16 June 2015


Posts relating to the category tag "privacy" are listed below.

16 June 2015

The Value of Personal Information

The story that consumers and others are willing to give away information about their personal life to companies in exchange for some trivial benefit is often heard. A new research paper published in the United States undermines this belief.

Clubbers enjoying Carl Cox dj-ing in Ibiza

The Tradeoff Fallacy - How Marketers Are Misrepresenting American Consumers And Opening Them Up to Exploitation has been written by Joseph Turow and Michael Hennessy from the Annenberg Public Policy Center at the University of Pennsylvania and NoraDraper from the Department of Communication at the University of New Hampshire.

People often release information about themselves in ways that suggest little concern about disclosure and collection of their personal data.

The authors found that a large pool of Americans feel resigned to the inevitability of surveillance and the power of marketers to harvest their data. And people who are resigned do not predictably decide to give up their data. Additionally there was no statistical relationship found between being resigned to marketers' use of data and accepting or rejecting various kinds of supermarket discounts.

Read the paper and further analysis on Techcrunch.

Posted on: 16 June 2015 at 07:58 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

02 June 2015

Opinion on Data Protection in Mobile Health

The European Data Protection Supervisor (EDPS), responsible for protecting personal data and privacy and promoting good practice in the EU institutions and bodies, has published an opinion on Mobile Health.

The cover sheet from the European Data Protection Supervisor (EDPS) opinion on Mobile Health (mHealth)

Opinion 1/2015 Mobile Health (mHealth) discusses the opportunities and potential benefits of the convergence of IT and the health sector, especially the use of mobile apps. The apps can deliver health-related services through smart devices often processing personal information about health and other lifestyle and well-being information.

The EDPS was concerned the adverse effect mHealth may have on individuals' rights to privacy and personal data protection, and wanted to highlight relevant aspects that might be overlooked. It builds on existing data protection rules and draws upon the 2013 opinion adopted by the Article 29 Working Party on mobile apps installed on smart devices. It also considers the implications of the potential changes in the proposed General Data Protection Regulation ("GDPR").

The opinion's view is that the following measures, reproduced verbatim, would bring about substantial benefits for data protection:

  • The EU legislator should, in future policy making measures in the field of mHealth, foster accountability and allocation of responsibility of those involved in the design, supply and functioning of apps (including designers and device manufacturers)
  • App designers and publishers should design devices and apps to increase transparency and the level of information provided to individuals in relation to processing of their data and avoid collecting more data than is needed to perform the expected function. They should do so by embedding privacy and data protection settings in the design and by making them applicable by default, in case individuals are not invited to set their data protection options manually, for instance when installing apps on their smart devices
  • Industry should use Big data in mHealth for purposes that are beneficial to the individuals and avoid using them for practices that could cause them harm, such as discriminatory profiling
  • The legislator should enhance data security and encourage the application of privacy by design and by default through privacy engineering and the development of building blocks and tools.

In the document's conclusion, the EDPS hopes that compliance with data protection principles and rules will contributing to the full development of the mHealth sector.

Posted on: 02 June 2015 at 08:29 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

28 April 2015

Summary of Last Year's ICO Enforcement Action

PwC UK has published a summary of enforcement actions taken by the Information Commissioner's Office (ICO) in 2014.

Partial view of a chart from the PwC report 'Privacy and Security Enforcement Tracker 2014' showing a comparison of the number of each enforcement type undertaken by the ICO in 2012, 2013 and 2014

The Privacy and Security Enforcement Tracker 2014 summarises and comments on information originally published by the ICO on its web site concerning actions it has taken against organisations. This includes enforcement notices, monetary penalty notices, prosecutions and undertakings.

The report also summarises trends in other jurisdictions and provides information about Belgium, France, Germany, Italy, Lithuania, Mexico, Poland, Russia, Spain, Sweden, Switzerland and the United States of America.

Although the information security risk mitigations and controls required by the ICO are not summarised, for those processing personal data online, the ICO itself summarised these in May.

Posted on: 28 April 2015 at 07:17 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

04 April 2015

International Personal Data Transfers within AWS

The European Commission's Article 29 Working Party (Art. 29 WP) and lead authority the Luxembourg National Commission for Data Protection (Commission Nationale pour la Protection des Données - CNPD) have announced their decision of a review of Amazon Web Services in relation to the international transfer of personal data.

The Dear Mr Dubois letter

The letter states that the lead authority has analysed Amazon Web Services (AWS) "Data Processing Addendum" and its Annex 2 "Standard Contractual Clauses" which incorporates Commission Decision 2010/87/EU.

The conclusion is that "...by using the 'Data Processing Addendum' together with its annexes, AWS will make sufficient contractual commitments to provide a legal framework to its international data flows, in accordance with Article 26 of Directive 95/46/EC".

This would imply that AWS customers will be able to assume that any transfers of personal data to non European Economic Area (EEA) AWS regions will have the same level of protection as it receives within the EEA.

Posted on: 04 April 2015 at 09:50 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

23 January 2015

Undertaking by Office for Data Protection Act Breach

UK privacy regulator The Information Commissioner's Office (ICO) has published details of its enforcement action against shoe retailer Office.

Partial screen capture of a page from Office e-commerce website www.office.co.uk

The action relates to the unauthorised access of more than a million customer records on a legacy system that was not being protected adequately.

Office Holdings Ltd has signed an undertaking to comply with the fifth (retention) and seventh (security) data protection principles.

The undertaking requires Office to:

  • Undertake regular penetration testing of its websites and servers
  • Implement new data protection policy documents, including a retention and disposal policy for customer data
  • Provide initial and refresher formal data protection training to all Office employees
  • Implement any other security measures as necessary to protect personal data
  • Only retain personal data as long as necessary.

Office seem lucky not to have been fined. There is nothing above that they shouldn't already have been doing and "exposure of decommissioned software/services" is one of the most common classes of IT security vulnerabilities in online systems that result in failures to secure personal data identified by the ICO last May. This document was published by the ICO at about the same time as the Office incident occurred so I think other retailers have been warned and would not be treated as lightly for a similar breach now.

Posted on: 23 January 2015 at 08:34 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

09 January 2015

FTC Final Order Against Snapchat

Following a public comment period in May-June 2014, at the end of December the US consumer protection body Federal Trade Commission has approved a final order settling charges against Snapchat that lasts for twenty years.

Part of the FTC's final order against Snapchat Inc showing the text 'VII. IT IS FURTHER ORDERED that respondent within ninety (90) days after the date of service of this order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit an additional true and accurate written report. VIII. This order will terminate on December 23, 2034, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of: A. any Part in this order that terminates in fewer than twenty (20) years; B. this order's application to any respondent that is not named as a defendant in such complaint; and C. this order if such complaint is filed after the order has terminated pursuant to this Part.'

The charges related to how Snapchat deceived consumers about the automatic deletion of private images sent through the service.

The key FTC documents are:

The final order, 23rd December 2014::

  • Prohibits Snapchat from misrepresenting how its products or services maintain and protect the privacy, security, or confidentiality of any covered information
  • Requires Snapchat to establish and implement, and thereafter maintain, a comprehensive privacy program
  • Requires Snapchat to obtain an initial and, for 20 years, biennial assessments and reports from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession
  • Requires Snapchat to retain for 5 years records of all communications, complaints, notifications about possible order compliance failures, and assessment materials
  • Requires Snapchat to ensure it provides a copy of the order, and keep evidence of this, to all current and future subsidiaries, current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of the order
  • Requires Snapchat to notify the FTC of relevant corporate structure changes
  • Requires Snapchat to provide, within 90 days of the order, a document detailing the manner and form of its compliance with the order.

The order ends on 23rd December 2034 — an additional twenty year compliance overhead on top of the privacy program they should already have had in place.

I wonder if US consumers are also affected by the Moonpig API saga.

Posted on: 09 January 2015 at 08:42 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

16 December 2014

Guidance on the ASA's Online Remit Extension

The UK's Advertising Standards Authority (ASA) has had a digital remit since 2011 in the form of the CAP Code Digital Remit for Advertisements and Other Marketing Communications.

Advertisements and other marketing communications by or from companies, organisations or sole traders on their own websites, or in other non-paid-for space online under their control, that are directly connected with the supply or transfer of goods, services, opportunities and gifts, or which consist of direct solicitations of donations as part of their own fundraising activities.

Last week the ASA announced guidance on the remit extension. Broadly the new guidance explains through example cases that the ASA Council will take into account the entire context in which claims are made, in determining whether the primary purpose of the communication is to sell something and therefore whether it falls within the remit of the CAP Code.

The guidance provides six illustrative case studies that show that if the primary purpose of a web page is to sell something it is almost certain to be in scope, and how the scope can grow by including other marketing communication copy on a web site. Similarly, the context of the page in regards purpose and navigation can affect whether the remit applies, advertgames that are closely linked to products increase the likelihood of being in scope, and user generated content (UGC) can be misused so that it then becomes within scope

So I believe a claim of security or privacy that is intended to help complete a sale would perhaps fall within the remit.

Posted on: 16 December 2014 at 19:27 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

07 December 2014

On Anonymity and Accountability

A post by information security practitioner Robert Hansen titled Anonymity or Accountability raised an interesting topic.

I wonder about the language here — "safety" and "freedom" are not opposites...

I think there is a terminology problem, and some misunderstandings about privacy from this security viewpoint. But a useful discussion to have. Read more on the WhiteHat Security blog.

Posted on: 07 December 2014 at 13:58 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

25 November 2014

Two ENISA Reports on Cryptography

At the end of last week, the European Union Agency for Network and Information Security (ENISA) published two reports on the use of cryptography.

One of the tables from ENISA's report 'Algorithms, Key Size and Parameters 2014'

Algorithms, Key Size and Parameters 2014 (PDF) provides guidance on appropriate cryptographic protective measures for the protection of personal data in online systems. The report defines primitives/schemes that can be considered for use today, as well as those for new/future systems. The document is intended for technical specialists designing and implementing cryptographic solutions..

The second report, Study on Cryptographic Protocols (PDF) extends the previous report to look at how the primitives/schemes are used in cryptographic protocols.

Both reports are free to access without registration.

Posted on: 25 November 2014 at 18:27 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

20 November 2014

TRUSTe Privacy Deception and Misrepresentation

US regulator Federal Trade Commission (FTC) has taken to task self-appointed privacy certifier TRUSTe (True Ultimate Standards Everywhere, Inc.) which labels itself as "powering trust and compliance".

Partial screen capture of a page from the TRUSTe web site showing some of its web privacy certification products

In a press release issued this week, the FTC states that TRUSTe has agreed to settle charges that it "deceived consumers about its recertification program for company's privacy practices, as well as perpetuated its misrepresentation as a non-profit entity".

Apart from a $200,000 fine, the proposed extensive settlement requires "TRUSTe will be prohibited from making misrepresentations about its certification process or timeline, as well as being barred from misrepresenting its corporate status or whether an entity participates in its program. In addition, TRUSTe must not provide other companies or entities the means to make misrepresentations about these facts, such as through incorrect or inaccurate model language.".

TRUSTe CEO Chris Babel's comment about the settlement can be found on the TRUSTe blog.

The United Kingdom TRUSTe web site is http://www.truste.co.uk/ which lists many UK clients. Sadly, a Google search indicates many of their clients haven't realised what's been going on and are still promoting the label.

Posted on: 20 November 2014 at 14:15 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

More Entries

Privacy : Application Security and Privacy
ISO/IEC 18004:2006 QR code for https://clerkendweller.uk

Page https://www.clerkendweller.uk/privacy
Requested by on Saturday, 28 November 2015 at 04:01 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use https://www.clerkendweller.uk/page/terms
Privacy statement https://www.clerkendweller.uk/page/privacy
© 2008-2015 clerkendweller.uk