Critical technological dependency requires a revised privacy policy of major service providers


The biggest lie on the Internet is when users click the 'I have read and understand the Terms and Conditions' button that service providers continually ply users with for new services and applications or updated operating systems. CEPIS is concerned that to obtain such services users are left no option but to accept their increasingly invasive privacy policy conditions, according to an 'all-or-nothing' approach. This is particularly dangerous in the realm of e-government, e-banking and e-commerce. Users of these services often have no other alternative but to engage, but in doing so they diminish their control of their own data. It is unclear whether these conditions are always lawful and proportional.

CEPIS strongly defends the principle according to which ICT technologies should guarantee the privacy of potential users prior to their introduction. Effective privacy enforcement should be guaranteed by demanding privacy by design and fostered by mechanisms that prevent the unnecessary collection of data. CEPIS therefore urges all parties and stakeholders to work together and take action to protect the privacy of European users and companies. Doing so will help generate the trust that is needed to reap the benefits that digital innovation can provide to the European economy and society at large.

A complete summary of the statement below is available here and the press release here.



Statement: Critical technological dependency requires a revised privacy policy of major service providers

1. Background

From a technological perspective, we live in a very interesting, ever-changing world. Major service providers are providing the citizens of this world with new operating systems and accompanying services and applications, such as Google’s Android system, Apple’s iOS and OS X systems, and Microsoft’s Windows 10 system. The built-in technology enables us to digitally explore the world. We can use numerous applications (apps), connect with one another via video and VoIP, work on documents and play games more efficiently and pleasantly. At the same time, we can read the latest news, search our traffic routes by means of elaborate (3D) maps, listen (online by streaming and downloading) to music and watch videos or TV, while we store all kinds of personal and non-personal information in the cloud, on hard disk and SSD. We are able to interact vocally or via text with the operating system and the outside world, using intelligent digital assistants like Cortana in Windows 10, and Siri since iOS 5 and OS X 10, as well as Google Now in Android, iOS, Chrome OS and Windows. In addition, service providers provide more interaction between their systems, applications and services. This is what we get from the major service providers of this world.

However, it turns out that lately we cannot get these services without accepting the ever-changing (general) privacy policy conditions of the major service providers as a type of return (of investment) favour. We have to accept these conditions prior to the usage of their services. Default settings allow large collections of data from the users of the system, applications and services. At the same time Internet connections are increasingly used wirelessly and thus everywhere we go. Where one goes can also be traced precisely by the operating system and the service provider, if we permit localisation services. Whenever we don’t allow the tracking and tracing we get less or no service.

Besides the aforementioned service providers we can also refer, for example, to major broadcasting companies like RTL. They provide television broadcasting and online video services only when we accept the quite extreme and drastic privacy policy conditions. This policy adopts a “take it or leave it” approach, which is beyond the control of the user. When we want to use the services (and who doesn’t?), we have to digitally accept the privacy conditions and hence allow excessive collection of our (personal) data. The same holds true for the use of all kinds of apps and games as well as the services Facebook has to offer. The privacy settings are not always transparent to the user and are from time to time reset by the provider or need to be reset by the user.

Meanwhile, the user of the aforementioned systems, applications and services is increasingly pushed by the major service providers to accept all kinds of updates of the systems, apps, and services. Previously, the user was given the option of installing updates. Now, we are more or less obliged to accept the latest updates. This can lead to significant problems, such as with the Microsoft Anniversary Update for Windows 10. In some cases the update caused severe system failures [1]. This shows how dependent the citizen, industries, companies and the government have become on these technologies. After updating, the user has to check the privacy settings again because they might have changed without notification. This dependency becomes a critical dependency when the government asks us - in some cases even with no other option - to use these technologies in order to interact with the government for e-government purposes, such as online tax administration and non-physical interaction with the government, which is more and more the case in, for instance, Italy and other (European) countries.

2. Concerns

Given the increasing (critical) dependency of European citizens, industries, companies, organisations, institutions and governments on certain operating systems, applications and services, CEPIS would like to raise the general concern that the aforementioned users are left no other choice than to accept the general conditions of the major service providers of our world, such as (often inappropriate) privacy policies and no or insufficient guarantees in case of malfunction. It is no longer transparent for users whether the privacy policy conditions of these major service providers are lawful and proportional. When government, banking authorities and ever expanding e-commerce companies force us ever more into an online world, this major concern becomes even more critical. In a way, e-government, e-banking, and e-commerce diminish the control we have over our privacy and in some cases even over our democratic values [2].

In the aforementioned cases of (critical) technological dependency, the European user no longer knows where to turn. This also leads to a lack of trust, which is harmful for economic and societal relations. In other words, the accountability for the compliance with the European General Data Protection Regulation (GDPR) [3] of these major service providers is at stake, in particular regarding their large-scale collection of personal and non-personal data of users. In the longer run this could lead to less efficiency than desired and thus more costs for the European society because of non-compliance with the European and domestic privacy legislation.

One could summarise the serious concern of CEPIS as follows. There is a growing critical dependency on certain systems, applications and services provided by major service providers and the government in order to interact with the outside world. These major service providers and the government should refrain from unnecessary data collection given this critical technological dependency. At the same time, critical updates should be implemented flawlessly.

The EU has undertaken some action on the excessive collection of personal data by major service providers. The Article 29 Working Party on data protection (also known as G29 or Art. 29 WP) is looking into the matter. The Art. 29 WP is a working party with advisory status which acts independently. It is composed of representatives from all EU Data Protection Authorities, the European Data Protection Supervisor (EDPS), and the European Commission. The working party created a Contact group in order to examine the issue of excessive collection of personal data by major service providers and conduct investigations in the various Member States concerned. At the moment, Microsoft’s Windows 10 is under investigation. The French Data Protection Authority CNIL was the first to present its findings, which can be summarised as follows: irrelevant or excessive data is collected that is not necessary for the operation of the service, there is a lack of security regarding user data in the Windows Store, there is a lack of individual consent regarding targeted advertising, there is a lack of information about cookies and no default option to block cookies for advertising, and - at the time of the investigation - data was still being transferred to the USA without a proper legal basis. On the basis of its findings the Chair of CNIL issued a formal notice to Microsoft in July 2016 to comply with the French Data Protection Act within three months. If the serious data protection breaches continue, a sanction might be issued by CNIL against the company [4] [5].

3. Recommendations

1. Notwithstanding strong and efficient EU data protection, the increasing critical technological dependency on operating systems, applications and services in this era requires new data protection mechanisms in order to prevent the hegemony and continual expansion of the general privacy policy conditions of the major service providers.

2. When critical technological dependency is at stake, the European Union and the EU Member States should impose proper privacy-preserving conditions and solutions, especially to prevent the unlawful and disproportional gathering of data and information in such cases. This would be a positive leap for effective EU data protection.

3. To enable the actual enforcement of the EU General Data Protection Regulation (GDPR) one should be open to alternative approaches. An appropriate level of security should be safeguarded by reliable implementation of (security) updates. An effective privacy enforcement should be guaranteed by not only demanding the facilitation of privacy by design, but also by fostering it through the introduction of new effective privacy-preserving mechanisms regarding critical technological dependencies. Hence, in order to preserve privacy in the long term, some alternative regulatory approaches targeted at major service providers will be necessary to enhance the required trust and security in the European privacy-preserving landscape.

4. There should be transparency in the handling of (personal) data in cloud computing and security. Companies should collaborate on the issue of security and regulation should define what minimum level of security can be deemed reasonable. Security competition should avoid becoming a race to the bottom, as security loses too often against cost saving.

5. The following alternative approaches should be investigated by the responsible European and domestic authorities, in particular the Data Protection Authorities:

a) The possibility of requiring a certificate of conformity as proof of compliance with the GDPR and national Data Protection Acts prior to the introduction of new operating systems, services, and applications (looking at it as a data protection driver's licence to drive safely and in a privacy-preserving manner on the electronic highway).

b) The possibility of requiring major service providers to elaborate a much more preventive strategy with respect to the privacy protection of their users, e.g. by demanding much more self-regulation, self-reflection, and checks and balances regarding privacy-safeguarding and data protection prior to the introduction of new technologies, operating systems, applications and services.

c) The possibility of introducing a new permanent independent group of both legal and ICT privacy experts that performs an independent, mandatory privacy check, under the auspices of the EDPS and the national Data Protection Authorities, prior to the introduction of new operating systems, applications and services.

d) Replacing the current opt-out behaviour of the new operating systems with an opt-in model, wherein each transfer of personal data must be explicitly authorised by the user, while all defaults during installation and configuration initially prevent such transmission [5].

e) Ensuring that effectively secured communication prevents third parties from obtaining data [5].

f) Requiring service providers to inform their users clearly, through detailed documentation, which data is transmitted for each of their individual option selections, and to prove that no data is transmitted to the manufacturer or to a third party without the user’s authorisation [5].




References

[1] See for instance: https://www.reddit.com/r/Windows10/comments/4vyifo/bug_windows_10_anniversary_update_tanked/d7l59nn

[2] For example, in the report “For your eyes only? Ranking 11 technology companies on encryption and human rights” of 21 October 2016, Amnesty International states that especially Skype and Snapchat protect the rights of their users insufficiently and thus compromise these rights. In order to protect the rights of ordinary citizens, peace activists and oppressed minorities everywhere in the world, and to allow them to exercise their freedom of expression, Amnesty International asks the companies involved to use and ameliorate end-to-end encryption in their apps. See:

https://www.amnesty.org/en/latest/campaigns/2016/10/which-messaging-apps-best-protect-your-privacy/;

https://www.amnesty.org/en/latest/news/2016/10/snapchat-skype-among-apps-not-protecting-users-privacy/; and

https://www.amnesty.org/en/documents/POL40/4985/2016/en/

[3] In January 2012, the European Commission proposed a comprehensive reform of data protection rules in the EU. On 4 May 2016, the official texts of the Regulation and the Directive were published in the EU Official Journal. The Regulation entered into force on 24 May 2016. However, it shall apply from 25 May 2018. See: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); See: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC

See also: Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; The Directive entered into force on 5 May 2016. The EU Member States have to transpose it into their national law by 6 May 2018; See: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0089.01.ENG&toc=OJ:L:2016:119:TOC

The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform is considered a key enabler of the Digital Single Market, which the Commission has prioritised. The reform should allow European citizens and businesses to fully benefit from the digital economy. See: http://ec.europa.eu/justice/data-protection/

[4] Decision No. 2016-058 of 30 June 2016 serving a formal notice on Microsoft Corporation; See: https://www.cnil.fr/en/windows-10-cnil-publicly-serves-formal-notice-microsoft-corporation-comply-french-data-protection

[5] See: https://www.gi.de/aktuelles/zur-diskussion/detailansicht/article/unternehmen-und-behoerden-lehnen-die-nutzung-von-windows-10-derzeit-ab.html