We’ll Fight Any PRISM Requests – HP


HP won’t back down from a fight with US law enforcement and it supports controversial EU data privacy proposals, says European privacy lead Daniel Pradelles

The tech industry needs to tighten up on privacy, with vendors building it into products by design, says Daniel Pradelles, HP’s privacy officer for EMEA. He also thinks that regulators need to take a slightly different tack – ruling on the purpose of a given product, not the underlying technology.

The current furore around privacy seems to be leaving HP unscathed. While Google and Facebook face criticism from all sides, HP has not been implicated in the PRISM controversy. Pradelles made good capital from that when we spoke to him in London this week and promised that if the NSA came knocking for HP customers’ data, he would fight them.

Different from the rest?

“We are different from most US companies,” he assured us. “We believe that privacy is a fundamental human right. It is not negotiable and has to be respected.

“Data protection is a competitive advantage. It is good for business!”

Privacy is under pressure, as new technologies such as cloud and the Internet of things (IoT) gather more data from us, and handle it more fluidly. But he thinks that if privacy is breached, it is the technologies and their markets that will suffer: “If companies do not address this in the right way, very simply, some technologies will fail.”

This is more than just a marketing pitch – it’s an actual difference, he says: “Facebook and Google are lobbying against the proposed European Privacy Regulation – but we are lobbying for the Regulation.”

We pointed out to Pradelles that maybe Google and Facebook take a different position because they are successful in social media, and their business requires them to use personal data. “It is true that the situation is less critical for HP because we are not this sort of social media business,” he concedes. “Nevertheless concerns like privacy by design and privacy by default are applicable everywhere.”

Clear regulations needed

Pradelles wants to see clear rules for privacy, which provide strong protection and foster creativity. However, he is against regulation being too prescriptive, saying it should focus on the purpose of a business product or service – not its underlying technology; “what needs to be done, not how to do it.”

Regulations should be tight enough to rule out inconsistencies such as the situation with email spam, he says. “In the UK, direct marketing has to be opt out. In France and Germany, it is opt in. The rules are derived from the same concept but the implementation is completely different.”

But if it gets too specific, it only covers one technology and won’t adapt to new ones: in his view, the EU Cookie Directive should be the Tracking Directive, because the industry will find plenty of other ways to track users alongside cookies.

Regulation or self-regulation?

“There is a battle between the self-regulation approach and the regulation approach,” he says. “Regulation provides certainty, but is very often not flexible enough to cope with new technology and new practices. Self-regulation is quicker to adapt to new technologies, but sometimes provides some uncertainty.” Self-regulation can, for instance, lead to variation between different business sectors.

Pradelles wants to see a middle way which he calls “the accountability approach”. He wants regulation to set a baseline of concepts, and organisations to be accountable for the way they do business in practice. “When you are accountable, you can demonstrate how you operate to the regulators or to certified agents.”

Google fell foul of self-regulation when it implemented Street View without thinking the privacy angles through, he says. “I am not a lawyer, I am an engineer, and I fully understand how engineers think. They want to develop a fantastic product, and don’t think further sometimes. From the beginning the brilliant technical guys designing it should have thought what would happen if Street View took a picture of two people together in the street.”

He thinks firms should aim for ‘privacy by design’, in which potential risks are considered right from the start of developing a new product: “This way of thinking should have been in the DNA of the company.”

Intriguingly, he says that HP has a tool it uses internally, called “Privacy Advisor”, which helps developers go through a process of assessing the privacy impact of any new product. It’s going to stay as an internal tool, he says, because other organisations have different requirements and develop very different kinds of products.

What about penalties?

But accountability isn’t going to be enough when doing the right thing conflicts with business benefits, we suggest. What sort of penalties should be applied?

“That is typical financial accountant thinking,” he counters. “As we know the drawback of this approach is when you have a big scandal. The cost to the brand image is far more than a few hundred thousand pounds.”

Still, regulations should have appropriate fines, he says, and they should be “graduated”, to include a series of options including warnings and inspections.

To make that work, he wants regulators involved much earlier – and closer – in product design. “We should not any more work with the traditional legal approach of a big stick. We need to have a very close open relationship between the industry and the regulators.”

For instance, he reckons that, before implementing Street View, Google engineers should have talked it through with regulators in France, Germany and other countries, “to let them know what they are planning, so they can do it in a way which is compliant to the law”.

That sounds completely alien to the way web companies work: ideas are thrown out quickly to see if they work, rather than mulled over for a long while. Pradelles says HP already consults in this way with regulators, but the example he comes up with is definitely in a different league from Street View.

“Two or three years ago, we had a question about the fingerprinting technology implemented in portable PCs,” he says. “The French regulator CNIL wanted to understand how it worked. We brought two experts to Paris for a technical discussion with CNIL. They wanted to know how the fingerprint was encrypted and how it was stored.”

He maintains that firms like Google could do their development with regulators looking on: “The regulators are a lot better and a lot smarter than they were before. They know they need to understand more about the new technologies, protect the individual, and ensure that innovation is possible.”

PRISM and surveillance

HP has not been approached at all by the PRISM programme, he says, but HP’s clients are often concerned about the risks of having their data accessed by the US government, under the Patriot Act and related legislation.

He takes a strong line for the future: “Our position is if we ever have any such requests, we will use any possible judicial possibilities to challenge this request – especially if there is a gag order to make this confidential. This is a formal policy from HP.”

The gag orders, which Google and Facebook are fighting, are open to challenge in the US under the First and Fourth Amendments. HP is ready to take that route if necessary – and would like the US authorities to take a more sensible option to avoid the issue, he told us.

“We strongly recommend to the US government to use the appropriate multilateral agreement between governments.”

Governments do need access to private information, he said. But it should be done in line with the democratic rules, he emphasised. It should also be done in a way which is – to return to the standard he wants to apply to businesses – accountable.

Our lead image comes from a video interview at viEUws
