Ethics is the expression of values in actual behaviour. So when you want to do data ethics it is about practical issues, and reconsidering entrenched routines. In the past few weeks I successfully challenged some routine steps in a client’s organisation, resulting in better and more ethical use of data. The provision of subsidies to individuals is arranged by specific regulations. The regulations describe the conditions and limitations for getting a subsidy, and specify a set of requirements when you apply for a subsidy grant. Such subsidy regulations, once agreed, have legal status.

With the client we’re experimenting in making it vastly less of an effort for both requester and the client to process a request. As only then does it make sense to provide smaller sized subsidies to individual citizens. Currently there is a rather high lower limit for subsidies. Otherwise the costs of processing a request would be higher than the sum involved, and the administrative demands for the requester would be too big in comparison to the benefits received. Such a situation typically leads to low uptake of the available funding, and ineffective spending, which both make the intended impact lower (in this case reducing energy usage and CO2 emissions).

In a regular situation the drafting of regulation and then the later creation of an application form would be fully separate steps, and the form would probably blindly do what the regulation implies or demands and also introduce some overshoot out of caution.

Our approach was different. I took the regulation and lifted out all criteria that would require some sort of test, or demands that need a piece of information or data. Next, for each of those criteria and demands I marked what data would satisfy them, the different ways that data could be collected, and what role it played in the process. The final step is listing the fields needed in the form and/or those suggested by the form designers, and determining how filling those fields can be made easier for an applicant (e.g. by having pick lists).

A representation of the steps taken / overview drawn

What this drawing of connections allows is to ask questions about the need and desirability of collecting a specific piece of data. It also allows us to see what it means to change a field in a form, for how well the form complies with the regulation, or which fields and what data flows need to change when you change the regulation.

Allowing these questions to be asked led to the realisation that several hard demands for information in the draft regulation actually play no role in determining eligibility for the subsidy involved (they were simply a holdover from another regulation that was used as template, and something that the drafters thought was ‘nice to have’). As we were involved early, we could still influence the draft regulation and those original unneeded hard demands were removed just before the regulation came up for an approval vote. Now that we are designing the form it also allows us to ask whether a field is really needed, where the organisation is being overcautious about an unlikely scenario of abuse, or where it does not match an actual requirement in the regulation.
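The mapping described above can be kept as data and queried, so the same questions can be asked again whenever the regulation or the form changes. This is an added example, not part of the original post; the criteria, field names and function names are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Criterion:
    cid: str
    text: str
    data: frozenset            # data items that satisfy the criterion
    decides_eligibility: bool  # does it play a role in granting the subsidy?

# Constructed sample, not taken from a real regulation or form.
CRITERIA = [
    Criterion("C1", "Applicant owns the home", frozenset({"address", "ownership_proof"}), True),
    Criterion("C2", "Measure is on the approved list", frozenset({"measure_type"}), True),
    Criterion("C3", "Payment goes to the applicant", frozenset({"name", "iban"}), True),
    Criterion("C4", "Household size is reported", frozenset({"household_size"}), False),
]
FORM_FIELDS = {  # form field -> data item it collects
    "Street and number": "address",
    "Deed or tax notice": "ownership_proof",
    "Name": "name",
    "IBAN": "iban",
    "Date of birth": "birth_date",
    "Household size": "household_size",
}

def needed_data(criteria):
    """Data items required by at least one criterion."""
    return set().union(*(c.data for c in criteria))

def fields_without_basis(criteria, fields):
    """Form fields that collect data no criterion asks for."""
    needed = needed_data(criteria)
    return sorted(f for f, d in fields.items() if d not in needed)

def demands_without_role(criteria):
    """Criteria that demand data but play no role in deciding eligibility."""
    return sorted(c.cid for c in criteria if not c.decides_eligibility)

def uncovered_data(criteria, fields):
    """Required data that no form field collects, so the form falls short of the regulation."""
    return sorted(needed_data(criteria) - set(fields.values()))

def fields_freed_by_dropping(criteria, fields, cid):
    """Fields that lose their basis once criterion `cid` leaves the regulation."""
    remaining = [c for c in criteria if c.cid != cid]
    before = set(fields_without_basis(criteria, fields))
    return sorted(set(fields_without_basis(remaining, fields)) - before)
```

Each function corresponds to one of the questions the overview makes possible: whether a field is needed, whether a demand matters for eligibility, and what changes in the form when the regulation changes.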

Questioning the need for specific data, showing how it would complicate the client’s work because collecting it comes with added responsibilities, and being able to ask those questions before regulation was set in stone, allowed us to end up with a more responsible approach that simultaneously reduced the administrative hoops for both applicant and client to jump through. The more ethical approach now is also the more efficient and effective one. But only because we were there at the start. Had we asked those questions after the regulation was set, it would have increased the costs of doing the ethically better thing.

The tangible steps taken are small, but with real impact, even if that impact would likely only become manifest if we hadn’t taken those steps. Things that have less friction get noticed less. Baby steps for data ethics, therefore, but I call it a win.

I treat all ‘security questions’, especially weak ones like ‘your mother’s maiden name’ (which in my case is also a few characters short of your Deutsche Bahn example’s limit) as password fields. So I provide unique answers per website asking for them, which are generated by my password generator, and store them in my password manager. It’s an act of information hygiene, imo.

Replied to Reply to a Tweet by Eric Eggert // Sebastian Greger (sebastiangreger.net)

“Periodic reminder that not everyone has a ‘first name’ and a ‘last name’” …and that not all names consist of six or more characters

Do you lie enough? You probably need to lie more often!
When filling out online forms that is.

Since the GDPR, the EU data protection rules, came into effect last year, many companies struggled with getting their online forms compliant. Some don’t really try, others think they’ve done it well but really haven’t, and a tiny minority actually really adapted their order flows and forms to adjust for the GDPR. (Although the GDPR’s rules mostly aren’t new, btw, it’s just that non-compliance costs a lot more.)

Since not all forms are fully compliant, I routinely fill in false information. If they don’t limit their data collection, I will take the responsibility on myself to create as much noise in their data as is prudent.

Yesterday I ordered something from an on-line retailer. The form that asked for where to send my order didn’t indicate which fields were mandatory, but clearly contained fields that weren’t GDPR compliant if they were.

I filled out only the things needed to complete the transaction, which is the delivery address, and an e-mail address or phone number to keep me informed of the process. They also asked for my birthday (we’ll send you a birthday greeting!), which at least wasn’t mandatory, and shouldn’t really be asked for such a frivolous reason.

Turns out the name (first and last name fields) of the addressee was mandatory. Not entirely unexpected, to ensure the right person at the address provided receives the package. This was after payment, and meant for the fulfilment partner. So they don’t really need a mandatory field for first name, nor a proper last name, as long as the receiver knows who a package is for.

I opted for the initials A.V.G. (the Dutch abbreviation for GDPR). And a last name that was incorrectly spelled. Previously I filled out a mandatory department name in my company as ‘Read the GDPR this form sucks’.

We probably all need to lie way more when filling out forms. Here’s the recipe.

For each field in a form

  • If it is not mandatory don’t fill it out. They are trying to get more data about you voluntarily. Unless you perceive a clear need for yourself (e.g. you want them to SMS you when the delivery van is 30 minutes away)
  • If it is mandatory, ask yourself how needed it truly is
    • if it concerns contractual aspects, your real name etc is needed. So you can rely on it later concerning warranty, tax purposes etc.
    • if there is no perceivable need, then lie, obfuscate or provide info that when read by a human is a reminder they should change their forms. “read the GDPR”… etc.

I have a Google Alert set up for my name, to find new mentions of it online. Today I received a mail that my name came up in an article in the South China Morning Post (SCMP), as part of a photo credit. This made me curious.

An article on the amount of time elderly US citizens spend behind their computer screens, published August 25th, uses a photo I made, it turns out.

My mom is in a Hong Kong newspaper

The photo is from 2008, and shows my mom trying her first steps on a laptop, which we gave her for her 71st birthday when she started having mobility problems. E’s hand is pointing out things in the Gmail interface. This image is available in my Flickr account, and that is how the SCMP ended up finding it (it says as much in the photo credit). They likely used Flickr’s search filter and had it set to ‘any Creative Commons license’. And that’s where it went wrong.

SCMP is a commercial company, and my photo is licensed with Creative Commons Attribution, Non-Commercial, Share Alike. Creative Commons is a way for copyright holders to preemptively state which uses of a work are always permitted. I license all my photos, and using Creative Commons I give permission for any use that isn’t commercial, as long as the result is shared the same way, and as long as my name is mentioned as the author.

SCMP did mention my name (which is how I found the article), but cannot comply with the non-commercial part of the Creative Commons license, and thus should have asked for my permission before using the image. Now I’ve sent them an e-mail with an invoice, for using my photo, and another 100% added for using it without permission. Payable in 15 business days.

To my pleasant surprise the SCMP’s photo editor (whom I mailed), responded within 20 minutes apologising and promising payment.

(full disclosure: I’m a board member for Open Nederland, the association of Dutch makers that serves as the Dutch chapter for Creative Commons.)

Amexus is organising a conference on digitisation in the energy sector, and more specifically in the energy transition. Earlier this week I was interviewed at home about the role of open data in energy transition and my work with Dutch provinces on this topic.

The video, in German, has already been made available.

This from Wendy Grossman hits the nail quite precisely on its head.

“The problem isn’t privacy,” the cryptography pioneer Whitfield Diffie said recently. “It’s corporate malfeasance.”

This is obviously right. Viewed that way, when data profiteers claim that “privacy is no longer a social norm”, as Facebook CEO Mark Zuckerberg did in 2010, the correct response is not to argue about privacy settings or plead with users to think again, but to find out if they’ve broken the law.

I think I need to make this into a slide for my stock slide deck. It’s also I think why the GDPR focuses on data protection and the basis for data usage, not on privacy as such.

(Do add Wendy Grossman’s blog net.wars to your feedreader.)

Read net.wars: Hypothetical risks