Strasbourg, 5 November 2010 T-PD-BUR (2010) 09 (I) END
BUREAU OF THE CONSULTATIVE COMMITTEE OF THE CONVENTION FOR THE PROTECTION
OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING
OF PERSONAL DATA
22nd Meeting 15-17 November 2010 Strasbourg, Room G04
Report on the lacunae of Convention No. 108 for the protection of individuals with regard to automatic processing of personal data in the face of technological developments
PhD in Computer Science
Research Director at the Centre for Law and Informatics Research
The views expressed in this report are the sole responsibility of the author and do not necessarily reflect the official position of the Council of Europe.
Document prepared by the Secretariat
Directorate General of Legal Affairs and Human Rights
TABLE OF CONTENTS
1. New micro telecommunication networks
2. The explosion of geolocation
3. The invasion of cookies, or the disappearance of untraceability
4. Social networks
5. A functional approach to the concept of personal data
6. The controller of the file
7. A success story?
1. New micro telecommunication networks
The first decade of the 21st century has seen the ever-faster spread of new telecommunication networks, while the growth of the Internet, in terms of speed, mobility and ubiquity, has continued apace, including in the least developed countries.
Various short-range wireless networks (with a range from a few centimetres to several tens of metres, which we will call "micro-networks" in what follows), mainly WiFi, Bluetooth and RFID, have recently developed without great caution with respect to the data protection and privacy of their users.
WiFi interfaces are widespread today in laptops, and mobile phones are progressively being fitted with them. In practice there is a convergence between the laptop and the mobile phone. The former increasingly handles telephony through VoIP applications such as Skype. The latter increasingly allow their users not only to make calls but also to browse the Web, send and receive e-mail, or even access social networks via the Internet. These networks represent a major threat, insufficiently taken into account today, with respect to the traceability of users or, more broadly, of the human beings carrying the terminals connected to these new networks. The risks can be summarised as follows:
- Loss of control: the absence of a physical, wired connection makes the operation and disconnection of these new networks invisible, even to an informed user. This problem is particularly troublesome for RFID chips, which operate without batteries and whose tiny size, of the order of a few millimetres, does not help the user to detect their presence. Since these chips are used in particular for anti-theft purposes in shops, the shops obviously have no interest in making them visible, as a potential thief could tear them off or damage them.
- Lack of confidentiality: the three networks mentioned above are not systematically encrypted. In the case of WiFi in particular, it is relatively easy for a third party to capture and read the traffic between a wireless terminal and a wireless access point.
- Possibility of traceability: even when communications are encrypted, the static electronic serial number of a wireless access point, an RFID chip or a Bluetooth mobile generally remains readable in the clear. These devices behave as servers, i.e. they technically respond automatically to a connection attempt, even an unjustified one that is not followed up, by communicating their unique electronic serial number (GUID = Global Unique Identifier). In general, it is technically possible to read a Bluetooth serial number, the MAC address of a WiFi card or the serial number of an RFID chip, even without starting a real communication.
In conclusion, these new networks, already widely deployed and whose growth will be exponential in the years to come, technically allow the invisible tracking of each individual terminal equipped with a WiFi, Bluetooth or RFID interface, without the knowledge of its owner and even when the terminal has not been voluntarily activated.
2. The explosion of geolocation
The capture of the serial number of a wireless terminal can be performed by a computer equipped with geographical positioning capability, typically a GPS system [1]. Because these micro-networks are increasingly connected to terminals that are themselves connected to the Internet, the IPv4 address, renewed at random and at regular intervals, no longer provides effective protection against the traceability of users of telecommunication networks: it is often possible to identify a serial number or a unique tag specific to the micro-network used. The merger of these micro-networks with the global Internet thus leads, silently and inevitably, to ever more systematic tracking of individuals.
The risks of this geolocation must be analysed holistically. Much more is at stake than knowing where an individual is at a particular moment:
- Applied to a large proportion of the population, such a system makes it possible to know with whom a given person is, and hence to map everyone's family, professional and friendship relationships.
- Many places carry a special significance, and knowledge goes well beyond mere information. Number 25 on the main street of a big city means little a priori, unless one knows that it is a mosque, a psychiatric hospital, a trade-union office, a police station or a court.
- An individual's trajectories are characteristic of a certain type of behaviour. It is thus possible to know whether a person stops in front of a shop window or goes jogging. Inside a department store, individuals' trajectories are representative of purchasing behaviour.
This geographical positioning can also be coupled with the systematic monitoring of users' online behaviour that we described previously [2]. The coupling of the two systems (online profiling and geographical positioning) is technically facilitated by the interconnection of geolocating micro-networks with the terminal used to connect to the Internet.
The GPS system itself is purely passive: a GPS chip picks up signals from satellites in medium Earth orbit, some 20,000 km above the Earth, and emits no signal. The chip continuously computes its distance from the satellites whose positions it knows and derives its exact location (to within a few metres) by trilateration. Privacy issues therefore do not arise from GPS as such, but from the storage and transmission of the geolocation data by the terminal in which the GPS chip is embedded.
[2] Poullet, Yves & Dinant, Jean-Marc, Report on the application of data protection principles to the worldwide telecommunication networks: information self-determination in the Internet era, expert report for the Council of Europe, Strasbourg, 2004, http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/
3. The invasion of cookies, or the disappearance of untraceability
Cookies were designed to allow the tracing of Web users notwithstanding a change of IP address or the sharing of the same address between several users [3]. Such tracing may be needed for online electronic transactions, but technically only first-party session cookies are justified for this purpose. What poses a problem today are persistent cookies and, above all, third-party persistent cookies, which monitor traffic through transclusion (the automatic inclusion of content from a third-party site). In this category the world champion title undoubtedly goes to Google, whose Google Analytics system continuously collects the traffic (URLs, and hence content) of most Internet sites [4].
Until recently, however, browser settings allowed an informed user to block third-party cookies. It is noteworthy that no mainstream browser blocks transclusion itself, i.e. the automatic incorporation of content from third-party sites unknown to the user (contactability) and the communication of traffic data to those third-party sites (observability). Blocking third-party persistent cookies acts solely on traceability. Two important developments have since challenged even this marginal control over traceability.
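The distinction drawn above between traceability, observability and contactability can be made concrete with a small simulation. The following Python code is an added example and not part of the original report: it models only a browser's cookie policy and the Referer header, with a third-party server embedded by two unrelated first-party pages. The hosts news.example, shop.example and tracker.example are hypothetical, and everything else about HTTP is ignored.

```python
"""Why blocking third-party cookies limits traceability but not observability
or contactability. Added illustration; the hosts below are hypothetical."""
from itertools import count
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: two unrelated first-party pages that both transclude a
# script served by the same third-party host.
TRACKER_HOST = "tracker.example"
PAGES: Dict[str, List[str]] = {
    "https://news.example/article": [f"https://{TRACKER_HOST}/collect.js"],
    "https://shop.example/basket": [f"https://{TRACKER_HOST}/collect.js"],
}


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


class Tracker:
    """Third-party server: assigns each new visitor a persistent id cookie and
    records, per id, the first-party pages (Referer) on which it was loaded."""

    def __init__(self) -> None:
        self._ids = count(1)
        self.profiles: Dict[str, List[str]] = {}

    def serve(self, cookies: Dict[str, str], referer: str) -> Tuple[str, Optional[Tuple[str, str]]]:
        vid = cookies.get("uid")
        set_cookie = None
        if vid is None:                      # no cookie presented: mint a new id
            vid = f"v{next(self._ids)}"
            set_cookie = ("uid", vid)
        self.profiles.setdefault(vid, []).append(referer)
        body = "/* script content rendered into the page */"
        return body, set_cookie


class Browser:
    def __init__(self, tracker: Tracker, block_third_party: bool) -> None:
        self.tracker = tracker
        self.block_third_party = block_third_party
        self.jar: Dict[str, Dict[str, str]] = {}   # host -> cookies
        self.rendered: List[str] = []              # third-party content injected

    def fetch(self, url: str, top_level: str) -> str:
        """Fetch one transcluded resource (all resources in PAGES come from the tracker)."""
        host = host_of(url)
        third_party = host != host_of(top_level)
        blocked = third_party and self.block_third_party
        # The policy only governs cookies; the request itself (and its Referer)
        # is still sent, because the page transcluded the resource.
        cookies = {} if blocked else dict(self.jar.get(host, {}))
        body, set_cookie = self.tracker.serve(cookies, referer=top_level)
        if set_cookie and not blocked:
            name, value = set_cookie
            self.jar.setdefault(host, {})[name] = value
        return body

    def visit(self, page: str) -> None:
        for resource in PAGES[page]:
            self.rendered.append(self.fetch(resource, top_level=page))


def simulate(block_third_party: bool) -> Dict[str, object]:
    """Visit both pages and report what the tracker learned."""
    tracker = Tracker()
    browser = Browser(tracker, block_third_party)
    for page in PAGES:
        browser.visit(page)
    return {
        "profiles": tracker.profiles,                                      # traceability
        "pages_observed": sum(len(v) for v in tracker.profiles.values()),  # observability
        "content_injected": len(browser.rendered),                         # contactability
    }


if __name__ == "__main__":
    for policy in (False, True):
        print("block third-party cookies:", policy, simulate(policy))
```

With third-party cookies allowed, the tracker ends up with a single profile listing both first-party pages. With them blocked, it holds two unrelated profiles, yet it has still received both requests with the page URL in the Referer, and its script content was still rendered into both pages: only traceability was affected.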
The first challenge to the advanced user's ability to block cookies at the level of the Web's HTTP protocol came with the appearance of Flash cookies. Macromedia distributed its FLASH technology worldwide as a plug-in installed in most common browsers. This plug-in has its own operation and an independent data-management system that can be used as a cookie system. In that case, blocking performed by the browser itself is wholly irrelevant. An expert user can find a way to counter this strange behaviour of a plug-in that is able to read and write data on the terminal's mass storage. However, as Flash cookies are little known and blocking them requires technical knowledge, this type of blocking is hardly used.
A second phenomenon casts doubt on the blocking of third-party cookies by the informed user. For mobile phones in general, and for the Apple iPhone in particular, major Web sites tend to develop their own application. While their site could be used through a standard web browser such as Firefox, many companies (Amazon, Facebook, Google, some newspapers) develop and distribute their own application. Such an application uses the HTTP protocol, but the user no longer has any ability to block cookies, let alone transclusion.
In the same vein, the systematic incorporation of the MAC address [5] into IP version 6 (IPv6) addresses increases, or will increase, significantly and covertly the capacity to track surfers on Web sites. Unlike the current IP version 4 (IPv4), and regardless of any change of network prefix, each IPv6 address generated by stateless address autoconfiguration will contain the unique serial number of the computer's network interface card. This risk, far greater than that of third-party persistent cookies, currently remains insufficiently taken into account by the data protection authorities. An IPv6 alternative generating a random interface identifier (so-called temporary addresses) exists and has been standardised by the IETF; it protects the user only where the operating system actually enables it.
[3] The NAT system present on most domestic wireless ADSL routers allows several different users to use a single Internet IP address simultaneously.
[4] A Berkeley study of a sample of 400,000 sites in May 2009 showed that 88% of them use Google Analytics.
[5] Medium Access Control: a globally unique serial number of each Ethernet device, for example the wired and wireless network cards of terminals. Bluetooth chips often reproduce the serial number of the Ethernet card of the device on which they are installed.
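The mechanism described in this passage, and the readable serial numbers of section 1, can be checked with a few lines of Python. What follows is an added example, not material from the report: it builds the address a host derives from its MAC address under stateless address autoconfiguration (modified EUI-64, RFC 4291 Appendix A), shows that the same MAC can be read back from addresses obtained on two different networks, and contrasts this with a random interface identifier in the spirit of RFC 4941 (simplified here to random bits with the universal/local bit cleared, rather than the RFC's MD5 chain). The prefixes 2001:db8:1::/64 and 2001:db8:2::/64 are documentation prefixes and the MAC is a constructed sample.

```python
"""How a MAC address surfaces in IPv6 stateless autoconfiguration (modified
EUI-64) and how a random interface identifier avoids it. Added illustration;
the MAC and prefixes below are constructed samples."""
import ipaddress
import os
from typing import Callable, Dict, List, Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier: split the 48-bit MAC, insert
    ff:fe in the middle and flip the universal/local bit (0x02 of byte 0)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host autoconfigures on a /64 prefix from its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC when the low 64 bits look like a modified EUI-64;
    None otherwise (temporary, manually assigned or DHCPv6 addresses)."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


def link_by_mac(addresses: List[str]) -> Dict[str, List[str]]:
    """What a web server logging IPv6 clients seen from several networks can
    do: group the addresses that embed the same network interface card."""
    groups: Dict[str, List[str]] = {}
    for addr in addresses:
        mac = mac_from_address(addr)
        if mac is not None:
            groups.setdefault(mac, []).append(addr)
    return groups


def temporary_iid(rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """Interface identifier in the spirit of RFC 4941: 64 random bits with the
    universal/local bit cleared. Simplified (the RFC uses an MD5 chain); the
    property that matters here is that no MAC address is embedded."""
    iid = bytearray(rng(8))
    iid[0] &= 0xFD
    return bytes(iid)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                       # constructed sample MAC
    home = slaac_address("2001:db8:1::/64", mac)    # address at home
    office = slaac_address("2001:db8:2::/64", mac)  # address at the office
    print(home, office)
    print("linked:", link_by_mac([home, office, "2001:db8::1"]))
    print("temporary iid:", temporary_iid().hex())
```

The two autoconfigured addresses differ only in their prefix; a server that logs both can recover the same MAC from each and link the visits, which is exactly the cross-context traceability the report warns about. An address built from a random interface identifier yields nothing to `mac_from_address`.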
In general, then, the few defences that allowed the informed user to fight traceability on the Internet are being slowly but surely eroded.
4. Social networks
If at the end of the twentieth century e-mail and chat were the most popular means of interpersonal communication on the Internet, we have since seen the development of social networks, a natural evolution of the blog technology of yesteryear. The social innovation lies here: where blogs focused on an issue or a theme, social networks are focused on individuals. These social networks quickly became a way to get in touch and to make oneself known on the Internet. Their designers rapidly developed specific applications that allow others to browse the network and act on the stored profiles, to the extent permitted by the users and by the network designer. These social networks are generally free only in appearance, i.e. the user pays for the social network through exposure to advertising. The privacy policies of these networks are generally dictated by the site designer, who may allow the data subjects to configure, to a certain extent, the visibility of the stored information vis-à-vis third parties.
Historically, laws on the protection of personal data have focused on the twin concepts of "personal data" and "controller of the file" or "controller". These two concepts now seem to have become both too vague and too narrow to provide effective regulation of the right to respect for privacy amid the ever-changing technologies and uses of the information and communication society.
5. A functional approach to the concept of personal data
Any data relating to an individual typically identifies a characteristic of that individual. Such data may be biographical and/or tracing.
In the first case, the data relating to an individual say something about that person, e.g. a fact, a gesture or a purchase; it is a property of the person, which may be shared by several individuals. For example, being Catalan or Corsican is a personal data item of each and every Catalan or Corsican. It is "biographical" data in the etymological sense, i.e. information that describes a life, or more exactly a slice of life, a characteristic of an individual. What is at stake here is knowledge of one or more characteristics of an individual in a particular context.
In the second case, the data relate to an individual and constitute a unique feature, or a unique value of some variable, that distinguishes that individual from the others in a population. Thus an IP address identifies a person uniquely at a given moment [6]. This is a unique identifier (Unique Identifier). Such an identifier is not a problem when it serves to identify an individual in a particular context (account number in a bank, patient number in a hospital, student number in a university, citizen number in an administration, membership number in a trade union, etc.). In practice, however, these identifiers are rarely local and are rapidly becoming global, i.e. multi-contextual. This is what we call a Global Unique Identifier. Such traceability enables the identification of the same person in several different contexts. What is at stake here is multi-contextual knowledge of a single individual.
Contact data are a third type of data. An e-mail address, a postal address or the URL of a "wall" on a social site allow another party to communicate content to an individual identified by that contact datum. Thus, for example, knowledge of an e-mail address can lead to several Web pages relating to the same individual. What is at stake with this last type of data is contactability, i.e. the technical possibility for a third party to inject content (including advertising) into a mailbox or onto a screen. In this context it is naturally marketing that is at issue and, more specifically, the individual's control over their exposure to advertising.
This functional division in fact distinguishes three substantially different types of personal data. More precisely, they are properties of personal data. Thus an e-mail address of the type "john.smith@coe.int" combines the three properties described above: we learn that John Smith works at the Council of Europe; typing the address into a search engine may reveal information associated with it; and finally the address allows one to contact John Smith, possibly for advertising purposes.
Very (too?) lengthy discussions took place long ago on whether an IP address or a cookie is personal data. It is noteworthy that the apparent importance of this debate is linked to a confusion among businesses, particularly multinationals. Article 8 of the ECHR does not protect the privacy of the identified or identifiable person in particular: any person, even one who is neither identified nor identifiable, is entitled to this protection. The right to protection of personal data does not exhaust the right to protection of privacy. Thus, for example, ubiquitous surveillance of people in public places or on private property by means of video surveillance is indeed an intrusion into the lives of the people filmed, even if they remain unidentifiable thanks to a clever blurring of their faces.
In other words, in our view, there are no data relating to an individual that are not either identifying, tracing, biographical or contact data.
It should be noted that some of these problems are already addressed by certain European directives which do not seem to have an equivalent at the Council of Europe. Thus, for example, Directive 95/46/EC provides for the right to object to direct marketing without any justification. Directive 2002/58/EC regulates the use that may be made of e-mail addresses and files for commercial purposes, subject either to consent or to the possibility for the data subject to exercise a right of objection. Directive 2006/24/EC sets out exhaustively the traffic data to be retained by telecommunications operators, by way of derogation from Directive 2002/58/EC. And so on.
[6] This is generally true if the user does not use NAT. In the case of a NAT allowing the simultaneous sharing of a single IP address between several people (a school, a family, the guests of a hotel, etc.), the IP address identifies a group of people.
It should be noted that these provisions of European Community law show greater pragmatism and claim to protect privacy, not merely personal data. One may also note that the protection of e-mail benefits legal persons as much as individuals.
In conclusion, it is becoming less and less relevant to ask whether this or that datum is personal data. The question is rather to identify the risks created by the use, in a particular context and by a given user, of data produced by information and communication technologies, and to provide a principled response to them.
In our opinion, the most sensitive data today are globally unique identifiers, whether hardware (electronic serial numbers) or software (cookies), insofar as, being firmly attached to a telecommunication terminal, they allow the same user to be traced across different contexts. The use of these unique numbers should be confined to the terminal. In the absence of appropriate safeguards, they should not have to pass over the telecommunication networks at all.
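One way to keep a unique number confined to the terminal, as recommended above, is for the terminal to present each service with a pseudonym derived from a secret it never transmits. The following Python code is an added illustration, not a proposal from the report: it compares the linkage a data broker obtains when three terminals send their raw serial to two services (shop.example and transit.example, hypothetical names) with what it obtains when each terminal instead sends an HMAC-derived per-context identifier. It assumes the terminal can generate and store a secret locally; the serials are constructed samples.

```python
"""Per-context pseudonyms: the terminal's serial never leaves the terminal,
each service sees an identifier that is stable for that service only.
Added illustration; serials and service names are hypothetical."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass(frozen=True)
class Terminal:
    serial: str    # factory serial (MAC, IMEI, RFID id ...)
    secret: bytes  # generated on the terminal, e.g. at first boot; never sent


# Constructed sample population of three terminals.
TERMINALS: List[Terminal] = [
    Terminal("00:1a:2b:3c:4d:5e", secrets.token_bytes(32)),
    Terminal("00:1a:2b:3c:4d:5f", secrets.token_bytes(32)),
    Terminal("00:1a:2b:3c:4d:60", secrets.token_bytes(32)),
]

Identify = Callable[[Terminal, str], str]


def context_pseudonym(secret: bytes, context: str, epoch: Optional[int] = None) -> str:
    """HMAC-SHA256 over the context name (and optionally a time epoch), keyed by
    the terminal-resident secret, truncated to 128 bits. The same terminal
    always presents the same value to the same context, so the service can
    still recognise a returning terminal; without the secret nobody can
    compute the pseudonym used in another context, so the ids do not join."""
    msg = context.encode("utf-8")
    if epoch is not None:                     # optional rotation for time-limited ids
        msg += b"\x00" + str(epoch).encode("ascii")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def identify_raw(terminal: Terminal, context: str) -> str:
    """Today's behaviour: the global unique identifier itself is sent."""
    return terminal.serial


def identify_local(terminal: Terminal, context: str) -> str:
    """Identifier confined to one context."""
    return context_pseudonym(terminal.secret, context)


def service_records(terminals: List[Terminal], context: str, identify: Identify) -> Set[str]:
    """The identifiers a service operating in `context` ends up storing."""
    return {identify(t, context) for t in terminals}


def cross_context_links(terminals: List[Terminal], identify: Identify) -> int:
    """How many records a data broker can join by identifier between the two
    services, i.e. how many terminals become multi-contextually known."""
    shop = service_records(terminals, "shop.example", identify)
    transit = service_records(terminals, "transit.example", identify)
    return len(shop & transit)


if __name__ == "__main__":
    print("linked with raw serials:", cross_context_links(TERMINALS, identify_raw))
    print("linked with pseudonyms: ", cross_context_links(TERMINALS, identify_local))
    t = TERMINALS[0]
    print(identify_local(t, "shop.example"), identify_local(t, "transit.example"))
```

With raw serials all three terminals can be joined across the two services; with per-context pseudonyms none can, while each service still sees a stable identifier for its own purposes. The `epoch` parameter shows how the same construction yields rotating identifiers where even intra-context persistence is unwanted.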
Traffic data should also enjoy a special status. In European law, the principle of immediate deletion or anonymisation of traffic data is laid down in Article 6 of Directive 2002/58/EC. Notwithstanding this general principle, operators are, on the basis of Directive 2006/24/EC, required to retain a limited set of data for a limited period, solely for the investigation and prosecution of criminal offences. It is intriguing to note that Google today collects traffic data in real time across the whole Web, on an individual basis and for commercial purposes (direct marketing brought Google more than six billion US dollars in 2009 [7]), whereas a similar collection is expressly prohibited for telecom operators except for the detection and prosecution of criminal offences by the police. In other words, a powerful Internet actor collects daily, de facto and for commercial purposes, far more personal data than the police services can and do collect, through the operators, for the fight against breaches of public safety.
6. The controller of the file
Both Directive 95/46/EC and Convention 108 distinguish two persons responsible for data processing: the controller (controller of the file) and the processor (subcontractor).
This categorisation no longer seems appropriate. In the world of ICT, new specialised trades have been created, and other trades will emerge tomorrow.
To make this regulation complete, the legal regime needs to be adapted according to the business of the company that collects, stores or transmits data relating to individuals.
We are also fully aware that this regulation currently faces a problem of private international law. As in consumer law, should the law applicable to data protection (which is something more important than consumer law) not be that of the person concerned, rather than that of the place of establishment of the company that collects, stores or transmits the data? This will be discussed in detail in our second part.
[7] See in this regard "Bénéfices en forte hausse pour Google" (Profits up sharply for Google), Le Monde, 16 October 2009, http://www.lemonde.fr/technologies/article/2009/10/16/benefices-en-forte-hausse-pour-google_1254699_651865.html
Under public pressure, some major players (Facebook, Google) have sometimes changed their privacy policies, but such regulation by trial and error does not appear satisfactory. Increasingly subtle attacks against the protection of personal data and against the privacy of Internet users are motivated by the economic considerations of the major Internet players and generate, as a side effect, problems whose social costs are borne by society as a whole.
On this point, we note that the financing of many tools of the information and communication society (search engines, social networks, e-mail, ...) is based on advertising. The key argument of advertising, namely a free Internet, turns out on analysis to be flawed. If advertising finances the Internet, one obviously has to ask who finances the advertising. Far from receiving a free Internet, the consumer actually pays twice. They pay first in kind, by being profiled, analysed and manipulated, both consciously and unconsciously. They pay a second time by buying the promoted product or service, the advertising cost of which is inevitably included in the final price.
Many authors have reflected on the commodification of privacy and personal data. It now seems established that the protection of privacy is a fundamental freedom. And it is because it is a fundamental freedom that privacy can, to some extent and under certain conditions, be monetised. Like the image rights that show-business stars monetise, each individual should be able not only to refuse or accept exposure to advertising but also to monetise it for hard cash. It would be desirable that access to the information and communication society no longer be conditioned on a de facto obligation to submit to behavioural analysis and the injection of advertising content, but could instead be paid for by the consumer: these services, without advertising, could be made accessible to citizens by Internet service providers for a modest flat-rate contribution included in the cost of the Internet subscription. Indeed, if one divides Google's profit by the approximate number of Internet users concerned, one realises that access to Google's services could be provided for a price of around one euro per user per month without Google's profit being significantly affected.
7. A success story?
We believe that the modern mobile telephone network remains an example to follow for the protection of privacy built into the heart of the technology. On the one hand, mobile terminals must (on pain of not being approved, and hence impossible to sell) include Calling Line Identification Restriction (CLIR). This feature allows any user, even a beginner, to hide their telephone number from the person they call. Technically, it should be noted that the number is still transmitted within the network, which allows, for example, the emergency services to identify the caller where the law so provides.
Mobile telephone devices also have an electronic serial number called the IMEI (International Mobile Equipment Identity). This serial number is transmitted to the operator of the telephone network itself. The network operator does not technically transmit this serial number to the mobile device of the recipient of the communication. Under Directive 2006/24/EC, however, operators must retain this identification data. These technical features give the user real control over their mobile phone: they can hide their phone number and manage their traceability and contactability. Their communication is encrypted on the radio link and is not easily observable by a third party (although how strong that protection is depends on the cipher the network negotiates; the GSM A5/1 cipher had already been shown to be practically breakable by 2010).
Some consensus can be seen emerging on the principles of protection of privacy and personal data (an ontology of privacy: control of observability, traceability and contactability; the purpose principle (contextualisation of data)), and much research on "privacy by design" is under way.
We believe that the obligations of current and future law should apply differently to the various players in the information and communication society, according to the role they play and the type of data they are called upon to process. On the information highway, traffic rules are not enough; vehicles must be built, i.e. technology that implements these principles of protection of the driver. "If the technology is the problem, the technology may be the answer..."