IBLS Speaker's Corner : online privacy

How Are You Handling Personal Information?

Maricelle Ruiz — Sun, 15 Jul 2007 15:43:00 GMT

Banks, retailers, recruiters and other organizations must adopt adequate measures to protect employee and client data immediately or else risk prosecution. In fact, the United Kingdom’s Information Commissioner recently announced it had found 12 firms, including Barclays and NatWest, in breach of the Data Protection Act and had ordered them to sign formal undertakings. Leading telecom company Orange has also been found in breach of this regulation, according to Commissioner Richard Thomas.

“How can laptops holding details of customer accounts be used away from the office without strong encryption?” Commissioner Thomas asked during the recent launch of his agency’s latest annual report. “How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each others’ forms? How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured in non-confidential waste bags?”

The Information Commissioner’s Office (ICO) enforces the UK’s Data Protection Act 1998, the Freedom of Information Act 2000, the Privacy and Electronic Communications Regulations 2003, and the Environmental Information Regulations 2004. The Data Protection Act requires organizations to manage personal information responsibly, while the Privacy and Electronic Communications Regulations support the aforementioned Act by regulating the use of electronic communications for unsolicited marketing to individuals and organizations. The Freedom of Information Act, meanwhile, gives people the right to access information held by public authorities; and the Environmental Information Regulations provide access to environmental information held by public and private bodies.

“The collection of biometrics and other personal information as a weapon in the fight against terrorism and serious crime, the increased sharing of our personal information to improve public services, and ever more inventive forms of electronic marketing, are all examples of ways in which this private space is under challenge,” the ICO reports states. “Legitimate aims are, for the most part, being pursued but protecting the privacy of our personal information in a measured and responsible way has never been of more importance. The existence of a law is not, on its own, enough to achieve this. The law must be applied in practice.”

ICO emphasizes the need to follow the principles established in the Data Protection Act. Personal information must be: fairly and lawfully processed for limited purposes; adequate, relevant and not excessive; accurate and up to date; kept no longer than necessary; processed in line with individual rights; secured; and transferred to other countries with adequate protection. Actually, ICO has been involved in the investigation of the Society for Worldwide Interbank Telecommunication (SWIFT) issue.

According to the ICO report, in June 2006, the agency along with several data protection authorities in the EU and worldwide received a complaint about “alleged covert disclosure” of information on EU nationals, specifically UK citizens, to the United States by the international financial messaging service. After determining at the EU level that the information had been transferred “in a manner contrary to fundamental data protection principles,” ICO has asked UK financial institutions to consider measures needed to comply with data protection standards. ICO also advises companies on privacy enhancing technologies; radio frequency identification tags; and marketers in particular about the Privacy and Electronic Communications (EC Directive) Regulations 2003, among other technical and legal advice.

A spokesman for the UK’s John Lewis told the BBC the department stores don’t collect data in ways in which specific customers are readily identified. “It’s more about trends and protecting their interests – if there was a fraudulent transaction, picking it up because we have an insight into their sort of habits,” the spokesman explained. The BBC also provided government advice on how individuals may protect themselves from identity theft, reportedly costing the UK government £1.7 billion a year and each victim 300 hours to solve. Among the tips are the following:

• Rip or shred all documents containing personal information.
• Keep personal documents in a safe, in the bank or at your lawyer’s office.
• Do not provide financial information via email or telephone.
• Equip your computer with anti-virus, anti-spyware and anti-spam programs.
• Don’t write down or save passwords; and stay away from obvious passwords.
• Check financial statements and credit records regularly to detect irregularities.
• Redirect mail to new addresses.

Victims should contact the police and their banks right away and keep track of all documents and hours spent solving this crime. Meanwhile, when signing an undertaking, a person generally doesn’t have to admit the acts accused of. However, if the promise not to engage in these acts in the future is broken, the signatory will be in contempt of court and may be imprisoned.

ASK THE EXPERT: Help! How Is Webcamming Regulated?

IBLS Editor — Thu, 12 Jul 2007 16:27:00 GMT

Ian Garcia of ClickDreamsOnline.com in the United States (Avon, Indiana) asks:

I am starting a webcamming service in Avon, Indiana, and hired a professional service to build my website. But one thing I wasn’t counting on was that when it came to supplying the content, I was expected to do this myself. I am not a lawyer, and my Google search was disappointing in trying to find one locally. The language in section 2257, privacy policy, etcetera, requires one. Can someone point me in the right direction in finding an office that can handle this problem, and can this type of service be handled over the Internet, or does it require my presence at an office?

ASK THE EXPERT: Does My Company Have The Right To Read My Email?

IBLS Editor — Tue, 26 Jun 2007 14:18:00 GMT

Wendy Garcia from The Philippines (Quezon City) asks:

I work for a large corporation in the finance department. In connection with the investigation of suspected embezzlement, my employer looked at my saved e-mail at work. Then, from some forwarded messages, discovered my home e-mail address, and convinced the Internet service provider to allow the company access to that e-mail as well. Does the company have the right to read e-mail at work? What about my private e-mail at home? pls answer my question asap thanks

Another Cyber Attack Hits Europe

Maricelle Ruiz — Wed, 13 Jun 2007 12:15:00 GMT

When Estonia suffered a series of cyber attacks in recent months, US official John Negroponte told the Financial Times: “We need to prepare ourselves because this is likely only to become more of an issue in the future.” Well, the future is here. And the wave of cyber attacks has moved from Eastern to Western Europe. It has recently been disclosed that around the time Estonia was under cyber attack, an important Spanish domain-registration company was also waging a battle against unknown cyber pirates. The Cyber Terrorism Division of the Spanish Police is investigating the incident. If identified, the hackers involved could be prosecuted for blackmailing a company to prevent the disclosure of confidential information.

There seems to be a disagreement regarding the severity of the situation. While some reports claim that the private data of hundreds of thousands of Internet users is in the hands of criminals, the leading Spanish company in the domain registration and web hosting business, Arsys, has issued a statement denying this information. Executives concede the company has experienced what they describe as “a security incident, compromising some client data.” However, they say, none of the data in question involves email, bank account or credit card passwords and therefore, they claim there’s no risk of illegal access into bank or email accounts.

According to Arsys, hackers reportedly stole FTP codes, enabling them to insert a link to an external server containing malicious code, in the web pages of some clients. As soon as the company detected the incident, executives say it eliminated the link from the web pages, notified affected clients and boosted security measures across the board. To comply with legal requirements, executives add the company has reported the incident to the Cyber Terrorism Division of the Spanish Police. They confirm the incident is under investigation and may end up in court.

The attackers reportedly used servers located in the United States and Russia. According to the latest Symantec Internet Security Threat Report, the United States is the top country for malicious threat activity, accounting for 31% of the worldwide total, followed by China (10%), Germany (7%), France (4%), United Kingdom (4%), South Korea (4%), Canada (3%), Spain (3%), Taiwan (3%) and Italy (3%). Meanwhile, law enforcement authorities have detained a Russian teenager suspected of involvement in the Estonian cyber attacks. The youth reportedly called for massive cyber attacks against Estonian servers in Internet forums.

Expert Input Sought on Belarusian Information Law

Maricelle Ruiz — Wed, 06 Jun 2007 12:26:00 GMT

The Government of Belarus is in the process of adopting a law on information, informatization and protection of information in that Eastern European country. Belarus intends to combine national and self-regulation to guarantee the right to receive and exchange information, including governmental data, while protecting individual privacy and national security. Think tank E-Belarus is seeking expert advice on the matter to measure the impact of the law; identify positive or negative aspects of it; and determine whether any provisions are missing from the text. Please post an expert comment on the proposed law on this blog. Your input is most appreciated by the parties working on this initiative.

The proposed Law of the Republic Of Belarus “On Information, Informatization and Protection of Information” designates the powers of public officials in this area; guarantees the right to information as long as it isn’t abused; establishes the types of information available, including public and confidential information; and sets the parameters regarding the use of personal and professional data and state secrets. It also regulates the provision and distribution of information, including data held by state bodies posted online; and demands the prompt distribution of public information upon electronic request. Furthermore, the proposed law sets the legal requirements of owners and users of data and systems, including the rights and responsibilities of parties regarding data protection.

Under the proposed law, the President and the Council of Ministers will define and implement the country’s information and privacy policies. The State Center on Informational Security and the National Academy of Sciences will come up with technical measures to protect information and keep a registry of the providers of said data. The Ministry of Communication and Informatization will regulate the sector and ensure the implementation of international treaties and the upgrading of technology. State organizations will guarantee the understanding of information technologies and resources and the timely receipt of public information.

Information may not be used to overthrow the Government, threaten the Country’s territorial integrity, or promote social, religious or racial hostility, according to the proposed legislation. The distribution of individual data should be limited to ensure personal privacy; maintain state and professional secrets; and guarantee the integrity of ongoing court cases. Holders of personal information must take measures to protect the data and seek subject authorization to distribute it. The distribution of data infringing upon the honor, dignity and business reputation of an individual or corporation is prohibited. Individuals or corporations have the right to take legal action to prevent the disclosure of their private information.

Furthermore, the planned standard states that information distributed in Belarus must clearly identify its owner and distributor, who in turn must comply with users’ right to refuse this data. Public data should be made available via email upon request promptly unless the information may harm national security or private interests. It should also be provided on the Internet. Websites of state organizations must include contact information, organizational structure, appointment times for citizens and the laws regulating said organizations. They may not contain political propaganda or ads. Both public and private sites must take adequate measures to protect personal data. A state registry on informational systems should be in place.

In addition, the proposed law establishes that international informational networks accessible from Belarus should respect national legislation. Belarusian email recipients have the right to verify senders of these communications. There are no limitations to the international exchange of information within Belarus as long as Legislation of the Republic of Belarus on Provision of Information and Protection of Intellectual Property is observed. The rights of the owner of the information contained within a database are also protected. The Government of Belarus, meanwhile, may limit or suspend the international exchange of information if deemed necessary.

Finally, it states that the users of information have the right to access personal data and use informational systems as long as they don’t abuse this right or the rights of others using these systems. Agreements should be in place to regulate the rights of owners of the information and the distributors. Agreements should also outline legal responsibility for the misuse of information. Physical protection of informational systems; cryptography; and data access controls should be in place. Violation of any of the provisions of this proposed law, slated to go into effect six months after official publication, will lead to disciplinary, civil, administrative or criminal responsibilities.

To view the full draft of the law in English, please visit:

http://www.e-belarus.org/docs/informationlawdraft.html

ASK THE EXPERT: How can I stop my ex from harassing me on the Internet?

IBLS Editor — Wed, 30 May 2007 11:48:00 GMT

Tanja Walke from the United States (Tampa) asks:

My ex put pics on the Internet & phone number without my permission. What can I do?

E-mail Wiretap is Permissible…For now

IBLS Editor — Wed, 02 May 2007 12:22:00 GMT

IBLS Contributor: Odia Kagan, Partner, Shavit Bar-On Gal-On Tzin Nov Yagur Law Offices – Tel Aviv, Israel, okagan@sbilaw.com, writes:

An amendment to the Australian Telecommunications (Interception) Act makes it easier for the police and state authorities to read citizens’ e-mails and text messages.

On December 8, 2004, the Australian House of Representatives passed the Telecommunications (Interception) Amendment (Stored Communications) Act 2004 which amends the Australian Telecommunications (Interception) Act of 1979, with regard to electronic messages (e-mail) and text messages (SMS).

Telephone conversations – Yes; Recorded Messages – No

This law, the Australian government’s third attempt to amend the said Telecommunications (Interception) Act, enables the police, several Federal and State authorities, private investigators, Internet service providers and other business owners – to access e-mail messages, SMS messages, and voice messages which are temporarily stored during transfer – without a telecommunications interception warrant, even in cases the suspected offence is not grave in nature.

The amendment to the act classifies the interception of these messages, which are found in temporary storage, as an exception to the general prohibition of the interception of telecommunications which is set forth in the Telecommunications (Interception) Act. Under the amendment to the act, unlike the legal situation which preceded it, access to such information would be granted to any entity with legal access to the equipment in which the information is stored. It would no longer be necessary to acquire a warrant for the interception of the messages. Rather a simple search warrant would suffice.

Despite the current legislative trend, this amendment is not “technologically neutral” as it awards different treatment to the interception of telephone conversations and other “live” conversations, including a facsimile transmission, with regard to which a separate telecommunications interception warrant would still be required.

Thus, the interception of a telephone conversation, data communications (such as: GPRS) and e-mail messages in the course of being transferred – requires a separate telecommunications interception warrant. However, the interception of recorded voice messages, and SMS or MMS (video/picture) messages which are saved in the memory of the cellular telephone, as well as stored e-mail messages – does not require a separate warrant.

National Security v. the Privacy of the Citizens – National Security Prevails

Those who oppose the Amendment argue that it disrupts the appropriate balance between the right of citizens to privacy and the needs of the law enforcement authorities. The objection is mainly to the permission granted to the authorities to read e-mail messages which had not yet reached their intended recipient and had not yet been read by them. The argument is that the usage of a regular search warrant is not fitting for this purpose because a search warrant was intended to enable the receipt of physical evidence, not to grant access to personal communications.

Irene Graham, executive director of Electronic Frontiers Australia, an organization which promotes civil liberties in the electronic age, does not understand the need for this amendment. Her view, as quoted in Sam Varghese’s article published in the Sydney Morning Herald on December 10, 2004 is that “if a warrant was needed it would take just 20 minutes over the phone to obtain one, then why are these additional powers needed?”

The supporters of the amendment justify the need for it with the state of national security which changed after September 11. In the discussions of the bill, the representatives of the police emphasized the need which exists, in the electronic age, to acquire fast access to stored electronic information, in order to prevent its deletion. An additional advantage of this law, stated Attorney General Phillip Ruddock, in an interview for a Findlaw Australia article published on December 7, 2004, is that it will enable network administrators to review stored communications for viruses and other inappropriate content.

An e-mail during transmission – is not “stored communications”

In a previous article, I discussed the controversial Councilman case which was handed by a US Federal Court. In this case, a business owner, who was also an Internet Service Provider, intercepted his customers’ e-mail message in order to make a commercial gain from the information found in the message. The US Court of Appeals for the First Circuit decided that this case did not constitute a violation of the Federal Wiretap Act because an e-mail message in “temporary storage”, conducted in the process of its transfer to its destination is “stored communication” and thus a separate interception warrant is not necessary in order to intercept it. This decision was widely criticized and it was vacated by the Court pending a re-hearing of the case.

The Australian law treats the temporary storage of an e-mail message during transmission as “live communication” for which a separate telecommunications interception warrant is required. In the explanation for the bill it was stated that storage of an e-mail message during transmission, which is highly transitory in nature and constitutes an integral part of the technology used for the transmission of the message – is not sufficient for making the message “stored communications” which are not protected by the act.

We shall meet again in a year

In the discussions which preceded the legislation of the amendment, different opinions were voiced and true concerns were expressed with regard to the amendment’s possible effect. Therefore, and especially as this is an innovative field which had not been regulated previously, the Australian Parliament decided that after one year from the date the amendment goes into affect (upon the receipt of the Royal Assent) an inquiry and review of the Act’s provisions will be conducted and the need to amend them will be examined based on the experience which had accumulated during the first year since the legislation of the Act

**Reprinted with permission from the Israel Bar Association Website (www.israelbar.org.il) where it was published on February 13, 2005. This article was originally published in Hebrew in NFC (www.nfc.co.il) on January 4, 2005 (http://www.nfc.co.il/archive/003-D-8550-00.html?tag=14-59-59 )

Ms. Kagan specializes in Internet and IT law. Her articles on these subjects are published regularly in professional publications of the American Bar Association and the New York State Bar Association as well as in national Israeli websites. Ms. Kagan authored the Israeli Chapter in the book “Cybercrime and Security” published worldwide by Oceana Publications, a division of Oxford University Press. A graduate of the Law Faculty of Tel Aviv University, Ms. Kagan is a member of the Israel and New York Bars, is qualified as a Solicitor in England & Wales and is also admitted as legal practitioner in New South Wales, Australia.

Stop! Private Information Ahead

IBLS Editor — Tue, 17 Apr 2007 16:46:00 GMT

IBLS Contributor: Odia Kagan, Partner, Shavit Bar-On Gal-On Tzin Nov Yagur Law Offices – Tel Aviv, Israel, okagan@sbilaw.com

California initiates a far-reaching change in the protection of online privacy. It is expected that this law will have far-reaching implications as it applies to the owners of certain commercial websites or to providers of online services worldwide.