Digital online rights for children

Sweden is ahead of the rest of the world when it comes to children’s rights, even in the digital/online world. Read more here.

To say I felt an excitement deep in me is an understatement. It was children’s safety online which brought me into privacy. My master’s thesis for my MSc Information Security was on protecting children online, which led to the publication of my first book “Virtual Shadows” in 2009. This was 8 months before the birth of my daughter.

But what triggered me, long before this, was my son, who was 18 by the time I had published my first book. I often had computers at home, normally open as I was twiddling with them, and so was he since he was 10 years old.

I saw his fascination with Sim City and other highly educational games which transported him into worlds of logistics and consequences. The theme of conversation amongst the boys was which level they had reached, e.g. how a famine had broken out, bad decisions on arming, etc. Gaming was not multi-player, it was single player, and installed on a PC in those days.

What Sweden has triggered is awesome. Beyond what any country has done when it comes to human rights, not surprising considering they were the first country globally to give equal rights to children in 1971. Now in 2020, it has reached the digital world.

UK national ID card scheme to be scrapped!

Wow, I love this news that the UK’s coalition government will be keeping their promises to “reverse and restrain many of the surveillance systems that have marked its citizens out as the most watched in the world,” THINQ.co.uk reports. Plans include scrapping the National Identity Register and ID card, as well as biometric passports, and expanding the Freedom of Information Act. Other coalition commitments include removing innocent people’s records from the DNA database, regulating the use of CCTV and halting the prior government’s plan to retain national records of e-mail and communications data.

This will include a proposal to “outlaw” the finger-printing of children at school “without parental permission”. It will be interesting to see how they pan out in the statistics department for Privacy International “Most surveyed countries report” in a couple of years 🙂

Beware of school authorities bearing gifts ;-)

Picked up from Jack’s tweets….

According to the filings in Blake J Robbins v Lower Merion School District (PA) et al, the laptops issued to high-school students in the well-heeled Philly suburb have webcams that can be covertly activated by the schools’ administrators, who have used this facility to spy on students and even their families. The issue came to light when the Robbins’s child was disciplined for “improper behavior in his home” and the Vice Principal used a photo taken by the webcam as evidence. The suit is a class action, brought on behalf of all students issued with these machines.

This is a scandal... read more at boingboing.

National Crime Database Raises Privacy Concerns

The (quiet) introduction of a National Police Reference System in Australia has raised concerns about its impact on privacy. The database (run by CRIMTRAC) has millions of records, including DNA and fingerprints, and is able to be accessed by all Australian law enforcement officers. There are up to 80,000 accesses to the data per day.

For more detail, please see http://www.smh.com.au/national/privacy-fears-growing-as-police-tighten-national-grip-20100117-mecr.html.

Shedding Your Identity in the Digital Age

is the title of a new article in the December 2009 issue of Wired Magazine. For one month, Evan Ratliff shed his digital identity and tried to disappear. Wired offered $5000 to the first person who could locate him, say the password “fluke” and take his picture within the one month contest period. The premise of the contest was simple: “how hard is it to vanish in the digital age?” The article chronicles his adventures on the run, and the phenomenon it created on Twitter. Using the hashtag #vanish, contest participants were “tweeting” up to 600 tweets a day as they shared clues and personal information about Evan Ratliff (such as his middle name, a common question of private investigators).

I recommend you pick up the print edition of the article while still available, as it is better than the online version. Otherwise, check out the online version here.

Facebook – “That social norm is just something that has evolved over time”

According to Mark Zuckerberg, the 25-year-old chief executive and founder of Facebook, “People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people”. For him, “That social norm is just something that has evolved over time”.

Complete article here (The Guardian): Privacy no longer a social norm, says Facebook founder

Data Privacy Day 2010 is just around the corner

Data Privacy Day 2010 is occurring on January 28th. Data Privacy Day is an annual international celebration to raise awareness and generate discussion about information privacy. In 2009, both the U.S. Senate and House of Representatives recognized January 28th as National Data Privacy Day.

Over the past few years, privacy professionals, corporations, government officials and representatives, academics, and students in the United States, Canada, and 27 European countries have participated in a wide variety of privacy-focused events and educational initiatives in honor of Data Privacy Day. They have conducted discussions, examined materials and explored technologies in an effort to bring information privacy into our daily thoughts, conversations and actions.

“Despite all the benefits of new and innovative technologies, there are doubts and worries that persist about just how much personal information — our digital identity — is collected, stored, used, and shared to power these convenient and pervasive services.”

Richard Purcell, executive director of The Privacy Projects (www.theprivacyprojects.org), organizing sponsor of Data Privacy Day.

Data Privacy Day has also provided an opportunity to promote teen education and awareness about privacy challenges when using mobile devices, social networking sites and other online services.

Everyone is welcome to participate by sponsoring events, contributing writings and other educational resources, joining activities, and taking actions designed to raise privacy awareness.

More information can be found on the event website at: dataprivacyday2010.org.

EU ePrivacy Directive amendment

A recently passed amendment to the EU Privacy Directive will require Internet users’ consent before cookies can be placed on their computers. This is part of a revised ePrivacy Directive, close to enactment, that includes improvements on security breaches, cookies and enforcement. The new provisions will bring vital improvements in the protection of the privacy and personal data of all Europeans active in the online environment. The improvements relate to security breaches, spyware, cookies, spam, and enforcement of rules. The revised ePrivacy Directive must be implemented by the Member States within 18 months.

The changes introduced include:

    For the first time in the EU, a framework for mandatory notification of personal data breaches. Any communications provider or Internet service provider (ISP) involved in individuals’ personal data being compromised must inform them if the breach is likely to adversely affect them. Examples of such circumstances would include those where the loss could result in identity theft, fraud, humiliation or damage to reputation. The notification will include recommended measures to avoid or reduce the risks. The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches;
    Reinforced protection against interception of users’ communications through the use of – for example – spyware and cookies stored on a user’s computer or other device. Under the new Directive users should be offered better information and easier ways to control whether they want cookies stored in their terminal equipment;
    The possibility for any person negatively affected by spam, including ISPs, to bring effective legal proceedings against spammers;
    Substantially strengthened enforcement powers for national data protection authorities. They will for example be able to order breaches of the law to stop immediately and will have improved means of cross-border cooperation.

What this means is that the data subject has increased protection online. If their personal data has been exposed, they must be notified. As such they must be informed if personal information on them is being collected, and they should have the option to opt-out (or more preferably opt-in). This is not possible with the way cookies are used today where they are just downloaded onto the users’ PCs without warning. All security to warn the user of tracking cookies is provided by the web-browser. This will now have to be included in the cookie itself... I think. Any experts out there that know how this could work in practice, please jump in here and comment 🙂

I also read some references to how the use of RFID for the collection of personal information falls in the scope of this amendment.

And finally enforceability is key. Hence each member state must have the appropriate legislation implemented to make this amendment effective and enforceable.

One month today since Ivy joined us!

You know today is a pretty special day. It is exactly one month since my daughter Ivy checked-out and joined us, pappa and myself in this exciting world. Exciting because it feels today as though we have come over a challenging and most beautiful month and feel a real achievement. We are learning how Ivy likes things and Ivy is getting quite at home with the way we run things.

Other things linked to privacy have been interesting since Ivy’s birth.

1. During the pregnancy and afterwards I have needed to provide blood tests on many occasions, and each time I need to remember to ‘opt-out’ of them holding my blood in a blood bank somewhere. I am sure I forgot to do the opt-out once, and I need to check this. This was quite annoying.

2. In my book Virtual Shadows I said that all new-borns in Sweden provide a ‘blood-spot’ that is used in research for PKU. My experience now shows that this is the case although what I didn’t know before is that you can opt-out. This is what we did with Ivy.

3. Ivy got a personal ID number assigned which aroused a conflict of emotions both as a parent and privacy advocate. As a parent a sense of pride that my Ivy really existed as a Swedish citizen in the system, as a privacy advocate.. well no explanation needed there.

4. We bought a ‘child-alarm’ as we live in a big house and we could choose between audio or audio/video. I am dismayed that I chose the latter option. My need for Ivy’s safety in the case of Ivy seems to have overridden her need for privacy. Having said that the video stores nothing, and in practice I think it was a waste of money, we normally hear her crying before the video switches itself on anyhow triggered by the noise. I still think an audio version is a good choice. The video just gives a false sense of security.

5. Sweden has centralised their health records a little like what the U.K. has been trying to do against massive public resistance. I am in principle against this, but it does have its benefits so long as you trust the data holding authorities. The benefits became apparent when access to my medical records was needed urgently when I became very ill (that led to an early arrival for my daughter :-)). Again I am faced with the conflict of my safety vs. the right for privacy, and the need to trust those holding my private information. I have no choice but to trust the Swedish authorities, but I am not sure I would trust the British authorities’ centralisation efforts. Here we are looking at consolidation of 64m (living) health records not just 9 million as in Sweden. Even if you did trust the British authorities to have the right intentions, in practice if the business processes are not working today, how can technologies applied to flawed business processes be expected to protect the confidentiality and integrity of your personal data?