<h1>Some comments on the EU’s draft Privacy Icons</h1>
<p>Published 2014-11-12, last updated 2023-10-30. Tagged <a href="https://hroy.eu/tags/ToSDR/">ToSDR</a> on hroy.eu; permalink: <a href="https://hroy.eu/posts/encryptionEuDataIcons/">https://hroy.eu/posts/encryptionEuDataIcons/</a></p>
<p>The European Union is currently reviewing the regulatory framework of
personal data protection. In the current draft, a standardised icon set
would be mandatory in some circumstances.</p>
<p>I’m not convinced this is the best implementation, and there’s even
one icon in the set that I’m really concerned about: “Encryption”. This
proposal could undermine years of activism in favour of better
encryption for users.</p>
<hr />
<p>As I’ve been working on Terms of Service; Didn’t Read for a couple of
years now, I have some experience and ideas about how this sort of thing
might work and how it compares to existing projects, especially in the
field of “Privacy Icons”, where several projects coexist and keep
attracting a lot of attention (including, it seems, from European
legislators).</p>
<p>First, some context for those who haven’t followed (feel free to skip
to the second part if you’ve followed personal data regulations updates
in the EU). In January 2012, the European Commission <a
href="http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en">announced</a>
a plan to revise data protection laws in the European Union with a <a
href="https://en.wikipedia.org/wiki/General_Data_Protection_Regulation">draft
regulation</a>. Currently, most of the European Union’s laws on the
protection of personal data come from a <a
href="https://en.wikipedia.org/wiki/Data_Protection_Directive">1995
European Union directive</a>. (Unlike a directive, an <em>EU
regulation</em> is law that applies EU-wide without the need for each
member state to pass its own implementing legislation.)</p>
<p>So the directive will soon be 20 years old. It’s quite remarkable
that even now it does not seem too far off the mark. The intentions
were good, and it’s a great thing that legislators foresaw the need to
protect people’s privacy back then (France and Germany already had such
a law by the end of the 1970s). But today, all of this is in the middle
of <a
href="http://www.janalbrecht.eu/themen/datenschutz-und-netzpolitik/lobbyism-and-the-eu-data-protection-reform.html">a
huge battle</a>.</p>
<p>After several steps through the European Union’s lawmaking process,
the regulation is now in a <a href="https://hroy.eu/tags/ToSDR/DPRConsolidated.pdf">consolidated
draft</a>.</p>
<p>I want to focus on the draft article 13a (in Chapter Ⅲ, Section 1:
Transparency and modalities) which provides:</p>
<blockquote>
<ol type="1">
<li><p>Where personal data relating to a data subject are collected, the
controller shall provide the data subject with the following particulars
before providing information pursuant to Article 14:</p>
<ol type="a">
<li>whether personal data are collected beyond the minimum necessary for
each specific purpose of the processing;</li>
<li>whether personal data are retained beyond the minimum necessary for
each specific purpose of the processing;</li>
<li>whether personal data are processed for purposes other than the
purposes for which they were collected;</li>
<li>whether personal data are disseminated to commercial third
parties;</li>
<li>whether personal data are sold or rented out;</li>
<li>whether personal data are retained in encrypted form.</li>
</ol></li>
<li><p>The particulars referred to in paragraph 1 shall be presented
pursuant to Annex X in an aligned tabular format, using text and
symbols, in the following three columns:</p>
<ol type="a">
<li>the first column depicts graphical forms symbolising those
particulars;</li>
<li>the second column contains essential information describing those
particulars;</li>
<li>the third column depicts graphical forms indicating whether a
specific particular is met.</li>
</ol></li>
<li><p>The information referred to in paragraphs 1 and 2 shall be
presented in an easily visible and clearly legible way and shall appear
in a language easily understood by the consumers of the Member States to
whom the information is provided. Where the particulars are presented
electronically, they shall be machine readable.</p></li>
<li><p>Additional particulars shall not be provided. Detailed
explanations or further remarks regarding the particulars referred to in
paragraph 1 may be provided together with the other information
requirements pursuant to Article 14.</p></li>
<li><p>The Commission shall be empowered to adopt, after requesting an
opinion of the European Data Protection Board, delegated acts in
accordance with Article 86 for the purpose of further specifying the
particulars referred to in paragraph 1 and their presentation as
referred to in paragraph 2 and in Annex 1.</p></li>
</ol>
</blockquote>
<h2 id="why-the-encryption-icon-is-a-bad-idea">Why is the “Encryption”
icon a bad idea?</h2>
<p><strong>TL;DR</strong> Storing sensitive data in data centres without
encrypting it first is simply negligence and should not be allowed.
There’s no need for an icon that a large majority of users will
probably not really understand.</p>
<hr />
<p>In the draft proposal, when personal data is collected, the person
who’s subject of that data should get information in the form of a
standardised icon. One of the icons proposed is about encryption:</p>
<figure>
<img src="https://hroy.eu/tags/ToSDR/iconEncrypt.png" alt="Everything is Safe!" />
<figcaption aria-hidden="true">Everything is Safe!</figcaption>
</figure>
<p>If the data is stored encrypted, then the data controller can display
a huge green mark next to the icon. <em>All is fine!</em></p>
<p>Except that it’s not. I can really see how this could get very, very
confusing. It is very easy to claim that something “is encrypted” and
that thus <em>everything’s good.</em> I’ve heard this argument several
times from Google employees: <em>Google stores the data in encrypted
form, so don’t worry</em>. But still, when Google accesses the data to
process it, Google decrypts it.</p>
<p>Let’s put this in context.</p>
<p>Following Edward Snowden’s revelations, it is very clear that
encryption is one part of the solution against the intrusion in our
lives that the NSA and other State agencies in the world are pursuing.
Thus, it is crucial that users understand that <strong>there are ways to
protect their communications against the intrusion of the
State</strong>, and also from companies or criminals. This is why
initiatives such as Cryptoparties and Privacy Cafés, where people help
each other understand and use encryption techniques, are so
important!</p>
<p>But encryption does not mean the same thing in all contexts. It takes
some basic technical understanding to grasp when encryption is merely a
good security practice against criminals, and when it is actually a much
more powerful tool. The difference is who holds the key: data encrypted
at rest with a key kept by the service protects against a stolen disk or
backup tape, but not against the service itself, an insider, or anyone
who can compel the service to decrypt. Encryption where only the user
holds the key (end-to-end encryption) protects against all of those.</p>
<p>For instance, when I send sensitive information over the web (like a
financial transaction, or my username and password), it is very
important that the connection is encrypted (e.g. using HTTPS);
otherwise, it would not be difficult to intercept that sensitive
information. Enabling encryption for that kind of traffic should simply
be mandatory.</p>
<p>It’s a good idea to impose security obligations over storing personal
data. But I fail to see how showing an icon to users about storing data
in encrypted form will do any good. Worse, it might even confuse people
about what encryption really means in which context, thus making it even
harder to explain why encryption is important and why tools such as
GnuPG should be improved in usability.</p>
<h2 id="is-this-standardised-icon-set-really-good-anyway">Is this
standardised icon set really good anyway?</h2>
<p>Raising awareness about privacy rights online is important. This is
what I have been doing with <a href="https://tosdr.org">Terms of
Service; Didn’t Read</a> for about two years now. I’ve seen several
variations of the Privacy Icons idea, and this implementation as
suggested by the EU draft regulation shows that getting it right is not
easy.</p>
<p>The <a href="https://hroy.eu/tags/ToSDR/DPRConsolidated.pdf">consolidated draft</a> has an annex
showing what the icons could look like:</p>
<figure>
<img src="https://hroy.eu/tags/ToSDR/dataCollect.png" alt="No unnecessary data collection" />
<figcaption aria-hidden="true">No unnecessary data
collection</figcaption>
</figure>
<p>Depending on whether that’s the case, the data controller would have
to display a green or a red mark next to this icon:</p>
<figure>
<img src="https://hroy.eu/tags/ToSDR/goodOrBad.png" alt="Good or Bad?" />
<figcaption aria-hidden="true">Good or Bad?</figcaption>
</figure>
<p>In <a href="https://tosdr.org">ToS;DR</a>, we also use this approach:
for each point, there’s an iconic indication of whether it is a good or a
bad thing. Only, we allow for more variation:</p>
<figure>
<img src="https://hroy.eu/tags/ToSDR/ToSDRTitles.png" alt="Good points, and bad points" />
<figcaption aria-hidden="true">Good points, and bad points</figcaption>
</figure>
<figure>
<img src="https://hroy.eu/tags/ToSDR/thumbsDown.png" alt="… and blockers" />
<figcaption aria-hidden="true">… and blockers</figcaption>
</figure>
<p>But the major problem I have with “Privacy Icons” is that they are too
<strong>difficult to grasp</strong>. If you remove the text beside the
icon, you realise that the icon itself is <strong>far from
self-explanatory</strong>, and it only gets more <em>complex</em> as the
number of icons grows.</p>
<p>These icons are not universally understood. Here’s how <em>the same
concept</em> is rendered differently by different Privacy icons
sets:</p>
<figure>
<img src="https://hroy.eu/tags/ToSDR/dataProcessing.png" alt="EU draft" />
<figcaption aria-hidden="true">EU draft</figcaption>
</figure>
<hr />
<figure>
<img src="https://hroy.eu/tags/ToSDR/dataForPurpose.png"
alt="Mozilla’s Alpha version of Privacy Icons" />
<figcaption aria-hidden="true">Mozilla’s Alpha version of Privacy
Icons</figcaption>
</figure>
<figure>
<img src="https://hroy.eu/tags/ToSDR/dataNoPurpose.png"
alt="Mozilla’s Alpha version of Privacy Icons" />
<figcaption aria-hidden="true">Mozilla’s Alpha version of Privacy
Icons</figcaption>
</figure>
<hr />
<figure>
<img src="https://hroy.eu/tags/ToSDR/DisconnectIcons.png" alt="Disconnect.me icons" />
<figcaption aria-hidden="true">Disconnect.me icons</figcaption>
</figure>
<p>Compare these with how a similar point would be addressed in <a
href="https://tosdr.org">ToS;DR</a>:</p>
<figure>
<img src="https://hroy.eu/tags/ToSDR/ToSDRTitle.png" alt="The summary version" />
<figcaption aria-hidden="true">The summary version</figcaption>
</figure>
<p>which can be expanded with a plain-English paragraph and links to
contextualise if the user wants more information:</p>
<figure>
<img src="https://hroy.eu/tags/ToSDR/ToSDRParagraph.png" alt="The plain English version" />
<figcaption aria-hidden="true">The plain English version</figcaption>
</figure>
<p>There’s probably a way to learn from these different approaches and
build an implementation that gets it right for users.</p>
<p>The EU has already done something like this with the <a
href="https://en.wikipedia.org/wiki/European_Union_energy_label">energy
efficiency labels</a>. (They were actually a source of inspiration for
the ToS;DR <a href="https://tosdr.org/classification.html">classes</a>.)</p>
<p>Let’s hope the next proposal gets it right with an icon system that
is easier to understand and which gets rid of the confusing bits.</p>