2019: our year of data protection?


Prior to this year, a handful of civil society organizations and interested individuals had made a public outcry to the Nigerian government to codify a body of laws that would put mechanisms in place to protect the data of its citizens. At the beginning of this agitation, it was perhaps difficult for the government and common citizens alike to understand what this request meant. What was data, and why was everyone talking about keeping it so safe? What harm could possibly be occasioned if this data was not protected? Was it worth government resources and time to invest in data protection?

But it’s the 6th month in the year 2019 and it is looking as though Nigeria has come to terms with the need for the regulation and legislation of data protection for its citizens. In just this year, the National Information and Technology Development Agency (NITDA) has released a Data Protection Regulation and the National Assembly has concurred on and passed a Data Protection Bill which is now waiting for Presidential Assent.

But before the regulation and Bill are discussed, it would be presumptuous to assume that the questions concerning what data protection is, and why it is so important, have been answered.

Essentially, data protection as used in this context concerns personal data. Personal data is simply any information about a person. It could be about a person’s family or private life; it could be about one’s career or profession; it could be about one’s health, such as one’s genes, health status, or sex and reproductive information; it could also be one’s biometric information, financial information, political affiliation or opinion, gender, or even religious beliefs.

Personal data is a big deal in this age because it’s arguably the lifeblood of the internet and digital technologies. When the information age commenced in the early ’90s and communication and commerce became more fluid by means of digital technology, data became increasingly relevant to the survival of any business or service. Businesses are beginning to profit, not just from properly analyzing data but also just from merely owning data. You probably know someone who offers to sell emails or phone numbers or other personal information. And so you have to think, ‘what is so important about my personal data that it can be sold for value?’

This is why data protection enthusiasts continue to advocate for both technical and legal frameworks to guarantee that, in the midst of the data craze, the actual owners of data (you) are protected. Data protection, therefore, refers to the rules, practices, policies and safeguards put in place to ensure that personal information is collected, used, accessed, updated, and even deleted properly, lawfully, fairly and transparently.

It is almost an impossibility for this area of law or policy to be left to cooperation or self-regulation. That is, because of the commercial value of data and the sensitivity of same, it becomes irresponsible to simply demand that data custodians or controllers ‘do their best’ to keep data in their care safe, without backing it up with laws and repercussions. And perhaps this is the mindset that has informed Nigeria’s development of two data protection documents in the space of 5 months.

The Data Protection Regulation 2019 released by NITDA applies to all transactions that intend to or actually process personal information of natural persons (who are called ‘Data Subjects’) in Nigeria. The Regulation mandates that personal data shall only be collected for the lawful purpose consented to by the data subject, will be adequate and accurate information (as given) and will not be to the prejudice of any person, will be stored only for a period within which it is reasonably needed, and will be secured against all foreseeable attacks (digital and physical).

The Regulation also clearly defines what will be regarded as lawful processing of data, and from its provisions it is clear that the act of purchasing and processing data from third parties is against the law unless the data subjects are aware at the time of disclosure that their data will be used for such a purpose. That is, data cannot be collected for a particular purpose and used for another. As it says in Reg 2.3, “No data shall be obtained except the specific purpose of collection is made known to the Data Subject”.

One very important provision in the Regulation is that “any medium through which personal data is being collected or processed shall display a simple and conspicuous privacy policy that the class of Data Subjects being targeted can understand.” This, therefore, means that service or product providers must develop clear privacy policies that explain what is being done with the data which would be collected or processed and these policies must be understandable by the data subjects – whether they speak English, or Igbo or Hausa, or Ibibio or any other local or foreign language. This is very important.

The Bill passed by the National Assembly is not accessible on the NASS website but, pending its availability, perhaps reference can be made to a Data Protection Bill on the National Identity Management Commission’s website. The Bill also aims at providing rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information. While it is my genuine hope that the president gives his assent to the Bill, I also eagerly anticipate the opportunity to study the provisions in the Bill.

Perhaps all of the outcries of civil society organizations culminated into prophecies which are now being fulfilled in the enactment and release of Data Protection laws in Nigeria.
Perhaps the government and its agencies have been persuaded of the urgency and importance of data protection laws and regulations.
Or perhaps it is just a response to pressure.
But the year is 2019, it is the 6th month and Nigeria has two documents which hint that the country cares about her citizens’ personal information.
Welcome to our year of Data Protection!

I Spy With My Digital Eyes – On Domestic Abuse, Protection Orders and Technology

Naomi got married at the age of 22 with many people calling the entire thing crazy. Her parents were happy though. Her marriage meant that they were going to carry their grandchildren very soon and everyone knows that’s the ultimate hallmark of success for the average African parent. Her siblings and friends, on the other hand, worried that it wasn’t the right time, nor the right person. According to Ire, her friend since secondary school, ‘I’m not saying anything is wrong with Vincent, or with both of you getting married. But I know something is wrong – and I really wish I could place a finger on it.’

Naomi had smiled.

Perhaps she understood the concern almost everyone seemed to communicate, perhaps she did not. Two things were sure for her – she was getting married to Vincent and no one else understood him as she did.

You see, she had met Vincent in the year she turned 21, and in fact, it was the exact day she turned 21. He was having a solo dinner in the same restaurant she was having her birthday dinner and their eyes had met more than three times. But by the time she and her 5 friends had finished dinner, Vincent had left the restaurant without so much as a ‘hello’ acknowledging the connection between them. However, when they called for the bill, the waiter, instead brought a receipt and said, “The gentleman who sat at that table said to tell you ‘happy birthday’”. Naomi was grinning ear-to-ear and the teasing from her friends seemed unending.

Her parents’ house was just a 5-minute drive from the restaurant; perhaps that was why her Uber driver angrily zoomed off after dropping her at her gate. A trip that cost only N400! She stood at the gate fumbling with her handbag, searching for the key. As she searched, she suddenly felt someone creep up behind her. Turning sharply, she could not believe her eyes when she saw the guy from the table at the restaurant with the hugest bouquet of flowers and the widest smile. Creeped out, she pressed her back against the gate and stuttered, ‘Are you not… what do you….how did you…what are you’


“Relax”, Vincent replied. “Did you really think I’d leave without saying hello? I just needed to ensure that my ‘hello’ was substantiated” he winked.

Substantiated. She thought. Who the hell uses that word in everyday talk?

“Okay.” he continued. “Don’t be freaked. I know this is creepy. But I just wanted to tell you Happy Birthday and give you this.” he handed over the bouquet of flowers and a gift bag.

“Umm… Thanks?” she replied, collecting the gift and staring at him, heart still racing.

“Alright, bye,” he said. “And thank you. I’m sorry for freaking you out. My number is in the bag in case you want to communicate with me. Cheers.” And then he left.

Later on, Naomi would realize that this singular behaviour was the first sign she needed never to communicate with him. As earlier said, they went on to date, and then to get married. They stayed married for 4 years, but everyone who hears Naomi’s story always wonders why she stayed for that long.

Oh well, doesn’t everyone wonder why victims of domestic abuse wait for so long?

Plainly put, Naomi was viciously abused in that marriage. In the last 3 years of their marriage, Vincent took sexual, mental, emotional and psychological advantage of his wife, Naomi. He beat her sometimes to the point where it hurt her to feel the wind on her face. He would wake her in the night by choking her and would yell the most ridiculous things like ‘Why are you laughing in your sleep?! Tell me why?!’ or ‘What was the message you deleted from your chat with Ire?!’.

It was insane. Sometimes, he walked from the bathroom with faeces in his hands and put it into the whole pot of stew she was cooking. He stole money from her. He banned her from seeing her parents more than once a month – and she couldn’t even see her friends at all. He twisted and broke her right arm once and then asked her to make him Pounded Yam that afternoon. He never asked for sex, he just took it. And her two miscarriages were his doing. Whenever he smoked weed at home, he would tell her to open her mouth and would puff into it – sometimes, spit into it, sometimes, pee into it. One could go on and on about the messiness that was the mind of Vincent, but that is not necessary.

Last year, Naomi finally spoke out and sought a divorce. In court, one of the reliefs she asked for was drawn from sections 30 and 31 of the Violence Against Persons (Prohibition) Act 2015. Those sections provide that the court may issue a Protection Order (what we sort of know as a restraining order). And according to Section 31, the Order may prohibit the respondent (which in this case is Vincent) from doing a bunch of things including:

  1. Committing any act of domestic violence
  2. Entering a shared household (or a specified part thereof)
  3. Entering the complainant’s residence
  4. Entering the complainant’s place of employment
  5. Or committing any other act as may be specified by the Order.

The judge granted Naomi’s application to issue such an Order. Therefore, coupled with the dissolution of the marriage, Vincent was ordered by the court not to physically, emotionally, mentally, sexually, or psychologically cause or attempt to cause harm to Naomi. He was also ordered neither to enter her home nor her place of employment without express invitation. Furthermore, he was ordered that for a period of 2 years, he was to distance himself from her, constantly maintaining at least 500 meters between himself and her.

The night of the judgment, Naomi sat in a living room with her 5 friends and they drank champagne until they were all drunk. They also danced until they slept off one after the other. It was, however, the constant buzzing of her phone that woke her up. She looked at her phone screen and saw 50 messages from a strange number. She had blocked Vincent’s number a long time ago and had registered a new SIM card, so she wondered who it was. Opening her messaging app, she froze. The messages were definitely from Vincent, but that was the least of her problems. The texts indicated that he undoubtedly knew where she was. They read something like: “These girls are not your friends.” “They did not tell you how ugly you look in those pink bum shorts.” “You look like a hobo. So dirty and ugly.” “Gosh, I can even smell you from here.”

This was only the beginning for Naomi. It has been one year since the Protection Order was issued in her favor but that has not stopped her abuse. In fact, she is certain that Vincent has been on an 8-month work trip to The Gambia. But the texts won’t stop. The threats won’t stop pouring in. She constantly gets texts that say, “I know where you are” or “I know what you’re doing” or “I’ll come for you anytime now. And when I do, you won’t live to tell the story”.

Today, just as she was about to leave the house, her phone beeped and it read: “Are you sure you want to leave right now? Seems like a good day to be run over by a car?” The digital surveillance seems unending. There is no real difference between when she was in the marriage and now that she’s out.

_____________________

I entirely painted this scenario above in my head. And although all characters are fictitious and similarities to any real person (living or dead) are merely coincidental, I’ll dare say that this is the exact reality of many people.

And so I wonder, what’s the proactiveness of the law (in Nigeria) regarding scenarios such as this? Do Protection Orders envision digital surveillance in restraining abusers?

Protection Orders need to be issued with the understanding that the definition of distance has now been blurred by technology. If a person is ordered not to be within a certain number of meters of another person, then consideration must also be given to the fact that proximity can also be digital. And such proximity can be as dangerous as a physical one. Domestic abuse can be carried out effectively both offline and online, and our laws and reliefs have to factor this in.

In the making of this article, I googled ‘spy on my boyfriend’ and I got countless app suggestions. These apps are apt to let me know that I can know what my boyfriend is doing without touching his phone, I can know where he is, I can read messages on all of his social media platforms and so on. More technology is being developed to enable spying and surveillance.

So I ask, what stops me from having a virtually invisible camera installed in his house if I have a Protection Order prohibiting me from entering his house? Aren’t they the same thing?

And what stops me from using GPS tracking if I have a Protection Order against stalking? Aren’t they the same thing?

There are reports upon reports of bitter exes using spyware and other forms of technology to execute abuse on their former partners. Do our Protection Orders cover that?

Well, they need to.

This was a little different kind of gem, but gem all the same. So I’ll need you to:

  1. Kindly give me some feedback in the comment section.
  2. Subscribe so you automagically get my articles in your mailbox.
  3. Share this piece with a friend (or an enemy)

The Law of Gravity and the Cloud

What goes up, must come down. But is that perfectly true of cloud computing? Understand data deletion and the use of cloud services.

Philosophers are weird.

I mean, Descartes slept in a traditional oven.

Demonax got old, thought he couldn’t take care of himself anymore and then simply stopped eating until he died.

Rousseau abandoned his 5 children because it was the fashionable thing to do in his social circle.

Diogenes lived in a small barrel in public.

Plato described man as ‘a featherless biped’.

And then Diogenes plucked the feathers off a chicken and asked Plato if it was a chicken or a man. (Huh?)

So it is without shock to discover that even Sir Isaac Newton was an interesting character. At his funeral, it was said, ‘[Newton] was never sensible to any passion, was not subject to the common frailties of mankind, nor had any commerce with women—a circumstance which was assured me by the physician and surgeon who attended him in his last moments’. Uhhh… Weird much!

All that is to say that when Newton saw an apple fall from a tree, it was only natural for him not to think as the rest of us would have. Instead, he thought: “why should that apple always descend perpendicularly to the ground? why should it not go sideways, or upwards? but constantly to the earth’s centre? Assuredly, the reason is, that the earth draws it. there must be a drawing power in the matter & the sum of the drawing power in the matter of the earth must be in the earth’s centre”.

And it was so, that these thoughts formed the beginning of what we now learn as the law of gravity/gravitation.

Thanks to Newton, now we know that there is a force of attraction between two masses; the earth and objects in its vicinity. And that this is why we don’t float when we walk, why things drop if they are thrown, why the moon does not go on a frolic of its own, why it’s harder to walk uphill, why we trip down when we fall; and why aeroplanes are real inventions, because they are built in such a way that their lift counters gravitational forces. (I see you, Wright Brothers.)

In more simple terms “What goes up must come down!”

But I’m here to ask: “Is that really true, especially of the Cloud?” Does anything ever really “come down” from the Cloud? Is anything ever really, really deleted?

First, it might be needless to say that the ‘Cloud’ being discussed here isn’t the skies or the cloud above. (this is a law-tech blog people!)

Second, it’s also important to note that the Cloud is, strictly speaking, not the Internet, as many might think. The Internet is just a global network of computers that enables connectedness. The Cloud (which is actually short for Cloud Computing) is technology that leverages the internet. It basically allows us to store (and access) data or run programs using someone else’s computer via the internet. So instead of storing files on your hard drive or downloading software to your hard drive in order for it to run, you only need to connect to the internet and do that. So imagine using Google Docs online instead of using Microsoft Word, which is domiciled locally (on your computer). Or imagine using Dropbox to save your files instead of your flash drive.

Cloud computing has a bunch of advantages. For example, you don’t have to worry about viruses or any mishap to your software, or even hardware. Also, you don’t have to spend so much on storage infrastructure or on the cost of software licensing (although you may have to pay a periodic fee to your cloud provider – like how I pay for more space on my Google Drive, and I only just got a mail telling me that my payment was declined because: insufficient funds. Poverty die!). Also, you can access your data or run these programs from anywhere, as long as you can connect to the internet. All in all, it is the make-sense thing for you to do.

But the question remains: how sure am I that data deleted from the cloud is truly deleted?

And this question is important for a number of legal reasons. A lot of privacy and security concerns arise with the advent of the cloud because – think about it – it’s essentially putting your data on someone else’s (albeit a corporate person’s) computer, possibly in an unknown location. Anything can happen and you want to be sure that if you delete any data, it is truly deleted.

On this my beautiful site, I recently talked about the right to be forgotten as contained in the GDPR vis-a-vis blockchain technology (it’s super interesting and you should check it out).

But here’s what you should know (and I’m also using the GDPR as a guide here):

  1. Your personal data is to be deleted or returned to you at the expiration of whatever service is being rendered to you. So in line with Cloud Computing, assuming I stop using my Google Drive account – I close it down. All data stored in my Drive must be deleted or returned to me.
  2. You can place a request concerning your data in the hands of a Cloud service provider in the event that you no longer want them to have it.

Google, a Cloud service provider, has addressed this issue as it relates to them. According to them, “When you delete your customer data, Google’s deletion pipeline begins by confirming the deletion request and eliminating the data iteratively from application and storage layers, from both active and backup storage systems”.

In this explainer video on YouTube, Google further explains that ‘…when you remove information from your account, like a search from your search history or a file on Google Drive, we follow a strict process to delete it.’ They go further to tell us what this process is: ‘To begin, we remove the information from the product (say, Google Drive) where it was being used so it’s no longer visible for use in the product. We then immediately begin the process of removing the information from the active systems where it’s been stored. During the time it takes to delete information, our systems stop serving it.’

First, Google has confirmed something apparent: data is not totally deleted when a user deletes it from his/her own end. It’s still stored on the systems which render the cloud service.

Secondly, there has to be an intentional process dedicated to deleting the so-called ‘deleted file’ from where it is being stored with the Cloud Service provider. So imagine you use an iPhone and your pictures automatically synchronize to the iOS cloud service known as iCloud (because trust Apple to put an eye on everything. Get my joke? Get it?). Anyway, imagine you take a sensitive image (say of a naked body) and then you delete it off your phone, and for due diligence, you go to your iCloud and also delete it. Well, what Google is telling you is that the picture (most likely) still exists on Apple’s storage computers and they’d have to delete it for it to be really deleted.

But guess what? Google isn’t even done. There’s still something they have to do to get it really, really deleted. Check this out. In continuing their explainer video, they say, “As part of our redundant systems, your information might also be in backup storage which is difficult for us to access but available for use to help our services recover in case of a disaster. Data can remain on these backup systems for up to six months. Sometimes, instead of removing information from our systems, we might anonymize the data so that it’s not associated with you”.

Aren’t you just thinking, ‘wow!’.

And maybe you’re also thinking, ‘Nah. I’ll just delete my account’. Well, Google has a response to that. They say, ‘And if you delete your account, no worries, we keep your info in a recoverable state for up to one month’.

So you see that while using cloud services, data deletion is not final with the click of the delete button. The file still exists; the questions are simply ‘where?’, ‘how accessible or vulnerable is it?’ and ‘how soon do you also get it off your systems?’ This is why I’ll totally encourage you, as a consumer of these products and services, to intentionally look out for the data erasure/retention policies of your service providers. If you’re not comfortable with their policies, or they don’t even have one, you don’t have to use them.

You’ve heard where Google stands. For more details, you may check it out here

For Microsoft, theirs is here

Cheers!

And now that I’ve served so much gem, I need three things from you:

  1. Kindly give me some feedback in the comment section.
  2. Subscribe so you automagically get my articles in your mailbox.
  3. Share this piece with a friend (or an enemy)

Does Blockchain Snark at your Right to be Forgotten?

Oh! The number of questions within this question. Like, ‘what is blockchain and why does it sound mean?’ ‘What is my right to be forgotten?’ ‘WHY do I want to be forgotten?’ ‘Do I really have this right to be forgotten? Like the constitution says I do??’ And what has blockchain got to do with all of this?


I am literally sipping water from a cold flask to calm my nerves because where do we even begin? I guess I’ll have to tell you a couple of stories first to lay some tracks for this article and also because that’s a hospitable thing to do – tell stories. The following stories are true ones:

The Murder of Walter Sedlmayr – Germany

The above-named man with the surname you can’t pronounce was a German actor who died in 1990. He was found in his bedroom, tied up, stabbed in the stomach with a knife and hit on the head with a hammer. Three years later, his former business associates Wolfgang Werlé and Manfred Lauber, were found guilty of his murder and sentenced to prison time which has now been completed. Obviously, this story made it into Wikipedia (German and English), and it made the two ex-convicts angry. They requested that their names be taken down from both posts as it eroded their right to privacy. Requests were not quite successful because I mean, you can still see their names here.

Porn Unintended – Argentina

Virginia da Cunha is a 37-year-old Argentine singer, actress and dancer. In 2012, she took a bunch of sexy pictures (as celebrities are known and privileged to do) and even gave appropriate permission for the same pictures to be published online. However, the pictures began to come up when ‘pornography’ or porn-related words were searched on the Google and Yahoo! search engines. The celebrity sued both companies to remove these results. They were taken down. She won. (Although, I hear that the case is on appeal.)

Melvin v. Reid – The United States

Melvin was just a prostitute in her former life. However, as it is with such a risky profession, she found herself being accused of murder. She went through the court motions but thankfully, the court decided that she wasn’t guilty, so she was acquitted. Melvin got herself rehabilitated and began to lead a peaceful life with a husband. Seven years later, however, a movie called ‘The Red Kimono’ was released and it was based on Melvin’s former life including the murder. The facts in the movie were not misrepresented and in fact, Melvin’s maiden name was used.

She sued the movie makers and finally, she won. The court is recorded to have said: “any person living a life of rectitude has that right to happiness which includes a freedom from unnecessary attacks on his character, social standing or reputation.”

Mario Costeja González; Fighter of Google – Spain

A long time ago, Señor Mario owed some social security debts in Spain, and so a property of his was foreclosed by the government. Adverts were placed in a print newspaper calling on people to come for the auction of his house, and later on, these adverts were moved to the newspaper’s website. Because no condition is permanent, all of these money issues were eventually over and Señor Mario could continue living his life, but for one problem: if you searched his name on Google, you’d forever see that he was once in debt and his house was up for auction. It was embarrassing to him (because imagine his bank or his employers doing a search on him). He reached out to the newspaper, to Google in Spain and to the Data Protection Agency in his country, requesting that this content online be taken down. A lot of super interesting legal arguments were made in court and I’m doing everything I can not to go into them because the article is already looking long. So, let’s continue.

THE RIGHT TO BE FORGOTTEN

I believe your train of thought has followed these tracks I have laid and now you might have an understanding of what the right to be forgotten is.


The right to be forgotten is simply the right of a person to determine and have some control over the development of their life and of their profile narrative online. It is to be able to control information about yourself such that you’re not being perpetually or periodically stigmatized as a result of something you did or something that happened to you in the past.

It is a person’s right to have certain data deleted so that internet surfers can no longer trace them. The right to be forgotten has been defined as ‘the right to silence on past events in life that are no longer occurring.’ A lot can be said on the definition but just understand it as the power of a person to induce amnesia regarding information s/he would rather not be remembered for.


A noticeable trend in the stories I told earlier (and indeed other stories around this) is that the complainant or plaintiff usually refers to this right as ‘the right to privacy’. I believe that that’s poorly couched, but forgivably so, because the right to be forgotten is relatively new and its conceptualization is still in the works.


While the Right to Privacy generally relates to information which is not already publicly known, the right to be forgotten involves information already in the public domain but which needs to be erased. It’s like a ‘forgive and forget’ scenario, only with the emphasis on ‘forget.’


There are arguments for and against this right and of course both sides have their points.

For instance, when you consider repulsive issues such as revenge porn, child crimes, and just the sheer understanding of the frailty of man, one is prone to embrace this right. However, considering (and I speak for Nigeria) crass and dubious politicians who double as our nation’s cancer, and their penchant for literally erasing our memories either by stopping the teaching of History in schools, intimidating the media, influencing the media with fake information and so on, you might be inclined to be anti-RightToBeForgotten.


Currently, Argentina and the European Union are championing this right. I hear that Argentina is more of a boss at it but the EU isn’t doing badly at all. Article 17 of the GDPR (have you read my GDPR article?) states that ‘the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:’ It then goes on to list 6 simple grounds:

Picture gotten from http://i-scoop.eu/


Also, see this simple chart explaining the non-absoluteness of the right.

Picture gotten from http://i-scoop.eu/

Perhaps you have the same question as I did when I read Article 17 GDPR: Can Search Engines be said to be Data Controllers?

The GDPR basically states that data controllers are those who determine the purposes for which, and the manner in which, personal data is processed. And the Court of Justice of the European Union (CJEU) stated in Señor Mario’s case that an internet search engine operator (e.g. Google, Yahoo!, Bing) is responsible for the processing that it carries out of personal data that appear on web pages published by third parties. Cool stuff.


So, because the EU is working hard to protect citizens within its jurisdiction, Google (and some other search engines) have created data erasure forms for EU residents to fill to have their online data wiped if they want (and of course with terms and conditions). It’s called ‘EU Privacy Removal’. It’s here. Google also added ‘Iceland, Liechtenstein, Norway and Switzerland.’ (Sorry, Nigeria and other African countries.) You can see more info on how the form works here.

NOW, BLOCKCHAIN

Well, I believe all your questions about the Right to be Forgotten have been answered. Although there are still appendages of issues on that right, I am confident that you are successfully abreast of the fundamental vibe of it. If I’m right say, “aye!”

(the ‘ayes’ have it!)

Now, blockchain.

If you’re non-technical, let me give you heads-up. EVERY article attempting to explain blockchain usually goes like this: ‘Okay, I understand this, I understand that. Yeah, that’s understood. Oh? Cool. Yeah, that makes sense. This thing is actually pretty relataboksbutwyfduwdcfdyqrsdifwqusjw;qodifiwqyphwoiudiogfwqdcjwqfexhwqdfsglwq;oiudpewqo8ydfwtf’.


But I’ll try my best to tell you how I understand it. Blockchain is a technology that can also be called a distributed ledger. You know what a ledger is, right? No? Okay, a ledger is a file that records financial transactions. Now picture a digital ledger that can record every valuable transaction online. That ledger is then spread across several computers and every time it is updated with a new transaction, it updates itself on every computer. (N.B. Blockchain is not bitcoin; it’s just the tech that helps bitcoin be bitcoin.) So the blockchain database is identical on every node (computer) and so it leaves a (generally) publicly accessible data trail. I mean, if you know what to do, you can access the trail.


Therefore, if you’ve engaged in transactions relevant to the blockchain, your data is stored in the chain – data like your address, card number, phone number could be represented on a blockchain.

Now, blockchain is like the banner of internet integrity such that the data recorded in a chain is immutable and unerasable. Although it’s mostly encrypted, it can be decoded and therefore identifiable.

But I repeat, data in blockchain is not erasable. You cannot delete the data. You, also, cannot change or edit it – because this will break the chain and make the entire concept of blockchain useless. You can only add more to the chain.

So what is the effect of Article 17 of the GDPR and the general concept of the right to be forgotten & the right to erasure on blockchain technology? I thought I was a genius when I thought of this question but it turns out many other people are thinking of it.

From my research, although there are a couple of things you can do on a private (permissioned) blockchain (like choosing to forget or throw away the encryption key for the data, or setting the transaction to an unsolvable private key thereby locking yourself and everyone else out), there is not much you can do on a public, generally accessible blockchain except to NOT store personal data on the chain. You may choose to store the personal details of that data off the chain and then instead, store an encrypted reference to it on the chain. If anyone wants to access that reference, then the person must verify that he has the right to. If he does, he will then be referred to where the data is by a link (which won’t be on the blockchain).


This was one person’s suggestion. It was probably the best I saw (and take this with a pinch of salt because I do not code). This paper, however, suggests a solution developed to help temporarily store, summarise or completely remove transactions from blockchain while maintaining the chain’s consistency. I don’t know. I call on techies to read it and summarize it to me.
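Since I called on techies, here is a toy version of the “reference on chain, personal data off chain” idea from the paragraph above, together with what goes wrong if you write personal data straight onto the chain and later try to edit it out. This is my own added illustration, not code from the article or from the paper mentioned; the chain, the off-chain store and the key vault are all in-memory stand-ins, the sample record is made up, and the HMAC-based stream cipher is a placeholder for a real cipher (a real system would use AES-GCM from a proper crypto library).

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- a toy append-only chain: each block commits to its own payload and to the previous block ---

@dataclass
class Block:
    index: int
    prev_hash: str
    payload: dict          # the only thing that ends up "on chain"
    hash: str = ""

GENESIS = "0" * 64

def block_hash(index: int, prev_hash: str, payload: dict) -> str:
    body = json.dumps({"i": index, "p": prev_hash, "d": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append_block(chain: List[Block], payload: dict) -> Block:
    prev = chain[-1].hash if chain else GENESIS
    blk = Block(len(chain), prev, payload)
    blk.hash = block_hash(blk.index, blk.prev_hash, blk.payload)
    chain.append(blk)
    return blk

def verify_chain(chain: List[Block]) -> bool:
    """True only if every block still matches its own hash and links to its predecessor."""
    for i, blk in enumerate(chain):
        expected_prev = chain[i - 1].hash if i else GENESIS
        if blk.prev_hash != expected_prev or blk.hash != block_hash(blk.index, blk.prev_hash, blk.payload):
            return False
    return True

# --- toy stream cipher (HMAC-SHA256 in counter mode), illustration only: use AES-GCM in practice ---

def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# --- off-chain store (ciphertext) and key vault (one key per record), both kept outside the chain ---

OffChainStore = Dict[str, dict]    # ref -> {"nonce": hex, "ciphertext": hex}
KeyVault = Dict[str, bytes]        # ref -> per-record key

def add_personal_record(chain: List[Block], store: OffChainStore, vault: KeyVault, personal: dict) -> str:
    key, nonce = os.urandom(32), os.urandom(16)
    ciphertext = xor_keystream(key, nonce, json.dumps(personal, sort_keys=True).encode())
    ref = hashlib.sha256(ciphertext).hexdigest()     # content-addressed pointer: carries no personal data
    store[ref] = {"nonce": nonce.hex(), "ciphertext": ciphertext.hex()}
    vault[ref] = key
    append_block(chain, {"type": "personal_data_ref", "ref": ref})
    return ref

def read_personal_record(store: OffChainStore, vault: KeyVault, ref: str) -> Optional[dict]:
    """Returns the personal data, or None once it has been erased (no key, no copy, or a tampered copy)."""
    if ref not in vault or ref not in store:
        return None
    ciphertext = bytes.fromhex(store[ref]["ciphertext"])
    if hashlib.sha256(ciphertext).hexdigest() != ref:
        return None                                  # off-chain copy no longer matches the on-chain commitment
    plain = xor_keystream(vault[ref], bytes.fromhex(store[ref]["nonce"]), ciphertext)
    return json.loads(plain)

def erase_personal_record(store: OffChainStore, vault: KeyVault, ref: str) -> None:
    """An erasure request: shred the key and drop the off-chain copy. The block itself is untouched."""
    vault.pop(ref, None)
    store.pop(ref, None)

def redact_on_chain(chain: List[Block], index: int, field: str) -> bool:
    """The thing the article warns about: personal data written directly on chain, then edited out.
    Returns whether the chain still verifies afterwards (it will not)."""
    chain[index].payload.pop(field, None)
    return verify_chain(chain)

if __name__ == "__main__":
    chain, store, vault = [], {}, {}
    ref = add_personal_record(chain, store, vault, {"name": "Ada", "phone": "+234 000 000 0000"})  # constructed sample
    print("before erasure:", read_personal_record(store, vault, ref), verify_chain(chain))
    erase_personal_record(store, vault, ref)
    print("after erasure: ", read_personal_record(store, vault, ref), verify_chain(chain))
    naive = []
    append_block(naive, {"name": "Ada"})
    append_block(naive, {"note": "a later transaction"})
    print("editing personal data out of a block keeps the chain valid?", redact_on_chain(naive, 0, "name"))
```

After erasure the chain still verifies but the record can no longer be read, which is the whole point; the naive chain fails verification the moment a field is removed.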

I’m actually tired – I’ve sat for three hours doing this article.

BUT! I enjoyed every bit of it. I love studying the clash or relation of the two powerful forces called ‘technology’ and ‘law’. Because while the law is a mulish ass demanding that it must be obeyed, technology is a fleet-footed movement with its own inherent laws. They make an interesting couple. And I hope you enjoyed the article as well.

In conclusion, maybe blockchain does NOT snark at your right to be forgotten. But it does dare you to try!

Merci.

____


I’ll appreciate your comments below!

Also, if you have any topics you think I should write about, please let me know with this simple form here.

Ce COOKIE n’est pas comestible

In the spirit of weird naming, I decided to title this article in a language you probably don't understand. But it basically means 'This COOKIE is not edible'. :)

Bon! Let’s get into the article.

At the risk of sounding like an unserious person, one of the things that intrigue me the most in the tech space is the art of weird-naming. For instance, check out this TechCrunch Article that discusses how startups make weird name choices. I mean, a good example in Nigeria is ‘JiJi’. If you’re Yoruba, you probably understand better why this is a weird name selection for an Online marketplace.

But, then, even apart from companies, some technologies do have funny and unrelated names.

For instance, ‘Bluetooth’.

Here’s a question: What does a tooth, so dirty, it’s blue, have to do with file sharing and communication between devices? (P.S. The only thing a real blue tooth is sharing is oral thrush -_-). Anyway, Bluetooth was the name of a king in Norway who introduced Christianity to Denmark and Norway and united different regions and allowed for better flow of communication. Read about him here.

Also, check out Phil Belanger (founding member of the WiFi Alliance) saying that the word ‘WiFi’ stands for nothing. Nope. Not ‘Wireless Fidelity’. According to him, “It is not an acronym. There is no meaning.” Buhahahaha.

And now, in this article, we’re looking at ‘Cookie’ as an internet word. I have heard that the term may have been coined from ‘leaving crumbs of data on the internet’ or from the fortune cookie which usually has an embedded message (this might be a reach though). Anyway, Cookie, in this regard, is also referred to as ‘HTTP Cookie’ or ‘Internet Cookie’ or ‘Web Cookie’. But for this article, we’ll just stick to ‘Cookie’.


What, in the web, is a cookie?!

A cookie is simply data/information sent from a website to your computer to help store your preferences or choices in order to make your future experience on the site more seamless or better tailored.

For instance, a couple of days ago, I was seriously desiring a Vinyl Player and I was like ‘Okay, Boro, you’re doing this. You’re getting yourself one’. So I went on my go-to site for weird stuff, and searched for ‘Vinyl Player’. I saw the one I wanted and then saw the price and then laughed and continued eating from hand to mouth. I, however, visited the site again today and there on the landing page and without having to search for it, I was welcomed with:

Issa Temptation


I’ll paint a scenario to help you better understand: You want to buy a shoe so you visit www.bestshoeseverliveth.com. You search for sneakers and scan through and finally find one that you like. You add it to your cart and proceed to payment. At payment you select ‘Naira’ as your preferred currency and then you pay. If the website uses cookies (which it most likely will), a piece of information will be sent to your computer. The website creator is the one who determines the type of information a cookie collects. In this scenario, it may just be your currency preference, but it may also be other details like: your preference of sneakers, your name, your card details, items you favorited but didn’t purchase.


Why? Why? Why? Why? Oh Lord, Why are they saving information about me?

Well, like I said earlier, it’s generally to help you enjoy your visit to the website next time. For instance, the next time you come, you’ll probably be served with an array of sneakers and won’t be asked what currency you want to pay in anymore. Furthermore, it’s stored on your computer so that when you use that same computer to browse for stuff, the website server communicates with the cookie it has kept on your computer and tailors your experience.

Cookies are also used to present more relevant advertising (for sites that embed ads). See the notice on this site I visited today as well:

Speaking about sites that display ads, has it ever happened to you that you tried shopping for an item on a site, or you searched for something somewhere, and then every other site you went to in the world kept offering ads of those items?

Well, the general rule is first that only the same website that saved your information can read your cookie. So normally, if you visit bestdresseseverliveth.com and search for ‘red bodycon dress’, you shouldn’t expect to visit greatdresseseverliveth.com and have a flood of red bodycon dresses thrown at you in a very unsubtle manner.

However, here’s a clause. One website can actually have embedded pieces of another website.

Let’s imagine again: You visit myfirsttimehere.com for the first time. And as you scroll through the site you begin to see ads of ‘red bodycon dresses’ all over the place. Don’t be shocked, it could either be that myfirsttimehere.com embeds ads from bestdresseseverliveth.com OR, it embeds ads from a site that also gets its ads from bestdresseseverliveth.com. And so what happens in that scenario is that since bestdressesseverliveth.com already has a cookie stored in your computer, although you’re currently on myfirsttimehere.com, it’ll still be able to extract information about your preferences through that site because a bit of it is embedded on the FirstTimeHere website.

Also, it might be important to know that some websites don’t bother with the basic cookies. The idea of cookies is to store small pieces of data, but if the website intends to store more than small pieces of data, they may choose the alternative of using an ID (like a username). So what happens is that instead of storing a cookie in your computer, the website saves a unique ID in your computer and so whenever you interact with that website, the unique ID stored aligns and thus the cookie/information is saved on the website’s system and not your computer anymore. These are called ‘Third Party Cookies’.


This sounds like several levels of risk and invasion? Please scare me further!

LOL. Well, like all technology tools, Cookies are to be used to make stuff better; for you, to make your browsing experience better and help you use your brain less. For the website, it is to help them deliver more stellar services and help with more precise targeting of ads. But also like all technology tools (especially invasive ones like this), it can be misused.

For instance, imagine I am able to get a hold of your cookies and then communicate with the website as you. It means that I may have access to details such as your passwords, credit card details, address and so on. It’s supposed to be almost impossible for this to happen but apparently, there’s something called cross-site scripting which basically happens by inserting a script into an insecure website and then sending the session cookie of visitors back to the inserter of the script. So when building your website or when visiting websites, it’s important to be conscious of the security of the site.
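To make the cookie rules from the last few paragraphs concrete (only the site that set a cookie gets it back, the embedded-ad scenario where bestdresseseverliveth.com still receives its cookie while you are on myfirsttimehere.com, and the cross-site scripting point just above), here is a small model of a browser’s cookie jar. It is my own added illustration, not code from any browser or website; it uses the made-up site names from this post, matches cookies by exact host only, and simplifies SameSite to “blocked on embedded cross-site requests”.

```python
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

@dataclass
class Cookie:
    name: str
    value: str
    domain: str                 # host that set the cookie (exact-host matching only in this model)
    secure: bool = False        # only sent over https
    http_only: bool = False     # hidden from document.cookie, so a script injected into the page cannot read it
    same_site: str = "None"     # "None", "Lax" or "Strict" (real browsers also require Secure with None)

class CookieJar:
    """A minimal model of the browser's cookie rules, constructed for this example."""

    def __init__(self) -> None:
        self.cookies: List[Cookie] = []

    def set_cookie(self, setting_host: str, set_cookie_header: str) -> Cookie:
        """Store a cookie from a Set-Cookie header such as 'session=abc; HttpOnly; Secure; SameSite=Lax'."""
        parts = [p.strip() for p in set_cookie_header.split(";")]
        name, _, value = parts[0].partition("=")
        cookie = Cookie(name.strip(), value.strip(), setting_host)
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            key = key.strip().lower()
            if key == "secure":
                cookie.secure = True
            elif key == "httponly":
                cookie.http_only = True
            elif key == "samesite":
                cookie.same_site = val.strip().capitalize()
        # a cookie with the same name from the same host replaces the old one
        self.cookies = [c for c in self.cookies if not (c.domain == setting_host and c.name == cookie.name)]
        self.cookies.append(cookie)
        return cookie

    def cookies_for_request(self, request_url: str, top_level_host: str) -> Dict[str, str]:
        """Cookies the browser attaches to a request. top_level_host is the site in the address bar;
        when it differs from the request host this is a third-party (embedded) request."""
        url = urlparse(request_url)
        third_party = url.hostname != top_level_host
        sent: Dict[str, str] = {}
        for c in self.cookies:
            if c.domain != url.hostname:
                continue              # rule 1: only the site that set a cookie ever gets it back
            if c.secure and url.scheme != "https":
                continue              # Secure cookies never travel over plain http
            if third_party and c.same_site in ("Lax", "Strict"):
                continue              # SameSite keeps the cookie out of embedded cross-site requests
            sent[c.name] = c.value
        return sent

    def cookies_readable_by_script(self, page_host: str) -> Dict[str, str]:
        """What document.cookie would expose to JavaScript running on page_host."""
        return {c.name: c.value for c in self.cookies if c.domain == page_host and not c.http_only}

if __name__ == "__main__":
    jar = CookieJar()
    shop = "bestdresseseverliveth.com"
    jar.set_cookie(shop, "pref=red-bodycon")                     # preference cookie, no protective flags
    jar.set_cookie(shop, "session=s3cr3t; Secure; HttpOnly")     # login session (constructed value), hardened
    print("on the shop itself:", jar.cookies_for_request(f"https://{shop}/search", shop))
    print("ad embedded on myfirsttimehere.com:", jar.cookies_for_request(f"https://{shop}/ad.png", "myfirsttimehere.com"))
    print("visible to a script on the shop:", jar.cookies_readable_by_script(shop))
    jar.set_cookie(shop, "pref=red-bodycon; SameSite=Lax")
    print("same embed after SameSite=Lax:", jar.cookies_for_request(f"https://{shop}/ad.png", "myfirsttimehere.com"))
```

The embedded ad request still carries the shop’s cookies until the shop marks them SameSite, and the HttpOnly session cookie never shows up in what a script on the page can read.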

 

So what does this have to do with Law?

Well it’s simple, every discussion on data and information collection, processing and use should envisage the watchful stare of the Law. As I have said a couple of times, the right to privacy is real and information about people in your custody should be treated with diligence, intentionality and care.

The very popular guiding principles of data protection say:

“personal data or information must be processed fairly and lawfully; personal data or information must be obtained only for one or more specified and lawful purposes; personal data or information must not be excessive in relation to the purpose or purposes for which they are processed; and personal data or information must be deleted when no longer necessary for the purposes for which it is collected” – Culled from the African Declaration on Internet Rights and Freedom.

That quote up there is super important so I’m going to copy and paste it down here again.

“personal data or information must be processed fairly and lawfully; personal data or information must be obtained only for one or more specified and lawful purposes; personal data or information must not be excessive in relation to the purpose or purposes for which they are processed; and personal data or information must be deleted when no longer necessary for the purposes for which it is collected”

In addition to this, it’s very important to let visitors know about the existence and use of cookies on your site.

“The collection, retention, use and disclosure of personal data or information must
comply with a transparent privacy policy which allows people to find out what data
or information is collected about them, to correct inaccurate information, and to
protect such data or information from disclosure that they have not authorised.
The public should be warned about the potential for misuse of data that they supply
Online.” – Culled from same source above.


In conclusion, cookies can be used for good and for bad; web developers should ensure they use them only for good. Don’t overtly share data with third parties, don’t lie in your privacy policy, try to use the best technologies to protect data, don’t steal anyone’s data… etc.

Also, because your data is yours, if you’re uncomfortable with this whole Cookie thing, learn how to disable your cookies here. You may also delete existing cookies here. 

And if you’re not sure whether your browser allows cookies, just open this tab here and you’ll know.

Fin!

*serves cold Berry Blast to go with the Cookies y’all just had*

Happy GDPR Day!

Congratulations!

If you’ve been receiving warning or anticipatory mails about the GDPR coming into force, well, congrats because you lived to see that day and it’s today.

If you’re like, ‘Okay, calm. What is GDHR or GDPH or what now?’, well congratulations as well, you’re in the right place to lessen your cluelessness.

So, on the 14th day of April 2016, a day which was an anniversary of the day the Soviet Union agreed to withdraw from Afghanistan (1988); when the heaviest hailstones ever recorded visited Bangladesh with a bang (1986); when President Abraham Lincoln was shot (1865); when the Titanic hit an iceberg in the North Atlantic (1912)… on this very day in 2016, the GDPR was approved by the European Parliament.

The GDPR is short for General Data Protection Regulation, but its long title sounds like this: Regulation on the protection of natural persons with regard to the processing of personal data on the free movement of such data and repealing Directive 95/46/EC (Data Protection Directive).

Let’s start with the phrase ‘…repealing Directive 95/46/EC Data Protection Directive’. I’d like you to imagine a Kingdom in which a technology-backward monarch is reigning. He should continue his reign but his lack of knowledge about this new technology way of life is slowing the progress of his Kingdom. The king makers have two options. They can decide to enlighten him on what technology is and how it affects his kingdom, but then that’s just so much stress. Or they may just decide to unseat him and put in a more tech-savvy individual to take their Kingdom to glory. And that’s what that phrase has done. It has repealed a formerly existing EU Directive (which had been implemented since 1998) and now says that once the GDPR is enforced, it will be the new monarch in charge. You can check out the old monarch here.

Now what does this new king, the GDPR, have to offer us?

First, we know that although monarchs are super powerful and ought to be respected, their power, no matter how great it is, only exists over the people which they rule. So an important question would be to find out who the GDPR applies to. I mean, it was adopted and approved by The Council and European Parliament, so why is it now a ‘world thing’?

The answer is simple: The GDPR is focused on protecting the data of EU residents – that’s its focus. But now, technology has made it so that EU residents can have their data in the hands of non-EU residents. So whether or not you stay in any of the member states of the EU, as long as you process the data of one or more EU residents, you should pay close attention to what the GDPR says. 

Now, I cannot possibly write on everything in the GDPR. It’s actually an entire package of data protection regulations, so you can imagine its length and the variety of subjects it covers. I’ll however discuss some salient/interesting points I came across.

  • Did you know that in the EU, the right to protection of a person’s data is a fundamental right? Like a basic human right? Like the right to life and freedom of expression? And I think this makes sense because if you can guarantee privacy as a fundamental right, it follows that personal data protection should also be explicitly captured.
  • Also, the GDPR both protects personal data AND ensures the free flow of data within the EU. THAT, brother and sister, is the idea of TechReg. Controlling and yet advancing. In its recital/justification, the GDPR states that:

    “The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data”

  • Also, the GDPR only applies to the data of natural persons (human beings); not legal persons (like companies). Although if you’re a company collecting the data of a human being, you’re captured to submit. 
  • The GDPR does not apply when individuals are carrying out their normal personal or household activities but applies to controllers who provide the means for processing personal data for such personal or household activities. (jbwqwgvidyu. Lol).  Let me try to explain this. For instance, an EU resident goes to a store to buy some supplies for their house. The storekeeper knows everything they’ve purchased and that’s data. But the provisions in the GDPR do not apply here. The provisions will, however, apply in the situation where some technology or other mechanism is provided to store or process this harmless household and personal data. For instance, if the EU resident uses an app to create and store their grocery list; then yes, the app admin has to comply with the GDPR.
  • Remember I said that the GDPR is more concerned about the data of EU residents and would hunt you down even if you aren’t in the EU but handle the stipulated data? Well yes. You may be in some office in Ajegunle or in a corner in Ikoyi, as long as you or your business outfit is offering some goods or services to persons established in the EU (whether for a fee or for free), you must comply with the GDPR. The question then is how will they catch you? How will they know whether you’re servicing or offering goods to EU residents. Well, there are some indicators the GDPR proposes; like if your site or platform or entity uses/offers the option of certain language(s) or currencies used in one or more of the Member states of the EU, couple that with the possibility of ordering goods or services in that language or currency, or you mentioning customers/users in the EU, then there’s the presumption that the GDPR captures you.
  • A second way a non-EU resident can be subject to the provisions of the GDPR is if he’s monitoring the behavior of EU-residents. This is basically the use of data techniques to track people on the internet. And before you go, ‘Track?? Me? Pffft! Sounds like some CIA business. I can’t even track a song. LOL’. Well first of all, you can do all things (say ‘amen’). And second, this just means that you’re profiling people in order to take a decision or to predict their preferences or behavior. And just in case you’re still thinking, ‘Profiling?? Ain’t nobody got time for that’, well, have you heard of ‘Cookies’ before? (I shall write about this very soon). But if you have a website that uses cookies, you’re pretty much monitoring the behavior and preferences of your visitors/users. If you want to carry out a cookie audit on your website or any website at all, visit Cookie Checker. It’s a beautiful tool.

I did one for this site

So How Do I Comply with the GDPR?

Perhaps the first way to comply with the GDPR is to actually know what it says. It’s a really long read, so you might want to space yourself out and take relevant notes. You may download it here in different languages.

When you know what it says and you are armoured with its provisions, you must align yourself/your business entity/ your website to its provisions. Please note that you’re expected to be compliant by today, the 25th May 2018.

Practically, you may want to

  • Update your privacy policy so that you state in clear and unambiguous terms what data you’re processing and what you’ll be using the data for. Also, don’t just state it, let your site users give an affirmative consent (e.g. by ticking the box). Don’t use pre-ticked boxes. Also, don’t forget to include the bit about cookies, if your site is using them. You may tell them that they can disable the cookies if they want.
  • Check your mailing list and if there are persons who haven’t given affirmative consent, you may want to reach out to them to remind them and give them a deadline.
  • The GDPR requires that to collect the personal data of persons under the age of 16, you need parental consent. So you may also want to enable an age verification system just to be doubly sure. It doesn’t have to be them stating their ages, it can be ‘I affirm that I am 16 years and above’.

And so on.

The GDPR is a lot! And it’s not optional especially if you fall within its scope of reach. So get two boxes of Pizza and some Zobo, get your team together, study the GDPR if you haven’t and align yourself (there’s a joke here about being aligned by the monarch ‘ruler’; the GDPR, but I can’t place my hands on it).


Thanks for reading!

Edit

My friend and commenter below, Kevwe, gave this awesome suggestion for self-assessment.

If you’re a data controller (you have data in your control and care), take your self-assessment test here

If you’re a data processor (perhaps you receive data from other sources to use), take your self-assessment test here

Check here for other tests


I’d love to hear your comments, below!


I Bet I Wrote The Raddest Privacy Policy

WARNING: I’m about to sound weird.

For a long time, I have dreamed of the day I’d write a privacy policy.

Forces of limitation ensured that it didn’t occur to me that I could actually just write one, if I was so bent on the high that comes with privacy policies. And I have been stalling to put one together for my soon-to-be-launched social enterprise.

Yesterday, however, I decided to write one for this website and it was lit!

First, what is a privacy policy?

A privacy policy is basically a statement made by a website administrator informing visitors or users on what data will be collected from them, why and the extent of use of those data. That was the definition in my head. Now, this is the definition from Wikipedia (meanwhile, do you feel like there’s a love-hate relationship we have with Wikipedia? We go there for almost anything but it suddenly becomes unreliable when we’re writing a paper. Hypocrisy). Anyway, my boo Wiki, says: “A privacy policy is a statement or a legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client’s data. It fulfills a legal requirement to protect a customer or client’s privacy.”


Now, why is it important to have a privacy policy?

It’s important to have a privacy policy because privacy is important and technology can be invasive. But apart from this seemingly moral reason, you’d see in Wiki’s definition that it’s a fulfillment of a legal requirement. There are laws, international agreements and generally accepted principles that will require, encourage or guide data controllers on things like this.

Starting at home, you have the Constitution of the Federal Republic of Nigeria which provides that “the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.” (Section 37). Suffice to say that the draftsman probably did not envisage this right to be applicable to websites, but I’m thankful that the language is not restrictive because it does apply to every conceivable platform.

Let’s move to the International Convention on Civil and Political Rights, to which Nigeria acceded, est. 1993. Article 17 provides that no one shall be subject to arbitrary or unlawful interference with his privacy…. This also falls within this scope.

In fact, in 2013, the United Nations General Assembly (and yes, Nigeria is represented in the G.A. est. 1960) passed a resolution (resolutions are to non-living corporate entities what decisions are to human beings) noting that the rapid pace of technological improvements will enable the use of ICTs which might enhance the capacity of government, individuals and companies to engage in surveillance, data collection and other privacy-infringing activities. So in that resolution, the Assembly called on all states to respect the right to privacy in the context of digital communications, to review procedures, practices and legislation that may enable surveillance and to ensure transparency.

There’s also the African Declaration on Internet Rights and Freedom which pointedly states that

“The collection, retention, use and disclosure of personal data or information must comply with a transparent privacy policy which allows people to find out what data or information is collected about them, to correct inaccurate information, and to protect such data or information from disclosure that they have not authorized. The public should be warned about the potential for misuse of data that they supply online. Government bodies and non-state actors collecting, retaining, processing or disclosing data have a responsibility to notify the concerned party when the personal data or information collected about them has been abused, lost or stolen.”

And if you were still in doubt as to the importance of privacy or a privacy policy, shall I remind you of GDPR! You’ve probably gotten at least one email about the GDPR but it may seem like it doesn’t concern you, Nigerian. Perhaps, perhapsn’t. I’ll do a post about GDPR hopefully, but here’s what you should know about it.

  • It’s short for General Data Protection Regulation;
  • It comes into force on the 25th of May 2018;
  • It basically regulates the use of personal data of its specific data subjects;
  • The data subjects it envisages are EU residents;
  • But don’t be deceived and think that because you run a Nigerian entity, you’re not captured;
  • It also applies to you, as long as you process the data of EU residents; whether or not you’re in the EU or the processing takes place in the EU. As long as you offer goods or services to those data subjects OR you’re monitoring a behavior that takes place in the EU, you are captured.


OKAY, I get the point, How then do I write a privacy policy?

Great question. There are no strict rules for the language you should employ in drafting your privacy policy. You may be angry, emotional, whatever. The idea is to just get the message across. So what is the message to be passed across?

  1. What data you’ll be collecting
  2. What you will do with the data
  3. What you won’t do with the data
  4. Laws that you’re binding yourself to/obeying/letting guide you
  5. That you’ll be updating the privacy policy from time to time.


Uh… are there any cool privacy policies we can emulate?

Oh sure. I’ve heard of one really cool one and it’s the one I drafted yesterday!

Check it out here

(P.S. It’s not foolproof! It’s probably more fool than it’s proof 😀 )


Merci!


Takeout: Controlling Your Personal Data on Google

You know how we’d all like to leave footprints on the sands of time? Well, what if I told you that you’re already doing that! Congratulations 🙂


Sooo, privacy and personal data protection have been core areas of interest for me, for a bunch of reasons. The first being that privacy is a constitutionally guaranteed human right (duh.) And also that the principle of data protection is a very important one; one that should not only be recognized by awesome data custodians in Nigeria, but should be enshrined in our laws so that the un-awesome ones would be forced to abide by it.


Before I go on, let’s talk a little about Data Protection. What is it?

Data protection is simply the safekeeping of information. And personal data protection as it relates to the internet and to digital platforms generally entails data custodians (those with whom your data are), employing the best technologies to keep every information that has been gathered about you, safe. Remember when I said that you’re already leaving footprints in the sands of time? Well, there’s pretty much data stored up for everything you do online. From the basic ones you can imagine; pictures you’ve shared, personal information you’ve shared and so on. To the ones you don’t want to imagine; every app you’ve ever downloaded or opened, every website you’ve ever visited and so on.


Personally, I think one of the beautiful components of the principle of data protection is the principle of data ownership. That is, apart from the requirement for data custodians to keep data in their care safe and only use it for legitimate reasons and in legitimate ways, these data also belong to the Data Subject. (The data subject is the person whom the data is about).

Therefore, the fact of my visiting so-and-so website on so-and-so day, and the record of it, should belong to me although it’s in the care of *insert data custodian*. The implication of this principle is that, if said data is mine, then I should have control over it. Further implication then is that data custodians should provide access to data in their care to the real owners of the data in order to give them the opportunity to make decisions over it.

And this is possible with a number of multi-national data custodians like Google, Facebook and LinkedIn.

For Google, you may use this Google Tool: Google Takeout  (I’m late to the show in just discovering this because it was developed in 2011)

With Takeout you have access to all your Google data (pretty much everything you’ve put out or done using Google). I mean, information from your Drive, Chrome, Hangouts, Maps, Keep, Photos, Bookmarks, YouTube and so on.

You choose which category of data to download (It might take a while. Mine is 2GB heavy and is currently still downloading), and then when you see the data, you can decide to purge out the cringe-worthy ones and keep the ones you are proud of.

Google, the company, is on record to have said that it’s better to be transparent about the information being collected as opposed to not showing it at all. And I agree with that.

I’ll do a follow-up article when my data is downloaded and I’ve looked through it and deleted some data. I should also do one for my Facebook data (*shivers*)

But yeah, netizens (I hate this word but it keeps coming to my lips), should not just feel like they are in control of their data but should really be in control of their data. Perhaps there’s the question of whether the deleted data are actually deleted for real real; or the deletion is just faux you to sleep well at night (ha! see what I did there?). I shall do another follow-up article on this. 

I can’t wait for a Data Custodian in Nigeria to take up this initiative. Imagine being given access by 9Mobile to all your calls and texts since you ever started using their network and being allowed to delete some stuff. Or are there already provisions like this in Nigeria? (please let me know in the comment box if there are).

So yeah, I’ll do a follow-up article, as promised.

Ciao!