ITsecurity

Industry Two Faced over Privacy

Posted on May 29, 2014.

As an advocate I have spent a great deal of my time over the past six years taking part in roundtables, consultations, forums and conferences and during that time I have witnessed first hand the relentless push by “Big Data” corporations to dilute the fundamental right of privacy in order for those same corporations to continue to reap vast profits from their unfettered and largely unregulated data collection practices.  This isn’t something these companies even try to hide – from Brussels, to Washington DC even as far away as Shanghai, these corporations send their squads of lobbyists to the “front line” where they use their near unlimited funds to spread their propaganda.

Their message to regulators, legislators, commissioners and politicians is always the same – “The world economy is in crisis and we can fix it, but if you force us to ask permission to harvest data the Internet economy will collapse.” and it is nothing short of a moral panic.  I have witnessed this so many times it doesn’t even faze me anymore when I see it – it is simply “business as usual”.

But there is something very worrying about it – it works.  As we saw in Europe with what were incredibly sensible changes to the ePrivacy Directive requiring explicit informed consent for using tracking technologies in order to profile Internet users – the entire premise was sabotaged by a deliberate and focused campaign by these same “Big Data” corporations.  It started with excessive lobbying in industry friendly countries like the United Kingdom – which has a remarkable history for a complete lack of regulation of personal data abuses by corporations.  The United Kingdom sent a memo to then Commissioner Viviane Reding, expressing concerns that the changes to the regulation should not be so strict and that “technical” solutions such as web browser controls, should be permitted as a means of indicating consent; this was a far cry from the wording of the text which required consent to be explicit and informed and Commissioner Reding rightly responded with anger:

Second, the question of cookies. Now the Commission was, like Mr Harbour, surprised that certain Member States appeared to call the agreed text on cookies into question. Let me be very clear: we agreed with Parliament, and we believe that the final text is unambiguous. First, there must be clear and comprehensive information to users on the basis of which second users must give their consent. That is that and that should be applied now in the Member States. I do not appreciate it that after everything has been agreed, some like to manoeuvre in order not to keep 100% to the agreements pacta sunt servanda in politics.

(Source:  Electronic Communication Networks and Services Debate (Second Intervention) ( 18:05:05 > 19:00:58) November 23rd, 2009)

Still, despite Commissioner Reding’s resolve, the final text amended to the Directive was somewhat watered down removing the requirement for it to be “prior” informed consent which effectively allowed the status quo to remain as regulators then decided that the text allowed for Opt Out as opposed to its intended meaning which was for Internet users to Opt In to being tracked.  This was not an independent decision made by the regulators however, despite the fact that they are supposed to be independent of the state.

The Information Commissioner’s Office in the UK led the way after being coerced by the Department of Culture, Media and Sport under the reign of Ed Vaizey after Google wrote to them suggesting that they not follow the intended interpretation of the Directive and instead allow consent to be determined by whether or not users had blocked third party cookies in their browser settings (a setting that the vast majority of Internet users do not even know exists).  You can read all about that sordid affair along with the Freedom of Information Act documents which exposed it here.  This is the same Google which was later sued in the UK (case ongoing) after being found to be circumventing browser settings which users had enabled to block the use of the same third party cookies!

Moving forward a little in time and we find ourselves at the W3C and their “Do Not Track” group (which I should add was made up of an overwhelming majority of representatives for “Big Data” corporations) and one can find another story of sabotage with the sole intention of maintaining the status quo.  First you have to understand that the group was only formed after both the Federal Trade Commission (FTC) and the European Commission threatened to take action at the regulatory level if the industry did not devise a suitable self regulation model, so Do Not Track was born but it was never intended to actually work.

Credit where credit is due, this was a brilliant strategy by the industry – they knew that no regulator would take any action whilst there was an ongoing Do Not Track process so this was a perfect opportunity for them to force a regulatory vacuum on third party tracking.  They managed to keep the process going for almost 3 years before civil society finally had enough and walked away from the process after coming to the realisation that a consensus would never arrive.  After almost three years of meetings and discussions, the industry would not even agree to a definition of tracking, so how was the process ever expected to yield results – it wasn’t, it was a play and the FTC and European Commission fell for it hook, line and sinker.

The score was now 2-0 for “Big Data”.

While the battle was being lost in the US over Do Not Track, across the Atlantic in Europe, “Big Data” were defending their other front with a barrage of lobbyists pounding Brussels’ political quarters like the Blitz.  Money was poured into an attempt to prevent changes to the European General Data Protection Regulation (GDPR) (a move spearheaded by Vice President Viviane Reding at the European Commission) which sought to further rein in their data collection practices. For months and months the battle raged with lobbyists infiltrating political groups to actually draft amendments to the Regulation directly on behalf of the corporations paying their fees.

Then just under a year ago, on June 5th 2013, Edward Snowden shook the earth with his revelations about US government surveillance at a level never previously disclosed (and continues to do so to this day).  Stories of the NSA tapping into Internet data cables and working with “Big Data” corporations to monitor and profile civilians at a level many consider to be way beyond legal.  Big names like Microsoft, RSA, Google, Facebook, Skype and many others were exposed as having assisted in these massive breaches of our human rights and in many cases profiting from doing so by charging administrative fees for providing access to their data (data about you and me and just about every other person on the planet).  The world community was angry and hit back, demanding more answers, demanding transparency and demanding oversight – the response from industry was a number of publicity stunts aimed to make it look like they are the good guys, the victims if you will.

They filed legal challenges to allow them to disclose more information about the secret warrants and orders they receive for data – knowing full well that it would achieve nothing of meaning, but hey, it was a time for damage limitation so they did what they had to do.  Still it didn’t prevent a complete collapse of trust for US based tech products and services with billions in losses projected for cloud services alone and with companies like IBM expecting poor results caused directly by the damage to their reputation these revelations are responsible for.

A coalition was formed by eight of the world’s tech giants to reform government surveillance:

The undersigned companies believe that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.

While the undersigned companies understand that governments need to take action to protect their citizens’ safety and security, we strongly believe that current laws and practices need to be reformed.

Consistent with established global norms of free expression and privacy and with the goals of ensuring that government law enforcement and intelligence efforts are rule-bound, narrowly tailored, transparent, and subject to oversight, we hereby call on governments to endorse the following principles and enact reforms that would put these principles into action.

(source: https://www.reformgovernmentsurveillance.com/)

So here we have a coalition of the corporations which have been exploiting loopholes in privacy regulations for over a decade in order to fill their coffers at the expense of our fundamental rights – using the same data mining, data modelling, interception of communications and surveillance as the governments they now stand against for doing the same.  Not only are they hypocrites but they invented many of the techniques and technologies that facilitate the practices they are standing against and whilst they form a coalition against privacy invasive programmes by governments in Washington DC, they continue to lobby against privacy reforms which will protect fundamental rights in Brussels.

The level of hypocrisy is beyond repugnant; it is a direct attack on the intelligence of every single human being on the planet.  To those of you who think the privacy war (and yes it is a war) can be won via cosy roundtables or forums where all parties can discuss the issues and reach consensus whilst sipping rich coffee or expensive bottled water and nibbling at sweet pastries in Brussels and Washington DC – you are wrong, because this is just another sleight of hand.  Whilst you are sat in those meetings and consultations, highly paid lobbyists are sat in the offices of MEPs, Congressmen, Senators, Commissioners and Regulators spreading economic moral panic or making promises of riches never before seen – you are losing this war.

It is not a fair fight – there is no altruism, most of the civil society groups themselves are funded by the same corporations paying the lobbyists.  You can not win this war by being nice and polite because you are not fighting it on equal terms, with an equal arsenal and an equal budget.  The “Big Data” corporations are not your friend, they don’t want to be buddies, they want to have the freedom to do whatever they want in order to make a profit and if you truly believe they will do no evil, you are as naïve as they think you are.

The only way forward in this war which stands any chance of a victory for fundamental rights, is to compete.  You either have to put as much money into lobbying as the industry is, or you need to create competing technologies and services to force a paradigm shift.  The first option is impossible because no NGO or even coalition of NGOs can match the budget of global industry and the latter, albeit not impossible, is incredibly difficult when those who do innovate and compete, then sell themselves to the first “Big Data” company that flashes them a billion dollars and stock options.  Let us hope that the latter is replaced with those who genuinely want to create change rather than make a fast buck, before we lose all the rights we fought so hard for in wars past.



3 thoughts on “Industry Two Faced over Privacy”

  1. DNT is, was, and always will be a complete mirage.

    More effective options include browser counter surveillance software that can actively disrupt unwanted tracking, by corrupting and erasing the identifiers/ cookies/ LSOs/ fingerprinting that the ad/tracking industry scams depend on.

    Then it doesn’t matter whether the do not track request is respected or ignored. The resulting data is more or less worthless.

  2. While I agree with much of what Alex says, I would argue for a slightly more nuanced strategy. Though reasonable privacy supporting proposals like the e-privacy directive and the W3C Do Not Track process have faced defiance, big company financed propaganda and manipulation, they have not been completely bludgeoned into submission. The complexities of the underlying technologies together with contradictions created by the different industry responses to privacy concerns have led to opportunities to ensure that people regain control of their data. All browsers now support the ability to set the Do Not Track signal, and the technical portion of the standard is effectively complete. The remaining battle is now for an internationally recognised level playing field for compliance in which Do Not Track is respected by all companies, large and small, and results in what everyone knows it should mean – no PII collection, no tracking, no use of cookie or other UIDs to collect data about individuals without their consent. Although Alex is right about the genesis of Recital 66, the badly named DNT “User Granted Exception API” (i.e. consent browser settings API) fits it like a glove and gives a simple standard way for 1st party websites to register user consent and signal it to their 3rd parties. The Do Not Track standard together with the well founded body of Data Protection and privacy rights law in Europe, including the e-privacy directive, is the basis of an internet for people and ethical business, no longer just blind corporate profit.

    • Alexander Hanff said:

      The problem is Mike, that Do Not Track is not a standard, it is not enforceable and it will not be respected by industry. We have seen time and time again that the industry will refuse to accept Do Not Track if it is enabled by default and a host of corporations have already stated they will not comply with DNT signals.

      Now for other readers, Mike and I know each other very well and I know the work Mike put into the Do Not Track process run by the W3C and work he is still doing – we are good friends. That said, there is no point having a technical system that is unenforceable and is being ignored. There are no consequences for parties refusing to comply with the signal which makes it redundant. Further to that point – there is still no agreement as to the definition of tracking and industry have made it clear they intend to continue harvesting behavioural data even if they do stop presenting targeted advertisements based on those profiles. This is not acceptable Mike and never will be.

      Do Not Track was never supposed to succeed, I sat in enough closed door sessions in DC and Brussels to understand that – it was merely a process for industry to create that regulatory vacuum I mentioned in the article to allow them to continue what they were doing for another 3 years and give their lobbyists more time to destroy the reforms in GDPR.

      Thanks for the comment all the same Mike and keep up your good work.


Submitted in: Alexander Hanff, Expert Views, News_privacy