Archivo de la etiqueta: Orbitz

FB-AlmightyYes, the image that tries to illustrate this post is really crude and concocted; it’s not meant to be a meme, and it wasn’t even made using proper imaging software. Perhaps someone with the time and skills may take it upon his/herself to improve on it. However it might help get a point across.

Since Monday last week media outlets, ranging from Forbes, the Times and the WSJ to CNN EXPANSIÓN, have reported on a so-called “study” conducted by Facebook’s data scientists on hundreds of thousands of “randomly selected users”, by manipulating the amount of positively or negatively charged posts made visible to them in their timelines, with which they were allegedly looking to establish how emotions spread on social media.

Although this remark’s probably been flogged to death already, I’m certain that social science and literature majors across the world are (again) going: “If he were alive, George Orwell would say “I hate to say I told, BUT I TOLD YOU!””. The machinery of the “Minitrue” in his novel “1984” would pale in comparison to the Web 2.0, and even more so the “Internet of Things”.Episodes such as the panic raised by Orson Welles’s broadcast of “War of the Worlds” or the viral hoaxes of the late 90s and early XXth Century seem like child’s play now, compared to the episodes of panic and the threats to privacy posed by social media.

Facebook’s lawyers ought to be smelling a(nother) class action brewing miles away…Oh, no, wait! The Electronic Privacy Information Center has already filed a complaint with the Federal Trade Commission on account of this episode,claiming that “At the time of the experiment, Facebook did not stat in the Data Use Policy that user data would be used for research purposes. Facebook also failed to inform users that their personal information would be shared with researchers”. So where exactly does that fin in the “How We Use Information we Receive” section of their Data Use Policy?

“For example, in addition to helping people see and find things that you do and share, we may use the information we receive about you:
  • as part of our efforts to keep Facebook products, services and integrations safe and secure;
  • to protect Facebook’s or others’ rights or property;
  • to provide you with location features and services, like telling you and your friends when something is going on nearby;
  • to measure or understand the effectiveness of ads you and others see, including to deliver relevant ads to you;
  • to make suggestions to you and other users on Facebook, such as: suggesting that your friend use our contact importer because you found friends using it, suggesting that another user add you as a friend because the user imported the same email address as you did, or suggesting that your friend tag you in a picture they have uploaded with you in it; and
  • for internal operations, including troubleshooting, data analysis, testing, research and service improvement.”

This episode just adds to the social network’s poor privacy track record, tracing back to the “Beacon” shortly after its inception, which has now again put it in hot water, as it did in the episode that ended with the 2012 consent decree entered into with said FTC, and adds to privacy and ethics concerns raised by other technology companies and seemingly rouge scientists in their employment, such as the one about Google Street View picking up information from unencripted WiFi networks, which got it fined by Germany, and Orbitz’s profiling of PC and Mac users, pointing to how easily (and perhaps even dangerously) online media could manipulate us users on a global scale.

While it seems likely for Facebook to hold that the study was fair game under the blanket consent that must be granted to sign up for and continue to use the service (when its Terms of Use and/or Privacy Policy are modified or updated), privacy activists and common sense are likely to contend that notion. This instance will undoubtedly be hotly debated in court in more than one jurisdiction; that raises (again) a question of Internet law that has been debated since its early days: whether or not Internet-based businesses are under obligation to abide on a global scale by the laws of each and every jurisdiction their operations might extend to, which is a daunting thought for undertakings that can reach any corner of the world with Web access. That point of law has been taken a stab at by courts since the Tribunal de la Grand Instance ruled against Yahoo! in the 2000 case of la Ligue contre le Racisme et l’Antisemitisme c. Yahoo! Inc, to the more recent one where the Supreme Court of British Columbia enjoined Google from displaying links to search results for the sale of infringing software.

However the issues at the core of those cases are more complex than Facebook’s instance. I see no difficulty in Facebook sorting out where the users singled out for its trials reside in order to secure their consent prior to their engagement in them. And that’s the question at the core here: whether or not Facebook erred by not having done so. General consensus, whether stemming from public opinion, ethical guidelines or the law is it did. While product testing is an every-day need and reality in business, when a product or service has the ability to mess with people’s minds there ought to be a heightened duty of care, and of accountability, on the part of the product or service provider, given the harm it may inflict upon the subjects involved, the people near them and even their communities.

The atrocities of World War II yielded the Nuremberg Code, which lays down the principles of ethics to be met in all human experimentation that are (to be) followed in such undertakings and extend to everyday medical practice, and which cornerstone is voluntary and duly informed consent of the subject(s), which appears to have been largely absent here. Granted, whereas psychiatry is medical practice, psychology is not. However Standards 3.10 and 8.02 of the Ethics Code of the American Psychological Association prescribe as follows:

3.10 informed consent

(a) When psychologists conduct research or provide assessment, therapy, counseling, or consulting services in person or via electronic transmission or other forms of communication, they obtain the informed consent of the individual or individuals using language that is reasonably understandable to that person or persons except when conducting such activities without consent is mandated by law or governmental regulation or as otherwise provided in this Ethics Code.

8.02 informed consent to research

(a) When obtaining informed consent as required in Standard 3.10, Informed Consent, psychologists inform participants about (1) the purpose of the research, expected duration, and procedures; (2) their right to decline to participate and to withdraw from the research once participation has begun; (3) the foreseeable consequences of declining or withdrawing; (4) reasonably foreseeable factors that may be expected to influence their willingness to participate such as potential risks, discomfort, or adverse effects; (5) any prospective research benefits; (6) limits of confidentiality; (7) incentives for participation; and (8) whom to contact for questions about the research and research participants’ rights. They provide opportunity for the prospective participants to ask questions and receive answers.

An important conclusion stems from the above: informed consent in the practice of psychology is not the same as a privacy notice under US laws, regulations and/or ethical standards. The same is true under the Code of Ethics of the Mexican Psychology Society, which article 118 states that informed consent must be obtained whether for therapy, research or other procedures. It is also not the same as a “consent notice” or “aviso de privacidad” as provided for in the Mexican privacy law. This refers back to the question a few paragraphs above: was Facebook under obligation to abide by the laws and regulations of the domicile of each and every single one of its almost 700,000 users targeted in its “study”? That will be the subject matter of another entry herein; at this point the last idea I want to convey as far as Mexican privacy law and practice go is the following:

Although the requirements of voluntary informed consent in the practice of medicine and psychology may overlap, as the investigation and MXN$485,700.00 fine assessed by IFAI, the Mexican data protection authority, fined WTC Sports Clinic, a physical therapy and outpatient surgery clinic, show, the means to secure such consent as per each of the laws and regulations governing each area of practice do not suffice to meet with the requirements of the others, so that practitioners in the aforesaid fields need proper legal advice in order to avoid failing to comply with the novel legal framework for privacy, which provides for a consent notice as additional to that mandated by the Regulations (Normas Oficiales Mexicanas) which require that letters of written informed consent be included in each patient’s file and that such consent be included in human research protocols as a requisite for their authorization by the Mexican health authority, which is also a mandate of the Regulations to the General Health Law in Health Research (article 14, Roman numeral V).

Cookie MonsterEl escalonamiento con el que la regulación mexicana en materia de protección de datos personales ha sido emitida ha supuesto para los Responsables del Tratamiento de Datos Personales la necesidad de hacer trabajo adicional para implementar su cumplimiento normativo  correctamente.

Desde el 5 de julio de 2010, fecha en que fue promulgada la Ley Federal de Protección de Datos Personales, y hasta el 21 de diciembre del 2011, mucho después de transcurrido el plazo de un año previsto en el Artículo Tercero Transitorio de esa Ley para que dichos Responsables expidieran sus Avisos de Privaciad, hasta que tras un largo periodo de comentarios públicos en la Comisión Federal de Mejora Regulatoria, fue expedido el Reglamento correspondiente, todos los requisitos para esos Avisos de Privacidad que posteriormente fueron denominados como Integral y Simplificado estaban contenidos en los artículos 8, 15, 16, 36 y 37 de la Ley.

Esos requisitos se limitaban a:

  1. Identidad y domicilio del Responsable;
  2. Información que se recaba de los Titulares de los Datos Personales tratados;
  3. Finalidades del tratamiento de datos;
  4. Ppciones y medios para que los Titulares limiten el uso o divulgación de sus Datos Personales;
  5. Medios para ejercer los Derechos ARCO;
  6. Las Transferencias de datos que se efectúen;
  7. El procedimiento y medio por el cual el Responsable comunicará a los Titulares los cambios al Aviso de Privacidad, y
  8. Consentimiento, ya sea tácito o expreso.

…y fueron incrementados por el citado Reglamento, por ejemplo con la obligación prevista en su Artículo 112, por virtud del cual aquellos Responsables que lleven a cabo el Tratamiento de Datos Personales en procesos de toma de decisiones sin que intervenga la valoración de una persona física deben hacerlo explícito entre la Finalidades de dicho Tratamiento, al igual que el requisito derivado del último párrafo del Artículo 14 del citado Reglamento, de acuerdo con el cual cuando el Responsable utilice mecanismos en medios remotos o locales de comunicación electrónica, óptica u otra tecnología, que le permitan recabar datos personales de manera automática y simultánea al tiempo que el titular hace contacto con los mismos, en ese momento se deberá informar al titular sobre el uso de esas tecnologías, que a través de las mismas se obtienen datos personales y la forma en que se podrán deshabilitar..

Lo anterior fue clarificado a través de los Lineamientos para el contenido y alcances de los Avisos de Privacidad, emitidos por la Secretaría de Economía con fundamento en el artículo 43, fracción III, de la Ley, el cual la facultó para coadyuvar con el IFAI en la emisión de los mismos, cuyo Lineamiento Trigésimo Primero requiere que cuando el Responsable utilice mecanismos en medios remotos o locales de comunicación electrónica, óptica u otra tecnología, que le permitan recabar datos personales de manera automática y simultánea al tiempo que el titular hace contacto con los mismos, en ese momento deberá informar al titular, a través de una comunicación o advertencia colocada en un lugar visible, sobre el uso de esas tecnologías y sobre el hecho de que a través de las mismas se obtienen datos personales, así como la forma en que se podrán deshabilitar, salvo que dichas tecnologías sean necesarias por motivos técnicos, obligando asimismo a incluir en el Aviso de Privacidad la información requerida por el Reglamento de la Ley y la de los propios Lineamientos, entre ella, los datos personales que se recaban y las finalidades del tratamiento.

Una de las maneras más obvias para darse cuenta de que un Responsable ha mantenido en uso un Aviso de Privacidad Integral en medios remotos, como una página de Internet, desde la promulgación de la LFPDPPP o el vencimiento del plazo para implementar ese medio de cumplimiento con el Principio de Información es la omisión de la referencia al uso de cookies, web beacons y otros recursos similares en el referido Aviso.

¿Por qué la necesidad de incluir la mención del uso de mecanismos como las “Cookies” en el Aviso de Privacidad? La entrada en Wikipedia para Cookies explica que estos archivos fueron concebidos originalmente para identificar a los usuarios y diferenciar el comportamiento de los sitios de comercio electrónico al realizar compras en sitios de comercio electrónico; por ejemplo pueden ser usadas para “…control de usuario: cuando se introduce el nombre de usuario y contraseña, se almacena una cookie para que no tenga que estar introduciéndolas para cada página del servidor. Sin embargo, una cookie no identifica solo a una persona, sino a una combinación de computador-navegador-usuario”, pero que además de pueden ser usadas para rastrear el movimiento del usuario a lo largo de las páginas web visitadas, búsquedas realizadas, etc.

Desde que Internet se volvió un medio financiado fundamentalmente a través de la venta de publicidad el perfilamiento de usuarios se ha vuelto una necesidad para compañías como Google, Yahoo! y Microsoft. Sin embargo puede tener implicaciones importantes para los usuarios en cuanto a privacidad y acceso a oportunidades. El perfilamiento de usuarios podría

Una nota del Wall Street Journal el año pasado explica, por ejemplo, cómo Orbitz distingue entre usuarios de PC y de Mac para ofrecer antes a estos últimos servicios con precios más altos que a los primeros, asumiendo que quien invierte en una Mac es más proclive a optar por servicios “high-end” y, por lo tanto, más caros. Se han hecho también estudios que apuntan al incremento en el riesgo de que el perfilamiento de usuarios a través de diversos medios, incluyendo Internet, podrían resultar en discriminación. La posibilidad de combinar información de fuentes como registros públicos, reportes de crédito, historial de consumos y ubicación podría prestarse a limitar el acceso a bienes y servicios buscados en Internet si sus oferentes optaran por segmentar ese acceso en función del género, edad, nivel socio-económico y consumo de los usuarios.

De ahí que para lograr una verdadera autodeterminación informativa la autoridad de protección de datos personales haya requerido a los Responsables revelar el uso de tecnologías para obtener datos personales a través de Internet y la manera para deshabilitarlas.

El siguiente video de YouTube ilustra, por ejemplo, cómo Google utiliza y almacena las cookies e información obtenida de ellas en su motor de búsqueda. Por otra parte, el Washington Post publicó hace unos días una nota sobre cómo la Agencia de Seguridad Nacional de los EE.UU.A. se vale de esas mismas cookies para identificar y ubicar blancos de hackeo y vigilancia. De particular relevancia es lo indicado en los siguientes párrafos de la nota, que daría tranquilidad a la inmensa mayoría de los usuarios de Internet:

The intelligence agencies have found particular use for a part of a Google-specific tracking mechanism known as the “PREF” cookie. These cookies typically don’t contain personal information, such as someone’s name or e-mail address, but they do contain numeric codes that enable Web sites to uniquely identify a person’s browser…

The NSA’s use of cookies isn’t a technique for sifting through vast amounts of information to find suspicious behavior; rather, it lets NSA home in on someone already under suspicion

Compliance Report

Compliance and Ethics Powered by Advanced Compliance Solutions


Startup and Technology News

Xavier Ribas

Derecho de las TIC y Compliance

Marcus Kazmierczak

Take To Task

Analyzing the Nonsense

Business & Money

The latest news and commentary on the economy, the markets, and business


Canal de difusión con los medios.

Martha Salamanca Docente

Blog de TICs, Redes Sociales y Multimedia Educativo

Devil's Advocate Crib

Just another site

Investigating Internet Crimes

An Introduction to Solving Crimes in Cyberspace