Aug 11, 2010

Inspector Gadget—Privacy Issues and “The Case of the Missing Camera”

By Fran Maier
President
TRUSTe

Most people by now have an idea of how important it is to protect the information on their PCs. But PCs aren’t the only things that store data or connect to the Internet. Smart phones, digital cameras, gaming consoles and a whole range of “web-enabled” gadgets can transfer or share your information. And it’s not just the hardware. Mobile applications, social applications, networked games, and other software also put your private data at risk of exposure.

For example, look at what happened to me just last month. My digital camera was lost or stolen at the Ritz Carlton bar in Berlin. I was devastated. Not only was my nice new toy gone, but along with it the many pictures of the boys and me biking around Berlin were lost forever. Then a few days ago, I received an email that said 73 photos had been uploaded to my Eye-Fi account. Eye-Fi is an SD memory card that wirelessly transfers photos to your PC or uploads them to the Eye-Fi service or your favorite photo-sharing site. It also geo-tags them, which is quite handy.

I immediately went to the new album and, to my surprise, saw pictures of a very blond family—not my family—enjoying my camera on an Alpine vacation. Unfortunately, the card didn’t upload the biking pictures that I had taken in Berlin. Some of the pictures were geo-tagged as well, so I knew the general area where my camera was now held hostage.

I’d like my camera back. I’d like my pictures back. But more importantly, this highlights the privacy issues around gadgets that connect to the Internet. Even if the transmitting or sharing is in your control—and even if you chose to “opt in” to a service—you could lose your device, forget your settings or sell the device without considering the information you have on it or what apps on the device may still share information. Or, as in the case of the newfound “owners” of my camera, a device in your possession may be communicating to the world without you knowing it.

What can you do? Here are some guidelines for consumers and companies.

Consumers

1) Know Your Gadgets — Understand their capabilities and what information they may be collecting. It also pays to know what options you may have around sharing your information, such as whether your gadget will notify you or ask your permission before accessing and transmitting your data.

2) Demand Choice — Mobile or web-enabled devices should require you to opt in to sharing information, especially personal data, location information, photos, and the like. You should also have the persistent ability to change those choices. When you purchase or activate a new device or software application, make sure that the default settings do not transmit or share information without your consent.

3) Secure Your Device — Remember that when you lose a device the information on it can also fall into the hands of unsavory individuals. Take advantage of any options available for remotely turning off your device or wiping it clean. For example, with the iPhone, Apple offers a remote find and “remote wipe” as part of its MobileMe service. Of course you have to choose to use this feature and enter a password. Additionally, you should remember to back up your information.

4) Clean Your Gadget — Before selling a used phone, iPad, iPod, MP3 player, computer, camera or any electronic device that has a memory, be sure to wipe it clean. Remove the memory card. Most computers provide a way to reformat and wipe clean personal data.

5) Share Location Information Carefully. It’s great to have check-ins and tag pictures of where you’re at and also be able to find your friends. But on the flip side are stalkers, thieves and others who may not have your best interests in mind. Don’t broadcast the fact that you’re on vacation, for example.

6) Share Friend/Family Information Carefully — While you might be fine with having all of your information transmitted widely, your friends and family may not have the same inclination. Be especially careful with photos and information of children.

7) Remember Anonymity Only Goes So Far. Even if you think you are anonymous, on a dating site, or in photo galleries, unsavory players can potentially identify you by putting together a number of data points, such as location, what your T-shirt says, people with whom you are associated, and what you bought. Anonymity can be lost.

8) Check Stuff You Buy (or Find). Be sure that it isn’t enabled to share your information based on the prior owner’s settings.

9) Do Unto Others. If you find yourself with someone else’s data, consider what you’d want them to do with your information.

10) Share this Advice. We’re all in this together; we can all educate one another.

Businesses (Makers of Devices and Applications)

1) Provide Transparency — Make it clear how the device works and what it transmits or shares.

2) Provide Choices — Set the defaults to a privacy-protecting level. Make consumers opt-in to sharing or transmitting information.

3) Provide Security — To the extent possible, provide ways for consumers to protect their information on a device. These features can include physical protection, password controls, remote management, etc. Try to make these easy to access and use.

4) Understand Data Sensitivity. Recognize that your software and gadgets may have sensitive information (financial and health data, for example). Take extra care to secure and educate your customers.

5) Design for or Build in Privacy — Make sure someone on the product and development teams (not just the legal or regulatory compliance teams) understands privacy implications.

6) Require Your Partners to Protect Privacy — Ensure that your partners live up to your requirements, which includes monitoring them for compliance.

7) Have a Privacy Policy — Be sure that it accurately reflects your practices and your commitment to providing privacy and choices. (TRUSTe can help develop and certify your privacy policy and program.)

8) Be Accountable — Provide consumers a way to contact you as it relates to your device. Monitor your systems—continuously. Consider working with a third party such as TRUSTe for consumer dispute resolution.

9) Understand the Differences of International Privacy Law — Some countries might be much more restrictive about what can be shared or transmitted than others. Other countries might want rights that intrude upon your customers’ privacy. Be sure you understand.

10) Share this Advice. Like consumers, businesses and other organizations need to learn and embrace best practices. TRUSTe will help.