The Internet and Privacy Debate

Full Debate: Read Full Debate

The Internet and Privacy

Damian Hinds Excerpts
Thursday 28th October 2010

(14 years, 1 month ago)

Westminster Hall
Read Full debate Read Hansard Text

Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.

Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the offical record

Damian Hinds Portrait Damian Hinds (East Hampshire) (Con)
- Hansard - -

I join in congratulating my hon. Friend the Member for Harlow (Robert Halfon) on securing the debate, and the Backbench Business Committee on continuing its programme of ensuring that such topics as this, which need a fuller airing, get one.

I want to take a slightly different angle by focusing briefly on some of the commercial aspects of the matter, and the business models of the leading web property operators that we are mainly concerned with in the debate. It is important to understand the motivation behind some of the issues that have emerged. At the outset I want to make it clear that, like my hon. Friend the Member for Harlow, I am both a user and an admirer of Google, Facebook and similar companies. I am also a capitalist, and I do not think that the pursuit of profit is a bad thing. However, even in free-market liberal democracies—in fact especially in such democracies—we take a legitimate interest in companies’ activities and power, and how those things may act for or against consumers’ true interests.

I do not need to repeat all the ways in which the internet makes the world a better place. In terms of productivity, communication, research, accessibility and so on, it is fair to say that the world has changed dramatically since a great Briton, Tim Berners-Lee, invented the world wide web. In commerce, the web makes markets more efficient by making it easier for buyers to find sellers and vice versa, and search engines, including pay-per-click marketing, play a big role in that. Because of the competitive auction nature of pay per click, there is a natural upward pressure on costs, which over time transfers more value to web intermediaries. Ultimately, of course, that has to be paid for by someone, and that someone—quelle surprise—is the consumer.

Those new costs have been affecting the public sector as well. In the answers to parliamentary questions that I tabled to seven Departments, it turned out that in 2009-10 £5.5m of taxpayers’ money was spent on pay-per-click advertising for the Government. That was an increase of more than 70% on the previous year. Given that much of that went on things such as swine flu awareness, one might question whom exactly the Government were competing against for those search terms, and indeed why search engines needed financial inducement at all to make such information available readily and easily to the general public.

Although we speak generically of search engines, anyone who has worked in online marketing will confirm that in reality there is only one show in town: that show, of course, is Google. If you push them, people know that Google is a commercial enterprise, but in my experience in business and anecdotally people do not tend to think of themselves as customers of Google. They choose to use Google much as they choose to walk down the public street. It is just there; it is what people do. I suggest that, deliberately or otherwise, Google reinforces that image of itself with, for example, its very plain home page, and particularly the term “sponsored links” that appears above its adverts. It makes them sound like some sort of charitable exercise, contributing to the inevitable costs of running a website. Of course they are not sponsored links, but highly targeted advertisements, which are a very big generator of profits.

I am sure that most hon. Members are aware that the formula used to determine placement on a search engine’s page is CPC x CTR. That means the cost-per-click bid multiplied by the click-through rate. Search engine executives will explain that that is the best formula to optimise the user experience and make sure that the content that appears is the most salient. Hon. Members who were particularly sharp at GCSE maths will also have spotted that it is the optimal formula for maximising the profit per available square inch on the screen.

Although Google operates many businesses, it is those adverts that generate the $23bn of global revenue for the company—the vast bulk of its overall sales. Google started life as a technology play, but today—let us be clear—it is a marketing, sales and advertising company. Why is that relevant to privacy? Because knowing more and more about people achieves two things. First, accumulating data and information on more and more things in one place creates—and protects—a position whereby that place is the default place to go to look for stuff. That is ultimately more attractive to advertisers, who pay the bill. Secondly, and even more importantly, it makes better targeting of the adverts possible. That in turn creates even more value for advertisers.

There is nothing wrong with good targeting. Anyone who has worked in marketing will say that trying to understand the customers better is central to the exercise, and people have always done it. Direct marketing, list marketing, or just plain old junk mail have been around an awful long time; and more recently, of course, loyalty cards have helped companies to fine-tune and hone their targeting. However, the internet is a different medium, and it is meant to put people more in control. Given that the issues that we are discussing are relatively new, and certainly not universally understood, there are questions about how consumers want to be targeted for marketing.

In pay-per-click marketing, there is a transition over time from active search, which is what most people associate with Google, when they think about it, towards contextual marketing, and ultimately to behavioural and characteristic marketing. Active search marketing is what happens when people actively search for x. In the search returns, as well as x, they will also get adverts for various other things, and commercial enterprises. Contextual marketing is what happens when people go to a website and all around it are ads for other things that are related to that website, whose content has automatically been worked out. Behavioural and characteristic marketing is not about what someone is looking for or at; it is just about the person. It is targeted marketing based on things about that person that they have themselves explicitly revealed, things that can reasonably be inferred, or things that can be guessed about them from their behaviour—what they have bought, what other websites they have looked at, and so on.

All three types have their place and will often be valued by consumers as well as advertisers. The first sponsored link on a search returns page is often the one the person is looking for, and that saves them looking further. Someone who is looking at a travel agency may well welcome an advertisement for a guidebook to the place they are going to. I do want to be told when tickets become available for a tour by a band I particularly like. I am perfectly happy for Amazon to recommend to me a reading list based on things I have bought from it before. However, there are also important issues to do with protecting consumer sovereignty.

First, there is a question of the use of explicitly revealed information. People who reveal information about themselves on, for example, a social networking site—various hon. Members have mentioned this—may not realise that such details will be used in order to sell to them. They may also not know about the cross-ownership between different web properties, which means that what they reveal on one site may be used by another. There is also the potential for scraping, which was alluded to by my hon. Friend the Member for Harlow.

Secondly, there is a considerably bigger question about information that people have not explicitly revealed about themselves. That may be characteristics, such as where they live and whether they live in a big house, or behaviours, such as the websites they have visited or the television channels they have watched. Web operators will give all sorts of assurances on such points. They have privacy policies and customer charters and say things like, “Don’t be evil.” Then along comes the BT Phorm case, which has been alluded to, or the Google Street View snooping case, and they serve to remind us of the potential that exists.

Indeed, in the case of media that are as dominant and as ubiquitous as some of the web properties that hon. Members have talked about today, I do not believe that relying on individual companies’ privacy policies is sufficient or appropriate. Although we do not want unnecessary regulation or to stifle what is still a very dynamic sector in which this country has a leading role, we need to consider two key things. First, we need to institute explicit rules on the usage of personal revealed information for marketing purposes. For example, it might be standard to have an explicit, active and time-limited opt-in for the use of personal data for marketing purposes. Given the fast-moving nature of the sector, such issues need to be constantly revisited, as my hon. Friend the Member for Milton Keynes North (Mark Lancaster) suggested.

Secondly, we need to bring in seriously punitive fines for the use of non-actively revealed personal data, including behavioural data. That will seriously focus the minds of people who are engaged, or potentially engaged, in such activities and ensure that those abuses never have to be apologised for again. The sort of independent commission and voluntary charter that my hon. Friend the Member for Harlow referred to may well be the ideal route. If not, this is a very legitimate area for Government intervention, and I look forward to hearing what my hon. Friend the Minister has to say on the matter.

--- Later in debate ---
Ian C. Lucas Portrait Ian Lucas
- Hansard - - - Excerpts

Indeed. One problem with a Law Society or BMA model, with respect to the hon. Member for Harlow, is that although that would be an appropriate way to proceed for some of the organisations involved in collecting such information—they are responsible professional organisations and would act responsibly—unfortunately, it would not be appropriate for all. Other organisations might take a much more laissez-faire approach—if I dare use that phrase in the presence of so many Conservatives—and would not deal with the issue responsibly. I am concerned that a self-regulatory system might not be as effective as we would like.

Damian Hinds Portrait Damian Hinds
- Hansard - -

Does the hon. Gentleman not agree that there are many different versions of and variations on self-regulation? For example, the Advertising Standards Authority model is completely different from that of the BMA. Surely it is possible to design a model to have the right amount of independence as well as teeth, so that it gets the respect and compliance that we want.

Ian C. Lucas Portrait Ian Lucas
- Hansard - - - Excerpts

That may be. We are at the beginning of a debate, and I am setting out my personal views at this juncture. When I conclude, I will agree that we need to examine the matter in more detail, but those are my concerns about a self-regulatory framework. With fines, for example, it is difficult to create an effective system that imposes large financial penalties on companies that do not wish to pay them. If the fines involve hundreds of thousands or even millions of pounds, only the force of law will be sufficient to ensure that the necessary action is taken.

--- Later in debate ---
Lord Vaizey of Didcot Portrait Mr Vaizey
- Hansard - - - Excerpts

I understand the hon. Gentleman’s point, but I want to see self-regulation and voluntary action by organisations on the internet. That is a theme that I want to develop in my speech—I have only one hour and 10 minutes remaining, so I will try to speed up a bit. We have a code of practice that many companies say they adhere to, so that information should be made available to consumers. Critical momentum could be built up if more well-known and legitimate websites signed up to the code, made that plain on their home pages and allowed consumers to see what that code states.

Damian Hinds Portrait Damian Hinds
- Hansard - -

Does the Minister agree that the Information Commissioner’s 36-page document is challenged, in terms of length and density, only by the typical set of terms and conditions found on most websites? One baby step, perhaps as an interim stage towards the developments that we all want to see, might be to encourage all websites to produce a much simpler version of their terms and conditions—perhaps only half a page, explaining in clear English the sorts of uses to which their data will be put.

Lord Vaizey of Didcot Portrait Mr Vaizey
- Hansard - - - Excerpts

I could not agree more with my hon. Friend. I used to be a lawyer; he used to be a marketer. Marketers are far more useful to society than lawyers. The trouble is that the terms and conditions are written by lawyers who want to cross every t and dot every i to protect their own back in every eventuality. What the consumer wants are easy-to-understand guidelines. That is something that I want to look at with the major internet service providers and websites. I shall expand on that point later in my remarks, probably at about 10 minutes past 5.

The Information Commissioner’s enforcement powers under the Data Protection Act 1998 and the Privacy and Electronic Communication (EC Directive) Regulations 2003 include the issuing of information notices to request information so that he can establish whether legislation is being complied with by an organisation. He can issue enforcement notices if he is satisfied that a data controller—that is, a website—has contravened or is contravening the legislation, for example by failing to process data fairly and lawfully. In addition, the Information Commissioner can issue a civil monetary penalty of up to £500,000 for serious breaches of the Act, although that power only came into force in April 2010. That is an important point, given that I am about to speak about Google Street View and the controversy that surrounds it.

My hon. Friend the Member for Harlow made it clear that part of his reason for calling this debate was to discuss Google Street View and the harvesting of data. Although my hon. Friend the Member for Dudley South (Chris Kelly) is not a civil libertarian, he pointed out that that was possibly the greatest breach of privacy in the history of this country, given the huge amount of data that were collected, although I am not sure that it ranked with the two CDs that went missing from the Inland Revenue.

I am able to update the House on the position. The ICO learned from Google in May that, in addition to the mapping exercise that it was supposed to be undertaking, its Street View cars had unintentionally collected payload data from unsecured wi-fi installations as they passed. It is the Information Commissioner’s job to consider whether in such circumstances there has been a breach of the law. He has been considering the issue and, importantly, has been discussing it with information commissioners in many other countries, including Canada, which my hon. Friend the Member for Dudley South mentioned.

Given that Google reported the breach, the best practice at that point would have been to delete all the data. However, as the Metropolitan police were considering whether the breach warranted an investigation, the data have been kept for evidential purposes. I understand that the police have decided that it would not be appropriate to launch a criminal investigation, so I will meet the Information Commissioner next week to discuss what next step he intends to take in respect of the data, and Google’s breach of data protection. I do not want to pre-empt what the Information Commissioner will decide to do, but normally he would work with the organisation that has committed the breach and put in place mechanisms to ensure that it does not happen again. What is clear is that the Information Commissioner does not have the power to levy a fine because, as I said earlier, that power did not come in until earlier this year.

It is interesting to note that the Federal Trade Commission, which has also been investigating Google’s breach, issued a letter yesterday pointing out that it, too, will not pursue Google on the matter on the basis that, in a series of public round-table events that the FTC hosted during the summer of 2010,

“Google has recently announced improvements to its internal processes to address some of the concerns raised”,

including

“appointing a director of privacy for engineering and product management; adding core privacy training for key employees; and incorporating a formal privacy review process into the design phases of new initiatives. The company also publicly stated its intention to delete the…data as soon as possible”,

and gave assurances that none of the data would be used

“in any Google product or service, now or in the future.”

The other lesson that should be learned from what happened with Street View is that we are in uncharted territory. As the small smart cars with large cameras appeared in our streets, little action was taken by anyone. We took it in our stride—well, my hon. Friend the Member for Milton Keynes North (Mark Lancaster) reminded us that his constituents took action by blockading one of the cars.

My recommendation is that when an organisation undertakes an exercise of that kind in the future, the ICO should put in place ground rules and discuss with it what measures will be taken, so that the organisation does not inadvertently breach data protection rules. I certainly think that if an organisation such as Google decides in the future to undertake a harvesting procedure of that kind, that is what the Information Commissioner should do.

Hon. Members also raised concerns about companies that search the web looking for adverse comments made by customers or staff members on blogs or social networking sites. My hon. Friend the Member for Harlow said that that was out of order. With the greatest respect, I would say to him that that is possibly an example of where we seem to believe that doing something on the internet is wrong when doing something like it offline would be acceptable.

For example, people post comments online. When they do that, they put them into a public space, if they decide not to put in place any privacy settings. They have to comply with the law in the United Kingdom as it stands—the comments cannot be defamatory. This is a matter of judgment for the individual company in terms of its reputation and relationships with its employees and customers, but there is nothing technically wrong in searching websites to see what comments have been made about an organisation. Indeed, as my hon. Friend the Member for Dudley South said, almost poetically, which one of us has not entered their own name in a Google search?

--- Later in debate ---
Lord Vaizey of Didcot Portrait Mr Vaizey
- Hansard - - - Excerpts

In terms of the UK Council for Child Internet Safety, I think that the issue needs to be addressed. As a matter of principle, we all accept that children deserve greater protection than adults do, whether offline or when accessing content online. We will continue to look at that.

Let us make no bones about it. As the hon. Member for Bath made clear, the key issue is not necessarily the harvesting of data on shopping habits, but the harvesting of data without consent or knowledge. There are some who say for example that Phorm, the company with which BT carried out an experiment, was providing a perfectly legitimate commercial service in allowing organisations to monetise their presence on the web by targeting adverts at certain consumers; if a consumer is particularly interested in a type of car, that advert could appear on screen while they are reading a web page. The website—for example, The Guardian or The Observercould charge more for that advertisement and, therefore, monetise its online content. That is a legitimate argument, but huge concern was generated because there was no transparency. It was done without consumers’ knowledge and it was unknown what would happen to the data once they were collected or whether they would be transferred to third parties. At the heart of the debate is, above all, transparency over what data organisations harvest and the opportunity for the consumer to choose to opt in.

Damian Hinds Portrait Damian Hinds
- Hansard - -

Does the Minister agree that such an opt-in must be an active opt-in? The ability not to have cookies exists on just about everybody’s computer, but how many people understand it? It is a different proposition to have to say, “Yes, I want to be marketed at; I want people to know my preferences.”

Lord Vaizey of Didcot Portrait Mr Vaizey
- Hansard - - - Excerpts

That is an important part of the debate. I shall talk later about the regulatory framework on e-privacy on which we are consulting, and it will be interesting to see the public’s response. There is certainly a strong argument that the consumer should not only be able to opt in, but know about their right to do so.

We are implementing changes to the e-privacy directive that strengthen privacy regulations in the online world, as part of our implementation of the European framework on electronic communications. We are consulting on those proposals, which could lead to changes to the privacy and electronic communications regulations and strengthen the Information Commissioner’s enforcement powers.

The directive has three key elements. First, effective, proportionate and dissuasive penalties will be introduced for any infringement of the directive’s provisions. Secondly, as part of the implementation of the revised e-privacy directive, we are also consulting on notification procedures for personal data breaches. We propose to ensure that the ICO issues guidance on any change to that notification mechanism and that the guidance will be the subject of a future consultation by the Information Commissioner. Thirdly, other changes to the e-privacy directive address problems with cookies, including any attempt to store information or gain access to stored information in a user’s equipment—using cookies—by requiring the informed consent of the user.

The provision covers legitimate practices that enable the use of many popular websites as well as illegitimate practices, such as spyware and viruses, which are also addressed in other legislation. The Government’s consultation on the implementation of the changes closes in December, and we will publish our response in spring 2011. The new measures will come into force on 26 May 2011.

Implementation of the electronic communications framework is not the only change that we are considering. Following the Lisbon treaty, as well as repeated calls to update the EU’s data protection directive, we expect the European Commission to publish a draft comprehensive instrument for data protection in mid-2011. The new instrument may cover all activities within the scope of European Union law. To inform the UK’s position for those forthcoming negotiations, the Ministry of Justice carried out a call for evidence for three months this summer to gain views on how the current legislative framework is working. Taken as a whole, those changes will usefully strengthen the regulatory framework governing privacy on the internet and will tackle some of the concerns expressed today.

As hon. Members have indicated throughout, there is a fundamental debate about the nature and scope of regulation. Business and the individual have a role to play in ensuring that both users and businesses are aware of their rights and responsibilities online. There is huge scope for self-regulation. The Internet Advertising Bureau has shown how industry can learn from consumer reaction and respond to consumers’ concerns by developing good practice principles. It has developed a website—www.youronlinechoices.co.uk—dedicated to informing consumers about behavioural advertising and offering a simple opt-out mechanism, which it proposed in March 2009, and this country’s advertising industry was the first in Europe to come up with a self-regulatory practice.

Discussions continue to take place between industry bodies at European level. Clearly, greater consumer awareness will help to address many of the concerns raised today and, with the Information Commissioner and industry, we will help with that in so far as is practicable.

I have spoken for almost 40 minutes, so it is time to draw my comments to a close. As a result of this debate and the thinking that went into preparing my comments, I intend to write to the major ISPs and websites, such as Google and Facebook, asking for a meeting. I want to discuss with them not just the general issue of people being aware of what data they may inadvertently be making available online, but the opportunity for redress.

I was struck by the comment from my hon. Friend the Member for Milton Keynes North about the women’s refuge centre whose address was put online, and it was then unable to persuade the organisation that was carrying that information to remove it. That organisation had not deliberately put the information online; it was simply the vehicle on which the information was available. There may be all sorts of reasons why it was difficult to take that information down. It may be that having taken it down, the address simply popped up again elsewhere, but the fact that no meeting or dialogue could take place worries me greatly. I suspect that most hon. Members in the Chamber have had conversations with constituents who have seen information about them online and have simply not known where to turn.

Nominet, the charity that is responsible for internet domain names, runs an extremely effective mediation service, so that people who are disputing the ownership of an internet domain name may be involved in a low-cost process to discuss how to resolve that dispute. It is certainly worth the Government brokering a conversation with the internet industry about setting up a mediation service for consumers who have legitimate concerns that their privacy has been breached or that online information about them is inaccurate or constitutes a gross invasion of their privacy to discuss whether there is any way to remove access to that information. I am sure that many internet companies will say that that is almost impossible, but when one hears stories such as that told by my hon. Friend the Member for Milton Keynes North, one wants at least to attempt to give consumers some opportunity to have a dialogue with internet companies, as they would be able to do if a newspaper had inadvertently published that information.

I hope that hon. Members have found my comments helpful and that I have been able to put into context what is happening with Google’s breach of data on Street View. I have set out my thoughts about personal remarks on the internet, establishing the regulatory regime for cookies and setting out the process that the Government are undertaking to strengthen privacy regulations on the internet alongside our European partners.