Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2018
Presentation Version of 21 May 2010
Proc. Human Choice & Computers (HCC9), IFIP World Congress, Brisbane, September 2010, pp. 180-184, at http://www.springerlink.com/content/q3nwp17134634g45/
Roger Clarke **
© Xamax Consultancy Pty Ltd, 2010
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/DV/CSSD.html
The accompanying slide-set is at http://www.rogerclarke.com/DV/CSSD.ppt
This document supersedes http://www.rogerclarke.com/DV/CSSD-100205.html
A great deal of energy is wasted by civil society anguishing over the harm done to people by corporations, governments and technologies. Far too little effort is invested by public interest NGOs in 'practical activism'. This paper argues that civil society must establish Standards and Process Descriptions which clearly communicate their expectations, and which provide benchmarks against which the inadequacies of processes and the unacceptable dangers of projects and schemes can be delineated. The paper provides several examples of policy statements and templates of the kind that it is argued need to be provided.
Civil society is being overrun by the 'imperatives' of economics, technology and politics. Non-Government Organisations (NGOs) that represent the public interest score small wins from time to time. Overall, however, the last 50 years have seen massive encroachments into human freedoms in what has variously been referred to as 'the free world' and 'the advanced western economies'. Worse, the scene is set for public-private partnerships between large, powerful, transnational corporations and small, weak nation-states, to lead to a 21st century version of feudalism.
Part of the reason for this state of affairs is the failure of civil society institutions to harness their resources to good effect. A very large proportion of the energies of 'concerned citizens', and of organisations that represent them and advocate for their interests, is frittered away on dinner conversations, submissions to institutions that have no intention of taking any notice of them, conference presentations and posts to bulletin-boards that preach to the converted, and most recently those utterly ineffectual forms of vanity-press - the blogosphere and twitterdom.
In order to have real impacts on the processes of businesses and governments, civil society needs to articulate its requirements, and publish its demands as formal Standards against which the actions of businesses and governments can be assessed. Progress will have been made when the media routinely reports that a particular government proposal scores only, say, 27/100 on the Civil Society Human Rights Impact Assessment scale, and that a business project fails on, say, 10 of the 24 mandatory features of the NGOs' Business Project Assessment Standard.
During the early twentieth century, the engineering professions developed documents that declared safe thresholds for technical measures in areas such as construction. This gave rise to formal Standards in various national series such as those of the British Standards Institution (BSI, since 1901), the American National Standards Institute (ANSI, since 1916) and Deutsche Industrielle Normen (DIN, since 1917), and in some international contexts, such as those of the Institute of Electrical and Electronics Engineers (IEEE, since 1884/1912/1963).
Umbrella organisations emerged, in some cases to develop standards, and in others to anoint and re-publish selected national and international Standards. The International Organization for Standardization (but commonly referred to as ISO), which was established in 1947, complements several other organisations that focus on particular domains.
The large numbers of technical Standards have underpinned technological progress and many aspects of public safety. A second form emerged to complement the technical Standards. So-called 'process standards' describe organisational business processes such as complaints-handling mechanisms and quality certification.
Institutions grew up around the processes whereby Standards were developed, adopted and published. As the scale of activities grew, and their competitive significance increased, corporations and industry associations became larger players. By the last quarter of the 20th century, many standards processes were entirely dominated by corporate interests.
Even where standardisation processes are conducted by engineers in their professional rather than their corporate capacities, such as those of the Internet Engineering Task Force (IETF), non-engineering perspectives are largely excluded. One reason for this is the highly technical nature of much of the work and the intellectual dominance, and single-mindedness, of the engineers who do it. Another is the lack of funding support for NGOs to participate in meaningful ways in standards development processes.
NGOs that represent and advocate for the interests of consumers and citizens have achieved, at best, token participation in standards processes.
This section provides brief overviews of four examples of public interest standards with which the author has been deeply involved. There is of course a range of other examples that require study in order to provide a more substantial empirical base, including documents of Consumers International, the Electronic Privacy Information Center (EPIC) in Washington DC, and London-based Privacy International.
The Australian Privacy Foundation (APF) is that country's primary public interest NGO focussing on privacy. Since 1987, it has worked variously alone, and in conjunction with civil liberties and consumer associations. Its activities were reviewed in Bennett (2008).
For many years, APF's policy contributions were primarily reactive, in the form of submissions to governments and parliaments relating to particular projects and schemes. Since 2006, it has been moving towards a more proactive stance, by formulating and publicly declaring its policy positions on particular topics, and communicating those positions in advance of projects being announced, rather than just when projects are well-advanced.
One example of an APF Policy Statement is that on 'Visual Surveillance, including CCTV'. The elements of the Policy Statement are:
Much of the Policy Statement is obvious to public interest advocates with knowledge of CCTV. Its value lies not in any claims of originality, but in its provision of clear statements, its existence as a reference-point against which each particular project can be evaluated, and its availability as a standard against which the media can report project proposals to be tenable (few) or unjustified failures-in-waiting (most).
The adoption by civil society of such a document as a formal Standard would provide community groups worldwide with a focal point for their efforts against the excesses of image and video surveillance, and a reference-point for academics and the media.
The APF has also published a Policy Statement regarding the related topic of Automated Number Plate Recognition (ANPR).
This represents a counter-balance against the joint positions of the security industry and the national security extremists who grasped for control of law enforcement communities on 12 September 2001.
Crucially, the Policy Statement does more than just point out the dangers, and rail against the opacity of process, the lack of justification, and the continual presentation of projects as faits accomplis. It presents a specific alternative, referred to as 'blacklist-in-camera' architecture, which balances the public interests in surveillance of miscreants and in non-surveillance of everyone else. Such Policy Statements can be complemented by deeper analyses, e.g. Clarke (2009).
In countries that have data protection laws in place, PPS sit oddly, and are little more than window-dressing. On the other hand, there are some benefits in organisations confronting the question of what they actually do with personal data. Industry associations provide templates, but they of course are self-serving, not privacy-protective. Law firms prepare precedents, but they are proprietary rather than published, are inevitably legalistic and difficult to understand, and serve the interests of the client not the public. Data protection commissioners publish guidelines, but these are inevitably jurisdiction-specific, and limited by both the terms of the local legislation and the imaginations and levels of commitment of the commissioner and their staff. Remarkably, however, there appear to have been few attempts by civil society to express the public's expectations of a PPS.
A Privacy Statement Template was published in Clarke (2005a), with an accompanying guide in Clarke (2005b). During the first 4 years after its publication, the template has amassed over 17,000 hits. It has been used by a number of organisations in preparing their own PPS. Its primary benefit, however, is as a standard against which the PPS of particular companies can be compared, in order to expose weaknesses. In a study of a sample of 6 representative organisations reported on in Clarke (2006a), the Statements were found to fall far short of the norms that consumers would reasonably expect in relation to the handling of personal data.
The Terms of Service that are imposed by international consumer marketing corporations are generally based on the permissive laws of the U.S.A., and fall far short of both the consumer protection laws in some other countries, and the reasonable expectations of consumers.
In 2005, I looked for an authoritative statement by the consumer movement of what they expected from marketers. I found no such document. In order to assess the Terms of Service of the same 6 companies whose PPS I had studied in Clarke (2006a), I had to prepare what I referred to as a 'Normative Template for Marketer-Prosumer Communications'. This was first presented in Clarke (2006b), and a revised version is in Appendix A of Clarke (2008).
The Template is currently being used in research into the state of consumer protection laws in Australian jurisdictions (Svantesson & Clarke 2010). Its value can be far greater than that of a mere research tool, however. If this (or some variant of it, or replacement for it) were to be adopted by major institutions of civil society, it would provide at the very least a Checklist of the matters that companies need to address. With some further articulation, it is capable of becoming a formal declaration of expectations, and a Standard against which marketing organisations' Terms of Service can be measured - and (in almost all cases) found to be seriously wanting.
These examples of Policy Statements and Templates demonstrate that documents can be assembled that codify public expectations in relation to particular activities, and particular technologies. Several advantageous features of such documents have been highlighted.
The argument is not that these specific documents should be adopted by consumer bodies as Standards. What these mini-cases demonstrate is the feasibility of civil society Standards. They can be drafted by individuals or small working parties. The two APF documents were not only drafted but were also then negotiated, amended and adopted by a national NGO. To date, these quite recent Policy Statements have had only modest impact. On the other hand, the APF's track record is strong, having succeeded in altering the framework within which discussions of privacy law take place in Australia, through its lead-role in the promulgation of the Australian Privacy Charter (APCC 1994). This included the Anonymity Principle, which is progressively being implemented within the Privacy Principles in all jurisdictions within that country.
Industry and government have been playing the Standards game for many years. By publishing Documents that have capital letters, economic and political institutions have inculcated acceptance by the media and the public that all is well, and have thereby been able to avoid critical examination of their initiatives.
Community institutions must raise themselves from their torpor, stop wasting their time grizzling, adopt the well-proven technique of promulgating Standards, match the bravado with which business and government announce their initiatives, and attract the media into reporting the positions of civil society with the same enthusiasm that they show when they re-print media releases distributed by corporations and government agencies.
APCC (1994) 'Australian Privacy Charter' Australian Privacy Charter Council, December 1994, at http://www.privacy.org.au/apcc/
APF (2008) 'Automated Number Plate Recognition (ANPR)' Policy Statement, Australian Privacy Foundation, March 2008 at http://www.privacy.org.au/Papers/ANPR-0803.html
APF (2009) 'Visual Surveillance, incl. CCTV' Policy Statement, Australian Privacy Foundation, October 2009, current version at http://www.privacy.org.au/Papers/CCTV-1001.html
Bennett C. (2008) 'The Privacy Advocates: Resisting the Spread of Surveillance' MIT Press, 2008
Clarke R. (2005a) 'Privacy Statement Template' Xamax Consultancy Pty Ltd, December 2005, at http://www.rogerclarke.com/DV/PST.html
Clarke R. (2005b) 'About the Privacy Statement Template' Xamax Consultancy Pty Ltd, December 2005, at http://www.rogerclarke.com/DV/PSTAbt.html
Clarke R. (2006b) 'A Major Impediment to B2C Success is ... the Concept 'B2C'' Proc. ICEC'06, Fredericton NB, Canada, 14-16 August 2006, Invited Keynote Paper, at http://www.rogerclarke.com/EC/ICEC06.html
Clarke R. (2008) 'B2C Distrust Factors in the Prosumer Era' Proc. CollECTeR Iberoamerica, Madrid, 25-28 June 2008, pp. 1-12, Invited Keynote Paper, at http://www.rogerclarke.com/EC/Collecter08.html
Clarke R. (2009) 'The Covert Implementation of Mass Vehicle Surveillance in Australia' Proc. 4th Workshop on the Social Implications of National Security: Covert Policing, 7 April 2009, Canberra, at http://www.rogerclarke.com/DV/ANPR-Surv.html
Svantesson D. & Clarke R. (2010) 'A Best Practice Model for eConsumer Protection' Computer Law & Security Review 26, 1 (January 2010) 31-37
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University. He has been a Board member of the Australian Privacy Foundation since its formation in 1987, and its Chair during 2006-2010. He has also been a member of the Advisory Board of Privacy International since 2000.
Created: 5 February 2010 - Last Amended: 21 May 2010 by Roger Clarke - Site Last Verified: 15 February 2009