Welcome

  • Naked Law is written by technology lawyers from Mills & Reeve. Our team is (mostly) based in Cambridge, England. We write about the latest legal and regulatory developments relating to information and communication technology, e-commerce, and privacy.

    Please send us an email or post a comment if you want to join in the discussions on Naked Law.


Disclaimer

  • The information on this blog is not legal advice. You should not rely on it and we don't accept liability in connection with it. Please read our full disclaimer and let us know if you would like us to advise on any legal issue.


ENISA faces up to social networking risks

The European Network and Information Security Agency (ENISA) has this October published a report, compiled by a range of experts on data protection and internet security, on the risks, present and future, of social networking sites.

The report makes a number of recommendations, including the review and revision of current data protection laws in Europe. One of the most interesting future risks identified is that of ‘face recognition technology’, which could enable the possessor of the software to search the internet for all uploaded photos of a person if they have a precedent picture to start with. This is because a photo is in effect a binary identifier and as the efficiency of face recognition algorithms improves, the possibility of a comparison of large numbers of images becomes increasingly likely.

The idea that someone could access, let’s say, a person’s photo on a corporate profile, and then use this technology to search for other images of that person (or at least people with similar facial characteristics) that may exist on other sites should be regarded as troubling considering the laissez-faire approach many people take to their profiles/images on social networking sites and the increase in images available. This may pose a serious risk to a person's control of personal data. Many sites that allow people to post photos with the promise of anonymity to the general public (such as dating sites which have grown enormously in popularity) could find their users exposed by this new technology.

This is further exacerbated by the problems which arise from persons being identified by others on social networking sites, for example by tagging on Facebook, which doesn’t require consent (there is a right to remove a ‘tag’, although it is very easy to simply ‘retag’ the unflattering photo of a friend/partner/colleague).

A photo may be personal data in the UK where it can be used to identify a living individual, in which case existing data protection laws would apply.  However, reviews of the law in this field will need to be on-going to keep pace with innovation.  The report is particularly worth reading for those of us who are unphotogenic, in trepidation of future technology or those wanting to know more about the risks of adding that friend on Facebook with the armoury of photos from headier days.

What's a fair share?

I hopped on the train for the SCL's data sharing seminar last night.  As well as giving me the opportunity to have a quick wander around a colourful St Pancras a week before it opens, it was a useful reminder of where we're at with data sharing and the Information Commissioner's current approach.

In part, the seminar launched the new framework code for data sharing, but more interesting were the  contributions from the speakers (Iain Bourne from the ICO and Helen Child, an experienced negotiator of high profile public sector data sharing projects).  A few interesting snippets I took away ...

  • The ICO will be looking at how our existing data protection legislation could be revised in future.  Iain B agreed that the legislation is looking out of date in places and that some elements weren't working (notably the arduous task of picking a "condition" to justify any data processing and the rigmarole of notifying the ICO).  He did admit that agreeing changes with some other EU member states might be difficult, though ...
  • The ICO's data sharing guidance focuses on the importance of fair processing - and the use of fair processing notices.  When I was a trainee, I was lucky enough to sit with the brilliant Shelagh Gaskill and I remember how precious and well-honed was her precedent data protection/fair processing notice and its accompanying guidance.  The Data Protection Act can be a headache for newcomers, but clearly informing data subjects what you're going to do with their data goes a long way to achieving compliance.
  • Helen C reinforced the importance of addressing the details of data sharing up front, based in part on her experience with congestion charging.  What data is going to be shared (down to naming fields in the database), what will the data be used for, who will have access to it (name names), will it be passed on to anyone else?  And most importantly, don't receive data from third parties unless you know exactly what you're going to do with it.  The "just in case" approach doesn't wash ...

Wireless fight

A Canadian company (Wi-Lan Inc.) is reportedly bringing action against up to 22 firms for infringing its wireless fidelity (wi-fi) and digital subscriber line (DSL) related patent portfolio.

The companies who are facing the legal action include some of the biggest in the IT industry, such as Dell and Intel.

The case has reportedly been brought in the Eastern District of Texas Court, which has a reputation for setting quick timetables for patent disputes, and some commentators think that the Court generally favours patent owners.

No Fair!

In 2005 the EU enacted the Unfair Commercial Practices Directive (2005/29/EC). This is a broad 'catch-all' Directive, intended to plug the gaps in consumer protection law by imposing a general standard on businesses to behave fairly when they deal with consumers.

This was originally intended to become national law in all member states by 12 June 2007, but several states (including the UK) are late in transposing the Directive into national law. This is partly because the Department for Business, Enterprise and Regulatory Reform (formerly the DTI) has implemented a series of consultations and impact assessments on the basis that the Directive will impact upon existing UK legislation such as the Consumer Protection Act 1987.

The Directive may be of particular interest to businesses that sell to consumers online. It effectively imposes a duty not to, by action or omission, behave unfairly towards customers. The Directive gives several specific examples of unfair behaviour, such as giving misleading indications to consumers or participating in aggressive commercial practices. For example, if a business advertises at an incorrect price and refuses to sell to a customer at this price (seeking to rely on their terms and conditions in so doing) it is arguable that they may fall foul of the Directive. One noted commentator writes on The Register that this might also affect 'flogging', where businesses write excellent reviews for their own products which purport to be from third parties.

Businesses should consider their behaviour and their terms of use/website policies. The Directive is due to become law in the UK in approximately April 2008, although given that the implementation deadline has already passed, this should not be regarded as a fixed date.