Monday, 20 April 2009

Facebook moves the goalposts

This week we've heard more rumblings of discontent from Facebook users - they're unhappy that the social networking site has moved the goalposts over the much-hyped "user vote" on changing Facebook's Terms and Conditions.

The story first emerged last February, when Facebook casually mentioned that it had granted itself a licence to all its users' content in perpetuity, even if they deleted their account. Cue a predictable collective wailing and gnashing of teeth from millions of users who, almost by definition, are pretty clued up on the web.

The backlash prompted a partial backdown from Facebook, which attempted to mollify its members by saying that it would agree to drop the proposal if 25 per cent of users voted against.

This week, that threshold has quietly been raised to 30 per cent. What's more, a significant number of Facebook users have been disenfranchised by the decision to allow votes only from those who've used their accounts in the last thirty days.

Simon Davies of Privacy International is so confident that the 30 per cent threshold won't be achieved that he's promised to eat his shorts if he's wrong. (As if there wasn't already a good enough reason to get voting - Ed.)

At the time of writing, 73.11% of respondents have voted against Mark's Terms of Use, but unfortunately "only" 284,473 have voted in total - barely a tenth of one per cent of Facebook's 200 million regular users.

So Zuckerberg is really expecting 60 million users to vote? And isn't he concerned that the respondents, while still so "few", should be so overwhelmingly opposed to his plan?

Here at Data Grub, we're rather disappointed with the preternaturally young Facebook CEO. Changing the rules like this is pretty childish, after all, and we reckon he could do much better.

Zuckerberg really needs to take lessons from a master manipulator, such as the late Saddam Hussein or even the Dear Leader Kim Jong-il himself. We'd love to see the People's Democratic Republic of Facebook announce that 99.8% of members had voted in favour of the rule change, on a 100% turnout.

Read Zuckerberg's plans for Facebook here.

Friday, 6 March 2009

Construction firms to mount the scaffold?

The information commissioner Richard Thomas has come down like a ton of bricks on a group of British builders who allegedly bought secret personal data about potential employees.

Construction companies Balfour Beatty, Sir Robert MacAlpine, Laing O'Rourke and Costain are among those alleged to have bought data about workers' trade union activities from one Kerr, Ian, operator of the shadowy-named "Consultancy Association".

Kerr has apparently spent 15 years amassing an "extensive intelligence database" of thousands of construction workers with details of union activities stretching back to the 1980s. Samples of comments on these workers include: "Poor timekeeper, will cause trouble, strong TU [trade union]"; "Sleeper, should be watched"; and, simply, "Do not touch!".

Workers could not challenge inaccurate information because the information was held without their knowledge or consent.

Richard Thomas says that more than 40 construction companies paid Kerr a retainer of £3,000 a year for his "consultancy services", with a further fixed fee for each worker they wanted checked.

The good news is that officials from the Information Commissioner's Office (ICO) raided Kerr's office and removed the entire contents of the database, as well as invoices - up to a value of £7,500 - from companies in the construction business.

Steve Acheson, an electrician from somewhere north of Watford, believes he was one of the workers on the database, and that this was behind the fact that he's only had 36 weeks' employment in the past nine years. "It affects your character and demeanour," he said. "I'm hoping that because of this brilliant success I'll be able to get my family life back and it will open the doors for me and others to get back to work."

Of course, this is all still sub judice, but the commissioner will be bringing a prosecution against Kerr. We'll keep you posted.

Data Grub is sure that Mr Kerr will be found innocent, because we cannot believe that anyone would be capable of such repugnantly unethical behaviour as robbing people of their livelihoods for personal profit.

(We should point out that some of the construction firms, including Laing O'Rourke and Morgan Est, say that they "inherited" payments to Kerr after they had bought up other construction companies, and have since ceased paying him. Data Grub.)

Thursday, 5 March 2009

IAB's Guide To Good Behaviour

We're pleased to see that the Internet Advertising Bureau (IAB), the trade body for online advertisers, has finally launched its Good Practice Principles for behavioural advertising.

Drawn up in collaboration with companies like Google, Phorm and NebuAd, the IAB's best practice guide is, remarkably, the first set of self-regulatory guidelines to set good practice for companies that use users' online browsing behaviour to target ads that are relevant to individual users' interests.

An accompanying website, http://www.youronlinechoices.co.uk/, will help consumers to understand what online behavioural advertising does and (crucially) doesn't do.

The core of the Principles is formed by three commitments: Notice, where companies that collect online data must inform users that data is being collected; Choice, which says that companies must provide an opt-out; and Education, whereby they must let consumers know exactly how the information is being used and how they can opt out.

And not before time, think we. The debate surrounding online behavioural advertising has for too long been dominated by single-issue campaigners relying on hearsay, misrepresentation and misinformation to argue that behavioural targeting infringes individuals' online privacy.

That's not to say that some developments (not least BT's secret and most-probably illegal trials of Phorm's Webwise technology without users' knowledge or consent) haven't done real damage to the industry in the eyes of the general public.

That's why we welcome the IAB's Good Practice Principles which, as well as advising on best practice approaches to online behavioural targeting, provide consumers with the information they need to make an informed decision about whether they want to take part in any new service.

The Information Commissioner's Office (ICO) have voiced their support, saying that 'a joined-up approach to promoting transparency, choice and education makes good sense.'

Getting the thumbs up from the ICO, who know their stuff, is one thing; changing the public's perception of online behavioural targeting is quite another, especially given the bad press that it's garnered over the last couple of years. Whether or not it succeeds in its aim of educating the public about behavioural targeting, the code of conduct is certainly a step in the right direction for the industry.

Taken along with another piece of recent news, we could be seeing something of a fightback from the targeted ad industry. Last week, Phorm unleashed its lawyers on Which?, which had published a press release highlighting opposition to their service. Nothing very surprising there, except that following the legal intervention, Which? immediately pulled the offending release from its website (though not before the story had been covered in several publications). It seems that some of the information in the release was inaccurate enough to be defamatory; Which? is now "working with Phorm" to correct the release.

If consumer champions and all-round experts Which? can't get its facts right, what hope for your average Internet user? That's one reason, at least, to welcome the IAB's new code of practice.

Thursday, 26 February 2009

David's Damascene Conversion

Here at Data Grub we’ve so far held off from writing about ID cards, in part because this long-running saga has been so comprehensively covered in most mainstream media.

But we couldn’t let the Rt Hon David Blunkett get away with Tuesday’s speech at, of all places, Essex University. Blunkett, the original panegyrist of ID cards in this country, used his speech in part to propose scrapping compulsory ID cards.

So, what prompted David’s Damascene conversion, especially given that he’s often expatiated on the benefits of ID cards in his News of the World column and was at one point trousering a decent sum as adviser to Entrust, a company interested in bidding to run the UK card scheme?

Well, let’s not get ahead of ourselves. Blunkett went on to recommend that all UK citizens be required to have a fancy biometric passport which is, in effect, an ID card with a handy notebook attached for shopping lists. (Let’s be honest, when was the last time Bermondsey Bob needed a visa?)

Blunkett proposes that ID cards be voluntary but that biometric passports – which contain exactly the same information and will be linked to exactly the same database – will be compulsory. That way, the government can spin ID cards as a handy “mini-passport” that fits snugly into your wallet.

But even if compulsory passports are merely ID cards in disguise, one wonders what his rationale is for jumping horses now, especially given that the current Home Secretary is still keen on the cards. Could it be that he wants the law on the statute books before the Tories’ inevitable election in 2010?

Blunkett and his successors have been trying to make ID cards mandatory for donkeys’ years, but couldn’t do so until a large proportion of the population started carrying them voluntarily.

That’s clearly not going to happen in the next 12 months; but plenty of people have passports – make them compulsory and you’ve got your ID database system sorted.

Of course, all this completely ignores the question of whether ID cards might not, in fact, be quite a Good Thing after all. In spite of the government’s claims that they will prevent benefit fraud and halt terrorists in their tracks, Data Grub remains to be convinced of their utility.

Should Jacqui Smith decide to take Blunkett’s advice by making passports compulsory, it’ll be interesting to see if she employs the traditional ID card arguments (fraud, terrorism) or if Labour spins it some other way.

Watch this space.

Tuesday, 10 February 2009

Clayton makes a suggestion

Enough has been written about the House of Lords' report into surveillance in Britain, so today we'll be returning to Microsoft's latest version of Internet Explorer.

We've written previously about IE8's notorious InPrivate function, the sole purpose of which is to keep the wife from knowing about the surprise holiday / present you've bought for her online. According to Microsoft, anyway. Let's face it, they weren't going to dub the function "PornCloaking+" were they?

But still, there's nothing inherently evil about InPrivate.

What does cause concern is IE8's "Suggested Sites" feature, which allows users (in Microsoft's words) to "discover websites you might like based on sites you've visited". By activating the service in your browser, you consent to send various data about your browsing activity to Microsoft. This could include the URLs of visited sites, search terms and form data, as well as information that could potentially identify individuals, such as a user's IP address.

It's the classic trade-off: you agree to give up personal data in return for a service. But since users are fully aware of what data they'll be giving up and are able to give their informed consent to the service, this shouldn't present a privacy problem, should it?

Unfortunately for Microsoft, Suggested Sites has attracted criticism from the esteemed Richard Clayton, the Bill Bryson-lookalike and doyen of Internet privacy campaigners.

Dr Clayton says Microsoft must be clearer about explaining the risks, as well as the potential benefits of the service. He points out that full URL sharing via Suggested Sites poses a privacy and security risk and in particular warns that Microsoft should avoid sharing data submitted by surfers with other users of the service.

The risks hinge upon the fact that Microsoft will get the full URL of the site you visit. In some cases, this is essential - knowing that you visited blogger.com ain't going to help Steve Ballmer to suggest sites, but a visit to blogger.com/animals-do-the-funniest-things will help him to point you in the direction of some cutesy squirrel pics.

But sometimes, a full URL may hold clues to your identity, give permissions to others to access the site, or compromise your privacy or security in some other manner, says Clayton.

It's not so much that a Microsoft employee might one day go rogue and start stealing these sensitive URLs; it's the possibility that Microsoft hands the URL to someone with similar tastes and these users visit the exact places that you go to. "Suddenly all that 'security through obscurity', the pious hope that no one could possibly guess that URL, goes up in smoke," says Clayton.

Dr Clayton is a Cambridge academic and an eminently sensible, if somewhat cautious, voice in a debate which is all too often conducted by shrill, ignorant or ill-informed commentators.

Clayton doesn't want to score cheap points by gratuitously slating Microsoft - he merely points out that they could do better, by minimising the data transfer, and only obtaining longer URLs for the sites, like blogger.com, where it actually matters.

In the meantime, they should be honest and transparent about the potential risks.

But Clayton's comments do have a silver lining for Microsoft: he points out that selecting the InPrivate mode automatically disables Suggested Sites, even if users have opted in. So, at least they can claim another alternative use for Pr0n-Mode...
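
Clayton's suggestion of minimising the data transfer, sketched as an added example (this is not Microsoft's code and not part of the original post): a history report is cut down to scheme and host unless the host is one where the path actually matters, and even there the path is truncated at the first segment that looks like an unguessable token. The function name, the allowlist and every sample URL except the blogger.com one are assumptions made for illustration.

```javascript
// Added example: minimise a visited URL before it is reported to a
// recommendation service. All names and sample URLs here are constructed.

// Hosts where the path distinguishes one site from another (the post's
// blogger.com case). Hypothetical allowlist.
const PATH_MATTERS = new Set(["blogger.com"]);

// Heuristic for an "unguessable" path segment: 16+ hex characters, or 16+
// alphanumerics mixing letters and digits. Hyphenated slugs do not match.
const TOKEN_LIKE = /^(?:[0-9a-f]{16,}|(?=.*\d)(?=.*[a-z])[a-z0-9]{16,})$/i;

function minimiseUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null; // unparseable input: report nothing
  }
  // Only web pages are reported; file:, about:, etc. never leave the machine.
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;

  const host = u.hostname.replace(/^www\./, "");
  // Default case: scheme and host only. Query string, fragment, port and
  // any user:password part are dropped by construction.
  if (!PATH_MATTERS.has(host)) return `${u.protocol}//${u.hostname}/`;

  // Allowlisted host: keep the path, but stop at the first token-like
  // segment so a secret link is not handed on to other users.
  const kept = [];
  for (const seg of u.pathname.split("/").filter(Boolean)) {
    if (TOKEN_LIKE.test(seg)) break;
    kept.push(seg);
  }
  return `${u.protocol}//${u.hostname}/${kept.join("/")}`;
}

// Constructed sample history, run through the minimiser.
const SAMPLE_HISTORY = [
  "http://blogger.com/animals-do-the-funniest-things",
  "https://photos.example/album/9f8a7c6b5d4e3f2a1b0c?share=1",
  "https://user:pw@mail.example/reset?token=abc123",
  "https://www.blogger.com/private/3f9c2a7be01d4c55a8e2/draft?id=7#top",
  "file:///C:/Users/me/notes.txt",
];

function minimiseHistory(urls) {
  return urls.map(minimiseUrl).filter((u) => u !== null);
}

console.log(minimiseHistory(SAMPLE_HISTORY));
```

The token pattern is a heuristic and will miss secrets that look like ordinary words, which is why the default for every host outside the allowlist is to send no path at all.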

Thursday, 29 January 2009

A day for quiet reflection

Yesterday was European Data Protection Day; this blog held a day's silence as a gesture of respect to the millions of pieces of personal and sensitive data that have been lost in the last year.

Across the continent people gathered in their hundreds of thousands, coming together in their workplaces, in their communities, in the fields, in the hills and in the streets, to mark this most solemn and momentous day of data.

I need not tell you what an emotional day it was for us all.

Some of us may have brushed aside manly tears as we reflected on the 182 per cent rise in card cloning and phishing in the second quarter of 2008 compared with the same period in 2007; others may have stifled their sobs over the $2.8bn cost of phishing attacks; still more wept - openly and without shame - for the 44 per cent of small businesses that have fallen victims to identity fraud through phishing, internet scams and data theft.

But all were united in their fervent hope that 2009 finally marks the year when the UK's government pulls its bloody finger out and puts a stop to departments' haemorrhaging of our personal and sensitive data.

Fat chance...

Friday, 23 January 2009

A load of nonce-sense

If the first law of marketing is that sex sells, the first rule of tabloid journalism is that paedos shift papers.

Things may have quietened down a bit since the 2000 moral panic, when the News of the World whipped up a hysterical mob of mouth-breathing simpletons into an orgy of vigilante violence, but tabloid editors still know that their barely-literate readers love a good “hate” almost as much as a new Lizzy Duke sovereign ring.

So it’s no surprise to see yet another paedo story in today’s Sun, with the baffling headline: “Internet pervert charges rap”. In a nutshell, the story concerns comments made by the chief executive of the Child Exploitation and Online Protection (CEOP) Centre which "slammed" (criticised) Internet Service Providers (ISPs) for charging child abuse investigators to access their data.

The way that the Sun spins it, cynical ISPs are making an easy profit from the authorities hunting down Britain's biggest nonces. Naturally, the Sun is sympathetic to CEOP’s chief executive, Jim Gamble, who believes that ISPs should waive these charges in the public interest.

Balance has never been the Sun’s strongest suit. If it were, they would have pointed out that under the Regulation of Investigatory Powers Act (RIPA) ISPs are entitled to charge the police for reasonable costs for data retrieval and that in the last four years, the Government has paid ISPs and telcos £19m for its agencies’ growing demands for access to communications data. This information was obviously deemed by the Sun to be of no interest to its audience, even to its more intellectual readers who don’t need to use their index fingers to read a newspaper.

Interestingly, CEOP’s share of this £19m amounts to around £170,000 – less than one per cent of the total paid to ISPs. With CEOP having made just shy of 10,000 requests, the average cost of each request works out at less than £18.

Why, then, is the Sun focused purely on paedophile investigators, when all regular police forces and government agencies are charged, fairly and under UK law, for using ISPs’ time and resources?

As Malcolm Hutty, policy chief at the London Internet Exchange (Linx) points out, "Regular police forces investigate extremely serious crimes using communications data, including murder, rape and kidnapping, and they believe they are better served by cost recovery. We don't believe that the situation becomes different for child abuse cases merely because they are investigated by a specialist national unit."

But here we come to the second law of tabloid journalism: never let the facts get in the way of a good story.