How the new Sub-Committee on Disinformation can help strengthen democracy in the digital age

Michela.Palese (1)In April 2019 the Commons Digital, Culture, Media and Sport select committee established a sub-committee to continue its inquiry into disinformation and data privacy in the digital age. Michela Palese considers the motivations underlying the establishment of this sub-committee, its stated priorities, and how it can help confront the challenges and threats to our democratic processes arising from online campaigning.

Last month the Digital, Culture, Media and Sport (DCMS) select committee launched a new Sub-Committee on Disinformation. Its task is to become ‘Parliament’s institutional home’ for matters concerning disinformation and data privacy; a focal point that will bring together those seeking to scrutinise and examine threats to democracy.’

The new sub-committee promises to offer an ongoing channel through which to gather evidence on disinformation and online political campaigning, and to highlight the urgent need for government, parliament, tech companies and others to take action so as to protect the integrity of our political system from online threats.

Damian Collins, chair of the DCMS committee, explained that the sub-committee was created because of:

‘concerns about the spread of disinformation and the pivotal role that social media plays. Disinformation is a growing issue for democracy and society, and robust public policy responses are needed to tackle it at source, as well as through the channels through which it is shared. We need to look principally at the responsibilities of big technology companies to act more effectively against the dissemination of disinformation, to provide more tools for their users to help them identify untrustworthy sources of information, and to provide greater transparency about who is promoting that content.’

The sub-committee follows up on the significant work conducted as part of the DCMS committee’s long-running inquiry into Disinformation and ‘Fake News’, whose final report was published in February 2019.

This inquiry ran for 18 months, held 23 oral evidence sessions, and took evidence from 73 witnesses: its final report contained a series of important conclusions and recommendations.

Among these, the report called on the government to look at how UK law should define ‘digital campaigning’ and ‘online political advertising’, and to acknowledge the role and influence of unpaid campaigns and Facebook groups both outside and during regulated campaign periods. It also advocated the creation of a code of practice around the political use of personal data, which would offer transparency about how people’s data are being collected and used, and about what messages users are being targeted with and by whom. It would also mean that political parties would have to take greater responsibility with regards to the use of personal data for political purposes, and ensure compliance with data protection and user consent legislation. Continue reading

Size matters

Non-technologists may have noticed that ‘big data’ is the most recent addition to our ever-expanding lexicon of webtwopointwhateverspeak.

Big data refers to datasets that are beyond the means of ordinary software and processing power to analyse, owing to their sheer scale and complexity.  An obvious example is Facebook; the London Data Store is another.

Commercial organisations have been collecting vast amounts of data for years; Anyone that has regularly used Gmail, a supermarket loyalty card, or shopped at Amazon, will have at least an inkling of how an organisation can i) collect data and ii) use it to target them with personalised actions.

What is new, is that in many instances the supply of data that companies and government now collect or access vastly overshadows their own ability to actually process it into useful information. It’s not only computer-processing power that is lacking; a recent report by Deloitte points to a massive shortage in skilled labour. These are however short-term barriers that will be overcome by the larger organisations, either by outsourcing data analysis to countries with a surplus of quant talent, or by simply importing that skilled labour directly.

Traditional critics of data collection have made their arguments on the grounds of individual privacy. However the era of ‘big data’ has other, potentially more sinister implications. Writing recently for The Atlantic, Alexander Furnas of the Oxford Internet Institute believes we have yet to fully appreciate the macro-implications of the information age:

“Rather than caring about what they know about me, we should care about what they know about us. Detailed knowledge of individuals and their behavior coupled with the aggregate data on human behavior now available at unprecedented scale grants incredible power. Knowing about all of us – how we behave, how our behavior has changed over time, under what conditions our behavior is subject to change, and what factors are likely to impact our decision-making under various conditions – provides a roadmap for designing persuasive technologies.”

Taken in conjunction with the popularity of behavioural economics within policy-making circles (consider the UK government’s “Nudge Unit” as a case in point) the potential applications of ‘big data’ for public policy are considerable, and deserve closer scrutiny.

The man with a $30,000 computer buried in his chest

Before you ask, no, he’s not a cyborg from the future, or a genius billionaire playboy philanthropist. Although it sounds like science fiction, this is increasingly science fact for thousands of cardiac patients across America and around the world.

Hugo Campos has an Implantable Cardioverter Defibrillator (ICD) attached to his heart. He suffers from a relatively common heart condition and needs the ICD to facilitate electric therapy in the event of irregular heart activity.

The same device also streams a great deal of complex information back to its manufacturer, information that the implantee  is unable to access directly. Even though the ICD is implanted into his own chest and regularly transmits data about him out of it, Hugo has to rely solely on his doctor, who actually doesn’t have access to the complete real-time “raw data” either, instead an interpreted dataset from the manufacturer.

Personal data doesn’t get more personal than this. When Mr Campos approached the ICD’s producer and requested direct access to the information being beamed out of his own chest cavity, he was refused. (See “Top Five Excuses ICD Manufacturers Use to Justify Not Releasing Data to Patients” and also “Five Reasons Why Patients with Implantable Defibrillators Deserve Their Data”)

In response, he disabled the transmission entirely and by his own admission is now risking his health to make a political statement: “I will not be monitored remotely if I am not made part of this data loop.”

It is not clear how much and what type of data is being excluded from the manufacturer’s dataset, and consequently its ultimate usefulness is unknown. Mr Campos argues that at the very least he has the right to see it, and determine this for himself. “We get all our financial data — why is it different with health care? Patients should be empowered to take care of their lives.”

The information age has transformed our expectations. In years gone by we would trust our physicians to know best; we had little choice. Today, Hugo Campos represents a growing e-patient movement who want to break away from the total dependency inherent within the traditional doctor-patient relationship.

Of course, in order to be denied access to data, the data has to be there in the first place. Globally – nobody has precise figures – it’s fair to say that many people with high-risk hypertrophic cardiomyopathy cannot access, let alone afford an ICD, or are simply not diagnosed in time.

Nevertheless, it’s hard to shake the feeling that Mr Campos has a point.

Profit versus privacy

As recently remarked on over at the Bits blog, tech companies like Facebook are increasingly fond of making the “economy versus privacy” argument. It goes something like this:  Because they create jobs and generate growth in an otherwise bleak landscape of rising unemployment and negative growth, it would be foolish to burden innovative technology firms with privacy laws that could jeopardise these rare economic boons. Facebook has commissioned a study to this end, suggesting the company brings £2.2 billion to UK PLC and supports a further 35,200 jobs in sectors that are dependent on the popular social networking site. Their CEO Sheryl Sandberg recently commented “we want to make sure we have the right regulatory environment — a regulatory environment that promotes innovation and economic growth.” Mark Zuckerberg has in the past also not shied away from expressing his belief that privacy is no longer a social norm.

Today, the European Commission formally proposed amendments to the 1995 Protection of Personal Data Directive.  These proposals include a “right to be forgotten” clause, allowing people to delete their personal information from a website if there is no legitimate basis for the company to retain it. Facebook claims however that far from wanting to delete their personal data, most Facebook users prefer having their details retained indefinitely. According to Richard Allan, Facebook’s Director of European Policy, “they want us to give them a guarantee that data will remain available in ten or 15 years’ time so they have a record of how things changed over time.” The UK Information Commissioner’s Office (ICO) also appears sceptical of an ‘rtbf’ clause, fearing that it could “mislead individuals and falsely raise their expectations, and be impossible to implement and enforce in practice.”

Sandberg, Zuckerberg and Allan frame the privacy debate as progress and economic prosperity versus anachronism and bureaucracy. As these amendments are debated over the coming months, we will get some measure of exactly just how anachronistic privacy really is to Europeans.

Protecting Data Protection: accounting for human error

Following recent revelations made by The Mirror, Oliver Letwin has undoubtedly been forced to adopt a more conventional filing system.  On approximately five separate occasions throughout September and early October the Prime Minister’s policy advisor (and MP for West Dorset) was seen discarding handfuls of paper work into public bins close to Downing Street.  Whilst the various correspondences and documents were clearly considered to be redundant or unimportant by the MP, for The Mirror they were journalistic gold, and were therefore retrieved from amidst empty Coke cans and used train tickets.  Totalling in excess of 100 sheets, the papers allegedly relate to a diverse array of individuals (including the Dalai Lama, Philip Green, Tony Blair and Letwin’s own constituents) and topics (from “The Big society” to al-Qaeda and British security).

There is no doubting that Oliver Letwin’s actions went against protocol, eliciting an apology from the MP and described as “not a sensible way to dispose of documents” by a No.10 spokeswoman.  Indeed whilst the Cabinet Secretary, Gus O’Donnell, has stated he is satisfied that none of the papers in question were of a classified or sensitive nature, the Information Commissioner’s Office is, nonetheless, investigating the case to deduce whether or not Letwin’s actions were in breach of Data Protection Laws.

“Bin-gate” was not however the only (potential) breach of data protection to have been discovered in the past few weeks, though it certainly received the most national media attention.  A housing group based in Dorset (Letwin’s neck of the woods) was found to have emailed the personal details of 200 employees to the wrong external email address clearly breaching data protection.  Furthermore in Scotland, the Dumfries and Galloway council accidentally published the names, salaries and dates of birth of almost 900 employees (past and present) in response to an FOI request.  The information could be viewed on the council’s website for over two months and was only removed following complaints from a trade union and numerous individuals mentioned in the data. This accident broke the fundamental principles of data protection, intruding on the privacy of affected individuals and exposing them to identity fraudsters. It is telling (yet by no means surprising) that Oliver Letwin’s blunder has received so much more media attention, despite the fact that the severity of his actions is as yet unknown and potentially minimal.

Whilst the nature and consequences of these three cases differ, one common variable is present in all: human error.  Through misjudgement and mistakes the most basic principles of data protection fail to be upheld.  All too often we see politicians carrying confidential papers in transparent folders or hear of memory sticks holding volumes of important information being left on trains.  Incidents like these would not look out of place in an episode of “The Thick Of It”.  Fundamentally, Data Protection Laws are only as robust as the integrity of those entrusted to maintain and abide by them.

The Information Commissioner has recently called for the ICO to be given more powers to carry out compulsory data protection audits on local government, the NHS and the private sector, all of which have breached data protection repeatedly.  Speaking at the 10th annual data protection compliance conference, Christopher Graham stressed how important it is to ensure that those handling data concerning members of the general public are acting within the rules.  It will be interesting to see both whether his appeal is acted upon but also whether increased auditing can help identify or even minimize human errors which, given its nature, are particularly damaging to data protection.