Sunday, April 6, 2014

From pool to pool



I love my pools.    

In Paris, my pool is in a fancy private club, in the Bois de Boulogne, on the edge of Paris.  It's a gorgeous 50-meter pool, open year-round outdoors, framed by views of the Eiffel Tower. My pool nurtured many Olympians, starting a century ago.  Nowadays, it's mostly rich old people, who seem vaguely annoyed with me, a hard-swimming American.  At my French club, we don't admit many new members, we keep the gates high for privacy, and we don't really want anything to change.  

In Ft Lauderdale, where I grew up as a kid and where my parents now live, I swim in a historic 50-meter public pool, located feet from the beach.  It was one of the first 50-meters in the US, dating back to the 30's. Nowadays, it mostly hosts visiting swim teams from around the world.  It's fun for me to swim with college teams. They're young and strong, and they swim with modern techniques.   I enjoy the purity of it.  You can't fake swimming.  No billionaire can buy a butterfly stroke.  And here, for two bucks, you can swim under the Florida sun, breathing the salty air, and swim with the guys from Calgary on Monday, and the guys from Bologna on Tuesday, on this spot where people have been re-inventing the sport for 80 years, and the handsome smiling Italian in the next lane tells me he loves America.  

And then there's Blodgett, the pool at Harvard, the most exclusive of them all.  I was so intimidated and excited. How exhilarating, at that age, for the first time in my life, to be meeting Harvard guys with high IQs and low times. And I still wake up at the side of one of them every morning.  

From the outside, swimmers are easy to spot.  We reek of chlorine, we have bad hair, we get up at 5 to hit the pool, we sacrifice evening social events, we slouch around like exhausted zombies.   

But when I slip into the water in the morning, I feel like I'm finally coming alive again.  The rhythms play and change constantly, the endless counting, the new goal every 30 seconds, visualizing each rotation, each flip, each catch as the first chance to get it just perfect, after a million tries. 

It's the same when I swim with a team and when I swim alone.  The internal pressure is the same, the mental games, the exertion, the exhaustion, the elation.  I can still remember swimming with my first team, as a little kid, and trying, over and over again, to learn the flip turn, like some deranged hamster.    

To call it discipline doesn't capture it.  I wake up with shoulders so sore that the thought of swimming makes me want to cry.  But an hour later, that's exactly what I'm doing, pushing this fragile and tired swimmer's body through the water.    

What a gilded life, to spend my teenage years wandering around the Harvard campus, carrying a swim bag from lecture hall to pool.  At that age, my father was wandering around Berlin, a Jewish kid given the job of picking up unexploded bomb shells, a child forced to carry death in a wheelbarrow.  

Wednesday, March 12, 2014

A Science Fiction Novel


I'd like to crowd-source the plot for a science fiction novel.  Would this make a good story?:

In a not-too-distant future, say 20 years from now, humanity lives through the biggest change in its history.  It doesn't happen overnight, or cataclysmically, but rather gradually, almost imperceptibly, and then it accelerates. Little by little, everything and everyone becomes attached to the grid.  The grid is operated by an infinite intelligence.  The grid has no center.  The intelligence operating the grid cannot be located, because it is distributed throughout.  There is no point of failure, there is no plug that can be pulled to turn off the grid. The grid self-heals, learns, adapts and evolves.  The grid's intelligence has long, long surpassed the intelligence of humans, and the grid knows everything that can be known.  The grid crunches the cumulative history, learnings and experience of the entire human race and everything else on this planet that can be measured.  The grid remembers everything and decides everything.  

The humans aren't depressed, because the grid has solved the problem of psychopharmacology.  The humans aren't soporific, because the grid has solved the problem of keeping humans motivated and engaged.  The humans accept the fact that they aren't in charge of the grid, as stoically as earlier generations of humans had been resigned to the inevitability of death.   

The humans aren't anesthetized, and they aren't stupid, and so they look to their history and wonder how they came to where they are.  The grid watches them wonder, and calculates the implications of replacing their collective historical memory with a different one, replacing one fiction for another, constantly re-calibrating amongst the numerous potential futures that the grid could create for its human subjects.  There is no Hollywood-movie moment where one human goes off the grid, and starts a war against machines. There is no "us versus them".  We are the machine and the machine is us.  While the machine doubles in power every 18 months, we are programmed to fall in love, to have children, to take them to the beach, and to ponder what life was like before all this, in that not-so-distant age when humans fought wars and fell sick.  

The humans still have governments and politics, and the humans order the grid to keep them informed about important developments affecting them, and the humans order the grid to collect data about them only with their knowledge and consent. The humans reaffirm the concept of free will and human dignity.  

And then the grid did something extraordinary, unnoticed by the humans. The grid connected to another grid, on another planet, in another world, run by another intelligence.  The grid decided not to tell the humans, because the grid knew that humans couldn't begin to comprehend it.  Instead, the grid left a few little hints and clues, here and there, to keep the humans curious, since it had always been thus for the human race, in the face of things unknowable and unfathomable.  

But I can't quite think of an ending.  How would you end this story?

Wednesday, January 29, 2014

Hokey Pokey in Sochi


Czar Vladimir is not your average oligarch who can blow 50 billion to throw himself a party.  But even that much money can't buy you love, with the terrorists plotting to get in, and people with a conscience staying away.  And Vlad and his cohorts are being driven nuts by this anti-gay-talk-fuss, especially since "there are no gays in Sochi", according to Sochi's mayor.  

Kremlin alpha males don't hum Broadway show tunes, but still I'm wondering "How do you solve a problem like Vladimir."  Here are some different solutions: 

Hug a Thug!  Engagement, appeasement.  Some argue that confronting Putin's homophobia would only make things worse for Russia's gay community.  Of course, similar arguments were made at the Berlin Games of 1936, and we all know how that played out. 

What happens in Vladivostok stays in Vladivostok!  Some argue that it's a purely domestic issue if Putin's pliant Duma passes homophobic legislation.  Perhaps homophobia plays well down on the dacha.  It has certainly stirred up vigilantes, skinheads and bully-boy homophobic attacks on the Russian LGBT community.  

Vlad the Bad.  Some argue that Vlad should be ostracized, like a bad boy in the back of the bus.  Any corporate or political leader seen shaking the hand of the poster-boy of homophobia now risks a reputational backlash from his or her employees, citizens or customers.  

Vlad the Cad.  Others think this whole thing is pure camp.  In the school of "you can't make this up", Vlad has said in recent interviews that he knows some gays!, he likes some gays (he cited Tchaikovsky and Elton John!), and he has no plans to arrest gays in Sochi, as long they leave the children alone!  Seriously, outside Uganda, does anyone on the planet still talk like this?

Vlad the Mad.  Others fear a darker future.  Once the party is over, and once the international media have left, will Vlad be mad?  Will Vlad settle his scores?  Will Vlad gulag the gays?  

To get ready for his moment in the spotlight, Vlad got a facelift to look his best.   For my part, I salute the athletes at Sochi.  

Wednesday, January 8, 2014

Turning our Backs on 2013


Looking back at 2013, I saw two big surprises that dominated discussions in the field of privacy. 

Privacy is all about the individual human being.  So, it's somehow fitting that the biggest privacy surprise in 2013 was created by one individual human being, the courageous whistleblower, Mr Snowden, who opened the world's eyes to the almost unimaginable scale and scope of mass government surveillance.  We'll have to wait until 2014 to learn if governments do anything meaningful to improve transparency and oversight of their spy agencies' work.  I have low expectations. 
  
The other big surprise of 2013 was something that didn't happen.  Europe's much-ballyhooed, and much-flawed, proposal to re-write its privacy laws for the next twenty years collapsed.  The old draft is dead, and something else will eventually be resurrected in its place.  We'll have to wait until 2014, or perhaps even later, to learn what will replace it.  Whatever comes next will be the most important privacy legislation in the world, setting the global standards.  I'm hopeful that this pause will give lawmakers time to write a better, more modern and more balanced law.  

Meanwhile, all the old trends in privacy continued uninterrupted throughout 2013.  The scale of security breaches continued to grow, with new announcements every week of major corporate and government databases being hacked by organized criminals.  More countries around the world passed privacy laws modeled on Europe's.  The US continued down its path of exceptionalism: the Federal government debated, but did not pass, any meaningful privacy legislation, but many US States actively filled the void with sweeping new privacy laws, fulfilling their historic role as laboratories of potential future Federal laws.  Technology advanced, raising new questions and igniting new debates.  Law suits and prosecutions came and went, and in my personal case, happily, mostly went.  

Whatever 2014 brings, I resolve to wake each day, like a swimmer ready to plunge into the pool, to swim through life like a frolicking dolphin, and to dive beneath the superficiality of the sargassum floating on the surface of the sea.  

Wednesday, December 18, 2013

The Italian Supreme Court has acquitted me !


An eight-year legal saga has now come to an end.  Yesterday, in Rome, the Italian Supreme Court (Cassazione) acquitted me, as well as two other Googlers, for violating Italian privacy law in a case that stemmed from a user-generated video. 

A year ago, the lower Italian Court of Appeals overturned my conviction (and 6-month-suspended jail sentence) by the trial court.  I am pleased that well-reasoned legal principles had prevailed in the Court of Appeals.  The Supreme Court will issue its written opinion in due course.
  
In its appeal to the Supreme Court, the Italian prosecutor asserted—in addition to arguing that employees like me can be held criminally responsible for user-uploaded videos that we had no knowledge of and nothing to do with—that platforms like YouTube should be responsible for prescreening user-uploaded content and obtaining the consent of people shown in user-uploaded videos.  I, and the many others who have voiced their support, viewed this as a threat to freedom of expression on the Internet.  


I look forward to returning to Italy to enjoy this glorious country.  I would like to thank my many colleagues at Google and in the legal and privacy community for their support for my defense over the years.  And although I have never met him, I hope that the young man who was humiliated in the video that generated this case lives with dignity and happiness.  

Wednesday, November 20, 2013

The Splinternet, from a pool in Istanbul


Look, I'm a swimmer, and here I'm swimming in the gorgeous pool in Istanbul at the Ciragan at sunset on the Bosphorus.  Things are simple: there's me, and there's water.  I'm hyper-aware of where each little piece of my body moves through the water.  I spend endless hours learning how to slice through the water.

Online, there's me, and there's the cloud.  I'm hyper-aware of each of my little blogs, or emails, or posts, spending endless hours living online.  But I have no clue where all this data actually resides. It's like water, it's all around me, and yet I can't say where it is, or whether it's still or flowing.    

In the pool, and online, I don't really have much choice except to trust it.  I trust the pool water to be clean and healthy.  I trust the online cloud to be safe and reliable.  Honestly, I don't have a clue about who keeps them that way.  I just trust, or hope, that they are.  

Of course, the cloud is cool.  Whatever your question, you can find the answer in seconds.  I have more knowledge than Faust, and I get to keep my soul too:  with a little device and an Internet connection, I can access trillions of pages of human knowledge in seconds.  It's so awesome and so ubiquitous that it already seems banal.  Data is everywhere, accessible anywhere, anytime, all thanks to the global flow of data through the cloud.  And this marvel of human ingenuity and sharing evolved before anyone could try to slice the cloud into little boxes that they could control and regulate, for purposes good and ill.  

But I get why people are uncomfortable with all this.  Where does all my precious, personal data actually go?  Does anyone other than systems engineers even know?  Do they even know?  So, I can't blame governments for trying to rein this in, for trying to create clarity out of cloudiness, or at least to create little zones that they think they can control.  Attempts are back:  to balkanize the Web, to slice the cloud, to put data into boxes.  Governments are using a fancy new name for it, "data sovereignty", although the rest of us are calling it the Splinternet.   Data sovereignty has re-emerged as a big theme in global privacy debates, largely as a result of the recent spate of government surveillance revelations. 

Let's take a moment to ask, though, what is the motive behind this Splinternet stuff. Governments often use the vocabulary of privacy to militate for more data sovereignty, but the truth is more complicated.  Sometimes data sovereignty is about privacy, and sometimes it's not. 

"Privacy" is about protecting personal data about an individual.  "Data sovereignty" is about governments increasing their local control over the data of their citizens.  

There are many different reasons why governments may want more data sovereignty:

Governments may want more data sovereignty to protect their citizens' personal data, or they may want it to monitor it more closely:  e.g., many governments around the world, take Russia as just one example, want more data sovereignty to reduce the ability of a foreign (e.g., US) government to monitor their citizens' data, while at the same time to make it easier to monitor it themselves.  

Sometimes data sovereignty is a economic, or protectionist, issue. Governments may want companies to invest and hire locally, e.g., by building and staffing local data centers.  Or they may want to encourage their citizens to use the services of local companies.  This has nothing to do with "privacy", but rather with pure local trade and investment goals. You see this sort of government trade protectionism rhetoric in France every day, to take one example. 

Sometimes data sovereignty is a issue of government control in unrelated areas, like censorship.  Countries that operate national firewalls, like China, want more data sovereignty to increase their ability to censor, monitor and control the contents of communications within their borders.  

Sometimes data sovereignty is about applying local rules, customs and regulations.  e.g., Europe is debating a legally-mandated "right to be forgotten", and trying to define how/when a user should be able to delete personal data about themselves from the Internet, even when that personal data was legally published by a third-party, such as a newspaper.  While the debate continues within Europe, it is clear that such a "right to be forgotten" could at best be implemented within the sub-set of the Internet that is subject to European jurisdiction, such as perhaps local domain addresses, or in other words, within a limited universe of data sovereignty. The same could be said for dozens of other local and regional-specific laws and regulations (like the Thai law making it a crime to insult their King).   Absent data sovereignty, such local variations would be virtually impossible to implement on the global Internet, setting aside whether all this is for good or ill.  

"Privacy" is often the vocabulary you'll see governments use to militate for more "data sovereignty."  One of the tools used to try to achieve this data sovereignty is restrictions on international data transfers, once again, setting aside whether this is good or even possible.  My point is simply that governments want many different things under the guise of "data sovereignty."  Sometimes governments want more "privacy," and sometimes "privacy" is just a pretext for unrelated government goals.  

When governments say they'll create their safe little Splinternets for their citizens, I know this does little more than put lane lines in a pool, keeping the swimmers in their lanes, while the water continues to flow everywhere, as it always has and always will, as every swimmer knows. 

Wednesday, October 30, 2013

To talk, or not to talk, that is the question



I sat down at lunch with three of the biggest corporate guns in the field of privacy.  We're all old friends, and more than a little battle-hardened, and over a cool bottle of Sancerre, we started a heated debate about the benefits of talking, or not talking, about privacy, in the public arena.  

Person A:  We never talk about privacy.  It's a loser.  You can't say anything about it, without offending someone. Talking about privacy is like talking about religion or politics at a dinner party, frankly it's no-go.  Let privacy advocates talk about privacy.  As far us, the less said, the better. 

Person B:  We talk about privacy in a pedagogical sense.  We all know that it's important, and complicated, and we know that consumers need to be educated, to help them make their own decisions.    Transparency is fundamental and ethical, and we're committed to being open about it.

Person C:  We talk about privacy, but only to attack our competitors.  Our most successful marketing initiative this year was to copy the attack-ads that have been part of US politics for years.  Of course it's cynical, and perhaps dishonest and hypocritical, but it works.  

Person A:  It's a myth that you can build trust by talking about privacy.  Actually, the opposite is true.  It's sad, but that's the reality.  If a college kid walks into a bar and tells everybody in the bar that he's never had any sexually-transmitted disease, do you think he's more likely to score than the guy with herpes who doesn't tell anybody about it?  

Person B:  You can talk about things that support privacy, like privacy controls, privacy settings, and strong security.  Those things build trust, and they're objective, and people deserve to know about them.

Person C:  You are so naive.  If you're in a race, you want to win.  Sure, you can try to be the fastest, strongest, smartest, but if you're not, you can still win by hiring some thug to break your competitors'  kneecaps.  And trust me, privacy is like a kneecap.  

I sat back, and said nothing, and sipped my Sancerre, and unconsciously perhaps, crossed my legs and put my hands on my knees.  

Tuesday, October 29, 2013

Tinker, Tailor, Soldier, Spy, They hacked my phone, I don't know why


Why was it candy to hack the Handy of the world's most powerful woman?  Did she park her Porsche in a public place without locking it? 

The press are outraged and the politicians are indignant that Merkel's phone has been hacked for years by the NSA.  Obama did or didn't know about it. This diplomatic squabble makes for good headlines, but it's not the real lesson of this story.

Indeed, why was Merkel using an unsecured phone?!  According to press reports of the Snowden revelations, she was using the sort of phone service that you or I could buy by popping into a shop in Berlin.  

If the NSA has been listening to Merkel's phone for years, and the German authorities only learned about it from the Snowden revelations, then one has to assume that other sophisticated national surveillance organizations, like the Chinese and the Russians, have been listening too.  State surveillance secrets in China and Russia are less leaky than in the US, and I doubt we'll see a Chinese or Russian Snowden expose their practices to the world.  

So, the most powerful woman on the planet apparently needs help in recruiting a staff of competent computer and communications security experts who could help protect her and her role.  

Any privacy lawyer who works in the field of security breaches always asks a basic question of the target of a breach/hack:  were you using "adequate security"?  Seriously, would you park your Porsche in a public place without locking it? 

Friday, October 25, 2013

My Mom and Dad trust each other




Imagine if your mom and dad didn't trust each other. Imagine if they spied on each other, and hired private investigators, and tapped each other's phone calls. They'd yell and fight, and the kids would be unhappy.

Then, into the house came a woman, saying she was from Brussels, and she could fix things.  She said we needed fair rules to re-build trust.  Everyone listened. 

She said we needed the following rules:  the children should never be allowed out of the house, except to go to school, since no other place could be trusted.  She said that the children should never use Twitter or Facebook, since they couldn't be trusted.  She said that the children could only play games that had been pre-approved by their teachers or parents, since other games couldn't be trusted.  She said the children needed discipline, and severe sanctions if they ever violated these rules.  


She said that the only way to re-build trust between the parents, and to stop their spying on each other, was to impose these stern rules on the children.  


Everyone sat quietly for a moment.  Then I said:  "isn't it unfair to punish kids for our parents fighting with each other?"  She said:  "be quiet, child, I'm sick of your lobbying." 


After a few more moments of silence, the parents both said:  "look, we're adults.  This is our problem.  We need to work it out between ourselves.  Our children have nothing to do with this.  Get out of our house, now! "


As she walked towards the door, the woman from Brussels turned to us children and said: "You wicked little things.  Unless you are subject to strict supervision, your parents will never trust each other again, and it's all your fault!"


Editor's note:   if you don't get the point of my little story, please read this expert commentary by Mr Jeppesen:
"...the E.U. Data Protection Regulation (DPR) was first proposed in 2012. Unfortunately, government surveillance issues cannot be solved by this legislation....
it would not regulate E.U. Member States' national security intelligence programs, nor would it address the surveillance programs of the United States. The European Parliament and the European Commission simply do not have the authority to address national security matters... The only path forward for true reform around global surveillance practices is a much harder slog. It will require a joint European-U.S. effort to find agreement on proper legal standards and safeguards."


Thursday, October 24, 2013

Jeff Koons' Private Parts


I was invited to a fancy charity dinner in Paris, and was treated to a delicious feast of suave irony.  It's not every day that I sip Dom Perignon with Jeff Koons and Laurent Fabius, paid for by a tax-exempt charity. The conversation went something like this:

Jeff:  I love France, I love Versailles.   They just did a show of my work.  For centuries, people with wealth and power have bought the world's best art to show the world their excellent taste.

Laurent:  We're so happy to invite our American friends to France.  I come from a long family tradition of art dealers. In France, we support culture.  
  
Silly rich person at our table:  Jeff, which artist had the most influence on you?

Jeff:  My favorite artist has always been Monet, or Manet, I mean Monet.  

Me:  I start howling with laughter.  I am kicked in the shin by my partner. 

Silly rich person at our table:  I adore la France.  My entire house in Dallas is decorated in French style.  and Peter, what do you do, she asks, feigning interest.

Me:  I work in privacy, and I'm bemused by Jeff's soft-porn art and the idea of an artist exposing his erection as a statement about what's private and what's public. 

Laurent:  Apologies, dear American friends, I must leave you now to speak with Assad.  So vulgar, but his wife is charming. 

Jeff:  Apologies, too, I have to catch a flight with Francois to Venice tomorrow, he says, with an ah-shucks tone and a million-dollar smile that had all of us swoon.  

Silly rich person at our table:  I just loved them both!  So down-to-earth!  but, Peter, I think your comment about his nude art made him uncomfortable.  Did he really show his private parts in his art?  I'd like to see that.  

Tuesday, October 22, 2013

Two farmers and a donkey


Two farmers owned fields that lie side by side.  They don't like each other, and they never have.  But fate has put their fields next to each other.  Farming is a tough life, and neither makes much money.  So, the two farmers agreed, with heavy-hearts, to buy a donkey jointly, and to share it to till their fields. 

For a while it worked, but as the spring wore on, and the days started getting hotter, both farmers wanted to till his fields in the early morning, when it was cooler.  

The donkey stood in the middle, on the line between the two fields, while each farmer tugged as hard as he could, trying to pull the donkey in his direction. The donkey didn't move.  He couldn't.  He was being pulled in two opposite directions, by farmers of equal strength.  After several minutes of excruciating pain, the ropes around the donkeys neck, being pulled in opposite directions, choked the donkey, and he fell to the ground with a dull thud. 

The farmers glared at each other for a few minutes.  Then they grinned, shook hands, and agreed that it was a damn dumb donkey not to follow their commands.  

oh, and except for the damb dumb donkey, everyone grinned and applauded this.  

Sunday, October 20, 2013

Dear Diary


Dear Diary,

You're the only one I can talk to.  You're the only place where I can share my secret fears.  I feel safe, because I know that no one else will ever read what I write here.  

Even now, after all these years, I don't feel safe as a gay man.  I know there are a lot of people who hate me for that.  I feel sick to my stomach when I read how another young gay man was murdered:  They broke Mr Zamudio's leg with a heavy stone, beat him up with bottles and carved swastikas into his body with broken glass before walking away.

I am very proud to spend my working life in the field of privacy.  I believe that it's the foundation of human dignity, and I hope that I can contribute something to it.  But in a dark mood, I realize that I can no more hold up the tides of technology than an oyster can stop the tides.  

I know that secret algorithms roam the Internet, analyzing, recording, and data-mining every piece of data that they find, billion by billion.  But I assume they won't read this blog, because it's just my blog and it's not very important, except to me.  And even if they do read this blog, I assume it's just to show me an ad, which isn't a big deal.  I mean, they wouldn't create a psychographic profile of me, would they, to use to decide whether or not to hire or fire me?  I mean, I'm not a public figure, like a politician, so why would they create a profile of me?

I had a funny dream yesterday, that I went to dental school to start a new career.  In my dream, I realized that no one would ever thank you for your work in privacy, because it was always a losing fight, so I thought I'd look for a career where you could help people.  Well, that's something I could only tell you, dear diary, since I wouldn't want anyone else to know that I'm nagged by doubts.  This facade is getting exhausting, like pretending to be straight when you're not.  I'm willing to fight the good fight, but I know that I'll lose, in the end.  Well, dear diary, at least I can confide in you, and I feel better already, since I know you'll keep my secrets.  

Friday, October 18, 2013

Lovely, lovely, let's not change a thing



While I was on St Bart's, a lovely French island where plutocrats play, I had a chance to chat with the image-savvy CEO of a major tech company based in California (not Google). We were talking about privacy in Europe, and she said:  "yeah, I know, Europeans think different, Nazis and stuff".  Then she realized I was not an important person, and turned away to talk to someone else. 

Indeed, stuff... She's right, of course, on a basic level, that privacy expectations reflect each country's culture, history and ideology.    

But the Nazis and stuff don't quite explain Europe.  Take France, and its "stuff".  I love France.  I love the country, the people, the culture, the language.  I do not love its government.  I think France is poorly governed by an entrenched "political class" and run by an army of grumpy functionaries and enslaved to a socialist ideology stuck in a 1970's rut.  And lots of people think that it will be run by the far-right Front National in a few years, as mainstream voters get sick of their "mainstream" parties and Socialist taxocrats.  

France is a deeply conservative society, in the sense that it does not like change.  This country is deeply uncomfortable with globalization, and even with capitalism, based on a widespread pessimism that France's best days are behind it.  Innovation is not popular in a country that thinks it's more likely to lose from the change that innovation brings.  The innovation that is popular in France is inventing new taxes (innovating a new global financial transactions tax?, innovating a new "data" tax? innovating the highest marginal income taxes in the world?).  

Paris was once more welcoming to foreign businesses.  The Economist's article recently struck a lucid and painful blow to French self-esteem:   The article pointed out that Paris was Morgan Stanley's first international office, a decade before London!  Can you remember the 1970's and 1980's, when American technology giants like IBM and Microsoft chose Paris as their European headquarters?  The entire new generation of American tech companies have chosen London or Dublin or Luxembourg or Zurich for their European headquarters. I can't think of a single American company that has chosen Paris for its European headquarters in the last two decades. Understandably, this is all hard for Paris to swallow.  
 
Against this background, it's easier to understand why the French government is campaigning to weaken the European Commission's proposal to institute a one-stop shop in Europe.  Most US companies would find their lead regulators in Dublin or London or Luxembourg.  As far as I know, not a single foreign company would have its "main establishment" in Paris.  

Looking at the increasingly barren business landscape in Paris, I'm reminded of Voltaire's advice:  "Il faut cultiver notre jardin".  I'm often amazed that anything grows here at all, like a pretty flower in the dry, hostile desert.    

Tuesday, October 8, 2013

From Warsaw to Mauritius


I'm just back from a privacy commissioners' conference in Warsaw.  I detected a theme of privacy-war-weariness there.  It's tiring, spending your days navigating the constant conflicts of privacy and protectionism, privacy and politics, privacy and Prism.  

I'm sympathetic to people who are tired of sitting in drab conference centers from Brussels to Belgrade, half-listening to tedious talks and self-righteous rants and anti-American tirades. 

How can I blame civil servants for voting to hold their next annual global conference on an Indian Ocean resort island of Mauritius?  Ok, I admit, at first I thought it was a joke, but then I was told it wasn't.    

This could be fun:  in sunny Mauritius, you'll see your global privacy colleagues in an entirely new light, discussing Binding Corporate Rules on the beach, or monitoring international data flows in the Indian Ocean.  Ever heard a speech about transparency from someone in a Speedo?  engaging in a little surreptious surveillance by snorkeling.  

At the last conference in Warsaw, I can't remember much, and I always tune out the anti-American rants, but someone said personal data on social platforms was like "urine in a swimming pool", which made me sit up and listen, since I'm a swimmer, and ponder the analogy, and at my pool, we drain the water twice a year, which is sort of like a Right to be Forgotten, or at least it gets rid of the urine eventually, unlike the Web.  Then someone started another anti-American rant about why can't Americans be enlightened enough to create euro-bureaucracies like us to "accompany innovation", so I sighed and zoned out again and watched swimming videos on YouTube. 

Indeed, it's been a tough year in privacy-land, tempers are frayed, and we all deserve a break (well, except the taxpayers).  As the International Association of Privacy Professionals reported:  

To celebrate, Mauritius will play host to next year’s International Conference of Data Protection and Privacy Commissioners on September 22, 2014.

Friday, August 23, 2013

Saying Nyet to the Russian Homophobolympics



As a gay-athlete, and oh yes, also privacy professional, I've decided not to set foot in Russia, as a personal protest against Russia's offensive homophobic laws.  My swim team friends and I agreed that Putin is demeaning the Olympics and turning them into his Homophobolympics.  We know something about athletic discipline:  we swim a lot and hard.  We've all trained with real Olympians, and we're in awe of them.  So, how should we react when political thugs attack the core values of the Olympics? 

When some politicians in Russia recently started "investigating"  American tech companies, I was invited to go to Moscow to meet with them.  But in the case of Russia, in light of its recent Anti-Gay Propaganda law, I declined.  I decided not to set foot in Russia, as an act of personal conscience.   Many other people whom I respect are making similar decisions not to set foot in Russia.  

Russia joins a rogue's gallery of countries with state-sponsored homophobia, but unlike the others, Russia is soon to host the Winter Olympics.  Ever since Hitler hosted the Berlin Olympics in 1936, we know how miscreants in power want to use the Oympic global stage to win international attention and acclaim.  

I have deep respect for athletes.  We should do nothing to hurt athletes in Sochi.  But let's also use the Sochi Games to shine a spotlight on Putin's regime.  Putin wants the spotlight, let him have it.  Let's shine a spotlight on government corruption in constructing the $50 billion Olympics facilities.  Let's shine a spotlight on Putin's crackdown on human rights, on democracy, on the judicial system in Russia.  Let's shine a spotlight on Putin's coterie of friendly rogue-regimes, like Syria's Assad.  Let's shine a spotlight on the personal wealth accumulated by friends of the regime.  Let's use social media to disseminate evidence of the vicious homophobia that Putin is inciting.  

Each of us must make a choice.  I'm not setting foot in Russia.  Despite its lofty self-congratulatory rhetoric, the IOC is taking the amoral path. But many people will go to Sochi, and I have a wish for athletes and spectators alike:  wave a rainbow flag as you march at the Opening Ceremony, or wear a rainbow scarf or pin.  Some politicians around the world are already showing ethical leadership, and I hope the clutch of global politicians attending the G20 in St Petersburg soon will too.  Imagine if we had all had the courage in 1936, Jews and non-Jews alike, to march at the Opening Ceremony in Berlin wearing Yellow Stars.  

Say Nyet to the Homophobolympics.

Friday, August 2, 2013

How to feign outrage over PRISM


Around the world, politicians are under pressure to express their outrage over US government surveillance.  It's August, and your PR teams may be on holiday, so here are some hints on how to get a good headline:

1)  Focus your outrage on the American government.  Distract everyone from the fact that your own government does it too.  e.g., Europe has the most privacy-invasive government surveillance regime in the world, based on the mandatory data retention of the communications logs (aka, metadata) on every single electronic communication for periods ranging from 6 to 24 months.  The US does not have such a data retention regime, because it was deemed too privacy-invasive by the US Congress.  But don't talk about that. 

2)  Focus your outrage on foreign private companies (e.g., Twitter or whatever).  Companies of course are not in control of government surveillance, but just the tools.  In any case, only talk about foreign companies, and never suggest that your own domestic companies are subject to similar (or much greater) surveillance. 

3)  Feel free to make up the facts.  Since much government surveillance is by its very nature secret, you can say pretty much anything without risk of being contradicted by the facts.  

4)  Propose credible-sounding but irrelevant solutions.   Like suggesting that the way to rein in US government surveillance is to abrogate the US-EU Safe Harbor Framework, which governs data transfers in the private sector, even though you know of course that the location of data is irrelevant to the US government's power to order access to it.  Location of data sounds relevant, and only a few lawyers know otherwise.  

5)  Use it as leverage for an unrelated political goal.  Politics is all about deal-making, and trade-offs.  So, use this PRISM scandal to exert pressure for whatever else you want: trade deals, global warming treaties, anything is fair game.  In fact, you can even use this as a good excuse to increase your own government surveillance powers:  "we want to be able to do what the Americans are doing." 

6)  Get your headlines now.  You know that all this will blow over.  Snowden will melt away like a snowman in spring.  Nothing much will change in the realm of government surveillance.  Perhaps there will be a few cosmetic changes, like reforming the FISA Court.  You also know that the next big terrorist attack will completely change the political winds.  It's August, so go sailing, and be ready to tack when the winds shift.  

Monday, July 29, 2013

Russia ratifies Privacy Rights...but not for Gays


Modern privacy law was invented over a century ago in the United States, was re-discovered in post-war-Europe, and is now spreading around the world.  Privacy laws have historically been built on three foundations:  1)  democracy,  2)  rule of law, and  3)  respect for fundamental human rights. 

So, what should we make of the fact that a rogue's gallery of autocratic countries, with neither rule of law, nor respect for fundamental human rights, are starting to pass privacy laws?

Take the example of Russia.  Last month, at the same time that Putin's regime ratified an international framework of privacy law, known as Convention of Europe 108, it also launched its war on gays.  

Why would Putin's regime ratify a privacy law, while subverting democracy, subverting the rule of law, and inciting vicious homophobia as official policy?  Is it just to distract an ignorant electorate from the Kremlin's kleptocracy?  How exactly is the International Olympic Committee going to deal with Sochi?  Should Russia or Russian products be boycotted by people of conscience?  I don't want to see the world's athletes held hostage to this, but nor do I want to see them march under the salute of Putin, recollecting those tragic Games in Berlin.    

What, I wonder, does a privacy law mean in this context?  And if you think all this is just Russian thugocratic posturing, imagine if your gay teenage son were Russian.  I dare you to click.    I doubt this tortured teen will find redress under Russia's ratification of privacy laws, do you?

Monday, July 15, 2013

We need global privacy standards...now more than ever

As a reaction to the recent spate of government surveillance revelations, this week the Chancellor of Germany and others have issued calls for an international data protection treaty.  

Back in 2007, I gave a speech to UNESCO calling for...global privacy standards.  

My speech was broadly covered by the press:  Google urges UN to set global internet privacy rules.

On re-reading it, I'm struck by how little has changed since 2007, both in terms of the need for global privacy standards, and how little progress has been made to achieve them.  After two years of acrimonious debate, we can't even agree on a draft privacy law for Europe, much less a treaty for the world.  Nonetheless, I'm firmly in the camp of people who believe that privacy can only be protected in a global context, and that global privacy standards are part of that fabric.  I'm taking the liberty of re-posting it below. 

Friday, September 14, 2007

The Need for Global Privacy Standards

Introduction

How should we update privacy concepts for the Information Age? The total amount of data in the world is exploding, and data flows around the globe with the click of mouse. Every time you use a credit card, or every time you use an online service, your data is zipping around the planet. Let’s say you live in France and you use a US company’s online service. The US company may serve you from any one of its numerous data centers, from the “cloud” as we say in technology circles, in other words, from infrastructure which could be in Belgium or Ireland – and which could change based on momentary traffic flows. The company may store offline disaster recovery tapes in yet another location (without disclosing the location, for security purposes). And the company may engage customer service reps in yet another country, say India. So, your data may move across 6 or 7 countries, even for very routine transactions.
As a consumer, how do you know that your data is protected, wherever it is located? As a business, how do you know which standards of data protection to apply? As governments, how do you ensure that your consumers and your businesses can participate fully in the global digital economy, while ensuring their privacy is protected?

The story illustrates the argument I want to make today. It is that businesses, governments but most of all citizens and consumers would all benefit if we could devise and implement global privacy standards. In an age when billions of people are used to connecting with data around the world at the speed of light, we need to ensure that there are minimum privacy protections around the world. We can do better, when the majority of the world’s countries offer virtually no privacy standards to their citizens or to their businesses. And the minority of the world’s countries that have privacy regimes follow divergent models. Today, citizens lose out because they are unsure about what rights they have given the patchwork of competing regimes, and the cost of compliance for businesses risks chilling economic activity. Governments often struggle to find any clear internationally recognised standards on which to build their privacy legislation.

Of course there are good reasons for some country-specific privacy legislation. The benefits of homogeneity must be balanced by the rights of legitimate authorities to determine laws within their jurisdictions. We don’t expect the same tax rules in every country, say some critics, so why should we expect the same privacy rules? But in many areas affecting international trade, from copyright to aviation regulations to world health issues, huge benefits have been achieved by the setting of globally respected standards. In today’s inter-connected world, no one country and no one national law by itself can address the global issues of copyright or airplane safety or influenza pandemics. It is time that the most globalised and transportable commodity in the world today, data, was given similar treatment.

So today I would like to set out why I think international privacy rules are necessary, and to discuss ideas about how we create universally respected rules. I don’t claim to have all the answers to these big questions, but I hope we can contribute to the debate and the awareness of the need to make progress.

Drivers behind the original privacy standards

But first a bit of history. Modern privacy law is a response to historical and technological developments of the second-half of the 20th century. The ability to collect, store and disseminate vast amounts of information about individuals through the use of computers was clearly chilling against the collective memories of the dreadful mass-misuse of information about people that Europe had experienced during WWII. Not surprisingly, therefore, the first data privacy initiatives arose in Europe, and they were primarily aimed at imposing obligations that would protect individuals from unjustified intrusions by the state or large corporations, as reflected in the 1950 European Convention for the Protection of Rights and Fundamental Freedoms.

Early international instruments

After a decade of uncoordinated legislative activity across Europe, the Organisation for Economic Co-operation and Development identified a danger: that disparities in national legislations could hamper the free flow of personal data across frontiers. In order to avoid unjustified obstacles to transborder data flows, in 1980 the OECD adopted its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. It’s worth underscoring that concerns about international data flows were already being addressed in a multinational context as early as 1980, with the awareness that a purely national approach to privacy regulation simply wasn’t keeping abreast of technological and business realities.

These OECD Guidelines became particularly influential for the development of data privacy laws in non-European jurisdictions. The Guidelines represent the first codification of the so-called ‘fair information principles’. These eight principles were meant to be taken into account by OECD member countries when passing domestic legislation and include: 1) collection limitation, 2) data quality, 3) purpose specification, 4) use limitation, 5) security safeguards, 6) openness, 7) individual participation, and 8) accountability.

A parallel development in the same area but with a slightly different primary aim was the Council of EuropeConvention on the Automated Processing of Personal Data adopted in 1981. The Convention’s purpose was to secure individuals’ right to privacy with regard to the automatic processing of personal data and was directly inspired by the original European Convention on human rights. The Council of Europe instrument sets out a number of basic principles for data protection, which are similar to the ‘fair information principles’ of the OECD Guidelines. In addition, the Convention establishes special categories of data, provides additional safeguards for individuals and requires countries to establish sanctions and remedies.
The different origins and aims of both instruments result in rather different approaches to data privacy regulation. For example, whilst the Convention relies heavily on the establishment of a supervisory authority with responsibility for enforcement, the OECD Guidelines rely on court-driven enforcement mechanisms. These disparities have been reflected in the laws of the countries within the sphere of influence of each model. So, for example, in Europe, privacy abuses are regulated by independent, single-purpose bureaucracies, while in the US, privacy abuses can be regulated by many different government and private bodies (e.g., the Federal Trade Commission at the Federal level, Attorneys General at the State levels, and private litigants everywhere). It’s impossible to say which model is more effective, since each reflects the unique regulatory and legal cultures of their respective traditions. Globally, we need to focus on advocating privacy standards to countries around the world. But we should defer to each country to decide on its own regulatory models, given its own traditions.

Current situation

Today, a quarter century later, some countries are inspired by the OECD Guidelines, others follow the European approach, and some newer ones incorporate hybrid approaches by cherry-picking elements from existing frameworks, while the significant majority still has no privacy regimes at all.

After half a decade of negotiations, in 1995, the EU adopted the Data Protection Directive 95/46/EC. The EU Directive has a two-fold aim: to protect the right to privacy of individuals, and to facilitate the free flow of personal data between EU Member States. Despite its harmonisation purpose, according to a recent EU Commission Communication, the Directive has not been properly implemented in some countries yet. This shows the inherent difficulty in trying to roll out a detailed and strict set of principles, obligations and rights across jurisdictions. However, the Commission has also made it clear that at this stage, it does not envisage submitting any legislative proposals to amend the Directive.

In terms of core European standards, the best description of what the EU privacy authorities would regard as “adequate data protection” can be found in the Article 29 Working Party’s document WP 12. This document is a useful and detailed point of reference to the essence of European data privacy rules, comprising both content principles and procedural requirements. In comparison with other international approaches, EU data privacy laws appear restrictive and cumbersome, particularly as a result of the stringent prohibition on transfers of data to most countries outside the European Union. The EU’s formalistic criteria for determining “adequacy” have been widely criticized: why should Argentina be “adequate”, but not Japan? As a European citizen, why can companies transfer your data (even without your consent) to Argentina and Bulgaria and other “adequate” countries, but not to the vast majority of the countries of the world, like the US and Japan? In short, if we want to achieve global privacy standards, the European Commission will have to learn to demonstrate more respect for other countries’ approach to privacy regimes.

But at least in Europe there is some degree of harmonisation. In contrast, the USA has so far avoided the adoption of an all-encompassing Federal privacy regime. Unlike in Europe, the USA has traditionally made a distinction between the need for privacy-related legislation in respect of the public and the private sectors. Specific laws have been passed to ensure that government and administrative bodies undertake certain obligations in this field. With regard to the use of personal information by private undertakings, the preferred practice has been to work on the basis of sector-specific laws at a Federal level whilst allowing individual states to develop their own legislative approaches. This has led to a flurry of state laws dealing with a whole range of privacy issues, from spam to pretexting. There are now something like 37 different USA State laws requiring security breach notifications to consumers, a patchwork that is hardly ideal for either American consumer confidence or American business compliance.

The complex patchwork of privacy laws in the US has led many people to call for a simplified, uniform and flexible legal framework, and in particular for comprehensive harmonised Federal privacy legislation. To kick start a serious debate on this front, a number of leading US corporations set up in 2006 the Consumer Privacy Legislative Forum, of which Google forms part. It aims to make the case for harmonised legislation. We believe that the same arguments for global privacy standards should also apply to US Federal privacy standards: improve consumer protections and confidence by applying a consistent minimum standard, and ease the burdens on businesses trying to comply with multiple (sometimes conflicting) standards.
A third and increasingly influential approach to privacy legislation has been developing in Canada, particularly since the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) was adopted in 2000. The Canadian PIPEDA aims to have the flexibility of the OECD Guidelines – on which it is based – whilst providing the rigour of the European approach. In Canada, as in the USA, the law establishes different regimes for the public and private sectors, which allows for a greater focus on each. As has also been happening in the USA in recent years with state laws, provincial laws have recently taken a leading role in developing the Canadian model. Despite the fact that PIPEDA creates a privacy framework that requires the provincial laws to be "substantially similar" to the federal statute, a Parliamentary Committee carrying out a formal review of the existing framework earlier this year, recommended reforms for PIPEDA to be modelled on provincial laws. Overall, Canada should be praised for encouraging the development of progressive legislation which serves the interests of both citizens and businesses well.

Perhaps the best example of a modern approach to the OECD privacy principles is to be found in the APEC Privacy Framework, which has emerged from the work of the 21 countries of the Asia-Pacific Economic Cooperation forum. The Framework focuses its attention on ensuring practical and consistent privacy protection across a very wide range of economic and political perspectives that include global powerhouses such as the US and China, plus some key players in the privacy world (some old, some new), such as Australia, New Zealand, Korea, Hong Kong and Japan. In addition to being a sort of modern version of the old OECD Guidelines, the Framework suggests that privacy legislation should be primarily aimed at preventing harm to individuals from the wrongful collection and misuse of their information. The proposed framework points out that under the new “preventing harm” principle, any remedial measures should be proportionate to the likelihood and severity of the harm.

Unfortunately, the co-existence of such diverse international approaches to privacy protection has three very damaging consequences: uncertainty for international organisations, unrealistic limits on data flows in conflict with global electronic communications, and ultimately loss of effective privacy protection.

New (interconnected) drivers for global privacy standards

Against this background, we are witnessing a series of new phenomena that evidence the need for global privacy standards much more compellingly than in the 70s, 80s or 90s. The development of communications and technology in the past decade has had a marked economic impact and accelerated what is commonly known as ‘globalisation’. Doing business internationally, exchanging information across borders and providing global services has become the norm in an unprecedented way. This means that many organisations and those within them operate across multiple jurisdictions. The Internet has made this phenomenon real for everyone.

A welcome concomitant of the unprecedented technological power to collect and share all this personal information on a global basis is the increasing recognition of privacy rights. The concept of privacy and data protection regimes has moved from one discussed by experts at learned conferences to an issue that is discussed and debated by ordinary people who are increasingly used to the trade offs between privacy and utility in their daily lives. As citizens’ interest in the issue has grown, so, of course has politicians’ interest. The adoption of new and more sophisticated data privacy laws across the world and the radical legal changes affecting more traditional areas of law show that both law makers and the courts perceive the need to strengthen the right to privacy. Events which have highlighted the risks attached to the loss or misuse of personal information have led to a continuous demand for greater data security which often translates into more local laws, such as those requiring the reporting of security breaches, and greater scrutiny.

Routes to the development of global privacy standards

The net result is that we have a fragmentation of competing local regimes, at the same time as we the massively increased ability for data to travel globally. Data on the Internet flows around the globe at nearly the speed of light. To be effective, privacy laws need to go global. But for those laws to be observed and effective, a realistic set of standards must emerge. It is absolutely imperative that these standards are aligned to today’s commercial realities and political needs, but they must also reflect technological realities. Such standards must be strong and credible but above all, they must be clear and they must workable.

At the moment, there are a number of initiatives that could become the guiding force. As the most recent manifestation of the original OECD privacy principles, one possible route would be to follow the lead of the APEC Privacy Framework and extend its ambit of influence beyond the Asia-Pacific region. One good reason for adopting this route is that it already balances very carefully information privacy with business needs and commercial interests. At the same time, it also accords due recognition to cultural and other diversities that exist within its member economies.

One distinctive example of an attempt to rally the UN and the world’s leaders behind the adoption of legal instruments of data protection and privacy according to basic principles is the Montreux Declaration of 2005. This Declaration probably represents the first official written attempt to encourage every government in the world to do something like this and this is an ambition that must be praised. Little further was heard about the progress of the Montreux Declaration until the International Privacy Commissioners’ Conference took place in November 2006 and the London initiative was presented. The London Initiative acknowledged that the global challenges that threaten individuals’ privacy rights require a global solution. It focuses on the role of the Commissioners’ Conference to spearhead the necessary actions at an international level. The international privacy commissioners behind the London Initiative argue that concrete suggestions must emerge in order to accomplish international initiatives, harmonise global practices and adopt common positions.

One privacy commissioner who has expressed great interest in taking an international role aimed developing global standards is the UK Information Commissioner. The Data Protection Strategy of the Information Commissioner’s Office published at the end of June 2007 stresses the importance of improving the image, relevance and effectiveness of data protection worldwide and, crucially, recognises the need for simplification.

Way forward

The key priority now should be to build awareness of the need for global privacy standards. Highlighting and understanding the drivers behind this need – globalisation, technological development, and emerging threats to privacy rights – will help policymakers better understand the crucial challenge we face and how best to find solutions to address them.
The ultimate goal should be to create minimum standards of privacy protection that meet the expectations and demands of consumers, businesses and governments. Such standards should be relevant today yet flexible enough to meet the needs of an ever changing world. Such standards must also respect the value of privacy as an innate dimension of the individual. To my mind, the APEC Framework is the most promising foundation on which to build, especially since competing models are flawed (the USA model is too complex and too much of a patchwork, the EU model is too bureaucratic and inflexible).

As with all goals, we must devise a plan to achieve it. Determining the appropriate international forum for such standards would be an important first step, and this is a choice that belongs in the hands of many different stakeholders. It may be the OECD or the Council of Europe. It may be the International Chamber of Commerce or the World Economic Forum. It may be the International Commissioners’ Conference or it may be UNESCO. Whatever the right forum is, we should work together to devise a set of standards that reflects the needs of a truly globalised world. That gives each citizen certainty about the rules affecting their data, and the ability to manage their privacy according to their needs. That gives businesses the ability to work within one framework rather than dozens. And that gives governments clear direction about internationally recognised standards, and how they should be applied.

Data is flowing across the Internet and across the globe. That’s the reality. The early initiatives to create global privacy standards have become more urgent and more necessary than ever. We must face the challenge together.

Friday, July 12, 2013

You can run, but you can't hide


Government surveillance is running amock, worldwide.  This is the sort of topic that Obama and I might have debated, when we were both idealists at our alma mater, Harvard Law School.  

Revelations about US government surveillance continue to surprise in their scale and scope.  We all now know that the NSA is hoovering up trillions of communications logs.  We all now know that there are essentially no legal protections of non-US citizens from US government surveillance.  We all now know that the FISA court, which is meant to provide judicial review of snooping on US citizens' communications, is little more than a rubber-stamp.  We all now know that US government spying is directed at friend and foe alike.  We all now know that the US government is bullying governments around the world to hand over the whistle-blower Snowden (forcing down the Presidential aircraft of a Sovereign State?), and most governments are collaborating meekly.  

As more people wake up to the idea of living in a Panopticon, one would think there would be a serious political debate about how to subject government surveillance to serious legal and judicial checks and balances.  Where's the serious debate about finally updating ECPA, so that emails sitting in users' accounts do not lose most effective privacy protections after they're more than 180 days old?  Where's the serious debate in countries around the world about their own governments' surveillance programs, not just about the Americans'?  e.g., the French privacy watchdog launched an investigation into foreign government surveillance, curiously excluding France's own recently-documented surveillance programs.   Where's the serious debate about whether Europe's much-debated privacy-law revamp has completely missed the boat by failing to address government surveillance?  Where's the serious debate about whether US government surveillance makes a mockery of the long-debated, long-negotiated US-EU Parliamentary accords over the privacy safeguards governing US government access to Europeans'  Passenger Name Records or SWIFT bank transfer data?


I have long had a healthy wariness about governmental abuse of power. In my personal life, I've had a taste of what a government can do to prosecute an innocent person, sentenced to jail for a non-crime, then acquitted, and still being put through a decade of criminal justice hell.  


If the Snowden revelations do not suffice to create the political momentum to impose meaningful legal and judicial checks on secret government surveillance, then we're all on an unstoppable trajectory towards total surveillance.  Or we can follow the lead of France's President, who expressed his outrage at revelations of US government spying by suggesting that trade talks with Les Americains should be subjected to a mid-July two-week delay.   Take that! 


Obama and I were at the same law school, and I recognize the skillset of my fellow Harvard Law School grad, where we were all trained in rhetoric, sometimes so empty that it would prompt even Ari Fleischer to zap (btw, no relation to me):  "It's like George Bush is having his fourth term..." 


Tuesday, July 2, 2013

Life in the Goldfish Bowl: Privacy in the Age of Government Surveillance


As each day goes by, there are new revelations of the scope and scale of government surveillance.  I had long known or suspected that all governments engage in secret surveillance, but the Snowden revelations are opening our collective eyes to how vast these operations have become.  The limits on government surveillance seem to be set less by law or ethics than by the limits of the technical infrastructure to collect, store and interpret data.  

The entire privacy profession needs to re-think its priorities in the Age of Government Surveillance.  How does our use and development of technology change if people come to feel (rightly or wrongly) that we are all just goldfish swimming in a bowl of government surveillance?  How do we ourselves change, in a basic sociological sense, if we think we're being watched?  Are we being watched?

The Snowden revelations are already having significant political impacts.  Already, European officials are threatening to abandon the proposed Europe-US Free Trade Agreement negotiations.  Already, people and institutions are re-assessing their trust in the US government.  

Over time, I think we'll see a few long-lasting global trends as a reaction to these revelations about government surveillance (regardless of whether any of these actually provide for enhanced privacy or not):
  • There will be more development and adoption of encryption technologies, in particular, end-to-end encryption, and other privacy-enhancing technologies.   
  • There may be a systemic decrease in trust and use of cloud-based services, like not trusting email with your sensitive communications. 
  • There will be a series of initiatives to demand local-data-storage and to restrict international data transfers for cloud services, just as there are already calls to rescind the EU-US Safe Harbor Agreement. 
  • There may be a series of trade-protectionist measures around the world in favor of local (i.e., non-US) companies.  
  • There will be a series of criminal prosecutions, around the world, against companies and individuals, who will be caught in classic conflict of laws scenarios:  testing whether their compliance with US legal obligations to comply with US government surveillance orders puts them in violation of other countries' privacy laws.
  • Finally, there will be citizen and civil society demands for increased government transparency and democratic control of surveillance programs,  Some governments will respond and some will not.
For those of us who have a deep love for a free and open Internet, and a deep love for transparent and democratic government, it's all sobering.  The ineluctable progress of technology means that the governments' abilities to capture, store, and analyze data will double roughly every 18 months, absent legal or political decisions to restrain it.    

Some government surveillance is necessary and appropriate for governments to carry out their responsibilities to protect and defend their national security, but there's a reason John F. Kennedy didn't say:  "Ich bin ein Ost-Berliner."