Google set for some interesting challenges

Google's Street View product looks set to ruffle privacy feathers and perhaps gain some valuable insight into legal interpretation of the UK's privacy laws.

Simon Davies of Privacy International is reported on the BBC website as saying:

"In our view they need a person's consent if they make use of a person's face for commercial ends,"
I'm not sure that 'for commercial ends' is the crux of the issue, but rather whether Google can rely on any specific exemption from the Subject Information Provisions. After all, newspapers use images of people in the street for 'commercial means', it's just that they can (often) apply an exemption from subject information provisions on the basis of journalism (DPA 98 S 32).

So what is Street View, is it Art, Journalism or Literature? Mmm, none of the above methinks, although having a special purpose linked to a concept as vague as 'Art' is bound to encourage strenuous debate. Have a read of Tolstoy's 'What is Art?' and see if you can claim that Street View creates a specific emotional link between artist and audience, one that "infects" the viewer.

Like Privacy International, I think Google are on some thin ice here.


Is assumed consent enough? Further thoughts ...

Whilst working on a Privacy Policy for a client, we did some more research on this issue. One of the policies we looked at was from the Adobe company who refer to this issue specifically.

Take a look at their 'take' on this here ...

"You will be deemed to have been made aware of, and will be subject to, the changes to the Privacy Policy after such notice has been posted with the following exception:"

Looks like assumed consent to me. What exception could this be?

"... if at the time you provide personal information to Adobe you limit how such information will be used to communicate with you, either by Adobe or by third parties, Adobe will not change your preference in this regard without your express consent."

Now that seems a whole lot fairer (and more in the spirit of DPA98).

So Adobe have restricted (quite dramatically) the basis on which they can continue to rely on assumed consent, whilst it seems many other organisations have not.

Nee Naah, Nee Naah, Nee Naah!

No doubt there will be a lot of 'ambulance chasing' in data encryption sales over the next few weeks; and I'm not one to look a 'gift horse in the mouth'.

As HMRC and the government reel from the Child Benefit data loss disclosure, I'm sure they will receive a great many 'have we got a solution for you!' offers; perhaps ours will be one of them! So why the reluctance to encrypt data? Had 'those two discs' that went missing in the internal post been encrypted, this whole story would have been akin to a damp sparkler on a wet bonfire night.

I'd like to suggest that it's because the business case for 'on-the-fly' whole disc encryption simply has not been made.

"It's too difficult, too expensive, users won't use it!" RUBBISH.

That's like saying it's too difficult to stay in touch with relatives overseas; the world's moved on, VoIP has sorted out the distant 'relies'. Similarly, the world's moved on in the field of encryption technology and ISVs like Mobile Armor have seriously addressed the barriers to encryption adoption.

Take a look at how it can be achieved ... tomorrow could be your day in the media spotlight!

Is assumed consent enough?

When Banks move the 'goal posts'

Is it legal for banks (and other data controllers) to make significant changes to the manner in which they process personal data and not seek a 'positive signifying action' that the data subject consents to such use (changes) of their personal data?

This practice seems to happen all the time, with Egg Bank being the latest to change the way it uses my personal data.

They change the terms and conditions, send an email and then assume that I have consented to the changes. Rather along the lines of, 'we may change our privacy policy from time-to-time; it's up to you to read it and tell us if you're not happy'.


12.4 We may transfer your Personal Information to a Group company, Linked Supplier or subcontractor or person acting as our agent in another country so long as they agree that your Personal Information will receive the same levels of protection as we are required to give it in the UK. You consent to having your personal data transferred by us, or others processing on our behalf or their agents, to regulators, authorities and law enforcement agencies in other countries (including countries outside the European Economic Area having less stringent data protection requirements than those within it) if the disclosure is required by the laws or regulatory rules of those countries.

What is a 'Linked Supplier' and what do they do with my data, for example?

The world moves on, I know, and mergers and acquisitions are part of Life, but there is legislation out there and I'm not entirely sure the banks are playing by the rules.


Time to call the Commissioner!

Increasing surveillance bad for privacy

The Royal Academy of Engineering has published a "challenging report" that questions the growth of surveillance technology and the way in which this technology impacts our quality of life. How, for example, can citizens buy ordinary goods and services without having to prove who they are and divulge private information to Governments and businesses?

In the report, "Dilemmas of Privacy and Surveillance - challenges of technological change", the academy looks at the far reaching implications of surveillance and data management technologies.

"Engineers' knowledge and experience can help to 'design in privacy' into new IT developments," says Professor Gilbert. "But first, the government and corporations must recognise that they put at risk the trust of citizens and customers if they do not treat privacy issues seriously."

To download a copy of the report, follow this link.

Police probe ‘web torture’ at top school

As reported by Jack Grimston: Timesonline April 1st, 2007

This report in the Sunday Times obviously caught my attention, being one of the areas that iCompli have specialist solutions to prevent.

"ONE of Britain’s top independent schools is under police investigation over allegations of pupil bullying involving the use of internet images of torture, murder and child pornography."

Using a combination of text and image based software monitoring tools, schools are perfectly capable of managing this and AVOIDING the harm and damage that is done.

Whilst it can be difficult to 'forensically' place a person at the keyboard (false log-ins etc.), it is NOT difficult to be aware of the occurrence of this activity and to proactively deal with these types of so-called 'cyber abuse'. When schools, or any organisation for that matter, profess to being vigilant, I wonder how they technically deliver such vigilance? How do they monitor all internet access, including the overseas boarder who uses their own laptop to web conference with their parents in Hong Kong?

“We are always vigilant and thorough in any matter linked to child protection, to the welfare and safety of pupils and to their pastoral care,” the head teacher said.

With care, thought, and yes investment in monitoring tools, the pastoral care of our children can be greatly enhanced.

We cannot expect to give our technology-wise children safe access to THE most unregulated, media-rich environment on the planet without professional monitoring.


For a demonstration of how iCompli could have helped prevent this happening, ask for a free evaluation of text and illicit image monitoring tools. Call us on 01327 856 200.

A SOPO storm in a tea cup?

"Will email marketing make you a registered sex offender"
"Sending offensive emails can land you on the UK Sex Offenders' Register"
"Racy emails could land sender on Sex Offender List"

Really ... Seems to me that there has been rather too much headline searching here. 

The recent introduction of The Sexual Offences Act 2003 (Amendment of Schedules 3 and 5) Order 2007 no doubt has important connotations, and it's clear that the law now makes it possible for someone to become the subject of a Sexual Offences Notification Order (SOPO) as a result of their email activity. But is it likely that sending your friends 'THAT' picture of Jordan is going to have you on the Sex Offenders' List? OF COURSE NOT!

What then is the real message behind the headlines?

I consider there are three clear messages: 1. society is increasingly less tolerant of sexual offences, 2. increasing use of electronic surveillance means there is no place to hide, the equivalent I suppose of clamping down on 'digital sex tourism', and 3. legislation is catching up with technology, closing down any loopholes that existed in law.

Yeah, I'll open that email ... NOT!

I once sat in a bar and jotted down all the snippets of conversation that rose above the background 'gobbling turkey' noise. I wondered if I could get a sense of people or place from those snippets. It was a long time before the next flight!

I've decided to start something similar!  Just a list, but then the web is full of those, of ludicrous SPAM subject lines that are supposed to entice me to open unsolicited mail. Above all the email 'noise', could there be some genius out there?  These are all genuine SPAM filter catches, believe it or not.

Feel free to send me your best SPAM subject lines and append this blog.

THE LIST

spoonful brainwashing

good morning iamjustsendingthisletter

make your fat friends envy you

Blog crap smell

Wish could quietly dating Versace

Bet spiritually

Can’t stand sex all night long?

Please summarize your experience in the nuclear power field other than as a Fire Marshal if applicable.

He played some Christmas music and Howard said that they're going to hell for that.

Earth's Crust Missing in Mid-Atlantic

teleprompter then heinz

Know how to 'erase' your browser history?

Was Larry Ellison (Oracle CEO) right when he said "Your privacy is an illusion"?

Do we have a right to privacy which ensures that, even under the 'deepest' investigation of our computers, our surfing/electronic activities remain private?

We are set to find out what the US courts think in a classic David/Goliath battle as Michael Crooker takes on Microsoft and HP, who, he claims, failed to protect his privacy by allowing FBI agents to recover his browsing history after he had deleted the History files.

Microsoft says it makes no claims about erasing the internet history tracks; deletion not being the same as erasure.

Whatever you may feel about the reasons Mr Crooker was detained and his PC investigated (sale of illegally modified firearms), many will feel that the likes of Microsoft and HP should do more to explain to their customers exactly what their software does and does not do.

Take a look at guidance from the UK Information Commissioner on the use of 'cookies' and the legal requirements of the Privacy & Electronic Communications Regulations (PECR);

"The mechanism by which a subscriber or user may exercise their right to refuse continued storage should be prominent, intelligible and readily available to all, not just the most computer literate or technically aware. Where the relevant information is included in a privacy policy, for example, the policy should be clearly signposted at least on those pages where a user may enter a website. The relevant information should appear in the policy in a way that is suitably prominent and accessible and it should be worded so that all users and subscribers are able to easily understand and act upon it."

Notice the emphasis on making the technology side comprehensible to ALL. When a piece of software, like Internet Explorer, is capable of processing sensitive data, e.g. information relating to sex, sexuality or sexual health, shouldn't the risks be explained to the customer in a way that is ... prominent, intelligible and readily available to all, not just the most computer literate or technically aware?

NU Speeeeedy response

Well done Norwich Union!

Got a very speedy response back from NU, who clearly have got their finger on the pulse!

Here's what they said ...

"Further to your email earlier today thank you for bringing this issue to our attention so quickly.  We are extremely sorry for any upset this has caused to those who received it.

At Norwich Union we are committed to providing a first class service and we hate junk e-mail as much as you do.  We have a rigorous internal process designed to ensure that all our customer communications comply with advertising standards and the Law. Unfortunately, in this instance, the omission of our normal “unsubscribe” facility was not noticed.

We have discussed this with the company who broadcast our emails for us and as a result of this conversation and the recommendations received we have implemented the following actions with immediate effect:

1.    We have removed anyone who has complained from receiving any future email marketing communications
2.    All future marketing emails will include the opt out option.

We sincerely apologise again for any inconvenience this may have caused to those who received the email it certainly was not our intention to upset anyone. 

If any customers who received this would like to unsubscribe from future marketing communications they can contact us at the following e-mail address. They will need to use the e-mail address which they would like us to remove from future mailing lists and state ‘unsubscribe’ in the subject box."   webmaster@norwich-union.co.uk

Thank you, is what I said.

A word of warning to others

If you're going to outsource your electronic contact to an agency, make sure that your agency selection process includes finding out about their knowledge of current contact legislation. There are many agencies out there who really do know their stuff, but even the best will usually admit to being a 'bit rusty' when it comes to the law.  Try them out on Regulation 8 of the Electronic Commerce (EC Directive) Regulations 2002 SI 2013 or the recent changes to the Companies Act 2006; you have got a 'proper' footer haven't you?

Regulation 8 of the Electronic Commerce (EC Directive) Regulations 2002 SI 2013??

"A service provider [that's you the sender of the message] shall ensure that any unsolicited commercial communication sent by him by electronic mail is clearly and unambiguously identifiable as such as soon as it is received [in other words, no 'Hi message from Andy' in your subject lines]."