Monday 31 January 2011

Dog poo and the DPA

We all know that dog fouling is an anti-social behaviour. And we all know that the powers that be take a dim view of officials using their surveillance powers under the Regulation of Investigatory Powers Act to investigate the stuff. Well, to monitor the owners of the pooches who poo, anyway.

Our local council officials have come up with a cunning plan. Will they use the mighty RIPA to investigate such offences? Oh no. To do so would obviously be disproportionate. But, they have found another piece of legislation that can be flexed to serve their needs. Instead, they will use the Data Protection Act to bring the miscreants to justice.

I saw this sign earlier today, clearly warning that CCTV may be used to gather evidence against individuals who allow their dogs to foul the land. This “fair processing notice” was fixed to a lamp post – but far too high for any small or medium sized dog to read. Anyway, hidden at the top of the lamp post, I thought I saw a tiny CCTV camera.

So, you dog walkers of Crouch End. You have been warned.

Our council officials have ways and means of tracking down the offenders.

Even when they’re not allowed to use RIPA.


Sunday 30 January 2011

The MoJ gets our views on a new DP Directive

I celebrated Data Protection Day 2011 the same way as I did 2 years ago – by attending an event at One Great George Street. That first bash was hosted by the Information Commissioner, who used the occasion to launch the Personal Information Promise. I was so determined to ensure that my company was recorded as the first to sign the thing that I made sure that the document our Chief Executive signed was actually dated the day before the date of the formal launch!

This year’s event was hosted by our chums at the Ministry of Justice, who use the occasion to publish the response to their Call for Evidence on the current data protection legislative framework in the UK. That consultation exercise ran from July to October 2010, generating a series of workshops, 163 responses and an awful lot of paperwork. The event was also used to gather more views on the position the MoJ should take as it embarks on the latest review of the Data Protection Directive. Well done MoJ. It’s got those officials well up to speed, and they must be better briefed than any other national delegation.

What worries me slightly is what happens next. Our team may know what they want, and the priority in which they want to negotiate the points away, but who will they be negotiating with, and what demands will those other teams be bringing to the table?

I sense that there is just one other national team that’s gearing up for the review, and that’s the Germans. Why? – Because German politicians have only recently reviewed German Data Protection Law, and no doubt they will be very keen to ensure that whatever European Directive is passed will allow them to keep the very high standards that the Bundestag (German Parliament) has legislated for. These standards are not the same as British standards. Oh no. I think it’s fair to suggest, though, that many responsible German data controllers are finding it hard to adopt their business systems to meet these new standards. I sense a growing unwillingness among my German colleagues to introduce new types of information services simply because it’s so hard to work out how to make them comply with the new law. But how hard will the Germans negotiate to protect something they can’t work with already?

Why does this stuff matter? Because surely it would be in no-one’s interest (in the EU) to make compliance so burdensome that the only people to benefit were global companies based outside the EU. Thanks to cloud computing and the internet, you don’t need a physical presence in a Member State to do business there. We know what the trend is. We know what happens when internet betting companies realise its more tax efficient to operate from Gibraltar rather than Glasgow. They transfer their operations there. And the same could happen in a global context should the Data Protection review result in another legal instrument that wasn’t fit for its purpose.

This point was brought home to us all very clearly at the MoJ’s event on Friday. In a brilliantly astute move, both David Smith (Assistant Information Commissioner) and Baroness Sarah Ludford MEP had been invited to address the assembled gathering of about 100 of the usual data protection suspects.

David was his usual self, demonstrating his deep understanding of the fault lines in the current legislation, but taking care to point out its considerable strengths too. We often gloss over the extent to which the current Directive has helped raise standards, influenced other jurisdictions to develop similar standards, with rules that have (generally) been capable of being applied to new technologies, and how it has even encouraged EU regulators to harmonise their opinions about many issues. And David was also crystal clear in what the ICO wanted in future: greater clarity (and simplicity) in the scope of the law, a high level of protection, a better level of accountability by data controllers, with a focus on risk reduction not bureaucratic form filling, and simple but effective rights for individuals, and (finally) sensible rules on international data transfers.

The regulators have got it.

Job done? No. No way.

As Baroness Ludford spoke, I sensed a new atmosphere in the room. We were now hearing from an MEP, a person who passionately believed that the European Parliament had a voice in these things too. It is clear that we ignore these creatures at our peril. My most valuable insight into the day was the extent to which we all have to redouble our efforts to make sure that these powerful people actually know what they are talking about, and that they fully appreciate the consequences of any amendments they may propose. Sarah freely admitted that she and her fellow European Parliamentarians needed more assistance as they crafted amendments that could well make their way into the final text of European Directives. They don’t have parliamentary draftsmen available to help them get the words right. "We are amateurs and there is not good enough impact assessments of amendments put by MEP’s, only the Commission", she said.

So, the prospects of the European Parliament creating a legal instrument that is clear and simple, given the political bargaining that will inevitably go on until the very last minute, are slight. Let alone a legal instrument that will meet the needs of both people who wish to have greater control of their own personal information, and companies who also see this very same information as their own property (because it they acquired it in a fair and transparent manner).

Our call to arms is simple. Support our MoJ negotiators. Because if we don’t, we could have an awful lot to lose. Our political masters may glide through the Ministry of Justice en route to another political appointment every now and again. But Belinda Crowe, the MOJ’s Information Director, and Kevin Fraser, the Head of EU/International Data Protection, are unlikely to be so lucky. They should be in their posts for the whole ride – so let’s make sure we brief them until we’re blue in the face.

And at the same time we need to brief the other national delegations about our concerns. Oh yes, and we must not forget the importance of briefing the MEP’s, who think they already know a bit about data protection, too.



Saturday 29 January 2011

Voicemail hacking – what’s the crime?

My naughty step is getting so crowded I’m thinking of ordering a larger one. As the media continues to publish reports about victims of (alleged) voicemail hacking, I thought I would try and tease out some of the issues that need to be addressed as the investigators work out whether and which bits of the law have been broken.

“Voicemail hacking” is a strange phrase, which has emerged over the past few years to describe an activity which is certainly naughty, but strangely quite hard to define in terms of the laws which have been broken. And it’s important to know which laws have been broken, as only then will the miscreants know what punishments they are likely to get.

You can get a prison sentence (of up to 2 years) for unlawful interception. But you can get a much longer sentence for committing an offence under the Computer Misuse Act. Ten long years, actually. As well as an unlimited fine.

I don’t think it’s possible to say that everyone who who commits a voicemail hack is always guilty of the crime of unlawful interception. This is because the Regulation of Investigatory Powers Act defines the offence of unlawful interception in a very narrow way. Those awfully clever Parliamentary draftsmen used language that was so complicated in its construction that everyone forgot how hard it might be to actually apply it in real life.

Let’s look a little closer at the problem.

The problem arises in Section 2 of the Act, which provides that a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he—
(a)so modifies or interferes with the system, or its operation,
(b)so monitors transmissions made by means of the system, or
(c)so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,
as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.

So far so good. Its a crime to intercept a communication if its in the course of its transmission. This means its definitely a crime to intercept and record, say, live calls between two people.

But, what happens when the caller has simply left a message on a voicemail? Can it be argued that the communication is still being transmitted? Or does the transmission end when the caller leaves the voicemail, which the intended recipient will listen to later?

Subsections (7) and (8) try to address this knotty problem. Here are the words that were used, then I’ll try and explain the intention:

Subsection 7 provides that For the purposes of this section the times while a communication is being transmitted by means of a telecommunication system shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it.

Subsection (8) provides that For the purposes of this section the cases in which any contents of a communication are to be taken to be made available to a person while being transmitted shall include any case in which any of the contents of the communication, while being transmitted, are diverted or recorded so as to be available to a person subsequently.

What I take this to mean is that the Parliament tried to put communications into 2 categories. The first category relates to communications in transit. The second category relates to communications that have been transmitted and are being stored in a voicemail box. If I’m right, a miscreant commits the crime of unlawful interception if they access the first category of messages, but not the 2nd category. The 2nd category is another sort of crime – a Computer Misuse Act type of crime, if you fancy committing a criminal offence; or perhaps a breach of confidence, if you fancy committing a civil offence.

While this appears to be an elegant distinction in theory (well done, you clever Parliament), I don’ t think that anyone, at the time, actually thought about the problems the police (or other litigants) were going to encounter in trying to investigate and prosecute these offences.

The trouble is that the records which the prosecution will have to rely on to establish their case may well not exist. Do records actually exist which show whether a caller
• Dialed a phone number and was put through to the calling party’s voicemail box?
• Left a message on the voicemail box?
• Used a PIN number to access the stored voicemails?
• Listened to any of the stored voicemails which had previously been heard by the intended recipient?
• Listened to any of the stored voicemails which had not previously been heard by the intended recipient?
• Deleted any of the stored voicemails?

And what about the person whose account had been “hacked”? How would they know that a message which had previously been left for them had actually been opened, listened to and subsequently deleted by the miscreant? Where’s the evidence that might warn them that some mischief had occurred?

I’m really not sure. I suppose it would help if a careless miscreant were to keep detailed records of precisely what they had done. I’m not sure whether any other types or records exist that would provide the evidence – to meet the test required before it can be adduced in criminal trials.

I mentioned the Computer Misuse Act earlier. It creates a couple of quite useful offences. I’m not as familiar with this piece of legislation as I am on RIPA, so am relying on the accuracy of material published by the Intellectual Property and Technology team at UK law firm Freeth Cartwright LLP.

The Section 1 offence “Unauthorised access to computer materials (hacking)” provides that someone is guilty of the offence if:
• he causes a computer to perform any function
(a) with intent to secure access to any program or data held in any computer
(b) or to enable any such access to be secured
• the access he intends to secure, or to enable to be secured, is unauthorised

The Section 3 offence “Carrying out unauthorised acts in relation to a computer” provides that someone is guilty of the offence if
• he does any unauthorised act in relation to a computer;
• at the time when he does the act he knows that it is unauthorised; and
• either the person intends that the act will have a certain result (discussed next) or the person is reckless as to whether or not the act will have that certain result.

The 'certain result' referred to in bullet point 3 above is any of the following:
• impairing the operation of any computer
• preventing or hindering access to any program or data held in any computer
• impairing the operation of any such program or the reliability of any such data
• enabling any of the above to be done

This means that a miscreant commits a Section 1 offence by unlawfully listening to a stored voicemail message, and a Section 3 offence by deleting it. The maximum penalty for Section 1 offences is a custodial sentence of up to 2 years and an unlimited fine, while a person who commits a Section 3 offence faces a custodial sentence of up to 10 years and an unlimited fine.

So, why bother with interception offences if a prosecutor can get a heavier sentence under the Computer Misuse Act?

Again, it’s the same problem. The actual evidence of misbehaviour is really hard to come by.

Perhaps some extremely expensive lawyers have looked at this issue and they have advised the less reputable members of the investigative media that voicemail hacking is certainly naughty, but actually quite hard to detect.

Lessons for those who want it make it harder for others to compromise their voicemail accounts:

• Ask callers to consider whether they actually need to leave a voicemail message (why don’t they send a text instead?)
• Check voicemail boxes frequently (so that the saved messages are heard shortly after they have been created)
• Delete messages once they have been read (so that there is less material for a miscreant to find)
• Change Voicemail PINs regularly (just as we do with our other passwords ... )



Sunday 23 January 2011

The Supervisor and the Spice Girls

Peter Hustinx has been at it again. No, not like Italian PM Silvio Berlusconi. The European Data Protection Supervisor has issued his opinion on the EU’s cunning plan to revise data protection law. And he's provoked a bit of a debate. He’s accepted the global nature of data flows, and sees great merit in some form of binding global rules on data protection. And he suggests that many of the practical difficulties in ensuring compliance can be addressed by data controllers adhering to an “Accountability” principle.

He’s also bang on the money with his observation that technological developments since the introduction of the original Directive mean that in many cases this has led to fundamental changes in the way personal data of individuals are being processed. The information society can no longer be considered as a parallel environment where individuals can participate on a voluntary basis, but has become an integrated part of our day to day lives. [paragraph 37]

And on the following paragraph he points out that the framework must also bring more legal certainty for companies and for individuals. They must understand what is expected from them and be able to exercise their rights. This requires that the legal arrangements are precise.

He also makes a plea for harmonisation, opining that the level of harmonisation under the present Directive has been judged as less than satisfactory (a diplomatic understatement here, perhaps).

The Communication recognises that this is one of the main recurrent concerns of stakeholders. In particular, stakeholders stress the need to enhance legal certainty, reduce the administrative burden and ensure a level playing field for economic operators. As the Commission rightly notes, this is particularly the case for data controllers established in several Member States and obliged to comply with the (possibly diverging) requirements of national data protection laws. [paragraph 49] Peter also wants the current notification system to be simplified.

All good stuff.

Then, in paragraph 65, he suggests that a Regulation would reduce room for contradictory interpretations and for unjustified differences in the implementation and the application of the law. Hmmmmm - this means that whatever comes out of the Commissioner will be the law. An interesting concept – but what happens when the EU publishes something that even the Member States can’t agree on what it means. Like the current debate on cookies. Do we really need the consent of the user in each and every case, or can the settings on their browsers be taken to reflect their wishes? You currently get different answers to this pretty fundamental question, depending on which side of the English Channel you are.

But then it goes a bit haywire when we get to digesting the likely impact of his comments about transparency – at paragraph 71 Peter argues that transparency is of paramount importance in any data protection regime, not only because of its inherent value but also because it enables other data protection principles to be exercised. Only if individuals know about the data processing, they will be able to exercise their rights. I think he then starts to spoil his argument, by suggesting requirements

1. for a controller to provide information on data processing in a manner which is easily accessible and easy to understand, and in clear and plain language. The information should be clear, conspicuous and prominent. The provision could also encompass the obligation to ensure easy understanding of the information. This obligation would render illegal privacy policies which are opaque or difficult to understand.
2. to render the information easily and directly to data subjects. The information should also be permanently accessible, and not after a very short time disappear from an electronic medium. This would help users to store and reproduce information in the future, enabling further access.

The classic problem I’ve faced with regulators is that while they want “their” material to be provided in this way, they then get a little surprised when the result is a text which is so long that no-one reads the stuff. Data Protection. Consumer Credit. Distance Selling. Other health warnings and safety advice. Terms and conditions. Operating instructions. Add that lot up and you’re well on your way to a decent sized novella. To be honest I would prefer to read the opening passages from the Rime of the Ancient Mariner – or the Prologue to the The Canturbury Tales – in its original Middle English – than the regulatory stuff.

It is an ancient Mariner
And he stoppeth one of three
‘By thy long grey beard and glitterying eye,
Now, wherefore stopp'st thou me?

Marvellous stuff. As is this:

A Marchaunt ther was with a forkyd berd
In motley on high on hys hors he sat
Up on his hed a flaundres beuer hat
Hys boots claspyd feyer and fetously
Hys resons he spack ful solempnely
Shewynge alway the incresse of hys wynnynge

But I digress (slightly).

My main concern is that Peter wants the rules on consent to be expanded, but fails to point out what the consequences should be if people decide not to acquire sufficient knowledge to be able to supply this consent. If someone clicks a “consent for marketing button” on the internet without truly knowing the full consequences of that click, has the data controller committed an offence when they subsequently use appropriate information for, say, marketing purposes?

We all know that, according to the Directive, for consent to be valid it must be informed, freely given and specific. It must be an informed indication of the individuals’ wishes by which he signifies his agreement to personal data relating to him being processed. The way in which consent is given must be unambiguous.

Peter comments at paragraph 81 that it is not always clear what constitutes true, unambiguous consent. Some data controllers exploit this uncertainty by relying on methods not suitable to deliver true, unambiguous consent. So, he wants more rules on the concept of “express consent.”

He’s suggested

1. New rules to broaden the situations where express consent is required, currently limited to sensitive data.
2. Adopt additional rules for consent in the on-line environment.
3. Adopt additional rules for consent to process data for secondary purposes (i.e., the processing is secondary to the main processing or not an obvious one).
4. In an additional legislative instrument ... determine the type of consent needed, for example, to specify the level of consent on the processing of data from RFID tags on consumer products or on other specific techniques.

Bring back the Spice Girls.

In future perhaps we’ll have multi layered levels of consent. Just like when I want to delete electronic files and Microsoft sends me a message are you sure before it consigns it to the cyber furnace, we’ll have to devise new scripts that legitimise marketing. I expect the Commission to require pop up messages on all computer screens every now and again saying:

So you want the marketing?
Are you sure?
Are you really really sure?

And the recipient can type back

I’ll tell you what I want what I really really want
I wanna a, I wanna a, I wanna a, I wanna a,
Really really wanna ze dem adds right now.



Monday 17 January 2011

Consent – and on-line marketing

Moves are afoot to change the Data Protection Directive to strengthen the rights of individuals. While there can be nothing wrong with that, if we are not careful, life could me made much harder for those who need a little bit of help to know what can be useful to them – but are too lazy to get it.

What am I on about?

I’m referring to that old concept of electronic marketing. The current rules require that people need to consent to electronic marketing before any such activity can take place. The problem is that the definition of “consent” (ie something that is freely given, specific and informed) requires a certain level of engagement by the individual. And what happens if that individual can’t be bothered to engage?

I expect the privacy activists to argue that marketing can only take place when the individual has become so engaged with the issue that they freely, specifically and deliberately do something which allows the marketing activity to commence. Perhaps they don’t just have to tick the “send me marketing material” box on each website. Perhaps they also need to take a quiz so that they can prove to the world that they really do know how the marketing will happen, who will be doing the marketing, and who will be using all the information that is generated as a result of the marketing. Yep. I know it’s a strange concept. Explaining to people how the on-line marketing industry currently works is hard. Even to clever people. And that’s because it’s complicated.

If I were really lucky, I might be able to find someone who could create an explanation that, say, Lisa Simpson might just about get. But who can create explanations simple enough for Homer Simpson to understand? Not me. But I’m sure Homer would have a sense of humour failure if he were to miss an on-line promotion for his favorite Duff beer.

So what can privacy professionals do to make explanations simple enough for people like Homer Simpson to understand? Is it going to be sufficient to ask people for permission to send them direct marketing information, without expecting them to know precisely “how” the marketing will be generated? I’m allowed to buy cars without having to prove I know about what goes on under the bonnet. So perhaps I should also be able to go on line and be served marketing stuff, without having to prove that I know just how the advert (or the creative, in marketing terms) was selected.

We also have to bear in mind the fact that many marketing campaigns are run for people who are quite anonymous to the person doing the marketing. The internet creates huge amounts of data about devices that are connected to the internet, and they don’t (and can’t) always differentiate between different people who may use a device when it’s connected to the internet.

Some people are really worried about this, and I’m currently involved in an exchange of correspondence with someone who has written about the ambiguous definitions of personally identifiable information. They have pointed out that “the more someone knows about us, the bigger is the damage we can suffer or the more vulnerable we are to them.” I’m not sure that actually is the case as far as electronic marketing goes – at least just yet.

What might happen if I wanted to book an advertising campaign to promote more sales of Duff Beer, for example? I might well just ask my ad broker to send ads to websites which had advertising spaces which may be read by users of devices who had previously identified themselves as being:
(a) not minors
(b) interested in cartoon characters
(c) had previously been served (and preferably had clicked through) alcoholic adverts

I don’t need to know who these people actually are. After all, I’m not going to know their identity when they pop to the shops to buy some cans of Duff anyway. And nor do I care that I don’t know who they are. So how much do they need to know about how marketing works before they can read an advert that I would like to send to them?

I’m not after an excuse to behave badly. I just want to work out what I can do to give Homer Simpson what he needs, in a way that Homer would be happy to have it, in a way that Homer would understand it, and also in a way that enables a responsible data controller behave properly.


Sunday 16 January 2011

Back to the ID card debate

The UK Identity Card legislation may have been formally scrapped, but work is continuing behind the scenes to create what looks like, feels like, and acts like ... identity cards.

Why is this? It’s simple. It’s because it’s still necessary to develop some form of identity governance both in the public and the private sector to drive down costs and improve quality of service.

The latest organisation to publish a paper on the subject is EURIM, the well respected independent UK based Parliament-Industry group. This group (to which I ought to declare that I belong) brings together politicians, officials and industry to help improve the quality of policy formation, consultation, scrutiny, implementation and monitoring in support of the creation of a globally competitive, socially inclusive and democratically accountable information society. It helps set the agenda, stages constructive debate and reports on progress. EURIM does not undertake lobbying activities, nor does it make a case on behalf of individual companies. Its purpose is simply to better inform policy making in the public interest. When there appears to be an 'industry view' on an issue, EURIM takes that as a starting point for an evidence-based and critical approach to informing wider debate and policy making.

What’s the problem? Well, from a public sector perspective, there remains the potential for organised crime to defraud the tax and benefits systems through identity theft, using electronic attack vectors and malicious code similar to that used against banking, unless effective identity governance structures and counter measures are at the heart of the new systems. The emerging catchphrase is “security by design, not afterthought.” Last year, the National Fraud Authority estimated the cost of Fraud to the public sector at nearly £18 billion p.a. and rising . That is more than four times the cost (under £4 billion) to Financial Services.

The really good thing about EURIM’s papers is that they are short. This one is just one page in length. Short enough for lots of people to read and understand. Probably too short for the eurocrats in Brussels, but hey, we live in the real world here in London. Most busy politicians will read a single page (if pushed). None of them are likely to have the time to read anything much longer unless their assistants have highlighted the really important stuff with a marker pen.

EURIM also produced a diagram setting out why an ID card scheme might benefit the community at large. I’ve reproduced it here.

For those who don’t have time to read the entire document, I’ve reduced the most important bits to a series of “tweets”:

Government has to rationalise the many systems that it uses to identify its employees and contractors, and for its dealings with citizens, residents and visitors, in order to cut costs, reduce fraud and improve national security.

Trusted, reliable identities are a prerequisite for security and accountability in the online world. Globalisation and the Internet have made identity and identification unnecessarily complex and weak, to the detriment of security.

There are five roles for Government:
(1) as an identifier of citizens, maintaining trusted voter registration system
(2) as a deliverer of services, to minimise wastage and fraud
(3) as a guarantor of standards, acceptance of accountability and risk
(4) as an employer for cost-effective cross-departmental systems; and
(5) as market-maker, driving credible and acceptable interoperability rules

Unless work starts soon, the UK will become overly reliant on identity governance systems over which we have little or no serious influence.

Managing highly reliable identity can cost hundreds of pounds per year per identity. But these costs should reduce as solutions are developed which enable global as well as domestic interoperability.

Now, whether this proposal can get achieve the support of our friends at NO2ID, BigBrotherWatch or the Coalition Government is another matter. It’s probably a bit too early for a “Coalition U-Turn” just yet, but give it a few more months for the anti-ID card lobby to drift away, and then we may well see renewed determination for “something” from within Government circles.

As Vicky Pollard might say: “ID Cards? Yeah but no but yeah but no but yeah but no but ... but all right then – perhaps yeah after all”



Saturday 15 January 2011

Panic stations at Marsham Street?

If there exists a journalist with better contacts in the government/security/privacy/ISP/ arena than Chris Williams, I have yet to meet him (or her). I don’t know how he sources his material, but if you ever wanted the low down on the arguments that are really happening within the Home Office on stuff relating to communications data retention, privacy and security, then Chris is the man you would want to have a drink with. Or several. Until I met him, I was so impressed with the range of stories he had pumped out through “the Register” that I was convinced that he was actually a team of people, rather than an individual journalist.

And now I hear that Chris is leaving The Register, having covered that patch for that organ for long enough.

Is this a case for rejoicing in the corridors of Marsham Street? Will we see members of the “Fifth Floor’s Finest” celebrating by dancing on their desks and cracking open another packet of fig rolls?

I think not.

Chris hasn’t gone away, you know. He’s taken his redoubtable investigative skills over to The Daily Telegraph, where his articles will immediately reach a much larger audience. Will he change his position on many of the issues that have caused an element of frustration within the Home Office? Probably not. Will he retain his contacts and remain close to the heart of many surveillance issues that could open more wounds within the Coalition Government? Quite possibly.

So we should expect to hear a lot more from Chris.

If he can write articles that get members of the great privacy blogosphere really upset, then just think what he can do with his wider reach into Middle England.

And if I had anything to keep discrete about in the government/security/privacy/ISP/ arena, then I would be afraid. Very afraid.



Excuse me – do you know about "your" data breach?

It won’t be too long before telecoms companies and internet service providers are faced with the prospect of dealing with mandatory breach notification rules. I only hope that these new rules don’t actually divert valuable management time and resources to dealing with the real issues – which relate to making sure that victims understand how committed the data controller is to limiting the damage which may be caused as a result of the breach, and ensuring that changes are made to the relevant processes to reduce the likelihood of such an unfortunate incident happening again.

A report by ENISA, the EU’s cyber-security agency, has just been published, which makes a number of recommendations. Perhaps the aim is to ensure that those same rules which would work in the telecoms sector could be rolled out to other sectors with relative ease in due course. Those who like to place a bet on the next sectors to face breach notification rule are tossing their Euros at the financial and the health care sectors and small businesses.

Yes I have read it. All 38 pages. And, for brevity, I’m going to reproduce below the summary produced by The Register which set out key concerns raised by telecom operators and DPAs interviewed by ENISA. They include:

• Risk Prioritisation – Interested parties want breaches categorised according to risk levels to avoid ‘notification fatigue’. Graded responses should be applied depending an the level of risk. A one size fits all approach would be counterproductive.
• Communication Channels – Operators wanted assurances that applying by breach notification rules and reporting slips would not result in damaging their brands. The concern is that those that report problems, in compliance with the rules, will be "punished" by earning a reputation for poor security while those that do nothing will avoid tarnishing their reputation.
• Resources - Several regulatory authorities have other priorities beyond the handling of breach notification and there were concerns this could lead to over-stretching of resources, leading to possible problems in enforcement and other areas.
• Reporting Delay - The report identified a split between service providers and regulators on deadlines for reporting breaches. Regulators want short deadlines whereas service providers wanted to be able to focus their resources on solving the problem, before they dealt with the regulatory fallout of any breach.
• Content of Notifications - Another area of disagreement. Operators want to make sure the notification content avoided unduly alarming customers, who might be inclined to think the worst about any breach. Regulators, meanwhile, advocated complete transparency.

The comments on the rules, from what I have seen, appear to concentrate on the “process” of notification. But let’s take a step back, first. If we’re not careful, we’ll end up wasting resources. Who really wants to create an overly bureaucratic machinery that is designed to ticks boxes, not cure the underling problem. We can all see where this is leading – to an avalanche of notifications to regulators who are powerless to react because they don’t have the resources (or possibly the inclination) to deal with each notification it gets.

What really interests me is in trying to understand what the point of notification is. Is it about creating a process, or is it about creating an atmosphere of empathy with the victim? Or is it to encourage data controllers to change their behaviours?

If notification is to achieve its purpose, then we have to understand what this purpose is.

Given the experience of the past 15 years, we can all appreciate what a waste of time routine notification of data processing purposes is to regulators. So why on earth is it thought that routine notification of breaches to regulators would serve any useful purpose?

If a data controller is to be punished for any failure to notify a regulator of a breach, then I think its incumbent upon the regulator first to explain what benefit will be derived from having reported the breach in the first place.

Perhaps this is where a new “Accountability” principle comes in. Perhaps data controllers should concentrate on discussing breaches and their consequences with the victims, rather than regulators. And, rather than liaising with the regulators as a matter of course, they should devote the vast majority of its resources to sorting out the current problem. And only inform the regulators about exceptional breaches, rather than run of the mill beaches.



Sunday 9 January 2011

“Actually, internet user, I know where you’ve been”

Is this what internet users need to be told as surf the internet? Because, if we are to believe what webmasters like Guido Fawkes are bragging about, then perhaps we should all be wary about revealing too much of our past when we visit the internet sites which are capable of capturing such information.

To give you an idea of what these cookies are capable of telling a webmaster, read the explanation in the blog posted by Paul Staines, the webmaster behind Guido Fawkes. He didn’t start his blog purely to understand what his readers had been doing before they surfed to his site. No. The primary motivation for the creation of his blog was purely to make mischief at the expense of politicians and for the author’s own self-gratification. His alter ego, Guido, sees himself as a campaigning journalist who publishes via a website. He campaigns against political sleaze and hypocrisy. He doesn’t believe in impartiality nor pretend to it. Guido has frequently broken stories that have gone on to dominate newspaper pages. He often gets stories out before broadcasters. The blog is read widely in the Westminster political village and in newsrooms.

The blog was once the Guardian’s political commentary blog of the year and has won numerous new media awards Guido had never heard of before nor in all likelihood will ever again. Guido regularly appears in those wanky annual lists of media movers and shakers. He claims to pay no attention to them, but secretly always likes it when he is ranked higher than the BBC’s Nick Robinson.

This is what he said about those who visited his site during 2010, in a posting last week:

Across all distribution platforms last year the blog had approaching 30 million views and Guido would like to thank you readers who make this blog possible.

Where do you all come from? Overwhelmingly direct from browser bookmarked favourites, secondly via referrals from Google and the lesser search engines, thirdly via RSS feed readers. The next biggest source of traffic is from Guido’s own mailing list which was ahead of even Iain Dale in terms of click-throughs. He’ll be missed though, nearly 1 in 20 visitors to this blog last year came via Dale’s Diary…

In descending order of magnitude the Spectator, ConservativeHome, and the Telegraph’s blogs provide a lot of traffic and we thank them. Twitter and Facebook in comparison were relative laggards – Twitter for all the hype sends barely one tenth the traffic to Guido that his own email list generates. Social media gurus might reflect that Guido has largely withdrawn from Facebook, which sucked up his content and gave little back – traffic for their advertisers rather than Guido’s advertisers. The economics of blogging means that without reader traffic there would be no advertisers and without them there could be no content.

What I wonder is just what cookies were used by Guido to track his visitors. When I go shopping in real life, in, say, a shopping mall, the shopkeeper has no knowledge of where I’ve just been, so (presumably) I’m treated just like any other potential customer. No favours. Just a “Hello Sir, and how can I help you today” kind of attitude.

I wonder what the shopkeeper’s attitude were to be if they were able to track my recent whereabouts. How different might the shopping experience be then? “Hello Sir, and by the way, here are some holiday destinations we think you might like, and as a special gesture we’ll lower the price of those very same hotels displayed by the provider you’ve just visited by 5%, just for you.”

Surveillance or what?

Of course, if we were feeling mischievous, we could also use our knowledge that these internet retailers are assessing us on the basis of where we have come from by, say, coming from places which might confuse them. If, say, we were always to visit certain websites from the official website of Prince William and Prince Harry, the retailers might get awfully excited. Just which member of the Royal Household might be trying to get a special offer this time? – Should they offer that special discount, just in case the browser is someone really special? By the time we’ve given our actual details, it ought to be too late – we could have been offered the special “Royal Discount” and the webmaster ought not be able to go back on their word.

So, if anyone wants to join in the fun, try logging onto new websites from

And let’s see if, on 1 January 2012, Guido Fawkes comments on the huge increase in interest in his website from apparently Royal circles.

Before we get too excited, there is a slight possibility that the new rules on cookies will encourage some webmasters to be more transparent about the type of cookies that are in current use, and what users might do to disenable them, if they were so inclined. Call me old fashioned, but I really doubt that the rule changes will have that much of an impact. Most internet users don’t read current privacy policies (and they probably don’t care anyway).

Of course some people will remain extremely angry about the way information about “them” is being captured - and I’m sure that many of the people doing the capturing will argue that they have no idea who or even how many people are sharing the device which contains the cookie, so it’s not really personal data, anyway.

Source: posting Saturday, January 1, 2011