Archive for the ‘Privacy: EU’ Category

What Google Knows: Privacy and Internet Search Engines

October 25, 2007

Search engines are the most important phenomenon on the Internet today and Google is the gold standard of search. Google evokes ambivalent feelings. It is adored for its ingenuity, simple, modest-looking interface and superb services offered at no (evident) cost. Yet increasingly, it is feared by privacy advocates who view it as a private sector big brother posing perhaps the biggest privacy problem of all times. Google is an informational gatekeeper harboring previously unimaginable riches of personal data. Billions of search queries stream across Google’s servers each month, the aggregate thoughtstream of humankind, online. Google compiles individual search logs, containing information about users’ fears and expectations, interests and passions, and ripe with information that is financial, medical, sexual, political, in short – personal in nature. How did Google evolve from being a benevolent giant seeking to do no evil into a privacy menace reviled by human rights advocates worldwide? Are the fears of Google’s omniscient presence justified or overstated? What personal data should Google be allowed to retain and for how long? What rules should govern access to Google’s database? What are the legal protections currently in place and are they sufficient to quell the emerging privacy crisis? These are the main issues addressed in this article. See SSRN page for this and additional articles here.

Complying with Israeli DP Law: Database Registration, International Transfers and Employee Monitoring

October 25, 2007

Multinational companies operating in Israel typically face several recurring data protection issues, including local database registration requirements; conditions for international data transfers; and monitoring and surveillance of employees at the workplace. This article briefly outlines the Israeli approach to each of these issues in turn, including notable recent changes and proposals for reform.

Israeli DP Law: Constitutional, Statutory and Regulatory Reform

October 25, 2007

In this article, published in the October 2007 issue of Privacy and Data Protection, I review recent changes in Israeli privacy and data protection law. The elevation of the right of privacy to constitutional status has moved the Israeli Supreme Court to extend privacy and data protection beyond the scope of the Privacy Protection Act of 1981 (“PPA”). And the PPA too is changing: driven by technological developments and the will to harmonize Israeli law with European standards, a government committee has recently proposed a wholesale reform of the statute’s data protection chapter (the Schofman Report). To increase compliance and enforcement levels, Israel has established a new data protection authority – the Israeli Law and Information Technologies Authority (“ILITA”) – to replace the former Database Registrar. I review in this article the spate of recent changes in Israeli data protection law and comment on persisting discrepancies between Israeli and European data protection.

Googled to prison?

January 30, 2007

Privacy and data protection in search engine data has taken center stage last year, with the unfortunate revelation by AOL of detailed search records of over 600,000 users (ultimately leading to the resignation of the company’s CTO), and Google’s legal battle with the US government over use of search logs for law enforcement purposes (See US District Court decision, accepting the governments request for data in part, here). Search engines collect a massive amount of highly personal data concerning our interests, hopes, desires, health, finances, travel plans, job searches and more. This invaluable asset attracts the interest not only of the government, but also of private litigants (e.g., copyright enforcement by the music industry, husband-wife custody battles), advertising companies and hackers. Hence, for example, in a recent 7th Circuit Court of Appeals case, a wireless hacker was convicted based on his Google search records. In a North Carolina case last year, a man was found guilty of murder in part because he searched for the words “neck,” “snap,” “break” and “hold” before his wife was killed. The Norwegian press reported yesterday that the Norwegian Data Protection Authority is investigating Google’s vast data storage pratices. Google responded that it can only link a search request to an IP address, not to the individual person behind such address, and in any event is not willing to pass on such information to others. The problem is that Google (and other search engines, for that matter) can personalize the data by use of cookies and additional services, such as the ubiquitous Gmail, and that even anonimized data may be linked to individuals, as illustrated by a NYT reporter in the AOL case. (I am lecturing on the topic at the upcoming annual meeting of the Israeli Internet Association on February 19).

Big Brother’s Little Brother: Your ISP

January 25, 2007

The US is debating proposed legislation requiring Internet service providers to retain data concerning user traffic for law enforcement purposes. Privacy advocates’ strong opposition to such “data retention” requirements aligns them, oddly enough, with ISPs, which fought similar requirements in Europe. ISPs are concerned with the cost burden of the mass storage and with commercial and legal difficulties such retention poses for their relations with customers. The EU adopted a new Data Retention Directive in March 2006, following the UK’s push after the London terrorist attacks. The government usually points to terrorism and child pornography as the ultimate evils which must be eradicated by online snooping. This is true, yet massive data retention subjects the vast majority of Internet users, who are innocent, to serious privacy risks. Indeed, in a precedential decision, a New Jersey state appeals court held yesterday that computer users can expect the personal information they give their ISP to remain private. A three-judge panel held a computer user whose screen name hid her identity has a “legitimate and substantial interest in anonymity,” referring to an “informational privacy” right in the state Constitution.


You leak: let us peek

January 18, 2007

More news on security breaches: California Senator Dianne Feinstein is renewing her push to set national requirements for consumer notification in the event of data security breaches, and to restrict the sale, purchase and display of Social Security numbers. Under her proposed Notification of Risk to Personal Data Act, any federal agency or business that “uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information” would be required to notify any U.S. resident whose data may have been compromised by a security breach “without unreasonable delay.” Her second bill, the Social Security Misuse Prevention Act, would prohibit the sale, purchase or “display” (intentional communication to the general public, including via the Internet) of SSNs without “affirmatively expressed consent of the individual,” either electronically or in writing. The bills feature broad exemptions, which are bound to prove controversial. Across the border, meanwhile, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) published a white paper calling for similar legislation to be introduced into Canadian data protection law (PIPEDA). Data breach notification laws are all the rage, prompting interest of regulators in the EU as well. A big question is what can consumers do with information concerning their data having leaked into unauthorized hands. One option, is, of course, suing. Yet, interestingly enough, while class action law suits have been filed against Choicepoint, LexisNexis and CardSystems Solutions, none have yet to reach judgment as of December 2006.

Oops – 100,000,000 times (for now)

December 21, 2006

A week of severe data security breaches: UCLA reported hackers gained access to a database containing personal information on 800,000 current and former applicants, students, faculty and staff. Aetna revealed a lockbox holding personal information of 130,000 health insurance customers was stolen. And Boeing reported a laptop containing personal information of 382,000 current and former employees was stolen from an employee’s car. US Privacy Rights Clearinghouse reports that the total number of personal records lost or exposed in security breaches since February 2005 now exceeds 100 million. The total maintained by the organization represents the number of records that have been compromised due to security breaches, not the number of individuals affected. Individuals may be the victims of more than one breach. However, only data breaches that result in information useful to ID thieves, such as Social Security numbers, bank account details and driver’s license numbers, count towards the 100 million mark. The reports of security breaches are a result of legislation originating in California’s Security Breach Information Act of 2003 and now adopted in about 30 additional states. Europe is still considering similar legislation. In the UK, for example, a report by Deloitte Touche Tohmatsu reveals 25 million personal records are exposed to theft and fraud annually. One of the big issues, particularly for Europe, where private lawsuits are rare and class actions uncommon, is whether individuals can actually do anything with knowledge about their data having been compromised.

RFID: A chip on your shoulder

December 17, 2006

One of privacy advocates‘ prime suspects have long been RFID systems, enabling data to be transmitted via a portable device, called a tag, to an RFID reader and processed according to the needs of a particular application. RFID, which started as a benign replacement of the barcode, allowing Wallmart to perfect its inventory control process, is increasingly appearing in privacy-compromising applications. Last week, U.S. Department of Homeland Security Secretary Michael Chertoff defended national ID cards, established by a federal law called the Real ID Act in May 2005, as vital for security and consistent with privacy rights. Among other concerns, national ID cards may carry RFID tags, despite a recent DHS advisory committee report advising against using RFID for tracking humans. More prosaic, a report by researchers at the University of Washington warns against surreptitious surveillance of joggers by their Nike+iPod Sport Kit, which consists of an RFID chip. The EU Article 29 Working Party has last year warned against the dangers of RFID in an official report. The bigger problem lurking behind RFID is that of privacy in an age of ubiquitous computing, where every object, not only cellphone but also table or spoon, is a computer. 

Spam goes “Bam”

December 7, 2006

Bill Gates predicted spam would be a thing of the past by 2006. Well, it is making a big comeback after an off year in 2005. In the last six months, the problem has gotten measurably worse. The NYT reports worldwide spam volumes have doubled from last year and unsolicited junk mail now accounts for more than 9 of every 10 email messages sent over the Internet. The negligible costs of orchestrating an attack and significant trouble of preventing one do not help. For an overview of anti-spam legislation see David Sorkin’s Spam Laws.

SPAM and phishing: The battle goes on

November 28, 2006

The European Commission calls for stronger action against spammers and spyware merchants. On the other hand, a security flaw in Google’s search appliances could expose websites using such products to phishing attacks. Microsoft has recently launched an antiphishing campaign in Europe and the Middle East, filing 129 lawsuits against alleged perpetrators.