Tuesday, 31 January 2012

Help fund a policy organisation

I never thought it would be easy and I knew I didn't have all the answers.

The challenge is to find ways to fund the kind of research and advocacy we're doing here at Open Digital without becoming enslaved by any single person or organisation.

If you can help in any way, by:
  • Spreading the word
  • Employing the services of our consulting arm, Open Digital Consulting (bound by charter to donate at least 50% of its profits to the policy organisation)
  • Becoming a donor, shareholder or both
 Please get in touch: support@opendigital.org or see more information on our Standardised Personal Data License project.

The funding conundrum

As I said at last Wednesday's Digital Surrey, as an organisation we must avoid some of the pitfalls of other groups working on digital policy.

Read more about some of the pitfalls of policy funding here.

Data ethics - why should your business care?

What's in it for your business, when much of our work seems to be focussed on public interest?

Because I firmly believe public concern must be embraced by any digital business aiming for sustainability.

The long term interest of any sustainable business is closely aligned with the interests of its consumers. It's as simple as that.

If you want to make money from the processing of, and trade in, data about individuals you will benefit from the trust and support of those individuals.

Acting in a highly ethical manner is the key to gaining trust, and even ethical businesses need help and support convincing the world of their ethical credentials.  If your business aims to do more than make a quick buck it needs to take proactive steps towards understanding the issues.

Our organisation's own plan for long term sustainability

My plan is to make Open Digital a sustainable self-funding organisation, but it will take time to get to this stage, and therefore we need cash help getting there.

I believe the organisational structure will then promote policy research in the public interest through semi-independent oversight of the policy organisation by our Policy Advisory Council (PAC).

Our structure also minimises the impact of cash dependency.  Our founding charter guarantees the policy organisation will receive 50% of the profits from the consulting business, and the PAC gets to decide how this is spent.

Open Digital -  structured to promote community interest
But my plan requires Open Digital Consulting to be profitable, and that won't happen overnight.  Hence my decision not to launch as a non-profit, but to offer shareholders willing to stand by the whole organisation a chance to share in the long term profits.

The first 9 months

For a fledgling policy organisation with only very weak connections to the political scene we've had an amazing start.  I attended ministerial meetings with Communications Minister Ed Vaizey to discuss web blocking, plus a 5-minute interview on Sky News' Jeff Randall Live on the same subject.

Our first report (pdf) was referenced in print on page 2 of the Financial Times and has been cited in numerous other reports.  I've been quoted on privacy, security and copyright issues in most major computer magazines.

I'm also told that our paper arguing against the government's plans for a Public Data Corporation (pdf) helped persuade decision makers inside the Cabinet Office to shelve the plans, opting instead for a more open approach to public data.

Aims and forthcoming projects

(More information on our Standardised Personal Data License project)

Our long term goal is to improve trust in digital products and services for the benefit of all; we believe this can be done whilst maintaining the principle of a free and open internet through fair market competition.

One of the barriers to trust we have identified is clarity and transparency over what data about us is being gathered and how that data is being used and traded.

Only through clarity and understanding can consumers make informed choices about what level of personal information to share with any given service.

If personal data is the new digital currency, a catchphrase many are using, we currently have a confusopoly in the market place.

In a confusopoly, the "price" of using the service is transparent, but too confusing for consumers to understand.  Therefore consumers make bad choices, and less than ethical businesses are able to profiteer.

A project we hope to launch over summer aims to iconify privacy, bringing clarity to users to help cut through the confusopoly.  It's been tried before, but that is not going to stop us:

Note, the icons pictured are just examples. We want to rank privacy on a simple scale of 1-6, maybe adding additional information to distinguish between passive tracking and active data gathering.

The final icon design will be decided through a community project, and that itself introduces a challenge of ownership in the end result. We need intellectual property in the icons to prevent misuse, but the community needs to see that Open Digital will never profit unduly from a community project.

We therefore propose to hold the intellectual property in the icons in trust.


If you run a business or are a reasonably wealthy individual with an interest in privacy, trust or digital policy, please consider becoming a donor-shareholder.

Significant shareholders get a seat at the table of our truly unique organisation, and a chance to share in half the profits if we achieve our aims.

Alternatively, if your business wants insight or training on any digital policy area, please consider using the services of Open Digital Consulting.  Part of our fee will go towards supporting our policy work.

And above all, if you like what we're doing, please spread the word and get involved.  Tell us about your concerns. Email contact@opendigital.org or engage with us on Twitter: @open_digital.

The funding conundrum

Funding a policy organisation in a way which provides reasonable independence and allows fair reward for those researching policy areas is the most significant challenge Open Digital faces.

Some think tanks stand accused of becoming enslaved to their backers, afraid to stray into policy areas their backers find uncomfortable; and, occasionally, promoting the vested interests of their backers.

Sponsored reports inevitably lead to research and advocacy following the money. And because incumbents have the most cash to spend, the policy areas incumbents want examined get examined. But who stands up for the innovators, emerging businesses and the public?

Academic organisations generally act with independence, but are often slow off the mark for analysis and research into rapidly evolving technology.

Civil society groups also play an independent role; but, reliant on public donations, its necessary for such groups to create a certain level of noise in order to maintain support, and sometimes the message gets lost in the noise.

And for an organisation attempting to influence public policy, it is simply wrong for us to charge for access to reports and white papers.  Research which affects public policy must be open to public scrutiny, it's as simple as that.

Read about our funding plans here.

Thursday, 26 January 2012

Polarised debate over EU data protection must be a wake up call for big data corps, they can't have it both ways

There are deep and complex issues to be discussed regarding EU plans for an overhaul of data protection regulation.  Whilst I don't want to rush to judgement on the detail, one thing is clear from the BBC's technology correspondent Rory Cellan-Jones' blog - it's really put the wind up Google:
A senior executive at the search firm told me that two industries which depended on data, advertising and the web, were just about the only things a sclerotic European economy had going for it, and now both were in danger of being strangled by bureaucracy. 
"The data protection directive sees data as a bad thing," said the executive
Whilst many see the combative approach of EU commissioner Viviane Reding and her equally bullish partner-in-crime-come-potential-adversary "Steelie" Neelie Kroes as a good thing - a positive part of a fight for control over our data as the only language the big data corporations understand is the law - I have some sympathy for Google's apparent frustration.

I don't believe confrontation leads to good law, and by good I mean law which is effective in its aim, proportionate in scope and is not overburdensome to enforce - enforcement burden: level of policing required, economic cost of red tape and infringement on personal freedom/autonomy.

Part of my criticism of digital intellectual property enforcement legislation (SOPA, PIPA, ACTA and DEA) is the way these laws were conceived and drafted; in a confrontational environment.  All attempt, in varying degrees, to regulate an industry - the internet industry - without extensive consultation with the industry they're trying to regulate.

In fact in many cases the internet industry was deliberately excluded from the process, in other cases public consultations were carried out only to ignore serious objections from credible voices within the industry.

The internet, its relationship with society and with commerce is incredibly complex in nature. In no other complex industry would governments attempt to regulate without extensive consultation with the industry (e.g. banking, medicine).  Concerns about regulatory capture noted, it is equally unacceptable to completely exclude from the discussion those with the best insight and understanding of the problem the regulation attempts to solve.

UPDATE 12:53: note I said "exclude from the discussion." Granted companies can lobby and respond to consultations, but I see opportunity for meaningful and constructive dialogue between all stakeholders. Only through such dialogue can we hope to achieve a better understanding of the problem, and only then can laws be drafted to solve the problem. The process as it stands is confrontational.

Data protection and digital privacy are serious legitimate issues of public concern.  But unless legislation is workable one of three things will happen.

Either regulation will be ignored and eventually abandoned due to enforcement burden; or, data companies will exit the EU yet continue to collect/process/sell data on EU citizens due to the elastic nature of the online jurisdiction - and still turn a profit without an EU presence, robbing EU states of any economic benefit; or, EU businesses and citizens will be denied the benefit of technological advances and low-cost services because of the effective outlawing of certain data practices.

Yes we need to do something as a society to address legitimate concerns, but I personally feel that something has to acknowledge both the scale of the problem and the limited impact legislation can have.

Does the EU data protection regime "see data as a bad thing?"

I believe we need to radically rethink our approach to digital privacy and data protection.  The harm spectrum is broad and our current understanding narrow, with a lot of grey in the middle.

We need to separate the two concepts of personal data and privacy. They are fundamentally different. We need to work with the internet industry as a whole to draw the boundaries on privacy to prevent intrusive monitoring of what are clearly private actions.

But there is a possibility we need to scale-back our data protection demands in some areas when it relates to data captured in the online equivalent of a public space.

Yet my sympathy for Google and other technology giants is tempered by their unwillingness to date to engage with privacy advocates and fund a broad cross-section of community-led policy research.

Yes there is self interest, because Open Digital needs financial support to reach our self-funding goal (see slide 9 from my presentation at Digital Surrey last night), but I hear this from many advocates involved in the digital privacy debate: only this morning I saw, from Privacy International advisory board member Alexander Hanff:
I'm about as happy with a state-driven approach to privacy as I am with a corporate free-for-all. At the heart of the debate is an issue that affects everyone, globally, whether or not they have access to the internet - because the ramifications for global trade and societies around the world if we get this wrong are enormous.

Any sustainable business must see that a key part of sustainability is building trust with its customers, and that relationship is the focus of our research into digital privacy (see slide 7 from my presentation at Digital Surrey last night).

Big corporations can't have it both ways, they must either support independent initiatives to understand the problem with the aim of coming to a broad consensus on what data protection legislation is needed, or risk bad laws stemming from a frustration with the way a fledgling personal data industry has behaved so far.

Wednesday, 25 January 2012

O2 sends your phone number to every website you visit, should you be bothered?

In a word, yes; I very much think this matters.

Why? Because at the very least it allows any website operator to capture your telephone number and potentially use it to send you spam texts or marketing calls.

UPDATE 25-Jan 13:29: Twitter user @alanbell_libsol reports the problem as fixed and I can confirm it's fixed for me too.

The problem

We have confirmed that UK mobile phone network O2 sends your mobile phone number to each website you visit.

The O2 problem was reportedly spotted by @lewispeckover and has been a known issue in the security industry for 2 years, see Collin Mulliner's 2010 CanSecWest talk.

We know the issue also affects at least one operator using the O2 network, GiffGaff.

We have also confirmed the phone number is sent even if you connect your computer or tablet to the internet via your phone, ie tethering.  This strongly indicates the phone number is being injected at some point in O2's network.

Personal data?

What can someone do with your mobile phone number? On its own, not a lot.  They can call you out of the blue, or send you junk texts.

But think how many websites you visit know quite a lot about you, such as your real name, your address, your hobbies, likes and interests? I choose not to disclose my phone numbers to social networking sites because I don't want to be contacted by strangers by phone selling me things I might be interested in.

Tuesday, 24 January 2012

Norwegian Data Inspectorate rules use of Google Apps by companies breaches Norweigian law, cites US Patriot Act

Datatilsynet, The Norwegian Data Inspectorate has effectively outlawed many corporate uses of Google Apps within Norway on privacy grounds.

Reports are only just emerging (in Norwegian) that a "Notice of Decision" dated 16th January (pdf, Norwegian) states that Norwegian companies that make use of Google "cloud" services, (known locally nettskyløsning - essentially Google Apps) with its standard terms "violate the law".  

It is unclear at this stage whether the opinion will be challenged in the courts.

The Norwegian authorities cite the US Patriot Act, which gives "U.S. authorities the ability to monitor terrorist suspects without charge or trial" amongst the reasons why a US-led data protection initiative known as US-EU Safe Harbor was insufficient in itself to guarantee compliance with strict Norwegian data protection laws.

Readers are reminded that Norway is not a full member of the EU, but, as a member of the European Economic Area, complies to all relevant EC directives.

The Norwegian ruling comes 18 months after Danish Data Protection Agency reportedly ruled that sensitive personal information could not be stored on Google's cloud platform (Danish) when Odense Municipality planned to use the service to manage student schedules. 

It also comes at a difficult juncture for Google after revelations cloud data was improperly accessed by Google employees in Kenya in order to "boost its own business".


The intervention of the Data Inspectorate stems from a complaint "by an individual" against the municipality of Narvik, a relatively small city whose administrative body was the first government agency in Norway to move to Google Apps, according to Digi.no, an Oslo-based tech blog.

The main issues of the complaint seem to relate to:
  • Where in the world data will be stored, including backup copying, and what protection is available in these countries
  • Whom at Google has access to the stored data
  • Whether it is possible for Narvik Municipality to conduct data "safety" audits for the data stored in the Google cloud - essentially what co-operation from Google was required for a satisfactory audit to be conducted
Inspectorate opinion

The ruling relates to the use of Google's email service by the municipality of Narvik, but the principles outlined extend to other Google cloud services.

To summarise, the Inspectorate found Google does not offer terms and conditions that meet Norwegian law, has no mechanism in place to offer local or customised Ts & Cs, plus the Inspectorate did not have access to sufficient technical information to show adequate data protection measures were in place to allow personal data to be exported to countries outside the European Economic Area.

Therefore the use of Google Apps by Norwegian companies (plus, presumably, any foreign-owned company with a Norwegian presence) to process personal data would put those companies in contravention of three sections (13, 15 and 29) of Norway's Personal Data Act 2000.

Monday, 23 January 2012

Don't be sucked into supporting a flawed proposition in an artificially polarised copyright debate

The language in the increasingly hostile battle over online copyright infringement resembles that used in the war on terror or the war on drugs:
"wherever you are around the world, we're going to after you"
Alarm bells should be ringing. Drugs and terrorism ruin lives (in a biological sense). There's no comparison to the commercial problem of designing a market intervention suitable for the digital age to protect those who invest in the creative arts.

Also, arguably, neither war has worked. Ioan Grillo, in his book El Narco, documents the shifting power struggle in the battle to control the supply of illicit drugs and the social and economic impact of various enforcement strategies, including the chilling effect on communities demolished as the powerful slog it out.

Absurd as it may seem, I do see parallels with copyright infringement. If the world's most powerful nation struggles to control supply of a clearly dangerous physical product, how the hell do they expect to police worldwide availability of an intangible product with no known health issues?

There's a lot wrong with the approach to copyright enforcement advocated by many major rights-holders.

But now, with what can only be described as a massive escalation in hostilities, there's a real danger moderate rational-thinking people are being sucked into supporting one of two logically and morally flawed positions; pushed into taking sides in an incredibly complex debate, or backing unhelpful and retaliatory actions of questionable legality (on both sides), simply because one side makes more sense than the other.

Madness, since we're not dealing with a binary debate.

Monday, 16 January 2012

Open Digital will join global protest against copyright anti-piracy overreach, Weds 18th Jan

Today our Policy Advisory Council voted unanimously in favour of Open Digital joining a global protest against two US bills to tackle copyright infringement that we feel go too far.

The motion was simply "should we join the protest?" All six members voted in favour.

Here's what I told PAC members when I proposed the blackout:

Wednesday, 11 January 2012

What happened when a police force commissioned a neighbourhood policing app? Find out on 25th January

Open Digital are proud to sponsor this month's Digital Surrey with a fascinating talk from Surrey Police's Chief Superintendent for Neighbourhoods Gavin Stephens.

Book your free place here 

Gavin will be introducing the Surrey Police App, currently available for iPhone (and soon to be available for Android) and will be joined by Angus Fox,  Director of social collaboration software firm Multizone who developed the app.

We will hear about the commissioning and deployment of the Surrey Police App, which connects residents to their neighbourhood police teams, as well as a range of topics from government issues to the social impact on neighbourhoods and public concerns such as privacy.

The University of Surrey will be hosting the event with sponsorship from the Open Digital Policy Organisation.

Unfortunately space is limited and previous demand has been considerable. Please let us or the organisers know if you have to drop out for any reason - this also helps Digital Surrey keep such events free to attend.

Monday, 9 January 2012

Lego's augmented reality kiosk - great use for AR without the lag or fiddle factor

This is worth sharing, it's only the third time I've been excited by an application for augmented reality (AR). 

Like the other two applications (goggles for emergency services and the Xbox Kinect), the Lego AR kiosk satisfies three main criteria: it serves a purpose, is low on fiddle factor and the AR application operates with minimal lag.

Many other applications fall over on one or all of these hurdles. I find most phone-based AR like Layar slow to initialise, laggy and fiddly to use.

AR applications for desktop tend to lack purpose and have some fiddle involved in setting up a webcam. 

The Lego AR kiosk is a great idea and we could see similar kiosks appearing in shops around the world.

(ht @PaulBaldovin)

Friday, 6 January 2012

The 2009 failed prosecution by the Met's Obscene Publications Unit for a written fantasy/horror story

Via Twitter I followed the trial of Michael Peacock, acquitted this afternoon in Southwark Crown Court on 6 counts of distributing obscene DVDs under the Obscene Publications Act 1959.

The prosecution was widely condemned by the liberati of Twitter, and the acquittal therefore welcomed as an important victory against state censorship on a moral level.

But if you sympathise with Peacock, it's worth sparing a though for Darryn Walker and what is probably one of the most important failed UK prosecutions in the history of the internet.

In 2007 Mr Walker published a fantasy/horror story about the torture, mutilation and rape of members of pop group Girls Aloud on a Usenet Newsgroup.  (The story remained for at least a year under the alt.sex.stories hierarchy but has, from a precursory check today, since disappeared.)

Shocking and disturbing, sure - but should such fiction be illegal? And when it's hidden in some internet backwater where's the harm?

And, since the story involved selling body parts of the dismembered songstresses on eBay one can only assume the work contained a level of comedy and/or satire.

Soon after publication, an 18-month legal ordeal which saw Darryn lose his civil service job was started by the most unlikely moral guardians of The Daily Star:
"We can reveal that Interpol has been notified to help track down the man behind the bizarre work"
Daily Star, 26th July 2007
The Daily Star claimed Girls Aloud members were being "stalked by a vile internet psycho".  Sensationalised in the mainstream gutter press brought the story to a whole new audience.