
Entries in privacy (18)

Wednesday
Apr 11 2012

Privacy in a nutshell, a guide

I started working on an overdue post this morning and, in the process, realised it would be really helpful to first publish this guide, "Privacy law in a nutshell", as an introduction to South African privacy law (some of the principles apply elsewhere too). It is a pretty brief overview, but if you are not familiar with some of the basic legal principles and considerations relating to privacy, this should help.

Friday
Mar 09 2012

Google's new privacy policy: much ado about very little

Google's recent privacy policy update has caused great consternation. Some commentators have expressed concern about the new policy's compliance with various privacy law frameworks (particularly the EU's data protection laws) and about the aggregation of users' personal information, and others have made ridiculous claims about the policy being the "end of privacy as we know it". We took a close look at the new privacy policy, what has changed from October's version and what this really means for users. It turns out much of the fuss is uninformed, sensationalist and unjustified.


One Privacy Policy to Rule Them All

Essentially Google has taken a number of privacy policies spread across multiple services and consolidated them into a single privacy policy that covers personal information processing across all Google services. This isn't as simple as it sounds and its benefits are not immediately apparent. One of the disadvantages of having multiple privacy policies governing multiple services is that you can't be sure that your personal information will be handled consistently from service to service or even that all of the policies process your personal information in a way that doesn't prejudice you unreasonably. This also potentially means diminished transparency, less informed consent and greater uncertainty – all less than desirable features of a document of such importance. With a unified policy users have greater certainty as to what personal information Google is collecting and what it is doing with that personal information. To add to this, the new privacy policy continues Google's practice of writing very clear and plain policies (when I am looking for inspiration for legal terms, I often look to Google's terms for their clarity and emphasis on good, plain language).

Another thing Google does is publish comparisons between policy versions. This is part of the comparison between the October 2011 version and the March 2012 version:

Privacy Policy – Policies & Principles

Google does a terrific job purely from the perspective of transparency. Users are advised in advance what changes are going to be made and are shown not only the new policy document but also the changes from one version to the next. This behaviour doesn't receive enough attention. Not many companies go to such lengths to be so transparent about these sorts of changes.

Positive Changes

The policy, for the most part, doesn't change the privacy framework under the previous model. Users haven't lost control over their personal information and haven't been forced to be more public than they may wish to be. The practice of forcing users to be more public largely fell away a couple of years after the Facebook privacy debacles. In the last year or so Google, Facebook and other services have been more careful with users' personal information and their privacy policies reflect this.

The new policy clarifies how users can "make meaningful choices about how" Google uses their personal information. Users have a number of options available should they wish to access and review the personal information Google holds, adjust their ad preferences, control who they share their personal information with and even export their personal information from Google's services. The new policy also states that browsers can be set to block or moderate cookies but cautions about diminished functionality in its services if users choose to do so (this is the incentive for users not to moderate cookies).

A change I found very interesting is this sentence:

We will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent.

Previously the privacy policy dealt with the DoubleClick cookie on an opt-out basis:

Google uses the DoubleClick advertising cookie on AdSense partner sites and certain Google services to help advertisers and publishers serve and manage ads across the web. You can view and manage your ads preferences associated with this cookie by accessing the Ads Preferences Manager. In addition, you may choose to opt out of the DoubleClick cookie at any time by using DoubleClick’s opt-out cookie.

Why People Are Concerned

The primary reason most commentators seem to be concerned about the new privacy policy is the following set of clauses:

We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads.

We may use the name you provide for your Google Profile across all of the services we offer that require a Google Account. In addition, we may replace past names associated with your Google Account so that you are represented consistently across all our services. If other users already have your email, or other information that identifies you, we may show them your publicly visible Google Profile information, such as your name and photo.

...

...

We may combine personal information from one service with information, including personal information, from other Google services – for example to make it easier to share things with people you know. We will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent.

We will ask for your consent before using information for a purpose other than those that are set out in this Privacy Policy.

Essentially Google is consolidating the personal information it has from its users across its various services into a more complete, useful and valuable database. Previously, the various privacy frameworks and notionally distinct services meant that a user could have varying exposure to personalised ads and to personal information processing. Under the more consolidated model, users can be more readily and more accurately profiled and better targeted with ads. Their experience of Google's services can also be improved where data can be shared across services (another reason for the change) to enhance users' general Google experience.

This change reflects the increasing integration of Google's services into a more cohesive whole, not dissimilar to Facebook, which has always been regarded as a single, multi-faceted service but one which permits personal information published through one aspect of the service to be used with other aspects of the Facebook service as well as to better target ads.

Some of the clauses are mixed bags. This next clause makes an important point that sensitive personal information won't be associated with cookies and then glosses over the implications of those cookies and other technologies like pixel tags by explaining their value in setting the correct language preferences:

We use information collected from cookies and other technologies, like pixel tags, to improve your user experience and the overall quality of our services. For example, by saving your language preferences, we’ll be able to have our services appear in the language you prefer. When showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health.

Google has been viewed with suspicion for some time now due to its size and presence in our daily lives. There is no question that Google uses personal information to personalise its ads and users' experience of many of its services. That said, Google works to be more transparent about its disclosure of personal information to governments (one of the times Google will hand over your personal information is in response to a valid and legally binding request from a government). Contrary to the article in a recent issue of the Star titled, "Big Brother has nothing on Google" (this article is largely a series of exaggerations, some of which are factually questionable), the new policy does not give Google carte blanche to sell user data at will. The policy is fairly clear on this point:

Information we share

We do not share personal information with companies, organizations and individuals outside of Google unless one of the following circumstances apply:

  • With your consent

    We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so. We require opt-in consent for the sharing of any sensitive personal information.

  • With domain administrators

    If your Google Account is managed for you by a domain administrator (for example, for Google Apps users) then your domain administrator and resellers who provide user support to your organization will have access to your Google Account information (including your email and other data). Your domain administrator may be able to:

    • view statistics regarding your account, like statistics regarding applications you install.
    • change your account password.
    • suspend or terminate your account access.
    • access or retain information stored as part of your account.
    • receive your account information in order to satisfy applicable law, regulation, legal process or enforceable governmental request.
    • restrict your ability to delete or edit information or privacy settings.

    Please refer to your domain administrator’s privacy policy for more information.

  • For external processing

    We provide personal information to our affiliates or other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.

  • For legal reasons

    We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

    • meet any applicable law, regulation, legal process or enforceable governmental request.
    • enforce applicable Terms of Service, including investigation of potential violations.
    • detect, prevent, or otherwise address fraud, security or technical issues.
    • protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.

We may share aggregated, non-personally identifiable information publicly and with our partners – like publishers, advertisers or connected sites. For example, we may share information publicly to show trends about the general use of our services.

If Google is involved in a merger, acquisition or asset sale, we will continue to ensure the confidentiality of any personal information and give affected users notice before personal information is transferred or becomes subject to a different privacy policy.

While Google has given itself the ability to exchange your personal information across its services for various reasons, it does not mention selling users' personal information to third-party advertisers. If anything, the policy wording tends to rule that out, subject to Google's ability to disclose your personal information for those sorts of purposes if you consent to it or if the person administering the domain your Google Account forms part of does something similar (Google leaves it up to those administrators to develop their own privacy framework).

Perspective

Many commentators criticise Google and other companies, ostensibly on the mistaken assumption that they are entitled to a particular range of services or to be subject to terms and conditions or privacy policies they find more favourable. This is a flawed assumption. Google is a "for profit" company and, at the same time, it makes a concerted effort to strike a balance between its commercial interests and its users'. The outcomes of that effort include clearly written policies which inform users what happens to their personal information from the time they submit it to Google. The document's clarity means that users are more likely to understand it and its implications and give their informed consent to Google. That is what a privacy policy should strive for.

In addition, this policy does not make further inroads into user privacy. The general exception is the extent to which aggregating personal information across Google's services impacts on user privacy more extensively.

Google has also given users the tools to control their personal information fairly effectively by removing it, blocking its collection or correcting it. I say "fairly" because the policy also mentions that users have control over "many" of Google's services, not all of them.

Ultimately personal information is the price users pay to use Google's (and other) services and, while the choice to use other services often isn't as appealing, it remains an option. Users also have tools independent of Google to help protect their privacy. Alternative browsers like Firefox, which include various settings to help protect users' privacy, are one such tool. Even Google's Chrome gives users the ability to better control their personal information.

Much of the new policy is a clarification of the previous version with paragraphs being restructured or otherwise amended to improve them from a usability perspective. All the hype and fuss about the privacy policy seems to be mostly bluster and much ado about very little after all.

Update: I came across this video from This Week in Law 147, which presents a great perspective on the policy changes.

Nastassja de la Guerre helped out with a more detailed comparison between the October 2011 and March 2012 versions and an assessment of the impact of those changes. Nastassja is a candidate attorney at Jacobson Attorneys.

Monday
Feb 27 2012

Smarter sharing choices and your online reputation

When people think about online reputation management they frequently think about expression on social services like Twitter and Facebook. Equally important is the link between online sharing and reputation. Microsoft published a report last month titled "Online Reputation Management Is a Two-Way Street" which considered the impact public sharing has on reputation. The report has some interesting findings –

  • While 91 percent of people have done something to manage their overall online profile at some point, 67 percent feel in control of their online reputation, and 44 percent of adults actively think about the long-term consequences of their online activities.
  • 14 percent of people believe they have been negatively impacted by the online activities of others, even unintentionally so. Of those, 21 percent believed it led to being fired from a job, 16 percent being refused health care, 16 percent being turned down for a job, and 15 percent being turned down for a mortgage.

Taking more effective steps to safeguard your reputation means being more circumspect about what you share and with whom. As Microsoft's Chief Privacy Officer points out –

“Your online reputation is shaped by your interactions in the online world and spans the disparate and varied data about you, whether created and posted by you or others. This information can have a lasting presence online, and can affect your life in many ways – from maintaining friendships, to helping you keep or land a new job,” says Microsoft’s chief privacy officer Brendon Lynch.

Some practical steps you can take to better protect your reputation and your privacy include the following:

  • Familiarise yourself with your social service's privacy controls and adjust them to suit your preferences (there is nothing wrong with only sharing your Facebook posts with your friends and family);
  • Read and take notice of your social service's privacy policy (modern privacy policies are written in plain language and have important information about what personal information is collected and what is done with it);
  • Take the time to also read your social service's terms and conditions (these documents look like long, rambling torture devices but some of the clauses are very important – these include the content licensing provisions which set out the permissions you grant in respect of your content);
  • Search for yourself using various search engines to see what comes up (this sounds vain but knowing what is associated with you online is a basic reputation management technique; companies use paid online reputation management services, but you can use free services like Google Alerts and saved searches on Twitter to do some cost-effective tracking of your own if the commercial services are out of your price range);
  • Think carefully about making public statements or expressing your opinion on a topic if doing so may cause offence; and
  • Perhaps one of the most understated and most effective privacy controls you have is not to share in the first place (simply put, don't share anything you wouldn't want to be made public and appear in search results when someone searches for your name).

Privacy, in the sense of secrecy, is a rarity and we share more and more each day (roughly 50 million tweets per day and Facebook had 845 million users at the end of December 2011). Moreover, there is an increasing number of services that can create aggregated profiles based on information drawn from a variety of online sources. If your reputation is important to you, it is essential that you start paying attention to what you share and think carefully about the possible ramifications for your reputation in the months and years to come.

Monday
Nov 14 2011

Austrian law student's crusade against Facebook highlights users' responsibilities

Austrian law student Max Schrems has embarked on a crusade against Facebook aimed at exposing what he considers to be Facebook's misuse of users' personal information. Schrems has lodged 22 Reclamacións (I understand these to be a form of complaint) against Facebook with the Irish Data Protection Commissioner (Facebook's legal presence outside the US is in Ireland) regarding Facebook practices ranging from the contents of its Data Use Policy and the effectiveness of consent to the Data Use Policy to Facebook's apparent practice of collecting personal information about or relating to people who are not yet Facebook users.

These complaints raise a number of concerns about the extent to which Facebook has complied with Europe's Data Protection Directives, which establish a legal framework to protect European users' personal information and privacy rights. The Irish Data Protection Commissioner is either about to conduct or is in the process of conducting an audit of Facebook's privacy practices and we should learn whether Schrems' complaints are valid in due course. What this crusade does highlight is users' responsibilities when sharing information and content on Facebook.

Facebook's Data Use Policy is fairly extensive. At one point Schrems mentions that if the Data Use Policy were reproduced in a more readable font it would be close to 20 pages. I reformatted the Data Use Policy with 1.5pt line spacing and size 11 font and it worked out to about 17 A4 pages. It is readable and extensive. The primary reason for the policy's length and Facebook's efforts to explain the policy and privacy settings in different ways is that using Facebook has serious implications for your privacy. The sharing controls have improved drastically over the last few years, culminating in a recent update which exposes publicity controls in every post.

One of the issues Schrems raised concerns about was how much information he found in the downloadable archive of his Facebook profile. Schrems' archive apparently ran to about 1 222 pages of data. I picked up on concerns both about how much information is contained in the archive (and, therefore, how much personal information Facebook receives and stores) and about how much information he felt was not included.

Facebook archive download page

Social media users are slowly coming to the realization that these free services we flock to in the tens and hundreds of millions have a lot of information about us, which we supply to them. Facebook is a great example because of its sheer size. The upcoming Timeline feature will heighten that awareness as it exposes users' profile information and interaction going about as far back as they have been members, possibly even further back if users populate their profiles with historical biographical data. The point we are heading to is that privacy as secrecy is largely a myth on the social Web. If you are active on the social Web, the emphasis shifts to the extent to which you have meaningful control over your personal information, and this is where Facebook has historically been pretty bad. That said, Facebook's privacy controls and its Data Use Policy have improved dramatically in the last 4 to 5 years. Facebook's anticipated deal with the FTC should firmly place control over users' profile information more in their hands than they have experienced in the past, and that is a win for users.

Facebook is clearly improving its policy language and practices by being more transparent about what personal information it collects from users and what it does with that personal information as well as giving users more meaningful control over what they can do with their personal information and content in the Facebook ecosystem. Users must remember that how well their privacy is protected largely comes down to the choices they make. Failing to familiarize themselves with privacy policies and make proper use of privacy settings made available to them is no longer an option for users concerned about their privacy. If services like Facebook require more than users are comfortable sharing then they should refrain from using those services.

Facebook may have violated Europe's privacy laws as Schrems contends. We will have to wait for the results of the Commissioner's audit to make that determination. We may also discover that Schrems' much publicized campaign amounts to little more than tilting at windmills. Facebook insists that it complies with these laws and will make whatever adjustments are required should the Irish Data Protection Commissioner find it to be acting unlawfully. Hopefully this crusade will remind users just how much they share on services like Facebook and take a little more responsibility for that.

Wednesday
Nov 09 2011

What parents can do to better protect their children's privacy online

Our children are growing up with digital devices and an increasingly social Web and are, in the process, sharing their personal information, oblivious to the risks. Parents are increasingly finding themselves in foreign territory with no real idea where to begin to address their children's privacy. This post is intended to give parents an overview of the privacy frameworks in place and some of the factors to bear in mind.

Protection of Personal Information Bill

This is a draft Bill, making its way through Parliament at the moment. It gives the right to privacy in the Bill of Rights more substance. The Bill focuses on privacy as in informational self-determination, as opposed to privacy as in secrecy. It establishes a framework for what personal information can be collected from whom and what can be done with that personal information. I wrote about this in my post titled "Privacy is about choice":

Privacy has become more about informational self-determination - each person's ability to decide what becomes of their personal information. Facebook has been a bit of a cowboy with users' personal information for some time now and the primary concern, as I see it, is that Facebook has decided, from time to time, to expose more of users' profile information to the public Web and make that level of disclosure a new default. It has also progressively changed its privacy policy to allow for greater transparency. What it has done is severely limit users' choices to the point where their choice has become whether to include information on their profiles or not, bearing in mind that any of their personal information could suddenly be made public.

While the Bill is still subject to change, we can draw on a few of the trends in the Bill:

  • Personal information can only be collected with the data subject's consent, generally speaking (the term "data subject" is the term used for the person whose personal information is collected);
  • Data subjects' consent must be informed and this means the party collecting the personal information must inform the data subject what personal information is being collected and what it will be used for (this is the rationale for detailed privacy policies);
  • Personal information should only be used for the purpose it is collected for and should either be destroyed or anonymised (the Bill talks about "de-identifying" personal information); and
  • Personal information should be kept secure and only disclosed where the data subject consents to disclosure or where required by legal authority.

Children's personal information is subject to a further requirement. By children, I am talking about children under the age of 18 (a person is legally recognised as an adult, a major, when that person turns 18 - there are exceptions, though, relating to an incapacity or inability to manage the person's own affairs). The February 2011 draft of the Bill (the current draft as I type this) requires prior consent from a "competent person" before collecting and using a child's personal information. A "competent person" is defined as follows:

A “competent person”, for purposes of paragraph (a), means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child

The position with children is different to general personal information processing because it requires prior consent from that competent person (usually a parent or guardian). In practice this can be a little tricky to obtain for various reasons. The first reason is that, when it comes to the major social networks, it's not clear that the Protection of Personal Information Bill applies to those social networks. That said, the provisions dealing with data transfers outside South Africa require that the countries this personal information is transferred to subscribe to similar personal information protection principles in their laws.

Consumer Protection Act

The Consumer Protection Act highlights another reason obtaining consent from children for the collection of their personal information is tricky. As I pointed out in my post "Why Website terms and conditions matter", a website's terms and conditions constitute a contract between the site's visitors and users and the site owner. This implies that the parties to this contract have the legal ability to enter into a contract in the first place (this is also known as "contractual capacity"). Section 39 of the Consumer Protection Act deals with this issue when it comes to children:

Agreements with persons lacking legal capacity

39. (1) An agreement to enter into a transaction, or for the supply of any goods or services, to or at the direction of a consumer—

(a) ...
(b) is voidable at the option of the consumer, if—

(i) at the time the agreement was made the consumer was an unemancipated minor;
(ii) the agreement was made without the consent of an adult responsible for that minor; and
(iii) the agreement has not been ratified by either—

(aa) an adult responsible for that minor; or
(bb) the consumer after being emancipated or becoming an adult.

(2) Subsection (1) does not apply to an agreement if the consumer, or any person acting on behalf of the consumer, directly or indirectly, by act or omission—

(a) induced the supplier to believe that the consumer had an unfettered legal capacity to contract; or
(b) attempted to obscure or suppress the fact that the consumer did not have an unfettered legal capacity to contract.

What this means is that a child can enter into a contract with a social network but the parent or guardian whose consent is necessary to ratify or confirm the contract can effectively void that contract. Bear in mind that the contract here probably includes a privacy policy in terms of which the child presumably confirmed that the "competent person" concerned had consented to the social network collecting the child's personal information. The risk to the social network is that the parent or guardian would decide to void the contract between the child and the social network and, effectively, negate the consent to the social network's collection of the child's personal information. This presents a practical challenge to social networks when it comes to applying contractual terms to children's access to their services and their collection of children's personal information.

Social networks

The major social networks and services, like Facebook and Google's various services, cater for children accessing their services. Facebook's protections are more robust than Google's in many respects. Facebook limits who can see children's Facebook activity. According to Facebook's Safety Centre –

The only people who can see what teenagers post are their Facebook friends, friends of friends and networks (like the school they attend). We maintain added protections and security settings for teenagers (aged 13-17) that ensure their profiles and posts don't show up in public search results. Similarly, if teenagers share their location through Places, only their Facebook friends can see it.

Parents should spend some time reading through the information provided in social networks' privacy information pages. Here are a couple that will probably be pretty relevant:

General tips

Parents should acknowledge that their children are digital natives. Digital is an important part of their daily lives and will be increasingly important in almost all aspects of our daily lives, including the business environment. Trying to block access to this may not work, either for long or at all. Instead parents should engage with their children as much as possible about the services they are using and educate them about the very real risks of disclosing too much information about themselves.

While many parents are unfamiliar with the services their children are using, perhaps even intimidated by those services, they should make every effort to find out more. Often this means creating their own profiles on some of these services and "friending" their kids (even though this would probably mortify their teenagers) so they can keep an eye on what they are doing. That said, children can probably manipulate privacy settings to hide their activities, so it falls to parents to learn as much as they possibly can about services like Facebook, Twitter, Google+ and Mxit and what these services' privacy practices are.

Parents are users too and they should bear in mind that their social activities can compromise their children's privacy. I wrote about this in a post titled "The privacy myth" a while ago (the post's main theme is that privacy as in secrecy is a myth online) –

There are two strategies which can help mitigate the effect of the Internet on personal privacy. The first is to proactively manage your identity online. This means using services like ClaimID to create coherent and comprehensive personal profiles online and taking steps to differentiate aspects of your personality from those that either have no link to you or which are misrepresentations or misuses of your identity.

Another simple, yet powerful, strategy is to decide in advance which items of your personal information will never be disclosed online, ever. This strategy depends on the principle that what you don't disclose can't be disseminated and misused. Examples of personal information never to disclose may include your identity number, your home address, your home phone number, your children's school and so on. Particularly sensitive personal information should be closely guarded from disclosure at all times and this requires vigilance.

The major social networks have improved their privacy practices quite a bit in the last few years. There is a common perception that Facebook is inherently insecure, but it's worth bearing in mind that children may be more at risk when they are out and about in public compared to when they are using Facebook with their privacy settings responsibly configured.

Protecting your children's privacy is not easy and it is more about controlling what is disclosed and how it's used rather than keeping it hidden altogether. That said, it can be done, but it requires diligence and attentiveness.

Update: I have come across a couple sites dealing with children's safety online which may be informative: