Data protection: out with the old, in with the new

The widely-trailed revision to EU data protection law has been unveiled today by the European Commission, who have proposed a “comprehensive reform” to EU data protection legislation.

The fundamental change is moving from national laws made under a harmonising directive, to a single regulation which will apply directly across Europe. While it’s going to take a little while to work through all the details – and the proposal still has to be discussed and ratified by EU member states and the European parliament – the key changes as summarised in the Commission’s press release are:

  • A single set of rules on data protection, valid across the EU.
  • Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
  • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data.
  • For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
  • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU.
  • Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
  • A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.

In addition, there will be a new directive to “apply general data protection principles and rules for police and judicial cooperation in criminal matters”.

The “right to be forgotten” has been the most widely-publicised measure under consideration, and will certainly raise some tricky practical issues. However, I suspect that the biggest practical impact will come from the requirement for explicit consent, where consent is required. At present, certainly under UK data protection law, a lot of reliance is placed on implied consent; see, for example, the Information Commissioner’s guidance on the new cookies law, as discussed in a previous post. Explicit consent will greatly increase the practical burden on many businesses.

The new law, if adopted, will come into force two years after it is adopted, giving businesses and other organisations time to prepare for the new regime.

Cookies: the rules become clearer

Businesses and other website operators looking for a belated new year’s resolution should take a look at the revised guidance on the use of cookies (PDF) issued by the Information Commissioner’s Office just before Christmas and start thinking about how to comply.

Launching the guidance, the Information Commissioner said that businesses “must try harder” in preparing to comply with the new law, which came into force in May 2011 and will be fully enforced from the end of May 2012. More constructively, the revised guidance sets out some practical measures which websites can adopt to help ensure compliance with the new law.

The new law requires websites to obtain prior, informed consent from users before placing cookies on those users’ computers or mobile devices. As the new guidance puts it, before setting cookies you must:

  • tell people that the cookies are there,
  • explain what the cookies are doing, and
  • obtain their consent to store a cookie on their device.

The only exception is where the cookie is “strictly necessary” for technical reasons. The guidance confirms that this is a narrow exception, and will not (for example) cover cookies used for analytics or to tailor a greeting when a user returns to a site.

As a start point for compliance, the ICO guidance recommends a three-step approach:

  1. Check what type of cookies you use and how you use them.
  2. Assess how privacy-intrusive your use of cookies is.
  3. Decide how to obtain consent from users.

The more privacy-intrusive your use of cookies is, the more you will need to do in order to inform users and get their consent.

Providing information

The ICO recommends that cookie information should not simply be hidden behind a link saying “Privacy policy”. Instead, links should either read “Privacy and cookies”, say, or there should be a separate link for information on cookies. The guidance gives several examples of how to make this information more prominent.

Inferring consent

One very helpful suggestion made by the ICO is that consent to placing cookies could be inferred if a user continues to use a website after being told of the use of cookies. This would involve some kind of pop-up notification when the user first visits the site, with a confirmation that a cookie has been set if the user then continues on to another page without clicking the “refuse cookies” link.

I suspect that this approach will prove highly popular with websites, given it avoids the problem experienced by websites that require positive consent such as ticking a box before placing cookies. One analysis suggested that only around 5% of users of the ICO’s website (which follows this tick-box approach) were agreeing to cookies – a figure which would have been ruinous for many websites.

However, inferring consent does still require a clear message to be displayed to first-time visitors. It is not enough to rely on a general “Privacy and cookies”-type link.

Opportunities for consent

The ICO guidance also suggests that websites look out for opportunities to obtain positive consent from users. One opportunity comes where new registered users are asked to agree to the site’s terms and conditions as part of the sign-up process – though existing registered users will need to be told about any change to the terms to allow for cookies.

Other opportunities may come where users set preferences or use new features for the first time: for example, a notice saying “We will use a cookie to remember this”, with a link to the cookies policy.

Analytics cookies

Analytics cookies – often for Google Analytics – are one of the most widespread types of cookie. The ICO’s position on analytics cookies is that they are not technically essential for websites, so consent will be required for them.

The ICO recognises that in some cases it is not practical to obtain consent before setting analytics cookies, as these are often set the moment a user first visits the site. However, in that case information on the use of cookies must be highlighted clearly on the site.

Having said all that, the ICO does drop a large hint that it does not regard analytics cookies as posing a serious risk to privacy. In the very last paragraph of the 27-page guidance document, they state that “it is highly unlikely that priority would be given to focusing on uses of cookies where there is a low level of intrusiveness” – which includes “first party cookies used only for analytical purposes”, provided clear information is given on the site.

Third party and advertising cookies

Third party cookies, especially those used for online advertising, are the most problematic from a privacy point of view. The ICO’s research suggests that even well-informed internet users are unaware of the distinction between first party and third party cookies – that is, cookies used by someone other than the website owner.

Information on the use of third party cookies will need to be clearly set out as part of informing users and obtaining consent. Both the website owner and the third party will want to ensure that their respective obligations are clear: if you run an advertising-supported website, you will want to ensure that the advertising provider is obliged to provide accurate and complete information on their use of cookies (so that you can put this in your own cookies information); conversely, the advertising provider will want to ensure that participating websites are compliant with the law, as otherwise this will put the advertising provider themselves in breach.

The guidance acknowledges, though, that third party cookies remain “one of the most challenging areas in which to achieve compliance”, given the higher privacy concerns over such cookies and their critical importance to online advertising.

Conclusion

It remains to be seen how the new law will operate in practice. Levels of compliance remain woefully low, so it is hard to discern any “best practice” emerging at present. However, the ICO’s guidance does at last suggest some practical ways in which websites can comply with the law without losing the benefits of using cookies.

ICO gives businesses a year to comply with new cookies law

As an update to my post on the new cookies law, the ICO has now published guidance on their approach to enforcement of the new law (PDF). The guidance itself can be found here (PDF).

The key point is that the ICO is giving businesses a year to comply with the new law. Full compliance will only be expected from May 2012. However, this doesn’t mean that organisations can sit on their hands in the meantime. As the ICO guidance puts it:

The Commissioner does not though condone organisations taking no action in the period up to May 2012. Organisations should be taking steps to ensure they can properly comply with the revised rules for cookies by May 2012. If it appears to the Commissioner that particular organisations are not making adequate compliant by May 2012 he may issue them with a warning as to the future use of his enforcement powers.

If the ICO receive complaints about non-compliant cookies during this period, they will ask website owners to explain what steps they are taking to ensure compliance by May 2012.

There is still a great deal of confusion in the marketplace about what the new law means in practice and how businesses can comply. Some are suggesting that websites offering aggregated opt-outs to multiple standard cookies will be enough to comply with the law. However, the law is clear: it is not enough to offer an opt-out, however well publicised and coordinated. Users must give prior informed consent before cookies can be used by a particular website.

Hopefully over the next few months it will become clearer what approaches are seen as most effective in practice. The ICO has implemented a header on its website asking people to consent to cookies, but even they acknowledge this cumbersome and intrusive approach is not going to be appropriate for most other organisations.

Of more practical use for most businesses is the ICO’s example, in its own privacy policy, of how to set out information about what cookies are used. The table used by the ICO strikes me as a very clear and user-friendly way of informing website users about what cookies are being used and for what purpose.

Cookies: the new regime

Back in March, I discussed the proposed changes to the law on cookies, to require prior, informed consent before most cookies are placed on users’ computers.

The new regulations have now been published by the UK government. Regulation 6 of the snappily-titled Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 amends the previous rules so that most cookies will now only be permitted if the website user:

  • is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  • has given his or her consent.

In addition, however, the revised regulation also states that:

…consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

What does all this mean in practice? To help businesses understand what is required of them, the Information Commissioner’s Office has produced a guidance note on the new regulations (PDF). While this leaves a number of questions still unanswered (as we’ll see below), it does clarify a number of points that had been debated since the new law was first proposed last year.

1. Is your cookie “strictly necessary”?

The revised regulations retain the existing exceptions for cookies:

  • whose “sole purpose” is “carrying out the transmission of a communication over an electronic communications network”; or
  • which are “strictly necessary for the provision of an information society service requested by the subscriber or user”.

The second of these is the more important for most websites. It has been suggested that this could be interpreted quite widely, to include analytics cookies that track how people use the site: which pages they visit, how long they remain on the site, which search terms brought them there in the first place, and so on. The argument is that this enables sites to allocate resources as necessary to provide their services.

However, the guidance argues that the exception needs to be interpreted narrowly, and the cookie must relate to services “explicitly requested” by the user – not just the general functioning of the site. So a cookie to enable a shopping basket and checkout system to work would be fine. However:

The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.

2. Can browser settings be used?

The reference to a website user “who amends or sets controls on [their] internet browser” has been read by some as allowing existing browser controls on cookies to be used to obtain consent. However, the ICO’s view is that:

most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie.

In addition, people may be accessing sites using mobile devices that do not enable them to exercise even the crude levels of control (“cookies ON” / “cookies OFF”) found in current desktop browsers.

In the longer term, more sophisticated browser settings may be developed that enable websites to obtain consent in this way. However, for now it has to be assumed that some other means of obtaining consent is necessary.

3. How can we obtain consent?

The ICO’s guidance is not prescriptive, and discusses a number of ways in which websites can obtain consent.

One option is to use pop-ups as a means of informing users about your use of cookies and to obtain their consent, but the ICO recognises that this is “potentially frustrating” for users. Other means include:

  • Terms and conditions: sites that obtain users’ agreement to their terms and conditions (e.g. upon registering with the site or making a purchase) have a golden opportunity to obtain users’ consent. However, existing users should be made aware of the changes and asked to give their consent to the new terms.
  • Settings-led consent: where a cookie is necessary in order to enable a particular website feature, then users can be told at the point they enable that feature that a cookie will be used for this purpose.
  • Highlighted text: the website’s header or footer could include text that is highlighted when the site wishes to place a cookie, so that users can then agree to this.
  • Third-party cookies: these are widely used by advertising networks, and unfortunately the ICO guidance does little more than acknowledge that this “may be the most challenging area in which to achieve compliance with the new rules”. Clearly, though, finding techniques for describing the use of third-party cookies in such a way that users are inclined to agree to them will become something of an art form in the near future.

4. So what do I need to do?

While the new legislation comes into force on 26 May 2011, the ICO recognises that there will need to be a “phased approach” to enforcement, to give websites time to comply. The ICO’s key expectation at this stage is that organisations are at least giving serious thought to how to comply.

In particular, the guidance advises website owners to:

  1. Check what type of cookies and similar technologies you use and how you use them.
  2. Assess how intrusive your use of cookies is.
  3. Decide what solution to obtain consent will be best in your circumstances.

“The key point”, they add, “is that you cannot ignore these rules.”

Over the next few months I will revisit this issue to see how websites are going about achieving compliance in practice, and what technical measures are being developed to facilitate this.

Cookies and consent

As has been widely reported, the government has confirmed that it will implement new EU regulations on the use of cookies by 25 May 2011. What does this mean in practice for website owners?

What’s the current position?

The current law on cookies works on an “opt-out” basis: website owners are required to provide “clear and comprehensive” information on their use of cookies, and users must then have the opportunity to opt out of using them. In the UK at least, it has been seen as sufficient to provide information in your privacy policy and then simply allow users to disable cookies in their web browser settings.

What’s changing?

The Citizens’ Rights Directive, adopted by the EU in November 2009, changes this to require websites to obtain prior consent for the use of cookies. Despite some confusion over what exactly the Directive meant when it was first passed, there is now an increasingly clear consensus that it requires an opt-in approach to cookies.

This has caused considerable disquiet among website owners. Cookies are essential for the operation of almost all websites, and on the face of it the new regulations will require websites to use pop-ups or landing pages to obtain consent for this from users.

This is unlikely to be popular with users, who may find their web browsing interrupted by multiple requests for consent. It could also threaten the revenues of sites who depend on income from third-party advertisers, whose operations may be hindered by users rejecting cookies used by advertisers to track browsing activity – which is, of course, precisely what the regulations are intended to do.

Does this only affect third party cookies?

Some have suggested that the new law will only affect third party cookies – such as tracking cookies used by advertisers – and that cookies used for the normal operation of a website will not be caught. This is based on an exception under the law waiving the requirement for consent where the cookies are “strictly necessary” for the operation of the website.

However, in my view most website owners will still need to comply with the new law. Where a cookie is necessary in order for a shopping basket to function, this will probably count as “strictly necessary”. However, it is doubtful whether the same can be said for other common uses of cookies, such as compiling site statistics and tracking how people use the site.

Is this actually going to happen?

I was at an event this week at which a speaker from the Information Commissioner’s Office pointed out that, while the ICO had not wanted or asked for this change in the law, “the law is the law” and the ICO is required to enforce it. There may be a “grace period” before full enforcement begins, but website operators will be expected to comply once the “technical solutions” are available for them to do so.

At present it is not clear how websites will comply with these obligations in practice. Discussions are under way to see if appropriate mechanisms can be built in to web browsers. However, websites will still need to be able to give information to, and obtain consent from, users of older browsers and those accessing the web by mobile phone.

So what do we need to do?

We are still awaiting the final regulations, and it also remains to be seen what technical approaches for compliance – pop-ups? landing pages? browser features? – will be developed over the coming months. Unfortunately, this does mean that website owners and developers are somewhat in limbo for the time being.

However, those developing or updating their websites should be aware of the need to build in scope for introducing appropriate consent mechanisms once the legal and technical position is clearer. And now is probably a good time to start thinking about how your use of cookies can be explained in a way that will make users want to accept them rather than reject them.

Data protection: tighter rules on the way in 2011?

The European Commission last month announced plans to overhaul data protection legislation. The aim of the new legislation is to strengthen the rights of individuals and to ensure that data protection rules are more consistently enforced. However, the current proposals are likely to place an increased burden on data controllers who could face greater penalties for non-compliance.

In its discussion document, A comprehensive approach on personal data protection in the European Union (PDF), the Commission states that the revision process is intended to address a number of “specific challenges”:

  • the impact of new technologies;
  • the need for increased data protection harmonisation and legal coherence within the EU;
  • simplifying the law on international transfers of data; and
  • stronger enforcement and an enhanced role for national data protection authorities.

The overriding aim is:

to protect the fundamental rights of natural persons and in particular their right to protection of personal data.

The discussion document then sets out a number of ways in which these challenges can be addressed in order to accomplish that aim. Some of the key ones for businesses are:

  • Increasing transparency, especially in privacy policies and as regards children. This could include standard forms of privacy notice.
  • Mandatory notification of personal data breaches.
  • Increased rights for individuals to have their data deleted (the “right to be forgotten”) and to withdraw their data from a service provider’s systems (“data portability”).
  • “Clarifying and strengthening” the rules on consent to data processing, in order to ensure that truly “informed consent” is given for processing.
  • Adding new categories of “sensitive” data, such as genetic data.
  • A requirement for “Privacy by Design” covering the design, deployment, use and disposal of technologies.

Observers have pointed out a number of areas of potential difficulty. The “right to be forgotten”, for example, seems on the face of it to contain a contradiction – because companies would need to keep lists of people they were required to have “forgotten”. More pertinently, data may refer to more than one person: where you and I both feature in a group photograph on Facebook, your “right to be forgotten” may conflict with my wish for the photograph to remain available.

Similarly, it is difficult for data controllers to know they have been given “informed consent” for processing without a certain amount of information already being retained and processed about an individual. It also seems doubtful whether standard forms of privacy notice could cover the limitless variety of different ways in which personal data is used.

Conclusion

Current data protection law is far from ideal, and so an overhaul is to be expected. However, the track record on EU legislation in this area will leave many businesses concerned as to the impact of any changes. The Commission document refers to “the fundamental rights of natural persons”, but (apart from references to “enhancing the internal market dimension of data protection”) says little or nothing about the role of data processing in encouraging business activity and economic growth. Some of the proposals floated in the document, such as requirements for “informed consent” and the “right to be forgotten”, could present considerable administrative challenges to data controllers.

From a UK perspective, moves to increase “harmonisation” and “coherence” for data protection are likely to mean a considerable tightening up of the law. To date the UK has tended to take a more relaxed view towards data protection issues than some other EU jurisdictions, for example in allowing “implied consent” for processing where others require explicit consent in writing.

The Commission is inviting responses to its discussion document in a consultation period closing on 15 January 2011, and draft legislation is then expected some time during 2011. It remains to be seen what form this will take, but companies whose business is based heavily on data processing will want to keep a close eye on developments over the next twelve months.

Data protection penalties: the ICO bares his teeth

The Information Commissioner’s Office (ICO) has announced the first monetary penalties (PDF) under new provisions introduced into the Data Protection Act earlier this year.

Hertfordshire County Council has had a penalty of £100,000 imposed on it after faxing highly-sensitive material (in one case relating to child sexual abuse) to the wrong recipients, while employment services company A4e faces a penalty of £60,000 after losing an unencrypted laptop containing the details of 24,000 users of community legal centres. The ICO will no doubt be glad that its first use of its new powers has allowed it to send a clear signal to both the public and private sector.

For a long time the Data Protection Act was perceived to lack teeth: fines for breaching the Act could only be imposed by the Information Commissioner if a data controller breached an enforcement order put in place after a previous breach. This meant that even very serious breaches (such as when HMRC lost details of millions of child benefit recipients) could go unpunished if they were a “first offence”.

The new monetary penalties regime (s.55A DPA) allows the Information Commissioner to impose civil monetary penalties where there has been a serious contravention of the Data Protection Act (occurring on or after 6 April 2010) of a kind likely to cause substantial damage or substantial distress, and where either:

  • the contravention was deliberate; or
  • the data controller knew or ought to have known about the risk (and the likely consequences) but failed to take reasonable steps to prevent it.

The maximum penalty that can be imposed is £500,000.

The civil penalties regime significantly alters the risk profile for data protection breaches. Previously the main consequences for most organisations from a data protection breach have been reputational rather than financial. The ICO has shown how keen they are to use the new powers to make data protection a far higher priority for businesses and other organisations. Hertfordshire County Council and A4e will surely be only the first of many cases over the next few months and years.

Google Dashboard: full disclosure?

This morning, Google has launched Google Dashboard, a “privacy dashboard” intended to help users see what information Google holds about them across its various services.

Google is able to track a huge proportion of its account-holders’ online activities. Google has my personal emails (27,473 conversations since 2004), my personal contacts’ details, a full history of my web searches and of much of my web browsing. It knows what videos I’ve watched on YouTube, and what RSS feeds I’ve read through Google Reader.

It’s useful to have this summary of the different ways in which Google knows about us. That said, does this really tell us what Google knows? As any company in the data management business can confirm, the power of personal data comes not from the raw information, but from the ability to analyse that information in order to identify patterns of behaviour and so on.

So a criticism that could be made of Google Dashboard is that it is an example of “informing to conceal”. We are given apparently comprehensive details of the information Google possesses about us. But the real privacy concerns – not to mention the commercial value to Google of the information – come from what they are able to deduce about us from this information: and that, not surprisingly, they are keeping to themselves.

The cost of online privacy

The European Commission is taking an increasingly interventionist approach towards internet regulation, particularly as regards individuals’ privacy rights. Earlier this week, the Commission announced that it was taking further steps to require the UK to fully implement EU laws on the interception of communications, while legislation currently working through the European parliament will require all websites using cookies to obtain express permission from users. These measures are particularly aimed at the restriction of “behavioural advertising” (also the subject of an OFT investigation).

In each case, the Commission claims (with some justification) to be acting in response to citizens’ concerns about their fundamental privacy rights. However, this may be a case where European citizens should have taken the old advice to “be careful what you wish for”.

It is unlikely that many people will shed tears over the fate of the Phorm “Webwise” system, which proposed to monitor web users’ activities in order to serve up advertisements matching their interests. The controversy over whether the system was legal under UK law led to the Commission’s investigation into the UK’s implementation of EU laws on the interception of communications, in particular the Regulation of Investigatory Powers Act 2000 (RIPA). The Commission has three complaints concerning RIPA:

  • the lack of an “independent national authority to supervise interception of communications”;
  • the permitting of interceptions where the interceptor has “reasonable grounds for believing” that consent to do so has been given, where EU rules require “freely given, specific and informed” consent;
  • restriction of prohibitions and sanctions for unlawful interception to “intentional” interception only, whereas the EU law requires member states to impose liability even for unintentional interception.

If UK law has to be tightened, especially on the second and third items, this will have a considerable impact on many businesses, not just those involved in online advertising.

The proposed new law on cookies could have an even bigger impact on online advertising and the surfing experience of European web users. Current EU law requires websites to offer visitors the “right to refuse” cookies. The UK has interpreted this quite broadly, with the Information Commissioner’s guidance (PDF) taking a pragmatic approach in which it was sufficient for companies to inform users in their privacy policies and leave it to individuals to block cookies using their browser settings.

The proposed change is intended to “clarify” the original law by requiring express consent from users before a website places a cookie on their computer. It has been suggested that this will mean websites have to show a pop-up to users entering the site, explaining what cookies are used (and for what purpose) and requesting consent. As many users hate pop-ups even more than they hate online advertisements, this is likely to have a significant adverse impact on many people’s web experience, and put EU-based websites at a disadvantage compared with their international competitors.

In addition, increased refusal of cookies will make online advertising more difficult and less profitable, which will increase the pressure on websites to charge users for accessing content. Again, one wonders whether many people would prefer the current trade-off between privacy rights and availability of “free” content over a web in which they encounter pop-ups and paywalls at every turn.

The Guardian’s recent supplement on the fortieth anniversary of the internet recalled an early (1994) description of the web as a place “where pornographers and Nazis walk freely, where criminals roam unchecked and where anarchy reigns”. These developments are another reminder of how far we have come from the Wild West days of the early, unregulated web. The web is now a highly-regulated environment: it remains to be seen whether it can retain its other benefits as the effects of this regulation become more apparent.

Vulnerability notified

One of the benefits of cloud computing is that it allows applications to be updated easily without the involvement of end-users. On the other hand, one of the biggest risks of cloud computing is that it allows applications to be updated easily without the involvement of end-users, exposing them to security risks or unwelcome changes in functionality.

A small, but telling, illustration of this is a recent incident with the Google Reader Notifier. This is a small add-on for the Firefox browser that helps people keep in touch with their RSS feeds on Google Reader by putting a small notifier on their status bar. It’s an ideal application of small-scale cloud computing: it means people can keep track of their feeds in an unobtrusive manner from any computer on which they have the notifier installed. I’ve been using it for some time.

Today, however, I noticed a new and highly unwelcome addition to my toolbar: an ugly and intrusive link to “eBay: UK Site” (see right for a similar version, from here). I had no idea where this had come from, but a quick foray onto Google revealed that the culprit was the latest update to the Google Reader Notifier. Like many others, I have now uninstalled this add-on, thus solving the problem, and a cascade of one-star reviews is likely to reduce the number of people installing the add-on in future.

This is a small incident in itself, but it does highlight a couple of issues of more general application.

  1. As browsers become more complex – complex enough to become operating systems in their own right – the number of potential vulnerabilities increases accordingly. In this case, it was a simple matter to uninstall the add-on and remove the problem – but in the meantime, those people using the add-on have had their privacy and computer security compromised.
  2. It demonstrates the need for businesses to take care in how they use cloud computing. Many free-of-charge cloud applications are of high quality and usefulness, making them tempting to use for business purposes. However, they are weak on legal protection and transparency: businesses using them may have no comeback for outages or poor service, and are vulnerable to sudden changes in the software or even in the ethics of the people providing the cloud application. Businesses need to select their cloud computing providers with the same care as conventional IT suppliers, and with the same attention to the contractual terms.