Easy for privacy to be lost in the clouds

PlayStation users don't have to be told it's privacy awareness week. As they're waiting for their lives to restart - sorry, their online gaming to be restored - they may be feverishly checking their credit card accounts in case any mysterious transactions appear.

According to a blog posting by Sony communications director Patrick Seybold, the hackers got away with not only the profile data on PlayStation Network and Qriocity systems, and "we cannot rule out the possibility" that credit card data was taken.

The breach is not only a great opportunity for the original hackers but for the phishers, who will be even now rejigging their templates to hook in gullible gamers.

Seybold warned that Sony will not contact its users in any way, including by email, asking for credit card numbers or other personally identifiable information, and that when service is restored, people should log on and change their user name and passwords.

Privacy Commissioner Marie Shroff issued a similar warning, and she is also sounding the alarm about a cavalier approach to privacy among many public and private sector organisations.

A survey of 50 large businesses and government agencies, including Air New Zealand, Fonterra, trading banks and government ministries, found many of them are starting to use overseas cloud computing providers to store or process information.

However, many don't check the overseas service providers use and management of the information, and "the people whose information it is often don't have a clue where the information is or how it's controlled".

Agencies frequently don't have policies about how customers' information can be used, and many are unaware of how things like the use of mobile internet or devices like smartphones takes information away from their control.

"Many businesses and government agencies do not see the use of these devices as involving overseas infrastructure, which it usually does," Shroff says.

Her office is using the survey to develop guidance on mitigating the risks involved in using cloud services.

The cloud most people are probably familiar with is social networking sites, and taking a few moments to do the survey put up by the Asia Pacific Privacy Authorities might encourage you to change their privacy settings, if not your online behaviour.

A lot of the advice from the APPA seems obvious but is too often ignored: think about what a future employer or partner might think about the information that you share; set up "friend" groups to control the access different people in your life have to your personal details; location-based check-ins can be risky - do you really want everyone to know that no one's home?

Location is what is creating another privacy storm, with people waking up to the fact that Apple, Google, Microsoft, telecommunications carriers and who knows who else are collecting and storing huge amounts of location-based data.

Use your smartphone and you are giving away your location through GPS, wi-fi proximity, cell tower triangulation and probably user check-in services.

Organisations are trying to work out how they can make money from that data through contextual advertising, new services, or extension of social networking.

There are sound technical reasons for collecting location data: it means a quicker response time if a phone can reference a local file to access a cell tower, rather than launch a new search for connection options.

But it adds to the pool of information available for carriers to onsell to marketers or provide to spy agencies - and don't complain, you authorised it when you clicked on the network access agreement without reading the small print.

It can also create hazards for travellers.

A former Apple employee, Pete Warden from Data Science Toolkit, and University of Exeter researcher Alasdair Allan discovered that for the past year Apple's iOS 4 operating system has been storing location data from iPhones and iPads in an unencrypted file, which is synchronised to iTunes or any back-up device.

Lose your iPhone, or get it seized by authorities, say when you are crossing a border, and your movements for the past year are immediately trackable.

It's one of the reasons Free Software Foundation founder Richard Stallman won't have a cellphone.

He's also not too keen on Facebook, warning users they are its product, rather than its customer.

The Electronic Frontier Foundation has similar concerns, tracking how over the years Facebook's privacy policy has morphed from one which offered users simple and powerful controls over their personal information to one which allows it to hand more of its users' information to advertisers and business partners.

adamgifford5@gmail.com