Privacy

Working from home was the dream but is it turning into a nightmare?

Online surveillance comes in many forms. Some of it is as simple as 'checking in', Pagliari says, stamping your timecard in a digital sense. You might have to do your work over the cloud, and it knows when you've logged on, for instance. Tools such as Slack and Microsoft Teams report when an employee is active, and failure to open apps first thing in the morning is often taken by managers as the same as being late for work.

Other workers have reported more intense supervision. One communications worker, who asked to remain anonymous, said that her employer had recently started to require all staff to join a videoconference every morning, with their webcams switched on. Employees were told the move was to reduce the number of meetings, but many feel as though its true purpose is to ensure that they stay at their desks all day.

David Heinemeier Hansson, a co-founder of the collaboration startup Basecamp, which provides a software platform for companies to coordinate their remote workers, says he regularly has to turn down requests from potential clients for new methods of spying on their employees.

See article from theguardian.com by John Naughton

University App Mandates Are The Wrong Call

As students, parents, and schools prepare the new school year, universities are considering ways to make returning to campus safer. Some are considering and even mandating that students install COVID-related technology on their personal devices, but this is the wrong call. Exposure notification apps , quarantine enforcement programs , and similar new technologies are untested and unproven, and mandating them risks exacerbating existing inequalities in access to technology and education. Schools must remove any such mandates from student agreements or commitments, and further should pledge not to mandate installation of any technology.

See article from eff.org

Privacy campaigner Duncan McCann has filed a legal case accusing YouTube of selling the data of children using their service to advertisers in contravention of EU and UK law The case was lodged with the UK High Court in July and is the first of its kind in Europe.

It is understood that Google will strongly dispute the claim. One of its arguments is that the main YouTube platform is not intended for those under 13, who should be using the YouTube Kids app, which incorporates more safeguards.

Google is also expected to point to a series of changes that it introduced last year to improve notification to parents, limit data collection and restrict personalised adverts.

The case seeks compensation of £500 payable to those whose data was breached. But crucially it would set a precedent, potentially making YouTube liable for payouts to the estimated five million children in Britain who use the site as well as their parents or guardians.

McCann said:

It cannot be right that Google can take children's private data without explicit permission and then sell it to advertisers to target children. I believe it is only through legal action and damages that these companies will change their behaviour, and it is only through a class action that we can fight these companies on an equal basis.

The case, which focuses on children who have watched YouTube since May 2018 when the Data Protection Act became law, is backed by digital privacy campaigners Foxglove, and the global law firm Hausfeld. The case is not expected to come to court before next autumn and has been underwritten by Vannin Capital, a company which will take a cut of any compensation that remains unclaimed. The action will also depend on the outcome of another data and privacy case against Google which does not cover children.

Apple has delayed the implementation of new privacy measures designed to stop apps and websites tracking people online without their consent. The proposed policy means that apps will have to ask a user's permission to access the ad-tracking ID on an iPhone or iPad. This permission will be set to off be default.

In addition, apps will have to declare what data they collect and how they track people in Apple's App Store. Another new security feature will highlight when an app accesses information on the user's clipboard. (TikTok for instance has been caught continually scanning the paste buffer, even when in background and hence being able to capture other apps' passwords held in password managers).

The measures were due to arrive in the latest iOS 14 update in the autumn. But Apple said the changes were being delayed until the start of 2021 to give app developers and websites more time to adapt their services.

Facebook has warned that Apple's privacy plan could make one of its advertising tools so ineffective on iOS 14 that it may not make sense to offer it on iOS 14.

The ICO issued the code on 12 August 2020 and it will come into force on 2 September 2020 with a 12 month transition period.

Information Commissioner Elizabeth Denham writes:

Data sits at the heart of the digital services children use every day. From the moment a young person opens an app, plays a game or loads a website, data begins to be gathered. Who's using the service? How are they using it? How frequently? Where from? On what device?

That information may then inform techniques used to persuade young people to spend more time using services, to shape the content they are encouraged to engage with, and to tailor the advertisements they see.

For all the benefits the digital economy can offer children, we are not currently creating a safe space for them to learn, explore and play.

This statutory code of practice looks to change that, not by seeking to protect children from the digital world, but by protecting them within it.

This code is necessary.

This code will lead to changes that will help empower both adults and children.

One in five UK internet users are children, but they are using an internet that was not designed for them. In our own research conducted to inform the direction of the code, we heard children describing data practices as nosy, rude and a bit freaky.

Our recent national survey into people's biggest data protection concerns ranked children's privacy second only to cyber security. This mirrors similar sentiments in research by Ofcom and the London School of Economics.

This code will lead to changes in practices that other countries are considering too.

It is rooted in the United Nations Convention on the Rights of the Child (UNCRC) that recognises the special safeguards children need in all aspects of their life. Data protection law at the European level reflects this and provides its own additional safeguards for children.

The code is the first of its kind, but it reflects the global direction of travel with similar reform being considered in the USA, Europe and globally by the Organisation for Economic Co-operation and Development (OECD).

This code will lead to changes that UK Parliament wants.

Parliament and government ensured UK data protection laws will truly transform the way we look after children online by requiring my office to introduce this statutory code of practice.

The code delivers on that mandate and requires information society services to put the best interests of the child first when they are designing and developing apps, games, connected toys and websites that are likely to be accessed by them.

This code is achievable.

The code is not a new law but it sets standards and explains how the General Data Protection Regulation applies in the context of children using digital services. It follows a thorough consultation process that included speaking with parents, children, schools, children's campaign groups, developers, tech and gaming companies and online service providers.

Such conversations helped shape our code into effective, proportionate and achievable provisions.

Organisations should conform to the code and demonstrate that their services use children's data fairly and in compliance with data protection law.

The code is a set of 15 flexible standards 203 they do not ban or specifically prescribe 203 that provides built-in protection to allow children to explore, learn and play online by ensuring that the best interests of the child are the primary consideration when designing and developing online services.

Settings must be high privacy by default (unless there's a compelling reason not to); only the minimum amount of personal data should be collected and retained; children's data should not usually be shared; geolocation services should be switched off by default. Nudge techniques should not be used to encourage children to provide unnecessary personal data, weaken or turn off their privacy settings. The code also addresses issues of parental control and profiling.

This code will make a difference.

Developers and those in the digital sector must act. We have allowed the maximum transition period of 12 months and will continue working with the industry.

We want coders, UX designers and system engineers to engage with these standards in their day-to-day to work and we're setting up a package of support to help.

But the next step must be a period of action and preparation. I believe companies will want to conform with the standards because they will want to demonstrate their commitment to always acting in the best interests of the child. Those companies that do not make the required changes risk regulatory action.

What's more, they risk being left behind by those organisations that are keen to conform.

A generation from now, I believe we will look back and find it peculiar that online services weren't always designed with children in mind.

When my grandchildren are grown and have children of their own, the need to keep children safer online will be as second nature as the need to ensure they eat healthily, get a good education or buckle up in the back of a car.

And while our code will never replace parental control and guidance, it will help people have greater confidence that their children can safely learn, explore and play online.

There is no doubt that change is needed. The code is an important and significant part of that change.

Google is changing its default settings to automatically delete some of the data it collects about users.

Web and app activity, including a log of website searches and pages visited, as well as location data, will now be wiped after 18 months.

YouTube histories - including which clips were watched and for how long - will be erased after 36 months.

The changes apply to new accounts only but existing users will soon be shown new prompts to adjust their settings.