
A Popular Mechanics article on digital privacy covers a broad swathe of issues in their inimitable Boys’ Own style.
Kevin’s Security Scrapbook blog often points out nifty little spy gadgets you can buy on the high street - cameras in pens, cellphone bugs, that sort of stuff. A September blog posting pointed out the privacy and commercial confidentiality issues with wireless microphones often used in conference facilities, including teleconferences, meeting rooms and board rooms, which transmit low power FM signals that can often be picked up by a scanner within a few hundred metres: since most are unencrypted, eavesdroppers can listen in to the whole thing.
The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, originally
published way back in 1980, continues to guide the development of privacy laws and regulations, and generally frames the associated public policies and discussions, today. For example, the Council of Europe: Convention For the Protection of Individuals with Regard to Automatic Processing of Personal Data
influences EU privacy laws. The American Institute of Certified Public Accountants (AICPA)’s Generally Accepted Privacy Principles (GAPP) bear a remarkable similarity, as does advice from the Canadian Marketing Association.
European Privacy and Human Rights 2010 is an EU-funded study comparing privacy laws and practices across a supposedly harmonized Europe: there are clearly differences in the ways that the OECD guidelines and the EU’s recommendations on privacy and data protection are currently being interpreted. A citizens’ guide to data protection in the European Union gives an overview of the legislation. Further afield, the Australian Privacy Foundation lists privacy laws in about 30 countries and the Global Internet Liberty Campaign (GILC) periodically surveys privacy laws worldwide.
Understanding Privacy by law professor Daniel Solove deconstructs privacy concepts to develop a taxonomy that helps us analyze privacy issues. For a taster of the book and taxonomy, read “I’ve got nothing to hide” and other misunderstandings of privacy.
Does your organization know what to do if it discovers a privacy breach? Are you
fully primed and ready to react professionally?
Legal opinions may well vary and there are probably certain exceptions (IANAL) but photographing pretty much anything, including private property, from a public place may be legal: over-enthusiastic security guards and officials who harass or assault
photographers photographing them and their buildings from the public sidewalk are skating on thin ice, not least as the photographers may well capture evidence of the
attack. Do your corporate security guards appreciate the limits of their powers?
The US DOD has released an online training module about protecting PII (Personally Identifiable Information).
The presentation format and style (simple graphics with a formal script spoken aloud) is rather stilted, dry and basic, but is presumably more effective at getting the awareness messages across to the intended
audiences than alternative approaches. See what you make of it.
The Direct Marketing Association offers a simple point-and-click method of generating a website privacy
policy to suit your requirements. Here’s another. The resulting policy may not be sufficiently comprehensive
or accurate (your legal people should review it, for example) but is an extremely easy way of creating something to start with.
The Business Privacy Law Handbook (Charles Kennedy, 2008, ~US$119 from Amazon) is a survey of business privacy law in the US and the changes that field is undergoing, for business managers and those advising them. Despite occasional shortcomings in some areas, the book provides a detailed, up-to-date and quite comprehensive overview of American privacy law.
Protect Your Privacy - How to Protect Your Identity as well as Your Financial, Personal, and Computer Records in an
Age of Constant Surveillance (Outwitting) (Duncan Long, 2007, ~US$11 from Amazon) claims to offer “Everything you need to know about how to protect your computer
security, financial privacy, telephone privacy, identification, freedom of movement, and more!”.
Bruce Schneier wrote “Increasingly, you leave a trail of digital footprints throughout your day. Once you
walked into a bookstore and bought a book with cash. Now you visit Amazon, and all of your browsing and purchases are recorded. You used to buy a train ticket with coins; now your electronic fare card is tied to
your bank account. Your store affinity cards give you discounts; merchants use the data on them to reveal detailed purchasing patterns.” An excellent piece summarizing the privacy issues we face today.
The Privacy Forum discusses personal privacy and related issues, while PogoWasRight is a curiously-named
blog with a high privacy content.
A son traced his father through clever detective work using services and information available on the Internet - fair enough you might think ... except that his father donated sperm anonymously.
Users of Google Street View see ground-level views of selected city streets - and anything going on at the time the photographer passed. The NY Times mentioned images of bikini-clad women, a man scaling a gate,
a man entering a porn shop and readable vehicle number plates. For years, Google’s vehicles have been collecting WiFi Access Point SSIDs as well as photos. There are other privacy concerns associated with Google’s services e.g. Google’s desktop search utility was previously slammed for disclosing details of the
contents of users’ C: drives on the Web. See what Google’s privacy policy means in this video.
Case notes on children at risk in Essex, England, found their way on to eBay despite the secure data
destruction processes that were supposed to prevent this kind of thing.
The UK Information Commissioner offers advice on the privacy implications of CCTV. Carnegie Mellon University Data Privacy Lab’s Surveillance of Surveillance (SOS) project investigated the use of technology
such as CCTV to track members of the public. Webcams that allow parents to monitor their children’s kindergartens etc. (“kindycams”) have been challenged on privacy grounds.
Be careful what you mutter to yourself when you’re put ‘on-hold’, especially if the telephone is being recorded. The other party’s microphone may be muted but yours isn’t.
US-CERT Cyber Security Tip on privacy.
Detailed ‘strategic overview’ (if that’s not a contradiction) on privacy.
The need to protect confidentiality of personal medical information whilst allowing medical professionals legitimate access to the data is gradually being enshrined in law. The US Health Insurance Portability and Accountability Act (1996) (HIPAA) and UK Data Protection Act (1998), for example, impose mandatory requirements on organizations gathering, processing and using medical data to protect the privacy of individuals whose data they hold.
Related NoticeBored links collections
Governance, compliance, database security, identity theft, intellectual property, hacking, accountability, social engineering, Internet security and confidentiality.