Archive for May, 2011

Hot issues in Privacy & Security

Posted by fgilbert on May 23rd, 2011

Top ten list of issues presented by Francoise Gilbert as part of her Conference Chair address, at the PLI Privacy & Security Conference in San Francisco, May 23-24, 2011.

# 10 –
In the US, numerous privacy and security bills in the pipeline
Greater compliance burden expected

# 9 –
Abroad, new data protection laws enacted

# 8 –
Security breach continues to be top concern in the US and
More security breach notice laws are developing abroad
Cost of breach expected to increase everywhere

# 7 –
EU data protection 2.0
Back to the drawing board with new rules

# 6 –
Tracking and profiling entering the red zone

# 5 –
Tempest in the EU cookie jar

# 4 –
Everything mobile
Geolocation major source of privacy issues

# 3 –
Cloud computing saves money
But brings new legal headaches

# 2 –
Privacy by design, Right to be forgotten, Smart grid
New legal constraints or technical opportunities?

# 1 –
Privacy and security fiascos becoming very expensive
Million-dollar damages in privacy or security suits and enforcement actions

A copy of the presentation is available here.

New UK Cookie Rule Tough to Swallow

Posted by fgilbert on May 10th, 2011

The United Kingdom’s Information Commissioner’s Office (ICO) has published an “advice” that explains the new rule for the use of cookie technologies for websites and mobile applications that are subject to the UK laws. As of May 26, 2011, companies will no longer be permitted to rely on consent implied from browser settings. They must obtain the user’s prior affirmative consent to the use of most cookies.

The ICO’s Advice invites companies to promptly conduct an audit of their practices, assess the different types of cookies to determine how intrusive they may be, and identify workable solutions to obtain users’ consent. The ICO makes it clear that it expects companies to come up with a plan of action that shows that they have considered their obligations and that they have a realistic plan to respond to the new requirements and achieve compliance.

According to the ICO’s press release, this Advice was published in order to prompt organizations to start thinking about the practical steps that they need to take to respond to this new requirement. The ICO intends to provide additional guidance as innovative ways to acquire users’ consent are developed.

The New Rule, in Brief

The new Cookie Rule requires that UK websites and mobile applications obtain their visitors’ affirmative consent to the use of cookies. This rule results from the implementation into UK law of the 2009 Amendment to the EU’s 2002 Privacy and Electronic Communications Directive. It will amend Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR).

Businesses and other entities will be permitted to use cookie technologies only if the user of the site or application (a) has received clear and comprehensive information about the purpose for the cookie in question; and (b) has given his or her consent to the use of the cookie. Once a user has consented to the use of a particular cookie, there is no need to ask permission each time the website needs to access that cookie. Cookies that are “strictly necessary” for the service requested by the user are not subject to the prior consent requirement.

The new rule requires that websites obtain informed, affirmative consent to the use of almost any cookie they wish to install on a user’s machine or mobile device. The restriction applies both to the installation of the cookie and to subsequent access to the information stored in the cookie. Except for a small category of cookies that are “strictly necessary” for the proper operation of a site, or for providing a service requested by the user, such as a shopping-cart feature, all other cookies, including those used for analytics purposes, require prior specific consent. Of course, flash cookies are also subject to the notice and consent requirement.

Until browser technology has made progress, it will no longer be possible to rely on browser settings as a method of showing a user’s consent. Even though the rule allows consent to be signified by the user amending or setting controls on the browser, the ICO’s Advice clearly states that, given the current state of technology, using browser settings is NOT a satisfactory method for expressing consent. The ICO’s Advice discusses several methods that might be used to implement the notice and consent requirement.

The ICO envisions a sliding-scale approach, where the cookies that have the potential to be the most intrusive require the most specific and detailed notice. The ICO also suggests a tailored approach as opposed to the “one-size-fits-all” approach currently common in website privacy policies. The different models for expressing consent proposed by the ICO tend to be specific to a particular type of cookie and the particular circumstances of its use.

The Basic Requirement

The previous rule on using cookies by UK entities – which was set out in Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) – required that users be informed about the existence of cookies, and be given the opportunity to refuse the storage of, or access to, the cookie information stored on their computers. Most companies provided the relevant information in their website privacy statement, and informed their users that, by changing their browser settings, they could arrange to block cookies.

Under the new rule, companies must still provide clear and comprehensive information about the use of cookies. However, the cookies may only be placed on a machine or device after the user has given his affirmative consent.

The Exceptions

  • Repeated uses: The consent need not be given each time. Under the new rule, if the same information is stored or accessed by the same entity, regarding the same user, on more than one occasion, the consent needs to be obtained only once.
  • Transmission of communications: Notice and consent are not required for a limited number of cookie categories. Cookies that are required for the sole purpose of carrying out the transmission of communications over an electronic network are exempt from the notice and consent requirement.
  • Cookies that are “strictly necessary”: Cookies that are “strictly necessary” for the provision of a service requested by the user are also exempt from the notice and consent requirement. According to the ICO’s Advice, “strictly necessary” means that the use of the cookie must relate to the service explicitly requested by the user. The exception is narrow. It would apply, for example, to a cookie used in ecommerce applications when a user has selected goods to purchase and clicks the ‘add to basket’ or ‘proceed to checkout’ button, to ensure that the site remembers what was chosen and posts the information on the check-out page. On the other hand, as explained by the ICO, the exception would not apply, for example, to cookies used to track users in order to make the website more attractive because it remembers the users’ preferences, or to cookies used to collect statistical information about the use of the website.

Browser Settings Not An Approved Method

The rule allows consent to be signified by the user amending or setting controls on his or her browser, or by using another application or program to signify consent. However, the ICO does not agree that using browser settings is currently a satisfactory method to express consent.

The ICO recommends that organizations refrain from using browsers as a means of obtaining consent because currently most browser settings are not sophisticated enough to allow a website to assume that the user has consented to the use of cookies. In addition, mobile applications and other technologies do not rely on browsers.

How to Implement the New Rule

The ICO anticipates a phased approach to the implementation of these changes, and recommends that companies use the following steps:

  • Identify what types of cookies are used and why: Companies should conduct an audit of their website to determine what cookies or data files are used and for which purposes. This allows a company to identify which cookies are strictly necessary and may not need consent.
  • Assess how intrusive these cookies are: The most intrusive cookies should be addressed first. For example, cookies that involve creating detailed profiles of an individual’s browsing activity are intrusive – the more privacy intrusive an activity, the more priority should be given to getting meaningful consent.
  • Identify the best solution for obtaining consent: For each category of cookies or uses, the best method for gaining consent should be identified. The most privacy intrusive activities will require that the most information be provided to the user.
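The exceptions and the three audit steps above can be expressed as a small gatekeeper. The code below is an added illustration, not code from the post or from the ICO; the cookie categories, the inventory and the site and user names are assumptions made for the example.

```python
# Added example (not from the post or the ICO): a gatekeeper that encodes the
# notice-and-consent rules described above so a site can decide, per cookie, whether
# it may be set. Category names, sample cookies and identifiers are assumptions.
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    """Cookie categories as the post describes them, most intrusive first."""
    THIRD_PARTY = 0          # set by an ad network or video host: consent, and say who collects
    ANALYTICS = 1            # site usage statistics: consent required even though first party
    FUNCTIONAL = 2           # language, text size, personalised greeting: consent required
    TRANSMISSION = 3         # needed solely to carry the communication: exempt
    STRICTLY_NECESSARY = 4   # shopping basket / checkout state: exempt


EXEMPT = {Category.TRANSMISSION, Category.STRICTLY_NECESSARY}


def requires_consent(category: Category) -> bool:
    """Everything outside the two narrow exemptions needs prior affirmative consent."""
    return category not in EXEMPT


@dataclass
class ConsentStore:
    """Consent is recorded once per (entity, user, cookie); repeated uses do not re-prompt."""
    granted: set = field(default_factory=set)

    def grant(self, entity: str, user: str, cookie: str) -> None:
        self.granted.add((entity, user, cookie))

    def has(self, entity: str, user: str, cookie: str) -> bool:
        return (entity, user, cookie) in self.granted


def may_set_cookie(inventory: dict, store: ConsentStore,
                   entity: str, user: str, cookie: str) -> bool:
    """True if the cookie may be placed now. An unknown cookie is an audit gap: refuse."""
    if cookie not in inventory:
        return False
    category, _purpose = inventory[cookie]
    if not requires_consent(category):
        return True
    return store.has(entity, user, cookie)


def audit(inventory: dict) -> list:
    """Audit steps 1 and 2: list every cookie with its purpose, flag which ones need
    consent, and order the list so the most intrusive come first."""
    rows = [(name, cat.name, purpose, requires_consent(cat))
            for name, (cat, purpose) in inventory.items()]
    return sorted(rows, key=lambda r: Category[r[1]].value)


# Constructed inventory for a hypothetical UK shop; not real cookie names.
INVENTORY = {
    "basket":   (Category.STRICTLY_NECESSARY, "remember items chosen before checkout"),
    "lang":     (Category.FUNCTIONAL, "remember the display language the user picked"),
    "visits":   (Category.ANALYTICS, "count page views and time on page"),
    "adnet_id": (Category.THIRD_PARTY, "set by the advertising network serving banners"),
}

if __name__ == "__main__":
    store = ConsentStore()
    for row in audit(INVENTORY):
        print(row)
    # Settings-led consent: the user picks a language and is told this sets a cookie.
    store.grant("shop.example", "user-42", "lang")
    print(may_set_cookie(INVENTORY, store, "shop.example", "user-42", "lang"))    # True
    print(may_set_cookie(INVENTORY, store, "shop.example", "user-42", "visits"))  # False
```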

Suggested Methods for Obtaining Consent

The ICO’s Advice provides a detailed analysis of the different methods available to obtain the user’s consent. It recommends a more specific, targeted approach. Cookies used for analytics purposes and cookies shared with third parties are likely to cause the most significant problems.

1 – Pop ups and similar techniques

Pop-ups may be used to ask for consent. However, this practice may be annoying if numerous cookies are used. Thus, the ICO cautions that the use of pop-ups or ‘splash pages’ may become frustrating if too frequent.

2 – Terms and conditions

Consent could be obtained when a user first registers or signs up. In this case, the ICO recommends making users aware of the changes, and specifically that the changes refer to the use of cookies, and then asking them to tick a box to indicate that they consent to the new terms. Specific information should be provided.

3 – Settings-led consent

Some cookies are deployed when a user chooses how the site works for them each time they visit the site; for example, a particular language, the size of the text displayed on the screen, the color scheme, or a “personalized greeting”.

In these cases, consent could be gained as part of the process by which the user confirms what she wants to do or how she wants the site to work. At that time, the user should be told that by allowing the website to remember her choice, she is also consenting to set the cookie.

4 – Feature-led consent

In the same manner as above, where the user conducts a specific activity, there are circumstances where tracking technologies are stored when a user chooses to use a particular feature of the site, such as watching a video clip, or when the site remembers what the user did on previous visits in order to personalize the content that the user is served.

In these cases, the user is often invited to open a link, click a button or agree to the functionality being ‘switched on’. The ICO suggests asking for the user’s consent to set a cookie at this point.

As in the prior example, it should be made clear to the user that by choosing to take a particular action, certain things will happen that will be interpreted as the user’s consent. If the anticipated use of tracking technology is complex or intrusive, it will be important to provide more specific information. In particular, as discussed below, users should be told whether some features are provided by a third party.

5 – Analytics and other functional uses

Many websites collect information about access to and use of the site, and time spent on a page. While the ICO acknowledges that cookies used for analytics purposes might not appear to be as intrusive as others that might track a user across multiple sites, their use nevertheless requires consent.

In this case, the ICO’s Advice suggests that companies should make information about the use of analytics cookies more prominent, particularly in the period immediately following implementation of the new Regulations. In addition, the ICO suggests that websites should give more details about the use of these cookies, such as a list of cookies used with a description of how they work, so that users can make an informed choice about what they will allow.

If the information collected about website use is passed to a third party this information sharing must be made absolutely clear to the user. Any options available should be prominently displayed and not hidden away.

6 – Third party cookies

Finally, the ICO’s Advice addresses the use of third party cookies. When a website displays content from a third party, such as an advertising network or a streaming video service, this third party may send its own cookies to the user. While the process of obtaining consent for these cookies may be more complex, the ICO opines that the user must nevertheless be made aware of what is being collected and by whom. This is a challenging area for which the ICO expects that more research will be needed to find workable solutions.

How about the Remainder of the European Union?

The remainder of the European Union is also required to implement the new rules on the use of cookies that were outlined in the 2009 Amendment to the 2002 ePrivacy Directive. There is currently a lot of confusion throughout the European Union on how to interpret and implement this 2009 Amendment. The Advice published by the United Kingdom’s Information Commissioner’s Office clarifies the very confusing and controversial amendment.

It is highly likely that the ICO’s Advice will serve as guidance or a model to other data protection authorities who have been facing the same issues and need to implement the 2009 Amendment into their national laws. Thus companies that may not be subject to the UK laws, but otherwise do business in the European Union should read and understand the ICO’s Advice, as a way to prepare for their obligations to comply with the national laws of the countries where they operate.

Conclusion

The amendment to the UK rules comes into force on 26 May 2011. As a result of the implementation of this amendment into the UK laws, companies that operate websites in the UK must obtain informed consent from visitors to their websites and mobile applications in order to store and retrieve information on users’ computers through cookies or similar tracking technologies. Companies must provide clear and comprehensive information about the purpose for each cookie; and obtain the prior explicit consent to the use of the cookie. Until browser technology has made progress, browser settings can no longer be used as a method for expressing consent. While the ICO envisions a “sliding scale” approach, where the cookies that have the potential to be the most intrusive require the most specific and detailed notice, it also expects companies to delve promptly into implementation of the rule.

At a minimum, companies should promptly update their website privacy statements to clearly and conspicuously explain how cookies are used. In a second phase, companies should conduct an audit of their practices, assess the different types of cookies to determine how intrusive they may be, and identify workable solutions to obtain the requested consent.

The ICO has indicated clearly that it intends to enforce the new rule. While it concedes that full implementation will take time, the ICO wants companies to make every effort to start working on their use of cookies, and to be prepared to provide tangible proof of their efforts to comply with the new rules.

Failure to Protect against SQL Injection Attack deemed an “Unfair Practice”

Posted by fgilbert on May 4th, 2011

A proposed Federal Trade Commission consent order applicable to Ceridian Corporation establishes that failure to protect against potential SQL injection attacks is an “unfair practice” actionable under Section 5 of the FTC Act. Despite representations that it maintained “worry-free safety and reliability” and that it had a security program designed in accordance with the ISO 27000 standard, the company’s security system had several flaws. Among other things, Ceridian failed to use readily available defenses to SQL attacks. When a successful SQL attack caused the exposure of sensitive personal information of nearly 28,000 individuals, the FTC initiated an enforcement action. This action led to the development of the proposed FTC consent order, which was published on May 3, 2011.

Ceridian operates the Powerpay website, and provides payroll processing, payroll-related tax filing, benefits administration, and other human resource services. Customers enter their employees’ personal information, Social Security numbers, dates of birth, home addresses, bank account and other information on the website. This information is transmitted to Ceridian’s computer network, where payroll amounts are computed, payroll checks are processed, and direct deposits initiated.

Ceridian stored personal information in clear, readable text for an indefinite period of time, and failed to employ reasonable measures to detect and prevent unauthorized access to personal information. Hackers executed an SQL injection attack on the Ceridian system. These deficiencies allowed the SQL injection attack to succeed, and the personal information of individuals to be exposed.

The proposed FTC consent order is consistent with prior consent orders issued in similar circumstances. What makes the Ceridian case interesting is the list of acts and deficiencies that the FTC identifies as having created vulnerabilities and that should have been avoided. The FTC complaint against Ceridian notes in particular the following security deficiencies:

  • Storing information in clear, readable text;
  • Storing information indefinitely, and for longer than needed;
  • Failure to assess the vulnerability of the system to known or reasonably foreseeable attacks such as SQL injection attacks;
  • Failure to use readily available, free, or low-cost defenses to SQL attacks; and
  • Failure to employ reasonable measures to detect and prevent unauthorized access to personal information.

This list provides examples of the minimum measures that the FTC expects from a security system intended to protect personal information such as financial information or social security numbers. Of note, in particular, is the need to have in place systems and defenses that resist SQL injection attacks and other known or reasonably foreseeable attacks.
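To make concrete what “readily available, free, or low-cost defenses” means in code, here is an added example, not Ceridian’s code and not from the FTC complaint: the same lookup written the way the complaint describes (query text assembled from untrusted input) beside the parameterised form. The table, the records and the SSN values are constructed for the illustration.

```python
# Added example (not Ceridian's code): a lookup assembled from untrusted input, which is
# the defect the FTC complaint describes, beside the readily available fix, a
# parameterised query. Table, rows and SSN values are constructed for illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a payroll database, populated with fake records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO employees (name, ssn) VALUES (?, ?)",
                     [("Ada Lovelace", "000-00-0001"),      # constructed, not real SSNs
                      ("Conor O'Brien", "000-00-0002")])
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the caller's input becomes part of the SQL text, so any quote or
    keyword it contains is parsed as SQL rather than treated as a name."""
    sql = "SELECT name, ssn FROM employees WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """HARDENED: the value travels separately from the query; the driver never lets it
    alter the statement's structure, whatever characters it contains."""
    return conn.execute("SELECT name, ssn FROM employees WHERE name = ?",
                        (name,)).fetchall()


def demo() -> tuple:
    """Run both variants on an ordinary name that happens to contain an apostrophe."""
    conn = make_db()
    param_rows = lookup_param(conn, "Conor O'Brien")
    try:
        lookup_concat(conn, "Conor O'Brien")
        concat_parsed_input_as_sql = False
    except sqlite3.OperationalError:
        # The apostrophe terminated the string literal: proof that user input reaches
        # the SQL parser, which is exactly the weakness an injection attack relies on.
        concat_parsed_input_as_sql = True
    return param_rows, concat_parsed_input_as_sql


if __name__ == "__main__":
    rows, broken = demo()
    print("parameterised lookup:", rows)
    print("concatenated lookup parsed input as SQL:", broken)
```

The parameterised version is the low-cost defense the complaint refers to; the concatenated version is the kind of code that an assessment for “known or reasonably foreseeable attacks” is meant to find.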

The proposed consent decree establishes a 20-year supervision period, during which Ceridian will be required to obtain and provide, or make available to the FTC, on a biennial basis, an assessment and report from a qualified third-party professional, certifying that it has in place a security program that meets or exceeds specified requirements, and that provides reasonable assurance that the security, confidentiality, and integrity of personal information in the company’s custody is protected. The security program must contain administrative, technical, and physical safeguards appropriate to Ceridian’s size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers and employees. Specifically, the proposed order requires Ceridian to:

  • Designate one or several employees to coordinate and be accountable for the information security program;
  • Identify material risks to the security, confidentiality, and integrity of personal information and assess the sufficiency of any safeguards in place to control these risks;
  • Design and implement reasonable safeguards to control these risks;
  • Regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
  • Develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information of Ceridian’s clients;
  • Require service providers by contract to implement and maintain appropriate safeguards; and
  • Evaluate and adjust its information security programs in light of the results of testing and monitoring, and of any material changes to operations or business arrangements.

For over 10 years the Federal Trade Commission has had an active, leading role in defining the basic requirements for the collection, use, storage, disclosure and protection of personal information. During this period, the consent decrees issued by the Federal Trade Commission have identified the security practices that the FTC deems unacceptable. These consent decrees provide a clear view of the regulators’ expectations. With Ceridian, it is now established that protecting against SQL injection attacks is an essential, basic requirement for a reasonable information security program.

Posted in FTC