Social Networking and Privacy Protection: What if Anything has Changed? ソーシャルネットワーキングとプライバ シー保護 もし突然変化が起きたら ? Lecture to Meiji University, Graduate School of Commerce and Japanese Society of Information and Management, August 9, 2011
Justifications for Privacy Protection As a Right of the Person – The “Right to be Let Alone” (United States) – La Vie Privée (France) – Privatsphäre (Germany) – Puraibashii (Japan?) As a Political Value – A Check against Powerful State and Private Organizations As an Instrumental Value – To ensure that the right data are used by the right people for the right purposes – To build “trust” in e-commerce and e-government REGULATING PRIVACY: DATA PROTECTION AND PUBLIC POLICY IN EUROPE AND THE UNITED STATES 1992
The Information Privacy (Data Protection) Principles Accountability Purpose identification at time of collection Informed consent for collection To limit use and disclosure (finality) Retention limitation Data quality Data security Openness about policies and practices Individual access and correction
These principles appear in: Comprehensive data protection laws in around 40 countries Sectoral Legislation in information intensive industries International agreements from Council of Europe, OECD, European Union, Asia- Pacific Economic Cooperation Self-regulatory codes and standards
The Governance of Privacy: The Privacy ‘Toolbox’ International Instruments – Council of Europe Convention (1981) – OECD Guidelines (1981) – EU Data Protection Directive (1995) – APEC Privacy Principles (2004) – Mercosur – Organization of American States (OAS) – International Management and Technical Standards Regulatory Instruments – Data protection law in over 40 countries Self-Regulatory Instruments – Codes – Standards – Seals and Marks – Privacy Impact Assessments (PIAs) Technological Instruments – Privacy by Design – Privacy-enhancing technologies
Lessons learned in 40 Years of Data Protection Policy There is a convergence of policy goals and common consensus on what it means for the responsible organization to protect personal data – the fair information principles. An increasing recognition that a diversity of instruments is necessary Information privacy (data protection) is more than information security Rules must be “technology neutral” Comprehensive information privacy/data protection law is essential – public and private sectors, manual and automated data BUT it is not sufficient – law must be combined with self regulatory and technological solutions, and it must be supported by sympathetic public opinion, supportive organizational cultures and civil society advocacy
"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people…That social norm [privacy] is just something that has evolved over time.” Marc Zuckerberg, CEO Facebook, March 2010 “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” Eric Schmidt, CEO Google, December 2009 Challenges from Social Networking…..
Top three Social Networking Services (SNS) by Region COUNTRIESSNS #1SNS #2SNS #3 AUSTRALIAFacebookTwitterLinkedin CANADAFacebookTwitterLinkedin FRANCEFacebookTwitterSkyrock GERMANYFacebookTwitterXing ITALYFacebookBadooTwitter JAPANMixiGreeMobagetown RUSSIAV KontakteOdnoklassnikiLiveJournal SPAINFacebookTuentiBadoo UNITED KINGDOM FacebookTwitterLinkedin UNITED STATESFacebookTwitterLinkedin Adapted from www.vincos.it (June 2011)
SNS vary along a number of dimensions Interactivity WEB 1.0 WEB 2.0 SYMANTEC WEB Breadth of expected social networks Intensity of expected interactions Level of permitted and expected identification
NEW PRACTICES AND OLD STORIES 新しい理論と古い話 FUNCTION CREEP ファンクション・ク リープ CORPORATE OPACITY 法人組織の不透明さ CORPORATE MISMANAGEMENT AND SLOPPINESS 組織運営といい加減さ INTRUSION AND SURVEILLANCE 偵察と監 視
Function Creep ファンクション・クリープ “Function Creep is what occurs when a technology designed for a specific purpose ends up serving another purpose which it was never planned to perform” ファンクション・クリープとは、特別な目的 の為にデザインされたテクノロジーが、当初 の計画から “ 脱線 ” した全く別の目的を果たす 事である。
THE UNITED STATES Complaints to Federal Trade Commission, December 2009 and May 2010 by Electronic Privacy Information Center and broad coalition of public interest groups Complaint to FTC (June 2011) about online tagging using facial recognition 2011 California Social Networking Bill
CANADA On May 30, 2008, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed a complaint with the Privacy Commissioner of Canada concerning the “unnecessary and non-consensual collection and use of personal information by Facebook.” On July 16, 2009, the Privacy Commissioner’s Office found Facebook “in contravention” of Canada’s Personal Information Protection and Electronic Documents Act. September 2010, Privacy Commissioner announced that Facebook changes “reasonable and meet expectations of Canadian law” October 2010 Privacy Commissioner launched a fresh investigation into the privacy policies of Facebook Inc. after it was revealed that some of the most popular applications had been transmitting the personal information of users to dozens of Web tracking firms.
Articles 25 and 26 of the EU Data Protection Directive (1995) 95/46/EC Personal data should not be transferred outside EU unless an “adequate level of protection” which requires: – Basic content principles: Purpose limitation; data quality and proportionality; transparency; security; rights of access, rectification and opposition; restrictions on onward transfers – Procedural/enforcement principles: good level of compliance with the rules; support and help provided to individual data subjects; appropriate redress provided to the injured party Administered by Article 29 Working Party of Supervisory authorities
European Union Article 29 Working Party SNS providers are data controllers under the Data Protection Directive. They provide the means for the processing of user data and provide all the “basic” services related to user management (e.g. registration and deletion of accounts). SNS providers also determine the use that may be made of user data for advertising and marketing purposes - including advertising provided by third parties. (Opinion June 2009)
Safer Social Networking Principles for the EU (2009) “Principle 6: Enable and encourage users to employ a safe approach to personal information and privacy. Providers should provide a range of privacy setting options with supporting information that encourages users to make informed decisions about the information they post online. These options should be prominent in the user experience and accessible at all times. Providers should consider the implications of automatically mapping information provided during registration onto profiles, make users aware when this happens, and should consider allowing them to edit and make public/private that information where appropriate. Users should be able to view their privacy status or settings at any given time. Where possible, the user’s privacy settings should be visible at all times.” Developed by SNS providers in consultation with the EU Commission http://ec.europa.eu/information_society/activities/social_networking/docs/s n_principles.pdf
Art. 29 Opinion on Consent (2011) “According to the European data protection authorities, consent requires the use of mechanisms that leave no doubt of the data subject’s intention to consent. Therefore only statements or actions, not mere silence or inaction, can constitute valid consent. For example, when a data subject registers with a social network and the default settings of his or her profile make all personal information viewable to all ‘friends of friends’, it cannot be inferred that this user has given his or her consent.” http://ec.europa.eu/justice/policies/privacy/workinggroup/wpdocs/2011_ en.htm
"Member states shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with [the Data Protection] Directive 95/46/EC, inter alia about the purposes of the processing.” Recital: “"Where it is technically possible and effective, in accordance with the relevant provisions of [the Data Protection Directive], the user's consent to processing may be expressed by using the appropriate settings of a browser or other application…. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user.” Directive 2009/136/EC: A New Cookie Rule?
What has changed in 20 years? Technological change – Miniturization – Distribution – Convergence with the material – Biometric identification The routine capture of personal data Globalization The pressures for securitization The difficulty of distinguishing between personally and non-personally identifiable data
What has not changed? The values (personal, political and instrumental) The deep and abiding concern for people everywhere about their privacy The basic principles in information privacy law The obligations of corporations and government to abide by those principles
In Conclusion Social network users care about their privacy ソーシャル・ネットワーク利用者のプライバ シーについての心配 Even if they didn’t, it wouldn’t alter the obligations of data users to process personal data in conformity with privacy principles 仮にプライバシー問題への危惧が少なくなろう とも、データ利用者が原則的なプライバシー 取り扱い法に従わければならないという義務 は変わらない
THANK YOU VERY MUCH どうもありがとうございま した www.colinbennett.ca