Graphing privacy

Last month, Facebook announced its latest innovation: Graph Search, widely regarded as an attack on Google’s dominance in the online search market.

Graph Search is being rolled out gradually across Facebook’s billion-strong user base, and will enable people to conduct “real language” searches of Facebook users. So you can search for “people in Tunbridge Wells who like Pizza Express”, and you’ll get a list of Facebook users who live in Tunbridge Wells and who have clicked the “Like” button on Pizza Express’s website at some point.

Like almost everything that Facebook does, this has given rise to some serious privacy concerns. Web developer Tom Scott started a Tumblr, Actual Facebook Graph Searches, giving some of the more embarrassing, amusing or even alarming examples of Graph Search results.

Facebook’s response to these concerns is that Graph Search will only show information that users have agreed to be made publicly available in their privacy settings. However, Graph Search undoubtedly makes that information far more accessible and usable to the world at large. It’ll be interesting to see if any European data protection commissioners challenge Facebook’s actions here – perhaps arguing that people cannot have given properly informed consent, since Graph Search is so innovative that people could not have had it in mind when they agreed to Facebook’s privacy terms.

As I’ve written before, people tend to focus too much on what information companies hold about them. However, the real impact on privacy comes from what companies are able to do with the data they hold about you: making connections, drawing inference, building up a surprisingly accurate picture about you from what may appear only a small amount of information. You could say that Graph Search puts something of this same power of “Big Data” in the hands of ordinary Facebook users – for good or ill.

New rules for Online Behavioural Advertising

Since spring last year, websites and advertisers have been getting to grips with the new law on obtaining consent for cookies.

One common use of cookies is for online behavioural advertising (OBA), and from 4 February 2013 websites and advertisers using OBA will have additional rules to comply with.

The Advertising Standards Authority (ASA) is taking over responsibility for ensuring that consumers are made aware of, and can exercise choice over, the collection and use of information for OBA. The ASA’s first step is the introduction of new rules on OBA which will come into force from early February.

I have prepared an article summarising the key elements of the OBA Rules which websites and advertisers should be aware of. To read this article in full please click here (PDF).

The Orwellian future of TV advertising?

“In America, you watch television. In Soviet Russia, television watch you!” – Yakov Smirnoff

The FT’s Decoding Big Data series includes the following vision of a future which will either sound dystopian or thrilling, depending on how protective you are of your privacy:

A married couple sit in their living room, arguing about the text messages she keeps receiving from an ex-boyfriend. The television, playing in the background, listens in on their conversation, detects that they are fighting and automatically selects an advertisement about a local marriage therapist for the next commercial break.

The FT observes that this faintly Orwellian concept is already technologically feasible, at least if a recent Verizon patent application is to be believed.

The claims of the patent application make for fun reading (and it’s not often you can say that about patent claims). As ever, they begin with a very broad claim on which the others are then founded:

1. A method comprising: presenting, by a media content presentation system, a media content program comprising an advertisement break; detecting, by the media content presentation system, an ambient action performed by a user during the presentation of the media content program and within a detection zone associated with the media content presentation system; selecting, by the media content presentation system, an advertisement associated with the detected ambient action; and presenting, by the media content presentation system, the selected advertisement during the advertisement break.

Or, in English: under this system, the same TV advertisements will not be broadcast to everyone watching the same programme. Instead, your TV will show an advertisement that is targeted specifically at you, based on what you’re doing in the vicinity of the TV at the time. What sort of things might those be? Claim 2 gives some examples:

2. The method of claim 1, wherein the ambient action comprises at least one of eating, exercising, laughing, reading, sleeping, talking, singing, humming, cleaning, and playing a musical instrument.

I would love to have been a fly on the wall at the meeting where Verizon and its patent attorneys brainstormed the activities people are likely to get up to while watching TV. But these are mostly solitary activities. What about where two or more people are in the same room? Claim 3 picks this up:

3. The method of claim 1, wherein the ambient action comprises an interaction between the user and another user.

In case you were wondering (possibly with a sense of dread) what sort of “interaction between the user and another user” this might include, claim 4 gets down to brass tacks:

4. The method of claim 3, wherein the interaction between the user and the another user comprises at least one of cuddling, fighting, participating in a game or sporting event, and talking.

Though perhaps this is less alarming than claim 11:

11. The method of claim 1, further comprising identifying, by the media content presentation system, one or more physical attributes associated with the user.

So when all the ads you see in future are for weight-loss products and gym memberships, you’ll know why.

Of course, a practical implementation of this is some way in the future, as internet-enabled TVs become more commonplace. Maybe it will take the semi-mythical Apple TV set to provide a platform sophisticated enough to implement this new advertising experience. And the data protection implications of such a system would also be interesting, especially obtaining informed consent from anyone watching the TV.

What all this also highlights is how the future of advertising, both on TV and online (a distinction that will itself seem quaint before too long), lies in the ability to respond in real time to users’ actions, matched to existing data about those individuals (or others in the same demographic). And that’s a reality that is already here, at least on the web.

Passwords: cracking the code

Interesting post by Willard Foxton on password security, describing how the 2009 hacking of the RockYou gaming website started a cascade of website cracking – all too easy in an era where “cryptographic feats that were the stuff of legend in the Second World War” can now “be done on your iPhone”.

Foxton summarises “current best advice” on password security as follows:

The current best advice is to have passwords composed of 20 characters, with no real words, and your gobbledegook has to include upper and lower case letters, symbols, numbers and punctuation, all randomly scattered through the word. On top of that, you need to have a different password for every site you use and change your password for all of them every three months.

I think it’s safe to say that a system whose “best practice” amounts to that is a system that is irretrievably broken.

Are there any legal implications to this? Well, the Data Protection Act requires organisations holding personal data to take:

Appropriate technical and organisational measures … against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The Act does not prescribe any specific security measures, but the Information Commissioner’s current advice to organisations on passwords recommends:

use a strong password – these are long (at least seven characters) and have a combination of upper and lower case letters, numbers and the special keyboard characters like the asterisk or currency symbols.

This is some way short of the “best advice” set out by Foxton, though how much actual practical difference it makes to security may be a different matter – for now. “Appropriate” measures include striking a balance between theoretical security and practical workability, depending on the risks involved. But it would seem likely that, over time, the gap between what is “appropriate” and Foxton’s counsel of perfection will close.

Rather than tightening up password policies beyond the ICO’s recommendations, there may be a stronger case for looking at measures such as two-factor authentication. I adopted this for my personal email account after reading this chilling account of how a hacked Gmail account enabled Mat Honan’s entire digital life to be wiped out earlier this year. Google offer two-step verification for their accounts, which is relatively simple to set up and use, at least if you own a smartphone.

I’m not aware of any guidance from the ICO as yet on the use of two-factor authentication. What the ICO does insist upon, however, is the use of encryption for any mobile devices holding personal data (laptops, memory sticks, tablets). If your organisation is using such devices without encryption, you should correct this straight away – or risk joining Greater Manchester Police in the dock with a £120,000 (or more) penalty.

Cookies: what’s happening out there?

Since the end of May, website users will have noticed a flurry of popups and banner messages inviting them to read (and in some cases agree to) information about how sites use cookies.

This has arisen as website owners finally get to grips with the new law on cookies and consent (see various previous posts), which requires websites to obtain consent from users before putting cookies on their computers or mobile devices.

Over the subsequent weeks, it seems a consensus has begun to emerge among websites as to how to inform users and obtain – or, more usually, infer – consent from users.

I wrote an article recently for the Guardian Media Network that gave some background to this. My firm has also just published a briefing note (PDF) which looks in more detail at how websites can show that users have consented to the use of cookies.

The briefing note refers readers to two essential guides for compliance: the Information Commissioner’s guidance (PDF) as issued at the end of May, and the International Chamber of Commerce’s guide (PDF) to the various types of cookie used by websites, and how to comply in respect of each.

The overall message, though, is: for most websites, especially those who avoid use of “targeting and advertising” cookies, compliance should be possible without having to infuriate your users with intrusive popups.

Data protection: out with the old, in with the new

The widely-trailed revision to EU data protection law has been unveiled today by the European Commission, who have proposed a “comprehensive reform” to EU data protection legislation.

The fundamental change is moving from national laws made under a harmonising directive, to a single regulation which will apply directly across Europe. While it’s going to take a little while to work through all the details – and the proposal still has to be discussed and ratified by EU member states and the European parliament – the key changes as summarised in the Commission’s press release are:

  • A single set of rules on data protection, valid across the EU.
  • Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
  • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year – the Regulation provides for increased responsibility and accountability for those processing personal data.
  • For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
  • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU.
  • Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
  • A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.

In addition, there will be a new directive to “apply general data protection principles and rules for police and judicial cooperation in criminal matters”.

The “right to be forgotten” has been the most widely-publicised measure under consideration, and will certainly raise some tricky practical issues. However, I suspect that the biggest practical impact will come from the requirement for explicit consent, where consent is required. At present, certainly under UK data protection law, a lot of reliance is placed on implied consent; see, for example, the Information Commissioner’s guidance on the new cookies law, as discussed in a previous post. Explicit consent will greatly increase the practical burden on many businesses.

The new law, if adopted, will come into force two years after it is adopted, giving businesses and other organisations time to prepare for the new regime.

Cookies: the rules become clearer

Businesses and other website operators looking for a belated new year’s resolution should take a look at the revised guidance on the use of cookies (PDF) issued by the Information Commissioner’s office just before Christmas and start thinking about how to comply.

Launching the guidance, the Information Commissioner said that businesses “must try harder” in preparing to comply with the new law, which came into force in May 2011 and will be fully enforced from the end of May 2012. More constructively, the revised guidance sets out some practical measures which websites can adopt to help ensure compliance with the new law.

The new law requires websites to obtain prior, informed consent from users before placing cookies on those users’ computers or mobile devices. As the new guidance puts it, before setting cookies you must:

  • tell people that the cookies are there,
  • explain what the cookies are doing, and
  • obtain their consent to store a cookie on their device.

The only exception is where the cookie is “strictly necessary” for technical reasons. The guidance confirms that this is a narrow exception, and will not (for example) cover cookies used for analytics or to tailor a greeting when a user returns to a site.

As a start point for compliance, the ICO guidance recommends a three-step approach:

  1. Check what type of cookies you use and how you use them.
  2. Assess how privacy-intrusive your use of cookies is.
  3. Decide how to obtain consent from users.

The more privacy-intrusive your use of cookies is, the more you will need to do in order to inform users and get their consent.

Providing information

The ICO recommends that cookie information should not simply be hidden behind a link saying “Privacy policy”. Instead, links should either read “Privacy and cookies”, say, or there should be a separate link for information on cookies. The guidance gives several examples of how to make this information more prominent.

Inferring consent

One very helpful suggestion made by the ICO is that consent to placing cookies could be inferred if a user continues to use a website after being told of the use of cookies. This would involve some kind of pop-up notification when the user first visits the site, with a confirmation that a cookie has been set if the user then continues on to another page without clicking the “refuse cookies” link.

I suspect that this approach will prove highly popular with websites, given it avoids the problem experienced by websites that require positive consent such as ticking a box before placing cookies. One analysis suggested that only around 5% of users of the ICO’s website (which follows this tick-box approach) were agreeing to cookies – a figure which would have been ruinous for many websites.

However, inferring consent does still require a clear message to be displayed to first-time visitors. It is not enough to rely on a general “Privacy and cookies”-type link.
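As an added illustration (not the ICO’s guidance text or this post’s author’s code) of the inferred-consent flow described above, the following models the first-visit notice, the “refuse cookies” link and the confirmation on continued browsing as a small state machine, applying the “strictly necessary” exception cookie by cookie so that analytics and advertising cookies stay unset until consent is inferred. The cookie names, categories and the consent-state cookie are constructed for the example; in a real site the `jar` object would be backed by `document.cookie` and the returned messages rendered into the page.

```javascript
// Added example (not the ICO's or the post author's code): the "inferred
// consent" flow, modelled as a state machine so it can be exercised without
// a browser. Cookie names, categories and the consent-state cookie name are
// constructed for this example.

// Strictly-necessary cookie recording where the visitor is in the flow.
// Its value is one of STATES; anything else is treated as 'none'.
const CONSENT_COOKIE = 'cookie_consent';
const STATES = ['none', 'notified', 'inferred', 'refused'];

// Every cookie the site sets is declared with a category, so the "strictly
// necessary" exception is applied per cookie rather than to the site as a
// whole. Analytics and advertising cookies are the gated ones.
const SITE_COOKIES = [
  { name: 'session_id', category: 'strictly-necessary' },
  { name: 'basket',     category: 'strictly-necessary' },
  { name: '_ga',        category: 'analytics' },
  { name: 'ad_profile', category: 'advertising' },
];

function isStrictlyNecessary(cookie) {
  return cookie.category === 'strictly-necessary';
}

// Read the consent state, treating a missing or tampered value as 'none'
// (a forged 'inferred' value must not unlock non-essential cookies).
function consentState(jar) {
  const v = jar[CONSENT_COOKIE];
  return STATES.includes(v) ? v : 'none';
}

// Called on every page view. Mutates `jar` and returns the UI messages the
// page should show: 'notice' on the first visit, 'confirmation' on the view
// where consent is inferred, nothing otherwise.
function onPageView(jar) {
  const messages = [];
  switch (consentState(jar)) {
    case 'none':      // first visit: tell the user, set nothing non-essential
      jar[CONSENT_COOKIE] = 'notified';
      messages.push('notice');
      break;
    case 'notified':  // continued to another page without refusing
      jar[CONSENT_COOKIE] = 'inferred';
      messages.push('confirmation');
      break;
    default:          // 'inferred' or 'refused': nothing new to show
      break;
  }
  const allowNonEssential = consentState(jar) === 'inferred';
  for (const c of SITE_COOKIES) {
    if (isStrictlyNecessary(c) || allowNonEssential) {
      jar[c.name] = jar[c.name] || 'set';
    }
  }
  return messages;
}

// Called when the visitor clicks the "refuse cookies" link. Non-essential
// cookies already present are removed; strictly-necessary ones remain.
function onRefuse(jar) {
  jar[CONSENT_COOKIE] = 'refused';
  for (const c of SITE_COOKIES) {
    if (!isStrictlyNecessary(c)) delete jar[c.name];
  }
}

// Compliance check: names of non-essential cookies present in the jar.
// Should be empty in every state except 'inferred'.
function nonEssentialCookiesPresent(jar) {
  return SITE_COOKIES
    .filter((c) => !isStrictlyNecessary(c) && c.name in jar)
    .map((c) => c.name);
}

// Stand-alone demo: one visitor who continues browsing, one who refuses.
function demo() {
  const accepting = {};
  const log = [];
  log.push(onPageView(accepting), onPageView(accepting),
           nonEssentialCookiesPresent(accepting));
  const refusing = {};
  onPageView(refusing);
  onRefuse(refusing);
  onPageView(refusing);
  log.push(nonEssentialCookiesPresent(refusing));
  return log;
}
console.log(JSON.stringify(demo()));
```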

Opportunities for consent

The ICO guidance also suggests that websites look out for opportunities to obtain positive consent from users. One opportunity comes where new registered users are asked to agree to the site’s terms and conditions as part of the sign-up process – though existing registered users will need to be told about any change to the terms to allow for cookies.

Other opportunities may come where users set preferences or use new features for the first time: for example, a notice saying “We will use a cookie to remember this”, with a link to the cookies policy.

Analytics cookies

Analytics cookies – often for Google Analytics – are one of the most widespread types of cookie. The ICO’s position on analytics cookies is that they are not technically essential for websites, so consent will be required for them.

The ICO recognises that in some cases it is not practical to obtain consent before setting analytics cookies, as these are often set the moment a user first visits the site. However, in that case information on the use of cookies must be highlighted clearly on the site.

Having said all that, the ICO does drop a large hint that it does not regard analytics cookies as posing a serious risk to privacy. In the very last paragraph of the 27-page guidance document, they state that “it is highly unlikely that priority would be given to focusing on uses of cookies where there is a low level of intrusiveness” – which includes “first party cookies used only for analytical purposes”, provided clear information is given on the site.

Third party and advertising cookies

Third party cookies, especially those used for online advertising, are the most problematic from a privacy point of view. The ICO’s research suggests that even well-informed internet users are unaware of the distinction between first party and third party cookies – that is, cookies used by someone other than the website owner.

Information on the use of third party cookies will need to be clearly set out as part of informing users and obtaining consent. Both the website owner and the third party will want to ensure that their respective obligations are clear: if you run an advertising-supported website, you will want to ensure that the advertising provider is obliged to provide accurate and complete information on their use of cookies (so that you can put this in your own cookies information); conversely, the advertising provider will want to ensure that participating websites are compliant with the law, as otherwise this will put the advertising provider themselves in breach.

The guidance acknowledges, though, that third party cookies remain “one of the most challenging areas in which to achieve compliance”, given the higher privacy concerns over such cookies and their critical importance to online advertising.

Conclusion

It remains to be seen how the new law will operate in practice. Levels of compliance remain woefully low, so it is hard to discern any “best practice” emerging at present. However, the ICO’s guidance does at last suggest some practical ways in which websites can comply with the law without losing the benefits of using cookies.

ICO gives businesses a year to comply with new cookies law

As an update to my post on the new cookies law, the ICO has now published guidance on their approach to enforcement of the new law (PDF). The guidance itself can be found here (PDF).

The key point is that the ICO is giving businesses a year to comply with the new law. Full compliance will only be expected from May 2012. However, this doesn’t mean that organisations can sit on their hands in the meantime. As the ICO guidance puts it:

The Commissioner does not though condone organisations taking no action in the period up to May 2012. Organisations should be taking steps to ensure they can properly comply with the revised rules for cookies by May 2012. If it appears to the Commissioner that particular organisations are not making adequate compliant by May 2012 he may issue them with a warning as to the future use of his enforcement powers.

If the ICO receive complaints about non-compliant cookies during this period, they will ask website owners to explain what steps they are taking to ensure compliance by May 2012.

There is still a great deal of confusion in the marketplace about what the new law means in practice and how businesses can comply. Some are suggesting that websites offering aggregated opt-outs to multiple standard cookies will be enough to comply with the law. However, the law is clear: it is not enough to offer an opt-out, however well publicised and coordinated. Users must give prior informed consent before cookies can be used by a particular website.

Hopefully over the next few months it will become clearer what approaches are seen as most effective in practice. The ICO has implemented a header on its website asking people to consent to cookies, but even they acknowledge this cumbersome and intrusive approach is not going to be appropriate for most other organisations.

Of more practical use for most businesses is the ICO’s example, in its own privacy policy, of how to set out information about what cookies are used. The table used by the ICO strikes me as a very clear and user-friendly way of informing website users about what cookies are being used and for what purpose.

Cookies: the new regime

Back in March, I discussed the proposed changes to the law on cookies, to require prior, informed consent before most cookies are placed on users’ computers.

The new regulations have now been published by the UK government. Regulation 6 of the snappily-titled Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 amends the previous rules so that most cookies will now only be permitted if the website user:

  • is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  • has given his or her consent.

In addition, however, the revised regulation also states that:

…consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

What does all this mean in practice? To help businesses understand what is required of them, the Information Commissioner’s Office has produced a guidance note on the new regulations (PDF). While this leaves a number of questions still unanswered (as we’ll see below), it does clarify a number of points that had been debated since the new law was first proposed last year.

1. Is your cookie “strictly necessary”?

The revised regulations retain the existing exceptions for cookies:

  • whose “sole purpose” is “carrying out the transmission of a communication over an electronic communications network”; or
  • which are “strictly necessary for the provision of an information society service requested by the subscriber or user”.

The second of these is the more important for most websites. It has been suggested that this could be interpreted quite widely, to include analytics cookies that track how people use the site: which pages they visit, how long they remain on the site, which search terms brought them there in the first place, and so on. The argument is that this enables sites to allocate resources as necessary to provide their services.

However, the guidance argues that the exception needs to be interpreted narrowly, and the cookie must relate to services “explicitly requested” by the user – not just the general functioning of the site. So a cookie to enable a shopping basket and checkout system to work would be fine. However:

The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.

2. Can browser settings be used?

The reference to a website user “who amends or sets controls on [their] internet browser” has been read by some as allowing existing browser controls on cookies to be used to obtain consent. However, the ICO’s view is that:

most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie.

In addition, people may be accessing sites using mobile devices that do not enable them to exercise even the crude levels of control (“cookies ON” / “cookies OFF”) found in current desktop browsers.

In the longer term, more sophisticated browser settings may be developed that enable websites to obtain consent in this way. However, for now it has to be assumed that some other means of obtaining consent is necessary.

3. How can we obtain consent?

The ICO’s guidance is not prescriptive, and discusses a number of ways in which websites can obtain consent.

One option is to use pop-ups as a means of informing users about your use of cookies and to obtain their consent, but the ICO recognises that this is “potentially frustrating” for users. Other means include:

  • Terms and conditions: sites that obtain users’ agreement to their terms and conditions (e.g. upon registering with the site or making a purchase) have a golden opportunity to obtain users’ consent. However, existing users should be made aware of the changes and asked to give their consent to the new terms.
  • Settings-led consent: where a cookie is necessary in order to enable a particular website feature, then users can be told at the point they enable that feature that a cookie will be used for this purpose.
  • Highlighted text: the website’s header or footer could include text that is highlighted when the site wishes to place a cookie, so that users can then agree to this.
  • Third-party cookies: these are widely used by advertising networks, and unfortunately the ICO guidance does little more than acknowledge that this “may be the most challenging area in which to achieve compliance with the new rules”. Clearly, though, finding techniques for describing the use of third-party cookies in such a way that users are inclined to agree to them will become something of an art form in the near future.

4. So what do I need to do?

While the new legislation comes into force on 26 May 2011, the ICO recognises that there will need to be a “phased approach” to enforcement, to give websites time to comply. The ICO’s key expectation at this stage is that organisations are at least giving serious thought to how to comply.

In particular, the guidance advises website owners to:

  1. Check what type of cookies and similar technologies you use and how you use them.
  2. Assess how intrusive your use of cookies is.
  3. Decide what solution to obtain consent will be best in your circumstances.

“The key point”, they add, “is that you cannot ignore these rules.”

Over the next few months I will revisit this issue to see how websites are going about achieving compliance in practice, and what technical measures are being developed to facilitate this.

Cookies and consent

As has been widely reported, the government has confirmed that it will implement new EU regulations on the use of cookies by 25 May 2011. What does this mean in practice for website owners?

What’s the current position?

The current law on cookies works on an “opt-out” basis: website owners are required to provide “clear and comprehensive” information on their use of cookies, and users must then have the opportunity to opt out of using them. In the UK at least, it has been seen as sufficient to provide information in your privacy policy and then simply allow users to disable cookies in their web browser settings.

What’s changing?

The Citizens’ Rights Directive, adopted by the EU in November 2009, changes this to require websites to obtain prior consent for the use of cookies. Despite some confusion over what exactly the Directive meant when it was first passed, there is now an increasingly clear consensus that it requires an opt-in approach to cookies.

This has caused considerable disquiet among website owners. Cookies are essential for the operation of almost all websites, and on the face of it the new regulations will require websites to use pop-ups or landing pages to obtain consent for this from users.

This is unlikely to be popular with users, who may find their web browsing interrupted by multiple requests for consent. It could also threaten the revenues of sites who depend on income from third-party advertisers, whose operations may be hindered by users rejecting cookies used by advertisers to track browsing activity – which is, of course, precisely what the regulations are intended to do.

Does this only affect third party cookies?

Some have suggested that the new law will only affect third party cookies – such as tracking cookies used by advertisers – and that cookies used for the normal operation of a website will not be caught. This is based on an exception under the law waiving the requirement for consent where the cookies are “strictly necessary” for the operation of the website.

However, in my view most website owners will still need to comply with the new law. Where a cookie is necessary in order for a shopping basket to function, this will probably count as “strictly necessary”. However, it is doubtful whether the same can be said for other common uses of cookies, such as compiling site statistics and tracking how people use the site.

Is this actually going to happen?

I was at an event this week at which a speaker from the Information Commissioner’s Office pointed out that, while the ICO had not wanted or asked for this change in the law, “the law is the law” and the ICO is required to enforce it. There may be a “grace period” before full enforcement begins, but website operators will be expected to comply once the “technical solutions” are available for them to do so.

At present it is not clear how websites will comply with these obligations in practice. Discussions are under way to see if appropriate mechanisms can be built in to web browsers. However, websites will still need to be able to give information and obtain consent from users of older browsers or who are accessing the web by mobile phone.

So what do we need to do?

We are still awaiting the final regulations, and it also remains to be seen what technical approaches for compliance – pop-ups? landing pages? browser features? – will be developed over the coming months. Unfortunately, this does mean that website owners and developers are somewhat in limbo for the time being.

However, those developing or updating their websites should be aware of the need to build in scope for introducing appropriate consent mechanisms once the legal and technical position is clearer. And now is probably a good time to start thinking about how your use of cookies can be explained in a way that will make users want to accept them rather than reject them.