Photos to the Web

I'm always amazed how many photos I find on the Web, of friends, family or myself, that none of us knew were there. Because things on the Web, in particular, photos, can last forever, forgetfulness is one of the big new themes in the privacy debate, particularly in Europe. There's lots of discussion about how to re-introduce a human concept of memory/forgetfulness/evanescence into a technical world of computers and websites and the Internet. I'll be joining a conference on this theme next week in Brussels.

I also joined a French government-sponsored conference on this theme recently in Paris. At the conference, much was said about the risks to people to having their photos posted online, without their knowledge or consent. With some sense of irony, I noticed a bunch of photos of me were published from that conference without my knowledge or consent, like the one here, in the online photo album of the Minister, no less,...I don't mind, and I would have happily consented, but it does make an interesting point, and I re-posted it to this blog, but that was my choice. If thoughtful people sitting in a conference about the problems of posting photos online are taking photos of people at the conference and posting them online, all without their knowledge or consent, well, maybe the sociology of online photo-sharing has developed beyond the state of the debate.

Happy 80th Birthday, Dad!

The "adequacy" regime is inadequate

There are many people in Europe who would rather eat their “chapeau” than admit that non-European countries like the United States might have adequate privacy protection, based on long-standing cultural or ideological bias. In my opinion, it’s the European “adequacy” regime that has become inadequate in today’s world. It’s near the top of my list of things that need to be modernized in European privacy law. It’s a political/bureaucratic fiction that some countries provide “adequate” data protection, while others don’t, because the decision is based on criteria that have almost nothing to do with the level of data protection on the ground, in the real world. A country can’t be deemed “adequate” if it doesn’t have an EU-style data protection authority. But the idea is ludicrous to me that privacy somehow couldn’t be protected in countries without such an agency, and in fact, the vast majority of countries in the world don’t have such an agency. And whatever labels are applied, the reality, in the age of the Internet, is that data is flowing around the globe. To take one topical example, cyber attacks do not respect borders, and take no note of whether or not a target is based in a country with “adequate” data protection.

So, recently, Israel and the Principality of Andorra have been added to the EU list of “adequate” countries. They join other countries already on the list, including: Argentina, Canada, Guernsey, Jersey, the Isle of Man, and Switzerland. Stop to read that list again, and ask yourself, really, this is the global list of “adequate” countries outside the EU? Really?

In privacy terms, what’s the right way forward for the future? As I’ve said before, follow the Canadian model, and make any company/government that collects personal data responsible and accountable for protecting it, regardless of where it happens to process it. If it can’t protect data adequately in a particular country, it shouldn’t send it there. If a company decides it can adequately protect its data in Japan, but not in Bulgaria, so be it, even if EU law would suggest the contrary. Common sense should prevail for the sake of privacy.

At the beginning of each year, I make a resolution to visit at least two new countries a year. If I’m lucky, I’ll have my wish and get to visit Andorra and Israel this year. They’re both on my adequacy list.

Privacy Officers with a French accent

Since I’m based in France, I’ve recently been appointed as Google’s “Correspondant” for data protection with the French Data Protection Authority, the CNIL. The profession of privacy officers is generally less developed in Europe than the US, and indeed, the position of “correspondant” was first created in France in 2004. Like many things in France, even this private-sector role is defined and guided by the government, in the long French tradition of dirigisme:

“From now on, local authorities, public services and associations are allowed to appoint a "Correspondant Informatique et Libertés" (CIL). It is a major innovation in the application of the law, as prior pedagogy and advice are emphasized. Indeed, the data controller which appoints a CIL is exempted, in most cases, from the notification process to the CNIL. The CIL has the duty to ascertain that the information system of the organization will expand without harming the rights of the users, clients and employees.”

As a privacy professional, I’m very excited by anything that supports the development of meaningful empowerment and development for the profession. As long as the role of Correspondant avoids the trap of becoming a purely administrative function, I think it could prove to become a serious contribution to the growth of this profession in Europe.

Practice makes perfect

I recently got away for a few days to play tennis in Florida. I left with a clear conscience, thinking that 2009 was a good year at Google in terms of privacy tools.

Google launched three major industry-leading privacy initiatives that implemented the key privacy principles of transparency and choice -- interest-based advertising, the data liberation front, and Google Dashboard.

It's a great tennis facility, on Key Biscayne, with grass courts, no less. Someone builds and maintains a grass court in that unlikely climate, and it must be a lot of work. And people pay a lot of money to live in "privacy", which usually means living in a place, like Key Biscayne, where they are secluded and protected from other people. So, now that there are online privacy tools, like the ones I just mentioned, I wonder if people will really use them more. I mean, to play tennis, you have to run and serve and swing. To protect your privacy, you should hustle a little too. Someone else can build the grass court, but it's up to you to play.

Watching people walk down the street

It's just snowed in Paris, and I'm looking out my window, watching the children and the dogs play. Almost everyone walking down avenue Foch seems to be speaking on a cell phone. I doubt many of them are thinking about how their location data is being captured, stored or used.

EU countries began passing the Data Retention laws mandated by a European Directive. That means that massive databases of communications logs will now be collected and stored by communications service providers across Europe for 6 months to 2 years, for police and law enforcement purposes (France, for example, chose 12 months). This is the largest police surveillance database ever mandated in the history of humanity to date. The year ahead will define how all this is going to work in practice: who will be able to access them, for what purposes, under what controls, how should this work in a cross-border context, etc. Will other countries follow Europe down this path? For most people, I imagine, the most sensitive aspect of this is the idea that their physical movements can be tracked by the police over long periods of time.

But the mobile revolution is just starting. Think for a moment about the intersection of mobile and face recognition software. For some years, in small controlled contexts, the police have already been using face recognition software to find individuals in a crowd. Online photo albums already offer some face recognition software in the contexts of particular albums, or in the contexts of social networking sites: take a look at face.com. But reflect on the prospect of face recognition software that could be used from any Internet-connected smart phone that can photograph a face and return instant search results. Google already announced the launch of Goggles without face recognition and acknowledged the privacy concerns in applying similar technologies to identifiable human faces. There's a lot of work to do to think through the privacy design of image recognition software applied to faces. The more I think about it, the more complicated it gets.

The web is going mobile, and as Internet apps go mobile too, location-aware services will explode in 2010 and beyond. That means that location data will be captured and used. Location privacy will become a key new issue in the mainstream in the year ahead. It's been around for years in cell phones, of course, but the issues will grow exponentially in the age of proliferating third-party location aware apps. It's one thing for you to know (or be dimly aware) that your cell phone company knows where you are based on your cell phone's location, it's quite another to have a plethora of third-party apps know that too.

Mobile is where the next generation of tough privacy issues will come, I muse, as I watch people walk down a Paris street that hasn't changed much in a hundred years.

DC: discussing privacy in public

I spent a few days in Washington DC in December. While I was there, I slipped into a public workshop hosted by the Federal Trade Commission on privacy. The content of the workshop has already been covered: http://blogs.wsj.com/digits/2009/12/07/ftc-takes-on-online-privacy/

Coming from Europe, I found this sort of transparency and public consultation by a privacy regulator novel and refreshing. The FTC regularly holds public workshops, where it invites stakeholders from many different sectors (academia, advocacy, government, private sector) to discuss problems in privacy and potential regulatory responses to them. This is meant to help the FTC staff understand the issues that it will grapple with. Moreover, the FTC often issues its guidelines in draft form, for the sake of public review and comment, before finalizing them, as it has done with its privacy guidelines for online behavioral advertising principles: http://www.ftc.gov/opa/2009/02/behavad.shtm

So, in my mind, I couldn't help but contrast all this with the practices of one of the world's other great bodies of privacy regulators, the EU Working Party. The Working Party has never, to my knowledge, held a public workshop. It has never opened any of its meetings to the public, and indeed, it is very rare that anyone from outside the closed world of Data Protection Authorities to be invited to attend one of its meetings. It publishes almost no information about its agendas, other than a few sentences to describe its annual work program. It never publishes its opinions in draft form for public review and comment before finalizing them. And finally, since it only issues "opinions", rather than enforceable decisions, its work has never, to my knowledge, been subject to judicial review. Seeing the transparency of the Federal Trade Commission's public workshop in action made me appreciate the benefits of transparent and open government.