The year 2011 is almost over and it’s a wonder that we have any semblance of a private life left. Between the Playstation Network security fiasco, Canada’s Bill C-52 (aka “online spying”) and Facebook’s tracking cookies, our personal information is further out of our control than ever before. Here are what I consider the top online privacy issues consumers faced this year and what we learned from each of them.
Playstation Network Security Breach
In April, Sony experienced one of the largest security breaches in history. Hackers obtained the personal information of tens of millions of Playstation Network members. Names, birth dates and e-mail addresses were stolen, exposing its customers to identity theft. Although the intrusions were discovered on April 17 and 19, Sony did not disclose the breach until a week later, to much public outrage. The Federal Privacy Commissioner of Canada, Jennifer Stoddart, expressed her displeasure at not being informed immediately, as over 1 million Canadians were affected.
“I was very disappointed that Sony did not pro-actively notify my office of the breach,” Ms. Stoddart said, according to the text of a speech she delivered in Stratford, Ont., that was posted on her website. “However, since my office contacted Sony, the company has been very co-operative.”
After numerous false starts, it wasn’t until June 2011 that the Playstation Network fully resumed service; however, this was not the end of the company’s troubles. The Huffington Post reports that before the hacks, Sony laid off a “substantial percentage” of the employees in its Network Operations Center who were responsible for security, and that it was more concerned with protecting its own confidential information than that of its customers. Because of the delays in notification and the layoffs in its security staff, Sony is in the midst of several class-action lawsuits; it is estimated that cleaning up the mess will cost $171 million, covering security hardening of the Playstation Network, lawsuits, insurance, a downturn in sales, and compensation for its customers.
What Did We Learn?
When a privacy breach occurs, a lack of transparency will most often come back to haunt you. Inform your customers as soon as you have confirmed that their information is at risk, and tier the response if need be: those most vulnerable to identity theft should be contacted first, but you are still obligated to inform your entire customer base and to identify the steps you are taking to investigate and resolve the issue. And if you plan to maintain Internet-accessible databases containing your customers’ identifiable information, your security staff is not where you should be skimping.
On the consumer side, consider using a prepaid credit card when subscribing to a service that requires one to be stored. This limits your exposure if the number is ever stolen.
Bill C-52 “Lawful Access” aka Online Spying
The fall of 2011 unfortunately turned out to be an eventful time for privacy advocates and watchdogs. In August and September, fuel was added to the fire over Bill C-52 and its lawful access provisions, which would allow law enforcement officials to request identifiable information from ISPs without a warrant. Every Privacy Commissioner in Canada opposed the bill, but the most interesting battle appeared in print in one of Canada’s national newspapers, The National Post. The Privacy Commissioner of Ontario, Ann Cavoukian, faced stiff opposition from the Minister of Public Safety, Vic Toews, who compared the information being requested to what is found in a phone book. What the Minister neglected to mention is that the information isn’t publicly available, so not everyone has access to it; hence Ann Cavoukian’s stance that it is private information that should be protected. OpenMedia.ca, Canada’s watchdog for an open and fair Internet, also contributed to the highly publicized campaign to halt the lawful access provisions. Although the provisions were pulled, the Conservative Government continues to advocate the need for these additional powers to protect its citizens.
What Did We Learn?
When introducing a bill that tramples on the rights of Canadians and punches a gaping hole in PIPEDA, it’s probably a good idea to first consult the privacy commissioners across the country who specialize in this area. Minister Toews ended up taking his debate to public forums, where he was raked over the coals by privacy advocates across the country. We also learned that watchdogs such as OpenMedia.ca are essential for assisting the public and bringing issues that affect your use of the Internet to light.
As a strong advocate for online privacy, I’ve written an article on why privacy matters – a response to the many people who tell me that if I have nothing to hide, I should have nothing to fear from law enforcement authorities. But beyond those wishing to cloak illegal activities, there are many reasons you may wish to keep something private. An embarrassing moment, sexual orientation, and other factors could affect your public, private and political lives. Your personal and private information is the currency of the information age, so be vigilant about protecting it.
The Effects of Privacy Breaches Linger
Although Pennsylvania’s Lower Merion School District agreed in October 2010 to pay $610,000 to settle lawsuits over the school’s practice of spying on students via school-issued laptops, additional suits were filed in June 2011. The original investigation revealed that over 30,000 photos were taken illegally through the misuse of anti-theft software that activated webcams without the user’s knowledge.
What Did We Learn?
Use common sense: if you have software for a specific purpose, then unless you have first-hand knowledge that someone’s life is in imminent danger or that a heinous crime is being committed, you should not be re-purposing it for something else without first getting permission or legal counsel. Also, privacy breaches are the gift that keeps on giving – emotional suffering is difficult to squash, especially when children are involved, so be prepared to endure the situation for years. Be upfront about the capabilities of the equipment you provide as part of your school curriculum, use it only for its intended purpose, and don’t play criminal investigator unless law enforcement asks you to.
Social Networks and their Privacy Settings
LinkedIn introduced a new privacy option that you had to opt out of instead of opt in to. The professional social network added a “Social Advertising” setting that allowed companies you had liked or recommended to show related ads to your friends, complete with your photo or other personal information, making it appear that you officially endorse them.
Facebook didn’t leave 2011 unscathed with its privacy settings either. If you’ve ever synced your phone with Facebook, you may have noticed unwanted friends in your contact list who may or may not be on Facebook. Facebook assumed that since you were synchronizing your friends list to your phone, you would also want your phone contacts in Facebook. It would have been nice if they had asked, since you have just uploaded the personal information of people who probably never gave you permission to do so. You inadvertently breached their privacy. Luckily, BGR has a write-up on how to undo this.
In other Facebook news, the social network giant recently settled with the FTC over complaints that its privacy practices were misleading and that it shared user data when explicitly told not to. Facebook is now subject to privacy audits for the next 20 years and must make any change that would expose user data opt-in rather than opt-out.
What Did We Learn?
Social networks, especially free ones, need your personal information to generate ad revenue from their sponsors. Like it or not, by joining them you have given up some control over your personal information (and if you enter fake information, what’s the point if no one can find you?). Make it a point to review your privacy settings at least twice a year to ensure that only the data you want shared is being shared.
Facebook Tracks Night and Day – Even if you’re not a Member
Facebook officials are now acknowledging that the social media giant has been able to create a running log of the web pages that each of its 800 million or so members has visited during the previous 90 days. Facebook also keeps close track of where millions more non-members of the social network go on the Web, after they visit a Facebook web page for any reason.
So yes, they’re tracking you if you’re a member of their service. But they also track you when you’re logged off, and even when you’re not a member at all. You don’t need to have any agreement with them and they are still monitoring your web surfing habits away from their site. This has prompted US Senators to call for hearings to understand the issue further, and the social network is facing wiretapping lawsuits in multiple states over its tracking cookies.
Mark Zuckerberg, the CEO of Facebook, attempted damage control by saying that Microsoft and Google collect data behind their users’ backs as well, but the interview doesn’t do much to earn the company any sympathy. It just comes off as sour-puss finger-pointing.
What Did We Learn?
When playing the PR game, don’t point fingers at your competition. You’re the one under the microscope, and you should be trying to appear sympathetic to those who have concerns. Mark could have said that all Facebook was trying to do was provide the best experience possible and that they’re sorry if they went a little too far.
For future software developers and corporations entering the social network space: just because you can track someone doesn’t mean you should. Consider analog examples when thinking about implementing an electronic tracking solution, e.g. if I’m a store owner and I cannot track you once you leave my store, I’m most likely crossing the line if I track you once you’ve left my website.
The Privacy Breach that Went Away Quietly
If you’re a Delta Privilege member, you may be aware that Delta Hotels had a privacy breach of its membership database. The only reason I know about this incident is that my details were exposed; if you try googling it, you won’t find any information on the Web, nor any press coverage at all. The breach involved a database that was supposed to have been decommissioned in 2002, and the letter that was sent to me was quite clear on the steps they went through:
- Contacted the Privacy Commissioners.
- Indicated that my credit card information had expired.
- Provided an e-mail address to contact them for more information.
- In a follow-up e-mail exchange, I learned that they tiered their customer response based on the risk of identity theft. Since my credit card information had expired (and I’m no longer using that card), I was placed in the lowest risk category.
What Did We Learn?
Delta Hotels demonstrated that it has (or quickly assembled) a privacy response group that could identify the data that was stolen and segment its customer list into those who should be notified immediately and those who could wait, based on risk. Although I wish I had been informed earlier, I can’t argue with the steps they took. Judging by the lack of public awareness and press, the Federal Privacy Commissioner appears to be satisfied with the hotel chain’s notification and response efforts. Act quickly and inform regulators promptly to seek their guidance – hopefully this will reduce a PR nightmare to a whimper. The other lesson is to ensure your data retention policies are actually being followed: a database that was supposed to be decommissioned in 2002 should have been destroyed long ago if it was no longer in use.