Facing up to Facebook
I spent a number of hours last night reading and rereading the report from the Irish Data Protection Commissioner on their Audit and Investigation of Facebook. At over 200 pages it was not for the faint hearted but it did set out clearly the findings and the areas of gap and weakness which were identified, as well as a number of surprising twists where Facebook had, almost by accident, started to do things in a sensible manner respectful of privacy.
However, despite the statement from Facebook and the positive tone adopted by the Irish Data Protection Commissioner in media comment, this was not a clean bill of health for Facebook. This was a statement of gaps, with a clear message that the gaps need to be addressed rapidly in advance of a July 2012 rematch. Facebook may not have a bloodied lip from this encounter but the organisation has had (yet another) wake up call to the need to do Privacy better and to do it by design rather than happy accident.
Of course, the Data Protection Commissioner does not come off unscathed in this report either. On my reading of the report there were a number of instances where the operation of Facebook processes contravened either the Data Protection Acts or the ePrivacy regulations. Each of these instances represented a cluster of prosecutable events. But this opportunity seems to have been missed, or at best deferred until another day. As a Privacy professional I am somewhat disappointed by this apparent failure to push the agenda resulting in a somewhat limp, albeit broadly welcomed, outcome.
The key question is What next?
Facebook has given undertakings to the DPC to have taken certain actions by January and to have completed or be demonstrably progressing other actions by July 2012. Will the DPC issue enforcement notices in 2012 if these undertakings have not been complied with?
Will we see the David of the Data Protection Commission (total staff less than 20 and a total budget in 2009/2010 of less than €1.5million to run a Data Protection Authority in a country that is host to some of the most complex data processing companies in the world and wants to entice more in) staring down the giant of Facebook armed only with the pebble of SI336 of 2011 and the slingshot of the Data Protection Acts 1988 and 2003? Given that Facebook’s global turnover is estimated at being in the region of US$1.5 billion. Given that their recent settlement with the FTC requires them to keep their privacy nose clean, they would doubtless fight any prosecution to the fullest as it affects their core business.
So, our under resourced, under funded, and increasingly overstretched Data Protection Commissioner seems to be wisely avoiding fights that it would find costly to win. But in this it is possible that they are playing for time.
While the national government here seems to have been happy to long finger Data Protection reforms (to the point that we were 8 years late enacting the legislation to support Directive 95/46/EC) the noises from the European Commission are that the long awaited revised Directive will actually arrive in January as a Regulation. This will change the nature of the DPC’s role as they will become in effect the local outpost of a larger, more standardised and federalised Data Protection regime.
This will result in larger penalties for breaches. It will also introduce increased requirements for transparency around data processing, including clearer obtaining of consent and clearer documentation of internal controls and processes.
All of which are elements of the findings in the Facebook Audit.
The next question is What now?
The Data Protection Commissioner has stated that this report is the beginning of a longer term and long running series of engagements with Facebook. In other words, they will be working them over regularly to raise standards. With the Regulation expected to take until 2014 to come into full effect, this would give ample time to fix the problems that have been found thus far and any new balls of crazy that the Facebook cat would care to spit out on our collective shoes.
Of course, this would require the Government to step up to the plate and properly resource the DPC and begin to promote Ireland as a good place to run compliant businesses. The era of light touch/no touch regulation of Data Protection needs to come to an end as we move into the era of Balanced Privacy.
Turd Polishing
In the course of a twitter conversation with Jim Harris I used the phrase “turd polishing” to describe what happens when organisations try to implement check-box based data governance or Compliance programmes, or invest in business intelligence or analytics strategies without
- fixing the data which under pins those strategies
- addressing the organisational cultural and structural issues which have lead to the problem in the first place.
- The cultural message is that data job isn’t as important as the Day Job
- The management practice is to game the system (why take all your staff off the phones to do the learning when you have one person on the team who knows it who can do the exams for everyone with their logins?)
- Management look only at the easy numbers (the easily gathered test scores at the end of an assessment period).
- If management seek to rule by fear or quota (“hit these numbers and those numbers or else….”)
I’m a big science fiction fan. I make no apologies about this fact. One of my favourite science fiction characters is The Doctor, the lead character in the
The 9th Doctor
BBC’s iconic series of the same name. In a genre that often falls for the easy charms of technology to drive a story, The Doctor (a 930 year old, two-hearted time travelling Time Lord from the Planet Gallifrey) invariably highlights and thrives on the Human Factor – the innate potential, ingenuity and power of the human beings (a lesser species) who he befriends, protects, and travels with.
Over the years I’ve tried to adopt and adapt some of the principles of The Doctor’s approach to leading Information Quality and Governance change projects:
There is nothing that can’t be solved by confectionery
The good Doctor in a number of his incarnations (4th, 6th, 7th, and 8th as memory serves) was renowned for, in moments of high tension, proffering some confectioneries (specifically Jelly Babies) to help lighten the mood and distract thought. They were an incredible tool that enabled him to befriend others and buy time to develop cunning plans. Doctor Who Jelly Babies (video montage)
The key lesson is that it is often useful to have a “quirky” way to break down barriers and get conversations going. The Doctor has Jelly Babies. I’ve used various props. Kathy Hunter of DQM Group made extensive use of home baked cakes and biscuits when she was in a previous role to help open conversations.
It’s Bigger on the Inside
The Doctor’s space ship/time machine is a Blue Box. It is a Blue Box because the advanced circuitry that let it change appearance to blend in in different timelines got stuck on “Blue Box” on a trip to London around 1963 (the year the series was first broadcast). The thing about the Blue Box is that it is “bigger on the inside”, a fact that The various companions’s to The Doctor remark on whenever they enter the Blue Box for the first time. Bigger on the Inside (Youtube) . Invariably, The Doctor takes the surprise in his stride, often forgetting how big a shot it is to people when they see the size of his Blue Box for the first time.
The Doctor’s Blue Box is called the TARDIS, which stands for Time and Relative Dimensions in Space. By being able to engineer time and space The Doctor’s race, the Time Lords could build infintely large space craft that could fit into a small space (like the back of a props van on a TV show).
What’s the parallel with Information Quality? Well, those of us who have worked in Information Quality often forget that it is a discipline that is very much “bigger on the inside”. When people look at Information Quality from the outside, they might be forgiven for thinking that it has the general dimensions of a Blue Box (so to speak) and it is only when they venture inside that they realise there’s more to it than meets the eye. If your perception of IQM is that it is Data Profiling and some Cleansing, it can be quite a shock when you uncover the Change Management challenges, the human psychology issues, and the legal and regulatory issues that can affect Information Quality strategies.
Often we hard-core practitioners take it for granted that its is bigger on the inside, because we’re on the inside looking out.
People First, Technology Second
Quite apart from the long running love affair The Doctor has had with the Human Race, every adventure winds up with The Doctor being outrageously brilliant as a Time Lord, but more importantly inspiring and encouraging brilliance in his Companions and others around him. Whether it is calling in favours from old enemies (in return for some jelly babies perhaps) or rallying demoralised troops in the face of battle or unnatural enemies, The Doctor puts people first, often appearing willing to sacrifice himself to protect others.
Technology is applied in innovative and outlandish ways to meet the objective of protecting people. Even The Doctor’s trusted sonic screwdriver is not used as a tool in its own right but as a means of enabling things to happen and for information to be gathered to support decision making.
From an information quality management point of view it is important that we remember this lesson – the technology should not dictate the solution and, ultimately, it is people who are the brilliant and innovative sources of solutions to problems. A Data Profiler will tell you that the data looks broken. A human being will figure out the best solution (new business rule, new tools etc).
In short, to paraphrase The Doctor: “People are FANTASTIC!!”
Conclusion
I’m very much of the view that we can learn a lot from arts and literature about ourselves and who we can aim to be in how we approach things. Science fiction TV programmes are no different to the works of Shakespeare in this regard. Perhaps we can achieve more sustainable successes in our Information Quality travels by learning some lessons from The Doctor:
- Everybody likes Jelly babies – (what is your equivalent?)
- Not everyone can see that this is actually Bigger on the Inside… and when they step into the world of Information Quality it can be a bit of a shock to the system.
- Technology doesn’t fix things. People fix things, occasionally using technology to get there. Remember that people are FANTASTIC!!
Over the years I’ve done a lot of work in the area of Regulatory Compliance and Information Quality. Whether it is Data Protection, Information Quality, Governance or Compliance, it is important to bear in mind that what we are dealing with a Quality Management System:
- Data Protection Compliance is the Quality System where by the obligations and expectations which arise under Data Protection/Privacy laws are met consistently
- Information Quality programmes involve, by definition, the implementation of a Quality Management System
- Information/Data Governance… well, that’s another form of Quality Management System
- Complying with other forms of industry or Governmental regulation… well, the best way to achieve those objectives is through some form of systemic approach to meeting or exceeding expectations.
In my experience Compliance and Governance initiatives and strategies tend to fall into three camps:
- Documentation Driven by “Rules Wizards”, with extensive policy and procedure documentation, usually from the comfort of an Ivory Tower in the Business that is comfortably removed from GEMBA
- Technology Triggered by “Techno-Lords”, usually from within the bowels of the organisation’s IT department, which is also often at a distance from the place where the work is actually getting done.
- Awareness and Attitude Oriented: Driven by a “Coalition of the Willing”, with a focus on policy that is actually executed through the appropriate use of supporting technologies and a strong focus on the “Human Factors” that lead to awareness and understanding of the required changes.
Often it is difficult to see which kind of initiative you are dealing with. In organisations that have a “Document Driven” approach, management take comfort in the fact that they have documented procedures and policies for everything therefore everything is in control. In “Technology Triggered” initiatives, the management of the organisation places a blind faith in the power of technology to protect, prevent, detect, and mitigate issues.
Both approaches are doomed to failure. Neither, no matter how sophisticated, can ever deliver anything other than “small ‘c’” compliance. Because Quality Systems are about more than just documentation or technology. Real quality requires a sustainable change in attitudes and awareness. After all, Deming’s 1st two points of Management Transformation are not “Write documents” or “Get good technology”: They is “Create a Constancy of Purpose” and “Adopt the New Philosophy”.
Purpose and Philosophy require that the organisation look at the attitudes that are there. It is as important to understand and articulate a Vision for the Quality System… and to make sure that that Vision is embedded in the mind-sets and attitudes of the staff in the organisation.
At a conference in London in 2005 Joyce Orsini of Fordham University shared a story with me of a trip W.Edwards Deming (she was working with Deming at the time) took to an automobile manufacturer in the US in the mid 1980s. On this trip the plant manager took great pride in showing off the robots (technology) that they were using to manufacture the cars. Deming noticed that every time the robot arm swung over the car it dented the boot (trunk) lid of the car. He asked if this was part of the Quality Standard (Policies). The Plant Manager said no, it wasn’t, but they had a man at the end of the production line with a hammer to knock the dent back out.
A lack of awareness about the operation and objectives of the Quality System and what it meant as a value system meant that no-one in the plant seems to have questioned the operation of the Quality System.
Without Awareness and Attitude the investment in Documentation and Technology that form part of the Quality System will ultimately have sub-optimal return.
Expelling the Papal Nuncio
A few days ago my friend Simon asked me to jump in and give him a hand admining a Facebook group he first set up in 2009 in response to some of the reports that had been published into clerical sexual abuse in Ireland. These reports highlighted a catalogue of blocking, interference, and general institutionalised non-cooperation with investigations by the State authorities.
The recent publication of the Cloyne Report highlighted still further that there was a clear policy of non-cooperation and basic lip service being paid to child protection standards within many areas of the Irish Roman Catholic church, at the initiation of, with the support of, and with the backing of the Vatican State’s senior diplomat to Ireland, the Papal Nuncio. That this culture has spanned the tenure of multiple holders of the post over the past number of years (Guiseppe Lazzarotto [Nuncio from 2000 to 2007] blocked cooperation with inquiries on the grounds that ‘diplomatic channels had not been used’, Luciano Storero [Nuncio from 1995 to 2000] warned Bishops against implementing measures requiring mandatory reporting of child abuse) speaks to an institutional failure on the part of the diplomatic representatives of a foreign state to respect the laws of the Irish State and co-operate with enquiries into horrific cases of systemic and systematic abuse.
And that is why I was only too happy to help Simon out. It’s not that I am anti-religion, anti-church, anti-priest, or anti-catholic. Those who know me well know my personal beliefs. I don’t feel it is relevant to share them here, because in parallel with my personal religious and philosophical beliefs I have a very strong belief that international relations between States must be grounded on trust, or at least respect. I do not believe it is acceptable for a diplomatic representative to place themselves above or outside the law of this State without there being clear consequences for the office holder and the office itself.
Had the Danish Ambassador conspired systemically to block investigations into the alleged criminal activities of Danish citizens I’d be calling for him to be expelled as well.
The fact that the Papal Nuncio holds a special senior position in the Diplomatic Corps in Ireland is doubly troubling to me. The Nuncio is the Dean of the Diplomatic Corps, effectively feted as the most senior diplomat on the Ferro Rocher circuit. And all while the office of the Nuncio has, for over two decades, facilitated the breaking of Irish laws and conspired to block and frustrate investigations of those alleged offences.
So. What I’m asking the Irish Government to do is to take action to remove the special standing of the Papal Nuncio immediately. They should then take the necessary steps to expel the Ambassador from the Vatican City State (the legal entity not the religious body).
Finally, the Irish Government should also withdraw the invitation to the Pope to visit. Bluntly, we can’t afford it as the return on investment compared to other State visits from countries with diplomatic representation here simply isn’t there. When the Pope visited the UK it cost over GBP12 million (EURO14 million) before the policing costs were factored in. The combined visits of Obama and the Queen came to around €30 million in total.
The United States as a population of over 300 million people. Fair enough only around 15% of them have passports, but that’s still a potential pool of 45 million travellers who might stop off in Ireland on their vacations. The UK has around 62 million people sitting a 1hr Ryanair flight away from us. So, the potential pool of possible tourists who can come from the UK and US as a result of the State visits in May is around 100 million people. So, it would have cost us €0.30 per head to target that population.
The Vatican has a population of 826 people (source: CIA Factbook). Spending €12million on securing the Pope’s visit would cost us €14528 per capita to sell Ireland as a tourist destination to the population of the Vatican. Even if it cost us a quarter of what was spent on the UK visit, we’d still be spending over €3,000 per potential traveller to sell into a market that I’m sure Failte Ireland are already reaching through their advertising spend in Italy.
The recent furore about the News of the World and other tabloids engaging in unauthorised access voicemails I thought it might be worth pondering the potential Irish legal situation. Now, I’m not a lawyer. This post is intended to work through some of the relevant legislation and the potential issues that might arise in Irish law. It is not legal advice. I fully expect members of the Irish legal blogging community to leap in and make comments and corrections as needed.
The law
There are a few pieces of legislation in Ireland that would come into play here:
- The Data Protection Acts 1988 and 2003
- The Criminal Damage Act 1991
- The Criminal Justice (Theft and Fraud Offences) Act 2001
- The Postal and Telecommunications Services Act 1983
- Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993
- The ePrivacy Regulations 2011 (http://www.dataprotection.ie/documents/legal/SI336of2011.pdf)
The Data Protection Acts
The Data Protection Acts require that personal data be obtained and processed fairly.
Journalistic exemptions to this and other provisions of the Acts exist under s22A, but only insofar as there is an actual intent to publish a story or other work based on the information which has been obtained. So… if a journalist and/or a private eye in the pay of a newspaper were to obtain personal information about Celebrity A on foot of a fishing trip through the voicemails of celebrities A through F when there was no intent to publish a story about Celebrity A until such time as the information was obtained, then the journalist might not be able to rely on their exemptions under the Acts. The protection of the right to Freedom of Expression is only protected where there is an intent to actually express something, and if the publication of that story is in the Public Interest (which is a thorny topic I won’t delve into here).
Criminal Damages Act 1991 and Criminal Justice (Theft & Fraud Offences) Act 2001
Journalists who engage in unauthorised access to voicemails may also be committing an offence under the Criminal Damages Act 1991. This Act makes it an offence to access information without authorisation and to modify that information whether or not that modification has an adverse effect. Listening to a voicemail modifies the content and nature of the information (at the very minimum changing a flag from “new” to “listened to”. The Act does make use of the word “computer”, which would suggest to a lay person that it would only be an issue if a device meeting the traditional view of a computer was used. However the term is undefined and as such it is open-ended as to what type of device might meet the legal test of a “computer”. In that regard, the definition applied in the Data Protection Acts (“a device operating automatically in response to instructions”) might be relevant.
So… accessing a voice mail box (which is itself stored on a device operating automatically in response to instructions computer of some sort) without permission and listening to the recording is likely to be a criminal offence in Ireland, given the breadth of the definitions in play.
This is doubly so when the Criminal Justice (Theft and Fraud Offences) Act is taken into consideration. It provides for an offence of “dishonestly” using a computer or causing a computer to be used within the jurisdiction of the State. The big question to answer here is
- What’s a computer?
- What’s dishonest?
It might be argued that going on a fishing trip for personal data without any prior formed intent to publish a specific story about a specific individual could constitute dishonesty.
The 1983 and 1993 Acts
Section 98 of the 1983 Act deals, in the first instance, with a general prohibition on the interception of “telecommunications messages”. In short… it’s illegal except in certain defined circumstances. Interception is defined as being
“listening to, or recording by any means, or acquiring the substance or purport of, any telecommunications message without the agreement of the person on whose behalf that message is transmitted by the company and of the person intended by him to receive that message”
The term “telecommunications message” is not actually defined in the legislation, which creates an interesting situation when you consider that this Act was drafted in the early 1980s when there was no digital voice mail, no email, limited use of fax services, and (importantly) when there was only one company laying cable and connecting people to a telecommunications network in Ireland. Significantly, the 1983 Act only applies to telecommunications services which require a license… which would exclude a lot of on-line communications tools such as VOIP, web-based email or IM chat.
The 1993 Act deals essentially with phone tapping and interception of postal packets. The legislation is couched in terms suggesting that data at rest (e.g. a voice mail recording sitting on a server or an email sitting in in a mail host somewhere) may not be covered.
Digital Rights Ireland argued in 2009 that the framework in place under the 1983 and 1993 legislation most likely did not cover most on-line activities and as such there was, strictly speaking, no clear legislative prohibition on the interception of SMS, email, VOIP etc., technologies which simply did not exist at the time the legislation was being drafted and as such probably left the State falling short of their obligations under the ePrivacy Directive.
The European Commission rejected DRI’s submission at the time
Electronic Privacy Regulations
The new electronic Privacy Regulations place mobile phone operators in an interesting position with regards to phone hacking. The means by which voicemails were accessed, in the main, appears to have been default voicemail passwords being left unchanged. This is a security weakness in mobile phones and, for that matter, fixed line services which provide a voice mailbox service.
For example, for most mobile phone operators, the default password for a voicemail account is 0000. In many fixed line systems, the password might be 1234. Failing to change this password leaves the data which is being recorded in the mailbox unsecure.
The complication in Irish law for the telcos is that section 4 of the EPrivacy Regulations (SI 336 of 2011) requires providers of electronic communications services to
- Ensure appropriate security safeguards so that data is only accessed by authorised persons, with respect to the state of the art and cost of implementing (section 4(1))
- Ensure that the security measures can protect against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure (section 4(2)(b))
Section 4(4) is the doozy I feel.
In the case of a particular risk of a breach of the security of the public communications network, the undertaking providing the publicly available electroniccommunications service shall inform its subscribers concerning such risk without delay and, where the risk lies outside the scope of the measures to betaken by the relevant service provider, any possible remedies including an indicationof the likely costs involved.
My reading of that section is that mobile phone and landline operators who apply default passwords to voicemail accounts need to be more proactive about alerting customers to the risk and, ideally, implement a process which mitigates or eliminates the risk (such as having a randomly assigned password associated to a voicemail that is SMS’d or posted to the customer – just like bank security codes for on-line banking). I’ve asked the Data Protection Commissioner about it and it appears that my reading is, by and large, correct.
And as the SI implements an EU wide directive this could get interesting in light of the NoTW noises.
Conclusion
The world of telecommunications and person to person linking using tools like VOIP, SMS, Instant messaging, voice mail, email, and “Unified Communications” which we find ourselves in today was almost unimaginable even fifteen years ago. I can recall when I started working with a large telco in the summer of 1997 that digital voice mail was a massively new fangled thing, had you told me that I would be getting voicemails emailed to me from a virtual VOIP phone system which I could open and read or listen to on my mobile phone I’d probably have laughed.
But that is what we do every day now.
The legislation may not have kept pace. However, where the legislation has caught up, providers of telecommunications services need to do their bit to raise awareness and understanding of how the world may have outstripped the law (at least for now).
I invite any comments or corrections from more learned colleagues.
Three strikes – you’re out(?)
I’ve recently been pondering the 3-strikes process which is used by eircom to police illegal content uploaders and the Data Protection implications of same. [By way of full disclosure, I used to work there in a role that involved me analysing processes and finding out where they were broken and potentially non-compliant with host of regulations. That said, given that when employed there a big part of my job was to call b*llshit on defective processes and get them fixed or killed, I would not consider myself an apologist for eircom].
The process (as I understand it) is this.
- A person goes onto torrent site and seeds a torrent with copyright protected material.
- As part of seeding the torrent, their IP address is published in the torrent service.
- A 3rd party company monitors torrents and flags to eircom IP addresses and details of copyrighted materials that are being seeded.
- eircom checks the IP addresses provided against the IP addresses in use by customers at the time of the seeding and a letter is produced informing the customer that copyright protected content was being distributed illegally via their account. They are given three chances to prevent this distribution before their account is suspended.
So. What is happening here? An illegal act is being committed in a public place (IP addresses are published in the torrent service). This public data is passed to an ISP who seeks to associate the IP address with a named ‘controller’ of the service, who is then advised that an illegal act was committed using their service and advising them to ensure that the activity ceases. Music labels are not told of the offenders. Personal data of eircom customers is not transferred to music labels.
No data is passed about individual customers to any 3rd party by eircom. eircom acts on public data compiled and processed by a 3rd party on their behalf. Eircom processes this information in order to enforce sections 5.5 and 5.6 of the Terms and Conditions which govern their Broadband service.
The analogy I would draw is with the system for enforcing speed limits using traffic cameras. If your car is on the motorway doing 135kmh and you are snapped by a traffic camera in a GATSO van operated by a private company working on behalf of the authorities, your car registration number and the record of the speed you were doing when snapped is sent for processing against the vehicle licensing database which associates the registration number with a named person (the registered owner of the car). A few weeks after you are snapped you receive a letter in the post with a copy of the photograph, details of the speed, and details of the fine you will have to pay.
An illegal act, in a public place, where a publicly visible identifier can be recorded, which can then be associated with other information to identify the nominated responsible person for the conduct of that vehicle. The parallel is, at least to me, very clear.
It is also very clear that in both the Broadband case and the Traffic camera case that there are certain evidentiary controls that need to be in place to ensure that data is being processed fairly and accurately and appropriate safeguards need to be in place to ensure that data is not processed or disclosed unlawfully.
For example, eircom recently had an issue where a number of customers received warning letters about downloading which did not relate to them. The root cause was a failure of a server to update to Summer Time from Daylight Savings time, meaning the timestamps associated with IP addresses were out by an hour. Accurate timestamping and recording of location data of traffic cameras is also important, as the Australian State of New South Wales and the US city of Long View discovered recently.
Of course, it is important to point out that eircom did not send personal data about Customer A to Customer B. They simply attributed, erroneously, the actions of Customer A to Customer B.
The Data Protection Acts do not provide a shield behind which people who commit offences can hide. The right to Privacy is not an absolute one and must be balanced. So long as the processing of the data is done in a manner which does not infringe privacy or result in unwarranted disclosure of personal data companies have a legitimate interest in ensuring that they can enforce the terms and conditions of contracts that are entered into.
Where people chose to commit an illegal act in a public manner, or where through neglect or lack of domestic control they allow such acts to be committed, then a polite but firm reminder of their duties as parties to the contract is to be expected. Where that reminder is provided without personal data being disclosed to 3rd parties (as was the case previously) then this is a half-way house that balances competing rights but which must be kept under constant scrutiny to ensure that there is no scope creep, function spread, leakage or abuse.
As the May Bank Holiday draws to a close, I’d like to remind customers of Bank of Ireland that they should take a careful look at their account balances this week if they have been using laser (debit card) or ATM services over the weekend. If you do find you’ve been ‘double-dipped’, please let me know via this blog.
Double Dip - Nice Confectionery but leaves a bitter taste if it happens to your bank account
Laser-like accuracy
Word reaches me this morning of yet another incident of Bank Of Ireland double-dipping laser card transactions on or around a Bank Holiday.
BOI will, doubtless, claim that this is a once off and hasn’t happened before. That’s what they said the last time (when it had actually happened before). Furthermore, I hope that BOI are more certain this time as to the root cause (last time out it was variously “retailer error” or “a software upgrade glitch”).
And hopefully their process for catching “shadow transactions” which lead to the double-dipping will kick into play and actually refund the customers affected (which if this glitch is on the scale of their 2009 one could be up to 200,000 card holders).
For reference the relevant blog posts are:
http://obriend.info/2009/09/09/bank-of-ireland-double-charging/
http://obriend.info/2009/09/09/bank-of-ireland-double-charging-a-clarifying-post/
http://obriend.info/2009/09/10/bank-of-ireland-overcharging-another-follow-up/
http://obriend.info/2009/10/28/bank-of-ireland-again/
The issue also featured over on IQTrainwrecks.com.
My €0.02: This issue appears to manifest itself around Bank Holidays. This suggests a batch load process or some human triggered action doesn’t work correctly when there is a Bank Holiday. Having a process to detect the double-dipped transactions is not a fix, as if it doesn’t work (as seems might be the case here) then the incorrect data gets through.
BOI might want to pay attention to Ferguson v British Gas, which while a UK case, could be arguable precedent for the view that Irish Courts won’t care how complex your IT systems are if a customer is impacted through a failure of your systems to process information correctly.
BOI need to identify the precipitating root cause of this problem, based on the data they have available… I’d start with looking at the dates of incidents (BOI should have more data than newspaper headlines to go on) and seeking to confirm or disprove the ‘Bank Holiday hypothesis’.
Relying on a ‘scrap and rework’ kludge that might itself fail is not a sustainable approach to ensuring information quality or quality of customer service.
Doing the right thing
So, imagine for a moment that you have just found out about a technology that, according to the sales person, will have an immediate impact on preventing children being abused, tortured and worse. Imagine you’ve been told that it won’t require you to do a thing, that it will operate “out there” (possibly in “The Cloud”) and perform its function on your behalf without you having any need to actually do anything yourself to put the processes in play.
How much would you, personally, pay for such a technology? €1 a month? €5 a month? €10 a month?
What if it turned out that:
- The technology actually didn’t stop the hurt or damage to children, just made it a little harder for people who paid for access to images of that to get at it and, at best, curtails demand slightly
- Was relatively easily circumvented using free or low cost tools
- Had been found not to work in other countries where it had been made available, with innocent individuals and businesses suffering due to poor quality data existing in the processes which meant they were tagged as “offending” and were being closed off from their market (in the case of businesses) or from their legitimate personal activities (in the case of individuals).
That’s what the Irish police have asked ISPs to do with their recent requests to implement IP filtering, outlined by Digital Rights Ireland today. IP Filtering has been found be ineffective in the Netherlands, has had declining effectiveness in the UK, and doesn’t actually address the problem of the images being accessible on the Internet. In Australia a leaking of the black list revealed valid businesses that had no child porn content, with almost 50% of the list being unrelated to the target intent of controlling access to images of child pornography (thanks to DigitalRights.ie for the linked to stories).
A far more effective approach is to get the images removed from the sites that are hosting them. Perhaps this is problematic and onerous. Let’s look at some statistics:
- Of the 72 requests to remove images of child pornography made by the UK’s Internet Watch Foundation in 2010, a paltry 100% were complied with in a geological “few hours” (source: BBC report on IWF’s Annual Report)
- Researchers in Germany working with AK-Zensur.de found that the 3 active sites on the sample of watch list data they worked with were taken down within 90 minutes of requests being made to hosting companies and/or domain registrars. In each case the images had been blocked but were still on-line for up to 2 years.
So… making requests to the hosting providers tends to be effective at removing the problem at source. Indeed, a draft EU Directive is calling for exactly that approach to be taken.
Which leaves us back at the start, asking the question about how much you’d be willing to pay to have such a technology in place to block access to sites. Because a price will have to be paid in some way and in some form. On one hand, Irish telcos are not exactly awash with cash at the moment and the implementation of any blacklisting process will require some governance and resourcing (both technology and people) which will come at a price. Currently there is no proposal that the State would contribute to this cost, and the model of the Data Retention regulations would suggest that no such stipend would be forthcoming.
So the cost of web filtering would likely have to be borne by the ISP. Which would mean either higher bills or reduced investment in other areas as the money would have to be found somewhere (it is worth remembering in this context that eircom is currently trying to restructure its debts and cut costs by €92million). So, realistically, the costs will emerge somewhere on your bill. How much are you willing to pay for technology that doesn’t achieve its goals?
The other price to pay is the privacy cost.
The Garda proposal is, to my reading, an outrageous trampling of personal privacy rights while they take a lump hammer to swat a fly. In essence, they amount to a “guilty until proven innocent” position where inadvertent access will need to be explained by way of the ISP giving EVEN MORE data to the Gardaí about an individuals browsing history. As Digital Rights Ireland point out in their letter to the Data Protection Commissioner about these measures, such disclosures might actually be illegal in and of themselves under other legislation. And if your domain name can identify you as an individual there is always the potential for your personal reputation to be damaged if you are put on the blacklist in error given the text of the “stop page” message.
- What ever happened to “Adequate, Relevant, and Not Excessive”?
- And how bullet proof are you against malicious uploading of content to your website anyway?
It would seem that the only entity not incurring a cost in the entire equation is the Gardaí, as their letter does not outline any form of “right of reply”, any avenue for validating or correcting entries on any black list which might be created, or any form of judicial oversight or regulation of the powers which the Gardaí are taking upon themselves in this context. Who do I contact if my business site is compromised, becomes a host for offensive content (if only for a few hours until it is spotted and removed) and is blacklisted? What steps have the Gardaí taken to ensure that they don’t mirror the Thai experience, where a blacklist introduced to control access to child pornography has experienced “scope creep” to include any criticism of the Royal family, or the Australian experience where, according to one expert:
“It seems to me as if just about anything can potentially get on the list”
Doing the right thing is very important. But equally important is doing the thing right. Internet filtering is ineffective as a tool. It is the equivalent of telling one part of a town they can’t shop in B&Q while the rest of the town sates their bricolage requirements at the “banned” store.
An analogy to the Garda proposal is this: Anyone entering certain areas of the country (“black-zones”) would be overtly tagged as probable criminals by reason of their being in that location. They might even be given a badge to wear at all times as a result. Where they are ‘just passing through’, the probable criminal will need to provide evidence of their normal habitual movements to the authorities so they can satisfy themselves that the visit was accidental or as a result of an unexpected detour. Residents will not be told about their status as a “black-zone” and will have no ready right of appeal or opportunity to challenge the designation. Visitors will be told they are about to enter a “black-zone” that hosts criminal elements and activity by way of a large sign on the side of the road.
Would that be acceptable in Irish society?
Internet blocking is ineffective. The current proposal lacks sufficient checks and balances, and may even require ISPs and telcos to break other laws to comply. It will inevitably result in innocents being tarred as offenders. Data Protection principles (such as “Adequate, Relevant, and Not Excessive” are being blatantly ignored to implement an ineffective solution.
Far better is to shut down the shop by removing the images at source and invest time, energy, and resources into a more transparent effort to manage this issue.
