Today I found a Facebook privacy vulnerability affecting dates of birth. The scenario:
- The Facebook user hides their date of birth from view
- When today’s birthdays are viewed, those who choose to publish their year of birth have their age displayed. Those who have opted to hide their year of birth in their privacy settings do not have their age published. ( http://www.facebook.com/?sk=bd )
However…
- When viewed via the Facebook mobile site, their age is published ( http://m.facebook.com/birthdays.php )
Obviously from this, the individual’s date of birth can be easily calculated.
UPDATE: I have of course notified Facebook of this privacy flaw.
In a bizarre display of Italian privacy protection, Google bosses have been found guilty of infringing the privacy of an individual who was attacked and videoed, with the footage shared online using the Google Video Service. BBC News Article Here.
Italy of course now has an interesting set of cases making various parts of ‘normal’ web activity illegal. Remember when they made all blogs illegal as they amounted to “clandestine” press?
So - what are the options now for ISPs? The technological approach could mean the masking of faces from videos automatically, using similar face recognition technology employed in Google Street View. Costly and only for the big firms. Option 2, pull out of Italy; again costly but easiest. Thirdly, appeal.
This is the best option. As far as I can determine (with my limited Italian - awaiting a good translation of the judgement to land in my inbox), the judgement goes against the European Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) article which states that…
Article 12
“Mere conduit”
1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:
(a) does not initiate the transmission;
(b) does not select the receiver of the transmission; and
(c) does not select or modify the information contained in the transmission.
2. The acts of transmission and of provision of access referred to in paragraph 1 include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.
3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States’ legal systems, of requiring the service provider to terminate or prevent an infringement.
NB This is implemented in the UK as The Electronic Commerce (EC Directive) Regulations 2002.
I do not post that I am going on holiday to any social networking site. Nor do I stand on my rooftop and shout it through a loudspeaker there either. The second statement sounds obvious, but @EnglishFolkFan is quite right - people freely do this on the internet. This is far from ‘digital gumption’, more a lack of education.
The firms that have made the internet what it is today, allowing users to express themselves, do so in the knowledge that they will one day be able to earn from people’s disclosures through trending analysis and the like. Why educate to change behaviour when it will affect your bottom line? The privacy groups’ stance has typically been to lobby government and corporations, where the more effective solution may be to petition the user.
Social networking sites may feel much of this burden of responsibility as it is through their services that such information is relayed. However, with the controversy over Facebook’s agreements this is unlikely to happen soon. Besides…. any blogger can simply state all of this information wherever they are! Right? Wrong. Sort of.
This goes back to educating the user. If the user is educated, they won’t publish information. If they are educated, they may still publish the information if they feel ‘safe’ in the online environment where they are sharing. This may again be argued as a failure of education. For example, a Facebook event is posted online, assuming that only friends and associated people will see it, and then the Police turn up. They saw it on Facebook, as did potentially many delinquents. This presents a problem - too much suspicion in these social services and they become unusable; too little and disaster may ensue. The trick in online privacy is attaining the correct balance of usability and privacy where you trust the provider.
Of course, if you have a virus on your computer, all of this may be useless advice.
Posted in response to BBC Digital Revolution Blog
“Popular social networking site Facebook is breaching Canadian law by holding on to users’ personal information indefinitely, a report has concluded.” — Via BBC News
This retention of data issue has been the subject of much unrest concerning websites such as Amazon, Google and Yahoo! (see the Out-law.com News Article). However, with the focus now turned on Facebook, the arguments against this sort of data retention may enter the public arena once more with huge public support.
This follows wide-scale disapproval of previous Facebook terms of service.