Wednesday, 14 September 2011

UK transparency & privacy review

The independent review of the impact of UK government transparency on privacy, commissioned by the Cabinet Office and led by Dr Kieron O'Hara, is now out:

Comments are invited, to privacyreview@cabinet-office.gsi.gov.uk. No deadline date seems to have been given. (The public consultation on open data, launched in August,  is still open - deadline 27 Oct 2011.)

Conclusions

  • Privacy is extremely important to transparency. The political legitimacy of a transparency programme will depend crucially on its ability to retain public confidence. Privacy protection should therefore be embedded in any transparency programme, rather than bolted on as an afterthought.
  • Privacy and transparency are compatible, as long as the former is carefully protected and considered at every stage.
  • Under the current transparency regime, in which public data is specifically understood not to include personal data, most data releases will not raise privacy concerns. However, some will, especially as we move toward a more demand-driven scheme.
  • Discussion about deanonymisation has been driven largely by legal considerations, with a consequent neglect of the input of the technical community.
  • There are no complete legal or technical fixes to the deanonymisation problem. We should continue to anonymise sensitive data, being initially cautious about releasing such data under the Open Government Licence while we continue to take steps to manage and research the risks of deanonymisation. Further investigation to determine the level of risk would be very welcome.
  • There should be a focus on procedures to output an auditable debate trail. Transparency about transparency – metatransparency – is essential for preserving trust and confidence.

Recommendations

"…which are intended to implement these conclusions without making too strong a claim on resources":
1. Represent privacy interests on the Transparency Board.
2. Use disclosure, query and access controls selectively.
3. Include the technical paradigm.
4. Move toward a demand-driven regime.
5. Create a data asset register.
6. Create sector transparency panels.
7. A procedure for pre-release screening of data to ensure respect for privacy.
8. Extend the research base and maintain an accurate threat model.
9. Create a guidance product to disseminate best practice and current research in transparency.
10. Keep the efficacy of control in the new paradigm under review.
11. Maintain existing procedures for identifying harms and remedies.
12. Use data.gov.uk to raise awareness of data protection responsibilities.
13. Investigate the Vulnerability of Anonymised Databases.
14. Be transparent about the use of anonymisation techniques.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Tuesday, 16 August 2011

Google's ICO privacy audit out

The UK Information Commissioner's Office has published the results of its consensual data protection audit of Google Inc's privacy processes, initiated as a result of the Google Streetview collection of wifi payload data.

The audit was based on a desk-based review of relevant documentation, an on-site visit at Google Inc in London on 19 and 20 July 2011 including interviews with staff, and an inspection of selected records.

Verdict - there's been progress in Google's privacy procedures, but more improvements are needed.

For more info -

For anyone interested, there's a full Guide to ICO data protection audits.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Thursday, 7 April 2011

Libel reform - free seminar 13 April

First in a debate-style Media Law Seminar Series from Centre for Commercial Law Studies, Queen Mary, University of London and City Law School, City University. This series "will focus on the cutting edge legal issues affecting all forms of popular media."

"This house believes that the English libel laws are unfit for purpose in the Twenty-First Century."

Date: 13 April 2011 - 6-8pm

Venue: Queen Mary, University of London 67-69 Lincoln's Inn Fields London WC2A 3JB

Free, but you have to register - e-mail your full name, your company name and position to k.zaim@qmul.ac.uk. Deadline 12 April.

2 CPD points.

Via http://www.law.qmul.ac.uk/events/.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Friday, 1 April 2011

"Outsouring" to "loud computing"

It may be 1 April but these typos I found are real; perhaps worth adding to the eggcorns database?

Those wary of staff discontent about "outsouring" -

- will still have heard much about "loud computing"-

- which probably beats "clod computing"!

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Wednesday, 30 March 2011

Census sabotage?

Privacy or confidentiality concerns about the UK 2011 census? The census director's careful choice of words quoted in ComputerWeekly certainly seems noteworthy - "The UK Statistics Authority and the Office for National Statistics will never volunteer personal information for any non-statistical purpose…". So, they won't offer it to just anyone off their own bat, but they'll give it if - made to? Told to? Just asked to?

Apart from data protection or privacy worries, others are uncomfortable about the contractor engaged to process the census, Lockheed Martin. So the ingenious recommendations by Peace News on How to Fill In Your Census Form without Lockheed Martin Profiting may well be taken up by some.

It's (possibly unintentionally) absolutely hilarious - with suggestions like -

  • don't fill the census form in online
  • "accidentally change a digit of your telephone number and ditto for an email address"
  • send written queries to the FREEPOST address, perhaps direct to the Director
  • make small changes to names so you know the source of any "data protection failure"
  • and oh they might have scanning issues if

    "- The form was wrongly inserted in the envelope;

    - A different envelope has been used;

    - The outer bar code has been covered before the form was put in the envelope;

    - Some or all of the outer bar code’s white spaces were filled in with black pen or otherwise obliterate.."

  • not to mention that scanner paper feeds can "go temperamental" if there -

    "a) could be things like post-it notes, loose bits of paper and other detritus, stains, obviously unreadable barcodes, etc.

    b) could be of the form of additional staples, tears, folds, creases, spots of stickiness such as a marmalade spillage or a fragment of bluetack, improvised repairs of torn sheets with sellotape, additional pieces of paper glued to the side, etc"

  • bar codes on the form - "can be rendered ineffective by neatly filling in some or all of the white gaps between the bars of with a black pen or entirely covering with stickers – do not use post-it notes for they are easily removed. Do not allow any complete horizontal strip (however narrow) of the complete barcode to remain. (Many people “blacked in” or obliterated bar codes to great effect on Poll Tax forms in 1989-1991 and greatly increased their processing costs). Make sure you don’t miss any other codes and serial numbers."
  • tick both boxes "Male" and "Female", or “Jewish” and “Sikh”…
  • "Refusing to answer such questions [considered intrusive or privacy-invasive] could, in principle, cost you £1000 and will make no difference whatsoever to Lockheed Martin. It will be more effective to tick a few random boxes and write some random stuff in the text sections, then cross it all out again, and write something like “I don’t understand this. Please explain” This will take up time to deal with in the processing centre. You cannot be fined for not understanding a question or for being confused by it and you have made the effort."
  • "It is easy to make a mistake or even to forget to answer a question – we are all human after all. No problem: just write to the processing centre (Addressed to “Census Processing Centre” in whatever place name you remember from the form) to tell them to put it right on your form. A considerable amount of clerical work could be involved… If you supply a missing answer, keep a copy of your letter so that you can prove that you made a real effort to comply with your legal obligation to answer all questions."

I won't go on. You can finish the article direct, it's an amusing read.

Ironically, I know at least one person who's done some of the things they've suggested - not through any intention to muck up the form, but just because their situation is unusual (though not that uncommon), and they didn't think the form was clear or helpful enough as to how they were meant to complete it, hence crossings out galore!

Via Peter Judge, eWeek.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Saturday, 19 March 2011

UK data protection register to be opened up further?

Just saw, the ICO are consulting on allowing their entire Data Protection Register to be downloaded "in a reusable format", in the spirit of open data and transparency. Respond by emailing consultations@ico.gsi.gov.uk - closing date 31 March 2011.

This register has info about those who've registered with the UK Information Commissioner's Office as "data controllers" of personal data. (Not the details contained in the personal data which they control, just limited info about the controllers themselves.) You can currently search the Data Protection Register online. For example here's the info on Google UK and Google Inc.

The consultation is about the impact which making the whole register downloadable as a single data set would have on individuals on the register, where the ICO say -

However, a number of entries on the register relate to individuals, such as sole traders, and there are therefore data protection considerations. For example, is it fair that data collected for a statutory purpose is made available in a form that could make it more widely available and usable?

We want your views on what the impact on individuals would be if the register was available to download as a dataset, in a re-usable format, in its entirety.

Personally I think the requirement for notification / registration is somewhat red-tapish, as the info in the register's not that informative and yet it's a hassle and cost for those who have to register, but the law is what the law is.

I didn't spot any consultation on the format that they plan to use. I wonder what format that will be?

Responses will be published but if you think your response is confidential, explain why and they'll consider that if they are asked to reveal it, but can't guarantee to keep it confidential. Though

….The ICO will process your personal data in accordance with the Data Protection Act 1998 and in the majority of circumstances this will mean that your personal information will not be disclosed to third parties.

Just as an aside - I'm never clear when I see references to closing dates of "X" - do they mean before X? On X? By close of business on X? I'm probably being A-type here, but personally I would like all consultations to say, "by 17.30 GMT on X".

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Friday, 11 March 2011

Privacy vs security & crime - lecture

Mr Hielke Hijmans, European Data Protection Supervisor's Office, will discuss "Data Protection in Europe’s Area of Security and Justice" this Monday 11 Mar 2011, 7pm, London as part of Queen Mary School of Law's Criminal Justice lecture series. Drinks from 6.30pm.

From the flyer:

9/11 has reconfigured the relationship between security and privacy. The post- 9/11 era is marked by the proliferation of mechanisms for the collection, analysis and exchange of personal data for security purposes at EU level. EU databases (such as the Europol Information System and the Schengen Information System) have been created and expanded. The exchange of personal data between national police authorities has been strengthened. The private sector has been increasingly called on to cooperate with the State in the field of data transfers. This lecture will explore the implications of these developments and assess the extent to which the European Union has developed an adequate legal framework on data protection to address security concerns.

Those interested in privacy and data protection law, particularly in the context of crime, law enforcement and national security, may want to attend.

Details and to book a place.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Monday, 7 March 2011

Youngest female racing driver in UK seeks sponsorship

Zoe Wenham, only 16 and racing in the Volkswagen Racing Cup, is seeking sponsorship. I wanted to help spread the word, though this is clearly not my blog's usual subject matter! When not racing she's studying for A levels in IT, Maths, Physics and Business Studies. Via Women in Technology newsletter.

More info, email zoewenham@hotmail.co.uk, site http://www.zoewenham.com/, Twitter @zoewenham - and also she'd welcome general suggestions or thoughts on her sponsorship portfolio.

Coincidentally, a friend and I were just chatting t'other day about females in Formula One (my friend likes watching, I have to say I'm not a sporty person myself).

There's a dearth of women in racing (the position seems even worse than with women in law). We wondered if that was partly because those narrow, form-fitting racing cars are built to suit the male form - normally they're not designed for wide hips to squeeze in, or, if I may say so, chestage - so do they indirectly exclude females that way?

If it's possible to have privacy by design (or not), isn't it possible that there is some kind of gender exclusion through race car design…? Does anyone with any Formula One engineering experience know?

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Monday, 14 February 2011

Privacy - Council of Europe consults on modernising Data Protection Convention 108 - deadline soon

The Data Protection Convention 108 is being updated for the realities of modern technologies and globalisation. 10 March 2011 is the deadline for putting views to the Council of Europe's T-PD expert committee on their list of 30 consultation questions.

I won't repeat the list here; they dealt with ETS 108's objects, scope, definitions, protection principles, rights and obligations, sanctions and remedies, applicable law, position of data protection authorities / regulators, transborder data flows, and the role of the committee. As you'd expect, they include the topical issues of privacy by design, proportionality, data security breach notification, location privacy, accountability, and should there be defined rights to privacy, data protection and anonymity.

Anyone who wishes can email them with thoughts or comments at data.protection@coe.int, before 10 March 2011. Here's their full list of papers about the modernisation. Also of interest - European Data Protection Supervisor Peter Hustinx's recent speech on new European rules on data protection, regarding the modernisation of Convention 108.

For those unfamiliar with this 1985 treaty on privacy and data protection, Convention ETS 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data has been ratified by all the EU countries and some other, mainly European, countries, including Switzerland. It was very influential eg on the EU Data Protection Directive, which is itself also being reviewed.

Report on issues with Convention 108

The Council of Europe (not the same as the EU) had commissioned an expert report on the challenges raised by developments since the convention was first promulgated.

The 2-part report released in November 2010 was written in French. It makes interesting reading for anyone interested in privacy or data protection laws and how they can or should be adapted to keep pace with technological and societal changes.

I've attempted automatic English translations using Google Translator Toolkit as my French is non-existent, ja si oui yep. The translations aren't perfect but they're good enough to give a decent idea of the gist, at least to me. The only edit I made was to change "master file" to "controller of the file"; I had no time to fix the formatting oddities.

Below are links to the rough English translations I ran of the November 2010 Report on the lacunae of the Convention for the protection of individuals with regard to automatic processing of personal data (ETS No 108) resulting from technological developments, by Jean-Marc Dinant and (in the case of Pt 2) Dinant and Cécile de Terwangne, Jean-Marc Moiny, Yves Poullet, Jean-Marc Van Gyzeghem and the CRID.

I've also embedded the automated English translations below for a sneak preview. The French titles link to the French originals.

I've provided links to translations in both HTML and Google Docs format, because with the Google Docs version you can use the "File -> Download as" menu to download the document in Word DOC, RTF, PDF or ODT to read offline, if that's more convenient for you. Be warned that they're quite large files so may take a while to download.

Part 1

Rapport sur les lacunes de la Convention n° 108 pou r la protection des personnes à l’égard du traitement automatisé des données à caractère personnel face aux développements technologiques Partie I - T-PD-BUR (2010) 09 (I) FINAL

English translations of Report on the lacunae of the Convention for the protection of individuals with regard to automatic processing of personal data (ETS No 108) resulting from technological developments - T-PD-BUR (2010) 09 (I) FINAL, by Jean-Marc Dinant - in
HTML Webpage format, or
Google Docs format.

 

Part 2

Rapport sur les lacunes de la Convention n° 108 pou r la protection des personnes à l’égard du traitement automatisé des données à caractère personnel face aux développements technologiques Partie I - T-PD-BUR (2010) 09 (II) FINAL

English translations of Report on the lacunae of the Convention for the protection of individuals with regard to automatic processing of personal data (ETS No 108) resulting from technological developments - T-PD-BUR (2010) 09 (II) FINAL, by Jean-Marc Dinant, Cécile de Terwangne, Jean-Marc Moiny, Yves Poullet, Jean-Marc Van Gyzeghem and the CRID - in
HTML Webpage format, or
Google Docs format.

 

Note - the Council of Europe did not reply to my emailed request for permission to translate the French texts. If any owner of the copyright in those reports objects to these translations, please let me know and I will delete them.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Monday, 31 January 2011

IM & chat privacy - deletion of logs or accounts

Deleting your IM account or chat logs seems tough or impossible with most popular IM services. So Matija Šuklje discovered in looking at popular instant messaging or chat clients / systems, where he reported as follows -

  • AIM - almost impossible to delete account - he didn't mention what happens to logs.
  • ICQ - can't delete account, and yes indeedy it seems all copyright / intellectual property in everything you post using ICQ are thereby belong to them!
    • By the way the link he gave on his blog was to different terms. The extract he quoted was in fact from ICQ's acceptable use policy, and it sez what he sed. At least today it does:

        You agree that by posting any material or information anywhere on the ICQ Services and Information you surrender your copyright and any other proprietary right in the posted material or information. You further agree that ICQ LLC. is entitled to use at its own discretion any of the posted material or information in any manner it deems fit, including, but not limited to, publishing the material or distributing it.

  • MSN / WLM - logs kept forever, he says, but it's easy to delete the account.
  • YIM - account can be deleted, again that doesn't mean logs are deleted. 

(Most people already know about Gtalk / Gmail chats being spied on by a Google employee. You can have off the record chats which, one hopes, can't be monitored.)

He says he's moving over to XMPP (Jabber) only, on Gabbler, away from proprietary IM protocols, perhaps understandably.

See also, for anyone interested in this area, Google's data retention periods for some of their services.

EU legislators and privacy regulators are, as previously presaged, now considering introducing a "right to be forgotten", or right of oblivion, into EU data protection law. If they do no doubt it is likely to give people the right to delete their accounts and to insist that their logs are deleted once they cancel or terminate their accounts. Not just IM or chat, but probably other types of online accounts too.

This area is pretty topical right now - there's even an entire book, Delete: The Virtue of Forgetting in the Digital Age (summary) by Oxford University Prof Viktor Mayer-Schönberger, which for anyone who's not come across it yet "looks at the surprising phenomenon of perfect remembering in the digital age, and reveals why we must reintroduce our capacity to forget".

Aka - "Your compromising or embarrassing pics on Facebook or videos on YouTube could scupper forever your chances of being hired, promoted, elected etc forever, so what should we do about it"? Introduce self-destructing text eg using Vanish, or expiration dates for digital photos?

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Wednesday, 26 January 2011

A theory of privacy? Free talk, London

Thurs 3 Feb A Quest for a Theory of Privacy 6-7pm, by Prof Michael Birnhack. Register for a free place, form's at the bottom of the page - again at the Institute for Advanced Legal Studies.

From the blurb:

…too many (in legal, policy-making, technological and popular circles) have given up searching for a privacy theory. This talk would make the case that a privacy theory is much needed… that can best explain what is going on [with new technologies - RFIDs, biometrics, location tools, airport body scans etc] and more importantly, can guide us as to what should—or should not—be done. The talk will discuss these issues, as well as some of the existing theories and their shortcomings. I shall argue that the best understanding of privacy is a reinvigorated theory of privacy as human control over oneself.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Monday, 24 January 2011

Open source software & third party IP

Free talk on Management of Open Source Software and Third Party Intellectual Property by Sean Egan, CTO, CM-Logic at the British Computer Society's offices, Tues 25 Jan 2011, London 1800-2100.

You have to register but it seems to be open to all.

From the blurb it's mainly about managing the risks of incorporating open source code into proprietary software or reusing other code in proprietary software, which "can compromise intellectual property rights, create unknown royalty obligations, and introduce hidden security risks", as well as licensing risks of course. CM-Logic's involvement in this area is that they provide solutions to "help organisations detect, track and manage the use of mixed-origin code".

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Sunday, 23 January 2011

Privacy - what's 'in' or 'out'?

The Future of Privacy Forum's first annual list of privacy ins and outs, for 2011.

Very US-centric, not surprisingly, but interesting. Has anyone got suggestions for EU privacy ins and outs?

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Monday, 17 January 2011

Privacy: data protection myths & misses

Misconceptions about EU laws on data protection, in ORGzine, published recently. I based it on work for my presentation at BarCampLondon8.

The final version edited out some things, including my side note, which I hereby reinstate, that the title is a tribute to that well known kid's blooper, "A myth is a female moth"!

And please note my caveat that the article was meant to be mainly about the UK, rather than other EU Member States.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Thursday, 13 January 2011

Find ECJ (European Court Justice) cases quickly from the case reference

Form to find ECJ (European Court of Justice) cases from the case number and year on the Eur-Lex site, which has judgments in much more user-friendly format than the more commonly-used Curia site.

Had to host it on a blogspot.com domain to get it to work, so it's on a different blog. No time to sort out the CSS, yet so apologies for the poor alignment.

Have also added to that blog, in much more usable format, my previously-blogged but now improved form to find PDFs on the sites of the UK Information Commissioner's Office (ICO) and Article 29 Working Party, from their old links.

If you'd saved or bookmarked links before their recent site changes, that form may save you some time trying to find the new links that replaced the broken ones.

Please feel free pass on the form links to lawyers / law librarians / anyone else you think may find them helpful.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Tuesday, 11 January 2011

Privacy and intellectual property: how far should the law reach to protect copyright

Talk at the Institute of Advanced Legal Studies, London next Monday 17 January 2011, 18:00 - 19:00 - http://www.sas.ac.uk/events/view/8049 - by James Michael, Associate Senior Research Fellow, IALS; Editor, 'Privacy Laws & Business International'. Looks interesting and certainly very topical.

Free, but you have to register.

According to the site, the speech is going to be on "what copyright holders can do in tracing those suspected of breaching copyright by file-sharing music and other products", including

Those interested might also be interested these blogs about studies on online copyright enforcement vs data protection/privacy in UK, Netherlands and Poland and in Austria, Belgium, France, Germany, Spain and Sweden.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.