Category: Legislation

opt-in > opt-out discussions continue….

by

19 September 2011

15:15

Leave a comment on opt-in > opt-out discussions continue….

Advertising, European Union, Legislation

I just love this quote from Kimon Zorbas, the vice president of the Interactive Advertising Bureau Europe “most Europeans were not troubled by behavioural advertising” and “Customer profiling is a basic to any business, not just online business” then in response to the opt-in clause in the EU cookie directive “if that were to happen, I am afraid it would kill a significant part of the industry.” Read more at The New York Times.

Is it not more to do with re-thinking how they do this? Come-on these advertisers have been creative in coming up with the cookie thing, and not even given the consumer a choice, they eat cookies whether they like it or not. Zorbas also said that those that didn’t want cookies “could simply block them through the industry’s Web site”.

Sure, and then we come to those zombie cookies, they are pretty creative. They never go away. I write a post on this not long ago.

I have nothing against cookies, after all they are very convenient. What I am against is that I get them without being asked, that I need to opt-out. Opting out is not always so straightforward. There are some websites where I definately do not want cookies from. There should be a button on the main page, right in from of you that states in big letters OPT-IN. And when you have done that it changes to OPT-OUT. Then you feel that you have some control. You, the customer can choose who is tracking everything that you do online.

Cloud and conflicting privacy laws

by

22 August 2011

12:46

1 Comment on Cloud and conflicting privacy laws

European Union, Legislation, U.S.

, , , ,

One of the biggest dilemmas with cloud services is that in theory it shouldn’t matter where your data is stored in the public cloud, just that it is secured appropriately, and only you get appropriate access and nobody else gets inappropriate access 😉

But it’s much more complicated. Every country has its own laws about the transparency of data stored and accessibility from nosing government authorities. The real problems occur when there is a conflict of privacy laws between different countries. So you have personal data stored in a Google public cloud, your data could be stored physically anywhere in the world. And the fact that Google is a US company means requirement to comply with US law (e.g. USA Patriot Act) for the organisation worldwide, not forgetting the regional laws where the data is physically stored. This conflicts with EU privacy law whereby the rights of the data subject are preserved.

Google have been quoted as follows “As a law abiding company, we comply with valid legal process, and that – as for any US based company – means the data stored outside of the U.S. may be subject to lawful access by the U.S. government.” Taken from Softpedia.

This could be an interesting time for organisations to set-up clouds but only in a single country in an organisation that is registered in the hosting country. Otherwise, can you really trust the data-holding authority to protect your rights as an EU citizen for example? I know I can’t!

Zoombie cookies

by

9 August 2011

16:02

1 Comment on Zoombie cookies

European Union, Legislation, U.S.

,

David S. Misell asked me to share the privacy issues of html5, and I thought that no better place to do this than by creating a post.

Html5 is really about these zoombie cookies, cookies that keep coming back from the dead, even after you’ve deleted them…. scarey or what?

According to Wikipedia “Zombie cookies were first documented at UC Berkeley, where it was noticed that cookies kept coming back after they were deleted over and over again. This was cited as a serious privacy breach. If you delete a cookie, it should remain deleted. Since most users are barely aware of these storage methods, it’s unlikely that users will ever delete all of them. From the Berkeley report, “few websites disclose their use of Flash in privacy policies, and many companies using Flash are privacy certified by TRUSTe.

Ringleader Digital made an effort to keep a persistent user ID even when the user deleted cookies and their HTML5 databases (RLDGUID). The only way to opt out of the tracking was to use the company’s opt-out link which gives no confirmation.”

To read more techie stuff on how this annoying cookie is working go here where ars technia has written an insightful article on this.

Ringleader Digital claim on its privacy page that it only collects “non-personally identifiable information, such as browser identifiers, session information, device type, carrier provider, IP addresses, unique device ID, carrier user ID and web sites visited. Now the question is what happens when you link this information together?

Now according to the UK for example an IP address in isolation is not personal data under the Data Protection Act, according to the Information Commissioner. But an IP address can become personal data when combined with other information or when used to build a profile of an individual, even if that individual’s name is unknown.

And there is significant discussion on this around the world. In Seattle a Federal judge ruled that IP address is not personal information, however in the EU it is understood how easily an IP address can become an element of PII.

As to my personal opinion, it’s simple… I want visibility, i.e. if I delete a cookie on my PC or mobile device, I want it deleted. I don’t want a zoombie. It could be that I like the convenience of having a cookie there, but I want the choice to delete, and when deleted I don’t want any zoombies rooming around on my devices… my devices, yes, they are linked to my very person, and have become a part of my DNA..

Dilemmas – increased Internet surveillance in wake of Oslo tragedy

by

29 July 2011

14:50

Leave a comment on Dilemmas – increased Internet surveillance in wake of Oslo tragedy

European Union, Finland, Germany, Legislation, Norway

This is the dilemma, to increase surveillance in the name of personal safety or to not do this as it violates our right to personal privacy?

Remember what happened after the terror attacks on the twin towers in New York? A whole host of privacy invading legislation was passed in the U.S., that now requires visitors to go through the inconvenience and indignity of being fingerprinted like criminals and having our faces scanned. And there is no road back, it is a one-way street. Once a practice starts it becomes accepted over time as the norm.

The UK has dragged through legislation on the mandatory issue of ID cards. Although they have not succeeded in getting this through for all UK citizens, they will… they have started with all UK immigrants who today have no choice. Most youngsters need ID in order to get accepted in most bars, so it has become a norm among this age group. All in the name of personal safety, trying to control, and control something that is not controllable.

So now officials from Finland, Estonia and Germany have called for expanded monitoring powers on the Internet in wake of the Oslo tragedy. Apparently the guilty party for this attack published a Twitter message, a YouTube video and a 1,500 manifesto linking to the buildup to these terrible crimes. Read more here.

And we are back to the dilemma thing. As a mother I am screaming out for these “expanded monitoring powers”, but as a privacy advocate I am terrified by these developments as it gives justifications for increased invasions to our private space, that is getting smaller and smaller…..

Australia Looks at Privacy (again)

by

28 July 2011

00:12

Leave a comment on Australia Looks at Privacy (again)

Australia, Information Privacy, Legislation

With the recent phone hacking scandals in the UK, politicians in Australia are asking ‘can it happen here?’ – and it is highlighting the lack of rights individuals have with respect to privacy in Australia along with the lack of powers that the Privacy Commissioner has.

Whilst there has been an increase in the number of reported data breaches, there is no legislative requirement for companies to report breaches – hence a lot of breaches are not reported.  The Australian Law Reform Commission (ALRC) have made a number of recommendations on Data Breach legislation that have (largely) not been acted on by the Federal Government.

For more details, please see the following article:

http://www.smh.com.au/technology/technology-news/thousands-of-privacy-breaches-going-unreported-20110727-1hzes.html

Good!

by

31 May 2011

16:28

Leave a comment on Good!

Legislation, Social Networking

You know we’re all guilty in some way… that is those of us that hang-out online in social networking sites of not being as good at protecting our privacy as we should. Most of this is due to the complexity of the whole process.. it really is not straight-forward. Even some of my security friends are partially public online, with changes happening on FB so regularly it is difficult with our busy agendas to keep checking our privacy settings. For example if you are using FB as a tool to keep connected to just close friends and family you should try and have your profile unsearchable both within and outside of FB. This is possible with the privacy settings available.

Well now social networking sites are being forced, at least in California of doing something about this. Read more at SF Chronicle.

Don’t miss the cookie deadline :-P

by

26 May 2011

12:10

Leave a comment on Don’t miss the cookie deadline :-P

European Union, Legislation

The deadline for EU member states to implement the new cookie law is today! And not many member states are ready to eat their cookies yet! To date, Denmark and Estonia are the only states to have implemented the amended EU Privacy and Communications Directive, which gives Internet users more control of their data and requires any company with EU customers to comply. This requirement is a provision in an amendment to the E.U.’s Privacy and Electronic Communications Directive, which was adopted in 2009.

One claimed reason for the sluggish implementation of the directive is confusion around its intended purpose, as well as how best to implement it without destroying the businesses that rely on cookie placement to generate revenue, such as online advertising networks. The most visible change is the introduction of an “explicit consent” requirement. Read more at ClickZ.

So how can this be implemented? On a technical level it’s messy because it needs to be added on. It is not a built in privacy functionality so this will result in significant inconvenience for web-users as websites seek explicit consent for cookie placement through pop-ups and other awkward mechanisms. If the privacy function for cookies…. or maybe not cookies…. were an integral function of our PC and of any web-app we happen to be interacting with, perhaps it would be more of a loyalty card function (maybe even shaking hands, representing mutual consent)…used in the physical world for relationship marketing. The customer presents a card each time the approach the checkout. Hence in exchange for sharing personal information the customer should receive certain benefits, and clearly transparency in what is being collected…

Me just brainstorming to myself a little here 🙂

We can justify our work!

by

12 May 2011

11:22

Leave a comment on We can justify our work!

Legislation, U.K.

,

I love this “A UK privacy authority has fined the solicitor behind ACS:Law £1,000 for failing to keep the personal data of at least 6,000 people secure.” Although the fine was pretty pathetic, it is still good to see numbers appearing against cost of lost personal and sensitive data as this helps us justify why we are needed! Read more at ZDNet.

What is more important is the loss to his reputation for his lax security, I can imagine that ACS business cost will be just a little bit more than £1,000 😉

Workplace privacy in the US is getting a new set of clothes

by

12 May 2011

11:14

Leave a comment on Workplace privacy in the US is getting a new set of clothes

Legislation, U.S.

Significant developments in workplace privacy law and policy in the US over the past year have left employers with a number of new obligations. Litigation in state and federal courts, state legislation and federal agency actions have all led to increased protections for employees, requiring employers to carefully consider and, as necessary, revise their workplace privacy policies and procedures.

I am not sure exactly which laws these are? Any links to relevant laws would be really appreciated!