
Apple and Sony Privacy Woes Point to Legal Holes

Appeared in the Toronto Star on May 1, 2011 as Apple, Sony security slips show flaws in our laws

Privacy officials have long warned about unseen consumer privacy risks, yet the issue has rarely generated significant political attention in Canada, with potential reforms languishing for years without action. Recent high-profile privacy incidents involving two of the world’s most popular consumer electronic companies – Apple and Sony – could help change that as millions of Canadians awaken to the privacy risks associated with undisclosed tracking and security breaches.

Apple was first in the spotlight last month after researchers disclosed that the company quietly installed a database on iPhone users’ computers that collected their geo-location activities. With Apple waiting nearly a week to respond, millions wondered why the company gathered the data without offering users the opportunity to opt out, whether their information was disclosed to any third parties, and how the data could be collected on their computers without any security safeguards.

Apple ultimately acknowledged that it was collecting the location information even when consumers opted out of the iPhone’s location services functionality. The company promised a software update that would respect user opt-outs and would cease backing up the location information on their computers.

The Sony incident involved one of the largest consumer security breaches in history. Six days after shutting down its PlayStation Network due to an “external intrusion”, the company began advising more than 75 million account holders that their personal information, including user profiles, birthdates, passwords, purchasing history, and credit card information, had been stolen.

The sheer scope of the security breach may be unprecedented since Sony appears to have stored all this information together (thereby allowing for easy linkages), much of it without encryption. Given the need to reissue credit cards and safeguard against identity theft and other misuse, the ultimate cost of the breach could run into the hundreds of millions of dollars.

While both companies were at pains to declare their concern for user privacy – Apple characterized itself as “one of the leaders in strengthening personal information security and privacy” and Sony noted that it “takes information protection very seriously” – lax security safeguards and delayed public notifications provide little reason for consumer confidence.

Indeed, it has become increasingly apparent that consumers must be the frontline guardians of their own privacy by rotating passwords, only providing personal information that is strictly necessary for the services they use, and opting out of unnecessary disclosures to third parties.

Even with such measures, risks from security breaches and poor privacy practices remain a reality. Countering these risks requires tough regulation and enforcement so that companies prioritize consumer privacy and face serious consequences when failures occur.

Yet on the legislative and enforcement front, much more can be done. Canada still does not have a mandatory security breach disclosure requirement, so the Privacy Commissioner of Canada learned about the Sony breach through news reports. Moreover, Sony’s decision to sit on the information for days without informing the public carries no legal consequences under Canadian law.

In stark contrast to the U.S., privacy lawsuits are also relatively rare in Canada. Within days of the Sony security breach disclosure, a California lawsuit seeking class action status was filed arguing the company did not take “reasonable care to protect, encrypt, and secure the private and sensitive data of its users.”

Apple’s failure to respect user opt-out requests from collecting geo-location information similarly raises few ramifications under Canadian law. Although the Privacy Commissioner could launch an investigation, there is no real prospect of penalties or fines under the current law. Canadians may expect better of Apple and Sony, but the law has thus far failed to match those privacy expectations.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.
