertising?
There are signs of a consumer revolt, which I shall come to later, but the Google CEO Eric Schmidt was once quoted saying, ‘There is what I call the creepy line. The Google policy on a lot of things is to get right up to the creepy line and not cross it.’
This begs some questions: 1. What is the other side of the creepy line? 2. Why does Google decide where it is? He now refers to Google as a country, on the clear understanding that he is negotiating with many national government agencies to transfer the data on their citizens.
Olswang, an international law practice representing UK citizens challenging Google’s use of their personal information, has had to take the case to California. Even so, in a radio interview Google said the case was ‘trivial’.
Is it ethical for a company CIO to develop business systems for the sales and marketing department based on customer tracking while his CISO is trying to protect their employees from targeted spearphishing and their business data from the consequent loss?
BYOD and MDM implementations focused on protection of corporate data on mobile devices rarely protect the employees from tracking. In fact they add another layer of observation from the business itself and still leave the employee vulnerable to targeted malware.
Studies show that most users resent the installation of MDM software on personal phones and many bypass it if they can. Businesses acknowledge the ‘human right’ to make personal calls from work without monitoring; they even have an ‘acceptable use’ policy for internet use at work, but still compromise employee privacy.
Government and citizen issues
Unlike many countries, the UK has no government-issued electronic identity credential for its citizens. In these countries this ‘eID’ can be used to guarantee identity and underpin online transactions with a greater level of trust. In Europe the EU STORK and STORK2 projects have defined a framework for international interoperability and are in the process of testing it.
UK Cabinet Office activities to develop a UK government eID credential to enable delivery of the new Universal Benefit to citizens online are close to fulfilment. A trial is underway based on commercial identity providers and some of these already have considerable amounts of financial and personal data for their credit reference activities. These are being carried out under government scrutiny and with complete transparency.
Recent revelations about the activities of government security agencies on both sides of the Atlantic have shown that commercial sources of citizen data are being used widely in anti-terrorist and crime-fighting contexts. Many legal challenges are underway but the fact remains that citizens were unaware of this use of their data and are demanding stronger privacy.
Opportunities for change
The citizen kickback has started. On the weekend of October 26 - the 12th anniversary of the signing of the USA Patriot Act - thousands of people will go to Washington, D.C. to protest against unconstitutional surveillance.
At the recent meeting of the UK Internet Governance Forum, a presentation from 14-15 year old students indicated their concerns about anonymity and privacy on the internet. They have conducted an international privacy survey with the children’s security awareness organisation Childnet. This will be presented by them at the annual IGF conference in Bali, 22-25 Oct 2013.
These results might cause concern amongst businesses relying on an ‘advertising pays all’ funding model continuing into the future, as this internet-native generation rejects it. BCS is also presenting a paper which is directly relevant to ‘human rights / freedom of expression’. These can be viewed at http://www.intgovforum.org/cms
As a citizen / consumer I would like to know:
- Why is a simple, tracking and algorithm-free search engine not available?
- Why can I not browse in private?
- Why can’t I switch off more than 80 per cent of tracking cookies?
- Why do all my mobile apps ask permission to use personal data and location whether they need it or not?
- Why is my phone IMEI being used to track me even if I have location switched off?
- Why should I pay for bandwidth used to track me and deliver advertising I don’t want?
And I haven’t mentioned malware.
In an effort to define the fine line between legitimate and illegal usage of the internet and clarify what is personal data, legislators and regulators have been working hard to catch up. The latest EU regulation has enhanced many definitions of what is personal, particularly in the mobile context, and the EU is in a rush to complete it before the European elections next year.
This has more teeth to enforce penalties of up to 2 per cent of global revenue on companies that breach the regulations. Free subject access requests are available for users to find out what data is held on them (these currently cost £10.00 in the UK) and definitions of mobile personal data have been enhanced to cover all aspects of user context, not just location.
Just as users record commercial TV programmes and skip past the advertising on replay, an internet equivalent will come.
The advertising-funded model will have its day and those building IT infrastructure and business systems which rely on it should start considering another model. I often reflect on whether as much is spent on this sophisticated marketing technology as on protecting against its dubious outcome.