QuickLinks - Data Protection (privacy)
recent items
Issue no. 385 - 21 March 2008
- Web creator rejects net tracking
(BBC)
The creator of the web has said consumers need to be protected against systems which can track their activity on the internet. Sir Tim Berners-Lee told BBC News he would change his internet provider if it introduced such a system. Plans by leading internet providers to use Phorm, a company which tracks web activity to create personalised adverts, have sparked controversy.
Issue no. 384 - 24 February 2008
- Call to scrap children's database
(BBC)
The government faces calls to scrap a database containing the details of every child in England after a report said it could never be secure. The report, by accountants Deloitte and Touche, was ordered after last year's missing data discs crisis. ContactPoint will begin operation in September or October this year, five months later than planned. It will list the name, address and date of birth of every child in England and contact details for their parents, doctors and schools. Every child will be given a "unique identifying number".
- DE - StudiVZ head calls for round table on data protection in Web 2.0
(Heise)
The managing director of StudiVZ, Marcus Riecke, speaking at a discussion with pupils on the 2nd European Data Protection Day at the Robert-Jungk-Oberschule in Berlin, called for a round table on data protection in Web 2.0 to be convened. Other platform providers, privacy guardians, advertisers, child-protection advocates and home-affairs politicians should come together to set out framework conditions for social networks and other platforms on the participatory web. Among the points to be discussed would be the "conflict of objectives between data protection and the protection of minors" over the question of storing users' log files.
- EU - EC plans biometric border checks
(CNET News)
Visitors to Europe will face biometric screening and automated security checks under proposals for a shake-up of EU border controls. Under plans to strengthen checks at European borders laid out by the European Commission, international travelers would also have their stay logged and monitored by an electronic system, which could become operational by 2015.
- EU guidelines on RFID aim to protect privacy
(Reuters)
RFID chips embedded in items ranging from pets to retail products will have to be deactivated at the point of sale to protect purchasers' privacy under draft guidelines proposed by the European Commission. A public consultation is being launched into the "soft law" guidelines that EU information society and media commissioner Viviane Reding hopes will be adopted by the European Union executive to be applied in all the bloc's 27 member states. The consultation will be open until 25 April. The Commission services will then analyse the received contributions and put forward a draft Recommendation for adoption before the summer of 2008.
- Google argues against calling IP addresses "personal data"
(Ars Technica)
European data protection leaders are considering a plan that would make IP addresses "personal information." Google wants to make sure it doesn't happen, and today it took the fight to the blogosphere. In a new public policy posting, Google software engineer Alma Whitten made the case that IP addresses aren't so much personal information as potentially personal information. Many IP addresses assigned to consumers don't reliably map to a single machine (due to the wonders of DHCP), and even when they do, it's only the machine and not the person who is identified. Google clearly hopes to avoid a "black-and-white declaration that all IP addresses are always personal data."
- Personal data privacy 'at risk'
(BBC)
Millions of people are leaving themselves open to identity theft when using social networking websites, according to the consumer group Which? Members of sites such as Facebook can join large networks which reveal personal information to thousands of others on the network. Which? says people are at a greater risk of being targeted by fraudsters than they think.
- UK - Facebook faces privacy questions
(BBC)
Facebook is to be quizzed about its data protection policies by the UK Information Commissioner's Office. The investigation follows a complaint by a user of the social network who was unable to fully delete their profile even after terminating their account. Currently, personal information remains on Facebook's servers even after a user deactivates an account. Facebook has said it believes its policy is in "full compliance with UK data protection law".
- UK - Marks & Spencer ordered to encrypt data after laptop theft
(OUT-LAW News)
Marks & Spencer broke the law when it allowed the details of 26,000 employees to be held on a laptop without the protection of encryption, according to the Information Commissioner's Office (ICO). The laptop, and the information on it, has been stolen. The retailer must ensure that all laptop hard drives are encrypted by April of this year. If it fails to comply with an enforcement notice issued against it by the ICO it could face criminal charges.
- UK - Watchdog calls for 'reckless data-breach' offence
(ZDNet.co.uk)
The Information Commissioner's Office has called for amendments to UK data-protection laws, including making "reckless" data breaches an offence. In a document submitted to government, information commissioner Richard Thomas called for the Data Protection Act (DPA) to be amended to include a penalty for data controllers "knowingly or recklessly failing to comply with the principles" of the DPA.
Issue no. 383 - 27 January 2008
- EU - Do internet companies protect personal data well enough?
(EP Press Service)
Claims that big internet companies, such as Google or Yahoo, track the on-line behaviour of millions of users, so as to be able to sell the resulting data to on-line advertisers, raise difficult issues, such as whether these data could also be used for other purposes that violate personal privacy, said data protection, industry and consumer protection bodies at a public hearing held by the Civil Liberties Committee on 21 January. See also EU Official: IP Is Personal (AP). IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union's group of data privacy regulators said.
- MySpace Bug Leaks 'Private' Teen Photos to Voyeurs
(Wired)
A backdoor in MySpace's architecture allows anyone who's interested to see the photographs of some users with private profiles - including those under 16 - despite assurances from MySpace that those pictures can only be seen by people on a user's friends list. Info about the backdoor has been circulating on message boards for months. Since the glitch emerged last fall, it has spawned a cottage industry of ad-supported websites that make it easy to access the photographs, spurring self-described pedophiles and run-of-the-mill voyeurs to post photos pilfered from private MySpace accounts.
- Social sites prove hard to leave behind
(BBC)
Thousands of final-year students who've put a lot of information on social networks are starting to worry about what potential employers may find if they take a look. But one student at Nottingham Trent University has found just how hard it can be to leave one of the networks, MySpace.
- UK - Facebook faces privacy questions
(BBC)
Facebook is to be quizzed about its data protection policies by the Information Commissioner's Office. The investigation follows a complaint by a user of the social network who was unable to fully delete their profile even after terminating their account. Currently, personal information remains on Facebook's servers even after a user deactivates an account. Facebook has said it believes its policy is in "full compliance with UK data protection law".
- UK - Ministry of Defence lost three unencrypted laptops
(ZDNet.co.uk)
Secretary of state for defence Des Browne has admitted that the laptop lost by the Ministry of Defence containing details of up to 600,000 defence personnel was not encrypted, and also that services personnel have previously lost two more laptops containing similar unencrypted recruitment information. On 9 January, the unencrypted laptop was stolen from a recruiting officer's car which had been left overnight in a car park in Edgbaston, Birmingham. The information on the stolen laptop included 3,700 people's bank details, as well as other data on up to 600,000 people, including their names. Approximately 153,000 people also had data including addresses, passport details, national insurance numbers, driver's licence details, doctors' addresses and National Health Service numbers compromised.
- UK - TV presenter hoist with own petard
(Press Association)
Top Gear presenter Jeremy Clarkson has admitted he was wrong to brand the scandal of lost CDs containing the personal data of millions of Britons a "storm in a teacup" after falling victim to an internet scam. The outspoken star printed his bank details in a newspaper to try and make the point that his money would be safe and that the spectre of identity theft was a sham. He also gave instructions on how to find his address on the electoral roll and details about the car he drives. However, in a rare moment of humility Clarkson has now revealed the stunt backfired and his details were used to set up a £500 direct debit payable from his account to the British Diabetic Association. See also Twice bitten: acts of stupidity can lead to identity theft (Cnet).
- UK - Whitehall staff face laptop ban
(Press Association)
A new ban on Whitehall staff removing unencrypted laptops containing personal data from their offices has begun. A massive operation to ensure that civil servants comply with the new rule, laid down by Cabinet Secretary Sir Gus O'Donnell on Monday night, is now under way. As well as communicating the policy to all staff, departments will have to ensure that officials can continue to do their jobs within the constraints of the ban. This is likely to involve the encryption of large swathes of data.
Issue no. 382 - 6 January 2008
- Big Brother gets bigger, says global privacy study
(CNet)
According to a new international privacy report, governments around the world are increasingly invading the privacy of citizens with surveillance, identification systems, and archiving of private data. Driven by concern over immigration and border control, countries have been quick to implement database, identity, and fingerprinting systems, according to the 2007 International Privacy Ranking report. See also UK is Europe's worst in privacy league (Info4Security).
- EU - EDPS expresses serious concerns about EU PNR proposal
(RAPID)
The European Data Protection Supervisor (EDPS) has issued his Opinion on the recent proposal of the Commission for a Council Framework Decision on the use of Passenger Name Record (PNR) data for law enforcement purposes. The proposal involves obligations for air carriers to transmit data about all passengers on flights to or from an EU Member State. The Opinion emphasizes the major impact the proposal would have on privacy and data protection rights of air passengers. While acknowledging that the fight against terrorism is a legitimate purpose, the EDPS expresses serious concerns about the necessity and proportionality of the proposal which, in his view, are not sufficiently established in the proposal. In addition, the EDPS takes a critical stance on the lack of clarity in relation to various aspects of the proposal, in particular the applicable legal framework, the identity of the recipients of personal data, and the conditions of transfer of data to third countries.
- UK - Millions of L-drivers' data lost
(BBC)
The details of three million candidates for the driving theory test have gone missing, Ruth Kelly has told MPs. Names, addresses and phone numbers - but not financial data - were among details on a computer hard drive which went missing in the US in May. It belonged to a contractor to the Driving Standards Agency, the transport secretary told MPs.
Issue no. 381 - 8 December 2007
- EU - Public Security, Privacy and Technology:
(RAPID)
Technology developments can enhance the protection of privacy and at the same time allow law enforcement authorities secure and timely access to information, including personal data. The Conference on Public Security, Privacy and Technology, organised by the European Commission, brings together public and private sector representatives to discuss these topics. See Closing speech on Public Security, Privacy and Technology by Franco Frattini, European Commissioner responsible for Justice, Freedom and Security. Programme.
- Facebook in privacy U-turn over Beacon
(FT)
Privacy advocates declared victory after Facebook, the social networking website, moved to placate users concerned about the intrusiveness of its new Beacon advertising system. Changes to Beacon will allow users to "opt-in" to sharing information through the service, which broadcasts purchases made on outside websites to Facebook users' friends.
- UK - Data breaches misunderstood by gov't, say Lords
(Silicon News)
The government has failed to understand the threat to the continued growth of the internet posed by cyber crime, according to the influential House of Lords Science and Technology Committee.
- UK - Government offers reward in hunt for lost data
(Guardian)
The government has offered a £20,000 reward for the safe return of two missing CDs containing personal details of half the British population. The Metropolitan police, which has been heading the search for the data, has asked thousands of government workers to check their desks and homes "in case the package or discs have turned up".
- UK - Ministers under fire over records
(BBC)
The UK government's "basic competence" has been questioned by the Tories after the loss in the post of computer discs with 25m people's personal details on them. The child benefit data on them includes names, ages, bank and address details.
- UK - Police target rubbish tips in hunt for missing data discs
(Scotsman)
POLICE hunting for the two missing data discs containing sensitive data about millions of people have searched rubbish tips in London, Scotland Yard said. The discs, containing 25 million child benefit claimants' personal details, went missing when a junior official sent them by courier in the internal mail from the Child Benefit office in Washington, Tyne and Wear, to the National Audit Office in London on October 18.
- UK - Watchdog: Protecting data is not 'rocket science'
(ZDNet.co.uk)
In the wake of the largest-ever data breach to hit the UK, the Information Commissioner's Office has criticised the apparent lack of technological safeguards in government departments and called for "privacy-enhancing technologies" to be built into future projects.
- UK - Young warned over social websites
(BBC)
Millions of young people could damage their future careers with the details about themselves they post on social networking websites, a watchdog warns. The Information Commissioner's Office found more than half of those asked made most of their information public.
Issue no. 380 - 30 September 2007
- FR - Is the IP address still a personal data in France?
(EDRI)
Two decisions from the Paris Appeal Court held that collection of IP addresses does not constitute a processing of personal data, and consequently was not subject to CNIL prior authorization, as required by the French Data Protection Act. In the meantime, the Advocate General of the European Court of Justice, in case C-257/06 Productores de Música de España (Promusicae) v. Telefónica de España, an entirely separate case lodged for reference by a Spanish Court under the preliminary ruling procedure, took the position that the EU legislation on personal data protection should prevail over the Community law on e-commerce, copyright protection and IP enforcement.
- Google calls for international privacy laws and policies
(OUT-LAW News)
The head of privacy at Google is urging the governments of the world to adopt a unified set of privacy laws to protect personal data online. A non-binding framework that is already used by Asia Pacific nations is recommended for global use. Google calls for web privacy laws (BBC).
- Google's Gmail cookie vulnerability exposes user's privacy
(CNET News)
The "ethical hacking" group GNUCitizen has developed a proof-of-concept program to steal contacts and incoming e-mails from Google Gmail users. "This can be used to forward all your incoming e-mail," Pure Hacking security researcher Chris Gatford said. "It's just a proof of concept at the moment, but what they're demonstrating is the potential to use this vulnerability for malicious purposes."
- Learning to live with Big Brother
(Economist)
These days, data about people's whereabouts, purchases, behaviour and personal lives are gathered, stored and shared on a scale that no dictator of the old school ever thought possible. Most of the time, there is nothing obviously malign about this. Governments say they need to gather data to ward off terrorism or protect public health; corporations say they do it to deliver goods and services more efficiently. But the ubiquity of electronic data-gathering and processing - and above all, its acceptance by the public - is still astonishing, even compared with a decade ago. Nor is it confined to one region or political system.
- Who's afraid of Google?
(Economist)
The world's internet superpower faces testing times. Rarely if ever has a company risen so fast in so many ways as Google, the world's most popular search engine. The list of constituencies that hate or fear Google grows by the week. And now come the politicians. Libertarians dislike Google's deal with China's censors. Conservatives moan about its uncensored videos. But the big new fear is to do with the privacy of its users.
Issue no. 379 - 2 September 2007
- Facebook users pretty willing to add strangers as 'friends'
(News.com)
IT security firm Sophos has released the results of its Facebook ID Probe, a test to see just how many users of the site are willing to divulge highly personal information to potential identity thieves. The results, to say the least, show that more than a few Facebook members might not be taking their privacy seriously enough. Sophos created a fake Facebook profile, and randomly requested 200 members to be friends with 'Freddi.' Out of those 200, 87 accepted the friend request and 82 of those gave 'Freddi' access to "personal information" such as e-mail addresses, dates of birth, addresses and phone numbers, and school or work data.
- Second Monster hack affects millions
(vnunet.com)
Monster.com has admitted that the number of job seekers on its website who had their personal data stolen is greater than the 1.3 million originally reported. Monster.com kept the original attack secret for five days before alerting users to the problem. The company's database holds around 73 million CVs. Iannuzzi claimed that only a few hundred had cancelled their accounts, along with a "handful" of employers.
- UK - Honesty the best online policy
(BBC News)
Columnist Bill Thompson says firms should tell customers when their computer security has been breached. UK organisations have no legal duty to tell if personal data has been compromised. The situation may change, if the House of Lords Select Committee on Science and Technology has its way. They have spent the last year looking at internet security and how it affects us all and they published their final report, called Personal Internet Security.
- UK - Press Complaints Commission raps paper over online video
(OUT-LAW News)
The Press Complaints Commission (PCC) has issued its first ever ruling on video content published online by a newspaper. It said that the Hamilton Advertiser breached school pupils' rights to privacy with a video of an unruly classroom.
Issue no. 378 - 5 August 2007
- EU - EDPS - Data Protection Directive should be fully implemented
(EDRI-gram)
The EDPS (European Data Protection Supervisor), Peter Hustinx, issued on 25 July 2007 an opinion on the European Commission communication regarding the improved implementation of the EC Data protection directive (95/46), considering that the Directive should not be amended and asking for its full implementation before applying any changes.
- EU - MEPs fear that new PNR agreement fails to protect citizens' data
(EP Press Release)
The European Parliament looked into the recent agreement signed by the EU-US administration for the transfer of air passengers' data and concluded in its resolution that the new deal still fails to offer an adequate level of data protection and it has been concluded without any involvement of parliaments from both sides, lacking democratic oversight. While recognising the difficult conditions under which the negotiations took place, MEPs regret that the EU-US agreement for the transfer of Passenger Name Records (PNR) is 'substantively flawed', in particular by 'open and vague definitions and multiple possibilities for exception'.
- EU - Our data retention is not data protection watchdogs' business, says Google privacy boss
(OUT-LAW News)
The retention of search engine query data is a security matter and not one for Europe's data protection officials, according to Google's global privacy chief. Google said that it had to keep the records because the Data Retention Directive demanded it, but the Article 29 Working Party said that the Directive does not apply to search engines.
- EU finds clerical solution to PNR privacy concerns
(OUT-LAW News)
A new passenger name records (PNR) deal was announced this week by the EU and the US. It covers how much information can be handed to US authorities about passengers on flights from Europe to the US and the conditions on which it was kept. The US won major concessions from the EU, winning its demands to keep data for far longer and the ability to pass it on to other US agencies. The EU appeared to win one argument, reducing the amount of data transferred. However, the reduction of the number of data fields handed to US security services announced by the European Union was achieved by squeezing almost the same amount of data on to fewer lines. The news undermines what was seen as a concession won by EU negotiators.
- Google cookies will 'auto delete'
(BBC)
Google has said that its cookies, tiny files stored on a computer when a user visits a website, will auto delete after two years. They will be deleted unless the user returns to a Google site within the two-year period, prompting a re-setting of the file's lifespan. The company's cookies are used to store preference data for sites, such as default language and to track searches.
- Search sites tackle privacy fears
(BBC)
User worries are driving search firms to let people manage how much data they reveal when they visit the sites. The top four search sites, Google, Microsoft, Yahoo and Ask, have unveiled plans to cut how much data they hold and how long they store it. Going furthest Ask said it would let users search without surrendering any data about themselves and their PC.
- UK - Caught on camera and found on Facebook
(BBC)
Facebook, the social networking website, is being used as a disciplinary tool by university authorities. Staff at Oxford University are searching the website, collecting photographs of students who they say have broken rules on post-examination celebrations, and handing down fines. The student union has branded the move a "disgraceful" intrusion into privacy and has e-mailed every common room advising how to prevent dons viewing the photographs.
- UK - Data retention law passed
(OUT-LAW News)
UK telecoms companies will have to keep phone call logs for a year under a new law to come into force in October. The law does not apply to records of internet activity, such as web surfing, email and Voice over Internet Protocol (VoIP) phone calls. The Data Retention (EC) Regulations transpose into UK law most of the European Union's Data Retention Directive. The Regulations will come into force on 1st October, two weeks after the deadline set by the EU, but they will not apply to internet traffic data. The Directive allows member states to extend the rules to internet data at a later date, provided these rules are in force by 15th March 2009.
- US - Appeals court dismisses suit against NSA spy program
(CNET News)
In a setback for foes of a controversial Bush administration wiretapping program, a federal appeals court threw out an American Civil Liberties Union lawsuit that alleged illicit snooping on Americans' calls and e-mails.
Issue no. 377 - 5 July 2007
- BR - YouTube wins "supermodel sex on the beach" case
(Ars Technica)
A Brazilian judge has ruled in favor of YouTube, Globo Comunicações e Participações, and Internet Group do Brasil (iG) this week in a case involving Brazilian model Daniella Cicarelli and a sex video. Cicarelli and her boyfriend, Tato Malzoni, had sued YouTube after a video of the couple having sex on a public beach in Brazil appeared on the site. The pair argued that YouTube was violating their privacy. Judge Gustavo Santini Teodoro ruled that the couple's privacy claims were unfounded and ordered Cicarelli to pay fees to each of the defendants.
- EDPS letter to incoming Portuguese presidency: fundamental rights are not captives of security
(RAPID)
Peter Hustinx, the European Data Protection Supervisor, sent letters to the Portuguese Ministers for Justice and Interior. Hustinx requested the upcoming presidency to ensure sufficient consideration of data protection implications before Council initiatives are adopted. It seems that a number of agreements on new anti-terrorist measures have been concluded without fully considering the impact on fundamental rights. To help the Council avoid that from happening, the EDPS makes himself available as an advisor so that the Council can adopt effective as well as legitimate new policies.
- EU - Data retention laws do not cover Google searches
(out-law.com)
Google is not bound by the Data Retention Directive when it comes to search engine logs, Europe's data protection committee has said. Google has used the Directive to justify keeping data, but OUT-LAW has learned that the law does not apply. Google has come under increasing pressure in Europe to anonymise its server data, but the company says that it will wait until 18-24 months have passed before anonymising. Among its reasons for this was the Data Retention Directive.
- EU - Google agrees changes on privacy
(FT)
Google has made fresh concessions to European Union data protection officials, agreeing to limit the amount of time it keeps users' personal search data to 18 months. The US internet group also said it would "radically redesign" its policy on keeping information from "cookies" or identifier programmes on individual computers.
QuickLinks
Links to news items about legal and regulatory aspects of the Internet and the information society, particularly those relating to information content, and market and technology. QuickLinks consists of:
- a free newsletter appearing approximately every two to three weeks. The newsletter is distributed by electronic mail through an "announcement only" mailing list.
- a Web site with frequent updates, an events page, news items organised by category as well as chronologically by issue and full text search.
QuickLinks is edited by Richard Swetenham richard.swetenham@ec.europa.eu
This work is licensed under a Creative Commons Licence.