Money’s short, times are hard, here’s your Brexit Christmas card

Brexit

Sometimes the medium is the message and the backstory is the story. Here is one.

At the beginning of December, 10 Downing Street ran a campaign of media pushes for its Brexit deal, with one major sector targeted per day. December 1 was designated as the day for the tech and digital sector, when we would be told why losing our legal foundation, client markets, and employees would be in our interest.

Naturally, it didn’t go to plan, as Politics interfered with politics.

From that false start, DCMS was free to unleash a media push consisting of the usual half-hearted, tubthumping platitudes completely devoid of substance or detail.

It fell to the momentary Secretary of State for Digital, Jeremy Wright QC, a man who was proud to reject the internet and all its works until it became his job, to put his name to the push. He didn’t use DCMS’s own real estate on gov.uk to sell the deal, or any of the open source publishing platforms available to him at any time. Instead, he chose to make his push from behind a premium paywall in the Telegraph, a broadsheet which has lurched so far to the hard right that someone best described it as having cut a line of Thatcher’s ashes and snorted it, and which precisely no-one in the tech industry reads as a source of news.

Screen capture of the media push from behind a premium paywall, published with all the sincerity of a story queued for 12:01 AM

You may think I’m being flippant here, but I am not. Because here’s the thing.

Government ministers should not be making official policy statements on any subject from behind premium newspaper paywalls.

Not now.

Not ever.

Not on any subject.

Not when the future of an industry is at stake.

And not, absolutely not, when the person making the announcement is under a moral obligation to show leadership of the industry he claims to lead by using the tools they create to speak to them on their level.

So what did the paywalled announcement have to say? Well, unless you hand your personal data over to the Telegraph to be exploited through their shiteous interpretation of “legitimate interests”, or pay for a subscription, the official policy statement on your future is not available to you.

Unless, of course, you’re a geek, and you view source on mobile, cut and paste the code into your notetaking app of choice, and strip away a few dozen formatting tags to read it.

The full statement:

Reflecting the UK’s strengths as world leader in technological innovation, our future relationship with the EU will include new arrangements on digital and data – supporting these fast-evolving, creative sectors and helping to build the best conditions for new digital businesses to start-up and scale-up.

These specific arrangements will cover a wide range of areas including e-commerce, telecoms and emerging technologies which together highlight the increasing importance of digital trade globally.

Earlier this week we published statistics showing the vital contribution the digital and tech industries make to our economy. They are worth more than £130 billion to the UK annually. The latest figures also show we exported more than £18 billion of digital services to the EU in 2016 and imported close to £11 billion. The trade body for the industry techUK has backed our deal alongside global tech giants such as Microsoft.

At the heart of the deal are commitments to make sure the millions of firms which rely on the instant exchange of data across national borders have confidence they will be able to trade without restrictions.

Data is the lifeblood of the digital economy and thanks to it and the use of online platforms we’ve seen huge improvements in how we travel, do our shopping and access our banks. This means our holiday booking is straightforward, we have greater choice in online shopping, and companies can provide services to their clients at ultra-fast speed.

We estimate three-quarters of the UK’s service exports to the EU rely on data flows, so it is absolutely essential this continues unhindered post Brexit.

It’s not just tech firms that rely on data flows. It underpins businesses big and small and in every sector of the economy – from video games makers to fintech companies, mail order firms to manufacturers. Many companies are now dependent on services such as cloud computing to power their services, while others use data to programme and test new technology to solve problems we will face in the future – from an ageing society to curing disease. And those businesses want certainty.

The deal negotiated by the Prime Minister not only delivers certainty, but it also sets out new and specific arrangements on digital and data.

In the wake of the Cambridge Analytica and other data scandals which have raised public concern, it reaffirms our commitment to high data protection standards. The UK and the EU have agreed to put in place arrangements on personal data so it is protected and can be processed safely and securely. This means that once the implementation period is over, we can continue to reap the economic benefits that come from the free flow of data.

This deal will guarantee open and liberalised telecoms markets and prevent anti-competitive practices, including from major suppliers, to give both consumers and business access to the digital infrastructure they rely on to operate across the world.

With its commitment to protect against unjustified barriers to digital trade and create an open and secure online environment, we are confident the deal delivers on our promises to help new technologies evolve and encourage innovation in the economy.

I don’t know what sort of professors you had, but I would have failed any course where I tried to pass that off as the sum total of what I had to offer.

Now, let’s be fair. The announcement was not only covered in the Telegraph. It was also covered in, uh, Computer Weekly, Government Computing, and Further Education News. (No, me neither.)

Those PR-ified announcements carried endorsement quotes from three bodies – you know the ones, the usual suspects – which are either funded by government, or are so materially and structurally close to government, that they do not qualify as legitimate independent groups, no matter how badly they try to pretend otherwise. One of them was mentioned in the Telegraph statement, leading Sky’s Rowland Manthorpe to correctly pick up on the real story of the media push – ably assisted by Mike Butcher – which was DCMS choosing what it wants to hear, choosing who it wants to hear from, and choosing where it wants to hold that conversation.

As for DCMS tagging organisations which are vehemently against its Brexit plan in its promotional tweets, as if to imply that those organisations were thumping the tub in an approved manner? It would have been headline news in a more innocent era, like 2016. Not now.

That, then, is your Christmas card from Brexit Britain. And you’re tired, and drained, and worn out, and resigned to defeat. But you need to open up a can of I Ain’t Having This and keep going, because your industry is being driven towards a cliff by Jeremy Wright and his sycophants, and if what you’ve read above doesn’t make you angry for your sector’s future, you’re as unqualified to work in tech as they are.

What's next?
For more on the substance of regulation throughout the transition, please visit my side blog at afterbrexit.tech.

Facts are stubborn things

Accessibility

I do a lot of public speaking to open source project contributors about the cultural differences within ecosystems and teams. I do that not to drive people apart, but to help them recognise those differences, and to inspire them to overcome them for the good of their projects and end users. (Apparently I’m not too bad at it.)

Most of my talking is around the concept of privacy, but everything I discuss on stage is equally applicable to accessibility. There are reasons for that. You see, you might think that privacy and accessibility are universally respected concepts and values. Truths we hold to be self-evident. They are not.

Within tech and digital, there is a mindset which views both concepts with negative hostility. Privacy and accessibility, after all, are the two aspects of web development most strictly defined and required by legislation. And that alone, in the strange world of the filter bubbles of the tech elite, is used to twist those values into an insult to everything they believe.

The mindset in question is what’s known down the pub as the Silicon Valley libertarian mentality – the one which, at this point in our industry’s history, holds all the money and power. What you have to understand is that this mindset neither respects privacy and accessibility nor honours those who expect it. Cultural values which may seem obvious to many of us, instead, set off three very deep triggers for those who uphold that mentality.

First, privacy and accessibility requirements trigger the perception of government interference in the form of legislation.

Second, privacy triggers offense to the sense of entitlement to and over others’ data without consent.

And third, privacy and accessibility requirements trigger the belief that compliance threatens the right to innovate without requiring inclusion.

Now throw in the fact that many of the compliance requirements in their way come from Europe and you might as well have slapped them in the face.

For balance, I follow several US libertarian/right leaning tech groups, and the contempt they spit for privacy and accessibility would knock you out of your chair. They do not see the values of privacy and accessibility, the benefits to users, or the positive results for their own businesses. They only see government infringing on their freedoms. End users, and any sense of duty of care over them, aren’t even in the picture. Tech has a reputation of being very left-leaning, and that is generally true of those on the proverbial agency floor. But tech leadership, in its heart of hearts, is moving hard to the right.

These cultural differences aren’t just present in the largest projects, social networks, and tech businesses. They are in every project. They are in yours.

My tech community is currently living through the real-time manifestation of this cultural divide. A new and innovative product has been created, and a new and innovative product must be shipped. In its current state, it will not achieve the accessibility compliance requirements that its end users need. The fact that those accessibility requirements are grounded in law does not help its supporters’ cause: it makes it worse. The law is getting in the way of innovation, so both the law and the value it requires have been disrespected in a way that has damaged the entire project’s reputation. No matter. The innovation must be allowed to proceed, and the legal concerns are, officially, FUD. End of story, now stop talking the project down and get behind it, saboteurs.

Thing is, those end users are still standing at the finish line, waiting for us to support them.

For those of us whose privacy work has already been on the receiving end of the disrespect which characterises this cultural divide, we have little more to offer our accessibility friends other than knowing sighs. What we’d really like to offer, though, are some shipped tickets and completed roadmap goals. Our privacy tickets, you see, got punted along with theirs; they were standing in the way of innovation too. The mindset we are up against doesn’t do happy middle ground.

What that mindset does do, though, is talk a lot about opportunity. On that we can agree. There are opportunities to learn from these mistakes, and to bridge these cultural divides, for the good of all projects. One way to bring some good out of bad would be for projects to create clear advocacy statements and declarations of values which include privacy and accessibility as foundational elements outside legal requirements. Integrating privacy and accessibility as project foundations is, in a crafty way, calling the Valley mentality’s bluff: if these values have their negative legal connotations and threats stripped away, project leaders are left with the obligation to explain how they will honour the users who expect them, and to do so in a transparent and accountable manner.

(I even started a GitHub repo to define what project privacy means outside legal requirements, and you’re welcome to join in.)

Fighting that battle, though, is a matter for the time and consciences of project leadership. For those of you who have always viewed privacy and accessibility as powerful tools for user protection and empowerment, and have continued to support your teams through all the attacks and humiliations, it is up to you to continue demonstrating that quiet leadership in everything you do.

And right now, let me tell you: you’re doing great.

On speaker travel expenses, or, why enough is enough

ex-oss

A couple of months ago my life fell apart in a morning. Being self-employed, I had two figures in the bank, which wasn’t enough to be able to afford a train ticket to safety; a kind soul bought me one. On that train to a safe place, still very much in shock, I put up a donation form and tweeted it. The funds that came in were literally the difference between having a roof over my head and sleeping rough.

The next day, having not slept at all, I had to take some of those funds and book a train, a hotel, and a flight. Not for safety or shelter, but for conference talks I’d already committed to giving, at conferences which do not cover speaker travel or accommodation.

If I’d had doubts in my mind about having to pay hundreds of pounds per year out of pocket just to do my job, that betrayal of those supporting me sealed the decision.

The day after that, I parked myself in a Waterstone’s cafe to show up for office hours for my contract and I got back to work.

Three weeks in hotels and four months in a filthy homeless unit then followed. I had no internet. I still turned up for my fucking job every day. Even if the people I was working for didn’t.

Fast forward a few months later. I’m in my new permanent home, out of homelessness. My new place, as fate would have it, is the home of my dreams, but it’s cost me. I lost all my furniture in the eviction, and I still don’t have my worldly possessions back. I’ve had to buy everything from scratch – dishes, the fridge, the bed, the table I’m sitting at, the hardware I needed to assemble them. My home doesn’t have floors either, just bare, stained, seriously squeaky floorboards covered in Ikea boxes, which my big feet trip on about once every five minutes. In short, I’ve got a lot more expenses coming up just within my four walls, and I need a job to pay for them. But in order to get money in, I have to put money out. A lot of it.

I had applied to speak to an international conference at a time when I thought I would still be in that contract to pay for it. As it turns out, I opted not to renew that contract, and rightly so. But it left me facing a £600 bill out of pocket for barely 48 hours abroad, to give a conference talk which absolutely needs to be given, when I’m just getting on my feet again.

We can’t go on like this. Any of us.

It’s not the conference’s fault, nor is it the fault of the stellar organising team. They actually agree with me on all of this. This is just the system we all work in.

I don’t really expect to be paid to speak; it’s only happened once.

But we work in an industry where you pay to get to where you want to speak, you pay to stay where you want to speak, and when you ask for help, you’re told that you’re “volunteering”.

I don’t think I have to present my credentials as a speaker. My daughter even jokes with me, “are you going to be in the country at the end of the week?”, the punchline being the moment of fleeting panic where I genuinely wonder if I am.

Those credentials qualify me to call bullshit on the official line that putting a measurable percentage of your income as a self-employed individual back into travel and accommodation is “volunteering”.

Here’s why.

The exact same talk. Two people. One is employed as a remote worker by an agency. The other is a self-employed woman (who doesn’t want to be self-employed, but that’s another story) who has just come out of homelessness (hello).

The first one has their travel and accommodation covered. As a salaried employee, their time for research, preparation, and delivery is covered. They also get paid holidays, sick pay, insurance, and a weeklong company gathering in the sun a few times a year. Their company enthusiastically tweets and blogs about their talk.

The second one hasn’t had a paid sick day or holiday since 2005, has to take on wee jobs they really don’t like to pay the bills, and their slides are perpetually late because they’re constantly having to beg around for money to be able to present them. No company promotes their talk. Sometimes, in fact, companies they’re contracting for troll it.

The first one’s conference talk is a business trip.

The second one’s conference talk is “volunteering”.

Exact same talk.

The taxman wouldn’t buy it. Why do we?

No project, whatever their organisational structure or ethos, has the right to define who is and who is not a professional based on how they pay their bills. No project has the right to imply that you are working against it by asking for support. And no project has the right to imply that the stress caused to you by their rules on funding is in fact a mental health issue, and that you should go look after your “wellbeing” instead.

So to bring this story full circle, PHP Yorkshire – where I spoke earlier this year on PBD, and hope to speak at again next year – has agreed to sponsor my expenses to get to next week’s talk.

This is how dysfunctional the ecosystem has become. Conferences which pay for speaker travel are paying for speakers to get to conferences which don’t.

Controversial? Yes. A controversy we need to have? Absolutely.

I can’t wait to get there next week. I’m going to love it. I’m looking forward, in particular, to discussing opportunities to work in tech policy and advocacy on behalf of the projects and companies in attendance, so that I can actually do the work I want to do rather than constantly scouting for expenses.

I think we’ll all be better off for it.

So going forward, if you want me to speak, you’re going to need to get me there.

Of course I value your project, and your ethos, and your community. But from now on, I value myself more.

Pulling the plug on legal compliance plugins

Professionalism

Working on WordPress.org’s GDPR compliance team is providing a good opportunity to look at other issues not necessarily related to one piece of legislation, but which impact the .org ecosystem all the same. Amongst other things, we are taking a look at the plugin developer guidelines to see where we can strengthen and clarify what they say about the ways data should be structured and protected. While we were thinking about the plugin guidelines, I took the opportunity to kill off a problem I have ranted against on conference stages for years.

I worked with the .org plugin review team to have Section 9 of the plugin development guidelines, “Developers and their plugins must not do anything illegal, dishonest, or morally offensive”, amended with the following line:

  • implying that a plugin can create, provide, automate, or guarantee legal compliance

and with that, an issue which has always troubled me as a real risk to the integrity of the ecosystem has been shot down.

Going forward, plugins can, and certainly should, clarify that they can help a site administrator with aspects of a compliance issue, whether that is a front-end process or a back-end workflow. But claiming that a plugin is legal compliance, or can make it happen by mere activation, is no longer allowed.

As Mika Epstein and I wrote in the email explaining the change:

Sadly, no plugin in and of itself can provide legal compliance. While a plugin can certainly assist in automating the steps on a compliance journey, or allow you to develop a workflow to solve the situation, they cannot protect a site administrator from mistakes or lack of compliance, nor can they protect site users from incorrect or incomplete legal compliance on the part of the web site. In short, plugins are helpful tools along the legal compliance journey, but should never be presented as a solution, nor should they give users a false sense of security.

We also wrote a FAQ for developers whose plugins have been identified as potentially being in violation of the new rule.

So what does this change mean in the long run?

First, and most importantly, it means the days of plugins claiming to be the click-and-install solution for everything from GDPR to accessibility to contracts, either inadvertently or on purpose, are over.

For WordPress, it means the risk of reputational damage from this kind of abuse of the ecosystem is diminished, albeit within the plugin repository it can control.

For developers, it means working a little bit smarter. It’s not in any developer’s interest to be held responsible for a site’s compliance failure based on the promises made in a plugin’s description.

And for everyday site administrators, it’s a bit of tough love for tough times. Compliance matters like accessibility, VAT, and privacy should not be left to a 60 second search of the plugin repo. If you want a plugin to make your business legally compliant for you, you’re asking the wrong question.

Not a bad outcome for a few days’ work.

Many thanks to Mika Epstein for talking me through the idea and taking it to the team for quick action. And with that, it’s back to work.

Named Persons II: Scotland’s next mass civilian database

UK policy

Last week I was chatting with some rather cracking professional digital rights activists. The conversation included my attempt to get them, from their London/English perspective, to understand the different cultural approach to mass data collection and databases that we live with here in Scotland. All too often, data collection projects which would be seen as violations of privacy, data protection, and the right to private life anywhere else are seen as “unquestionably legitimate and benign” here.

That is not just my opinion. Last summer the UK Supreme Court struck down the Scottish Government’s Named Person legislation, a mass data collection and sharing regime involving every child under the age of 18. The data collection (for the children’s benefit, because won’t somebody think of the children) would allow the whole of the Scottish public sector to obtain huge amounts of data on children, parents, and their private lives not for the purposes of safeguarding, but for “ensuring wellbeing” – a wooly phrase for bringing social engineering into every home. The Supreme Court judgement used the actual word “totalitarian” to describe the government’s aims.

The Scottish Government is determined to implement the legislation regardless and is redrafting it for its second iteration.

In the meantime, they have announced plans for a second mass data collection and sharing database, which once again is presented as being in the public interest.

Won’t somebody think of the OAPs

Yesterday the Herald published a piece titled Grey Matters: Scotland’s police aim to build database of dementia sufferers.

The story began:

POLICE hope to build a database of Scotland’s dementia sufferers as they try to speed up their searches for vulnerable elderly people who go missing.

If this was anywhere else in the world, the phrase “Police hope to build a database” would have been the story itself.

But this is Scotland.

It continued:

Senior officers have long warned that finding confused pensioners who “wander off” is taking up an increasing amount of their time and resources. […]

Now the force is looking at keeping detailed records of such high-risk people – such as where they or their children went to school or where they lived as a child. […]

Experts are currently assessing a pilot project in Lothian and Borders division, including Edinburgh’s suburbs, where notes are kept on potential missing persons. [emphasis mine]

[…] The pilot project, which officers hope will get approval to be rolled out nationwide in the summer, is designed to help police pin down where an old person may have gone. Chief Inspector Lex Baillie, the officer in charge of missing persons, explained: “We are talking about things like where their children went to school, where their parents are buried or where their spouse worked.” It can take too long to get such information after a person is reported missing, sources suggest. […]

Police Scotland is currently looking at ways of reconfiguring its services to reflect the new reality that four out of five of its work is not related to crime, but to broader issues of vulnerability. Officers, however, recognise that finding people, including missing elderly people, involves many of the same detective skills as solving crime.

Let’s pause there.

What is happening here is that the police are seriously proposing that the families of people with dementia provide every possible detail, biographical fact, and anecdotal nugget that might provide clues to their loved one’s identity if they ever wander off. That information will include details about homes, schools, streets, parents, spouses, children, grandchildren, workplaces, and anything of note that they think a lost person with dementia might find themselves talking about if they are located safely.

Aside from the fact that this database would be an identity theft goldmine involving the personal information of millions of people, it is planned to go ahead despite the statement that “Police Scotland is currently looking at ways of reconfiguring its services to reflect the new reality that four out of five of its work is not related to crime.”

If that is a passive-aggressive way of saying “we are wasting our time on non-criminal issues,” why would you want to add mass data collection and retention on individuals who are neither involved in nor suspected of criminal activity?

The Herald continued:

The force is currently working with other partners, such as social work departments, on two other pilot projects for missing people, including NHS patients and young people in care.

This work is being carried out in conjunction with the Scottish Government. A spokesman said: “We have been working in partnership with Police Scotland leading experts in the field of missing people to develop Scotland’s first national framework for missing people…. As part of this approach, Police Scotland has worked with community partners to deliver three pilots – on looked-after children who go missing from residential or foster care; adults who go missing from care homes in Scotland; and patients who go missing from NHS care in Scotland.

“The pilot evaluations will inform our work in finalising the framework to ensure evidence-based best practice can be adopted across Scotland. We anticipate the framework being launched by the summer.”

We’ve got lots of “working in partnership”, which is Scottish for “job creation”, but what is missing is public consultation and objective scrutiny. This is all being done behind closed doors, by people who use language such as “finalising a framework to ensure evidence-based best practice” as code for “we know best and what we are up to is none of your business.”

Questions need to be asked

The Herald clearly disappeared up its own backside with this one, so here are the questions that responsible journalism would have asked:

  • Why do Police Scotland want to take the lead here? They come in only if and when the possibility happens (e.g. the person with dementia goes missing.) Why are they so keen to build a mass database?
  • Given Police Scotland’s appalling track record on data misuse, some of which I have personally experienced, what safeguards will be put in place?
  • Who will have access to that database?
  • As the database will be in the hands of the police, what other public records will it be linked to?
  • What rights will family members have over the inclusion of their personal information on a police database?
  • Is this voluntary or mandatory? The amount of “partnership working” suggests it may start as a voluntary pilot scheme but move on to mandatory.
  • Why is digital solutionism (e.g. build a database) being presented as the solution to a problem that has nothing to do with technology: people wander off from homes they should not be living in because there is not enough adequate sheltered and community care for the elderly?
  • Why is the Herald citing the deaths of three people with dementia – just three – as justification for a database potentially involving data records on millions of people?
  • What happens when a person with dementia is found alive and provides answers that are not in the database?
  • What happens when a person with dementia is found dead, as happens, and all that data collection was for naught?
  • What happens when mass data collection on people with dementia and their families does absolutely nothing to stop the problem from happening in the first place?

I’m glad that Open Rights Group are hiring a Scotland Director because this is the kind of thing that civil society needs to fight tooth and nail.

Until then, the usual cadre of hand-wringing do-gooders – the kind that phone you at home at 9 PM steaming drunk braying “you neeeed my help” – will, no doubt, come out in force in support of this idea, as will the Scottish Government-sponsored third sector executives who know how their mortgages are paid.

If they truly wish to press on with the idea, they should focus their energies on improving it – keeping it out of the hands of the police, for one thing, and ensuring that the data is not linked to other public records, for another – rather than biting their tongues so they do not bite the hands that feed them.

But let’s look at the bigger picture here.

Only in Scotland would a police database holding thousands of personal details on people and their families, despite having no links to crime whatsoever, be created without public consultation, presented as a positive benefit to society, and then cheered on by our supplicant media.

As Scotland faces a second independence referendum it’s troubling to note that there are those who seem quite happy to aspire to building a nation where civil liberties are viewed as an obstacle to public order.

I am not one of them.

The idea that mass data collection and retention by the police is in the public interest because it could, somehow, predict and negate what might come out of the mouth of a wandering soul with dementia suggests that in Scotland, it is not the patients who have lost their minds.

Update 3 March

Today the Herald has published a follow-up piece titled “Police handle tide of ‘concern for wellbeing’ about people with dementia and poor mental health”.

The piece stated that

Last week we revealed that missing persons officers were looking at keeping a data base of the habits and history of elderly people with dementia and other vulnerable people, including the mentally ill. (emphasis mine).

There was nothing said about mental health in the 23 March piece introducing the police database.

In a fortnight, public sector scope creep has roped in tens of thousands of additional subjects for the database.

Instead of spotting that inconsistency and challenging it, the Herald, for reasons known only to itself, has chosen to stick to the Scottish custom of “working in partnership” and not rock the boat.

So who is “mentally ill” enough to merit a place on the database? What conditions will get you put on it? What data sources will these records be pulled from? As with the dementia sufferers, will details of their personal histories, families, and relationships be added to the database “just in case?” What about consent? What about accuracy?

Where are the questions? Where are the people asking the questions? What’s the matter with you, Scotland?

A bit of personal history here. When I became a mother in 2006, someone somewhere in the system – I never knew who and I never knew why – recorded me as being “likely to suffer from postnatal depression”, despite me never having had any mental health issues then or now. How did I find out about this? My health visitor accidentally left my records next to the changing mat at the new mums’ social group. (If you stick a file folder with my name on it next to the wipes I’m generally going to look at it.) My health record stated I was “vulnerable” and “likely to struggle to cope” because I was “not from Scotland” and have “no family here.”

That – wiping my kid’s arse – was how I learned that my basic biographic details had been used to make a parochial judgement about me without my knowledge or consent.

Much to their seeming disappointment I was hunky dory about new motherhood, aided in large part by a baby so chilled out she practically wore sunglasses. Nevertheless, I spent three months being asked “Are you sure you are okay? Are you really sure?” by health visitors who were determined to believe that my answer of “really, I’m fine” was a cry for help because it was delivered in an accent that didn’t sound like theirs. Finally they got the point and sodded off to what I can only hope were mothers less fortunate than me who really did need the help.

We have a health and social care system that will make judgements about you without your knowledge, without your consent, and hell, without talking with you first. They will put you on lists. They will misclassify you as “vulnerable”. They will record you as having mental health issues even though you do not.

And now, apparently, they want to put you on a police database too.

Just in case.

A woman’s place is in the House (of Commons)

Brexit
For more on Brexit and tech policy, visit my dedicated side blog at https://afterbrexit.tech.

Parliament carried on as usual today. Parliament carried on because the people of this country had questions that needed answers.

In Parliament’s first hour of business on the morning after, I was one of them.

Hansard records that my MP, Kirsten Oswald, put my question forward as this:

T8. My constituent Heather Burns works in the digital economy. She has only ever known a borderless, connected world of work. Can the Secretary of State reassure her that he understands the difficulties that Brexit is likely to cause for this very globally focused industry? What action is he going to take to prevent problems from occurring? [909447]

Liam Fox answered:

One problem that we have faced in recent times is that although the European Commission has been relatively forward-leaning on digital issues, European Union members have prevented the Commission from taking forward some of the measures of liberalisation that would, in fact, help this country and others. As we leave the European Union, we will want to see what advantages there are for the United Kingdom in liberalising our economy, especially so that the digital economy and e-commerce can flourish.

That is part and parcel of what we have come to expect from the May government.

The issues I discussed with Kirsten at her surgery, and have subsequently elaborated on with her staff, are about the problems that Brexit and its related uncertainty are causing and will cause for our industry.

Liam Fox twisted our EU membership into the problem itself, and presented Brexit as the solution.

We knew we were going to get that. We knew that.

But we had to show up in Parliament, put the questions forth, and make the effort.

We’ve done that. And now it’s time to roll our sleeves up and work harder.

The Brexit white paper on digital: a very short post


And so we had the government’s Brexit white paper, a document so vapid that it inspired my MP to tweet that it reminded her of a high school student stretching out an essay to meet the required word count.

Eagle-eyed readers spotted the date stamps on many pages of the PDF version indicating that the paper had been finished between 3 and 4 AM on the day it was due to be published. That stunt was funny when I pulled it in uni. It isn’t funny when it is the work of a government supposedly setting out “a vision of an independent, truly global UK and an ambitious future relationship with the EU.”

As always, I read the document to see what it said about specific policies relating to tech and digital. As always, it was a very quick read.

Existing digital laws

1.1 To provide legal certainty over our exit from the EU, we will introduce the Great Repeal Bill to remove the European Communities Act 1972 from the statute book and convert the ‘acquis’ – the body of existing EU law – into domestic law. This means that, wherever practical and appropriate, the same rules and laws will apply on the day after we leave the EU as they did before.

We knew that.

Digital Single Market

8.18 The Single Market for services is not complete. It seeks to remove barriers to businesses wanting to provide services across borders, or to establish a company in another EU Member State, through a range of horizontal and sector-specific legislation. This includes the mutual recognition of professional qualifications. The EU’s Digital Single Market measures are designed to ensure the regulatory environment keeps pace with the evolving digital economy.

That answer would be like me asking “what is the future of the library I am writing in at the moment” and being told “a library is a building which holds books.” Someone stayed up all night to write that.

Data protection (GDPR)

8.38 The stability of data transfer is important for many sectors – from financial services, to tech, to energy companies. EU rules support data flows amongst Member States. For example, the EU data protection framework outlines the rights of EU citizens, as well as the obligations to which companies must adhere when processing and transferring this data. There is also an ongoing consultation regarding the free flow of data, including considering whether legislation is necessary to limit Member States’ requirements for data to be stored nationally.
8.39 The European Commission is able to recognise data protection standards in third countries as being essentially equivalent to those in the EU, meaning that EU companies are able to transfer data to those countries freely.
8.40 As we leave the EU, we will seek to maintain the stability of data transfer between EU Member States and the UK.

This means that we will be going into GDPR, as we have already been told. The question is what happens after GDPR. I and many others have concerns that Theresa May – the most surveillance-mad Prime Minister ever to hold the office in peacetime – would seek to water down data protection, or even scorn EU-compliant data protection standards, for the sake of a US-style self-regulatory approach which satisfies her authoritarian appetites.

And that’s yer white paper lot.

For their part, TechUK published a diplomatic response to the paper politely thanking the government for its complete lack of clarity and its ongoing commitment to leaving the industry suspended in uncertainty.

It’s gonna be a long couple of years.

A fresh round of government evasions on digital, Brexit, and the Digital Single Market


There were some intriguing developments announced regarding the UK’s Brexit negotiations and the Digital Single Market strategy on Friday the 20th of January. I can’t imagine why we all missed it.

These developments came in a report published by the Business, Energy, and Industrial Strategy Committee of the House of Commons. The full report is fourteen pages in PDF, also available in one page of six-point type.

Keen readers will recall that the committee’s predecessor, the Business, Innovation and Skills Committee, published a comprehensive and surprisingly critical report on 18 July (the transition week between David Cameron and Theresa May) which took the government to task on the digital economy. That report made several recommendations and demanded clarification on important digital and tech issues.

The report released on 20 January contained the government’s response to the Committee’s recommendations made in July.

Without reading a word of it, that fact alone should give you a sense of what the government’s response looks like. It has taken them six months to answer simple questions and as you will see, the answers, for what they are, say very little. It’s as if “taking back control” was really about Theresa May’s well-publicised control freakery and not the wider economy. Who would have guessed that?

For this post I have picked out the usual points of interest.

Measuring the digital economy (miscounting)

The miscounting of the digital economy, and all those who work within it – a consequence of outdated economic taxonomies that have only been reviewed a handful of times since World War II – is the root cause of many of our industry’s political difficulties. You can read my previous rants on it here.

In July the committee said:

…[w]e recognise the difficulty of measuring the digital economy, but the Government should look to the work of the Office of National Statistics, and explore ways of collecting real-time data in the digital economy, and ensure that established Standard Industrial Classification (SIC) codes are agreed and used, in different parts of the digital economy.

The government replied:

The Government is also working with international colleagues to define the digital economy and to influence the standard industrial classifications (SICs) at an international level so that they reflect the changing nature of the economy in a way that works for the UK.

This is a typical May government non-answer. What international colleagues? What workings? What meetings? What sessions? Where are the working papers, the draft taxonomies, the calls for input? What does “in a way that works for the UK” mean in the context of a system which is inherently international?

Nothing done without us is for us, yet the government here takes a parental tone that they know best.

The Government’s Digital Strategy

This pertains to the absurd saga of the government sneaking in a three-week consultation about the domestic digital strategy over Christmas break 2015 and then doing nothing with the results, conveniently blaming Brexit.

In July the committee asked:

We look forward to the publication of the Government’s Digital Strategy, in the summer of 2016 (six months later than expected), which should explain how the Government will build on its success. We regret this delay, and call on the Government to explain the reasons for it, and why they initiated a three-week consultation over the Christmas break on what the Government should include in the strategy.

The government’s January answer is so self-servingly evasive it is almost admirable.

We are already among the most digitally connected countries in the world with a globally successful digital economy. Following the decision of the British people to leave the European Union, we have been engaging closely with the digital industries to understand their priorities, and will continue to do so. At the Autumn Statement, the Chancellor underlined the Government’s continued support for innovation and technology with the announcement of an additional £2 billion of public spending on R&D a year by 2020–21 and a £1bn investment in digital infrastructure. We will continue to work with industry to ensure that our digital and industrial strategies help boost growth and productivity across the country and across the economy.

Yes, they completely ignored the original question.

Now it gets interesting. The committee had also asked:

The Government must also explain how the Digital Strategy will be affected by the referendum result. It should also set out in its reply and in the Digital Strategy a list of specific, current EU negotiations relating to the digital economy.

The government responded:

The decision taken by the British people to leave the European Union will clearly change our relationship with the EU, but it will not stop our progress toward a more digital economy. The decisions around priorities for the renegotiation will be taken by the Prime Minister in due course.

So there is your government digital strategy. Theresa May is the strategy. L’état, c’est moi.

The government response now comes to the list of the specific, current EU negotiations they claim to be involved in:

We are currently involved in the following EU negotiations related to the digital economy:

  • Reforming the European Copyright Law package
  • Electronic Communications Framework Review
  • Services Package, as part of the Single Market Strategy, including the Services notification procedure
  • General approach on geoblocking
  • General approach on Consumer protection Co-operation
  • Digital Single Market VAT (e)-package (VAT on e-commerce, e-publications, e-books) (HB note: VATMOSS)
  • Free flow of data initiative (HB note: this means GDPR)
  • Legislative Proposal on Services Passport

That is news to every one of us.

The government says they are involved in these negotiations but there is no transparency, there is no indication of who is doing the work, there is no detail available, there is no progress report, and the list itself had to be dragged out of the government by Parliament.

“Taking back control” and so forth.

Digital Single Market

In July the committee pulled no punches:

The decision to leave the European Union risks undermining the United Kingdom’s dominance in this policy area. We could have led on the Digital Single Market, but instead we will be having to follow. The Government must address this situation, to stop investor confidence further draining away, with firms relocating into other countries in Europe to take advantage of the Digital Single Market… the Government needs to address the issue of whether businesses will be able to access the European Single Digital Market, if they want to do so. In broader terms, we recommend that the Government sets out in its digital strategy the implications of withdrawal from the European Union, in reference to specific, current EU negotiations relating to the digital economy.

The government has responded:

While we remain a member of the EU we will continue to play a role and represent the interests of the British people. This includes taking an active part in and influencing negotiations regarding the Digital Single Market and ensuring that British views are heard in the debates. Government will need to consider all factors carefully in implementing the decision of the British people, but access to the single market will be one of the most important issues to address…

We will be considering all options to ensure that digital companies can make the most of our trading relationships with the rest of the world.

Did you catch what they did there? The government responded to the committee by repeating their question back to them in a way that made it look like an answer. Where the Digital Single Market is concerned, this tactic seems to be catching. Just look at what the Brexit white paper published last Thursday had to say about the DSM:

8.18 … The EU’s Digital Single Market measures are designed to ensure the regulatory environment keeps pace with the evolving digital economy.

Really: that was all it said about the DSM. The government did not say what we are doing with it. They repeated the definition of what it is and called it an answer.

We recognise that Britain is leaving the EU. We recognise that negotiations are complex and delicate. We recognise that these things take time.

We also recognise when the government is taking the piss.

A plain English guide to the EU public sector accessibility directive

Accessibility

Earlier this year I wrote about the EU’s superb directive on the accessibility of public sector websites and apps.

On 26 October the European Parliament formally approved the Directive, and on 2 December the full legal text was published in the Official Journal of the European Union.

Better web accessibility in public services across Europe is ready to go.

What follows here is a plain English explanation of what the Directive sets forth to improve public sector accessibility across Europe.

This Directive should not be confused with the European Accessibility Act, which is a completely separate law dealing with a completely separate issue.

What is the definition of “public sector web sites and apps?”

There is always a danger of splitting hairs over what exactly qualifies as a “public sector web site and app”. My concern was that arm’s-length organisations, quangos, and special commissions – groups which are entirely government-funded but frankly pretend they are not – would exempt themselves from accessibility requirements.

For the purposes of this accessibility directive, a public sector body means “the State, regional or local authorities, bodies governed by public law, or associations formed by one or more such authorities or one or more such bodies governed by public law, if those associations are established for the specific purpose of meeting needs in the general interest, not having an industrial or commercial character.”

That being said, the Directive exempts NGOs, which are “voluntary self-governing bodies” providing services that are “not essential to the public, such as services that are not directly mandated by State, regional or local authorities…”

This sweeps arm’s-length organisations and quangos into the scope of the Directive.

Clever.

Accessibility standards and “presumption of conformity”

The Directive requires member states to “ensure that public sector bodies take the necessary measures to make their websites and mobile applications more accessible by making them perceivable, operable, understandable and robust.”

This is to be achieved by the requirements set forth in clauses 9, 10, and 11 of European standard EN 301 549 V1.1.2 (2015-04).

Until a specific harmonised standard is specified, European standard EN 301 549 V1.1.2 (2015-04) should be considered the minimum principle.

The concept of the “presumption of conformity” means that public sector web sites and apps do not need to be rebuilt from scratch to conform with the Directive, nor does a new set of rules need to be retrofitted onto the back.

A public sector web site or app which has already been built to, and meets the requirements of, a recognised accessibility standard will be considered to be in conformance with this Directive.

The Commission is allowed to amend the Directive in future to note a new minimal standard, such as any update to EN 301 549 or to an alternative European standard which might replace it.

The Directive does not specify any specific technology for use in any specific application.

Harmonisation

The Directive sets forward a minimum base standard for compliance, monitoring, and evaluation across Europe. Member states are permitted to introduce additional requirements for public sector accessibility on a national basis as they see fit.

Exemptions

There are several exemptions within the Directive. These include:

  1. Office documents, such as spreadsheets and PDFs, published before 23 September 2018;
  2. Pre-recorded live video posted before 23 September 2020;
  3. Live video (for example, a live press conference);
  4. Online maps and mapping services, as long as there is an accessible version providing essential information for navigational purposes;
  5. Third-party content which the public sector body has no control over;
  6. Reproductions of items in heritage collections which are too fragile or expensive to digitise;
  7. The contents of extranets and intranets published before 23 September 2019;
  8. The content of web sites and apps which are considered archival, meaning they are not needed for active administrative purposes and are no longer updated or edited;
  9. The web sites of schools, kindergartens, and nurseries, except for content pertaining to administrative functions.

Disproportionate burden

This is a remarkably pragmatic piece of legislation. Within certain situations, the Directive acknowledges the concept of a compliance burden so disproportionate that it would “jeopardise the body’s capacity to…fulfil its purpose”. (If only we’d had such pragmatism over VATMOSS.)

In deciding whether accessibility compliance on any given web site would impose a disproportionate burden, the public sector body must consider its size, resources, and function; the estimated costs and benefits for the public sector body in terms of the web site audience with disabilities; and the frequency of use and lifespan of the web site in question.

If accessibility compliance for a web site or app is deemed to carry a disproportionate burden, the public sector body must give a full explanation of this within the web site accessibility statement.

Accessibility statements

Web sites and apps which fall under the Directive must have a detailed, comprehensive, and clear accessibility statement. The statement must describe compliance efforts specific to the Directive; it should not be a self-serving declaration of the “we passed it through a checker” type.

The accessibility statement must also include:

  1. an explanation of any parts of the site which are not accessible, which should include links to any possible alternatives;
  2. a description and link to a feedback mechanism for accessibility concerns; and
  3. a link to the defined enforcement procedure being established under the Directive where people can raise a formal complaint if they feel their feedback has not been respected.

The Commission plans to draft a “model accessibility statement” to use as an example. Here’s gov.uk’s example, based on the EC example.

The accessibility statement must be accessible. This should be obvious but sadly it has to be said.

Monitoring and reporting

The Directive requires member states to periodically monitor affected sites for compliance. To achieve this, the Commission will set forth a methodology (in other words, a process) for member states to use to evaluate compliance. This methodology must be on the books by 23 December 2018. The Commission is keen on this methodology being uniform across all member states in order to provide an accurate picture of compliance across the board.

The monitoring methodology must describe:

  1. How frequently web sites and apps will be evaluated;
  2. What will be tested, and how;
  3. What mobile content will be tested, inclusive of updated versions of apps;
  4. How accessibility conformance will be demonstrated, directly referencing technical specifications and standards;
  5. How areas for improvement will be identified and communicated to public sector bodies; and
  6. How regular automated and manual testing will be used in conjunction with periodic evaluations to ensure compliance outside formal audits.

From 2021, member states must submit a report to the EC every three years describing their monitoring, compliance, and enforcement efforts.

Enforcement

Does this Directive have teeth? That depends on the member state. Under the Directive, member states must select a body responsible for enforcement, and charge them with creating an “adequate and effective” enforcement procedure. This could include the possibility of submitting complaints to an ombudsman, the selected enforcement body, or any other national authority competent to deal with the complaint.

Remember, this is Europe. The Directive calls for setting up procedures “in order to avoid systematic recourse to court proceedings” in the first place. Enforcement will be a process of constructive evaluations, not adversarial lawsuits.

Review

The Commission will carry out a review of the Directive’s progress by 2022. This will include a look at monitoring and evaluation efforts; an examination of enforcement procedures carried out; and a review of technical advances we may see between now and then which could change the scope of the Directive.

When do these rules go into effect?

The accessibility directive is staggered across four deadlines. These deadlines give member states a lead time of nearly five years to get their acts together.

First, member states must implement the Directive into their national legislation by 23 September 2018.

Second, member states must apply the Directive to the web sites of public sector bodies created after 23 September 2018 by 23 September 2019.

Third, member states must apply the Directive to the web sites of public sector bodies created before 23 September 2018 by 23 September 2020.

Fourth, member states must apply the Directive to mobile apps of public sector bodies from 23 June 2021.

Any questions?