Chapter from the book Data Ethics – the New Competitive Advantage, published September 2016.
“We’re concerned that the EC’s proposed data protection reforms will put European businesses at a competitive disadvantage in a global market, by placing restrictive controls and high cost-burdens on innovation and investment.” Such were the words from Mathew Fell, Director for Competitive Markets at the UK’s primary industry lobby organisation, the CBI.
Fell’s statement, made in 2012 just after the European Commission released its first communication on a comprehensive revision of the existing European data protection regulatory framework, shows he was particularly worried about the reform’s impact on data-driven innovation. He was not alone in his alarm over European competitiveness, and a chorus of voices from the Internet industry chimed in with similar opinions. Although the EU Commission described the reform as a way to support the European common market and the free movement of data, it also used the word ‘protection’ over 100 times in its first proposal for a reform. It was a thorn in the eye of an industry built on the movement of data.
The words we use to talk about data and innovation define legislation, policies and business processes. They’re not just words, but descriptions that guide and direct actions. The idea that data protection is a limitation to innovation has been a recurring theme not only in political debate, but in a more general digital business context. Data protection is seen as a limit to creative, innovative digital enterprise development, an additional, cumbersome legal hoop to jump through, unrelated to the needs of consumers or of digital progress in general. This is may be caused by an assumption that, when we talk about digital innovation, we’re primarily referring to innovative ways of collecting, analysing and categorising data, sharing it, or streamlining and personalising services based on it. Data protection and privacy are then essentially stop signs on the creative process highway. The obstacle you must overcome when new solutions are developed. For this reason, data protection is often only brought up at end of the innovation process, when the legal department gets involved.
Rather than being an afterthought or stopgap, privacy and data protection should become a prerequisite for business development and innovation.
The case with Pokemon GO, launched in July 2016, shows that privacy was an afterthought. Children are the primary users of the game, in which you catch Pokemons in the real world through your smartphone’s camera by using virtual reality technology. Pokemon GO didn’t put enough thought into gamers’ privacy, which quickly led to sharp criticism from security and privacy experts and spurred politicians and data protection authorities to demand answers regarding the company’s use of that data.
Harvard professor Shoshana Zuboff calls the data-driven business model the ‘surveillance business model‘ and the underlying system ‘surveillance capitalism‘, and says it’s been allowed to flourish because so far we’ve uncritically accepted the way industry giants stage the status quo in business development and innovation. As Internet users, we are asked to accept a natural order of things in which big data is the guiding star, users are ‘unpaid labour’ and our personal data is just ‘exhaust’ and of no value to us. But nothing should be taken for granted, she argues, as we still have time to change this infrastructure into a more democratic model. She calls upon European institutions and citizens to challenge the existing business model and create an alternative future. “If the digital future is to be our home, then it is we who must make it so. Against the Surveillance Capitalism of Big Data”, as she wrote in the German newspaper, Frankfurter Allgemeine.
Declarations of Independence
We can choose to view and talk about our privacy as an obstacle, or we can choose to see it as a natural part of the innovative processes. A nascent tech and business movement is doing just that. With declarations, manifestos and public statements, they promise solutions and business models that protect data privacy. They describe alternatives to the web’s dominant operating, built on non-transparent tracking of user data. It’s not a natural fact that boundless and often covert surveillance of individuals is the only way to do things online. We should, they say, insist on a different digital future by telling an alternative digital story; we must talk about other ways of doing business. Virtually all of these new companies are built on a social mission.
Ind.ie. The designers Aral Balkan and Laura Kalbag are developing ethically-designed services. Their stated mission is to create everyday things for everyday people based on socially responsible principles, which they define as ‘decentralised, zero-knowledge, and private by default’. They’ve presented an idea for a device (Indie Phone) that does just that, and they’ve developed services such as Heartbeat, a peer-to-peer social networking client for Mac OS X, and a content blocker (or as they call it a ‘tracker blocker’), Better, for the iPhone and iPad.
“We want to create a new topology of technologies grounded in individuals owning their own data”, said Aral Balkan.“The common misconception is that such systems are difficult to design and develop. They’re not, but they do require a different business and funding model.” Balkan believes that the Silicon Valley model funded by venture capital is the core of the problem. He also thinks there is a different way forward: “You won’t get billion-dollar unicorns, but you can create sustainable, long-term enterprises that sell products to people instead of selling people as products. It is possible to build systems where individuals have ownership and control of their own data, on their own devices, instead of holding it in a cloud where a corporation has ownership and control.”
Jolla. This Finnish company has designed and developed a smartphone and tablet that run on a proprietary operating system called Sailfish OS. The people behind it were originally employed by Nokia, where they developed the Linux-based operating system, Maemo. However, since Nokia decided to shut down the project and bet on Microsoft Windows’ mobile platform, they left the company and established their own. Jollas’ slogan is just one word: ‘UNLIKE’, a reference to Facebook’s ‘like’ button. With such a motto, Jolla is signalling that it’s not like other tech companies. Jolla writes on their website: “We do not share your personal data with third parties without your express authorisation. We are not building a business on monetising your personal data. We can succeed as a business when our users are happy and know that they can trust us not to share their data with others if they have not authorised it expressly.”[*]
MeWe. This social network states: “MeWe challenges the status quo by making privacy the foundation of online social experiences.” MeWe has a ‘Privacy Bill of Rights’, that, among other things, promises not to track users, profile them or give third parties access to their data. They promote the service with the MeWe challenge: “Is your social network stalking you?” An online tool shows the user how many tracking cookies are being used by social networking services like Facebook, Instagram, Youtube, and LinkedIn. Their front page campaign film shows trendy young people doing various creative free time activities with the theme ‘We are not for sale’.
ProtonMail. Declarations about privacy made by new enterprises are often recieved with enthusiasm among consumers. Mail provider ProtonMail’s crowdfunding campaign was launched in 2014 as an anti-surveillance, pro-privacy product: “We believe that privacy is a fundamental human right that must be protected at any cost. The advent of the internet has now made all of us more vulnerable to mass surveillance than at any other point in human history. The disappearance of online privacy is a very dangerous trend as in many ways privacy and freedom go hand in hand.”It was the most successful software product campaign in crowdfunding platform Indiegogo‘s history. ProtonMail’s original campaign goal was $100,000, but by the third day they had doubled that amount. After one month, it had raised over half a million dollars.
Companies can and do in fact operate with privacy as innovation, articulate their business values around an individual’s right to security and privacy, disassociate themselves from the data-driven business model, and explicitly describe their ideas for an alternative natural order in the digital business environment. They do so with slogans, manifestos and declarations most often located prominently and visibly on their websites. At the same time, a large portion of these businesses focuses on raising awareness. Several of them support or participate in campaigns in favour of privacy and data protection. Silent Circle‘s Phil Zimmermann and Mike Janke travel around the world to various tech conferences to present their view on digital privacy. Ind.ie‘s Aral Balkan is famous for his speeches on surveillance capitalism and design at events and conferences from the Big Brother Awards to the UN Internet Governance Forum.
Anti-surveillance Social Revolutionaries
One might deem such alternative tech companies to be a new category of technology revolutionaries. The original anonymity and privacy services were developed as tools for groups with the most exposure and risk: activists and critical journalists. Similarly, many privacy-enhancing services emerged in the wake of events which illustrated the democratic issues at stake in the digital era’s dominant, data-driven business model. A whole series of anti-surveillance services and anonymisation tools were launched just after the NSA surveillance revelations of 2013. And Ello, for example, came into existence after it emerged that a group of drag queens who used their stage names on Facebook had their profiles shut down due to the social network’s real name policy. Many of the missions presented by these alternative services are based on the idea of creating a fair balance of power between the individual and the institutions of society, the government, and data giants.
These tech revolutionaries describe privacy as the foundation for democracy, creativity and freedom of expression, and they see a chance for development where these values are threatened. It’s a new type of company that generally doesn’t measure its own success in common business lingo, such as market differentiation, profit and sales figures, but with terms from the world of socially conscious organisations.
Protonet. Hamburg-based Protonet’s co-founder and CEO, Ali Jelveh, took the title of Chief Revolution Officer. It’s a title he uses when he travels to talk about Protonet’s main product: a platform for project management and collaboration in a secure, private cloud service. He describes his business as a social revolution that could change the way we think and act.
Diaspora. The non-profit social network Diaspora labels itself as anti-corporate. It’s not owned by any person or entity and will never be taken over by a corporation. It states that your ‘social life will never be sold to advertisers’ and you won’t have to ‘conform to someone’s arbitrary rules.’ You can chose where your data is stored from various ‘pods’ hosted by different individuals and institutions.
Ello. One of the new social networks in 2014 was Ello, launched by a group of designers, artists and entrepreneurs. Already in a beta version, the network, according to its own data, had 3,000-4,000 sign-ups per hour and had to temporarily close down for more. They called themselves ‘Anti-Facebook’, a moniker which lived on in the many media stories that followed Ello’s launch. Reported stories described how people, tired of Facebook’s targeted and intrusive advertising as well as their real name policy, streamed from Facebook to Ello, because the latter allows users to go by aliases and rejects the ad-based business model. Ello is built on a mission statement which among others reads: “…We believe a social network can be a tool for empowerment. Not a tool to deceive, coerce and manipulate – but a place to connect, create and celebrate life. You are not a product.”
Privacy by Design
We are beginning to see companies stand out by embedding privacy protection and features at the beginning of their design processes rather than waiting until the end. Their businesses are built upon ‘Privacy by Design‘ – PbD principles. The first PbDs were developed in the 1990s by Ann Cavoukian, former Director of the Data Protection Agency in Canada.
Privacy by Design is the idea that the default setting of the service is private – private by default – and that it’s designed and developed with privacy as a point of departure, not an afterthought.
The EU’s General Data Protection Reform highlights PbD in Article 25, which also identifies a number of principles to ensure that public and private data processors implement technical and organisational measures to minimise personal data collection and handling. The concept of Privacy by Design can be used constructively, but since it has no universal definition, it can also be abused. One of the authors of the ENISA report Privacy and Data Protection by Design, Jaap-Henk Hoepman, describes how he has seen hard-core data-driven services that track their users across the board, call themselves PbD. In the report, Jaap-Henk Hoepman, along with a number of other experts, describes Privacy by Design solutions that can and should be injected into digital business development. He and his colleagues point out that many basic data protection features and functions such as encryption are ignored when services are developed due to lack of awareness and knowledge among developers.
A Business Philosophy
The Privacy by Design concept has been criticised for trying to solve a social problem with a technical solution, arguing that privacy cannot be guaranteed by technology alone. It’s a good point, considering that the main focus so far has been on how to embed data protection in technology (of which there is also a great disagreement as to which solutions actually achieve PbD in the best possible manner). However, we can also look at PbD as a business philosophy, as an innovative approach where privacy is the starting point for the various inventive processes a company initiates – from design and technological development to human resources (e.g. employee training) and corporate marketing. In this way, Privacy by Design principles become a general guideline when building alternatives to the data-driven, public-by-default business model.
Vai Kai. For Matas Petrikas, CEO of German toy company Vai Kai, whose main product is a set of Internet-connected wooden dolls, customers privacy is the basis of all design and innovation decisions. “Privacy by Design, to me, means that we take the position of the privacy-aware and concerned customer, and we build a way for them to get what they want. The needs of this specific customer must be fulfilled and our product is designed to do excactly that”, said Petrikas. For example, Vai Kai does not include a camera and microphone in their internet-connected dolls, which are private by default: “We think about privacy as a value all the time. It is part of our conversation. I assume other companies would never have had the conversation we had during our development phase that led to the conscious decision not to include a microphone,” he said. The very idea of privacy is based on values that come from within: “You can represent something only if you are aware of it. If you are not aware of data privacy, it’s not even part of your value system. We are an EU-company with our own unique view. The idea of privacy is part of our value system and it is also part of our customers’ expectations.” In particular, Petrikas sees his European customers’ growing privacy awareness as a competitive advantage for his company.