Archive

Posts Tagged ‘privacy’

Google amends its Terms of Service

April 16, 2014

With most privacy laws you can pretty much do what you want, provided you are up front about it. The key is the ‘informed consent’ of the user.

Google has been getting grief from legislators who claim that the complexity of its privacy policies makes it impossible for users to be informed, and difficult for them to opt out if they do not consent.

One continuing argument is over Google’s scanning of email content in order to provide targeted advertising to Gmail users. The nub of the argument is that claimants say they have not given consent to this scanning while Google’s response is that consent is implied by use.

Now Google has made its practices explicit with a Monday addition to its terms of service. It has added a new paragraph:

Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.
Google Terms of Service

I think Google was correct in reality if not legality when it claimed that consent was implicit in use — most if not all users are perfectly aware that email content is scanned electronically. The new paragraph makes this explicit: informed consent is now given by use of Google services.

What I still find interesting is that this consent is said to apply to received emails. If a non-Google user sends me a message, how is that user giving consent for the message to be scanned by Google? Is it realistic for non-Gmail users to read Google’s terms of service before emailing a Google user?

I don’t believe it is. So who owns the content: the sender or receiver? Copyright would suggest it is the sender — in which case this amendment to the terms of service will go some way, but not all the way, towards solving Google’s privacy issues.

Categories: All, Security Issues

United States Trade Representative threatens the EU

April 7, 2014

The United States is accustomed to getting its way internationally through trade threats. One method is the Special 301 Report, an annual review by the Office of the United States Trade Representative (USTR) of countries the US believes are failing in their duties towards copyright protection (specifically, US copyright protection). A country placed on its Priority Watch List may face legal and/or trade sanctions. The report is widely seen as a method of bullying recalcitrant nations into conformity with US preferences.

This is not the only annual report from the USTR. It also produces the Section 1377 Review, which examines international compliance with telecommunications trade agreements. This too, perhaps because the tone has become entrenched in the USTR way of doing business, can read like bullying. The latest report was released on Friday, but I would suggest the USTR think again if it believes it can bully the European Union at this stage of EU/US relations.

Background
Following the Snowden revelations on NSA/GCHQ spying, the now former head of Deutsche Telekom, René Obermann, proposed in November 2013 that Europe should establish a Schengen-routing and Schengen-cloud. The idea was that any communication from one point in Europe to another point in Europe should never leave Europe; and that personal European data should remain within Europe. This latter would effectively remove the existing safe harbour agreement with the US.

‘Schengen’ was chosen specifically as a mechanism for excluding the UK. The Schengen Area comprises 26 European countries that have abolished border control for Europeans between common borders – the UK has always remained outside of this agreement. As Die Welt described in March, the ‘Schengen-routing’ is intended to be “a defensive measure against the encroachments of the Anglo-Saxon intelligence on European internet users.”

Germany’s Angela Merkel and France’s François Hollande (that is, the central axis of the European Union) have declared support for the idea.

USTR’s Section 1377 Review
At the end of last week the USTR released its 2014 Section 1377 Review. On cross-border data flows it has two concerns: Turkey and the EU.

In Turkey, in the run-up to the recent local elections (‘won’ by Prime Minister Erdogan’s AKP party) and ahead of the presidential elections in August, the government has been tightening its grip on the internet. USTR is concerned over restrictions on data flows and will seek “to ensure that data flows supporting legitimate trade can expand unimpeded.”

In Europe, the report notes that

DTAG [Deutsche Telekom AG] has called for statutory requirements that all data generated within the EU not be unnecessarily routed outside of the EU; and has called for revocation of the U.S.-EU “Safe Harbor” Framework, which has provided a practical mechanism for both U.S companies and their business partners in Europe to export data to the United States, while adhering to EU privacy requirements.

The claim that safe harbour lets US companies export data “while adhering to EU privacy requirements” is plainly false. The safe harbour agreement requires that US companies holding European data do not pass that data to third parties, yet they clearly do pass it to the NSA and to law enforcement. The report continues,

The United States and the EU share common interests in protecting their citizens’ privacy, but the draconian approach proposed by DTAG and others appears to be a means of providing protectionist advantage to EU-based ICT suppliers. Given the breath [sic] of legitimate services that rely on geographically-dispersed data processing and storage, a requirement to route all traffic involving EU consumers within Europe, would decrease efficiency and stifle innovation. For example, a supplier may transmit, store, and process its data outside the EU more efficiently, depending on the location of its data centers. An innovative supplier from outside of Europe may refrain from offering its services in the EU because it may find EU-based storage and processing requirements infeasible for nascent services launched from outside of Europe.

This is riddled with emotive language and inaccuracies. Draconian? Protectionist advantage? (Now I freely accept that DTAG will be looking for commercial opportunities, and that it is not a company I personally wish to use. From personal experience, I will never have dealings with T-Mobile again. But it is interesting that it seems to be willing to trade the US market for the European market.)

And the inaccuracies… Europeans would suggest that the US has shown scant regard for anyone’s privacy, while it is the US that delivers protectionist advantage (sometimes via economic espionage) to its own companies. Secondly, it completely misrepresents the proposals. European point-to-point communications should stay within Europe (that’s the ‘routing’); while personal data should not leave Europe (that’s the ‘cloud’). But the USTR is lumping the two together into some form of balkanised European intranet completely cut off from the rest of the internet. In reality, it should have little effect on legitimate trade between the EU and US.

It is not, for example, nearly as draconian as the US exclusion of Huawei from the US markets without any proof of actual threat (other than economic).

Then comes the USTR threat:

Furthermore, any mandatory intra-EU routing may raise questions with respect to compliance with the EU’s trade obligations with respect to Internet-enabled services. Accordingly, USTR will be carefully monitoring the development of any such proposals.

In reality we should not take this too seriously. It’s a form of lobbying – perhaps the first of much more to come – and we already know that USTR is not averse to lobbying on behalf of US industry. But it does show that the US is beginning to take the Schengen threat seriously. The UK should too. In the meantime, it should be said that US industry is not without its European allies. Neelie Kroes, the European Commissioner in charge of the European Digital Agenda, has said: “It’s not realistic that we can keep data in the EU, and the trial could jeopardize the open Internet.” Neelie Kroes is the commissioner who recently tried to redefine ‘net neutrality’ to suit big telecoms companies, only to have her definition rejected by the European Parliament.

Categories: All, Politics, Security Issues

Microsoft’s new secret weapon: listening to its customers

March 29, 2014

I am not Microsoft’s greatest fan. It is a dinosaur stuck on the beach while the fleeter of foot are soaring through the clouds. The reality is that it has never had any visionaries. Even its domination of the desktop was more down to luck and sharp practices than genuine vision.

It was lucky that Gary Kildall rejected IBM’s overtures, else there would never have been an MS-DOS; and it was sharp practices that killed off Digital Research — its one serious and technically superior competitor. It was lucky that Apple demonstrated the value of Xerox PARC research and paved the way for Windows. It was lucky Jobs was so far ahead of his time he thought he could have a walled garden in the ’80s; and almost destroyed Apple in the process.

But it was sheer arrogant blindness that made Gates think he could ignore the internet. For the last two decades Microsoft has been forced into playing catch up; but catch up never works if you don’t have the vision to get ahead of the competition.

Now, in just one area, Microsoft is showing visionary signs that could differentiate it from all of its competitors. Microsoft has started listening to its customers rather than imposing its will on its customers.

While Facebook is telling everyone that they don’t want privacy, Microsoft is listening and saying, OK, we will give you privacy. While Google is fighting the European Union over privacy and cloud storage, Microsoft is listening to the EU and saying, OK, we can accommodate and store European data in European data centres.

Now, it’s not as simple as that. The US government can still demand customer data from Microsoft’s European data centres simply because Microsoft is a US company. But it’s making that data much more defensible, and telling the EU that it is willing to cooperate rather than fight.

Similarly with privacy. When it became clear last week that Microsoft had, quite legally, searched the emails of one of its customers in connection with the theft of Microsoft IP, it knew there would be privacy issues. It immediately said two things: firstly, that in future it would get a pseudo-warrant from an independent lawyer who had previously been a judge; and secondly, that it would include its own searches in future ‘transparency reports’ (the ones that publish the number of law enforcement searches).

It wasn’t enough for the privacy advocates who pointed to the hypocrisy of criticising NSA warrantless surveillance and then doing its own.

To Microsoft’s great credit, within a week, it has listened, heard and understood. Brad Smith announced yesterday,

Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.
We’re listening: Additional steps to protect your privacy

Is this a new Microsoft — the genuinely ‘listening’ company? It no longer dominates the world’s operating systems, and is losing ground on desktop office software. But it seems to be doing one thing that none of its competitors are doing. It is listening to its customers, and giving them what they want. That alone, over the next few years, could catapult Microsoft back into a leading position.

Categories: All, Security Issues

If it’s not outright lies, it is downright deceit: the NHS and patient data

March 23, 2014

I had to visit the hospital the other day. I’m not going to say why, because that’s private, personal and confidential. Suffice it to say that the condition isn’t one that I wouldn’t tell my mother; but it is one that I’d prefer potential employers and insurers know nothing about unless I tell them (it’s probably nothing anyway). I would most certainly not want the pharmaceutical industry to know — the drugs they offer make the (possible) condition much worse, and introduce new ones.

But I don’t need to worry, do I? At the bottom of the hospital appointment letter, in bold type, is the statement:

All personal information about you is kept confidential at all times and is only shared when necessary to support your care and treatment. If we want to use your information for any other purpose, with the exception of when the law requires us to do so, we will talk with you and obtain your consent. If you have any concerns regarding this, please talk to the person providing your care and treatment.
(see grammatical note at the end of this post)

But that’s a lie. While the government wants to start centralizing our GP records in the autumn, it is already doing so with HES (Hospital Episode Statistics). These are already held by the Health and Social Care Information Centre (HSCIC) which is where all of the records will eventually be held. According to the HSCIC website,

HES is a data warehouse containing details of all admissions, outpatient appointments and A&E attendances at NHS hospitals in England.

This data is collected during a patient’s time at hospital and is submitted to allow hospitals to be paid for the care they deliver. HES data is designed to enable secondary use, that is use for non-clinical purposes, of this administrative data.

It is a records-based system that covers all NHS trusts in England, including acute hospitals, primary care trusts and mental health trusts. HES information is stored as a large collection of separate records – one for each period of care – in a secure data warehouse.

We apply a strict statistical disclosure control in accordance with the HES protocol, to all published HES data. This suppresses small numbers to stop people identifying themselves and others, to ensure that patient confidentiality is maintained.

Compare the two statements. It is perfectly clear that the hospital is lying. But the reality is, so is HSCIC.

Back in 2012, the consultancy PA Consulting bought a copy of the HES data.

So we bought the data and installed it (with certain security restrictions) on our own hardware… [But querying the data took too long.] The alternative was to upload it to the cloud using tools such as Google Storage and use BigQuery to extract data from it… Within two weeks of starting to use the Google tools we were able to produce interactive maps directly from HES queries in seconds.

(That document seems to have been removed from the PA site, or hidden away. Either way, I can no longer find it and have to rely on the copy I have. It seems to have been replaced by a press statement from PA and another from HSCIC, issued in what looks like a coordinated release. Neither should satisfy any patient.)

Ask yourself this: how can maps be produced without location data? And what is location data if not personally identifiable information? How can data be transferred to a third party (Google’s cloud) and stay within the Data Protection Act? Remember that several data protection regulators in various parts of Europe, including our own, have challenged Google over its privacy policy, and several have already fined Google the maximum possible for being in breach of European data protection laws.

The HES data sold by the government is pseudonymised, but it still includes postcode and age (PA denies that it received date of birth or address, but does not say whether it received age or postcode). Postcode and age together are quasi-identifiers: a full UK postcode covers only a handful of households, so for most patients that combination, matched against a consumer database of the kind marketing firms already hold, is enough to work out who they are and where they live.
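The re-identification risk described above, and the “suppresses small numbers” control in the HSCIC statement quoted earlier, can both be shown in a few lines of code. What follows is an added example and is not code from the original post, from HSCIC or from PA Consulting. The pseudonymised records, the postcodes, the names in the marketing database and the pseudonym scheme are all constructed for illustration, and the suppression threshold of 3 is an assumption, not the HES protocol’s actual value.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence, Tuple

# Constructed stand-in for a pseudonymised HES extract. The NHS number has been
# replaced by an opaque pseudonym, but full postcode and age survive.
# These are not real patients, postcodes or episodes.
HES_RECORDS: List[Dict] = [
    {"pseudo_id": "a1", "postcode": "YO1 7HH", "age": 34, "diagnosis": "asthma"},
    {"pseudo_id": "b2", "postcode": "YO1 7HH", "age": 34, "diagnosis": "fracture"},
    {"pseudo_id": "c3", "postcode": "YO1 7HH", "age": 34, "diagnosis": "migraine"},
    {"pseudo_id": "d4", "postcode": "SW1A 2AA", "age": 61, "diagnosis": "diabetes"},
    {"pseudo_id": "e5", "postcode": "M1 1AE", "age": 27, "diagnosis": "depression"},
    {"pseudo_id": "f6", "postcode": "M1 1AE", "age": 45, "diagnosis": "hypertension"},
]

# Constructed stand-in for the kind of consumer database a marketing firm already
# holds: names alongside the same two quasi-identifiers. Also not real people.
MARKETING_RECORDS: List[Dict] = [
    {"name": "Alice Example", "postcode": "YO1 7HH", "age": 34},
    {"name": "Bob Example", "postcode": "YO1 7HH", "age": 34},
    {"name": "Carol Example", "postcode": "YO1 7HH", "age": 34},
    {"name": "Dan Example", "postcode": "SW1A 2AA", "age": 61},
    {"name": "Eve Example", "postcode": "M1 1AE", "age": 27},
    {"name": "Frank Example", "postcode": "M1 1AE", "age": 45},
]

# Fields that are neither names nor NHS numbers but still narrow a record to a person.
QUASI_IDENTIFIERS: Tuple[str, ...] = ("postcode", "age")


def qi_key(record: Dict, quasi_identifiers: Sequence[str] = QUASI_IDENTIFIERS) -> Tuple:
    """The quasi-identifier values of one record, as a hashable key."""
    return tuple(record[field] for field in quasi_identifiers)


def equivalence_classes(records: Iterable[Dict],
                        quasi_identifiers: Sequence[str] = QUASI_IDENTIFIERS) -> Dict[Tuple, List[Dict]]:
    """Group records that are indistinguishable on the quasi-identifiers."""
    classes: Dict[Tuple, List[Dict]] = defaultdict(list)
    for record in records:
        classes[qi_key(record, quasi_identifiers)].append(record)
    return dict(classes)


def k_anonymity(records: Iterable[Dict],
                quasi_identifiers: Sequence[str] = QUASI_IDENTIFIERS) -> int:
    """Size of the smallest equivalence class. k == 1 means some record is unique
    on the quasi-identifiers and is one lookup away from a name."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min((len(members) for members in classes.values()), default=0)


def suppress_small_counts(records: List[Dict], threshold: int = 3,
                          quasi_identifiers: Sequence[str] = QUASI_IDENTIFIERS) -> List[Dict]:
    """The simplest statistical disclosure control: drop every record whose
    equivalence class is smaller than the threshold. The default of 3 is an
    assumption for this example, not the HES protocol's own value."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r for r in records if len(classes[qi_key(r, quasi_identifiers)]) >= threshold]


def link_records(pseudonymised: List[Dict], identified: List[Dict],
                 quasi_identifiers: Sequence[str] = QUASI_IDENTIFIERS) -> Dict[str, Tuple[str, str]]:
    """Re-identification by linkage. A pseudonymised record is attributed to a
    named person when both datasets hold exactly one record with those
    quasi-identifier values; larger classes stay ambiguous and are left alone."""
    pseudo_classes = equivalence_classes(pseudonymised, quasi_identifiers)
    named_classes = equivalence_classes(identified, quasi_identifiers)
    links: Dict[str, Tuple[str, str]] = {}
    for key, members in pseudo_classes.items():
        candidates = named_classes.get(key, [])
        if len(members) == 1 and len(candidates) == 1:
            links[members[0]["pseudo_id"]] = (candidates[0]["name"], members[0]["diagnosis"])
    return links


if __name__ == "__main__":
    print("k-anonymity of the raw extract:", k_anonymity(HES_RECORDS))
    for pseudo_id, (name, diagnosis) in link_records(HES_RECORDS, MARKETING_RECORDS).items():
        print(f"  {pseudo_id} -> {name}: {diagnosis}")
    released = suppress_small_counts(HES_RECORDS, threshold=3)
    print("k-anonymity after suppression:", k_anonymity(released))
    print("re-identified after suppression:", link_records(released, MARKETING_RECORDS))
```

Run as written, the raw extract has k = 1: three of the six “pseudonymised” patients fall straight out with their diagnoses, because nobody else in the dataset shares their postcode and age. Suppressing classes smaller than 3 before release raises k to 3 and the linkage yields nothing. The point to take from this is that HSCIC’s statement applies that control to “published HES data”, the aggregate tables, whereas what PA Consulting describes buying and loading into BigQuery is record-level data; small-number suppression on published statistics does nothing for records sold in bulk.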

And then there’s Beacon Dodsworth, a firm that “provides geographical information system (GIS) mapping software and marketing technology to clients in a wide range of industries” including Estee Lauder, Trinity Mirror Group and Boots. It says

Hospital Episode Statistics (HES) have now been integrated with our P2 People & Places people classification thanks to some hard work from our clever developers.

This means you can now better understand the health needs of local communities and populations and identify trends and patterns in order to target health improvement more effectively.
http://www.beacon-dodsworth.co.uk/site/data/hospital-episode-statistics

So we seem to have a system that quite readily sells our hospital records to any marketing company that will pay for them, and then allows those marketing firms to advertise the ability to target us on the basis of our health. And at the same time, the NHS itself tells us something completely different: that the data is only seen by those involved in our treatment.

Now Ross Anderson, chair at the Foundation for Information Policy Research; Phil Booth, coordinator at medConfidential; and Nick Pickles, director at Big Brother Watch, have all filed a complaint with the ICO requesting that the issue be examined in relation to the Data Protection Act.

It will be interesting to see how the ICO reconciles what to everyone else is a clear but hidden breach of confidential patient data, and of the Data Protection Act, with this government’s desire to sell and share everything about us to anyone willing to pay for it, irrespective of our own wishes. Because the one thing we can be very sure about in all of this is that the ICO will do all it can to avoid doing anything at all.

grammatical note
Each of the first two sentences is a complete statement in its own right. There is nothing in the second sentence to indicate that it qualifies the first. There is nothing in these two sentences from which a reasonable patient could infer that what is really meant is, “We will not share your personal data with anyone other than the centralised government database operated by HSCIC, to whom we will always provide all of your details all of the time, and over which we have not the slightest control nor responsibility for your personal data.”

Categories: All, Politics, Security Issues

Lobbying against data protection reform will now concentrate on national governments

March 13, 2014

Well, the European Parliament voted overwhelmingly in favour of reforming the Data Protection Directive with a new Regulation that ensures standard data protection rules across the entire EU, strengthens people’s privacy, increases sanctions against transgressors, and provides some rights to have personal data removed from databases. It is not yet, however, a done deal since the Council of Ministers (that is the EU’s national governments) must also agree.

Industry lobbying against national governments will now intensify. Here’s an article from PharmaTimes published two days ago:

The multi-stakeholder Healthcare Coalition on Data Protection has stepped up pressure on lawmakers in the EU to preserve, re-instate or clarify research-friendly provisions in the European Commission’s proposal for a General Data Protection Regulation.

Why?

According to the Royal College of Physicians, the net impact of the LIBE amendments has been to introduce much more stringent requirements for explicit consent to use personal data for health or scientific research than under current legislation.

Furthermore, the EU totally irresponsibly demands that personal data used for research purposes (which they want to take without asking us) be “anonymised or, if that is not possible for the research purposes, pseudonymised under the highest technical standards, and all necessary measures shall be taken to prevent re-identification of the data subjects.”

This, according to the Healthcare Coalition on Data Protection “would make much valuable research involving personal data at worst impossible and at best unworkable.”

So why do they need to know who we are? To improve our health (not to mention the pharmaceutical industry’s profits, and indeed, it doesn’t mention them) through data-driven approaches.

These include large disease databases, personalised medicine, medical imaging, eHealth, mHealth, human genome decoding, disease prediction, biobanks, biomarkers and many more.

I’m not sure why they need to know who I am for any of that other than ‘personalised medicine’; and frankly I’d rather get my personalised medicine from my GP than through an advertising campaign delivered to my door by the pharmaceutical industry… who knows who I am, where I live, how old I am, what’s wrong with me, my sexual preferences and any past (or present) STDs, whether I’m pregnant or have had an abortion, and probably (through alignment with other databases) how much I can spend on medicine. All of which they want to know without asking my consent.

Categories: All, Politics, Security Issues

Message to Mr Obama: Do not underestimate European anger

February 20, 2014

Introduction
The United States would be well advised not to dismiss European anger over the NSA — but so far the US doesn’t seem to be taking the EU’s concerns seriously. Consider the safe harbour agreement, and the growing movement to suspend it.

Safe harbour is an official arrangement that allows American companies to circumvent the European data protection laws. These laws prohibit the export of personal European data to any country that does not have comparable data protection laws. The United States does not. On the face of it, then, this would stop companies like Google and Yahoo and Facebook operating in Europe since they ‘export’ their users’ data to servers in the US.

To avoid this, the EU and US developed the Safe Harbour. Provided individual companies are certified to provide a comparable level of data protection to that required in the EU, safe harbour allows US companies to store EU data in the US. That certification can be provided by a qualified third-party, or it can be self-certification. One of the conditions included is that personal EU data will not be passed on to third parties.

But this requirement is clearly being breached by the NSA’s Prism programme. It doesn’t matter whether US cloud companies are giving EU data to the NSA willingly or even knowingly — that it happens is in contravention to safe harbour. So the mood in Europe is simple: if safe harbour isn’t being honoured, it would be better to suspend it. If this were to happen as things stand, companies like Google and Facebook would no longer be able to operate in Europe.

Why I don’t think America is taking this threat seriously
In December 2013, a US think tank called Future of Privacy Forum (FPF) published a report concluding, “It would be unwise at this stage of the Safe Harbor to pull back on this effective program.” It claims that safe harbour is working — when Prism shows it is not.

FPF’s first argument is that “eliminating the Safe Harbor will not prevent the NSA from accessing EU citizens’ data.” Seriously? Is FPF really suggesting that since the NSA will disregard the law, we shouldn’t bother having any laws?

Its second argument is that even US companies that allow their safe harbour certifications to lapse are “still subject to FTC Section 5 enforcement for any substantive violations of the Safe Harbor principles committed while it claims to be a member.” Luckily, we can test that assertion, because the FTC has just taken enforcement action against 12 US companies for that very infringement.

Following complaints, the FTC took action against the companies which resulted in settlements. The settlement agreements now prohibit the companies from falsely stating to be Safe Harbour certified.
FTC takes safe harbor enforcement action against 12 US corporations

So, the punishment for ignoring safe harbour rules is to agree to stop ignoring safe harbour rules; which can be done via self certification.

This is not the behaviour of a country that is taking Europe seriously.

Is it even possible for Europe to suspend safe harbour?
This is the crux of the problem. America clearly believes that it would be impossible: Google, Facebook, Microsoft, Yahoo etc, etc are so deeply woven into the social and economic fabric of Europe that it would not dare, in the final analysis, to pull the plug. That, I fear, would be a catastrophic underestimate of European determination.

Consider some of Europe’s recent announcements. It is preparing itself for a life without US tech giants, and even a life without the UK. (Incidentally, David Cameron will rapidly discover how insignificant the UK will be considered by the US if it can no longer influence the EU in favour of the US; and GCHQ, like the NSA, can no longer spy on Europe.)

Firstly, the EU has declared it wishes to be an honest broker between US and UN ownership of internet governance. In other words, the European bloc is no longer in blind support of the US position — it is preparing for, and in doing so it is making inevitable, a time when US control is removed.

Secondly, Angela Merkel has indicated a Franco-German intent to build a European internet outside of the NSA’s reach. US companies will either have to agree to play by European rules, or be excluded from Europe. (That, of course, applies equally to the UK and GCHQ. Nigel Farage of UKIP wants the UK to leave the EU; Cameron, who doesn’t, is close to getting the UK excluded by default.)

Faced with such a decision, the US companies will take a commercial position and play by the rules of what will effectively be a heavily policed virtual internet within and for Europe. Microsoft has already broken ranks and said it will ensure European data remains in servers within Europe. The problem for Microsoft will come when it receives a FISC order demanding EU data from those European servers. The danger for the United States is that under such circumstances, some of those companies will emigrate from America in order to maintain their European presence.

So, as I said at the beginning, the US would be well-advised to take Europe seriously. Europe is older and more patient than America. It can and will take the long view over this issue.

Categories: All, Politics, Security Issues

The dangers of automation

February 17, 2014

I got this Skype message this morning from a much-loved and well-respected colleague:

[screenshot: the Skype message]

Well it was news to me; so I asked what made him think that. He sent me a link; and that link led me to this:

[screenshot: a third-party site’s privacy statement naming me]

And so it continues – I am mentioned 28 times on this page.

I quickly checked my emails to see if some rich aunt had passed over and left me a new website in her will; but all I could find were a few other opportunities:

…my name is Michael Smith and I want you to assist me received huge sum of (Ten Million Five Hundred Thousand United States Dollars) for Investment purpose in your country and am willing to offer you 40% of the total sum for your great support. You might also wonder how i got your contact, I got it through the internet when i was looking for a trust worthy person i can trust to handle this project.

and this

[screenshot: email from my aunt]

(yes, there was my rich aunt in all her glory still very much alive), and this

…a woman with the name (Ms. Gail Jackson) Came to Our Office with an Application Stating That she is your sister and You Gave Her the Power Of Attorney to Be the Beneficiary of Your Outstanding Contract Award Funds. She Made Us To Believe That You Are Dead And That She Is Your Next Of Kin…

That last one was worth $5.6 million; but sadly it was mistaken identity – I’ve never had a sister.

The reality is probably less interesting. It’s probably a new site under development. The developer is using a privacy statement template, and where it says ‘enter your name’, he entered mine. Or maybe all of the variables are in a separate file and are merged automatically; but in this instance they’ve got out of sync.

Sadly, I do not have a new gig with wossname; and I have no idea how my name became so elevated. But it is gratifying, nevertheless…

Categories: All, Security Issues