The DOBlog

Blog

  • Dublin Web Summit, Data Protection, Data Quality, and Brand

    The KoolAid is being quaffed in great quantities this week in Dublin. And, having run national and international conferences in the Data Protection and Data Quality fields, I have to respect the achievement of the organisers of the Dublin Web Summit for putting together an impressive event that showcases the level of innovation and thought leadership, and capability in web, data, and all things tech.

    Yes. About that “thought leadership”…

    Data Protection

    Today’s Irish Times Business Section carries a story by Karlin Lillington about things that have been happening with her personal data at the Web Summit. An event she is not attending and has not registered for but for which she:

    • is registered as an attended
    • is listed on the media attendees list
    • has had her contact details distributed to sponsors and companies attending the event
    • has had her details shared with a social networking application that has pulled data from her Facebook profile

    In addition, she highlights that a list of ALL attendees is being distributed by the organisers if you request it through their Facebook page, but there is no opt-out for being included on this list and nothing in your registration that informs you that this will be happening.

    Emails are being sent out without people having opted-in, and not every email that is being sent out has the required opt-out. And I suspect that that may be the tip of the iceberg.

    Karlin reports that there have been complaints filed with the ODPC. My twitter stream this morning confirms that there are a number of people who I follow who have complained about how their data has been used. Many of these people would be the kind of people who you’d like to see fronting the thought leadership and innovation in web and data stuff, and they are irked at how their data is being abused.

    The DPC apparently has had previous complaints about Web Summit and has engaged with them in an “Advisory Capacity”. In my experience working with clients who have been subject to Data Protection complaints and have been investigated by the DPC, that is the Data Protection equivalent of “helping the police with their enquiries”. Web Summit has been handed rope. They have been guided and advised as to what needs to be done to be compliant (in keeping with the gummy tiger provisions of Section 10 of the Data Protection Acts which require the DPC to seek amicable resolution first and to focus on encouraging compliance rather than punish breaches).

    Dublin Web Summit has chosen, whether through a deliberate decision or a series of ego-driven and ignorance fuelled errors of judgement to ignore the advice of the DPC and continues to act in a manner that flouts the Data Protection rules that (and here’s the kicker) are not ‘nice to have’ but are guaranteed under Article 16 of the TFEU and have been subject to a number of recent tests at Circuit Court and High Court.

    Basically this is a Data Protection cluster f*ck of the highest order that illustrates one of the key problems with the “Innovation culture” in Ireland and, on the part of Government, either a blatant hypocrisy or a sociopathic ability to hold multiple contradictory positions at once. We want to promote Ireland as a great place to do business with web and data. And we want to be seen to be a bastion of increasingly responsible governance and regulation (after all, we’ve learned the lessons of the financial services collapse right? That one where we had  a Regulatory regime that was of so light a touch it could earn extra pin money touting for trade along the canal.) But for feck’s sake, don’t let the LAW get in the way of the use of TECHNOLOGY.

    Dublin Web Summit has almost certainly breached the Data Protection Acts in a variety of ways. Given that many of those breaches would appear to have been taken AFTER the DPC had given advice and guidance on what not to do. So the Web Summit organisers might want to check section 29 of the Data Protection Acts (never used, but there’s always a first time).

    Data Quality

    Data Protection and Data Quality go hand in hand. Heck, the principles for Data Protection are referred to in Directive 95/46/EC (and a variety of other places) as “Principles for Data Quality”. But on a more practical level, the approach the Web Summit has taken to obtaining and gathering their data and putting it to use has created some Data Quality problems.

    Take Karlin for example.Her contact details have been included on a media contact list for the event, touting her as someone from the media who is attending. A variety of sponsors and exhibitors at the event have apparently contacted her looking to meet at the conference. I’m guessing they’re a bit surprised when a leading tech journalist tells them she isn’t attending the event and won’t be able to meet with them.

    Also, eyeballing the “media list” I’ve found:

    • Duplicate entries (suggesting the list was created from multiple sources)
    • Organisations listed that might not be media organisations but are possibly service providers interfacing with media (new media/old media)… so VENDORS.

    The categorisation of organisations is hair splitting on my part, but the duplicate entries on a list that was being circulated to sponsors and exhibitors is indicative of a lazy and careless approach to managing data.

    How many of the people on the list are actually attending? And if you are counting the number of people attending from an organisation, are you allowing for duplicate and triplicate entries? If you are a marketing manager from a company who is ringing all these media people only to be told that they are either not attending or that they are not actually covering the tech aspects of the event but are (heaven forfend) actually exhibiting at the event yourself, how much will you trust this list next year? Will you be happy to pay for it?

    Never mind the quality, look at the tech!!

    Brand

    And this is where we come to the brand aspect of all of this. The Web Summit has made basic mistakes in Data Protection compliance even when presented with advice and guidance from the DPC. With regard to their Presdo social networking application, there are examples of it being used in data protection compliant ways (Karlin cites the le Web conference which used the same application but presented people with a code they could use to confirm their consent to their personal data being accessed and shared).

    But Dublin knows better. Dublin is the go-getter innovator. Rules schmules, Indians Schmindians.

    Which is a mantra that has disturbing echoes in the recent history of the European Economy. So it is a mantra we should, as thought leaders and innovators, be trying to distance ourselves from as much as possible. By showing how we can design privacy into everything we do in web and data and pushing the innovate envelope in ensuring balance.

    But here’s my fear. EI and the Government don’t get this. I am not aware of ANY EI incubator programme [Brian Honan informs me that Blanchardstown and Dundalk IT have had him in to talk to programmes] that provides training or briefings on Data Protection (Wayra does. I recently provided some content to help).

    My company has submitted proposals to various government backed training programmes for On-Line business, and I have got letters back telling me that Data Protection is not relevant.

    Everyone seems happy to touch the hem of the prophets of the Web and drink hungrily from the Kool Aid, repeating the mantra “Rules Schmules, Indians Schmindians”. But it is worth remembering the origins of the phrase “Drinking the Kool Aid” (hint: it didn’t work out well for the first group to do it).

    The Data Protection world globally is in a state of rapid evolution. Those who ignore the help and advice of Regulators invite penalties and brand damage. It  is time that the thought leaders of our web economy stepped back and actually thought about how they develop their brand and build trust based in the personal data economy.

    Koolaid from the Floor [an update]

    I made the mistake of watching twitter streams from the Dublin Web Summit. The KoolAid was gushing. Lots of great ideas and interesting innovation but not a single person seemed to be addressing the gorilla in the room that is Data Protection and Privacy.

    Yes, Social Engagement is important. Yes it is important to build trust and engagement with your brand. But as W.Edwards Deming famously said:

    You can’t inspect quality into a product, it’s there from the beginning.

    In other words, if you don’t start off by respecting your customers and their privacy rights, you will leave a bad taste in your customer’s mouths and sour your brand.

    That’s the weedkiller in your web branding koolaid. Drink with care.

  • Lego System and the Value Delivery System

    I love Lego. The fact that my Facebook avatar is a sinister looking “Liago” man from a Chinese clone of the famous Lego System is a little personal in-joke (and I’d love to see what their facial recognition makes of that). But I also love my daughter, who is bright, imaginative, and creative. And I hate to see anything that might curtail that and box her thinking into a gender-appropriate bucket that she might struggle to climb out of in years to come.

    That’s why I hate the fact that ‘girls’ toys are all pink. I’ve given up to an extent on the battle against all girls’ clothes being default pink. Everyone seems to think this is the way it has always been, but no it’s not. It’s new, and it has been the other way around as well. Here’s a quote from an article in the Smithsonian Institute’s magazine:

    For example, a June 1918 article from the trade publication Earnshaw’s Infants’ Department said, “The generally accepted rule is pink for the boys, and blue for the girls. The reason is that pink, being a more decided and stronger color, is more suitable for the boy, while blue, which is more delicate and dainty, is prettier for the girl.” Other sources said blue was flattering for blonds, pink for brunettes; or blue was for blue-eyed babies, pink for brown-eyed babies, according to Paoletti.

    In 1927, Time magazine printed a chart showing sex-appropriate colors for girls and boys according to leading U.S. stores. In Boston, Filene’s told parents to dress boys in pink. So did Best & Co. in New York City, Halle’s in Cleveland and Marshall Field in Chicago.

    But Lego is supposed to be different. It is supposed to allow children to think outside the box (literally as well as metaphorically). My fondest memories of childhood centre on a massive 30 litre white bucket that my grandmother bought at a time before my memory which was filled with every piece of Lego bought for my uncles, for me, my brothers and which did the rounds of ALL my cousins.35 year old Lego being played with without prefixed form or format, constrained only by our imaginations and the laws of physics, whether we were boys or girls (I’ll admit – mostly boys, but that just makes my next point more important as I do have some girls in my extended family).

    New Lego is shit. More precisely: New Lego for Girls is shit. Sexist, insulting, degrading shit. It is so shit that I will not let it in my house. Ever. Here’s why:

    Lego Friends–Silly imagination retarding lego playsets for girls.

    So.. gone are the fun Lego person minifigures, replaced with anatomically approximate figurines with long hair. Who go shopping. And hang out with their friends. And have handbags and Beauty parlours and cake shops.

    Jebus. There’s no need for any small girl to risk burning out a brain cell engaging in that ‘imagination’ thing. Keep your brain inside the small box that society is creating for you, accept the parameters and all will be well. Compare to the style of the ‘boys’ Lego (which is a slightly formulised version of the Lego I love)

    Lego that makes you think about what might be possible….

    Yes. I’m guessing the Astronaut is a boy. (I secretly suspect girl astronauts wouldn’t have sent a broken satellite into space or would have been more careful with the fragile bits when it got there).

    Lego say that their product design is based on market research and studying what girls play with. This is a mistake. This basically means that their research has essentially asked questions like:

    • “How have different genders reacted to mass market indoctrination by other toy manufacturers who are creating pre-assembled play sets? ”
    • “When faced with a choice of toys in pink, pink, or pink that establish certain female gender roles, do girls choose the astronaut (who is not an option they can chose)”

    Which, unsurprisingly has left them with the answer that girls like pink, want to have a beauty parlour, and the only space they are interested in is the one where they will be building their beauty parlour.

    This inevitably has lead Lego to creating a range of products that women find sexist and demeaning and men find to be a heretical travesty of the concept of Lego as we know it.

    What might they have done differently?

    A few years ago my friend and mentor Andrew Griffiths introduced me to the concepts and principles of the Value Delivery System, as developed by Michael Lanning at McKinsey and subsequently refined by Lanning in his own consulting work. Andrew helped knock some corners off the concepts when he was in McKinsey and gave me a first-hand insight into the power of the method.

    (Incidentally, the term “value proposition” in marketing comes from this Value Delivery System but is used today with a meaning that is less than that which Lanning first promoted it.)

    Key to the Value Delivery System method that Lanning developed is the idea of the Key Resulting Outcome that the customer wishes to have. Once that is identified, the organisation can determine how to deliver that Key Resulting outcome using their products and services. In his book, Lanning cites the development of the Polaroid Instamatic camera as a good example of a Key Resulting Outcome triggering innovation. The inventor, Mr Land, was taking photographs at his daughter’s birthday. She apparently had a tantrum when he told her she couldn’t “see the photographs now!!”, which sparked the development of a technology that shook up photography and related industries (like pharmacies and camera shops) for nearly five decades.

    I often work back from what a company is delivering through or with data to identify the Key Resulting Outcomes they are giving their customers – as a way of triggering debate about Information Strategy (a cheeky adaptation of Lanning’s method). Applying that approach to Lego’s #NewLegoforGirls I have determined that Lego believes that Parents and Children:

    1. Want imaginations constrained with pre-formed Anglo-European/Anglo-American gender roles and lifestyle expectations. Girls shouldn’t worry about being astronauts because they can own a cake shop instead.
    2. Want clear demarcation in play and interaction between children of different genders. After all, Astronauts don’t get their hair done at the salon and don’t go for cakes at the coffee shop. They’re too busy fighting aliens and fixing satellites.
    3. Want girls to identify from an early age with female body shape identity and “gender appropriate”clothing and colours (like pinks). So the “Lego Friends” figures have curves and bumps and boobs and long hair, while the traditional Lego MiniFigures have comical faces painted on, but remain blocky and androgynous apart from that (yes.. I know the minifigures have ‘wigs’ with long hair and can have bodies made with painted on dresses as much as painted on uniforms but…they’re not as ‘in your face’ about it).

    Frankly, the Key Resulting Outcomes I actually want from toys for my daughter are:

    1. Stimulate imagination and creativity
    2. Promote group play and interaction, so that skills of cooperation and planning can be developed
    3. Allow her freedom to imagine herself in any role/job/scenario she may want, whether that’s cake shop owner or astronaut
    4. Provide a format and system within which the gender biases and cultural short-hand of the marketing departments of other lazy toymakers can be set aside and open explorative play and imagination can be developed.

    Like in the old days. The way Lego used to be. Right now I fear Lego may be facing a “New Coke” moment. Parents (and dare I say it, grandparents who fought the feminist battles of the 1970s and 1980s) are sick of society and toy makers being lazy and putting the imaginations of children into boxes that are shaped by relatively recent colour charts (1940s) and ridiculously inane and sexist stereotypes of gender roles and possibilities.

    Lego should be about possibility, not pink. That is the Value that the Lego System should be delivering.

    When my daughter plays with Lego, I want her to feel free and encouraged to imagine the day she opens her Beauty Parlour/Cake Shop.

    On Mars.

    After she’s led the first successful manned mission there.

    As an Astronaut.

  • Triskaidekaphobia Cars and Information Economics

    So, the Irish Government has decided – based it would seem solely on the analysis and advice of the Society for the Irish Motor Industry- to introduce a revised licence plate system for Irish cars starting from January of next year.

    The reasoning put forward is that fear of the number 13 will hamper car sales (superstition) and people don’t like the current system because they don’t know for certain when a car was manufactured (snobbery).

    Snobbery

    To address the snobbery element first, according to comments from SIMI quoted in the Irish Independent:

    Even though 70pc of new cars are bought during the first four months of the year, some consumers believe that it doesn’t accurately reflect the real age of a new car since cars bought in January are obviously manufactured the previous year while those bought later in the year are actually made in the same year

    So. 70% of all new cars are purchased in the first four months of the year. That’s a good statistic. It means that, on average, 3.75% of all new cars are sold in each of the remaining 8 months of the year. From that a reasonable guesstimate of the value at risk in each month can be worked out.

    What is not a good statistic is “some consumers”. Is that one consumer, one consumer and their friend from the gym, 1000 consumers, or every consumer who buys a car in the first 4 months of the year? If is the latter it obviously doesn’t bother them that much or they wouldn’t buy until later in the year.

    Surely a better and more cost effective approach would be for the SIMI to educate purchasers about the manufacture and supply chain processes that apply to vehicles. Bluntly – car manufacturers don’t build cars in the hope they will sell them. That’s too expensive. They apply logistics principles to build enough to just about meet forecast demand. And no more. So a car purchased in January will not have been sitting in a storage facility for a dozen months. It will be relatively recent.

    And does the fact that it was manufactured in the previous calendar year actually matter if features, specifications, and price are the same in December 2012 versus January 2013. I know from experience that the announcement of a new model of a car affects book value, but, excluding the change of model for a moment, logistics need to be considered when we think about the idea of the year of manufacture being a real decision point for people. After all, a car manufactured in January 2013 will be using parts that were on-hand at end December 2012, that were probably ordered at the start of December 2012, and were probably being manufactured by the downstream supplier from October 2012 in anticipation of a glut of orders from car manufacturers in December/January 2012.

    The new iPhone isn’t due out for a while yet, but already there are rumours of supply chains having been ramping up for months… that’s how logistics works.

    And as the supply chain for vehicles is largely a pull supply chain (building to respond to demand), the easiest way to avoid having a car that was assembled in 2012 delivered to you as a new car in 2013 is to order it in Month 2 or 3 of 2013.

    But even then it doesn’t matter as the actual age of components going into the car will depend on the vagaries of supply chain management down the line from the dealership to the nice man in Schenzen whose company makes the screws that hold your sun visor in place.

    I can remember a few years ago looking to buy a particular model of car. The dealership didn’t have any in stock and when they (and this is the CSI moment) looked at the logistics system from the manufacturer they were able to tell me when the next one of the model I wanted would be manufactured. There was no great holding pen of stocks waiting for me to turn up and buy.

    So… I would really like to see some objective evidence that people actually give a rats ass about when their car is assembled, given that the majority of new cars are purchased in a time period when it would be logical that the supply chain inputs to the delivery of that car would have taken place in the previous year. The data does not correlate.

    Superstition

    It’s a number. Currently there are vehicles on the roads in Ireland with the number 13 in their license plate. Not in the year, but in the other element of the license plate.

    Surely insurance companies can provide data on the number of claims involving vehicles registered within the past 10 years with the number 13 in their license plate against which we can determine if superstition is borne out by evidence. If it is… brilliant, we can establish an economic value case for changing an otherwise logical and straight forward system.

    The National Vehicle database (where registration numbers come from) would likewise have data on how many cars currently have a 13 in their license plate. If people are already avoiding it then the data will be there… lots of 12s, lots of 14s, no 13s.

    If not. Then there’s no actual reason to change other than a vague (and quantified) assertion that people won’t buy new cars because they have a 13 in the license plate.

    Reality

    This sounds like a simple change. But it isn’t. Many of the systems that your licence plate goes into are old and could require systems changes to accommodate the new format. Many of these are government departments. For example:

    • National Vehicle Driver File (Dept of Transport)-  reg number and registered owner
    • VRT tax systems (Revenue Commissioners)
    • Gardaí (PULSE system, asset registers for garda vehicles)
    • Insurers
    • Car park ticketing systems such as the Pay-by-SMS service in Dublin (Local Authorities)
    • Car clamping operator systems
    • CIE (they need to log busses)
    • Car Rental operators

    It would be interesting to know if the Government commissioned any form of economic impact assessment to off-set the cost of catering to one industry lobby group for a problem that would exist in one year against the costs to the State and other private sector organisations of making systems changes to support the new format.

    Particularly given that the changes would need to be implemented before mid December to allow for them to be in place for cars being registered in January.

    The reality is that life is not like Star Trek and data is not well managed. I would doubt if there is the required metadata available to do a quick Impact Assessment on the change. At a minimum you would need to know the maximum field lengths for reg numbers in key systems. Other data required would be information on data transfers, batch processing functionality, or edit checking that might be applied to make sure that the full extent of the changes is understood and addressed to avoid any systems or process failures.

    I was involved in a lot of that kind of activity in Call Centre systems for Y2K in a former life. It is not easy if things aren’t documented. And they are never documented.

    My prediction: It this suggestion goes ahead without any rigorous impact assessment here will be at least one major process failure in January/February 2013 arising from this. It is an idea that, while it may have merits, risks being rushed in without proper impact assessment being performed or any examination of the costs of implementation across the public sector or other private sector users of this information.

    In reality there has been a tentative Value case put forward with no corresponding assessment of the costs associated with delivering that value. And a horrendously ambitious time scale to make what is actually a deceptively complicated change.

  • Daisy (chain) cutters needed

    Brian Honan (@brianhonan on twitter) has been keeping me (and the omniverse) updated via Twitter about the trials and tribulations of Wired.com columnist Matt Honan who was the subject of a Social Engineering attack on his Amazon, Apple, Gmail, and ultimately twitter accounts which resulted in every photograph he had of his young daughter being deleted, along with a whole host of other problems.

    Matt writes about his experience in Wired.com today.

    Apart from the salutary lesson about Cloud-based back-up services (putting your eggs in their basket leaves you at the mercy of their ability to recover your data if something goes wrong), Matt’s story also raises some key points about Information Quality and Data Governance and the need to consider Privacy as a Quality Characteristic of data.

    Part of the success of the attach on Matt’s accounts hinged on the use of his Credit Card number for identity verification:

    …the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

    So, Amazon view the last four digits as being useful to the customer (quality) so they can identify different cards on their account so they are exposed. But Apple considers that short string of data to be sufficient to validate a person’s identity.

    This is a good example of what I call “Purpose Shift” in Information Use. Amazon uses the credit card for processing payments, and need to provide information to customers to help them select the right card. However, in Apple-land, the same string of data (the credit card number) is used both as a means of payment (for iTunes, iCloud etc.) and for verifying your identity when you ring Apple Customer Support.

    This shift in purpose changes the sensitivity of the data and either

    • The quality of its display in Amazon (it creates a security risk for other purposes) or
    • The risk of its being relied on by Apple as an identifier (there is no guarantee it has not been swiped, cloned, stolen, or socially engineered from Amazon)

    Of course, the same is true of the age old “Security Questions”, which a colleague of mine increasingly calls INsecurity questions.

    • Where were you born?
    • What was your first pet’s name?
    • Who was your favourite teacher?
    • What is your favourite book?
    • What is your favourite sport?
    • Last four digits of your contact phone number?

    In the past there would have been a reasonable degree of effort required to gather this kind of information about a person. But with the advent of social media it becomes easier to develop profiles of people and gather key facts about them from their interactions on Facebook, Twitter, etc. The very facts that were “secure” because only the person or their close friends would know it (reducing the risk of unauthorised disclosure) are now widely broadcast – often to the same audience, but increasingly in a manner less like quiet whispers in confidence and more like shouting across a crowded room.

    [update: Brian Honan has a great presentation where he shows how (with permission) he managed to steal someone’s identity. The same sources he went to would provide the data to answer or guess “security” questions even if you didn’t want to steal the identity. http://www.slideshare.net/brianhonan/knowing-me-knowing-you)

    The use of and nature of the data has changed (which Tom Redman highlights in Data Driven as being one of the Special Characteristics of Information as an Asset). Therefore the quality of that data for the purpose of being secure is not what it once may have been. Social media and social networking has enabled us to connect with friends and acquaintances and random cat photographers in new and compelling ways, but we risk people putting pieces of our identity together like Verbal Kint creating the myth of Kaiser Sose in the Usual Suspects.

    Building Kaiser Soze

    Big Data is the current hype cycle in data management because the volumes of data we have available to process are getting bigger, faster, more full of variety. And it is touted as being a potential panacea for all things. Add to that the fact that most of the tools are Open Source and it sounds like a silver bullet. But it is worth remembering that it is not just “the good guys” who take advantage of “Big Data”. The Bad Guys also have access to the same tools and (whether by fair means or foul) often have access to the same data. So while they might not be able to get the exact answer to your “favourite book” they might be able to place you in a statistical population that likes “1984 by George Orwell” and make a guess.

    Yes, it appears that some processes may not have been followed correctly by Apple staff (according to Apple), but ‘defence in depth’ thinking applied to security checks would help provide controls and mitigation from process ‘variation’. Ultimately, during my entire time working with Call Centre staff (as an agent, Team Leader, Trainer, and ultimately as an Information Quality consultant) no staff member wanted to do a bad job… but they did want to do the quickest job (call centre metrics) or the ‘best job they thought they should be doing’ (poorly defined processes/poor training).

    Ultimately the nature of key data we use to describe ourselves is changing as services and platforms evolve, which means that, from a Privacy and Security perspective, the quality of that information and associated processes may no longer be “fit for purpose”.

    As Matt Honan says in his Wired.com article:

    I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life. With this AppleID, someone can make thousands of dollars of purchases in an instant, or do damage at a cost that you can’t put a price on.

    And that can result in poor quality outcomes for customers, and (in Matt’s case) the loss of the record of a year of his child’s life (which as a father myself would count as possibly the lowest quality outcome of all).

  • Qui Custodiet CAI?

    The CAI (@the_cai on twitter), not to be confused with that famous venture capital firm based in Langley Virginia, the CIA, has today announced that it wants people who have been affected by the Ulster Bank IT outage in recent weeks to provide personal data to them for the purposes of starting a Class Action http://thecai.ie/media-news/the-consumers-association-of-ireland-cai-ub-%E2%80%98class-action%E2%80%99-initiative/suit. Or Initiative. It’s not entirely clear which, for reasons to follow.

    Jebus.. where do I start on this one?

    1. I have the legal standing of a Matlock script (4 yrs UCD Law as a BBLSer but never qualified professionally) and even I know that there is NO SUCH THING AS A CLASS ACTION SUIT IN IRISH LAW. So to claim that you are going to initiate such a thing is false and misleading advertising. So the CAI has stated it is a process to gather information to provide to the Dept of Finance and the Central Bank for the purposes of calculating the losses and impacts suffered.
    2. Should this campaign ever appear in print or media adverts as a “class action” I will be lodging a complaint with the Advertising Standards Authority on the basis that any such advert would be misleading as to a significant matter of fact
    3. Journalists covering the story should pay attention to the Press Council code of practice on accuracy in reporting – do not report as being something that is about to happen something that CANNOT EVER HAPPEN. Talk to a lawyer about this and get a quote from one. Simon over in McGarr Solicitors is a good one, and Fergal Crehan BL is a frequent media commentator on legal issues whose surname is not McDermott.
    4. I think the use of the phrase “Class Action” in this context is just dumb as the average consumer doesn’t know that there is no such thing as a Class Action in Irish law, given that their legal training and skills are derived from reruns of LA Law and Boston Legal, and perhaps a few episodes of the Good Wife. Therefore I would suggest that the CAI needs to be very careful how they set and manage expectations here.

    Right, now that that bit is out of the way, it is worth considering the implications of what the CAI is proposing to do here.

    • Obtain Personal Data and potentially Personal Financial Data from individuals
    • For the stated purpose of doing
    • A thing that can not be done without a legislative change that has been long fingered… well, since I was a doe-eyed undergrad in UCD Law to be honest, unless the thing that is being done is just to forward the information on to the Central Bank and Dept of Finance.

    But the DPC is very clear that the expectation of the customer is important here – they should not be ‘surprised’ by the processing of their data. And what exactly will be presented to Government? Raw data or aggregated data? The former creates risk of ‘scope creep’ if data is left with Government and finds its way into other processes.

    I’ve put the words “Personal Data” and “Personal Financial Data” in Capitals because they are important Words of Power (to steal a term from Frank Herbert’s Dune saga, a story that has more chance of happening than the ‘Class Action’ the CAI is discussing).

    Personal Data is protected under the Data Protection Acts. It must be obtained for a specified and lawful purpose, be adequate and not excessive for the stated purpose, and it needs to be disposed of once that purpose has expired. And while you have it you have to keep it safe and secure.

    Personal Financial Data is a term that entered Irish Data Protection practice in July 2010 with the introduction of the Data Security Breach Code of Practice (which I was involved in consultation submissions on). Basically it is a surname and an account number, or an account number or data from which a surname could reasonably be inferred.

    Personal Financial Data needs to be kept safe and secure as well. And if there is even the suspicion that it has been lost, stolen, misplaced, accessed with out authority, or otherwise tampered with, the Data Controller (in this case the CAI) has a very clear duty to notify the Data Protection Commissioner and the affected Data Subjects. It too must be obtained lawfully and fairly by the Data Controller.

    So, let’s run the rule over this shall we:

    • There is a specified purpose.
    • It is not one that can be achieved in law… (Oh… there’s a problem, if people think they’re entering a process to have their day in Court).
    • The purpose for which it is being obtained cannot come into being (if it is a “Class Action” as described), therefore the data should not be retained. (OK.. fill out a form, press send, clear form, don’t send any data).
    • Given that the stated purpose cannot actually be achieved (see my earlier point about Class Actions in Irish Law) then, by definition, any data obtained for that purpose is excessive and should not be captured or retained.

    So, in short…

    IN OPERATING A PROCESS TO OBTAIN AND RETAIN PERSONAL DATA AND PERSONAL FINANCIAL DATA FOR THE PURPOSES OF A CLASS ACTION WHICH CAN NEVER TAKE PLACE UNDER THE CURRENT LEGAL SYSTEM IN IRELAND CAI ARE ALMOST CERTAINLY ACTING IN BREACH OF THE DATA PROTECTION ACTS.

    Of course, we are in the wonderful world of branding and sound-bites and the phrase “Class Action” will doubtless wind its way into UB Headquarters where it will be bounced around meeting rooms like a tribble at a Star Trek convention (I used to freak out when people mis-used the term “Duty of Care” and talked about “Precedence” when they meant “Precedents”, all without a fricking clue what the terms ACTUALLY meant in a Legal & Regulatory context – but a man on Matlock kept saying them so they must be WORDS OF POWER they told me).

    This may spark some more serious introspection about the issues involved in the Bank but won’t actually get inside a Court, which could be a problem for CAI if people submitting information to them believe that a mass litigation is the end game with money at the end of the rainbow.

    So, CAI need to be a little more up-front and explicit about the SPECIFIC PURPOSE for the data they are processing. The branding isn’t helping that and could trigger problems under the Data Protection Acts. Also, they need to be clear about WHAT data is being presented to the Government and the Central Bank. And they need to be clear about what will happen to it once the Government and Central Bank have been briefed. And then they need to be clear about when it will be deleted. Also they need to be darned sure that the security on the submission of that data is secure (hint: email is not PCI-DSS compliant).

    Yes.. lobby and campaign and organise on behalf of consumers. But in doing so don’t get so caught up in the branding, image, and soundbites of what you are doing that you forget about the rights of the, well… ummmm…, CONSUMER.

    (There is a way they can go about this without any of the problems outlined above but it will mean

    • Changing their branding and eating humble pie about the whole thing
    • Hiring me to be VERY VERY CLEVER on their behalf with some Smart Monkey Consulting â„¢

    Heck, if they want to have an independent Data Quality review of the end to end processes and impacts I am a qualified Information Quality practitioner with years of experience and two books under my belt. (Hint… the key to it all is process and information flows).

  • Olympic betting scandal and Data Protection

    An Irish athlete is under investigation less than 24hrs into the Olympics arising from allegations that they, in effect, bet against themselves.

    An anonymous source became aware of the pattern of betting and notified the authorities.

    This blog post is being written to help media commentators avoid either putting their feet in it or wasting the scarce time of the Data Protection Commissioner raising spurious enquiries about whether the disclosure of the data in this was legal.

    Bluntly – you don’t want to come out swinging against the bookies if they were acting correctly as you’ll look like a fool. And, if they were in the wrong, you don’t want to throw the Data Protection Act around like snuff at a wake as there’s enough bullshit out there about what it is and what it does to fertilise the Rose Gardens in St Anne’s Park until doomsday.

    First things first: we need to bone up on some of the law governing gambling, specifically section 11 of the Gaming and Lotteries Act 1956. That legislation makes it an offence to cheat.

    11.—Every person who by any fraud or cheat in promoting or operating or assisting in promoting or operating or in providing facilities for any game or in acting as banker for those who play or in playing at, or in wagering on the event of, any game, sport, pastime or exercise wins from any other person or causes or procures any person to win from another anything capable of being stolen shall be deemed guilty of obtaining such thing from such other person by a false pretence, with intent to defraud, within the meaning of section 10 of the Criminal Justice Act, 1951 (No. 2 of 1951), and on conviction shall be punished accordingly.

    That is important as Section 8 of the Data Protection Acts permits the disclosure of personal data where necessary to allow the prevention, detection, or investigation of a crime. In this case cheating.

    Note: I’m not saying that any cheating actually took place here, just that circumstances appear to exist which seem to require investigation of the possibility of such cheating.

    As winning bets were drawn down that might fit the bill under the Gaming Acts.

    I always advise clients to have at least two lawful processing conditions to rely on. In this case the bookmakers could probably argue the “Legitimate Interest” grounds… It is in their interest to red flag potential cheating in the placing of bets or rigging of events. And the remedy to that would be to alert the appropriate body who would in turn have a legitimate interest in ensuring the propriety of the Games.

    Of course, the complicating factor is that the information was sent to the OCI from an “anonymous email”. If the sender was an employee of the bookmakers then, if they had permission from their employer to alert the OCI then that might be an allowable disclosure. But if they aren’t an employee (for example if they work with the police and came into possession of information relating to an investigation) or didn’t have permission to disclose the details of the athlete then that could be a breach of the Data Protection Acts.

    So. Before we start chasing hares that aren’t there, let’s all step back and remember what the law actually is here. Far more important to focus on google and their ‘factual inexactitude’ on street view and the paltry resources of our DPC.

    Thus endeth the rant

  • Support your Local Sheriff–why the DPC needs us to help them help us.

    Problem Statement

    The Irish Government is tripping over itself to win FDI from the new ‘Big Data’ enterprises. Whether it is promoting Ireland as a perfect location for Data Centres (it is, apparently we’re in a temperate Goldilocks zone) or chasing flagship investments in European headquarters for companies such as LinkedIn, Facebook, Zynga Games, Twitter, not to mention the pursuit of “home grown” ‘Big Data’ firms or the development of long term residents like Apple or Amazon from ‘box packers’ or call centres to foot prints of ‘Big Data’ behemoths, the Government can’t help itself.

    And why would it. These organisations bring needed jobs, needed credibility to the Irish Economy, and much needed positive headlines for beleaguered politicians.

    Of course there is a catch. A small problem. Actually two small problems.Well actually one problem but one that is so small but so significant that it is worth mentioning twice:

    Our Data Protection Commissioner is chronically understaffed and, in my view, may lack skills and experience necessary to engage with and properly enforce EU Data Protection regulations.

    If the Government is viewing “Data” and its related services as the “New Finance” they are showing precious little evidence of having learned from the failures of the past and I increasingly believe we are facing a scenario where either

    1. A major Data Protection scandal sweeps across big name players in Ireland and the DPC is wholly overwhelmed and cannot respond appropriately.
    2. Once new EU Data Protection Regulations are in place, we find ourselves in the eye of a major Data Protection issue and the Irish DPC finds himself with no option but to cede responsibility for the investigation and enforcement to another EU Data Protection Authority under the enhanced co-operation protocols in the revised Data Protection Directive.

    (more…)

  • Describe what you do in one word…

    This is a challenge an old boss of mine used to set. He was an alpha male. The answer he was looking for was usually a variant of “lead” like “inspire”, “command” or “drink”.

    But it is a good exercise to set yourself.

    This evening I was responding to an retweet of an article I published on my company website last year. Vish Agashe retweeted this post about data modelling and Data Protection. In response I asked him if he was still finding the ramblings of a legodatapsychoeconotechnoqualitatrian interesting.

    Then it hit me. That’s a word. A bloody good word. A “kicking my dad’s arse in scrabble” kind of word. Because it almost perfectly describes me.

    Lego

    No. I am not made of plastic and if you separate my legs from my body you will find it very difficult to reattach them.

    But I spent four years half a life time ago studying law and business in UCD. From that study I developed a love of law and all things legal. In particular I developed the skills of legal interpretation and research that all lawyers need to possess.

    And, just as (if not more) importantly I developed a network of friends who are lawyers. Yes. Some of my best friends are lawyers. Who’d a thunk it?

    Data

    No. I am not an android with a positronic brain and the strength of 10 men (I wish). And if you poke me in the back between the shoulder blades I’m more likely to turn around and put you in a painful joint lock or punch you in the face than calmly power down and go lifeless (hint: if you want that, a few bottles of good wine is the best option).

    But I am obsessed with data. The capturing and creation of it, the analysis of it, the value of it. It’s what I do. I’m a Data Scientist, but in the “lives in a castle in the mountains and don’t ask about the missing corpses” sense of “scientist” (at least at times).

    Pyscho

    No. I don’t own a run down motel and I haven’t hacked a young lady to death in the shower. At least not since the dried frog pills kicked in.

    However I have been a closet psychologist for years. And once I realised that closets had very few hidden secrets (if you discount fantastical lands ruled by big lions) I turned my attention to the Human Equation in the context of change management and how we perceive and value information.

    So, BF Skinner was a lovely man who pigeons experimented on to see just how far would he go to have them support his flawed hypothesis that extrinsic reward/punishment is a key motivator of behaviour. At least that’s my opinion.

    Econo

    Last time I checked I’m not a gas guzzling American mini-van that is anything but economical to run. But, linked to my love of data and the interfaculty degree I did in law and business, I am a fan of economics and economic theory and practice. In particular I’m an advocate of the branch of economics that applies economic principles to the study of law and legal principles, and the application of economic principles to the valuation of and management of data.

    What is the value at risk?

    Where is the economic equilibrium of risk and reward/supply and demand?

    Is the economic deal fair when Entity A gives data to Entity B… what is the valuable consideration given for the exchange of assets?

    Techno

    No. I don’t play annoying 9000 beats per minute europop techno. Except for Saturdays. And even then only when there is a total eclipse of the moon.

    But I do enjoy my technology and my tools. I was the first customer in the world for Informatica’s Data Quality offering (back before it was Informatica). And I’ve coded countless Visual Basic skunkworks to do data reformatting, consolidation, reporting etc. And I do like Sharepoint and Drupal and WordPress and Unix and Linux and…..

    …  I think you get the picture. I know a few things about databases and database technology. But unfortunately not with a parchment attached to it (yet).

    Qualitarian

    it’s all about quality. Quality of outcomes for the end customer in a value chain. And quality of outcomes for the data controller, or the regulator, or society. Everything comes down to this.

    • Laws exist to regulate outcomes. Often badly
    • How we internalise and conceptualise the customer and the outcome are key to achieiving the right balance.
    • Technology is a tool to getting us there but is not a destination.
    • The economic value is the point at which things are good enough to achieve the outcome that is required… and no more… anything beyond that is a value-add luxury that we can charge premium price for.

    Now. Where’s my scrabble board?

  • Why Apple’s iOS6 changes mean increased work for Irish Data Protection Commissioner

    At Apple’s WWDC conference this week nerds, fanbois and developers were greet by the news that Apple will be shipping iOS6 later in the autumn (or “fall” for non European readers). Among the features that Apple is touting are:

    1. Ditching Google Maps for its own mapping product and GPS tools
    2. More deeply integrating Facebook with iOS, similar to the deep integration with twitter that emerged in iOS5.

    I personally have some privacy concerns about this level of integration and the potential for Apple to become even more the “Big Brother” they so eloquently mocked in their 1984 TV advert.

    Maps

    By ‘baking in’ an application (Apple Maps) that will likely require me to disclose my location to Apple in order to work (and which at first glance appears to be less useful than Google Maps), I’m getting a less good deal on which to base the sharing of my personal data. And Apple aren’t giving me a map for the good of my health or because they want me to know where I am.

    Location data is part of the “Big Data” gold rush. Traditionally it has been mobile telcos who have access to this data and can analyse it to determine a variety of offerings for customers (next time you get a “pleasantly surprising” SMS message telling you about a special offer in the coffee shop you just happen to be near, congratulations, you’ll have walked within range of a ‘geo-fence’ that will have triggered the SMS. Assuming of course you opted-in to that kind of thing. Like that voucher service you signed up to).

    Google tracks you as well when you used Google Maps on your iphone. But, in the absence of a Google login that tracking is relatively anonymous, going down at most to being able to identify that a particular device was in a particular location (unless you’re logged into a Google service on your device, in which case rest assured Google is probably making associations on the fly).

    Apple on the other hand can also link your location to your phone. And your phone is registered to you. Through iTunes. So Apple will potentially have access to a more granular level of data about who is where, when, who is near them, who they are contacting (iMessage makes your SMS free to another iPhone user… congratulations, Apple now knows who you are messaging). Apple knows what kind of music you like, what movies you rent, your demographic segment… (it’s the iTunes platform!)

    By adding maps to the mix in the iOS/iTunes platform, Apple can also tap information about you in motion – where you are travelling from, to, how fast and can probably make assumptions about your mode of transport (moving fast, not on a road, in a relatively straight line… means you’re probably on a train. Well done, Apple now knows you are probably a user of public transport).

    As CNET reporter Rafe Needleman writes:

    …the more users you have running your geolocation software, the more data you have about how fast people are moving. Apple’s adoption of its own mapping platform means it will now get access to that data from its iPhone users, assuming (and it’s a big assumption) that Apple can hurdle the privacy issues over gathering that data.

    And as Apple’s European HQ is based in Cork, it will be the Irish Data Protection Commissioner who will be in the vanguard of haggling with Apple with regard to the nature of the terms and conditions and controls that will be placed on the processing of the valuable and very identifiable personal data in question.

    Facebook

    I use Facebook. I have a Facebook profile. I am a believer in Sun Tzu’s mantra that one must know your enemy.

    By tightly integrating Facebook with iOS6 Apple potentially gets access to a valuable array of data about who you know, your interests, etc. Facebook get an easier to manage interface and a more ‘baked in’ and reflexive sharing of content and information by Facebook users.

    And the individual gets another avenue by which personal data by and about them may wind up in places they were not expecting or being used in ways they didn’t anticipate.

    Later this month Facebook will be facing into the return visit of the Irish Data Protection Commissioner who made relatively negative findings in their audit report earlier this year (but not as negative as many may have hoped). As the integration with iOS was not in the scope of their original review, I suspect it will not be on the table for discussion (at least not formally).

    But again it is the Irish Data Protection Commissioner who is in the vanguard of protecting the fundamental rights to Data Privacy which are enshrined in EU law and which Facebook, through it’s terms and conditions, extends to Facebook users everywhere outside of the US and Canada.

    And it means Apple don’t have to waste any more time and effort trying to put the bounce into Ping. They will have effectively outsourced that to Facebook. So Apple wins something. Facebook wins something. Where is the consumer’s win (and is it big enough to balance the impact on privacy).

    Evolving the Platform

    Any minute now I expect my friend Phil Simon to fire out a blog post about how Apple’s ditching of Google and locking in and locking down of Facebook represents a platform strategy play in The Age of the Platform. Apple is simply adding more “planks” to its platform, pushing out a competitor platform and reducing the incentive for another platform to start competing in devices (or at least minimising the impact of any such competition by leveraging the critical mass of the iOS/iTunes platform).

    But to stretch and mangle Phil’s Platform analogy to the nth degree, any form of large scale construction requires permits and clearance and needs to balance the utility and convenience of what is being built (whether it is a shopping mall or a social media data sucking behemoth) with the impediments it may cause to the rights and enjoyments of individuals.

    And the “Building Control Inspector” in this case will more than likely be the Irish Data Protection Commissioner.

    • With less than 22 full time staff
    • A budget of less than €1.5million

    I fear that the back-end complexity of Apple’s move to front-end simplicity may be a killer blow to the efficiency and effectiveness of the Office of the Data Protection Commissioner, which is already creaking under the strain.

    Given the influx of DataSuck Platform companies in to Ireland (LinkedIn, Facebook, Twitter, Google, Apple –admittedly here for years, Zynga etc.) the Irish Data Protection Commissioner is rapidly becoming the “Local Sheriff” in the Wild West of ‘Big Data’ exploitation for more than just the 4.5 Million people living on our little island.

    #SupportyourLocalSheriff

  • An Enforcement Reality supporting my “Penalty Points” idea

    Over my morning coffee this morning I read this story from eConsultancy.com about the UK ICO beginning ‘soft enforcement’ of the ePrivacy regulations around cookies.

    Good news: They are starting to enforce the law. They will be taking a balanced approach. I assume that the letters will take the form of Information Notices and possibly Enforcement Notices.

    Bad news: The level of breach that not complying with the Cookie provisions of the ePrivacy Directive constitutes is not likely to meet the standard of severity required for the ICO to levy a fine.

    So businesses will receive a letter. But we can be assured it will be a strongly worded one. But, given the mental discounting that management do in compliance situations, this is inevitably going to lead to precisely no change in compliance behaviour. When faced with the question “So, what’s the worst that is likely to happen?” Data Protection Officers or advisors will have nowhere to go in their persuasion. It is all carrot and no stick. And CxO level managers are pure carnivores, so carrots are not that enticing on their own.

    • There will be no financial penalty for the Cookie breach
    • Any penalty that might arise will be for failing to comply with an Enforcement notice or provide information requested under an Information Notice. But that would require another cycle or three of communication between the ICO and the infringing company.

    There is no sting in the tail. The arc that must be travelled between Breach and Penalty is too long. And as every parent of a toddler knows, there is no point putting them on the naughty step days or weeks after their valiant but doomed attempt to juggle with kittens.

    Hence the need, in my view, to have something else that allows a sting to be put in the tail, that wraps the polite letter from the ICO (or the Irish DPC for that matter) in a small brick that will get attention. In my opinion, if the EU is serious about changing attitudes to Data Protection amongst businesses it needs to ensure that the laws that are passed can be enforced with both carrot and stick so that culture and values in business will change.

    Breaches of the Cookies rules fit the bill nicely for a structured penalty system that allows for cumulative penalties to build towards a more serious fine or enforcement action. Assume, for argument, that writing a non-essential cookie without notice and consent was a 1 point offence carrying a fixed penalty notice of €120/£100 for first offence (with higher penalties for subsequent offences). Audit tools such as those developed by CookieQ.com could be used to audit the site, tot up the number of cookies, an investigator could make a judgement as to the essentialness and generate a fixed penalty notice attached to the letter.

    Perhaps the 1st offence would be a “freebie”, with a second failure leading to a penalty (after all, we want this to be fair and graduated). At some threshold (let’s say 20 points) more serious penalties would kick in (perhaps the €2million outlined in the proposed Regulation, or mandatory multi-year privacy audits such as being imposed on firms in the US by the FTC). As this is an evolving thought doodle I won’t waste time mapping specifics here.

    If the penalty points for the Cookie infringement formed part of the overall “scorecard” that a company would accumulate, adding to the risk of a more severe penalty (and the inevitability for hard core recidivists). If, as with parking tickets and speeding fines, the Data Controller had the right to appeal the fixed penalty to the Courts (at the risk of a greater penalty and increased publicity), the “mental discounting’” would need to change. This would change the conversation for Data Protection Officers and advisors when the letter comes.

    Boss: "What is the worst that they can do?

    DP Team: “Well,50 cookies being written has already cost you €5000 in fixed price penalties. You can appeal them to Court, but that carries a risk of the penalty being increased further and a conviction being recorded against you.”

    Boss: “OK, so pay the fine and then we keep going.”

     Boss: “Oh shit. Let’s fix this then”

    Just as cumulative breaches of Road safety lead to serious penalties, cumulative breaches of Data Protection rules could lead to more serious penalties.

    The benefit of this approach is it would encourage and incentivise organisations to focus on the small stuff. And as repeated studies in risk management and accident investigation have shown, the major disasters are usually a result of an accumulation of small things.

    According to econsultancy, the ICO is considering applying penalties based on a scale. It is not a significant jump from a scale for a specific penalty to a framework for levying administrative sanctions in a structured and transparent manner.