Ashley Madison, the press and data protection

For those whose affairs were not exposed to the world by the recent data theft from the Ashley Madison site, curb your schadenfreude and moral superiority. Very few of us lead such morally immaculate lives that some of our past or present would not be equally embarrassing if disclosed.

Such hacks and theft of data are sadly unsurprising. I have written before of the dangers of storing embarrassing photos and other material in the Cloud and in other places where they could become accessible, and of the need to protect Cloud and other accounts robustly.

What has shocked me, though, is that the data that was stolen is already being used by journalists, radio show hosts, and others to ‘out’ people – particularly those already in the public eye – who had allegedly used Ashley Madison. Even that story on the BBC website explicitly named an MP whose email address had allegedly been among the stolen data, but who denied any association with the site.

If someone stole a diamond, and you were to buy that diamond and sell it on, then you would be as guilty as they. Yet when someone steals highly sensitive personal data, disseminating and publishing some of that data seems not just permissible, but fair game (and no doubt a cause for editorial congratulation).

Legal protection

As an overseas site, Ashley Madison is not subject to European or British law, but some of these issues, and those which I raised recently about Google’s privacy policy, make my thoughts turn to our own European and national laws intended to protect sensitive and personal data – in the UK, the Data Protection Act (DPA) of 1998.

Yes, 1998 – the year that Google was founded. Ten years before NASA’s OpenNebula became the first open-source product for deploying private and hybrid Clouds. When the DPA was being drafted, most personal data stored by commerce was hidden away in mainframes, well isolated from the Internet. Indeed the Internet was then only accessible to around 14% of the UK and 30% of the US population. The Nokia 5110 was at the leading edge of mobile phones, and tablets were either Mosaic or taken for headaches.

UK law is now seen as an implementation of the EU Data Protection Directive of 1995, which in turn was based on recommendations made by the OECD thirty-five years ago, in 1980. Although reform was proposed in 2012, the European Commission hopes – I suspect vainly – to reform rules in the EU this year, with a new directive.

Among the major and highly relevant issues which the 2012 proposals already fail to address are:

  • dealing in improperly disclosed sensitive data, as we have seen following the Ashley Madison theft;
  • measures to prevent data aggregation destroying anonymity;
  • ensuring proper use of data irrespective of imposed privacy policies, to which very few individuals actually give free or informed consent;
  • ensuring compliance with EU law by services which are operated from outside the EU, but provided to the EU.

1 + 1 = 3

‘Data aggregation’ is a classic example of a problem that has arisen with the increasing availability of large datasets. It is common practice that, once personal identifiers are removed from databases such as the Electoral Register, legal constraints on their use are relaxed. However it is extremely easy for an organisation to acquire other databases (with some or all personal identifiers removed) which they can merge with the information, say, from the Electoral Register, and process to enable identification of individuals.

This is an established issue in anonymisation: deanonymisation can be performed intentionally, or by those who have been able to acquire an anonymised database because it has not been as well protected as it would have been had it contained personal identifiers. Yet all the time the individuals whose data is being deanonymised may be completely unaware of that process, assuming that their personal identifiers had been removed.
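The aggregation risk described above can be measured before a dataset is released. The following is an added example, not part of the original article: it counts how many people in a named dataset share each released record's remaining attributes, first as released and then after generalising them. All data, field names and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample data; every name, postcode and year is invented.
REGISTER = [  # a dataset that still carries names
    {"name": "A. Archer", "postcode": "ZZ1 1AA", "birth_year": 1961, "sex": "F"},
    {"name": "B. Baker",  "postcode": "ZZ1 1AB", "birth_year": 1964, "sex": "F"},
    {"name": "C. Cole",   "postcode": "ZZ1 2XY", "birth_year": 1968, "sex": "F"},
    {"name": "D. Dean",   "postcode": "ZZ1 1AA", "birth_year": 1972, "sex": "M"},
    {"name": "E. Ellis",  "postcode": "ZZ1 5ZZ", "birth_year": 1975, "sex": "M"},
    {"name": "F. Frost",  "postcode": "ZZ2 4QQ", "birth_year": 1983, "sex": "F"},
    {"name": "G. Grant",  "postcode": "ZZ2 4QR", "birth_year": 1988, "sex": "F"},
    {"name": "H. Hale",   "postcode": "ZZ1 1AA", "birth_year": 1961, "sex": "F"},
]
RELEASE = [  # the "anonymised" dataset: names removed, other fields kept
    {"record": "R1", "postcode": "ZZ1 1AA", "birth_year": 1961, "sex": "F"},
    {"record": "R2", "postcode": "ZZ1 1AB", "birth_year": 1964, "sex": "F"},
    {"record": "R3", "postcode": "ZZ1 5ZZ", "birth_year": 1975, "sex": "M"},
    {"record": "R4", "postcode": "ZZ2 4QQ", "birth_year": 1983, "sex": "F"},
]

def exact(rec):
    """Quasi-identifiers exactly as they appear in the release."""
    return (rec["postcode"], rec["birth_year"], rec["sex"])

def coarse(rec):
    """Generalised form: outward postcode only, birth decade instead of year."""
    return (rec["postcode"].split()[0], rec["birth_year"] // 10 * 10, rec["sex"])

def linkage_risk(release, register, key):
    """Return (share of released records that match exactly one named
    person, smallest number of people any released record matches)."""
    population = Counter(key(person) for person in register)
    matches = [population[key(rec)] for rec in release]
    unique = sum(1 for m in matches if m == 1)
    return unique / len(release), min(matches)

if __name__ == "__main__":
    for label, key in (("as released", exact), ("generalised", coarse)):
        share, smallest = linkage_risk(RELEASE, REGISTER, key)
        print(f"{label}: {share:.0%} uniquely linkable, smallest group {smallest}")
```

A release in which any record matches a single named person has not been anonymised against this particular pairing of datasets; the check has to be repeated for each dataset a recipient could plausibly obtain.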

Tracking and weaving

Some of the most contentious issues arise from the acquisition of information about us and our online activities, and the subsequent use of that information in online advertising. Although there are schemes under which you can opt out of such tracking activities, the whole issue is one in which we do not have a choice except to accept (lack of) privacy policies imposed in inaccessible legal documents which often seem to be the culmination of a corporate lawyer’s Doctorate of Laws thesis.

When we shop, our food packaging has to include standard compositional information which we can grasp at a glance. There is a desperate need for clear, truthful, and complete declarations as to what information is being extracted from our browsers and other systems, and what is done with it. And rather than give us the option of using the service with those conditions, or not using it at all, we need a statutory right to be able to opt out of yielding personal information – just as in the halcyon days of 1998 we were able to put a cross in the box which said that our details could not be passed onto others.

High priority

For most politicians, these matters are very low down even on the most libertarian agenda. However there are many important commercial and governmental matters which are coming to a head. Public confidence in data protection is, I think, at an all time low. Those who used Ashley Madison or any of the many other services which have become compromised of late would be bound to agree.

In the NHS, there are plans to anonymise new clinical databases in order to sell them off to commercial organisations. The unions see this as another step in removing protection, and in ‘privatisation’ of the NHS. However the NHS’s own reputation (along with most other government departments) is appallingly bad, for an organisation whose primary role is protection of the individual, and which is supposed to uphold the highest standards of data protection, in the Caldicott Principles.

There are a lot of potential disasters in the offing. Now is the time to bring the law thoroughly up to date, enforcing the standards that the public needs, and taking account of everything that has happened over the last twenty years.

Or there could be much schadenfreude over future embarrassment caused to MPs and MEPs by failed data protection.