Social networking

Having returned from a roundtable discussion on social networking and identity and privacy at Leuven, ICRI, a few things to draw attention:

1) The International Working Group on Data Protection (pdf) has issued a report on social networking with the following:

"With respect to privacy, one of the most fundamental challenges may be seen in the fact that most of the personal information published in social network services is being published at the initiative of the users and based on their consent. While ”traditional” privacy regulation is concerned with defining rules to protect citizens against unfair or unproportional processing of personal data by the public administration (including law enforcement and secret services), and businesses, there are only very few rules governing the publication of personal data at the initiative of private individuals, partly because this had not been a major issue in the “offline world”, and neither on the Internet before social network services came into being. Furthermore, the processing of personal data from public sources has traditionally been privileged in data protection and privacy legislation."

Some points from the same report:

"Regulators

1. Introduce the option of a right to pseudonymous use – i.e. to act in a social network service

under a pseudonym –, where not already part of the regulatory framework.

2. Ensure that service providers are honest and clear about what information is required for the
basic service so that users can make an informed choice whether to take up the service, and that users can refuse any secondary uses (at least through opt-out), specifically for (targeted) marketing. Note that specific problems exist with consent of minors (note the work of the data protection commissioners)

3. Introduction of an obligation to data breach notification for social network services. Users will only be able to deal especially with the growing risks of identity theft if they are notified of any data breach. At the same time, such a measure would help to get a better picture of how well companies secure user data, and provide a further incentive to further optimise their security measures.

4. Re-thinking the current regulatory framework with respect to controllership of (specifically third party-) personal data published on social networking sites, with a view to possibly attributing more responsibility for personal data content on social networking sites to social network service providers (on this point, the Data Protection Directive is fairly clear about the obligations of data controllers)

5. Improve integration of privacy issues into the educational system. As giving away personal data online becomes part of the daily life especially of young people, privacy and tools for informational self-protection must become part of school curricula." (note the work of the data protection commissioners)"

2) Discussion on the changes made to the existing Electronic Communications Framework: has focussed more on:

– breach notification provisions - not merely the remit of ISPs, and network operators, but extended to
– better protection against spam and malware, particularly on strengthening the powers of ISPs against spammers
– better enforcement

3) Phorm was discussed briefly - the UK ICO has already indicated that opt-in consent of users will be required before the ISPs could use this:

"Phorm and the ISP will also have to comply with the Privacy and Electronic Communications Regulations 2003 (PECR) even where they do not process personal data. Under Regulation 6 of PECR a user must be informed when a cookie is placed on their computer, given clear and comprehensive information about the purpose of the storage and given the ability to refuse it being placed on the system. The information we have seen so far indicates that users will be informed by the ISP about the use of cookies as part of the process of being told about the service and given a choice about whether or not to participate. Users will also be able to configure their internet browser to block all cookies from Phorm and therefore prevent any profiling without a cookie being loaded. How this operates in practice will not be apparent until the trials by the ISP get underway or the product is rolled out but it should be possible for the ISPs and Phorm to achieve compliance with Regulation 6.

Regulation 7 of PECR will require the ISP to get the consent of users to the use of their traffic data for any value added services. This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users.

Whether or not the deployment of the Phorm products raise matters of concern to the Commissioner will depend on the extent to which the assurances Phorm has provided so far are true. The Commissioner has no reason to doubt the information provided by Phorm but some technical experts have publicly expressed concerns. The Commissioner welcomes the efforts Phorm is making to engage with concerned technical experts and believes that it is only by allowing its technology to be subject to detailed scrutiny by independent technical experts that it will be able to prove their assertions regarding privacy which will be important for the commercial success of the product."

See also:

• Light Blue Touchpaper: The Phorm Webwise System
• UK ICO - Webwise and Open Internet Exchange
• UK Privacy and Electronic Communications Regulations 2003
  

Data notification breaches

The European Data Protection Supervisor has called for a data breach notification law (via Out-law) -

"The privacy watchdog for EU institutions has called for a planned requirement for telecoms companies to publish details of information security breaches to be extended to banks, businesses and medical bodies.

The European Commission has proposed a data breach notification law which would force telecoms companies to tell customers when personal information had been lost. The requirement was among other proposed changes to the Privacy and Electronic Communications Directive published last autumn.

The European Data Protection Supervisor (EDPS) has said that if the proposal is designed to help prevent identity theft it must be extended to include banks, businesses and others.

"While the EDPS is pleased with the security breach notification system … he would have favoured their application at a wider scale to include providers of information society services," said the EDPS's response. "This would mean that online banks, online businesses, online providers of health services etc would also be covered by the law."

Proposals to reform the European Electronic Communications Framework is likely to take place in Autumn this year. The main proposals to amend the Directive on Privacy and Electronic Communications 2002/58/EC include the following:

- introducing mandatory notification of security breaches resulting in users’ personal data being lost or compromised;

- strengthening implementation provisions related to network and information security to be adopted in consultation with the Authority;

- strengthening implementation and enforcement provisions to ensure that sufficient measures are available at Member State level to combat spam;

- clarifying that the Directive also applies to public communications networks supporting data collection and identification devices (including contactless devices such as Radio Frequency Identification Devices);

- modernising certain provisions that have become outdated, including the deletion of some obsolete or redundant provisions.

Some clarity is further given under the proposals over the use of spyware:

"In Article 5(3): this ensures that use of “spyware” and other malicious software remains prohibited under EC law, regardless of the method used for its delivery and installation on a user’s equipment (distribution through downloads from the Internet or via external data storage media, such as CD-ROMs, USB sticks, flash drives etc.)."

However, other than this, it should be noted that this can easily be removed by anti-spyware software (see this article) and stopbadware project.

See also:

• Commission's Proposal
  
• UK ICO Guidance on Data Security Management (pdf)
• Schneier's posting on Security-breach notification laws

Data Protection Developments

The latest issue of E-Commerce Law Reports (Vol. 7 Iss. 5 April 2008) is now available, which includes:

PRIVACY

In 'Promusicae v Telefónica', the European Court of Justice rules on the obligation of member states to order the disclosure of personal data on copyright infringers in civil actions (on the case of Promusicae v Telefónica, this has been discussed in a recent SCL article)

BROADCAST RIGHTS

In 'Karen Murphy v Media Protection Services', a pub landlord loses her appeal over the broadcast of live FA Premier League football matches using a foreign satellite system which is capable of decoding and broadcasting foreign satellite signals.

SUBJECT ACCESS RIGHTS

In Ezsias v Welsh Ministers, the High Court sets out the obligations placed on data controllers when faced with subject access requests under the Data Protection Act.

PUBLIC ACCESS

In an application to the Administrative Court by The Times, The Guardian and Financial Times, the Court applies a purposive construction to the CPR in facilitating public access to court documents.

BROADCAST RIGHTS

In 'The FA Football Association Premier League Limited v QC Leisure', the High Court considers the use of Article 81 of the EC Treaty as a defence to allegations of circumventing the cost of broadcasting FA Premier League matches using foreign satellite systems

DOMAIN NAMES

In MySpace, Inc v Total Web Solutions Ltd, MySpace wins the right to the 'myspace.co.uk' domain name, despite the respondent registering it approximately six years before MySpace was founded.

PATENTS

In 'Ingenico v Pendawell', the UK Intellectual Property Office revokes the patentability of an electronic payment system using assessment criteria which is at odds with European Patent Office caselaw.

IMAGE RIGHTS

In Grütter v Lombard, the South African Supreme Court of Appeal delivers a judgment paving the way for recognition and protection of image rights under South African common law.

PATENTS

In 'Astron Clinica Limited', the UK Patents Court considers whether patent claims could ever be granted for computer programs.

Ofcom's Study into Social networking

Having returned from a 2-day conference, Surveillance and Society, held at University of Sheffield (more to follow at a later stage), there has been a recent study published by Ofcom on Social networking. Some of the results stems from attitudes to social networking websites (no surprises about the likely usergroups):

Social networkers differ in their attitudes to social networking sites and in their behaviour while using them. Ofcom’s qualitative research indicates that site users tend to fall into five distinct groups based on their behaviours and attitudes. These are as follows:

• Alpha Socialisers (a minority) – people who used sites in intense short bursts to flirt, meet new people, and be entertained.
• Attention Seekers – (some) people who craved attention and comments from others, often by posting photos and customising their profiles.
• Followers – (many) people who joined sites to keep up with what their peers were doing.
• Faithfuls – (many) people who typically used social networking sites to rekindle old friendships, often from school or university.
• Functionals – (a minority) people who tended to be single-minded in using sites for a particular purpose.

Non-users of social networking sites also fall into distinct groups

Non-users also appear to fall into distinct groups; these groups are based on their reasons for not using social networking sites:

• Concerned about safety – people concerned about safety online, in particular making personal details available online.
• Technically inexperienced – people who lack confidence in using the internet and computers.
• Intellectual rejecters – people who have no interest in social networking sites and see them as a waste of time.

Although privacy was not given a high priority, some of the reasons that Ofcom has identified:

• a lack of awareness of the issues;
• an assumption that privacy and safety issues have been taken care of by the sites themselves;
• low levels of confidence among users in their ability to manipulate privacy settings;
• information on privacy and safety being hard to find on sites;
• a feeling among younger users that they are invincible;
• a perception that social networking sites are less dangerous than other online activities, such as internet banking; and, for some,
• having consciously evaluated the risks, making the decision that they could be managed.

Whilst one is not wholly convinced about the lack of awareness, given that the ICO has published guidelines on the use of social networking, the use certainly has become more mainstream.

See:

• Ofcom: Engaging with social networking sites