ICO and the Data Protection Act: do they fine the victims and expect them to punish the perpetrator?
The Information Commissioner’s Office (ICO) has come down hard on two councils. It has fined Worcestershire £80,000 after “a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients.” And it fined North Somerset £60,000 “for a serious breach of the Data Protection Act where a council employee sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee.”
Christopher Graham, the Information Commissioner, explained: “There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure… The Information Commissioner takes this sloppiness seriously – and so should you.”
Ed Rowley, Senior Product Manager at M86 Security, thinks this is a positive step. “It was suggested earlier this year,” he commented, “that the ICO was not using its powers to penalise organisations for the most serious data breaches. These two fines demonstrate that the ICO is serious about punishing those who fail to protect sensitive information. Commercial and government organisations must learn that protecting private data needs to be built into all of their processes from the ground up. Having the appropriate policies in place and training is the best place to start. However, these need to be supported by using appropriate technology to enforce those policies. Certainly, in both of these cases technology could have been used to prevent the email leaks and saved the councils and tax payers a lot of money, in addition to protecting the privacy of the vulnerable individuals whose information was inappropriately handled.”
My own view is simple (and explained here: Data Protection Act Fail): fining councils doesn’t help anyone; it merely punishes the taxpayer. I put this to Ed.
“I understand the point that you are making,” he replied. “However, I do have faith in the democratic process. While the public end up paying for the fines in a roundabout manner, a local council’s inability to provide services to the public can result in those responsible being ousted at the next set of elections in which they stand: elected officers can lose their jobs if they are not able to control public finances and ruling parties can be weakened or even lose overall control. Even though the fines imposed by the ICO may only play a small part from a financial perspective, the damage that these breaches can cause to the reputation comes at a much higher cost to those in power.”
It’s a valid point; but I haven’t changed my opinion, and I doubt that Ed will change his. However, I would add an additional comment that didn’t come up in this conversation. Within the legal system in general there is a huge desire for greater consistency in sentencing. This is necessary not merely for the old-fashioned view of ‘fairness’, but also to demonstrate to potential criminals the likely outcome of the offence. The ICO is not part of the judicial system even though in matters of data protection it effectively acts as both judge and jury; so the point is relevant. Here it is fining a local council £80,000 that will be paid by the victims and other innocent taxpayers. Earlier in the year it fined ACS: Law just £1000 to be paid by the perpetrator. So I ask: where is the consistency in this?
Is Guido in contempt of the enquiry; is Leveson in contempt of freedom; or is it Campbell that is contemptible?
What a strange democracy this is. The Leveson enquiry into telephone hacking (a public enquiry paid for by us) will be speaking to Alastair Campbell about the time he was working for Blair and paid by us. Guido Fawkes, who takes no money from us, obtained an advance copy of Campbell’s witness statement through legal but not necessarily clear means, and published it for us. Tom Watson, MP and self-aggrandiser maximus, republished it.
The Right Honourable Lord Justice Leveson was unhappy. He demanded that Tom remove the offensive, sorry, offending document. Tom obliged. Leveson demanded that Fawkes also remove the document (by the rather obscure route of sending an ‘order’ to Harriman House Publishing, the 2007 publishers of The Big Red Book of New Labour Sleaze edited by Fawkes and Iain Dale).
IT IS ORDERED that, until further order,
1. No witness statement provided to the Inquiry whether voluntarily or under compulsion, nor any exhibit to any such statement, nor any other document provided to the Inquiry shall be published or disclosed, whether in whole or in part, outside the confidentiality circle comprising of [sic] the Chairman, his assessors, the Inquiry Team, the Core Participants and their legal representatives prior to the maker of the statement giving oral evidence to the Inquiry or the statement being read into evidence, or summarised into evidence by a member of the Inquiry Team as the case may be without the express permission of the Chairman…
Why? I can only assume that publishing the document before it is aired to the enquiry is some form of contempt, whether legal or purely semantic. But surely Leveson has it the wrong way round? The person in contempt of the Leveson enquiry is the author of the document, who did not hold the enquiry with sufficient reverence to keep his statement private until the enquiry.
Contempt? But who is really contemptible to the Leveson enquiry: Fawkes or Campbell?
And the real victim? On the day before he published Campbell’s evidence, Fawkes blogged:
Well, he was right – but not perhaps in the way he intended.
This article has been described as ‘tripe’ by the keeptonyblairforpm website, a leading supporter of the Ban Blair-Baiting petition.
Last week the Sydney Morning Herald ran a story on the Hacking Team’s Remote Control System, stating
David Vincenzetti isn’t your typical arms dealer. He’s never sold a machinegun, a grenade or a surface-to-air missile. But, make no mistake, he has access to a weapon so powerful it could bring a country to its knees. It’s called RCS – Remote Control System – and it’s a piece of computer software.
The one ring to rule them all
RCS has been developed by an Italian company calling itself the Hacking Team. Its website claims
Remote Control System is totally invisible to the target. Our software bypasses protection systems such as antivirus, antispyware and personal firewalls.
Hacking Team sales literature
Scary stuff. And on the back of the FBI’s CIPAV, the Dutch police taking over and using a Bredolab botnet, and the German ‘Staatstrojaner’ exposed by the Chaos Computer Club, it is a worrying idea that law enforcement can get hold of software that can ‘bring a country to its knees’.
I don’t know whether to laugh or cry.
First up, David Harley, board member at AMTSO and senior research fellow at ESET: “I only skimmed the Sydney Morning Herald story earlier this week, as the first paragraph tripped my hype detector, padding out some PR for the company with some barely relevant purple prose of variable accuracy about arms dealers and Stuxnet.”
So, hype or horror story?
“What they advertise in that PDF is a bot,” says Luis Corrons, technical director at PandaLabs, “with the usual functionalities and a command & control panel to manage it – the same thing cybercriminals have been using for years. The main difference here is that those guys are offering their services to law enforcement agencies. That’s it.”
“The Hacking Team brochure suggests some form of RAT,” adds David, “which would almost certainly have to have rootkit functionality to perform as claimed.” Hacking Team’s sales literature also claims that the software can access all platforms, but David has his doubts on “whether it’s really possible, even with direct access to a system, to rootkit ‘any platform’”.
“Make no mistake,” says Chester Wisniewski, senior security advisor at Sophos. “This software is malware. Software that performs unwanted actions on a victim’s PC is malware, whether it is purchased for use by law enforcement or hand crafted by secret Iranian spies. You could say it is simply attempting to put a legitimate angle on criminal tools…”
So that’s what we’ve got: a nasty little rootkit RAT that tries to look like legitimate software. But let’s face it, rootkits do a lot of damage. And Hacking Team claims that this one is undetectable. But, “putting aside the legal issues involved in what they do,” comments Ram Herkanaidu, education manager at Kaspersky Lab, “the claim that their software is undetectable by security software is, at best, spurious.”
“It should have a footnote under its claim of being undetectable,” adds Luis: “for a limited period only.”
“Most anti-virus vendors will work on detecting it if they come across a sample,” explains Chester.
“It will only be a matter of time until it is detected,” adds Luis.
“I have yet to see an undetectable program of any sort, even a rootkit,” says David.
And once it is detected, “We would analyse and treat it in the same manner as any other malware and add detection to our software,” concludes Ram.
That pretty well sums it up: the newspaper story is hype and the software is malware. It is dangerous because it is a rootkit – but it’s no more than that, and all reputable anti-malware companies will eventually discover it and disinfect it. We need worry no more about this than any other malware.
The Cabinet Office has commented on the first 100 days of the UK’s e-petitions service.
Last Saturday marked 100 days since the new e-petitions service was launched by GDS and the Office of the Leader of the House of Commons. The service continues to be incredibly popular – on average 18 people have signed an e-petition every minute since the service started.
The report goes on to talk about the success of the system:
Of the six e-petitions which have passed the 100,000 threshold, two have been debated (the London riots and Hillsborough petitions), two are scheduled to be debated (Fuel Duty and Babar Ahmad – as part of a wider extradition debate) and one has been accepted for debate but will not be scheduled until the new year (Immigration). The only other outstanding petition, financial education in schools, is waiting for an MP to approach the Backbench Business Committee (who schedule e-petition debates), which should happen this month.
e-petitions: the first 100 days
Funny that. I seem to remember a petition for an EU referendum passing the 100,000 mark, and being debated, some time ago. But of course that was before Merkel and Sarkozy sacked Papandreou for offering the Greek people a referendum. Cameron must be running scared: don’t mention the EU!
You have to marvel at their cheek. pizzahutonlinecoupons.scam just tried to post the following in the comments:
This is an anti-spam message|| Join the anti-spam movement! Accept this comment and do your part spreading the word that we will NOT be spammed anymore. Do your duty and pass it on by posting on a friends blog!
I have said it before, but clearly it needs to be said again: the Data Protection Act and the Information Commissioner’s Office, as configured today, are a waste of time, space and our money. Today, Big Brother Watch has published a report showing
more than 1000 incidents [of data loss] across 132 local authorities, including at least 35 councils who have lost information about children and those in care…
…Yet of the 1035 incidents, local authorities reported that just 55 were reported to the Information Commissioner’s Office. Perhaps more concerning, just 9 incidents resulted in termination of employment.
Local authority data loss exposed
Put plainly, the Data Protection Act isn’t working.
I have also been critical in the past about the Information Commissioner. In reality, he is in an impossible position. What can he do with local authorities? Fines are meant to hurt – they are a punishment to make people behave more responsibly in the future. But fines don’t work on local authorities because they don’t have any money of their own – it is our money. And if they don’t have enough of our cash to pay the fine, they’ll just have to reduce our services.
The local authorities are also in a difficult position. It’s not ‘them’ that loses the data, but their staff. And it’s nigh on impossible to sack local authority staff because of the combined weight of the employment laws, the Human Rights Act, and of course, UNISON.
So we have an Act that doesn’t work enforced by an organization that cannot enforce. That should be enough to cause a change. But nothing will change because the Data Protection Act is forced on us by the EU, and we don’t have the sovereignty to do anything about it. And there’s one other problem: the Data Protection Act allows our government to pretend it cares about our privacy. Obviously it doesn’t.
I just love a good joke. Here’s a new one called New EU-US agreement on PNR improves data protection and fights crime and terrorism.
The preamble is this:
The agreement sets out privacy-friendly rules on how and for how long PNR data may be stored. Data will be de-personalised 6 months after it is received by the US authorities. After 5 years the de-personalised data will be moved to a ‘dormant database’ with stricter requirements for access by US officials. The total duration of data storage is limited to 10 years for serious transnational crimes. Only for terrorism will the data be accessible for 15 years.
Brussels, 17 November 2011
And here’s the punch-line: they expect us to believe it!
For some time now UK Law Enforcement has sought the power to take down criminal websites more speedily (see my comment here: Should SOCA be allowed to request domain takedown without judicial oversight?). Looks like they succeeded.
Yesterday, the Met Police announced
Online shoppers are less likely to fall foul of internet fraudsters this Christmas after more than 2,000 fraudulent websites were suspended following action by the Met’s Police Central e-Crime Unit (PCeU).
Working closely with domain name registries and registrars, detectives from the unit have identified and instigated action against counterfeit and fraudulent sites which affect thousands of unassuming consumers and generate millions of pounds for the criminals behind them.
Nominet simultaneously announced
.uk domain names suspended to protect shoppers from online fraud
November 18 2011
The operation, co-ordinated by the Metropolitan Police Central e-Crime Unit, targeted websites selling counterfeit goods to unsuspecting consumers in the busy Christmas shopping period.
Following notification from the Police, Nominet worked with the relevant .uk registrars to suspend .uk domain names that were in breach of our terms and conditions.
This is a Good Thing. No-one will deny that the removal of criminal websites is good. What concerns me, however, is not what has been said, but what has not been said. It would appear that the Police decided that the sites were engaged in criminal activity, and Nominet took them down for breach of T&Cs. Where is the scope for appeal in this process? Where is the judicial oversight?
I do not believe it is for the police to declare something is illegal. Where they suspect an illegality, they must pass details via the CPS to the courts, and it is the courts that decide the illegality or not.
So here’s the problem. The police want to be able to remove fraudulent sites rapidly. But to be able to do so they have to by-pass the courts. It is the ability to do this that is a very dangerous thing.
Consider this. I would like the UK to leave the EU. For the moment, this is acceptable to the authorities. But what if the situation deteriorates dramatically over the next few months? What if the government were to decide that anti-EU sentiment is particularly unhelpful?
So far we’ve had two elected leaders removed in order to make things easier for France and Germany. It is a much lesser thing to remove a few websites than to remove a few leaders. Now, with this precedent, the police could go to Nominet and say, Townsend’s blog is illegal – please shut it down. Nominet would then simply do so since if my site is engaged in illegal activity I am automatically in breach of the Nominet T&Cs (I’m probably OK for the moment since the blog is hosted on WordPress.com; but I shall be a bit exposed when I move it to ITsecurity.co.uk).
It is not necessarily the shutdown of these particular sites that is worrying; it is the precedent that is set. It means that it is increasingly easy for UK authorities to remove anything they just don’t like. It’s just another step deeper into the police state that used to be the country I love.
We’ve been hearing about a major and mysterious explosion in Iran, centred apparently around the Iranian missile development area. There have been many suggestions on the cause, including an Israeli strike and an Iranian dissident strike. The suspicion now is that it was a malfunction in a warhead test. Not nuclear, but a conventional explosion testing the capability to deliver nuclear.
But what caused the malfunction?
Stuxnet? Well, that’s what they’re beginning to say…
The BMA has made a new announcement. It is, I think, worth reproducing here in full.
BMA calls for farting ban to include private motor vehicles
A review of compelling scientific evidence supporting a ban on farting in motor vehicles is published today in a new briefing paper from the BMA.
The BMA is calling on UK governments to introduce an extension to the current fart-free legislation to include a ban on farting in private vehicles.
Research compiled by the BMA shows that there is strong evidence that farting in vehicles exposes non-farters to very high levels of second-hand farts. This is because the restrictive internal environment in motor vehicles could expose drivers and passengers to toxins up to 11 times greater than in a farty bar. Children and other vulnerable individuals, such as the elderly, are particularly at risk from these health dangers.
Children are at particular risk from second-hand farts in cars as they absorb more pollutants. A child’s immune system is also considerably underdeveloped, compared to an adult’s, and lacks the necessary defences to deal with the harms of second-hand farts.
The elderly are prone to respiratory problems, so second-hand farts are especially dangerous for them.
Vulnerable groups, including children, do not have the same choices as adults and may be unable to refuse to take a journey in a farty vehicle.
Dr Vivienne Nathanson, the BMA’s Director of Professional Activities, said today:
“Every year in England there are over 80,000 deaths that are caused by farting. This figure increases to a shocking six million worldwide.
“But behind the stark statistics, doctors see the individual cases of ill-health and premature death caused by farting and second-hand farts. For this reason, doctors are committed to reducing the harm caused by beans.
“The UK made a huge step forward in the fight against beans by banning farting in all enclosed public places but more can still be done.
“We are calling on UK governments to take the bold and courageous step of banning farting in private vehicles. The evidence for extending the fart-free legislation is compelling. The current UK Government prefers voluntary measures or ‘nudging’ to bring about public health change but this stance has been shown to fail time and time again.”
The launch of the BMA’s briefing paper coincides with the second reading of a Private Members’ Bill calling for a ban on farting in private vehicles when children are present.
My understanding is that additional research has shown that even larger numbers are injured by the private motor vehicles themselves, and that the BMA will consequently start to campaign for a total ban on all private motor vehicles. After that, Nanny will be considering how to reduce the huge number of illnesses caused by the uninhibited exchange of bodily fluids; and will be campaigning for a statutory limit on the exchange of such fluids to no more than once every seven and a half days; and never in a private motor vehicle.