Lee & White

Dedicated to Excellence

  • Poof! Your Privacy Evaporated in a Cloud of Smoke!

    Wednesday, December 21, 2011

    Cloud computing is a hot topic these days. But what is it all about?

    Basically, it describes technologies for delivering software as a service. The cloud provider supplies processing power, software, data access and storage in order to deliver services to the consumer of those cloud services.

    How does it look from your end of the screen? Compare it to your water supplier; at the end of the day, the average user would probably require that when he turns on the tap, water comes out. The more concerned user would be a bit more interested in the quality and origin of the water coming out.

    A better parallel with regard to your data however would be the attended cloakroom. You would arrive at the theatre and hand your coat to the cloakroom attendant in exchange for a numbered ticket. After the show, you would hand the ticket to the attendant in order to have your coat returned.

    So as a user (the data subject), you hand your personal data to a company (the data controller) you trust, and this company stores your data or processes it in ‘the cloud’ through its cloud provider (a data processor).

    If the cloakroom is unattended (after closing hours) or in case of an emergency, you could browse through the coat hangers in the cloakroom and find your coat. But what if it wasn’t there, because the cloakroom had ‘outsourced’ storing the coats? You would appreciate a sign saying ‘We outsource our coat storage to external sites in x, y and z’. You could still go to x, y and z and retrieve your coat.

    With data, however, nobody guarantees that the data is stored completely in one location; it might be distributed over multiple data stores. Nor is it guaranteed that the data is stored only once, only that it is stored at least once. And there is no guarantee that when data is deleted or moved, it is physically removed or erased in the original location.

    So what can we learn from this short story?
    It is vital that everybody involved knows where the data resides, handles it with care and only for as long as needed and wanted, keeps it safe from abuse, and deletes it when no longer needed.

    Data Controller
    • Draw up and adhere to rules regarding handling personal data. (data handling procedures)
    • Draw up and implement procedures to allow data subjects to execute their legal rights under the Data Protection Law.
    • Ensure your subcontractors abide by the same rules you impose on yourself.
    • Inform your data subjects of these rules, be transparent. (privacy statement)
    • Audit yourself regularly to check adherence to your rules and the Data Protection Law.
    • Audit your subcontractors to check the above.
    • Be vigilant!
    Data Subject
    • Read the information provided by the data controller before handing over your personal data.
    • Execute your legal rights under the Data Protection Law.
    • Stay in control of your personal data, know who is using it and what for.
    • Be vigilant!

    And finally, if in doubt, do not hand over your personal data and look for another provider.

    Posted by: Lee & White

    Tags: Best Practices, Personal Data, Organisations, Internet, IT, Data Handling Manual

  • The Rise of a New EU Data Protection Regime

    Tuesday, December 13, 2011

    The time has come. High time, in fact, given the numerous intentional and ignorant breaches that have occurred in the last decade.

    Many organisations in Belgium, especially in the private sector, have frequently set aside matters of data protection on the ground that no one ever gets caught in Belgium, and that even if one were found out, the low risk of a fine meant that spending resources (both monetary and manpower) on it was a waste of time. Profits are essential, and budgets are limited.

    Coupled with the fact that the Privacy Commission's powers are quite restricted (it has a mainly advisory role...), and seeing the lack of bite in previous breaches, complying with the duties set out by the Data Protection Law has been treated as just an unnecessary expense which no data controller in the business world wants to indulge in.

    On December 7, 2011 in Brussels, Viviane Reding, Vice President of the European Commission and EU Justice Commissioner, revealed plans to strengthen data protection through the choice of a type of legal instrument, new data protection rights and a new tool to ensure compliance with the new single data protection law in Europe.

    As part of the effort to ensure greater data protection compliance, the powers of Data Protection Authorities in member states are to be strengthened so that they are able to effectively sanction breaches of the law.

    In order to assist the authorities in enforcing the new laws, a new Data Protection Board will be created from the current Article 29 Working Party. "When the reform will enter into force, a new European Data Protection Board will be created from the current Article 29 Working Party. Given its enhanced future responsibilities the Board should have an efficient and dedicated secretariat. How to do it? I think that this secretariat should be hosted by the European Data Protection Supervisor's office which would be a cost-effective solution drawing upon the ready-made experience of that office," said Reding.

    She also went on to assure that it was not the intention of the European Commission to take over the enforcement of the data protection rules. "Last but not least, let me stress that the European Commission has neither the intention nor the means at its disposal to take over your role as interpreters and enforcers of data protection rules on the ground, or as decision-makers on individual cases. On the contrary, with the reform, you will have a fully independent secretariat at your disposal and better tools to develop a common legal doctrine."

    The proposals for the new regime will also include the following:
    • Individuals will get more rights that will be enforceable in the online environment and simultaneously, data controllers will be subject to stricter obligations.
    • The principles of data minimisation and privacy by design will be strengthened.
    • The right to be forgotten and the right to data portability are to be included.
    • Adequate protection of children against abusive profiling or tracking on the internet.
    • The administrative burden of compulsory notifications on personal data processing is to be reduced and prior checks are to be limited only to cases where they bring real added value. However, privacy impact assessments for risky processing will be introduced so that data protection is not undermined.
    • Data breach notifications to be extended to all sectors and the role of data protection officers in the public sector and in large companies and in companies with risky processing will be strengthened.
    If all goes well, and the proposals outlined become part of the new legal framework, the EU will have a very promising data protection regime, and data controllers will have little choice but to put protection of personal data first on their business agenda and make room in their limited budgets to comply.


    Tags: Personal Data, Government, Organisations

  • Permission to Read Your eID

    Friday, July 8, 2011

    The electronic identity card or eID is the statutory or legal identity card in Belgium. Every Belgian citizen in Belgium above 12 years of age has an eID. In addition, foreigners residing in Belgium, both EU and non-EU citizens, who have fulfilled the country's residence requirements are also given an eID. With this eID, you are able to prove your identity and travel within the EU countries.

    And it does not stop there. The eID has a microchip, protected by a PIN code, which contains information not visible on the card itself, such as one's address, as well as electronic data known as digital certificates. These certificates confirm your identity when you use the eID with a card reader. Through the eID, you can:
    • prove your identity on the Internet
    • place an electronic signature
    • apply for official documents and fill in official forms
    • and more...
    Whilst anyone with a card reader can read the details on an eID by inserting the eID into the card reader and using the publicly available software, not everyone may do so without a legitimate purpose and the consent of the data subject.

    The presentation or submission of the eID card is not governed by the Data Protection Law. However, once the information on the identity card is read, copied or manually recorded, processing of personal data has taken place and is subject to the application of the Data Protection Law.

    As such, it is of primary importance to establish that there is a legitimate purpose for reading the eID. Where the information visible on the eID card to the naked eye is sufficient to achieve the relevant purpose, the data controller should only copy/process that information and should not proceed with an electronic reading of the chip. This is because, as stated earlier, the microchip contains both information already visible on the card and hidden information which may not be necessary for the relevant purpose. If the data controller reads the information contained in the chip anyway, it is then processing irrelevant and excessive information unnecessary for its purpose(s) and is in breach of the Data Protection Law.

    Hence, if you are asked to have your eID read by a card reader, which seems to be quite common when registering for mobile phone subscriptions and tenancy agreements, do exercise your right to know the specific purpose for reading your eID. If the information required is visible on the card without reading the chip, then know that the data controller has no ground for making this request.


    Tags: Private Persons, Personal Data, Organisations, Human Rights, IT

  • Protecting Them is protecting You

    Wednesday, June 15, 2011

    Despite many obvious reasons for ensuring both technical and organisational security measures within a company, many companies (don't be surprised) are yet to implement these.

    Unrestricted access to server rooms (for purposes which will set you on the floor laughing, but sadly true), sharing of passwords between colleagues, unlocked cabinets, messy desks with confidential information displayed for all eyes, non-secure company websites collecting personal data, and so on. If you're nodding to all of these as you read, then your company is in breach of the Data Protection Law.

    Now, last week on the news, Sony Pictures was humiliated when hacking group LulzSec claimed it had accessed unencrypted personal data from the SonyPictures.com and Sony BMG websites in Belgium and the Netherlands. According to the group, getting the information was not that complex: they gained access to SonyPictures.com with a single SQL injection.

    "What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it," they claimed. "This is disgraceful and insecure: they were asking for it."

    According to Beth Givens, director of Privacy Rights Clearinghouse, the attacks on Sony would seem to indicate lax practices on Sony's part. "These repeated Sony attacks are an object lesson for all companies," she said. "Sony has reported that it uses industry standards for security. If that's true, then perhaps it is time to re-evaluate and even go beyond such standards." (Read more: CNET News)

    It is clearly another lesson to be learnt. But are companies learning, or ignoring this important legal and moral duty to their customers? How many companies will take the appropriate security measures now, or will it depend on the budget and short-term profit?


    Tags: Best Practices, Data Breach, Personal Data, Organisations, IT

  • When Sharing is NOT Praiseworthy

    Wednesday, May 25, 2011

    It would seem strange, and even overbold, to admit that there are times when sharing is not an action deserving praise, but such situations do arise, particularly on the Internet.

    Let us use the most popular social network of our time as an example: Facebook. Facebook is all about sharing. One of the main reasons for its use is to share content with others such as pictures, videos, comments, links and so on. In most instances, we share such content with the people we know on Facebook. We let our friends and family know what we're thinking about, what we ate, our current location (via Blackberry etc)...

    And then there are those who add strangers to their list by the dozen. You should see the number of friends on the lists of some of these people, running up to a thousand! And how well do they know the people they 'friend' on their list? Many do not even consider the profile of their requestors before adding them to build up their list of friends. A social experiment conducted recently confirms the problems with sharing on the social network. Indeed, we would never share our personal information with strangers, so why do we do this on a social network?

    Sharing our personal information (even with friends) should be carefully considered. For example, sharing your location so that people know exactly where you are at a particular time leaves you quite vulnerable. There are users who boldly upload pictures of their passports and airline tickets with every bit of confidential information visible for all to see. Caution is certainly thrown to the wind in these cases. It is indeed a pity when people think that crimes such as identity theft and the like are far-fetched and "only happen to others".

    Whilst it can be argued that we were all once strangers to each other before friendship developed, the fact remains that what one sees on the social network may not always be the truth. And be it with friends or strangers, danger lurks. For example, there have been several cases where teenagers befriended strangers through Facebook and the like, and ended up being raped. The cases come from all around the world, stretching from Malaysia, Indonesia and India to the UK.

    In fact, as Facebook admits in its Privacy Policy, even after one removes information from his/her profile, or deletes his/her account, copies of that information may remain viewable elsewhere to the extent that it has been shared with others (such as friends downloading and storing the pictures you have uploaded), and the information might be reshared by others. So, are you still the master of your life, or are you cheating yourself out of it?

    Undoubtedly, social networks such as Facebook have their good uses: reconnecting with old friends, keeping in touch, etc. However, as with everything in life, caution is necessary. Use these tools wisely.

    And let us not forget about bloggers, especially mothers who blog about every single thing. Yes, children's names, ages, birthdays, likes, dislikes, outings, things planned: e.v.e.r.y.t.h.i.n.g. They do not realise how much they have exposed their families and themselves to danger and abuse. Writing a blog may seem like a private journal or a personal diary, but it is in fact far from p.r.i.v.a.t.e. It is a publication on the Internet, visible to a few or to all (whichever is opted for), and it remains on servers which the blogger does not control.

    Therefore, although sharing is one of life's basic skills, sharing yourself away in these instances is at a very heavy cost and hardly deserving of praise.


    Tags: Private Persons, Personal Data, Internet

  • The Grand Data Heist - Millions Affected

    Monday, April 4, 2011

    Epsilon, the largest global online marketing company, which manages communications for a number of the biggest international firms in the world, announced that it suffered a breach of its e-mail system on March 30th, resulting in the theft of millions of customer records. It is said to be the largest data theft in history.

    "On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system," Epsilon said.

    Epsilon sends out an estimated 40 billion permission-based emails yearly on behalf of its 2,500 clients and brands, which include some prominent names such as Citi, JPMorgan Chase, Capital One, Marriott Rewards, TiVo, Walgreens, McKinsey and Kroger. It was initially believed that the breach had only affected customers of Kroger, but it is likely that more companies are affected, as more of them confirm that their data has been stolen as well. Clients of Epsilon have already begun to take steps to protect their customers by warning them of potential fraudulent emails.

    "The information that was obtained was limited to email addresses and/or customer names only," claims Epsilon, and though this may be true, it is all the information needed for a hacker to obtain more sensitive information by sending phishing emails to subscribed customers. Scams such as this have high success rates as they prey on gullible and uninformed users.

    How does it work? Simple.

    Take this scenario as an example. SJ, a customer of company XYZ, subscribes to receive email notifications of its promotions. She receives an email with the latest products available, and clicks on a link assuming it will take her to the information page for a product she is interested in. What she is unaware of is this: it is a fraudulent email, and clicking on that link takes her to a hoax page where she is prompted to enter her personal information. Oblivious to the deception, she submits her details, falling into the scammer's trap.

    There are other, simpler ways too. Such emails could carry a virus that infects a user's computer by simply opening the email.

    It is highly important that you are cautious and wary of to whom and where you give your personal information, how your personal information is handled, and what security is in place to protect your information. A reputable company, and one that values its customers' privacy, will inform you of its data processing practices. It is its legal duty. You will find this in its Privacy Statement; if it does not have one, be wary. You are, by law, empowered to query such companies, and their third parties, on the type and purpose of information kept about you. You have the right to access your information, and to request that this information be deleted where necessary.


    Tags: Data Breach, Personal Data, Organisations

  • User Profiling

    Tuesday, February 8, 2011

    You can approach sharing your personal data in two ways:

    Some people absolutely refuse to use applications such as Facebook, Twitter and LinkedIn.

    Others simply register with these sites in order to stop others from stealing their identity and using it to impersonate them. Other people go all out and share their whole life, successes and woes, likes and dislikes, and publish it for everyone to see.

    The same goes for user profiling. Some people do not mind that their every move is being traced and that companies build extended profiles on their habits, likes and dislikes, whilst others have a strong Big Brother feeling and absolutely avoid using most, or even any, of the electronic tools we have at our disposal these days.

    It is quite impossible to avoid being tracked, as every move you make on the Internet, using your fixed or mobile phone, credit and debit cards, bank transfers, purchases, driving on the highway and walking in public places, is monitored, registered, analysed, mashed up, stored and used for a multitude of purposes. Even if you do not use electronic tools yourself, the movements of your car are still registered by numerous intelligent cameras, and even your face gets recognised by surveillance cameras. Tourists take geotagged snapshots with you as an accidental passer-by, and Facebook puts your name to your face.

    In fact, it is actually quite undesirable to have people move 'under the radar' so to speak as it opens the door to illegal, antisocial and unwanted activities and removes the feeling of social control.

    The data protection law empowers us to retain control on who handles our personal data and what they can use it for. It also allows us to stop people or entities from processing our personal data if we have good reason to do so.

    The benefits of user profiling are many. Instead of having to actively search for information and goods that interest us, companies can present us with relevant and interesting information and goods and not bother us with information that does not interest us. It is like the baker who knows which kind of bread you like and the tailor who knows your size and taste and helps you find the perfect garment in no time at all.

    Of course, there are also possible abuses with user profiling - such as criminals knowing when people are not at home.

    In conclusion, user profiling has many advantages and disadvantages, but it is here to stay and cannot be avoided.

    It is up to us, the general public, or data subjects as we are called in data protection law, to keep a grip on our information, to exercise our rights and to keep arming ourselves with the necessary legal means to keep abuse at bay.

    The data protection law must not be seen as restricting the use of personal data, but as a means to establish trust and order between the data controller and the data subject. It leaves us with many ways to use personal data correctly for a long-term relationship between customer and supplier.


    Tags: Private Persons, Personal Data, Organisations, Internet


Copyright © 2003-2025 Lee & White®. All rights reserved.
