A case study in regulatory hypocrisy

The controversy over Google’s privacy policies is mounting. More data protection commissioners are getting in on the act. It is not that Google’s policies are significantly different to those of the rest of the on-line world. It is that they attempted to make their policies coherent and intelligible. In parallel we have the news of the departure of Alma Whitten, whose breadth, depth and clarity of thinking put regulators and marketeers alike to shame.

It is always sad when the pedants and hypocrites win. But that is the way of the world. The majority of fines levied for breaches of data protection law are the result of self-reporting. The Office of Fair Trading is more likely to take effective action to protect those whose data has been copied and sold, as with its recent action to withdraw the licence of a payday loan company used by impersonators. Meanwhile we are stumbling into a world where those who provide our on-line connectivity think they should track our every communication for content and location, with or without our knowledge and consent, in case they (or the state, or a lawyer or a regulator or a law enforcement agency) might have a use for such information. But equally they, and those who expect them to keep such information in case it might be “needed”, have no intention of being liable if that retained data is used to impersonate, defraud or abuse us.

Hence the potentially lethal nature of the current round of regulations coming out of the EU covering data protection, identity and cybersecurity. The intentions may be laudable but the small print is in almost every case seriously counter-productive – such as plans to pass breach “notifications” to those we do not trust (regulators, law enforcement agencies, government departments and, of course, their outsource contractors) or of which we have never heard.

Yesterday I was in a meeting with a senior industry figure discussing what should be done. He suggested waiting until the situation was clearer before mounting a step-by-step exercise to correct the mistakes. I said that would mean that his organisation and its peers would get stuffed and have to move operations out of the UK/EU in order to remain globally competitive – because they would face a hundred thousand compliance officers, legal advisors and information security consultants all in support of “more detailed guidance” (i.e. tick-box regimes supported by thousand-page procedure manuals). The jobs of the latter would, of course, be safe, retained by receivers to dispose “safely” of the data, after everyone else had been laid off.

I suggested that, instead, those wishing to remain in business in the UK/EU should begin with the stated objectives and seize the moral high ground by demanding that priority be given to the actions that were actually needed. Thus the Cyber Security directive is supposedly needed to help better protect critical national infrastructure. It should therefore be focussed on critical national infrastructure, such as power grids, communications networks, payment clearing and food distribution – and the need for demonstrable resilience in the event of fire, flood, storm and digititis (finger trouble) as well as actual attack. Topics such as social networking should be excluded from consideration. Things like data breach notification should be secondary to responsibilities and liabilities for action to protect customers and suppliers (i.e. up as well as down the supply chain) in the event of suspected problems.

I suggested that the need was therefore to assemble a credible cross-sector, pan-European group who would call for what was actually needed in order to protect the infrastructures on which their businesses (as well as the rest of society) depended. They should also actively block attempts to sidetrack the directives onto that with which regulators and compliance officers were comfortable but which would do less than nothing to protect them or their customers from the risk of infrastructure failure. That is much easier said than done – but the very effort of doing so can help kill off the displacement activities which make politicians feel they are doing something although they are actually making a bad situation worse.

Similarly with breach notification: what is the point, when the information needed to impersonate most of us is already publicly available or out “in the wild”? What we need is to make it easier to organise co-operation to find out who is collecting, collating and reselling our data and to stop them – unless they have our consent to do so. If you have not already done so, watch Gary Kovacs’ TED talk, Tracking the Trackers, on behavioural analysis.

At this point you can see just how difficult a task faced Alma Whitten and will now face her successor, Lawrence You. They are caught between a business model and a set of political assumptions – neither of which gives priority to usable and informed customer choice. They are not, however, the only ones. Since when did technology experts listen to their users – any more than suppliers listened to their customers – or party leaders to their members? The world is full of those who know best. The on-line world was, of course, going to change all that. And we can see the electronic pigs flying past in virtual formation.

A recession is, however, a time when consumer power comes to the fore and real change happens – because the complacent can no longer throw money at problems.

I expect the way forward to come out of India (where the Supreme Court has just blocked add-on patents), China (which now has the world’s largest on-line communities and is run by engineers who think ahead) or Cambridge (home of the Devil’s Flamethrower) – not California (beginning to show signs of complacency) or Oxford (home of PPE and other dangerous delusions and causes which have yet to be lost).