Social Networking and Privacy Protection:
What if Anything has Changed?
(Japanese subtitle: Social Networking and Privacy Protection: What if a Sudden Change Occurred?)
Lecture to Meiji University, Graduate School of Commerce and Japanese
Society of Information and Management, August 9, 2011
Justifications for Privacy Protection
• As a Right of the Person
– The “Right to be Let Alone” (United States)
– La Vie Privée (France)
– Privatsphäre (Germany)
– Puraibashii (Japan?)
• As a Political Value
– A Check against Powerful State and Private Organizations
• As an Instrumental Value
– To ensure that the right data are used by the right people for the right purposes
– To build “trust” in e-commerce and e-government
Regulating Privacy: Data Protection and Public Policy in Europe and the United States (1992)
Japanese translation, Bunshindo (1994)
The Information Privacy (Data Protection) Principles
• Accountability
• Purpose identification at time of collection
• Informed consent for collection
• To limit use and disclosure (finality)
• Retention limitation
• Data quality
• Data security
• Openness about policies and practices
• Individual access and correction
These principles appear in:
• Comprehensive data protection laws in around 40 countries
• Sectoral legislation in information-intensive industries
• International agreements from the Council of Europe, OECD, European Union and Asia-Pacific Economic Cooperation
• Self-regulatory codes and standards
The Governance of Privacy: The Privacy ‘Toolbox’
• International Instruments
– Council of Europe Convention (1981)
– OECD Guidelines (1981)
– EU Data Protection Directive (1995)
– APEC Privacy Principles (2004)
– Mercosur
– Organization of American States (OAS)
– International Management and Technical Standards
• Regulatory Instruments
– Data protection law in over 40 countries
• Self-Regulatory Instruments
– Codes
– Standards
– Seals and Marks
– Privacy Impact Assessments (PIAs)
• Technological Instruments
– Privacy by Design
– Privacy-enhancing technologies
Lessons learned in 40 Years of Data Protection Policy
• There is a convergence of policy goals and common consensus on what it
means for the responsible organization to protect personal data – the fair
information principles.
• An increasing recognition that a diversity of instruments is necessary
• Information privacy (data protection) is more than information security
• Rules must be “technology neutral”
• Comprehensive information privacy/data protection law is essential –
public and private sectors, manual and automated data
• BUT it is not sufficient – law must be combined with self regulatory and
technological solutions, and it must be supported by sympathetic public
opinion, supportive organizational cultures and civil society advocacy
WWW.PRIVACYADVOCATES.CA
Challenges from Social Networking…..
“People have really gotten comfortable not only
sharing more information and different kinds,
but more openly and with more people… That
social norm [privacy] is just something that has
evolved over time.”
Mark Zuckerberg, CEO Facebook, March 2010
“If you have something that you don’t want
anyone to know, maybe you shouldn’t be doing it
in the first place.”
Eric Schmidt, CEO Google, December 2009
http://www.vincos.it/world-map-of-social-networks/
Top three Social Networking Services (SNS) by Region
Country          SNS #1       SNS #2          SNS #3
Australia        Facebook     Twitter         LinkedIn
Canada           Facebook     Twitter         LinkedIn
France           Facebook     Twitter         Skyrock
Germany          Facebook     Twitter         Xing
Italy            Facebook     Badoo           Twitter
Japan            Mixi         Gree            Mobagetown
Russia           V Kontakte   Odnoklassniki   LiveJournal
Spain            Facebook     Tuenti          Badoo
United Kingdom   Facebook     Twitter         LinkedIn
United States    Facebook     Twitter         LinkedIn
Adapted from www.vincos.it (June 2011) and www.internetworldstats.com
SNS vary along a number of dimensions
• Interactivity: Web 1.0, Web 2.0, Semantic Web
• Breadth of expected social networks
• Intensity of expected interactions
• Level of permitted and expected identification
NEW PRACTICES AND OLD STORIES
(Japanese caption: New theories and old stories)
• FUNCTION CREEP (Japanese: function creep)
• CORPORATE OPACITY (Japanese: opacity of corporate organizations)
• CORPORATE MISMANAGEMENT AND SLOPPINESS (Japanese: organizational management and sloppiness)
• INTRUSION AND SURVEILLANCE (Japanese: reconnaissance and surveillance)
Function Creep
(Japanese caption: function creep)
“Function Creep is what occurs when a technology
designed for a specific purpose ends up serving
another purpose which it was never planned to
perform”
(Japanese version: Function creep is when a technology designed for a particular purpose ends up, “derailing” from the original plan, serving a completely different purpose.)
Examples:
• Citizen vigilantism
• Insurance claim enforcement
• Employee screening
• Political accountability
CORPORATE OPACITY
(Japanese caption: organizational opacity)
Defaults
[Slide image: Facebook Recommended Privacy Settings, July 2011]
[Slide image: Facebook privacy settings, July 20, 2011]
CORPORATE MISMANAGEMENT AND SLOPPINESS
(Japanese caption: organizational management and sloppiness)
INTRUSION AND SURVEILLANCE
(Japanese caption: reconnaissance and surveillance)
Risks to Privacy
(Japanese caption: risks to privacy)
• Cyber-stalking (Japanese: stalking on the net)
• Cyber-bullying (Japanese: bullying on the net)
• Reputational Damage (Japanese: defamation)
• Identity Theft (Japanese: theft of personal information)
• Commercial Exploitation (Japanese: fraudulent business practices)
(from www.cippic.ca)
SO WHAT IS BEING DONE?
THE UNITED STATES
• Complaints to Federal Trade Commission, December
2009 and May 2010 by Electronic Privacy Information
Center and broad coalition of public interest groups
• Complaint to FTC (June 2011) about online tagging using
facial recognition
• 2011 California Social Networking Bill
CANADA
• On May 30, 2008, the Canadian Internet Policy and Public Interest Clinic (CIPPIC)
filed a complaint with the Privacy Commissioner of Canada concerning the
“unnecessary and non-consensual collection and use of personal information by
Facebook.”
• On July 16, 2009, the Privacy Commissioner’s Office found Facebook “in
contravention” of Canada’s Personal Information Protection and Electronic
Documents Act.
• September 2010: the Privacy Commissioner announced that Facebook’s changes were
“reasonable and meet expectations of Canadian law”.
• October 2010: the Privacy Commissioner launched a fresh investigation into the privacy
policies of Facebook Inc. after it was revealed that some of the most popular
applications had been transmitting the personal information of users to dozens of
Web tracking firms.
• Articles 25 and 26 of the EU Data Protection Directive (1995), 95/46/EC
• Personal data should not be transferred outside the EU unless there is an
“adequate level of protection”, which requires:
– Basic content principles: purpose limitation; data quality and
proportionality; transparency; security; rights of access, rectification
and opposition; restrictions on onward transfers
– Procedural/enforcement principles: a good level of compliance with the
rules; support and help provided to individual data subjects;
appropriate redress provided to the injured party
• Administered by the Article 29 Working Party of supervisory authorities
European Union Article 29 Working Party
• SNS providers are data controllers under the Data Protection
Directive. They provide the means for the processing of user
data and provide all the “basic” services related to user
management (e.g. registration and deletion of accounts).
SNS providers also determine the use that may be made of
user data for advertising and marketing purposes - including
advertising provided by third parties.
(Opinion June 2009)
Safer Social Networking Principles for the EU (2009)
• “Principle 6: Enable and encourage users to employ a safe approach to
personal information and privacy. Providers should provide a range of
privacy setting options with supporting information that encourages users
to make informed decisions about the information they post online. These
options should be prominent in the user experience and accessible at all
times. Providers should consider the implications of automatically mapping
information provided during registration onto profiles, make users aware
when this happens, and should consider allowing them to edit and make
public/private that information where appropriate. Users should be able to
view their privacy status or settings at any given time. Where possible, the
user’s privacy settings should be visible at all times.”
Developed by SNS providers in consultation with the EU Commission
http://ec.europa.eu/information_society/activities/social_networking/docs/sn_principles.pdf
Art. 29 Opinion on Consent (2011)
• “According to the European data protection
authorities, consent requires the use of mechanisms
that leave no doubt of the data subject’s intention to
consent. Therefore only statements or actions, not
mere silence or inaction, can constitute valid consent.
For example, when a data subject registers with a
social network and the default settings of his or her
profile make all personal information viewable to all
‘friends of friends’, it cannot be inferred that this user
has given his or her consent.”
http://ec.europa.eu/justice/policies/privacy/workinggroup/wpdocs/2011_en.htm
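The Article 29 opinion quoted above turns on one mechanical point: a default setting chosen by the provider is not an act of the user, so it cannot carry consent. The following is an added illustration, not code from the lecture or from any SNS provider, of a profile-visibility model built that way: every field starts at the narrowest audience, the audience can only be widened by an explicit, logged user action, and the access check is computed from the friendship graph. The friendship graph, the user names and the audience tiers are constructed for the example.

```javascript
// Added example (not from the lecture): "privacy by default" profile visibility.
// Defaults never widen an audience; only a recorded user action can do so.

// Audience tiers, narrowest first. The index doubles as a closeness rank.
const AUDIENCES = ["only_me", "friends", "friends_of_friends", "everyone"];

// Constructed, undirected friendship graph. Not real data.
const FRIENDS = {
  alice: ["bob"],
  bob: ["alice", "carol"],
  carol: ["bob"],
  dave: [],
};

// Every field starts visible to the owner only. A provider default of
// "friends_of_friends" would expose data the user never agreed to share.
const DEFAULT_AUDIENCE = "only_me";

function createProfile(owner) {
  return { owner, fields: {}, audience: {}, consentLog: [] };
}

function setField(profile, name, value) {
  profile.fields[name] = value;
  if (!(name in profile.audience)) profile.audience[name] = DEFAULT_AUDIENCE;
}

// Widening requires an affirmative action by the owner, which is logged as a
// consent event. Silence or inaction (no `action`) is rejected.
function grantAudience(profile, field, audience, action) {
  if (!AUDIENCES.includes(audience)) throw new Error(`unknown audience ${audience}`);
  if (!(field in profile.fields)) throw new Error(`unknown field ${field}`);
  if (!action) throw new Error("audience change requires an explicit user action");
  profile.audience[field] = audience;
  profile.consentLog.push({ field, audience, action, at: new Date().toISOString() });
}

// Closeness of the viewer to the owner, expressed as the narrowest tier that
// still includes the viewer.
function relationship(viewer, owner) {
  if (viewer === owner) return "only_me";
  const direct = FRIENDS[owner] || [];
  if (direct.includes(viewer)) return "friends";
  const second = new Set(direct.flatMap((f) => FRIENDS[f] || []));
  if (second.has(viewer)) return "friends_of_friends";
  return "everyone";
}

// A viewer sees a field only when their closeness rank is within the field's
// audience rank, i.e. rank(relationship) <= rank(audience).
function canView(profile, field, viewer) {
  const audience = profile.audience[field] ?? DEFAULT_AUDIENCE;
  return AUDIENCES.indexOf(relationship(viewer, profile.owner)) <= AUDIENCES.indexOf(audience);
}

function visibleFields(profile, viewer) {
  return Object.keys(profile.fields).filter((f) => canView(profile, f, viewer));
}

// Stand-alone walk-through: carol is a friend of a friend of alice.
const demo = createProfile("alice");
setField(demo, "hometown", "Victoria");
console.log("before grant, carol sees:", visibleFields(demo, "carol"));
grantAudience(demo, "hometown", "friends_of_friends", "clicked_share_with_friends_of_friends");
console.log("after grant, carol sees:", visibleFields(demo, "carol"));
console.log("consent log:", demo.consentLog);
```

The consent log is what an auditor or a data protection authority would ask for: each widening of an audience is tied to the field, the tier chosen and the user action that chose it, so the provider can show a statement or action rather than infer consent from a default.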
Directive 2009/136/EC: A New Cookie Rule?
“Member states shall ensure that the storing of information, or the gaining of access
to information already stored, in the terminal equipment of a subscriber or user is
only allowed on condition that the subscriber or user concerned has given his or her
consent, having been provided with clear and comprehensive information, in
accordance with [the Data Protection] Directive 95/46/EC, inter alia about the
purposes of the processing.”
Recital: “Where it is technically possible and effective, in accordance with the
relevant provisions of [the Data Protection Directive], the user's consent to
processing may be expressed by using the appropriate settings of a browser or
other application…. Exceptions to the obligation to provide information and offer
the right to refuse should be limited to those situations where the technical
storage or access is strictly necessary for the legitimate purpose of enabling the
use of a specific service explicitly requested by the subscriber or user.”
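The article and recital above reduce to three rules a site can enforce in code: nothing is stored on the device without prior consent, the user is told the purpose of each item before consenting, and the only exemption is storage strictly necessary for a service the user asked for. The following added example, which is not code from the lecture or from any real site, implements that gate over an in-memory "cookie jar" so it runs outside a browser; the cookie names, categories and purpose texts are constructed for the example, and in a real page the jar would be `document.cookie` or `localStorage`.

```javascript
// Added example (not from the lecture): a consent gate for device storage that
// follows the Directive 2009/136/EC rule quoted above.

// Constructed registry of everything the site might store. The `purpose` text is
// the "clear and comprehensive information" shown before consent is requested.
const COOKIE_REGISTRY = {
  session_id:   { category: "strictly_necessary", purpose: "Keeps you logged in during this visit" },
  cart:         { category: "strictly_necessary", purpose: "Remembers the items in the cart you are building" },
  analytics_id: { category: "analytics",          purpose: "Measures which pages are visited" },
  ad_profile:   { category: "advertising",        purpose: "Builds an interest profile for targeted adverts" },
};

// Consent state starts empty: no category is granted until the user acts.
function createConsentState() {
  return { granted: new Set(), jar: new Map(), refused: [] };
}

// The dialog must list every non-essential item with its purpose; strictly
// necessary items are exempt from the consent requirement and are not listed.
function consentNotice() {
  return Object.entries(COOKIE_REGISTRY)
    .filter(([, e]) => e.category !== "strictly_necessary")
    .map(([name, e]) => ({ name, category: e.category, purpose: e.purpose }));
}

// Consent is recorded per category and only for categories the notice described.
function recordConsent(state, categories) {
  const known = new Set(consentNotice().map((n) => n.category));
  for (const c of categories) {
    if (!known.has(c)) throw new Error(`no consent requested for category ${c}`);
    state.granted.add(c);
  }
}

// Withdrawal removes the category and purges what was stored under it.
function withdrawConsent(state, category) {
  state.granted.delete(category);
  for (const [name] of state.jar) {
    if (COOKIE_REGISTRY[name].category === category) state.jar.delete(name);
  }
}

// The gate: unregistered names have no purpose the user could have been told,
// strictly necessary items pass, everything else needs a granted category.
function canStore(state, name) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return false;
  if (entry.category === "strictly_necessary") return true;
  return state.granted.has(entry.category);
}

// Every write to the device goes through the gate; refusals are kept for review.
function setCookie(state, name, value) {
  if (!canStore(state, name)) {
    state.refused.push(name);
    return false;
  }
  state.jar.set(name, value);
  return true;
}

// Stand-alone walk-through.
const s = createConsentState();
console.log("notice shown to user:", consentNotice());
console.log("session cookie stored:", setCookie(s, "session_id", "abc123"));
console.log("ad cookie before consent:", setCookie(s, "ad_profile", "p1"));
recordConsent(s, ["analytics"]);
console.log("analytics cookie after consent:", setCookie(s, "analytics_id", "a1"));
console.log("stored:", [...s.jar.keys()], "refused:", s.refused);
```

The design choice worth noting is that `canStore` fails closed: a cookie that is not in the registry is refused, because the site could not have told the user its purpose, and a category the notice never described cannot be consented to. That makes the registry the single place where a new purpose has to be declared before any code can write it.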
What has changed in 20 years?
• Technological change
– Miniaturization
– Distribution
– Convergence with the material
– Biometric identification
• The routine capture of personal data
• Globalization
• The pressures for securitization
• The difficulty of distinguishing between personally
and non-personally identifiable data
What has not changed?
• The values (personal, political and
instrumental)
• The deep and abiding concern for people
everywhere about their privacy
• The basic principles in information privacy law
• The obligations of corporations and
government to abide by those principles
In Conclusion
• Social network users care about their privacy
(Japanese: social network users’ concerns about their privacy)
• Even if they didn’t, it wouldn’t alter the
obligations of data users to process personal
data in conformity with privacy principles
(Japanese: Even if concern about privacy issues were to decline, the obligation of data users to comply with the principles of privacy law would not change.)
THANK YOU VERY MUCH
(Japanese: Thank you very much)
www.colinbennett.ca