{"version":"1.0.0","segments":[{"startTime":8.865,"endTime":10.275,"body":"Good evening everyone."},{"startTime":11.115,"endTime":13.275,"body":"I have a question for you."},{"startTime":14.935,"endTime":18.755,"body":"Do you consider yourself to be a thrill seeker?"},{"startTime":22.305,"endTime":30.442,"body":"Are you the kind of person who engages in extreme online activities like sharing personal"},{"startTime":30.442,"endTime":35.325,"body":"information with others in order to receive their approval?"},{"startTime":37.055,"endTime":41.438,"body":"The Gresham College lecture that you're listening to right now is giving you knowledge and"},{"startTime":41.438,"endTime":45.822,"body":"insight from one of the world's leading academic experts making it takes a lot of"},{"startTime":45.822,"endTime":46.115,"body":"time."},{"startTime":46.615,"endTime":49.821,"body":"But because we want to encourage a love of learning, we think it's well worth"},{"startTime":49.821,"endTime":50.035,"body":"it."},{"startTime":50.975,"endTime":54.991,"body":"We never make you pay for lectures, although donations are needed, all we ask in"},{"startTime":54.991,"endTime":55.795,"body":"return is this."},{"startTime":56.385,"endTime":58.835,"body":"Send a link to this lecture to someone you think would benefit."},{"startTime":59.215,"endTime":63.098,"body":"And if you haven't already, click the follow or subscribe button from wherever you are"},{"startTime":63.098,"endTime":63.875,"body":"listening right now."},{"startTime":64.935,"endTime":66.555,"body":"Now let's get back to the lecture"},{"startTime":68.945,"endTime":75.749,"body":"Or perhaps you're the kind of person who uses apps to build emotional connections across"},{"startTime":75.749,"endTime":78.925,"body":"the ether and enhance your physical pleasure."},{"startTime":80.235,"endTime":87.997,"body":"Perhaps you're someone whose habits are formed by the crest for rewards and dopamine hits,"},{"startTime":87.997,"endTime":94.725,"body":"or who uses technology to experience emotion, excitement, and an influx of feeling?"},{"startTime":96.775,"endTime":100.685,"body":"Would you see yourself as a risk taker?"},{"startTime":102.035,"endTime":110.213,"body":"Someone who willingly exposes themselves to the possibility of loss or injury, who flings their"},{"startTime":110.213,"endTime":118.391,"body":"hard-earned cash through thin air, who broadcasts their opinions and shows solidarity for others, who"},{"startTime":118.391,"endTime":126.569,"body":"checks in on social media at the airport bar, or at a holiday destination, thereby"},{"startTime":126.569,"endTime":134.747,"body":"telling potential burglars that they're not at home who entrust their personal information to numerous"},{"startTime":134.747,"endTime":142.925,"body":"people they have never met and who permit those same people to track their movements?"},{"startTime":144.385,"endTime":149.57,"body":"Now of course there are now very few of us who have not done at"},{"startTime":149.57,"endTime":151.645,"body":"least some of these things online."},{"startTime":151.825,"endTime":159.767,"body":"And indeed I would go so far as to say that we are all now"},{"startTime":159.767,"endTime":167.71,"body":"digital thrill seekers and risk takers to some degree managing the risks that we take"},{"startTime":167.71,"endTime":173.005,"body":"in pursuit of those thrills entails protecting their digital components."},{"startTime":173.705,"endTime":176.845,"body":"And as users, we are partly responsible for this."},{"startTime":177.295,"endTime":184.207,"body":"There are measures that we as individuals can take to improve both our security, that's"},{"startTime":184.207,"endTime":191.12,"body":"who can have access to our accounts and our devices and our privacy, what we"},{"startTime":191.12,"endTime":193.885,"body":"share and who can see it."},{"startTime":195.185,"endTime":200.81,"body":"Now, we looked at both of these in my lectures last year and if you"},{"startTime":200.81,"endTime":206.435,"body":"want to know more about those topics specifically, please do check out my lectures on"},{"startTime":206.435,"endTime":208.685,"body":"cybersecurity for humans and on encryption."},{"startTime":211.225,"endTime":218.098,"body":"By signing up to services such as social media and online retailers, we agree to"},{"startTime":218.098,"endTime":221.765,"body":"their terms and conditions, their T's and C's."},{"startTime":222.425,"endTime":230.168,"body":"We sign a contract with them in which we consent to their processing our personal"},{"startTime":230.168,"endTime":230.685,"body":"data."},{"startTime":231.025,"endTime":238.565,"body":"And this means that those service providers also have a responsibility to protect this data."},{"startTime":239.955,"endTime":248.752,"body":"Data protection regimes and regulations enforce that responsibility and they also give us rights as"},{"startTime":248.752,"endTime":253.445,"body":"data subjects the humans described by that data."},{"startTime":254.395,"endTime":261.565,"body":"Knowing and exercising those rights is not a trivial matter, but it is possible."},{"startTime":262.585,"endTime":270.103,"body":"And for us just as much for the organizations that process our data information is"},{"startTime":270.103,"endTime":270.605,"body":"power."},{"startTime":273.505,"endTime":281.736,"body":"Our digital information is a value to a diverse array of service providers, retailers, and"},{"startTime":281.736,"endTime":282.285,"body":"advertisers."},{"startTime":282.555,"endTime":288.431,"body":"When we supply our email addresses to an online shop or service, it gives them"},{"startTime":288.431,"endTime":291.565,"body":"a means to send us offers and updates."},{"startTime":292.945,"endTime":298.795,"body":"If I give them my date of birth, they can target tailored offers to me"},{"startTime":298.795,"endTime":299.965,"body":"around my birthday."},{"startTime":301.195,"endTime":308.892,"body":"Marketing emails often include pixels, HTML code that tracks when they are opened and also"},{"startTime":308.892,"endTime":312.485,"body":"when someone clicks through to a website."},{"startTime":313.175,"endTime":321.807,"body":"These tools give brands the ability to measure engagement with their advertising campaigns, search engines,"},{"startTime":321.807,"endTime":324.685,"body":"social media, video sharing platforms."},{"startTime":324.875,"endTime":332.303,"body":"They store the content we share, but also data about the content we view engage"},{"startTime":332.303,"endTime":334.285,"body":"with and search for."},{"startTime":336.185,"endTime":343.445,"body":"And many flavors of online provider make extensive use of cookies, small text files that"},{"startTime":343.445,"endTime":348.285,"body":"are downloaded onto your device when you visit a website."},{"startTime":348.895,"endTime":354.422,"body":"These can save you time by doing things like remembering what you have in your"},{"startTime":354.422,"endTime":358.845,"body":"online shopping basket or parts of pages to help them load faster."},{"startTime":360.425,"endTime":366.656,"body":"But they can also track your browsing history to gain insights into your interests and"},{"startTime":366.656,"endTime":369.565,"body":"things you might be persuaded to purchase."},{"startTime":370.305,"endTime":377.345,"body":"And this is the business model that certainly until very recently, um, big tech has"},{"startTime":377.345,"endTime":384.386,"body":"thrived upon by learning more about our likes on their platforms and our browsing habits"},{"startTime":384.386,"endTime":385.325,"body":"off them."},{"startTime":385.755,"endTime":393.605,"body":"They've been able to sell ads to brands on the premise that they can target"},{"startTime":393.605,"endTime":401.455,"body":"them more effectively to people who have already looked for cars raincoats guitars, for example,"},{"startTime":401.455,"endTime":406.165,"body":"Google Monetizes our web searches through a similar process."},{"startTime":406.705,"endTime":413.968,"body":"It sells ads that are prioritized as sponsored results when we search for a specific"},{"startTime":413.968,"endTime":421.232,"body":"item or a particular interest as an indication of just how extensive this digital marketing"},{"startTime":421.232,"endTime":422.685,"body":"ecosystem has become."},{"startTime":423.015,"endTime":427.165,"body":"Let's compare two visual overviews five years apart."},{"startTime":427.905,"endTime":434.922,"body":"So this first graphic was produced in 2015 and you can see that the landscape"},{"startTime":434.922,"endTime":441.939,"body":"was already fairly densely populated, but just five years later in 2020, it was so"},{"startTime":441.939,"endTime":447.085,"body":"crowded that even marketing people needed a map to navigate it."},{"startTime":447.935,"endTime":454.205,"body":"There are 8,000 companies and solutions represented here."},{"startTime":454.305,"endTime":456.925,"body":"It is very big business indeed."},{"startTime":459.145,"endTime":466.554,"body":"Now, online services would say that their terms and conditions inform users of what handing"},{"startTime":466.554,"endTime":473.963,"body":"over their personal data means and that those users have a choice whether or not"},{"startTime":473.963,"endTime":475.445,"body":"to accept them."},{"startTime":476.665,"endTime":483.908,"body":"You may be not entirely surprised to hear, however that the vast majority of us"},{"startTime":483.908,"endTime":491.152,"body":"do not read those terms and conditions in a survey by the European Commission, as"},{"startTime":491.152,"endTime":498.395,"body":"many as 90% of Brits and the same average proportion of Europeans reported that they"},{"startTime":498.395,"endTime":505.639,"body":"always accept the terms and conditions of online providers, but only 21% had read them"},{"startTime":505.639,"endTime":506.605,"body":"in full."},{"startTime":507.665,"endTime":514.527,"body":"In a similar study conducted in the US, just 9% reported that they always read"},{"startTime":514.527,"endTime":518.645,"body":"a company's privacy policy before agreeing to the terms."},{"startTime":520.235,"endTime":526.152,"body":"Well, the sheer length of these policies would appear to have something to do with"},{"startTime":526.152,"endTime":532.07,"body":"this in 2020 digital bank think money compared to the word counts of the terms"},{"startTime":532.07,"endTime":536.805,"body":"and conditions for 13 of the most popular apps in the uk."},{"startTime":537.225,"endTime":546.099,"body":"And these ranged from just under 5,000 words for Google Meet to over 18,000 words"},{"startTime":546.099,"endTime":554.973,"body":"for Microsoft teams, the total word count for the apps reviewed came to a whopping"},{"startTime":554.973,"endTime":555.565,"body":"128,415."},{"startTime":556.185,"endTime":562.427,"body":"And that as the academics amongst you will know, is longer than most PhD thesis,"},{"startTime":562.427,"endTime":567.005,"body":"certainly mine included and I was a very wordy humanities student."},{"startTime":569.385,"endTime":575.452,"body":"If we were being rather cynical about this, we might argue that it's to the"},{"startTime":575.452,"endTime":581.52,"body":"benefit of online providers not to have too many users enforcing their rights to opt"},{"startTime":581.52,"endTime":581.925,"body":"out."},{"startTime":583.625,"endTime":590.459,"body":"But once we know how digital tracking and profiling works that are things we can"},{"startTime":590.459,"endTime":597.293,"body":"do to stop it, we can unsubscribe from marketing emails that we no longer want"},{"startTime":597.293,"endTime":598.205,"body":"to receive."},{"startTime":599.665,"endTime":605.777,"body":"We can use a tool like this one developed by rightly, which sends companies clear"},{"startTime":605.777,"endTime":609.445,"body":"instructions to delete our contact details from their databases."},{"startTime":610.905,"endTime":615.045,"body":"We can opt out of all but the strictly necessary cookies."},{"startTime":616.025,"endTime":621.788,"body":"And if you have an Apple device, you can block third party cookies and invisible"},{"startTime":621.788,"endTime":623.325,"body":"pixels in your email."},{"startTime":625.465,"endTime":631.789,"body":"If we do continue to accept all, we should at least be able to satisfy"},{"startTime":631.789,"endTime":636.005,"body":"ourselves that we've done so consciously and not through ignorance."},{"startTime":636.705,"endTime":638.845,"body":"Why is this so important?"},{"startTime":639.195,"endTime":647.274,"body":"Well, because as we shall see, not only is the data collected on us very"},{"startTime":647.274,"endTime":651.045,"body":"revealing indeed, sometimes it's not even correct."},{"startTime":653.325,"endTime":654.855,"body":"Information is power."},{"startTime":655.615,"endTime":655.695,"body":"Remember."},{"startTime":656.195,"endTime":662.295,"body":"And there are tools that can help us identify what online services have on us."},{"startTime":662.995,"endTime":668.016,"body":"And I've included some links to some of them in the text accompanying this lecture"},{"startTime":668.016,"endTime":670.695,"body":"so you can try them out for yourselves."},{"startTime":672.045,"endTime":680.086,"body":"Meta formerly known as Facebook, Google, Microsoft, apple X, formerly known as Twitter and Amazon,"},{"startTime":680.086,"endTime":687.055,"body":"they all allow users to download copies of the data held on them."},{"startTime":688.635,"endTime":696.754,"body":"And these downloads contain data that we have generated and shared, but also inferences made"},{"startTime":696.754,"endTime":704.873,"body":"from that data about who we are and the likely advertising audiences that we belong"},{"startTime":704.873,"endTime":705.415,"body":"to."},{"startTime":707.155,"endTime":715.089,"body":"So here are some things that X, formerly known as Twitter has inferred about me,"},{"startTime":715.089,"endTime":717.205,"body":"all 377 of them."},{"startTime":718.505,"endTime":724.11,"body":"Now this is from my professional account, so it's not surprising that there are interests"},{"startTime":724.11,"endTime":725.605,"body":"linked to my work."},{"startTime":725.665,"endTime":728.685,"body":"And I've colored these in blue and you can see highlighted."},{"startTime":729.345,"endTime":737.651,"body":"Um, they include artificial intelligence, cybersecurity data, privacy and protection, internet of things and virtual"},{"startTime":737.651,"endTime":738.205,"body":"reality."},{"startTime":738.505,"endTime":739.525,"body":"So that's not bad."},{"startTime":741.585,"endTime":748.289,"body":"We can add in, in magenta a selection of media outlets that have featured me,"},{"startTime":748.289,"endTime":754.993,"body":"um, that have tweeted about me, accounts that I know I follow for professional reasons"},{"startTime":754.993,"endTime":761.697,"body":"and places that I've worked so much so sensible, but it then starts to get"},{"startTime":761.697,"endTime":763.485,"body":"a bit more personal."},{"startTime":764.465,"endTime":773.235,"body":"And in green are some of my real life non-work interests, archeology, dance, electronic and"},{"startTime":773.235,"endTime":774.405,"body":"folk music."},{"startTime":775.395,"endTime":775.685,"body":"Dogs."},{"startTime":776.315,"endTime":778.045,"body":"Dogs and dogs."},{"startTime":778.385,"endTime":779.485,"body":"And Tupperware."},{"startTime":781.405,"endTime":785.005,"body":"Tupperware actually \u003claugh\u003e, that does seem a bit odd."},{"startTime":786.175,"endTime":787.525,"body":"Where has that come from?"},{"startTime":789.145,"endTime":794.477,"body":"And what I started to see as well and that I've highlighted in red are"},{"startTime":794.477,"endTime":799.81,"body":"lots of names presumably of celebrities that I just don't recognize, but also some things"},{"startTime":799.81,"endTime":803.365,"body":"that I have no interest in or I actively dislike."},{"startTime":803.705,"endTime":807.325,"body":"So I'm gonna let you draw your own conclusions about which is which."},{"startTime":807.985,"endTime":810.365,"body":"But we have college sports, Dr."},{"startTime":810.585,"endTime":818.885,"body":"Who, James Bond, Olympic weightlifting, star Trek, San Francisco Giants and U2."},{"startTime":822.155,"endTime":829.317,"body":"There was something about this that I couldn't quite put my finger on and then"},{"startTime":829.317,"endTime":836.48,"body":"it suddenly dawned on me that one might describe at least some of these interests"},{"startTime":836.48,"endTime":839.345,"body":"as well a bit stereotypically blokey."},{"startTime":841.275,"endTime":847.345,"body":"Could it be that the platform's algorithms had identified me as a man?"},{"startTime":849.055,"endTime":855.745,"body":"Sure enough, \u003claugh\u003e, this is precisely what X'S advertising models have inferred about me."},{"startTime":855.965,"endTime":858.585,"body":"And here's my profile photo for comparison."},{"startTime":860.485,"endTime":867.029,"body":"The logical and therefore likely explanation for this is that I work in the IT"},{"startTime":867.029,"endTime":873.574,"body":"industry where the stereotypical profile is a male who is into science fiction and who"},{"startTime":873.574,"endTime":877.065,"body":"either lives or wants to live in California."},{"startTime":880.365,"endTime":886.312,"body":"To be fair, I do also interact with people who regularly post about these subjects"},{"startTime":886.312,"endTime":887.105,"body":"and interests."},{"startTime":887.285,"endTime":892.919,"body":"And on that note, I would like to thank Professor Daniel Dressner of the University"},{"startTime":892.919,"endTime":895.925,"body":"of Manchester for the particular prominence of DR."},{"startTime":896.185,"endTime":897.805,"body":"WHO in My Results."},{"startTime":900.025,"endTime":905.56,"body":"Now, as you may remember, if you listen to my lecture on encryption last year,"},{"startTime":905.56,"endTime":907.405,"body":"privacy is a human right."},{"startTime":908.115,"endTime":914.005,"body":"It's enshrined in Article 12 of the Universal Declaration of Human Rights no less."},{"startTime":915.785,"endTime":922.397,"body":"In 2018, the UN's High Commissioner for Human Rights published a report urging states to"},{"startTime":922.397,"endTime":926.805,"body":"implement laws and institutions for the protection of personal data."},{"startTime":928.185,"endTime":936.738,"body":"In 2021, the UN Conference on Trade and Development, they found that 137 out of"},{"startTime":936.738,"endTime":945.291,"body":"194 countries had put such legislation in place and four months foremost amongst these has"},{"startTime":945.291,"endTime":953.845,"body":"been the eus general Data Protection Regulation, GDPR, which came into force in May, 2018."},{"startTime":955.225,"endTime":963.76,"body":"It applies to any organization that processes the data of EU citizens regardless of where"},{"startTime":963.76,"endTime":966.605,"body":"that organization is physically located."},{"startTime":968.345,"endTime":974.929,"body":"For now at least it's still in force in the UK because it was adopted"},{"startTime":974.929,"endTime":976.685,"body":"before the UK left."},{"startTime":976.945,"endTime":984.886,"body":"The EU GDPR sets out our rights as data subjects and these are the right"},{"startTime":984.886,"endTime":992.828,"body":"to clear and transparent information on the processing of personal data, whether or not it"},{"startTime":992.828,"endTime":996.005,"body":"has been obtained directly from us."},{"startTime":997.875,"endTime":1000.365,"body":"That subordinate clause is quite curious, isn't it?"},{"startTime":1000.365,"endTime":1006.898,"body":"It suggests that other people may be sharing our personal data and the eagle eyed"},{"startTime":1006.898,"endTime":1013.431,"body":"of You may have noticed that the Facebook signup page that I showed a few"},{"startTime":1013.431,"endTime":1016.045,"body":"minutes ago told us as much."},{"startTime":1016.305,"endTime":1023.645,"body":"It informed us that other users may upload our contact information from their address books."},{"startTime":1026.065,"endTime":1030.879,"body":"We also have the right to obtain a copy of any personal data held on"},{"startTime":1030.879,"endTime":1032.805,"body":"us via a subject access request."},{"startTime":1033.425,"endTime":1040.311,"body":"We have the right to have inaccurate personal data corrected, which hopefully includes the erroneous"},{"startTime":1040.311,"endTime":1044.444,"body":"belief that I am an enthusiast of Olympic weightlifting."},{"startTime":1046.105,"endTime":1051.392,"body":"We have the right to have data erased where certain conditions are met, and this"},{"startTime":1051.392,"endTime":1054.565,"body":"is also known as the right to be forgotten."},{"startTime":1055.865,"endTime":1060.085,"body":"We have the right to obtain portable data for reuse."},{"startTime":1060.385,"endTime":1066.858,"body":"In another context, the right to object to processing of our personal data where this"},{"startTime":1066.858,"endTime":1073.331,"body":"is in connection with tasks carried out in the public interest in the exercise of"},{"startTime":1073.331,"endTime":1079.805,"body":"official authority in the legitimate interests of others or for the purpose of direct marketing."},{"startTime":1080.705,"endTime":1087.415,"body":"And we have the right not to be subject to a decision based solely on"},{"startTime":1087.415,"endTime":1089.205,"body":"automated processing or profiling."},{"startTime":1089.255,"endTime":1093.005,"body":"Think machine learning, artificial intelligence."},{"startTime":1095.265,"endTime":1102.445,"body":"So these read as powerful means to hold data controllers to account in practice."},{"startTime":1102.675,"endTime":1108.952,"body":"What it requires is for each of us to contact a provider directly whenever we"},{"startTime":1108.952,"endTime":1111.045,"body":"want to exercise our rights."},{"startTime":1112.025,"endTime":1117.275,"body":"The data controller has to respond within a month unless they can demonstrate that they"},{"startTime":1117.275,"endTime":1121.125,"body":"need more time or there is no merit in the request."},{"startTime":1122.305,"endTime":1129.332,"body":"And if the request is not answered to our satisfaction individuals in the 28 EU"},{"startTime":1129.332,"endTime":1136.359,"body":"member states as they were in 2018, can complain to their National Data Protection authority"},{"startTime":1136.359,"endTime":1137.765,"body":"in the uk."},{"startTime":1138.145,"endTime":1140.565,"body":"That's the Information Commissioners' office."},{"startTime":1140.705,"endTime":1147.525,"body":"The ICO national authorities have the power to fine data controllers."},{"startTime":1148.125,"endTime":1154.407,"body":"Likewise, if it's demonstrated that they have not acted in accordance with the core principles"},{"startTime":1154.407,"endTime":1155.245,"body":"of GDPR."},{"startTime":1155.625,"endTime":1161.605,"body":"And these include lawfulness, fairness, transparency, and accuracy."},{"startTime":1163.135,"endTime":1168.045,"body":"Fines can be as large as 4% of total annual turnover."},{"startTime":1168.555,"endTime":1176.222,"body":"That may not sound like very much, but for companies like Google and Microsoft whose"},{"startTime":1176.222,"endTime":1183.889,"body":"respective annual turnovers are 300 billion and 200 billion US dollars, this is no means"},{"startTime":1183.889,"endTime":1186.445,"body":"some and fines do happen."},{"startTime":1188.265,"endTime":1196.056,"body":"In May of last year, 2023 meta formerly Facebook was fined 1.2 billion euros by"},{"startTime":1196.056,"endTime":1203.848,"body":"the Irish Data Protection Commissioner for transferring the personal data of European users to the"},{"startTime":1203.848,"endTime":1206.965,"body":"US without adequate data protection mechanisms."},{"startTime":1207.705,"endTime":1217.291,"body":"And in 2021, the Data Protection Commission in Luxembourg find Amazon 746 million euros for"},{"startTime":1217.291,"endTime":1221.765,"body":"targeting ads at people without proper consent."},{"startTime":1223.555,"endTime":1230.923,"body":"This concept of consent is central to our data rights, but it can sometimes be"},{"startTime":1230.923,"endTime":1238.291,"body":"difficult to ensure that it is meaningful in practice on services like search engines and"},{"startTime":1238.291,"endTime":1239.765,"body":"on social media."},{"startTime":1240.235,"endTime":1248.012,"body":"Rejecting the terms may mean having access to less information than other people or being"},{"startTime":1248.012,"endTime":1250.605,"body":"isolated from our peer networks."},{"startTime":1251.555,"endTime":1257.165,"body":"When our use of it is so essential to knowledge acquisition and community building."},{"startTime":1257.835,"endTime":1261.925,"body":"Sometimes our choice can feel like no choice at all."},{"startTime":1263.985,"endTime":1269.797,"body":"And this is particularly true I think given that some of the companies who process"},{"startTime":1269.797,"endTime":1273.285,"body":"our data are less visible to us than others."},{"startTime":1273.895,"endTime":1281.305,"body":"These are the data brokers companies who scrape personal data often from publicly available sources"},{"startTime":1281.305,"endTime":1286.245,"body":"like the electoral register and pages on the open web."},{"startTime":1286.705,"endTime":1291.818,"body":"And then they combine it in lists that they then sell on so that their"},{"startTime":1291.818,"endTime":1294.205,"body":"clients can use it for marketing purposes."},{"startTime":1294.715,"endTime":1302.679,"body":"They include credit reference agencies like Experian, Equifax, TransUnion, and an investigation by the UK"},{"startTime":1302.679,"endTime":1310.644,"body":"Information Commissioner in 2018 found that these agencies were not sufficiently transparent with consumers about"},{"startTime":1310.644,"endTime":1316.485,"body":"how their data would be used when they performed credit checks."},{"startTime":1317.025,"endTime":1321.005,"body":"And it also identified several other areas of concern."},{"startTime":1322.145,"endTime":1328.528,"body":"Now, as a result, all three companies were served with preliminary enforcement notices by the"},{"startTime":1328.528,"endTime":1329.805,"body":"data protection authority."},{"startTime":1330.305,"endTime":1336.889,"body":"And this led to Equifax and TransUnion making improvements to their products and even withdrawing"},{"startTime":1336.889,"endTime":1338.645,"body":"certain products and services."},{"startTime":1338.825,"endTime":1342.365,"body":"So sometimes these authorities do have teeth."},{"startTime":1343.315,"endTime":1349.09,"body":"Just recently I have started to spot a pattern that suggests my data may have"},{"startTime":1349.09,"endTime":1354.865,"body":"been sold by data brokers and it all seems to center on the suburb of"},{"startTime":1354.865,"endTime":1356.405,"body":"Ston in Greater Manchester."},{"startTime":1357.245,"endTime":1360.325,"body":"I have no link to this place whatsoever."},{"startTime":1361.185,"endTime":1366.972,"body":"So imagine my surprise when last month I received an email from solicitors, um, addressed"},{"startTime":1366.972,"endTime":1372.76,"body":"to a married couple who were not me and enclosing some very official looking documents"},{"startTime":1372.76,"endTime":1377.005,"body":"for a house that they were in the process of buying."},{"startTime":1378.945,"endTime":1384.669,"body":"Now, I dunno about you, but for me, buying a house was one of the"},{"startTime":1384.669,"endTime":1388.485,"body":"biggest and most personal events in my life so far."},{"startTime":1389.025,"endTime":1395.611,"body":"And if information about my purchase had been shared with a complete stranger by my"},{"startTime":1395.611,"endTime":1398.685,"body":"legal representatives, I would be quite concerned."},{"startTime":1399.705,"endTime":1405.057,"body":"As some of you, uh, the regulars will know I am something of a digital"},{"startTime":1405.057,"endTime":1410.409,"body":"busy body and I saw it as my duty to notify the sender of the"},{"startTime":1410.409,"endTime":1415.405,"body":"error with some added emphasis that I hoped would result in them taking action."},{"startTime":1416.045,"endTime":1421.595,"body":"Rereading this email, I think I've struck a really nice balance between friendly and mildly"},{"startTime":1421.595,"endTime":1421.965,"body":"threatening."},{"startTime":1423.305,"endTime":1426.285,"body":"Hi, you've sent this to me by mistake."},{"startTime":1427.335,"endTime":1430.205,"body":"Could you please remove my email address from your records?"},{"startTime":1430.925,"endTime":1432.165,"body":"I never gave it to you."},{"startTime":1432.545,"endTime":1438.128,"body":"And I work in data protection, so this is pretty worrying given the personal documentation"},{"startTime":1438.128,"endTime":1439.245,"body":"you've sent me."},{"startTime":1439.945,"endTime":1445.574,"body":"You may want to consult the information commissioner's office as this may constitute a breach"},{"startTime":1445.574,"endTime":1446.325,"body":"of Mr."},{"startTime":1446.385,"endTime":1446.965,"body":"And Mrs."},{"startTime":1447.225,"endTime":1448.205,"body":"X's personal data."},{"startTime":1448.795,"endTime":1452.125,"body":"Best tatar for now, professor Victoria baes."},{"startTime":1454.085,"endTime":1460.685,"body":"I sent this email three weeks ago and I have yet to receive a response"},{"startTime":1460.685,"endTime":1461.565,"body":"under GDPR."},{"startTime":1461.915,"endTime":1466.656,"body":"They have one more week to respond to me before I can report this to"},{"startTime":1466.656,"endTime":1467.605,"body":"the information commissioner."},{"startTime":1468.025,"endTime":1471.045,"body":"So the clock is very much ticking."},{"startTime":1472.985,"endTime":1480.716,"body":"Now look, it could be that this was an honest mistake, but I had a"},{"startTime":1480.716,"endTime":1484.325,"body":"vague memory of something similar happening before."},{"startTime":1484.545,"endTime":1492.458,"body":"And sure enough, in my inbox, there are emails going back to 2010 from different"},{"startTime":1492.458,"endTime":1499.845,"body":"estate agents offering me properties in Ston Auto to value my house in Urmston."},{"startTime":1501.875,"endTime":1507.95,"body":"Each time I've responded that I want to be removed from their database, but they're"},{"startTime":1507.95,"endTime":1509.165,"body":"kept popping up."},{"startTime":1509.705,"endTime":1516.049,"body":"And this suggests that I may be on a common list used by estate agents,"},{"startTime":1516.049,"endTime":1521.125,"body":"perhaps supplied by data brokers based on information that they have trolled."},{"startTime":1521.595,"endTime":1527.29,"body":"That said, if you are someone formerly known as Victoria Baes, living in the Earnston"},{"startTime":1527.29,"endTime":1532.986,"body":"area of Greater Manchester and currently in the process of buying a property, could you"},{"startTime":1532.986,"endTime":1535.645,"body":"please stop giving people my email address?"},{"startTime":1536.095,"endTime":1536.565,"body":"Thank you."},{"startTime":1540.945,"endTime":1546.505,"body":"Personal data can of course be much more sensitive than an email address."},{"startTime":1546.805,"endTime":1553.025,"body":"It can be data that defines us or even makes us who we are."},{"startTime":1553.845,"endTime":1562.261,"body":"Um, GDPR, the European legislation identifies special categories of data which are subject to additional"},{"startTime":1562.261,"endTime":1563.945,"body":"conditions for processing."},{"startTime":1564.515,"endTime":1574.421,"body":"These concern are racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union"},{"startTime":1574.421,"endTime":1581.025,"body":"membership, genetics and biometrics, health, sex life and sexual orientation."},{"startTime":1581.765,"endTime":1589.265,"body":"And in my lectures this year, we've considered how an ever increasing number of connected"},{"startTime":1589.265,"endTime":1596.265,"body":"devices generate process and store medically sensitive data and data about our sex lives."},{"startTime":1597.445,"endTime":1603.107,"body":"We share this kind of data with private companies much more frequently than we might"},{"startTime":1603.107,"endTime":1603.485,"body":"realize."},{"startTime":1604.345,"endTime":1611.075,"body":"For instance, if we use an app to help us with our mental health guided"},{"startTime":1611.075,"endTime":1617.805,"body":"meditation journaling or to connect with therapists, we are routinely sharing health related personal data."},{"startTime":1619.215,"endTime":1627.712,"body":"Apple Health allows users to generate a medical ID complete with blood type allergies, medical"},{"startTime":1627.712,"endTime":1632.245,"body":"conditions and medications for sharing with emergency responders."},{"startTime":1633.305,"endTime":1640.525,"body":"And along with its competitor Fitbit, it allows menstruating users to track their cycles."},{"startTime":1642.925,"endTime":1651.254,"body":"Researchers at Privacy International and coding rights discovered that several period tracking apps encouraged users"},{"startTime":1651.254,"endTime":1659.583,"body":"to log additional lifestyle information, including when, how and how often they have sex and"},{"startTime":1659.583,"endTime":1661.805,"body":"their birth control habits."},{"startTime":1662.635,"endTime":1668.456,"body":"They also found that some of these apps were sharing data with third parties, including"},{"startTime":1668.456,"endTime":1668.845,"body":"Facebook."},{"startTime":1670.025,"endTime":1676.727,"body":"And this kind of data is being viewed in a new light since in 2022,"},{"startTime":1676.727,"endTime":1683.43,"body":"the US Supreme Court overturned the legal ruling that a woman's right to terminate her"},{"startTime":1683.43,"endTime":1687.005,"body":"own pregnancy was protected by the US Constitution."},{"startTime":1687.005,"endTime":1690.325,"body":"That's a ruling that is more often known as Roe v."},{"startTime":1690.515,"endTime":1695.485,"body":"Wade in US states where abortion is now illegal."},{"startTime":1696.465,"endTime":1704.05,"body":"Law enforcement can compel providers such as online pharmacies and social media platforms to disclose"},{"startTime":1704.05,"endTime":1707.085,"body":"user data relevant to an investigation."},{"startTime":1707.785,"endTime":1714.794,"body":"And as research by ProPublica has found some online pharmacies that retail abortion pills share"},{"startTime":1714.794,"endTime":1721.803,"body":"data with Google that can potentially identify customers which could then be requested from Google"},{"startTime":1721.803,"endTime":1723.205,"body":"by the authorities."},{"startTime":1724.235,"endTime":1726.045,"body":"Even before Roe v."},{"startTime":1726.115,"endTime":1732.719,"body":"Wade was overturned, meta reportedly disclosed the private messages of a 17-year-old girl and her"},{"startTime":1732.719,"endTime":1739.324,"body":"mother facing criminal charges in Nebraska for carrying out an abortion after 20 weeks of"},{"startTime":1739.324,"endTime":1739.765,"body":"pregnancy."},{"startTime":1741.225,"endTime":1744.885,"body":"Now, in this case, the content sought was actually on Facebook Messenger."},{"startTime":1744.905,"endTime":1751.784,"body":"It wasn't on a third party app, and the investigators served a search warrant on"},{"startTime":1751.784,"endTime":1758.205,"body":"the company issued by a court in my previous lecture, sex and the Internet."},{"startTime":1758.225,"endTime":1763.794,"body":"We looked briefly at the 2015 hack of dating site, Ashley Madison, which is known"},{"startTime":1763.794,"endTime":1766.765,"body":"for connecting people who want to have affairs."},{"startTime":1768.225,"endTime":1774.185,"body":"The hackers threatened to publish the personal data of users, including their real names, their"},{"startTime":1774.185,"endTime":1777.365,"body":"home addresses, and their credit card payment details."},{"startTime":1777.705,"endTime":1781.325,"body":"And they demanded the immediate closure of the service."},{"startTime":1782.435,"endTime":1787.005,"body":"When this didn't happen, they published the data of millions of users."},{"startTime":1788.505,"endTime":1796.155,"body":"And among that data were users who had paid Ashley Madison's parent company to close"},{"startTime":1796.155,"endTime":1799.725,"body":"their accounts and delete their personal information."},{"startTime":1801.015,"endTime":1807.24,"body":"Their appearance in those stolen data sets suggested that the platform had retained the personal"},{"startTime":1807.24,"endTime":1811.805,"body":"data even of those people who had paid them not to."},{"startTime":1812.945,"endTime":1819.901,"body":"Now this breach happened before the general data protection regulation came into force in the"},{"startTime":1819.901,"endTime":1820.365,"body":"eu."},{"startTime":1820.535,"endTime":1827.383,"body":"Under the current regime, the company would potentially have failed to honor the right of"},{"startTime":1827.383,"endTime":1832.405,"body":"individuals to have their data erased that right to be forgotten."},{"startTime":1834.725,"endTime":1841.212,"body":"Millions of us have also shared our genetic data with private companies by taking DNA"},{"startTime":1841.212,"endTime":1841.645,"body":"tests."},{"startTime":1842.705,"endTime":1850.528,"body":"Um, 14 million so far with 23 and me and over 25 million with ancestry"},{"startTime":1850.528,"endTime":1858.352,"body":"DNA consumer genotyping opens up the possibility to profile our dispositions to certain health conditions"},{"startTime":1858.352,"endTime":1862.525,"body":"and it gives us insights into our heritage."},{"startTime":1863.275,"endTime":1869.582,"body":"Some users have discovered their birth parents and other close relatives by permitting companies to"},{"startTime":1869.582,"endTime":1871.685,"body":"perform this kind of analysis."},{"startTime":1873.345,"endTime":1882.035,"body":"In 2015, researchers at Princeton Center for Information and Technology policy noticed that the privacy"},{"startTime":1882.035,"endTime":1890.726,"body":"policy of ancestry.com appeared to give the company permission to use customers genetic information for"},{"startTime":1890.726,"endTime":1891.885,"body":"advertising purposes."},{"startTime":1893.645,"endTime":1901.045,"body":"ancestry.com has since changed this policy to exclude advertising from how it uses genetic information."},{"startTime":1901.045,"endTime":1909.866,"body":"However, it does still state that they share these inferences, which quote are derived from"},{"startTime":1909.866,"endTime":1918.688,"body":"personal information such as to suggest familial relationships and to create consumer profiles for the"},{"startTime":1918.688,"endTime":1922.805,"body":"purposes of research, product development and marketing."},{"startTime":1923.385,"endTime":1931.045,"body":"And examples of this include quote your ethnicity estimates, traits and genetic communities."},{"startTime":1932.105,"endTime":1939.116,"body":"The company defines genetic communities as groups of ancestry, DNA members who are connected through"},{"startTime":1939.116,"endTime":1944.725,"body":"DNA, most likely because they descend from a population of common ancestors."},{"startTime":1945.945,"endTime":1953.235,"body":"So those of us who have taken their test seem to have agreed albeit tacitly"},{"startTime":1953.235,"endTime":1960.525,"body":"and perhaps unwittingly to being served online ads on the basis of our genetic makeup."},{"startTime":1963.095,"endTime":1970.308,"body":"Now, it can often be difficult and arguably it's disingenuous to disentangle data protection on"},{"startTime":1970.308,"endTime":1974.155,"body":"the one hand from cybersecurity on the other."},{"startTime":1974.415,"endTime":1980.435,"body":"If data is secure, it is by definition better protected."},{"startTime":1981.345,"endTime":1988.826,"body":"When an organization suffers a cyber attack, it needs to be able to satisfy the"},{"startTime":1988.826,"endTime":1996.307,"body":"authorities either that no personal data has been compromised or failing that, that the required"},{"startTime":1996.307,"endTime":2003.788,"body":"protection measures had been put in place in December of last year, 23 and me"},{"startTime":2003.788,"endTime":2009.275,"body":"confirmed that hackers had stolen ancestry data on 6.9 million users."},{"startTime":2010.375,"endTime":2017.046,"body":"And in a letter sent to a group of victims, the company's lawyers stated quote"},{"startTime":2017.046,"endTime":2023.717,"body":"that the incident was a result of user's failure to safeguard their own account credentials"},{"startTime":2023.717,"endTime":2027.275,"body":"for which 23 and me bears no responsibility."},{"startTime":2028.775,"endTime":2035.275,"body":"The hackers appeared to have gained access by reusing stolen login credentials for other services."},{"startTime":2035.425,"endTime":2043.504,"body":"It's a type of attack known as credential stuffing, but they didn't do this 6.9"},{"startTime":2043.504,"endTime":2047.275,"body":"million times, they compromised around 14,000 accounts."},{"startTime":2048.705,"endTime":2056.094,"body":"Because of the way the platform works, they were able to gain access also to"},{"startTime":2056.094,"endTime":2063.485,"body":"the data of customers who had automatically shared data with their hacked DNA relatives 23"},{"startTime":2063.485,"endTime":2070.875,"body":"and Me responded by resetting all user passwords and requiring everyone to use multifactor authentication."},{"startTime":2071.175,"endTime":2076.155,"body":"So there was an additional barrier to logging in over and above a password."},{"startTime":2077.375,"endTime":2083.831,"body":"But if that additional authentication had already been in place before the incident, far fewer"},{"startTime":2083.831,"endTime":2087.275,"body":"accounts would've been compromised in the first place."},{"startTime":2087.815,"endTime":2094.568,"body":"And one could also argue that the company had a duty to air gap that"},{"startTime":2094.568,"endTime":2101.321,"body":"user data shutting off linked data for relatives where there were indications of account compromise"},{"startTime":2101.321,"endTime":2108.075,"body":"red flags such as logging in from an unexpected location or from an unexpected device."},{"startTime":2109.535,"endTime":2116.09,"body":"Now I would be the very first person to advise people to use different strong"},{"startTime":2116.09,"endTime":2118.275,"body":"passwords for all their accounts."},{"startTime":2118.275,"endTime":2123.775,"body":"And in fact, some of you may remember we produced a cyber safety video on"},{"startTime":2123.775,"endTime":2127.075,"body":"precisely this topic, which you can find on YouTube."},{"startTime":2128.375,"endTime":2134.395,"body":"But in this case, I would say blaming users for an attack of this scale."},{"startTime":2134.655,"endTime":2143.026,"body":"And impact is not only not in keeping with the spirit of data protection, it"},{"startTime":2143.026,"endTime":2149.165,"body":"smacks of a conscious attempt to deflect attention according to GDPR."},{"startTime":2149.665,"endTime":2152.605,"body":"Our faces are also personal data."},{"startTime":2153.305,"endTime":2161.405,"body":"The increasing use of live automated facial recognition in public places has understandably proved to"},{"startTime":2161.405,"endTime":2162.485,"body":"be controversial."},{"startTime":2163.105,"endTime":2169.547,"body":"And of particular concern is the practice of scanning people's faces and processing their facial"},{"startTime":2169.547,"endTime":2172.125,"body":"data without their knowledge or consent."},{"startTime":2172.575,"endTime":2174.485,"body":"Hence the massive sign."},{"startTime":2175.785,"endTime":2182.113,"body":"In a high profile case in 2020, a court heard that South Wales police had"},{"startTime":2182.113,"endTime":2188.441,"body":"captured half a million faces, quote, the overwhelming majority of whom were not suspected of"},{"startTime":2188.441,"endTime":2189.285,"body":"any wrongdoing."},{"startTime":2190.505,"endTime":2198.821,"body":"Facial recognition is also being discovered by accidents in unusual places such as vending machines"},{"startTime":2198.821,"endTime":2200.485,"body":"on student campuses."},{"startTime":2201.705,"endTime":2209.493,"body":"Online companies like Clearview AI that scrape billions of publicly available images of people's faces"},{"startTime":2209.493,"endTime":2215.725,"body":"from websites, social media, again without their knowledge or consent for processing."},{"startTime":2215.945,"endTime":2222.165,"body":"By law enforcements are now coming under increasing scrutiny by national regulators."},{"startTime":2224.325,"endTime":2231.205,"body":"Scrutiny intensifies also when big tech companies seek to acquire smaller providers."},{"startTime":2231.825,"endTime":2239.24,"body":"So when Facebook now meta bought WhatsApp in 2014, it informed the European Commission that"},{"startTime":2239.24,"endTime":2246.656,"body":"it would not be able to conduct reliable matches between Facebook users accounts and WhatsApp"},{"startTime":2246.656,"endTime":2247.645,"body":"users accounts."},{"startTime":2248.425,"endTime":2254.467,"body":"So it meant that they couldn't join the two data sets together and enable deeper"},{"startTime":2254.467,"endTime":2256.885,"body":"insights into users lives and behaviors."},{"startTime":2258.345,"endTime":2265.556,"body":"But in 2016, WhatsApp updated its terms of service and its privacy policy and they"},{"startTime":2265.556,"endTime":2271.325,"body":"included the possibility of linking WhatsApp users phone numbers to Facebook accounts."},{"startTime":2272.305,"endTime":2280.69,"body":"As a result, the EU find Facebook 110 million euros for providing incorrect information during"},{"startTime":2280.69,"endTime":2283.485,"body":"the investigation of the merger."},{"startTime":2286.025,"endTime":2291.82,"body":"If you wear an Apple watch, you will be used to the idea that data"},{"startTime":2291.82,"endTime":2294.525,"body":"is shared with your other Apple devices."},{"startTime":2295.945,"endTime":2302.279,"body":"If you own a rival Fitbit Tracker, you may not know that Google now owns"},{"startTime":2302.279,"endTime":2306.925,"body":"Fitbits and therefore has access to your health and fitness data."},{"startTime":2308.715,"endTime":2315.365,"body":"This merger was originally announced in 2019, but it was completed only in 2021."},{"startTime":2315.385,"endTime":2322.943,"body":"And that's because the European Commission investigated the acquisition and the chief focus was on"},{"startTime":2322.943,"endTime":2330.501,"body":"whether Google's access to Fitbit data would give their advertising business an unfair advantage over"},{"startTime":2330.501,"endTime":2331.005,"body":"competitors."},{"startTime":2332.115,"endTime":2338.434,"body":"Both Google and Fitbit were quick to reassure the public that Fitbit data would not"},{"startTime":2338.434,"endTime":2341.805,"body":"be used to target Google ads at them."},{"startTime":2343.065,"endTime":2350.596,"body":"But had the EU not explicitly banned this, it's entirely possible that this safeguard may"},{"startTime":2350.596,"endTime":2352.605,"body":"not have been introduced."},{"startTime":2355.395,"endTime":2359.085,"body":"Data is captured by connected devices in our homes."},{"startTime":2359.955,"endTime":2367.641,"body":"It's processed on providers servers and it's sometimes shared across services as the owner of"},{"startTime":2367.641,"endTime":2372.765,"body":"both Ring Doorbell Technology and Alexa Echo Smart Speaker Technology."},{"startTime":2373.665,"endTime":2381.499,"body":"Amazon processes video recordings of users' properties and it uses voice recordings to train its"},{"startTime":2381.499,"endTime":2387.245,"body":"speech recognition, its natural language systems, but also for targeting adverts."},{"startTime":2388.345,"endTime":2395.654,"body":"Our smart home device data is also of interest to and requested by law enforcement"},{"startTime":2395.654,"endTime":2402.963,"body":"authorities when so much of our very personal and very sensitive data can be processed"},{"startTime":2402.963,"endTime":2410.273,"body":"on servers in other countries, it makes sense for data protection regimes to be international"},{"startTime":2410.273,"endTime":2417.582,"body":"or at least approximate so that each of us can be assured that our data"},{"startTime":2417.582,"endTime":2424.405,"body":"will be protected to a similar standard wherever it is and wherever we are."},{"startTime":2425.665,"endTime":2431.769,"body":"And one of the reasons why the EU legislation why GDPR is held up as"},{"startTime":2431.769,"endTime":2437.874,"body":"the gold standard of data protection is that it applies to everyone who wants to"},{"startTime":2437.874,"endTime":2443.165,"body":"process the personal data of EU citizens wherever that processor may be located."},{"startTime":2443.745,"endTime":2451.188,"body":"And it required the countries that adopted it to introduce the same level of legal"},{"startTime":2451.188,"endTime":2451.685,"body":"protections."},{"startTime":2454.185,"endTime":2460.549,"body":"So seen through this lens, the UK government's proposal of a new data protection and"},{"startTime":2460.549,"endTime":2466.914,"body":"digital information bill may be viewed as an expensive attempt to reinvent the wheel in"},{"startTime":2466.914,"endTime":2469.885,"body":"a post Brexit flexing of national sovereignty."},{"startTime":2470.065,"endTime":2475.045,"body":"And indeed, that is exactly how the government introduced it in 2022."},{"startTime":2475.795,"endTime":2484.279,"body":"Primary legislation that will harness our post Brexit freedoms to create an independent data protection"},{"startTime":2484.279,"endTime":2484.845,"body":"framework."},{"startTime":2485.545,"endTime":2491.302,"body":"And one of its publicized promises is that it will reduce the number of annoying"},{"startTime":2491.302,"endTime":2493.605,"body":"cookie popups that we see annoying."},{"startTime":2493.835,"endTime":2494.605,"body":"They may be."},{"startTime":2495.125,"endTime":2503.303,"body":"I would agree with that entirely, but reducing the number of opportunities we have to"},{"startTime":2503.303,"endTime":2511.482,"body":"exercise our rights to object to being profiled through our online browsing habits doesn't seem"},{"startTime":2511.482,"endTime":2515.845,"body":"to me to be the most just solution."},{"startTime":2517.305,"endTime":2523.502,"body":"The intention, I think may be to give the consumer a more convenient experience, but"},{"startTime":2523.502,"endTime":2529.699,"body":"this should not be at the expense of their right to control how their personal"},{"startTime":2529.699,"endTime":2531.765,"body":"data is collected and processed."},{"startTime":2532.095,"endTime":2539.486,"body":"Personally, I would prefer to have the opportunity to consent or reject every time that"},{"startTime":2539.486,"endTime":2540.965,"body":"data is requested."},{"startTime":2541.825,"endTime":2549.295,"body":"The alternative is a one-time blanket consent, and that can open up opportunities for organizations"},{"startTime":2549.295,"endTime":2556.765,"body":"to use data in ways that subjects may not have originally intended or agreed to."},{"startTime":2558.065,"endTime":2564.045,"body":"Now this draft legislation is being scrutinized in the House of Lords right now tomorrow."},{"startTime":2564.665,"endTime":2571.035,"body":"In fact, if you would like to follow it live online, it has the potential"},{"startTime":2571.035,"endTime":2577.405,"body":"to give people in the UK different personal data protections to people elsewhere in Europe."},{"startTime":2578.305,"endTime":2582.365,"body":"So it is worth all of us keeping a very close eye on."},{"startTime":2583.185,"endTime":2590.172,"body":"Um, incidentally, this is the annoying cookie popup on the government's website about the legislation"},{"startTime":2590.172,"endTime":2594.365,"body":"that proposes to do away with annoying cookie popups."},{"startTime":2594.745,"endTime":2598.834,"body":"So it's good to see that for the time being at least they are still"},{"startTime":2598.834,"endTime":2599.925,"body":"complying with international law."},{"startTime":2601.785,"endTime":2608.222,"body":"Now, it may be tempting to feel like we as individuals can't do anything about"},{"startTime":2608.222,"endTime":2614.659,"body":"the business model that was famously described as surveillance capitalism by Shoshana Zuboff in her"},{"startTime":2614.659,"endTime":2616.805,"body":"book of the same name."},{"startTime":2617.705,"endTime":2620.725,"body":"But there are people fighting our corner."},{"startTime":2621.895,"endTime":2626.245,"body":"There are those state, national, and international regulators."},{"startTime":2626.775,"endTime":2634.771,"body":"There are civil society organizations, particularly those focused on privacy surveillance and freedoms of expression"},{"startTime":2634.771,"endTime":2642.768,"body":"and information investigative journalists like Carol Kawada who first exposed that the data of millions"},{"startTime":2642.768,"endTime":2650.765,"body":"of Facebook users had been collected by consulting firm Cambridge Analytica without their informed consent."},{"startTime":2651.545,"endTime":2657.677,"body":"And an honorable mention must go to Max Schrems, an Austrian lawyer who first started"},{"startTime":2657.677,"endTime":2661.765,"body":"filing complaints against Facebook when he was still a student."},{"startTime":2663.315,"endTime":2670.787,"body":"Between 2011 and 2013, Schrems filed a total of 22 complaints with the Irish Data"},{"startTime":2670.787,"endTime":2676.765,"body":"Protection Commissioner about the operations and policies of Facebook's European data controller."},{"startTime":2677.265,"endTime":2683.467,"body":"And the last of these concerned the export of European users data to the US"},{"startTime":2683.467,"endTime":2689.67,"body":"in light of claims by Edward Snowden that the Prism Surveillance program enabled the US"},{"startTime":2689.67,"endTime":2692.565,"body":"National Security Agency to access this data."},{"startTime":2693.025,"endTime":2699.781,"body":"And this eventually led to the European Court of Justice declaring the legal basis for"},{"startTime":2699.781,"endTime":2706.538,"body":"these transfers invalid, which meant that the EU and the US had to go back"},{"startTime":2706.538,"endTime":2712.845,"body":"to the drawing board and agree a completely new framework for transatlantic data transfers."},{"startTime":2715.225,"endTime":2723.095,"body":"If we have the chance to do this all again, would we design the global"},{"startTime":2723.095,"endTime":2730.965,"body":"data ecosystem differently so that humans could have greater control over their own personal information?"},{"startTime":2732.755,"endTime":2737.489,"body":"Well, the inventor of the worldwide web, Tim Burner's Lee certainly thinks that we still"},{"startTime":2737.489,"endTime":2737.805,"body":"can."},{"startTime":2738.505,"endTime":2743.525,"body":"And in 2016, he launched solid social linked data."},{"startTime":2744.195,"endTime":2751.897,"body":"It's a protocol that allows individuals to store their data securely in pods on decentralized"},{"startTime":2751.897,"endTime":2752.925,"body":"web servers."},{"startTime":2753.225,"endTime":2759.627,"body":"And I couldn't resist the temptation to show you an image of a futuristic space"},{"startTime":2759.627,"endTime":2766.03,"body":"pod, but of course, in reality it's more like a folder, sorry, pod owners control,"},{"startTime":2766.03,"endTime":2769.445,"body":"which people and applications can access their data."},{"startTime":2770.345,"endTime":2775.885,"body":"And that means it's a user centric rather than a company centric model."},{"startTime":2776.985,"endTime":2783.858,"body":"The government in Belgium is currently trialing use of pods so that citizens can share"},{"startTime":2783.858,"endTime":2787.525,"body":"their education certificates and their medical records securely."},{"startTime":2788.025,"endTime":2795.893,"body":"So a user friendly solution for consumers may not be too far off, but for"},{"startTime":2795.893,"endTime":2799.565,"body":"the time being, there are no shortcuts."},{"startTime":2799.665,"endTime":2800.045,"body":"I'm afraid."},{"startTime":2800.145,"endTime":2805.308,"body":"For those of us who want to exercise our rights over how our personal data"},{"startTime":2805.308,"endTime":2806.685,"body":"is collected and processed."},{"startTime":2807.075,"endTime":2812.672,"body":"It's up to each of us to decide how much we are willing to share"},{"startTime":2812.672,"endTime":2815.285,"body":"with tech companies and other service providers."},{"startTime":2817.225,"endTime":2823.735,"body":"And it seems that there is potential for us to reframe the deal from one"},{"startTime":2823.735,"endTime":2830.246,"body":"in which we just trade privacy for convenience to one in which our willingness to"},{"startTime":2830.246,"endTime":2836.757,"body":"let companies see into our lives is matched by transparency on their parts about what"},{"startTime":2836.757,"endTime":2843.268,"body":"they do with our data and a greater willingness to let us see under the"},{"startTime":2843.268,"endTime":2845.005,"body":"bonnet of their operations."},{"startTime":2845.505,"endTime":2851.892,"body":"And this is certainly a common theme that's emerging from recent online safety and consumer"},{"startTime":2851.892,"endTime":2855.725,"body":"protection legislation, both in the UK and in Europe."},{"startTime":2857.975,"endTime":2862.605,"body":"Meaningful consent relies on us being properly informed."},{"startTime":2863.065,"endTime":2868.981,"body":"And while this can be a little labor intensive, it's too important for us to"},{"startTime":2868.981,"endTime":2870.165,"body":"sleep walk through."},{"startTime":2870.905,"endTime":2878.064,"body":"The more we as single individuals exercise our rights, the greater our chance of holding"},{"startTime":2878.064,"endTime":2881.405,"body":"accountable The organizations who process our data."},{"startTime":2882.065,"endTime":2887.896,"body":"We don't of course all have the tenacity or the legal training of a Max"},{"startTime":2887.896,"endTime":2888.285,"body":"Rems."},{"startTime":2888.945,"endTime":2895.367,"body":"You don't all have to be a data protection busy body like me, but we"},{"startTime":2895.367,"endTime":2898.365,"body":"can all be our own digital defenders."},{"startTime":2899.185,"endTime":2907.447,"body":"The dominant business model depends on the commodification of the details of our lives and"},{"startTime":2907.447,"endTime":2912.405,"body":"on people, individuals acquiescing to that in sufficient numbers."},{"startTime":2913.985,"endTime":2921.838,"body":"But there is a financial cost to companies attached to processing our subject access requests"},{"startTime":2921.838,"endTime":2928.645,"body":"an average of 20,000 pounds for each one according to a recent report."},{"startTime":2929.825,"endTime":2937.396,"body":"So if we were feeling collectively devilish, we might perhaps even devalue the business models"},{"startTime":2937.396,"endTime":2944.967,"body":"simply by exercising our data rights by showing companies and governments that we care about"},{"startTime":2944.967,"endTime":2952.538,"body":"the amount of data collected and our rights to object, we certainly stand a greater"},{"startTime":2952.538,"endTime":2959.605,"body":"chance of transforming it into something fairer, more transparent, perhaps even more privacy focused."},{"startTime":2961.025,"endTime":2968.341,"body":"So the choice over how much of your life you share is yours and it"},{"startTime":2968.341,"endTime":2969.805,"body":"needs to remain."},{"startTime":2969.865,"endTime":2974.155,"body":"So, so come on, let's do this."},{"startTime":2975.225,"endTime":2976.755,"body":"What are we all waiting for?"},{"startTime":2979.495,"endTime":2980.565,"body":"Thank you very much."},{"startTime":2985.785,"endTime":2989.565,"body":"Is it possible to track where our data is or is it too late?"},{"startTime":2990.625,"endTime":2993.767,"body":"So it's all very well saying, oh no, I I don't want my data shared,"},{"startTime":2993.767,"endTime":2994.605,"body":"but who's got it?"},{"startTime":2995.625,"endTime":2995.845,"body":"Yes."},{"startTime":2995.905,"endTime":3000.064,"body":"So, um, I didn't have time to talk about it in the lecture, but um,"},{"startTime":3000.064,"endTime":3004.223,"body":"in the accompanying text, um, there are various tools that you can use it to"},{"startTime":3004.223,"endTime":3006.165,"body":"firstly find out who's got your data."},{"startTime":3006.665,"endTime":3011.853,"body":"So that, um, the screenshot that I showed of rightly other tools are available, but"},{"startTime":3011.853,"endTime":3017.042,"body":"this is one that, um, analyzes your email inbox, um, to identify all the people"},{"startTime":3017.042,"endTime":3021.885,"body":"who you know are, are sending you emails and therefore have your email address."},{"startTime":3021.955,"endTime":3024.285,"body":"It's, it's just kind of a, a time saving tool."},{"startTime":3024.665,"endTime":3029.061,"body":"Um, as a security person, as you can imagine, I was a little bit nervous"},{"startTime":3029.061,"endTime":3032.285,"body":"about allowing it to scrutinize the metadata in my personal email."},{"startTime":3032.705,"endTime":3036.502,"body":"Um, but you'll be pleased to hear that in their terms of service, they do"},{"startTime":3036.502,"endTime":3040.299,"body":"state very clearly, um, that they don't look at the contents and that you can,"},{"startTime":3040.299,"endTime":3042.325,"body":"you know, rescind, uh, your permissions, et cetera."},{"startTime":3042.545,"endTime":3046.205,"body":"So I took one for the team so I could show you on screen."},{"startTime":3046.745,"endTime":3048.365,"body":"Um, so lots of tools like that."},{"startTime":3048.625,"endTime":3051.965,"body":"Um, there are some, um, browser extensions."},{"startTime":3051.965,"endTime":3054.805,"body":"There's one for Mozilla, Mozilla monitor."},{"startTime":3054.975,"endTime":3060.346,"body":"Again, I'm not, I'm not pushing particular solutions, but there are ones that will look"},{"startTime":3060.346,"endTime":3064.285,"body":"for, um, where your data has been scraped by data brokers."},{"startTime":3064.665,"endTime":3068.937,"body":"And I think that's the, the most difficult one really, because if you know you've"},{"startTime":3068.937,"endTime":3073.209,"body":"got a Facebook account, you know that Facebook's getting your data, um, what you can"},{"startTime":3073.209,"endTime":3077.481,"body":"also do in all of those social media services and your email is go into"},{"startTime":3077.481,"endTime":3080.045,"body":"your settings, go into the settings on your phone."},{"startTime":3080.065,"endTime":3085.577,"body":"If you do nothing else, go into the settings on your phone and see, you"},{"startTime":3085.577,"endTime":3088.885,"body":"know, for those different services, what are they sharing."},{"startTime":3089.105,"endTime":3096.383,"body":"So when you download, um, the um, data archive from Facebook from Meta, it shows"},{"startTime":3096.383,"endTime":3098.325,"body":"you your ad preferences."},{"startTime":3099.265,"endTime":3103.876,"body":"Um, and then you can go through a privacy checkup tool to control that data"},{"startTime":3103.876,"endTime":3107.565,"body":"and get it locked down so that you're not sharing as much."},{"startTime":3107.945,"endTime":3113.42,"body":"Now, if you are the kind of person who thinks that convenience is more important"},{"startTime":3113.42,"endTime":3115.245,"body":"than privacy, that's okay too."},{"startTime":3115.945,"endTime":3118.685,"body":"I'm a security person, I want you to lock all of your stuff down."},{"startTime":3119.185,"endTime":3123.424,"body":"Um, but it's okay to think, well actually I want the web to remember when"},{"startTime":3123.424,"endTime":3125.685,"body":"I've got something in my online shopping basket."},{"startTime":3126.065,"endTime":3126.845,"body":"You know, no one"},{"startTime":3126.845,"endTime":3127.445,"body":"Cares what my"},{"startTime":3127.445,"endTime":3127.925,"body":"Deal is."},{"startTime":3127.925,"endTime":3132.096,"body":"No, when it is, that's, so if that's your decision, that's fine, but please, I"},{"startTime":3132.096,"endTime":3136.267,"body":"think my only wish would be that you engage with it actively and you make"},{"startTime":3136.267,"endTime":3139.605,"body":"that decision rather than letting somebody else make that decision for you."},{"startTime":3140.115,"endTime":3142.845,"body":"Yeah, please engage brain before clicking cookies."},{"startTime":3143.585,"endTime":3143.805,"body":"Yes."},{"startTime":3143.805,"endTime":3147.067,"body":"Um, so a couple of questions from anonymous people here, which a a little bit"},{"startTime":3147.067,"endTime":3147.285,"body":"linked."},{"startTime":3147.405,"endTime":3150.005,"body":"I think the, the first one is, uh, actually it's not anonymous."},{"startTime":3150.035,"endTime":3154.46,"body":"This was from Andrew, uh, Eson who asked were the fines levied on the big"},{"startTime":3154.46,"endTime":3156.525,"body":"data companies for GDPR offenses actually paid."},{"startTime":3157.665,"endTime":3158.645,"body":"So that's the first question."},{"startTime":3158.715,"endTime":3161.205,"body":"Just, I dunno the answers you keep thinking."},{"startTime":3161.345,"endTime":3165.518,"body":"And the second one is a anonymous person says, well, finding Facebook a hundred million"},{"startTime":3165.518,"endTime":3169.692,"body":"euros, which sounded quite a lot to me for lying about his data capabilities in"},{"startTime":3169.692,"endTime":3170.805,"body":"WhatsApp seems pretty poultry."},{"startTime":3171.395,"endTime":3175.6,"body":"Well, there's lots of rich people in the city of London, so probably it is"},{"startTime":3175.6,"endTime":3179.245,"body":"poultry for this person, um, are penalties just the cost of doing business,"},{"startTime":3180.135,"endTime":3180.485,"body":"Right?"},{"startTime":3180.665,"endTime":3180.885,"body":"Yes."},{"startTime":3180.885,"endTime":3182.005,"body":"So I'll take those two together."},{"startTime":3182.145,"endTime":3186.009,"body":"Um, and, and thank you Andy for your question and thank you for for, um,"},{"startTime":3186.009,"endTime":3186.525,"body":"joining in."},{"startTime":3186.645,"endTime":3190.986,"body":"I know Andy offline, so it's nice to have some, some real people in our"},{"startTime":3190.986,"endTime":3191.565,"body":"digital world."},{"startTime":3192.225,"endTime":3198.357,"body":"Um, so you will be unsurprised to hear that big tech companies employ teams of"},{"startTime":3198.357,"endTime":3202.445,"body":"lawyers and outside counsel to fight the judgments against them."},{"startTime":3202.865,"endTime":3206.093,"body":"And one of the reasons why it can take a really, really long time for"},{"startTime":3206.093,"endTime":3208.245,"body":"fines to be paid is that they do get contested."},{"startTime":3208.475,"endTime":3213.325,"body":"They do sometimes, um, get shot down, but generally speaking they'll be fine."},{"startTime":3213.325,"endTime":3214.285,"body":"Something for something."},{"startTime":3214.865,"endTime":3219.975,"body":"Um, and I think to some extent because with the public authorities, I, I mentioned"},{"startTime":3219.975,"endTime":3225.085,"body":"this in the, in the handout, but not in the lecture with the public authorities."},{"startTime":3225.705,"endTime":3231.338,"body":"Um, even if, uh, a, a company is successfully fined that money will go back"},{"startTime":3231.338,"endTime":3235.845,"body":"to the treasury, it doesn't come back to you as data subjects."},{"startTime":3236.185,"endTime":3237.845,"body":"It comes back to you as data subjects."},{"startTime":3238.105,"endTime":3243.083,"body":"If you bring a civil lawsuit, which is something that's been happening in the, in"},{"startTime":3243.083,"endTime":3248.062,"body":"the us you'll be unsurprised to hear quite a lot, um, where users are potentially"},{"startTime":3248.062,"endTime":3252.045,"body":"gonna be in for some money, particularly for the Cambridge Analytica scandal."},{"startTime":3252.525,"endTime":3252.605,"body":"Hmm."},{"startTime":3252.865,"endTime":3256.8,"body":"Um, so, but not outside of the US because that's where the civil lawsuit has"},{"startTime":3256.8,"endTime":3257.325,"body":"been brought."},{"startTime":3257.585,"endTime":3262.685,"body":"It does raise a really interesting question about, you know, is there a different way"},{"startTime":3262.685,"endTime":3267.785,"body":"to do this so that the money doesn't just go back to a government treasury,"},{"startTime":3267.785,"endTime":3272.885,"body":"it goes back to the people who've been affected In terms of the sums, I"},{"startTime":3272.885,"endTime":3277.985,"body":"think the answer to both of those questions is actually that sometimes the rulings are"},{"startTime":3277.985,"endTime":3279.005,"body":"symbolic enough Mm-Hmm."},{"startTime":3279.905,"endTime":3283.605,"body":"For even large tech companies to change their policies."},{"startTime":3284.705,"endTime":3289.988,"body":"And sometimes it's the symbol that's more important than the amount, even if the amount"},{"startTime":3289.988,"endTime":3291.045,"body":"looks absolutely whopping."},{"startTime":3291.635,"endTime":3291.925,"body":"Okay."},{"startTime":3291.925,"endTime":3292.205,"body":"Yeah."},{"startTime":3292.465,"endTime":3293.085,"body":"Now I've got time."},{"startTime":3293.105,"endTime":3294.005,"body":"Two quick ones I think."},{"startTime":3294.005,"endTime":3295.765,"body":"Um, so the first one is an interesting one."},{"startTime":3295.765,"endTime":3300.199,"body":"If you are based in the United Kingdom and we are giving this lecture from"},{"startTime":3300.199,"endTime":3304.633,"body":"the United Kingdom, would you recommend to withdraw consent for the NHS to share our"},{"startTime":3304.633,"endTime":3307.885,"body":"health data, even for research purposes or to improve their services?"},{"startTime":3308.465,"endTime":3310.165,"body":"So this is a hot topic for Brits."},{"startTime":3310.255,"endTime":3311.725,"body":"We're all members of the NHS."},{"startTime":3311.725,"endTime":3313.565,"body":"I don't think you can not be a member of the NHS."},{"startTime":3313.985,"endTime":3314.885,"body":"Um, I guess not."},{"startTime":3315.625,"endTime":3317.565,"body":"So what should we do?"},{"startTime":3319.185,"endTime":3322.445,"body":"So for me, this is all about informed consent."},{"startTime":3322.585,"endTime":3327.345,"body":"And this is all about having, you know, being asked to give your consent every"},{"startTime":3327.345,"endTime":3329.885,"body":"time it's required by a different research agency."},{"startTime":3330.185,"endTime":3334.854,"body":"So if I think about, um, during covid ID the vast majority of us, I"},{"startTime":3334.854,"endTime":3339.523,"body":"would wager willingly gave our data to the Zoe Study and, you know, various other"},{"startTime":3339.523,"endTime":3342.325,"body":"folks because we knew it was gonna help people."},{"startTime":3342.785,"endTime":3347.463,"body":"But we also understood that it would be for those limited purposes that, you know,"},{"startTime":3347.463,"endTime":3352.141,"body":"my data on my exercise and my eating habits wasn't suddenly going to end up"},{"startTime":3352.141,"endTime":3352.765,"body":"being commercialized."},{"startTime":3353.585,"endTime":3354.245,"body":"You would hope."},{"startTime":3354.985,"endTime":3363.344,"body":"Um, there have been some potentially controversial partnerships between the NHS and some, um, big"},{"startTime":3363.344,"endTime":3367.245,"body":"tech companies and some technology intelligence companies."},{"startTime":3367.945,"endTime":3372.81,"body":"Um, and, and I think that's, it's a good example for me of why I"},{"startTime":3372.81,"endTime":3375.405,"body":"don't wanna give a blanket consent to somebody."},{"startTime":3375.885,"endTime":3379.651,"body":"I want them to come back to me every time they want my data for"},{"startTime":3379.651,"endTime":3380.405,"body":"a new purpose."},{"startTime":3380.505,"endTime":3385.581,"body":"And that's a really important part of GDPR, certainly, and as we brought it into"},{"startTime":3385.581,"endTime":3388.965,"body":"UK legislation, is you give consent for a specific purpose."},{"startTime":3389.105,"endTime":3393.445,"body":"If that purpose changes, the data controller has to come back to you Yeah."},{"startTime":3393.445,"endTime":3394.165,"body":"And ask you again."},{"startTime":3394.315,"endTime":3394.605,"body":"Yeah."},{"startTime":3394.605,"endTime":3397.005,"body":"Blanket consent is so last century, don't you think?"},{"startTime":3397.005,"endTime":3397.165,"body":"Yeah."},{"startTime":3397.235,"endTime":3397.525,"body":"It's,"},{"startTime":3397.675,"endTime":3398.605,"body":"It's very 20th century."},{"startTime":3398.655,"endTime":3399.205,"body":"Right, right."},{"startTime":3399.205,"endTime":3399.405,"body":"Okay."},{"startTime":3400.045,"endTime":3402.885,"body":"I have a question from Professor Danny Dresner."},{"startTime":3403.065,"endTime":3403.285,"body":"Aha."},{"startTime":3403.505,"endTime":3403.725,"body":"Yes."},{"startTime":3403.985,"endTime":3405.285,"body":"Who you referred to in the lecture."},{"startTime":3406.145,"endTime":3410.326,"body":"Should I be looking to enforce my right to have my  for all things"},{"startTime":3410.326,"endTime":3410.605,"body":"Dr."},{"startTime":3410.745,"endTime":3413.285,"body":"Who edited out of this lecture, \u003claugh\u003e?"},{"startTime":3414.645,"endTime":3418.895,"body":"I mean, he absolutely can do, but, um, I know Danny quite well and, um,"},{"startTime":3418.895,"endTime":3421.445,"body":"I think he's very keen to have any publicity."},{"startTime":3421.825,"endTime":3423.165,"body":"Oh, so \u003claugh\u003e."},{"startTime":3423.425,"endTime":3423.645,"body":"Oh."},{"startTime":3424.345,"endTime":3426.645,"body":"So Danny, if you don't mind, I'm gonna keep this one"},{"startTime":3426.645,"endTime":3426.805,"body":"In."},{"startTime":3426.865,"endTime":3428.805,"body":"Oh, that's a wounding way to end."},{"startTime":3429.035,"endTime":3429.325,"body":"Feel"},{"startTime":3429.325,"endTime":3430.485,"body":"Free to fight me in"},{"startTime":3430.485,"endTime":3431.205,"body":"The courts \u003claugh\u003e."},{"startTime":3432.465,"endTime":3437.396,"body":"But a brilliant, that's a brilliant end to a really, uh, wonderful and fascinating, uh,"},{"startTime":3437.396,"endTime":3437.725,"body":"hour."},{"startTime":3437.945,"endTime":3439.405,"body":"So Victoria, thank you very much."},{"startTime":3439.775,"endTime":3440.685,"body":"Thank you everyone."}]}