LinkedIn is being sneaky over your privacy settings!

Just in case this hasn’t come to your notice yet, but linkedin has the right to use your photos for advertising if you don’t opt-out šŸ™

Read more here. There is already discussions in progress on which privacy laws it is potentially breaking.

To opt-out you need to do the following:
1) go to your name on the top right hand corner and select settings from the drop down
2) select account on the settings page (bottom left)
3) under privacy controls, select manage social advertising
4) untick it > save

A little belated, but thanks to Eoin Fleming for the tip, more than 10 days ago!

Your right to opt-out of Google’s Street View service

I love what is going on in Germany during a few months now, in that almost 250,000 Germans have told Google to blur pictures of their homes on the Street View service. Which is quite right. The EU directive on data privacy gives the data subject the right to consent to any personal information being stored. I wonder why it is only happening in Germany and not elsewhere in the EU, after all it is our right as data subjects.

Freedom of speech in China

This is a privacy blog, however there are times when the right to freedom of speech and personal privacy overlap somewhat. Hence I am sure that I am not alone in feeling delighted at the award of the Nobel prize to Chinese dissident Liu Xiaobo (åˆ˜ę™“ę³¢).

There is more: on October 11, 23 Chinese Communist Party elders known for their pro-reform positions, including Mao Zedongā€™s former secretary Li Rui (Ꝏ锐) and former Peopleā€™s Daily editor-in-chief Hu Jiwei (胔ē»©ä¼Ÿ), submitted an open letter to the Standing Committee of the National Peopleā€™s Congress, formally Chinaā€™s highest state body, calling for an end to restrictions on expression in China. Read more at the China Media Project.

And where is your personal data in the cloud?

I’ve been working an awful lot on security and privacy in the cloud lately, surprise surprise ;-), and the thing that is really an interesting problem when it comes to the privacy of data being held, is precisely where the data is physically? This presents some challenges, for example not many countries outside of the EU have equivalent privacy legislation implemented, so if personal data from the EU is stored in the cloud, the hosting country needs to have equivalent legislation or some workaround to protect data both physically and legally. ComputerWeekly.com have a pretty good high level article on this. Also to get a feel of how privacy legislation is working worldwide. The article (p.17) published by ISSA (December 2009, and reprinted later by IAPP July 2010) may be a worthwhile background read. Be aware that there has been an update to this directive since, e.g. the “cookie directive”. I will publish more on this later.

More on behavioural marketing (in the US)

The Interactive Advertising Bureau and other advertising groups behind the industry’s self-regulatory privacy initiative are getting ready to officially launch a new trade organization. This means that you will see a special icon that consist of an i inside a triangle turned on its side to resemble a play button. In the past, Web companies tended to use privacy policies to notify people about tracking and behavioral targeting, but those policies have been criticized as lengthy and dense. Read more at Online Media Daily.

The use of Phorm surfaces privacy law flaws in the UK

Some interesting conflict. The EU is taking the UK to court for not taking appropriate measures to protect their citizens’s privacy i.e. the UK law does not protect personal privacy as strongly as EU laws demand. Most of this has come about because of the use of Phorm in the UK. Phorm invented a technology for ISPs to use to track users’ web use in order to serve them ads that were related to the recorded internet activity. ISP BT used this technology without telling users, which led to complaints to UK regulators and the Commission that this broke privacy laws.

It is interesting because it highlights some flaws in the UK privacy laws. Read more at out-law.com

Background on Phorm follows (an extract from Virtual Shadows book):
“During 2008 there was growing controversy about interception of peopleā€™s web traffic in the UK. At the centre of the storm is the ā€˜patent-pendingā€™ technology of a new company called Phorm. The drivers behind this are not government authorities but three of the main players in the telecommunications space. BT, TalkTalk and Virgin all signed up to use Phorm, which targets adverts to users based on usersā€™ web browsing habits. Phormā€™s proprietary ad serving technology claims to use anonymised ISP data to deliver the right ad to the right person at the right time, the right number of times. This means that end-users will receive advertising that is tailored to their interests in real time. Keywords in websites visited by a user are scanned and connected to advertising categories and then matched to particular adverts. That data may include sensitive personal data, because it will include the search terms entered by users into search engines and these can easily reveal information about such matters as political opinions, sexual proclivities, religious views and health.

Phorm anonymises identities: each user is given a persistent random ID, so that each time they browse, the same ID is used to collect information on their habits over a period of time, but Phorm cannot see the link between this ID and the natural identity. Phorm uses the ID to deliver tailored advertisements in their browser. This ID is used to distinguish the user from the millions of others on the internet and it does not contain any information about the user themselves or their computer. Users will have the choice to opt-in or opt-out of this service. TalkTalk has said it intends to make Phorm an opt-in system, whilst as of Spring 2008 the two other ISPs had not yet decided.

If a user is given a persistent ID, this means that whenever the user accesses the ISP, the ISP can see the link between the assigned ID and the userā€™s natural identity. The persistent ID is not encrypted as it is in the form of a cookie. To ensure ā€˜separation of dutyā€™ the system will enable the ISPs to prevent Phorm from knowing the userā€™s natural identity. This means that the ISPs will hold the persistent ID assigned to natural users and Phorm will receive the browsing habits attached to the persistent ID. If this is the case one could argue that the Phorm system is not based on anonymity, but it is in reality based on controlling the release of information.

According to an open letter sent to the UK Information Commissioner on 17 March 2008 (Fipr 2008), the Foundation for Information Policy Research4 have claimed that the online advert system Phorm is illegal and contravenes RIPA.

Fipr believes Phorm contravenes the Data Protection Act, in that users have to opt-out rather than opt-in, and RIPA, which makes the interception of any transmission across a public telecommunication system illegal without the explicit consent of users. (Exceptions are when police are investigating a serious crime such as kidnapping and need to listen in to conversations between a family and the criminals, although even they must first obtain an authorisation under RIPA.)”