Friday, January 13, 2006

Another case of privacy invasion

I came across this recent press release about Apple's popular iTunes software. It was disconcerting to find that the software could send information about computer users' playlists back to Apple.

The new music software includes a 'MiniStore' window, which provides recommended links to Apple's music download service when a listener actively clicks on a song in their personal playlist, including songs that haven't been purchased from the iTunes store.

To provide those recommendations, the software sends information about the selected song, such as artist, title and genre, back to Apple. But the software also transmits a string of data that is linked to a computer user's unique iTunes account ID, computer experts have found.

Because iTunes users typically sign up for the music store with an email address and a credit card number, the account ID number could in theory be linked to that information, as well as a user's purchase history, said Apple expert Kirk McElhearn, who has published several books on Macintosh computers.
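The data-minimisation question in the report is a concrete, testable one: does a "recommend similar songs" lookup carry anything beyond the song details it needs, and is that extra value the same across requests for different songs (the signature of a tracking identifier rather than a per-request detail)? The following is an added example in Python, not code from the original post nor from Apple; the two sample requests are constructed to have the shape the article describes, and the host, path and parameter names (`uid`, `build`) are assumptions, not real iTunes traffic.

```python
"""Check a client's outbound requests against the stated purpose of a feature.

Added example, not code from the original post or from Apple. The two
requests below are constructed to have the shape the article describes
(song metadata plus an opaque account-linked string); they are not captures
of real iTunes traffic, and the host, path and parameter names are assumptions.
"""
import math
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# What a "recommend similar songs" lookup needs, per the article: artist, title, genre.
NEEDED_FOR_PURPOSE = {"artist", "title", "genre"}

# Constructed sample: two lookups for two different songs from the same client.
SAMPLE_REQUESTS = [
    "http://store.example.com/lookup?artist=Miles+Davis&title=So+What&genre=Jazz"
    "&uid=0123456789abcdef0123456789abcdef&build=6.0.2",
    "http://store.example.com/lookup?artist=Nina+Simone&title=Feeling+Good&genre=Jazz"
    "&uid=0123456789abcdef0123456789abcdef&build=6.0.2",
]


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character: 4.0 for an evenly mixed hex string, 0.0 for a constant."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def params(url: str) -> dict:
    """Single-valued query parameters of a URL (first value wins)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def excess_parameters(url: str, needed=NEEDED_FOR_PURPOSE) -> dict:
    """Parameters the stated purpose does not need (Art. 6(1)(c): 'not excessive')."""
    return {k: v for k, v in params(url).items() if k not in needed}


def persistent_identifiers(urls, needed=NEEDED_FOR_PURPOSE, min_len=16, min_entropy=3.0):
    """Excess parameters whose value is identical across requests for different
    songs and looks like an opaque token. A version string is also constant but
    short and low-entropy; a long high-entropy constant is what an account- or
    device-linked identifier looks like on the wire."""
    if not urls:
        return {}
    excess = [excess_parameters(u, needed) for u in urls]
    common = set.intersection(*(set(e.items()) for e in excess))
    return {
        k: v for k, v in common
        if len(v) >= min_len and shannon_entropy(v) >= min_entropy
    }


def audit(urls, needed=NEEDED_FOR_PURPOSE) -> dict:
    """Summarise: every excess parameter name seen, and those that behave like identifiers."""
    seen = set()
    for u in urls:
        seen.update(excess_parameters(u, needed))
    return {"excess": sorted(seen), "identifiers": persistent_identifiers(urls, needed)}


if __name__ == "__main__":
    result = audit(SAMPLE_REQUESTS)
    print("parameters beyond the stated purpose:", result["excess"])
    for name, value in result["identifiers"].items():
        print(f"persistent opaque identifier: {name}={value}")
```

The allowlist is the part a reviewer has to get right: it should be derived from the purpose the user was told about, not from what the client happens to send. Anything left over is either a detail to document in the privacy notice or, if it is constant and opaque across unrelated requests, a tracking identifier that needs its own justification and an opt-out.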

The data protection principles in Art. 6 of the Data Protection Directive 95/46/EC provide that:

1. Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

2. It shall be for the controller to ensure that paragraph 1 is complied with.

What is unclear is why users were not informed that information about their playlist could be sent back to Apple. Irrespective of whether consent has been given, sending an account-linked identifier alongside the song details appears to go against at least principles (b) and (c) above: the identifier is not needed to provide a recommendation for the selected song, so it is hard to see it as "adequate, relevant and not excessive" for that purpose, and no "specified, explicit" purpose for collecting it was given to users.

Furthermore, the Directive on Privacy and Electronic Communications 2002/58/EC provides that such use should only be allowed for legitimate purposes with the knowledge of the user concerned. Art. 5(3) states that:

Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

Recital 24 of the same Directive provides that:

Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.

I do not want to dwell on this too much, but for those interested in this area, see Spyware watch and Wikipedia's definition of spyware.

The UK Information Commissioner has also issued guidance on the Privacy and Electronic Communications (EC Directive) Regulations 2003, which implement the Directive on Privacy and Electronic Communications 2002/58/EC in the UK.
