Monday 29 December 2014

Emergency messages: delivered in a decade

Precisely a decade ago, just as staff at the mobile telecoms were getting ready to vacate their offices for the New Year holidays, a request was delivered from the Foreign and Commonwealth Office. I was one of those who received the request.

An earthquake off the coast of Sumatra had, a few days earlier, sent a tsunami surging across the Indian Ocean, killing more than a quarter of a million people, and rendering hundreds of thousands homeless. It caused horrific devastation across more than a dozen countries.

British Airways had very generously laid on a plane to evacuate British citizens, free of charge, from one of the hardest hit areas. But how could the Brits be advised that this flight had been arranged and was due to depart in the next 18 hours? Could the major mobile providers send a text message to their customers who were likely to be in that area? And could they send the text message as quickly as possible – preferably within a few hours, to give victims sufficient time to catch the flight?

Yes they could. And yes, they did. (Or at least, yes, they certainly tried to send the messages). No mobile operator declined on the grounds that the sending of such messages was unlawful, as they weren’t permitted by the Privacy and Electronic Communications (EC Directive) Regulations 2003, which placed restrictions on the ways that traffic data could be used to send messages to users.

Bugger the legal restrictions. What was more important was offering practical assistance to people who were victims of a regional calamity.

Shortly afterwards, and bearing in mind the practical lessons which were learnt from that incident, the FCO embarked on a series of discussions with the mobile operators about creating a more formal process for sending emergency messages to customers.

The FCO-sponsored discussions continued at what can only be described as a glacial pace. Eventually, the issue was handed to the Cabinet Office.

A couple of weeks ago, the Cabinet Office was finally able to announce the result of these discussions. After a decade of deliberations, a consultation document has been published, proposing minor tweaks to the Privacy and Electronic Communications (EC Directive) Regulations 2003, to set up a more robust public alert system.

The deadline for commenting on the proposals is 26th January.

I don’t expect that many people will bother responding to this consultation exercise. If I were to respond, I would ask why it has taken a decade for this matter to be addressed. When an issue like this emerges, it should not take the relevant stakeholders - including the public officials - so long to react. After all, when issues relating to the retention of communications data arose earlier this year, threatening the destruction of records that were potentially of considerable value to the law enforcement and intelligence community, emergency legislation was rushed through Parliament in days.

The third sentence of the consultation document’s Executive Summary is misleading. It is not fair to state that “in 2010 the Government committed to evaluate options for an improved public alert system in the UK” if readers are left with the impression that credit for the proposal should rest with the Coalition Government. This is just PR spin. It would have been much more accurate to state that since 2005, all Governments have dithered over how the system for sending alert messages to the public should be improved.

To use a more media-friendly phrase, they've dithered for a decade.

The main problem with initiatives like this is not in legitimizing them – but in executing them. Serious emergencies do not occur very frequently. So how will the Gold Commanders (the senior police figures who direct the emergency response teams) remember what process should be used to invoke the alert messages? How will the operational network management staff within the telecoms control rooms know that a genuine request is on its way? And how will the target recipients be sent the messages within the proposed 15 minutes? All this will require a lot of training, and regular exercising, to ensure that what ought to happen in theory actually does happen in practice.

Knowing how good the EE operational network management staff are at dealing with incidents, I’m pretty confident that my phone will receive an emergency message if I’m unfortunate enough to be in the affected area at the relevant time. Whether I’ll read it in good time is another matter.


Saturday 27 December 2014

My data protection predictions for 2015

I’ve been squinting into the future – and now I’m ready to face the forthcoming year with renewed vigour.

The good news, in terms of data protection standards, is that not much is likely to change in 2015. So we should carry on trying to apply the rules we already know about. Officials from the EU member states will continue to meet to consider how the current standards ought to be modified. They will be placed under increasing pressure from politicians who are keen to be seen to be raising data protection standards across the globe - but it is highly unlikely that citizens will actually feel better protected this time next year as a result of all this pressure.

Communications Data

Petty criminals will flourish as law enforcement investigators working with local authorities (the sort that investigate dodgy dealers, con men, environmental health breaches, trading standards officials – you know the sort) will be starved of the resources that are required to obtain legal orders forcing communication service providers to supply the evidence that is so useful in securing convictions. Local politicians will increasingly explain that they don’t have the funds to pay for the data requests to be approved by local magistrates, and as it’s only low-level crime, the national media won’t bother drawing attention to the problem.

Connected Cars

Regulators will realise, only far too late, that new EU rules on mandating electronic communication devices in cars have placed users under a new level of surveillance. Although primarily designed for use in locating a car after an accident, their “always on” facility provides amazing opportunities for data controllers that have other purposes in mind.

Cybersecurity

Consumers will reduce their expectations about the extent to which their data is safe when online. The media will continue to report on large-scale cyber security incidents, increasingly committed by state actors for political and national security reasons. Regulators will be increasingly drawn into prolonged disputes about the extent to which data controllers are liable for security breaches that result from attacks by professional criminals and (state-sponsored) hackers.

Data Retention

Data retention requirements will feature in 2015 – but with a twist. This time, regulators will press for data to be retained for longer periods, in order that the actions of suspected offenders can be reviewed long after their deeds were committed, while the more slippery data controllers will press for data to be deleted ever faster, to prevent evidence about said organisations being potentially available to prosecutors in the event that past behaviours need to be reviewed.

Drones

Despite continuing to drone on about drones, guidance about “safe droning”, issued in the UK by the Surveillance Camera Commissioner, the Information Commissioner, the Civil Aviation Authority and a myriad of other bodies will be blissfully ignored by many thousands of happy droners, most of whom will be entirely unaware of the laws they will continue to break.

Employment Opportunities

HR Departments will continue to see data protection as an issue that requires a lawyer on board, rather than a hands-on data protection practitioner. The focus will continue to be mainly on “what does the current law, or a possible new law, mean for the organisation?” It ought to be “what do regulators expect an organisation to do to ensure that procedures are in place that implement the current, and possibly any future requirements, within the organisation?”

Fortress EU

EU citizens will continue to take advantage of innovative and compelling services from data controllers whose vision and ambition outstrips those who advocate the constraints of protectionism afforded by the administrators of a would-be EU super state.

Privacy

People’s expectations of what personal privacy means will continue to be shaped by the extent to which they wish to engage online. Privacy will increasingly become a luxury, a privilege that will be paid for through the use of subscription-only services. The overwhelming majority of citizens will be increasingly aware of the value exchange that occurs when they consume “free stuff” – and they will remain very happy to share “their” information for the “free” stuff.

Privacy Advocates

Will continue to flourish, but towards the margins of the debate. Colourful individuals will be courted by the media, and good stories will emerge that entertain and occasionally inform the public, whose insatiable thirst for news will momentarily focus on the odd data incident. But public attention will soon move on to other stories.

The Surveillance Society

Despite the cry of frustration from law enforcement officials whose job has been made much harder by the wholly predictable (and necessary) need for communications service providers to provide better layers of encryption and security, the overwhelming majority of citizens will accept that public surveillance is a necessary way of life in the democratic part of the developed world.

The greater integrity that democratically elected politicians (and regulators) have, the greater will be the public acceptance that surveillance will be used for benign purposes. My crystal ball was, unfortunately, unable to tell me whether the integrity of democratically elected politicians (or regulators) was likely to climb or drop in 2015.


Thursday 18 December 2014

The helpful - but chilling - effect of Google’s “right to be forgotten” listings warning

Does anyone fancy being advised by a “career management” specialist?

At the beginning of the week, I received an email from an organisation I had never heard of. Somehow, my CV had ended up in their hands. I had recently sent it to a couple of recruitment agencies, and one of them had evidently passed it to a “partner company.” It read:

Dear Martin

Having reviewed your CV, our Senior Consultant has asked me to contact you as he would like to meet up to talk through your current situation and career objective. We specialise in helping mid to senior level individuals across all sectors secure their next role.

He would be keen to meet in our London office this week if possible.

Please phone me on 0113 205 2860 or e-mail me to arrange a mutually convenient time to meet.

I look forward to hearing from you.

Best Regards
Alex Smith

Sounds good?

I thought so – and accordingly I spent an hour yesterday with a gentleman in London’s Cavendish Square who gave me a business card containing the details of Geoff Russell, Director, Apollo, Tel: 0113 252 2282.

We spent a pleasant hour together. I chatted about my career history, while Geoff explained that it would be useful for us to meet for a 2-hour session in the New Year to more carefully review my career options. Both sessions would be free of charge. But next time, he would explain what Apollo’s deliverables would be, and how much it would cost if I were to join their programme.

During the conversation, Geoff explained that his company was in the “career management” business - a concept pioneered in the US by Bernard Haldane.

In a nutshell, the proposition is that Apollo would help by providing advice and enabling me to meet relevant corporate decision makers (rather than the usual HR folk) in order that I can secure the job that is right for me – for a fee.

(I don’t think that Geoff read the bit of my CV which stated that I am already a Non-Executive Director of a recruitment firm, and am therefore pretty well placed to meet relevant corporate decision makers. However, we’ll let that minor detail pass, for the moment.)

Geoff presents himself as an extremely credible executive, who has worked for a variety of organisations over the years. He reassured me that there are jobs that might well suit my interests, whatever they are. That came as a relief – particularly as I hadn’t told him what my interests were, yet.

Returning home, alarm bells began to ring. Just how did Apollo get hold of my CV? Why was there no Apollo nameplate on the front door at the Cavendish Square office? Ok, it was a shared office building. That might be the reason. But why was there no Apollo sign in the 4th floor reception area, where Geoff apparently worked three days each week? In fact, why was there no “Apollo” branding anywhere?

So, I started to do a little more research into Apollo and Geoff.

Apollo has an impressive website. Virtually every week, yet another note of appreciation from a satisfied client is posted. This is a very successful track record. But why didn’t Geoff appear to have a presence on LinkedIn? And why was he not willing to explain, during this initial meeting, precisely what Apollo’s fees might be?

Why didn’t Apollo appear to have registered its activities with the ICO? I couldn’t find the relevant entry on the ICO’s register of data controllers. Perhaps I didn't look hard enough.

Also, why were there so many worrying comments on the “whocallsme” chat forum in relation to Apollo’s phone number(s)? The comments in relation to 0113 252 3070, a number registered to a sister (or perhaps the same) company, also refer to Geoff Russell as a senior consultant, and indicate that complaints have been made to the ICO regarding potential breaches of the PECR regulations (sending unsolicited emails).

Finally, why did my searches for “Bernard Haldane” result in this unsettling article? Geoff’s sales pitch (together with the invitation to undertake a psychological test before our next meeting) was remarkably similar to Bernard’s career management approach.

The clincher was the chilling effect of the notice that Google had placed under all its search listings: “Some results may have been removed under data protection law in Europe.”

So, what else might I not know about Apollo?

I couldn’t find anything on Google’s .com site that was not already on the .uk site. But I was sufficiently spooked to check, just to be on the safe side.

The trouble is that, after all this research, I simply don’t have a sufficient level of assurance about Apollo’s business practices. Despite the concerns I’ve unearthed, they might indeed be a perfectly sound organisation.

Fortunately, every cloud has a silver lining. The afternoon was not wasted. Apollo’s offices in central London are right next door to the John Lewis department store. So even though I don’t plan to meet Geoff again, at least I was able to do some Xmas shopping.


Update 23 March 2015
Apollo's Operations Director has written to me today, asking that I print the following paragraph - which of course I am happy to do:

“I am the Operations Director of Apollo and would like to say that if anyone reading these comments would like to ask any questions about our company or the career management services we provide please call me on 0113 2052851 or email me at a.greenley@Apollo.eu.com.

We are a customer focused, ISO accredited career management company which has been operating and supporting our clients since 1997.”


Sources:
https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers