Tuesday 29 June 2010

To have and have not

No, this isn’t a review of the 1994 film starring Lauren Bacall and Humphrey Bogart.

But it does contain that immortal line "Just put your lips together and blow."

Which is quite appropriate as that’s what you have to do to get a proper sound out of a vuvuzela. Yes, it sounds awful, but I think that’s the point.

Thanks, Amazon, for supplying me with the real deal. This time, what I thought I ordered actually arrived. And fast. So I trust you. And in return, Amazon, you can carry on sending behavioural adverts to me for as long as you want.

Well, until I change my mind, anyway.

Saturday 26 June 2010

Behaving – well, perhaps not so badly after all

The Article 29 Working Party has recently issued quite a useful Opinion on behavioural advertising. It’s a handy document, just 24 pages in length, which sets out what behavioural advertising currently is, how it works, how different players are involved at different stages in the process, and finally what the current legal rules might require the various to do to ensure that the process remains lawful. By lawful, perhaps a better phrase would be “fair and transparent”.

I still have one fundamental approach with the whole concept of behavioural advertising, though. In a nutshell, these technologies are very much in their infancy, but to a large extent depend on someone pressing keys on electronic devices. While a link can quite easily be made between the electronic device and the profile that is being built up by the pressing of the keys, it’s really hard to notice when a new person starts pressing these keys. After all, how many people have pressed the keys which have created just these two paragraphs? Is it really just one? Or did I ask my neighbour to add a thought too? How will anyone (other than me and my neighbour) ever know?

Anyway, back to the plot. The Working Party considers that “Behavioural advertising entails the tracking of users when they surf the Internet and the building of profiles over time, which are later used to provide them with advertising matching their interests. While ... [it] ... does not question the economic benefits that behavioural advertising may bring for stakeholders, it firmly believes that such practice must not be carried out at the expense of individuals' rights to privacy and data protection.”

In particular, advertising network providers are obliged to ensure that the practice of placing cookies or similar devices on users' terminal equipment or obtaining information through such devices is only allowed with the informed consent of the users. The Opinion notes that settings of currently available browsers and opt-out mechanisms only deliver consent in very limited circumstances. Therefore, the advertising network providers have been asked to create prior opt-in mechanisms which requiring a positive action by users, indicating their willingness to receive cookies or similar devices and the subsequent monitoring of their surfing behaviour for the purposes of serving tailored advertising.

The Opinion recognises that no-one wants to surf the internet and be faced with a snowstorm of consent pop-up boxes each time they log onto a new web site. Therefore, a single acceptance to receive a cookie may also entail the user’s acceptance for the subsequent readings of the cookie, and hence for the monitoring of their internet browsing.

But – and this appears to be quite a big but - to keep users aware of the monitoring, ad network providers should:

• limit in time the scope of the consent;
• offer the possibility to revoke it easily and
• create visible tools to be displayed where the monitoring takes place.

This requires the “privacy by design” approach, and will no doubt take a little time to work. Let’s hope that the most significant stakeholders try to get together and deliver an approach that is consistent across the behavioural advertising ecosphere. If they were to be able to jointly develop, say the same types of logos to notify users about when behavioural advertising is taking place, and they presented users with similar ways of accepting and objecting to cookies, everyone’s lives would be much easier.

Data controllers have, over time, developed common techniques of displaying “fair obtaining” notices. Users generally see a link to a “privacy policy” at the foot of a home page, and they know what “unsubscribe” means when they get marketing emails. Can behavioural advertisers create similarly easily understood concepts? They ought to be capable of working amicably and constructively in this area. After all, it's a non-competitive issue, so the competition authorities are unlikely to prevent the big players from talking to each other.

I became more concerned when I read the parts of the Opinion which argued that as behavioural advertising is based on the use of identifiers that enable the creation of very detailed user profiles, in most cases these will be deemed personal data. Accordingly, users should benefit from the protections afforded them by the EU Data Protection Directive.

I think that the advertisers will face very considerable difficulties in working out how they might deal with a user who demands to exercise rights of access, rectification, erasure, retention, etc. This is a real minefield, and a lot more work needs to be done to explore this issue.

The Opinion notes that publishers may share certain responsibility for the data processing that takes place in the context of behavioural advertising, so they should share with ad network providers the responsibility for providing information to users.

Lots of creativity and innovation will be required here. But, as the Opinion rightly points out, “Given the nature of the practice of behavioural advertising, transparency requirements are a key condition for individuals to be able to consent to the collection and processing of their personal data and exercise effective choice.”

This debate will continue for a good while to come, and I’m sure that many stakeholders will use this document as a basic text on which they will explain why their views and interpretations differ from those of the Working Party.

For those who want to read more, the Opinion can be found at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp171_en.pdf

Tuesday 22 June 2010

Yes, I think they’ve actually gone and done it

Yesterday, I wondered just how clever Amazon’s behavioural advertising capabilities were. I set them a test. First, I had recently placed an order for a vuvuzela – the loud stadium horn, as used by soccer fans in stadiums in South Africa. Then all I had to do was to wait and see what sort of behavioural advertising messages Amazon would start sending me. Would I get adverts for products that were similar to vuvuzelas?

Today, I found out - and I’m impressed.

To put the advert in context, I had just been reading an article about a recent performance of the “Pearl Fishers” at the London Colesium, where the lead tenor, Alfie Boe, was ill, as became his understudy, so the audience were treated to someone plucked from the ENO chorus to sing the really hard bits.

At the foot of the article was a space where the webmaster had presumably provided a site for advertisers to offer readers their wares. And fancy that - guess what advert Amazon has just served in that space?

(Well, I’ve snipped it and it’s posted on this blog, for all the world to see).

Amazon has served me adverts for 12 different items, which feature:

• A CD of the Pearl Fishers, and another operatic DVD featuring Alfie Bow
• 3 items relating to the World Cup football championships in South Africa
• 2 Apple iPod Touch devices
• 2 cordless phones
• A mini speaker, computer cable and printing cartridges

And well, what a co-incidence! I wonder what 11 of these 12 items have in common – music, football championships, and devices for making noises?

Could it be that Amazon have decided to send behaviourally advertising messages to a device used by someone they know to have recently shown an interest in vuvuzelas?

I think they have.

Monday 21 June 2010

“As you like vuvuzelas, we think you’ll love these ...”

A little over a week ago (13th June) I posted a blog about on-line behavioural advertising. I had recently received an email from Amazon asking me to check out their shoe store as they had noticed that I had previously used Google to search for images of shoes on the internet.

I’m looking forward to finding out what sort of behavioural advertising I’ll be getting as a result of my very latest purchase from an on line retailer – which is pictured here. Apparently, it's a vuvuzela – the loud stadium horn, as used by soccer fans in stadiums in South Africa.

You may have heard them recently on telly.

When it arrived, all the way from Eastleigh in Southampton, the packaging just said “England Sound Horn”, so I’m not sure just how close it’s ever been to any South African shores.

Anyway, it makes a loud and awful noise. In fact, I was so impressed with the awfulness of the noise that I’ve already placed an order for a 2 foot version from another on-line retailer (this time, Amazon UK). I must have previously ordered the “short horn”. Well, I want the big one now.

But what sort of behavioural advertising messages is Amazon going to send me now? Perhaps it will be along the lines of:

As you've recently visited our store or bought similar products from us in the past, we thought we'd share with you what our customers are currently searching for in our music/sports equipment/horrible noise store. Have a look below to see what's currently hot in decibels at the moment. Don't forget to check out our Bestsellers for all the loudest products!

If I some across anything that I suspect could only have been advertised to me because of my interest in vuvuzelas, then you’ll be the first to know.

Sunday 20 June 2010

Chrome and cops and cyberspace

I had just posted yesterday’s blog when my another idea popped into my brain and got me going again. This time, it was based an article I had had read, which prompted me to think again about the implications of the advice I had given in the penultimate paragraph of that post. For those who don’t want to scroll down to read it in its original place, here it is again:

Finally, one of the most frequently asked questions from investigators involves accessing the email account of a suspect when the password to that account has come into the possession of investigators. ‘I have X’s password: can I access his email account?’ Without the informed (and preferably written) consent of the suspect, no: such action constitutes a criminal offence under the Computer Misuse Act 1990.

You see, just after posting that article I read Mike Harvey’s piece in The Times, headlined “Google launches cloud-based assault on Microsoft”. Google’s Chrome operating system will challenge Microsoft’s position in the marketplace, and may well require a significant change in police investigation techniques, too.

What do I mean? Well, basically, we’ll soon be able to buy laptops loaded with Chrome, a “cloud-based” computing system which means that we could be doing all our computing via the web rather than installing software on our PC. This has become possible because most users can access the web anywhere with Wi-Fi or 3G connections. It has become attractive because the vast majority of popular computer applications such as e-mail, Facebook and news sites are now on the web.

Will we ever need to store much stuff on our laptops again? – possibly not – so these will become cheaper and involve less hassle when we change them. We’ll still be able to access all our “stuff”, as it will be stored on a cloud server somewhere on the internet, rather than in the memory on our own devices.

Google claims that cloud-based software was a “better model of computing”. Chrome OS would be easier and more secure to use and the laptops running it would be faster to start up. A user would be able to access his or her services from any computer and any device because the services will all exist “in the cloud”, on remote servers.

Well well well. Does this pose a problem for the investigators? If they can’t seize a device and forensically examine it to see what’s stored in its memory (or cashes), does this make life harder for them? I think it might – for all but the most serious (say National Security) investigations, anyway.

If nothing is actually stored on the device itself it might question the need for the dawn raid on a property to seize hardware and arrest a miscreant on the grounds that he was being suspected of being “in possession” of unlawful software (say unlawfully obtained copyright material) , as its possible that all the miscreant might have would be a set of passwords. The contraband, as it were, could well be stored in cloud servers anywhere in the world. (And with back-up copies elsewhere, all over the world).

What could an investigator do?

Presumably, he would first fill in another of his trusty RIPA forms and shove one in Google’s direction and demand that they produce the relevant traffic data – ie whatever transmission records they have. But transmission records in respect to what? If an investigator does not know what device was used to alter the stuff on the cloud (assuming the investigator even knows what stuff is up in the cloud in the first place), then what will this RIPA demand actually demand? As I don’t work for Google, I guess I’ll never know.

Perhaps the investigator could just apply to the courts for a Production Order to be served on Google for them to pass over the relevant content. But again, if an investigator does not know who or what device was used to alter the stuff on the cloud (assuming the investigator even knows what stuff is up in the cloud in the first place), then what will this Production Order actually demand? As I don’t work for Google, again I guess I’ll never know.

And what would a British Judge do in such circumstances, when of course they have to adhere to all of our human rights legislation and permit such orders only when evidence could be adduced to assert that the request was both necessary and proportionate? Would a judge approve a “fishing expedition”?
And if a British Judge was averse to fishing, could the material be obtained elsewhere?

And here is my cunning plan – yes I think it can. But it does depend on our remaining friends with our American pals, and relations do appear somewhat muddied right now.

In the unfortunately selected words of a (perhaps soon to be former) Chairman of BP, we might be able to ask some “little people” to use their own domestic legislation to permit a more general rummage around the cloud, if the investigation is sufficiently serious. Remember, back in 2001 the 107th US Congress passed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act. It’s more commonly known as the Patriot Act.

Passed by huge majorities in both Houses of Congress, the Act dramatically reduced restrictions on law enforcement agencies' ability to search telephone, e-mail communications, medical, financial, and other records; eased restrictions on foreign intelligence gathering within the United States; expanded the Secretary of the Treasury’s authority to regulate financial transactions, particularly those involving foreign individuals and entities; and broadened the discretion of law enforcement and immigration authorities in detaining and deporting immigrants suspected of terrorism-related acts. The Act also expanded the definition of terrorism to include domestic terrorism, thus enlarging the number of activities to which the Act’s expanded law enforcement powers could be applied.

Dr Chris Pounder, the hugely respected authority in this area, has recently reminded us all of the subtly different approaches to the way the law can be flexed to assist investigators. He considers that the difference between the two approaches is profound. American law would, for example, permit an investigator to say “give us a range of data about transactions in a certain region” as we are investigating “terrorism” (whatever that is). By contrast, in order to comply with human rights legislation, EU investigators are only allowed to say something like “give us the data on this known entity or specific individual” in relation to “terrorism”. More details of his reasoning is available in his blog - http://amberhawk.typepad.com.

Put in these terms, it is easy to see that in the USA you can make general requests for “data” whereas in the EU you have to make specific targeted requests about individuals or entities.

So how would British investigators flex their special relationship with these pals to get Google to open their doors to the cloud from their side of the pond if the British legal system wasn’t keen on permitting access from this side of the pond? I'm not too sure, but I’m confident the wheels could be carefully oiled – once we’ve sorted out that other oily problem closer to their shores. I can’t see them looking too fondly on helping our law enforcers with fishing expeditions involving, say, BT customers until BP resolves the problems it has with all those American fishermen.

So, if its “Farewell RIPA”, it could be “Hello Patriot”, and long live that “special relationship” that no-one can quite put their finger on.

Saturday 19 June 2010

Covert cops in cyberspace

I’ve recently been reading about the pretty thorough precautions cops have to take before they log into the internet and do a bit of investigating. It appears that lots of forms have to be filled in before they fire up their browser. It may feel like the Wild West for those of us who are stung by the cowboys, but these sheriffs have to deal with a pile of paperwork first.

They have to take due account of the mighty Regulation of Investigatory Powers Act and the Police & Criminal Evidence Act. Lots of human rights to consider here, obviously. Here are some of the highlights, though – as faithfully noted by Clive and Karen Harfield in their new book from Blackstone’s, 'Covert Investigation' 2nd Edition:

Interception warrants are required if anyone intends to intercept communications whilst in the course of their transmission made via computers. Usually, intercepted material is not able to be used in British courts. However, for years, emails have been allowed to be used in evidence, when an ISPs have first been told to divert them to another server and a court has subsequently issued a production order. (See NTL Group Ltd v Ipswich Crown Court [2002] EWHC 1585)

Sometimes, it’s felt necessary to deploy investigators or victims acting on behalf of investigators, to interact with suspects via a computer either by email, webcam or in chat-rooms. Paperwork has to be completed if it is proposed to use, for the purpose of the investigation, any information obtained by the investigator as a result of the on-line relationship in circumstances in which the other party will not be aware of the investigator’s true purpose in acquiring such information. There is obviously fine line to be drawn between entrapment and lawful investigations here.

Such covert on-line investigations create the potential for nightmare scenarios- say when two undercover, on-line investigators interact on-line and begin to investigate each other. Proper procedures have to be in place to avoid this, but I suppose this is pretty hard when investigators from different agencies go the same target at the same time. I would love to be a fly on the wall when these raids eventually take place!

While there is a general unease about the use of CCTV for general policing purposes, I’m sure that everyone agrees that It is good practice to video the interaction of undercover investigators on-line for evidential integrity purposes.

Lots of paperwork also needs to be completed if it’s proposed to use an informer to obtain information via an on-line interactive relationship. But fewer forms have to be completed where the informer is asked to get information from a database to which they have lawful access. Presumably, this is why informers may be asked to use their Facebook accounts to access their friend’s accounts, especially if the friend has recently taken advantage of the new privacy settings that Facebook have allowed their users to tweak.

Different forms need to be filled in if it’s proposed to access material stored on a computer, as this constitutes interference with property.

Finally, one of the most frequently asked questions from investigators involves accessing the email account of a suspect when the password to that account has come into the possession of investigators. ‘I have X’s password: can I access his email account?’ Without the informed (and preferably written) consent of the suspect, no: such action constitutes a criminal offence under the Computer Misuse Act 1990.

So, as you can see – our investigators are required to respect human rights just as much in cyberspace as when they are exercised on terra firma. Wherever our stuff is, we have rights to which govern how the state may wish to interfere with it.

Friday 18 June 2010

People can be punnished for committing crimes in virtual worlds

I’ve recently been reading about people who have committed crimes in virtual worlds – but have been sentenced in this, real, world for their misdeeds. Two Dutch youths were sentenced for stealing virtual goods last week, while a Japanese piano player was jailed for killing her virtual ex-husband. These stories have been this supplied by my mates at http://observers.france24.com:

The 14 and 15-year-old boys forced, in reality, a 13-year-old to open his "RuneScape" account and hand over a virtual amulet and mask to the elder boy's account. Although the pair beat and allegedly threatened the victim, the boys were only charged with the theft of the imaginary items, and not for any physical abuse. In a rare case, the Leeuwarden District judge ruled early last week that "goods don't have to be material for the law to consider them stolen", and sentenced the pair to 160 and 200 hours community service respectively.

Meanwhile, a 43-year-old Japanese woman was jailed last Wednesday on suspicion of hacking into her virtual ex-husband's identity and deleting him, as he had recently divorced her virtual self on "Maple Story". If convicted, she could face a five-year prison sentence, despite having no plans to harm the real-life man behind the virtual character.

These cases have highlighted a shift in the application of law in non-real scenarios. They’ve caused bloggers to question the emotional value of virtual goods and identities. What we might originally have considered virtual is beginning to take a more physical form – and it’s being protected as such too.

Just as digital copyright owners are increasingly trying to flex their muscles, so are those who have purchased these digital goods. Where will it end – virtual courts too – will victims be able to select the cyberspace law of their choice? That will be fun. If Klingons can have their own religion (which humans can evidently associate themselves with), then perhaps we can apply to the Klingon courts for a bit of summary justice too.

I can picture it now: All rise for your judge, Mr Justice Spock ...

Sunday 13 June 2010

Hush! now how did they know that?


Am I being behaviourally advertised too? – or is it just a co-incidence?

A little while ago I was blogging about Justice Minister Ken Clarke, and carried out a “Google” Search to find some images of hush puppies, as I knew that he favoured that particular type of footwear. I used the best image I could find when I posted my update on 13 May.

I also (very occasionally) order books from Amazon.co.uk. The off script, or novel. And once or twice a DVD.

Well, just a couple of days ago, this email arrived:

Dear Amazon.co.uk Customer,

As you've recently visited our store or bought similar products from us in the past, we thought we'd share with you what our customers are currently searching for in our Shoes store. Have a look below to see what's currently hot in Shoes at the moment. Don't forget to check out our Shoes Bestsellers for all the hottest products!

How did this happen? I have not been thinking about buying shoes recently, so was amused that some computer programme had mistaken my desire to find a suitable image for my blog with an apparent interest in new footwear.

I can only suppose that Google has somehow explained to me that it has retained the right to exploit for its own commercial purposes information about search terms that have been previously entered by people using the IP address assigned to the device I am currently using, and that they have sold this information (or otherwise made it available) to Amazon.

Call me old fashioned, but I thought that Amazon only sold books and DVDs. (And cloud computing facilities). I had no idea it sold shoes. And I didn't know that Google sold this information to Amazon. Perhaps I should have known - but then again how often do we data protection folk read the privacy poicies that are created for us when we act as customers on the internet?

I wonder what connection Amazon (or Google) will come up with next.

I recently bought a copy of the script of the play “Saved”, by Edward Bond. It contains a very disturbing scene, where a baby in a pram is stoned to death in a park. One of the actors in the original 1965 Royal Court Theatre production was a youthful Denis Waterman – who is now a very distinguished actor and would certainly not wish to be associated with portrayals of such murderous violence ever again. A couple of years ago he took a prominent role in a national anti-knife crime campaign, following incidents where a number of young lads were murdered by other youths wielding knives – good for him.

But I wonder if I’m due, any time soon, to get another email from the Amazon crew – perhaps saying:

Dear Amazon.co.uk Customer,

As you've recently visited our store or bought similar products from us in the past, we thought we'd share with you what our customers are currently searching for in our Religious store. Have a look below to see what's currently hot in repeats of your favourite moments of redemption right now. Don't forget to check out our Born Again Bestsellers for all the hottest saviours!

Saturday 12 June 2010

So does it matter that Big Government is watching us?

Ian Dale chaired an extremely interesting – and potentially very significant – debate at the Institute of Economic Affairs last Thursday on the surveillance society and individual freedom. Honestly, you were warned – and you should have come along to hear it for yourself. It was one of those standing room only affairs - and well worth the effort to attend.

The speakers included Phil Booth (national coordinator, NO2ID), Philip Davies MP (Conservative), Alex Deane (director, Big Brother Watch), and Ross Clark (author, The Road to Southend: One Man’s Struggle Against the Surveillance Society). Initially, perhaps many people thought it was going to be one of those predictable occasions when everyone on the panel just agreed with each other.

Oh No.

A deep division emerged which will rumble on for some months. I predict. In his speech, Philip Davies expressed views which so provoked Alex Deane that Alex devoted his speaking slot not to making the speech he had carefully prepared, but in rebutting the points that Philip had just made. It was strong, passionate, stuff.

Why is this significant – because it’s not that often you get to hear two members of the Conservative Party airing their different views with so much passion in public. And when I say in public, I mean in a room full of bystanders, politicos, media folk, and even an internationally recognisable television celebrity.

At heart of the division was the purpose of Government, and how (or whether) surveillance can protect the legitimate interests of innocent citizens.

By all accounts, Philip Davies is an interesting politician. An MP for Shipley since 2005, he’s one of those people whose views are such that the Eurosceptic United Kingdom Independence Party did not field a candidate against Davies in the 2010 general election and campaigned for his re-election as a result of his anti-EU views. Take a squint at his Wikpiedia entry if you want to learn more about his position on a wide range of issues. I’m happy to wager good money on him remaining a backbench MP, rather than a representative of HM Government. Ever.

What did he say that so riled Alex Deane then?

Well, in a nutshell, Phillip was happy to support CCTV, the DNA Database, full body scanners and other aspects of the surveillance state on the grounds that most of these aspects didn’t actually “prevent” his constituents from going about their lawful business, and if the retention of the relevant information was used to protect his constituents, then all well and good.

If he were able, he would have his own DNA added to the DNA Database. The only reason why his DNA was not on the database was that the police had refused to take a sample as he had not been interviewed about or associated with an offence. And as far as CCTV was concerned, his constituents were crying out for more – and better – CCTV – and in as many public places in and around Shipley as was practicable. Philip then trotted the usual statistics on the range of crimes that had only been solved because the relevant surveillance material existed and had been passed on to the investigating authorities.

Alex Dean did not accept this argument, as it was his contention (broadly) that the collection of the information in the first instance was wrong. According to him, the benefits to society of any use of an extremely small part of the retained material were totally disproportionate to the detriment that was experienced by the rest of society, whose legitimate privacy rights were continually being ignored by a state who abused their ability to access the material.

Take the practice of requiring some people, as a condition of boarding a flight, to submit themselves to full body scanners in airports. Was it acceptable to run the risk that some of the images generated by passengers were going to be abused by the scanner operators - or that some frequent flyers may be caused harm as a result of repetitive scanning? Or should (selective) compulsory scanning be permitted as they increased the security of fellow passengers on the plane? While Alex argued that scanners were unacceptable (as you can’t trust the operators), Philip argued for their retention on grounds of public security.

You can see where this argument is heading. One side rejects the retention of material on the grounds that it may be abused. The other side required the retention of the same material in the hope that, subject to suitable controls, it can be used to protect the public.

And you thought that those on the Right always agreed with themselves? On issues of surveillance, evidently not.

I’m looking forward to blogging about how this issue develops.

For those suitably intrigued by what goes on within the walls of the IEA, the next event in this series will be held next Tuesday evening, where those interested in the Free Society will be joined by reps from the Adam Smith Institute, to enjoy some excellent wine and to ponder whether a big society can be a free society. Power or persuasion: what’s the big idea?

Sunday 6 June 2010

One thousand ... and still counting

Just as Anne Boelyn had her thousand days before her head got chopped off, so we now have reached the position where data controllers have managed to report one thousand breaches to the Commissioner’s Office. Will any of them suffer the executioner’s axe too?

According to my trusty guide Wikipedia, cinematically, Anne of the Thousand Days took twenty years to film because its themes — adultery, illegitimacy, incest — were then unacceptable to the U.S. motion picture production code. Well, it hasn't taken more than twenty years of data protection legislation for us to wait until the one thousandth breach has been reported. I think the ICO started counting after the great HM Revenue & Customs data breach back in October 2007. We have only had to wait until 28 May 2010. It would be nice of the ICO’s press release were also to explain just when it started counting the breaches, but never mind. Probably just an oversight.

Admittedly, the data protection breaches have not generally concerned themselves with issues as mighty as adultery, illegitimacy or incest. They’ve generally been a lot more mundane than that.

The statistic that really hits home is the percentage of data breaches that have been reported because the date media on which it was stored had either been lost or stolen. In 23% of the cases, the media was lost. In 30% of the cases, the media was stolen. So, if data controllers had adopted a “privacy by design” approach which involved the use of encryption, it seems possible that over half of all security breaches reported to the Commissioner’s Office might never been needed to have been reported in the first place.

I suppose the other statistic that really hits home is the percentage of data breaches reported by the NHS. If these figures are to be believed, they comprise 30% of all reports. Which is of course why we should not read too much into these figures. The NHS is no way as bad as that. What it does show, in my view, is that the NHS is savvy enough to be aware of the occasions when it does lose data, and sufficiently confident not to hide the figures from public view. Good on them.

I think it’s quite likely that many other data controllers are simply unaware of the losses that are occurring within their estate, and frightened of telling anyone should they do become aware of a significant breach.

I do appreciate the difficulties of practicing what you preach though. I know it’s not necessarily easy to achieve full encryption of everything, regardless of where it is, these days. I do apprecite the real pressures on people’s budgets and the horrendous problems presented to those who have to rely on legacy systems and an IT estate that is more suited to operating the Tardis than the USS Enterprise.

But think – if we could do two things in 2010, just two, what should they be? – Apply full encryption, monitor the IT boundaries, and then get down to the pub. Job done – well half of it, anyway.

Looking at the Commissioner’s press release which announced the thousandth breach, I wondered whether there was anything else we could concentrate on to pick off more “low hanging fruit”, as it’s called in corporate speak. This is what the press release thinks we should be doing:

Are you sure that you know who you are disclosing personal information to? Have you checked that they are genuine and that they are entitled to the personal details that they are asking for?
• Beware of the dangers of email. Be very careful when selecting recipients of personal information from drop down lists to get the right ones. Do not click on ‘reply to all’ and automatically include all the copy recipients in your disclosure of personal information. For more sensitive information simple email disclosure may not be sufficiently secure.
• Check that automated systems e.g. for stuffing envelopes are working properly and do some dip sampling to verify this.
• Beware of window envelopes. Make sure that only the name and address can be seen through the window.
• Check the positioning of screens particularly in open areas or by windows where they might be seen by members of the public.
• Train your staff in the risks of wrong disclosure and make sure that they don’t get careless about who they are passing information on to.

All of this seems pretty standard stuff, but I don’t think that all of these controls will necessarily result in a reportable incident should there be a failure in one of them. For example, I am hardly likely to disclose the details of a sufficiently large enough number of customers by wrongly positioning the screens in open areas. Yes, the wrong people may get to see the details of one or two customers – but hopefully not a thousand of them, which is the trigger that the Commissioner’s Office has in the past suggested as the magic figure above which a disclosure is required. And, in my experience, social engineering occurs when a miscreant is targeting an organisation for information about a specific individual (or small group of individuals), rather than just any customer whose details they can lay their hands on.

So where does this leave us? With a suggestion that we should be careful to use the “bcc” function when sending bulk emails, not the “cc” function. And that we should check envelope stuffers and letter folding machinery.

Do I hear the sound of any axe sharpening around Wilmslow yet? Don’t think so. But then again, you never know.

I doubt that Anne Boelyn heard the swoosh before it hit her fragile neck, so perhaps it's hurtling towards someone even now ...

Wednesday 2 June 2010

Have you been reading my blog, Mr Gardham?

As I was reading the Telegraph.co.uk this weekend, I caught Duncan Gardham’s article on Google, which has apparently “mapped every WiFi network in Britain.” It reminded me of what I had blogged about on 21 May. And (of course) what a number of other people had been blogging and writing about during the week, too.

There wasn’t much new to Duncan’s story, other than the quote from someone at Privacy International who thought “it will historically be viewed as a horrendous breach of law and something which a better regulator with a better understanding of the issues and the technology would never have allowed to happen.

“There should be a parliamentary inquiry which should question Google and finally get it to explain what it is up to both technically and commercially.

“The idea that it can log everyone’s wi-fi details because it is all ‘public’ is a bogus argument. It is bogus because of the question of scale and the question of integration with other information which would amount to a huge breach of our privacy.”

Some people might take this to be an attack on those chums up in Wilmslow for not properly applying the relevant provisions of either the Data Protection Act or the Regulation of Investigatory Powers Act (RIPA).

But from here on in it all gets a bit technical and legal. Arguably, the information they were collecting (ie the networks’ MAC (Media Access Control) address and SSID (Service Set-ID) number) was in the public domain anyway, because the wireless network signals extend beyond the property from which they were being broadcast) and Google was not aware of the identity of the person who was operating the equipment. If it can’t be linked to an identifiable individual, then it’s probably not personal data, so the Information Commissioner has no relevant jurisdiction anyway.

And, the provisions of RIPA may not have been breached if no interception of the actual content of a communication had occurred.

Duncan did acknowledge that the Information Commissioner’s Office wasn’t yet completely convinced that Google had goofed. As a spokesman said: “We are aware that the collection of information by Google Street View cars has raised a number of issues which we are considering. If we find evidence of significant wrongdoing, we will of course investigate and consider what action should be taken.”

This one could rumble on for as long as the Phorm debate. And it could well involve the same types of complainants, perhaps eager for a re-run if they felt they had lost their previous battles against Phorm.

Let’s sit back and see how the story develops.

Do we need to be reminded that we are still being watched?

I’ve been invited to a bash organised by the Free Society and Big Brother Watch, who have arranged an evening on the surveillance society and individual freedom. Chaired by Iain Dale (Total Politics), speakers are to include Alex Deane (director, Big Brother Watch), Philip Davies MP (Conservative), Phil Booth (national coordinator, NO2ID) and Ross Clark (author, The Road to Southend: One Man’s Struggle Against the Surveillance Society.

I’m quite interested in this event, as I don’t think that I’ve met anyone from the Free Society before. According to its website, “the Free Society (TFS) has been launched by the smokers’ lobby group Forest to give a voice to those who want less not more government interference in their daily lives.

Confronted by an ever expanding army of politicians, bureaucrats and special interest groups who seem determined to limit our freedoms through social engineering and censorship, The Free Society will discuss freedom and its limits and encourage national debate on a wide range of issues.

Our goal is a society that adopts a sensible, laissez-faire approach to social and economic affairs, trusting people to make their own decisions about how best to live their lives, mindful of the effect their behaviour may have on other people.”

Presumably this is why it likes to participate in issues relating to the environment, food & drink, free speech, motoring, smoking, surveillance and taxation. And why, accordingly, it has developed fraternal links with other campaigning bodies, including Big Brother Watch, Forest, Freedom Association, Liberty, NO2IC, Safe Speed, Save our Pubs & Clubs, and of course the Taxpayers Alliance.

It sounds as though a pretty good time is going to be had by all. Libertarianism is obviously alive and kicking in some parts of Westmninster.

And, presumably, there will be a few members of our new big Government in attendance, each eager to participate in the deliberations, which are set to be held over 5 nights this month at the Institute of Economic Affairs. For those of us who need reminding, the IEA is the UK's original free-market think-tank, founded in 1955. Free wine. It sounds fun, so I’ll be going.

So, if you are free on Thursday June 10, 2010 from 6.00pm, ask the Free Society if there’s any spare room!