Software updates expose users to privacy risks

SYDNEY, Australia — Canada and more than 20 other countries have issued a warning to computer users that software companies could be surreptitiously stealing personal data as they provide updates to their products online.

The warning came in a resolution, co-sponsored by Ontario, passed

at the end of a conference last week in Sydney of data protection and privacy commissioners from around the world.

Software manufacturers worldwide were increasingly using “”non-transparent techniques”” to transfer updates online, the resolution said.

These allowed the manufacturers to collect personal information stored on users’ computers, such as Internet browsing habits, without the users even being aware of it happening, let alone being able to try to prevent it.

In some cases, the commissioners warned, manufacturers could gain at least partial control over the target computers — and restrict the owners’ ability to meet legal responsibilities or to ensure the security of data.

“”This may cause particular problems in government institutions and private companies to the extent that they are under specific legal obligations how to process personal information,”” the resolution said.

Users requesting software updates online should only have to provide a minimal amount of personal data, and the download process should not involve any unchecked access to their computers, it said.

The resolution was endorsed by Heather Black, an assistant Privacy Commissioner of Canada, and more than 20 national counterparts from Australia, New Zealand, Asia and Europe.

Ontario’s invitation to take joint leadership on the issue with five European countries was in recognition of its pioneering work in a number of privacy protection areas, said Ken Anderson, the province’s deputy Privacy Commissioner.

“”We recognise that this is a worldwide problem and as we follow this up we will be expecting any company involved in software updates to comply,”” he said.

One major Ontario initiative, advanced further during the Sydney conference, was a proposed international system of certification of privacy enhancing technology, Anderson added.

“”The Ontario office is a shining light in the privacy commissioner community,”” confirmed the Sydney meeting’s chairman, Australia’s federal Privacy Commissioner, Malcolm Crompton.

“”In fact the Ontario office helped to invent the term ‘privacy enhancing technologies,’ as opposed to privacy invasive technologies.

“”They continue to do a lot of very good work in this area and we in Australia and others around the world are benefiting from this.””

During the Sydney conference, the Canadian recently appointed as chief privacy strategist for Microsoft International, Peter Cullen, promised his company’s commitment to addressing concerns over the behaviour of software manufacturers.

Cullen, a Vancouver native who joined Microsoft two months ago after 26 years at the Royal Bank of Canada, said privacy was a key part of the “”trustworthy computing”” policy outlined by company head Bill Gates earlier this year.

“”On the privacy front, we realise we’ve got to give customers more control and choice over how their information is collected and used, and in ways that are easily understood,”” Cullen said.

“”Sometimes the emotional concern over privacy tends to sort of govern the behaviour of consumers, and the down side of that from a business perspective is missed opportunities.””

Microsoft’s next Windows operating system, dubbed Longhorn after a bar in Whistler, B.C., and expected to be released in 2005, would incorporate new privacy safeguards, Cullen said.

“”It will be much more transparent, much more upfront,”” he said. “”The customer will get a lot more information about privacy as well as a lot more access to different privacy tools at the click of a mouse, as opposed to having to look two or three levels down.””

Microsoft’s stated commitment to improved privacy protections were dismissed by another participant at the Sydney conference, Cedric Laurant, from the Washington, D.C.-based Electronic Privacy Information Centre.

“”I think it is just probably just a PR motto,”” said Laurant, whose centre led a coalition of U.S. consumer groups which last year forced Microsoft to amend security and privacy promises made through its “”passport”” Internet services.

“”I think they have shown in the past that they couldn’t care less about the privacy of their users,”” he said.

Comment: info@itbusiness.ca

Share on LinkedIn Share with Google+