The Web We Wanted And The Web We Got

The Cambridge Analytica controversy has brought into sharp focus a discussion about the kind of Internet that we want. Has the Internet stayed true to the vision of the early cyberpunks, and if not, how do we get it back? Can the genie be put back in the bottle?

Over the last six years, the Internet has become dominated by the walled gardens of Facebook and Google. Google has started to build walls around its content, and no longer links to the sources that the content was originally built on.

Facebook is a hydra-headed monster whose own CEO doesn’t seem entirely aware of the extent to which its own tentacles extend around the Web. If Mark Zuckerberg himself isn’t sure whether Facebook tracks users that don’t have an account, how are ordinary users meant to know?

What isn’t always obvious is that up until 2010, the Web had more or less remained true to its original purpose. Businesses set up eCommerce sites using tools such as WooCommerce, fan forums flourished on topics as diverse as MLB and woodworking, and personal sites could be set up on a cheap Virtual Private Server.

Asking where all this stuff went is often framed as pining for a lost, parochial era of Geocities sites and MySpace pages, but it’s more fundamental than that. The diversity of the Internet is directly tied to the success of this open approach.

Much of Facebook is built in PHP, a free software language that has been widely ported, and that can be deployed on most web servers and almost every operating system and platform, free of charge. If the Web doesn’t remain open, technologies that underpin the Web’s security, accessibility, innovation and competitiveness won’t belong to us anymore. They will belong to Facebook.

For now, no-one is preventing you from setting up your own web server. But money talks, and ISPs are already starting to offer customers subsidized plans with free access to large companies which pay them. The principle of Net Neutrality is a foundational one for the Web because it dictates that ISPs cannot charge consumers a higher price to access independent websites.

Eroding Net Neutrality would mean that there would be very little economic incentive to have a smaller website, as it would be literally inaccessible to people with an ordinary Internet connection. eCommerce retailers have already begun shifting stock towards Amazon in order to appease the aggregators.

Since 2010, when Facebook and Google really started depriving independent publishers and websites of the oxygen of search and social traffic, the independent blogosphere has withered on the vine. Less traffic and less commenting mean less incentive to post, which means fewer posts. It’s hard to name a successful small blog that started in the last five years.

Back in the days of Geocities, sharing content online was an arduous affair that often involved transferring files to and from a server over FTP. The first version of Blogger was FTP-based and lacked features such as web-standards compliant templates, individual archive pages for posts and posting-by-email.

Facebook’s business model is really quite simple: it removes the technical hurdle involved in publishing content online, and provides a way for people to connect with each other. It then sells ads against the content.

When the friction was removed from posting content online (remember ‘frictionless sharing’, which enabled apps to post to a user’s Wall without consent?), people posted an enormous amount to Facebook. Users don’t care whether content is centralized or decentralized; they just want it to be easy.

Any other business that has got close to Facebook’s level of ubiquity has focused, laser-like, on making sharing simple. As recently as 2010, GigaOM predicted that the idea that apps are sharing a continuous stream of our activity will seem as commonplace and uncontroversial as the original news feed.

Whatever the solution looks like, it can’t involve a return to the days of FTP. Blockchain solutions may appeal to techno-geeks, but they are way too complicated for most people to use.

It would be easier than ever for a firm like Apple to own content distribution, storage and entry through an app. There wouldn’t be a lot of money to be made in it, but Apple doesn’t make a lot of money from supporting SMS and implementing iMessage either. But we will all benefit from an Open Web.

The GDPR and You: What Businesses Need To Know

The upcoming General Data Protection Regulation will be the largest change to European privacy laws in 25 years and will come into force across all EU member states from 25th May 2018. For many companies, significant changes will be needed to comply with the regulation, and we are already halfway through the implementation period. Much of the attention around the GDPR has focused on the threat of sanctions (and the sanctions are hefty, at 4% of worldwide turnover or €20 million).

Instead of seeing the GDPR as a threat, companies should see the GDPR as an opportunity. The GDPR implementation period gives companies the chance to take a step back and think about how they handle personal information, and how they can do it better in the future. In a post-GDPR world, consumers are likely to be much more privacy-aware than today, and their expectations will be higher.

This post sets out the key changes in the Regulation and answers many of the questions businesses have around GDPR.

Why the GDPR, and why now?

The GDPR is being brought in as a replacement for the 1995 Data Protection Directive, and refreshes it to keep pace with the way data is used today. Its aim is to protect the privacy and security of data collected by organizations across the European Union. This is important because as consumers we hand over sensitive information as part of our daily lives: whether we’re booking a flight, accessing online banking, or buying some clothes. The GDPR is intended to give customers more transparency and control over how their data is used.

GDPR is not impacted by Brexit

Let’s make one thing clear: Brexit isn’t going to be a factor in GDPR compliance. Although Britain has voted to leave the EU, the GDPR rules will still apply. Any business that holds identifiable information on any EU citizen will need to be aware of its obligations under the GDPR.

Personally Identifiable Information (PII) is changing

Or rather, the term PII does not appear in the GDPR at all. Instead, the GDPR makes reference to “personal data.” This is significant for North American companies in particular, as PII refers to a narrow range of data such as name, address, birth date, social security number and financial information such as credit card numbers or bank accounts.

Personal data, on the other hand, as defined by the EU, refers to a much wider range of information, as seen in Recital 26 of the GDPR. This could include social media posts, photographs, lifestyle preferences, and, thanks to a recent landmark ruling in the European Court of Justice, IP addresses. Rather than selecting on a set of pre-defined attributes, the GDPR is concerned with whether an individual is in principle identifiable by a set of data.

The onus is on data controllers to define potential re-identification paths, and to work with suppliers and processors to ensure that the services they provide help the controller meet its obligations under the GDPR.

Data Breach notifications

As Troy Hunt of the breach database HaveIBeenPwned has pointed out, some companies, when faced with data breaches, have been less than timely in acknowledging them and notifying customers. The GDPR ensures that in most cases where there has been a data breach, the company affected will need to notify both the Information Commissioner and the affected customers.

In theory, this should make us all a lot safer. Many data losses happen as a result of human error, so the threat of sanctions is likely to mean that, rather than risk it, companies will institute a much more formal internal review process.

Chief Privacy Officer

Under Article 37 of the GDPR, companies must appoint a Chief Privacy Officer if they are a public authority, where their core activities involve “regular and systematic monitoring of data subjects on a large scale”, or where they conduct large-scale processing of “special categories of personal data” (such as data revealing racial or ethnic origin, political opinions, or religious or philosophical beliefs).

Although Article 37 does not specify any precise credentials, it says this official should have “expert knowledge of data protection law and practices.” It would be a good idea to get a head start on appointing one, as individuals with the required expertise will command a premium as the deadline approaches.

The Penalties

The GDPR will apply to any company (including US ones) that has European customers, so it’s not going to be feasible for anyone to ignore the GDPR. The penalties (both financial and to corporate reputation) are too great.

For smaller businesses in particular, the penalties even for a “less serious” breach of the regulations (€10 million or 2% of turnover) could be enough to force a company out of business. However, because fines are set by the Information Commissioner’s Office, businesses can reduce their exposure to the GDPR by following existing best practices such as ISO 27001.

Smaller organizations will also need to bring themselves into compliance, as well as implement more general best practices around information security. Over the coming weeks, months and years we are likely to see plenty of guidance from the Information Commissioner’s Office on how businesses can prepare for and implement the GDPR. However, with the deadline for implementation coming up fast, it’s never too early to begin preparations.