
Archive for the ‘Identity Theft’ Category

18 Dec 2008

Your information – what’s it worth?


South of the border, Sony Music recently settled with the U.S. Federal Trade Commission (FTC) after the FTC filed a suit against Sony claiming the company had violated children’s privacy rights.

Last Wednesday, the FTC accused Sony of being in violation of the Children’s Online Privacy Protection Act, or COPPA, by collecting, maintaining and disclosing personal information of children under the age of 13 without parental consent.

The FTC estimates that Sony collected the personal information of about 30,000 children on 196 websites operated by Sony Music. That includes names, addresses, mobile phone numbers, e-mail addresses, dates of birth, ZIP codes, usernames and gender. But that’s not all:

“Many of these sites also enable children to create personal fan pages, review artists’ albums, upload photos or videos, post comments on message boards and in online forums, and engage in private messaging.”

The following day, Sony and the FTC announced the suit had been settled, with the company agreeing to pay a fine of $1 million, put in place a screening process that complies with the FTC rules and hire a Web compliance officer to monitor the issue. The fine is reportedly the largest settlement for a case involving COPPA, which came into effect in 2000.

One way (and a fairly simplistic way at that) to view this settlement is that it works out to about $33 for each child’s information.

But these kids – and the rest of Sony’s website visitors – may see the value of their information in another way. A recent study by IBM found that people – and especially younger people – were willing to trade away their information for incentives like free high quality music or videos, discounts to favourite stores and air travel or hotel points:

“Close to 60 percent of total respondents were willing to provide information about themselves — such as age, gender, lifestyle or communications preferences — in exchange for something of value. Younger respondents had fewer concerns about revealing personal preferences, and a sizeable portion of participants over the age of 45 were also willing to share information about themselves. However, all respondents indicated the need for perceived value and incentives as a trade-off to provide personal information.”

And finally – what’s your information worth on the black market?

Cybercrime is big business – now reportedly even bigger than the international drug trade. In this world, credit card information can be bought and sold for as little as $1, and entire identities can be purchased for $5.

So how much is your information worth? As much as you care to protect it.


4 Dec 2008

Remember Mafiaboy?


In 2000, this 15-year-old hacker brought down some of the most heavily visited websites on the net: Amazon, eBay, CNN, Yahoo!. At the time, reports claimed the hack caused a billion dollars’ worth of damage to these companies.

Since that time, cybercrime has become big business, with some reports suggesting it’s on par with or bigger than the illicit drug trade. Identity theft features prominently in this underground frontier, with credit card information and entire identities up for sale by the thousands.

Tonight, CBC is airing Web Warriors, a one-hour documentary with an exclusive look at the world of hackers, and the cyber-sleuths who pursue them. If you miss it on TV, the entire documentary is available on CBC’s site as well.

And on the subject of teenage hackers, we’d like to point you towards Little Brother, the novel for young adults by BoingBoing blog coeditor Cory Doctorow. Little Brother takes place in the not-so-distant future where a group of teens use technology to protest the ever-increasing government surveillance around them. It’s a story that looks at hacking, jamming and surveillance, and offers insight into the privacy vs. security debate…all through the eyes of a 17-year-old.


5 Nov 2008

How your handheld handles your data


The popularity of mobile computing is skyrocketing – from teenagers to business travelers, handheld devices such as Blackberrys, iPhones and smart phones allow users to surf their favourite sites, manage their relationships within a social network, review work documents or download music.

Using traditional privacy protections such as passwords on your handheld device is a step in the right direction, but there are a number of other privacy concerns that are worth considering.

According to a CTV news report, personal information is turning up in refurbished handheld devices being purchased by Canadian consumers.

Reselling refurbished devices, whether by a large company or an individual on eBay, is a common practice. Many people also donate or recycle their unwanted electronic equipment, but never really know where those old handhelds may end up.

Sensitive files stored on handhelds can provide a wealth of personal information or valuable company data.

Despite their widespread use, the full privacy implications of losing a device are still largely unknown. A lost or stolen handheld can expose personal data to unintended parties, and this could be used for illicit or simply mischievous purposes.

As well, some devices appear to be susceptible to unauthorized access – whether through the carrier’s network, the phone’s built-in WiFi capabilities or with the intervention of a nearby Bluetooth device.

So how can we protect privacy while using mobile devices?

  • First off, always use the built-in password protection. Use a strong password, with a combination of lower case and capital letters as well as numbers.
  • Remove sensitive files from handhelds once you are finished using them.
  • If you have to keep sensitive files on a mobile device, encrypt the file, install a correctly configured firewall and/or password protect the file.
  • If your device is Bluetooth enabled and you do not use it, disable the feature.
  • When you upgrade your device, take the time to wipe it of personal information. A quick search will provide resources that will show how to clean a device such as a Blackberry or an iPhone. Installing anti-theft software on a device can allow a user to erase personal data remotely and even render the device unusable if it is ever lost or stolen.

There’s a further risk involved in mobile computing, a risk that we are in the process of evaluating: the privacy protections found (or absent) in the third party applications (apps) now common on handheld devices.

By their very design, apps installed on or downloaded to mobile devices may put personal data at risk.

It appears that apps are being built by a range of developers – from students to multi-national companies. As you would expect, these developers can have very different standards when it comes to accessing and protecting your personal information.

  • Before installing an app, check out the developer. You may need to make a personal judgment about whether you trust them with access to your device and your information.
  • Check your favourite apps for safeguards like password protection.
  • When you change your password on a non-mobile application (the web site), make sure the app reflects that change.
  • Make it a habit to log out of apps on a regular basis.

Mobile computing offers the opportunity to carry more of your life around in your pocket. Taking a bit of time to secure your device and personal information can help safeguard your privacy.


7 May 2008

Privacy in Facebook apps – the risk of the SuperPoke


The social networking site Facebook has been under scrutiny lately for lax security with its applications feature. Applications in Facebook are created by third-party software developers and are run on third-party servers. These applications can take many forms – a quiz, a game, or just another way to reach out to friends – but the common feature in all is that they allow software developers to access Facebook users’ personal data.

And while Facebook says it advises its users to “employ…precautions” when downloading applications, any Facebook user will tell you that most applications simply won’t work if you don’t agree to give the developer access to your information.

BBC’s technology program Click decided to test out this security flaw by creating its own Facebook application meant solely to “steal the personal details of you and all your Facebook friends without you knowing”. The application took them three hours to create and allowed them to not only collect personal information about the Facebook user who had downloaded the application, but all of his friends as well.

Click’s experiment suggests that the concerns of privacy advocates (including those of us at the Office of the Privacy Commissioner) that the applications feature on Facebook exposes users to significant privacy risks are warranted. As well, the collection and use of this data by third-party developers could mean that some developers aren’t complying with PIPEDA, Canada’s private sector privacy legislation.

Something to think about the next time you feel like throwing a sheep.


7 Mar 2008

Because not every frog is a prince


Last year, IT security firm Sophos ran an experiment on Facebook to demonstrate just how willing people were to hand over their information to potential ID thieves. They created a fake profile page on Facebook for a small green plastic frog and sent out 200 friend requests to other Facebook users. Eighty-two of those people responded, and in doing so, divulged personal information like their email address, birthdate, workplace or school location, and phone number – all useful details for the aspiring identity thief.

Every year, thousands of people are victims of identity theft and young people are increasingly becoming prime targets – not surprising when you consider how much of our day-to-day activities are conducted online. As part of Fraud Prevention Month, we’ve put together a little cheat-sheet with advice on how to prevent identity theft online. We hope you download it – and stay away from little green frogs you don’t otherwise know.


31 Dec 2007

A new year’s errand list


As we close out 2007, we’d like to sound a note of caution for privacy rights in Canada. We are lucky to have a variety of protections for personal information and data at the territorial, provincial and federal levels. Nevertheless, the Commissioner took a moment last week to highlight some of the steps that need to be taken by individuals, corporations and the government in the face of continuing challenges:

“Heightened national security concerns, the growing business appetite for personal information and technological advances are all potent – and growing – threats to privacy rights,” said Commissioner Stoddart. “The coming year will be another challenging one for privacy in Canada.”

What challenges, you may ask? Privacy International, a London-based non-governmental organization, issued their annual report on privacy protection world-wide. Canada was one of three countries recognized as a world-leader, but we were criticized on several fronts:

  • Federal commission is widely recognised as lacking in powers such as order-making powers, and ability to regulate trans-border data flows
  • Variety of provincial privacy commissioners have made privacy-enhancing decisions and taken cases through the courts over the past year (particularly Ontario)
  • Court orders required for interception and there is no reasonable alternative method of investigation
  • Video surveillance is spreading despite guidelines from privacy commissioners
  • Highly controversial no-fly list, lacking legal mandate
  • Continues to threaten new policy on online surveillance
  • Increased calls for biometric documents to cater for U.S. pressure, while plans are still unclear for biometric passports

7 Dec 2007

Not all data breaches are caused by fraud


This week, we’ve been speaking to the media* about an incident at the Passport Office: a person using their online application form found that they could access others’ personal documents by changing one variable in the URL displayed in their browser. The Globe and Mail and Slashdot report that this was likely the result of an error in the code behind the web page – or an omission in the code.
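The incident described above is a matter of one missing check: the page looked up whichever record identifier the browser sent, without confirming that the logged-in applicant was entitled to see it. The following is an added illustration written for this post, not code from the Passport Office or from any real application; the store, the user names and the document identifiers are all constructed. It shows the unchecked lookup beside a version that enforces ownership, the use of unguessable handles in place of raw sequential keys, and a simple review of the access log that surfaces a session probing identifiers it does not own.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: int   # sequential database key, the kind that ends up in a URL
    owner: str    # applicant who submitted the document
    body: str


@dataclass
class DocumentStore:
    """In-memory stand-in for the application's database (constructed)."""
    _docs: dict = field(default_factory=dict)
    _handles: dict = field(default_factory=dict)   # opaque handle -> doc_id

    def add(self, doc):
        self._docs[doc.doc_id] = doc

    def get_by_id(self, doc_id):
        return self._docs.get(doc_id)

    def issue_handle(self, doc_id):
        """Return an unguessable handle to place in URLs instead of the raw key."""
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = doc_id
        return handle

    def resolve_handle(self, handle):
        return self._handles.get(handle)


def fetch_document_insecure(store, current_user, doc_id):
    """The omission: whatever identifier the browser sends is looked up and
    returned. Editing the number in the URL yields another applicant's record."""
    doc = store.get_by_id(doc_id)
    return doc.body if doc else None


def fetch_document(store, current_user, doc_id, audit_log):
    """Hardened lookup: the record must exist AND belong to the logged-in user.
    Both failures produce the same answer, so the response does not confirm
    which identifiers exist; each denial is recorded for later review."""
    doc = store.get_by_id(doc_id)
    if doc is None or doc.owner != current_user:
        audit_log.append(("denied", current_user, doc_id))
        return None
    audit_log.append(("allowed", current_user, doc_id))
    return doc.body


def fetch_by_handle(store, current_user, handle, audit_log):
    """Opaque handle plus ownership check. The handle removes guessability;
    the ownership check is still needed because handles can be forwarded or
    leak through referrers and server logs."""
    doc_id = store.resolve_handle(handle)
    if doc_id is None:
        audit_log.append(("denied", current_user, handle))
        return None
    return fetch_document(store, current_user, doc_id, audit_log)


def flag_enumeration(audit_log, threshold=3):
    """Detection: users whose denied lookups reach the threshold. A genuine
    applicant rarely requests records that are not theirs; a run of denials
    is the signature of someone walking the identifier space."""
    denied = {}
    for outcome, user, _ in audit_log:
        if outcome == "denied":
            denied[user] = denied.get(user, 0) + 1
    return sorted(u for u, n in denied.items() if n >= threshold)


def demo():
    """Constructed scenario: three applicants, one of whom edits the URL."""
    store = DocumentStore()
    store.add(Document(1001, "alice", "alice's application"))
    store.add(Document(1002, "bob", "bob's application"))
    store.add(Document(1003, "carol", "carol's application"))
    log = []
    leaked = fetch_document_insecure(store, "bob", 1001)   # alice's record exposed
    blocked = fetch_document(store, "bob", 1001, log)      # None: not bob's
    own = fetch_document(store, "bob", 1002, log)          # bob's own record
    for doc_id in (1003, 1004, 1005):                      # bob keeps changing the id
        fetch_document(store, "bob", doc_id, log)
    return leaked, blocked, own, flag_enumeration(log)


if __name__ == "__main__":
    print(demo())
```

The ownership check, not the opaque handle, is the control that closes the hole; the handle only stops casual guessing, and the log review gives operators a way to notice probing even when every request is refused.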

We’re still looking into the incident, but thought it was valuable to point out that not all data breaches are caused by fraud or theft. In some cases, personal information is left exposed because employees and organizations have left their data management systems unsecured.

They may not have updated their systems to the latest encryption standard, they may not require their employees to choose robust passwords, or they may have decided to wait for a more stable version of the software.

In the end, however, these organizations and their employees are making decisions about security of their clients’, customers’ and colleagues’ personal information.

And sometimes that personal information leaks out.

At that point, a software or hardware issue becomes a matter of personal concern. The appropriate reaction from an organization is contrition and an expressed dedication to resolve the breach quickly and fully.

Oh, and a commitment to reforming the personal or organizational habits that led to the lax security in the first place.

*As you may have noticed, “we” generally refers to Colin McKay, the Director of Communications. Other employees have blogged, and we expect more of their work in coming weeks.


26 Nov 2007

Privacy Commissioner on 60 Minutes


In case you missed it, last night the CBS News program 60 Minutes discussed the data breach at TJX (also known as TJ Maxx, Marshalls, Winners and HomeSense). Our report on the data breach can be found on our site. Further to our report, TJX announced they had, in fact, lost the information for 90 million cards.

An interview with Jennifer Stoddart, the Privacy Commissioner of Canada, led the program. The video is available on the CBS site.



24 Nov 2007

British youth unaware of their digital footprint


Are youth really this clueless about their digital footprint? The Information Commissioner’s Office in Great Britain has just released the results of a survey of British youth ages 14-21. “Six in 10 have never considered that what they put online now might be permanent and could be accessed years into the future.”

In fact, some youths online make conscious decisions to reveal personal information to expand their network of “friends”:

“Two thirds (eight in 10 girls aged 16-17) accept people they don’t know as ‘friends’ on social networking sites and over half leave parts of their profile public specifically to attract new people.”

There is a perception that, in general, young people do not pause to consider the implications of their activities online. This can result in cyber-bullying, strained relationships with your real-life friends, uncomfortable conversations with your parents, or even your future employers.

“Initial thoughts – who cares? Subsequent thoughts – omg!!!” (Female, 14, Scotland)

For that reason, the Information Commissioner’s Office has launched a site aimed at young Britons. It is one more piece of help in a growing community of resources like the Media Awareness Network (who have launched a useful French-language site), ThinkUKnow and others.


21 Nov 2007

A complete and utter failure


When privacy advocates try to imagine their idea of the worst possible data breach, I doubt they could think up this catastrophe.

Last month, a British government agency, Her Majesty’s Revenue and Customs, lost a copy of the records for over 7 million families, or 25 million individuals, who receive child benefits.

Diskettes with the records were apparently sent by in-house courier across London – breaking departmental standards – and were never received.

The diskettes included a trove of information, including names, addresses and dates-of-birth of the children, and their national insurance numbers. Some of the records may have included the bank details of parents claiming child benefits.

As a result, Paul Gray, the chairman of HM Revenue and Customs, resigned.

It appears several HMRC protocols were broken:

  • the data records, while password protected, should not have been shared in the format used;
  • when the data was shipped, no record was made of its departure, and no proof was required of its delivery; and
  • senior management was not informed of the loss for another three weeks.

The impact – even if the records are found to have been simply misplaced and their delivery unrecorded in some sub-office – has been profound.

Child benefit recipients are having their accounts monitored for signs of fraud.

Financial institutions across the country have had to begin reconstructing transactions completed since the data breach to make sure fraud hasn’t already taken place. This is a costly and time-consuming exercise.

The sheer scale of the data lost is staggering. The fact that a junior official apparently had the access to this information is disturbing – but that official’s apparent disregard for the security of such a vulnerable population is shattering.

The message for governments everywhere is clear: even in an organization clearly aware of the sensitivity of its data holdings, even with management dedicated to organizational efficiency and responsibility, the security of vital personal data cannot be taken for granted.

A failure of apparently rote safeguards, process or procedure can have potentially devastating consequences: for vulnerable populations, for their families, for civil servants, and possibly for governments.