Saturday, April 26, 2008

Social networking

Having returned from a roundtable discussion on social networking, identity and privacy at ICRI, Leuven, a few things to draw attention to:

1) The International Working Group on Data Protection (pdf) has issued a report on social networking with the following:

"With respect to privacy, one of the most fundamental challenges may be seen in the fact that most of the personal information published in social network services is being published at the initiative of the users and based on their consent. While "traditional" privacy regulation is concerned with defining rules to protect citizens against unfair or unproportional processing of personal data by the public administration (including law enforcement and secret services), and businesses, there are only very few rules governing the publication of personal data at the initiative of private individuals, partly because this had not been a major issue in the "offline world", and neither on the Internet before social network services came into being. Furthermore, the processing of personal data from public sources has traditionally been privileged in data protection and privacy legislation."

Some points from the same report:

1. Introduce the option of a right to pseudonymous use – i.e. to act in a social network service under a pseudonym –, where not already part of the regulatory framework.

2. Ensure that service providers are honest and clear about what information is required for the basic service so that users can make an informed choice whether to take up the service, and that users can refuse any secondary uses (at least through opt-out), specifically for (targeted) marketing. Note that specific problems exist with consent of minors (note the work of the data protection commissioners)

3. Introduction of an obligation to data breach notification for social network services. Users will only be able to deal especially with the growing risks of identity theft if they are notified of any data breach. At the same time, such a measure would help to get a better picture of how well companies secure user data, and provide a further incentive to further optimise their security measures.

4. Re-thinking the current regulatory framework with respect to controllership of (specifically third party-) personal data published on social networking sites, with a view to possibly attributing more responsibility for personal data content on social networking sites to social network service providers (on this point, the Data Protection Directive is fairly clear about the obligations of data controllers)

5. Improve integration of privacy issues into the educational system. As giving away personal data online becomes part of the daily life especially of young people, privacy and tools for informational self-protection must become part of school curricula." (note the work of the data protection commissioners)

2) Discussion of the changes made to the existing Electronic Communications Framework focussed more on:

– breach notification provisions - not merely the remit of ISPs and network operators, but extended to
– better protection against spam and malware, particularly on strengthening the powers of ISPs against spammers
– better enforcement

3) Phorm was discussed briefly - the UK ICO has already indicated that opt-in consent of users will be required before ISPs can use it:

"Phorm and the ISP will also have to comply with the Privacy and Electronic Communications Regulations 2003 (PECR) even where they do not process personal data. Under Regulation 6 of PECR a user must be informed when a cookie is placed on their computer, given clear and comprehensive information about the purpose of the storage and given the ability to refuse it being placed on the system. The information we have seen so far indicates that users will be informed by the ISP about the use of cookies as part of the process of being told about the service and given a choice about whether or not to participate. Users will also be able to configure their internet browser to block all cookies from Phorm and therefore prevent any profiling without a cookie being loaded. How this operates in practice will not be apparent until the trials by the ISP get underway or the product is rolled out but it should be possible for the ISPs and Phorm to achieve compliance with Regulation 6.

Regulation 7 of PECR will require the ISP to get the consent of users to the use of their traffic data for any value added services. This strongly supports the view that Phorm products will have to operate on an opt-in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users.

Whether or not the deployment of the Phorm products raises matters of concern to the Commissioner will depend on the extent to which the assurances Phorm has provided so far are true. The Commissioner has no reason to doubt the information provided by Phorm but some technical experts have publicly expressed concerns. The Commissioner welcomes the efforts Phorm is making to engage with concerned technical experts and believes that it is only by allowing its technology to be subject to detailed scrutiny by independent technical experts that it will be able to prove their assertions regarding privacy which will be important for the commercial success of the product."
