Posts Tagged ‘Privacy and the net’
Facebook forced to tighten privacy rules
Posted by: Gadget Boy in Technology on August 27th, 2009
Users' control over personal data will be increased following complaints from Canada's privacy commissioner
Facebook has been forced to give its users more control over how much of their personal information is shared with the social networking site and the makers of the games and quizzes they download onto their profile pages, in the latest move to increase online consumer protection.
The move, which comes in response to complaints from Canadian privacy officials, is part of a growing trend to clamp down on the use of personal data by social networking sites and the software developers who use them to distribute their applications. It could have repercussions for other sites such as MySpace and even Twitter.
As consumers are given more and more power over the use of their information, it reduces the potential ability of companies such as Facebook to make money supplying that information to advertisers. In the past, the company has come under fire for its own use of users' information to target advertising.
After a year-long review from the Office of the Privacy Commissioner of Canada, Facebook has agreed to give users more information about how it uses their data for advertising, and to change the default settings of its privacy controls – which many users leave unaltered – to better reflect users' preferences.
It is also tightening up on the information available to third parties about its users. Facebook, founded by Harvard dropout Mark Zuckerberg, pioneered the use of downloadable applications, opening up its site so anyone could produce a program. They started as silly games, such as throwing sheep or pies at other friends, but have evolved considerably, and as part of the downloading process users have to allow them access to all their information such as date of birth, marital status and what groups they belong to on the site.
Now Facebook has accepted this needs tightening up. The changes, which Facebook will introduce over the next year, will affect all 250 million Facebook users worldwide, including those in the UK.
Application developers will have to specify which categories of data the software needs, so users can decide accordingly. Specifically, the application will have to tell users why it wants very sensitive information, such as date of birth. Users will also have to specifically approve any access Facebook applications have to their friends' information. Such access still would be subject to the friend's privacy and application settings.
"Application developers have had virtually unrestricted access to Facebook users' personal information," privacy commissioner Jennifer Stoddart told reporters today. "The changes Facebook plans to introduce will allow users to control the types of personal information that applications can access."
Elliot Schrage, vice-president of global communications and public policy at Facebook, said: "Our productive and constructive dialogue with the commissioner's office has given us an opportunity to improve our policies and practices in a way that will provide even greater transparency and control for Facebook users.
"We believe that these changes are not only great for our users and address all of the commissioners' outstanding concerns, but they also set a new standard for the industry."
Facebook will update its privacy policy so it provides users with more information about how to delete their accounts and how its advertising programs work.
Office of Fair Trading to investigate targeted ads and pricing online
Posted by: Gadget Boy in Technology on August 20th, 2009
OFT investigation to consider user data in targeted and behavioural advertising online, and price comparison sites
The Office of Fair Trading is to launch an investigation into how the habits and personal information of web users are used to target internet advertising.
Competition regulators said they had been prompted to launch the study, which could ultimately lead to an industry code of practice, because of a need to "update the understanding of consumer harm that arises from potentially misleading advertising and pricing" on the internet.
The OFT inquiry, entitled "Advertising and Pricing market study", will look at a number of areas of online pricing and advertising including price comparison websites and the use of personal data in website advertising.
"It will evaluate which advertising and pricing practices are most detrimental to consumers, taking into account the growth of the use of the internet for online shopping, information provision and advertising," said the OFT.
The OFT added that there is a strong chance that the final decision on the scope of the study – which is calling for submissions from interested parties until 18 September – is likely to include an examination of behavioural advertising.
"We are also considering including the use of personal information in advertising and pricing," said the OFT. "In particular, we may look at behavioural advertising where information on a consumer's online activity is used to target the internet advertising they see. We may also examine the practice of tailoring prices to individual consumers on the basis of their personal data."
Behavioural advertising has been seen as a potentially lucrative revenue generator by companies looking to make use of web interactivity to learn more about users' browsing habits and personal information in order to better target ads and products. One of the most controversial companies in this sector is Phorm.
Phorm has attracted criticism from campaigning groups and former partners such as BT have pulled out of the service.
Phorm's technology has been the subject of numerous investigations.
In September the City of London police announced that they had completed an investigation of Phorm and found no evidence of illegal activity, paving the way for the new ad targeting trial to begin.
Similarly a government investigation, by the Department for Business, Enterprise and Regulatory Reform - now Business, Innovation and Skills - reached the conclusion that Phorm did not breach European laws on data protection.
However, Phorm is now at the heart of European Commission infringement proceedings against the UK for failing to uphold privacy laws in line with European Union regulations.
The controversial company is also currently the subject of a Crown Prosecution Service investigation into privacy breaches, although law firm Pinsent Masons argues that the company may well be cleared in this inquiry.
Heather Clayton, senior director of the OFT's consumer market group, said: "The way that businesses advertise and price goods and services constantly evolves, and we need to keep up to date on how consumers view these adverts, and the types of advertising and prices which may mislead. Before starting our study, we want to understand from consumer groups, businesses and other organisations which areas they think we should focus on."
• To contact the MediaGuardian news desk email editor@mediaguardian.co.uk or phone 020 3353 3857. For all other inquiries please call the main Guardian switchboard on 020 3353 2000.
• If you are writing a comment for publication, please mark clearly "for publication".
Henry Porter: Spying on your email
Posted by: Gadget Boy in Technology on August 3rd, 2009
The communications industry has condemned government plans to force them to monitor your calls, emails and internet usage
Government plans to outsource official spying, forcing communication service providers like BT to retain personal communications data – records of all phonecalls, emails, texts and internet connections – have been severely criticised by the industry expected to do ministers dirty work for them.
In a submission to the Home Office as part of a public consultation, internet firms have candidly labelled the plans as "an unwarranted intrusion into people's privacy" and have suggested people were deceived about the extent of the government's ambitions to monitor the country's communications data. According to the Sunday Times, the London Internet Exchange which represents 330 firms including BT, Virgin, and Carphone Warehouse, says that the proposals are deceptive. "We view the description of the government's proposals as 'maintaining' the capability as disingenuous: the volume of data the government now proposes [we] should collect and retain will be unprecedented, as is the overall intrusion into then privacy of the citizenry."
This represents the unanimous view of the firms that are to replace the £12bn data silo planned before the crisis in public finances. The new policy announced in April by the unlamented former home secretary, Jacqui Smith, was presented as a concession to those concerned about intrusion, as well as a response to the new reality of the economic situation. The revised scheme, which has been urged by "Surveillance Central" – GCHQ in Cheltenham – will cost £2bn, still great chunk of taxpayers' money to be throwing around these days.
But the cost is not really the issue. The policy is one of the foundation stones of the surveillance state – a society in which data from people's movement, travel abroad, spending habits and communications are retained by government and its agencies – and is an indicator of the profound contempt and mistrust this government has for the public. It represents as great an intrusion as the national identity register, the central database planned with the ID card.
"These new proposals," says the industry submission, "suggest an intention to capture anything and everything, regardless of the communications [method] used. We have grave misgivings about the technical feasibility of such ambition."
"We are not aware of any existing equipment [an internet company] could purchase that would enable it to fulfil a legal obligation to acquire and retain such a wide range of data as it transits across their network … in some common cases it would be impossible in principle to obtain the information sought."
The internet providers make another crucial point. If this system goes ahead, it would represent a mass breach of the Human Rights Act which guarantees a right to privacy. Given the government's failure to respond to European judgments against the retention of innocent people's DNA we can hardy expect another huge breach of the public's rights to bother Home Office civil servants.
But we should be really worried. This scheme is among the greatest of the current threats to our free society and it is important that the Internet Exchange has raised concerns about privacy so clearly. As the ISPs point out, there is no guarantee that the methods proposed to store our communications data will be secure, for as soon as you start gathering information in large databases it becomes vulnerable to hackers, abuse by government agencies and of course incompetence.
We should remember that the essence of the government's proposal is this: ministers plan to seize our information using our money for their benefit. That's like paying someone, who has broken into your home, to read your private letters.
An online censorship model
Posted by: Gadget Boy in Technology on August 2nd, 2009
In comparison to other countries, the UK's internet censor is starting to look positively trustworthy
Be careful what you wish for, that's the old proverb, and as new and different censorship regimes evolve around the world I begin to wonder whether we Brits haven't been a little harsh on the Internet Watch Foundation (IWF) – our own homegrown attempt to expunge child porn from the internet.
Over a decade ago, the UK's Internet Service Providers' Association decided that it needed to do something to stem the flow of material featuring the sexual abuse of children. It set up the IWF according to a very simple brief, if it's indecent – and hosted in the UK – report it to the relevant authorities. If it's hosted abroad, add it to a block list. (When this is incorporated into filtering software –routinely applied by almost all UK-based ISP's – access by UK surfers is blocked.)
Lord Carter's Digital Britain report praised the IWF and its "notice and take down" system as being widely regarded internationally as a model. Less than 1% of child abuse material on the net is now tracked back to this country.
Over the past year or so, other countries have been putting in place their own systems: Romania, Denmark, the Czech Republic and Finland have all joined the blocking club.
In Belgium, and Germany, debate focused on whether judicial oversight sould be brought into the process of identifying abusive material. The IWF test is whether it is "potentially indecent", on the basis of police guidelines. Critics have long argued that this is a recipe for allowing the police to make law.
Both these countries – New Zealand too – toyed with the idea of automatically reporting individuals to the police if they tried to access a blocked URL, despite the fact that such an attempt might be for wholly innocent reasons.
There remains a question of just how accurate a "secret" list can be – both here and abroad. During the last 12 months, a series of documents leaked to Wikileaks – has shown that without exception, every single block list has included URLs that simply don't belong on the list: a fork lift truck company in Denmark; anti-censorship sites in the Czech Republic and Australia. The UK is unlikely to be uniquely free from error in this matter.
Although the UK is apparently alone internationally in opting for the slightly quaint, non-governmental route. In other countries, internet blocking is established by law and run either by the police (as in Germany) or other bodies associated with censorship (Australia). The Carter report notes issues over funding – but doesn't quite grasp the nettle by recommending that the IWF be brought inside the state apparatus.
But is a state-run blocking system really the right way to go? On the question of blocking, while we Brits have politely accepted the existence of the IWF, anti-censorship campaigns in other European countries have focused on just how easy it is to quickly close down abuse sites through the simple expedient of asking ISPs to do so.
In Germany, campaigners proved their point by doing just this: they identified ISPs that were hosting indecent material and tested the system by emailing them with a request to remove it.
Disagreement continues to be the order of the day for more controversial topics – such as adult pornography – but supporters of this approach argue that the taboo on child-based material is so universal that international agreement should be relatively easy.
This obsession with setting up a complex apparatus for blocking or, as in Australia, filtering at source, could be said to raise questions as to whether governmental motives are quite as pure as claimed.
Although there are certainly issues with the IWF approach, ironically, however, just as our model starts to look a little a bit worn around the edges, it may turn out to be rather less threatening – when it comes to civil liberties – than the more "efficient" models used elsewhere.
Facebook should compete on privacy
Posted by: Gadget Boy in Technology on July 15th, 2009
Reassuring people about privacy makes them more, not less, concerned. It's called "privacy salience", and Leslie John, Alessandro Acquisti, and George Loewenstein – all at Carnegie Mellon University – demonstrated this in a series of clever experiments. In one, subjects completed an online survey consisting of a series of questions about their academic behaviour – "Have you ever cheated on an exam?" for example. Half of the subjects were first required to sign a consent warning – designed to make privacy concerns more salient – while the other half did not. Also, subjects were randomly assigned to receive either a privacy confidentiality assurance, or no such assurance. When the privacy concern was made salient (through the consent warning), people reacted negatively to the subsequent confidentiality assurance and were less likely to reveal personal information.
In another experiment, subjects completed an online survey where they were asked a series of personal questions, such as "Have you ever tried cocaine?" Half of the subjects completed a frivolous-looking survey – "How BAD are U??" – with a picture of a cute devil. The other half completed the same survey with the title "Carnegie Mellon University Survey of Ethical Standards," complete with a university seal and official privacy assurances. The results showed that people who were reminded about privacy were less likely to reveal personal information than those who were not.
Privacy salience does a lot to explain social networking sites and their attitudes towards privacy. From a business perspective, social networking sites don't want their members to exercise their privacy rights very much. They want members to be comfortable disclosing a lot of data about themselves.
Joseph Bonneau and Soeren Preibusch of Cambridge University have been studying privacy on 45 popular social networking sites around the world. (You may not have realised that there are 45 popular social networking sites around the world.) They found that privacy settings were often confusing and hard to access; Facebook, with its 61 privacy settings, is the worst. To understand some of the settings, they had to create accounts with different settings so they could compare the results. Privacy tends to increase with the age and popularity of a site. General-use sites tend to have more privacy features than niche sites.
But their most interesting finding was that sites consistently hide any mentions of privacy. Their splash pages talk about connecting with friends, meeting new people, sharing pictures: the benefits of disclosing personal data.
These sites do talk about privacy, but only on hard-to-find privacy policy pages. There, the sites give strong reassurances about their privacy controls and the safety of data members choose to disclose on the site. There, the sites display third-party privacy seals and other icons designed to assuage any fears members have.
It's the Carnegie Mellon experimental result in the real world. Users care about privacy, but don't really think about it day to day. The social networking sites don't want to remind users about privacy, even if they talk about it positively, because any reminder will result in users remembering their privacy fears and becoming more cautious about sharing personal data. But the sites also need to reassure those "privacy fundamentalists" for whom privacy is always salient, so they have very strong pro-privacy rhetoric for those who take the time to search them out. The two different marketing messages are for two different audiences.
Social networking sites are improving their privacy controls as a result of public pressure. At the same time, there is a counterbalancing business pressure to decrease privacy; watch what's going on right now on Facebook, for example. Naively, we should expect companies to make their privacy policies clear to allow customers to make an informed choice. But the marketing need to reduce privacy salience will frustrate market solutions to improve privacy; sites would much rather obfuscate the issue than compete on it as a feature.
Bruce Schneier is BT's chief security technology officer
BT drops Phorm after customers cry foul over privacy
Posted by: Gadget Boy in Technology on July 5th, 2009
• Controversial online technology is dumped
• Group behind system in talks with overseas firms
BT has quietly ditched a controversial system that tracks the internet habits of its customers, developed by the technology firm Phorm, which has been attacked as online snooping by privacy campaigners. BT was a key player in the development of Phorm's Webwise system, which uses information about which sites an internet user visits to target them with relevant advertising on subsequent pages.
It carried out secret tests of the technology in 2006 and 2007 which are now the basis of a European commission investigation into the UK government's failure to protect its citizens online. Last year BT carried out a proper consumer trial of Phorm's technology. The results have been keenly awaited, not just by management at Phorm – whose chairman is former chancellor Norman Lamont – but by its other two potential partners, Virgin Media and TalkTalk.
But BT has decided not to proceed with rolling out Webwise to its 4.8 million broadband customers, dealing a heavy blow to AIM-listed Phorm. The company, which has received complaints from customers about Phorm, said the decision was down to its need to conserve resources as it looks to invest £1.5bn in putting a next-generation super-fast broadband network within reach of 10 million homes by 2012. Privately, however, BT bosses have been increasingly concerned about consumer resistance to advertising based on monitoring users' online behaviour and specifically about the backlash against Phorm.
"We continue to believe the interest-based advertising category offers major benefits for consumers and publishers alike," said a spokesman for BT. "However, given our public commitment to developing next-generation broadband and television services in the UK we have decided to weigh up the balance of resources devoted to other opportunities.
"Given these commitments, we don't have immediate plans to deploy Webwise today. However, the interest-based advertising market is extremely dynamic and we intend to monitor Phorm's progress …before finalising our plans."
The news will throw the spotlight on Virgin Media and TalkTalk, which recently snapped up rival internet service provider Tiscali. Between them, BT, Virgin Media and TalkTalk control about three-quarters of the UK broadband market.
Virgin Media is understood to remain interested in the concept of behavioural targeted advertising, not least for use with its video on demand service, and is in talks with a number of potential technical partners. But the internet service provider is understood to have cooled on the idea of using Phorm's technology.
TalkTalk, meanwhile, has said it is keeping an eye on Webwise but any implementation would have to be done solely on an opt-in basis – customers would not be automatically connected to the service – and the company currently has no time–scale for deployment.
A spokesman for Phorm said BT's decision was not the end of the world, not least because it has been expanding overseas and is now in talks with potential ISP partners in 15 other countries. This year the company announced a trial of its technology with KT, South Korea's largest ISP, and another overseas deal is expected to be announced shortly.
"It is not a great surprise to us, to be honest. It has been a long process and we have never had a definitive date on a launch," said a spokesman. "Phorm is not just dependent on a UK model with one ISP."
But it is the latest in a series of setbacks for Phorm, which has become something of an internet industry bete noire. Amazon recently "opted out" of Webwise, saying it did not want traffic to its websites monitored by ISPs that sign up to use the technology. Google and Bebo are also considering opting out, potentially depriving Phorm of crucial information about internet users' tastes.
The UK government is also understood to have opted its domain names – such as www.direct.gov.uk – out of Webwise amid concerns about privacy. Although ISPs, media companies and even some politicians see Phorm as a way in which UK companies can claw back some share of the internet advertising market from the clutches of Google, the web's creator, Sir Tim Berners-Lee, has criticised it as unjustifiable online snooping.
Shining a light on the shadowy Misc 13
Posted by: Gadget Boy in Technology on September 2nd, 2009
Why the debate about information sharing should concern more people than readers of government papers
How time flies. It's three years since I reported in the Guardian that, in the quest for "transformed", IT-based government, ministers were planning to overturn a basic principle of data protection .
My report followed a briefing from a cabinet office official who told me it had been decided that sharing personal data was fine unless it had been explicitly prevented. This policy, couched in more cautious language than my report, featured in a "vision statement" in September 2006.
My article mentioned that the new policy had emerged from a cabinet committee called Misc 31. That reference intrigued at least one reader. In April 2007, David Bowden, a solicitor who operates under the name Lobby and Law, put in a request for six sets of information concerning Misc 31, including minutes since the committee was formed.
Bowden must have realised he was pushing his luck – ministerial communications enjoy an infamous exemption from the Freedom of Information Act (FOIA). However, he argued that exemptions are not mandatory and that there was a strong public interest in the issue.
The information commissioner's office wasn't impressed. Turning down the initial request, it ruled that although there was a public interest in greater accountability, the conventions of cabinet government came first. "Great weight" was attached to the protection of collective responsibility, the polite fiction that all ministers agree with every government line. Revelations of ministerial exchanges, as well as "any differences of opinion" would put that in peril.
Bowden took his case to the information tribunal. He claimed 25 grounds of appeal, including, provocatively, that Misc 31's work looked like an attempt to cook up, behind closed doors, a data regime contravening European laws. This, he claimed, amounted to a prima facie case of wrongdoing – in which case the FOIA would support disclosure.
The cabinet office didn't like that one bit. At the appeal tribunal, it fielded evidence from a senior mandarin, Dr Robin Fellgett. He dismissed the wrongdoing claim, saying the work of Misc 31 "proceeded on an understanding that any data-sharing had to be in accordance with the Data Protection Act". Fellgett said ministers would be reluctant to put forward dissenting views if they knew they were to be made public.
The tribunal agreed, ruling that the type of information Bowden wanted represented a classic illustration of the "safe space" needed for making government policy. As you'll have guessed by now, the appeal was turned down.
So, there we have it. Misc 31 was wound up in 2007, when Gordon Brown became prime minister, and has not been directly replaced. It looks as though we will have to wait until 2037 to find out what was discussed.
Is this the end of the matter? I don't think so. The tribunal's report includes the extraordinary statement that there was no compelling public interest in disclosing Misc 31 papers because "there is no doubt in the tribunal's view that the public was sufficiently well informed not only about the fact of Misc 31's existence, but also of its aims and functions".
Flatteringly, one reason for this assertion was my 2006 Guardian report; the tribunal also cited the 2005 Transformational Government strategy itself.
This is not good enough. The debate about information sharing by public bodies should concern a lot more people than readers of government papers, or even the Guardian. Ministers are always calling for a mature public debate on the topic. As the information tribunal reminds us, the conventions of cabinet government mean that a cabinet committee is not the right place to hold such a public debate. So, where is?
Comment, Data protection, guardian.co.uk, Politics and technology, Privacy and the net
No Comments