Internet privacy breaches sound alarm bells for worried businesses

Differences between EU proposals on data protection and those in the US raise a number of questions

Attendees wear Google Glass while posing for a group photo during the Google I/O developer conference in San Francisco last May. In some cases, governments themselves are responding to privacy worries. Last week, Brazil changed its proposed data-protection law to require that citizen data be hosted within Brazil, prompting complaints from Facebook and Google. Photograph: Justin Sullivan/Getty Images
Attendees wear Google Glass while posing for a group photo during the Google I/O developer conference in San Francisco last May. In some cases, governments themselves are responding to privacy worries. Last week, Brazil changed its proposed data-protection law to require that citizen data be hosted within Brazil, prompting complaints from Facebook and Google. Photograph: Justin Sullivan/Getty Images

For businesses, the twin issues of data privacy and protection have never had a higher profile. International data surveillance concerns for individuals and business have been in the headlines for weeks, following the revelations of large-scale US and UK data-spying programs such as Prism by former US government IT contractor Edward Snowden.

Meanwhile, the regulatory oversight by the Irish Data Protection Commissioner of online giant Facebook has drawn global attention as has the fast- tracking here by the Government of a proposed EU-wide data protection regulation during Ireland's recent EU presidency.

High on the agenda is concern about where data is held and who can legally access it, especially with so many companies moving to the cloud and servers located globally. Businesses however are also concerned about possible costs and disruptions associated with data-protection regulations, especially as such laws are very different in the US and Europe.

Some fear those differences, and US laws allowing surreptitious access to data, will force businesses to operate in different frameworks on either side of the Atlantic or abandon one market or the other.

READ MORE

For example, earlier this year at the RSA Data Security conference in San Francisco, Trevor Hughes, head of the US-based International Association of Privacy Professionals, said in a presentation that he thought the "right to be forgotten" in the proposed EU data- protection regulation – which would require businesses to delete a person's data on request – would be daunting for companies.

In some cases, governments themselves are responding to privacy worries. Last week, Brazil changed its proposed data- protection law to require that citizen data be hosted within Brazil, prompting complaints from Facebook and Google.


Privacy issues
All of these wide-ranging privacy issues have been clocked by Irish businesses, says information security consultant Brian Honan, who has advised businesses and government departments in Ireland, Britain and Europe.

He feels any company that has taken its data-protection security seriously will not have been totally surprised by Snowden’s revelations of US and UK surveillance, “but I do think . . . that the extent to which it’s happening has taken companies by surprise”.

Company concerns aren’t just about governments accessing data on servers, he says. Data-retention legislation in Britain and elsewhere, including Ireland, requires the storage of phone call and internet usage data for residents for up to two years.

Indeed, concerns about surveillance and data access should not just be focused on the US and UK, says Dr Darius Whelan, lecturer in law at University College Cork.

“People sometimes used to say, don’t do business with the States because their data protection isn’t as strong as Europe’s. But as people delved into that and discovered programmes like Echelon [a US- UK digital spying programme from the 1990s] and data-retention laws, it seems Europe is not all that great either.

“Europe has always had a false sense of superiority towards the States that isn’t borne out by the evidence,” he says. “We need to be careful about pointing fingers.”

Nonetheless, the EU does have stronger privacy protection – and more regulation – on the books, he acknowledges – yet this can cause concerns.

“At least at a macro level, there can be a perception that Europe is more difficult to trade in, from a privacy perspective, and Europe needs to be aware of that – but I do think that [extra protection] is a good thing,” he says.

The EU has argued that its proposed data-protection regulation, which would be consistent across all member states, will make doing business in the EU much easier, taking out €2.3 billion in annual costs for businesses.

However Britain’s ministry of justice has predicted net costs to business of between £80 million and £320 million a year. However, the vast majority of businesses have little to no ability to measure costs, going by a May study from Britain’s data protection regulator.

It indicated over 80 per cent of 506 businesses polled could not quantify what they currently spent on data protection, and almost 90 per cent had no notion what they might need to spend under the proposed EU regulation.

Honan sees the same confusion about the demands, as well as associated costs, of legislation in Ireland. “I have clients struggling to understand the current regulations,” he says.

His clients are also concerned about proposed requirements, such as to have a data protection regulator in-house.

“Many would believe they should have that already, if a company is doing data protection correctly. Invariably, there is going to be a certain amount of cost.”

One trend he is seeing is clients pushing for better and more explicitly defined contracts and deals from cloud providers, especially multinationals. The big multinational cloud providers already offer European clients an EU-based cloud, as EU clients need this to comply with data protection regulations.

He notes however that companies have to rely on assurances about the privacy of data from US-based companies – companies that “still have to comply with US regulations” on data access.


Changing landscape
Such uncertainty is enabling some European companies to see opportunity amid the changing privacy landscape, offering not just European but US and other global customers, services and cloud space under more protective EU privacy regulations.

"There are opportunities for European companies and service providers to promote themselves as being more privacy-oriented than the US, and other countries such as China, " Honan says. "It is a market gap and the privacy laws here are the most stringent in the world." He is aware of several start-ups in Ireland and elsewhere hoping to move into just such a niche.

Privacy and data concerns may also open the door a bit more for open source solutions, both Whelan and Honan say, as the code for open- source applications is freely available and generally examined carefully by many coder eyes for possible security flaws and surveillance “back doors”.

“But open source isn’t a panacea in itself,” Honan warns. “It all depends on how good the eyes are that are looking at the code.” He advises his own clients: “As a business, you need to think what are [your] security and privacy requirements and then think, what are the best places to host that.”

Whelan believes it is too early to tell if the greater awareness about data privacy will alter the business market or change consumer behaviour.

“Whether in the long term it all makes a big difference is hard to predict, but businesses and consumers can definitely change things over time.”


For your eyes only: Google patents 'pay-per-gaze' technology
Google has received a patent on its Google Glass for a "pay-per-gaze" technology that raises further privacy issues for users.

It puts forth an idea for pay-per-gaze advertising – a way in which people interacting with ads in the real world could be analysed in the digital world.

In the patent, which was filed in May 2011 and granted last week, Google claims that “a head-mounted gaze tracking device” – presumably Google Glass – would send images and the direction the person wearing the device was looking to a server. The system would then identify real-world ads the person wearing the gadget had seen, allowing Google to then charge the advertiser.

As Google notes in the filing, advertisers can be charged a fee based on whether a person looks directly at an ad in the real world, and the fee can change based on how long they interact with the ad.

Google does not show any advertising in Glass. It goes so far as to forbid app developers from selling apps or ads, too.

But there have been suggestions that Google will eventually show ads and the company has consistently said it expects Glass to be profitable.