Wednesday, 31 March 2010

EU comms regulatory framework - useful texts

If you work in comms, this book (I won't say booklet as it's 312 pages long!) just out from the EU may come in handy, especially for telecomms lawyers: Regulatory framework for electronic communications in the European Union, as at December 2009 i.e. taking into account the new EU telecoms reform package.

It's very comprehensive and contains the texts of relevant consolidated EU legislation on the regulatory framework for networks and services, and also on frequency policy, from Directives and Regulations to Decisions and Notices.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Thursday, 25 March 2010

Health records privacy - Wall Street Journal article

Wall Street Journal article "Your Medical Records Aren't Secure" by Deborah J Peel, psychiatrist and founder of Patient Privacy Rights, on the US position in relation to electronic medical records, advocating that technologies protecting patients' right to consent to the sharing of their personal data (i.e. PETs) should be required.


Comms - wireless broadband, cable etc - OECD

For the comms people out there, the OECD have recently published a few papers on telecomms related issues - relating to the work of the OECD Working Party on Communication Infrastructures and Services Policy (CISP):

  • Wireless Broadband Indicator Methodology, 18 March 2010, a new structure for measuring and comparing the number of wireless/mobile broadband subscriptions across countries (for categorising differences in terms of bandwidth and data/bit caps and comparing prices). It will form the basis for wireless data collection and reporting by the OECD to measure development of wireless broadband connections across countries, and was devised following discussions with countries and telecommunications firms. The indicator is made up of three major components: satellite, terrestrial fixed wireless, and terrestrial mobile wireless. All components include only connections with advertised data speeds of 256 kbit/s or greater.
  • Revision of the Methodology for Constructing Telecommunication Price Baskets, 18 March 2010, i.e. the OECD methodologies for comparing retail prices of telecommunication services for the purpose of assessing the prices to consumers and businesses in member countries.
  • Developments in Cable Broadband Networks, published 23 March 2010, by Mr. Hyun-Cheol CHUNG of the OECD’s Directorate for Science, Technology and Industry -

      "The position of cable operators within the pay TV market has changed drastically in recent years. Although video service remains core to the cable industry’s business model, cable TV’s market share has been dropping significantly with intense competition from direct broadcast satellite services (DBS), Internet protocol Television (IPTV) services, digital terrestrial television services (DTT) and finally from over-the-top (OTT) service providers that supply video over an existing data connection from a third party. Cable still has a strong market position for video, particularly because of its existing relationships with content providers but the market is likely to become more competitive as other substitutable offers become available over a range of media….

      The threat to cable from non-traditional video sources has pushed cable operators to upgrade their networks to support higher bandwidth data services and new video content and applications and the transformation has been rapid. Over the past ten years, cable companies in the OECD have transformed themselves from providers of analogue video services to providers of an array of advanced digital communications services…

      Although all-fibre or all-IP network architecture may be a longer-term reality for cable operators, the cable industry is moving toward greater use of fibre in its last-mile infrastructure….

      One of the key areas where cable operators have looked for revenue growth has been voice services… Video-on-demand services have also become an important revenue generator for cable companies…. Both cable and telecommunication companies are pursuing multiple-play offers to reduce churn and boost average revenues per user.

      The triple-play packages which are commonly marketed by cable operators include fixed-voice services but the shift away from fixed-line telephony to mobile has led to some cable operators now including mobile voice services within their packages…"


Tuesday, 23 March 2010

"Private lives: a people’s inquiry into personal information" - Demos report

The ICO website mentioned the publication of "Private lives: a people’s inquiry into personal information", a 146-pg report by Peter Bradwell of thinktank Demos, which was supported by the UK Information Commissioner and Consumer Focus.

This paper, published on 21 March 2010, deals with what people think about the use of their personal information and privacy, looking specifically at the use of communications data, targeted advertising and the use of medical records information:

"It sets out the findings of Demos' 'People's Inquiry into Personal Information', revealing the opinions and ideas expressed over 13 hours of deliberation."

It's new enough even to mention Google's Buzz privacy fiasco as an example of the privacy challenges identified.

Some excerpts from the conclusions, which affirm the focus on consent and transparency advocated by the Article 29 Working Party in their Future of Privacy paper (emphasis added):

"The desire for transparency and the meaningful capacity to choose shows that the use of personal information becomes problematic, and is seen to involve a problematic transfer of power, where it is used by others either in ways that are unknown to the people that it affects or that deny them a chance to accept or reject it. Our participants were data pragmatists to the extent that they considered information personal wherever there was a perceived harm. That included cases where the consequences were unknown or opaque. Transparency was important not just to improve consent but also to alleviate fears of the unknown.

The presence of transparency and the ability to make informed choices were the conditions under which participants accepted personal information use. The members of this People’s Inquiry into Personal Information have sent a clear message about the best way to take advantage of the benefits of personal information use at the same time as dealing with significant uncertainty about the potential risks involved. They wanted an emphasis on transparency, the capacity to control and mitigate for possible and sometimes unforeseen harms, coupled with more guarantees about security. Our findings suggest that organisations should presume that people want the means to make informed decisions, based on clear and easily understood information about the consequences, about when information about them is shared and how it is used.

The participants’ demands are largely for the robust applications of existing principles of data protection….

The findings have a number of implications for decisions about how to govern the database society. Firstly, it is time to take the need for greater clarity and transparency seriously. One example would be the relationship between public and private sector. The inquiry did not cover the extent to which public and private sectors overlap in practice. But the attitudes to the two, dependent as they were on perceptions of motive, suggests that there is a need to clarify the relationship between government and private sector in the context of personal information use, especially where data handling is undertaken by the private sector on behalf of a public sector body. Not doing so puts at risk the faith people place in the public sector’s motives and undermines their ability to decide whether information use is acceptable.

This means being clear about contractual relationships where the private sector is carrying out personal information processing, and it extends to many areas in which public and private overlap, for instance in the case of personal medical records. We did not cover the question of alternative providers for electronic medical records explicitly, but the findings on control and consent suggest that providing access to the private sector in this context should be based on an explicit choice by the patient for those organisations to have access to the records…"

The finding that private individuals want control and transparency in relation to their personal data doesn't seem to be anything startling, but it won't hurt to confirm this and remind policy makers about it!

The need for more "robust application of existing principles of data protection" is exactly what I've suggested before - current principles do I feel largely cover what people need and expect, but the problem is that the laws still have yet to be policed and enforced properly, with meaningful sanctions for non-compliance, in order to be effective. The focus needs to be more on that, rather than on bureaucratic filings and registrations.

I've only had time to skim the pamphlet so far, but it certainly looks like a worthwhile and well-written read.


Monday, 22 March 2010

EDPS calls for privacy by design for social networks, RFID, advertising; & accountability

The European Data Protection Supervisor Peter Hustinx has issued an opinion on "Promoting trust in the information society by fostering data protection and privacy" of 18 March 2010, for the European Commission's new European Digital Agenda.

He advocates the adoption of privacy by design (PbD) both generally and in specific areas such as social networking (privacy-friendly defaults etc).

From the press release of 22 March 2010:

"the opinion discusses the measures that could be either undertaken or promoted by the European Union to guarantee individuals' privacy and data protection rights when making use of information and communication technologies (ICTs). Radio Frequency Identification (RFID), social networks, eHealth, eTransport are only a few examples.

The opinion emphasizes that trust is a core issue in the emergence and successful deployment of ICTs. Those technologies offer great opportunities and benefits but they also carry new risks. Ensuring that the use of ICTs does not jeopardize individuals' fundamental rights to privacy and data protection is a key factor to secure users' trust in the information society."

The conclusions in the opinion (emphasis added) are:

"He recommends the Commission to follow four courses of action:
a) Propose to include a general provision on Privacy by Design in the legal framework for data protection. This provision should be technology neutral and compliance should be mandatory at different stages;
b) Elaborate this general provision in specific provisions, when specific legal instruments in different sectors are proposed. These specific provisions could already now be included in legal instruments; on the basis of Article 17 of the Data Protection Directive (and other existing law);
c) Include PbD as a guiding principle in Europe's Digital Agenda;
d) Introduce PbD as a principle in other EU-initiatives (mainly non legislative).
116. In three designated ICT areas, the EDPS recommends the Commission to evaluate the need to put forward proposals implementing the principle of Privacy by Design in specific ways:
a) In relation to RFID, propose legislative measures regulating the main issues of RFID usage in case the effective implementation of the existing legal framework through self-regulation fails. In particular, provide for the opt-in principle at the point of sale pursuant to which all RFID tags attached to consumer products would be deactivated by default at the point of sale;
b) In relation to social networks, prepare legislation which would include, as a minimum, an overarching obligation requiring mandatory privacy settings, coupled with more precise requirements, on the restriction of access to user profiles to the user's own, self-selected contacts, and providing that restricted access profiles should not be discoverable by internal/external search engines;
c) In relation to targeted advertising, consider legislation mandating browser settings to reject third party cookies by default and require users to go through a privacy wizard when they first install or update the browser.
117. Finally, the EDPS suggests the Commission to:
a) Consider implementing the accountability principle in the existing data protection Directive, and
b) Develop a framework of rules and procedures to implement the security breach notification provisions of the e-Privacy Directive, and extend them to apply generally to all data controllers."

I'm not sure how well rejecting third party cookies by default would work, but a wizard would certainly help. Personally, I think any wizard would be needed not just on first installation or updating but generally, to help people understand how to deal with third party cookies.

For more from the EDPS recently see the EDPS guidelines on video surveillance.


Friday, 19 March 2010

Data Protection Directive - reform proposals due by end 2010

In a speech yesterday Vice-President Reding said (emphasis added):

"I will present a legislative proposal reforming the Directive before the end of the year and I will consider establishing the principle of "privacy by design.""

"The new legal framework should address new challenges of the information age, such as globalisation, development of information technologies, the internet, online social networking, e-commerce, cloud computing, video surveillance, behavioural advertising, data security breaches, etc," she also said.

In relation to the Charter of Fundamental Rights, her first priority area was:

"First, we need to protect the privacy of our citizens in the context of all EU policies. This includes when it comes to law enforcement and crime prevention. And this also applies when it comes to our international relations."

This certainly gives us an indication of the likely slant of the proposed revisions to the EU data protection framework.

See also other blog posts about EU data protection, in particular the Article 29 Working Party's consultation response in their "Future of Privacy" paper with their views on how EU data protection laws should be updated, and a hint from Reding about requiring opt-in.


Wednesday, 17 March 2010

CCTV - EDPS video surveillance guidelines

The EDPS has just issued guidelines on video surveillance, aimed at EU institutions but they may be of wider interest.

They comprise:

"a practical set of Guidelines to European institutions and bodies on how to use video-surveillance responsibly with effective safeguards in place. The Guidelines set out the principles for evaluating the need for resorting to video-surveillance and give guidance on how to conduct it in a way which minimises impact on privacy and other fundamental rights."

Issues covered by the guidelines include privacy by design, whether video-surveillance should be used e.g. availability of lawful grounds & use of webcams, selecting, siting and using the system, retention period, restricting access to the recorded footage of images & films, security measures, transfers and disclosures of the data, how to provide info to the public about the surveillance (signs & notices etc), and how to deal with access requests by members of the public regarding surveillance generally or recordings specifically, accountability & audits, outsourcing and third parties.

Those wanting model text will be pleased to see there's appendices with example wording for a video surveillance policy and "on the spot" data protection notice.

For those not familiar with the EDPS, the European Data Protection Supervisor is the authority which supervises compliance by EU bodies and institutions with EU data protection requirements, and those bodies now have till 1 January 2011 to bring their existing surveillance systems into line with the new guidelines.

See the EDPS papers of 17 March 2010:


Tuesday, 16 March 2010

Consumer Rights Directive - and opt-in?

In Vice President Viviane Reding's speech yesterday on a proposed EU Consumer Rights Directive was this statement:

"It also introduces, for the first time, an EU ban on pre-ticked boxes on websites, so that consumers consciously decide what they do and do not agree to."

Does this suggest a move towards requiring deliberate opt-in rather than opt out, in relation to individuals' consent to the use for marketing etc of their personal data on the data protection front?

Most pre-ticked checkboxes I've seen on online shopping websites tend to deal with consent to pass on info to affiliates etc, certainly.

Reding's opinions will be influential as she is the Commissioner who's leading the current moves to update the EU Data Protection Directive following an oddly low profile public consultation late last year. (See also her views on security and data breaches.)

It'll be a long time before anything happens though, as there isn't even consensus yet on how to deal with the key general issues raised in relation to the proposed Directive.


Going to the ECHR, ECJ, NHS

Some other helpful notes from the Parliament website recently, written in plain English non-legalese:


Monday, 15 March 2010

MySpace markets users' data

From the New York Times:

"MySpace has taken a bold step and put a large quantity of bulk user data up for sale on startup data marketplace InfoChimps. Data offered includes user playlists, mood updates, mobile updates, photos, vents, reviews, blog posts, names and zipcodes. Friend lists are not included. Remember, Facebook and Twitter may be the name of the game these days in tech circles, but MySpace still sees 1 billion user status updates posted every month. Those updates will now be available for bulk analysis."

US video rental/download outfit Netflix were sued for breach of privacy (and the US Federal Trade Commission had words with them) for releasing "anonymised" user data as part of a(nother) contest to improve their recommendation engine. They recently settled the lawsuit and reached an agreement with the FTC. Update - now see also the open letter to Netflix from the authors of the original de-anonymization paper, Arvind Narayanan and Vitaly Shmatikov.

It seems MySpace haven't been deterred by Netflix's experience. How easy will that data be to deanonymise, e.g. given the inclusion of zipcodes (and latitude & longitude too)?

More info in the New York Times article.


Website blocking doesn't work - research

The Digital Economy Bill debates are becoming quite topical - e.g. they will be featured on the BBC 1 Panorama programme tonight "Are the Net Police Coming for You?".

So I thought it was worth drawing attention again to a study on internet blocking which I'd blogged previously, which was published in October 2009 - "Internet Blocking: Balancing Cybercrime Responses in Democratic Societies" (PDF, 222 pgs) which concludes that attempts to block web content often backfire:

“Technically, it is difficult. Legally, it is problematic. Above all, it represents a real threat to the free transfer of information and conflicts with basic democratic principles.”

For a summary, see the 16 October 2009 press release on the research paper.


Sunday, 14 March 2010

What's the "wash-up"?

The UK general election draws near. Pending proposed legislation may get sorted out in the pre-election "wash-up" (hopefully that won't include the misguided Digital Economy Bill, unless certain toxic clauses are deleted from it? See Light Blue Touch Paper's excellent explanation of what's wrong with the current incarnation of the Bill, in technology terms; and this too).

There's a helpful note explaining what a wash-up is, and what the wash-up procedure is, on the Parliament website.

It was designed for MPs (as was the note explaining "percentages"), so presumably the rest of us will be able to understand it too!


Wednesday, 10 March 2010

Verifying identity, identity relationships and identity cards

I've previously emphasised the importance of verification (data dozen for privacy-protective identity management systems, and how identity theft can be facilitated by lack of proper verification).

An excellent article by English lawyers Nicholas Bohm and Stephen Mason on "Identity and its Verification" is well worth reading (via Bruce Schneier).

While the article was triggered by proposals by the Council of Bars and Law Societies of Europe to introduce an "identity card" for European lawyers, its scope is much broader, looking at what is "identity" and what's involved in verifying identity, with some general observations about identity cards.

Their conclusions:

"Those faced with the problem of how to verify a person's identity would be well advised to ask themselves the question 'Identity with what?' An enquirer equipped with the answer to this question is in a position to tackle, on a rational basis, the task of deciding what evidence will be useful for the purpose. Without the answer to the question, the verification of identity becomes a sadly familiar exercise in blind compliance with arbitrary rules.

In short, identity cards will not solve the problem of establishing identity relationships. Identity cards for lawyers will also risk creating costs, burdens and liabilities for lawyers and their professional bodies without conferring any countervailing advantage either on them or on society."

That last paragraph in particular of course applies to identity cards generally, not just ones for lawyers.


Tuesday, 9 March 2010

Social media - video of Polis "reality check" seminar

Discussion of 4 March 2010 at London School of Economics between social networking experts Michael Pranikoff from PR Newswire, Molly Flatt from 1000 Heads and Tomas Gonsorcik from London Interactive, with Polis director Charlie Beckett.

Also of possible interest: my write up of a previous LSE discussion on the future of the internet with representatives from Google, Facebook etc (with link to MP3 of the discussion).


Monday, 8 March 2010

How to commit identity theft

Bob Walder of Gartner recounts, from Gartner's Identity and Access Management (IAM) Summit, the true story of Bennett Arron who was the victim of identity theft:

"It all started with a mail-shot from a home shopping catalogue company to an old address, which allowed the unscrupulous person now residing at that address to place an order and open an account with the home shopping company. That credit account allowed him to acquire a mobile phone or two. From there it was not too difficult to open bank accounts and obtain credit cards – all in Bennett Arron’s name.

The end result was Arron, who had already given notice on rented accommodation to buy a house, failed to acquire a mortgage, couldn’t rent another property, couldn’t get a line of credit, burned through savings and ended up penniless and living with parents with his pregnant wife. It took him two years to clear his name, by which time property prices had tripled and he could no longer afford to buy a house anyway!"

Arron appeared in a documentary for Channel 4 where at a local shopping mall he social engineered 18 (out of 20) people to give him their personal details, credit card numbers etc, by pretending to be someone advising on the dangers of identity theft!

He also proved how easy identity theft can be, using the example of politician Kenneth Clarke. Walder reported that:

"Arron applied for a duplicate birth certificate in Clarke’s name, and within 3 days it arrived. Using that, he applied for a duplicate driving license from the UK Drivers & Vehicle Licensing Authority (DVLA), which took just a couple of weeks to arrive. As part of this process, the DVLA requested photographs for the license which had to be authenticated on the reverse with a statement from a trusted, non-family member that this was a true likeness of Kenneth Clarke. This Arron completed himself using a false name. Something of a root trust issue, here, I think….

Naturally, with a birth certificate and driving license Arron could have gone on to open various accounts, building up to bank accounts and credit cards. Scary stuff. One good thing came from this – it is now no longer acceptable to use a birth certificate as the sole means of ID when applying for a UK driving license. Wonder if they have plugged that photo certification loophole too?"

It's real life examples like these that bring home how our society has a very long way to go yet in protecting citizens against identity theft. A root trust issue, indeed. As I mentioned in my suggested Data Dozen of identity management for privacy, proper verification of the base information has to be the foundation.


Sunday, 7 March 2010

"Cloud cloud maybe" video - cloud computing history as you've never seen it before

Never mind the Gartner hype cycle, you know a topic like cloud computing has peaked when video takes on it start proliferating.

There was the Hitler spoof video on cloud computing security I mentioned recently, and now we have this rap-style video, stuffed full of cloud references, which is actually an ad by cloud provider Vembu Home.

It's a canter through the history of cloud computing rather than a parody, though given the title it seems like it's meant to be more a parody of Vanilla Ice's "Ice Ice Baby".

Trivia - that song landed Vanilla Ice in trouble as he had used a sample of the bassline from Queen's song "Under Pressure". The bassline here is rather similar, it even starts on the same note, so one hopes Vembu haven't made the same expensive mistake as Vanilla Ice! The last note of Vembu's bass riff actually differs by a tone, probably deliberately; let's hope for Vembu's sake it's enough…


Friday, 5 March 2010

Forrester's privacy heat map

Interesting - Forrester's interactive privacy & data protection heat map (via Broadstuff) -

There's also a list view -

And how does the UK do? Not too well, caution...

The USA too -

Both those countries share the exclamation mark "government surveillance" warning with, well, the Russian Federation and China.


Wednesday, 3 March 2010

The Privacy Dividend - business case for privacy & data protection-friendly systems, & the financial value of personal data

Today the UK Information Commissioner's Office is launching The Privacy Dividend: the business case for investing in proactive privacy protection - a paper commissioned in 2009 "which provides organisations with a financial case for data protection best practice".

Interestingly, it aims to provide a way to estimate the monetary value of "personal information", and the financial cost of data security breaches and data losses (emphasis added, footnotes omitted):

"The total value of personal information to the organisation may be hundreds, thousands or millions of pounds, but the data brought together in Figure S1 appears to suggest a typical commodity value per record is likely to be in the £10-£100 range. The value to other parties who do not have a legitimate interest in personal information appears to range from a few pence to £100.

From a person-centric viewpoint rather than an organisation-centric one, the value of an individual's own information could be much higher, typically in the £100 to £1,000 range per person. If we consider financial fraud, where there are data published, a recent UK survey suggests that the average financial loss per victim is £463. While any one individual person might be able to recover some or all of this loss, this will not always be the case.

In addition to this loss, an estimate should include the time and expenses of the person affected, and other resultant non-financial harms… the average cost to the victim (the sum of their financial loss and the time and effort needed to correct the results) amounts to between £476 and £1,054, or say between £450 and £1,050. To this should be added an allowance, say £50, for the other expenses and potential harm effects not otherwise included, giving a total average value in the range £500 to £1,100."

There's even appendices with: Value of personal information calculation sheet (from perspectives of organisation, individual, other parties and society), Privacy failure costs calculation sheet, Privacy protection benefits calculation sheet.

On the basis that money makes businesses sit up and take notice, putting it in financial terms is a good approach.

From the ICO press release of 3 Mar 2010:

"The report explains how to put a value on personal information and assess the benefits of protecting privacy. It includes practical tools to help organisations prepare a business case for investing in privacy protection…

This report provides organisations with the tools to produce a financial business case for data protection ensuring privacy protection is hardwired into organisational culture and governance.

Practical tools to help organisations prepare a business case for investing in privacy protection include:
• Guidance on the steps involved in a privacy protection scheme to assess the costs and benefits
• Guidance on creating business cases for implementing a new system or changing an existing system
• Calculation sheets to assess the value of personal information and put figures to the business case."

The report was prepared by John Leach of John Leach Information Security Ltd and Colin Watson of Watson Hall Ltd, after feedback on their discussion document.


Tuesday, 2 March 2010

File-sharing software may expose your private health & other data

It seems that "Healthcare professionals who take patient information home to personal computers containing peer-to-peer file-sharing software are jeopardizing patient confidentiality" because "some vendors use software containing dangerous sharing features", according to the authors of a study "The Inadvertent Disclosure of Personal Health Information through Peer-to-peer File Sharing Programs".

Prof. Khaled El Emam, Canada Research Chair in Electronic Health Information, and his team "used popular file sharing software to access documents they downloaded from a representative sample of IP addresses. They were able to access the personal and identifying health and financial information of individuals in Canada and the United States. The research for the study was approved by the CHEO ethics board…. During their research on this project, El Emam said he and his colleagues found evidence of outsiders actively searching for files that contain private health and financial data. “There is no obvious innocent reason why anyone would be looking for this kind of information,” stated El Emam. “Very simple search terms were quite effective in returning sensitive documents.”"

From the paper (emphasis added):

"We modified an open source peer-to-peer file sharing client to automatically search multiple peer-to-peer file sharing networks, and download and organize the files. This modified client performed a wild card search for all document files (Word documents, Outlook email files, PDF files, Access database files, and Excel spreadsheets). Whenever a match was found, the file was downloaded to a repository and its originating IP address recorded. The main networks that were targeted for search were FastTrack, Gnutella, and eDonkey. The specific tool we modified is called ShareAza… Files that came from IP addresses outside the USA and Canada were discarded…"

The paper also:

  • describes examples of peer-to-peer file sharing client features that encourage the inadvertent sharing of files (p.149), and
  • makes some recommendations (p.156) for managing risks from inadvertent disclosure from peer-to-peer file sharing clients.

The research was obviously only in a medical context, but it seems to me that if installing file-sharing software on your computer exposes you to bad hat hackers searching your computer files for health information and (as the researchers mentioned) financial information, unbeknownst to you, it also exposes you to all sorts of other privacy intrusions. Scary.


Monday, 1 March 2010

Fair use & take-down - dancing baby victory

US mum Stephanie Lenz sued Universal Music for issuing a notice to YouTube to take down her video of her toddler dancing cutely (with Prince's song "Let's Go Crazy" playing), when, she argued, she posted the video for friends and family and the presence of the music in the video was fair use and hence she didn't infringe US copyright law. She claimed they issued the takedown notice in bad faith.

Reuters now reports that a Californian district court judge has granted partial summary judgment to Lenz, rejecting Universal's arguments that Lenz acted in bad faith with "unclean hands" in trying to sue them for damages. The Reuters report says:

"The case is important because it raises the question of whether a media company can be held liable for pursuing a takedown without a full consideration of fair use. The decision by the court last Thursday is very technical and examines damage claims under a statutory code that deals with liability when misrepresentations are made about infringing works online."

See also the EFF page (the EFF supported and assisted Lenz), which has not yet been updated in light of these developments, it seems; but the Wikipedia page about this case links to the full text of the judgement: LENZ v. UNIVERSAL MUSIC CORP. I've not had the chance to read it yet.
