Thursday, 20 November 2014

A paradise for perverts and peeping toms

I work up today with the dulcet tones of Information Commissioner Christopher Graham whispering in my ear. No, he wasn’t literally in the room, but he was on Radio 4’s Today programme, expressing his concern at a new website, hosted well outside the EU, of evident interest to perverts and peeping toms.

Basically, the site claims to provide a live feed to a large number of insecure webcams, all around the world. The address of the site is freely available online, so there’s no need for me to mention it in this blog. 

At noon today, I took a quick squint at the site. There were feeds from 584 webcams allegedly situated in the UK. Most of them were really boring – showing what was going on in bars, bike sheds, garages, fish tanks, offices and one particularly fetching shot of a pool table in an empty room. And yes, a few cameras were feeding live images from people’s bedrooms, living rooms, kitchens and gardens.

As can be seen by the images that are so easy to scrape from the internet, someone (in Bedford) was still in bed. Can you recognise them? Surely, not that many people in Bedford have an enormous Spiderman motif stencilled on their bedroom wall. Several dogs on captured on several webcams were fast asleep, too, but this one (in Crawley) was the most photogenic. The images gave been deliberately cropped to remove material that might more readily identify the subjects – but you get my drift. They ought not be so readily available. The owner of the webcam in Bedford particularly needs to improve their security controls, before even more embarrassing images can be shared with the world (+dog).

I’ll take down this image tomorrow, once I’ve made my point, and I’ll replace it with images that contain less potentially sensitive material. (I’ll remove it immediately if the person responsible for the webcam in Bedford lets me know that they’ve sorted out their webcam's security, as really I don’t want to cause needless anguish.)

Earlier images of the dog and the person asleep have now been removed, to respect their dignity. They've been replaced with less interesting images.  I've made my point about how easy it is to embarrass the innocent.


Wednesday, 19 November 2014

Data protection web domains for sale


Wanna buy some data protection web domains?

One careful owner?

(Not me, by the way – but I do know who it is.)

Evidently, data protection domains are hot.  Some are so hot that the mere hint of them becoming available causes data protection webmasters to tingle with excitement.

So here it goes – I’ve got some sensation news to announce.

If you’ve ever dreamt of owning a great data protection web domain, then start raiding your piggy bank, as the following domains are available to a discerning owner:

All reasonable offers are evidently going to be considered. I had thought of obtaining them as the main raffle prize for the Crouch End Chapter of the Institute of Data Protection's xmas party next month, but then I heard how much the seller thought that someone would pay for them.

And what do you think would be a reasonable price for the above package?

Answers, please, to the usual address.

Lovely jubbley.

Image credit:

Tuesday, 18 November 2014

Sleepwalking into a single DP regulatory authority

The arguments currently going on about the how citizens might expect their rights to be upheld by the "One Stop Shop" point in one direction – perhaps the only way to end the potential for bickering between the data protection regulators of each EU member state will be to impose a single regulatory authority on any EU country that wishes to remain within the EU.

As Europeans (generally) use the same currency to pay for their goods and services, then they ought to be able to use the same tools to protect their privacy rights, too.

This is probably why it has taken so long for agreement to be reached on who should next be appointed European Data Protection Supervisor, as I suspect that the endgame is for the EDPS to supervise a good deal more than just the European institutions.

Will this be a problem?

Certainly not for those who believe in the European dream, of a European superstate, headquartered in Brussels, with satellite offices in what will eventually become “former independent countries.”

This vision provides citizens with an equivalent layer of protection wherever they live. Their fundamental rights (whatever this actually means in practice) will be equally protected, regardless of whether an incident occurs in Cyprus, Poland or Latvia.  

And a single, mighty regulator, might start to be a match for the global data controllers, who might feel slightly more constrained in how they engage with European customers.

As Freddie put it:

One dream  One soul, one prize
One goal. One golden glance of what should be
It’s a kind of magic
One shaft of light that shows the way
No mortal man can win this day
It’s a kind of magic

(You get my drift)

Quite how plucky nationalists might respond to a single Data Protection authority is not clear. Will they be outraged at what they could perceive to be another loss of sovereignty? Another lump carved out of the subsidiarity principle? Or will they grudgingly accept that if rights are to be granted by a European Parliament to grateful European citizens, then they all ought to be able to exercise these rights in equal measure, regardless of the attitudes taken by their national Governments?

In the end, I suppose it depends on whether citizens feel more comfortable with their rights being upheld by someone they’ve possibly heard of (like the ICO), rather than a more remote set of officials who they will hardly ever get to see (even on TV) because of the huge territory they would be expected to cover. 

Just what is it we want from our regulators? Currently I sense there are a range of cultural approaches to the art of public regulation within Europe. 

Do we want someone who we can engage with, or someone who will just tell us that we’ve done wrong?

I know what I would like – but I also think I know what I’m more likely to get, should a single European regulatory authority emerge.

Image credit:


Sunday, 9 November 2014

HP’s untimely data breach

A good friend of mine very recently left Hewlett Packard. He had spent 36 years and 6 months at the company.

It not nice to see an experienced privacy manager leave a firm – particularly when, just after he left, a rather unfortunate data breach occurred. HP’s employee payroll’s information (including the National Insurance numbers, addresses and salaries of some 1000 people), was sent to an unknown party by accident.

The ICO has been informed.

Evidently, all is not lost. An HP spokesman quickly assured the media that: “HP is fully committed to protecting personal information and protecting privacy in all of our operations. We take any instances of a potential compromise seriously and will work to address any concerns as necessary.”

I’m glad that HP is fully committed to protecting personal information. Hopefully, their commitment might stretch to employing an experienced and qualified privacy professional in the UK in due course, to replace the one they’ve just lost.

If anyone from HP wants to get in touch with someone who has experienced a high-profile data breach, and needs to appreciate just what they ought to be doing to rebuild trust in their brand, please feel free to give me a call.

Please note that HP’s data protector software product is not associated in any way with this data protector blog.



Friday, 7 November 2014

My evening with Edward Snowden

The invitation arrived the day before yesterday. Last night, I was bidden to a discrete basement venue in a luxury hotel in Knightsbridge, past several layers of (unobtrusive) security, with a small group that included Baroness Martha Lane-Fox, fellow blogger Paul Stanies (he of Guido Fawkes fame) and the GSMA’s globetrotting privacy guru, Pat Walshe.

Drinks and nibbles were consumed before we were ushered into a state-of-the-art screening room for a private viewing of Citizenfour, the recently released documentary that will undoubtedly become required viewing for spooks and for all people interested in American (and British) surveillance programmes.

In January 2013, documentary maker Laura Poitras started receiving encrypted emails from someone identifying himself as “citizen four”, who was ready to reveal the NSA’ s and GCHQ’s covert surveillance techniques.

In June 2013 she and journalist Glenn Greenwald flew to Hong Kong to meet this man, and she brought her camera with her. The film that results from the tense encounters is a real thriller, revealing far more about Edward Snowden that I had expected to learn.

Filmed as it actually happened, we are in the hotel room when Snowden passes to Greenwald the electronic files that have had such a seismic impact on the NSA and GCHQ. We see how it is done, and we can only marvel at how easy it is to transfer so much information so quickly.

More importantly, we get a better insight into why Snowden did what he did. What comes across (in this documentary, at least), is Snowden’s concern at what he considers to be the unconstrained nature of the NSA’s capabilities. Where is the accountability, the oversight, or any sense of honesty or humility amongst those who apparently determine how everyone’s communications are constantly evaluated? It’s not very evident in this film.

Snowden’s personality is very different from that of Julian Assange, who we see fleetingly, when Julian’s team arrange for Snowden to be spirited out of Hong Kong, en route to a safer country, via Moscow. Snowden frequently tells the journalists he is briefing that he does not want to be the story. He wants his electronic files to be the story – and to that extent he is presented as someone who is happy to be acknowledged as the person who revealed the surveillance programmes the world, but not someone who wants to take very much credit for doing so. But he is certainly not ashamed of what he did. 

After the film, a very useful discussion was held with some of the people who were linked with the production team.

The lesson, at least for the UK’s next attempt at introducing legislation to update the Regulation of Investigatory Powers Act, is pretty clear. Those who monitor the work carried out by investigators must be seen to be operating more independently from the investigators. This can be done, pragmatically, by increasing the distance between the “Single Point of Contact” and the investigator.

If an even greater sense of independence is required, how can such an “air gap” be created?

Perhaps, by spinning the SPOCs (and telecommunications intelligence units) out of the police forces and into a body like the Independent Police Complaints Commission. That way, the Interception of Communications Commissioner’s inspectors could routinely inspect the work of the IPPC, as well as that of individual police forces.  And the pubic won’t need to worry that some policemen are simply marking the homework of other policemen. (Which is what David Davis MP is always going on about.)

But will confidence-building measures like this prevent citizens from turning, in their droves, to companies like F-Secure? I doubt it. Their super-simple online privacy and security tools are causing more than just a few headaches for the investigators who, just a short while ago, used to rule the electromagnetic waves.

Its so easy (and cheap) to become relatively invisible and anonymous on-line these days.   

And if the (American) investigators continue to be portrayed as being unaccountable and unconstrained, they will only have themselves to blame if public opinion turns against them.