vol 6 issue 6

Data Protection and Privacy Issues

13 June 2011
By Dmitri Vitaliev, Christopher Graham and Peter Hustinx
Ryan Giggs

Data protection under the spotlight

Should modern society adapt to digital reality? We look at the issues, and canvass the opinion of two key government supremos.

'You have zero privacy; get over it.' So said Scott McNealy, chief executive officer of Sun Microsystems, back in 1999. For the greater part of the last century we have worried that the expansion of technology would mean, by default, the extinction of privacy.

There is sound evidence to support this notion. A mobile phone needs to know where you are in order to make or receive a call. A website must be served to your IP address should you wish to access it. CCTV cameras record not just criminal activity but all movement throughout the day.

Authenticating our identity gets more complicated and personal as criminals innovate to bypass the system. Internet advertisers – the financial backbone and one of the main reasons for the Web's success – are collecting all sorts of user data with blatant disregard for privacy and almost zero regulation.

Advanced data-mining and analysis technology is limiting the individual's ability to control what information is stored about him or her by governments and corporations. Technology that can profile and track behaviour is changing the relationship between citizen and state, consumer and business. And regulation of this burgeoning information industry has proved difficult.

This was publicly illustrated in relation to the super-injunction taken out by football player Ryan Giggs to block publication of details of an alleged affair. Users of the Twitter social networking site defiantly named Giggs in a pattern already established in support of 'Twitter Joke trial' defendant Paul Chambers.

Chambers' January 2010 mistake had been to vent on Twitter about the threat that an airport's snow-bound closure posed to his holiday; he gave the airport a week to get its act together, 'otherwise I'm blowing the airport sky high!!' Arrested under the Terrorism Act for his choice of rhetoric, Chambers received digital support from an avalanche of users who duplicated his tweet, thereby directly challenging the perceived injustice. The duplications ran with the inspired hashtag '#ImSpartacus'.

Faced with a similar popular revolt, Giggs' representatives attempted to force Twitter to disclose personal account details of users who posted this information – a seemingly mammoth amount of 'private' information. However the latest privacy storm turns out, and however such information is used, it changes the '#ImSpartacus' ideal, and tees up the question for future users: is privacy a necessary price to pay for progress and to defend freedom of speech?

Records and losses

The Passenger Name Record (PNR) is a database used by all airline companies, containing the personal details of every commercial and private air passenger. The database includes the passenger's full name, date of birth, home and work address, telephone number, email address, credit card details, IP address if booked online, as well as the names and personal information of emergency contacts. In May 2004, the US negotiated an agreement with the European Union to process all PNR data of people departing from or arriving at their airports. In 2007, the Bush administration suddenly exempted the Department of Homeland Security from the Privacy Act and permitted the organisation not to respond to requests for personal information they held on EU citizens.

American writer Stewart Brand's adage 'information wants to be free' is proving true and problematic for the principles behind data protection. Governments have a questionable track record in keeping this information safe. In October 2007 HM Revenue & Customs lost the details of 25 million child benefit claimants stored on two unencrypted discs; the Department of Transport lost three million records of its drivers... the list goes on and on.

In the US, the Transport Security Administration lost a check-in laptop with unencrypted personal data of 33,000 passengers; the military sold one of its hard drives on eBay with detailed information about a system used to shoot down missiles in Iraq, along with security policies, facility blueprints, and the ever popular list of employee Social Security numbers.

Corporations have not fared much better in holding on to their users' personal data. During a recent conference in San Francisco, data researchers Warden and Alasdair Allan presented their findings on the latest iPhone operating system update, which forced the handset to record the GPS location coordinates of all Wi-Fi networks the phone could access throughout the day, and later upload this information to the user's iTunes program. Location-based tracking had moved from the domain of law enforcement into the everyday user's hands. Both Apple and Google were questioned in the US Senate last month over the use of location data in their popular mobile handsets, while Sony's PlayStation Network suffered a disastrous 70 million member hack.

It is hard to imagine how governments and corporations with a similar track record can be trusted to continue to handle and mine our personal data. Yet these governments keep coming up with schemes to share data – most famously the National ID card scheme and the sharing of public health records with the private sector – before invariably dropping them.

WikiLeaks and whistle-blowing

It was more than just diplomatic pride that was hung out to dry on the clothesline of public debate following the last WikiLeaks scandal. Department of Defence engineers and military commanders who designed and implemented the SIPRNet for sharing classified information in a 'completely secure environment' were licking their wounds, inflicted by an inevitable component of most information systems – the human. The leak itself and subsequent editorial work by WikiLeaks volunteers, applied to the data before its public release, exemplify the topics of debate around data protection.

How did a low-ranking intelligence officer in the US Army get access to years of classified communications, and was it a result of a system design fault or yet another argument against centralising sensitive information whilst hoping that nothing will go wrong?

The 9/11 Commission Report identified the lack of intelligence-sharing between the various departments as one of the security apparatus' greatest failings. Almost two million users were granted access to the Department of Defence's own secure worldwide network.

The proposal must have caused some grey hairs for the techies whose standards for security policies usually demand tight controls, strict access restrictions and limiting the availability of information to any one user account. The SIPRNet could not have it both ways – the confidentiality of data passing through its network was breached by the very users it was designed to serve. The threat model for leaking secrets from an information system (technology + policy / number of users) is a troubling one.

Regardless of their efforts towards total transparency, WikiLeaks members were forced to realise that they had a responsibility to ensure the privacy and thereby security of numerous people whose personal details were mentioned in the Afghan, Iraqi and Diplomatic Cables leaks.

CJ Hinke, director of the Freedom Against Censorship in Thailand group and a member of the WikiLeaks advisory board, explained to E&T: 'The process of posting leaked documents relies on stripping all identifying information. There are many personal identifiers which we examine in each document for exclusion such as names, locations, affiliations, dates and time, etc. We don't have expertise enough to identify possible targets for retribution within the leaked documents.

'This is precisely why we partner with traditional news media for public releases... WikiLeaks doesn't trust the minimal data protection laws enacted by nation-states, rightly so. If we happen to offend a government, those laws are quickly forgotten. This could nowhere be more true than the US. We erred in all instances on the side of caution. If it could be concealed and encrypted, we made it happen... All donation information is stripped. Lists of staff and volunteers are encrypted as well as having personal responsibility to keep them secure. All communications among WikiLeaks insiders use different sorts of encryption, from simple SSL to PGP to external, encrypted services such as Jabber.'

Right to forget

Earlier this year, courts in Spain launched a legal attack on Google's unwillingness to remove search links to websites displaying outdated information. A Spanish citizen had been charged with criminal negligence and later acquitted. A Google search on his name, however, still brings back results about his arrest. Spain has legislation specifying 'the right to be forgotten'. Some 90 court orders were filed against Google on behalf of Spanish citizens, and as Paloma Llaneza, a data protection lawyer representing some of the plaintiffs, explained for the Outlook Series: 'The truth is, we very much care about privacy and about data protection. And especially because Google is addressing its services to the Spanish country. They are using a '.es' domain name, they are translating everything into Spanish and they are tailoring their services for our country, so they have to be prepared to comply with Spanish law – that's all.'

The European Commission has followed suit in trying to bring about legislation updating its outdated 1995 Data Protection Act. Justice commissioner Viviane Reding emphasised the need for adequate rules to protect the privacy of Web users, stating that the right to control, access and delete personal information online ought to be guaranteed in the digital world of today. However, enforcement of these restrictions is a problem. Websites are hosted on servers all around the world and each is governed by its own (if any) local legislation. Only those who can afford the time and costs of going through the legal system to mandate a deletion of their personal data may see any chance of success.

Our actions and participation in an information society should evolve in parallel with technology. Regulation and enforcement of the law will eventually catch up to reflect the unshakeable belief in the need for privacy. The lack of an 'off' switch for the information tap means we must ensure that access to personal data is restricted by legislation and protected by encryption.


Christopher Graham, UK Information Commissioner

Few things have kept data protection regulators worldwide on their toes more in recent years than the advances we've seen in technology and the Internet. From the rise of social networking to cloud computing, the way we manage personal information has undergone a transformation in the last decade. We now routinely put information about ourselves and our friends online for others to view; we allow phone companies to check our location to find out where the nearest cinema is; we might store information 'in the cloud' rather than on a server or computer. And we pay for products and services using PIN codes rather than signatures.

The landscape has shifted considerably, but the regulation has remained largely the same. The Data Protection Act 1998 is still the essential tool my staff use every day to determine if an organisation or business is complying with the data protection principles set out in Directive 95/46/EC, on which the UK legislative framework is based. In an age where more information is stored about us online, the public has an even higher expectation that its data will be kept secure. It's my job to make sure public rights continue to be upheld.

As we all do more online, the risks that personal data might be compromised are ever more significant. Recent breaches involving the Sony PlayStation and Epsilon have made people very concerned about any suggestion that their data might have been hacked. Although it isn't my job to look at hacking – that is a criminal matter for the Metropolitan Police – if personal data has been lost then we'll want to know what safety measures were in place and whether they were adequate. The penalties if something has gone seriously wrong can be significant – since last April I've had the power to issue penalties of up to £500,000 for the most serious incidents. We've issued five so far and there are more in the pipeline.

The launch of new applications naturally makes the media and public ask questions about what privacy measures are in place. The recent publicity around Apple collecting location data has shown that people want to understand what information is being held about them and why. That's why building in good privacy functions and being up-front in privacy notices is key to giving consumers what they want – the assurance that they are in control of what happens to their information.

This right to be able to choose what is collected about us has been the driving force behind the European Commission's directive on the use of cookies technology. On 26 May new rules came into force in the UK meaning businesses and organisations that run websites will now need consent from visitors in order to store and retrieve information on users' computers.

The government is implementing the new Privacy and Electronic Communications Regulations in the UK and it will fall to me, as Information Commissioner, to regulate the new rules. This is a challenging task and has sparked a lively debate about just what the law will mean in practice for UK websites. In one corner, we have developers and website owners who have said this new law will have a detrimental impact on websites, making browsing the Internet a less enjoyable experience. Meanwhile, in the opposite corner, we have privacy campaigners and consumers who want to exercise their right to disallow websites from tracking their choices. As both referee and mediator, I have to strike the right balance between the two. A mutually agreeable outcome, while challenging, is by no means impossible.

We've recently published advice to give organisations an early opportunity to think about how they will comply with the new rules in a way that works for them. This is all very much a work in progress and we are still working with the government and developers to investigate the solutions that updated browser software might offer in the future. We would welcome comments from others who have examples to share about how they are putting the cookies requirements into practice.
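One way a site might enforce the rule described above, as an added example that is not code from the article, the ICO or any named project: a consent gate that sits between page scripts and client-side storage, so that nothing is stored on or read from the visitor's device until the visitor has said yes, and withdrawing consent purges what was stored. The `jar` argument (a plain Map here, standing in for document.cookie), the key names and the "analytics_id" value are all assumptions made for illustration.

```javascript
// Added example: consent-gated client-side storage. The only entry ever written
// without consent is the consent record itself, which holds the visitor's decision.
const CONSENT_KEY = "site_consent"; // assumed name for the consent record

function createConsentGate(jar) {
  // jar: Map-like store with get/set/delete/keys (a Map here; in a browser it
  // would wrap document.cookie or localStorage).
  const audit = []; // every allowed and blocked operation, for a compliance review

  const consented = () => jar.get(CONSENT_KEY) === "yes";

  function log(op, name, allowed) {
    audit.push({ op, name, allowed });
    return allowed;
  }

  function store(name, value) {
    // Writes are refused until there is an explicit "yes". The consent record
    // cannot be written through this path, so page code cannot forge consent.
    if (name === CONSENT_KEY || !consented()) return log("store", name, false);
    jar.set(name, value);
    return log("store", name, true);
  }

  function read(name) {
    // Retrieval is gated as well: the rule covers reading, not only writing.
    if (!consented()) { log("read", name, false); return undefined; }
    log("read", name, true);
    return jar.get(name);
  }

  function recordDecision(accepted) {
    // Record the visitor's choice. A refusal, or a later withdrawal, also
    // removes everything stored earlier, so withdrawing consent has an effect.
    jar.set(CONSENT_KEY, accepted ? "yes" : "no");
    if (!accepted) {
      for (const key of [...jar.keys()]) if (key !== CONSENT_KEY) jar.delete(key);
    }
  }

  return { store, read, recordDecision, consented, audit };
}

// Constructed walk-through: a page tries to set an analytics identifier before
// the visitor has decided, then the visitor consents and later withdraws.
function demo() {
  const gate = createConsentGate(new Map());
  const beforeConsent = gate.store("analytics_id", "abc123"); // blocked
  gate.recordDecision(true);
  const afterConsent = gate.store("analytics_id", "abc123");  // allowed
  const value = gate.read("analytics_id");                   // "abc123"
  gate.recordDecision(false);                                // withdrawal purges it
  const afterWithdrawal = gate.read("analytics_id");         // blocked, undefined
  const blocked = gate.audit.filter((e) => !e.allowed).length;
  return { beforeConsent, afterConsent, value, afterWithdrawal, blocked };
}

console.log(JSON.stringify(demo()));
```

The audit array is the defender's check: reviewing it on a test run shows whether any script on the page touched storage before consent was recorded.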

2011 is proving to be a bumper year for new technologies coming on the market – many of them with significant implications for data protection. I've appointed a principal technology adviser who is going to be chairing a new Technology Panel made up of industry experts across a range of sectors to focus on the privacy implications of new products. We want to be sure that the technology companies who promise to change our lives for the better can also live up to their obligations to protect our personal information.

Peter Hustinx, European Data Protection Supervisor

It should be no surprise that issues around privacy and personal data are increasingly visible in the EU policy agenda. Our societies are ever more dependent on the continuous and widespread use of information and communication technologies. While this may be a source of economic growth, it also raises the need for more effective protection. 

That is a key focus in the current review of the EU legal framework for data protection. Its main instrument – the Data Protection Directive from 1995 – now requires some maintenance. When it was adopted, the Internet was still rather invisible and in any case far from its present highly dynamic reality. One of the purposes of the review is therefore facing the challenges of new information technologies and globalisation.

A second important factor is that the protection of personal data is now explicitly recognised as a fundamental right, and not only binding on EU institutions, but also on the member states when acting within the scope of EU law. The EU treaties now also provide for the adoption of general rules on data protection. This in itself requires an update of the existing legal framework.

A third factor is that data protection has now become such a relevant factor for other important policy fields that it can somehow be considered as a critical success factor for these other policies. So “getting it right” is important for different stakeholders. Data protection is a condition for trust in e-Health, e-Government and e-Commerce, and also for trust among member states when exchanging their sensitive data.

All these reasons have led to a much greater awareness and political sensitivity of the need for better and more effective data protection. So what may be expected? In the EU, we will see a strong emphasis on a more comprehensive approach, covering all policy fields, including areas such as police and justice. This will lead to a more horizontal approach without distinctions between different policy fields that do not fully correspond with reality.

Secondly, this is not the time to reinvent data protection. It has already been invented and is now recognised as a fundamental right. Instead, much attention will be given to making data protection more effective in practice. This means a greater emphasis on implementation and enforcement of data protection principles and on the delivery of data subjects' rights.

Another point in this context is the need for greater harmonisation of rules across the EU. The present diversity of national rules – even within the scope of the directive – is not helpful for effective data protection and is counterproductive.

Thirdly, more effective data protection also requires a strengthening of the three main roles in data protection: those of the data subject, the responsible organisation and the supervisory authority. Data subjects should be enabled to exercise their present rights more easily and should be given a few additional rights to protect their interests where needed.

Data controllers should be mandated to take all necessary measures to ensure data protection rules are complied with. This is the “principle of accountability” that would require data controllers to be able to demonstrate that they have taken all appropriate measures to ensure compliance.

The principle of “privacy by design” would fit in the same approach: controllers should be able to demonstrate that appropriate measures have been taken to ensure that privacy requirements have been met in the design of their systems. At the same time, it is likely that mandatory notification of ‘security breaches’ will be introduced more generally as an incentive for better security.

Independent supervisory authorities should be given resources and powers of enforcement that are equivalent in all member states. They should also be allowed to use their powers more strategically, including the possibility to be more selective, for instance concentrating on substantial risks or systematic wrongdoing. At the same time, we must provide for other means of private or collective enforcement.

A legal framework that provided for all these elements would be in a much better position to deal with the challenges of technological change and globalisation. The growing international dimension would ideally require a global consensus on data protection principles and standards.

It is therefore also important to develop more interoperability, not only of technical features, but also of the legal mechanisms that are used to provide protection to our citizens.

Top 5 privacy tips

Use a different browser for Google searches and your Google services. Web history will not be linked directly to your account.

Use Google's encrypted search to protect your query from the ISP and all intermediaries. https://encrypted.google.com

Use plug-ins for Firefox to force SSL connections with websites https://www.eff.org/https-everywhere

Use a web proxy to hide your IP from Google searches http://the-cloak.com

View and restrict browsing, chat history and all personal details stored about you on your account's dashboard www.google.com/dashboard

The personal data litmus test

Personal data should be collected only for specified, explicit and legitimate purposes.

The persons whose data are collected should be informed about these purposes and the identity of the controller.

Any person concerned should have a right of access to her/his data and the opportunity to change or delete data which is incorrect.

Appropriate remedies should be available to put things right, including compensation through competent national courts where appropriate.
