Apple and Sony Privacy Woes Point to Legal Holes

Privacy Commissioner of Canada Jennifer Stoddart generated considerable attention yesterday for a speech that calls for new powers to allow for “significant, attention-getting fines” in light of the Sony PlayStation Network security breach. The speech was similar to one delivered in January, when Stoddart put order-making power, fines, and naming names squarely on the table (I wrote about the speech here).

My weekly technology law column (Toronto Star version, homepage version) notes that privacy officials have long warned about unseen consumer privacy risks, yet the issue has rarely generated significant political attention in Canada, with potential reforms languishing for years without action. Recent high-profile privacy incidents involving two of the world’s most popular consumer electronics companies – Apple and Sony – could help change that as millions of Canadians awaken to the privacy risks associated with undisclosed tracking and security breaches.

Apple was first in the spotlight last month after researchers disclosed that the company quietly installed a database on iPhone users’ computers that collected their geo-location activities. With Apple waiting nearly a week to respond, millions wondered why the company gathered the data without offering users the opportunity to opt out, whether their information was disclosed to any third parties, and how the data could be collected on their computers without any security safeguards.

Apple ultimately acknowledged that it was collecting the location information even when consumers opted out of the iPhone’s location services functionality. The company promised a software update that would respect user opt-outs and would cease backing up the location information on their computers.

The Sony incident involved one of the largest consumer security breaches in history. Six days after shutting down its PlayStation Network due to an “external intrusion”, the company began advising more than 75 million account holders that their personal information, including user profiles, birthdates, passwords, purchasing history, and credit card information, had been stolen.

The sheer scope of the security breach may be unprecedented since Sony appears to have stored all this information together (thereby allowing for easy linkages), much of it without encryption. Given the need to reissue credit cards and safeguard against identity theft and other misuse, the ultimate cost of the breach could run into the hundreds of millions of dollars.

While both companies were at pains to declare their concern for user privacy – Apple characterized itself as “one of the leaders in strengthening personal information security and privacy” and Sony noted that it “takes information protection very seriously” – lax security safeguards and delayed public notifications provide little reason for consumer confidence.

Indeed, it has become increasingly apparent that consumers must be the frontline guardians of their own privacy by rotating passwords, only providing personal information that is strictly necessary for the services they use, and opting out of unnecessary disclosures to third parties.

Even with such measures, risks from security breaches and poor privacy practices remain a reality. Countering these risks requires tough regulation and enforcement so that companies prioritize consumer privacy and face serious consequences when failures occur.

Yet on the legislative and enforcement front, much more can be done. Canada still does not have a mandatory security breach disclosure requirement, so the Privacy Commissioner of Canada learned about the Sony breach through news reports. Moreover, Sony’s decision to sit on the information for days without informing the public carries no legal consequences under Canadian law.

In stark contrast to the U.S., privacy lawsuits are also relatively rare in Canada. Within days of the Sony security breach disclosure, a California lawsuit seeking class action status was filed arguing the company did not take “reasonable care to protect, encrypt, and secure the private and sensitive data of its users.”

Apple’s failure to respect user opt-out requests from collecting geo-location information similarly raises few ramifications under Canadian law. Although the Privacy Commissioner could launch an investigation, there is no real prospect of penalties or fines under the current law. Canadians may expect better of Apple and Sony, but the law has thus far failed to match those privacy expectations.

9 Comments

  1. Crockett says:

    I am not a database entry …
    I hate to say it but the US propensity to sue anything that moves in this case may have some validity. I say that with a grain of salt but these companies entrusted with our personal information have a high responsibility to safeguard it.

    In another blog, Sandy Crawley pointed me towards a book called ‘I am not a gadget’. I have read the first chapter and the writer is quite interesting. An artist at heart, he also has a wider perspective on the impact of technology on our lives, I look forward to the rest of the book.

    The obvious premise I have got so far is that the big tech companies are amassing greater power and control over our lives (similar to how the creative industries did in the past). Part of this is our fault as we often too easily hand over more of ourselves than we should.

    The recent high profile breaches of trust should make us stop and think as well as have these same companies think about their responsibility and practices.

  2. DPI and mandatory tracking
    The big thing that pops in to my mind is the DPI and mandatory tracking our illustrious government would like to force ISPs to implement, not that I think it’s at all feasible. But, if it were, isn’t there a huge potential for breach of privacy here? Really, if the ISPs can do it, any respectable hacker group is going to be able to do it.

  3. Graham J says:

    Apple did not breach privacy
    Your summary of the iPhone location database issue is inaccurate.

    The database was not “quietly installed,” it is part of the operating system and has been since at least version 3. This database does not store “location activity” but rather caches information about the location of cell tower and WiFi hotspots as part of the AGPS location system.

    Apple did not acknowledge that they collect this information, they acknowledged that phones store the information. It is not sent to Apple or anyone else.

    The issue was that this data was not regularly deleted and that it was backed up along with other databases. This is changed in the new 4.3.3 update. There never was a privacy issue, the issue was that of data retention which can become a privacy issue if someone gains access to it.

  4. end user says:

    @Graham J wrote: Apple did not acknowledge that they collect this information, they acknowledged that phones store the information. It is not sent to Apple or anyone else.

    Read #8 http://www.apple.com/pr/library/2011/04/27location_qa.html

    From reading, it seems the ithings also collect time stamps with the tower locations. Why would you need time stamps? Unless you plan on using that data and selling it to your other customers, you know, advertisers.

  5. It is not clear to me that starting a class action lawsuit is anything but symbolic. So far no one has ever won such a suit, and most such suits have been thrown out of court before they have even had any evidence. So US law doesn’t necessarily give much more protection than ours. True, there is mandatory data breach notification in most states, but did Sony disclose any more quickly there because of it? And were Canadians prejudiced in practice because we don’t have such a law (yet)?

    I agree with the basic theme here that we have to watch out for our information. Probably laws on secure data storage would be more useful than on breach notification – but PIPEDA already requires personal information to be kept secure. Maybe there needs to be a rule about statutory damages, i.e. damages that don’t rely on proof of actual loss.

  6. Graham J says:

    @end user – You would need timestamps to remove older entries in the database.

  9. Systems need to be designed to prevent privacy breaches
    Tough data breach laws with significant consequences for perpetrators are part of the mix but without some real thought into how systems can be designed with privacy/data protection rights considerations as a top priority (or even condition precedent) I fear that these solutions will at best remain a patchwork of reactions that won’t safeguard the right to privacy and data protection. One way forward would be to impose mandatory privacy by design (see e.g. http://www.edps.europa.eu/…/10-03-19_Trust_Information_Society_EN.pdf or the Kerry-McCain Bill in the US).