The Government's data privacy watchdog, the Information Commissioner's Office (ICO), is looking into possible privacy breaches by Facebook and UK-based booking site HotelHippo.com that have sparked debate over the commercial use of people's personal data.
The ICO has launched an enquiry into whether Facebook broke data protection laws when it conducted a psychological study on almost 700,000 users without telling them.
Last weekend, it emerged that the January 2012 study, carried out with Cornell University and the University of California at San Francisco, manipulated the news feeds of 689,003 people to test whether those who were exposed to fewer negative stories were less likely to write a negative post, and vice versa. But the participants were not aware the research was being done.
Separately, the ICO is examining claims made by Scott Helme, an information security consultant with Altrincham-based Pentest Limited, that HotelHippo.com's website security was so poor that he was able to “easily discover a method of extracting the personal and sensitive data of thousands of customers that had used the site before me”.
In a 1 July blog post, Helme said that as a customer his booking reference number was clearly shown, and he was then able to “start walking backwards through the booking reference numbers, which are sequential, and pull out the data associated with each one”, including each customer's name, address and booking details.
He pointed out: “Potential criminals know your name, address and postcode, and they also know on exactly what dates you and your family won't actually be in your house.”
Helme also found an SQL Injection vulnerability on the ID fields used in the site's URL and claimed the site's encryption levels put it in breach of the PCI (Payment Card Industry) data security standard.
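As an added illustration (not code from HotelHippo, Helme or the original article), the Python below contrasts a booking lookup that has the two weaknesses described above, sequential references with no ownership check and an ID pasted into the SQL text, with a hardened lookup. The table layout, function names and sample records are assumptions constructed for the example.

```python
import secrets
import sqlite3

def make_db():
    """Constructed sample data: two customers with consecutive booking numbers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bookings (id INTEGER PRIMARY KEY, ref TEXT UNIQUE,"
               " customer_id INTEGER, name TEXT, address TEXT)")
    rows = [(48211, secrets.token_urlsafe(16), 1, "A. Example", "1 Sample Road"),
            (48212, secrets.token_urlsafe(16), 2, "B. Example", "2 Sample Road")]
    db.executemany("INSERT INTO bookings VALUES (?, ?, ?, ?, ?)", rows)
    return db

def lookup_weak(db, booking_id):
    # Weak: the ID from the URL is concatenated into the SQL text (injectable),
    # and nothing ties the booking to the person asking for it.
    query = "SELECT name, address FROM bookings WHERE id = " + str(booking_id)
    return db.execute(query).fetchone()

def ref_for(db, booking_id):
    """Server-side helper: the random reference issued for a booking."""
    return db.execute("SELECT ref FROM bookings WHERE id = ?", (booking_id,)).fetchone()[0]

def lookup_hardened(db, session_customer_id, ref):
    # Hardened: the public reference is random rather than sequential, the value
    # is passed as a bound parameter, and the row must belong to the customer
    # identified by the authenticated session, not by anything in the URL.
    if not isinstance(ref, str) or not 0 < len(ref) <= 64:
        return None
    query = "SELECT name, address FROM bookings WHERE ref = ? AND customer_id = ?"
    return db.execute(query, (ref, session_customer_id)).fetchone()

if __name__ == "__main__":
    db = make_db()
    # Customer 2 holds booking 48212; the neighbouring number belongs to customer 1.
    print("weak, neighbouring number:", lookup_weak(db, 48212 - 1))
    print("hardened, own reference:", lookup_hardened(db, 2, ref_for(db, 48212)))
    print("hardened, someone else's reference:", lookup_hardened(db, 2, ref_for(db, 48211)))
    print("hardened, guessed number:", lookup_hardened(db, 2, "48211"))
```

The ownership check is the control that matters most: even if a random reference leaks, the hardened lookup returns nothing to a session that does not own the booking.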
The website closed down after Helme's findings were reported by the BBC and was still down at the time of writing.
Helme says he had notified HotelHippo earlier of the issues, but they only acted when the BBC became involved.
“Whilst I have to applaud them for taking the affected areas of the site offline at that time, it shouldn't have to get so far before companies start taking responsible disclosures seriously,” he said. “There is a lot of customer data at risk.”
An ICO spokesperson told SCMagazineUK.com that the two cases potentially breach different ‘principles’ of the Data Protection Act.
With HotelHippo, the issue at stake is simply “that organisations must keep personal data secure – whether it was easy to access other people's personal data just by changing numbers in the web browser window”.
With Facebook, the principle is “personal information must only be processed for limited purposes - so people must be clear why they are taking your personal data, people should understand that their personal data may be used for research purposes”.
The spokesperson added: “Under the Data Protection Act organisations must process personal information fairly and lawfully and it must be kept secure. This includes being open and upfront with people about how their data will be used and making sure the information is adequate and not excessive.
“We're making enquiries in both cases.”
Focusing on the Facebook case, privacy expert Giles Watkins, a partner in KPMG's cyber security team, said it highlights current uncertainty over where the boundary lies between protecting people's privacy, and allowing commercial companies to use their knowledge of customers to maximise revenue.
He told SC via email: “Most organisations understandably continue to push the boundaries around privacy as they seek to better understand their markets and customers, and to refine their offerings. It is not surprising that sometimes regulators examine whether these boundaries are occasionally crossed.”
Watkins added: “The combination of the desire to innovate and create value, coupled with a lot of ‘grey space’ in global privacy regulations inevitably leads to uncertainty over what is allowable and what isn't. What will be equally, if not more, important going forwards will be what is ‘acceptable’ to customers and citizens at large.
“Regulators continue to provide views and guidance on the profiling of individuals and what may be acceptable legally and importantly culturally. However, the market may well decide with their dollars, time and clicks well before regulation catches up.”
Talking to SC, Raj Samani, CTO of McAfee EMEA, commented: “Absolute privacy never existed and never will. We need to address three main requirements, the value of the data to the subject, transparency, and consent. Facebook is accused of acting without consent, but even if it is explicit in the terms and conditions, it may not be informed consent – which requires maturity on the part of the subject. Even then, a lot of individuals don't understand the value of their identity data. Right now it's about US$42 per person (based on IPOs/user numbers), but personal data is forecast to be worth US$1 trillion by 2020.”
Focusing on the HotelHippo case, Roy Harris, a senior vice president at iboss Network Security, said in an email to journalists: “HotelHippo.com has been forced to temporarily check out under hacking investigations. Threats often move through networks unseen. However in this case, for personal data to be revealed by changing a unique five-figure number in the web browser is worrying.
“In this case, vigilant consumers would be none the wiser to the risk, as the website displayed several messages and trust stamps stating it was secure. The onus is now on retailers to ensure consumer safety.”
In response to the claims, Facebook is quoted by the BBC as saying there was “no unnecessary collection of people's data”, while HotelHippo said: “We confirm that we have taken down the HotelHippo.com website to take some urgent action to deal with a technical situation. Privacy of customer data is our prime concern, and we are committed to ensuring this safety.”