Ubicomp challenges for privacy law. Dr Ian Brown, Oxford Internet Institute

Posted 22 April 2015

Presentation at Ubicomp at a Crossroads: Art, Science, Politics and Design

Page 1: Ubicomp challenges for privacy law

Ubicomp challenges for privacy law

Dr Ian Brown, Oxford Internet Institute

Page 2

Overview

Human rights to privacy: ECHR, EU Charter

Data protection law: OECD, Council of Europe and EU instruments

Privacy by design

The challenges of/for ubicomp

Page 3

Privacy

“the right to be let alone – the most comprehensive of rights, and the right most valued by civilized men.” – Supreme Court Justice Louis Brandeis, Olmstead v US 277 US 478 (1928)

“A free and democratic society requires respect for the autonomy of individuals, and limits on the power of both state and private organisations to intrude on that autonomy... Privacy is a key value which underpins human dignity and other key values such as freedom of association and freedom of speech” –Australian Privacy Charter (1994)

Page 4

European Convention on Human Rights

Reaffirming their profound belief in those fundamental freedoms which are the foundation of justice and peace in the world:

§8 Everyone has the right to respect for his private and family life, his home and his correspondence

§9 Everyone has the right to freedom of thought, conscience and religion

§10 Everyone has the right to freedom of expression

§11 Everyone has the right to freedom of peaceful assembly and to freedom of association with others

§14 rights and freedoms set forth in this Convention shall be secured without discrimination

Page 5

Government data sinks

If data can be collected about individuals, there will be government pressure to store and access that information

E.g. PATRIOT Act National Security Letters, NSA activities within the US, EU data retention directive, National DNA Database (although see S & Marper v UK)

Encryption has little impact if governments can compel decryption

Page 6

Data protection instruments

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)

Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981)

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector

EU Charter of Fundamental Rights (2007)

Page 7

Data Protection Act 1998

1. Personal data shall be processed fairly and lawfully

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed

4. Personal data shall be accurate and, where necessary, kept up to date

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes

6. Personal data shall be processed in accordance with the rights of data subjects under this Act

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Page 8

Insider fraud

Information required          Price paid to ‘blagger’   Price charged
Occupant search               not known                 £17.50
Telephone reverse trace       £40                       £75
Friends and Family            £60 – £80                 not known
Vehicle check at DVLA         £70                       £150 – £200
Criminal records check        not known                 £500
Locating a named person       not known                 £60
Ex-directory search           £40                       £65 – £75
Mobile phone account          not known                 £750
Licence check                 not known                 £250

“What price privacy?”, Information Commissioner’s Office (2006)

Page 9

Definitions of personal data

“any information relating to an identified or identifiable natural person” (DPD §2a)

Relation determined by content, purpose or result (WP 136)

“account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.” (DPD recital 26)

“unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side”

“Putting in place the appropriate state-of-the-art technical and organizational measures to protect the data against identification may make the difference to consider that the persons are not identifiable”

Page 10

Designing for privacy

Data minimisation is key: is your data really necessary?

Limit personal data collection, storage, access and usage

States have a positive duty to design systems to protect privacy (I v Finland 2008)

“processing of location data on employees must correspond to a specific need on the part of the company which is connected to its activity” (WP 115)

Users must also be notified and consent to the processing of data – user interfaces?

Ade Rowbotham (2005)

Page 11

Sensor data

Is communication uni- or bi-directional or broadcast?

Does sensor, user agent or network carry out triangulation and processing?

What resolution data can network access?

How long-lived and linkable are identifiers?
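The last two questions on this slide (who performs the processing, and how long-lived and linkable identifiers are) can be made concrete with a small simulation. This is an added example, not part of the slides; the observation data is constructed, and the identifier schemes, function names and the 60-minute rotation period are my assumptions. It compares how many of one device's sightings a network operator can link into a single track when the device emits a persistent identifier, versus a keyed pseudonym that the device (the user agent) rotates every epoch using a secret the network never sees.

```python
"""Linkability of sensor identifiers: persistent vs. epoch-rotated pseudonyms.

Added example (not from the presentation). Demonstrates the privacy-by-design
questions "who carries out the processing?" and "how long-lived and linkable
are identifiers?" on a constructed set of sensor sightings.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: (timestamp in minutes, sensor that saw the device, true device id).
# The true device id is what the *device* knows; what the *network* records depends on
# the identifier scheme chosen below.
OBSERVATIONS = [
    (0, "gate-A", "dev-1"),
    (30, "gate-B", "dev-1"),
    (70, "cafe", "dev-1"),
    (130, "gate-A", "dev-1"),
    (5, "gate-A", "dev-2"),
    (65, "gate-B", "dev-2"),
]


def persistent_identifier(device_id: str, ts: int) -> str:
    """Scheme 1: the device broadcasts its fixed hardware id (e.g. a static MAC)."""
    return device_id


def make_rotating_pseudonym(device_secret: bytes, epoch_minutes: int):
    """Scheme 2: the device derives a fresh pseudonym per epoch with a key only it holds.

    HMAC over (device id, epoch number) keeps pseudonyms unlinkable across epochs
    for anyone without the secret; the network only ever sees the output.
    """

    def pseudonym(device_id: str, ts: int) -> str:
        epoch = ts // epoch_minutes
        msg = f"{device_id}|{epoch}".encode()
        return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()[:16]

    return pseudonym


def tracks(observations, identifier_fn):
    """Group sightings by the identifier the network actually records."""
    by_id = defaultdict(list)
    for ts, sensor, device_id in observations:
        by_id[identifier_fn(device_id, ts)].append((ts, sensor))
    return {ident: sorted(sightings) for ident, sightings in by_id.items()}


def longest_track(observations, identifier_fn) -> int:
    """Most sightings the network can chain to one identifier: the linkability measure."""
    return max(len(v) for v in tracks(observations, identifier_fn).values())


def distinct_identifiers(observations, identifier_fn) -> int:
    """How many separate 'people' the network thinks it saw."""
    return len(tracks(observations, identifier_fn))


if __name__ == "__main__":
    # Constructed per-device secret; in a real design it would live on the device only.
    hourly = make_rotating_pseudonym(b"constructed-device-secret", epoch_minutes=60)
    print("persistent:", longest_track(OBSERVATIONS, persistent_identifier), "sightings linkable")
    print("hourly rotation:", longest_track(OBSERVATIONS, hourly), "sightings linkable")
```

With the persistent scheme the operator chains all four of dev-1's sightings into one movement track; with hourly rotation no identifier links more than two sightings, and shortening the epoch shrinks the track further. The trade-off the slide hints at is that the party holding the secret (here the device) can still re-link everything, so the choice of where triangulation and processing happen decides who can perform that linkage.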

Page 12

Transport pricing

Monitor all traffic centrally (London), at kerbside (W London) or deduct payment from pay-as-you-go toll cards (Singapore)? Or tax parking spaces?

Link all payment card usage (Oyster) or use unlinkable RFID tokens (Shenzhen)?

MIT Technology Review (2006)

Page 13

Key questions

Can ubiquitous computing designers work with the European definition of personal data?

Can inhabitants of ubiquitous computing spaces exercise informed consent over the collection and processing of personal data?

How can regulators encourage system designers to include privacy by design?

“In order to make the use of the concept of ‘privacy by design’ compulsory, the EDPS recommends that the Commission uses the mechanism of Article 3(3)(c) of Directive 1999/5/EC” (Opinion on ‘RFID in Europe’ 2007)

§3(3) 1999/5/EC: “the Commission may decide that apparatus … shall be so constructed that: … (c) it incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected”

Page 14

References

S. Marsh, I. Brown and F. Khaki (2008) Privacy Engineering – Cybersecurity KTN white paper

Information Commissioner’s Office (2008) Privacy By Design

Opinion of the European Data Protection Supervisor on the communication…on ‘Radio Frequency Identification (RFID) in Europe: steps towards a policy framework’ (2007)

Article 29 Data Protection Working Party, WP 136: Opinion 4/2007 on the concept of personal data (2007)

Article 29 Data Protection Working Party, WP 115: Opinion on the use of location data with a view to providing value-added services (2005)

Article 29 Data Protection Working Party, WP 105: Working document on data protection issues related to RFID technology (2005)