Archive

Posts Tagged ‘fundamental right’

Do you know the minimum age your child must reach before signing up online?

May 27, 2013 1 comment

As the Internet permeates every aspect of the economy and society, it is also becoming an essential element of our children’s lives. While it can bring considerable benefits for their education and development, it also exposes them to online risks such as access to inappropriate content, harmful interactions with other children or with adults, and exposure to aggressive marketing practices.

Children online can also put their computer systems at risk and disseminate their personal data without understanding the potential long-term privacy consequences.

In addition, there are other risks for children using online environments, such as:

Privacy risks:

  • cyber-bullying
  • cyber-stalking
  • age-inappropriate content
  • online grooming
  • identity theft
  • emotional implications.

Besides support and guidance from parents in the online environment, an appropriate level of mental development and understanding is important for a child using an online platform. For these reasons, both the United States and the European Union have set a minimum age for accessing the “online world” as a legal requirement.

E-Crime Expert thinks that the minimum age a child must reach before signing up for an email account, Facebook and the like should be a topic of interest for parents. For this reason, we researched the minimum age requirements of some of the most popular online sites and platforms.

The Children’s Online Privacy Protection Act (COPPA) in United States applies to the online collection of personal information by persons or entities under U.S. jurisdiction from children under 13 years of age. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children’s privacy and safety online including restrictions on the marketing to those under 13. While children under 13 can legally give out personal information with their parents’ permission, many websites altogether disallow underage children from using their services due to the amount of work involved.

In the European Union, the European Commission released in January 2012 a Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

This Proposal has specific requirements with regard to children. They deserve specific protection of their personal data, as they may be less aware of the risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, the Regulation takes over the definition laid down in the UN Convention on the Rights of the Child.

“Article 8
Processing of personal data of a child

For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian. The controller (i.e. the person in charge of the collection, use and disclosure of personal data) shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology”.

Following are the minimum age requirements for children using different Internet websites, Social Networking Services and other online platforms:


 1.      Facebook:

How old do you have to be to sign up for Facebook?

In order to be eligible to sign up for Facebook, you must be at least 13 years old.

The minimum age requirement on Facebook is only loosely enforced: simply lying about your birthdate circumvents the policy.

The Children’s Online Privacy Protection Act (COPPA) does not ban under-13s outright, but it requires verifiable parental consent before a website may collect personal information from them. Rather than build that consent process, Facebook’s Statement of Rights and Responsibilities requires users of the social network to be at least 13 years old (and even older in some jurisdictions).

According to MinorMonitor, over 38 percent of children with Facebook accounts are 12-years-old and under. Even more worryingly, 4 percent of children on Facebook are reported to be 6-years-old or younger, which translates to some 800,000 kindergarteners on Facebook.

These results come from a survey of 1,000 parents of children under 18 who use Facebook. MinorMonitor provides a free, web-based parental tool that gives parents a quick view into their child’s Facebook use, including potentially dangerous activity such as friending online predators, cyberbullying, violence, drug and alcohol use, and sexual references.

2.      Google:

Age requirements on Google Accounts:

  •  United States: 13 or older
  •  Spain: 14 or older
  •  South Korea: 14 or older
  •  Netherlands: 16 or older
  •  All other countries: 13 or older

Some Google products have specific age requirements. Here are a few examples:

  • YouTube: when a video has been age-restricted, a warning screen is displayed and only users who are 18 or older can watch it.
  • Google Wallet: 18+
  •  AdSense: 18+
  •  AdWords: 18+

3.      Yahoo

When a child under age 13 attempts to register with Yahoo!, Yahoo! asks the child to have a parent or guardian create a Yahoo! Family Account to obtain parental permission.

Yahoo! does not contact children under age 13 about special offers or for marketing purposes without a parent’s permission.

Yahoo! does not ask a child under age 13 for more personal information, as a condition of participation, than is reasonably necessary to participate in a given activity or promotion.

Yahoo! is concerned about the safety and privacy of all its users, particularly children. For this reason, parents of children under the age of 13 who wish to allow their children access to the Yahoo! Services must create a Yahoo! Family Account. When you create a Yahoo! Family Account and add your child to the account, you certify that you are at least 18 years old and that you are the legal guardian of the child/children listed on the Yahoo! Family Account. By adding a child to your Yahoo! Family Account, you also give your child permission to access many areas of the Yahoo! Services, including email, message boards and instant messaging (among others). Please remember that the Yahoo! Services are designed to appeal to a broad audience. Accordingly, as the legal guardian, it is your responsibility to determine whether any of the Yahoo! Services areas and/or Content are appropriate for your child.

4.      Hotmail

As Hotmail’s Terms of Use make no reference to an age requirement for joining the service, we did our own registration, and it appears that 13 is the age requirement for joining Hotmail, as shown below:

I. First attempt, indicating the user is 6 years old: screenshots of steps 1 to 3 (not reproduced here).

II. Second attempt, indicating the user is 13 years old: screenshots of steps 1 and 2 (not reproduced here).

5.        MySpace 

  • You must be at least 13 years old to have a Myspace profile
  • If you’re under 16 years old, you’re not allowed to list your age as over 16 and make your profile public (your profile must be set to private)
  • If you’re under 18, you’re not allowed to list your age as over 18
  • Users under 18 are not able to make changes to their listed age

Notes & Tips

  • If you break any of the above rules, MySpace will be forced to delete your profile for safety and security reasons (it’s all in their Terms of Use)

6.      Skype

Skype does not directly set an age restriction in its Terms of Use:

“Jurisdiction’s Restrictions: If the law of Your country prohibits You from downloading or using Skype Software because You are under the age limit or because the Skype Software is not allowed in Your country, please don’t use it”.

Under this clause, the minimum age in the US is effectively the COPPA threshold of 13.

7.      LinkedIn

LinkedIn’s Privacy Policy sets the minimum age at 18:

“Children are not eligible to use our service and we ask that minors (under the age of 18) do not submit any personal information to us or use the service.”

8.      Twitter

Age screening on Twitter

Age screening is a way for brands and others to determine online whether a follower meets a minimum age requirement, in a way that is consistent with relevant industry or legal guidelines. This makes it easier for advertisers and others with content not suitable for minors (e.g. alcohol advertisers) to advertise on Twitter.

There apparently is no age restriction for setting up an account on Twitter (we set one up without being asked about our age). See below:

Step 1 and Step 2: done (screenshots not reproduced here).

For more advice on how children could stay safe online (you could also share this with your child), click here to visit the material E-Crime Expert specially created for this purpose.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Teaching Kids About Identity Theft

May 13, 2013 5 comments

Today, E-Crime Expert is pleased to introduce Nancy Parker, a freelance writer who loves writing articles on opinion and social awareness. Nancy is a frequent contributor to http://www.enannysource.com.

According to Julie Myhre*:

“Identity theft occurs when someone gets a hold of someone else’s personal information and poses as that person or uses that information to create their own fake identity. This information can be a full name, social security number or a bank account number“.

For children, identity theft occurs a little differently. Child identity thieves are looking for their victim’s Social Security number. Since children don’t have any credit history, it makes it easier for thieves to use their Social Security number and a false birthday to open credit cards.

Read below this interesting interview conducted by Michelle LaRowe:

“Identity theft is a real problem and, sadly, children are not exempt from having their identities stolen. Recently, I connected with Julie Myhre, who covers identity theft for NextAdvisor.com, and here is what she had to say.

eNannySource: How does identity theft happen?

Julie: Identity theft occurs when someone gets a hold of someone else’s personal information and poses as that person or uses that information to create their own fake identity. This information can be a full name, social security number or a bank account number. It’s usually easier for identity thieves to get information about an adult because adults have a lot of personal information about them; however, it is important to also remember that children can be victims of identity theft too. There are a lot of different ways that adults can be hacked; some of these include not having privacy settings on social media, clicking on phishing emails or pop-ups, losing a wallet, throwing away documents that contain personal information, and ATM or credit card skimming, among others.

For children, identity theft occurs a little differently. Child identity thieves are looking for their victim’s Social Security number. Since children don’t have any credit history, it makes it easier for thieves to use their Social Security number and a false birthday to open credit cards. The unfortunate part about this is that people who were victims of child identity theft don’t usually realize it until they are older and trying to apply for a credit card or loan. Thieves usually gather children’s personal information from sports team applications, school documents and any other documents that would have your child’s Social Security number on it.

eNannySource: How is it prevented?

Julie: There are a lot of different steps that you can take to prevent identity theft. One of the major ways to prevent identity theft is to sign up for an identity theft protection service. Most of these services monitor your personal information regularly and alert you if they notice any suspicious or possibly fraudulent activity. A good amount of these services also offer family plans, which will allow you to protect your whole family – including your children – from identity theft.

Some other options to prevent identity theft include shredding all documents that contain yours or your child’s personal information, checking your bank accounts and credit card statements regularly, monitoring your credit report and, lastly, knowing what you and your child post online. A lot of people don’t realize how much information they post about themselves and their family on social media. It’s fine if you want to include some personal information – such as your full name and photo – but make sure that you set your profile to private. Monitor what you and your child post on social media, and check the privacy settings regularly – at least monthly.

eNannySource: What basic things can parents teach children to avoid identity theft?

Julie: Parents should teach their children about identity theft in a similar manner that they teach them about strangers. If you think about it, it’s essentially very similar – someone you don’t know is trying to take something from you. Parents just need to teach their children that their personal information is private and they should not reveal any of it to people they don’t know. Children won’t understand the details of identity theft, so it’s important not to go into too many details. The bottom line is personal information should be kept personal, and it’s important that parents recognize that and teach it to their children.

eNannySource: What age do parents have to start worrying about identity theft?

Julie: Parents should begin to think about ways to protect their child from identity theft as soon as their child has a Social Security number.

eNannySource: Is it worth investing in some type of protection?

Julie: Yes, in most circumstances identity theft protection is worth the investment. The value of identity theft protection isn’t necessarily in the active personal information monitoring, because the reality is that people can do that part themselves. Instead, the value lies in the identity theft recovery that these services offer. In the instance that yours or your child’s identity is stolen while you’re signed up for an identity theft protection service, you are provided with all the information and tools you need to recover yours or your child’s good name. Identity theft protection services represent you when you’re dealing with the banks, credit bureaus and creditors. It lightens the load on the victim’s side and helps alleviate the nightmare of identity theft. The identity theft recovery assistance is a valuable tool to have if yours or your child’s identity is stolen.

eNannySource: What about the Internet? What are the top tips for parents of kids who use the Internet?

Julie: The most important tip that parents need to follow when their children use the Internet is to monitor what your child is doing and posting on the Internet. Have open communication with your child and make them aware that they shouldn’t be putting any personal information on the Internet – even if it’s your home address in a private message to a friend. Check in with your child and make sure these rules are being followed on all platforms, including the computer, cell phone and tablet. Check your child’s privacy settings on their phone and social media once a month to make sure the information they post on the Internet is set to private”.

*Julie Myhre is the Content Manager at NextAdvisor.com. You can review identity theft protection reviews and learn more about identity theft on the site.

To read the original post and find more about Julie, please click here.

This interesting interview nicely connects to one of E-Crime Expert‘s blog post, called: How secure is your Child’s Social Security Number?


18 Blogs with Techniques for Preventing Identity Theft

April 30, 2013 3 comments

Our concern for privacy and information security covers most areas of daily life, from IT, Social Networking Services and online commerce to children and, why not, nannies.

For this reason, E-Crime Expert is glad to have NannyWebsites.com as a guest today. NannyWebsites.com is the most comprehensive guide for nannies seeking advice, support and information, and a resource for nannies, nanny employers and those interested in in-home childcare. You can check out their website here.

The blog post below is provided by NannyWebsites.com.

“Identity theft has become an increasing problem as our world shifts to being more online and mobile.  Many people feel like there is no way to keep their information safe should someone want to steal it.  Is this the case, or are there things that you can do to make your information harder to steal?  These 18 blog entries touch on what you can do to protect your identity online, at work and when you are out and about living your life.  The press is doing an admirable job of bringing scams to light so that the public can be better informed and thus better able to protect sensitive information.  To learn what you need to know to keep your personal information safe, keep reading.

Online

With more and more people shopping and banking online, keeping your information safe from thieves becomes both more important and more difficult.  Avoid common or easy to guess passwords, as many times you are making the thief’s job easier.  For more online safety tips, take a look at these six blog posts.

At Work

While your employer likely has their own security measures in place, you still need to make sure that you are keeping your personal information safe from hackers or other co-workers.  When you go to a meeting make sure that your desk and computer are locked.  Don’t get your personal e-mail on your work computer, as that information can stay in that computer, even if you delete it.  To learn more important safeguards, read these six blog articles.

Out and About

If you pay for your gas and other snacks with a credit card that you can tap and go, you may want to stop using it.  While it’s a convenient way to pay for things, it’s also an easy way for a thief to pick up the credit card number at the same time.  When you are out for dinner and you pay the bill by sending your credit card with the waiter, you may want to keep an eye on him.  Specialized equipment designed to steal credit card numbers in a hurry has been found in various restaurants.  Check out these six blog articles and learn more about identity theft scams going on today and how to avoid becoming a victim.

To read the original Article click here.


SHODAN, the search engine: is it “scary” or not?

April 12, 2013 27 comments

E-Crime Expert presents today a search engine that is totally different, in functionality and scope, from the ones we are used to (e.g. Google, Bing).

For us (E-Crime Expert), Shodan has a positive value, as it uncovers security vulnerabilities. In other hands (e.g. cybercriminals), Shodan has a negative side, as it enables access to systems (routers, webcams, etc.) that have little or no security protection.

According to the description on its main page here, “SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners”.

Web search engines such as Google and Bing are great for finding websites. Rather than locating content matching a search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content, that is, with specific service banners.

How to use it:

Create a SHODAN account and log in, or log in with one of several other identity providers (Google, Twitter, Yahoo, AOL, Facebook, OpenID).

Logging in is not required, but the country and net filters are not available unless you log in.

Basic Operations:

Filters

-country: filters results by two-letter country code;

-filtering by country can also be accomplished by clicking on the country map (available from the drop-down menu); mouse over a country for the number of scanned hosts in that country;

-hostname: filters results by specified text in the hostname or domain;

-net: filters results by a specific IP range or subnet;

-os: searches for specific operating systems;

-port: narrows the search to specific services.
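The filter syntax above can be modelled offline. The following added example (written for this page, not SHODAN’s own code, and using constructed banner records in the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 rather than real hosts) parses a SHODAN-style query such as port:80 country:RU "default password" into filters and free-text terms, applies it to a small banner index, and then uses the net: filter the way a defender would: to list what an attacker could find in your own address range. The real service evaluates these queries server-side over its scan database; the matching rules here (substring for hostname, os and free text, exact match for port and country, CIDR containment for net) are this example’s assumption about its behaviour.

```python
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass
class Banner:
    ip: str
    port: int
    hostname: str
    country: str   # two-letter country code
    os: str
    data: str      # the banner the service returned when scanned


# Constructed sample index (not real hosts): documentation IP ranges only.
SAMPLE_BANNERS = [
    Banner("203.0.113.10", 23, "rtr1.example.net", "US", "Linux",
           "Login: admin  Default password: admin"),
    Banner("203.0.113.20", 80, "cam.example.net", "US", "",
           "HTTP/1.0 200 OK\r\nServer: IP Webcam\r\n"),
    Banner("198.51.100.5", 22, "bastion.example.org", "RU", "Linux",
           "SSH-2.0-OpenSSH_5.3"),
    Banner("198.51.100.9", 80, "shop.example.org", "RU", "Windows",
           "HTTP/1.1 401 Unauthorized\r\nServer: Netwave IP Camera\r\n"),
]

# The filters listed on this page.
FILTERS = {"country", "hostname", "net", "os", "port"}


def parse_query(query):
    """Split a query into (filters, free-text terms); quoted phrases stay together."""
    filters, terms = [], []
    for token in shlex.split(query):
        key, sep, value = token.partition(":")
        if sep and key.lower() in FILTERS:
            filters.append((key.lower(), value))
        else:
            terms.append(token)
    return filters, terms


def matches(banner, filters, terms):
    """True when every filter and every free-text term matches the banner record."""
    for key, value in filters:
        if key == "country" and banner.country.upper() != value.upper():
            return False
        if key == "hostname" and value.lower() not in banner.hostname.lower():
            return False
        if key == "net" and ipaddress.ip_address(banner.ip) not in ipaddress.ip_network(value, strict=False):
            return False
        if key == "os" and value.lower() not in banner.os.lower():
            return False
        if key == "port" and banner.port != int(value):
            return False
    # Free text is matched against the captured banner, case-insensitively.
    return all(term.lower() in banner.data.lower() for term in terms)


def search(query, banners=SAMPLE_BANNERS):
    """Return the IPs of all records matching a SHODAN-style query string."""
    filters, terms = parse_query(query)
    return [b.ip for b in banners if matches(b, filters, terms)]


# Queries an attacker would run; a defender runs them restricted to their own net:.
RISKY_QUERIES = ['"default password"', "camera", "webcam"]


def own_exposure(cidr, banners=SAMPLE_BANNERS):
    """Map each IP in your own range to the risky queries that would surface it."""
    hits = {}
    for q in RISKY_QUERIES:
        for ip in search(f"net:{cidr} {q}", banners):
            hits.setdefault(ip, []).append(q.strip('"'))
    return hits


if __name__ == "__main__":
    print(search('port:80 country:RU'))            # ['198.51.100.9']
    print(own_exposure("203.0.113.0/24"))          # router with default password, exposed webcam
```

The last function is the check a monitoring team should schedule: because SHODAN’s crawlers, not the attacker, touch your hosts, the only way to see what reconnaissance through SHODAN reveals is to ask the same questions about your own address space and fix every hit.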

After the search returns some entries (say, webcams located in a certain area), click on one of them and you have instant access to what that webcam is recording live (Fig. 1).

Figure 1.


Examples:

Note:
E-Crime Expert will try to contact all the owners of these vulnerable systems in order to report their security issues and advise how to protect their devices with appropriate passwords and security measures.

Please watch the video or read our material on how to create a stronger password.

1. Search for banners that advertise a default password, as shown in Figure 2.
With the password in hand, one could enter the router’s settings and change them or, worse, use the router as a back door to any device connected behind it, such as a computer or printer.

Figure 2.


2. Once we selected a webcam, we clicked on it and waited for the live footage to play.
What we see is an intersection, which could be considered a public space. The feed records everything live (Fig. 3).

Figure 3.

3. Access is granted regardless of geographical location: E-Crime Expert reached a webcam located in Russia from a computer located in North America (Figure 4).

Figure 4.


4. We next tested a webcam recording someone’s front steps, perhaps for security reasons. The issue here is the camera’s angle: it also captures the neighbour’s front alley, their car and probably anyone entering their house (Fig. 5).

Figure 5.


5. The next example is more intrusive, as it transmits live from a restaurant where clients can be identified along with the staff. The purpose of this camera is theft protection, but with no security measures in place anyone on the Internet can now check who came to that restaurant and when, turning the camera into a monitoring device (Fig. 6).

Figure 6.


6. Not surprisingly, the next webcam is even more intrusive: it shows live, from behind the counter, a staff member working in a convenience store. Every time the cash drawer is opened, anyone with access to this webcam (which, as shown in this post, means anyone worldwide) can estimate how much money is in it. Besides the invasion of the privacy of clients and staff, this could also lead to robberies or similar attacks (Fig. 7).

Figure 7.


7. The last example is the most intrusive and concerning, as it streams live video from inside someone’s home. It is intrusive because the guests visiting this person are most probably unaware of the webcam, and because the footage is now available not just to the security company protecting the home but to virtually anyone on the Internet. The second concern is that anyone can see what lies on the kitchen counter, whether a large amount of cash, cheques or other valuables. This again could lead to robberies or other violent crimes (Fig. 8).

Figure 8.


Conclusions:

SHODAN aggregates a large amount of information that, while technically public, was never before available in such an easy-to-use form.

SHODAN collects basic information about a host’s externally visible services, the “back-end” details a website visitor normally never sees (server software, version numbers, and so on). On the one hand it is therefore an excellent database for those involved in security; on the other, it is also a source of intelligence for cybercriminals.

SHODAN’s crawlers run around the clock: they connect to IP addresses across the Internet, record the banners the services return and index them. For security monitoring teams this is a challenge: reconnaissance done through SHODAN never touches the target’s own network, so no sensor there will ever alert on it. The practical response is to run the same searches against your own address space (the net: filter) and treat every hit as exposure to be fixed.

From a privacy perspective, information that is not legally public (the webcam in someone’s home, in a store, at a gas station) becomes, in practice, accessible to anyone who runs a search, because some monitoring systems have little or no security. Under most international privacy legislation, a surveillance camera may be installed and operated only on a legal basis and, as a best practice, after a privacy impact assessment. That legal basis is tied to the purpose the camera serves, and that purpose never includes worldwide access to the footage, except where a public space (a park, a street) is concerned.

Even where the area under surveillance is public, there are cases where the footage or pictures capture more than the public space itself (see the litigation over Google Maps imagery capturing more than the streets).

A privacy impact assessment exists, among other things, to make sure that no unauthorised person has access to the footage a surveillance camera records. Being able to find that footage publicly on the Internet falls outside the privacy and security requirements and measures that apply to a surveillance camera, whether it is located in a public space (with the potential of recording private areas as well) or in a household, which is by definition a private space. Probably some of these cameras were installed by the householders themselves as theft protection, intended to be viewed only by the police or other law-enforcement entities.

Worldwide access to this kind of footage is, on the contrary, at odds with most existing privacy legislation.

Once again, E-Crime Expert has used SHODAN, as a positive tool, to assess current privacy and security issues.


WHAT TO DO WHEN YOUR EMAIL GOT HACKED OR COMPROMISED

February 5, 2013 2 comments

E-Crime Expert explains in this blog post the steps to take when your email or Social Networking Site account has been hacked or compromised.

When friends or close contacts start telling you that they are receiving emails or messages you never sent, or when content appears online that you never posted, it may mean that someone else has gained illegitimate control over your email or Social Networking Site account.

If this has happened, in order to limit the damage and stop malware spreading to others, first change the passwords of every compromised account and of any other important account (see the tips below on choosing a strong password), and then notify all your contacts that they may receive spam that appears to come from the compromised account.

It may also be that you can no longer access your account at all because the password has been changed.

If so, below are the contact points for the most popular email and Social Networking Site providers (the original post links to each provider’s form):

Yahoo!

* Hacked account (report form)

* Account is sending spam (report form)

* Help Center (phone support)

Gmail

* Hacked account (recovery form)

* Inaccessible account (recovery form)

Hotmail

* Hacked account (recovery form)

* Inaccessible account (recovery form)

* Help Center (phone support)

Twitter

* Hacked account (recovery form)

* Inaccessible account (recovery form)

Facebook

* Hacked account (recovery form)

* Help Center (phone support)

YouTube

* Hacked account (recovery form)

TIPS:

* How to choose a strong password:

Watch the video: “Creating a strong password video tutorial”

Read blog post: “Tips for a better, stronger password”

Frequently check your account activity/log in history as explained in this blog post: “Does anyone snoop in your email account? Find out”
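Checking account activity is easier when you know what to look for. As an added example (not any provider’s code), the following Python reads a constructed login history in a simple whitespace-separated format, modelled on the “recent activity” pages providers offer, and flags the three patterns that most often mean an account has been taken over: several failed logins followed by a success from the same address, a success from a country never seen before, and two successes from different countries closer together than travel would allow. The log lines, the six-hour window and the failure threshold are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of an account's recent-activity page, one login per line:
# time  ip  country  client  result.  Not taken from any real provider or account.
SAMPLE_LOG = """
2013-02-01T08:00:00 192.0.2.10    CA Firefox/18 ok
2013-02-02T08:05:00 192.0.2.10    CA Firefox/18 ok
2013-02-03T07:55:00 192.0.2.10    CA Firefox/18 ok
2013-02-04T09:00:00 192.0.2.10    CA Firefox/18 ok
2013-02-04T10:40:00 198.51.100.77 RO curl/7.29  fail
2013-02-04T10:41:00 198.51.100.77 RO curl/7.29  fail
2013-02-04T10:42:00 198.51.100.77 RO curl/7.29  fail
2013-02-04T10:43:30 198.51.100.77 RO curl/7.29  ok
2013-02-05T08:10:00 192.0.2.10    CA Firefox/18 ok
"""


@dataclass
class Login:
    when: datetime
    ip: str
    country: str
    client: str
    success: bool


def parse_history(text):
    """Parse the constructed activity format above into Login records."""
    entries = []
    for line in text.strip().splitlines():
        when, ip, country, client, result = line.split()
        entries.append(Login(datetime.fromisoformat(when), ip, country, client, result == "ok"))
    return entries


def review(history, travel_window=timedelta(hours=6), fail_threshold=3):
    """Return (kind, time, ip, detail) alerts; any of them is a reason to change the password."""
    alerts = []
    known_countries = set()
    last_success = None
    pending_failures = []
    for entry in sorted(history, key=lambda e: e.when):
        if not entry.success:
            pending_failures.append(entry)
            continue
        # Several failures from the same address shortly before a success: guessing that worked.
        guesses = [f for f in pending_failures
                   if f.ip == entry.ip and entry.when - f.when <= travel_window]
        if len(guesses) >= fail_threshold:
            alerts.append(("password-guessing", entry.when, entry.ip,
                           f"{len(guesses)} failures before success"))
        pending_failures = []
        # A country the account has never logged in from before.
        if known_countries and entry.country not in known_countries:
            alerts.append(("new-country", entry.when, entry.ip, entry.country))
        # Two successes from different countries too close together to be the same person.
        if (last_success and entry.country != last_success.country
                and entry.when - last_success.when <= travel_window):
            alerts.append(("impossible-travel", entry.when, entry.ip,
                           f"{last_success.country} -> {entry.country} in {entry.when - last_success.when}"))
        known_countries.add(entry.country)
        last_success = entry
    return alerts


if __name__ == "__main__":
    for kind, when, ip, detail in review(parse_history(SAMPLE_LOG)):
        print(f"{when.isoformat()} {ip} {kind}: {detail}")
```

The first country seen is taken as the baseline, so the check is only as good as the history it starts from; if the account was already compromised when you first looked, the attacker’s country is in the baseline too. That is why the page’s advice to check the activity page regularly matters more than any one run of a script like this.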


Data Protection: one Directive and two perspectives

December 4, 2012 Leave a comment

Data Protection: the economic value and the fundamental human rights perspectives

Related to our latest blog post on Privacy vs Data Protection, today E-Crime Expert presents a short history of, and the rationale behind, data protection legislation in the European Union.

Did you think that EU data protection legislation was drafted and proposed by the European Commission’s Directorate General Justice (because of its human-rights dimension)? Actually it was not: Directive 95/46/EC was drafted and proposed by the Directorate General for Internal Market and Services (DG Market).

Why? To find out, please read below the rationales described in the Preamble of Directive 95/46/EC:

The establishment and functioning of an internal market in which, in accordance with Article 7a of the European Union’s Treaty, the free movement of goods, persons, services and capital is ensured require not only that personal data should be able to flow freely from one Member State (MS) to another, but also that the fundamental rights of individuals should be safeguarded. In other words, there should be a proper balance between the free flow of personal data and the protection of fundamental human rights.

Furthermore, the economic and social integration resulting from the establishment and functioning of the internal market leads to a substantial increase in cross-border flows of personal data between all those involved in a private or public capacity in economic and social activity in the MemberStates and the exchange of personal data between undertakings in different Member States is considerable increasing. Also, the increase in scientific and technical cooperation and the new telecommunications networks in the Community necessitate and facilitate cross-border flows of personal data.

Considering the difference in levels of protection of the rights and freedoms of individuals (privacy), with regard to the processing of personal data afforded in the Member States, it could prevent the transmission of such data from the territory of one Member State to that of another Member State, which constitutes an obstacle to the pursuit of a number of economic activities at Community level, distort competition and diminishes the economic value of a such exchange of data.

Last but not least, in order to remove the obstacles to the flow of personal data, which is vital to the internal market, the Directive aims to ensure that the cross-border flow of personal data is regulated in a consistent manner that is in keeping with the objective of the internal market.

Considering the above rationales as outlined in the Preamble of Directive 95/46/EC, we can easily observe that Data Protection legislation in the EU does not mainly have a human rights dimension but an economic one, as Directive 95/46/EC was drafted and proposed by DG Market and not by DG Justice or DG Home, aiming not to stop but to increase the free flow of data between the Member States by giving legal certainty to EU citizens and providing a legal framework uniformly implemented among the MS.

The second part of this blog post continues with the human rights dimension of Directive 95/46/EC by explaining data protection terminology, principles, rights of data subjects and data transfer mechanisms.

 1)      Data protection terminology and definitions

  • ‘personal data’ = any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified:
    • directly, or
    • indirectly,
    • in particular by reference to an identification number
    • or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
  • ‘processing of personal data’ = any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as:
    • collection,
    • recording,
    • organization,
    • storage,
    • adaptation or alteration,
    • retrieval,
    • consultation,
    • use,
    • disclosure by transmission,
    • dissemination or otherwise making available,
    • alignment or combination,
    • blocking, erasure or destruction;
  • ‘personal data filing system’ (‘filing system’) = any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
  • ‘controller’ = the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;
  • ‘processor’ = a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
  • ‘third party’ = any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons (e.g. a subcontractor) who, under the direct authority of the controller or the processor, are authorized to process the data;
  • ‘recipient’ = a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not;
  • ‘the data subject’s consent’ = any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

 2)      Principles related to data protection:

  • personal data must be processed
    • fairly (data subjects informed) and
    • lawfully (based on a legal act)
  • collected for:
    • specified,
    • explicit and
    • legitimate purposes
    • and not further processed in a way incompatible with those purposes
  • adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected
  • legal grounds for processing (at least one must apply):
    • the data subject has unambiguously given his consent
    • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
    • processing is necessary for compliance with a legal obligation to which the controller is subject
    • processing is necessary in order to protect the vital interests of the data subject
    • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed

 3)      Information to be given to the data subjects (fair processing)

  • the identity of the controller and of his representative, if any;
  • the purposes of the processing for which the data are intended;
  • any further information such as:
    • the recipients or categories of recipients of the data,
    • whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,
    • the existence of the right of access to and the right to rectify the data concerning him

4)      Rights of data subjects:

  • Right of access
  • Right to object
  • Right to modification
  • Right to deletion

 5)      Notification

  • The controller or his representative, if any, must notify the supervisory authority (of a Member State) before carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes.

 6)      Transfer mechanisms:

  • Transfers are free to Canada, Argentina, the whole EU, etc., BUT not to the US (which does not confer the same level of data protection as the EU, because of the Patriot Act). Mechanisms for transfers to the US:
    • Binding Corporate Rules (for the US; a set of rules agreed by the EU Commission for transferring data outside the EU)
    • Safe Harbor Agreement (for the US; certifies that those party to this agreement comply with the EU data protection rules)

 Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog


Privacy versus Data Protection

November 27, 2012 6 comments

Today, E-Crime Expert presents the main similarities and differences between privacy and data protection concepts mainly from two different legislative perspectives:  Canada and the European Union (EU), and briefly from the United States (US).

Also, this blog post provides the main privacy and data protection legislative acts from Canada and EU as a useful resource for those interested or working in this field.

Last but not least, you can find below the full EU Data Protection revision 2012 package.

I.      US versus EU versus Canada

-The United States (US) and European Union (EU) have different concepts regarding personal information and private data, such as Privacy in the US versus Data Protection in the EU.

The US approach to privacy focuses on narrowly applicable legislation:

  • sector-based,
  • with a mix of legislation,
  • regulation and self-regulation,
  • focusing on the protection of personal information by specifically addressing a particular industry sector (e.g. medical information, online transactions, credit checks, etc.)
  • regulating data collected by the federal government

The EU has a more comprehensive approach:

  • set of rights and principles for personal data treatment (processing),
  • regardless of whether the data is held in the public or private sector,
  • protects only natural persons, not legal entities
  • the relation between data protection and the economic value as a proper balance between fundamental rights and free flow of information (which has economic value).
  • by granting data protection as a fundamental right, the aim is to protect the individuals but also to encourage the free flow of information, giving data subjects legal certainty and encouraging them to not negatively affect the exchange of information and data

-Canada – a similar level of protection to the EU one.

  • Privacy is regulated by the government at the federal and provincial level:
    • The Privacy Act (federal level for private information held by the government),
    • PIPEDA (federal level for private sector),
    • PIPA (provincial level for private sector, Alberta for example),
    • FOIP (provincial level for public sector, Alberta for example),
    • HIPA (federal level for health information),
    • HIA (provincial level for health information, Alberta for example)
  • The difference between Canada and EU
    • Canada’s legislation regulates both organizations’ and individuals’ privacy rights and access
    • EU’s legislation regulates the individuals’ rights (no organizations)
    • Canada gives to the individual the right to access their data or other individuals’ or organizations data along with their privacy protection right under the same Act (The Privacy Act, FOIP)
    • The EU gives the data subject the right to protection of their personal data under one single act (Directive 95) and the right to access data for public interest under the Transparency Regulation (1049); no other person’s personal data can be accessed in the private sector (only for law enforcement)
  • Canada enacted different acts for different data categories (private-PIPA, public-FOIP, health-HIA, children-Child, Youth&family enhancement act, etc)
  • EU has the same Legislative Act (e.g. Directive) but with different degrees of protection and limitations based on the data categories sensitivity (identification, medical, criminal, etc).
  • Canada sets forth a minimum time for information retention, whereas the EU sets forth a maximum time for data retention
  • in Canada information sharing is done based on Information Sharing Agreements (local, federal, international)
  • in EU the data transfer has three layers of protection for exchange locally within the same institutions, bodies, organizations, between EU member states, or internationally (with third countries).

 II.      Privacy versus data protection

  • The concepts of privacy and data protection are not the same.
  • Data protection has a privacy dimension, but it is narrower in scope than the privacy concept, “as privacy encloses more than personal data” (i.e. private life, private home, private correspondence, etc.)
  • From a different angle, it encloses a wider area, “since personal data are protected not only to enhance the privacy of the subject, but also to guarantee other fundamental rights, such as the right to freedom of expression, or the right to know what data is gathered about you, to have access to your data, to ask for modification or deletion of your data, etc”
  • Furthermore, data protection gives individuals the right to know:
    • what personal data is collected,
    • on what legal grounds,
    • how it is used, for how long it is used and kept,
    • and by whom.
  • It specifically grants data subjects the rights to access, modify, update or ask for deletion of such data.

 III.      EU legislative framework

IV.      EU Data protection revision 2012 (to reflect the new technological developments and to provide a consistent legislative framework across EU):

Click here to access the new proposed EU Data Protection regulation

  • A Regulation was proposed instead of the existing Directive. A Regulation is better, as it is immediately and more uniformly implemented into the Member States’ national law.
  • Data subjects
    • increasing responsibility and accountability – companies would have to notify their clients of any theft or accidental release of personal data
    • clarifying that where someone’s consent is required before a company reuses their personal data, they need to give that consent explicitly – people would also have access to their own private data and be able to transfer it to another service provider more easily
    • reinforcing the ‘right to be forgotten’ – people will be able to have their personal data deleted if a business or other organization has no legitimate reasons for keeping it
    • applying EU rules when personal data is processed outside Europe – people would be able to involve the national data protection authority in their country, even when their data is processed by a company based outside the EU
    • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services
  • Good for business
    • A single set of rules would encourage a more consistent application of the law across the EU. Businesses would have clear rules on how to treat personal data
    • Companies would only have to deal with a single national data protection authority in the EU country where they have their main operations (saving businesses an estimated €2.3bn a year)
    • The obligation to appoint a data protection officer for organizations with 250 employees and over (private sector)
    • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data
    • Companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours)
    • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed
    • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens
    • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company
  • Better enforcement
    • The new rules would give national data protection authorities powers to enforce the EU rules more rigorously
    • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data. For the new Directive click here.
  • Next steps
    • The proposals aim to encourage more online commerce by improving consumer trust – contributing to economic growth and job creation. The new proposed data protection legal framework (Regulation + Directive) must be approved by the European Parliament and Council before becoming law.
  • Commission Proposals on the data protection reform: legislative texts

Source: Directorate General Justice of the European Commission


Privacy risks: shopping online/ordering over the phone

September 12, 2012 2 comments

E-Crime Expert presents to you today a classic video on how private information flows over the Internet, can be gathered from different sources (medical, shopping, work, etc.), or can be provided by mistake by the data subjects themselves (individuals). What could be done with all this private information is concerning, if not scary.

I will let the readers draw their own conclusions from this video, and I encourage you to submit your opinion in the “Comments” section of this blog. This video needs no other presentation; it is self-explanatory.

Video: Ordering Pizza:


Training and workshops

E-Crime Expert, as a legal consultancy specialized in the fields of data protection, privacy, cybercrime and the Internet, offers the following services:

  • Drafting of notification and documentation for personal data processing, transfer, compliance
  • Legal mechanisms for the cross-border transfers of personal data
  • Privacy Impact Assessments

Now, E-Crime Expert is also offering training sessions, workshops, tutorials and talks tailored to specific audiences such as:

  • Corporate
  • Various events and conferences
  • Seniors
  • Teenagers
  • Children

If interested, please contact us at: dan@e-crimeexpert.com