Introducing Google Buzz

Google launched what it expected would be the Twitter/Facebook competitor, Google Buzz on February 9, 2010. It was advertised as “a new way to share updates, photos, videos and more, and start conversations about the things you find interesting.” Buzz was designed to integrate with Gmail – which already had over 146 million users at the time of the launch – and other interface interaction elements with other Google products, such as Google Reader.

The service can also be accessed through supported mobile devices. The mobile version of Buzz is integrated with Google Maps, in order to let users know their location and identify other users who are around them.

Buzz was received with great interest. In the first two days after its launch, tens of millions of users created over nine million posts and comments. On average, there were over 200 posts per minute through mobile phones worldwide.

Responses

However, not all responses to Buzz were positive. Immediately after its introduction, privacy-minded users noticed that Buzz automatically set them up with followers and people to follow. This group of followers is chosen based on the contacts the user emails and chats with the most.

Another issue of concern was that the people a user follows and the people that follow the user are made public to anyone viewing the user’s profile. This is the default setting, which allows anyone who views a profile to see the people who a user chats with or emails most. The implications of this setting were worrisome to some users. For instance, a boss may discover that a subordinate has frequent email contact with executives at a competing firm.

What was distressing to most critics was that Google did not openly explain how the publicly viewable follower lists were determined. Buzz’s unclear opt-out approach put many users in the position of unknowingly sharing personal information. It is clear that Google’s choice to design the lists to show publicly by default was a strategic decision to get as many people using Buzz as quickly as possible. While it may be a helpful setting for some users, others may not feel comfortable with sharing with the world who they email or chat with most.

This glaring privacy flaw was brought to the spotlight two days after Buzz was launched, when Harriet Jacobs saw her personal information revealed to her ex-husband and his abusive friends. Unfortunately, Google automatically allowed her most frequent contacts to view her Google Reader, all the comments on her Reader, as well as her current location, workplace and other sensitive information. Her most frequent email contacts happened to be her ex-husband, his friends and other hostile blog commenters. She was unable to block these users as she never created a Google profile or Buzz profile, which left her unable to prevent them from following her.

Making Changes

Within three days of launching Buzz, Google issued a public apology and made some changes to the program in response to the widely-publicized consumer privacy concerns. It added a more visible opt-out selection to allow users to choose not to show their connections or followers on their profile. This was a rapid response to user concerns, especially when compared to Facebook’s Beacon privacy problems in 2007, which took over a month to resolve.

Although the changes were a positive step in terms of supporting user privacy rights, critics pointed out that Google did not go far enough to address immediate concerns. For instance, the selection box for sharing followers was checked by default. Since this is an option for sharing private or sensitive information, many argued that the box should be unchecked. Given its nature, it would be best to leave that as an opt-in feature.

Furthermore, the opt-out selection did not give users an adequate explanation as to what they were allowing Buzz to publish. Users were not informed that Buzz would publish the list of people they email and chat with most. Although the privacy settings could be adjusted, the problem was that most users do not know how to change these settings. The majority of users simply click “save and continue” until the application is fully set-up, unfortunately reading little of the information contained in the dialog boxes. This made it clear that Google’s changes were an inadequate response to the scope and implication of user’s concerns.

In April 2010, privacy officials from Canada, Germany, France, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the UK raised privacy concerns regarding Google Buzz, as well as other Google services. The letter pointed out that even months after its launch, Buzz was still disregarding its user’s privacy rights, despite Google’s promises to the contrary.

Opt-In vs. Opt-Out

Opt-out mechanisms give users the opportunity to express non-agreement to a specific purpose. Unless the user takes action to opt-out, the organization assumes consent and proceeds. The organization should clearly inform the users that failing to opt-out means that the user consents to the use or disclosure of information. For instance, the Google Buzz box presented users with the opt-out choice with a pre-checked box that read, “Show the list of people I’m following and the list of people following me on my public profile.”

Opt-in consent is often referred to as “express consent.” With opt-in consent, the organization presents the users with the opportunity to express positive agreement to a stated purpose. Only with the user’s action will the organization assume consent. Opt-in consent is considered the strongest form of consent. The Privacy Commissioner of Canada encourages organizations to use this form of consent wherever it is appropriate, as it is least likely to result in misunderstandings and complaints.

In the Google Buzz case, an effective opt-in statement for new users might have been a checkbox reading “Show the list of people I’m following and the list of people following me on my public profile. Right now, the list is made up of people you email and chat with most.”

Recommendations

Jennifer Stoddart, the federal Privacy Commissioner of Canada expressed her unease over how such a problematic application like Buzz was launched for public use in the first place. Stoddart did not support the decision to release Buzz in its “beta” form, as it should have demonstrated compliance with fair information principles before it was introduced. She felt it was unacceptable to launch a product that had such significant privacy issues, with the intention of addressing those problems only as they arise. This was also not the first time Google made a glaring privacy error, as Google Street View was launched earlier, without consideration of privacy, data protection laws or cultural norms.

Stoddart and the Privacy Commissioner’s Office sent Google a number of recommendations that would enable it to integrate fundamental privacy principles into its online services. The recommendations included:

• Collecting and processing only the minimum amount of personal information that is necessary for achieving the purpose of the product or service.
• Providing clear, unambiguous information regarding the use of personal information.
• Allowing users to provide informed consent.
• Creating privacy-protective default settings.
• Ensuring that privacy control settings are clear and easy to use.
• Ensuring that all personal data is adequately protected.
• Giving users simple procedures for account deletion.
• Honoring user requests in a timely manner.

Summary

This article examines privacy issues raised through the launch of the social networking program Google Buzz. It outlines some critical responses to the privacy settings and risks that the application exposes users to. The article also explores opt-in and opt-out consent mechanisms. Finally, the article takes a look at the Canadian Privacy Commissioner’s response and recommendations to Google Buzz.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

• Online privacy, online data collection (V.B.c.)
• End user expectations (V.C.c.a.i.)
• End user preferences, opt-in vs. opt-out (V.C.c.a.ii.)

1. “Security and Privacy Training is inadequate and poorly aligned with the different roles and responsibilities of personnel.”

Proper security and privacy education is part of the administrative safeguards needed to properly protect data. Information handlers must understand the risks facing sensitive information and their responsibilities towards maintaining the Fair Information Practices Principles. The report instructed agencies to include privacy and security training upon employment, maintain awareness through weekly tips, annual “security days” and other creative reminders. Agencies should also target individuals with more security and privacy responsibilities and provide more extensive training.

2. “Contracts and data sharing agreements between agencies and entities operating on behalf of the agency do not describe the procedures for appropriately processing and adequately safeguarding information.”

The Privacy Act of 1974 allows the sharing of information between government agencies provided the information receives the same level of protection after disclosure and the two agencies sign and follow a data sharing agreement. Failing to comply with a  data sharing agreement may allow serious breaches of a individual’s privacy. Agencies are encouraged to offer incentives for successful compliance with a data sharing agreement or contract. Agencies are also required to create detailed agreements (using Federal Acquisition Regulation Language) describing the procedures for protecting the information and assigning an individual to oversee the data sharing process.

3. “Information inventories inaccurately describe the types and uses of government information, and the locations where it is stored, processed or transmitted, including personally identifiable information.”

Under the Freedom of Information Act and the Privacy Act of 1974, government agencies are required to maintain adequate records on the type or information systems they maintain and the types and uses of the information. With a few exceptions, such information must be available to the public. Improper record keeping poses a threat to the transparency of government activities and an individual’s right to access the information and agency maintains about them. Agencies should use enterprise architecture and inventories to review the type, location, and uses of information it has on record. Security controls should be developed in consideration of the inventory and all systems containing personally identifiable information should be regularly assessed to ensure the integrity and security of the data.

4. “Information is not appropriately scheduled, archived or destroyed.”

Information must be protected at all stages of its lifecycle including those when it is not in active use. The proper destruction of information is particularly important to safeguarding privacy. Information must be assessed to determine how long it needs to be maintained and whether it is permanent and needs to be archived by the NARA or temporary and needs to be destroyed. Agencies must obtain the National Archives and Records Administration approval to dispose of their records according to established record schedules.

5. “Suspicious activities and incidents are not identified and reported in a timely manner.”

Information security is an ongoing process which requires identifying and detecting potential threats. Instituting a system without following up with security checks and incident response is ignoring a fundamental part of the information security process. Agencies should develop and follow a set of procedures to identify and respond to security or privacy incidents. Response should be timely in order to be effective. Agencies should configure their computer systems to detect intrusions, monitor use, and log any incidents. Furthermore incidents should be reported to authorized personnel and agencies to reduce risk as quickly as possible.

6. “Audit Trails documenting how information is processed are not appropriately created or reviewed.”

It is not just the type of information that is collected but how it is used that is restricted to protect privacy and civil liberties. Accurate audit trails are necessary to record how information is being collected, used, maintained and disclosed by an agency. Agencies should use managed data repositories to develop and review the necessary audit trails. Those audit trails can then be used to identify anomalies, determine the status of data and destroy data when it is no longer necessary.

7. “Inadequate security controls where information is collected, created, processed or maintained.”

Security controls include technical, physical and administrative safeguards. They are the primary defense against unauthorized access and use of information. Agencies should maintain inventories of their physical property including real estate and mobile devices. Stronger controls should be applied to areas of high impact or high risk. Security procedures should be reviewed regularly (at least annually) to ensure physical access is granted only to authorized individuals.

8. “Information security controls are not adequate.”

The sole purpose of information security controls is to prevent unauthorized use and access. When such controls fail, the system must be improved or replaced to be provide adequate protection to information which is guaranteed under U.S. law. Security controls should be tested annually with higher risk systems tested more frequently. Personnel that test controls should be separate from the personnel that administer the controls regularly, to allow outside enforcement. Problems and improvements should be shared among agencies to promote awareness. All common security configurations should follow NIST guidelines. Agencies must also consider how the public availability of information affects how government information is protected.

9. “Inadequate protection of information accessed or processed remotely.”

Mobile devices and the increasing use of cloud computing technologies all government employees to access government information when working away from the office. Data must be protected equally when accessed from a computer at the agency and when accessed from a mobile device. Agencies should maintain an audit log of any information accessed or processed remotely. NIST encryption methods, two factor authentication, and automatic log outs after a certain period of inactivity should be employed. Agencies should ensure personnel understand the security risks involved with remotely accessing such information and have them sign a document denoting their privacy and security responsibilities.

10. Agencies acquire information technology and information security products without incorporating appropriate security and privacy standards and guidelines.

The E-Government Act of 2002 requires that all new information security systems conduct Privacy Impact Assessments prior to use, and periodically thereafter in order to evaluate the effectiveness of the system in protecting the information it maintains. Failing to assess new technologies for their privacy protections leaves large holes in the security of the system. Agencies should include information system planning, development and maintenance in their procedures and budgets. Systems should be purchased and implemented only when found to be cost effective in adequately protecting information. Software and hardware encryption products should be used according to the NIST certified cryptographic modules.

Summary

While there are a number of regulations such as the Privacy Act of 1974, the E-Government Act of 2002, as well as the Fair Information Practice Principles which guide the use of information by the Federal Government, such regulations are not always implemented properly. Reports such as the Common Risks Impeding the Adequate Protection of Government Information are necessary to maintain an ongoing discussion regarding information privacy and security and continue to increase security protections as technologies and threats evolve.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Common Risks Impeding the Adequate Protection of Government Information
• Information Privacy Laws for U.S. Government Practice (I.C.)

—-

Guests :

Isabelle Falque-Pierrotin (IFP) – Vice-president of the French Data Protection Authority (CNIL)

Stéphanie Lacour (SL) – CNRS researcher

Meryem Marzouki (MM) – CNRS researcher

Jean-Luc Dugelay (JLD) – EURECOM researcher

Jean-Marc Manach (JMM) - internetactu.net

—-

Man – The question is about knowing where we are aiming.  And since technologies are moving very fast, we need to look upstream but nothing plays the role of the ethics committee (CCNE) in biological science, for instance when it comes to computer science. The CNIL has a regulating role and it has nothing to do with what the CCNE does. This comparison with Science of Living is relevant to us as there are technologies we didn’t want to develop. We said by thinking upstream, we don’t want reproductive human cloning. We stop research tending to point in this direction. Is there anything equivalent in Computer Science to a technology we would not like to develop?  Though without thinking ahead, industrials would shape it and there would be calls for proposal. To me, the facial recognition can be compared to the artificial uterus: this is something which will radically change security in our society and individual freedom. It is not perfectly running but there is money for funding it. It means there was not the same thinking upstream that one can find in biological science.

MV – IFP?

IFP - Your question is one of the many reasons why the CNIL is transforming itself into something else. Google is an American company. The French people, the 30 millions of customers consuming Google services are obedient to any terms of service the company would like to apply. Today Google respects the Californian law. Some of the services, like Google Latitude (allowing one to identify people in a given spatial environment) respects the Californian law. We may believe it’s tragic, that nothing can be done because most of the big Internet companies are not French. However these companies are opened to discussion with actors like the CNIL about private data since the organization took upstream several initiatives in this field to drive them on taking measures that abide by the French national rights. For instance, in regards with Street View (mapping street photographs with districts showing views of main cities in Europe), as the CNIL was alerted early enough, faces could be anonymised so that the service conforms with the 1995 law. As a result, Google accepted to apply these measures in Europe. I would answer the question by telling that the CNIL has to work more and more in a prospective way with the service offerors so that the process of protecting data really becomes a pervasive concern. It is much more difficult than applying stricto sensu law texts relative to public filing but I think this activity shapes the future of the organization.

JLD – I would like to come back to the global aspects of these things. Among the criteria defining the research areas, there are the national and European industrial calls but there are international competitions as well. As national labs, we want to be competitive towards American or Japanese laboratories for instance, or China which goes off in many domains, like research. We would like to avoid monopolistic situations such as the ones with biometrics or video surveillance by leading competitive research in France.

MV – Another question?

Man - We talk about personal data. I was asked to confirm my presence by signing a paper when I arrived. We talk about carts and knowing what I purchase. Ethical questions are critical. With regards to information technology, we don’t really know how to set limits by preventing ourselves from investigating further in given research areas. Given techniques, politics and ethics as main parameters to be considered, the real question is perhaps not about RFID (which will be deployed and these chips will provide information about what I purchase). Why are we looking closer at Google webmail as something so interesting when incoming and outgoing messages are not safe within private servers either? All that is related to search queries and subsequent profiling activities might be a little bit more of a concern. Are not we running away from the latter by discussing RFID? Those are ethical questions to be asked. Moreover we are not at all in the same context than with biotechnologies. The means to take measures are totally dissimilar with information technology.

SL - There are several camps in this game: the government, the private companies, the citizens. I remain convinced that no solution will come from one of these three players. It might come from the government, for instance the Chinese government forced Google not to provide results for keywords like democracy. I am not sure one would like to fall into a system similar to the Chinese democracy, if I may. The fact is, politics can not be totally passive before choices. When the political decision is made, things move forward. Besides, the technology itself makes things happen. This is true with Internet and also with RFID. Developing technologies upstream, for example in Europe, by following European privacy standards, is one possible solution. As most of these technologies are developed in countries like the United States of America or Korea, where privacy has a totally different meaning, we have to face very difficult issues since privacy protection doesn’t even exist inside the technology itself. When research institutions push collaborations between technology inventors and ethicists, jurists or sociologists, we get closer to the solution. The third part of the solution belongs to each of us. I don’t think the system will be altered in the future by only one of the three ways.

JMM - Let me take another example. In computer science, for a long time, there was IBM the monster absolutely cannibalizing everything. Then came Microsoft with a fabulous business plan equipping today more than 90 or 95 percent of private person computer. Now Google has between 80 and 95 percent of the advertising market shares. Each time, for the reasons why IBM is criticized, Microsoft was and is still heavily criticized, IBM made huge losses, Microsoft is in the same losing process. Reviewing what is going on with the browser market and Internet Explorer would be enough to get convinced. Today in Europe, more than 30-40 % of customers are Firefox users; they are not Internet Explorer users anymore. I can’t see exactly how Internet Explorer will carry on its development. Internet Explorer is being lost. I don’t know how things will turn out for Google in 10 years but it is not unthinkable than Google fade away because of another company offering new services better addressing peoples’ needs and being more respectful of users. The monopolistic role of Microsoft in relation to operating systems may come to an end. The Microsoft operating systems coming along automatically with brand-new computer purchases, called compulsory sales, originated from the European trials against the company. It is well known that it is safer to run Linux instead of a Microsoft operating system given the same privacy concerns so the law project behind stopping compulsory sales would contribute in making Internet safer as well.

MM – I would like to return to the original question. I was amazed of hearing mentions about ethics, politics and techniques but nothing about rights. Given that rights should not depend on politics, at least not exclusively. Rights exist as rules applied to everybody. Data and privacy protection rights can fundamentally be split into the purpose principle and the proportionality principle. The first one is more and more flouted, as explained by JMM with the national file of genetic footprints and the extension of personal data collecting activities. The proportionality principle is still too fuzzy. When we use the flaws of proportionality such as a period of data retention as arguments in legal recourse, we are saying the length of these periods are directly proportional to the aims at stake. The purpose principle is equally inadequate, for instance, with passports, visas used in targeting foreign people, measures taken for border control, which will serve in police operations with different purposes since databases exist. The principles should be refined so that some population could be made safe. I have quoted the case of foreign people but let us talk about children. All of us were offended when we learned that 13-year-old children could be found in Edwige database. What may offend us as well when considering the French passport regulation, is how biometrics data are collected for 6-year-old children (which is not a requirement at the European level). It shows clearly how collected data can be extended and put into service for other objectives, to control other people, because young people scare (we see it with regulation law proposals about mobs). We are not here in the middle of ethical discussions of new topics without any form of consensus already made about them in the society. Let us revert to fundamental rights, this would be progress.

MV - A last question?

Woman - I would like to know what was the legal reasoning of Internet service providers, which are apparently commercial and actually accomplice of the all-in-one security trends with HADOPI in the LOPSI II law. Were not their positions during meetings meant to address these issues?

JMM -  It depends on the industry we are referring to. It is not all about the same reactions. For instance we know that Free works backwards. They launched the free wifi service access (allowing their customers to access Internet through other customers routers in wireless connections) when the HADOPI law was being discussed. When the main carriers are asked to implement some practices, they usually do it and charge the customers for doing it. Some actors of the industry like Jean Michel Planche were among the first who brought to light the issues coming with the LOPSI law and Internet filtering policies. Some individuals dare expound ideas and spread information. Most of the time, information published in the press about the government intentions come from industry leaking details when not expressing themselves ideas defending their customers. We do not have the same culture in France in comparison with the United States of America. In the USA where there is no such law like the data processing and freedom law, the fight for the customer freedoms and privacy protection is driven by the industrial. They know there is no interest for them in going against the freedom of their customers not to lose them by holding big brother-like roles. In France, the industry doenn’t maintain such policy of protecting their customers. With HADOPI, we are routed to the possibility of the filtering of Internet though professionals.

MV - IFP?

IFP - We should not end this debate on a caricature of the industry. After discussing with many of their representatives, I can stand that many of them were worried by these questions. All actors of the industry are not willing to establish security devices everywhere. There are cases when the technology provides advantages, for instance with warranty services which could be integrated in the articles we consume within RFID chips. There are industries which are sensitive to these questions. I meet with them and I think they are more and more sensitive with them as they realize it worries their consumers, it is also forming part of the sustainable development of their company reputation. It is not only theoretical. We all have this responsibility of finding a balance between security and freedom. The industry has its own role to play, which is also a positive role to be played.

MV - I ask the three of you, a few words to conclude. SL?

SL - Indeed from the collaboration of all actors may emerge the shapes of an answer.

MV - Can we rely on the rights today as a citizen when it comes to data circulation?

SL – The law tells us it is possible but we face a more complex problem when considering attentively how the law can be applied.

MV - There are obviously some vulnerabilities in the texts. MM?

MM - Again, let us return to the fundamentals and remember the Edwige case. Citizen mobilization can have a major impact in addressing other similar questions.

JMM - More and more people should stop acting paranoid and really get informed about the reality of the threats we are confronted with. The more we will look for being informed and the more we will have the right to resist.

MV - JLD?

JLD - Indeed, people should be informed so that they can have their own opinions. To make the right decisions, it is critical to master the technology, not to suffer from monopolistic situations coming with unique circumstances . I think it is important that we have a strong French and European research. Eventually I think there was interesting proposals like the creation of an ethical committee for new technologies, which is something to be widened with different actors and users.

MV - Does it exist already with nanotechnologies, SL?

SL - Something exists already with the CCNE.

MV - Thank you to all of you.

Data Protection in Europe

The European Union has the most extensive and comprehensive data protection laws in the world. In 1995, the European Commission instituted their most significant body of law known as the Data Protection Directive (95/45/EC). The directive applies to all entities that process personal data in all member states of the European Union.

E.U. Data Protection Directive Privacy Principles

The Data Protection Directive outlines privacy principles for the processing of data which include:

1)  Notice– (Article 10) The data subject must be provided with the identity of the data controller, the purposes for which data is collected and third party recipients

2)  Choice– (Article 14) The data subject may object to the processing of their personal data for the purpose of direct marketing and the disclosure of data for third parties or uses.

3)  Access and Correction– (Article 12) The data subject may request to view data an entity has on record about them and rectify, erase of block the processing of data if incorrect or incomplete.

4)  Data Quality–(Article 6) Data should be processed lawfully. It should be collected and processed for specific and legitimate purposes. Data should be timely, accurate and complete. Data that is no longer necessary should be kept in a format that is not personally identifiable.

5)  Data Security– (Article 17) Appropriate steps must be taken to protect against accidental loss, and unauthorized access, use or destruction.

Enforcement

The E.U. data directive requires the creation of a National Data Protection Authority for all member states. This supervisory authority must regulate and implement data protection laws within its country as well as investigate privacy violations. Every data controller must register with a supervisory authority before processing personal data.

Onward Transfer

In order to protect personal data when transferred to countries outside the European Union, the Data Protection Directive prohibits onward transfer to entities in non-member states unless they meet an equivalent level of protection. Agreements like Safe Harbor between the United States and the E.U. allow businesses to participate in a program that allows unrestricted international data flow as long as a businesses institutes similar privacy principles to those of the E.U.

The Data Protection Directive also has special regulations for the transfer of sensitive data such as racial or ethnic origins, political or religious beliefs, sexual orientation, trade union membership and other similar characteristics. The E.U. requires explicit, affirmative consent from a data subject in order to disclose sensitive information to third parties, not matter whether the third party is within or outside the European Union.

Privacy and Electronic Communications Directive

In 2003, the Directive on Privacy and Electronic Communications Directive (2002/58)was developed to complement the Data Protection Directive. It deals specifically with data protection and with regard to marketing messages and the growing use of digital technology and electronic communications. The Privacy and Electronic Communications Directive requires explicit consent from a data subject to send marketing messages unless all of the following criteria are met:

1)  The provider already has information on the data subject on file from a previous service or transaction

2)  The marketing message is in relation to similar services or products

3)  The data subject is given the opportunity to opt-out of further marketing messages.

The E-Privacy Directive also places restrictions on the use of marketing messages through telemarketing, automated telephone calls and faxes. The directive also requires a mechanism to opt-out of the use and receipt of cookies.

Data Protection in Canada

Canada is one of the countries closest to the European Union in terms of comprehensive  information privacy law. It uses a coregulatory framework between the government and the privacy sector to enforce data protection.

The Privacy Act of 1983

The Privacy Act of 1983 regulates the use of personal information by the Canadian Federal Government. The Privacy Act requires:

• Notice– the data subject must be notified of the information collected and its uses
• Access– a data subject has the right to view what personal information is held by a government institution and rectify erroneous information
• Consent–  data subject must provide explicit consent before information is disclosed to parties outside the control of a government institution (with a few exceptions)
• Limited Use– collected information must directly relate to the activities of a government program and may only be used for the purposes it was originally collected (with a few exceptions)
• Enforcement– the Privacy Commissioner of Canada must investigate and complaints it receives regarding privacy violations to data subjects.

The Personal Information Protection and Electronic Documents Act

PIPEDA deals with information privacy in the private sector of Canada which includes financial and health institutions. It protects all information that may identify an individual used in the course of rendering commercial services including those of nonprofit organizations.

PIPEDA incorporates the ten privacy principles outlined by the Canadian Standards Association which include: Accountability, Identifying Purposes, Consent, Limiting collection, Limiting use, disclosure and retention, Accuracy, Safeguards, Openness, Individual Access, Challenging compliance. PIPEDA requires explicit consent from individuals in order to use, process or disclose their personal information (with a few exceptions)

PIPEDA is enforced through the Office of the Privacy Commissioner of Canada or similar territorial privacy commissioners. The Commissioner is required, by PIPEDA, to investigate any privacy complaints lodged against a commercial institution and create a report of their findings.The report is sent to the organization against whom the complaint was filed with recommendations. The report is also returned to the complainant who can then pursue the matter further in the Federal Courts.

Data Protection in Asia

Data Protection across Asia is varied depending on the development and political beliefs of each country, however even counties that grant the least amount of protection have shown a concern for Data Protection and the way it affects the free flow of information.

Japan and the Law Concerning the Protection of Personal Information

Data Protection in Japan is covered under the Law Concerning the Protection of Personal Information. It was put into effect in 2005. Enforcement is regulated by ministries of each industry sector (i.e.: Ministry of Health enforces the Law in the Health industry) Each industry may place additional restrictions on the use of personal information.

Like many data protection laws, Japan’s Law requires specific and limited use of information, adequate data security and integrity, data subject notice of purpose of use, as well as access to and correction of information held by an institution. One major different in Japan’s Law is in their policies regarding disclosure. Explicit consent is required for all disclosure of information to third parties, even if the third party is affiliated with the data controlling entity.

The Asia-Pacific Economic Cooperation

APEC is a non-binding cooperative agreement between countries along the coast of the Pacific to facilitate regional trade. In 2004, APEC developed a Privacy Framework, recognizing the need for strong data protection laws to allow multinational and international business and trade to continue. Members of APEC include: Australia, Canada, Chile, China, Japan, Peru, Russia, the United States, as well as others.

APEC’s Privacy Framework outlines 9 privacy principles:

1)  Preventing Harm– Above all privacy regulations should prevent harm to data subjects from the unauthorized or misuse collection, use or disclosure of personal information.

2)  Notice– An individual should be notified regarding the personal information including what, why, how and to whom their information is collected, used or disclosed. They must also be given the choice and means to limit the use and disclosure of their information

3)  Collection Limitation– Collected information should be used for specific and limited purposes.

4)  Uses of Personal Information–Person Information should be collected with consent of the data subject and when necessary to render a service or transaction

5)  Choice– Individuals must be provided with unambiguous mechanisms to control the collection, use and disclosure of their personal information.

6)  Integrity of Personal Information– Personal Information should be complete, timely and accurate

7)  Security Safeguards–Safeguards should be created to protect against data loss as well as unauthorized, access, use, disclosure, destruction and other misuses.

8)  Access and Correction– Individuals must be able to obtain the personal information a data controller may hold about them in a timely and reasonable manner and be allowed to challenge the accuracy of the information.

9)  Accountability– Entities controlling personal information must be accountable for complying with privacy principles.

APEC is non-binding which means that there is no single supervisory authority for enforcing compliance in member states. Each member state is responsible for creating and enforcing their own information privacy regulations that adhere to the APEC Privacy Framework.

Data Protection in Latin America

Like, Asia, data protection in Latin America is inconsistent. However, many Latin American countries along the Pacific are members of APEC and comply with the APEC Privacy Framework. Furthermore, many countries have included some forms of data protection in their constitutions under the writ of Habeas Data

Habeas Data

Habeas Data literally translates to “[we command] you have the data.” It protects the right of an individual file complaints to a constitutional court regarding violations to their image, honor, privacy, and freedom of information. Legally this has translated to information privacy regulations for the government. Often similar regulations have been extended to the private sector. Habeas Data requires that an individual be able to view information on record about their person and correct any false information. Furthermore it holds a data controlling entity accountable for the integrity of data. The 1988 Brazilian Constitution was the first to include the writ of Habeas Data.

Argentina

Argentina is the only Latin American country considered adequate under the E.U. Data Protection Directive. The Argentine Constitution contains the writ of Habeas Data. In 2000, a comprehensive data protection law called the Personal Data Protection Act was implemented to protect personal data in both the public and private sector.

Under the Act, data must be collected for “certain, appropriate, pertinent and not excessive” purposes and must be collected lawfully. Data must be accurate, complete, secure and destroyed once it is no longer necessary for the purposes it was originally collected. Furthermore any activities surrounding personal data must receive explicit consent from the individual with a few specific exceptions (section 5).

The Act also prohibits the creation of files linking sensitive data with identifiable individuals and requires that no person may be compelled to share sensitive data. Much like the E.U. Data protection directive, the Act requires other countries to have adequate levels of protection before transferring data.

Chile

In 1999, Chile was the first Latin American country to implement a data protection law.  Chile uses a comprehensive law called The Law for the Protection of Private Life to govern the public and private sectors. While the Law guarantees the rights of a data subject’s to access, correction, notice, and judicial control, there is no supervisory authority and compliance is largely self enforced. Furthermore, the Law provides no protection for international transfers.

Paraguay

Paraguay includes Habeas Data in Article 135 of its constitutions which states:

“Everyone may have access to information and data available on himself or assets in official or private registries of a public nature. He is also entitled to know how the information is being used and for what purpose. He may request a competent judge to order the updating, rectification, or destruction of these entries if they are wrong or if they are illegitimately affecting his rights.” Paraguay also has its own privacy law to govern information privacy during the course of commercial business. Additionally it protects sensitive data and economic status information by requiring explicit, written consent of the data subject unless it is required by law.

In Conclusion

As technology progresses and the unrestricted flow of information across borders becomes increasingly important, countries will no longer have the luxury of avoiding data protection. In order to protect the data of their citizens, governments like the E.U. and Argentina require similar levels of protection when they transfer their information to other countries. To allow such trade to continue, countries around the globe must implement privacy policies of their own and consider how they will protect the information of their citizens as well as the personal information they receive through onward transfer. With the growth of electronic technology, information privacy has become an international issue that cannot be ignored.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• Privacy and Data Protection Regulation (Foundations: I.F.b.ii-v.) including Europe, Canada, Asia and South America

—-

Guests :
Isabelle Falque-Pierrotin (IFP) – Vice-president of the French Data Protection Authority (CNIL)
Stéphanie Lacour (SL) – CNRS researcher
Meryem Marzouki (MM) – CNRS researcher
Jean-Luc Dugelay (JLD) – EURECOM researcher
Jean-Marc Manach (JMM) - internetactu.net

—-

MV – SL, would you like to take the lead?

SL – Technologies move forward very quickly. I would like to keep pace with IFP when she evokes this rapid movement but we (consumers) also have to make concrete decisions regarding these technologies. Such aspects were fundamental in the enactment of the 1978 law. When we are asked our personal data, we can still freely provide an answer to gain some advantages. Today, it is still possible to acquire simple coupons with RATP. An anonymous Navigo pass is available but the acquisition cost is a little bit higher (5 €). I am not revealing a universal solution: in this case, about RFID, I think a cape has been rounded relative to what existed before (credit card, cellular phones and other individual tracking technologies) as the existence of a chip inside a Navigo pass is well known and some may be aware of carrying these devices oppositely to the ones that will be massively deployed in the close future over the mass-market and they’ll communicate data without asking for authorizations.  This constitutes a real interesting legal issue in the way the 1978 law has been submitted to new evolving needs in 2004 requiring people’s consent as a central matter of balance: I accept providing parts of my personal data in exchange of advantages and I make a personal decision. Given technologies people carry without awareness of their presence nor whether these technologies provide our data, it becomes even more difficult for us to consent.

MV - What does your survey reveal about how the new generation of individuals perceive this concept of privacy? I imagine oscillations between generations and these technologies being more easily accepted by some age groups. Would some of you like to comment about it?

JMM - We’re referring here to the privacy paradox. On one hand people are using these technologies: notably visible on the web with social networks, Facebook and the collaborative Web, where people don’t hesitate in disclosing a lot of information. I’m wondering if you’ve heard about Google and Mark L.’s personal history.  This story appeared famously hitting the headlines at the beginning of the year. This gentleman’s portrait was issued in a French magazine named “Le Tigre”. A fellow was described in his habits exclusively from what could be found on the Web. They didn’t put him naked but it was close. So many photos, videos of his travels, and stories were posted across the Web that they managed to retrace his life. We heard about it because it exhibited the propensity of people for disclosing personal data. On the other side, when the man discovered this article published among the news, he was very, very scared.  Before the article, he didn’t descry how easily these data could be aggregated - this is the privacy paradox. Mark L. expressed himself carelessly until his voice was put in such nearly official report and he got very scared. Being particularly afraid of Big Brother doesn’t prevent anyone from using these technologies (even in enforced situations as it was mentioned early). Today obtaining a passport comes with biometrics, an anonymous Navigo pass is more expensive and so on. We are more and more urged in behaving similarly. What could be the possible extensions? We don’t exactly know. I recently wrote an article entitled “Privacy, a schmuck problem”, about a comparison made by an American team between sexual revolution and what is going on with privacy. Forty years ago, women could not wear miniskirts without being accused of incitement to rape and declaring homosexuality would provoke someone’s face smashing. Mentalities are not the same anymore. Some laws were voted. Activism led to wearing miniskirts without being indicted for incitement and telling one’s homosexuality doesn’t necessarily imply someone’s rage.

MV – Are we at a disinhibited digital stage?

JMM - What has to be clarified relates to the part of control we’ll keep for ourselves over the network. Would all this data be rendered available to merchants, policemen, public services and administration and would not there be any pending transformation of some Big Brother-like self-censored totalitarian system kinds. This is a real political issue.

MV – Do you agree? We’ll listen to your opinions and then we’ll take another question.

SL – I’m a course instructor and conference presenter on these topics: privacy protection on the Web, traceability of individuals. When I start a new course, I am generally seen as a schmuck in front of the students. They stare at me wondering what I could tell them? Things like the Internet is dangerous, especially with all the pedophiles around. By the time I close a course, students come to me and say they will terminate their Facebook profile. In general, I explain to them that it is already too late. However this effort to inform is very fruitful. People strongly react against the Edwidge file. Young people are currently no more ready than aged people to let recruiters find photos of them drunk while they run as a candidate for a job. They don’t accept it better than people of the previous generation. It is this effort where the CNIL is concentraing. It has preserved a worthwhile policy concerning traces for years and the CNIL is not the only relay. In my opinion, this information has to be loudly broadcasted.

MV - MM then JLD.

MM – I would like to return to the comparison made with the living. The CCNE gave two outstanding judgements, the first for biometrics and RFID and the second for using DNA. The DNA ruling was for paternity tests when they were introduced in the 2007 law. About facing long term problems with research projects, it has to be underlined that these projects have clauses. It started with parity between partners working on European projects. There had to be as many women working on the projects as men. Beyond these immediate palliative measures, the consent appears. Knowing if the consent is free overpasses communicating about it. And the consent is not free, not for administration nor for police filing. It is not free either for private filing. I don’t really agree with the parallel made between sexual revolution and privacy on the Web as sociologists proved the existence of a great mastership of Facebook users for their data. They are not young children but young active people (about thirty) who want to exhibit themselves by having a clear conscience. Let us return to the first TV reality show (Loft Story), we heard of it equally in the news. There were lots of exhibitions. The social consent existing behind it is the commodification of bodies and intimacy. With the living, there are debates about surrogacy. We apprehend this commodification. We can fully understand it and we can have arguments about selling a belly. I don’t ask any question now but I ask the following ones to my students. Who doesn’t use a free mailing box (Gmail, Yahoo!, Hotmail whatever)? Who doesn’t use free services? Who ever rejected giving away some personal data to take advantage of a service? One immediately receives the benefits of services while providing few details of oneself. The consciousness raising of the data collection, the possible interconnections and resulting portraiture comes later. Different reaction periods are at stake. In 1996, I offered already a solution commented as soft insanity. The fundamental question is: Can we make people happy without their consent? If we can, then we should think of an “holification” of personal data and intimacy. We are not talking about vital data but patrimonial and geolocalization data, with bodies taken as identities with their biometrics and DNA. This is very close to debates occurring with the living and body intimacy might be an argument to forbid collecting and processing some personal data even with consent.

MV - Could not we equally compare GMO with nanotechnologies? JLD, IFP and the public then.

JLD – Just a quick idea, specific clauses appeared in multimedia for disabled people so that they can access the services. We have to abide by some terms. There are cogitations in European projects with ethics committees delivering recommendations, which are sometimes a bit surprising. We have a program extracting the largest amount of information possible from a face, like age, eye color, etc… We were asked not to discriminate men from women as it was considered as not acceptable by a committee.  As a result, we didn’t work it.

MV – IFP?

IFP – I believe this concept of personal data has completely evolved. It was absolute before (protected by the 1978 law) and now it is subject to negotiation. There is a big difference today and in the way we are now referring to the capital of personal data dwelling around all of us. This approach is closely a proprietary one. Some even say they are owners of such data, and whether there is consent or not,  they should be able to do whatever they want with it. We recognize the debate of the human body: if there is consent, then we should be able to lease a belly. Some can not cut one’s harm but… We know that laws about reproduction cared for by the state, and bodies not belonging to anybody (in France) were constructed against this on behalf of higher principles. I wonder if personal data are about to be added to one’s patrimonies, since they belong of course to our intimacy. Should not we be reacting here? There are worries welling up in the polls: the first fear concerns personal data. There is confusedly something. At the same time, it doesn’t prevent them from consuming services. Some of us will wake up soon or later. Should not there be a stronger corpus of renovated and unalterable principles of privacy by letting individuals make separate choices, not just one for everything?

MV – Sir?

Man - Hello, I’m a member of the organization “Democracy and Freedom” objecting to the plan of camcorder installation in Paris. I would like to return to the technological argument. Video surveillance is clearly feeding a race for progress as we have heard with Mr. JLD. It is all about a sequel of new devices bearing the lacks of previous devices.

JLD – You see it as if applications were driving researc,h but it is not always true. We want to progress in image analysis. It is our first goal then that this analysis can serve different purposes (medical imagery, video surveillance etc.). We naturally talk about biometrics and video surveillance today but the first goal of most of researchers is not about improving specific applications. We are willing to improve audio, video and signal processing. I believe there is a little misunderstanding at this level.

Man – The problem is that technological arguments are provided by the chief constable, for instance, emphasizing the old systems obsolescence and inputs of the new devices. As I follow news about camcords, I found a funny picture of a policeman from the 60s with his stick and cape. We moved to analog camcords. As they were inefficient, we moved to digital camcords which are magnificent.

JLD – Video surveillance didn’t trigger the digital revolution. We moved from analog devices to digital devices for many reasons.

Man – Well, I want to express your participation to be a headlong rush. When talking about digital camcords, you said while someone is moving, it is difficult to see his face and a facial technology has to be developed as a compensation and so on. The next argument could be skin color and ethnical statistics from videos. We clearly discern an unstoppable dynamic here. Technology is seen as a solution, but not humans?

JLD – This discussion is very interesting, but we can get pretty far that way. For each technological progress, there are new issues (positive, and negative ones as well). I agree with you. What should we do then? Should we end research? It is a society problem.

MV – SL.

SL – I understand the argument of headlong rush. However I don’t think technologies are the main arguments of politics. For videosurveillance, we know camcords of the market are not satisfying, for instance in terms of individual spotting. Technology doesn’t tell the chief constable that what exists today will work to find Mr. X on the street Y because he attacked Mr. Z, and it won’t prevent the political decision. It is exactly the same with RFID, consisting in telling the citizens they’re taken care of and their privacy is as well. The RFID chips can be disabled, but there is a big advantage for them as consumers at check out time. The big benefit for supermarkets is about making logistical decisions and profiling consumers in real time. The benefits are a little bit unbalanced, but let us assume people can check out more quickly. Public powers aware of privacy issues could impose requirements where the chips are disabled after checkout. In the present state of things, the government has already authorized the RFID deployment over the market, but the technology can not guarantee these tags being disabled after checkout. The only way how to really disable a tag after checkout consists in breaking it.

MV – JMM.

JMM – I take the example of a company called Visiowave created by Swiss students. They wanted to carry TV on the Internet. Image compression algorithms were developed. In 2001, the dot-com bubble burst and they wondered how to earn some money. They started to think of smart closed-circuit television. Visiowave was bought by TF1 and it is quite funny that TF1 might become the world’s number one smart television channel. Since then it was sold to General Electric. I’m talking about it because Visiowave is the system sold to RATP to equip buses. What was TV became videosurveillance and might return to TV with an inverted channel (news broadcasted in buses). The same system deals with videosurveillance and advertising. There is indeed a headlong rush with these technologies creating usages depending on the market needs. Some researchers are trying various experiments and we wonder what to do with the results. By meeting the CNIL people, I notice they are facing similar issues. Technology progresses fast and the political choices in terms of regulation affects what is related to security or emotions (to get elected again) instead of willing to be efficient. Don’t we go to far? Isn’t it too dangerous? Is it too late for the politics when they start snatching at these questions?

MV – Sir, good night, a new question?

Man – My questioning concerns the company Google. Today, thanks to their free accounts, we can take advantage very easily of emails and standard searches. A panel of services, such as the calendar application, allows them to know where we are and when. Advertising is contextual. Youtube allows them to know what we watched. Google books provide them with information about what we read…

MV – What is your question?

Man – What matters the most thanks to the analytics part is that even sites consulted directly without using Google search engine, are related to logs taking advantage of google accounts if a session has been opened. What do you think of the behaviour of this company which claims today keeping “don’t be evil” as a motto?

With cloud computing, individuals with average or even basic computing skills have been able to make use of high tech applications, software and other technologies. In turn, this has increased productivity and encouraged interaction between different users and platforms. However, it has also created a nebulous area within data protection laws concerning data ownership, access and privacy rights. Far more of an individual’s information and data may be available to third parties and the public than they may realize.

What is Cloud Computing?

Cloud computing is a broad concept which contains many types of technologies, applications and systems.

The official definition from the National Institute of Standards and Technologies states: “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

More simply, cloud computing allows users to use the Internet to make use of a an application, software or service. In this way, a user does not need to have the computer expertise or the storage or networking capabilities to utilize highly technical applications.

Cloud computing contains many layers:

Cloud Clients are hardware systems which make use of the cloud. This includes Mobile clients such as the iPhone and Windows mobile and Thin Clients which have limited processing power and use network connectivity to perform most functions.  They also include Thick clients such as the typical computer which conduct many processes without connection to a network. Thick clients use web browsers to make use of cloud computing technologies.

Cloud Applications include peer-to-peer programs such as Skype, and web applications such as Twitter and Facebook. It also includes Security as a Service and Software as a Service (SaaS) which provide small businesses with security and business management related software on-demand, through the Internet.

Platform as a Service allows developers to create and support their own applications through the Internet and does not require the personal use of their own network or storage capabilities to run or host the application.

Infrastructure as Service allows users to purchase all outsourced computer services from one vendor on a per use basis instead of paying for each service individually.  

Risks Involved with Cloud Computing

Privacy Risks– In current U.S. information privacy law, particularly the Electronic Communications Privacy Act, data hosted with a third party is not as strongly protected as data stored on an individual computer or network.

• Under current data laws anything posted to Facebook or Twitter, any messages sent through Gmail or other web based email providers, any document shared with Google docs, basically any information uploaded to cloud computing services, can potentially be subpoenaed by law enforcement officials, as provided for under the Patriot Act, without ever notifying the consumer.
• Because technology has grown faster than the government’s ability to regulate it, there are fewer legal regulations protecting data in the cloud from unauthorized use and disclosure and few systems in place to investigation and prosecute violations.

Vendor Risks– As more businesses use Software as a Service to complete business functions, they need to make careful decisions regarding the vendors they use.

• Reliability– Placing data in the cloud means that a business relies on their vendor for business functions. Problems with a vendor, such as data outages, bankruptcy or legal issues may result in disruption of business activities.
• Accountability– Service Level Agreements or End User License Agreements should be signed to protect both parties. These are agreements created between the provider and consumer of a software or service which outline the responsibilities, capabilities and rights of each party.
• Transferability– While it is convenient to upload data to a cloud service so it can be accessed anywhere, such services are notorious for creating difficulties in downloading data. As of now, there are few services that allow bulk downloads, which means data may only be downloaded one or a few files at a time. Furthermore, some services may charges fees for you to download the data. This may make it extremely difficult to switch your information to another vendor.

Accountability Risks– Though data may be placed or serviced by a third party, the consumer is still responsible for the security and integrity of the data.

• Since the user will not have personal control over which individuals are given the authority to access and service their information, users should look into a vendor’s hiring and employee policies. Many cloud services deal with sensitive or protected and data and it is the responsibility of the user to make sure their information is adequately protected.
• Because data is not stored locally on the user’s computer, often the user may not know the exact location of their data. It is possible that a vendor may store data in facilities located outside the jurisdiction of U.S. or E.U. data protection laws. Users should check a vendor’s policies to make sure they comply with all information privacy regulations.  A breach to these regulations and any resulting unauthorized disclosure of a consumer’s personal information, will be the responsibility of the user and not the vendor.
• Even with the faster, more reliable, more secure systems that cloud computing offers, there may be incidents of data loss, unauthorized disclosure and misuse. Users should work with vendors that contractually allow for investigations into such incidents and have a history of looking into such incidents. Users should also be aware that investigations with cloud computing services are often extremely difficult because information is stored on various hosts and servers alongside the information of many other users as opposed to personal networks and applications which have a smaller number of storage facilities and system users.

Data Loss- While using a cloud service may prevent against the loss of data should a user’s computer or storage facilities fail, it also creates many more opportunities for the loss of data.

• Data on web based service networks is stored along with the information of hundreds, thousands or even millions of users. While encryption is widely used to protect data it does not guarantee complete safety. Wrong encryption can occur creating data that is completely unreadable and/or unrecoverable. A user has little control over the technologies and methods used to protect their data when using a cloud computing service.
• Data outages and natural disasters can wreak havoc on a user’s ability to utilize a service. In October 2009, a number of T-Mobile Side Kick subscribers lost important information such as their contacts, calendars, and other data involved with applications when Danger, a Microsoft Service, experienced outages and data loss. Users should be aware of a service provider’s policies for disaster recovery management.
• Data stored by a third party can potentially be made inaccessible or destroyed by that party. Amazon recently deleted a number of purchased copies of 1984 from Kindle users computers during a copyright dispute. While the action was not an attempt at censorship, the incident raised serious issues at the rights of e-book owners and the potential for censorship in the future.
• Similarly some services, like Flickr, limit the number of uploaded documents that can be accessed unless a paid account is purchased. Other services, such as Facebook and Myspace fail to delete photos and other data immediately after the delete request has been made, and may take months for the data to be completely removed. This denies users the ability to control the destruction of their data.

Summary:

Cloud computing has been a remarkable development in computing technology. It allows for high levels of specialization so that a small group of individuals, with expertise in a particular area can create a specific service and make that service widely available through the Internet. Such specialization has created giant leaps in technological capabilities. It has made information mobile, across locations and devices and revolutionized the way people share, store and consume information. However, it does not come without its risks. Until information privacy laws can catch up with the changes in technology, consumers must be personally responsible for learning about, monitoring, and protecting against the risks associated with sharing data in the cloud.

The other day I went to the video rental store. Yes I know. Everyone just downloads now, but I hadn’t seen “Valkyrie” and it wasn’t on our provider’s movie list anymore. I never seem to get around to these until everyone else has already moved on. So I drove to the only remaining movie rental place that is still standing and proceeded to peruse the aisles. Finally, I was ready to check out with not one, but, yes, four videos.

I go to the check-out counter. It has been so many years that we are no longer in the computer. He asks me to fill out their form. Being a member is required. Now let us remember that these are videos. The form wants the following: name, address, phone number, license number, social security number, credit card number, and signature. I pause. Are these really videos or am I in a James Bond movie and these are video-guns? How cool is that?

I start with simple questions…

Me: Why do you want my address? I’m putting this on a credit card.

Clerk: We need to know where our videos are.

Me: Hmm. How do you know I am taking this home? (OK, I’m getting a little obnoxious, but it’s true)

Clerk: I need an address.

Me: There is an awful lot of personal data on this form. Do you lock these forms up at night?

Clerk: No, but no one comes in at night.

Me: I can’t give you all this information.

Clerk: It is required to rent the video.

I pause. I think I can purchase a gun at a gun show with less information. I continue to negotiate with the clerk. He agrees that the credit card information is not required on the form as it will be entered on the order. I pause. I look at “Valkyrie”. I surmise I can purchase a used copy for the same price. I bid the very confused clerk farewell.

Man – My question is closely related to your last topic, perhaps a little bit provocative : there are politics, technics and ethics. There are ethics committees, decision makers handle politics and technicians determine what can be implemented. From what you have said since the debate started, we are quite far from responding to every ethical issues raised by new technologies. We can focus on epiphenomena but in general all of us are controlled in different ways. Mobile phone usage makes locating anybody at any time possible. I don’t see how this could be prevented. Besides, even when they can be prevented, nothing is done. For instance, I don’t know what the current status of social filing is but I don’t see it as overused…
JMM – Ten interconnections between social databases were made last year.
Man – Yes, exactly and each database has to be a social database since it contains data about individuals. I don’t know if any policeman at any police station can get access to any piece of information about anybody.

MV – Respecting ethics, JLD, you are a researcher designing new technologies. You can probably explain to us in few words what you do with faces in biometrics.
JLD – We try to integrate dynamic parameters with faces. Today, facial representation works well if camerawork is kept relatively simple (frontal, good lighting conditions etc.), which is rarely the case when people are walking along a corridor… To improve the “scoring”, we add the dynamic facial parameters, the way how one smiles, the way how one talks… combined with gaits.
MV – So, you design these instruments?
JLD – We try to get rid of these locks then…
MV – You are quibbling… You design these machines serving security and surveillance.
JLD – I don’t have such a vision. I am maybe a little bit naive as I am a scientist.
MV – I’m not blaming you… It is a fact.
JLD – I don’t have such a negative picture in mind.
MV – It’s not negative…
JLD – I find all these questions very interesting as we need to raise the possible negative aspects and I am entirely fine with it. It is great that there are people for doing it. However I see also positive aspects. About RATP, I think they do really want to improve security. Customers are asking for it, customers who are taking the RER (the transit system) everyday in the suburbs wish rightly or wrongly more security.

MV – Perhaps we will return to the perception of security a bit later. Do you, as a researcher, feel concerned about ethics and when does one start wondering about the related issues?
JLD – Rather quickly as…
MV – Basically, it may look a bit like Einstein inventing the nuclear weapon and then…
JLD – No, no… First of all, I am here for discussion. Researchers are used to discussions with other people and it is very nice. The ANR (the National Research Agency) encourages us in working with people from other areas, which we do willingly. We ask ourselves questions as citizens as well but there are different levels. Research depends on mathematical foundations, signal processing etc. which is rather independent from applications. I’m providing you with a single instance: we examine faces to recognize skin colors. There are equal requests from people developing virtual makeup software and those who want to retrieve someone’s ethnic origins. From a mathematical approach, both these requests are nearly the same. This is just an example enlightening how ambiguous research can be and how different the applications are.
MV – MM?
MM – I come to rescue my colleague, a computer scientist who risks being the bad guy in this debate.
MV – Not at all!
MM – As you referred to the ANR, we need to realize that we are aiming at more and more contracting activities in research areas. If we want simply to conduct our research with scientific goals, we have to submit our projects with the nice phrasing so to say that it can be immediately useful, for technics in security, for biometrics, for improving video surveillance, for making it smarter and then it works. We get money for conducting our research and if we don’t do this, we don’t get the money. The problem remains upstream. Above all in the following areas: in computer science, in micro electronics, in nanoelectronics now, we are forced to promote public-private cooperation, otherwise nothing is done and we fold our arms (and I say we for solidarity even if I am not in this area anymore). We fold our arms, we can not lead projects, we can not take Ph.Ds. All this makes sense and it’s comforting. I have seen myself, projects submitted to the ANR involving a partnership with the gendarmerie for experimenting filtering technics. These projects are always submitted by taking into account the best objectives in the world, for our old people not losing themselves on the bus, for producing makeup as white skins won’t react the way how coloured skins would – nevertheless there is ethnic profiling behind it. Biometrics resellers vindicate buying their products with the best arguments: for instance, on asian and african markets for improving transparency and democracy during election periods since there are no well-structured vital statistics in these countries and there is not really any voter register. So we always have the best arguments, but the root of the problem is not related to this or that technique.  Though each technique has to be investigated properly, it resides in massive, systematic usage of these techniques and their interconnections. This is where problems are originate.

MV – Short answer to take another question.
JMM – Another instance comes with the GIXEL (Electronics Industrial Group). A few years ago, a blue paper informing about what had to be done for developing the industry, was addressed to the government. According to this paper, people are scared by video surveillance technologies, biometrics, RFID and control technologies. People see “Big Brother” when told about them and this act as a brake on their business. It was explicitely written that, to develop their industry, we had to deploy RFID, biometrics and video surveillance devices with kindergartens and nurseries, so that parents and children can get used to these technologies, would stop seeing “big brother” and not to be scared anymore. When this was pointed out at one of the Big Brother Awards sessions, the blue paper was published again, with the sensitive parts removed. This is one of the issues industrials are confronted with and how they try to infiltrate into our minds. Since then, we have seen nurseries with biometrics devices…
MV – There are also these wristbands in maternities…
JMM – There are now RFID wristbands, supposedly preventing kidnapping.
MV – We’re are in the same field…
IFP – I would like to answer the question, which appears absolutely fundamental to me. In the background, we notice the rise of the technologies and we wonder what can be done. I think the situation is very different from the one we had in 1978 when the CNIL was founded. In some way, everything was quite simple in 1978. There were large scary public files. The CNIL was mainly established for controlling these files. Today the “threat” is totally decentralized. There are still these public files. M. Manach told us they keep expanding. Moreover there is personal information everywhere which are not even put together as files (this is the newest part) but are available. Each of us even offers it. The processing tools help in making scripts out of them. This is how these kind of smaller files are formed. We understand intuitively the solution has to be different. The CNIL as a regulator has to adapt and this adaptation is on its way since 2004.  But the global chain has to follow the same logic. That’s why I was insisting on individuals having a role to play in terms or personal data protection and companies as well. Each link of the chain has to play a role in terms of the security-freedom balance.
MV – We are going to develop the topic with chip usage inside companies. JLD, a few words and another question.

JLD – I agree with the fact that Europe, and France in particular, deliver invitations to tender and organize research. They influence decisions as they launch proposal invitations, but sometimes we reply to invitations which are not really expected and we suggest our own projects. For instance, I’m strongly interested in system reliability and I think it is crucial showing to the general public that systems are not one hundred percent reliable. Thalès played the game with a project aimed at demonstrating that impostures can lead to vulnerabilities in some biometric systems and soon we are going to receive the answer to our proposal.
Man – The question is about knowing where we are aiming.  And since technologies are moving very fast, we need to look upstream but nothing plays the role of the ethics committee (CCNE) in biological science, for instance when it comes to computer science. The CNIL has a regulating role and it has nothing to do with what the CCNE does. This comparison with Science of Living is relevant to us as there are technologies we didn’t want to develop. We said by thinking upstream, we don’t want reproductive human cloning. We stop research tending to point in this direction. Is there anything equivalent in Computer Science to a technology we would not like to develop?  Though without thinking ahead, industrials would shape it and there would be calls for proposal. To me, the facial recognition can be compared to the artificial uterus: this is something which will radically change security in our society and individual freedom. It is not perfectly running but there is money for funding it. It means there was not the same thinking upstream that one can find in biological science.

MV – Sir, did you have a question?

Man – What I would like to touch on, is not really a question but a topic: the human traceability inside Paris. It would be related to automated identification with RFID and biometrics.

MV – SL, isn’t it a topic you’re interested in?

SL – Indeed, this matters a lot to me. This kind of device, like a RFID chip in a biometric passport, comes from security needs. Since the 2001 attacks, it’s clearly all about protecting our countries from international terrorism so security measures are strengthened, particularly concerning our ids and at the borders. Does cropping our privacy guarantee our safety? There are very generic answers, clever surveys from philosophers, etc. about this issue. I’m not getting further into it but basically what we encounter very quickly is that these devices that are supposed to bring us safety are producing security risks. For instance, this is especially flagrant with RFID chips within passports. There are endless security issues, which means we don’t know how to secure these electronic devices properly. These issues exist because of lots of technical reasons and economic reasons as well. The technology is not mature enough presently for offering a satisfying result. On this point, we could accept the situation, as traveling documents have never really been fully secure even when it was only about a piece of paper. Convincing oneself about it would just require checking out how often the formats of such documents are renewed, for adding additional security assets. In this current configuration, we are forcing the introduction of a device which encompasses vulnerabilities and we don’t necessarily look for how to fix them because these agreements made about adding RFID chips in passports are agreements made at an international level and the United States of America was not insisting on a satisfying level of security. Another reason is that adequate investments in cryptology were not accepted. Such investment would have enabled securing these passports, or securing them further anyway. All this might look circumstantial, but the truth is that offering security means at the expense of security itself, is still annoying.

Woman – Excuse-me, just a short question… What exactly do you call vulnerability?

SL – Well, I’m going to provide you with a basic example with regards along with passports: two or three months ago, Elvis Presley crossed the Netherlands border.

JMM – I have another instance: two years ago, computer scientists created a bomb prototype which explodes exclusively nearby American passports. If you’re American and you’ve got the passport, the bomb explodes, if you’re not and you don’t own such passport, nothing happens.

MV – IFP, what about about RFID chips as we’re referring to it in the frame of Paris, as our guest was probably thinking of the Navigo pass and the occasions we have of using it?  What does the CNIL say about the data which are embedded in these chips?

IFP – Before talking about RFID I just would like to react in relation to the passports and to confirm that all discussions we have about them are not national. Of course, some decisions of standardization were taken at the international level and France had to take part in these discussions and to adapt its own (transport) titles. We made choices which are more maximalist than the ones made on the international scene, which is absolutely true but every country is heading to this kind of traveling documents. On another hand, in response to SL, I would like to mention that the market is not only originated by the state. There is a global market, there is a market of fear and technologies are there to respond to this market. All of us (individuals, states, companies) are accomplices of this market. Here is an example: the CNIL was recently seized about an organization taking care of disabled seniors with extremely reduced mobility. There is a bus picking up these people and some of them lose themselves because of being disoriented. Their families asked us about providing them with electronic tagging, instead of employing someone who would make sure each individual gets off the bus exactly at the place where he or she is supposed to. As things are kept simple this way, without worries, we would be automatically warned each time something would go wrong, each time someone would accidentally leave a perimeter of movement. We must realize, all of us are sustaining this market one way or another from our different fears. As a result, if in our opinion this market is too broad, we all (and the state particularly) have to assess our real needs about RFID.

MV - At the local level…

IFP – At the local level, of course, the CNIL is extremely vigilant relatively to this new technology allowing smart labeling. We might find it anywhere. It would allow theoretically any item communicating with you. You are in the street, you go before a poster and this poster sends you a message onto your phone asking you if you’d like to receive an advertisement or you walk before a shop, a chain store, you receive a short message and you might be interested in opting in for some services since you might get some discount in this shop… These technologies are obviously attractive for the general public. The CNIL doesn’t have a general solution for RFID but case-by-case answers depending on the variety of existing applications.

MV -Fine! We are about to see what is linked to citizen rights with SL concerning personal data in this chips. JMM, you had a reaction to share before moving forward with the next question?

JMM -About traceability at the level of Paris, there are camcords but they are not “smart” currently, not in the public area, at least. They are not paired with software capable of individual identification. But the RATP (Autonomous Operator of Parisian Transports) also has camcords belonging to its realm including buses, that are connected to a face recognition system, which is officially not activated yet. When will they activate it? Will they activate it? I don’t know. Anyway, you were referring earlier to the state of the art in terms of biometric recognition with video surveillance. It is not perfect yet. There are still many failures but many researchers are working on it. The other issue consists in the RFID chip contained in the Navigo pass which was imposed on everybody without any explanation. As a journalist, I was wondering why and I never received any answer. Nobody is telling why it was enforced. The Navigo pass stores the three last distances you have traveled. The data are deleted after 48 hours or 24 hours whereas the CNIL permits keeping them for 3 days at most. Each time the CNIL asks for some data on behalf of the police, the RATP needs an approval from a rogatory commission. The time needed to transfer this approval lets the data be deleted. Therefore, officially the RATP cannot reply positively to any police request. Today the infrastructure exists and it is all about making decisions for more traceability, keeping the data longer, activating the smart video surveillance systems and transforming the public RATP area into an even more totalitarian sphere. I said it is just about making decisions as the FNEG (National DNA File) was originally created for fighting against multi-recidivist sexual criminals and pedophiles, highly violent people. In few years, this file was extended to nearly all the crimes and derelicts. I believe that there are presently 125 or 135 crimes or derelicts which are concerned with the FNEG. So few years are enough for extending something dedicated to multi-recidivist criminals to the entire population. Maybe a particularly odious crime in the RATP area would trigger the activation of the smart video surveillance system and the traceability of anybody. It’s perhaps a political decision which might come from a news item and it depends also on the business. It’s a bit expensive. The technology is already inside the RATP anyway.

Guests :
Isabelle Falque-Pierrotin (IFP) – Vice-president of the French Data Protection Authority (CNIL)
Stéphanie Lacour (SL) – CNRS researcher
Meryem Marzouki (MM) – CNRS researcher
Jean-Luc Dugelay (JLD) – EURECOM researcher
Jean-Marc Manach (JMM) - internetactu.net

MV – Are there topics you are particularly interested since the scope is extremely large ?

Woman in audience - I would like to know about the “1000 camcorders in Paris” project (actually concerning 1226 camcorders in Paris implanted in addition to the ones already deployed today).
Is it possible for the CNIL to self-refer on this issue and call the government and the Paris Town Hall? We know the latter approved the project which is very expensive and poorly efficient. At least, this kind of information circulates at the League of Human Rights. Furthermore, do we have figures about financial fallout for companies offering these technologies, not only the political benefits but also the economic benefits for all these companies?

MM – So IFP, on behalf of the CNIL:

IFP – Indeed these surveillance devices are literally blowing up (confirmed by the referral of CNIL statistics). The CNIL is only competent for a subset of them, located in private areas (in this case, probably not those pointed out), or using biometrics and processing techniques justifying the CNIL mediation. Regarding the surveillance devices on public thoroughfares, the law of 1995 states a prefectural authorization is required to set up the devices making the global legal architecture quite opaque in the eyes of the citizens. As many of them direct apprehensions to the CNIL about video surveillance and video protection, the institution made a proposal to the government for reconsidering these questions, providing with more transparency and strengthening legal inspections as the CNIL today does not have the authority for regulating the prefectural devices.

MV – Are there business figures about these technologies? We are not going to give them in detail as doing so would be tedious. However we know very well for instance how the biometrics market pays today. Who would like to give us an answer here?

MV – MM ?

MM – Today (2009) relatively to biometrics apart from DNA (as DNA analysis constitutes another market), the market raises $3.5B and the predictions from an international group of industrials and consultants are around $9.5B in 2014. Even more important than the figures, I’d like to specify which are the sectors draining the market. At the international level, then at the european level and eventually at an operational level in France and elsewhere, we notice a market structured by the government decisions on account of the biometric passport adoption. Opting for biometric id projects will organize the market. Choosing a biometric identifier like the facial recognition (digitized faces) is forming part of the process but also at the international level is brought up the question of picking out fingerprints or eye iris scan as a second identifier. Why does it put up political and economic issues? Simply because of the nature of the world leader in fingerprint technology, our industrial champion: the Sagem Défense Sécurité group. Who was the owner of the patents over the eye iris scan at the time of these discussions held since 2002 in the middle of INTERPOL meetings? Anglo-saxon companies. Consequently, during an INTERPOL meeting in lyon, Nicolas Sarkozy, who was the Minister of the Interior, declared “the fingerprint technology is the French tradition, we are going to keep this technology” (quoted in the press). France and Germany were pro-fingerprint technology and the United Kingdom, in connection with the U.S.A., was in favor of the eye iris scan. These sectors are the ones draining the market.

MV – The tradition following the industry.