
Thursday, February 17, 2011

PSN Raises Significant Legal Concerns With Private Data Management Failures



The recent discovery of the personal information that is gathered by Sony’s PlayStation Network raises significant legal concerns. The way in which Sony deals with the personal information of its customers is in clear violation of a European directive.

There are numerous points that are bothersome when reading about the information that is gathered and sent by Sony’s PlayStation Network. The information that hackers uncovered in the last few days shows that any and all information that Sony can gather is sent home, including credit card information, which is sent as plaintext over an unsecured connection. These discoveries are in fact more than just bothersome, as they identify a clear violation on the part of Sony of European Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
More specifically, the directive clearly forbids personal information from being sent without unambiguous consent. Moreover, any personal data must be collected for specified, explicit and legitimate purposes and cannot be processed in a way that is incompatible with those purposes. The information collected must not be excessive in relation to the purposes for which it is collected. When personal information is gathered in conformity with these provisions, appropriate technical measures need to be taken to protect the personal data, in particular where it involves the transmission of data over a network. Generally speaking, this means that any personal information must be transmitted in an encrypted form.
Even if Sony had complied with these provisions, which it clearly does not, the personal data of its consumers in the European Union cannot just be sent to any server of its choice. In fact, personal data that is collected in the European Union can only be transmitted across European borders under a few exceptions. One of these exceptions covers the United States, but only if the hosting provider has agreed to the Safe Harbour principles. Reports indicate that the personal data is sent to Japan and the United States, and it seems unlikely that a Safe Harbour agreement is applicable to these machines. In any case, even had the collection and insecure transmission not violated the directive, the personal data is not allowed to be sent to Japan.
Knowing that our rights have been violated leaves the question of how we as consumers can respond to this. European Directive 95/46 has been implemented in national laws throughout the European Union. Every member state has a data protection authority that supervises the conformance of organizations to the corresponding national laws. These supervisory authorities generally accept complaints from consumers as grounds for a formal investigation, so be sure to notify your national supervisor if you feel violated. I know I will.

Source: http://ps3crunch.com/psn-phone-home-raises-significant-legal-concerns.html

1 comment:

VettaCossX said...

Oh yeah, am I psychic? How could I have known 3 months before the attack and Sony not know?


SIMPLE: I LISTEN TO END USERS. IT'S NOT FUCKING ESP, IT'S SYMBIOTIC AND EMERGENT END-USER INTENT.