June 2008 Archives

June 4, 2008

The importance of the P word

Google is under the spotlight again, and this time for something seemingly innocuous: the Privacy Rights Clearinghouse in the US is calling for the search engine giant to display a link to its privacy policy from the homepage. Surprisingly, when most credible websites have a link to their privacy policy from the homepage, Google doesn't. Google argues that the policy itself - which isn't the problem in this debate - is easily accessible with just a few clicks (or I suppose you could Google it...).

Whilst it might not apply in this particular case (I don't know what Google's reasons are for refusing to provide the link), the story highlights a problem for global companies: how to maintain a consistent privacy approach across multiple jurisdictions. A privacy policy that complies with US law might not be good enough for Germany or Canada. A policy complying with German requirements could leave a company handicapped when operating in territories where privacy laws are more permissive and customers either don't expect the same degree of privacy protection, or expect to achieve it through a different cultural approach. This is one of the big challenges for a privacy professional, and yet another reason why the subject is in fact very different indeed from information security.

June 11, 2008

The Phorm effect spreads

A little while ago I declared a closed season on Phorm, but this story merits coverage. The UK Information Commissioner has examined Phorm's OIX and Webwise offerings, and concluded that since they have yet to launch a commercial service, it does not merit intervention, and the ICO's current position is to maintain a watch on events. However, that didn't satisfy campaigners who object to Phorm's approach to user profiling, and as a result the European Commission is apparently considering intervention. Anti-Phorm protesters will be at BT's AGM next month, and will also be demanding police intervention over Phorm's technology trials with BT (although I imagine it highly unlikely that will result in action simply because of the complexity of the legal issues and an under-resourced police force).

This battle is proving to be another demonstration of just how hard a small but motivated group of campaigners can hit major corporates when they feel their privacy has been breached. BT's handling of protesters is going to be a tipping point for the battle, so keep an eye on the news on July 16th.

June 17, 2008

You couldn't make it up

First we had Top Secret Al-Qaeda analyses left on a train out of Waterloo... then financial crime plans left on a train back into Waterloo... (and all I found on my Waterloo train this week was an unexploded gym kit - somehow I feel short changed)... now Hazel Blears' constituency office admits to the loss of a laptop containing "a combination of constituency and government information which should not have been on it."

Anyone stupid enough not to have noticed the string of data loss incidents in the past six months, and the consequences for the individuals concerned, frankly deserves to be tarred and feathered and pilloried in Whitehall. Actually, why don't we propose a pillory for the 'empty' plinth in Trafalgar Square, reserved exclusively for anyone who's ignored the Manual of Protective Security? It would make a good installation piece...

June 18, 2008

Our first candidate for the spare plinth in Trafalgar Square?

Thanks to Edgar for bringing my attention to the loss of six laptops from St George's Hospital in Tooting. Apparently the machines contained 20,000 patient records, stored there because there were problems with the network. But don't worry, everything's OK, because "all the information on the laptops was password protected and personal information, such as postcodes, were hidden - although the patient's name and hospital number was shown." What on earth is that pseudo-security doublespeak supposed to mean?

I'll be applying to the Arts Council for funding to build a pillory on the spare plinth in Trafalgar Square - which should make for a good tourist attraction - and this incident definitely makes it to the candidate list for early occupants.

Our computers work... or your money back

The BBC reports that Sainsbury's has been forced to suspend its online shopping service due to an undisclosed computer glitch. The article makes for interesting reading when you compare it to public attitudes towards public sector system failures. The BBC's concerned shopper, put out at the earth-shattering prospect of a late delivery, says "I was initially very angry but if it's a technical glitch, that's beyond their control". That has to be the most forgiving system failure comment of the year. And why? Apparently Sainsbury's is contacting affected customers and offering them £10 compensation.

Most importantly, Sainsbury's is offering customers a £10 voucher for next time they shop online. Compare that with the many public sector failures of recent months, where in many cases it has been impossible to extract an apology, let alone recognition that customers might have been affected.

Here's a suggestion: next time the public sector contracts for a portal/gateway/online service, why not commission more than one front-end and get the providers to compete for consumers' business? We might, for example, choose through which gateway we prefer to submit our tax returns. The providers would be paid on a per-submission basis, and competing for our services would certainly ensure that they were reliable - or that they apologise for errors when they happen.

June 19, 2008

Dr Brown's Psychic Paper

Dave Birch has published a short paper that summarises many of the ID card ideas he's put forward in recent years, and if you find yourself flummoxed by the depth of technical detail in other identity discussions, then this is the perfect place to start. Dave is writing from a position of authority - he and his colleagues at ConsultHyperion have designed more than one national ID scheme - and has a remarkable ability to convey complex ideas in a way that even I can understand. Read his article and have a think about what you really want from a national identity scheme.

Controlling the carbon footprint

A new market is developing in environmentally-friendly low-carbon energy management solutions for businesses. Whilst visiting a public authority recently I witnessed an innovative solution to controlling energy use by their air-conditioning systems. Here's how they've done it...

June 20, 2008

Dilbert on workplace surveillance

Today's Dilbert focusses (geddit?) on workplace surveillance.

June 23, 2008

A very confusing survey?

The BBC is covering a survey commissioned by StrongMail, in which the company claims that "one in five [marketing professionals] said they had given out credit card details, one in seven would reveal information about customers political affiliations, and one in 10 would disclose their religious beliefs."

Now I appreciate that the marketing profession hasn't always had a good press, and that as with any profession there will always be a few mavericks, but surely the efforts of DMA and Chartered Institute of Marketing have achieved more than that? I'm going to remain very sceptical indeed about the sample of "marketing and data protection executives at 900 firms" since these are, by definition, very different job roles. Furthermore, it's sadly uncommon to encounter such a thing as a "data protection executive," since the role more normally sits at a junior level.

The only reported part that feels right is that "nearly 90% of these said the incidents had not been reported to customers." That bit rings true.

I'd very much like to see StrongMail's source data when it becomes available.

June 25, 2008

Rather quiet on the big privacy news day

Today's been the biggest privacy news day of the year; the Poynter and Burton reviews are out, the ICO has said it will slap enforcement notices on HMRC and MoD, and there are more data loss incidents emerging. Please excuse the radio silence, but I've been focussed on delivering the Enterprise Privacy Group's response to the Identity and Passport Service consultation, and preparing for a workshop we're holding with IPS on Monday. With a stroke of luck I'll have time to prepare a full analysis of events over the weekend.

In the meantime, for those of you who don't want to read the full response, here's the wordle version.

June 26, 2008

The BEST phishing email yet!

I've just received the very best phishing email I've ever received. Look, the money arrived in my account just a couple of hours ago - all I need to do is log in to get it! I've disabled the offending URL so that this doesn't fall foul of content filters.

---

Title: PAYMENT CONFIRMATION

Dear Abbey Customer,

STUART FREEMAN made an online funds transfer to your online account.
The details of this transaction are shown below.

Transfer Date and Time:
26/06/08 at 07:34 AM
Transfer Amount: £4370.00
Transfer Description: PAYMENT

To view this transaction and your current balance, please CLICK HERE
If you have any questions related to this message or the funds transfer,
please contact STUART FREEMAN. Please do not reply to this message.


------------------------------
Sincerely,

Abbey Customer Service


About June 2008

This page contains all entries posted to The Privacy, Identity & Consent Blog in June 2008. They are listed from oldest to newest.
