Internet publications by minors

January 21st, 2010

At the end of a blog post (in Dutch) on age verification by internet forums Arnoud Engelfriet briefly addresses the issue of minors publishing personal data on the internet: (my translation)

Another issue is publication of personal data. That fourteen-year-old may publish things about himself that the parents don’t want to have online. The parents may at any time demand that this information is removed, and in many cases they can even hold the site liable because the information was published there. This follows from the Dutch Data Protection Act, which is very strict about this.

It is correct that the Data Protection Act (following Directive 95/46/EU) is rather strict where consent by minors (children under sixteen) is concerned. The Article 29 Working Party, by the way, presents a slightly more balanced view in its opinion on children’s privacy:

However, the question arises whether children who can in certain cases conclude legal acts without the consent of their legal representatives (in instances where they enjoy partial rights), can also give valid consent to the processing of their own data.
According to applicable local regulations, this might occur in cases of marriage, employment, religious matters etc. In other cases the child’s consent might be valid on condition that the legal representative does not object. It is also clear that children’s level of physical and psychological maturity must be taken into account and that from a certain age they are able to judge matters related to them. This might be important in instances where the legal representative does not agree with the child but the child is mature enough to decide in his or her own interest, for example, in a medical or sexual context. Instances where the best interest of the child limits or even prevails over the principle of representation should not be neglected, and need further consideration.

But also within the framework of the Data Protection Act there is more leeway than is often assumed.

Consider, for instance, the situation where a child less than sixteen years of age enters into an agreement. A web hosting agreement (an example given by Engelfriet) may be dubious, but using certain “free” web services is very common. Data that are necessary for the performance of this contract may be processed on the basis of article 8 under b of the Data Protection Act (cf. article 7 under b of Directive 95/46). Consent in that case is not an issue, and the legal guardians in principle have no role.

And what about the example in question? Is it possible for a minor to act as a controller for the processing of personal data without his parents’ consent? I would say yes, in some cases. For instance with most types of participation in an online forum, which is the situation discussed. Formally, the child is then obliged (as data controller) to ask itself (as data subject) to consent to the data processing. Normally this consent is implicit when one processes data about oneself, but here it must be given by the legal guardian. So if the parent doesn’t agree, too bad for the child. But if the parent does not explicitly oppose, maybe this is a case of implicit consent. And in many cases the parents will of course have no problem with the publication at all. Anyway: this changes the position of the forum manager. He is also a controller, and therefore cannot just deny any responsibility. The Dutch Data Protection Authority, in its Guidelines on the Publication of Personal Data on the Internet (in Dutch), says the following: (my translation)

The controller may be the owner of a website, the drafter of a personal profile, but also the owner/manager of a discussion forum. In a discussion forum, or a commenting facility under posts, readers may make contributions in which personal data are processed. In principle everyone who makes such a contribution is himself responsible for the processing of this data, but the general responsibility for fair processing lies with the forum owner/manager, since he determines the purposes and means of the processing. The website or forum owner/manager, the person who in a formal legal sense has control over the processing, offers the possibility to publish data and as a consequence has the duty to ensure fair and lawful processing of personal data.

So, as I said, the forum owner has a certain responsibility of his own. But that does not imply an obligation to first perform age verification and then ascertain consent of a legal guardian. The question as to whether it is reasonable to demand this is at the very least open to discussion. And those who take the position that it is should then also explain why it is not equally necessary to check, for every adult forum participant, whether they have been placed in a trusteeship. For in those cases, too, article 5 of the Data Protection Act requires that the legal guardian give his consent instead of the data subject.

RockYou data breach

January 6th, 2010

Most readers will have learned by now of RockYou’s massive data breach and the lousy way the company handled it. There is an interesting side to this story that I haven’t seen pointed out elsewhere.

As Bruce Schneier likes to point out, security (like so many other things…) follows the money. This excerpt from the statement RockYou issued in response to the incident provides a clear case in point:

[The breached] database had been kept on a legacy platform (…) The platform breach did not impact any advertiser or publisher information, which we maintain on a separate and secure system that is not a legacy platform.

Yes, we at RockYou care about advertiser and publisher information, because that’s where our revenues come from. Those darned users who only use system resources and bandwidth, on the other hand…

Electronic payments and privacy

January 6th, 2010

Paying cash is outdated. Within a couple of years all our payments will be handled electronically. Convenient, but also yet another blow to our privacy. That is the gist of a blog post (in Dutch) by Pieter Stuurman. But is he right? Well, yes and no…

Yes. For even though we leave our personal data with ever more shops, and there are ever more security cameras surveilling the places where we pay, paying cash is still more or less anonymous. When in a while we pay with our debit and credit cards everywhere, we will have lost that anonymity. That does not necessarily have dramatic consequences for our privacy, though.

First of all, there is always still the chipknip (Dutch chipcard e-wallet, cf. Mondex). Sure, loading it can be traced by the bank, but paying with the chipknip is anonymous. There even exists a completely anonymous prepaid chipknip. Especially for smaller payments where privacy is important that is a fine solution. A condition for this is of course that banks do not – for instance under pressure of the government or of international standardization – cross anonymity out of the chipknip protocol.

Secondly, although it may be true that our data are recorded, that does not imply that they will automatically be accessible just anywhere to just anyone. The bank may obtain an overview of how much money we spend in which places, but which products or services we buy with it is in principle only known to the individual shop owners. There are legal restrictions on their disclosure of this data to others.

Finally, the assumption that electronic payments are by definition harmful to our privacy is incorrect. Even without using a chipknip, electronic payments can in theory be performed on an anonymous basis just fine. The required techniques and protocols were developed by US mathematician David Chaum over a quarter century ago. Unfortunately he failed to successfully bring these techniques to market. Of course the infrastructure for electronic payments will not be spontaneously redesigned along these lines, but perhaps there are banks that spot a competitive edge here as consumer privacy worries are back on the rise. The most important question may be whether standards for handling electronic payments allow for the use of techniques for anonymous payments – which of course they should. Incidentally, Chaum’s techniques – as further developed by, above all, Stefan Brands – are witnessing a comeback as anonymous credentials.

So no, in theory the predicted end of cash payments need not be seriously detrimental to our privacy. But in practice that may very well happen, just like that. And the way in which things move is not so much a matter of technical possibilities and inevitabilities, but much more of choices made by the companies, government bodies and other organizations involved. And therefore also of the influence you and I try to exert on them.

Welcome to the IDwise blog

January 1st, 2010

As we enter the second decade of the twenty-first century, online identity and privacy issues are rapidly becoming a topic of major interest. This post is a very brief introduction to some of the issues that I will be covering in much more detail in this blog.

Internet identification and authentication

The internet was designed back in the 1960s without a proper identity layer. As it takes center stage as the global communication platform of choice, this lack is a major enabling factor for identity theft and cyber crime. Therefore, the need to establish reliable and convenient ways of identifying people online and authenticating their identities is recognized as one of the internet’s main challenges. At the same time, the move towards proper identification and authentication is taking the internet yet another step further away from the cybernaut sanctuary it was once perceived to be – see John Perry Barlow’s Declaration of the Independence of Cyberspace for a radical articulation of this view. This raises issues of control, privacy and the protection of personal data. ‘Privacy’ here should not be construed in the narrow sense of secrecy (as is the case particularly in US law and jurisprudence), but rather as people’s control over their personal data and its use by others – I will further iterate this point in future posts. Advanced techniques that can help address these issues already exist (e.g. anonymous credentials) and are being further developed. Unfortunately, that does not by itself guarantee that these techniques will become part of the new online identity infrastructure that is now being designed and constructed.

E-government

Meanwhile, governments across the globe are rolling out all sorts of electronic means of identification. E-government is one of the main drivers for this trend, but as government-issued eIDs mature, private companies are getting more and more interested in using them for their own purposes. This raises dataveillance concerns spanning both the public and private sectors.

Social networking

Another more recent, but equally significant development is the rise of online social networking. In their quest for members (and, ultimately, shareholder value) social networks benefit – at least in the short term – from maximum public exposure of member profiles, also through search engines. As a result, members’ privacy is constantly at peril, as was evidenced only too clearly by Facebook’s recent attempt to have members make their profiles public under the guise of improving privacy. But even if in the future social networking sites do respect their members’ privacy, there will still be a major privacy problem. This is due to the privacy paradoxes inherent in social networking: even though many social networkers may in fact be privacy conscious, disclosing personal data is essential for establishing trust in relationships, and making personal data public is very conducive to strangers with similar interests meeting each other. How these privacy paradoxes might be solved is one of the big open questions of internet privacy.

This blog

In these pages I will focus on online identity and privacy issues. Often, all these aspects will be combined in a post. At other times, I may focus on a specific privacy or identity topic to make a point. In any case, reader comments are very welcome so as to make this a living and interactive blog.