Archive for the ‘Data Privacy’ Category

With just over a month until the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 is enforced, it was high time that an organisation with the weight to set a precedent got off the fence and took a serious position on the matter.

Who better than the UK’s Government Digital Service?

I’m not sure I expected the UK government to be the one to lead the charge on cookie law compliance, and I’m certain I didn’t expect them to be the ones to argue that web analytics are “essential”, but that’s exactly what they’ve done with their snappily titled Implementer Guide to Privacy & Electronic Communications Regulations (PECRs) for public sector websites.

So does it stand up to scrutiny? And more pressingly, does it get the rest of us out of a potentially difficult situation?

The government’s argument

The Government Digital Service (GDS) takes the view that web analytics are “essential to the effective operation of government websites” and that “at present the setting of cookies is the most effective way of doing this”.

Further, they feel that web analytics cookies are “minimally intrusive” and that “their usage tends to be controlled by the first-party” (emphasis theirs).

Finally they point to a statement in the Information Commissioner’s Guidance on the rules on the use of cookies and similar technologies which would appear to seal the deal:

Provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action.

Does it stack up?

The title of the GDS’s blog post, It’s not about cookies, it’s about privacy, echoes sentiments expressed in my own recent article on privacy and the cookie law for the LBi bigmouthmedia blog: Joe Public does not, on the whole, have a firm grasp of online privacy, and we don’t have to look very hard to see stark contradictions between popular belief and patterns of behaviour.

So getting hung up on the technology isn’t the point; we must instead concern ourselves with the end result.

Still, laudable as it is, the GDS’s concern for the spirit rather than the letter of the law doesn’t stop them from protecting their own priorities, relying largely on the ICO’s statement that they’re “unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action” to justify doing little to change their current analytics implementations.

Like private sector website owners, they’re not terribly keen on obtaining informed consent, either, calling it “disruptive to the user experience”, by which they mean, of course, that practically nobody will consent.

They’re not explicit about how they’ll address this problem, but they will apparently seek to “raise the awareness levels amongst users of government websites about the uses and functions of cookies”.

The other sticking point is that elsewhere in the quoted Guidance document, the ICO advises that analytics cookies are “unlikely to fall within the exception” and defines “the exception” as applying only to cookies which are “for the sole purpose of carrying out the transmission of a communication” or which are “strictly necessary” (as distinguished from “reasonably necessary”).

In other words it could go either way and, like many organisations considering their cookie options, the GDS seems set to take a gamble that the ICO won’t crack down on analytics.

That’s not a position I’d have expected the government to take and, as an ex-local government officer myself, I have some sympathy with whichever poor soul had to write the risk assessments.

Of course, one could take a view that their aims of assuring the “best possible user experience” and encouraging “citizens to use more cost-effective channels for accessing government services” mean that what’s good for them is good for their users, but that seems like the thin end of a wedge and an argument that would be unlikely to cut much ice with the ICO were a private company to be the first to make it.

Via: http://econsultancy.com/uk/blog/9416-eu-cookie-law-uk-government-crumbles?utm_medium=email&utm_source=daily_pulse

Posted By RAY CLANCY

Expats in Europe, especially those who travel between countries, will benefit from new rights and services regarding mobile phones and the internet from today (Wednesday May 25).

New European Union telecoms rules to ensure a more competitive telecoms sector and better services for customers are implemented. They include the right for customers to switch telecoms operators in just one day without changing their phone number, the right to more clarity about the services customers are offered and better protection of personal data online.

New oversight powers for the European Commission and regulatory powers for the Body of European Regulators for Electronic Communications (BEREC) will create more regulatory certainty and help telecoms operators to grow in a single, pan-European telecoms market. The EC said it has worked closely with member states to seek swift implementation of these EU rules and will consider launching infringement proceedings against those who do not implement them on time.

‘Citizens and businesses should take full advantage of the opportunities these new rules give them to get more competitive telecoms services. I will do my utmost to help them to do so. If these rights are not made available in practice, I will take the measures necessary to fix that situation,’ said Neelie Kroes, vice president of the European Commission for the Digital Agenda.

The rules also introduce a maximum length of 24 months for customers’ initial sign-on contracts and an obligation on operators to offer 12-month contracts. This will allow customers to switch more easily to a different operator if they find a better deal and gives clearer information on services to which a customer is subscribed.

Consumer contracts must also give information about minimum service quality levels. In particular, internet subscribers must be given information about traffic management techniques and their impact on service quality, as well as any other limitations such as bandwidth caps, available connection speed or the blocking or ‘throttling’ of access to certain services such as Voice Over Internet Protocol.

Contracts also must give details of compensation and refunds available if these minimum levels are not met.

They also give improved online privacy and safety including better protection against personal data breaches and spam as well as mandatory notifications for personal data breaches and better information and consent requirements for storing or accessing information in users’ devices such as cookies not related to the service currently accessed.

Other new elements in the package include better access to emergency services including 112, Europe’s single emergency number.

The Commission said it is closely following the implementation of the new telecoms rules by member states and will use its full powers, recently enhanced by the Lisbon Treaty, to ensure full and timely implementation of the EU’s updated telecoms rules in national law.

The revised EU rules on telecoms networks and services were formally adopted by the European Parliament and Council in late 2009. The Parliament and Council agreed that the rules must be implemented into the national laws of the 27 Member States by 25th May 2011.

Via: http://www.expatforum.com/european-union/better-mobile-and-internet-services-for-europe-now-introduced.html

Posted By Thomas Claburn, InformationWeek

Google and mobile advertising metrics companies Flurry and Mobclix were sued last week in San Jose, Calif., for allegedly harvesting location data and device identification numbers, and for “introducing a computer contaminant,” code that reports metrics.

The lawsuit, filed on behalf of plaintiff Juliann King, claims the companies violated federal computer fraud law and California laws governing computer crime and business conduct, in addition to breaching an implied contract.

The complaint asserts that Android users have downloaded apps that include embedded information-harvesting code–APIs for gathering advertising and app usage metrics–that sends detailed information about users, including their locations and unique mobile identifiers, to mobile advertising companies. This information, the complaint claims, is then used to track, profile, and personally identify users.

Past news reports about Android app security appear to have led to the lawsuit. The complaint cites findings by corporate and academic security researchers that reveal, for example, that half of 30 Android apps tested “transmitted the user’s physical location and, in some cases, phone number, to defendants, without disclosing such transfer to the user, for purposes unrelated to the advertised purpose of the app and, in most cases, in plain text.”

Google declined to comment on pending litigation. The company has defended its handling of location sharing on Android devices, noting that Android location sharing is opt-in and that Google provides “notice and control over the collection, sharing, and use of location.”

Flurry and Mobclix did not immediately respond to requests for comment.

The complaint arrives amid growing unease about data collection and privacy. Last month, Apple was forced to defend its handling of location data after researchers raised questions about the presence of a Wi-Fi hotspot database stored on iPhones. Apple has since released a code update to address the issue.

Lawmakers have been mulling limits on online data collection for months and on Friday, Senator Jay Rockefeller (D-W.Va.) said he planned to introduce Do-Not-Track legislation, which requires companies to honor consumer choice when consumers say they do not want their online activities tracked.

While some of Google’s competitors like Microsoft have voiced support for a Do-Not-Track law, Google itself has not. Google relies on data to monetize the free services it provides and has consistently defended its stewardship of user data and the utility of anonymized aggregated data to improve its services.

Venkat Balasubramani, an attorney with Seattle-based law firm Focal PLLC and a contributor to Eric Goldman’s Technology & Marketing Law blog, characterized the suit as a rehash of tracking cookie lawsuits in a mobile context. “I think this is just seizing on the public reports and zeitgeist,” he said in a phone interview.

The lawsuit’s assertion that the inclusion of mobile metrics code in an app constitutes trespass isn’t likely to get very far, he suggested, noting that past claims that spam is equivalent to trespass because it slows machine performance have been shot down. The lawsuit’s characterization of the apps as engaging in “unauthorized access” in violation of federal and state laws faces similar challenges, he said, noting however that courts have shown willingness to treat access that exceeds authorization as a violation of the Computer Fraud and Abuse Act in some contexts.

Balasubramani explained in an email that such suits typically have a hard time in the absence of some showing of specific harm. He allowed that one outcome of this and similar cases might be stronger efforts by companies like Flurry and Mobclix to elicit promises from developers to use advertising reporting code in an acceptable manner. But he also observed that such companies usually have explicit and lengthy terms of use policies that require developers not to misuse the power of code.

Via: http://www.informationweek.com/news/internet/google/229403062