Sir David Davis writes for The Times on how tech companies must respect privacy


As published in The Times:

Back in 2008, when I fought a by-election on civil liberties issues, many thought that my focus on privacy was old-fashioned, even eccentric.

This was, after all, the era of the internet and burgeoning social media. The younger generation happily shared their lives online, handing over personal, often intensely private data with a cavalier insouciance. Within a couple of years Mark Zuckerberg implied that privacy was dead, and it looked as if he might be right.

Yet in that same year Google’s Street View cars were caught collecting wifi data from the homes and businesses along their routes. More recently it was discovered that Google’s Android operating system was tracking users’ locations without their permission or control, and there have been numerous claims that Google Home has been turning itself on, recording conversations and uploading them to Google. Only last month it turned out that Google’s home security device Nest Guard had a built-in microphone that customers were not told about.

Zuckerberg’s Facebook was up to its own tricks, from the Cambridge Analytica scandal to handing out unauthorised access to Facebook users’ private messages, names and contact data to Microsoft, Netflix, Spotify and Yahoo. And its Onavo security app for iPhone was removed from Apple’s app store when it turned out to be siphoning off data for its own use.

This is hardly surprising. When Facebook floated its shares, most financial analysts viewed its users not as customers but as assets, the base from which they would harvest future profits. Facebook was valued at about $100 per user. Big data is big business and big money.

It is going to get worse. As the “internet of things” grows on the back of the development of smart home technology, the data will grow in size, and become even more acutely personal. With that, the strategic intrusiveness will grow.

Last month Amazon announced that it was acquiring Eero, a fast-growing wifi hardware company that makes mesh home routers. The value to Amazon? It has just bought yet another source of data about how you use wifi in your household: when and how long you use your computer, your TV, your Xbox, and even, these days, your microwave and washing machine. Because few of us have time to read all the exhaustive terms and conditions before signing up, few if any of us have given meaningful permission for this to happen. Along with voice-driven software such as Amazon’s Alexa, and the wifi hubs that typically run smart homes, these systems are passing back gigabytes of data to big business.

This wave of intrusive new tech is creeping up on the population just as social media did before, but this time people are awake to it. Three quarters of citizens now worry about the impact of these privacy invasions, nine of out of ten want to control what personal data is collected about them, and nine out of ten want tougher punishments for companies that violate their privacy. And 97 per cent of experts broadly agree.

So it is time that governments did something about it. Just punishing the odd misdemeanour when it is discovered is not enough, and GDPR demonstrates that simple privacy legislation turns quickly into a boring and not very effective box-ticking exercise. The approach needs to be both more strategic and more subtle.

At the strategic level, governments need to be much more sceptical of the benefits of the big mergers and acquisitions in the data world. They also need to be aware of Metcalfe’s Law, that the value of a network is proportional to the square of the number of nodes. This means that the market power of market leaders is vast and needs to be constrained. The Harvard professor Shoshana Zuboff’s new book, The Age of Surveillance Capitalism, characterises quite how dangerous this is. US, UK and EU powers should block more of these acquisitions at source, before the market power gets out of control.

We also need to be more subtle. These days there are limited reasons for the consumer to allow so much central data-gathering. When the smart hubs and voice recognition units were new, it required the processing power of central computers to make everything work. As Moore’s Law makes the tiny processors in the home more and more powerful, this is less and less true. The next generation of Alexa and Google units ought to be able to understand you without central help, and without feeding everything back.

We have a rare good example in the industry’s history here. When people were concerned about how exposed they were to internet-enabled access to all the personal data on their phone, Apple solved this by locking all the data on the phone in an encrypted format. It was very successful. Similarly, there is no reason our personal domestic data should not be held behind a firewall in our own homes, released only with informed consent. Governments could facilitate this by certifying whether products met a privacy “gold standard”.

Governments need to learn to go with the zeitgeist of the technology, and set the marketplace rules to favour the consumer and constrain the biggest players. This is valuable public policy in its own right, but there is also a serious first-mover economic advantage here.

The first government to do this would attract a great deal of investment and research to their country, as companies sought to develop, and profit from, a reputation for respecting privacy, a growing asset in tomorrow’s world. Even Facebook now gets this.