Rina Steenkamp - Privacy and technology
[What an IP address can reveal about you | 2012 Annual report of the Interception of Communications Commissioner | @metpoliceuk how twitter is changing modern policing | Online survival kit | Is your inseam a biometric? Evaluating the understandability of mobile privacy notice categories | The SANS 2013 help desk security and privacy survey | Exploring data-driven innovation as a new source of growth - Mapping the policy issues raised by 'big data' | Reconciling personal information in the United States and European Union | Data breach report 2012 | Global state of information security survey 2013 | Privacy auditing - an exploratory study | Children's online privacy protection rule | Apps for kids are data magnets; FTC rules to kick in | Patient privacy in a mobile world - a framework to address privacy law issues in mobile health | Working paper on web tracking and privacy - Respect for context, transparency and control remains essential | United States of America v. Andrew Auernheimer, Appellant's opening brief]
A report prepared by the Technology Analysis Branch of the Office of the Privacy Commissioner of Canada.
From the introduction:
"Over the past decade, the Government of Canada has tabled various iterations of so called lawful access legislation. The latest one identified six specific elements of subscriber information which would be made available to law enforcement and national security authorities without prior judicial authorization; specifically, one’s: name; address; telephone number; electronic mail address; Internet protocol address; and local service provider identifier. [...] Proponents of previous attempts at such legislation have described such subscriber data as being similar to 'phone book' information. This document presents findings from a technical analysis conducted by the Office of the Privacy Commissioner of Canada (OPC) examining the privacy implications of subscriber information elements which are not found in a phone book: email address, mobile phone number and Internet Protocol (or IP) address."
Full text:
A report by Sir Paul Kennedy.
From '9.4 Protection of Freedoms Act 2012 (judicial approvals for local authority communications data requests)':
"I have previously reported that I was unconvinced that the Government's proposal to require all local authorities to obtain judicial approval before they can acquire communications data would lead to improved standards or have any impact other than to introduce unnecessary bureaucracy into the process and increase the costs associated with acquiring the data. The Protection of Freedoms Act 2012 came into force in this respect on 1st November 2012 and regrettably the evidence that has been shared with my office to date reinforces my standpoint. [...] Local authorities have reported experiencing lengthy time delays in just obtaining an appointment with a magistrate (in the worst case 6 weeks). Other local authorities have reported that the magistrates were totally unaware of the legislation and as a result they had to provide them with advice and guidance. This is worrying, particularly considering the Home Office gave a commitment to properly train the magistrates to carry out this role."
Full text (PDF):
See also:
A report by Jamie Bartlett and Carl Miller.
From 'Challenges':
"Whether challenged on a policy, sought-after for information, or contacted to investigate an alleged crime, there was a strong expectation and requirement in many of these tweets for the police to respond. It became clear that a non-response from the police, in many different contexts, could lead to a negative outcome: an emboldened rumour, an infuriated questioner, or a neglected victim. It appears to us that the Met account has allowed many more people to engage with the police, and that many look to the feed as an important source of information. Maintaining this integrity and trust is clearly vital. However, these incidents are especially difficult to understand and act upon. Trustworthy citizen-journalism, pressing demands and revealing insights sit side-by-side with lazy half-truths, deliberate mistruths, ironies, trolling and general nonsense. Sorting through this mass of information, especially at the speed demanded by the tempo of the twitcident itself, is a formidable intellectual, technological and operational challenge. [...] Underlying this, there are legal and ethical questions - still open – as to how the police can collect and use social media information in a way that is proportionate, legal and can command public confidence and support. The official collection and use of social media information is a controversial and contested practice, especially for the purposes of intelligence and security."
Full text (PDF linked from this page):
See also:
A tool kit by Reporters Without Borders.
From the web page:
"This Online Survival Kit offers practical tools, advice and techniques that teach you how to circumvent censorship and to secure your communications and data. This handbook will gradually be unveiled over the coming months in order to provide everyone with the means to resist censors, governments or interests groups that want to control news and information and gag dissenting voices."
Full text:
See also:
A paper by Rebecca Balebako, Richard Shay, and Lorrie Faith Cranor.
From the Abstract:
"The National Telecommunications and Information Administration (NTIA) has proposed a set of categories and definitions to create a United States national standard for short-form privacy notices on mobile devices. These notices are intended to facilitate user decision-making by categorizing both smartphone data to be shared and the entities with which that data is shared. In order to determine whether users consistently understand these proposed categories and their definitions, we conducted an online study with 791 participants. We found that participants had low agreement on how different data and entities should be categorized."
Full text (PDF linked from this page):
A SANS whitepaper written by Barbara Filkins.
From the Introduction:
"As help desks are ordered to help, they are ripe for others who wish to take advantage of their mission. For decades, the help desk has been a back door to enterprise network resources through social engineering - the art of trickery to get others to give up information they shouldn't. [...] Are organizations aware of the risk their help desks represent for their enterprises? If so, what measures are they taking to protect their enterprises? To find out, the SANS Analyst Program conducted an online survey of more than 900 people between January and March 2013."
Full text (PDF):
See also:
A paper by OECD.
From 'Privacy and consumer protection':
"The Privacy Guidelines define personal data as 'any information relating to an identified or identifiable individual (data subject)'. Any data that are not related to an identified or identifiable individual are therefore non-personal and are outside the scope of the Guidelines. However, data analytics have made it easier to relate seemingly non-personal data to an identified or identifiable individual (Ohm, 2010). Furthermore, big data applications may affect individuals using data which are generally considered non-personal (Hildebrandt and Koops, 2010). These developments challenge a regulatory approach that determines the applicability of rights, restrictions and obligations on the basis of the 'personal' nature of the data involved. As the scope of non-personal data is reduced, the difficulty of applying existing frameworks effectively become more acute. Many data-driven goods and services also raise issues for the application of the basic principles of data protection, such as purpose specification and use limitation. These goods and services offer opportunities for beneficial re-use of personal data, often in ways not envisaged when they were collected. They also implicitly rely on the lengthy retention of information. As such, they stretch the limits of existing privacy frameworks, many of which take limits on the collection and storage of information, and on its potential uses, as a given (Tene and Polonetsky, 2012)."
Full text (PDF linked from this page):
See also:
An essay by Paul M. Schwartz and Daniel J. Solove.
From the Abstract:
"The existence of personal information - commonly referred to as “personally identifiable information” (PII) - is the trigger for when privacy laws apply. PII is defined quite differently in US and EU privacy law. The US approach involves multiple and inconsistent definitions of PII that are often quite narrow. The EU approach defines PII to encompass all information identifiable to a person, a definition that can be quite broad and vague. This divergence is so basic that it significantly impedes international data flow. A way to bridge the divergence remains elusive, and many commentators have generally viewed the differences between US and EU privacy law as impossible to reconcile."
Full text (SSRN):
See also:
A report by Kamala D. Harris, Attorney General, California Department of Justice.
From the Executive Summary:
"California's landmark law on data breach notification, which requires businesses and state agencies to notify Californians when their personal information is compromised in a security breach, took effect in 2003. [...] The law also opened a window on privacy and security practices for companies, researchers, and policy makers. In 2012, for the first time, those subject to the California law were required to provide copies of their notices to the Attorney General when the breach involved more than 500 Californians. We received reports of 131 breaches in 2012, and we have reviewed the information submitted in order to gain an understanding of the types of breaches that are occurring, what vulnerabilities they may reveal, and what actions might be taken to prevent or reduce the likelihood of future breaches. In this report, we describe what we have seen and offer some recommendations based on our findings."
Full text (PDF):
See also:
A report by PwC.
From the press release:
"The 2013 State of Cybercrime Survey was conducted by CSO magazine in collaboration with PwC, the U.S. Secret Service and the Software Engineering Institute CERT Program at Carnegie Mellon University. The survey was conducted between March 20 and April 25, 2013. Over 500 US executives, security experts, and others from the private and public sectors responded to the survey questions."
Full text (PDF files linked from this page):
See also:
A paper by Penica Cortez and David Hay.
From the Abstract:
"This paper reports a study of privacy breaches in the U.S. from 2005-2011 to explore potential benefits of data privacy disclosure and auditing. Privacy auditing is a mechanism to help organisations to be vigilant in protecting information privacy, and to avoid penalties or damage to reputation and losing customer trust. Recently, privacy audits have been imposed on several high-profile organizations, but little is known about the benefits of privacy audits. We examined whether companies with privacy disclosures in their audited financial statements (as a proxy for privacy audits) were more or less likely to incur subsequent privacy breaches, and whether companies incurring breaches were more or less likely to make privacy disclosures."
Full text (SSRN):
See also:
Rule amendments by the Federal Trade Commission (FTC).
Summary of the 'COPPA Rule':
"The Commission amends the Children's Online Privacy Protection Rule ('COPPA Rule' or 'Rule'), consistent with the requirements of the Children's Online Privacy Protection Act, to clarify the scope of the Rule and strengthen its protections for children's personal information, in light of changes in online technology since the Rule went into effect in April 2000. The final amended Rule includes modifications to the definitions of operator, personal information, and website or online service directed to children. The amended Rule also updates the requirements set forth in the notice, parental consent, confidentiality and security, and safe harbor provisions, and adds a new provision addressing data retention and deletion."
Full text (PDF linked from this page):
See also:
An article by Jeremy Singer-Vine and Anton Troianovski (WSJ).
From the article:
"A Wall Street Journal examination of 40 popular and free child-friendly apps on Google's Android and Apple Inc.'s iOS systems found that nearly half transmitted to other companies a device ID number, a primary tool for tracking users from app to app. Some 70% passed along information about how the app was used, in some cases including the buttons clicked and in what order. [...] Data transmissions related to child-friendly apps will be subject to greater government scrutiny after July 1, when the Federal Trade Commission's new rules on children's online privacy take effect. The rules, which were adopted in December and outline how the FTC enforces the Children's Online Privacy Protection Act, or Coppa, expand the types of information considered 'personal' and, hence, protected."
Full text:
See also:
A publication by the mHealth Alliance, Thomson Reuters Foundation, Merck, and Baker & McKenzie.
From the Executive Summary:
"Amid the rapid growth of mobile network technology and infrastructure throughout the world, especially in low- and middle-income countries, the potential of mobile to support the achievement of health priorities is an area of active exploration and engagement. According to a 2011 World Health Organization report, governments cite issues related to data privacy and security and the protection of individual health information as two of the top barriers to the expansion of mHealth. Protecting personal health information that is collected and transmitted over mobile devices is essential to bringing mHealth to scale and providing a mature foundation for its continued growth. The mHealth Alliance, the Thomson Reuters Foundation, Merck, and Baker & McKenzie partnered on a project to better understand privacy and security policy issues related to mHealth and identify gaps that must be addressed to protect health data. The partnership undertook a global landscape analysis of current privacy legislation and regulation was undertaken, with a closer look at a selected group of case study countries in Africa, Asia and Latin America, to establish a baseline for the discussion and provide examples of what different approaches to privacy regulation are already in use."
Full text (PDF):
See also:
A publication by the International Working Group on Data Protection in Telecommunications.
From the Introduction:
"This paper is based on a foundation of respect for the fundamental rights and freedoms of Web users. Although it does not focus on specific technical remedies the paper does assume that the technical action of Web tracking must be lawful, appropriate and that it must operate within a strict framework of those rights. The principles of choice and control - claimed by much of industry - sit at the core of this framework, and those principles must be enacted with precision upon the pillars of clarity, transparency and accountability. The justification for the imposition of Web tracking is not self evident and thus industry and other tracking exponents must continually strive to explore solutions that bring this activity not just squarely within the framework of fundamental rights and privacy, but also in line with the imperative of Privacy by Design."
Full text (PDF):
See also:
By Tor B. Edeland, Orin S. Kerr, Marcia C. Hoffman and Hanni M. Fakhoury.
From 'Issues presented for review':
"This is an appeal from a remarkable and unprecedented criminal conviction. The government charged Auernheimer with felony computer hacking under the Computer Fraud and Abuse Act ('CFAA') for visiting an unprotected AT&T website and collecting e-mail addresses that AT&T had posted on the World Wide Web. The government also charged Auernheimer with identity theft for sharing those addresses with a reporter. This prosecution was brought in New Jersey even though neither Auernheimer, his alleged co-conspirator Daniel Spitler, nor any computer or communications were actually located in or passed through New Jersey. Finally, Auernheimer was sentenced to a forty-one-month prison term based in large part on AT&T's decision to spend approximately $73,000 to supplement e-mail notification to customers with a postal letter informing them that their privacy was not breached."
Full text (PDF linked from this page):
See also: