Should you be doing that? Social media, ickiness and privacy
This is an old post written long before GDPR. I really need to do an update…
Let me be absolutely clear. I am not a lawyer. I know a little about technology and I have been thinking about these issues for a while. But being an avid reader of Jack of Kent does not substitute for actual qualifications in legal practice.
A couple of years ago at BlueLightCamp Andrew Fielding pitched a session asking “when does social media use get ‘icky’”?
It’s a good question.
He was really thinking about a public sector comms team, say a police force. What are the limits of what they should be getting up to on Twitter? Is it OK to run searches for mentions of your local town? What about going back through the messages posted by someone tweeting about your local town? What about running a search on LinkedIn to find out more about them? What about building a file on them?
(There is no suggestion that Andrew or indeed anyone in public service comms is doing these things, this is a thought experiment).
Clearly (at least hopefully, clearly) there is a point when the normal use of these technologies for engagement and customer service steps over a line.
My initial response was to suggest that organisations should publish a policy on what they will or won’t do on social media. I started something off on PenFlip.
My thinking on how a policy should be framed has evolved a bit since then.
The view that it is necessary or desirable to have a policy covering these areas is not widely shared. I don’t know of any public body that has a policy covering these issues and when I talk to people working in digital comms they are surprised and sometimes angry at my position.
My starting point is that citizens have a right to expect the state to respect their privacy within reasonable limits. Chapter 2 of David Anderson’s Report of the Investigatory Powers Review provides a nice primer on privacy generally (how often do you read that sentence?)
In fact the right to privacy is enshrined in the European Convention of Human Rights (Article 8). This Article does allow the state to infringe your right to privacy when it is legal, reasonable and proportionate to do so. This is one of the issues at the heart of the debate around investigatory powers. The debate (and rightly) is focused on the powers the state should have to have a look at things you have chosen to keep private.
What I’m concerned with is the limits the state should have to look at things you have placed into a public sphere. There is a perfectly coherent argument to the effect that if you have chosen to put information into a public forum, you should accept the consequences. That makes some assumptions about the nature of the public spaces online. Is your Facebook update public like graffiti or public like a chat down the pub. As a society we would be much more relaxed about the council monitoring messages sprayed on walls than we would about them hanging around in pubs on the off-chance that they will hear something interesting.
I think that, in reality, some online spaces are public like graffiti and others are public like the pub.
I would like to see public bodies thinking through these issues and helping their staff understand what is acceptable and what is ‘icky’.
The three areas of relative ickiness
There are a set of actions that should be uncontroversial. It is a good idea for organisations to use social media for customer relations, policy development and to be “networked”. They should respond to messages clearly sent to them (or written on their page). They should seek out statements that are clearly intended for a wide audience: blog posts, comments on the local paper website, Tweets using relevant hashtags. All this helps organisations to understand their online community and should be encouraged.
Need to be authorised and limited (icky)
There are a set of actions that are not part of a public body’s investigatory functions but should be thought through and only undertaken within limited circumstances. To me these become relevant when the organisation becomes more interested in individual people.
Here are a couple of examples (again thought experiments not real world):
The comms team is asked a couple of interesting questions on Twitter from a new account. They wonder if this is a new blogger. Keeping track of who is writing about matters relevant to the authority is part of the job of the comms team. So they visit their profile but the information there is opaque. They want to do some more investigating, reading back through the Twitter timeline, searching for the name / user name on other accounts.
Social workers are working with a family. Dad is not happy following a meeting with social workers. There is concern that he might encourage people to harass the social workers in question. In order to understand the potential threat to their staff a team leader wants to search Facebook and keep an eye on Dad’s profile and maybe the profiles of his friends.
To my mind neither of the proposed actions are things that public bodies should be doing routinely. Given the specific circumstances they seem to me to be potentially reasonable and proportionate.
So I would suggest that they should be authorised on a case by case basis by someone reasonably senior. We are not in an area where warrants are necessary but we are in an area where the potential infringement of people’s privacy has to be considered and balanced with the need to (in these cases) protect public employees or provide better public services.
Constitutes investigatory action (beyond icky)
Beyond these actions are a whole set of actions where public employees are undertaking formal investigations for the detection or investigation of crimes. The Chief Surveillance Commissioner thinks there should be a policy covering social media:
“I strongly advise all public authorities empowered to use RIPA to have in place a corporate policy on the use of social media in investigations.” Annual Report of the Chief Surveillance Commissioner to the Prime Minister and to the Scottish Ministers for 2013–2014 para 5.33
Personally I think a policy covering the use of social media overall would make the most sense: these things are generally permitted, those things must be authorised, these other things are dealt with under RIPA-like procedures.
Don’t we have better things to worry about?
While we attempt to dissuade the government from granting far-reaching powers to the police and security services to break into computers and messaging systems this may seem like a distraction.
One does not discount the other. We should strike a sensible balance between security, utility and privacy all the time, not just when people remember to whack up the privacy settings.
I am also aware that I could potentially unite the “Human Rights gone mad” brigade with the “JFDI” digital engagement gang.
I am also aware that I’ve been focusing on public bodies here. This is deliberate because, as I understand it, public bodies are directly bound by Article 8: it is a right that protects you from the state. All of the things I have described can be undertaken by anyone, in any country.
Should your district council be able to find out less about you than a Chinese company?
All I can say is. These seem like relevant issues. We have not sorted them as a society. Talking about them seems like as good a way of approaching them as any.
Originally published at benproctor.co.uk on December 13, 2015.