Sorting the sheep from the goats
The daily deluge of news stories about the use and abuse of personal data continues. Led by the US and UK governments, government-intelligence coalitions seem to have adopted the position that it’s ok to trash citizens’ rights to privacy and security because a) we shouldn’t have been surprised that they were doing this, because b) they’ve been doing it for a long time and c) everybody else is doing it. No signs of regret, shame or apologies there then. The corporate position seems to be that their abuse of our personal data is all OK because at some point in our dealings with them we ticked “ok” to accept a user agreement designed to be a) incomprehensible and b) so lengthy that only someone with super-human powers of endurance ever makes it to the end. However, we are now discovering that ticking that box actually meant that we “agreed” to the use of our data in ways that we never imagined and certainly didn’t give our informed consent to.
One consequence of this stew of news stories is that it is easy to lump all of these different operations and organisations together in a box labelled “all as bad as the other”. I’ve done this myself. In a recent blog I listed “Google, Facebook and Microsoft” as examples of corporations exploiting their users’ personal data, implying that they were all much of a muchness. Shortly afterwards I got an agitated email from a good friend who’s a senior development engineer at Google, protesting that lumping Google and Microsoft in the same group with respect to their policies and practices with respect to user data was inaccurate and unfair. He then detailed a series of ways in which Google offers users ways of opting out of Google’s data collection activities (more on this in a future blog) which aren’t available to Microsoft users. And being not only an authority on what he’s talking about, but also absolutely trustworthy, I’m sure he’s right. My problem, however, and I’m sure that this is true of almost all of us, is that I don’t have the expertise, or the time and energy, to evaluate the trustworthiness of all of the different organisations I come into contact with.
I just have to work with a general judgment of “can I trust companies who ask me to give them my personal data?” and respond in terms of a general strategy: acquiesce or (at the moment) resist as best I am able. Wouldn’t it be useful if I could refer to someone who knew about these things to ask them what they thought about each of these companies, and how I should respond to them?
Well, there’s an interesting project which is setting out to do just that. The Ranking Digital Rights project has been set up to rank the world’s internet and telecommunications companies on how well they respect users’ rights of privacy and free expression. Created by Rebecca MacKinnon, who teaches and researches on data privacy and related rights at the University of Pennsylvania, the very first part of the project is trying to work out what criteria are needed to make a judgment about the data handling policies and practices of organisations. What does it mean to say that a company (or government) is “good” or “bad” in terms of how they handle my personal data?
The project is still in its very early stages. At the moment MacKinnon is a one-woman band, being the only person working on the project. But she’s already succeeded in getting support to part-fund the project through 2014-2015 from the MacArthur Foundation and billionaire George Soros’ Open Society Forum. [At the moment she’s also looking to appoint a full-time consultant, for six months, ideally based in Europe, to support methodology development and stakeholder engagement (if any readers of this blog are interested, see for more details).]
Currently the project is pulling together a set of case studies looking at internet companies operating in a variety of countries. They’ve already looked at companies operating in India, Russia and China and are now looking at Deutsche Telekom, not only in Germany, but also at its subsidiary companies in Hungary, Spain, India and possibly the US.
The project is hoping to have final drafts of the case studies ready by December 2013. It will then go on to finalise the ranking criteria, before moving on to the business of actually evaluating a sample of companies during 2014. The results of the work the project has done so far seem to confirm a picture of enormous variation in attitudes, policies and practices between companies, and indeed often within the same company. MacKinnon has found that differences start very early: are companies even willing to talk with her about these issues? As she notes on the project’s website: “We have encountered a range of reactions from companies: from highly enthusiastic, to curious, to neutral but willing to talk, to negative, to hostile, to indifferent, to radio silence.” The differences then continue, one particularly significant one being a frequent gap between rhetoric, in the shape of published company policies, and actual practice.
This seems to be an enormous project, but one which could be extremely useful. Just having a concise and coherent listing of what we should all be aware of when trying to decide how good, or bad, a company’s policies and practices are when they are dealing with our personal data would be an extremely useful first step, if only as a “straw man” to inform the current debate about privacy and data (ab)use. And if that could be developed further into a kind of “Which” rating of individual companies then I, for one, would be very grateful.