Tuesday, 29 May 2012

New page: Data Protection Legislation

Finding a single place that lists the data protection legislation that exists in Asian countries requires a bit of work (especially for English translations of the legislation). I have compiled a list of countries which currently have data protection legislation so that we can cut down on the amount of time spent scrolling through search results on Google. Hop over to this page for the list.

Hopefully this will be useful for everyone out there.

Friday, 25 May 2012

Hollywood instructs us on facial recognition

I can watch the same movies I like or enjoy over and over again.

When I heard about SceneTap and the hoo-ha it caused in the US, the movie Minority Report came to mind (just to be clear: SceneTap is not like the technology which is portrayed in the movie. I will try to explain that further down). Anyway, back to the movie: Tom Cruise walks past a wall of interactive advertisements, the retinal scans identify him, and the displays call out his name and serve up customised advertisements. Hollywood always gets it early. For those who can't remember the scene, here is the clip from YouTube.


Now, we are being told that the facial detection technology deployed by SceneTap and the bars which are partnering with SceneTap does not identify individuals (it just makes its best guess on whether you are male or female and your age, and the data collected does not seem to be able to identify you as an individual) and does not store images of individuals. It is not facial recognition, it is facial detection. You can read SceneTap's CEO's open letter to San Francisco where he explains this.

The fact that SceneTap got a lot of heat for this is probably a reflection of where we are now in the privacy discussion (i.e. general distrust of companies among consumers, and companies not doing enough to bring privacy awareness to their customers - hence customers are caught by surprise, and generally no one likes to be caught by surprise in a bad way). That said, there is probably a ton of facial recognition done by government and police agencies around the world which we are probably not aware of. We know that Britain does this. Singapore is going to adopt facial recognition at its immigration checkpoints, and so is Japan. Expectedly, in both instances, the sales pitch for facial recognition was faster passport control and, of course, not surveillance. Want to get through immigration faster? Come get your face scanned. How many of you would choose the shorter immigration line which has facial detection?

And we can probably all see where this is going to end up. Once facial recognition gains acceptance (and it will eventually as you should never underestimate the ingenuity of companies in incentivising you to give up your personal data, and greed or ignorance in human nature in taking the bait), and facial recognition is deployed in a public and commercial setting, it would have to pass the various requirements of data protection regimes. That would include:
  • if facial recognition is deployed (for example in a store), the individual will need to be informed of the deployment and use, and the purpose for which the images are collected and processed. Imagine having to read or listen to a list of things which the store will do with your images. On that note, I can't see facial recognition on billboards a la Minority Report working within current data protection regimes. How would you be informed of the purpose if you are just walking down a hallway?
  • for some countries, collection and processing would also require the consent of the individual and one would have to consider whether consent must be expressed or deemed. For example, does walking into the store, being informed of the use of facial recognition, and continuing to shop in that store after being informed constitute deemed consent? Or imagine having to opt-in when you walk into a store. Perhaps to incentivise you, the store will give you an additional discount off your purchase if your face is scanned.
  • The collection and processing must be lawful and not beyond the purpose for which the images and information were collected. Imagine if the store sold cosmetics and took an image of you, noticed the existing blemishes, wrinkles and dark spots on your face, and that store then aged that image for an additional 5, 10 or 20 years so that they can customise their direct marketing efforts at you with appropriate beauty products in 5, 10 and 20 years' time (on that point, ageing the image might run into the data protection obligation to maintain accurate personal data).
  • how long will the store be able to retain the images? Most data protection regimes limit the retention of personal data to a reasonable period or no longer than is necessary. Would the store need to delete the images once you left the store? How about the details about the date and time of your visit (currently, they would only know about our visits when we actually make a purchase in-store)?
Just a few issues, but again, nothing that profit and human nature won't push against.

Now, only if they can get the teleporter right.

Tuesday, 22 May 2012

The Blogger App License Agreement and the Links to Nowhere


Being new to blogging, I decided to check out Blogger's mobile app for the iPhone. I also decided to read the license agreement for the Blogger mobile app hoping that there would be some hidden prize in the terms and conditions or that there would be some bizarre terms like what Gamestation did by requiring users to "surrender your immortal soul" in return for downloading a game from their website. I did not find any bizarre terms or freebies, but noticed something else.

Here are two screenshots of the license agreement for the Blogger mobile app.

Can you spot the problem with the license agreement?


Answer: The links to the Google Terms of Service and the Google Mobile Privacy Policy will lead you to nowhere. Yes, nowhere.

On my iPhone, clicking on the links led me to a blank screen. Just to be sure, I tried to get to the URLs on my laptop, but they led me to an error page.

Why? Most of the links have a typographical error. If you have not spotted it by now, the hyperlinks are missing various letters. For some, they are missing "o" in the ".com" (in the case of Australia and Singapore). For others, they are just missing the whole ".com" (e.g. for Armenia). Canada, for example, is missing "om" in the ".com". Russia is missing both the ".com" and the "u" in ".ru". The errors are repeated throughout the license agreement document.

Now, what does that all mean? Have I been provided with the means and opportunity to read and review the terms of service, and have I been afforded the chance to consider the purpose of Google processing my personal data? Probably not. Am I bound by the terms of service given that the links don't work and I will have to do a bit of guessing in some cases to figure out what the correct link is? Probably not either. Are the Google terms of service enforceable against me in my use of the Blogger mobile app? I doubt so as they were never presented to me.

Does it really mean much in practice in this particular instance? Again, probably not much as Google can update the terms and conditions with the correct hyperlinks from time to time and deliver it as an update to the app, and will run the argument that continued use of the app would mean acceptance of those updated terms. And truth be told, most users don't read these terms and conditions anyway (in the two examples I linked to, Gamestation had estimated that 88% of people did not read the online terms; and more than 3000 people did not get the US$1,000 prize in the PC Pitstop clickthrough agreement because they did not read the agreement), and presumably would not be bothered much by their inability to access terms and conditions as they did not bother to read them in the first place! It also does not mean much to me personally as I did not install the Blogger mobile app in the end.

However, this is not to say that making mistakes in your clickwrap or browsewrap or appwrap agreement (or any agreement for that matter) is of trivial consequence. Drafting errors can lead to unforeseen liability (especially if the protections in the hyperlinked terms and conditions which you were hoping to rely on do not exist).

In any case, it is slightly amusing to spot the slip-up. I might just email Google to inform them about it.

Saturday, 19 May 2012

"... you’ve got to ask yourself one question: "Do I feel lucky?" Well do ya, punk?"

For those who remember Clint Eastwood in Dirty Harry, you would have easily recognised the title to this post. And for those who don't know or can't remember, and for pure entertainment value, here is the whole shebang:
"I know what you’re thinking: "Did he fire six shots, or only five?" Well, to tell you the truth, in all this excitement, I’ve kinda lost track myself. But being this is a .44 Magnum, the most powerful handgun in the world, and would blow your head clean off, you’ve got to ask yourself one question: "Do I feel lucky?" Well do ya, punk?"
Well, you may be wondering what this has to do with anything tech, privacy or legal (other than Dirty Harry enforcing his form of justice).

Just based on some anecdotal observations over the past week after talking to various people, I get the feeling that people's attitudes towards privacy and data protection laws (and compliance with them) range from blissful ignorance to ambivalence to over-confidence:
"I don't think it will be enforced that seriously"
"I hope that it won't happen to me"
"let's just put a privacy policy in place"
"we are a US / European company and I am sure we are compliant".

Perhaps it is due to the fact that I am in Singapore which to date does not have a data protection law of general application on its statute books and not much of a tradition in privacy protection (though it is currently in the midst of introducing a data protection law).

Anyway, all that led me to think about the various things which could happen if a breach of a local privacy law occurred. It will come as no surprise to some that certain countries in Asia have pretty harsh penalty frameworks for privacy breaches. We are not just talking about fines levied at the organisation, but in some cases personal liability for directors, officers and employees and in some countries that may include jail time (though on the topic of fines, the jaw-dropping potential for a financial penalty of 2% of annual worldwide turnover suggests that EU data protection regulators may soon be fitting out with larger calibre guns).

Hyperbole? Exaggeration?

Well, some of us will remember the 4 Google executives who were found guilty of violating Italy's privacy code (note: the matter is currently on appeal). If you don't already know of Peter Fleischer's run-in with the Italian police, take some time to read it. Now, imagine having your senior executives (or yourself, if you are the relevant executive in-country) arrested on the street in certain countries. If the Italians can do this, I am sure some of us will know of more than one Asian country which could easily go down this path as well, and you definitely will not be getting police officers wearing Armani, that's for sure.

So it is on that note that I thought that it would be useful to find out where in Asia you might find yourself locked up for primary data protection breaches, and compare that with a sample of regimes in Europe (just some quick caveats: I am not including breaches of secondary offences like a failure to provide information or correct information to the regulator, and I have left out the countries which do not have or are not proposing general data protection laws yet. Also, jail times reflected are the maximum periods that can be imposed. Finally, the list is not exhaustive and is not meant to be legal advice ... whew).

| European country | Imprisonment term | Asian country | Imprisonment term |
| --- | --- | --- | --- |
| Austria | Yes (1 year in the situation where a person uses the data to make a profit or to harm others) | Hong Kong | Yes (2 years) |
| Belgium | Yes (3 months to 2 years' imprisonment for repeat offences or breach of prohibition on processing personal data) | India | Yes (3 years) |
| Bulgaria | No | Japan | Yes (6 months for failure to follow a corrective order) |
| Czech Republic | No (though there is a criminal offence punishable by imprisonment created under the criminal code for unauthorised processing in connection with public administration) | Malaysia | Yes (various durations for various offences, but maximum up to 3 years) |
| Denmark | Yes (4 months) | Singapore | Yes (3 years but only for offences where no penalty is expressly provided for) |
| Finland | Yes (1 year) | South Korea | Yes |
| France | Yes (5 years) | Taiwan | Yes (5 years) |
| Germany | Yes (2 years, and like in Austria, in the situation where a person uses the data to make a profit or to harm others) | | |
| Ireland | No | | |
| Netherlands | Yes (up to 6 months in limited situations) | | |
| Spain | No | | |
| UK | No | | |

A few comments:
  • Attribute it to cultural differences but you get the sense from the table that there is a consistent possibility of imprisonment in Asian countries for breaches of the local privacy law.
  • To be fair, just looking at the penalty framework and the top-line penalty amount or maximum jail sentence would not be useful in itself. You would have to consider the practice and the culture in which the regulator operates, and any precedent which the regulator may have set in previous enforcement actions. And to date, I don't know of instances where directors, officers or employees of a company have gone to jail for privacy breaches in which they were not personally involved.
  • That all said, regulators are getting more serious with enforcement and penalties.
So, if you are in some way responsible for privacy or legal matters, or for your organisation's operations in that country, or primarily responsible for managing personal data in that country, perhaps you should ask yourself that question: Do I feel lucky?

Saturday, 12 May 2012

This is why I write ...

A good friend asked me today why I am writing all this. Good question and yes, it was a bit remiss of me not to give my reasons why I started this blog.

The truth is: I like learning about new stuff (and there is a ton of stuff out there which I don't know about, and probably never will), and writing helps me think about it and crystallise my thoughts in a way that just talking about it does not. So, when I read an article or piece of news that makes me go hmmmnn ...  at least now I have a place to have a go at it.

Why privacy? Why technology?

These are things which I studied and liked in school. When I was in law school, we had to pick the subjects we wanted to study in our third and fourth years. I picked subjects that were about IP law and IT law. I picked my subjects based on the topics that I liked even if that meant that the examinations were back-to-back on the same day (I think the examination for Medical Law and Ethics and International Conflicts of Law were on the same day ... I really liked that last subject and how it was taught ... but that is another topic for another day). The subjects that I liked in school didn't really give neat or clean-cut answers (like Medical Law and Ethics and English Literature at A levels) ... which if you think about it, is what privacy currently is ... an amorphous lump of general data protection principles, no neat answers, and privacy meaning different things to different people.

That all led me to becoming a TMT lawyer (for those not familiar with the acronym, telecoms, media and technology). So why not write about something that I am vaguely familiar with, that I read about every day, and that I am interested in? Hopefully, the stuff that I write about has some semblance of logic and reason, and that you may find mildly interesting or useful.

To my friend, thanks for spending the time to read and for the comments.

And to you reading my blog, thank you for your interest. Feel free to leave a comment, challenge my views or just say hello. :)

Thursday, 10 May 2012

Flashback: Mobile spam and criminals

Just a few days ago, I wrote about the mobile spam threat and the real threat of mobile spam being criminals who are using spam to get into mobile phones (predominantly smartphones) given the wealth of information being stored on those phones, the lack of security software on mobile phones and the lack of mobile security awareness among users.

So, I read with interest a post a few days later on Naked Security (a Sophos blog) which described a real example of a text message containing a link to a scam being sent to mobile phones. It is not clear whether the link would just lead you to a scam, or whether clicking on the link would expose the user's mobile phone to malware. If you look at the screenshot on the blog, the spam was simple at one level but clever at the social engineering level as the text in the message contained a link which looked like it came from Apple (the scam relies on users not reading the whole URL carefully).

It would be interesting to know whether this scam could be even more devious with WAP push which allows you to mask the URL. So, could you mask http://www.scamsite.com/ with the text http://www.apple.com/ (instead of http://www.apple.com.text.won.com/ in the Sophos example which will be a dead giveaway to a careful reader that it is a scam) in a WAP push? Will dig around and update if I find anything.

If anything, it just goes to show that you should be wary of clicking or responding to anything which you don't recognise.
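The check a careful reader performs on the Sophos URL can be written down, together with the displayed-text versus real-target comparison that the masking question above is about. This is an added example, not code from the original post or from Sophos; the suffix list, the brand list and the finding names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny constructed stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.sg", "co.jp"}

# Assumption: the brand domains a message filter would want to protect.
BRANDS = {"apple.com"}


def host_of(url):
    """Lower-cased hostname of a URL, or "" if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def display_host(text):
    """Hostname shown to the reader, or "" if the text is not URL-like."""
    text = text.strip()
    if not text or any(ch.isspace() for ch in text):
        return ""  # e.g. "Click here": nothing to compare against
    if "://" not in text:
        text = "//" + text  # let urlsplit treat "www.example.com" as a host
    host = host_of(text)
    return host if "." in host else ""


def registrable_domain(host):
    """The part of the hostname that was actually registered by someone."""
    labels = host.split(".")
    if len(labels) < 2:
        return host
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def check_link(display_text, target_url, brands=BRANDS):
    """Return the list of warnings for one link found in a message."""
    findings = []
    target = host_of(target_url)
    target_reg = registrable_domain(target)

    # Brand appears as whole labels, but the registered domain is another one.
    for brand in sorted(brands):
        if target_reg != brand and f".{brand}." in f".{target}.":
            findings.append("brand-in-subdomain")
            break

    # The text shown to the user names a different domain than the target.
    shown = display_host(display_text)
    if shown and registrable_domain(shown) != target_reg:
        findings.append("display-target-mismatch")
    return findings


# Constructed sample links, built from the URLs quoted in the post.
SAMPLES = [
    ("http://www.apple.com.text.won.com/", "http://www.apple.com.text.won.com/"),
    ("http://www.apple.com/", "http://www.scamsite.com/"),
    ("http://www.apple.com/", "http://www.apple.com/"),
]

if __name__ == "__main__":
    for shown, target in SAMPLES:
        print(shown, "->", target, check_link(shown, target))
```

The comparison is done on the registrable domain rather than on a substring, which is why `pineapple.com` is not mistaken for an Apple look-alike while `www.apple.com.text.won.com` is flagged.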

Tuesday, 8 May 2012

Getting elephants to dance: The burden of ensuring privacy in mobile apps

A few days ago, Macworld (and a few other sites) ran an article on a panel session during the 2012 State of the Mobile Net conference. You can listen to the audio recording which can be found on the conference website here. It makes for great listening.

The crux of the discussion seems to be focused on who should bear responsibility for enforcing privacy restrictions and controls and on limiting information that apps can collect. There was some discussion on who this might be: developers, mobile network operators, app marketplace operators or consumers.

A lot of the discussion revolved around placing the bulk of the responsibility on the app developer, the app marketplace and the consumer. At some points of the discussion, shared responsibility among the various players in the value chain was mooted.

I think the discussion could be framed by the types of apps which we are concerned about: (i) malicious apps (malware) whose main intent is to steal and use personal information and (ii) apps which inadvertently or without ill-intent obtain and use personal information unknown to the user. You would have some common solutions and approaches to both but some different solutions to either problem.

So, in the case of apps falling within category (i), the issue really would be one of mitigation and security (and multiple layers of it). The solution here would not be one of focusing on creating standards for app developers to follow, or placing responsibility on app developers as the premise of that solution is that the developer is without ill-intent (and I agree with Todd Moore's rejection of placing too much responsibility on the app developer on this narrow point). The malicious developer would find many ways and means to upload his malicious app on the app marketplace of his choice, and would definitely find attractive ways to entice users to download the app.

So, the first layer of prevention would be at the level of the app marketplace in its review of the app (this is important as most infections come from app markets - primarily Android marketplaces). But that can be easily circumvented by malicious developers creating different identities and uploading malicious apps using the new identity. And there is a real commercial incentive for the app marketplace operator to push the app out quickly onto the marketplace as there is revenue share involved (which may militate against any in-depth review).

The next layer of prevention (and most powerful but most elusive) would be education at the consumer level as downloading the app and granting permissions is ultimately the consumer's choice. In life, that would translate into various things our parents taught us: "Don't walk down dark alleys/that neighbourhood/that street at night", "If it is too good to be true, it probably is". However, I think everyone will agree that education is really an uphill task. First, who is going to conduct the education (the app developer? the social media site? the app marketplace operator?) and who will bear the cost? Second, there are consumer habits and, as Ashkan Soltani mentions in the conference, "behavioural economics". How many consumers, when wanting a game or RSS feed aggregator or social networking app, will download it regardless of the levels of access permissions being requested by the app?

The next layer of prevention is really by installing mobile security software to minimise the risks (though we know that only a small proportion of users actually have security software or use security software on their mobile phone). Also, I think there may be some doubt as to the effectiveness of the current slate of mobile security software given the limited access to APIs given to developers (which would include security software vendors).

The last aspect of an approach to this issue would be the deterrent effect of a criminal prosecution (i.e. effective enforcement of regulations). This of course assumes that you could find the individual in question and prosecute. As with most criminal activity, stopping malicious apps and their unfortunate consequences will be impossible, and most steps or solutions are merely steps in mitigation.

Where apps fall into the second category (that is apps which inadvertently or without ill-intent obtain and use personal information unknown to the user), the premise would be that these developers are well-intentioned but perhaps unenlightened (privacy-wise), clumsy or careless, and that the developers are incentivised to engage in a scalable and repeatable business model. As such, I would agree that having certain standards (enforced by the app marketplace operator) would be helpful. Why the app marketplace operator? For the simple reason that they hold the key to the monetary incentive that the developer depends on, and the developer falling within this category would be eager to ensure compliance with these standards to obtain that reward. As a thought, if app marketplace operators required app developers to implement Privacy by Design and made this one basis for approving the app, this would be very helpful (I don't think the costs of implementing this would dent the profits Apple and Google make - though it may be difficult for some third party stores).

In addition, and specifically for Android, users should be allowed to change permission settings after installation instead of the current situation where permission settings cannot be changed after installation. Education would of course be important here as well though with the same issues which are mentioned above. Enforcement of regulations would be effective here as legitimate developers would be wary of penalties.

I think one of the things which the panelists did not acknowledge enough was the responsibility at the O/S level. For example, the consolidated.db controversy with the iOS where location data (or approximate location data) of users could be gleaned from the consolidated.db file which was stored unencrypted on the desktop when the user's iPhone was synced. No app was involved. Just something that Apple didn't know or consider was an issue until it was pointed out to them.

Ultimately, an interesting discussion with a lot of issues to think about. Ideally, the solution to this would be a holistic approach which involves commercial and technical co-operation between the various stakeholders (whether developers, handset manufacturers, mobile network operators), standards, regulations and effective enforcement of the regulations, and education. That however would require a number of large organisations with sometimes conflicting interests to co-operate. And we all know how difficult it is to get elephants to dance together.

Friday, 4 May 2012

The mobile spam threat?

Bloomberg recently ran a piece on mobile spam texts reaching 4.5 billion. You can read it here. It cites the eye-catching number of 4.5 billion spam messages in 2011 in the US, an increase of 45% from the previous year. It sure caught my attention until I realised that the 4.5 billion messages form only 0.001% of the 2.3 trillion text messages which were sent in the US in 2011 (check out the CTIA's statistics here). So, is mobile spam really a problem?

As always, it depends on how you look at it and who you talk to. Let's take the second point first.

To the developers of anti-spam and mobile security software, it would be a definite yes. The mobile phone and tablet is the vast untapped market with promises of incredible growth. Unlike desktops and laptops, it is common for an individual to have multiple mobile devices and a tablet to boot. Even children have mobile phones and tablets. The Bloomberg article also made mention of the potential in that market. For consumer groups, it would also be a yes but this would be more on the basis of the failure to obtain consent, and the nuisance factor.

For the network operators and other service providers in the value chain, you might get some polite nods as SMS is still a large revenue generator for them with estimates of SMS revenue making up more than half of the worldwide mobile messaging market. At the same time, it does cost the network operators time and money to deal with subscriber complaints about spam. However, I don't think they will want to bite too hard on the hand that feeds them (at least not until they figure out how to replace that revenue). Same thing for marketers who use the mobile channel for targeted and contextual marketing. The mobile channel allows them to reach an audience in real-time with advertisements which are relevant to the audience.

Different perspectives will generate different opinions.

Personally, I feel that the size of the mobile spam problem will not reach the gargantuan size of email spam (spam email is about 90% of all email traffic globally). To some extent, it is a self-limiting problem. This is because the cost of sending email spam (estimated at about US$0.00007 per spam email) is much lower than sending an SMS (which is still in the range of cents or half of a cent). That would limit the volume of spam.

That being said, the nature of the mobile spam is, in my view, potentially more insidious than email spam. The real issue, I feel, is not the nuisance factor or the fact that people know your mobile number or that you don't want to buy anything from that person. The real issue lies in the security threat initiated by the spammer with a more criminal intent. The mobile spam message could contain a link which, if clicked, would lead the phone browser to a compromised or malicious website or download a malicious payload onto the mobile phone. What makes the threat much worse for users is that most users of mobile phones do not download or use any form of mobile security software (as compared with their desktops and laptops). At the same time, more users are using their mobile phones for banking, payments and for storing personal, sensitive or business information. The value of that information would be very attractive to the spammer with more criminal intentions.

While there are no easy solutions to the security threat caused by mobile spam, I think that it would not be addressed through anti-spam legislation which is really aimed at spammers with a real intention to market or offer goods or services. The spammer with criminal intent would not be deterred by such legislation. More useful would be education (as most users are very unaware of mobile phone security) and commercial arrangements where more network operators (acting as partners of the security software vendors) bundle mobile security software with the smartphones, and co-operation between the OS developers and the vendors to minimise vulnerabilities in the OS.

Thursday, 3 May 2012

The Reveal: Singapore introduces its proposed Personal Data Protection Bill

Singapore has taken another step towards the introduction of data protection legislation by publishing the responses the Singapore Ministry of Information, Communication and the Arts (MICA) had received during its second (and in all probability, final) round of public consultation. The details and the rationale for introducing the legislation can be found here and here. All things considered, the draft legislation does try to strike a reasonable balance between the interests of the individual and businesses. This is clear from the drafting and the various exceptions. However, as would be expected, a lot of the detail remains to be fleshed out in guidelines that will be issued by MICA (especially around what constitutes consent and what is "reasonable"). On that note, I suspect that MICA may take a leaf out of the UK ICO's book.

It is unlikely that MICA will make many substantive changes at this late stage (having committed considerable time and resources in considering the first round of submissions, drafting its considered response to the submissions, and drafting the proposed data protection legislation). As such, I found it a bit curious why some organisations chose to only make submissions at this second round of public consultations and not at the first round where their submissions would have mattered more. For instance, in the first round of public consultation, MICA had not intended to make a distinction between data processors and data controllers - which would have meant that all the obligations and restrictions in the proposed data protection law would have applied to data processors (which would have been out-of-step with other international precedents). In response, a few major IT companies that provide outsourced IT solutions made it crystal clear in their submissions during the first round of consultations why this would not be a good idea. MICA subsequently agreed to the inclusion of a distinction between data controllers and data processors when it issued the draft data protection legislation.

At this stage, MICA would have already committed to the principles, concepts and scope of the proposed law, and it would take serious lobbying or manifest error for the policy team and drafters to change their minds in a major way. Perhaps some minor tweaks here and there but certainly not drastic changes like stepping away from the penalty framework which some organisations continue to object to.