Archives for privacy

WhatsApp violates International Law – aparently

February 1, 2013 by tim in Observation | Leave a comment

I thought when I signed up to WhatsApp that it was strange it accessed my entire address book.  Now, the Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority say this breaches international privacy law.

WhatsApp, one of the world’s top five best-selling apps, is an instant-messaging application for smartphones including Apple’s iPhone and RIM’s Blackberry.  It provides a free internet alternative to SMS, or text messaging, sending more than a billion messages every day.

According to a press release:

The instant-messaging application requires users to provide access to their complete address book, including users and non-users, the report states. Dutch DPA Chairman Jacob Kohnstamm said, “This lack of choice contravenes (Canadian and Dutch) privacy law. Both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp.”

There seems however, to be some controversy over how far a Dutch remit can stretch:

Bird & Bird Partner Gerrit-Jan Zwenne told the IAPPs Daily Dashboard, “Clearly the Dutch DPA thinks it has extra-territorial powers. The implications are far-reaching, as this would be no different for other DPAs in the EU. If this interpretation of EU data protection law is right–many doubt that–all national DPAs could investigate any non-EU-based controller that provides apps to EU nationals.”

In several earlier posts, I have talked about the presumption behind some national regulators and the confusion they cause in the name of bringing clarity.  This looks like it might be another example…

Regulation’s stated objectives v. likely consequences; mismatch #248

January 31, 2013 by tim in Insurance 2.0, Insurance user manual, Observation | Leave a comment

I found this Mondaq article – discussing the impact on US Discovery of EU Data Protection and Discovery Blocking Statutes – on Advisen – free registration required. Though I realise it is not to everyone’s taste, I think it is fascinating… I am a layman but it appears to be a helpful outline of those laws – and is current as at December 2012.

One paragraph though, really caught my eye. It is stuck away in the middle so, to save you looking for it:

On January 25, 2012, the European Commission published a draft “General Data Protection Regulation,” a proposed reform that would significantly change data protection laws and regulatory schemes across Europe.17 The proposed reform seeks to reduce the confusion caused by the fragmented approach companies currently face when dealing with DPAs across the member states of the EEA. The proposed reform seeks to strengthen data privacy protections. It stiffens penalties for noncompliance and expands the reach of the law to all companies seeking to process data belonging to EU residents, regardless of the company’s location. The Commission hopes to obtain the agreement of all member states by June 2014 so that the regulation can take effect by June 2016.

I know this isn’t exactly news but it always strikes me as hilarious (in that slightly manic use of that term) that laws designed to ‘reduce confusion’ almost always also seem to end up tightening them. And, in seeking to ‘reduce confusion’ by ‘expanding the reach of the law to all companies seeking to process data belonging to EU residents, regardless of the company’s location’, the new law can only possibly add to the confusion that already exists.

What has any of this got to do with insurance? This constantly shifting legal landscape, the almost impossibility of remaining within the law everywhere it matters and the resulting need to defend against (for example) regulatory and competitor challenges are key risks some insurance policies can now deal with. A few companies buy such policies directly, some assume their GL covers this (which it doesn’t) and others rely on their D&O which, to be fair, can deal with some of this. But, being a purist about D&O, I am not sure that is where this exposure should be addressed.

PS. “I am not sure that” is British understatement which, in the US for example, would be translated as: “really?”

Aaron Swartz

January 14, 2013 by tim in Observation | Leave a comment

In addition to writing the initial RSS code and being a founder of Reddit, this video is a good explanation of why so many are talking so sadly about Aaron Swartz’s death.

Retrospective permission

February 12, 2012 by tim in Observation | Leave a comment

In the UK, when we ask for permission to do something we have already done or started to do, we seek what we call retrospective permission.  And we usually only ask for such permission after we have been caught doing it already – whatever ‘it’ is – or are about to be caught…

In this case, ‘it’ is the following:

The U.S. government is seeking software that can mine social media to predict everything from future terrorist attacks to foreign uprisings, according to requests posted online by federal law enforcement and intelligence agencies.

I don’t wish to downplay the privacy, semantic or data volume challenges of the proposal discussed in this ABC article but does anyone believe this isn’t happening already?

So, does ‘retrospective permission’ work the same in American?

Would you freely share cyber security information with Government?

January 30, 2012 by tim in Risk Management | Leave a comment

This article from Sci-tech today discusses a new report due out in a couple of days from The Constitution Project.

According to the article, the report will discuss how:

The federal government’s plan to expand computer security protections into critical parts of private industry is raising concerns that the move will threaten Americans’ civil liberties.

In a report for release Friday, The Constitution Project warns that as the Obama administration partners more with the energy, financial, communications and health care industries to monitor and protect networks, sensitive personal information of people who work for or communicate with those companies could be improperly or inadvertently disclosed.

I am sure the concern about the exposure of personal information is genuine but it seems to me that the real threat is to the efficacy of a cyber risk sharing initiative proposed and supported by Government.

In my experience, of all the entities firms are willing to share information with, Governments are at the bottom of the list.

Data Threat Clearinghouse – old idea

December 6, 2011 by tim in Network Security, Risk Management | Leave a comment

After my post yesterday about the UK’s Cyber Security Strategy comes news today about possible US legislation to create a Data Threat Clearinghouse.  This is far from a new idea – even I have been advocating something like this for more than 10 years.  The surprising bit about this news is that the scope of the proposal seems so limited.  When cyber risk is so variable, complex and dynamic, they only want to deal with data threats?

Maybe I should read the proposed legislation…  I’ll come back on that.

But that aside, why leave whatever this entity is about to Government?  As I said here, you don’t leave Governments to share what they choose with you.  For all sorts of reasons and in almost any context, sharing works better when the master chooses what to share with the servant, not the other way round.

The private sector needs its own approach here.

Up-date:  I have now read the proposed US legislation and though what is proposed is a great idea, I would change my summary above as follows:

The private sector really badly needs its own approach here.

Why?  If I have understood how proposed Bills are drafted, it comes in 2 parts.  The first calls for the establishment of a National Cybersecurity Authority and the second, for a National Information Sharing Organization.

My first concern is that the scope of the proposal is too narrow.  The Bill is an amendment of the Homeland Security Act, so its admitted focus is on Federal systems and critical infrastructure and the threat posed to those by terrorism.  Clearly this is a valuable cause as terrorism is a significant threat but it is far from the only one; motivations are many and various.

My second concern is that ‘we will get what we are given’.  There is much talk of a willingness to share information – but that is caveated always by the discretion of the Secretary.  So, the concerns I expressed above about Governments only sharing what they choose to share are confirmed as being baked into the proposal.

Third, Governments are not the most dynamic of entities.  The draft bill (just 37 pages for both proposals) discusses minutiae like compensation and retention bonuses for the staff of the new agency…  Really?

Unless the private sector is willing to rely on Government to give it too little, too late, it needs to come up with a better plan of its own.

Privacy, schmivacy…

December 4, 2011 by tim in Observation | Leave a comment
I read this article this morning and I basically agree with the sense of the article – that I find it difficult to get as excited as some seem to manage about the latest privacy ‘outrage’, whatever it might be from one day to the next.  That said, as I explained in my comment reproduced below, I nonetheless have something of a dilema with privacy.  Here is some of that dilema described.

On the one hand, it seems to me many privacy complaints are terribly self-serving. For example, the US Supreme Court this week is looking at the case of a pilot who took social security benefits from one Government Agency because of ill-health and then told another Agency that he was healthy.

He sued the Government – accepting he lost nothing but the criminal fine he agreed to pay – because of the emotional distress he suffered when the separate Government Agencies joined the dots to uncover his duplicity.

On the other hand, I can completely understand why he was duplicitous; he was hiding HIV.  For me, this highlights the difficult problem of privacy vis a vis Government.

We used to be able to rely on Governments only to know what we told them and there was something of an unspoken game of hide and seek going on; we told them what we had to tell them but nothing more. Right now, that relationship is shifting fundamentally and in a few years, I expect it will seem bizarre that we ever thought we could hide anything.

And that gets to the heart of the ‘who is serving who?’ argument.  It is also why the work of the EFF – and others – should be so important.

Trouble is, their work – and that of so many other entities in the same space – seems tacitly to acknowledge the right of Government to take what it likes, rather than for us to be able to choose what to share.

And at the same time, Facebook is teaching us to share more and more richly than ever before.

Talk about many moving parts – and all heading in the same direction.

So my dilema is that, while the latest outrage may not bother me, the overall direction of travel is another thing.

The social graph is neither

December 1, 2011 by tim in Observation, Social technology | Leave a comment

I think this article – one of the best I have read anywhere – explains:

  • the discomfort I feel with Facebook, however much I use it;
  • the difficulty I have in understanding where ‘social’ is going; and
  • why I am really struggling to write part 2 of this post.

Unreasonable expectation of privacy?

November 22, 2011 by tim in Observation | Leave a comment

Can you imagine a sometime, slightly well-known UK politician being upset that their autograph in a 50 year old first edition of a quite interesting book should be used to sell said book?

No, me neither.  But that is what this Washington Post story – from Omaha, Nebraska – is about.

Rare and old books have been sold at least as much for the scribbles on and in them as their original content for ever; that their marketing should now include Internet marketing is no surprise but should that really expose the seller to potential liability?

Hm…  Interesting case to watch.

Converging EU and US approaches to privacy? Maybe…

November 9, 2011 by tim in Observation | Leave a comment

Last week I was at the PLUS convention in San Diego.  While I was speaking about the Globalisation of Privacy, I also got into a debate with someone about the difference between EU and US approaches to privacy legislation.

Our discussion concerned the differences in approach between EU and US regulations.  The opinion was expressed to me that US regulators are not particularly concerned with what information companies collect but are concerned with what is done with that data.  In the EU on the other hand, the regulatory focus starts with the collection of data – and the extent to which informed and specific consent needs to be given by the ‘donor’.

I agreed with the part about the EU but argued that it is impossible to de-couple what is collected and what is done with it in the way that was being suggested about the US approach.

News this morning that the FTC has fined two companies, one for their deceptive data capture practices and another for its deceptive tracking practices, somewhat bears me out.  The news may also point however, to the subject of the panel I spoke on – that privacy legislation may take increasingly similar approaches around the world, even if concepts of privacy are currently very different.

← Older posts