Data Protection

Showing posts with label Data Protection.

Another Facebook fiasco – here we go again

 

From vnunet.com 16/07/08:

Facebook has accidentally revealed personal information about its members.

The social networking site divulged the dates of birth of many of its 80 million active users, even those who had requested that the information remained confidential.

Graham Cluley, senior technology consultant at Sophos, explained that the information was exposed during a public beta test of Facebook's new design.

"I was shocked to see people's full date of birth revealed, even though I knew they had their privacy set up correctly to supposedly hide the information," he said.

I’m not even the slightest bit shocked at this news; in fact, I’m surprised it wasn’t something more serious. With the social networking/web 2.0 wave that has swept the world in the last year and a half, people have thrown all sorts of personal information up on social networking sites without much regard to the consequences.

My gripe here is the principle and not the specific circumstances: revealing someone’s date of birth is hardly the end of the world but let’s not forget, it wasn’t meant to happen. What other personal information that people have entrusted with social networking sites might leak out to all and sundry? This is just the tip of the iceberg, people. It really is.

And BTW, what’s the deal with the new design: it doesn’t look that much different to me. Worst of all, from what I read, it’s going to mean even more Facebook-oriented apps and widgets coming down the pike. You mean there weren’t enough already?! Oh great!

Facebook, Privacy, Risks – you know what’s coming


From Outlaw.com 21/07/09:

Jennifer Stoddart's office has investigated the social networking website's use of personal information and has found that Facebook is not clear enough about how users can control their information or restrictive enough in restricting other companies' access to it.*

The Commissioner's office said that the company needed to be more transparent.

"Social networking sites can be a wonderful way to connect. They help us keep up with friends and share ideas and information with people around the globe," said assistant commissioner Elizabeth Denham. "It is important for these sites to be in compliance with the law and to maintain users’ trust in how they collect, use and disclose our personal information*."

The investigation found that users were told on Facebook how to deactivate accounts, but not how to delete them*. Only deleting accounts actually removes personal information from Facebook's servers.

* My emphasis

Seeing as I haven’t engaged in any Facebook-bashing for a while, I thought I’d throw this post up. This topic actually reminds me of a paper I wrote for a competition earlier this year concerning the future of social networking services and the privacy of their respective users. Alas, I didn’t win, though I still believe I made some excellent arguments throughout (it was probably a touch too forward-thinking and conceptual for them).

In it I argued that for social networking services and privacy to co-exist in any meaningful way together, the first and crucial step was to raise awareness and educate users about the risks they faced and the tools at their disposal to manage those risks.

With informed users, I reckoned, not only would there be less online stupidity with people failing to appreciate the dangers and the full effects of their actions but it would allow for the harnessing of market forces to successfully regulate social networking providers. In short, where users were well-informed enough to choose a service which offered safe connectivity, prized security and respected users’ privacy, the respective social networking services would compete with one another on this front; security would become less of a trade-off with functionality and more of a function in its own right. For the average, less technically au fait user, well, they would be influenced by those in the know and the herd theory would operate to result in an exodus of users from services which didn’t pass muster on the security/privacy front.

There was a lot more to the paper than that, obviously, and it was heavily weighted on the side of regulatory theory rather than black letter law – perhaps that’s why I didn’t win – but I think many of the ideas I advanced are still good. I may publish it myself via Law Actually given time.

Trouble on Myspace? Dial 999

From Gizmodo.com 02.04.08

Social networking sites like Facebook, Bebo and MySpace may soon have to carry a '999' emergency link to improve the safety of kids online.

In a 73-page draft of a report due to be published on Friday by Home Secretary, Jacqui Smith, the sites will have to carry ads for the emergency services so that kids can call if they feel they are being targeted by potential abusers.

Experts contributing to the report claimed that youngsters are at risk from 'sexual grooming' by paedophiles, bullying and online fraud.

I'm not quite sure how practical and effective this suggestion is, quite honestly, but at least the Government are examining the problems posed by social networking for young web users. Undoubtedly, they want to be seen to be doing something, but whatever the reason, this issue is too important to ignore.

I can't help feeling that better education of the risks involved, coupled with technological advances to help filter or restrict some of the more dangerous elements of the sites would be a more effective way to go.  I mean, blocking the site completely is more of a sure-fire way of removing the danger, but, sadly, if a kid wants to do something which their parents have forbidden, they'll generally find a way of doing it.  After all, they could opt for something as quick and straightforward as using the site at a friend's house whose parents don't block access to the site.

Better education, awareness and guidance are crucial because the whole point about online grooming is that the kids rarely recognise they're in danger.  Sticking an online banner ad up saying 'Dial 999' is going to have little effect on this problem, surely?  Save, perhaps, for tripling the number of hoax emergency calls.

In related news, Ofcom have today reported that around half the children using the net in the UK have profiles on social networking sites, despite the policies those sites have in place to discourage and prevent pre-teens signing up. In a somewhat trite observation, Ofcom noted from their research that such users are not particularly concerned with such issues as online privacy. Oh really?

Weekly roundup

There’s a lot making the news recently that I’ve felt the need to post about in the last 7 days, but haven’t had the chance. So, there’s nothing else for it but to release another ‘round-up of the week’ with 5 hot picks of unrelated, random stories that have caught my eye.

ICO re-states preventative not hard-line enforcement role - From outlaw.com 19.03.08

The ICO said that it would concentrate more on the avoidance of this risk than strict enforcement of the law. "We are not seeking compliance with the law as an end in itself," it said. "Making our vision a reality means minimising data protection risk for individuals and society. The law is the main tool we have at our disposal to achieve this, but we go further and promote good practice."

"We cannot address all areas of data protection risk equally, nor should we attempt to do so," it said.

Maybe the ICO feel they are trying to do too much - to be all things to all people. Perhaps, they feel, you can’t wholeheartedly work as an advisory body for the public and data controllers as to the data protection law and actively enforce these laws as well.

But this isn’t a time for the ICO to start getting worried about being perceived as too hard line, police-like or even interventionist. Excuse me, ICO – if you start shying away from cracking down on data protection issues, who, exactly, is going to pick up the slack? Perhaps, even, this announcement is more politically motivated; a bid aimed at increasing their budget. Who knows? Either way, with more data being created, processed and stored than ever before, the need for effective enforcement is greater than ever.

Bimbo Game - Officially dubbed a ‘virtual fashion game’, this online atrocity has really hit the headlines in the last week or so. And seriously, this stuff just kills me.

People said that First Person Shooters and other action games are harmful for children - so what about this one? Surely, this type of game could do an immeasurable amount of damage to young web users. At least FPSs and other games of an extreme nature - such as the Grand Theft Auto franchise - are obviously dangerous. Still, at least you know what you’re getting with those. The risks presented by games such as Bimbo are more subtle and, therefore, arguably more hazardous. After all, games which play and even feed on people's insecurities, doubts and fears can never be a good thing. But perpetuating the dangerous, misguided and unrealistic illusion of size zero body sizes via a game designed for kids makes it something altogether worse.

Then again, maybe I shouldn’t be so surprised. If such things as Zwinky the toolbar exist, what’s more logical than a game where you slut-up your bimbo, sh*g your way to money and puke your way to a skeletal shell?

EULA slip-up prevents Windows users from installing Safari

Apple got their act together after news of the EULA detail was embarrassingly bandied about the net and now have changed the wording to allow Windows users to legally install Safari. If you’re running iTunes, you might not even have a choice, given that Steve Jobs has seen fit to use the software update function to push out the latest version of Safari, Apple’s web browser. For what it’s worth, Safari does a nice job of text rendering but other than that, it’s a definite also-ran behind Firefox and IE. Given the lack of customisation and innovative features Safari boasts, probably behind Opera, too.

Adobe finally release online version of Photoshop

Dubbed Photoshop Express, this watered down online version of the best-of-breed graphics software was released this week. I heard about the project over a year ago and have been eagerly awaiting its release. Early signs are interesting, though not necessarily encouraging. I have to admit I was hoping for a slightly more full-featured offering than Adobe seem to have released at this stage. It’s clearly pitched more towards competing with Picnik and other such programs, tied closely with online storage and sharing of digital photos, rather than being a hardcore graphic manipulation program.

 

And finally, vnunet reports that “just one in 10 adults in the UK trusts the government with their personal information, according to a study commissioned by Data Encryption Systems (DES).” Well, tell us something we don’t know.

More Facebook trouble afoot?


From vnunet.com 25.03.08

Security researchers claim to have uncovered a new wave of attacks in which profiles on Facebook are used to post images of child torture.

The attack was reported by Chris Boyd, director of malware research at FaceTime Communications.

Boyd claimed in a blog posting to have discovered multiple instances of the attacks in which accounts were stolen and used to post photos on other pages.

"I am still trying to process this, but one of my close contacts has confirmed there is someone going around either hijacking, hacking or phishing user accounts on Facebook, then randomly uploading pictures of child torture to their funwall," he wrote.

I really wanted to put the series of Facebook-related posts to bed by now. It seems like I've been blogging my feelings about the social networking site and other news stories relating to it all too frequently in the last few months. That said, there's a lot that merits discussion when it comes to the darker side of Facebook.

Regarding this latest story, account hijacking is always a big risk for any large site with sign-in facilities. When you get so many users, trouble often ensues: you become a bigger target for hackers, users still insist on choosing insecure passwords, 3rd party applications often bring in unwanted security threats etc. Still, Facebook just seem to be making a bad name for themselves. What with Facebook's plan last year to sell their users' personal information and the multitude of privacy issues that I've highlighted previously on Law Actually, here's to hoping that the millions of users that flock to Facebook every day soon wake up and smell the coffee.

With so many applications being written for Facebook now - coupled with users' propensity to litter their pages with them - it was only a matter of time before trouble reared its head. And let's face it: Facebook is a potential hotbed for all kinds of malware and vulnerabilities to thrive; a digital ambush just waiting for the millions of FB users around the world to sign in and join the party. Arguably, Facebook should be doing more to actively guard against vulnerabilities that its users are subjected to. It would be much better for security purposes if all Facebook apps needed to go through a strict verification process and be 'signed' by Facebook before release. Creativity and freedom for developers must sometimes take second place behind ensuring a safe and secure experience. For instance, what Apple have elected to do with 3rd party applications for the iPhone - since recently announcing they would officially release an SDK for developers - is a credible paradigm that Facebook would do well to mimic.

'Rate my Cop' website causes a stir

From CBS13.com 9/3/08:

Police agencies from coast to coast are furious with a new website on the internet. RateMyCop.com has the names of thousands of officers, and many believe it is putting them in danger.

Kevin Martin, the vice president of the San Francisco Police Officers Association, agrees. "Will they be able to access our home addresses, home phone numbers, marital status, whether or not we have children? That's always a big concern for us," he said.

Creators of the site say no personal information will be on the site. They gathered officers' names, which are public information, from more than 450 police agencies nationwide. Some listings also have badge numbers along with the officers' names.

Rebecca Costell says, in a statement, that the site helps people rate more than 130,000 officers by rating them on authority, fairness and satisfaction. She adds, "Our website's purpose is to break the stereotype that people have that cops are all bad by having officers become responsible for their actions."

At first glance, this is disturbing on so many levels. Having said that, seeing how many other ‘rate my..’ sites are around, maybe it was only a matter of time before something like this reared its head. While it could represent a security risk, I suppose, many will argue that if the information is limited in scope and available from other sources anyway, there can’t be too much harm in it. It all comes down to the extent of the information available. Names and numbers are one thing; photos, home addresses, vital statistics and the school their kids go to is quite another.  Still, the perceived security risk that the website poses has got Sacramento County Sheriff John McGinness considering letting his officers use aliases when on duty. 

But why shouldn’t they be rated – it goes on internally to some extent? Regular police officers are hardly operating clandestinely, hold a position of high responsibility and authority and are directly accountable for their actions. What’s more natural, then, for them to be rated by the public they serve? You never know, it might even help members of the public to re-establish a connection with the police and get the local community rallying behind their local bobby. Then again it might just alienate the local constabulary even more than they were before.  The biggest question, though, is whether people would ever care enough to vote.  Unless an officer was spectacularly bad, I can't see anybody taking the time and trouble of rating a name on a website. 

I doubt we’ll have to worry about it; I can’t see the idea taking off in the UK somehow. But, still, you never know.

Citibank Identity Theft

I first saw Citibank’s series of hilarious commercials back in 2004 when I was out in the US over the summer.  While Citibank – like all banks at the moment – aren’t faring so well, this might be just the time for a light-hearted blast from the past.  Who said bank commercials can’t be fun?

Privacy Law – In Need of a Legislative Broom?

From Outlaw 03/02/09:

Parliament will investigate privacy law in the UK and may give the law a 'nudge', Justice Minister Jack Straw has said. A select committee of MPs will look into how the law has developed and how it is being implemented by courts, he said.

How has the law developed? I can think of some fairly colourful responses to that. For the present, however, I think the following would all be particularly apt:

· Slowly
· Painfully
· Inconsistently
· Awkwardly
· Incoherently

There are a bunch of other words I could include but a list has to stop somewhere. Of course, many of these descriptions are also applicable to how the law has been implemented by the courts.

“Historically, the UK has not had a law of privacy, but one has emerged in recent years that has combined confidentiality laws covering the exchange of information with human rights laws protecting the right to a private life.

Courts have ruled in several cases that the publication of information violates these laws, and these judgments will form the basis of future rulings.

That case law was ferociously attacked last year by powerful Daily Mail editor Paul Dacre [in the aftermath of Mosley v NGN Ltd [2008] EWHC 1777] who condemned the fact that it had developed through the courts and not through Parliament.

Straw has told Parliament's Joint Committee on Human Rights, though, that a committee of MPs will look into the development of the law.”

Recent developments in privacy rights in the context of ‘celebrity newsgathering’ have illustrated that the law has now swung to the opposite end of the spectrum whereby the courts have been inclined to attach more weight to the individual’s right to privacy than to the right to freedom of expression for the press. This change has happened relatively quickly: in 2002 both the Flitcroft and Theakston cases saw a ‘naming and shaming approach’ for celebrities caught in compromising situations robustly endorsed by the courts. Since Campbell and now Mosley, however, the approach has clearly changed.

The current test which evolved out of the wealth of jurisprudence in this area essentially involves examining whether the individual had a reasonable expectation of privacy in all the material circumstances. If that is the case, there is then a need to move on to balance the right of privacy under Article 8 of the ECHR with the right to freedom of expression pursuant to Article 10. An inherent part of this balancing act is determining whether there is countervailing public interest that can justify the intrusion.

Mr Justice Eady has come in for a lot of ‘stick’ in recent times – not least in the aftermath of the Mosley decision. Eady J has heard the majority of high-profile cases in this area and because of this, it’s no surprise that he was very much a target in Dacre’s scathing attack last year.

The Times notes how far-reaching Mr Justice Eady’s contributions to this area of law are perceived to be:

“Mr Dacre told the audience at the Society of Editors’ annual conference in Bristol that the judge’s “amoral” judgments, in this and other defamation and libel cases, were “inexorably and insidiously” imposing a privacy law on the press.”

Moreover, “[Dacre accused Eady J] of bringing in a privacy law by the back door: the judge, he said, had used the Human Rights Act against the age-old freedom of newspapers to expose moral shortcomings of people in high places.”

So what’s the Justice Minister’s take on privacy?

Again from the Times:

Lord Lester of Herne Hill, one of the Joint Committee members, asked Mr Straw where he stood on privacy: the Mail interview, Lord Lester said, gave the impression that Mr Straw would like to weaken the Human Rights Act, “so as to make it easier for the press to make unwarranted attacks on personal privacy”.

Straw did not say where he stood — other than backing the forthcoming privacy review. But he did indicate support for the Act’s critics. “Those of us keen to ensure that the legacy of the Human Rights Act continues and thrives need to be alive to that criticism — and respond to it,” he said.

The realisation of privacy rights under English law is essentially achieved via a blatant shoehorning of privacy rights into the law of breach of confidence. Have Parliament finally recognised the need for a legislative broom to sweep clean the detritus of confusion which plagues the law relating to privacy?

Without doubt, it’s high time for a review at the very least and considering afresh whether legislating is the way to go. Whether this leads to a ‘Privacy Act’, though, is another matter entirely. Ironically, this area of law has weathered greater uncertainty than it’s currently plagued with and it could be argued the courts are actually demonstrating a greater degree of creativity and recognition of wider societal issues when adjudicating than ever before. For instance, the case of David Murray v Big Pictures Limited [2008] EWCA Civ 446 involving photos taken of J.K. Rowling’s son as well as the application of the Harassment Act 1997 in respect of compromising photos published on an aggrieved former-lover’s Facebook profile illustrate that the jurisprudence is developing in a way that is factoring-in modern technologies and the privacy implications that the internet and social networking brings with it. The equivalent could certainly not have been said in the early days of wiretapping by police nor in how the courts dealt with early forms of harassment via telephone.

Now, though, privacy issues seem to rank much higher on the list of priorities. Currently, privacy concerns have been elevated to an all-time high by virtue of the rise of the internet as a publishing medium, the Web 2.0 phenomenon and society’s voracious appetite for celebrity gossip which has fuelled the ever-more aggressive and intrusive behaviour of the press. Also, in direct response to the Mosley case, perhaps it’s been recognised that the jurisprudence has developed in a direction which is now no longer deemed suitable and legislation is required to ‘nudge’ it back on track.

The use of the ‘legislative broom’ may help in certain areas to sweep clean and clear up the awkward uncertainty such as the apparent conflating of the right pursuant to Article 10 of freedom of expression with the ‘public interest defence’ in some judgements.  Whether privacy law which is more favourable to the press is the right approach to be taking going forwards, however, seems less clear.

In any event, the Times concludes: If legislation is mooted, then it will be an irony to think that Mr Justice Eady himself — when on the Calcutt committee that reported in 1990 on privacy — favoured a privacy law. The difference is that any new law would not be seeking to curb the press but to free it.

Solicitors From Hell -- Real life experience


A curious little matter dropped onto my desk last week - one of many at the moment, actually; there just don't seem enough working hours in the day.

Essentially, it seems that we provided communication services to a firm of solicitors who are now subject to an Intervention under s35 and Schedule 1 of the Solicitors Act 1974. We were approached by the firm who are acting as Intervention Agents on behalf of the Solicitors Regulation Authority to confirm detailed information about our client and re-direct their phone lines to the offices of the Intervention Agents. Initially, I found out, these requests were made via a phone call to the support dept. and then, when information was not forthcoming from that member of staff, a firmly worded fax hinting that they were on the cusp of applying for a court order to compel us to provide the information required.

Being the most cautious of all risk-averse people, my data protection spiny senses were initially sent into overdrive at the mere thought of all this.

I did a little research as to exactly what our obligations were, checked out the firm acting as Intervention Agents and the firm being investigated.  My preliminary research bore their fax and phone calls out.

A quick flick through the Solicitors Act didn't seem to reveal anything as to what our obligations were to provide this information and how it sat with the relevant Data Protection legislation. I was left with no alternative then, than a rummage through the depths of the Data Protection Act, something I hadn’t done in well over a year, since early on in my LLM. It didn’t take me long to find that this situation pretty much fell squarely under s31 of the Act, covering exemptions from the Subject Information Provisions in relation to regulatory activity.

So that was more or less that then.  I was shocked at how prominently the firm being investigated featured on the web from previous clients who’d had their fingers burnt.  Perhaps unsurprisingly, I also found that they were featured on the Solicitors From Hell website. I’d not heard of this site until last Thursday; since then, I’ve noticed that Charon QC and Aimless Wanderer have both mentioned it. I should imagine that a lot of lay people out there believe that all firms of solicitors should feature on that site!!

Still, this bit of excitement made a change from drafting and reviewing endless contracts, resolving number portability conundrums and advising on stuff under the Communications Act – plus strategising how to prod, poke or otherwise coerce OFCOM into action over a specific issue.