Support your Local Sheriff–why the DPC needs us to help them help us.

Problem Statement

The Irish Government is tripping over itself to win FDI from the new ‘Big Data’ enterprises. Whether it is promoting Ireland as a perfect location for Data Centres (it is, apparently we’re in a temperate Goldilocks zone) or chasing flagship investments in European headquarters for companies such as LinkedIn, Facebook, Zynga Games, Twitter, not to mention the pursuit of “home grown” ‘Big Data’ firms or the development of long term residents like Apple or Amazon from ‘box packers’ or call centres to footprints of ‘Big Data’ behemoths, the Government can’t help itself.

And why would it? These organisations bring needed jobs, needed credibility to the Irish Economy, and much needed positive headlines for beleaguered politicians.

Of course there is a catch. A small problem. Actually two small problems. Well, actually one problem, but one that is so small and yet so significant that it is worth mentioning twice:

Our Data Protection Commissioner is chronically understaffed and, in my view, may lack skills and experience necessary to engage with and properly enforce EU Data Protection regulations.

If the Government is viewing “Data” and its related services as the “New Finance” they are showing precious little evidence of having learned from the failures of the past and I increasingly believe we are facing a scenario where either

  1. A major Data Protection scandal sweeps across big name players in Ireland and the DPC is wholly overwhelmed and cannot respond appropriately.
  2. Once new EU Data Protection Regulations are in place, we find ourselves in the eye of a major Data Protection issue and the Irish DPC finds himself with no option but to cede responsibility for the investigation and enforcement to another EU Data Protection Authority under the enhanced co-operation protocols in the revised Data Protection Directive.


Describe what you do in one word…

This is a challenge an old boss of mine used to set. He was an alpha male. The answer he was looking for was usually a variant of “lead” like “inspire”, “command” or “drink”.

But it is a good exercise to set yourself.

This evening I was responding to a retweet of an article I published on my company website last year. Vish Agashe retweeted this post about data modelling and Data Protection. In response I asked him if he was still finding the ramblings of a legodatapsychoeconotechnoqualitatrian interesting.

Then it hit me. That’s a word. A bloody good word. A “kicking my dad’s arse in scrabble” kind of word. Because it almost perfectly describes me.

Lego

No. I am not made of plastic and if you separate my legs from my body you will find it very difficult to reattach them.

But I spent four years, half a lifetime ago, studying law and business in UCD. From that study I developed a love of law and all things legal. In particular I developed the skills of legal interpretation and research that all lawyers need to possess.

And, just as (if not more) importantly I developed a network of friends who are lawyers. Yes. Some of my best friends are lawyers. Who’d a thunk it?

Data

No. I am not an android with a positronic brain and the strength of 10 men (I wish). And if you poke me in the back between the shoulder blades I’m more likely to turn around and put you in a painful joint lock or punch you in the face than calmly power down and go lifeless (hint: if you want that, a few bottles of good wine is the best option).

But I am obsessed with data. The capturing and creation of it, the analysis of it, the value of it. It’s what I do. I’m a Data Scientist, but in the “lives in a castle in the mountains and don’t ask about the missing corpses” sense of “scientist” (at least at times).

Psycho

No. I don’t own a run down motel and I haven’t hacked a young lady to death in the shower. At least not since the dried frog pills kicked in.

However I have been a closet psychologist for years. And once I realised that closets had very few hidden secrets (if you discount fantastical lands ruled by big lions) I turned my attention to the Human Equation in the context of change management and how we perceive and value information.

So, BF Skinner was a lovely man whom pigeons experimented on to see just how far he would go to have them support his flawed hypothesis that extrinsic reward/punishment is a key motivator of behaviour. At least that’s my opinion.

Econo

Last time I checked I’m not a gas guzzling American mini-van that is anything but economical to run. But, linked to my love of data and the interfaculty degree I did in law and business, I am a fan of economics and economic theory and practice. In particular I’m an advocate of the branch of economics that applies economic principles to the study of law and legal principles, and the application of economic principles to the valuation of and management of data.

What is the value at risk?

Where is the economic equilibrium of risk and reward/supply and demand?

Is the economic deal fair when Entity A gives data to Entity B… what is the valuable consideration given for the exchange of assets?

Techno

No. I don’t play annoying 9000 beats per minute europop techno. Except for Saturdays. And even then only when there is a total eclipse of the moon.

But I do enjoy my technology and my tools. I was the first customer in the world for Informatica’s Data Quality offering (back before it was Informatica). And I’ve coded countless Visual Basic skunkworks to do data reformatting, consolidation, reporting etc. And I do like SharePoint and Drupal and WordPress and Unix and Linux and…

… I think you get the picture. I know a few things about databases and database technology. But unfortunately not with a parchment attached to it (yet).

Qualitarian

It’s all about quality. Quality of outcomes for the end customer in a value chain. And quality of outcomes for the data controller, or the regulator, or society. Everything comes down to this.

  • Laws exist to regulate outcomes. Often badly
  • How we internalise and conceptualise the customer and the outcome are key to achieving the right balance.
  • Technology is a tool to getting us there but is not a destination.
  • The economic value is the point at which things are good enough to achieve the outcome that is required… and no more… anything beyond that is a value-add luxury that we can charge a premium price for.

Now. Where’s my scrabble board?

Why Apple’s iOS6 changes mean increased work for Irish Data Protection Commissioner

At Apple’s WWDC conference this week nerds, fanbois and developers were greeted by the news that Apple will be shipping iOS6 later in the autumn (or “fall” for non-European readers). Among the features that Apple is touting are:

  1. Ditching Google Maps for its own mapping product and GPS tools
  2. More deeply integrating Facebook with iOS, similar to the deep integration with Twitter that emerged in iOS5.

I personally have some privacy concerns about this level of integration and the potential for Apple to become even more the “Big Brother” they so eloquently mocked in their 1984 TV advert.

Maps

By ‘baking in’ an application (Apple Maps) that will likely require me to disclose my location to Apple in order to work (and which at first glance appears to be less useful than Google Maps), I’m getting a worse deal on which to base the sharing of my personal data. And Apple aren’t giving me a map for the good of my health or because they want me to know where I am.

Location data is part of the “Big Data” gold rush. Traditionally it has been mobile telcos who have access to this data and can analyse it to determine a variety of offerings for customers (next time you get a “pleasantly surprising” SMS message telling you about a special offer in the coffee shop you just happen to be near, congratulations, you’ll have walked within range of a ‘geo-fence’ that will have triggered the SMS. Assuming of course you opted-in to that kind of thing. Like that voucher service you signed up to).

Google tracks you as well when you use Google Maps on your iPhone. But, in the absence of a Google login, that tracking is relatively anonymous, going down at most to being able to identify that a particular device was in a particular location (unless you’re logged into a Google service on your device, in which case rest assured Google is probably making associations on the fly).

Apple on the other hand can also link your location to your phone. And your phone is registered to you. Through iTunes. So Apple will potentially have access to a more granular level of data about who is where, when, who is near them, who they are contacting (iMessage makes your SMS free to another iPhone user… congratulations, Apple now knows who you are messaging). Apple knows what kind of music you like, what movies you rent, your demographic segment… (it’s the iTunes platform!)

By adding maps to the mix in the iOS/iTunes platform, Apple can also tap information about you in motion – where you are travelling from, to, how fast and can probably make assumptions about your mode of transport (moving fast, not on a road, in a relatively straight line… means you’re probably on a train. Well done, Apple now knows you are probably a user of public transport).

As CNET reporter Rafe Needleman writes:

…the more users you have running your geolocation software, the more data you have about how fast people are moving. Apple’s adoption of its own mapping platform means it will now get access to that data from its iPhone users, assuming (and it’s a big assumption) that Apple can hurdle the privacy issues over gathering that data.

And as Apple’s European HQ is based in Cork, it will be the Irish Data Protection Commissioner who will be in the vanguard of haggling with Apple with regard to the nature of the terms and conditions and controls that will be placed on the processing of the valuable and very identifiable personal data in question.

Facebook

I use Facebook. I have a Facebook profile. I am a believer in Sun Tzu’s mantra that one must know your enemy.

By tightly integrating Facebook with iOS6 Apple potentially gets access to a valuable array of data about who you know, your interests, etc. Facebook get an easier to manage interface and a more ‘baked in’ and reflexive sharing of content and information by Facebook users.

And the individual gets another avenue by which personal data by and about them may wind up in places they were not expecting or being used in ways they didn’t anticipate.

Later this month Facebook will be facing into the return visit of the Irish Data Protection Commissioner who made relatively negative findings in their audit report earlier this year (but not as negative as many may have hoped). As the integration with iOS was not in the scope of their original review, I suspect it will not be on the table for discussion (at least not formally).

But again it is the Irish Data Protection Commissioner who is in the vanguard of protecting the fundamental rights to Data Privacy which are enshrined in EU law and which Facebook, through its terms and conditions, extends to Facebook users everywhere outside of the US and Canada.

And it means Apple don’t have to waste any more time and effort trying to put the bounce into Ping. They will have effectively outsourced that to Facebook. So Apple wins something. Facebook wins something. Where is the consumer’s win (and is it big enough to balance the impact on privacy)?

Evolving the Platform

Any minute now I expect my friend Phil Simon to fire out a blog post about how Apple’s ditching of Google and locking in and locking down of Facebook represents a platform strategy play in The Age of the Platform. Apple is simply adding more “planks” to its platform, pushing out a competitor platform and reducing the incentive for another platform to start competing in devices (or at least minimising the impact of any such competition by leveraging the critical mass of the iOS/iTunes platform).

But to stretch and mangle Phil’s Platform analogy to the nth degree, any form of large scale construction requires permits and clearance and needs to balance the utility and convenience of what is being built (whether it is a shopping mall or a social media data sucking behemoth) with the impediments it may cause to the rights and enjoyments of individuals.

And the “Building Control Inspector” in this case will more than likely be the Irish Data Protection Commissioner.

  • With less than 22 full time staff
  • A budget of less than €1.5million

I fear that the back-end complexity of Apple’s move to front-end simplicity may be a killer blow to the efficiency and effectiveness of the Office of the Data Protection Commissioner, which is already creaking under the strain.

Given the influx of DataSuck Platform companies into Ireland (LinkedIn, Facebook, Twitter, Google, Apple – admittedly here for years, Zynga etc.) the Irish Data Protection Commissioner is rapidly becoming the “Local Sheriff” in the Wild West of ‘Big Data’ exploitation for more than just the 4.5 Million people living on our little island.

#SupportyourLocalSheriff

An Enforcement Reality supporting my “Penalty Points” idea

Over my morning coffee this morning I read this story from eConsultancy.com about the UK ICO beginning ‘soft enforcement’ of the ePrivacy regulations around cookies.

Good news: They are starting to enforce the law. They will be taking a balanced approach. I assume that the letters will take the form of Information Notices and possibly Enforcement Notices.

Bad news: The level of breach that not complying with the Cookie provisions of the ePrivacy Directive constitutes is not likely to meet the standard of severity required for the ICO to levy a fine.

So businesses will receive a letter. But we can be assured it will be a strongly worded one. But, given the mental discounting that management do in compliance situations, this is inevitably going to lead to precisely no change in compliance behaviour. When faced with the question “So, what’s the worst that is likely to happen?” Data Protection Officers or advisors will have nowhere to go in their persuasion. It is all carrot and no stick. And CxO level managers are pure carnivores, so carrots are not that enticing on their own.

  • There will be no financial penalty for the Cookie breach
  • Any penalty that might arise will be for failing to comply with an Enforcement notice or provide information requested under an Information Notice. But that would require another cycle or three of communication between the ICO and the infringing company.

There is no sting in the tail. The arc that must be travelled between Breach and Penalty is too long. And as every parent of a toddler knows, there is no point putting them on the naughty step days or weeks after their valiant but doomed attempt to juggle with kittens.

Hence the need, in my view, to have something else that allows a sting to be put in the tail, that wraps the polite letter from the ICO (or the Irish DPC for that matter) in a small brick that will get attention. In my opinion, if the EU is serious about changing attitudes to Data Protection amongst businesses it needs to ensure that the laws that are passed can be enforced with both carrot and stick so that culture and values in business will change.

Breaches of the Cookies rules fit the bill nicely for a structured penalty system that allows for cumulative penalties to build towards a more serious fine or enforcement action. Assume, for argument, that writing a non-essential cookie without notice and consent was a 1 point offence carrying a fixed penalty notice of €120/£100 for first offence (with higher penalties for subsequent offences). Audit tools such as those developed by CookieQ.com could be used to audit the site, tot up the number of cookies, an investigator could make a judgement as to the essentialness and generate a fixed penalty notice attached to the letter.

Perhaps the 1st offence would be a “freebie”, with a second failure leading to a penalty (after all, we want this to be fair and graduated). At some threshold (let’s say 20 points) more serious penalties would kick in (perhaps the €2million outlined in the proposed Regulation, or mandatory multi-year privacy audits such as being imposed on firms in the US by the FTC). As this is an evolving thought doodle I won’t waste time mapping specifics here.

If the penalty points for the Cookie infringement formed part of the overall “scorecard” that a company accumulates, they would add to the risk of a more severe penalty (and make it an inevitability for hard core recidivists). If, as with parking tickets and speeding fines, the Data Controller had the right to appeal the fixed penalty to the Courts (at the risk of a greater penalty and increased publicity), the “mental discounting” would need to change. This would change the conversation for Data Protection Officers and advisors when the letter comes.

Boss: “What is the worst that they can do?”

DP Team: “Well, 50 cookies being written has already cost you €5000 in fixed price penalties. You can appeal them to Court, but that carries a risk of the penalty being increased further and a conviction being recorded against you.”

Boss: “OK, so pay the fine and then we keep going.”

Boss: “Oh shit. Let’s fix this then.”

Just as cumulative breaches of road safety rules lead to serious penalties, cumulative breaches of Data Protection rules could lead to more serious penalties.

The benefit of this approach is it would encourage and incentivise organisations to focus on the small stuff. And as repeated studies in risk management and accident investigation have shown, the major disasters are usually a result of an accumulation of small things.

According to econsultancy, the ICO is considering applying penalties based on a scale. It is not a significant jump from a scale for a specific penalty to a framework for levying administrative sanctions in a structured and transparent manner.

The customer conundrum

I’m a customer of a few online services. I have really liked using Tweetdeck for the past few months (hang on… years… eek). The problem is that I’m busy. Nuts busy. I’ve a business, a family, and a strange compulsion to sleep maybe a few minutes or three every day or so.

I’m a voracious reader and idea gatherer. This is the problem I’m facing now. Tweetdeck/twitter has put a massive pool of people at my disposal who are sticking post-it notes under my nose every few seconds saying “Hey, you might like this. Click through and read it”. And I do. And I get lost in clicks-ville as I wander through related content.


An open letter to Viviane Reding

Dear Commissioner Reding,

I’m writing to you as an EU Citizen who is passionate about data, its use, its quality, and its protection. I’m not writing to you as the Managing Director of a company that offers Data Protection training and consulting services, but in the interests of transparency I think it best to disclose that that is my day job.

I am writing to you about the new Data Protection Regulation. In particular I’m writing to you about the penalties contained in the current draft proposal. Frankly I think they suck. I don’t think they’ll have the effect that you think they will have. I’m basing my opinion on a number of bases:

  1. I have worked in Regulatory Operations in a Regulated industry that you are familiar with, telecommunications.
  2. I’m a keen student of human psychology and economics, particularly the psychology and economics of risk and reward. Understanding this “theory of psychology” is important in the world of Information Quality.
  3. I like to observe and learn from other industries and areas of life to see what can be applied to improving quality systems for and the governance of information.
  4. I’m the parent of a toddler. This might not appear immediately relevant but, in the context of Data Protection, my immediate experiences dealing with a stubborn personality in development who is programmed to push boundaries and infuriate me with apparent disregard for the standard of behaviour expected of her all too often find their parallels in the management teams and staff of organisations I’ve worked with.

Taking these elements together I am afraid that 5% of Global turnover will not work as a penalty. It’s a great soundbite but will, in practical terms, amount to little more. There are a few reasons for this.


Newspaper Licensing Ireland–a revisit

So, late last night I wrote a post about NLI and their link license fee nonsense.

In that post I decided to focus on the non-compliant behaviour of an organisation setting itself out as being the arbiters of compliance with copyright when it came to the data protection/privacy compliance obligations that they appear to either be unaware of or consciously ignorant of (I presume the latter).

I clearly stated that I wasn’t going to talk about the economic impact of inbound links to websites from the point of view of driving search engine relevance, getting sites onto the first page of Google, and generally providing a basis for establishing valuation models for on-line advertising.

It’s not my area of expertise, so I thought it best not to say anything.

But today I searched for “Newspaper Licensing Ireland” in Google.

I was pleasantly surprised to see that, apart from content by or directly about Newspaper Licensing Ireland, there were articles by Broadsheet.ie, McGarrSolicitors, and your humble scribe.

On page 1 of Google. In the top 6 things returned for that search string. In less than 24 hours.

What made this happen? Links. Lots of loverly links being spread through websites and social media networks like, as I described them last night, the “footnotes on the Internet”.

This is what helps drive traffic to websites, making them more valuable pieces of virtual real estate within which to place advertising.

Charging people a fee to put up a sign post to your shop makes no economic sense in the bricks and mortar world. It makes even less sense online.

After all, links are more properly called “Universal Resource Locators” (URLs). And in this way they are exactly the same as sign posts. They tell people, uniquely, where to find a particular resource. Just like a footnote in a book.

Will NLI start charging license fees for those as well? If so, I’m fudged completely as my last two books have LOADS of footnotes in them.

Newspaper Licensing Ireland–a return

The last post was a little long and analytical. Having reread the great post on McGarrSolicitors.ie I thought I’d reframe my Data Protection take on this in terms that might be more familiar.

Personal Data is being processed via your website without an appropriate Privacy Statement and without any communication of the purposes for that processing. Furthermore, the failure to have such a privacy statement on your site which references the use of Google Analytics is a breach of Section 8 of the terms and conditions that apply to Google Analytics. Failure to obtain consent for the use of the cookies written by Google for the purposes of Google Analytics is a breach of SI336.

You are breaking the law; you risk exposing your company to investigation and prosecution, with financial penalties and brand damage ensuing. Processing personal data without it being obtained fairly for a lawful purpose, and writing 3rd party cookies without consent is illegal and breaches a fundamental Human Right in the European Union.

What do you think?

I may be over-egging it a little. I need a cup of tea now and a good sit down.

Newspaper Licensing Ireland– some thoughts

This post is about the website of Newspaper Licensing Ireland, who have recently written to a non-profit organisation whose aims I wholeheartedly support, seeking license fees for linking to newspaper content published on the internet by the newspaper publishers. McGarr Solicitors, who are acting for Women’s Aid, have published a detailed analysis of the situation and the questions raised on their website, which I link to in the confidence that the McGarrs won’t come looking for a pound of flesh in return. Sticky buns perhaps, but nothing worse.

I will ignore the fact that this action seems to be in ignorance of the way the Internet works, particularly with regard to search engine optimisation and page ranking, where the relevance and significance of content determine its positioning in Google searches and hence the value of the real estate for online advertising purposes. I’ll ignore how the use of links simply tells people to “look over here – I found this interesting, so you might too”. I’ll ignore the fact that links are effectively the footnotes on the Interweb that tell people where your source was for a thing.

(But if you do want to actually understand this aspect, the Wikipedia entry on Search Engine Optimisation has a reference to the Google PageRank algorithm and how it works (at a high level). And Dr. Cathal Gurrin in Dublin City University did his Doctoral thesis on the topic. And I’m sure someone somewhere has done an economic analysis of link density [the number of inbound links to a site] but I can’t be bothered to look for it tonight.)

What I will talk about here is the fact that, when I went to the Newspaper Licensing Ireland site (which I won’t link to… just in case) to see what the potential cost to an SME with 0-10 employees would be, I came away still not knowing the answer.

I’d expected a form that would take certain inputs and churn them around to spit out a ball park figure. I’d expected to see something that would relate the license cost to, for example, the average hits or distinct site visits on the SME company site per month (to make the cost meaningful as those stats are the foot fall of the Web).

What I didn’t expect was to be asked for a contact name and the name of the company on that form. Company name I’m not too concerned about. But the contact name…

…that’s personal data. Therefore under s2 of the Data Protection Acts it must be obtained for specified and lawful purpose and must be fairly obtained. So I went looking for a Privacy Statement (there was none). So I turned on my cookie checkers to see what was being written by the site to my device wot is connected to a public communications network (and therefore would be a cookie within the meaning of SI336 and as such would require consent unless necessary for the service I’m trying to avail of).

My tools revealed that NLI are using Google Analytics on their site. In a manner which is in breach of the Terms and Conditions of use for Google Analytics which state very clearly in Section 8:

8. PRIVACY

8.1 You will not associate (or permit any third party to associate) any data gathered from Your Website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will comply with all applicable data protection and privacy laws relating to Your use of the Service and the collection of information from visitors to Your websites. You will have in place in a prominent position on your Website (and will comply with) an appropriate privacy policy. You will also use reasonable endeavours to bring to the attention of website users a statement which in all material respects is as follows:

“This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”

The emphasis in bold is mine. What Google requires is for people using GA to put in place a Privacy Statement, and that that Privacy Statement needs to clearly detail the use of Google Analytics, the fact of data transfer to the US, the purposes to which the data will be put etc.

NLI have no such Privacy statement, and no such text, so no mechanism to confirm my consent to the cookies that are being written by Google Analytics.

So, the site is operating in breach of SI336 and Google’s terms and conditions, and is effectively breaching contractual conditions governing the use of Google’s services and the fundamental right to Personal Data Privacy as enshrined in Article 16 of the Lisbon Treaty.
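The check described in the last few paragraphs (look for a privacy statement, see which cookies the page writes, judge which of them need consent, and confirm whether Google Analytics is in play) can be automated in a small compliance audit. The code below is an added example written for this post, not a tool from the post’s author or from NLI; the HTML page, the `cookies.txt` jar, the `example-licensing.test` hostname and the list of cookie names treated as “strictly necessary” are all constructed assumptions. It goes slightly beyond the post by also flagging form fields that look like personal data, and by separating third-party cookies (set on another domain) from the first-party cookies that Google Analytics writes from its script.

```python
"""Cookie and analytics compliance audit of a single page (constructed example,
not NLI's site). Hostnames, sample HTML, cookie jar and ESSENTIAL list are assumptions."""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Cookie names written by Google Analytics (classic ga.js and Universal analytics.js).
GA_COOKIE_NAMES = {"__utma", "__utmb", "__utmc", "__utmv", "__utmz", "_ga", "_gid", "_gat"}
# Names the auditor has judged "strictly necessary" for the service (an assumption).
ESSENTIAL_COOKIE_NAMES = {"PHPSESSID", "JSESSIONID", "csrftoken"}
GA_SCRIPT_MARKERS = ("google-analytics.com/ga.js", "google-analytics.com/analytics.js")
GA_INLINE_MARKERS = ("_gaq.push", "ga('create'", 'ga("create"')
GA_DISCLOSURE_TEXT = "this website uses google analytics"   # opening of the s.8.1 statement
PERSONAL_FIELD_HINTS = ("name", "email", "phone")


@dataclass
class Cookie:
    domain: str
    name: str

    def is_third_party(self, site_host: str) -> bool:
        """First-party if the cookie domain is the site host or a parent of it."""
        return not (site_host == self.domain or site_host.endswith("." + self.domain))


def parse_cookies_txt(text: str) -> list:
    """Parse Netscape cookies.txt: domain, subdomain flag, path, secure, expiry, name, value."""
    cookies = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#HttpOnly_"):          # curl's marker for HttpOnly cookies
            line = line[len("#HttpOnly_"):]
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue                               # malformed line: skip rather than guess
        domain, _flag, _path, _secure, _expiry, name, _value = fields
        cookies.append(Cookie(domain.lstrip("."), name))
    return cookies


class PageScanner(HTMLParser):
    """Collect script sources, inline script bodies, privacy links and form field names."""
    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline_scripts, self.privacy_links = [], [], []
        self.input_names, self.text = [], []
        self._in_script, self._href = False, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "a":
            self._href = a.get("href")
        elif tag == "input" and a.get("name"):
            self.input_names.append(a["name"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "a":
            self._href = None

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)       # HTMLParser hands script bodies here
            return
        self.text.append(data)
        if self._href and "privacy" in data.lower():
            self.privacy_links.append(self._href)


def audit(site_url: str, html: str, cookies_txt: str) -> dict:
    host = urlparse(site_url).hostname
    scanner = PageScanner()
    scanner.feed(html)
    cookies = parse_cookies_txt(cookies_txt)
    uses_ga = (any(m in s for s in scanner.script_srcs for m in GA_SCRIPT_MARKERS)
               or any(m in b for b in scanner.inline_scripts for m in GA_INLINE_MARKERS))
    page_text = " ".join(scanner.text).lower()
    f = {
        "uses_google_analytics": uses_ga,
        "privacy_statement_linked": bool(scanner.privacy_links),
        "ga_disclosure_present": GA_DISCLOSURE_TEXT in page_text,
        # GA cookies sit on the site's own domain but are written by Google's script: classify by name.
        "analytics_cookies": [c.name for c in cookies if c.name in GA_COOKIE_NAMES],
        "third_party_cookies": [c.name for c in cookies if c.is_third_party(host)],
        "cookies_needing_consent": [c.name for c in cookies if c.name not in ESSENTIAL_COOKIE_NAMES],
        "personal_data_fields": [n for n in scanner.input_names
                                 if any(h in n.lower() for h in PERSONAL_FIELD_HINTS)],
    }
    issues = []
    if uses_ga and not f["privacy_statement_linked"]:
        issues.append("Google Analytics in use but no privacy statement linked (GA terms s.8.1)")
    if uses_ga and not f["ga_disclosure_present"]:
        issues.append("Google Analytics disclosure statement not shown to users (GA terms s.8.1)")
    if f["cookies_needing_consent"]:
        issues.append(f"{len(f['cookies_needing_consent'])} non-essential cookies written; "
                      "consent required (S.I. 336 of 2011)")
    if f["personal_data_fields"] and not f["privacy_statement_linked"]:
        issues.append("Form collects personal data with no stated purpose (Data Protection Acts s.2)")
    f["issues"] = issues
    return f


# Constructed sample page and cookie jar (not captured from any real site).
SAMPLE_HTML = """<html><head><title>Licensing form (constructed)</title>
<script src="http://www.google-analytics.com/ga.js"></script>
<script>var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-PLACEHOLDER-1']);</script>
</head><body><form><label>Company name</label><input name="company">
<label>Contact name</label><input name="contact_name"></form>
<a href="/terms">Terms of use</a></body></html>"""
SAMPLE_COOKIES_TXT = ("# Netscape HTTP Cookie File (constructed)\n"
                      "example-licensing.test\tFALSE\t/\tFALSE\t0\tPHPSESSID\tabc123\n"
                      "example-licensing.test\tTRUE\t/\tFALSE\t1402000000\t__utma\t1.2.3.4\n"
                      "example-licensing.test\tTRUE\t/\tFALSE\t1402000000\t__utmz\t5.6.7.8\n"
                      ".doubleclick.test\tTRUE\t/\tFALSE\t1402000000\tid\txyz\n")

if __name__ == "__main__":
    for issue in audit("http://example-licensing.test/", SAMPLE_HTML, SAMPLE_COOKIES_TXT)["issues"]:
        print("-", issue)
```

In practice the cookie jar would be exported from the browser after loading the page, since Google Analytics writes its cookies from JavaScript rather than through a `Set-Cookie` header; the “essential” list is the investigator’s judgement call that the post describes, so it is a parameter rather than something the code decides.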

All of which I’d never have considered looking at at all if they weren’t sending threatening letters to a charity that exists to help and protect women experiencing domestic violence.

Culture of Compliance

So, Phil Hogan believes that the vast majority of people in Ireland want to be compliant with legislation, specifically the Household Charge. Perhaps a first step to ensuring that compliance would be for the Minister to ensure that the Household Charge is being implemented in a manner that is compliant with the Data Protection Acts. That would have meant

  1. Early consultation with the Data Protection Commissioner to identify and mitigate Data Protection risks in the Household Charge legislation
  2. Early consultation with the Data Protection Commissioner to ensure that appropriate mechanisms for data sharing were given effective legislative support within the Household Charge legislation
  3. Ensuring clarity about the current and proposed future uses for the (significant) amount of data which is being gathered as part of the registration process
  4. Ensuring that the use of PPS Numbers as part of the registration process was clearly and demonstrably being approached in a manner that complies with the requirements of the Social Welfare Consolidation Act 2005
  5. Ensuring clarity about who the Data Controller is for the Household Charge scheme (it appears to be de facto the Department at this point, despite the text on the Privacy Statement on their website).
  6. Communicating early and often with the public about the charge, its legal basis, the purposes to which data that is being collected will be put to etc. etc.

Instead we have a Minister announcing on national radio that the Government is backing him in reviewing all relevant legislation, including the Data Protection Acts, to allow the Household Charge to be collected. Thankfully the Data Protection Commissioner’s rebuttal of that utter nonsense has been getting more air time since, but I thought it might be worth a quick examination of why the Minister’s comments were total poppycock.
