The news was on in the background. I was paying little attention. But I caught the following. It was Wikileaks, and some be-suited mandarin commented: “It was a private conversation between the United States ambassador and the King of Saudi Arabia. A private conversation!”
That’s what’s wrong today. This dislocation between public servants and what they are. They are public servants paid by the public to serve the public. By what right does an ambassador believe he can keep from his employers, us, what he says on our behalf to foreign dignitaries? He cannot and must not.
This absurd arrogance is rampant in all democracies, and all levels of bureaucracy. From members of parliament fiddling their expenses and being annoyed when found out; to park keepers officiously and offensively saying where we can and cannot walk on the land we own and upkeep with our taxes; to the policemen who strike legal demonstrators with vicious sticks that we pay for, even when fallen. The list goes on and on and on.
Public servants need to be held to account. They have to do what we want, whether they are presidents, prime ministers or park keepers, or be sacked. But they seek to protect themselves with secrecy. Secrecy that leads to illegal wars that kill thousands upon thousands of people. Secrecy that leads to our money propping up banks and bankers who prefer to pocket it rather than lend it back to us. Secrecy that leads to health scares that lead to our money stockpiling drugs that aren’t necessary, aren’t wanted and aren’t used.
Only by breaking this cult of secrecy, this bureaucratic arrogance, and by making our servants accept that they are our servants and not our masters will we maintain democracy. And only Wikileaks seems capable of doing this. So rock on, Wikileaks: you are a greater defender of democracy than those we pay to defend it.
The UK’s Information Commissioner has finally used his new powers and imposed financial sanctions on wrongdoers.
The first penalty, of £100,000, was issued to Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. The first case, involving child sexual abuse, was before the courts, and the second involved details of care proceedings.
The second monetary penalty, of £60,000, was issued to employment services company A4e for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.
This has provoked a range of different reactions. “It’s good to see the ICO showing its mettle for the first time, sending a clear message that it is completely unacceptable to be cavalier with private and confidential sensitive information,” said Graeme Stewart, public sector business development director at Sophos.
Ed Macnair, CEO of Overtis, is slightly more critical, “At first glance this looks like the ICO has real teeth. However, in the case of the stolen laptop, the penalty is less than £3 for each lost record. When you consider the fact that A4e is a £145 million company, the breach has had a higher impact on the 24,000 individuals whose confidential information has been lost.
“Similarly, this council had clearly not learned from the first devastating security breach and continued to use the same insecure channel for sharing highly sensitive information. The technology is there to prevent information from being stored in unencrypted format and to tightly control the faxing, sending and printing of confidential information. Let’s hope that the ICO’s action encourages other organizations to urgently review their policies and procedures.”
This is closer to my own views. £60,000 to a large company is nothing – it will be less than the cost of some decent security software and staff awareness training. So in fact the ICO is saying it’s cheaper to lose the data than to protect it.
And in the case of the council, as I’ve said before, it’s the public what pays. It’s silly to fine a public body because public bodies don’t have any money: only the body public has money, and it’s the body public, you and me, that has to foot the bill. My view is that people who lose personal data should also lose their job: and that should apply as much to the CEO as the clerk. I asked Ed Macnair, whose company develops user activity management and monitoring software that can prevent such leaks, if the ICO is worth its cost.
“Absolutely,” he replied. “While you make a good point that a government office imposing fines on public sector bodies is ultimately penalising the tax payer, there are many hundreds of private sector organisations that are also storing personally identifiable information on UK citizens. Many of them are doing so in a sloppy manner, using systems that are highly vulnerable to accidental data loss or deliberate theft.
“Loss of personal information that has been entrusted to an organisation is a breach of trust and causes a great deal of distress to the people affected. I think the imposition of fines is a step in the right direction. While a £100k fine may seem disproportionate to the damage caused by organizations breaching the Data Protection Act, it sends a strong signal that the Information Commissioner is ready to wield his power.
“I think that since the ICO gained its increased powers in April, the UK has held its breath to see whether Christopher Graham would act. He has acted. This should serve as a strong warning to any other organisation, in the public or private sector, that still hasn’t put the policies, processes and technology in place to safeguard UK citizens’ data.”
I repeated my view that fines don’t really hurt anyone (unless they are personal fines), and that really, heads should roll.
“When it comes to culpability,” he replied, “I do believe that fining the organisation is the right approach. I don’t believe it is fair to fine individual employees because often they are simply trying to get on with their jobs and the data breach is caused by them doing something in a rush, without following policy. The organisation has a responsibility to set policies; educate staff on safe data handling; and to set up systems, processes and technology to prevent these policies from being breached. Pinning the blame on individuals would negate the responsibility of company directors who should be putting the policies, procedures and technology in place to prevent breaches occurring. That said, where an employee has maliciously flouted policy and succeeded in damaging their organisation’s reputation by leaking personal identifiable information, then this should be dealt with in the same way as any act of serious professional misconduct.”
This is why I want a smartphone:
- I want my computer with me at all times
- I want instant access to the internet; anywhere, anytime
- I want all those wonderful apps you can get for a smartphone, either free or at a tiny fraction of the cost of the equivalent on a laptop or desktop
What I don’t want a smartphone is for – a phone. Why should I want another phone? I’ve got a mobile phone. It’s more than adequate. I speak into it, and I hear from it. It’s a perfectly adequate phone. So all I need or want from the smartphone is the computer – not the phone.
But can I have a smartphone without the phone? Can I he…
Well, wait a minute, maybe I can.
All I need is a SIM free smartphone. Provided I have access to wi-fi broadband, such as at home, where I have already paid for access to the internet, then I can use wi-fi to hop onto my prepaid broadband.
But it gets better, because I can then use Skype to get free VoIP telephony while I’m at home. And, come to think of it, according to their latest television adverts, if I subscribe to BT Internet, then I qualify for free use of thousands and thousands of BT wi-fi hotspots all over the country – so I can get free VoIP telephone conversations on a SIM free smartphone in an increasing number of situations and places. I’ll be able to keep my existing dumb smartphone pay-as-you go for emergencies when I can’t access a BT hotspot.
Now I totally accept that this is just theory, and that BT’s hotspots will be a long way from giving me adequate VoIP telephony just yet. But maybe the hotspots is BT’s way of fighting back at the microwave mob… Maybe, with more and more people using mobile phones instead of BT’s landlines, BT is beginning to be a bit concerned. And maybe, just maybe, the free wi-fi hotspots is a plan to stop the rot. I do hope so.
(Sadly, I have to admit that this is all theory. I don’t have a smartphone, SIMful or SIMfree, so I don’t know if this would actually work. The theory sounds good though… Anyone?)
First off, this is not a report on something; it’s a proposal to do something. I do wish these overpaid bureaucrats would get things right.
However, and finally, the European Parliament, in the name of Philippe Juvin and the Committee on the Internal Market and Consumer Protection, has seen sense. Since Europe has proven incapable of defeating spammers, it is switching to aiding and abetting them.
A new Draft Report on the impact of advertising on consumer behaviour
Calls on the Commission to (among other things)
- require advertisements sent by e-mail to contain an automatic link enabling the recipient to refuse all further advertising;
So here’s my plan. I’m going to keep sending you legitimate adverts for silly things. But in accordance with EU requirements, I shall place the following at the bottom of each mail:
We do our best to offer you useful and attractive goods at the very best possible value. We hope you agree. However, if you decide that you no longer wish to receive our offers, in accordance with EU law, you can visit our website (clickhereandwevegotyou.com) and click the Unsubscribe (Gotcha) button. This will prevent any further correspondence from us.
Nevertheless, despite this silly suggestion, the draft report is designed to counter the threat of ‘unfair advertising practices'; and that in itself cannot be bad. But here’s another proposal:
The European Parliament,
Having regard to this and that, and whereas this and bearing in mind that,
- Deplores the development of ‘hidden’ internet advertising that is not covered by the UCPD (C2C relationships), in the form of comments posted on social networks, forums and blogs, the content of which is difficult to distinguish from mere opinion;
- Suggests that the Member States encourage the emergence of forum observers/moderators who are alert to the dangers of hidden advertising;
Is this proposal really suggesting that Member States encourage the emergence of some form of thought police to patrol social networks and decide whether someone’s opinion is not just an opinion but a devious form of hidden advertising? Jesus wept!
And despite interfering and poking its nose where it doesn’t belong, the report simply fudges the really important issue where it should be clear. Behavioural advertising. It should simply say that there must be no behavioural advertising without the full, informed and active approval of the target. Instead, it fudges the issue:
- Voices its concern about the routine use of behavioural advertising and the development of intrusive advertising practices (such as reading the content of emails, using social networks and geolocation, and retargeted advertising);
Is this document a serious proposal (in which case Phillipe Juvin should be deselected from the European Parliament for wasting taxpayers’ money), or is it largely a PR exercise designed to show off Phillipe Juvin’s Leftist credentials (in which case Phillipe Juvin should be deselected from the European Parliament for wasting taxpayers’ money)? Either way, I hope someone with a bit of a clue gets to redraft it before it goes too far.
Hardly a week seems to pass without me saying that the ICO is a waste of time – and therefore money. Our money. It needn’t be, but it is.
Last month I discussed The ICO: a guard dog that won’t bite and hardly barks; and I concluded on a story about the NHS losing personal and private patient information:
Obviously there’s no point in fining the NHS; so, hard as it may seem, doctors who lose their patients’ medical records need to be sacked. And that applies to anybody who loses the personal data of others. It’s the only way.
It is the only way; because the ICO’s slapped wrist and don’t do it again approach clearly is not working. Today, the Birmingham Post is reporting an absolutely horrific data breach story:
All patient data along with staff pay and personal details up to chief executive level are believed to have been left accessible to more than 6,000 NHS workers who normally would not be allowed access to such private material…
A NHS source, who feared being named, claimed members of the public using computers at some health sites, like Moseley Hall Hospital, would also have been able to access the insecure confidential records.
Security alert over NHS data breach
Words fail me. We need to wait for more information to emerge, but what if it’s true? Fining the NHS the maximum fine of £500,000 is just a way of levying a £500,000 additional tax on us; because we are the ones who will have to pay it. Somebody has got to go. My bet is that the managers are already looking for a sacrificial lamb amongst their staff. Wrong. It is the top levels of management that need to take responsibility for their failure: resign or be sacked.
Here’s another of those debates that confound the security industry, like ‘should security firms employ proven security experts if they’re ex-hackers?’ and ‘which is right: full disclosure or responsible disclosure?’. This one is ‘should the security industry pay a reward for vulnerabilities?’
The argument against is given by Anthony Haywood, CTO at Idappcom; a company strong in application security and management, and vulnerability assessment; the trigger is news that Barracuda Networks has launched a bug bounty programme, with ‘a cash prize ranging from $500 to $3133.7, depending on the severity of the vulnerability’.
Barracuda Networks Inc. today announced the Barracuda Security Bug Bounty Program, an initiative that rewards researchers who identify and report security vulnerabilities in the company’s security product line…
“Security product vendors should be at the forefront of promoting security research,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “This initiative reflects our commitment to our customers and the security community at large. The goal of this program is to reward researchers for their hard work as well as to promote and encourage responsible disclosure.”
Barracuda’s Bug Bounty Scheme
Anthony Haywood is agin it. He believes that there is a significant danger that it will attract developers into researching the vendor’s products and then offering them to the highest bidder. Personally, I think this is already happening. But if the legitimate industry offers nothing, then the illegitimate industry is all that is left. A good zero-day exploit could be worth anything from tens of thousands of dollars to hundreds of thousands of dollars to the criminal fraternity. Those researchers who will sell to the highest bidder are already doing so.
And, of course, if the bug is a really serious one that cybercriminals can exploit to generate fraudulent revenue, there is a significant danger of the exploit information falling into the dark ecosystem that black hat hackers – as well as cybercriminals – now inhabit.
I would suggest that this is less likely to happen with Barracuda’s bounty programme than if there were no legitimate reward.
Whilst even organisations like Google and Mozilla offer juicy sums of money for bugs in their software, you are going to get other vendors following suit. But just because it is becoming the norm for the IT industry, does not make it in the long-term interests of our market sector…
…The irony of the situation is that, as well as paying indirectly for the bug bounty schemes, end users of IT security systems, software and services also end up `paying’ as the tide of malware and other electronic mayhem rises as a result.
This is a cause and effect situation. No one really wins in the longer term from bug bounty programs. And that’s why we say that they are not in the real interests of our industry.
Personally, I disagree with this interpretation just about, well, totally. Firstly, software vendors demanding what they describe as ‘responsible disclosure’ without a reward is the same as demanding that security researchers act as unpaid employees, effectively undertaking and reporting unpaid security code audits. And secondly, security researchers, whether white hat or black hat, do not create the vulnerabilities. They merely discover them. So if a white hat researcher doesn’t find it first, sooner or later (and possibly already) a black hat researcher will do so. I would much rather a good guy find the vulnerability and pocket $3000 by disclosing to the vendor a vulnerability that can now be fixed; than a black hat researcher sell it to a criminal gang for a lot more money.
The current system isn’t working. Criminals are getting more and more organised, and there seems to be an inexhaustible supply of vulnerabilities. Researchers don’t make these vulnerabilities; it is the software developer that creates the software vulnerabilities. Therefore the software vendor is responsible. And where responsibility lies, there too should lie redress. So this is my proposal. All software vendors should have a choice. Either they should be responsible for loss caused by vulnerabilities in their software; or they should offer a reward program. This will force the vendor to behave more responsibly. He will increase efforts to release secure software, because failure to do so will prove very expensive. Either he will be liable for his users’ losses, or he will choose to pay a reward to freelance researchers for responsible disclosure. My bet is that 100%, give or take nothing, will opt for the reward scheme. So, rather than be castigated, bug bounty schemes should be applauded, and possibly compulsory.
The UK Government is conducting what it calls a consultation into its proposed amendments to RIPA – specifically, amendments to ‘lawful interception’. This is not done by choice, but because it has to, by order of the EU.
It goes back to Phorm’s behavioural advertising system, and BT’s covert use of the system on its own customers without their knowledge, nevermind their approval. At the time, the Home Office had issued guidance suggesting that the Phorm system was legal. Privacy campaigners disagreed, complained and took the matter to the EU.
The EU decided that the UK had not ‘transposed’, that is, implemented, the EU privacy requirements adequately into UK law (the EU privacy requirements are contained in the European Data Protection Directive (95/46) and the E-Privacy Directive (2002/58).
Apparently, the UK did not transpose the E-Privacy Directive in toto because it believed that some of the conditions were already met within the Regulation of Investigatory Powers ACT (RIPA). Under RIPA, the Home Office believed that Phorm/BT’s opt-out (of interception) process is legal. But the EU’s position is that interception is only lawful under informed consent; that is, ‘opt-in’ rather than ‘opt-out’. The EU has consequently required the UK to bring its national laws into line with the EU Directives.
The UK’s proposed course of action is to amend RIPA.
RIPA makes provision for lawful interception without a warrant under certain limited circumstances. These include the provision in section 3(1) where both the sender and intended recipient of the communication give their consent to the interception, or where the person carrying out the interception “has reasonable grounds for believing” that consent has been given. The interception of communications will involve the processing of personal data, and it is important to ensure that there is clarity about the circumstances in which lawful interception can take place.
The current provisions do not provide the required clarity. This is because “reasonable grounds for believing” is open to different interpretations.
The UK proposes to amend RIPA so that it is clear that “interception will be lawful only where both parties to the communication give specific consent to the interception?” In other words, behavioural advertising must become opt-in by the user – that’s you and me. Our ISPs and behavioural advertising companies (take note, TalkTalk) will not be able to covertly monitor where we go and what we do on the internet without our specific approval.
It doesn’t mean that behavioural advertising is dead, because the ISPs could always push up their prices for anyone who doesn’t opt-in – but at least covert behavioural profiling is dead in the UK. Which might explain why Phorm is reducing its presence in the UK. Phorm’s Interim results for the six month period ended 30 June 2010 has the Chairman and CEO’s statement starting:
Operating losses for the six month period ended 30 June 2010 were $15.7m (six month period ended 30 June 2009: $15.0m). During this period, the Company underwent further restructuring, building up its operations in Brazil while reducing the size of the UK office to reflect the focus of our current operations…
So far the Government’s proposals seem to be a Good Thing. But the EU also requires that all unlawful interception should be subject to sanction. RIPA only has sanctions for ‘intentional interception'; spying on us by accident has been, well, not worth worrying about. But rather than make all unlawful interception subject to “imprisonment of up to two years and a substantial fine up to the statutory maximum”, the Government is now introducing a new civil sanction rather than extending the existing criminal sanction to include ‘unintended interception’.
The argument appears to be that since ISPs can be legally served warrants under RIPA to compel them to spy on us (legally) they should not be punished harshly if they accidentally spy on others of us who are not directly covered by the warrant. I don’t have too many concerns about this – after all, we all make mistakes. But it is not the courts who will decide, in public, whether an unlawful interception was intended or unintended – it is another of those unaccountable quangos: the Interception of Communications Commissioner (IoCC).
And this is where I do have a problem. Such quangos are not required to justify their actions in public – this one would merely
be required to take account of any representations made by the CSP before deciding whether to impose a penalty. Before imposing any penalty, the IoCC would also have to ensure that the penalty imposed and its amount was determined in accordance with all issued guidance.
In other words, a government-appointed quango will have the ability to take decisions secretly, and only be required to act ‘in accordance with all issued guidance.’ Guidance of the quality, I guess, of the earlier Home Office guidance saying that Phorm’s opt-out was perfectly legal.
This consultation provides a lesson in how to comply with European regulations without changing a thing: doublespeak in action.