
Pokémon Go and Location Privacy

There is one species of Pokémon that even the most dedicated of Pokémon Go players are unlikely to ever catch, and that of course makes it all the more desirable.

Privachu like to be left alone to go about their lives. They are not unfriendly and can be quite gregarious. They are also not as rare as one might think given how difficult they are to get hold of. What makes Privachu different from all other Pokémon is that they choose when and how to reveal themselves, rather than just broadcasting their location to anyone who might want to find them. And of course they will only reveal themselves to others they trust not to pass the information on to people they do not want to be found by.

OK, they don’t exist really, I’ve just made them up (though if anyone from Niantic wants to create Privachu, I am willing to be reasonable on the royalties – do get in touch).

Pokémon Go, the augmented reality, location-based mobile game, is currently taking the world by storm, but has been the source of some significant concern around the amount of personal data collected by the app, and how this may be shared. This is especially important because it is played largely by children.

Much of the early privacy concern focussed around the fact that users appeared to be required to give Niantic, the company behind the game, full access to their Google account (one of the main ways of registering in the game), which would include all their contacts and any documents stored in Google Docs.

However, it was fairly quickly revealed that this was actually the result of a configuration error, which was rapidly corrected, and that Niantic did not make use of, or try to access, any of the extra information it didn’t need to verify the identity of the player. Nevertheless, even this short-lived issue might have impacted millions of people and should provide a summary lesson in putting privacy thinking at the heart of the user experience design process.

The long term privacy issues with Pokémon Go, however, clearly focus on the location issue. Of course location based digital services have been around for at least as long as the smartphone itself. Aside from the obvious ubiquity of connectivity, location driven services are the smartphone’s killer app, the one that makes it worth all the investment in many ways.

What is perhaps different about Pokémon Go is that it is not simply collecting location data – it is actively incentivising large numbers of people to visit particular locations where Pokémon can be caught.

Yes there are big questions around the privacy concerns of sharing (selling) of location information with third parties, and those questions are already giving rise to investigations, notably in the USA and Germany.

What I think is more interesting is – how are decisions made about where to place PokéStops, and what Pokémon are to be found there? There is a huge potential here for a kind of targeted manipulation, the encouragement of particular audiences and profiles to visit specific locations. Niantic would be crazy if they didn’t see the potential in selling this capability, and I would be very surprised if on some level they are not already either doing it or thinking about doing it. There will be a powerful profit motive for it. Want to drive more visitors to your location? Pay for a particular Pokémon to make an appearance, or your competitor will.

Then of course there are also the unintended applications of the data. There have already been stories of crimes, even a murder, linked to the location data elements of the game. How long before the first major hack is uncovered?

Pokémon Go is going to be an interesting privacy story for quite some time I think. Not simply because of its huge popularity, though in no small part because of that, but because the use of location data is only going to grow over the coming years, and the issues are only going to get more complex. The popularity of Pokémon Go and the huge amount of data it generates will almost certainly make it a pioneering proving ground for both the problems and, hopefully, the solutions.

Meanwhile, if you’d like to know where to find Privachu, you will have to wait for them to reach out, when they have learnt to trust you.

General Data Protection Regulation Top Ten Issues

The ink is barely dry on the draft, but the EU General Data Protection Regulation (GDPR) looks set to change the regulatory environment for personal information not just in the EU, but around the world. Its aim is to create a legal infrastructure for the use of personal data that is fit for purpose, both today and in the future.

The GDPR was designed to increase legal certainty with regards to information flows both within the EU’s borders and beyond. It also introduces stronger consumer protections, with requirements for greater transparency and accountability about how data is used by businesses, not-for-profits and governments alike.

This is intended to give individuals increased trust in data practices.  Consumer research in the last few years has shown consistently high levels of concern and lack of trust in this area, and this is believed to be a potential brake on the future growth of digital technologies.

However, in order to achieve these goals the GDPR does come with some stings in its tail. It places much greater requirements on businesses to communicate effectively with customers, and obtain much clearer consent for the use of their data.  Organisations also have to provide customer choice mechanisms, and there is a greater emphasis on documenting data processing activity. And then of course there are the fines.

At over 200 pages it is a very wide ranging instrument.  However, for those who haven’t had time to read it yet, these are what we think the top 10 issues for most organisations will be.

1.  A broader definition of Personal Data

As we predicted earlier, the scope of what constitutes ‘personal data’ has explicitly been broadened to include any information ‘relating to’ an individual. This specifically includes ‘online identifiers’ so cookies and the advertising IDs seen in the mobile eco-system will be caught up, along with anything that contributes to identifying an individual, or links to such identifying information. This has some widespread implications for online tracking in particular.

2.  A higher bar for consent

Whilst the final text shied away from explicit consent as a requirement, except when special categories of (sensitive) data are concerned, there is still much emphasis on gaining consent through active user mechanisms like tick boxes.

A key part of the test of the validity of consent is whether consumers understand what they are agreeing to, and are given a meaningful choice. There is also a significant shift in the burden of proof.  You will need to be able to provide evidence that you obtained consent from specific data subjects, which is going to require much better record keeping for many organisations.

3.  Data Protection Officers

Although not a universal requirement, many organisations will be required to appoint a Data Protection Officer (DPO) to oversee data uses and ensure compliance with the law. They will be mandatory in the public sector, but for private sector organisations the key test will be whether the organisation is involved in “systematic monitoring of data subjects on a large scale”. It is not clear at this time how ‘large scale’ will be interpreted.

Earlier, more detailed requirements for the skills and experience of the DPO, and guarantees over their employment, have been dropped, but a key issue in the short to medium term will be a lack of the right people to fill such roles.

DPOs however can be outsourced, which may create a market for new services, especially to cater for the needs of smaller businesses.  The DPO responsibilities can also be given to someone alongside other work within the organisation, as long as this does not create a conflict of interest.  So training existing staff into the role could be a viable option for many.

4.  Transparency and Accountability

The GDPR scraps the need for controllers to register with their Data Protection Authority (DPA), but replaces this with a requirement to both better inform data subjects about practices and rights, and to keep records that can be made available on request – such as in the event of a data breach or a compliance complaint.  Such records are about demonstrating that the organisation has thought through the impact of its systems and processes, and made informed choices about how to comply with the GDPR.  The Data Protection or Privacy Impact Assessment (PIA) is one example of such documentation.  It is intended that a PIA will show that an organisation has considered the risks associated with its particular personal data practices, and taken reasonable steps to control or mitigate them.

There are also new requirements on the level of detail that organisations must provide to data subjects about their practices, as well as a need to make sure that this information is both accessible and easy to understand. In particular there is a need to explain the logic behind decisions made on the basis of analysing personal data – which may have particular significance in some sectors that have relied on such processes being largely secret. Organisations are also expected to inform subjects about their rights and how to exercise them.

5.  Data Protection by Design and Default

Although references to this have been cut back in comparison with earlier versions of the text, the GDPR requires that the design of systems and processes give consideration to compliance with the principles of data protection. Particular emphasis is placed on the ideas of only collecting data necessary to fulfil specific purposes, discarding it when it is no longer required, and protecting data subject rights.

It also sets up the possibility for the development of certifications and codes of practice that organisations can follow to help meet these requirements. Keep an eye out for these as they develop. In particular we expect DPAs to get involved in this area. They will be losing their registration fees and therefore needing new sources of income. In the UK the Information Commissioner’s Office (ICO) has already been developing this idea, so expect it to continue. Trade bodies are also likely to have a role to play here.

6.  The Right to Erasure and Data Portability

These new data subject rights are likely to pose challenges for many organisations. The right to erasure is a clarification of the much talked about ‘right to be forgotten’.   Although the circumstances when the right can be exercised have been made clearer, the balancing against other rights and obligations is still needed.

The right to have a copy of your data in a machine readable form to transfer to another provider may be difficult at first, but it could also lead to better systems interoperability in the longer term – which is already a growing technology trend.  In particular this provision may facilitate the development of the market for ‘personal data stores’, an idea that has long been talked about, but not yet fully realised as providers have struggled with sustainable and scalable business models.

7.  Removal of Subject Access Request Fees

Data subjects have a right to know whether or not an organisation is processing their personal data, what that data is and the purposes of the processing.  The GDPR removes the ability to charge an upfront fee for providing such information, and there is a risk requests will increase as a result of this, pushing up costs.  Current allowable fees don’t exactly cover the cost of  a Subject Access Request (SAR), but are seen as a deterrent to time wasters.  If companies are no longer able to charge fees, it is feared this could open the floodgates to many more SARs.

Companies will be allowed to charge for subsequent copies of the same data, which may reduce the risk of this to some extent. However, it may be worth investing in making sure you can respond to such requests as efficiently as possible, which will not be easy in many cases.

8.  Reporting Data Breaches

Data controllers will be required to report data breaches to their DPA, unless it is unlikely to represent a risk to the rights and freedoms of the individuals concerned. However this qualification may be difficult to judge, so in many cases, it will be safer to notify. The notice must be made within 72 hours of becoming aware of it, unless there are exceptional circumstances, which will have to be justified.

Where the risks to individuals are high, the data subjects themselves will also need to be notified, although a specific time scale is not specified for this. It is also worth noting that the DPA can instruct an organisation to inform data subjects if they haven’t already, so we can expect to see further guidance on the circumstances when it would be correct to do so.

9.  Fines

The GDPR very deliberately raises the bar in terms of the ability for DPAs to issue fines for breaches of the rules.  They can go as high as 4% of global turnover.  Not only are these designed to ensure data protection becomes a board level issue, by taking into account worldwide revenues, they seek to side step attempts by multinationals to engage in fine-avoidance business structures.

It is also worth noting that fines can be levied without the necessity to demonstrate harm – although the largest ones will likely be reserved for cases where data subjects have directly suffered damages.

10.  Data Processor Responsibilities

Organisations that only process data on instructions from their client are not directly covered by the current data protection regime.  Their actions were assumed to be governed by agreement with the customer who would be the data controller, and therefore directly responsible for the actions of the processor. However this all changes under the GDPR, and processors now have direct legal obligations and responsibilities.

In particular this means that processors can in certain circumstances be held directly liable and be required to pay compensation to a data subject. It will therefore become very important to establish the contractual relationships and liabilities of the different parties in a controller/processor relationship, and the costs of some services by processors may rise to offset additional risks and insurance costs.


We hope you find this useful.  In future posts we will look at more details of what you can do to prepare, as well as looking into each of these areas in more detail.

In the meantime, if you have any questions and would like to know more about how the GDPR might affect your business, do get in touch and we will be happy to help.

Touchnote Hack – A Notification Failure?

The personalised postcard company reported it has become the latest UK online service to have lost the personal information of millions of individuals as a result of an attack on its systems.

It seems I am one of them, but it looks like they are not planning on telling me.  This seems to me a big hole in their breach notification strategy.

I am not one of their customers, but somebody I know is and I have received postcards via their service.  So my address details are in their systems.  I know that my data is part of the breach only because the person who is the account holder told me they had received an email confirming that the information in their account was amongst the stolen records – and that includes my address.

However, Touchnote seems not to be too concerned about this, as its online notice about the incident contains the following:

We also confirm the card recipient’s name and postal address regrettably has been stolen as part of this data theft. However there is no action required by the recipient as this information alone cannot cause identity breach.

Now, I have taken care to avoid my address information being widely available. I opt out of the edited electoral register, and registered with the Mail Preference Service. As a result I don’t get much promotional mail – which I am happy about as it saves everybody time and money, not to mention the environment.

I am now expecting this to change as the criminals will no doubt seek to get a return on their investment by selling my details on.

Worse than this, an obvious attack would now be to send me some mail, perhaps pretending to be Touchnote, to try and sell me some kind of identity protection.  It is not too hard to imagine how a cleverly worded letter, perhaps referencing the online news about the hack, could find enough people who would fall for some con that will result in them handing over money to the criminals. It would be even more effective if the criminals also had copies of the images used in past postcards – although this appears not to be the case.

Consider that the nature of the Touchnote service probably means the addresses of lots of elderly relatives who love to get personalised postcards of the grandchildren on holiday. There are already too many stories of the exploitation of the elderly and vulnerable in this way to not consider this a serious threat. Then of course such people also get added to ‘suckers’ lists and further monetised.

So Touchnote may be doing a reasonable job informing its customers, but logically, this represents less than half of the people who have had their information compromised.  At the moment it appears they have not thought about risks to them.

It is worth noting that under the new breach notification rules in the forthcoming EU GDPR, all data subjects have a right to be notified when a breach takes place. Companies need to realise that this means a lot more people than just their paying customers.

Editorial Note: A correction was made at 15.30 on the date of publication.  The original article stated it was not known if Touchnote had lost uploaded photos.  It was later stated that no photos were accessed illegally in the hack. This is now clear in the article.


Learning From Ashley Madison


The recent theft and subsequent leaking of the personal information of users of the Ashley Madison dating site for married people and its other stable brands is not the biggest data breach the world has seen in the last few years, but it is quite probably the most controversial.

Whatever people choose to think about the basic premise of the business, or the people that signed up to its services, the hacking and subsequent release of the data is illegal and quite likely to lead to serious harm for some of the users of the site.

It is therefore right that everybody who deals in the handling of personal data should look to see what they can learn from this event.

Context is King

The sensitivity of information, and therefore the lengths one should go to protect it, is often more reliant on context than the information itself.

Email addresses are personal information, yet they aren’t generally thought of as particularly sensitive or needing of close protection.  After all, they are about communication, so designed to be shared.

Stored in a database of people supposedly looking for an extra-marital fling however, is a completely different ball game.  As has been pointed out elsewhere, some of the emails leaked indicate users in Saudi Arabia, where adultery is a capital offense.  Though we don’t know it yet – the hackers may have condemned some people to death.

At the very least it seems inevitable that the marriages and careers of many people will be ruined. It doesn’t even matter if no wrongdoing took place; suspicion arising from the mere presence of an email address in the data will be enough to change some people’s lives forever.

Transparency, Transparency, Transparency

Amazingly enough, the privacy policy on the site is not that long or complicated. However, it is clear that different versions are served up to different users. On first access I noted my location was recorded as in the UK, and I got a policy from Praecellens Limited, operating out of Cyprus. However, I could switch my location to the USA, and then be served the policy from Avid Dating Life Inc. of Canada.

What strikes me is that even a cursory reading rings huge alarm bells. For a start the Cyprus policy, presumably for EU readers, is different, but it still uses US-style language, with lots of references to PII rather than Personal Data. So immediately it seems like a half-hearted job.

More importantly, it makes clear that although some information ‘may be considered as sensitive’ – the policy allows for any personal information to be sold to unspecified third parties for marketing purposes.  At the same time the policy also stresses how important privacy is to the business.

Of course we know that nobody reads privacy policies, and this seems to prove it.  I find it difficult to believe that anyone contemplating embarking on a clandestine affair would knowingly agree to such unspecified information sharing that could easily lead to legal disclosure of their use of the site.  All of which tells me that there needs to be clearer ways of surfacing this kind of information, and clearer indications of consent – something of course being called for under the EU Data Protection Regulation.

Beware the All Seeing Cookie

Running a very brief scan over a few of the public pages on the site we identified trackers from Google, Facebook and Twitter on the ‘Infidelity News’ blog.  These are all organisations that can tie online behaviour directly to real identities, meaning the site is directly leaking at the very least ‘interest’ data about identified individuals in a way that could immediately impact their wider social profiles unless they are extremely careful.

However, the site clearly ignores EU cookie law requirements for consent. It doesn’t even notify visitors, let alone give them some control. Yet this is very clearly the sort of site that users might want to keep out of their browsing history. Not giving users the option of simple controls is not only a breach of the cookie rules, it shows either a cavalier attitude to privacy, or ignorance of the power of the cookie to identify individuals.

Privacy is not Security

It also seems that, despite the promises about the importance of privacy, little thought was put into this when designing the system.

Email addresses were allowed to be on the system unverified – breaking data protection rules about accuracy of data as well as opening up non-users of the system to potential harm. Although the company claims that sensitive information is encrypted at rest on disk, as noted above, in this case even emails are sensitive, and were clearly not encrypted. Or at least not encrypted well enough to prevent their release.

Similarly, it has been widely reported that the password reset feature can be used to effectively reveal the email addresses of users registered on the site.

Some reports have suggested that the security on the site is generally better than many others, which also manages to highlight quite well that security and privacy are two different realms. I don’t know whether or not the company carried out any kind of privacy impact or risk assessment.  However, it seems obvious now that not enough attention was paid to privacy concerns in the development of the platform and its services.
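The two design failings described above, unverified email addresses and a password reset that discloses who is registered, as an added example that is not code from the original post or from the site itself: a reset handler whose reply differs depending on whether the address exists, beside a hardened handler that returns the same reply for every input and only ever mails addresses whose owner has confirmed them. The account table, the `OUTBOX` stand-in for the mail queue, `SERVER_SECRET` and all function names are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample account table for this example (not real data): address -> state.
# "bob" registered but never confirmed the address, the situation the post describes.
USERS = {
    "alice@example.com": {"verified": True},
    "bob@example.com": {"verified": False},
}

# Server-side secret used to derive address-confirmation tokens (constructed, example only).
SERVER_SECRET = b"example-only-secret-rotate-me"

# Stand-in for the outgoing mail queue so the behaviour can be checked offline.
OUTBOX = []


def leaky_reset(email: str) -> str:
    """Password-reset handler with the enumeration flaw: the wording of the
    response tells the caller whether the address is registered."""
    if email not in USERS:
        return "No account exists for that email address."
    OUTBOX.append((email, "reset:" + secrets.token_urlsafe(16)))
    return "A reset link has been sent to your email address."


def uniform_reset(email: str) -> str:
    """Hardened handler: identical response for every input. Whether a mail is
    sent is decided server-side and never reflected in the reply, and only
    confirmed addresses receive anything, so an address someone else typed in
    at sign-up cannot be used to tie its owner to the service."""
    account = USERS.get(email)
    if account is not None and account["verified"]:
        OUTBOX.append((email, "reset:" + secrets.token_urlsafe(16)))
    return "If that address is registered, a reset link has been sent."


def verification_token(email: str) -> str:
    """Derive an address-bound confirmation token as an HMAC over the address.
    Only someone who can read mail at that address can return it."""
    return hmac.new(SERVER_SECRET, email.lower().encode(), hashlib.sha256).hexdigest()


def issue_verification(email: str) -> str:
    """Queue the confirmation token for delivery to the address and return it."""
    token = verification_token(email)
    OUTBOX.append((email, "verify:" + token))
    return token


def confirm_verification(email: str, token: str) -> bool:
    """Mark the address as confirmed only if the presented token matches,
    using a constant-time comparison."""
    account = USERS.get(email)
    if account is None:
        return False
    if not hmac.compare_digest(token, verification_token(email)):
        return False
    account["verified"] = True
    return True


def mails_sent_to(email: str) -> int:
    """Number of messages queued for an address; shows that the hardened
    handler does no work for unknown or unconfirmed addresses."""
    return sum(1 for addr, _ in OUTBOX if addr == email)


if __name__ == "__main__":
    print(leaky_reset("nobody@example.com"))      # reveals the address is unknown
    print(uniform_reset("nobody@example.com"))    # same text as for a known address
    print(uniform_reset("alice@example.com"))
    token = issue_verification("bob@example.com")
    print(confirm_verification("bob@example.com", token), USERS["bob@example.com"])
```

The hardened reply removes the enumeration channel from the response body; response timing is a separate side channel, and a production handler should also rate-limit reset requests per address and per client so the remaining signal cannot be collected at scale.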

A Watershed Event?

The nature of the business makes it an obvious target for malicious attack. If there had been more thought given to privacy, it would not have made a breach any less likely to happen, but it may have reduced the impact of it.

The very nature of the potential damage here could in fact become a force for change in the way that the law looks at privacy harms.  Most law courts reduce harm in data breaches to financial loss.  Many actions fail because direct financial harm is very difficult to establish.

In this case, financial harm is likely to be way down the priority list of members. It will be the harm to their personal lives – in many cases irreparable – that will almost certainly be the focus of the inevitable law suits. How the courts deal with this could open the door for the wider recognition of non-financial harms in breaches of privacy – and that may make this a watershed event.

UPDATE 24 August:

Sadly, just three days after writing this post, my worst fears appear to have come true: two Ashley Madison users who had their personal details published, have reportedly taken their own lives as a direct result. My deepest sympathies go out to their loved ones.


Carphone Warehouse Data Breach – A Personal Experience

The personal information of 2.4 million customers of Carphone Warehouse and its related brands has been stolen in a cyber-attack, it emerged last weekend.

According to various accounts, the attack was discovered on Wednesday 5th August, and affected customers notified 3 days later on the Saturday.  The news then broke rapidly across the UK news media.

The company says it wrote directly to all affected customers, and the Information Commissioner’s Office has said it will launch an investigation.

However, this story has a personal angle for me, which I think highlights some of the issues around how such events are communicated.

I’m a Carphone Warehouse customer, I bought a phone contract from them two years ago, which was recently renewed through their related brand, Talk Mobile.  I didn’t get an email from Carphone Warehouse, but by coincidence I saw the story when it first broke on the BBC on Saturday morning.  At that time the story mentioned that customers with Talk Mobile may also have been affected.

About an hour after the story broke I got onto the Talk Mobile website, and there was no information about the breach.  I then contacted customer support via an online chat service.  They had clearly not been told and knew nothing about the breach.  I got a standard line about how they take security very seriously and my information was perfectly safe. I changed my password.

I monitored the website over the weekend but it was not until Monday that any information was published. At least it was prominent on the home page – unlike the Carphone Warehouse site which buried it in the News section.

However, the messaging here was not altogether reassuring either. It stated that ‘attempts’ were being made to contact customers, and if I ‘don’t hear’ anything I’m OK. However it gave no indication of when I might have expected to hear – so now I am in limbo.

My best guess is that I probably haven’t had my data stolen on this occasion, and of course I am happy about that. But I am not happy that I have to rely on that best guess. My trust in the company, such as it was, has been diminished because I feel as if I have no meaningful reassurance of safety. I would have felt much more confident if I had received a direct message that told me:

a)      The breach took place,
b)      but my data was not lost.

It may be that they can’t be sure about b) yet, so they can’t tell me that, but I still feel left in the dark.  Data breach notification is difficult, investigations and decisions have to be made in a fast moving environment.  I know this.  I also know that the priority has to lie with those people who definitely have had their information compromised.

However, this is more than just about compliance, it is about much broader brand damage limitation.  In that context, some kind of direct message to me as a customer, even to tell me I’m probably not at risk would have been very reassuring. Anything really would be good.  I don’t think you can over-communicate in a situation like this.

This is doubly important because of the data they hold about me: personal information I cannot change, but which exposes me to identity theft if it has been lost.

Maybe the thieves did get it, but somehow I got missed off the communication list?  That can easily happen, especially when communicating in a crisis situation.

Carphone Warehouse may not have lost my information, and I will probably never know, but they have certainly lost my trust, simply by failing to acknowledge me as a customer at a time of uncertainty.

Only time will tell if they will try to restore it again before I can leave them for someone else.

Germany Proposes Class Actions for Data Protection

One of the big differences between the USA and Europe when it comes to privacy law is in the respective enforcement regimes.

In the EU, breaches of data protection laws are investigated by Data Protection Authorities (DPAs), whose maximum powers are generally to hand out fines of a fairly limited nature. This money either funds the activity of the DPA, or, as in the case of the UK, goes into the public purse. There is no effective redress or restitution for the victims of the infringement.

By contrast, in the USA there are several mechanisms designed to directly compensate consumers and try to ensure they are protected from future harms, notably in the case of data breaches.  The costs to companies can run into hundreds of millions in any currency, and the argument is that this can act as a significant incentive to get things right in the first place.

I have heard more than one data protection lawyer argue that some system of individual redress in European data protection law would be a significant step forward in improving enforcement.  And this was coming from people who would be as likely to represent the company in question, as they would any individual victims.

Now it seems the Germans have taken a lead, as they often do in issues of privacy in the EU, and have proposed changes to their law which will open the door to collective, or as they are commonly known, class actions.

This would mean that in the case of a breach of data protection law that had an impact on large numbers of people, they would be able to appoint a representative to sue for compensation.  The idea being that the potential for this to happen, and the possible size of that compensation, should act to improve practices, especially those that might only have a small impact, but on large numbers of people.

These of course are exactly the kind of data practices that are common in new technology businesses, where risks are often little known because they are new or may be overlooked in the interests of growth and profit.

If these proposals become law, many organisations may be forced to up their game, or face huge damages to both profits and reputation.

Consumers Would Pay for Trustworthy Data Privacy

A recent survey of German consumers, often characterised as the most privacy conscious Europeans, suggests that a third of them would be prepared to pay to protect their personal data online.

As the report states, this translates to an untapped market worth around 900 million Euros – which is not a number that can easily be ignored, even if it would be difficult to turn into a real business opportunity.

However, perhaps more damning of the state of trust in the online economy is the fact that, of those two thirds who wouldn’t be prepared to pay, the main reason they gave was that they didn’t have any confidence that paying would actually protect their privacy.

Most people in the survey were aware that personal data has become the currency of the web, although an overwhelming majority didn’t support this core business model. It seems they feel that no-one is really being honest with them.

All of which gives support to the view from a recent US survey from Pew Research that consumers generally feel powerless to control their privacy online. It may also explain why 97% of the German respondents felt that regulators are not doing enough to stamp out and penalise misuse of personal data.

The Data Protection Regulation has proposed some eye-wateringly high penalties for breaches in the future. However, the real test of the new rules will be how many companies will feel the force of any regulatory action.

The German survey suggests that regulators are going to have to go a long way to demonstrate to consumers that they are fulfilling their role of keeping companies in line.  This is much more likely to happen if there is evidence that the risk of enforcement itself is quite high.

If regulators focus on getting big fines out of a small number of very large multinationals, whilst larger numbers of smaller companies breaching the rules are left alone, then the DPR will not do its job of building much needed trust in the overall digital economy.

Data Breach by Ministry of Justice Highlights the Importance of Training

The ICO has this month issued a fine of £180,000 to the Ministry of Justice for a data breach that was caused more by a lack of training than any technical issues.

The breach in question was the result of a lost hard drive from a prison in 2013.  The drive contained unencrypted sensitive data relating to prisoners, visitors, and victims of crime.

The real failure, according to the ICO’s press release, was that this breach was entirely preventable: it would not have happened if the prison service had been trained how to use the encryption capabilities built into the disk software.

Further compounding the error, the disk in question was part of a batch that had been supplied to prisons specifically for its encryption functionality, following a similar data breach 2 years earlier. The problem was that nobody bothered to tell the users that the encryption had to be turned on before the data would be secured.

In the words of Stephen Eckersley, ICO head of enforcement: “The fact that a government department with security oversight for prisons can supply equipment…without properly understanding, let alone telling them, how to use it beggars belief.”

It is a common belief that data losses occur overwhelmingly as a result of malicious attacks by hackers, or security failings in IT systems.  In fact, according to the latest data breach analysis report by the Ponemon Institute, 40% of UK breaches are caused by human error, which is also a higher proportion than in any of the other 9 countries covered by their report.

What this highlights is that good data protection practices are as much about training and management processes, as they are about securing IT systems.