Mark's Digital Media and Tech Law Column

Mark Leiser: I am a PhD Candidate in Cyber Law at the University of Strathclyde in Glasgow. I have written submissions for the Leveson Inquiry into the culture and ethics of the media and for the Scottish Parliament on the use of social media during trials. My PhD is supervised by Professor Andrew Murray at the London School of Economics and focuses on the effectiveness of cyber-regulation. My research and interests revolve around main areas of Internet law and policy including internet governance & regulation, democracy, social media, privacy, and intellectual property. My PhD research focuses on developing a system of modelling to measure the effectiveness and legitimacy of Internet Regulation. I write in a personal capacity.

23 April 2014 - 11:05am | posted by | 2 comments

HMRC's data selling plan is an exercise in contextual privacy


The government’s revenue collecting service has announced that it is going to sell anonymous personal data to commercial entities for money.

Again the privacy advocates have gone ape, arguing that the government is making money “off of me and you”. I have read numerous accounts of how this would work and, like most stories in the online environment, they are poorly researched, scaremongering, and devoid of any critical analysis, as they essentially reword each other’s press releases.

First of all, HMRC never said it was going to sell personal data; it said it may explore the plan to sell data. I put this down to the average punter having the common misconception that people actually own their personal data – you don’t. You give people the right to process your personal data and they own it. They trade in advertisers and, let’s face it, the 21st century has largely seen its economic growth come from the growth in contextual and advertising sales. Already the chatrooms are awash with misinformation and speculation – from George Osborne “getting back at the lower classes for the expenses scandal” to “it’s a conspiracy to profit once more off of the poor”.

HMRC stated from the get-go that "this must be done only where there are sufficient safeguards in place to protect taxpayer confidentiality". And herein is where the problem lies. There is significant concern that small segments of anonymised data when put together will give businesses, without any real incentives to keep data safe, the ability to identify the user from the data that HMRC sells for a profit.

I am an advocate of the view that information privacy must be understood in its social context; our understanding of privacy needs to come from analysis of the way we behave in the real world. And we should do this by analysing behaviour about the way we react to data transfers. Our policies must relate to practical application rather than be protectionist and paternalistic in nature. People complain about inappropriate, improper sharing of information rather than the sharing of information itself. Privacy concerns should not really be about control over personal information; information should be distributed according to agreed social norms and contexts. I don’t think people mind sharing their personal data with Google – as long as the return for doing so is simply anonymised advertisements based on our search and browsing history. When Google is passive in protecting our data from government spooks it crosses a proverbial line.

There are basic distinctions between the public and private sphere. The last couple of decades have seen the amalgamation of one into the other as more and more public functions have been outsourced into the private sector. We are also venturing into an exciting era of big data – an opportunity to analyse some of our largest problems and develop solutions with a level of empirical certainty. As the 20th century was the theoretical century, the 21st will be an empirical one. The problem is that our current privacy policies obscure more than clarify and the panic over these ideas only adds to the argument that we need to have a rethink about how contemporary information services should function.

HMRC will be sitting on an absolute goldmine of data. The New York Stock Exchange captures one terabyte of trading information every trading session. I would imagine that HMRC probably comes close to that, although the data will be much more varied.

Big data, as the name suggests, is a collection of data sets so large and complex that it becomes difficult to manage, and therefore understand, using traditional hands-on database processing and data management tools. Think of it through the four Vs - velocity, volume, veracity and variety. There are currently 18.9bn internet connections. If each one of them sent a simple word identifying their present emotional state, there would be a lot of sorting through to identify any trends or to understand the collective mood of the connected world. Analysing this trove of data could be an incredibly beneficial tool for helping identify trends. Big data scientists claim analysing this data will help solve some of the country’s most difficult issues, like welfare distribution and social empowerment to the disenfranchised. Resources can be allocated during natural and man-made disasters to those on disability benefits and provide better understanding as to the impact of development and urban planning.

Like everything technological, the utopians of societal advancement are met with the protectionism of cyber-sceptics like Emma Carr, deputy director of Big Brother Watch who said: "Given the huge uproar about similar plans for medical records, you would have hoped HMRC would have learned that trying to sneak plans like this under the radar is not the way to build trust or develop good policy.

"Given those who abuse personal information cannot be sent to jail this is yet another instance where Government should be putting proper protections in place before any more data is shared, rather than just hoping nothing goes wrong. Given the sensitivity of people's financial records it is clearly an inadequate and dangerous approach to take."

We have a right to privacy, but it is not a right of control. We don’t own our personal information and shouldn’t expect to restrict access to that information. As social norms change and conventions develop through local and general values, ends, and purposes, over time these conditions will change and the norms will evolve. But momentous changes like data scraping and HMRC seeking new revenue sources will result in knee-jerk reactions.

The rapid adoption and infiltration of digital information technologies and technology-based systems will often result in a deep division between experience and expectation. When a division comes from radical change in the flows of personal information, it is experienced and protested as a violation of privacy. I would adopt Professor (and President Obama’s former regulatory czar) Cass Sunstein’s analysis and identify this as a moral heuristic – a moral principle is violated in some way, causing a sort of uneasy reaction which results in systematic errors relative to the way we feel about privacy. Here, the moral principle offended is, “one should not make money off of my personal data”. It is a personal affront to think that someone could make money off of my personal data without me being compensated for it. However, when placed in a rational context, it is suggested that most people would be comfortable with the benefits aforementioned.

Notice that Ms Carr is not actually voicing opposition to the sharing of personal data as HMRC plan to do, but rather not having the proper protections in place before any more data is shared! A safe, secure framework for transferring the data is the concern here, not the plan to sell the data.

The question still remains to be determined whether the benefits will outweigh the risk.


Comments

24 Apr 2014 - 08:30
tim2040

One of the problems - after care.data - is that no-one can be certain that HMRC will be honest about or even aware of the risks. Insisting that the data will be anonymised would be adequate reassurance for any rational person if it were also true. I care passionately about what happens to my identifiable data, but I don't care if Tesco mash up my purchasing history in their stores with everyone else's with a view to flogging products to people like me. The problem is that HMRC will probably be selling data that is reidentifiable, and they'll refuse to be realistic about that. They'll try to have a debate about anonymised data, and that won't be an honest debate.

If they said that there was a possibility of reidentification, explored the implications, and then consulted on what people thought about that, at least they'd start a more realistic conversation.

24 Apr 2014 - 14:30
richa10382

This article is as deeply flawed as any 'scaremongering' one it attempts to rebut. Most data is normally processed on the basis of consent given to the processor, although not in this case because of the legal requirement. Still, personal data once given for one purpose (tax collection) should not be processed for another, incompatible purpose.

If it can be anonymised - then it ceases to become personal data and can be traded without restriction. However, it has been repeatedly shown that true anonymisation - especially when data is combined with that from other sources, is very difficult to achieve. As pointed out above - the govt. has a poor track record in this regard.

There is also a huge societal risk here. If significant numbers don't trust this sale, they won't be truthful in giving their data in the first place, and that could lead to significantly lower tax revenues.

There could be a lot of problems if these proposals go ahead.

