Monday, May 26, 2008

Annual PL&B Conference on Data Protection

The 21st Annual PL&B Conference will be held on 7-9 July 2008 at St John's College, Cambridge, UK. The theme is "Value Privacy, secure your reputation, reduce risk".

For further details, see

Spam, spam, spam

Courtesy of DataGuidance, this recent development was drawn to my attention:

Spam will become a criminal offence on 26 May 2008, when the Consumer Protection from Unfair Trading Regulations 2008 come into force. According to Schedule 1 of the new Regulations, ‘making persistent and unwanted solicitations by telephone, fax, email and other remote media, except in circumstances and to the extent justified to enforce a contractual obligation’, will be deemed an unfair commercial practice in all circumstances. The maximum penalty for spamming is two years' imprisonment.

The regulations also cover ‘displaying a trust mark, quality mark or equivalent without having obtained the necessary authorisation’, and ‘conducting personal visits to the consumer’s home ignoring the consumer’s request to leave’.

The Consumer Protection from Unfair Trading Regulations 2008 implement the Unfair Commercial Practices Directive (UCPD) into UK law.

The unusual thing is that we already have the Directive on Privacy and Electronic Communications 2002/58/EC (Art. 13), which deals with spam and is implemented in the UK by the Privacy and Electronic Communications Regulations; the new Regulations take this one step further by making spamming a criminal offence. Note also that there are technological measures against spam (not least e-mail filters) or, as some prefer, disposable-address services such as Mailinator and SpamGourmet.


Tuesday, May 20, 2008

Data Portability

TechCrunch has recently posted this development in the social networking sphere, which raises some questions about the ease with which personal information can be transferred from one social networking website to another.

"How much are your friends worth? That is the question behind the big debate going on around social networks and data portability. In the last ten days, Facebook, Google, and MySpace have all announced ways to let people access their data (including friends lists) from other sites, except that what they are really trying to do is erect new walled gardens by positioning themselves as the primary repository of that personal and social data. This is valuable data and none of the big players want to cede any more of it than is necessary, which is why Facebook banned Google from tapping into its members’ social data. But here’s a little secret. All of this data is already leaking out in ways that Facebook and other social networks can hardly control. Startups are finding ways around their official APIs to get the data consumers want into their own systems. For instance, Zude, a personalized Webpage service, recently launched a feature called SocialMix that lets people import friends lists, photos, profile information, status updates, comments, and other data from Facebook, MySpace, Bebo, Orkut, and hi5. (See the screen shot below, which shows my Facebook friends on Zude). “What we are doing is taking the information and normalizing it and making it available in any manner you want,” claims Zude CTO Steve Repetti. He was tired of waiting around for true data portability to arrive, so he figured out a hack to offer it on his own (and it doesn’t involve screen scraping). Taking a different approach, Minggl has found a way to access your social data through a browser plug-in. And Media6° is placing cookies through the ads themselves on Facebook to collect social data for advertisers. If you click on an ad with one of its cookies, then the same ad will be shown to all of your friends, who supposedly are two to ten times more likely to click on the ad than other people. 
Media6° also should be able to target Facebook members as they wander across the Web (as long as a cookie has been placed in their browsers and they come across an ad with the Media6° Javascript code embedded in it). I’ve come across other startups who claim to be able to pull profile and friend data from Facebook. Facebook can go after them and shut them down, but it is rightly more concerned about Google gaining free and unfettered access to that data. Google is the bigger competitor and the bigger threat. But in the meantime, all of these little startups are finding ways to get at the same social data being so ferociously guarded by Facebook. In fact, they already have it, and Facebook is going to have a hell of a time trying to put it back in the barn."

Whilst users may want to control their "data" (that is, their personal information) and be able to transfer it from one network to another, it is unclear to what extent this is happening on a large scale. Secondly, a further complicating dimension is that the "profile" is not necessarily only about the individual, but also includes friends' data held in another social networking environment, which raises the question of the applicability of the Data Protection Directive 95/46/EC. There is no question that processing data about people other than yourself constitutes the processing of personal data under the Data Protection Directive (or the corresponding national data protection laws), but, as a point of theoretical analysis: would Art. 3.2 of the Data Protection Directive 95/46/EC (processing personal information, even of friends, for private purposes) and the corresponding provisions of national data protection laws apply? This would depend on whether the data is easily accessible on the internet. The ECJ's decision in Lindqvist was fairly clear that Art. 3.2 does not apply where the internet makes the data accessible to anyone. However, whilst the Data Protection Directive 95/46/EC (and the corresponding national data protection laws) are relevant, the question will now hinge on the applicability of the exemptions under Art. 9 (artistic, literary and journalistic purposes) and Art. 13 of the Data Protection Directive 95/46/EC (and corresponding national data protection laws), which will need to be considered in more depth.


Thursday, May 15, 2008

Data Retention Directive and ISPs

Out-Law has recently posted this press release concerning the Communications Data Bill, which will implement the Data Retention Directive 2006/24/EC ("DRD"):

"Phone and internet companies will soon be forced to keep logs of internet usage to be made available to the police under a new law announced by Prime Minister Gordon Brown this week.

The law, the Communications Data Bill, will implement the remainder of the European Union's Data Retention Directive.

Last October the Government enacted regulations which said that telcos must keep records of phone calls to and from land lines and mobile telephones. That requirement will be extended to records of customers' internet usage, email usage and voice over internet protocol (VoIP) records.

“The aim of the [Directive] is to ensure that certain data is retained to enable public authorities to undertake their lawful activities to investigate, detect and prosecute crime and to protect the public," said a Home Office spokeswoman.

“The first part of the [Directive] was transposed into UK law in October 2007 but the Government made a declaration … to postpone its application to the retention of communications data relating to internet access, internet telephony and internet email until 2009. So the measures referred to in the Communications Data Bill will complete the transposition of the Directive for IP [internet protocol] communications data," said the Home Office spokeswoman."

See also:

Monday, May 12, 2008

ICO Powers

According to the latest post from PL&B, the Criminal Justice and Immigration Act has received Royal Assent; among other things, it strengthens the powers of the ICO to impose fines for serious breaches of the DPA 1998:

Organisations now face substantial fines for deliberately or recklessly committing serious breaches of the Data Protection Act. The Criminal Justice and Immigration Act, which received Royal Assent (the final legislative stage) on 8 May, introduces a civil penalty rather than a criminal penalty, the result of an amendment adopted by the House of Lords last month.

The Information Commissioner can impose fines when organisations ‘knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial distress or damage, but failed to take reasonable steps to prevent the contravention.’

Although not what it asked for, ICO welcomes the new penalty.

David Smith, Deputy Information Commissioner said: “This change in the law sends a very clear signal that data protection must be a priority and that it is completely unacceptable to be cavalier with people’s personal information. The prospect of substantial fines for deliberate or reckless breaches of the Data Protection Principles will act as a strong deterrent and help ensure that organisations take their data protection obligations more seriously.

“This new power will enable some of the worst breaches of the Data Protection Act to be punished. By demonstrating that the law is being taken seriously, tougher sanctions will help to reassure individuals that data protection matters and give them confidence that organisations have no choice but to handle personal information properly.”

See also:

Monday, May 05, 2008

Facebook Trust

Aside from the privacy issues, a discussion forum with Stanford students on the psychology of Facebook is looking at "high-trust contexts" in Facebook. The BBC has recently written an article on this project:

"A group of students at Stanford University in the heart of Silicon Valley have turned their attention towards a unique course that blends popular culture with the more time-worn principles of psychology. The Psychology of Facebook is the brainchild of Professor B J Fogg, a pioneering persuasion psychologist who founded the Persuasive Technology Lab at Stanford.

He says: "When Facebook came along I was one of the developers at the launch and what struck me was how there was this new form of persuasion. This mass interpersonal persuasion."

The latest discussion focuses on high-contextualised trust:

"These are the high-level questions we should strive to answer to understand how trust works. The materials address one or more of these questions:
  1. What Defines and Affects Trust?
  2. How Do We Act in a Trusted vs. Untrusted Environment?
  3. How Does Trust Level Compare on Facebook vs. Internet vs. "Real World"?
  4. Trust Creation: Slow, Gradual, Painstaking
  5. Trust Destruction: Instant, Deadly, Spectacular

Trust as a Function of "Perception of Risk"

One way to think about trust is by examining the flipside: the potential downside of opening up and sharing. A trusted environment is one where our perception of risk (something bad happening) is low. An untrusted environment is one we perceive as dangerous in some way. What could affect the perception of risk:

  • Anonymity vs. accountability for your actions
  • Your demographics / psychographic profile (compare Gen Y vs. Boomers)
  • Comfort with the environment (sense of control)
  • Strength & number of connections (social proof is critical to trust creation)
  • Social pressure to participate (downside of being excluded)
  • Understanding the potential abuse and how to prevent it
  • Predictability of the environment"