30 December 2011

Facebook and FTC (4)

As part of the agreement reached between the Federal Trade Commission and Facebook (post), the Electronic Privacy Information Center has submitted its comments and, at the same time, asks the FTC to investigate Facebook's Timeline application.

28 December 2011

EFF: a look back at geolocation

The Electronic Frontier Foundation looks back at the events that marked 2011 in the area of geolocation.

23 December 2011

FTC: consultation on facial recognition

On 8 December 2011, the Federal Trade Commission held a workshop on facial recognition (posts 1 and 2); it is now inviting the public to submit comments until 31 January 2012.
"Facial detection and recognition technologies have been adopted in a variety of new contexts, ranging from online social networks to digital signs and mobile apps. Their increased use has raised a variety of privacy concerns. To further the Commission's understanding of the issues, the Federal Trade Commission staff seeks public comments on issues raised at the workshop, including but not limited to:
- What are the current and future commercial uses of these technologies?
- How can consumers benefit from the use of these technologies?
- What are the privacy and security concerns surrounding the adoption of these technologies, and how do they vary depending on how the technologies are implemented?
- Are there special considerations that should be given for the use of these technologies on or by populations that may be particularly vulnerable, such as children?
- What are best practices for providing consumers with notice and choice regarding the use of these technologies?
- Are there situations where notice and choice are not necessary? By contrast, are there contexts or places where these technologies should not be deployed, even with notice and choice?
- Is notice and choice the best framework for dealing with the privacy concerns surrounding these technologies, or would other solutions be a better fit? If so, what are they?
- What are best practices for developing and deploying these technologies in a way that protects consumer privacy?"
(Source: FTC, News, December 23, 2011)

FTC and COPPA (2)

The consultation launched by the Federal Trade Commission (FTC) on the Children's Online Privacy Protection Act (COPPA) (posts 1 and 2) closes on 23 December 2011.

With that in mind, the Electronic Privacy Information Center has sent its comments to the FTC. The EPIC website states that:
"EPIC submitted comments to the FTC on a proposed rule for the Children's Online Privacy Protection Act. The proposed rule would revise the definition of Personally Identifiable Information to include identifiers such as cookies, IP addresses, and geolocation information. The new rules also contain data minimization and deletion requirements and simplified methods of obtaining parental consent for data collection. "The proposed revisions update the COPPA Rule by taking better account of the increased use of mobile devices by users and of new data collection practices by businesses," EPIC said. However, EPIC urged the FTC to further improve the rule by applying it to SMS and MMS messaging services, extending the definition of "personal information" to cover the combination of date of birth, gender, and ZIP code, and adding a data-breach notification requirement. EPIC previously testified before the Senate and filed comments with the agency."
(Source: EPIC, News, December 22, 2011)


22 December 2011

Ireland: audit report on Facebook

Ireland's Data Protection Commissioner has just published its audit report on Facebook's personal data protection practices under Irish law and, by extension, Directive 95/46/EC.

The press release states that:
"this Report is not the conclusion of our engagement with Facebook Ireland.  It is rather the first significant step on a road that can place it at the forefront of the technology sector in meeting users’ legitimate privacy expectations as to how their personal data is handled and empowering them to make informed choices when sharing that information on the site.  It is the role of our Office to ensure that Facebook Ireland complies with data protection law and this report assesses that compliance. Taking a leadership position that moves from compliance with the law to the achievement of best practice is for Facebook Ireland to decide but if it continues to display the commitment I witnessed throughout the Audit process it is certainly achievable.

The Report records significant recommendations and commitments from Facebook Ireland in relation to: 
- a mechanism for users to convey an informed choice for how their information is used and shared on the site including in relation to Third Party Apps;
- a broad update to the Data Use Policy/Privacy Policy to take account of recommendations as to where the information provided to users could be further improved;
- transparency and control for users via the provision of all personal data held to them on request and as part of their everyday interaction with the site;
- the deletion of information held on users and non-users via what are known as social plugins and more generally the deletion of data held from user interactions with the site much sooner than presently;
- increased transparency and controls for the use of personal data for advertising purposes;
- an additional form of notification for users in relation to facial recognition/”tag suggest” that is considered will ensure Facebook Ireland is meeting best practice in this area from an Irish law perspective;
- an enhanced ability for users to control tagging and posting on other user profiles;
- an enhanced ability for users to control whether their addition to Groups by friends;
- the Compliance management/Governance function in Dublin which will be further improved and enhanced to ensure that the introduction of new products or new uses of user data take full account of Irish data protection law.

Facebook Ireland’s delivery on its commitments will be evaluated throughout the first six months of 2012 and as part of an agreed formal review in July of next year that will take the form of a follow-up Audit."

(Source: Irish Data Protection Commissioner, Press Release, December 21, 2011)
To be continued.

19 December 2011

California: 10 years on

On the 10th anniversary of California's Office of Privacy Protection, a review is drawn up. One can read that:
"10 big privacy challenges have emerged in our first decade: 
- Identity theft: From dumpster diving to credit card skimming and social network sniffing, identity theft (regrettably) endures. 
- Data breach: California was the first state to enact a law requiring organizations to notify consumers when their personal information has been compromised. 
- Financial privacy: Californians tell financial institutions: “Ask me first!” 
- Children's online safety: Answering a culture-wide call for safe 21st century childhoods.  
- Health information privacy: Medical records are going digital. Good news for doctors, pharmacies, labs, and patients – but also some new privacy concerns. 
- Cyber security: We depend on the Internet for business, pleasure, and convenience. But it is an open network, which means it is insecure. 
- REAL ID: The specter of a national identification card appeared in 2005 with the federal REAL ID Act.
- Abandoned records: When a company goes out of business, its records (with your personal information) can turn up in storage facilities, alongside highways, or in dumpsters. 
- Social networking: We share news and photos with our far flung friends and family on social networks. But some risky practices can expose us to identity theft and other privacy harms.
- Mobile privacy: More of us every day are going to the web while on the move. How safe are smartphones and public Wi-Fi?"
(Source: COPP, Ten Year Anniversary, December 2011)

16 December 2011

Alberta: social media and pre-employment screening

Alberta's Office of the Information and Privacy Commissioner has just published guidelines for organizations that use social media to conduct pre-employment background checks.
"The Office of the Information and Privacy Commissioner of Alberta has released guidelines on the use of social media for conducting background checks on individuals. The guidelines are designed to ensure that organizations are aware of their responsibilities under the Personal Information Protection Act (PIPA) when collecting personal information via social media. 
The guidelines provide practical advice to organizations on how much information can or should be collected through social media when performing a background check and highlight that it may be challenging for organizations to meet the “reasonable” requirement in PIPA when collecting personal information through social media. The guidelines also point out the hazards associated with using social media to conduct a background check including the inadvertent collection of third party information and the inability to determine the accuracy of information. 
The bottom line for the guidelines is to remind organizations that they must not use social media to perform background checks if doing so would result in non-compliance with PIPA."
(Source: OIPC Alberta, News Release, December 15, 2011) 
It is therefore up to organizations to answer the question "is a social media background check reasonable?". Indeed, the OIPC recalls that
"prior to using social media background checks to collect personal information, an organization must understand its business purpose for doing so, and consider the reasonableness of doing such a check. Under PIPA, an organization must be able to establish that use of social media to collect personal information or personal employee information is reasonable for the purposes of collection. Organizations need to consider what a social media background check will provide that cannot be garnered from traditional means such as reference checks and interviews".
(Source: OIPC Alberta, Guidelines, p. 2)
They must then ask themselves whether 1) "are you collecting irrelevant and too much personal information?" (p. 3); 2) "are you collecting third-party personal information?" (p. 3); 3) "are you over-relying on consent?" (p. 4); and 4) "are you collecting accurate information?" (p. 4).

To help them, the OIPC lists what to consider and what to avoid:
What to consider (Guidelines, p. 5)
1. Determine what the business purpose is for performing a social media background check. Do you reasonably require personal information that cannot be obtained through traditional means such as interviews or reference checks? 
2. Recognize that any information that is collected about an individual is personal information or personal employee information and is subject to privacy laws.
3. Consider the risks of using social media to perform a background check. Conduct a privacy impact assessment to assess the risks. When conducting this assessment, organizations should:  
a. find out what privacy law applies and review it, ensuring that there is authority to collect and use personal information; 
b. determine whether the identified purposes for the collection and use of personal information are authorized; 
c. consider and assess other reasonable measures that achieve the same purpose; 
d. identify the types and amounts of personal information likely to be collected in the course of a social media background check, including collateral personal information about the individual and others that may be inadvertently collected as a result of the social media background check; 
e. identify the risks of non-compliance with PIPA associated with the collection and use of this personal information, including risks associated with the collection of third party personal information and actions taken based on inaccurate information; 
f. ensure that the appropriate policies, procedures and controls are in place to address the risks related to the collection, use, disclosure, retention, accuracy and protection of personal information using social media;
g. determine if the collection is authorized and obtain any necessary consents, and for current employees notify the individual that you will be performing a social media background check and tell the individual what you will be checking and what the legal authority is for collecting the personal information; and 
h. be prepared, upon receipt of a request for access, to provide access to the information you collected and used to make a decision about an employee or volunteer.  
What to avoid (Guidelines, p. 6)
1. Do not wait until after you conduct a social media background check to evaluate compliance with privacy legislation; 
2. Do not assume in advance that a social media background check will only retrieve information about one individual and not about multiple individuals; 
3. Do not perform a social media background check from a personal account in an attempt to avoid privacy laws; 
4. Do not attempt to avoid privacy obligations by contracting a third party to carry out background checks; and
5. Do not perform a social media background check thinking that an individual will not find out about it. For example, an individual can use web analytics to determine what IP address accessed the individual's personal information.


14 December 2011

Facebook and FTC (3)

Following the agreement reached between Facebook and the Federal Trade Commission (post), open for comments until 30 December 2011, the Electronic Privacy Information Center website states that:
"EPIC launched the "Fix FB Privacy Fail" campaign to encourage the public to support improvements to a settlement between Facebook and the FTC. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. Although the proposed settlement is far-reaching, there are several ways in which it could be improved. EPIC has recommended that the FTC require Facebook to restore the privacy settings users had in 2009; give users access to all of the data that Facebook keeps about them; stop making facial recognition profiles without users' consent; make the results of the government privacy audits public; and stop secretly tracking users across the web. The period for public comment on the proposed settlement ends on December 30. The campaign also allows users to sign on to the petition without using Facebook."
(Source: EPIC, Latest News, December 14, 2011)

13 December 2011

CNIL: study on smartphones

The Commission nationale de l'informatique et des libertés has just published the study Smartphone et vie privée, which aims to "measure how smartphone users perceive the content and personal data stored on their phone" and to "describe and understand the risks perceived by the user, and the protections put in place" (p. 2).

The study reveals in particular that, among the data stored (p. 14):
- 89% are contact data and contact details;
- 86% are multimedia data and usable content (photos, videos, notes);
- 40% are secret data (bank codes, PIN codes, door entry codes).
It also finds that users have a "vague perception of data "leaks"" (p. 15), for example:
- "for 51% of smartphone owners, data cannot be recorded or transmitted without prior consent";
- "for 42%, mobile operators do not have access to the information stored on a mobile phone";
- "for 46%, mobile phone manufacturers do not have access to the information stored on a mobile phone".
As for the protections put in place (or not) on the phone (p. 18 et seq.):
- "65% consider that their personal data is not well protected" ... "of these, nearly 30% say they have no protection on their phone";
- "only 31% have enabled a specific lock code";
- "only 18% have set an automatic lock delay";
- "64% think it is not possible to install an antivirus or do not see the point".
As regards young people and parental control (p. 22):
- 76% of parents say they do not closely monitor their children's usage, but 65% say they would readily use a feature to locate them.
Accordingly, the CNIL proposes the following measures:
"1. Do not store confidential information (secret codes, access codes, bank details, etc.) on your smartphone (theft, hacking, identity theft, etc.).
2. Do not disable the PIN code, and change the default one. Choose a complex code. Not your date of birth!
3. Set an automatic lock delay on the phone. In addition to the PIN code, it makes the phone inactive (locked) after a certain time. This prevents the information on the phone from being consulted if it is lost or stolen.
4. Enable encryption of the phone's backups where possible. To do so, use the settings of the platform you connect the phone to. This will ensure that no one can use your data without the password you have set.
5. Install an antivirus where possible.
6. Note the phone's "IMEI" number so it can be blocked if lost or stolen.
7. Do not download applications from unknown sources. Prefer official platforms.
8. Check which data on your smartphone the application you are installing will have access to.
9. Read a service's terms of use before installing it. Other users' reviews can also be helpful!
10. Adjust the settings in the phone or in geolocation applications (Twitter, Foursquare, Plyce, etc.) so that you always control when and by whom you want to be located. Turn off GPS or WiFi when you are no longer using a geolocation application".

12 December 2011

Quebec: public consultation on the CAI report

Citizens and organizations wishing to submit a brief on the five-year report Technologies et vie privée: à l'heure des choix de société of the Commission d'accès à l'information, published on 29 September 2011 (post), have until 30 March 2012 to do so.

"The Commission des institutions today announces a general consultation on the five-year report of the Commission d'accès à l'information entitled Technologies et vie privée à l'heure des choix de société.
Citizens and organizations wishing to be heard on this occasion must submit a brief to the Commission's secretary by 30 March 2012 at the latest. Citizens who do not submit a brief but wish to be heard may file a request to appear by 30 March 2012 at the latest.
The members of the Commission will then choose, from among the citizens and organizations that have submitted a brief or a request to appear, those they will hear. In addition, anyone wishing to express an opinion on this subject may submit a comment online on the Commission's mandate page on the assnat.qc.ca website.
The Commission's chair is Mr. Bernard Drainville, Member for Marie-Victorin, and its vice-chair is Ms. Stéphanie Vallée, Member for Gatineau. The list of Commission members is attached. For more information on this consultation, contact the Commission's secretary."

11 December 2011

OPC: guidelines on advertising

The Office of the Privacy Commissioner of Canada (OPC) has just published guidelines on online behavioural advertising, which "involves tracking consumers online over time in order to serve them advertisements targeting their inferred interests" (p. 1).

The OPC points out that "while advertising can help fund free access to online content, which is what most users want, it is nonetheless essential that online advertising practices respect individuals' right to privacy and their consent choices" (p. 1), in particular with regard to the Personal Information Protection and Electronic Documents Act (PIPEDA).

To enable organizations to "ensure that their practices are fair, transparent and compliant with PIPEDA" (p. 1), the OPC has drawn up guidelines in which it recalls that
"information involved in online tracking and targeting for the purpose of serving advertising based on an individual's behavioural tracking will generally be considered personal information" (p. 2);

"an individual [must be] informed of any collection, use or disclosure of personal information about them and consent to it [and that] the purposes for which an individual's personal information is collected, used or disclosed [must be] explained in a clear and transparent manner" (p. 2)
"obtaining consent in the online environment can present challenges, but it is possible [and] opt-out [or implied] consent for online behavioural advertising could be considered reasonable" (p. 2)
"if an individual cannot refuse tracking and targeting, whether through an opt-out mechanism or because refusing would render the service unusable, organizations should not use this type of technology for online behavioural advertising purposes" (p. 3)
"organizations should avoid tracking children or websites aimed at children [it being understood that it is "difficult to obtain a child's informed consent for online behavioural advertising practices"]" (p. 3).

9 December 2011

FTC and facial recognition

Yesterday the Federal Trade Commission held its workshop on facial recognition (post / post: programme) ... while we wait for the videos, you can read Jon Leibowitz's opening remarks or consult the speakers' PowerPoint presentations.

7 December 2011

APPA: survey on "privacy and social networks"

The Asia Pacific Privacy Authorities (APPA) have just published the results of a survey on the use of social networks.

Respondents were asked the following questions:
  1. Have you ever used social networking sites (eg Facebook or MySpace)?
  2. Do you currently use social networking sites?
  3. How often do you use social networking sites?
  4. What do you mostly use social networking sites for?
  5. Do you know how to use the privacy settings on your social networking site?
  6. Have you ever changed the privacy settings on your social networking site?
  7. Who can see the information about you on your social networking page?
  8. Have you read the privacy policy and terms and conditions of your social networking sites?
  9. Would you stop using a social networking site if the site used your personal information in a way that you were not expecting?
  10. How concerned are you about how social networking sites use your information? (1 = not at all concerned – 5 very concerned)
  11. Some social networking sites track your use of the site and deliver targeted advertising to you based on your interests. How comfortable are you with this? (1 = not at all concerned – 5 very concerned)
  12. Have you had anyone “hack” or break into your social networking account?
  13. Have you regretted posting information about yourself?
  14. Have you been uncomfortable when someone has posted information about you or photos of you on a social networking site?
The press release states:
"A recent online survey conducted by the Asia Pacific Privacy Authorities (APPA) forum has revealed that – contrary to popular assumptions – people do care about their privacy on social networking sites.
“Most people like to talk and share information about themselves,” said the Australian Privacy Commissioner Timothy Pilgrim, speaking for all the APPA Commissioners. “But the survey shows us that people are concerned about whether they can control who sees the information they put on social networking sites”.
In May 2011, the APPA forum encouraged its members to run an online survey to find out how people used social networking sites, and whether they thought online privacy was important. More than 10,000 people responded to the survey, most of them from Mexico, Australia, New Zealand, Hong Kong and Korea. The results have just been released at the APPA meeting in Melbourne.
“Many people try to restrict access to their information. But a third of respondents told us that they weren’t sure how to use their privacy settings. This suggests that social networking sites aren’t making it as easy as they should for people to understand how to choose who sees the information they post. Constant changes to privacy settings don’t help,” Mr Pilgrim said.
Survey results also reveal that people worry about what the social networking company might be using their information for. Nearly 68% of people said they would stop using a site that used its information in a way they hadn’t expected. In addition, around 46% said they were very uncomfortable, or quite strongly uncomfortable, about sites tracking their activities in order to target marketing to them. However, nearly 62% of people confessed that they didn’t read the privacy policies or terms and conditions of the sites, often because they were too long or were incomprehensible.
The participating APPA Commissioners recognise that even where people are very concerned about their privacy, this doesn’t always translate into action.
“For example, it’s difficult for people to leave social networking sites if that’s where all the people they want to talk to are. Social networking providers need to listen to what people are saying. They should make sure they’re clear with people about what they do with their information and why, and that they treat their customers fairly,” said Mr Pilgrim."
(Source: Privacy Awareness, Media Release, December 6, 2011)
The survey results are available at the following address: http://privacyawarenessweek.org/2011/survey_results/summary_report_english.pdf.


4 December 2011

SCC: Alberta's appeal will not be heard

The Supreme Court of Canada has just dismissed the application for leave to appeal the judgment of the Alberta Court of Appeal in a case between the Information and Privacy Commissioner of Alberta and Leon's Furniture Limited.

Here is the Alberta Commissioner's reaction:
"Information and Privacy Commissioner Frank Work is disappointed that the Supreme Court of Canada won't hear an appeal about the collection of personal information by Leon's Furniture Ltd. The Commissioner was seeking leave to appeal a decision of the Alberta Court of Appeal. 
Commissioner Work says the decision of the majority Court of Appeal seriously undermines the Personal Information Protection Act. "The decision could be used to challenge what were thought to be reasonable, nationally accepted limits on the collection of personal information by private sector organizations. We are moving backwards". 
The Commissioner says he will be writing to the Minister of Service Alberta urging the Legislature to amend the Personal Information Protection Act. "Given the time and resources that were put into implementing PIPA, it's crucial that the legislation be amended to restore the original intent of PIPA, which is the reasonable collection of personal information. I believe allowing organizations to decide what personal information they are allowed to collect and how they use that information flies in the face of the original intent of the legislation".
Work adds, "This puts our law at odds with laws in other jurisdictions such as British Columbia and Canada. It means that we are off side with the rest of Canada on the meaning of personal information, and that puts the people of Alberta at a disadvantage." 
The original complaint against Leon's was that they were collecting license plate and driver's license numbers when customers were picking up merchandise. The company was ordered to stop the practice in an order from this office in 2008. Leon's appealed the decision and the Court of Appeal overturned the order." 
(Source: Information and Privacy Commissioner of Alberta, News release, November 25, 2011) 

2 December 2011

OPC: an award for Jennifer Stoddart

The website of the Office of the Privacy Commissioner of Canada states that:
"As part of the Canada's Most Powerful Women: Top 100 awards, the Privacy Commissioner of Canada, Jennifer Stoddart, has been named one of Canada's 100 most influential women in the "public sector leaders" category (in English only). Commissioner Stoddart joins 584 women who have received this honour, given to the most accomplished leaders in Canada's private, public and not-for-profit sectors. The award is presented by the Women's Executive Network, and winners are chosen on the basis of their strategic vision, their leadership qualities, their organization's financial performance and their community involvement. To learn more, visit top100women.ca (in English only)."
(Source: OPC, News, 2 December 2011)
Congratulations.

Europe: adapting the Internet to children's needs

Following on from an earlier post, a number of companies have joined forces to adapt the Internet to children's needs and make it safer ... among them are Apple, Facebook, Google, Microsoft, Netlog and Vivendi. Thus,
"the coalition's founding members have agreed on a statement of purpose in which they declare their willingness to take action in five areas: 
- simple and robust reporting tools: features placed prominently and recognisably on all devices so that content and contacts that appear harmful to children can be reported effectively and acted upon with equal effectiveness; 
- age-appropriate privacy settings: setting parameters that take into account the needs of different age groups (these settings determine how widely information about a user is available, for example whether the user's contact details or photographs are accessible to the general public or visible only to close contacts); 
- wider use of content classification systems: developing an approach to age classification that is recognised as valid by all, can be used across all sectors and offers parents easily understandable age categories; 
- wider availability and use of parental controls: actively promoting user-friendly tools so that they are adopted as widely as possible; 
- effective removal of child sexual abuse material: improving cooperation with law enforcement and hotlines, and taking proactive measures to remove such material from the Internet."
(Source: IP/11/1485)
In summer 2012, the companies intend to evaluate their actions ... to be continued.


1 December 2011

Facebook and FTC (2)

Following up on an earlier post, the Federal Trade Commission website states that:
"The social networking service Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established. [...]
The FTC complaint lists a number of instances in which Facebook allegedly made promises that it did not keep:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn't warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data – data the apps didn't need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a "Verified Apps" program & claimed it certified the security of participating apps. It didn't.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn't.
The proposed settlement bars Facebook from making any further deceptive privacy claims, requires that the company get consumers' approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.
Specifically, under the proposed settlement, Facebook is:
- barred from making misrepresentations about the privacy or security of consumers' personal information;
- required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.
The proposed order also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order."
(Source: FTC, For release, November 29, 2011) 
The agreement will become final in 30 days; until then it is open for comments.