Thursday, 27 June 2013

TTIP: how to lobby the EU and US, etc – Sidley cloud computing roundtable

TTIP

At the June Sidley cloud computing roundtable, held under the Chatham House Rule, one major topic discussed was the proposed EU-US Transatlantic Trade & Investment Partnership, aka TTIP.

In TTIP, both cloud computing and data protection law will be horizontal issues spanning specific areas such as financial services, telecommunications services, computing services and global standards. It isn’t yet clear how the draft Data Protection Regulation will affect TTIP, or indeed vice versa.

However, in terms of lobbying the EU and US on TTIP, a very helpful outline was given by Yohan Benizri. Some of this may seem self-evident, but I think it’s still useful to set it out.

Participating in consultations is very important, but that’s not in fact the most effective tool available to stakeholders. It seems that direct engagement with negotiators is more likely to lead to better results.

TTIP negotiators, on the European Commission side, will include Ignacio Garcia Bercero and Damien Levie, in DG Trade (under De Gucht), but other DGs, such as DG Connect and Justice (for cloud and privacy/data protection issues) will also be involved. DG Trade is playing a leading role, but positions and text will be developed in close cooperation with other DGs.

On the other side of the Atlantic, Dan Mullaney will probably be the key person, working with Mike Froman (USTR).

The best approach, again at the risk of stating the obvious, is to explain the issues and their (even if speculative) potential implications, and then suggest draft text or drafting changes to address those issues. In other words, don’t just raise the problem, but offer a possible solution too.

Forming ad hoc coalitions of organisations with common interests may also be useful, to voice collective concerns to both the EU and US sides. Indeed, suggesting the same text to both USTR and EU may help.

Other topics

More generally regarding the draft Data Protection Regulation, some EU governments have reportedly expressed the view that the draft legislation might not go through at all, because the vast gulf between the Council and the European Parliament makes agreement between them, at least within the next year or so, seem unlikely. (Of course, others have also expressed this view, eg Chris Pounder at Amberhawk, with Lionel de Souza at Hogan Lovells reporting the French government’s serious reservations about the draft Regulation.)

Also discussed at the roundtable were the EU cloud strategy including cloud standards; and competition law issues, notably the actions against Google in relation to search (and now see Google’s subsequent blog on the subject).

Full disclosure: I gave the firestarter presentation on the EU cloud strategy at this roundtable. I used to work for Sidley. But Sidley didn’t pay me for my participation, or for this blog. This blog is, obviously, mine alone.

Monday, 24 June 2013

Personalised pricing exists, dear OFT

The OFT's report on personalised pricing, which came out in May, said there was no evidence 'that retailers use information collected about individuals to offer higher prices to specific customers', eg websites tailoring their prices to the individual or adjusting prices based on visitor behaviour.

Actually, there is evidence. Due to being away, I couldn't respond to their call for information before the deadline. But now I want to recount my experience last year with a well-known travel web site. It should be reproducible, if the OFT or anyone else wants to try it (maybe not from an OFT IP address, in case they're smart enough to try to detect that and adapt!).

Search for a particular flight on a large travel site, eg from London to city X between particular dates and maybe back too. Select the dates etc, then note down the price quoted. Don't delete your cookies.

Next day (or maybe a few hours later), go back to the site using the same browser. Now, repeat the same search and selections. You'll find that the price quoted may well be higher. You might think, oh well, it's just because general prices have changed in those few hours? Think again.

Try this. Delete your cookies (and clear your browser cache for luck), then repeat the same search and selections, or else do so in a different browser which you haven't used before to visit the same site. You may find that the price is back to the original price!

This happened to me when I was searching for flights last year. I tried it again with different options, and had similar results, days later - ie higher prices on repeat searches, unless I had deleted cookies first. So this is certainly evidence that some sites are using personalised pricing at least some of the time.
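The three-step test described above (quote, repeat with the same cookies, repeat with cookies cleared) can be scripted so the comparison is mechanical rather than eyeballed. The following is an added example, not code from the original post: it runs the test against a constructed local mock of a travel site that tags each visitor with a cookie and raises the quote on repeat searches from the same cookie. The route name, prices and markup are invented for the example; against a real site you would replace the mock URL with the site's search URL and parse the price out of the HTML instead of the mock's plain-text reply.

```python
"""Scripted version of the repeat-search price test, against a local mock site."""
import http.cookiejar
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

BASE_PRICE = 180    # constructed: first-visit quote for the route
REPEAT_MARKUP = 25  # constructed: added for every repeat search by the same visitor


class PricingHandler(BaseHTTPRequestHandler):
    """Constructed mock of a site that prices by visitor cookie, not by market."""
    visits = {}  # visitor cookie value -> number of searches already seen
    next_id = 0

    def do_GET(self):
        route = parse_qs(urlparse(self.path).query).get("route", [""])[0]
        visitor = None
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "visitor":
                visitor = value
        extra_headers = []
        if visitor is None or visitor not in PricingHandler.visits:
            # unknown browser: issue a fresh tracking cookie, quote the base price
            PricingHandler.next_id += 1
            visitor = f"v{PricingHandler.next_id}"
            PricingHandler.visits[visitor] = 0
            extra_headers.append(("Set-Cookie", f"visitor={visitor}; Path=/"))
        seen = PricingHandler.visits[visitor]
        PricingHandler.visits[visitor] = seen + 1
        price = BASE_PRICE + REPEAT_MARKUP * seen  # returning searchers pay more
        body = f"{route}:{price}".encode()
        self.send_response(200)
        for name, value in extra_headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging
        pass


def quote(base_url, route, jar):
    """Fetch one quote using the given cookie jar (the 'browser state')."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(f"{base_url}/search?route={route}") as resp:
        return int(resp.read().decode().split(":")[1])


def run_price_test(base_url, route="LHR-X"):
    """Steps from the post: quote, repeat with same cookies, repeat with cookies cleared."""
    jar = http.cookiejar.CookieJar()
    first = quote(base_url, route, jar)                         # step 1: note the price
    repeat = quote(base_url, route, jar)                        # step 2: same browser, cookies kept
    fresh = quote(base_url, route, http.cookiejar.CookieJar())  # step 3: cookies deleted
    # A general price move would show up in 'fresh' too; a rise that vanishes
    # once the cookies are gone points at the cookie, not the market.
    return {
        "first": first,
        "repeat": repeat,
        "fresh": fresh,
        "personalised": repeat > first and fresh == first,
    }


def start_mock_server():
    server = HTTPServer(("127.0.0.1", 0), PricingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, url = start_mock_server()
    print(run_price_test(url))
    server.shutdown()
```

Clearing cookies only defeats cookie-keyed pricing; a site could equally key on your IP address, your login or a browser fingerprint, so a clean result from step 3 rules out the cookie, not personalisation in general. Running the fresh-cookie quote from a different network address as well narrows that down further.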

I've had a similar experience on Amazon where a repeat search did not reveal that the price had been lowered for that product, but searching via a different browser showed a price decrease. However, it could have been a coincidence in that case, as I've not been able to reproduce that, though a friend has reported similar experiences. All this does mean that when I search on Amazon I'll make sure I'm not logged in first, and will be clearing cookies in between searches even if I have to log in to complete a purchase.

So, beyond the OFT's letter to over 60 'leading online businesses', there's lots more that the OFT could investigate, if they want to try mystery shopping. I hope they will. This isn't just a data protection issue, it involves consumer protection more generally too.


Monday, 17 June 2013

Twitter's 2FA login verification: more security, less privacy from Twitter?

Twitter's recent rollout of two-factor authentication (which it called 'login verification') may help a bit (not necessarily!) to protect your Twitter account against being hacked. But beware - it will give Twitter rights to use your mobile phone number, even if you don't tweet using your smartphone.

This is why. When you go to your Twitter account settings and scroll down to Account security, it says you must add a phone to your Twitter account in order to require a verification code for sign in:

[image: Twitter's Account security settings, stating that a phone must be added to the account before a verification code can be required at sign-in]

Notice that Twitter's "add a phone" page says nothing about what Twitter can do with your mobile or cellphone number:

[image: Twitter's "add a phone" page]

So let's look at Twitter's privacy policy to see what they can do with your mobile number:

[image: extract from Twitter's privacy policy, with the relevant parts highlighted]

The relevant parts, highlighted above, are these:

"You may provide information to customize your account, such as a cell phone number for the delivery of SMS messages. We may use your contact information to send you information about our Services or to market to you."

and

"We may use your contact information to help others find your Twitter account, including through third-party services and client applications. Your account settings control whether others can find you by your email address or cell phone number."

In other words, if you give your mobile phone number to Twitter, intending it to be used only for security purposes:

  1. Twitter can use it to market to you eg send you marketing SMS text messages!
  2. Twitter can use it to help other people track you down on Twitter if they know your phone number (even if you tweet using a pseudonym), unless you disable that in your account settings. But how? I have no idea, as I've not added my phone to Twitter, precisely for these two reasons. The settings I can see without adding my number don't seem to disallow others from finding me via my mobile number. There's an Account setting that says 'Let others find me by my email address', but not one that says 'Let others find me by my phone number'. Does that setting deal with both? I've no idea - it's not clear.

The good news is that it seems Twitter will limit sharing or giving your phone number to anyone else:

[image: extract from Twitter's privacy policy on sharing your phone number with others]

There are still caveats, though - unless required by law, etc etc.

Let's contrast this with Yahoo!'s practice:

[image: Yahoo!'s request for a phone number, with the relevant text outlined]

The outlined text says, about your phone number: "We'll keep it secure and only text you if you need help with your account".

So Yahoo! get points for saying, at the point they ask for your number, that they won't use your number to market to you. But they lose points for not making it clear whether they may share or give your number to others. Their privacy policy, like Twitter's, says they'll limit sharing - unless there are court orders or 'to establish or exercise our legal rights or defend against legal proceedings', or 'We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo!'s terms of use, or as otherwise required by law', etc.

Now consider Google's similar procedure:

[image: Google's request for a phone number, stating it will only be used for account security]

This says that "Google will only use this number for account security". Yeeesss! That is exactly what someone who is privacy-conscious like me wants. Although Google introduced 2-factor authentication some time ago, I didn't sign up for it until Google started displaying this message, and now I have. Maybe Google are finally learning to try to be a little more privacy-friendly, after the Buzz and Safari debacles.

But much as I'd like to use 2FA for Twitter, I'm not giving Twitter my mobile number, no way no how - not until Twitter emulates Google and assures me that my number will be used only for authentication and other security purposes. Only. Given the recent opinion on purpose limitation from EU privacy regulators the Article 29 Working Party, doing that would seem to be a sensible move on Twitter's part.