A risk management approach to… no, you know what? Just wear a damn mask already.

I know plenty of risk management experts. I’m not one. But I know enough to know that mask-wearing when indoors with other people is a no-brainer. Not to mention just the decent thing to do.

I’ve spent a fair amount of time wrestling with risk assessments, mostly to do with corruption and data protection: planning them, doing them, revising them, advising on them, responding to them. I know plenty of people who’re far more expert in assessing and managing risk than I am. But I’ve learned enough to prize some of the fundamentals. And to realise how they can be applied more generally.

Say – just for instance – to how us normal human beings should respond to Covid, the easing lockdown, and any attempt to get back to a new normal. Particularly where facemasks are concerned.

The experts will wince at the next bit, when I try to boil down the bare basics of risk management into easy-to-digest chunks for the hard of thinking (like me, in this regard). Apologies in advance for how simplistic this is.

But fundamentally you assess risk and respond to it in three stages.

First, you work out what your risks are. Forget about whether they’re everyday or one-in-a-million for a minute. What could go wrong – not for any organisation, but specifically for yours? In a large organisation this can be a mammoth task, involving questionnaires, interviews, meetings and lord knows what else. But for small groups it’s essentially a test of imagination, and being honest with yourself.

Secondly, For each risk, try to assess how much you should worry about it, which is primarily about answering two questions:

  • How likely is it that it could happen?
  • And how bad would it be if it did?

Everyone will have their own way of combining these two factors – often there’s a three- or five-step measure for both probability (the first question) and impact (the second), and some kind of matrix to tell you what combinations you should really worry about. But often a RAG (red/amber/green for high/medium/low) rating is good enough, where you focus particularly on anything amber/red or with two reds (although depending on the circumstances green/reds and amber/ambers may at least need a bit of thought).

Third and finally comes the really important bit: what do you do about it. The classic four choices (not all of them exclusive, of course) are:

  • Avoid: just don’t run the risk at all. A company, for instance, could decide simply not to do business in certain jurisdictions.
  • Transfer: insure against it, so someone else picks up the tab. For anyone who drives a car, this will sound familiar.
  • Mitigate: what steps can you take to reduce the risk? How well will any given mitigant work? The best mitigants, of course, help with more than one risk.
  • Accept: sometimes you just have to suck it up. Particularly for relatively low-impact risks, this may be the only cost-effective answer.

So what does this have to do with mask-wearing? (And yes, I know we were told for months that it wasn’t worth it, that the evidence for it being helpful was marginal at best, that it didn’t really protect you from other people. Although how much of that was solid and how much was really about mitigating – there we go – the disastrous and negligent PPE shortage is anyone’s guess.)

Well, let’s walk through the steps.

  1. The risk is obvious. It’s getting Covid when in an enclosed space with people other than my household. Or giving it to someone in the same environment. (OK. Two risks. Easy to overlook the second one, though.)
  2. Impact: really high. Yes, I or the person I give it to might get lucky. (And yes, I already did – given that my dose of The Bug was horrible for a couple of weeks and now seems to have wholly departed. I’m humbled by how fortunate I was.) But those odds suck. Probability: also pretty high. And – what’s worse – impossible to calculate with any reliability, given that neither I nor anyone else will know we’re infectious until it’s far too late to avoid hurting people. I’m calling this Amber-Red at least, and probably Red-Red.
  3. Response: can I avoid it? Short of becoming an anchorite, no. Can I transfer it? No. Insurance won’t stop me from dying. Can I just accept it? Well, maybe if it was just about me – but it’s not. This is about the large and fundamentally uncalculable risk I pose to others. Call me judgmental, but prioritising my freedom if it puts others at grave risk just seems unutterably selfish and inhuman.

So what’s left? Mitigation. What can I do? I can wash my hands. Effective and easy. I can keep my distance. Less easy – yes, I’m looking at you, the gin-in-a-can buyers in Aldi yesterday who insisted on standing 18 inches from my back in the queue yesterday while laughing raucously. And problematic in some jobs and workplaces. But no reason not to do it to the extent reasonably possible.

And masks. Yes, masks. I can’t help noticing that most of the countries who are beating this thing take mask-wearing as a given. Japan, in particular, which was late as we were in taking concrete steps to protect its citizens, seems to have done surprisingly well. A place where mask-wearing to protect others when you’re sick is regarded as about as basic a propriety as not being naked on public transport. (I realise there are a number of other potential reasons for Japan having escaped our fate. But the consistency across habitual mask-wearing states is interesting.)

Even if – as some suggest – the benefit from masks is marginal, marginal makes a pretty big impact when multiplied across a multi-million-strong population. And where R is close to 1, or ticking above it, marginal becomes even more important. Literally (and imagine how much it pains a pedant like me to use that word) a life-and-death difference.

I recognise there will be medical reasons not to. I recognise it’s hard or impossible for small kids. I recognise (from personal experience) how damned annoying it is with fogged-up glasses.

But what it comes down to is this: I am my sister’s keeper, my brother’s keeper. I don’t know if I’m dangerous to them. I can reduce the chances of me hurting them by putting a mask on when indoors with others, at minimal cost to myself. So I’m going to. Please do likewise.

(Note: from everything I’ve seen, this is fundamentally an inside problem, not an outdoors one. I tend not to mask up when I walk down the street, or run, or cycle (although I do everything I can to keep my distance), and I wouldn’t blame anyone else for doing likewise. But in a shop, or an office, or a place of worship, or anywhere else which is indoors… well, just put the thing on, OK?)

A corruption hypothetical.

When people claim the UK is “clean” (usually while denigrating somewhere else) it always makes me angry. Because corruption creeps in everywhere, and never more so than where when people are convinced it doesn’t exist…

Imagine the following synopsis of a news story:

  • A property developer in a legendarily corruption-prone country – let’s call it Bribeia for the sake of argument – wants to build something that needs planning permission.
  • So he donates a chunk of cash to the coffers of the ruling party. As part of this donation, he gets to come to a rubber-chicken, thousands-a-plate fundraiser and hobnob with ministers.
  • He ends up sitting next to one such minister, and tells him about the development, urging that it be approved. The minister is non-committal, but they swap mobile numbers.
  • They then exchange multiple text messages. The minister continues to be carefully non-committal in his text messaging, but the developer tells him that he needs the approval by a deadline to avoid paying a whopping tax bill to the local government – coincidentally run by the main opposition party.
  • The non-committal communications notwithstanding, the minister tells his civil servants not only to approve the development, but to make sure it’s done in time to avoid the tax.

You’re all smart people, so you’ll all have instantly recognised that this is the Jenrick-Desmond affair, albeit transplanted elsewhere.

But tell me honestly. I mean it: do tell me, whether on Twitter, LinkedIn or otherwise. If this chain of events happened in a country in the bottom half of the TI CPI, would you hesitate for all that long before regarding both the developer’s conduct and that of the minister as potentially corrupt?

And if that’s the case for Bribeia, why’s it any different here?

(I’ll leave it as a thought exercise for the reader to analyse Desmond’s conduct in the context of Section 1 of the Bribery Act, pausing only to note that the person who is given or promised the advantage doesn’t have to be the same person as the one who performs a function improperly, but also noting that it might be tricky to prove intent. Similarly, an interesting academic exercise is to imagine that Desmond was indeed dealing with a Bribeian minister (that is, a foreign public official) rather than a UK one, and assess his conduct in the context of section 6. Although from what I’ve read, the test at s6(3)a)(ii) looks unsatisfied.)

Privacy: one step forward, one step back.

A quick hit here to memorialise two privacy-related bits of news: a German court bans Facebook from tracking you elsewhere, but US Republicans try – again – to ban encryption that actually works.

Like many people, I barely use Facebook. And when I do, I only do so when using Incognito (Chrome) or Private Browsing (Safari). It’s annoying logging in each time (albeit less so with 1Password). But it stops Facebook from doing something I viscerally loathe: tracking everything else I do, everywhere else, thanks to tracking code and cookies.

I get that this may make me a paranoid tin-hat type. I’m OK with that. Just like I’m OK with blocking ads which rely on adtech, preventing videos from auto-playing, and generally trying to stop a simple text website from downloading an extra double-digit MB load of data so they can show me ads so intrusive that I never want to go back to the site in question. (I’m fine with ads. I like free stuff, paid for by advertising. But adtech-delivered ads are essentially a conman’s dream. And from a data protection/privacy perspective, I have grave doubts about whether adtech is lawful. So I’m very happy to screw with it.)

Which makes a German court’s decision to reinstate a ruling banning Facebook from combining its own data with that from other sites into so-called “super-profiles” very interesting. The ban was at the behest of Germany’s Cartel Office, and the judge’s ruling (press release in German here) said there wasn’t any serious doubt over whether Facebook was (a) dominant and (b) had abused that position – particularly by getting information from non-Facebook sources.

The ruling only applies to Germany, of course. But this does seem to be the first time that cross-site tracking and data collection has been seriously set back. Which may make things slightly hotter for adtech’s widespread consent-less collection of personal data, legally speaking – although the dominance question doesn’t necessarily arise, of course, the ruling nonetheless explicitly addresses, in resolutely negative terms, what Techcrunch calls “track-and-target” and what writers like Shoshana Zuboff and many others call surveillance capitalism. It does so by noting that a significant number of Facebook users would prefer not to be tracked and targeted, and a properly-functioning market would allow them that option. It’s hard to see how the same can’t be said for adtech in general.

Less encouraging, and far more predictable, is US Senate Republicans’ move to introduce legislation (the LEAD Act – seriously, these acronyms…) to “end the use of warrant-proof encrypted technology by terrorists and other bad actors“. As almost any even slightly encryption-savvy person will know, this translates to “making encryption stop working securely”. Simply put, if – as this legislation would appear to require – a service provider keeps a key to your comms so it can give it to law enforcement, then end-to-end encryption is done and your comms aren’t secure any more. As Ars Technica puts it, “Encryption doesn’t work that way.” Anyone claiming it does is either ignorant or acting in bad faith. No real middle ground there.

John Gruber points out that describing the bill as “a balanced solution” as its proponents do because the key would only be handed over with a court order is hogwash. If a key exists, it becomes a target. “That’s how the law works today,” he writes. “What these fools are proposing is to make it illegal to build systems where even the company providing the service doesn’t hold the keys.”

Fools seems like a generous description. It presupposes good faith. I’m not sure I’d go that far.

Being a father without a father: the pleasure and pain of Father’s Day.

Sussex, late May, 2014.

Father’s Day is bittersweet.

Sweet, because my wife and daughter are blessings past compare, proof if any were needed that God, fate or the universe can forgive our failings and give us a life far better than we deserve.

And bitter because I no longer have a father to celebrate.

I lost him on 27 September 2014. I remember our last day together just the two of us, in late May that year: as we trod the West Sussex countryside, the limp from his 2012 stroke present but no longer dominant, talking and walking as we had so many times, ending on a bench outside his village’s church as we watched the birds swoop overhead. I remember our last phone call a few days before it happened, his voice a whisper, drained as he was by six weeks of radiotherapy. I remember his funeral in the cathedral in Winchester, whose bishop he’d been for 15 years, struggling to keep my voice clear and level as I read from the book of Ephesians (the end of Chapter 3 and the start of Chapter 4).

Almost six years on, the loss has long passed into normality. And aside from an ache that he never got to see his grand-daughter grow into the amazing person she’s becoming, mostly it doesn’t hurt too bad.

But one thing still stabs home. His death came just as I was considering – very late in life – becoming a lawyer. It was four months later that I started studying law. Two years later I started bar school. Four years later I became a pupil at Outer Temple. And five years later that I became a tenant.

And it hurts that he wasn’t a part of that decision. Because before every one of my significant, life-changing career calls till then, I’d always sought him out. And we’d walked. And talked. And asked and answered questions. And pondered in silence, the only sound our footfalls and nature around us. It was a part of my process. And it was gone.

He’d have loved the vicarious thrill of me becoming a barrister. Every millimetre of it, through GDL, BPTC, pupillage and tenancy. He’d have found it fascinating. Asked thoughtful questions. Wanted genuinely to understand the how and the why. And, I can’t but think, that having him do so would probably would have made me a better lawyer.

Perhaps that’s why, in fact, I didn’t really talk about the experience with my family (other than my wife and daughter, of course), until the BPTC results came through and I knew pupillage lay ahead. The thought of doing so without my dad being there was just – wrong, somehow.

So here I am. I made it. I love it. But every so often, as I encounter some abstruse but fascinating legal point and my face breaks into a smile as I ponder the sheer beauty of the reasoning around it, just for a split second, I think: you know who’d have loved to talk this one through? And the smile flickers.

Still, in some ways he’s at my shoulder. If I consider an argument that isn’t properly grounded, or a tactic that isn’t honourable, I can almost hear him gently asking me why I’m going that way. Not always, but sometimes. And that voice is usually right. And takes me back to that bit of Ephesians, which tells us to “live a life worthy of the calling you have received”. Yes, I know it’s talking about another kind of calling altogether. But still, it rings true.

So here’s to you, my father. Rest in peace. Rise in glory. Be blessed. I know I am.

Apple’s tin ear to competition timing.

I’ve been using Apple products my whole adult life. But that doesn’t make me a cheerleader. And on the very day a competition investigation was announced, Apple did something so apparently boneheaded that they‘re rightly being called out.

I do have a slim legal figleaf for writing this post, albeit not one born of any particularly deep legal insight. But some things demand comment. And Apple’s treatment of HEY, a new email service, is one of them.

(The legal figleaf is about whether this treatment is a symptom of broader behaviour which violates EU competition law. Scroll down to get to that bit.)

I can’t remember which of Patrick O’Brian’s Aubrey/Maturin books it was (one of these days, a start-to-finish reread beckons – my late dad introduced them to me, and it’ll be one more way of communing with him somehow). But in one of them, Stephen Maturin – never a one for hierarchy or cant – expresses his disdain for patriotism, at least in its early 19th-century format.

It “generally comes to mean either my country, right or wrong, which is infamous, or my country is always right, which is imbecile“, he tells Jack Aubrey. [UPDATE: It was Master and Commander, the first in the series.]

Personally, I’m fine with patriotism. I’m a patriot, so long as that encompasses being honest about my country’s flaws and misconduct and wanting them fixed. But no-one but a charlatan could deny that Maturin’s characterisation is, far too often, spot on.

Tech has traditionally suffered from a similar tendency. Windows vs MacOS. Google vs everyone. iPhone vs Android. PlayStation vs Xbox. Facebook vs – well, probably common decency and humanity? (That one’s an outlier.) The flame wars and arrogance besetting tech arguments are painfully legendary. While lots of us (most, even) manage to recognise that our preferred system, app, platform isn’t perfect, and can and should learn from its competition, the sheer ugliness of tech-on-tech “conversations” (huh) gets unutterably wearing. Even setting aside its truly poisonous emanations, such as the misery inflicted on women and minorities by #Gamergate and similar foulnesses.

All this is really a preamble to explain that while I’ve used predominantly Apple kit my entire adult life – from Mac SEs at college, to PowerBooks including the wonderful Pismo, then a succession of MacBook Pros and Airs; iPhones of varying types ever since the 3G; and best of all, a sequence of iPads that have genuinely, radically, revolutionised the way I can and do work – I’m not a fanboi. (My friends from the Windows/Android side of the fence who’ve ribbed me for years are I hope honest enough to recognise this. As I do about them. I’m lucky in my friends.)

And so when Apple does something truly boneheaded, to put it as gently as one can, its friends need to call it out.

It’s come to a head through what could be a coincidence, although it’s a pretty telling one. On the same day that the European Commission announced an investigation into possible breaches by Apple of EU competition law involving the App Store and Apple Pay, HEY, a new email app by the people who brought you Basecamp, is facing getting kicked off the App Store because it sells subscriptions other than through an in-app purchase.

This boneheadedness has been brewing a long while. Apple charges a 30% cut on purchases through its App Store on iOS. (And on the Mac, although apps can be directly downloaded there, so it’s slightly different.) Apps in theory can’t route around that by selling subscriptions or licences elsewhere. Except for the ones that can. The classing of who can and who can’t would be laughable to anyone who wasn’t suffering from it – Reader apps? Really? And an unwritten business-vs-consumer divide? Come on. Dieter Bohn called it out as a prime example of the No True Scotsman fallacy, and I think he’s right (his piece for The Verge, which is excellent, is here). John Gruber, meanwhile, pointed out that the biz-consumer divide was both artificial and unworkable, and – just as bad – a betrayal of Apple’s own history.

The hypocrisy, both in HEY’s case and elsewhere, is impressive. Loads of email apps sell subscriptions elsewhere. Basecamp, for heaven’s sake, sells subscriptions through its website. That’s its business! The “Reader” definition is woolly at best. It often feels far more as though whether you get pushed around like this depends on how big you are. HEY isn’t the first, by a long way. But it’s the latest. And perhaps the timing may finally make a difference.

If I sound angry, that’s because I am. Apple’s 30% App Store tax is way, way too high. Its application is (put neutrally) sporadic. And – and here comes the legal figleaf – while I know very little about competition law (a terrifyingly technical field; try someone like Monckton Chambers for that), I really want to read what EU antitrust specialists are thinking about this.

Because to a very shaky first approximation, I wonder whether an argument could be made that Apple’s App Store policies breach Article 102 of the TFEU, which bans improper exploitation of market dominance, as follows:

  • The relevant market here isn’t all smartphones (Apple would probably walk home on that one, given that 85% of phones are Android) but iOS devices, on the basis that for a majority of their users substitution for another brand isn’t really an acceptable option given both -reference and platform lock-in.
  • Needless to say, Apple is dominant in the iOS market…
  • That dominance exists within the EU’s internal market, since iOS devices are sold across the region.
  • The dominance affects trade between member states, since a developer in Austria will routinely sell its app to customers in Malta. And so on.
  • Its pricing is excessive – in that it is 10 times what, for instance, a credit card processor might charge – and also discriminatory, in that its rules (as described above) seem to be arbitrary.
  • And it abuses its dominance by imposing an exclusive dealing obligation – by preventing anyone from accessing iOS users other than through the App Store, or more narrowly preventing them from charging other than through the App Store.

I’m pretty sure any genuine competition lawyer is going to read the above back-of-an-envelope analysis and laugh till they choke. There is no doubt acres of relevant authority which shows I’m foolishly misreading Article 102. Aside from anything else, the relevant market point is a massive what-if. But it’s not a bad place to start. (If anyone’s seen any good stuff on Twitter or elsewhere about this, from a legal analysis perspective, do let me know – whether via email or Twitter. I haven’t had time to go looking this past 24 hours owing to other deadlines, but I want to learn about it.)

And whether I’m right or not, this leaves a really foul taste in the mouth. Apple’s a commercial firm, and will do what’s best for it. No illusions on that score. But its leaders always used to say that making money was what happened as a by-product of building great things, not an aim in itself. I can’t see how this possibly matches up to that aspiration. Not even close.