opt-in > opt-out discussions continue….

I just love this quote from Kimon Zorbas, the vice president of the Interactive Advertising Bureau Europe: “most Europeans were not troubled by behavioural advertising” and “Customer profiling is a basic to any business, not just online business”. Then, in response to the opt-in clause in the EU cookie directive: “if that were to happen, I am afraid it would kill a significant part of the industry.” Read more at The New York Times.

Is it not more to do with re-thinking how they do this? Come on, these advertisers have been creative in coming up with the cookie thing, and have not even given the consumer a choice: they eat cookies whether they like it or not. Zorbas also said that those that didn’t want cookies “could simply block them through the industry’s Web site”.

Sure, and then we come to those zombie cookies; they are pretty creative. They never go away. I wrote a post on this not long ago.

I have nothing against cookies; after all, they are very convenient. What I am against is that I get them without being asked, and that I need to opt out. Opting out is not always so straightforward. There are some websites that I definitely do not want cookies from. There should be a button on the main page, right in front of you, that states in big letters OPT-IN. And when you have done that it changes to OPT-OUT. Then you feel that you have some control. You, the customer, can choose who is tracking everything that you do online.

Cloud and conflicting privacy laws

One of the biggest dilemmas with cloud services is that in theory it shouldn’t matter where your data is stored in the public cloud, just that it is secured appropriately, and only you get appropriate access and nobody else gets inappropriate access 😉

But it’s much more complicated. Every country has its own laws about the transparency of stored data and its accessibility to nosing government authorities. The real problems occur when there is a conflict of privacy laws between different countries. Say you have personal data stored in a Google public cloud: your data could be stored physically anywhere in the world. And the fact that Google is a US company means it is required to comply with US law (e.g. the USA Patriot Act) for the organisation worldwide, not forgetting the regional laws where the data is physically stored. This conflicts with EU privacy law, whereby the rights of the data subject are preserved.

Google have been quoted as follows “As a law abiding company, we comply with valid legal process, and that – as for any US based company – means the data stored outside of the U.S. may be subject to lawful access by the U.S. government.” Taken from Softpedia.

This could be an interesting time for organisations to set up clouds, but only in a single country and with a provider that is registered in the hosting country. Otherwise, can you really trust the data-holding authority to protect your rights as an EU citizen, for example? I know I can’t!

Zombie cookies

David S. Misell asked me to share the privacy issues of HTML5, and I thought there was no better place to do this than in a post.

HTML5 is really about these zombie cookies, cookies that keep coming back from the dead, even after you’ve deleted them…. scary or what?

According to Wikipedia “Zombie cookies were first documented at UC Berkeley, where it was noticed that cookies kept coming back after they were deleted over and over again. This was cited as a serious privacy breach. If you delete a cookie, it should remain deleted. Since most users are barely aware of these storage methods, it’s unlikely that users will ever delete all of them. From the Berkeley report, “few websites disclose their use of Flash in privacy policies, and many companies using Flash are privacy certified by TRUSTe.

Ringleader Digital made an effort to keep a persistent user ID even when the user deleted cookies and their HTML5 databases (RLDGUID). The only way to opt out of the tracking was to use the company’s opt-out link which gives no confirmation.”

To read more techie stuff on how this annoying cookie works, go here, where Ars Technica has written an insightful article on it.
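The respawning described above works because the same identifier is mirrored into several storage areas (cookies, HTML5 local storage, Flash storage) and any surviving copy restores the deleted one. An added example, not from the original post or from any of the companies named in it: a small check that takes a snapshot of the browser’s storage areas and reports identifier-looking values that occur in more than one of them, which is the pattern a defender wants to spot. The store names, key names and sample values are constructed for the demo; in a real page you would feed it `document.cookie` and `window.localStorage` instead.

```javascript
// Added example (not from the original post): spot identifiers that are
// mirrored across several browser storage areas, the hallmark of a
// "zombie" cookie that can be respawned after deletion.

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookieString(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

// A value that looks like an identifier: 12+ token characters, nothing else.
// Short preference values such as "dark" are ignored by this filter.
const ID_PATTERN = /^[A-Za-z0-9_-]{12,}$/;

// stores: { cookie: {...}, localStorage: {...}, sessionStorage: {...}, ... }
// Returns the values that appear in two or more distinct stores, with the
// store/key pairs where each was found.
function findMirroredIdentifiers(stores) {
  const seen = new Map(); // value -> [{ store, key }, ...]
  for (const [store, entries] of Object.entries(stores)) {
    for (const [key, rawValue] of Object.entries(entries)) {
      const value = String(rawValue);
      if (!ID_PATTERN.test(value)) continue;
      if (!seen.has(value)) seen.set(value, []);
      seen.get(value).push({ store, key });
    }
  }
  const hits = [];
  for (const [value, locations] of seen) {
    const distinctStores = new Set(locations.map((l) => l.store));
    if (distinctStores.size >= 2) hits.push({ value, locations });
  }
  return hits.sort((a, b) => a.value.localeCompare(b.value));
}

// Human-readable summary, one line per mirrored identifier.
function summarise(stores) {
  return findMirroredIdentifiers(stores).map(
    (h) => `${h.value} found in ${h.locations.map((l) => `${l.store}:${l.key}`).join(', ')}`
  );
}

// Constructed snapshot: one visitor ID copied into three places, plus
// harmless preference values that must not be flagged.
const SAMPLE_STORES = {
  cookie: parseCookieString('visitor=5f3a9c1e7b2d4a60; theme=dark; sess=k9'),
  localStorage: { 'tracker.visitor': '5f3a9c1e7b2d4a60', 'ui.theme': 'dark' },
  sessionStorage: { tab_state: 'open' },
  // Stand-in for an HTML5 database or Flash store read out separately.
  otherStore_placeholder: { guid: '5f3a9c1e7b2d4a60' },
};

// Run stand-alone: node zombie_check.js
if (typeof require !== 'undefined' && require.main === module) {
  for (const line of summarise(SAMPLE_STORES)) console.log(line);
}
```

The check only flags exact copies; a tracker that stores a hashed or re-encoded form of the same ID in each store would need a comparison step per encoding, which is why clearing all storage areas together remains the practical defence.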

Ringleader Digital claims on its privacy page that it only collects “non-personally identifiable information, such as browser identifiers, session information, device type, carrier provider, IP addresses, unique device ID, carrier user ID and web sites visited”. Now the question is: what happens when you link this information together?

In the UK, for example, an IP address in isolation is not personal data under the Data Protection Act, according to the Information Commissioner. But an IP address can become personal data when combined with other information or when used to build a profile of an individual, even if that individual’s name is unknown.

And there is significant discussion on this around the world. In Seattle a Federal judge ruled that an IP address is not personal information; in the EU, however, it is understood how easily an IP address can become an element of PII.

As to my personal opinion, it’s simple… I want visibility, i.e. if I delete a cookie on my PC or mobile device, I want it deleted. I don’t want a zombie. It could be that I like the convenience of having a cookie there, but I want the choice to delete, and when deleted I don’t want any zombies roaming around on my devices… my devices, yes, they are linked to my very person, and have become a part of my DNA.

Dilemmas – increased Internet surveillance in wake of Oslo tragedy

This is the dilemma: to increase surveillance in the name of personal safety, or not to do so because it violates our right to personal privacy?

Remember what happened after the terror attacks on the twin towers in New York? A whole host of privacy invading legislation was passed in the U.S., that now requires visitors to go through the inconvenience and indignity of being fingerprinted like criminals and having our faces scanned. And there is no road back, it is a one-way street. Once a practice starts it becomes accepted over time as the norm.

The UK has dragged through legislation on the mandatory issue of ID cards. Although they have not succeeded in getting this through for all UK citizens, they will… they have started with all UK immigrants, who today have no choice. Most youngsters need ID in order to get accepted in most bars, so it has become a norm among this age group. All in the name of personal safety, trying to control something that is not controllable.

So now officials from Finland, Estonia and Germany have called for expanded monitoring powers on the Internet in the wake of the Oslo tragedy. Apparently the guilty party for this attack published a Twitter message, a YouTube video and a 1,500 manifesto linked to the buildup to these terrible crimes. Read more here.

And we are back to the dilemma thing. As a mother I am screaming out for these “expanded monitoring powers”, but as a privacy advocate I am terrified by these developments, as they give justification for increased invasions of our private space, which is getting smaller and smaller…..

Don’t miss the cookie deadline :-P

The deadline for EU member states to implement the new cookie law is today! And not many member states are ready to eat their cookies yet! To date, Denmark and Estonia are the only states to have implemented the amended EU Privacy and Electronic Communications Directive, which gives Internet users more control of their data and requires any company with EU customers to comply. This requirement is a provision in an amendment to the EU’s Privacy and Electronic Communications Directive, which was adopted in 2009.

One claimed reason for the sluggish implementation of the directive is confusion around its intended purpose, as well as how best to implement it without destroying the businesses that rely on cookie placement to generate revenue, such as online advertising networks. The most visible change is the introduction of an “explicit consent” requirement. Read more at ClickZ.

So how can this be implemented? On a technical level it’s messy because it needs to be added on. It is not a built-in privacy function, so this will result in significant inconvenience for web users as websites seek explicit consent for cookie placement through pop-ups and other awkward mechanisms. If the privacy function for cookies…. or maybe not cookies…. were an integral function of our PC and of any web app we happen to be interacting with, perhaps it would be more like a loyalty card (maybe even shaking hands, representing mutual consent)… as used in the physical world for relationship marketing. The customer presents a card each time they approach the checkout. Hence, in exchange for sharing personal information, the customer should receive certain benefits, and clearly transparency in what is being collected…

Me just brainstorming to myself a little here 🙂

Yes please I would like a cookie :-P

I have posted about this before, the thing on “cookie consent” in the new EU privacy law. Well, now some guidelines have been published by the Information Commissioner’s Office.

The simple advice is as follows:

We advise you to now take the following steps:
1. Check what type of cookies and similar technologies you use and how you use them.
2. Assess how intrusive your use of cookies is.
3. Decide what solution to obtain consent will be best in your circumstances.

The main difference in behaviour is this: those using cookies to collect your behavioural data used to give you, by default, the option to opt out; now you must consent first, i.e. opt in. This is now aligned with the general rules on collection of personal data in the EU.
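What “opt-in” means in code is that the site sets nothing beyond strictly necessary cookies until the user has said yes, and drops them again when the user withdraws. An added example, not from the original post or from the ICO: a small consent gate that models the default-deny state, the single OPT-IN / OPT-OUT control the earlier post asks for, and the Set-Cookie header that is only produced once the matching category has been granted. The category names, cookie names and values are constructed; real sites would also persist the consent record itself (as an essential cookie) and show the categories to the user.

```javascript
// Added example (not from the original post): an opt-in cookie consent gate.
// Nothing non-essential is set until the user explicitly agrees.

const CATEGORIES = ['essential', 'analytics', 'advertising'];

// Opt-in model: before any choice, only strictly necessary cookies are allowed.
// (The old opt-out model would have returned true for every category here.)
function defaultConsent() {
  return { essential: true, analytics: false, advertising: false };
}

// Record an explicit choice for one category. Essential cannot be switched off.
function updateConsent(consent, category, granted) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  if (category === 'essential') return { ...consent };
  return { ...consent, [category]: Boolean(granted) };
}

// Build a Set-Cookie header value only if the category has consent; else null.
// Secure and SameSite=Lax are applied by default as sensible hardening.
function buildSetCookie(name, value, category, consent, options = {}) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  if (!consent[category]) return null;
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'SameSite=Lax'];
  if (options.secure !== false) parts.push('Secure');
  if (options.httpOnly) parts.push('HttpOnly');
  if (options.maxAgeSeconds !== undefined) parts.push(`Max-Age=${options.maxAgeSeconds}`);
  return parts.join('; ');
}

// Header that tells the browser to discard a cookie already set; used when
// consent is withdrawn so opting out actually removes the tracking cookie.
function expireCookie(name) {
  return `${name}=; Path=/; Max-Age=0`;
}

// Label for the one visible control: OPT-IN until any optional category is
// granted, OPT-OUT afterwards.
function consentButtonLabel(consent) {
  const anyOptional = CATEGORIES.filter((c) => c !== 'essential').some((c) => consent[c]);
  return anyOptional ? 'OPT-OUT' : 'OPT-IN';
}

// Walk through the flow once: refuse, grant, set, withdraw, expire.
function demo() {
  let consent = defaultConsent();
  const before = buildSetCookie('ad_id', 'abc', 'advertising', consent, { maxAgeSeconds: 86400 });
  consent = updateConsent(consent, 'advertising', true);
  const after = buildSetCookie('ad_id', 'abc', 'advertising', consent, { maxAgeSeconds: 86400 });
  const labelWhenGranted = consentButtonLabel(consent);
  consent = updateConsent(consent, 'advertising', false);
  const onWithdraw = expireCookie('ad_id');
  return { before, after, labelWhenGranted, onWithdraw, labelAfterWithdraw: consentButtonLabel(consent) };
}

// Run stand-alone: node consent_gate.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The important property is that `buildSetCookie` returns `null` rather than a weaker cookie when consent is missing: the decision not to track is made at the point the header would be written, not left to the user to undo afterwards.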

Your right to opt-out of Google’s Street View service

I love what has been going on in Germany over the past few months, in that almost 250,000 Germans have told Google to blur pictures of their homes on the Street View service. Which is quite right. The EU directive on data privacy gives the data subject the right to consent to any personal information being stored. I wonder why it is only happening in Germany and not elsewhere in the EU; after all, it is our right as data subjects.