Should you be doing that? Social media, ickiness and privacy

 

Let me be absolutely clear. I am not a lawyer. I know a little about technology and I have been thinking about these issues for a while. But being an avid reader of Jack of Kent does not substitute for actual qualifications in legal practice.

Ickiness

A couple of years ago at BlueLIghtCamp Andrew Fielding pitched a session asking “when does social media use get ‘icky’”.

It’s a good question.

He was really thinking about a public sector comms team, say a police force. What are the limits of what they should be getting up to on Twitter? Is it OK to run searches for mentions of your local town? What about going back through the messages posted by someone tweeting about your local town? What about running a search on LinkedIn to find out more about them?  What about building a file on them?

(There is no suggestion that Andrew or indeed anyone in public service comms is doing these things, this is a thought experiment).

Clearly (at least hopefully, clearly) there is a point when the normal use of these technologies for engagement and customer service steps over a line.

My initial response was to suggest that organisations should publish a policy on what they will or won’t do on social media. I started something off on PenFlip

My thinking on how a policy should be framed has evolved a bit since then.

The view that it is necessary or desirable to have a policy covering these areas is not widely shared. I don’t know of any public body that has a policy covering these issues and when I talk to people working in digital comms they are surprised and sometimes angry at my position.

My position

My starting point is that citizens have a right to expect the state to respect their privacy within reasonable limits. Chapter 2 of David Anderson’s Report of the Investigatory Powers Review provides a nice primer on privacy generally (how often do you read that sentence?)

In fact the right to privacy is enshrined in the European Convention of Human Rights (Article 8). This Article does allow the state to infringe your right to privacy when it is legal, reasonable and proportionate to do so. This is one of the issues at the heart of the debate around investigatory powers. The debate (and rightly) is focused on the powers the state should have to have a look at things you have chosen to keep private.

What I’m concerned with is the limits the state should have to look at things you have placed into a public sphere. There is a perfectly coherent argument to the effect that if you have chosen to put information into a public forum, you should accept the consequences. That makes some assumptions about the nature of the public spaces online. Is your Facebook update public like graffiti or public like a chat down the pub. As a society we would be much more relaxed about the council monitoring messages sprayed on walls than we would about them hanging around in pubs on the off-chance that they will hear something interesting.

I think that, in reality, some online spaces are public like graffiti and others are public like the pub.

I would like to see public bodies thinking through these issues and helping their staff understand what is acceptable and what is ‘icky’.

The three areas of relative ickiness

Generally acceptable (not really icky)

There are a set of actions that should be uncontroversial. It is a good idea for organisations to use social media for customer relations, policy development and to be “networked”. They should respond to messages clearly sent to them (or written on their page). They should seek out statements that are clearly intended for a wide audience: blog posts, comments on the local paper website, Tweets using relevant hashtags. All this helps organisations to understand their online community and should be encouraged.

Need to be authorised and limited (icky)

There are a set of actions that are not part of a public body’s investigatory functions but should be thought through and only undertaken within limited circumstances. To me these become relevant when the organisation becomes more interested in individual people.

Here are a couple of examples (again thought experiments not real world):

The comms team is asked a couple of interesting questions on Twitter from a new account. They wonder if this is a new blogger. Keeping track of who is writing about matters relevant to the authority is part of the job of the comms team. So they visit their profile but the information there is opaque. They want to do some more investigating, reading back through the Twitter timeline, searching for the name / user name on other accounts.

Social workers are working with a family. Dad is not happy following a meeting with social workers. There is concern that he might encourage people to harass the social workers in question. In order to understand the potential threat to their staff a team leader wants to search Facebook and keep an eye on Dad’s profile and maybe the profiles of his friends.

To my mind neither of the proposed actions are things that public bodies should be doing routinely. Given the specific circumstances they seem to me to be potentially reasonable and proportionate.

So I would suggest that they should be authorised on a case by case basis by someone reasonably senior. We are not in an area where warrants are necessary but we are in an area where the potential infringement of people’s privacy has to be considered and balanced with the need to (in these cases) protect public employees or provide better public services.

Constitutes investigatory action (beyond icky)

Beyond these actions are a whole set of actions where public employees are undertaking formal investigations for the detection or investigation of crimes. The Chief Surveillance Commissioner thinks there should be a policy covering social media:

“I strongly advise all public authorities empowered to use RIPA to have in place a corporate policy on the use of social media in investigations.”  Annual Report of the Chief Surveillance Commissioner to the Prime Minister and to the Scottish Ministers for 2013-2014 para 5.33 

Personally I think a policy covering the use of social media overall would make the most sense: these things are generally permitted, those things must be authorised, these other things are dealt with under RIPA-like procedures.

Don’t we have better things to worry about?

While we attempt to dissuade the government from granting far-reaching powers to the police and security services to break into computers and messaging systems this may seem like a distraction.

One does not discount the other. We should strike a sensible balance between security, utility and privacy all the time, not just when people remember to whack up the privacy settings.

I am also aware that I could potentially unite the “Human Rights gone mad” brigade with the “JFDI” digital engagement gang.

I am also aware that I’ve been focusing on public bodies here. This is deliberate because, as I understand it, public bodies are directly bound by Article 8: it is a right that protects you from the state. All of the things I have described can be undertaken by anyone, in any country.

Should your district council be able to find out less about you than a Chinese company?

All I can say is. These seem like relevant issues. We have not sorted them as a society. Talking about them seems like as good a way of approaching them as any.

How to reduce the FOI burden on local government

Secret

(photo is: Secret Comedy Podcast 06 – 2 August 2013 by Amnesty International UK used under CC BY 2.0)

 

As reported by the Press Gazette, the LGA has provided evidence to the Freedom of Information Commission [PDF].

The LGA is disappointingly negative about FOIA, seeing it as a a cost to authorities rather than a boon to their communities.

It prompted me to get round to a blog post I’ve been meaning to write for a while, reflecting on my experience of making an FOIA request to every council in the country.

Asking for data

I wanted to know some things about the usage of council websites. I wrote a report about websites based on this data.

It is reasonably trivial to run a mailmerge and issue an email to every council and I was conscious that this would generate work in each authority so I tried to pick a small number of datapoints that it would be easy to obtain.

I’ve never issued an FOIA request before (though I’ve answered plenty) and I did feel a bit of a sense of guilt/fear when I pressed go.

This was assuaged somewhat by receiving a response within an hour (well done Cardiff) and exacerbated by receiving a call from a web manager apparently wanting to know what lay behind my request. I was a bit taken aback but when other people contacted me (in a less defensive way) I wrote a blog post explaining what I was up to.

Not that bad in the end

And I have to say the vast majority of councils responded promptly and in an extremely helpful manner. A small minority had a much more defensive attitude and some councils attached very restrictive licences to the data (despite the obligation, in England and Wales, to provide datasets under open licences).

A very small number (sadly I didn’t keep an accurate count of this) of councils responded to say “We already publish this”. Now to be honest, it was less convenient to me when they did this because it usually involved me in more work. But I was still delighted because it’s clearly such a sensible thing to to.

Gold star goes to East Sussex who just give you the login details of read-only account for their Google Analytics account.

It would be easy to publish this

It is technically trivial to publish data from Google Analytics (the tool used by the majority of councils). Website data is not secret, not personal and its publication is of benefit to the sector and potentially to the wider community.

And if it had been published the cost to the public sector of my report would have been marginal to nothing.

In fact the only reason not to publish this data is a cultural inclination not to tell people stuff.

The way to reduce the FOIA “burden” on local government is to answer people’s questions before they ask them.

And if local government routinely published its non-personal data then it would have a stronger argument when raising concerns about the cost of FOIA compliance.

What the evidence tells us

In fact the LGA evidence to the FOIA Commission reveals a sector stuck in a suspicious, closed, and secretive culture.

 

Which suggests, of course, we need the FOIA even more than before.

Oh. And and what chance do closed, suspicious, secretive organisations have of being effective in the digital age?

(Don’t answer that)

My initial reactions to Techfugees

CVOkOeuWIAAyLyD

Image was lifted from @asalvaire ‘s Twitter stream I hope they don’t mind.

I spent 2 December 2015 at the Techfugees conference in London, UK. I was wearing my Standby Task Force hat (mostly).

These are my instant reactions on the train back home.

1. Wow.

There is a lot going on. Amazing energy, talent and thought going into all sorts of innovative solutions. It was an amazing, invigorating, mind-numbing day.

2. This is a complex situation.

Now I know that’s a statement of the blindingly obvious but we have very fluid flows of refugees from a range of different countries entering Europe by very changeable routes and then making their way around in countries they know little about before claiming asylum in potentially other countries. Each country has its own state and civil society structures, cultural attitudes and legal complexities. As well as languages. And then there’s the politics. And this is just to get people to the stage of claiming asylum. If they are accepted as refugees they face, potentially, years of challenges such as dealing with trauma, learning a new language, understanding a new culture, integrating into their new communities on top of the usual stuff people want to to, falling in love, raising familes, earning money, having a laugh.

The app that fixes that is going to be very impressive.

3. There is an urgent need to make it easy for people (and let;s just start with refugee agencies) to be able to work out what support and help is available to whom and where. This is not really a technical issue it just needs a bunch of people to focus on gathering and presenting the data (well not just that but that is a necessary task).

4. Facebook and WhatsApp are already being used for an amazing amount of coordination by refugees (and their friends and family) themselves. Let’s not reinvent the wheel. Let’s add gears and steering.

5. In the UK let’s not lose sight of the fact that one fundamental underlying problem is the shortage of affordable housing. Let’s build more houses.

6. From a Standby Task Force perspective Google Hub Info looks utterly awesome. It goes on the long list of things I want to play with (but very near the top). https://github.com/google/crisis-info-hub

7. We frame refugees as a problem (it’s a crisis haven’t you heard?). And by definition refugees are people fleeing persecution. We heard from the excellent Hassan today that he would never have left Syria if it was safe. But refugees are also an opportunity, people with skills, ideas, energy. Imagine if we could see them as an opportunity for our communities, and our economies.

Imagine.

8. I really like spending time with geeks and looking at these problems as service design issues. I think that’s a useful way to think about things.

But the politics matters too.

9. There are many potential users of the potential and actual projects that are spinning out here. We need to make sure we stay close to the users. Which is easier said than done when so many of them are constantly moving.

10. People are amazing.

That is all.