
Justifications for Privacy Protection


Social Networking and Privacy Protection: What if Anything has Changed? Lecture to Meiji University, Graduate School of Commerce and Japanese Society of Information and Management, August 9, 2011.


Social Networking and Privacy Protection: What if Anything has Changed?

Lecture to Meiji University, Graduate School of Commerce and Japanese Society of Information and Management, August 9, 2011


Justifications for Privacy Protection

• As a Right of the Person
  – The “Right to be Let Alone” (United States)
  – La Vie Privée (France)
  – Privatsphäre (Germany)
  – Puraibashii (Japan?)
• As a Political Value
  – A Check against Powerful State and Private Organizations
• As an Instrumental Value
  – To ensure that the right data are used by the right people for the right purposes
  – To build “trust” in e-commerce and e-government

REGULATING PRIVACY: DATA PROTECTION AND PUBLIC POLICY IN EUROPE AND THE UNITED STATES 1992


JAPANESE TRANSLATION, BUNSHINDO (1994)


The Information Privacy (Data Protection) Principles

• Accountability
• Purpose identification at time of collection
• Informed consent for collection
• To limit use and disclosure (finality)
• Retention limitation
• Data quality
• Data security
• Openness about policies and practices
• Individual access and correction


These principles appear in:

• Comprehensive data protection laws in around 40 countries

• Sectoral Legislation in information intensive industries

• International agreements from Council of Europe, OECD, European Union, Asia-Pacific Economic Cooperation

• Self-regulatory codes and standards


The Governance of Privacy: The Privacy ‘Toolbox’

• International Instruments
  – Council of Europe Convention (1981)
  – OECD Guidelines (1981)
  – EU Data Protection Directive (1995)
  – APEC Privacy Principles (2004)
  – Mercosur
  – Organization of American States (OAS)
  – International Management and Technical Standards
• Regulatory Instruments
  – Data protection law in over 40 countries
• Self-Regulatory Instruments
  – Codes
  – Standards
  – Seals and Marks
  – Privacy Impact Assessments (PIAs)
• Technological Instruments
  – Privacy by Design
  – Privacy-enhancing technologies


Lessons learned in 40 Years of Data Protection Policy

• There is a convergence of policy goals and common consensus on what it means for the responsible organization to protect personal data – the fair information principles.
• An increasing recognition that a diversity of instruments is necessary
• Information privacy (data protection) is more than information security
• Rules must be “technology neutral”
• Comprehensive information privacy/data protection law is essential – public and private sectors, manual and automated data
• BUT it is not sufficient – law must be combined with self-regulatory and technological solutions, and it must be supported by sympathetic public opinion, supportive organizational cultures and civil society advocacy


WWW.PRIVACYADVOCATES.CA

“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people…That social norm [privacy] is just something that has evolved over time.”
Mark Zuckerberg, CEO Facebook, March 2010

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
Eric Schmidt, CEO Google, December 2009

Challenges from Social Networking…


http://www.vincos.it/world-map-of-social-networks/


Top three Social Networking Services (SNS) by Region

COUNTRIES        SNS #1       SNS #2          SNS #3
AUSTRALIA        Facebook     Twitter         LinkedIn
CANADA           Facebook     Twitter         LinkedIn
FRANCE           Facebook     Twitter         Skyrock
GERMANY          Facebook     Twitter         Xing
ITALY            Facebook     Badoo           Twitter
JAPAN            Mixi         Gree            Mobagetown
RUSSIA           V Kontakte   Odnoklassniki   LiveJournal
SPAIN            Facebook     Tuenti          Badoo
UNITED KINGDOM   Facebook     Twitter         LinkedIn
UNITED STATES    Facebook     Twitter         LinkedIn

Adapted from www.vincos.it (June 2011)


www.internetworldstats.com


SNS vary along a number of dimensions


NEW PRACTICES AND OLD STORIES

• FUNCTION CREEP
• CORPORATE OPACITY
• CORPORATE MISMANAGEMENT AND SLOPPINESS
• INTRUSION AND SURVEILLANCE


Function Creep

“Function Creep is what occurs when a technology designed for a specific purpose ends up serving another purpose which it was never planned to perform”


Citizen vigilantism


Insurance claim enforcement


Employee screening


Political accountability


CORPORATE OPACITY


Defaults


Facebook Recommended Privacy Settings, July 2011


Facebook privacy settings, July 20, 2011


CORPORATE MISMANAGEMENT AND SLOPPINESS


INTRUSION AND SURVEILLANCE


Risks to Privacy

• Cyber-stalking
• Cyber-bullying
• Reputational Damage
• Identity Theft
• Commercial Exploitation

(from www.cippic.ca)


SO WHAT IS BEING DONE?


THE UNITED STATES

• Complaints to Federal Trade Commission, December 2009 and May 2010 by Electronic Privacy Information Center and broad coalition of public interest groups

• Complaint to FTC (June 2011) about online tagging using facial recognition

• 2011 California Social Networking Bill


CANADA

• On May 30, 2008, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed a complaint with the Privacy Commissioner of Canada concerning the “unnecessary and non-consensual collection and use of personal information by Facebook.”

• On July 16, 2009, the Privacy Commissioner’s Office found Facebook “in contravention” of Canada’s Personal Information Protection and Electronic Documents Act.

• September 2010, Privacy Commissioner announced that Facebook changes “reasonable and meet expectations of Canadian law”

• October 2010 Privacy Commissioner launched a fresh investigation into the privacy policies of Facebook Inc. after it was revealed that some of the most popular applications had been transmitting the personal information of users to dozens of Web tracking firms.


EUROPE

• Articles 25 and 26 of the EU Data Protection Directive (1995) 95/46/EC
• Personal data should not be transferred outside EU unless there is an “adequate level of protection”, which requires:
  – Basic content principles: Purpose limitation; data quality and proportionality; transparency; security; rights of access, rectification and opposition; restrictions on onward transfers
  – Procedural/enforcement principles: good level of compliance with the rules; support and help provided to individual data subjects; appropriate redress provided to the injured party
• Administered by Article 29 Working Party of Supervisory authorities


European Union Article 29 Working Party

• SNS providers are data controllers under the Data Protection Directive. They provide the means for the processing of user data and provide all the “basic” services related to user management (e.g. registration and deletion of accounts). SNS providers also determine the use that may be made of user data for advertising and marketing purposes - including advertising provided by third parties.

(Opinion June 2009)


Safer Social Networking Principles for the EU (2009)

• “Principle 6: Enable and encourage users to employ a safe approach to personal information and privacy. Providers should provide a range of privacy setting options with supporting information that encourages users to make informed decisions about the information they post online. These options should be prominent in the user experience and accessible at all times. Providers should consider the implications of automatically mapping information provided during registration onto profiles, make users aware when this happens, and should consider allowing them to edit and make public/private that information where appropriate. Users should be able to view their privacy status or settings at any given time. Where possible, the user’s privacy settings should be visible at all times.”

Developed by SNS providers in consultation with the EU Commission
http://ec.europa.eu/information_society/activities/social_networking/docs/sn_principles.pdf


Art. 29 Opinion on Consent (2011)

• “According to the European data protection authorities, consent requires the use of mechanisms that leave no doubt of the data subject’s intention to consent. Therefore only statements or actions, not mere silence or inaction, can constitute valid consent. For example, when a data subject registers with a social network and the default settings of his or her profile make all personal information viewable to all ‘friends of friends’, it cannot be inferred that this user has given his or her consent.”

http://ec.europa.eu/justice/policies/privacy/workinggroup/wpdocs/2011_en.htm

“Member states shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with [the Data Protection] Directive 95/46/EC, inter alia about the purposes of the processing.”

Recital: “Where it is technically possible and effective, in accordance with the relevant provisions of [the Data Protection Directive], the user's consent to processing may be expressed by using the appropriate settings of a browser or other application…. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user.”

Directive 2009/136/EC: A New Cookie Rule?


What has changed in 20 years?

• Technological change
  – Miniaturization
  – Distribution
  – Convergence with the material
  – Biometric identification
• The routine capture of personal data
• Globalization
• The pressures for securitization
• The difficulty of distinguishing between personally and non-personally identifiable data


What has not changed?

• The values (personal, political and instrumental)
• The deep and abiding concern for people everywhere about their privacy
• The basic principles in information privacy law
• The obligations of corporations and government to abide by those principles


In Conclusion

• Social network users care about their privacy
• Even if they didn’t, it wouldn’t alter the obligations of data users to process personal data in conformity with privacy principles


THANK YOU VERY MUCH

www.colinbennett.ca