Thursday 14 December 2017

What does the BBC mean by "control"?

A charming email arrived from the BBC the other day. They want to make it easier for DMossEsq to sign in to his account. And they want him to be able to sign in orally – no more fuddy-duddy typing.

So the subject of the email is "Talk your way into the Beeb"? No. It's "Important changes to the BBC Privacy and Cookies Policy".

Bit boring. But let's take a look:

We’ve made some changes to the BBC’s Privacy and Cookies Policy. We’ve done this so that we can introduce new features, while protecting your data and putting you in control of what happens to it.

You can view the updated Privacy and Cookies Policy by going to and searching for our Privacy and Cookies Policy or by clicking on the link below.

View updated Privacy & Cookies policy

The BBC Privacy and Cookies Policy turns out to be 5,000 words long and to comprise 20 clauses.

Clause 4 lists 11 uses to which the BBC may put DMossEsq's personal information. Most of these are unimpeachable.

For example, the BBC may use DMossEsq's personal information for analysis and research to assist with marketing and strategic service development. DMossEsq has no objection to this use of his personal information. But it is odd to describe this as a case of him having "control of what happens to [his personal information]".

It would make sense for the BBC to say "thank you, DMossEsq, for providing us with the data to help us with our strategy". It makes no sense to say that DMossesq is "in control of that data".

On those rare occasions when the hermit DMossEsq leaves his mountaintop eyrie in Merton and goes abroad, the BBC warn him at clause 4 that he may be subjected to "online behavioural advertising". Which suggests that the BBC are forever monitoring his behaviour so that they are ready to offer him appropriate advertisements as soon as he is overseas. DMossEsq has no control over that monitoring. The BBC know that and it is silly of them to pretend that he has.

Clause 7 says that the BBC "may use information which we hold about you to show you relevant advertising on third party sites (e.g. Facebook, Google, Instagram, Snapchat and Twitter)". And clause 8 says "we may share [some data] with third party sites (e.g. Facebook, Google, Instagram, Snapchat and Twitter)".

DMossEsq can opt out of this sharing. Good. But hang on a minute. Facebook, Google, Instagram, Snapchat and Twitter don't display advertisements for free. They like to be paid. Presumably by the BBC. Are they being paid with money taken from DMossEsq's licence fee? Or with DMossEsq's personal information? Or both? And what else are Facebook, Google, Instagram, Snapchat and Twitter doing with his personal information?

Clause 13 assures DMossEsq that he can always find out what personal information of his is held by the BBC on the sole condition that he give them even more of it. Specifically his passport details, driving licence details, birth certificate, ..., and £10. It's hard to see any way round this. But again it seems peculiar to describe it as DMossEsq being in control.

Clause 15 tackles cookies. The BBC's own cookies. And third party cookies:
To support our journalism, we sometimes embed content from social media and other third party websites. These may include YouTube, Twitter, Facebook, SoundCloud, Vine, Instagram, Pinterest and Flickr. As a result, when you visit a page containing such content, you may be presented with cookies from these websites and these third party cookies may track your use of the BBC website. The BBC does not control the dissemination of these cookies and you should check the relevant third party's website for more information.
"The BBC does not control the dissemination of these cookies". Oh good. DMossEsq isn't in control and neither is the BBC.

DMossEsq could delete these cookies. If he remembered to. And had the time. But then the service wouldn't work, more than likely. Or it might work today but not in a year's time.

DMossEsq's "control" could rely on not having a BBC account at all. But then what does he do when the BBC say, as they inevitably will, that, in order to protect the children or stop tax evasion, DMossEsq can only avail himself of BBC services if he has an account?

Perhaps there's no alternative. But that's not the point. The point here is that DMossEsq is obviously not in control of his own personal information whereas the BBC say that he is.

"Aha", says the bright girl in the second row, "you can use the do-not-track (DNT) option in your web browser, that'll put you in control". Nice idea but no silver star – the BBC tell us at clause 16 that "this website does not currently respond to DNT requests".

Mind you, that could change. As we learn at clause 18. In fact the whole privacy and cookies policy could change at any time, "so you may wish to check it each time you submit personal information to the BBC". Very amusing. DMossEsq wants to search iPlayer for an hour or two of Lucy Worsley but before doing that he'll just quickly plough through 5,000 words looking for any changes since the previous version. Who is controlling whom?

Does anybody remember where we started? It seems hours ago but the BBC wanted to tell DMossEsq how to log in more conveniently.


Updated later that same day, 11:37

As per the above, someone in the BBC sent all us accountholders an email saying "we’ve made some changes to the BBC’s Privacy and Cookies Policy. We’ve done this so that we can introduce new features, while protecting your data and putting you in control of what happens to it" whereas an examination of the BBC Privacy and Cookies Policy quickly establishes that we accountholders have no control over the personal information we give the BBC.

If that email had been written by BBC News DTrumpEsq would have been all over it. Control? Fake news.

"Control" is just the wrong word.

The BBC are not normally imprecise. What causes them to be imprecise in this case? Let's allow ourselves two guesses.

Firstly, the BBC want to sound nice. They're paying us the compliment of pretending to be controlled by us. Give it another day or two and, who knows, the BBC may go further and tell us that we have been "empowered" by handing over our personal information to them.

Second, almost everyone else pretends that their identity management scheme allows the user to be in control of their own personal information, so why shouldn't the BBC join in, follow the herd, take cover in the crowd and do the same?

Take Mydex, for example. It's been years since DMossEsq has bothered to look at Mydex. They never could answer the question how handing over your personal information to other people gave you control of it and they still can't but they still make that promise: "Complete control You decide what you store, see and share". Perhaps the BBC are copying Mydex.

Or take the Government Digital Service's GOV.UK Verify (RIP), for example. "Users are ... in control of when their information is passed to a government service" – no we're not. Nor are we in control of our own personal information when GOV.UK Verify (RIP)'s "identity providers" send our personal information all over the world to their subsidiaries and sub-contractors and agents. Perhaps the BBC are copying GDS.

GDS pretend that GOV.UK Verify (RIP) abides by the nine sets of privacy principles devised by the UK's Privacy and Consumer Advisory Group. In fact it flouts the lot of 'em. Including no.1, user control, "I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them".

No-one can make good on that promise. Not Mydex. Not GDS. And not the BBC. So it's silly to make the promise in the first place. Control is not on the menu. Stop pretending that it is.

It's just as silly as GDS's other pretence that GOV.UK Verify (RIP) is, without qualification, "secure". It can't be and everyone knows that it can't. The pretence undermines confidence and trust ...

... like GDS's other other pretence, that "frictionless" means good. It doesn't. It means voluntary enslavement.

And then there's the other other other pretence that apps are good for you. They aren't. Not necessarily. A lot of the time, an app is just a virus by another name.

Our guesses as to the aetiology of the control promise may be wrong but the promise is anyway misleading and demeans the BBC. It's nearly Christmas. Can we look forward to a BBC retraction?

If the BBC want another example to follow, they could do worse than Barclays Bank, whose terms and conditions say:
If you, or someone with authority over your account, asks us to share your information with third parties, we're happy to do so, but it's important you know that we, as your bank, will have no control over how that information is used. You will need to agree the scope of use directly with the third party.
And the Barclays privacy policy, which says:
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
GDS and the BBC don't have much experience of managing personal information. Or of talking to their parishioners like grown-ups. They could learn a thing or two from Barclays, who do.

No comments:

Post a Comment