The Information Commissioner's Office (ICO) has updated its guidance relating to the use of tracking technologies under changes to the UK's Privacy and Electronic Communications Regulations (PECR) which came into force last year, but which began to be enforced last saturday, 26th May 2012.

Version 3 is an update to the version issued last December, and provides further information on "implied consent". The guidance is accompanied by a blog posting and video presentation.

Client-side, or local, storage is an area of concern for privacy and security. Therefore I was keen to attend the latest meeting of the London Web Performance Group titled HTML5 and Localstorage - Storage in the Browser at the Lamb Tavern (building c1780, but on the same site since 1309) in Leadenhall Market on Wednesday evening.

I almost changed my mind as I was also tempted to attend another local event on the same evening about NoSQL for Java Developers. Anyway I was very pleased I went to the client-side storage event, but it was so well-attended I almost did not have a seat. As usual, Stephen Thair (@TheOpsMgr) had done a great job organising the event.

Andrew Betts (@triblondon) described his experiences developing HTML5 applications for mobile devices, avoiding native code whenever possible, so that content could be available when the device is offline or in poor signal areas by using client-side storage. He described the pros and cons of using HTTP cookies, Indexed Database API (IndexedDB), Web SQL Database (WebSQL), local storage (key/value store) and Application Cache (or AppCache). Well the answer of which to use is "all of them". Andrew described how the FT.com application makes use of each type's advantages, to combine together into a responsive and network-robust application suitable for the most frequent and demanding of users. Therefore cookies are used for session management, AppCache for a default fallback page, local storage for static content such as HTML scaffolding, JavaScript and style sheets, and IndexedDB/WebSQL for the HTML content of pages. Thus they manage to fit the application into the HTML5 constraints imposed by different operating systems.

He explained many of the techniques used to circumvent mobile network and device-specific issues, but also explained how they managed to squeeze extra storage by compressing content as ASCII or base64 encoded data into JavaScript's UTF-16 double-byte encoding. It is a very clever piece of optimisation, which could also be used for code obfuscation. Details in the presentation slides.

I think users of client storage will have to be careful if it might be determined to be tracking technology. In the FT.com application case, this client storage is not offered to casual web site users, but only to those who have installed the app, are registered and log in. Thus there are opportunities to obtain consent, over and above any warning the device may offer. We are expecting to hear more about the ICO's plans for enforcement of the new regulations at a press conference this morning. Other HTML5 security issues are of course still a concern here. I was slightly troubled by one feature mentioned.

The presenter's slides are now available.

The UK's Information Commissioner's Office (ICO) publishes details of its prosecutions, monetary penalties, undertakings and enforcement notices.

This week, two additional undertakings were published:

• Brecon Beacons National Park Authority for disclosure of personal data via its web site in two separate cases (undertaking, 18th April 2012)
• Toshiba Information Systems UK Ltd for unrestricted access to the personal data of 20 customers on its web site over a two-month period (undertaking, 17th April 2012)

The Toshiba incident is interesting because it specifically mentions lack of access control and the weakness of insecure direct object references. There's a good write-up about the Toshiba issue on the Web Application Security - From the Start blog.

The other most recent ICO actions relating to web sites (rather than paper, laptops, USB devices, email, fax, etc) were:

• Durham University's disclosure of personal data via its web site (undertaking, 1st March 2012)
• Dumfries and Galloway Council's disclosure of employee personal data online (undertaking, 17th October 2011)
• Child Exploitation Online Protection Centre (CEOP) and the Serious Organised Crime Agency (SOCA) for lack of encryption in transit of extremely sensitive data when using a web form (undertaking, 15th September 2011)
• Lush Cosmetics personal data and cardholder data loss via its ecommerce web site (undertaking, 9th August 2011)
• Andrew Jonathan Crossley/ACS Law loss of data from its web site (monetary penalty notice, 10th May 2011)

What can we learn about the ICO's specific expectations for organisations' online application compliance with the seventh data protection principle to protect against unauthorised and unlawful processing, accidental loss, destruction, and/or damage? The enforcement notices above suggest:

• There must be a policy for processing of personal data and staff must be made aware of it and given training which is monitored (Durham University)
• There must be a policy for the retention, storage and use of personal data and staff must be trained how to follow the policy (Brecon Beacons NPA)
• Publication of information must not contravene any relevant legislation regarding information disclosure (Brecon Beacons NPA)
• Some personal data (organisation dependent) must never be published on a website (Durham University)
• Access to personal data must require authentication and must have adequate authorisation checks (Brecon Beacons NPA, Toshiba, Dumfries and Galloway Council)
• Security of personal data must be considered when selecting suppliers of services (Andrew Jonathan Crossley/ACS Law)
• Third parties involved with developing/maintaining/operating web sites must be made aware of their requirements and responsibilities for protecting personal data (CEOP/SOCA)
• Contracts with third parties must define data protection responsibilities (CEOP/SOCA)
• There must be regular checks to ensure web sites remain secure, and any potential weaknesses must be identified very promptly (CEOP/SOCA)
• There must be measures in place, appropriate for the potential harm that could occur, to prevent accidental personal data loss (Andrew Jonathan Crossley/ACS Law)
• The risk to online systems must be re-assessed as threats change (Andrew Jonathan Crossley/ACS Law)
• Compliance with data protection and IT security policies must be verified and monitored (Durham University, Dumfries and Galloway Council)
• Expert advice must be sought when large amounts of personal data are being stored, processed or transmitted online (Andrew Jonathan Crossley/ACS Law)
• The findings of audits and security reviews must be assessed by management and implemented or the risk formerly accepted (Dumfries and Galloway Council, CEOP/SOCA)
• There must be technical measures to detect authorisation failures (Toshiba)

We can also draw additional expectations from the ICO's Data Sharing Code of Practice section on security. Those might be summarised as:

• Technical security measures must be appropriate for the system in use and the type of data held and processed (Data Sharing Code of Practice)
• When data encryption is used, it must be selected, implemented and managed appropriately (Data Sharing Code of Practice)
• The most common security risks must be identified (Data Sharing Code of Practice)
• There must be suitable access control (authentication, authorisation and session management) with appropriate assignment of privileges based on a "need-to-know" basis (Data Sharing Code of Practice)
• Information in transit must be protected (Data Sharing Code of Practice)

These are just my own interpretation and of course. They will not be all the ICO's expectations, but are the ones which we are now aware of. Additionally, data in online applications may also be exposed in related processes (often email, or transfers between systems, and during development, testing and operation where data may exist on paperwork, in mobile devices and in archives & backups). Examine the other enforcement notices for the ICO's expectations in these other channels.

If you want to keep up-to-date with application (and other) data loss incidents that subsequently lead to regulatory action in the UK (typically by the FSA or ICO), use Breach Watch. For further afield, the Web Hacking Incident Database (WHID).

What functionality do your applications include to support subject access requests? During operation and after decommissioning?

At the end of last month the UK's Information Commissioner's Office (ICO) published updated guidance on what is meant by the term "disproportionate effort" under an organisation's obligation to comply with subject access requests.

The ICO recognises that searching for personal data on live systems should be easier, that doesn't negate the need to identify relevant personal data in terminated, offline, backup and archival systems and locations. Data controllers can only use the "disproportionate effort" qualification in respect of "supplying a copy", not in regard to "locating" the information in the first place.

Under the UK's Data protection Act 1998, organisations processing personal data must comply with the eight data protection principles

So, apart from ensuring the personal data your applications are processing is being processed fairly and lawfully, has been obtained for one or more specific purposes, is adequate, relevant and not excessive, is accurate and, where necessary, kept up to date, is not be kept for longer than is necessary, is processed in accordance with the rights of data subjects and is secure... do you applications allow for accurate data identification and extraction? How do your applications track where data are exported to?

Quite a collection of requirements there then.

ENISA, the European Network and Information Security Agency, has published a report on the economics of privacy.

Study on Monetising Privacy - An Economic Model for Pricing Personal Information examines approaches used to analyse the interaction of personalisation, privacy concerns and competition between online service providers. The report describes existing work on the economics of privacy, discusses a theoretical model and the results of experiments to validate versions of different the model.

The research found that consumers are making economic decisions based on personal data exposure, but there is a need for flexibility from regulators and transparency in services, to enable a more efficient privacy market.

It's not just lambs that are bouncing around madly this March.

The UK's Information Commissioner's Office (ICO) kindly gave a period of grace to allow organisations to align their operations with the guidance concerning updates to the UK Privacy and Electronic Communications Regulations (PECR). The 26th May 2012 is not far away now.

Although guidance has been available since May 2011, with an update issued in December, it seems many organisations have not done anything, or are unsure what to do, or do not know what is required. In a blog post last week on E-Consultancy.com, the replies to EU Cookie Law: Three Approaches to Compliance give an air of desperation and a feeling that no-one wants to jump first.

Some of the comments are reasoned and practical, but there seems to have been much denial, and a need to place the blame somewhere else (Europe?), instead of proactively complying with the law, and helping individuals to protect their privacy. The comments from Lord Manly, Mike O'Neill, Carlton Jefferis and Russ add some welcome sanity to the hysteria.

Of the three suggestions made in the blog post for gaining compliance, none suggest avoiding the use of tracking technologies. And of course, it isn't just cookies, despite the headlines. As mentioned previously, technologies include:

• HTTP cookies
• Local Shared Objects (LSO) i.e. Flash cookies
• userData in DHTML Behaviors
• data in a Google Gears database
• data in an Indexed Database API
• local data storage in mobile applications
• HTML5 storage

...and anything similar that exists now or in the future.

I think the time to lobby is well past, and the time for action is about to run out. There are services/products that address some of the issues, but to do this properly in a way that covers all similar technologies probably requires building greater consideration of the issues into your own development and change control processes. Post-implementation sticky tape won't really do.

From May 2012, the ICO will be "accepting complaints" from users, and will then contact web site owners to ask them to respond to the complaint and explain what steps they have taken to comply with the regulations.

The regulator for premium rate services (PRS) in the UK, PhonepayPlus (PpP), has issued new consolidated guidance for when premium rate is used as the mechanism for application-based payments.

Application-Based Payments provides guidance relating to the obligations in the PhonepayPlus Code of Practice (as a PDF). The guidance is not binding and does not form part of the Code of Practice, but instead provides information on how compliance with the Code can be achieved.

The guidance is concerned with outcomes from the Code:

• Transparency and Pricing - [2.2] "That consumers of premium rate services are fully and clearly informed of all information likely to influence the decision to purchase, including the cost, before any purchase is made."
• Password Protection and Security - [2.3] "That consumers of premium rate services are treated fairly and equitably." and [2.4] "That premium rate services do not cause the unreasonable invasion of consumers' privacy."
• Complaint Handling - [2.6] "That consumers are able to have complaints resolved quickly and easily by the Level 2 provider responsible for the service and that any redress is provided quickly and easily."
• Method of Exit - [2.3] That consumers of premium rate services are treated fairly and equitably.

The guidance suggests how pricing and other key information should be presented before downloading an application & for purchases within an application, information where a service can be accessed on more than one device or channel, fermium services, how to provide a method of exit, consumer consent to charging, password protection and practices for handling complaints. It also discusses misleading promotions and virtual currencies, and most importantly that mobile-based payment service providers should ensure their services are compatible with every technical platform and/or device on which they are promoted.

One issue in particular is worth highlighting. Paragraph 7.2 of the guidance says that if malicious software (malware) is found, then a tribunal under the Code may not be likely to consider any proof of consent for charging to be robust enough.

If you are developing applications that rely on premium rate charging mechanisms, read the guidance with care. PpP has sharp teeth. In a recent case unrelated to this guidance, two companies were each fined £100,000 for placing adverts for premium rate services on typo-squatting hostname websites which looked like other popular websites.

Even if your applications do not fall within the controlled PRS covered by PpP, there is still a lot of useful good practice information for other consumer services in the Code and related guidance documents.

Does it frustrate you seeing inaccurate or unjustified claims such as "this website is secure", "we use a secure server" and "your privacy and security is paramount to us". Or privacy-related claims like "your personal data is stored safely, securely and anonymously" and "we will not share your data with any other organisation". How are misleading claims about a software application's security any different to misleading claims about medical benefits or eco-friendliness, inaccurate descriptions, and unsubstantiated testimonials, etc of other consumer products and services? I don't believe they are.

Without a standard kite mark or agreed security, privacy and trust labelling standards, how do consumers know what is the truth about the security of the web sites, mobile apps and other software applications they are using. Well, for the moment we could do with some more accuracy & honesty about security and privacy claims.

We may not have much legislation relating to securing software applications, but the Advertising Standards Authority (ASA) has had a digital remit since last year.

So, apart from the requirements to secure personal data (Principal 7 of the Data Protection Act) and to protect privacy in electronic communications (Privacy and Electronic Communications Regulations responsibilities and obligations), and other sector-specific regulations concerning information security and privacy such as from the Financial Services Authority (FSA), Medical Research Council, and Payment Card Industry Security Standards Council (PCI SCC), marketing claims themselves are regulated. Therefore a claim about security or privacy is regulated.

The relevant sections in the Committee of Advertising Practice's UK Code of Non-Broadcast Advertising, Sales Promotion and Direct Marketing (CAP Code) seem to be:

• Misleading advertising
  • 3.1 Marketing communications must not materially mislead or be likely to do so.
  • 3.2 Obvious exaggerations ("puffery") and claims that the average consumer who sees the marketing communication is unlikely to take literally are allowed provided they do not materially mislead.
  • 3.3Marketing communications must not mislead the consumer by omitting material information. They must not mislead by hiding material information or presenting it in an unclear, unintelligible, ambiguous or untimely manner. Material information is information that the consumer needs to make informed decisions in relation to a product. Whether the omission or presentation of material information is likely to mislead the consumer depends on the context, the medium and, if the medium of the marketing communication is constrained by time or space, the measures that the marketer takes to make that information available to the consumer by other means.
  • 3.7 Before distributing or submitting a marketing communication for publication, marketers must hold documentary evidence to prove claims that consumers are likely to regard as objective and that are capable of objective substantiation. The ASA may regard claims as misleading in the absence of adequate substantiation.
  • 3.11 Marketing communications must not mislead consumers by exaggerating the capability or performance of a product.
• Database practice
  • 10.1 Personal information must always be held securely and must be safeguarded against unauthorised use, disclosure, alteration or destruction.

Complaints can be made to the ASA concerning advertisements within their remit, including the online remit which includes "marketing communications on companies' own websites". And the companies don't need to be using a .uk domain — they just have to be registered in the UK.

If you are an organisation with online marketing material and are UK-based, you need to ensure your security & privacy copy does not contravene CAP to avoid possible sanctions and adverse publicity, and at the same time builds user trust, and encourages them to report suspicions & concerns to you as easily as possible in a timely manner.

As a consumer, if an online channel has any marketing claims about security & privacy which you think contravene CAP, the ASA's complaints process can potentially be used to improve standards in this area.

In response to last month's proposals for reform to data protection legislation by the European Commission, the UK's Ministry of Justice has announced a call for evidence on the proposals.

The call for evidence is seeking information from data controllers, data processors, rights groups, information policy experts and others on what might be the impacts and benefits of the potential changes. The aim is to provide the Government with information it can use during the forthcoming negotiations relating to the proposed framework.

Let's hope this helps to develop a practical, workable framework. Whatever the outcomes, building privacy concerns into systems and processes from the start will reduce the subsequent administrative burden. Have your say now — rather than when it is too late. Responses can be submitted by post, email and using the online form to answer the questions:

• How will the proposals affect you, or the bodies you represent?
• Wherever possible we would like quantifiable costs and benefits and real-life examples of the potential impact of the proposals.

The call for evidence closes on 6th March 2012.

Yes, had you forgotten it's Data Privacy Day tomorrow? See StaySafeOnline for events in the US and Canada. Not sure why it's a Saturday — maybe to give the weekend journalists a story they can prepare in advance, and then take the day off.

While there is a programme of events, data protection has been in the news this week following the publication on Wednesday of the European Union's proposed reform of data protection legislation, promoted under the banner of aiming:

There has been extensive documentation and justifications published to accompany the draft directive. There is of course plenty of coverage elsewhere, and I would recommend reading the following:

• Initial response from the ICO on the European Commission's proposal for a new general Data Protection Regulation, UK Information Commissioner's Office
• EDPS welcomes a "huge step forward for data protection in Europe", but regrets inadequate rules for the police and justice area European Data Protection Supervisor
• Pan-EU consistency in data protection reform welcome, but burden on business a problem, says expert, Out-Law.com

So, what does it mean? For now, these are just proposals, and what will eventually be made into law will be something very different. But it does indicate the way things are going, and is a reminder to website and application owners & developers of the need to take privacy considerations into their projects now, since the cost of changes later may be prohibitive. And, they should be doing this already, but there may be more obligations for those processing personal data in the future. There is potentially more complex functionality required for tracking consent, achieving data portability, handling withdrawal of consent and undertaking data removal.

And, there is the topic of mandatory notification of "serious" breaches.

Data Privacy Day might be a day of reading after all.