Compliance – at least European regulatory compliance – bothers me. Whenever I speak to a security expert, those concerns are allayed for just so long as we talk; and then they come back again.
The problem is that Europe passes principle-based legislation (the US is more likely to pass rule-based legislation). The former tells you what must be achieved (the principle), while the latter tells you how it must be done (the rules).
The European Data Protection Directive is a perfect example of principle-based legislation. It says that personal information must be held securely; but it doesn’t tell you how it should be done.
Here’s my problem. Data that hasn’t been lost or stolen has, de facto, been held securely and the company is in compliance – even if it spends nothing on compliance. Data that has been lost or stolen has not, de jure, been held securely and the company fails compliance even if it has spent many ££millions on compliance. The existence or lack of infosecurity defences is irrelevant: if you lose that data, then you are in breach of the act; if you do not lose the data then you are not in breach of the act.
I’m not interested in claims that proof you spent money on security will make the ICO (a marketing man, mark you – not a lawyer) go easy on you. That’s just marketing dross to hide the underlying contradiction.
What I want to know is quite simple. How can it possibly be right to frame a law that states someone who tries to comply can fail compliance, while someone who ignores compliance can be compliant? The result is that there is no logical reason to spend money on securing personal data – just hope you don’t get hacked. This is aggravated by the common and growing perception that if you get targeted, you will get breached. So if you get targeted, you will have failed compliance whether you try to comply or not. Why bother?
Have I mentioned that the ICO is a waste of both space and money? Well, if you ever doubted me, doubt no more. It has been treated with utter contempt by Google, and there’s not a damn thing it can do.
Do you remember Spy-Fi, when Google engaged in its very own version of drive-by downloading? Well, the ICO said, “No! Stop it. Don’t do it again. And delete what you’ve got.” And Google said, ever so politely, yes sir – we will. Only it didn’t. “Google has recently confirmed that it still has in its possession a small portion of payload data collected by our Street View vehicles in the UK.” It says it was an error and will work with the ICO to remedy the situation.
But how does the ICO know? How does the ICO know what Google has done with that payload data, what it may do with that payload data, or how many copies of that payload exist in what parts of Google’s vast and nebulous cloud? It wrote back, even more politely, asking for Google to store the data securely for examination before being told what to do with it.
But how does the ICO know, and what can it do? Nothing, except take the word of big business.
Nick Pickles, director of privacy and civil liberties group Big Brother Watch, has no doubt about what should happen:
The Information Commissioner is hampered by a woeful lack of powers and is forced to trust organisations to tell the truth. Given Google’s behaviour has called into question if that really is a proper way to protect our personal data, it must be right to now demand a proper regulator with the powers and punishments to fully protect British people’s privacy.
It’s time to get rid of the self-congratulatory lap dog and replace it with an angry pit bull.
Anyone who heard Christopher Graham launching the ICO’s annual report last week must wonder just how many planets there are in this solar system. In his own words:
…the ICO is well up to the task.
…the ICO has bared its teeth…
It’s a case of ‘wake up and smell the CMP!’
…the regulator is getting results.
This reads like a marketing department bigging-up a poor product. The simple fact is, based on irrefutable empirical evidence, the ICO is failing: corporate and government loss of personal data is certainly not diminishing. Graham is wrong.
But there are two things in his speech that I particularly wish to consider. At one point he says:
The ICO has received precious little credit for having been the first to blow the whistle on Fleet Street practices in our 2006 publications ‘What Price Privacy?’ and ‘What Price Privacy Now?’… Meanwhile, we have been facilitating ‘fast track’ subject access from the so-called Motorman Files for any concerned citizen…
Compare this view of the ICO with that of its own Motorman investigator at the time, Alexander Owens:
“Despite our protests we were told this was the decision of Richard Thomas [then IC] and that he would deal with the press involvement by way of the Press Complaints Council. It was at this moment we knew no journalist could or ever would be prosecuted in relation to our investigation.”
Something rotten in the state of the Information Commissioner’s Office – will Leveson act?
The reason the ICO got precious little credit is that it deserves none whatsoever – in fact, on the basis of this testimony, it was effectively complicit in what amounts to a cover-up.
My second concern is over the Information Commissioner’s closing comments. Specifically, he said:
Well, the ICO can expect to remain in the news as we engage with two further Government initiatives on the information rights agenda – the Draft Communications Data Bill and the drive for Open Data. We are working to ensure necessary limitations and safeguards for personal information and we want to enable appropriate data sharing and encourage openness provided it complies with the law.
Could somebody please tell me what this means? I want to ‘safeguard’ personal information provided it complies with the law? I want to ‘enable appropriate data sharing’ that complies with the law? The law is whatever the government makes the law. The government is in the process of making a new communications law that will give them huge volumes of our personal data. But that’s alright because our privacy protector will make sure that government complies with the law that it makes.
What a waste of time. What a waste of space. What a waste of taxpayers’ money.