Tumblr is where tens of millions of creative people around the world share and follow the things they love.Sign up to find more cool stuff to follow
NEW! Consumer Data Symbology: What data do companies hold?
This is the 3rd post in my series of Consumer Data Symbology.
Be sure to also check:
With the first 2 sets of symbols consumers can readily see how their information is shared with third parties, including if location information is shared. Importantly they can also see if their data is shared in an anonymous or uniquely identifiable way.
The set of symbols below talks about the 3 major categories of data. Publishers, service providers and applications could have any combination of these three symbols.
HOW YOU ACT
While visiting a website, using a service or application the owners may collect information about what you did while you were there. This might include the web pages you visited, the products you searched for, the amount of time you spent on a single page and other information related to how you behaved during the time you were interacting with the website, service or application. This information comes in a form that are similar to “tracks” left in the sand. Depending on the other symbols shown it may be that your tracks are anonymous - or they may be associated directly with you as a unique consumer.
PROFILE DATA PROVIDED
If you have joined a website and created an account then you have provided information associated with your profile. This could be as minimal as your e-mail address or could be a complete list of your friends, your interests and other. The main difference between information about “HOW YOU ACT” and “PROFILE DATA PROVIDED” is that you were asked and specifically answered questions to complete your profile.
NEW DATA FROM PROCESSING
Besides data that you provided in your profile, and information collected about how you act, some companies will take this information to create new data. For example, if you spend lots of time reading stories about movie stars and completed your profile that you like “pop culture”, a company might use that data to decide that you would like a trip to Hollywood. You never told the company you wanted to go to Hollywood and you never went to a web page about Hollywood, but the company processed your other data to create new data.
Admittedly, these symbols are some of the most volatile for those consumers who are plugged into the press. There has been so much press about “tracking” that some consumers will see this and immediately understand that they are being “tracked” and it may make them unconfortable unless they trust the brand behind the tracking.
The idea of “NEW DATA FROM PROCESSING” is an important concept as it is unclear who “owns” data resulting from processing. Does the consumer own it? - It wasn’t their data? - Does the company with the algorithm and the servers doing the processing own it? Most likely they do as they have rights to the consumers provided and tracked data as well as the processing. Consumers may understand that their data is being processed - but not all consumers will understand this and it is important to make it clear.
Tomorrow will be the final installment of the symbols: - How is the data used.
Photography and Text (c) 2011 Mobile Soul Ltd. All right reserved.
Eventually I would like to offer this content on the Creative Commons license scheme.
NEW! Consumer Data Symbology: Anonymous or Personally Identifiable
For the next 2 weeks I will begin posting my ideas for symbology that can be used to improve the way content owners and service providers can communicate to consumers about how their data is used.
Here are the first 2 symbols:
This symbol indicates that the data we hold about you includes information necessary to identify you as a speicifc consumer. It could be a means to contact you such as your email address, telephone number, credit card details or any other combination of information that could identify you specifically. Each organisation could hold a different set of information. This symbol means that any of the data described by the other symbols shown is NOT anonymous.
Organisations with this symbol should have robust security measures in place to ensure that your personal data is safe.
Only organisations you trust should be given permission to hold data that is personally identifiable.
TRIVIA: Embedded in the fingerprint symbol you can see three letters: PII - This is an industry acronym for “Personally Identifiable Information”
This symbol indicates that the data we hold is associated with a unique but random number. We do not know your identity and have no way to contact you directly. The data described by the other symbols shown is unique only to this device and this browser or application.
You should use care when accepting this symbol to ensure that you trust the organisation to honor their commitment to keep your data anonymous.
These symbols are literrally version 0.1 and I expect them to change a lot based upon the feedback and input I get from you - so please do give me feedback.
Over the next 2 weeks I will be sharing the remainder of the individual symbols that I would like to propose to the industry as means to communicate clearly and easily to the consumer - What data is held, How the data is used and How data is shared.
At the end of 2 weeks I will provide you with access to a demonstration of how I believe the EU Cookie Directive and Do Not Track functionality could be enhanced to ensure a) that consumers have a clear understanding about their data and b) that publishers and service owners have a new method to build improved consumer relationships.
Want to know the current scoop on me?
Check out: http://about.me/troy.norcross
Researcher: Facebook's Timeline will be boon for hackers
Facebook’s new Timeline will make it even easier for criminals and others to mine the social network for personal information they can use to launch malicious attacks and steal passwords, a researcher said today.
According to Facebook CEO Mark Zuckerberg, Timeline is “the story of your life,” Timeline, which Facebook unveiled yesterday at a developer conference and plans to roll out to users in a few weeks, summarizes important past events in a one-page display. That has experts at U.K.-based Sophos concerned. “Timeline makes it a heck of a lot easier [for attackers] to collect information on people,” said Chet Wisniewski, a Sophos security researcher. “It’s not that the data isn’t already there on Facebook, but it’s currently not in an easy-to-use format.” Cybercriminals often unearth personal details from social networking sites to craft targeted attacks, noted Wisniewski, and Timeline will make their job simpler. “And Facebook encourages people to fill in the blanks [in the Timeline],” said Wisniewski, referring to the new tool’s prompting users to add details to sections that are blank. Because people often use personal information to craft passwords or the security questions that some sites and services demand answered before passwords are changed, the more someone adds to Timeline, the more they put themselves at risk, said Wisniewski. “Remember the hack of [former Alaska governor] Sarah Palin’s account?” asked Wisniewski. “That hacker found the answers to her security questions online.” A former University of Tennessee student who bragged it took him just 45 minutes of research to reset Palin’s Yahoo Mail account password was convicted on multiple federal felony counts last year. Hackers can also use what they find on Facebook and elsewhere to craft convincing emails that include malware or links to malicious sites, noted Wisniewski, even if the individual is not the target. “It may be about the fact that you work for RSA [Security],” he said, referring to the emails sent to low-level employees at that firm earlier this year. Those emails, which included malware embedded in Excel spreadsheets, gave attackers a foothold on RSA’s network. The criminals then scoured RSA’s systems and stole confidential information about its popular SecurID authentication token technology. Others, not strictly hackers, could use Timeline to quickly dig up dirt as well, said Wisniewski. “Someone could use it to gather information to harass you, or someone at work competing for your job could use it,” he said. “The more you put in there to make it complete—and we’ve been conditioned to finish forms—the easier it is for someone with ill intent to gather information about you,” said Wisniewski. Although current Facebook privacy settings will apply to the Timeline—letting users decide who sees what—and the Timeline can be edited to remove an embarrassing past, Wisniewski was pessimistic about users’ decision making. “Call us paranoid or prudent—we’re paid to worry about this—but for 99 percent of people, the danger doesn’t even cross their mind,” said Wisniewski. In an unscientific survey Sophos ran on its website today, nearly 50 percent agreed that the Facebook Timeline worried them, while about 17 percent said they liked the idea or would get used to it. Wisniewski admitted that the poll probably doesn’t reflect most Facebook users’ opinions. “They’re doubly self-selected,” he acknowledged, “first for taking the survey and second because they’re concerned enough about security to go to our website.”
Developer Claims Mailbox iPhone App Has 'No Data Protection'
AppAdvice / Joe White / April 24, 2013
Mailbox is an attractive, popular email app for the iPhone, and back in February we gave it a positive review. However, it would appear that while Mailbox features an impressive design and user interface, its data protection and security leave rather a lot to be desired. In fact, according to one developer, Mailbox effectively “has no data protection.”
The opinion is that of Subhransu Behera, who describes Mailbox as “a security fail.” Using the simple iExplorer app, which allows users to view an iOS application’s Documents and Library directories on a desktop computer, Behera was able to pull up a file of unprotected email attachments that is located in the Documents directory.
[Health & Privacy] Doctor, Doctor, Gimme The News – Just Not Via Text…
Text messaging lets healthcare providers communicate with patients in simple and timely fashion. But it may violate privacy laws, write attorneys Cory Fox and Lynn Sessions from law firm BakerHostetler:
“According to a recently published report in the American Journal of Public Health, text messages containing protected health information (PHI) would be impermissible under the HIPAA Security Rule (Security Rule) unless the covered entity either removed PHI from the message or complied with the Security Rule’s administrative, physical and technical safeguard requirements.”
In plain English: the laws intended to keep our confidential health information from falling into the wrong hands may prevent us from using today’s technology to communicate with our doctors.
What to do? Providers who want to communicate via text with patients have a couple of options. First, they should make sure they don’t include protected health information in their messages. But that might not be particularly useful for either party, explain Fox and Sessions:
“[G]iven the broad definition of PHI (which includes information in any form or media, whether electronic, paper, or oral that could be used to identify an individual and that ‘relates to’ the provision of healthcare to that individual), excluding it from a text message altogether could diminish the message’s usefulness. Moreover, excluding PHI from a text page could cause confusion and lead to medical errors.”
The second option is equally problematic: analyze the risks of transmitting confidential patient information via text, and take steps to reduce those risks:
“The primary risk most covered entities face when seeking to employ text messaging and text paging is the risk that the PHI in the message could fall into the wrong hands… One Security Rule protection that could mitigate such risks is the use of encryption technology. However, due to the current state of technology, encrypting text messages or text pages may not be reasonable and appropriate for all covered entities. Thus, covered entities may need to implement alternative measures equivalent to encryption in order to comply with the Security Rule, including policies and procedures specifically related to text messaging and text paging, best practices, and workforce education.”
Come to think of it, there’s probably a third option that most doctors and healthcare providers are choosing: just say “no.” At least until the federal government figures out a way to bring 21st century health care into the 21st century.
And where does all of this leave the patient? Probably on hold with the doctor’s office…
Read the full update, Can Covered Entities Utilize Text Messaging and Text Paging Without Violating HIPAA? – BakerHostetler»
Find more on HIPAA Data Protection laws at JD Supra»
Facebook Wins Court Challenge In Germany Against Its Real Names Policy
Facebook has won a court challenge against its real names policy in Germany. Yesterday an administrative court in the North of Germany granted Facebook’s request for “suspensive effect” against a ruling made by Schleswig-Holstein’s Data Protection Commissioner that Facebook was violating German and European law. http://dlvr.it/2y3Vzv @suryaray
California Ups the Ante on Consumer Data Protection
While several states – and the federal government – consider strengthening legislation to protect consumers against data breaches, identity theft, and other privacy violations, California is taking action.
Earlier this month, California Attorney General Kamala Harris created a new “Privacy Enforcement and Protection Unit.” From law firm Morrison & Foerster:
“The Privacy Enforcement and Protection Unit will be organized under the state’s new eCrime Unit, which was formed in August, 2011 and will centralize a number of existing California Justice Department programs intended to enforce privacy laws, combat identity theft, educate consumers, and create partnerships with private industry under one umbrella.”
1. The new agency has a very broad mandate:
“The Privacy Unit will enforce laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. In addition to online privacy regulation, the Privacy Unit will investigate data breaches, identity theft, and violations of offline health, financial, and government privacy regulations.” (California Steps Up Privacy Efforts with New Privacy Enforcement and Protection Unit by Wilson Sonsini Goodrich & Rosati)
2. This is only the beginning:
“Harris has made online privacy protection a major focus of her administration, and the creation of the new Privacy Enforcement and Protection and eCrime Units are just two of her initiatives aimed at fighting online crime and protecting consumer privacy.” (California Attorney General Creates Privacy Enforcement and Protection Unit; Increased Enforcement Likely by Morrison & Foerster LLP)
3. Penalties can be severe for businesses that violate consumer privacy:
“With the Privacy Unit in place, actions enforcing California’s data privacy regulations, which are among the strictest in the nation, are certain to increase… ‘The Privacy Unit,’ according to Attorney General Harris, ‘will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others.’ Based on prior comments from Harris, such enforcement may include prosecutions under California’s Unfair Competition Law and/or False Advertising Law, which imposes penalties of up to $500,000.” (Law & Order PEPU: California’s new Privacy Enforcement and Protection Unit by Mintz Levin)
Additional privacy law updates:
• Cops Can Read Your Text Messages Without a Warrant - Lawyers.com
• Access Denied: Public Agencies and the Release of Public Records - Dinsmore & Shohl LLP
• STAR Test Results Delayed Due To Security Breach - Kronick, Moskovitz, Tiedemann & Girard
• MAC and IP Addresses: Personal Information? - Fraser Milner Casgrain LLP
• EPIC Demands Evidence of TSA Body Scanner Rulemaking - Electronic Privacy Information Center
• EPIC Recommends Protections for Use of Commercial Facial Recognition Technology - Electronic Privacy Information Center
• First Circuit Holds Bank May Be Liable For Customer Losses from Cyber Attacks - BuckleySandler LLP
• EPIC Calls on FCC to Require Mobile Phone Carriers to Protect Privacy - Electronic Privacy Information Center
• NIST Proposes Update To Mobile Device Security Guidelines - BuckleySandler LLP
• Connecticut Amends Data Breach Notification Statute - Scott & Scott, LLP
• EPIC Objects to Facebook Settlement, Cites Failure to Benefit Class Members - Electronic Privacy Information Center
• Police Accessing Private Cell Phone Data at a Stunning Rate - Lawyers.com
• EPIC Urges FTC to Develop Meaningful Privacy Protections for Mobile Services - Electronic Privacy Information Center
• Preventing Or Responding To Data Security Breaches: Is Your Information Safe? - McNees Wallace & Nurick LLC
• Connecticut and Vermont Security Breach Amendments Demonstrate a Growing Trend: AG Notice Requirements - Morrison & Foerster LLP
• You Are Not Safe Online! - Lawyers.com
Follow @Privacy_Law on Twitter»