My news stories on Infosecurity Magazine from Tuesday 10 April until Friday 13 April, and Monday 16 April until Wednesday 18 April
NHS needs a security czar to prevent continuous data walkabout
While the South London Healthcare NHS Trust signs a Data Protection Undertaking, the security industry wonders why we have learnt nothing in the last two years – and calls for a new NHS data protection czar.
18 April 2012
PwC 2012 Information Security Breaches Survey: Preliminary findings report continued mobile insecurity
New statistics show that while many companies appear to understand the business threat from BYOD, many others are taking no precautions whatsoever.
18 April 2012
(ISC)² launches its new EMEA advisory board
In a move designed to offer genuine hands-on security experience to EMEA’s different security initiatives, professional body (ISC)² has launched a new Advisory Board for Europe, the Middle East and Africa (EAB).
18 April 2012
Google co-founder worries about the future of the internet
In an interview with the Guardian, the co-founder of Google lists the threats facing the future vitality of the internet.
17 April 2012
Shadowserver uncovers campaign against Vietnam in Hardcore Charlie’s file dump
An analysis of the hacked files dumped by hacker Hardcore Charlie fails to prove Chinese culpability, but finds evidence of ‘yet another cyber espionage campaign against Vietnam.’
17 April 2012
Iranian software manager hacks and dumps card details of 3m Iranians
Khosrow Zarefarid found a flaw in the Iranian POS system. He reported it, but was ignored – so he used it himself and dumped the details of 3 million Iranian debit cards.
17 April 2012
Dutch Pirate Party forced to take its Pirate Bay proxy off-line
In a move that will be monitored by the UK’s music industry association (BPI), its Dutch equivalent BREIN (translates as ‘Brain’) has obtained a court injunction forcing the political party, the Pirate Party, to take down the proxy site that was allowing users to continue using the blocked Pirate Bay (TPB).
16 April 2012
Is ACTA dead in the water, or is it resurfacing via the G8?
David Martin, European Parliament’s rapporteur on the ACTA treaty, is expected to recommend that parliament should reject ACTA. Does this mean the end for the Anti-Counterfeiting Trade Agreement?
16 April 2012
Commotion Wireless: an open source censorship buster
The great contradiction in modern techno-politics is the need for democracies to promulgate free speech in other countries while controlling it in their own.
16 April 2012
Boston police release unredacted Facebook data of ‘Craigslist killer’
The complete Facebook account of Philip Markoff, in hard copy and including friend IDs, was given by the Boston Police to the Boston Phoenix newspaper.
13 April 2012
EC asks how we would want the internet of things to be controlled
The European Commission (EC) has issued an online ‘consultation’ document: How would you envisage ‘governance’ of the ‘Internet of Things’?
13 April 2012
City trader fined £450,000 by the FSA
“For the reasons given in this Notice…”, says an FSA Decision Notice, “…the FSA has decided to impose on Mr Ian Charles Hannam a financial penalty of £450,000.”
13 April 2012
MPAA’s attempted takedown of Hotfile gets more and more difficult
Don’t throw the baby out with the bathwater says Google; and there’s more baby than bathwater suggests Prof. James Boyle.
12 April 2012
UK private members bill designed to censor pornography on the internet
Baroness Howe of Ildicote has introduced the Online Safety Act 2012, designed to force ISPs to install and operate pornography filters.
12 April 2012
Financial services the target in massive DDoS increase
A new analysis from Prolexic shows a huge increase in DDoS attacks, largely sourced in Asia and primarily attacking financial institutions.
12 April 2012
Smartphones are still firmly ‘enterprise-unready’
Research from Altimeter Group, Bloor Research and Trend Micro shows that the ‘consumer marketing’ legacy of many smartphones makes them ill-equipped to meet enterprise security demands.
11 April 2012
EU trade committee’s draft opinion on ACTA: Don’t ratify
The European Parliament’s Industry, Research and Energy committee has published its draft opinion on ACTA for the Committee on International Trade. Don’t ratify, it tells parliament.
11 April 2012
DHS gets California company to hack game consoles
In a project that started from law enforcement agencies’ request to the US Department of Homeland Security (DHS), which was then farmed out to the US Navy, Obscure Technologies of California has been awarded a contract to find ways of hacking game consoles.
11 April 2012
Real-time data mining comes to Twitter
Twitter is usually described as a micro-blogging social network. To many who monitor its ‘trending topics’ it is also an early warning news service, frequently pointing users to breaking news before the traditional news media reports it.
10 April 2012
Iran bids farewell to the internet; welcomes its own halal intranet
Iran’s answer to ‘criminality’ on the internet is not to fight criminality, but to block the internet. In the future, Iranians will have access to only the official national intranet and a whitelist of acceptable foreign sites.
10 April 2012
What an Englishman does in bed
Companies that monitor the end point behavior of their remote workers will have to start monitoring their (internet) behavior in bed. That at least is the inference to be drawn from a new street survey conducted by Infosecurity Europe.
10 April 2012
The news stories written for Infosecurity Magazine last week are:
- Law Society tougher than the ICO on Andrew Crossley
- Mixed but depressing findings in European corporate governance recruitment
- Ransomware pretending to be law enforcement
- Olympic security dossier left on London train
- Voice biometrics will be the authentication of choice, says Opus Research
- SP Toolkit illustrates the dangers inherent in many security audit tools
- HMRC’s failure to recruit security staff shows education must change
- Ten years of Microsoft’s Trustworthy Computing initiative: Has it delivered?
- A road-map towards meaningful security data sharing
- Research by Sophos reveals the gang behind Koobface
- Children’s online games used to distribute malware
- AXA global insurance company adopts data analytics to reduce fraud
- Health Software firm develops Android app while NHS warns on tablet security
- New version of Sykipot malware targets DoD smart cards
- How DarkCoderSC reveals SFX files methodology
Should staff, not the taxpayer, pay fines for public sector data breaches? This is a question posed by UKauthorITy, a publisher of IT-related news for the local government sector. It quotes the TaxPayer’s Alliance:
Of course people in these situations should be held personally liable as if the council is fined, then that fine is paid for out of the local council taxes. In essence it is a double tax – once for collecting/storing the data and again for losing it.
Should staff, not the taxpayer, pay fines for public sector data breaches?
Grant Taylor, UK VP of CryptZone, is agin the idea of fining the staff rather than the organization, and puts forward a strong case. “If the penalties are applied to nominated senior managers in the relevant NHS trust, council or other government agency – as is the case with corporate responsibility, for example within transportation authorities – then the public sector could be forced into building liability insurance remuneration into management salaries, as has been required by medical professionals for some time,” he argues. This will simply have the effect of “moving the cost of data breach penalties across the government spreadsheet – with the taxpayer continuing to foot the bill.”
Grant believes that education and open discussion is the solution. “But to reduce the argument to individual ICO penalties within the workforce would only result in the departure of the most talented member of staff – who will be streamed off into the private sector – with predictable results. This is what makes this argument something of a non-starter in our opinion,” he concludes.
I sort of agree; but I don’t think education will ever be enough to protect our data. The bottom line is the current arrangements just are not working. Personal data continues to be lost, councils are fined, and the ‘double tax’ described by the TaxPayer’s Alliance is a reality. But potential remedies exist, and always have existed, without any action from the ICO. It is the concept of responsibility – when things go wrong, there is always someone at fault.
Consider this. Organizations will have procedures that are part of the security policy and part of the employment contract. If these procedures are followed, then data will not be lost. If they are followed and data is still lost, then the author of the procedures is responsible because he or she simply didn’t do the job properly. If the procedures are not followed and data is lost, then the person who loses the data is responsible because he or she didn’t follow procedures. Because the procedures are part of the employment contract, failure to follow them is a disciplinary offence. It’s not a case of the ICO fining individual staff, it’s a case of the organization sacking staff who haven’t done their job.
The advantage of this simple approach is that it doesn’t frighten off good staff (good staff will always be confident in their own abilities), but it does weed out poor staff. And it doesn’t cost the taxpayer an additional penny.
There are even in-built safeguards in this approach. Organizations always have bullies. Middle managers at fault will generally blame their staff. But that’s why we have employment protection laws and tribunals. If a scapegoat is selected and sacked to protect a manager, that scapegoat has recourse to the law. So we don’t need to fine individual staff or the organization. We don’t even need the ICO. We just need to do what we always could do: in the event of a data breach, the person responsible should automatically be sacked.
PRC, the Privacy Rights Clearinghouse, has launched a new online complaints form. It is a model of clarity and simplicity – but only for Americans.
We in the UK, of course, have our own Information Commissioner’s Office, to which we can make similar complaints on breaches of privacy. It is not a model of clarity or simplicity. To be fair, the site says that “some of our online complaints forms are undergoing development. In the meantime, please choose from the following options…”
Those options involve the good old-fashioned Word document that you download, print out, fill in and post or scan and email back to the ICO. My hope, but not expectation, is that the ICO takes a leaf out of the PRC’s book, and develops an online model of clarity and simplicity for future complaints.
One other current difference:
PRC: “The PRC’s staff will review and respond to every complaint, providing individuals with information and strategies to address their problem.”
ICO: “Please note: our automatic email response system is not currently working…”
Sometimes you just have to laugh for fear of crying. The Information Commissioner’s Office (ICO) strategy for 2012 makes me do just that. It is a 17-page purple prose self-aggrandizing Declaration of Independence, declaring itself to be independent of political, public and media pressure. It should simply say that ‘we will uphold the law in our role defined by the law.’
But it doesn’t do that. It seems more concerned to distance itself from the letter of the law by defining its own interpretation of the law, and to align itself with that interpretation. It has, in short, evolved an overblown idea of its function, which it attempts to define in this rather long and mis-titled public-relations document. I give just a few examples:
we will neither be exclusively an educator nor exclusively an enforcer. We are both, even though we prefer to deliver our desired outcomes through help and encouragement rather than force. This means we are primarily a facilitator…
In the time-honoured liberal tradition it has failed to understand that facilitation is delivered by enforcement, not enforcement delivered by facilitation.
We cannot address all risks to the upholding of information rights equally nor should we attempt to do so.
Yes it most certainly should attempt to address all risks to the upholding of information rights equally.
we will treat all cases that come to us fairly and properly but not necessarily pursue them with equal vigour.
This is perhaps one of the most worrying comments. The ICO is declaring that it will decide, arbitrarily, whether your complaint is worth its attention. Not the law, not the judiciary, not parliament, not you, but its own self will pre-judge a case and decide whether or not to pursue it with vigour.
we will devote particular effort to investigating, analysing and ultimately enforcing in those cases that we see as contributing most to the delivery of our desired outcomes and not just those presenting the biggest risk…
Not just those presenting the biggest risk. It really does say that it, the body responsible for enforcing the Data Protection Act, is not necessarily going to spend its effort on the biggest risk.
Laugh or cry? You decide.
I was pretty damning of the ICO in my post outlining Alex Owens’ witness statement to the Leveson Inquiry (looking into the phone hacking scandal). You can read that here: Something rotten in the state of the Information Commissioner’s Office – will Leveson act?
Well, surprise, surprise. Richard Thomas doesn’t remember it.
The informal meeting to which Mr Owens refers took place in this instance because (understandably) the team wished to share the nature and scale of their success with me. I recall that meeting as the occasion when I was informed about the volume and nature of the materials – the “treasure trove” – which had been discovered. I recall congratulating Mr Owens and the team for a job well done. I do not, however, recall any course of action being formally or informally recommended by Mr Owens or anyone else, let alone being “bemused”. Specifically, I do not recall any proposal, on that or any other occasion, that any journalists – nor indeed any other customers of Steve Whittamore and his associates – should be investigated. I do not recall even any suggestion that any further investigations were under consideration. One of my central memories of that meeting is a recognition of the challenge presented for a very small team by the sheer bulk of the evidence, without any suggestion that even more should be obtained. I do not recall whether Francis Aldhouse was at that meeting, but I do not ever recall hearing the words attributed to him.
…I do not have any recollection or awareness whatsoever of preventing any Investigating Officer…
…Nor do I have any recollection of making any later “decision” or issuing any sort of instruction…
…Nor was I aware at any time of any grievance…
…Although I cannot recall any discussion…
Fourth Witness Statement of Richard Thomas CBE
That’s the defence. And now the attack:
Mr Owens has made a number of allegations about me and the ICO. It is therefore necessary for me to alert the Inquiry to the fact that there were a number of performance, disciplinary and grievance issues between Mr Owens and the ICO…
It’s all so predictable that any media relations person could have written it for him without ever needing to speak to him. The difference is that Owens states things happened, while Thomas doesn’t deny them, just can’t remember them.
We take our responsibilities under the Data Protection Act very seriously having in place robust procedures to meet our obligations.
Sound familiar? It’s the standard response from an organization that has just failed in its responsibilities under the Data Protection Act – and we’re hearing it all too often, and all too often from a local authority. This is Bolton Council, who left children’s files in a car that was broken into.
A report in This Is Lancashire states that
…it is also believed the files should not have been removed from the office by the worker, who has now left the council.
Probe after children’s files stolen from car
First comment: if files were wrongfully removed from the office, then the ‘robust procedures’ clearly ain’t robust.
Second comment: the worker could have been a contractor who has left at the end of the contract. More likely, I suspect, it was a full-time employee. In which case, that he or she has left the council means one of two things: either it is an admission of guilt followed by an accepted resignation; or it is obvious guilt followed by dismissal. Resignation should not be accepted: loud and painful dismissal would reinforce the message that such behaviour is unacceptable.
But this bit makes me weep. The council also stated:
At the same time we also voluntarily chose to alert the ICO of the situation and will take their recommendations on board, should there be any.
The tone is hardly contrite. Bolton seems to be seeking kudos for reporting a disaster, will listen to a telling-off from the headmaster, but doesn’t seem to think there should be one. This has to change. The ICO must find some way to seriously hurt the people responsible, council management, without hurting the public taxpayer.
The problems with employing an ex-copper, especially a senior ex-copper, are twofold. Firstly, he has a pretty good idea of what will and will not make a successful prosecution; and secondly, he is well-versed in giving evidence from recorded notes. The danger comes when those notes are turned against you. Richard Thomas, the previous incumbent as Information Commissioner, must now be regretting he ever employed Detective Inspector (retired) Alexander John Owens as an investigator.
The story effectively starts in 2002. The Devon and Cornwall Police had become concerned that serving and retired officers were illegally accessing the police national computer and selling the data to a private detective. The police intended to search the premises of the detective agency and expected to find evidence relating to the Data Protection Act. They invited Mr Owens, as an investigator with the Information Commissioner’s Office, to assist – and he did so.
The result of the search was the seizure of a large amount of paperwork. Early examination of this paperwork led to the initiation of Operation Motorman (so-called because of illegal accesses to DVLA records). Its purpose was to identify corrupt sources at the DVLA, and the detective agency’s ‘customers’ who had commissioned the actions.
One request to the detective agency was for a ‘protected number’. It came from Stephen Whittamore. In March 2003, Mr Owens and four other ICO investigators executed a search warrant at Whittamore’s home. It rapidly became clear that he “worked on a full time basis for numerous newspaper groups and journalists obtaining a variety of information for them. This ranged from ‘previous convictions’ (CRO checks), VRM checks, Ex directory telephone numbers, mobile phone numbers, telephone number conversions and even ‘family and friends’ lists.”
On analysing the seized data, Owens decided that it would be impossible to interview all the ‘victims’, and that the best course of action would be to work on a select pool of 25/30 prosecution cases. From this basis he would be able to proceed with an overall ‘conspiracy to breach the Data Protection Act’ incorporating all the parties involved. This he did, using his police experience to protect the data and obtain legal counsel. Counsel agreed that ‘conspiracy’ was the best route.
And then came the heavy hand of Richard Thomas, the Information Commissioner. Owens was informed that he was “not to make contact with any of the newspapers identified and we were not to speak to, let alone, interview any journalists. Despite our protests we were told this was the decision of Richard Thomas and that he would deal with the press involvement by way of the Press Complaints Council. It was at this moment we knew no journalist could or ever would be prosecuted in relation to our investigation.” The newspapers and journalists were being protected, and Owens was to restrict his investigation “solely to those at the bottom of the pyramid i.e. those involved with corruptly supplying information or ‘blagging’ information.”
Owens continued with his ‘lesser’ investigation and heard no more about the journalists. He completed his investigation in February 2004, and “handed over all the evidence gathered to the ICO Legal Department with our recommendations that all parties identified as being involved be jointly prosecuted for ‘conspiracy to breach the Data Protection Act 1998’.”
More than a year later he learned that Whittamore had appeared before Blackfriars Court and had been given a Conditional Discharge.
Now, two questions come to mind.
- Was this personal cowardice on the part of Richard Thomas in declining to take on the press, or was it on instruction from the higher regions of government? Remember that Tony Blair was prime minister, and that he cultivated a close relationship with the press.
- Does any spectre of this cowardice/corruption still haunt the corridors of the ICO?
We are unlikely to ever get a satisfactory answer to the first question. But back to Owens, now retired from the ICO, on the second…
“In April 2011 I watched David Smith the Deputy Information Commissioner on a Panorama programme. In this programme he made a statement that no journalist was ever prosecuted ‘because we didn’t have the evidence that those journalists knew beyond all reasonable doubt that the information had been obtained illegally’. This I knew was not only inaccurate but also deliberately misleading. What David Smith had omitted to tell the public was that there was overwhelming evidence to establish numerous prima facie cases against many journalists but the Investigations Unit had been stopped from gathering any further additional evidence, by the Commissioner himself.”
It seems beyond all reasonable doubt that the cowardice and corruption that existed in 2002 to 2005 still exists in the Information Commissioner’s Office today. Quite simply, the ICO is not fit for purpose.
ICO and the Data Protection Act: do they fine the victims and expect them to punish the perpetrator?
The Information Commissioner’s Office (ICO) has come down hard on two councils. It has fined Worcestershire £80,000 after “a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients.” And it fined North Somerset £60,000 “for a serious breach of the Data Protection Act where a council employee sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee.”
Christopher Graham, the Information Commissioner, explained: “There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure… The Information Commissioner takes this sloppiness seriously – and so should you.”
Ed Rowley, Senior Product Manager at M86 Security, thinks this is a positive step. “It was suggested earlier this year,” he commented, “that the ICO was not using its powers to penalise organisations for the most serious data breaches. These two fines demonstrate that the ICO is serious about punishing those who fail to protect sensitive information. Commercial and government organisations must learn that protecting private data needs to be built into all of their processes from the ground up. Having the appropriate policies in place and training is the best place to start. However, these need to be supported by using appropriate technology to enforce those policies. Certainly, in both of these cases technology could have been used to prevent the email leaks and saved the councils and tax payers a lot of money, in addition to protecting the privacy of the vulnerable individuals whose information was inappropriately handled.”
My own view is simple (and explained here: Data Protection Act Fail): fining councils doesn’t help anyone, it merely punishes the taxpayer. I put this to Ed.
“I understand the point that you are making,” he replied. “However, I do have faith in the democratic process. While the public end up paying for the fines in a roundabout manner, a local council’s inability to provide services to the public can result in those responsible being ousted at the next set of elections in which they stand: elected officers can lose their jobs if they are not able to control public finances and ruling parties can be weakened or even lose overall control. Even though the fines imposed by the ICO may only play a small part from a financial perspective, the damage that these breaches can cause to the reputation comes at a much higher cost to those in power.”
It’s a valid point; but I haven’t changed my opinion, and I doubt that Ed will change his. However, I would add an additional comment that didn’t come up in this conversation. Within the legal system in general there is a huge desire for greater consistency in sentencing. This is necessary not merely for the old-fashioned view of ‘fairness’, but also to demonstrate to potential criminals the likely outcome of the offence. The ICO is not part of the judicial system even though in matters of data protection it effectively acts as both judge and jury; so the point is relevant. Here it is fining a local council £80,000 that will be paid by the victims and other innocent taxpayers. Earlier in the year it fined ACS:Law just £1000 to be paid by the perpetrator. So I ask: where is the consistency in this?
I have said it before, but clearly it needs to be said again: the Data Protection Act and the Information Commissioner’s Office, as configured today, are a waste of time, space and our money. Today, Big Brother Watch has published a report showing
more than 1000 incidents [of data loss] across 132 local authorities, including at least 35 councils who have lost information about children and those in care…
…Yet of the 1035 incidents, local authorities reported that just 55 were reported to the Information Commissioner’s Office. Perhaps more concerning, just 9 incidents resulted in termination of employment.
Local authority data loss exposed
Put plainly, the Data Protection Act isn’t working.
I have also been critical in the past about the Information Commissioner. In reality, he is in an impossible position. What can he do with local authorities? Fines are meant to hurt – they are a punishment to make people behave more responsibly in the future. But fines don’t work on local authorities because they don’t have any money of their own – it is our money. And if they don’t have enough of our cash to pay the fine, they’ll just have to reduce our services.
The local authorities are also in a difficult position. It’s not ‘them’ that loses the data, but their staff. And it’s nigh on impossible to sack local authority staff because of the combined weight of the employment laws, the Human Rights Act, and of course, UNISON.
So we have an Act that doesn’t work enforced by an organization that cannot enforce. That should be enough to cause a change. But nothing will change because the Data Protection Act is forced on us by the EU, and we don’t have the sovereignty to do anything about it. And there’s one other problem: the Data Protection Act allows our government to pretend it cares about our privacy. Obviously it doesn’t.