
Showing posts with label data protection. Show all posts

Monday, 17 August 2009

Not yer average privacy policy (& what about third party cookies / web beacons?)





Hot on the heels of starting a couple of new blogs (A Health Experience, A Human Experience) on topics not related to consumer technology in order to keep this blog more targeted, I decided I ought to revamp my privacy policy and extend it to all 3 blogs, and make the link much more prominent (see the right sidebar).

Here's my new privacy policy.

It's a bit tongue in cheek but hopefully more readable for non-techies and non-lawyers than most, and hopefully it's also accurately compliant with both English and US requirements.

If anyone thinks otherwise or has any other comments, please let me know.

In fact I think it's more compliant than most because I decided I needed to factor in the use of blog widgets, in my case MyBlogLog and Delicious tagometer, as well as Google AdSense, Google Analytics and Statcounter of course. And the use of Google / Blogger for search, and logging in for comments.

(With thanks to Out-Law's cookie laws and data protection guides, the ICO's privacy notices code of practice and privacy policy, and the EFF privacy policy - I figured if anyone has tight privacy policies, the ICO and EFF will!)

The third party widgets issue - cookies / web beacons

It's an interesting question how you can write a proper privacy policy or privacy notice for your blog or site when you include third party widgets / JavaScript which plant cookies or web beacons on your visitors' computers.

Your privacy policy needs to cover their cookies or web bugs. But - you can't control what their scripts do!

Some of them provide enough information about what info their widgets collect and what use they make of that information, but others don't, or don't do enough - e.g. Google AdSense is fine (except for being unclear about web beacons - do they or don't they?), but Yahoo only give info about MyBlogLog's Recent Readers widget, not the click tracking, and nothing at all about the Delicious Tagometer. For more details about this lack of clarity, see my new privacy policy. (If anyone from Google or Yahoo! is reading this, maybe you could get it looked at?)

If the third party widget provider doesn't give you, the blog owner, enough info about their data collection, all you can do is refer your visitors to the third party's own privacy policy. But if theirs is incomplete, who is responsible by law, who gets lumbered with the swingeing fine?

Hopefully it'll be them, the third party widgeteer, not you, the mere blog owner. But if you voluntarily chose to include their widgets on your blog, could you be held responsible?

Maybe the safest, most risk-averse approach would be simply not to include third party widgets from any site that doesn't properly explain their widgets' personal data collection and use, even though that would really limit the features on your blog.

I really don't know the answer to that. If enough bloggers ask Google, Yahoo etc to clarify their widget usage, maybe they will? We can but hope.
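One way a blog owner could find out which third parties the privacy policy has to cover is to inventory the off-site scripts, frames and tiny images in the page markup. The following is an added example, not code from the original post; the sample HTML, all host names and `myblog.example` are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; every host name is a placeholder, not a real widget URL.
SAMPLE_HTML = """
<html><body>
<script src="/js/site.js"></script>
<script src="https://widgets.tracker-one.example/recent-readers.js"></script>
<script src="//ads.adnetwork.example/show_ads.js"></script>
<iframe src="https://badge.bookmarks.example/tagometer?url=x"></iframe>
<img src="https://stats.counter.example/t.gif?id=123" width="1" height="1">
<img src="https://images.photohost.example/cat.jpg" width="400" height="300">
<img src="/img/logo.png" width="1" height="1">
</body></html>
"""

class ThirdPartyInventory(HTMLParser):
    """Collect off-site hosts that serve scripts, frames or likely web beacons."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.found = {}  # host -> set of resource kinds seen from that host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag not in ("script", "iframe", "img") or not src:
            return
        host = (urlparse(src).hostname or "").lower()
        # Relative URLs have no host; the blog's own host and subdomains are first party.
        if not host or host == self.first_party or host.endswith("." + self.first_party):
            return
        if tag == "img":
            # A 0x0 or 1x1 off-site image is the classic web beacon shape.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            kind = "beacon" if tiny else "image"
        else:
            kind = tag
        self.found.setdefault(host, set()).add(kind)

def inventory(html, first_party_host):
    """Return {third_party_host: [kinds]} sorted by host name."""
    parser = ThirdPartyInventory(first_party_host)
    parser.feed(html)
    return {h: sorted(k) for h, k in sorted(parser.found.items())}

if __name__ == "__main__":
    for host, kinds in inventory(SAMPLE_HTML, "myblog.example").items():
        print(f"{host}: {', '.join(kinds)}")
```

This only sees the static markup: anything a widget's script requests after it runs will not appear, so the browser's network log is still needed for those.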

Saturday, 18 July 2009

Identity theft: is your personal data for sale on the internet? Lucid Intelligence, Garlik etc





This post has turned into a short overview (rather than review) of a couple of digital identity monitoring sites, after the Times reported that:

  • Over 4 million Britons’ identities are for sale on the Net.
  • Some 1/4 million British bank & credit card accounts have been hacked into.

It seems most of the data has been obtained by phishing - tricking people into emailing their user / password details by pretending to be the bank etc, and corporate / organisational emails and passwords have also been compromised. (See also this write-up of a fascinating overview of various kinds of cybercrime and how the criminals do it.) Bad practices by banks etc don't help. (Talking of bad practices, T-Mobile UK actually ask you to email them your customer services password, unencrypted of course, when you email them for help!)

What triggered the article was info provided by a British company, Lucid Intelligence, which has built up a database of personal data traded over the Web - put together over the last 4 years by retired senior Metropolitan Fraud Squad police officer Colin Holder.

Have your personal details been stolen? Lucid Intelligence database

The Times article says Mr Holder intends to “offset the cost [of building the database] by charging members of the public for access to his database to check whether their data security has been breached”.

But the Lucid Intelligence website itself says the searching is free, so the article isn’t quite accurate there. Searches cost nothing, but further information will be charged for. Their FAQ clarifies:

“Searches of the Lucid database will be free. If there is a hit for the information that you search for, we will show you a limited summary of what is held. A key part of that information will be an evaluation of the risk that that data poses to you. If you wish to see the full report with all of the data that we found, a £10 administration fee will be levied. This creates a search profile that you can come back to for a year from the date you request the full report. As we add data to the database, existing search profiles will be updated with new, matching data.”

Note that if you want to try searching their database you have to give them your full name and address plus either your email address or full postal address with postcode. You don't have to do both.

On the usability front, later searches offer a choice of Address or Email search, making it clear you don't have to give both addresses - but the initial search doesn't, which makes people think you have to enter both postal and email addresses. They ought to provide the dropdown on the initial search too.

Also, while they do say on the search page that you may have to try variations on your address e.g. abbreviations, they don't explain whether you ought to try variations on your name or not (e.g. initial or full word, middle names etc).

You can search anyone's details that you know, not just your own - they don't require any kind of identity verification before you search. Though they do before you actually sign up.

Without signing up with them you could still do the usual Data Protection Act "subject access request" thing to ask for any info they have about you, but that will cost you a "minimal charge to cover Administration charges" - their FAQs don't say how much but as I recall it's £10 max though it can be more in some cases (according to Google's cache of the ICO webpage - the site itself seems to be down.)

Garlik

Now this sort of service isn’t new.

The strangely named Garlik have for some time been selling a paid monitoring "Data Patrol" service - for businesses as well as individuals - that keeps an eye out for subscribers’ details being sold on the internet.

I think Lucid have been much cleverer in the way they've gone about marketing their services - not only because of the free publicity they've got through the Times and others through the "Scare 'em" approach that plays on fears about the security of personal data, but also because they let you do the initial search free of charge.

Garlik don't even offer one initial free search, or a cheap short trial, so personally I've never tested their service despite the illustrious history of the people behind them (see also my summary of Garlik CEO Tom Ilube’s comments in an RSA discussion Is Privacy Dead?). As with "experience goods" generally, it's simple diginomics - no free sample has been offered of a service whose value to me is uncertain in advance of my trying it, so I'm not willing to fork out £45 for a year's subscription. I'd be interested to know what people who've tried them think.

Lucid's name is a lot more "You can trust me to help you" than "Garlik", too.

I don’t know how profitable Garlik are in terms of their core services – but I notice that they’ve recently announced the open sourcing of their RDF semantic web platform 4store, developed in-house to underpin their identity protection and fraud prevention services, and will offer support and consultancy services to organisations wanting to use it.

It will be interesting to see how these and other identity monitoring and identity protection services develop, and their rate of take up as people become more nervous about identity theft.

(Times article pointed out by Open Rights Group newsblog).

Wednesday, 25 February 2009

Your privacy: cloud computing report & tips; privacy notices & ICO consultation





1. Cloud computing and your privacy

The World Privacy Forum on 23 February 2009 published:

For those not familiar with the term, “cloud computing” is basically where your data is stored and available online e.g. Facebook, YouTube, Flickr, emails on Hotmail etc. Very convenient as you can log in from anywhere you have a Net connection, but it involves risks to your privacy and private information.

To quote from the WPF summary (my emphasis):

“The report finds that for some information and for some business users, sharing may be illegal, may be limited in some ways, or may affect the status or protections of the information shared. Even when no laws or obligations block the ability of a user to disclose information to a cloud provider, disclosure may still not be free of consequences.

In its analysis and discussion of relevant laws, the report finds that both government agencies and private litigants may be able to obtain information from a third party more easily than from the creator of the information. A cloud provider’s terms of service, privacy policy, and location may significantly affect a user’s privacy and confidentiality interests.”

The report’s warnings on cloud computing and privacy seem particularly timely given the recent furore over Facebook’s Terms of Service or TOS allowing them to keep and use all your data even after you closed your account (see e.g. New York Times report and BBC reports and Facebook’s resulting “Bill of Rights and Responsibilities”). And, last year, there was a furore over the TOS for Google’s new Chrome browser too.

Using Chrome isn’t exactly the same as putting your data and information into the “cloud”, granted. But the Chrome TOS incident illustrates the same general issue. And in fact these issues aren’t new, even in relation to cloud computing – e.g. the Pew Internet and American Life project issued a memo on the use of cloud computing applications and services in Sept 2008, noting their increasing popularity amongst Americans but that “their message to providers of such services is: Let's keep the data between us.”

So, for instance, some time back I blogged about:

But the fuss clearly illustrates users’ increasing awareness of the fine print in the TOS of Web / internet services and their increasing concern about the risks to their privacy.

About time too, I say.

2. Privacy notices & your personal details – ICO consultation

As another sign of the growing realisation that this kind of problem needs to be addressed properly, on 12 January 2009 the UK information regulator, the Information Commissioner’s Office, had launched a consultation on a new draft Privacy Notices Code of Practice “designed to help organisations provide more user friendly privacy notices”. Particularly on their websites, of course, but it relates to all organisations that collect / store personal information about people.

To quote from the ICO (my emphasis):

“The ICO believes that some existing privacy notices contain too much legal jargon and are written to protect organisations, rather than to inform the public about how their information will be used… we want to ensure that privacy notices provide clear, user friendly information to the public about how their personal details will be used and what the consequences of this are likely to be”.

Not surprising and again about time too, I say!

If we do it by the closing date of 3 April 2009, we mere members of the public can respond on the draft Code of Practice on Privacy Notices too (e.g. if you don’t think it goes far enough to protect private individuals) - see the consultation page and their consultation response form (not a Web form but in RTF, and you have to save it in Word format and email it to consultations@ico.gsi.gov.uk).

If these issues interest you, you may also be interested in: