thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Thursday, May 24, 2007

Privacy Self-Regulation and the Changing Role of the State

My new working paper is just out. I have looked at the changes in the regulation (or "governance") of data protection, with a special focus on the different forms of new governance mechanisms. Building on Lawrence Lessig's work on "Code and Law" and also on previous research on the governance of privacy done by Colin Bennett and Charles Raab, I distinguish between social codes (contracts, self-regulatory schemes etc.) and technical codes (privacy-enhancing technologies). This is the abstract:
Privacy Self-Regulation and the Changing Role of the State. From Public Law to Social and Technical Mechanisms of Governance

This paper provides a structured overview of different self-governance mechanisms for privacy and data protection in the corporate world, with a special focus on Internet privacy. It also looks at the role of the state, and how it has related to privacy self-governance over time. While early data protection started out as law-based regulation by nation-states, transnational self-governance mechanisms have become more important due to the rise of global telecommunications and the Internet. Reach, scope, precision and enforcement of these industry codes of conduct vary a lot. The more binding they are, the more limited is their reach, though they – like the state-based instruments for privacy protection – are becoming more harmonised and global in reach nowadays. These "social codes" of conduct are developed by the private sector with limited participation of official data protection commissioners, public interest groups, or international organisations. Software tools - "technical codes" - for online privacy protection can give back some control over their data to individual users and customers, but only have limited reach and applications. The privacy-enhancing design of network infrastructures and database architectures is still mainly developed autonomously by the computer and software industry. Here, we can recently find a stronger, but new role of the state. Instead of regulating data processors directly, governments and oversight agencies now focus more on the intermediaries – standards developers, large software companies, or industry associations. And instead of prescribing and penalising, they now rely more on incentive-structures like certifications or public funding for social and technical self-governance instruments of privacy protection. The use of technology as an instrument and object of regulation is thereby becoming more popular, but the success of this approach still depends on the social codes and the underlying norms which technology is supposed to embed.

Friday, May 18, 2007

Identity and the Government - the missing link 2.0

Update: Phil Windley notified me that I misunderstood him (corrected below). I still wonder where the links between governments' activities around online identification and the internet identity developments from the geek and corporate communities are being discussed and thought through. Any hints?

The identity 2.0 folks don't think about government-issued identity cards and the developments going on in Washington and other capitals. At the end of the Internet Identity Workshop that just took place in Mountain View (California), its organizers Kalyia Hamlin and Phil Windley gave an interview to the video podcaster Eddie Codel from LunchMeet ("meeting geeks over lunch"). With one question, he hit the mark of what I as a political scientist am interested in:
How do the identity issues that are being adressed here and are being worked on related to the national level - government, passport control, national id card, that kind of stuff? Can what we do here influence that?
The answer from Phil:
Conceptually, there are certain relationships. And certainly, if you ask people here, they would [not: don't, RB] have opinions on that. What tends to be worked on here tends to be fairly specific to the user-centric identity.
If we agree there is a conceptual link, then people might want to start thinking about this a bit deeper. I mean, has anybody ever heard of code and law and all the rest? It seems that there still is too much of a distance between the West coast geeks and the East coast politicos, at least in the identity field. I am waiting to see what happens when the U.S. congress starts enacting laws that regulate online identity, like this one. Will Identity Commons open an office in Washington like the EFF did last year - finally?

Wednesday, May 16, 2007

Icons of Privacy

Analogue to the Creative Commons licenses that use lawyer-readable, machine-readable and human-readable formats, there has been some movement towards developing a similar approach for data privacy. The P3P protocol already combined the lawyer-readable plus machine-readable approaches, and the privacy bird browser extension was a first raw attempt to graphically display if a web site's P3P privacy policy is conform with your own privacy preferences.

More recently, there have been attempts to design more meaningful icon sets that symbolize the different uses of personal data by web services. The first example I am aware of was presented by Mary Rundle from the Identity Commons Working Group on Identity Rights Agreements last year at the UN Internet Governance Forum (see the pdf of her presentation here, the icons and the idea are on slides 7 and 8).

Now (apparently inspired because I told him about this), Matthias Mehldau from the popular German blog has designed a whole set of private data usage symbols. It's spreading heavily in Germany's blogosphere at the moment, and he calls for designers and privacy experts to develop this version 0.1 further. It's licensed under a creative commons by (not: nc) license. Click on the picture to enlarge.

Disclaimer: I also blog at

Update, 6 November 2009: Christopher Parsons from the University of Victoria is now also thinking about this. Worth a read.

Update, 14 January 2010: Now some folks around in Washington, DC are also working on this.

Update, 3 October 2012: Alexander Alvaro, liberal Member of the European Parliament and in charge of the upcoming data protection regulation for his group, has proposed privacy icons in a conceptual blogpost titled "data protection lifecycle management".

Update, 7 October 2012: Aza Raskin presents the alpha release of an icon set based on the work around the activities.

Update, 9 October 2012: The rapporteur of the European Parliament for the new data protection regulation, Green MEP Jan Philipp Albrecht, has endorsed the idea of layered policies and privacy icons in his Working Document 2, which summarises the state of debate in the lead civil liberties committee. Disclaimer: I am senior policy advisor for him and work on data protection, among other things.

Update, 22 November 2012: The icon set from Mozilla has been finalised in a hackathon. A few hundred websites' privacy policies have already been categorised and inconised. Several browser plugins now allow you users to get a quick overview of which data is collected, for how long, and what happens with it: Firefox, Safari, Chrome.

Update, 14 January 2013: I just discovered another icon set, this time from May 2012 and from some folks at Yale University.

Tuesday, May 15, 2007

CardSpace's Privacy Problems - now confirmed at OECD

Ben Laurie reports this interesting exchange of opinions on how Cardspace is breaking the (privacy-enhancing) "Laws of Identity", developed by Microsoft's Cardspace architect Kim Cameron:
At this OECD workshop on identity management, Fred Carter, of the Office of the Information and Privacy Commissioner, Ontario, spoke on “Functional Requirements for Privacy Enhancing Systems”. At one point he listed privacy protecting identity management systems, which he broadly defined as those following Kim’s seven laws. The list was short, just PRIME and Credentica … note the absence of CardSpace. So, I just had to ask: “does this mean that you believe CardSpace does not obey the seven laws?”. His reply? “Yes”. Chris Bunio, a Senior Architect for Microsoft, was present. He did not dispute the claim.
More detailed explanations are in Ben's new paper on selective disclosure.

I would add: While Cardspace, if implemented in a specific way, can be privacy-enhancing (much better than the Liberty stuff), the recent moves towards convergence with OpenID will weaken the privacy features of the system. And it will make the normal users think that one ID system is just like the other, so they can directly pick the totally privacy-unfriendly OpenID, which gets much more and broader attention at the moment.

Privacy and Identity debate gains more traction

A few nice things happened in the last weeks that make me hope the privacy and identity camps are converging. Maybe not on common positions yet, but in common discussion spaces at least:

First, Dick Hardt from Sxip Identity was in Germany and says:
Identity is a hot topic in Germany. The first European Identity Conference started today, and I am giving a keynote tomorrow morning. The Germans seem very sensitive to invasion of privacy (...).
In a video interview the Elektrischer Reporter did with him, the latter raised some concerncs I had voiced the week before. Nice to see this is being picked up.

Then, Udo Neitzel and I went to Montreal to the Computers, Freedom and Privacy conference, where we spoke on two panels about privacy and identity, together with folks from the privacy world (Gus Hosein from Privacy International, Caspar Bowden from Microsoft) and the identity crowd (Paul Madsen from Liberty, Cristian Pacquin from Credentica). Kim Cameron from Microsoft was giving a keynote, and "Identity Woman" Kaliya Hamlin was actively taking part (she should have sat on at least one of the panels herself - Wired by the way calls her a "privacy activist"). We had interesting discussions on OpenID as "Baby SAML" or how Microsoft's moves towards OpenID and using Cardspace for federation will make their system even less privacy-enhancing. Kim seemed not convinced, but at least we got him thinking. More importantly, the old privacy and crypto gurus at CFP finally seem to understand that identity management is something they really, really should care about more.

Stefan Brands is again on the forefront of this development. He just published a new research paper that attempts to bridge the privacy and identity camps. This is from the conclusion:
Contrary to popular misbelief, identification and privacy are not opposite interests that need to be balanced. Advances in modern cryptography allow for the construction of compact user identifiers that combine all the benefits of noncertified self-generated identifiers with those of certified user identifiers while eliminating all of their respective drawbacks. It may be too much to ask that legislators, systems designers, and privacy activists intimately familiarize themselves with these modern technologies for user identification. However, it is important that they take note of their capabilities, in order to avoid stretching preconceived notions about identification and privacy that hold true in the physical world into the electronic world, where they no longer hold.

Tuesday, May 01, 2007

Identity 2.0 in TV 2.0

The great German video podcaster Mario Sixtus a.k.a. "The Electrical Reporter" did an interview with me on digital and analogue identity management and the problems I see with recent developments in this field. Only German, I'm sorry.