Resolution on Automatic Software Updates
25th International Conference of Data Protection and Privacy Commissioners, Sydney, 12 September 2003
This resolution was adopted on Friday 12 September 2003
Resolution
The Data Protection Commissioners of Germany, the Czech Republic, Italy, the State Data Protection Inspectorate of the Republic of Lithuania, the Information and Privacy Commissioner of Ontario and the Swiss Federal Data Protection Commissioner propose that the International Conference resolve that:
1. The Conference notes with concern that software manufacturers worldwide increasingly use non-transparent techniques to transfer software updates to users' computers. In doing so they
- can read and collect personal information stored on the user's computer (e.g. browser settings, and information on the user's browsing habits) without the user being able to notice, to influence or to prevent it,
- may gain at least partial control over the target computer, thereby restricting the ability of the user to meet his legal obligations and responsibilities as a controller to ensure the security of any personal data he may be processing,
- change the software installed on the computer, which will then be used without any required testing or clearance, and
- may bring about malfunctions in the updated computer without the possibility of identifying the update as the cause.
This may cause particular problems in government institutions and private companies to the extent that they are under specific legal obligations as to how to process personal information.
2. The Conference therefore calls on software companies
- to offer procedures to update software online only at the user's initiative or request, in a transparent way and without allowing unchecked access to the user's computer;
- to ask for the disclosure of personal data only with the informed consent of the user and insofar as it is necessary to carry out the online update. Users should not be forced to identify (as opposed to authenticate) themselves before they can initiate the download process;
- to provide for freedom of choice by offering online updates only as an alternative to other (offline) means of software distribution such as CD-ROM.
3. The Conference encourages the development and implementation of techniques to update software which respect the privacy and autonomy of computer users.