Prism & Tempora – O tempora, o mores!

Thoughts on lack of democratic oversight, transparency and data protection by Kimon Zorbas, CEO, IAB Europe

The revelation of the internet surveillance programmes operated by the USA’s NSA (Prism) and the UK’s GCHQ (Tempora) are indeed something that many of us working and are interested in or even just follow cybersecurity (policy) suspected existed in the one or other form. Not that I claim I knew any of those details and the vast extent of surveillance, but it was no real surprise that secret services and law enforcement agencies intercept communications. It is the logical extension of Echelon (the European Parliament adopted a report on 11 July 2001 and a resolution on 5 September 2001) and it seems we see the same deep collaboration of the five countries (AUS, CAN, NZ, UK & USA) that set up their secret information sharing and intelligence cooperation many decades ago.  What I am very surprised about is the extent of government surveillance (apparently even undersea transmission cables are tapped, a highly complex and difficult undertaking).

It is fair to assume that other European countries have similar surveillance programmes, not to mention those countries with less democratic tendencies.

While many details about the workings of surveillance programmes remain opaque and probably will remain so, the key point is that all these programmes were approved and agreed without engaging in a proper and transparent democratic process. Just to compare: in the pre-internet age letters were sacrosanct. Intercepting and reading a letter was not such an easy thing for policy makers and secret services to do – they needed a warrant on the basis of laws that were adopted by parliaments.

A more structured, transparent and democratic approach was adopted at European Union level following the attacks on the World Trade Center in New York on 11 September 2001.  The attack certainly heralded the arrival of a massive change  in western culture; it impacted on the way we deal with our freedoms and it also coincided with the vast uptake of the internet.

In the wake of  “9/11”, policy makers pushed hard to improve the quality, safety and security of documents, culminating in the introduction of serious security measures such as biometric passport and data retention laws. The data retention debate was important for our society to create a process whereby we can discuss threats, measures to address these, the limitations or impact on personal freedoms and liberty (also on data protection), proportionality and other important questions.

The implementation of Data Retention Directive laws national level has led to interesting debates, which have demonstrated the differing approaches different states have taken – impacted to a large extent by whether the country had suffered a terrorist attack or not – and compared to debates in UK and Spain, which had experienced a number of security threats due to terrorism.

The main point was: we had a democratic and transparent process. Now, some would say that passing laws publicly that safeguard national security and counter terrorism are too sensitive and discussing these issues and threats publicly undermines the effectiveness and efficiency of surveillance programmes.

First, I do not believe this is true. It is likely that some terrorists are stupid and don’t expect surveillance. Others, are smarter and do expect surveillance. The first group will be caught fast, the second group deploys strategies and tactics to circumnavigate detection by authorities.

Second, if we subvert the democratic process, we run the risk of losing public support and becoming like those we combat (the United States’ reputation suffered from detaining people in Guantanamo without due legal process).

Third, western democracies have developed processes to discuss sensitive issues and agree on measures to combat crime, including terrorism in parliaments.

Taking all this into account, we need to start discussing some important questions:

Is the data protection review in Europe the right instrument to fix the problems we face? Probably not. Is the call to have one legal instrument for law enforcement and industry the right approach? Will we stop mass surveillance altogether and limit surveillance to individual cases? For which crimes do we want to use intelligence obtained through mass surveillance?  Would Prism be appropriate and proportionate to combat ordinary crimes, such as illegal downloading? Probably not. Will surveillance only be used to combat serious crime or just terrorism? Can western democratic governments commit to not engaging in industrial espionage against each other and even jointly protect European companies against such attacks? Can we commit to not creating profiles with sensitive information that are then used to, for example, blackmail politicians into compliance? Can European member states agree to grant all European citizens the same rights and not discriminate against citizens from other EU countries? The European Parliament’s Echelon resolution provides a good basis to start from.

These are all very important questions and they should to be discussed in the public domain – publicly – and not behind closed doors. Of course this doesn’t mean that the functioning of the deployed measures and analytics and algorithms must be disclosed publicly. But massive surveillance without passing a democratic and transparent process is simply unacceptable.

It is time to rethink security, threats and how we manage freedoms in the internet age. Let’s start a proper and structured debate to strengthen our democracies and societies and find answers that can be supported and accepted by our representatives in the European Parliament.

If we fail to deliver this, secret services and government will undermine trust in the digital world – the trust companies have built and worked very hard to earn from consumers and is the basis for responsible data processing. Leading European company representatives have already warned about the impact this scandal has on the uptake of cloud services.  Industry is transparent in the democratic process – debating with all stakeholders in a structured process. It’s time for the spooks to follow.

 

Good Morning Brussels – The Brave New World Online

Posted by IAB Europe on 02/04/13
Tags: , ,  

Empowering online users – A blog post by Jean-Baptiste Rudelle, CEO & Co-Founder of Criteo

Criteo’s approach to online advertising is user-centric. Empowering users to make informed choices and enabing them to access non-filtered online services is fundamental. We provide users with clear, meaningful and prominent information about our service, data management practice and their ability to express choices through simple mechanisms. We believe that users need to be informed at all stages of their online navigation and have the ability to express their choice.

Our approach consists of displaying the right ad, at the right time to the right user. It serves interests of publishers for inventory optimisation, advertisers as we take the risk of buying impressions and increase their return on investment, and users as we display ads that are likely to be relevant to their interests. Our business model is aligned with the user’s interest as we charge our advertisers on a cost per click (CPC) basis. Advertisers only pay if the user clicks on the ad: it entails automatic display capping – we are not going to buy impressions indefinitely for a user who shows no interest in the ad displayed.

How should the user be informed?

Informed choice needs to be based on easily accessible information that is relevant for the user. Criteo was one of the first (if not the first) player to insert an “i” into its banners giving access to detailed and user friendly information explaining in writing and visually why the user is seeing the ad.

Accessible information needs to address the following questions: How long is my data retained? For what purpose? Is my data allowing my identification? Is my data sold? Is my data combined with other data? And what services am I going to receive and how can I deactivate this service? Specifically for Criteo, users are interested in knowing whether we are in a position to identify them –  for  example do we have access to the name’ or ‘surnameof someone who browses on retailers’ websites? Or are we able to know it?  We provide users with transaparency on what information we collect and what information we know.

Users are unlikely to understand the distinction between first or third party cookies, Html 5 storage or fingerprinting. It is the service they receive together with the service provider’s data management practice that matters.

How can users define their preferences?

Criteo favours transparency and choice. Users need to have the ability to disable our service. Criteo provides an easily accessible link so that users can disable its services. Users have the option to disable our services permanently or temporarily for one specific advertiser – they choose.

Criteo also engages in self-regulation initiatives mainly initiated by the IAB and IAB Europe (Internet Advertising Bureau), NAI (Network Advertising Initiative) and EDAA (European Digital Advertising Alliance). In an effort to harmonise the industry’s approach to interest based advertising, these organisations provide online platforms that enable users to disable services of the providers integrated – and also to understand the benefits of online advertising which allows access to free content, display of more relevant ads to users and fosters online economic growth.

How can users be fully empowered?

User trust depends on transparency and a consistent online experience. Self-regulation initiatives actively support user empowerment by always placing the user in control of his or her choices. Information and user options need to be harmonised across browsers and devices so as not to confuse users.

Users’ experience through different browsers should be consistent in terms of choice. Does it make sense for the user to have different default settings that they don’t understand or control? And that prevent access to services without the user knowing and controlling his preferences? Interest based advertising is served to the user, not to browser makers. We believe users needs to decide; it is the user that browses on websites and is served interest based advertising, not third parties.

Assuming that third party cookies and interest-based advertising are harmful for the user’s privacy is in conflict with principal of net neutrality. Net neutrality is fundamental for the online ecosystem and serves innovation and competition, for the benefit of users. Users want to access online services without third party filtering. Filtering of online services needs to be justified by the law, administrative decisions, security risks or, determined by the end user.

About the Author - Jean-Baptiste Rudelle, CEO & CO-FOUNDER of Criteo

JB is a serial entrepreneur with a combination of tech and business experience. In particular, he was the founder and CEO of K-Mobile Kiwee. Throughout the 2000s, this company rapidly became one of the leaders in the emerging mobile content market, before being acquired by American Greetings Interactive in 2004. Prior to that, JB held various senior consulting positions for Roland Berger and Arthur D. Little. He started his career as an engineer for Philips and Lucent.

About Criteo

Criteo is the global leader in digital performance display advertising and currently partners with over 3000 international advertisers. Every day on a pure cost-per-click basis – where advertisers only pay for results – Criteo generates millions of high-quality leads through dynamic and relevant advertising. As a privately held predictive ad-technology company, Criteo continues to invest significantly in technological innovation and talented people, while expanding its global footprint. Currently operating in more than 30 countries across North and South America, Europe and Asia from 15 international offices and employing more than 800 people.

Good Morning Brussels is the sound of the European digital advertising industry in Brussels. This is the second in a series of posts by captains of the European online digital industry looking at how to overcome Europe’s innovation challenges.

 

Good Morning Brussels: Waking up European Innovation

Europe faces many innovation challenges. Venture capital is not easy to come by and credit is expensive and difficult to get. When compared with the US where risk-taking is part of the culture, Europe has a more conservative culture that is driven by fear of failure.

So, why is it so hard to get a start-up off the ground in Europe? Why is it so hard for Europeans to be entrepreneurial? How can easing administrative burdens encourage innovation and entrepreneurship in Europe?

If we compare the tools and the strengths of the most successful digital entrepreneurs in the world today, most of them come from the United States. We all buy books on Amazon, trade on eBay, share pictures on Flickr or Tumblr, we chat on Messenger, we socialise on Facebook, we Google, we Youtube and much more. All these things are done using American technological innovations and platforms.

So, what does the US have that we don’t have here in Europe? They have a uniquely successful technology hub, Silicon Valley, that has not been emulated in Europe. They attract top talent and pay highly competitive wages. Plus, there is a singular American dream to be the best and most innovative. This dream is supported by the highest political office, the President. In his victory speech after the election last year, Barack Obama reminded Americans that everything is possible and he called on Americans to put the United States back on top. Have we ever heard such an elegant call to action inviting Europeans to build the big dream from President Barroso or President Van Rompuy

The other challenge remains the European Single Market. In the United States they can reach a scale 250 to 300 million people and thus make their platforms profitable. With this fast pace of scaling possible in the US market, a natural next step is expansion. Entrepreneurs in the US look to expand across the Atlantic through the UK, to a logical first port, and then into the Continent. By comparison, local initiatives quietly simmer in Europe and rarely reach scale, let alone entertain notions of expansion. Unless these Start-ups move their businesses offshore early on they can’t access what they need for growth.

The European Single market is a nice concept, but language is a huge barrier to its successful completion. This is particularly challenging for Start-ups where platforms change daily. To make a company viable across Europe, every change creates significant additional costs and requires a massive investment of time because it needs to be in at least 24 languages. Then there’s cross-border marketing. The markets of Europe are vastly different. In Europe companies roll-out in country by country – first Germany and then France etc. This generates a massive time lag in scaling potential – not to mention the high costs of marketing, which means less money for investment in innovation.

Europe is overly bureaucratic. For example, a Greek company recently wanted to set up an eCommerce business to sell Greek food abroad, but it was impossible to get the Greek banks to give them facilities to accept payments online. This demonstrates that Europe just is not ready for innovative businesses, we’re just not used to it – we don’t have the infrastructure in place to facilitate it. In the end the Greek company used Paypal to facilitate its cross border payment facilities.

Legal costs are an additional impediment. This is due to the fact that laws are transposed differently in member states. The reality is that even if Europe has one law, companies still need to operate according national laws. When we add to this the general distrust amongst European consumers about eRetail, the soil appears to be nearly barren when it comes to potential for innovation.

But that is not to say that there is no potential to create successful model for innovation and entrepreneurship. We can we create a single platform in Europe that builds on the ingredients of scale, identification of talent and harnessing funds from the public-private partnerships. And, while language diversity is something that is holding us back, it can also become an advantage by putting together the finest minds. For example German ingenuity and Greek creativity could create surprising results given the right environment to share ideas and knowledge.

The European Commission’s DG Enterprise and Industry is investigating how to tap European innovation. Their newly launched programme called, Doing Business in the digital age: the impact of new ICT developments in the global business landscape, brings together industry to help figure out how to shape the EU vision and strategy. Together we are focussing identifying all the hurdles to innovation and entrepreneurship and finding ways to remove them.

From my point of view there is a very simple recipe for success. We should focus on identifying one or two European champions and develop this talent. What Europe needs is entrepreneurs like the founders of Spotify and Skype – and the right levers to keep this talent in Europe. We don’t need many champions, just one or two to lead a new generation of young and brilliant entrepreneurs. Success will come from commitment to and investment in young talent.

2020 must be our target. We must deliver all the ingredients of the Digital Agenda for Europe by 2020. Europe should be brave and we must be vocal. We must grow world-leading talent. This will automatically spark the European dream. This European dream will go beyond cultural borders. We could have a Greek or a Danish digital champion who is supported through a centralised incubation system. This will start the ball rolling and others will quickly follow.

This is not an impossible dream. Like great sports winners, where one gold comes others soon follow. If we invest now by 2020 there will not only be eBay and Amazon but we will have some new European platforms. If we don’t move now the risk is that China will beat Europe to the punch. Today, the Chinese dragon is only feeding his appetite on his content and population. There is little desire to expand Baidu, Tudou, Sina or QQ, but it’s still early days.

Meanwhile, Russian digital businesses have long arms. Yandex has just started their expansion. They have four thousand engineers and entrepreneurs eager to learn and they are funding an expansion into Turkey – an 80 million market – with a view of going head-to-head with Google. If they succeed then they might well enter into Europe.

This is a reality check for Europe. If the Chinese dragon starts to expand, Uncle Sam is already dominant globally, and the Russian Roubles all do the same and Europe doesn’t start to get organised, what place will we have in the digital economy of tomorrow?

Europe has already suffered severe losses in the hardware segment of the ICT sector. If we lose the internet battle our future does not look bright. This is more than a wake up call. We have to act. We have all the ingredients, everything is here: employment, talented people, a population that is heavily engaged online. Citizens are ready to start contributing to the online economy. But we need a common vision for Europe. We just need one or two objectives – let’s develop one or two European entrepreneurs into major global players.

We must create a platform, a digital EU incubator, and invite the twenty seven member states to bring three of their most innovative start ups or companies into the champions league. This incubator is a place where substantial public-private funds are invested and where mentors with a track record can provide the necessary know-how and framework for success and development for scale.

If we build an incubation super-platform, the chosen few will be supported by all means necessary to achieve world-wide reach. Only a couple will succeed but we have to accept that some failure is part of deal. If we pump everything we can into creating European digital champions in the next eight years others will surely follow.

Penned by Alan Heureux, President of IAB Europe

Good Morning Brussels is the sound of the European digital advertising industry in Brussels. This is the first in a series of posts by captains of the European online digital industry looking at how to overcome Europe’s innovation challenges.

Time to Talk about Striking the Balance on Data Protection

A number of positive approaches have been presented to overcome the European Commission’s very strict Data Protection Regulation Proposal. Ensuring that consumers are protected remains an important consideration when thinking about data protection but, as Seán Kelly, Rapporteur in the ITRE Committee (EPP), reflected in his keynote remark during IAB Europe’s Engage with Policy event in Brussels on 19 February, “being pro-business is being pro-consumer. The two are not mutually exclusive.”

Pseudonymous data is one recommendation that is gaining traction. Germany already enshrines pseudonymous data in law and it has proven effective. It makes sense for the Commission to now endorse it. Pseudonymous data is important because it helps organisations, particularly websites to understand what users look for on their website, and at the same time it is non-identifiable so in that sense secures and protects consumers’ identities. Importantly, that concept is privacy by design and default per se.

Malcolm Harbour, MEP and Chair of the IMCO Committee, pointed out that companies must have clarity. The opportunities if we get it right, he said, are that Europe will finally have a common unified framework across the whole of the European market place. “We should encourage companies to exploit that marketplace because they are confident that what they are doing in managing data is acceptable everywhere. That means they can hold data in different countries and, they can manage their online presence and allow cross border activity and make Europe a dynamic and vibrant market,” he pointed out.

Online advertising today is about customisation and relevance. It is about giving advertising an informational value, about building long lasting customer relationships in a virtual environment, about the consumer surplus and creating a Win-Win. A comprehensive McKinsey study carried out on behalf of IAB Europe revealed that the consumer surplus of ad based internet services amounts close to 40 Euros a month per household and all together Euro 69bn worth of services to users.

The outcome of the negotiations on data protection has the potential to reshape the digital industry, as well as many traditional sectors. Europe’s future as a place for innovation and growth based on the ongoing digital revolution. We have to create jobs in Europe – the online sector offers at least 400.000 jobs and if we copy what Sweden has done then we have the potential for another 1.5 million jobs in Europe. But we have to ensure the right conditions are in place – and the data driven economy is part of the solution.

Explicit consent is the centre piece of the Commission’s draft Proposal. Adina-Iona Valean, MEP and shadow rapporteur shared the concerns of Harbour and Kelly saying, When talking about explicit consent we have heard that consumers will find this unfriendly and unhelpful if they have to read 30 pages of legal content. This is not the best way to inform consumers about what will happen to their data.”

The opportunities presented by the digital world for consumers and for businesses and the economy, and for the society at large are great. A vital digital industry is a key driver for the competitiveness of the European economy. And, that there is still a European digital industry which would be adversely affected should the proposed European Commission draft not strike the right balance.

Video interviews with MEPs working on the data protection dossier can be found here:

Listen to Malcolm Harbour’s view on data protection here

Hear what Seán Kelly has to say about the relevance of data protection in the EU here

Adina-Iona Valean, MEP, speaks about the impact of data protection on business here

A View from Romania on Making Data Protection Business and Consumer Friendly

Posted by IAB Europe on 06/02/13
Tags: ,  

IAB Romania invited MEP Adina Valean, ALDE member to join leading Romanian online industry representatives for a meeting in Bucharest in January 2013.  Ms Valean – Shadow Rapporteur of the European Parliament’s Industry, Research and Energy Committee on the proposed Data Protection Regulation, which is due to update the Data Protection Directive – presented her views to industry following heated debates amongst stakeholders about how to effectively balance the European data protection rules.

The question is how to legislate in a way that effectively protects consumers and allows businesses to continue innovating and providing better online services to their customers?

IAB Romania outlined how local digital businesses would be affected by the draft proposal. For example, an explicit consent for most data processing and provisions that would oblige users to go through a series of click-through events and logging-in processes, when accessing websites only lead to click-fatigue and are also detrimental to website owners. This undermining the monetisation of websites and website optimisation in terms of being able to meet users’ needs.

IAB Romania argued for a more flexible approach of the legislative proposals, as per Ms Valean’s objectives – to reach a balance between the user’s interests and digital industry. These amendments will ensure that websites can still rely on advertising revenue to fund high-quality content and, analytics that allow websites to better understand what users want on their sites and provide them with the content where they expect it.

Ms Valean welcomed the Romanian digital industry views saying, “Along with all the European liberals, I support a kind of regulation that protects the privacy of the users and facilitates their access to the desired websites. I encourage the online industry to self-regulate and to educate the public with respect to website interaction. As a liberal, my main focus was to support the private initiatives of the online industry.”

About the data protection regulation initiative:

http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

 

 

 

 

 

The Business Case for Data Protection

Posted by IAB Europe on 28/01/13

Today is European Data Protection Day. As the transition to the online, data-driven economy gathers speed, it’s a good reminder for the business community that we have to earn the trust of the people that use our products and services through good business practices and strong privacy controls.

But at a time when the information and communications technology industry is one of the few sectors of the European economy that is still growing, the European Commission’s proposal for a new Data Protection Regulation threatens to unravel the digital ecosystem, putting jobs and growth at risk, and potentially stifling Europe’s capacity to innovate.

That’s why the Industry Coalition for Data Protection (ICDP), a coalition of 15 leading trade associations representing a broad spectrum of European, American and Asian businesses, is sounding the alarm about Europe’s data protection rules, under revision at the moment in Brussels.

Current proposals undermine our ability to deliver high-quality products and services, tailored to the needs of our customers. If implemented, they would have an immediate effect on the financial viability of online businesses, expected to account for 5.3 percent of GDP in G20 countries by 2016.
The proposals will also limit business’ ability to innovate in the future. Ultimately, European consumers will have less choice than consumers in other parts of the world, who will enjoy a greater choice of products and services that are more closely tailored to their needs.

As ever more consumers discover the benefits of the Internet, their demands have become more sophisticated and specialised. In addition, cloud technologies offer great promise for Europe, with estimates indicating that the cloud could create more than one million new jobs and several hundred thousand new small- and medium-sized enterprises in the EU, and drive down the cost of ICT for the public and private sectors. Businesses must have the freedom to innovate and cater to these demands if they are to stay competitive in a global market.

But equally, all businesses—large and small, European and foreign—must invest heavily in ensuring that users’ privacy is responsibly managed. ICDP member companies invest substantial resources today in research to develop privacy-enhancing technologies and optimised business processes, making privacy by design a reality today.

We understand and agree that it is time to revise privacy regulations – the world has moved on since they were first written in 1995. But European policymakers, in their haste to push forward new data protection rules, are not giving adequate consideration to the practical implications of their proposals. They have not adequately considered the rich variety of activities that depend on data collection and processing. Nor do they take into account the speed of changes in technology and the business environment, and the impact on Europe’s competitiveness and capacity to innovate.

The current proposal provides few meaningful new rights or protections to consumers, but it does significantly increase red tape and jeopardize the European digital economy. As written today, we believe the Commission’s proposal requires further debate.

What Europe needs is a balanced, fair, and business-friendly framework for data protection in the 21st century. That means regulation that supports innovation and technological development while serving the needs of consumers who want high-quality, competitively-priced products and services, provided by companies that have earned their trust. The data
protection framework should focus on accountability—not overly prescriptive legislation.

We believe in a Europe of innovators and forward-looking consumers; the European Commission and Parliament should join us.

Posted by the Industry Coalition for Data Protection

Members of the ICDP include:
Association for Competitive Technologies (ACT), American Chamber of Commerce to the EU (AmCham EU), BSA | The Software Alliance (BSA), DIGITALEUROPE, European Digital Media Association (EDiMA), European Multi-channel and Online Trade Association (EMOTA), European Publishers Council (EPC), European Internet Services Providers Association (EuroISPA), Federation of European Direct and Interactive Marketing (FEDMA), GS1, IAB Europe, Interactive Software Federation of Europe (ISFE), Japan Business Council in Europe (JBCE), TechAmerica Europe and the World Federation of Advertisers (WFA)

 

 

 

Advertisement