Inside 1to1:Privacy

Wi-Fi, Eye-Spy and the unintended consequences of new technology

August 12, 2010

By Jennifer L. Saunders

Imagine taking a trip cross country or across the globe, only to lose your camera or have it stolen miles from home. Once the usual channels of recovery are exhausted, you’d probably never expect to hear about it again. Not so for privacy professional Fran Maier of TRUSTe, who received an unexpected message after the disappearance of her camera in Germany announcing her new pictures were available online.

Maier’s camera was equipped with an Eye-Fi card, which allows users to instantly upload or backup their photos. Logging into her account, Maier found geo-tagged photographs of an unknown family. Maier contacted the company but received a response indicating it would not be able to assist in contacting the family in possession of her camera and recommending she contact the authorities. Berlin police have since taken the case and notified Maier that they will attempt to identify the individuals through her copies of their photographs.

“Coincidentally, it would happen to a privacy person at a privacy conference listening to Paul Ohm talking about how little data it takes to find somebody,” Maier told Inside 1to1: Privacy, explaining that she is currently weighing the next step after contacting police and sharing her story with fellow privacy professionals.

Such features that pinpoint the areas where photos were taken down to the streets and neighborhoods, combined with photographs of individuals and the ability to connect via social networking sites with users spanning the globe, illustrate exactly what Ohm was discussing--just how easy it is to track down people’s identities, Maier said.

As Maier pointed out, her situation and similar scenarios raise a host of questions ranging from consumer privacy to company policies and even international law. While such wireless-enabled devices might provide some form of protection for consumers who have lost items or are victims of theft, there are other potential scenarios.

“All technology has unforeseen consequences,” said Peggy Eisenhauer, CIPP, founder of Privacy and Information Management Services, adding, “you can imagine all kinds of situations where this technology could ‘spill’ photos. People get new cameras all the time, and they hand down the old ones to kids, friends, parents, etc., or sell them on Craigslist or at yard sales. If the original owners don’t think to tell the recipient about these services, they would have no way to know.”

Beyond cameras, there are regularly privacy breaches involving computers, smartphones and other technology.

As Eisenhauer put it, “The reality is that any smart device--any device that has the capability of storing or transmitting data--should be formally decommissioned.”

Setting aside instances where accidental data breaches have occurred through discarded devices, the intentional access to private data made possible by technological advances is raising privacy concerns.

For example, while one incident several years ago ended with a laptop owner recovering her stolen computer by activating its Web cam, a recent case in Pennsylvania, resulted in a lawsuit against a school district after employees allegedly used a similar feature installed on the school-issued computers as a loss-prevention measure to photograph students without their knowledge or consent.

Eisenhauer and Maier both acknowledged that there can be nefarious uses for those smart devices.

“Every teen with a cell phone/camera is a potential player in the sexting/cyberbulling arena,” Eisenhauer noted. “It seems abundantly clear that kids do not understand the consequences of their use of these devices. But it’s not limited to consumers.  This issue exists in the corporate world, too. I have corporate clients that make new technologies available to workers, such as smart phones, collaboration tools/social media, but without real thought to whether the users are really capable of managing the tools.”

When it comes to online privacy, she noted, “new data collection/distribution threats emerge each day.”

For companies and individuals to protect themselves, she stressed, understanding the technology is essential.

“When you acquire a new technology, you should do a risk assessment. Part of that assessment has to be, ‘can the users actually understand the issues and manage the risks properly?’ If not, that user weakness has to be addressed as a risk of the system,” she said. “With regard to Fran’s camera, Fran is one of the few people that really can understand the risks/rewards of geotagging, Eye-Fi, etc., so it’s okay for her to have these tools. Frau X in Germany likely does not understand these things. In this case, the lack of understanding puts her at risk. It might imperil Fran or Eye-FI as well.”

With the “Internet of Things,” Maier noted, the information stored in cameras, computers or smartphones can be combined with location and identifying data, increasing not only the chances to find lost items, as in the case of her camera, but potentially for abuse.

“If I were advising a company in this area, I would tell them to try to build transparency into the model,” Eisenhauer said, using the example of automatic notices to be displayed by photo-sharing sites when images are transmitted. “If the camera user doesn’t understand the alert, she should be able to get more info about what’s happening. If the person has purchased or acquired the camera lawfully, she should be told to contact the account owner to have the service disabled/transferred.”

If the camera was found or taken, Eisenhauer suggests the company’s message should advise how to return it and alert the holder that the rightful owner has access to their photographs and locations.

In the case of her camera, Maier said, the family may have no idea their images are being transmitted or accessed, which raises questions of notification for companies that provide such services and, if a smart device is obtained without an individual’s knowledge that it was lost or stolen, potential issues if their photographs are shared.

There is confusion over how the law applies in cases like this, Maier said, especially when photos taken in Europe are being disseminated across borders through a server based in the U.S. or another non-EU country.

On the Web, “Photos are just proliferating,” Maier said, adding that with the sharing, cross-posting and archiving of images, the ability to tag photo locations and track cell phones, “These kinds of issues are going to multiply.”