Wednesday, 12 May 2010

EU - Art. 29 Working Party criticises Facebook's changes, writes to 20 social networking sites

UPDATE - now see text of the Article 29 Working Party letter to Facebook and letter to other social networking sites.

The EU Article 29 Working Party, comprising EU privacy regulators and the European Data Protection Supervisor, are the latest official group to rap social networking site Facebook for its recent privacy-unfriendly changes.

In their 12 May 2010 press release "European data protection group faults Facebook for privacy setting change", they said they had sent Facebook a letter saying that "it is unacceptable that the company fundamentally changed the default settings on its social-networking platform to the detriment of a user", just "days after the company and other social networking sites providers participated at a hearing during the Article 29 Working Party’s plenary meeting in November 2009".

Following up on their Opinion on Online Social Networking of June 2009 and hearing with major social network services operators Facebook, Netlog and StudiVZ at an Article 29 Working Party plenary meeting in November 2009, the Working Party have written to 20 social networking operators which had signed the "Safer Networking Principles for the EU" (see the full list of signatories).

The Working Party focused on 3 main areas (emphasis added):

  • defaults - "the need for a default setting in which access to the profile information and information about the connections of a user is limited to self-selected contacts. Any further access, such as by search engines, should be an explicit choice of the user."
  • third-party applications - "Providers of social network services should grant users a maximum of control about which profile data can be accessed by a third party application on a case-by-case basis."
  • third party data provided by users - "Providers of social networking sites should be aware that it would be a breach of data protection law if they use personal data of other individuals contained in a user profile for commercial purposes if these other individuals have not given their free and unambiguous consent."

See further on Facebook:

You know what else? Face-to-face time makes us happier than Facebook, according to the Happiness Barometer. And "Facebook is bad for your marriage" according to an online divorce service which found 20% of divorce petitions in their database referred to Facebook. So.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Saturday, 8 May 2010

Google & privacy - response to privacy chiefs, PbD, StreetView, IP anonymisation

Google have replied to the letter from privacy regulators in Canada, France, Germany, Ireland, Israel, Italy, Netherlands, New Zealand, Spain and UK criticising Google's actions in relation to Buzz and Streetview - see Google's response letter. (Again, interestingly hosted on Scribd rather than their own Google Docs)

Google said they're "keenly aware of the trust that our users place in our services, and of our responsibility to protect their privacy. As part of this responsibility, we are committed to being transparent with our users about the information that we collect when they use our products and services, why we collect it and how we use it to improve their experience."

They recited the 5 privacy principles underlying their approach to privacy and user information across Google products (principles spoofed so well by Privacy International - my thoughts on them are in the same blog post).

Google also pointed out their efforts and tools to assist user understanding of their privacy practices to promote transparency -

    • Google Privacy Center,
    • frequently asked questions,
    • blogs on privacy issues
      • oddly enough there's no RSS/Atom newsfeed available for that page, so here's the Google privacy blogs feed URL I generated through Google Reader
    • videos on privacy,
    • their Google Dashboard to empower users to view and control their information (even the infamous Buzz) stored in their Google Account, now 6 months old
      • the letter said "on average, around 100,000 unique visitors a day check it out, 85 percent for the first time." It would be useful to know not just how many people are "checking it out", but whether they can and do actually use it to change privacy preferences to what they as users want (not just to one of the increasingly limited range of options the provider chooses to make available - here I have in mind Facebook's recent changes more than Google's!)
      • privacy advocate and security expert Moxie Marlinspike put that better, making the point that Dashboard may in fact be antithetical to privacy - it 'only shows some of the information that are most obviously connected to a Web user. “[Dashboard's use] requires that you have an account [with Google], be logged in while using the services and maintain a persistent cookie. It’s a brilliant move on their part.”'
    • their Data Liberation Front team "whose singular goal is to make it easier for users to move their data in and out of Google products… because we believe users should use Google products for their quality, not because of their inability to remove their data."
      • that's not really a privacy point, is it? Data portability yes, and avoiding lock-in too, those are good for providing incentives to use Google - but they still need to assure us that our data will be kept secure and private!

Google acknowledged they don't "get everything 100% right — that is why we acted so quickly on Google Buzz following the user feedback we received", and expressed their commitment "to ensuring that privacy is designed into our products at every stage of the development cycle. Respecting privacy is part of every Googler's job. We also have a team of seasoned privacy professionals, including legal, policy, security and engineering experts, to help guide the development of responsible privacy policies across Google".

Google also said they want to "continue working with [privacy / data protection regulator] offices and to benefit from your guidance in the future as we build privacy into new, innovative products for our users."

Google's stated commitment to privacy by design sounds good, but of course what really matters is to what extent worthy words are translated into actual action.

Google's recent revelations that its Street View vans & cars were collecting info on wifi networks as well as street photos might be seen as a step in the direction of better transparency, and so too (at least as regards government actions) Google's publication of info on government requests for data on individuals or to take down or block sites, plus their blogs about openness.

On the other hand there have been accusations that Google weren't very transparent in saying that they anonymize users' IP addresses after 9 months, when in fact they just "obfuscate" IP addresses.

Quite apart from transparency, it's vital that Google as a minimum builds into their internal procedures, as standard, a set-in-stone requirement that all new products or services like Buzz (or indeed modifications) must be vetted in advance for privacy & data protection as well as other legal issues, before they are unleashed on the wider public.

Look what happened with Google's Chrome browser, for instance, where there was a huge fuss in the blogosphere over Google Chrome's terms of service whereby apparently Google claimed a perpetual licence to use any content published or displayed by users through the browser!

It seems to me that actually that was probably just a case of no one from Legal having had a chance to properly tailor Google's boilerplate terms of service to suit a web browser product (as opposed to a web service) before it was launched - but that failure brought Google a lot of bad publicity.

Hopefully Google will have taken on board the lessons from the Chrome TOS and Buzz incidents and embed considerations of legal issues (and consultation with regulators where possible) into their business processes - including the promised privacy by design.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Friday, 7 May 2010

hNews & Value Added News, hNews tutorial - & copyright and licensing options to follow?

As previously promised, this blog post explains hNews and how to implement it on a Blogger blog like this one. Tech, not law, for a change.

While US press agency Associated Press was the prime mover behind hNews, the hNews microformat is potentially useful for other news sources and media like blogs or informational websites because it enables search engines to index news items in a more useful way, by allowing news providers to "tag" their content with machine-readable "metadata" carrying specific types of information about the individual news item and its author etc. It's been adopted e.g. by AOL.

I've tried to make this blog hNews-compliant. You'll notice the small text at the end of each blog post with copyright and attribution info, as hNews requires each "news" item to have separate licensing info, and also the shiny new "Value Added" button at the end of each post which, when you hover over it, provides some information about the blog post.

The AP Registry "employs the hNews microformat to encapsulate AP and member content in an informational wrapper that not only offers publishers a way to prime the content better for search purposes, it also includes a permissions framework that lets them specify how and when their content is to be used online."

AP said "ultimately, it could enable new ways of doing business by offering them the opportunity to let their content flow where consumers want to see it as well as a common way of analyzing use across all platforms."

What's hNews, what does it do, and how?

Basically, whenever AP publishes content, they "mark up" or, if you like, "tag" or "wrap up" the content using hNews, which is what's known as a microformat. hNews was developed by AP with the London-based Media Standards Trust to "prime the content better for search purposes", and it extends the hAtom microformat.

To people, the content reads no differently; the markup text is invisible to the human eye (unless you View Source in your browser, of course).

However, to computers, the content gains new meaning with the addition of hNews markup ("metadata", as librarians and information scientists, who will know all this anyway, would call it). Note that microformats are not the same thing as the semantic web.

Their related Value Added News site explains the benefits of using hNews to produce what they call "value added news". Using hNews with an article will make it more machine-readable, including to search engine spiders, providing info to search engines etc about:

  • Who wrote it
  • The title of the article
  • Who it was written for
  • Whether it was edited (and who by)
  • When it was first published
  • How it has changed since publication
  • When it was last updated
  • What key subjects it is about
  • What journalistic codes of practices (if any) it adheres to
  • What usage rights are associated with the article.

(That last item is of course the bit to do with copyright licences and permissions to use the article, if any.)

There's a search engine for "Value Added News" that's in alpha currently, and if you try it you'll see it enables filtering of search results by Author, Tag, People, Organisation and Places. So far the only source it indexes seems to be OpenDemocracy.net. And remember it's still in alpha so it won't work fully as expected yet, e.g. even if there are more than 5 results it seems to only show the first 5 with no way to move to the next page as far as I can see (at the time of writing this).

As other search engines become more microformats-aware, hopefully hNews will be ever more useful, and perhaps be used on more sites.

hNews - minimum requirements

The easiest illustration I can think of is the example news story that's been marked up with hNews with only the hNews items that are absolutely required - namely code (invisible to humans) to indicate that it's hNews-formatted (the class names "hnews hentry" on the element wrapping the story), then to indicate which bit of the news story is the entry title ("entry-title"), which part is the author's name ("author", as a vcard whose "fn" is the name), the publishing organisation ("source-org") and the date last updated ("updated").

And see another example and the Value Added News general howto.

How to add basic hNews to a Blogger blog - tutorial

There's no reason not to use the core elements of hNews as it's quite easy to make Blogger blogs, hosted on Google's Blogspot.com service, minimally hNews-compatible in a basic way.

Below are extracts from my blog template (based on one of the standard Blogger-provided templates) showing how I edited it to automatically include basic hNews formatting for my blog posts. The additions are the class names listed before each extract, and as you can see it doesn't take much tweaking to deal with the compulsory fields. The code is for my specific template but it won't be very different for others.

For the non-technical - to edit your template, log in to Blogger, go to the Layout tab, click Edit HTML. Click "Download Full Template" to back up your template first; and note that you do these edits at your own risk! You also need to check "Expand Widget Templates" before you can edit it properly.

Blogger seem to have done a lot of the work already by including hAtom markup in their standard templates. As mentioned, the extra bits I've added are the class names hnews, item and entry-title -

<b:includable id='post' var='post'>
  <div class='post hnews hentry item'>
    <a expr:name='data:post.id'/>
    <b:if cond='data:post.title'>
      <h3 class='post-title entry-title'>
        <b:if cond='data:post.link'>
          <a expr:href='data:post.link'><data:post.title/></a>
        <b:else/>
          <b:if cond='data:post.url'>
            <a expr:href='data:post.url'><data:post.title/></a>
          <b:else/>
            <data:post.title/>
          </b:if>
        </b:if>
      </h3>
    </b:if>

And further down, again the bits I've added are the author, source-org and updated class names and the new source-org span (plus a comma and space so it reads OK with my name followed by the blog name); obviously in other people's blogs "Tech and Law" would be changed to something else -

<span class='post-author author dateline vcard'>
  <b:if cond='data:top.showAuthor'>
    <data:top.authorLabel/>
    <span class='fn'><data:post.author/></span>
  </b:if>,
</span><span class='source-org vcard'><span class='org fn'>Tech and Law</span>, <span class='adr'><abbr class='locality' title='London'>London</abbr><abbr class='region' title='England'/><abbr class='country-name' title='United Kingdom'/></span></span>

<span class='post-timestamp'>
  <b:if cond='data:top.showTimestamp'>
    <data:top.timestampLabel/>
    <b:if cond='data:post.url'>
      <a class='timestamp-link' expr:href='data:post.url' rel='bookmark' title='permanent link'><abbr class='published updated' expr:title='data:post.timestampISO8601'><data:post.timestamp/></abbr></a>
    </b:if>
  </b:if>
</span>

And don't forget to Preview it and of course Save Template once you're happy with it.

These edits mean that blog posts will now automatically include hNews info about the post's title, author's name, publishing organisation and date published (which also serves as the date updated, since the timestamp carries both the published and updated classes).

You can test if it works by entering the URL of your blog post in Google's Rich Snippets Testing service - e.g. see mine.

For the optional extra fields in the body of blog posts, more work would be needed. I just cover copyright licence / usage info, further below.

The ValueAddedNews button

The code for the "Value Added" button at the end of each blog is from ValueAddedNews. I pasted their code for the "Smart" label -

<span class="vab-container"><img src="http://valueaddednews.org/images/vab/vab_100x20.jpg"
  width="100" height="20" alt="Value Added News" /> <span class="vab-popup"></span>
</span><script src="http://valueaddednews.org/js/vab.js" type="text/javascript"></script>

just above <span class='post-comment-link'> in my Blogger template. Note that this loads and runs JavaScript from valueaddednews.org on every page of the blog, so you are trusting that site's script (and anyone who can change it) in your readers' browsers.

There seems to be an issue with this button, because hovering over the button only displays limited info - it's not showing the info about my blog name and geographical locality (from the source-org markup above), and it should.

I've contacted the hNews/ValueAddedNews people but not heard anything back so I don't know if the problem lies with their Javascript or my attempted implementation of hNews. I suspect that it's them, not me, because the Google tool picks up organisation and locality info perfectly, as it should - see this example.

Copyright licence and usage information

It remains to be seen what usage rights info will be added by hNews users.

There's general information on the item-license, with illustrations, but while the examples given include Creative Commons licences and ValueAddedNews notes that "these usage rights can be written by you, rather than those defined by Creative Commons", no examples have been given of the more restrictive kinds of licences that I suspect the traditional news industry will prefer (e.g. "No permission to copy or do anything else at all") .

Of course, the absence of a licence means (to lawyers at least) the absence of permission to copy. No explicit licence, best not copy.

I imagine people will be drafting licences (and putting them on websites to be linked to), and it will be interesting to see what their terms are.

I chose to use a Creative Commons licence for this blog. However, hNews doesn't let you link to standard usage rights from the blog generally; you have to link from each individual blog post, which is why I have copyright and licence info at the bottom of every post now. As ValueAddedNews say, each blog post or article can have different usage rights, which is useful for the various reasons they give.

In my case, I've changed my template to make usage rights virtually the same for each post - and specified that if people quote my content, I'd like them to credit me in a particular way. The only difference is that I want them to link to the exact URL of the relevant blog post (rather than to my blog generally), so the URL is different for each post.

I added the appropriate code for usage rights to my Blogger template, between

<data:post.body/>
<div style='clear: both;'/> <!-- clear for photos floats -->

and

</div>

The code I used is below; your mileage will vary, e.g. you may not want to use the same CC licence as me (and you probably shouldn't if you're not UK-based, as you may need a local licence), and you'll certainly want to change the parts specific to my blog - the copyright holder, licence link, profile URL, blog name and blog URL - to suit your own -

<p style='font-size:x-small; line-height:90%;'>&#169;WH. This work is licensed under a
  <a href='http://creativecommons.org/licenses/by-nc-sa/2.0/uk/' rel='license item-license'>Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence</a>.
  Please attribute to <span class='attribution vcard'><a class='fn url' href='http://www.blogger.com/profile/01409117377874267312'>WH</a></span>,
  <span class='vcard'><span class='fn org'><a class='url' href='http://blog.tech-and-law.com/'>Tech and Law</a></span></span>,
  and link to <a class='attribution' expr:href='data:post.url'>the original blog post page</a>. Moral rights asserted.</p>

expr:href='data:post.url' is what produces the URL unique to each individual blog post.

hNews markup in the body of the post

You can also add value to individual blog posts by marking up the content e.g. I've done it as an experiment in one post to indicate, for machine-readability, the people and organisations mentioned in the post (see the data extracted from that blog post by the Google Rich Snippets tool).

For what markup to add to designate different concepts, see the hNews examples and spec.

However sadly this can't be done by just adding code to your template. You have to tediously mark up each individual element (e.g. name of individual) manually, one by one - or at least I did, in my test blog post (view source to see the <span class="vcard"><span class="org"> etc which I inserted for organisation names like ENISA - the Google tool shows all the metadata added.)

I hope that tools to facilitate hNews markup of selected text in a news article or blog post will be forthcoming, otherwise people just won't do it - it's too difficult currently.
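The checks above (the required fields from the minimum-requirements section, the Blogger template edits, the item-license and attribution markup in the licence section, and the vcard spans marked up in the body of a post) can be run locally instead of pasting a URL into Google's tool. The Python script below is an added example written for this page; it is not code from the hNews specification, ValueAddedNews, Blogger or Google, and it uses only the standard library. The input it parses is a constructed, already-rendered version of the template edits above, with Blogger's data: expressions replaced by literal values and a second entry that deliberately omits the author and source-org markup. Only the class and rel names come from hNews; the function and variable names are mine.

```python
"""Offline hNews checker: an added example written for this page, not code from the
hNews spec, ValueAddedNews or Blogger; standard library only. It finds each element
whose class holds both "hnews" and "hentry" and extracts the hNews fields. Only the
class/rel names below come from hNews; the function and variable names are mine."""
from html.parser import HTMLParser

VOID_TAGS = {"img", "br", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}  # no end tag


class HNewsParser(HTMLParser):
    REQUIRED = ("entry-title", "author", "source-org", "updated")

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.entries = []        # one dict per hnews hentry, in document order
        self._stack = []         # class set of every currently open element
        self._entry_depths = []  # stack depth at which each open hentry started
        self._captures = []      # [depth, key, chunks]: text being collected

    def _ancestor_has(self, cls):
        return any(cls in classes for classes in self._stack)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = set((a.get("class") or "").split())
        if tag in VOID_TAGS:
            return
        self._stack.append(classes)
        depth = len(self._stack)
        capture = lambda key: self._captures.append([depth, key, []])
        if {"hnews", "hentry"} <= classes:
            self.entries.append({"attribution": [], "mentions": []})
            self._entry_depths.append(depth)
        if not self._entry_depths:
            return  # markup outside any hentry is ignored
        entry = self.entries[-1]
        if "entry-title" in classes:
            capture("entry-title")
        elif "fn" in classes and self._ancestor_has("author"):
            capture("author")
        elif classes & {"fn", "org"} and self._ancestor_has("source-org"):
            capture("source-org")
        elif "updated" in classes and (a.get("title") or a.get("datetime")):
            entry.setdefault("updated", a.get("title") or a.get("datetime"))  # abbr/time pattern
        if "item-license" in (a.get("rel") or "").split() and a.get("href"):
            entry.setdefault("item-license", a["href"])
        if "attribution" in classes:
            capture("attribution")
        elif "vcard" in classes and not classes & {"author", "source-org"}:
            capture("mentions")  # people/organisations marked up in the body

    def handle_data(self, data):
        for cap in self._captures:
            cap[2].append(data)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        depth = len(self._stack)
        self._stack.pop()
        while self._entry_depths and self._entry_depths[-1] >= depth:
            self._entry_depths.pop()
        remaining = []
        for cap_depth, key, chunks in self._captures:
            if cap_depth < depth:
                remaining.append([cap_depth, key, chunks])
                continue
            text = " ".join("".join(chunks).split())  # the captured element has closed
            entry = self.entries[-1]
            if key in ("attribution", "mentions"):
                entry[key].append(text)
            else:
                entry.setdefault(key, text)  # first occurrence wins
        self._captures = remaining


def check_hnews(html):
    """Return [(fields, missing_required), ...], one pair per hentry found."""
    parser = HNewsParser()
    parser.feed(html)
    parser.close()
    return [(e, [k for k in HNewsParser.REQUIRED if not e.get(k)]) for e in parser.entries]


# Constructed input: the rendered form of the Blogger edits on this page, with the
# data: expressions replaced by literal values; entry two lacks author and source-org.
SAMPLE_HTML = """
<div class="post hnews hentry item">
  <h3 class="post-title entry-title"><a href="http://blog.example/p/hnews.html">hNews tutorial</a></h3>
  <p>Body text mentioning <span class="vcard"><span class="org">ENISA</span></span>.</p>
  <p>&#169;WH. Licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/2.0/uk/"
     rel="license item-license">CC BY-NC-SA 2.0 UK</a>. Please attribute to <span class="attribution vcard"><a
     class="fn url" href="http://blog.example/wh">WH</a></span> and link to
     <a class="attribution" href="http://blog.example/p/hnews.html">the original blog post page</a>.</p>
  <span class="post-author author dateline vcard">Posted by <span class="fn">WH</span>, </span>
  <span class="source-org vcard"><span class="org fn">Tech and Law</span>, <span class="adr">London</span></span>
  <span class="post-timestamp">at <abbr class="published updated" title="2010-05-07T18:00:00+01:00">18:00</abbr></span>
  <img src="http://valueaddednews.org/images/vab/vab_100x20.jpg" width="100" height="20" alt="Value Added">
</div>
<div class="post hnews hentry item"><h3 class="post-title entry-title">A post with no author markup</h3>
  <abbr class="published updated" title="2010-05-06T09:00:00+01:00">09:00</abbr></div>
"""
```

Run check_hnews() on the saved HTML of a post page (or on SAMPLE_HTML to see the shape of the output): each entry comes back as the fields found plus the list of required fields that are missing, which is the same information the Rich Snippets tool reports, and the "mentions" list shows which vcards in the body a microformat consumer would actually pick up.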

More info on hNews

For the technically minded, this presentation is very helpful:

See also the hNews technical specification.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Thursday, 6 May 2010

Online porn - economics, security, cybercrime

Researchers ran adult web sites to study security flaws, economics of the porn industry and "potential points of interest for cybercriminals", the resulting paper being Is the Internet for Porn? An Insight Into the Online Adult Industry by Gilbert Wondracek, Thorsten Holz, Christian Platzer, Engin Kirda, and Christopher Kruegel.

The paper provides "a detailed overview of the individual actors and roles within the online adult industry. This enables us to better understand the mechanisms with which visitors are redirected between the individual parties and how money flows between them".

It also looks at "security aspects of more than 250,000 adult pages and… the prevalence of drive-by download attacks. In addition, we present domain-specific security threats such as disguised traffic redirection techniques, and survey the hosting infrastructure of adult sites."

The paper said, "By operating two adult web sites, we obtain a deeper understanding of the related abuse potential. We participate in adult traffic trading, and provide a detailed discussion of this unique aspect of adult web sites, including insights into the economical implications, and possible attack vectors that a malicious site operator could leverage. Furthermore, we experimentally show that a malicious site operator could benefit from domain-specific business practices that facilitate clickfraud and mass exploitation."

Their findings (emphasis added) -

"We analyzed the economic structure of this industry, and found that apart from the expected “core business” of adult sites, more shady business models exist in parallel. Our evaluation shows that many adult web sites try to mislead and manipulate their visitors, with the intent of generating revenue. To this end, a wide range of questionable techniques are employed, and openly offered as business-to-business services. The tricks that these web sites employ range from simple obfuscation techniques such as relatively harmless blind links, over convenience services for typo-squatters, to sophisticated redirector chains that are used for traffic trading. Additionally, the used techniques have the potential to be exploited in more harmful ways, for example by facilitating CSRF [cross site request forgery] attacks or click-fraud.

By becoming adult web site operators ourselves, we gained additional insights on unique security aspects in this domain. For example, we discovered that a malicious operator could infect more than 20,000 with a minimal investment of about $160. We conclude that many participants of this industry have business models that are based on very questionable practices that could very well be abused for malicious activities and conducting cyber-crime. In fact, we found evidence that this kind of abuse is already happening in the wild."

No doubt there will be many more researchers now wanting to conduct similar "realistic experiments" with online pornography sites as "the only way to reliably estimate success rates of attacks in the real-world"!

(Also - file sharing software can be used to trawl for private health and other info.)

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Identity fraud on the rise - CIFAS report

UK fraud prevention organisation CIFAS says identity fraud increased 19.86% in Q1 2010 compared with the same period in 2009, with a more than 20% increase in the number of victims of impersonation compared with the first quarter of 2009. But "Overall fraud levels remain consistent, with nearly 60,000 proven frauds identified in the first three months of 2010."

And there's been a 32% increase in "current address fraud", where criminals impersonate people at their current address.

"Not only must consumers dispose of physical details in a secure manner, but they must also ensure that sensitive electronic documents are kept separate from each other. Scanned documents and account details must, preferably, not be kept on computer hard drives but, more preferably, be backed up onto discs and full virus and malware protection products must be in place," said Richard Hurley, CIFAS Communications Manager.

CIFAS table (Identity Fraud includes false identity and identity theft.) -

  Fraud type                       Jan to Mar 2009   Jan to Mar 2010   % change

  Identity Fraud - Granted                  13,350            19,322     44.73%
  Identity Fraud - Not Granted              11,469            10,427     -9.09%
  Identity Fraud - Total                    24,819            29,749     19.86%
  Application Fraud - Granted                3,206             1,784    -44.35%
  Application Fraud - Not Granted           13,384             9,985    -25.40%
  Application Fraud - Total                 16,590            11,769    -29.06%
  False Insurance Claim                        138               161     16.67%
  Facility Takeover Fraud                    5,856             5,617     -4.08%
  Asset Conversion                              87               119     36.78%
  Misuse of Facility                        12,991            12,235     -5.82%
  Victims of Impersonation                  20,730            26,874     22.86%
  Victims of Takeover                        6,211             5,717     -8.64%

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Saturday, 1 May 2010

EU data protection - internet of things, RFID

Location privacy is a big current and future issue. Assistant EDPS Giovanni Buttarelli gave a speech on "Internet of things: ubiquitous monitoring in space and time" at the European Privacy and Data Protection Commissioners’ Conference, 29 April 2010.

He discussed the data protection issues arising from the Internet of Things, with RFID "as a building block and probably "the key" component of the future Internet of Things. Therefore, I will often refer to RFID and the Internet of Things as equivalents."

The speech provided an overview of what the "internet of things" is, then the steps taken by the Commission to address it, particularly legal issues, with examples, and considered to what extent the current EU data protection framework needs to be amended to continue providing adequate protection when the Internet of Things becomes a reality (accountability and "privacy by design", and perhaps an "opt-in principle at the point of sale pursuant to which all RFID tags attached to consumer products would be deactivated by default at the point of sale").

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.