ICO and the Data Protection Act: do they fine the victims and expect them to punish the perpetrator?
The Information Commissioner’s Office (ICO) has come down hard on two councils. It has fined Worcestershire £80,000 after “a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients.” And it fined North Somerset £60,000 “for a serious breach of the Data Protection Act where a council employee sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee.”
Christopher Graham, the Information Commissioner, explained: “There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure… The Information Commissioner takes this sloppiness seriously – and so should you.”
Ed Rowley, Senior Product Manager at M86 Security, thinks this is a positive step. “It was suggested earlier this year,” he commented, “that the ICO was not using its powers to penalise organisations for the most serious data breaches. These two fines demonstrate that the ICO is serious about punishing those who fail to protect sensitive information. Commercial and government organisations must learn that protecting private data needs to be built into all of their processes from the ground up. Having the appropriate policies in place and training is the best place to start. However, these need to be supported by using appropriate technology to enforce those policies. Certainly, in both of these cases technology could have been used to prevent the email leaks and saved the councils and taxpayers a lot of money, in addition to protecting the privacy of the vulnerable individuals whose information was inappropriately handled.”
My own view is simple (and explained here: Data Protection Act Fail): fining councils doesn’t help anyone; it merely punishes the taxpayer. I put this to Ed.
“I understand the point that you are making,” he replied. “However, I do have faith in the democratic process. While the public end up paying for the fines in a roundabout manner, a local council’s inability to provide services to the public can result in those responsible being ousted at the next set of elections in which they stand: elected officers can lose their jobs if they are not able to control public finances and ruling parties can be weakened or even lose overall control. Even though the fines imposed by the ICO may only play a small part from a financial perspective, the damage that these breaches can cause to the reputation comes at a much higher cost to those in power.”
It’s a valid point; but I haven’t changed my opinion, and I doubt that Ed will change his. However, I would add an additional comment that didn’t come up in this conversation. Within the legal system in general there is a huge desire for greater consistency in sentencing. This is necessary not merely for the old-fashioned view of ‘fairness’, but also to demonstrate to potential criminals the likely outcome of the offence. The ICO is not part of the judicial system even though in matters of data protection it effectively acts as both judge and jury; so the point is relevant. Here it is fining a local council £80,000 that will be paid by the victims and other innocent taxpayers. Earlier in the year it fined ACS: Law just £1000 to be paid by the perpetrator. So I ask: where is the consistency in this?
Is Guido in contempt of the enquiry; is Leveson in contempt of freedom; or is it Campbell that is contemptible?
What a strange democracy this is. The Leveson enquiry into telephone hacking (a public enquiry paid for by us) will be speaking to Alastair Campbell about the time he was working for Blair and paid by us. Guido Fawkes, who takes no money from us, obtained an advance copy of Campbell’s witness statement through legal but not necessarily clear means, and published it for us. Tom Watson, MP and self-aggrandiser maximus, republished it.
The Right Honourable Lord Justice Leveson was unhappy. He demanded that Tom remove the offensive, sorry, offending document. Tom obliged. Leveson demanded that Fawkes also remove the document (by the rather obscure route of sending an ‘order’ to Harriman House Publishing, the 2007 publishers of The Big Red Book of New Labour Sleaze edited by Fawkes and Iain Dale).
IT IS ORDERED that, until further order,
1. No witness statement provided to the Inquiry whether voluntarily or under compulsion, nor any exhibit to any such statement, nor any other document provided to the Inquiry shall be published or disclosed, whether in whole or in part, outside the confidentiality circle comprising of [sic] the Chairman, his assessors, the Inquiry Team, the Core Participants and their legal representatives prior to the maker of the statement giving oral evidence to the Inquiry or the statement being read into evidence, or summarised into evidence by a member of the Inquiry Team as the case may be without the express permission of the Chairman…
Why? I can only assume that publishing the document before it is aired to the enquiry is some form of contempt, whether legal or purely semantic. But surely Leveson has it the wrong way round? The person in contempt of the Leveson enquiry is surely the author of the document, who did not hold the enquiry in sufficient reverence to keep his statement private until the enquiry had heard it.
Contempt? But who is really contemptible to the Leveson enquiry: Fawkes or Campbell?
And the real victim? On the day before he published Campbell’s evidence, Fawkes blogged:
Well, he was right – but not perhaps in the way he intended.
This article has been described as ‘tripe’ by the keeptonyblairforpm website, a leading supporter of the Ban Blair-Baiting petition.
Last week the Sydney Morning Herald ran a story on the Hacking Team’s Remote Control System, stating
DAVID Vincenzetti isn’t your typical arms dealer. He’s never sold a machinegun, a grenade or a surface-to-air missile. But, make no mistake, he has access to a weapon so powerful it could bring a country to its knees. It’s called RCS – Remote Control System – and it’s a piece of computer software.
The one ring to rule them all
RCS has been developed by an Italian company calling itself the Hacking Team. Its website claims
Remote Control System is totally invisible to the target. Our software bypasses protection systems such as antivirus, antispyware and personal firewalls.
Hacking Team sales literature
Scary stuff. And on the back of the FBI’s CIPAV, the Dutch police taking over and using a Bredolab botnet, and the German ‘Staatstrojaner’ exposed by the Chaos Computer Club, it is a worrying idea that law enforcement can get hold of software that can ‘bring a country to its knees’.
I don’t know whether to laugh or cry.
First up, David Harley, board member at AMTSO and senior research fellow at ESET: “I only skimmed the Sydney Morning Herald story earlier this week, as the first paragraph tripped my hype detector, padding out some PR for the company with some barely relevant purple prose of variable accuracy about arms dealers and Stuxnet.”
So, hype or horror story?
“What they advertise in that PDF is a bot,” says Luis Corrons, technical director at PandaLabs, “with the usual functionalities and a command & control panel to manage it – the same thing cybercriminals have been using for years. The main difference here is that those guys are offering their services to law enforcement agencies. That’s it.”
“The Hacking Team brochure suggests some form of RAT,” adds David, “which would almost certainly have to have rootkit functionality to perform as claimed.” Hacking Team’s sales literature also claims to be able to access all platforms, but David has his doubts on “whether it’s really possible, even with direct access to a system, to rootkit ‘any platform’”.
“Make no mistake,” says Chester Wisniewski, senior security advisor at Sophos. “This software is malware. Software that performs unwanted actions on a victim’s PC is malware, whether it is purchased for use by law enforcement or hand crafted by secret Iranian spies. You could say it is simply attempting to put a legitimate angle on criminal tools…”
So that’s what we’ve got: a nasty little rootkit RAT that tries to look like legitimate software. But let’s face it, rootkits do a lot of damage. And Hacking Team claims that this one is undetectable. But, “putting aside the legal issues involved in what they do,” comments Ram Herkanaidu, education manager at Kaspersky Lab, “the claim that their software is undetectable by security software is, at best, spurious.”
“It should have a footnote under its claim of being undetectable,” adds Luis: “for a limited period only.”
“Most anti-virus vendors will work on detecting it if they come across a sample,” explains Chester.
“It will only be a matter of time until it is detected,” adds Luis.
“I have yet to see an undetectable program of any sort, even a rootkit,” says David.
And once it is detected, “We would analyse and treat it in the same manner as any other malware and add detection to our software,” concludes Ram.
That pretty well sums it up: the newspaper story is hype and the software is malware. It is dangerous because it is a rootkit – but it’s no more than that, and all reputable anti-malware companies will eventually discover it and disinfect it. We need worry no more about this than any other malware.