ICO and the Data Protection Act: do they fine the victims and expect them to punish the perpetrator?
The Information Commissioner’s Office (ICO) has come down hard on two councils. It has fined Worcestershire £80,000 after “a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients.” And it fined North Somerset £60,000 “for a serious breach of the Data Protection Act where a council employee sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee.”
Christopher Graham, the Information Commissioner, explained: “There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure… The Information Commissioner takes this sloppiness seriously – and so should you.”
Ed Rowley, Senior Product manager at M86 Security thinks this is a positive step. “It was suggested earlier this year,” he commented, “that the ICO was not using its powers to penalise organisations for the most serious data breaches. These two fines demonstrate that the ICO is serious about punishing those who fail to protect sensitive information. Commercial and government organisations must learn that protecting private data needs to be built into all of their processes from the ground up. Having the appropriate policies in place and training is the best place to start. However, these need to be supported by using appropriate technology to enforce those policies. Certainly, in both of these cases technology could have been used to prevent the email leaks and saved the councils and tax payers a lot of money, in addition to protecting the privacy of the vulnerable individuals whose information was inappropriately handled.”
My own view is simple (and explained here: Data Protection Act Fail): fining councils doesn’t help anyone, it merely punishes the taxpayer. I put this to Ed.
“I understand the point that you are making,” he replied. “However, I do have faith in the democratic process. While the public end up paying for the fines in a roundabout manner, a local council’s inability to provide services to the public can result in those responsible being ousted at the next set of elections in which they stand: elected officers can lose their jobs if they are not able to control public finances and ruling parties can be weakened or even lose overall control. Even though the fines imposed by the ICO may only play a small part from a financial perspective, the damage that these breaches can cause to the reputation comes at a much higher cost to those in power.”
It’s a valid point; but I haven’t changed my opinion, and I doubt that Ed will change his. However, I would add an additional comment that didn’t come up in this conversation. Within the legal system in general there is a huge desire for greater consistency in sentencing. This is necessary not merely for the old-fashioned view of ‘fairness’, but also to demonstrate to potential criminals the likely outcome of the offence. The ICO is not part of the judicial system even though in matters of data protection it effectively acts as both judge and jury; so the point is relevant. Here it is fining a local council £80,000 that will be paid by the victims and other innocent taxpayers. Earlier in the year it fined ACS: Law just £1000 to be paid by the perpetrator. So I ask: where is the consistency in this?
Is Guido in contempt of the enquiry; is Leveson in contempt of freedom; or is it Campbell that is contemptible?
What a strange democracy this is. The Leveson enquiry into telephone hacking (a public enquiry paid for by us) will be speaking to Alastair Campbell about the time he was working for Blair and paid by us. Guido Fawkes, who takes no money from us, obtained an advance copy of Campbell’s witness statement through legal but not necessarily clear means, and published it for us. Tom Watson, MP and self-aggrandiser maximus, republished it.
The Right Honourable Lord Justice Leveson was unhappy. He demanded that Tom remove the offensive, sorry, offending document. Tom obliged. Leveson demanded that Fawkes also remove the document (by the rather obscure route of sending an ‘order’ to Harriman House Publishing, the 2007 publishers of the The Big Red Book of New Labour Sleaze edited by Fawkes and Iain Dale).
IT IS ORDERED that, until further order,
1. No witness statement provided to the Inquiry whether voluntarily or under compulsion, nor any exhibit to any such statement, nor any other document provided to the Inquiry shall be published or disclosed, whether in whole or in part, outside the confidentiality circle comprising of [sic] the Chairman, his assessors, the Inquiry Team, the Core Participants and their legal representatives prior to the maker of the statement giving oral evidence to the Inquiry or the statement being read into evidence, or summarised into evidence by a member of the Inquiry Team as the case may be without the express permission of the Chairman…
Why? I can only assume that publishing the document before it is aired to the enquiry is some form of contempt, whether legal or purely semantic. But surely Leveson has it the wrong way round?. The person in contempt of the Leveson enquiry is the author of the document who did not hold the enquiry with sufficient reverence to keep his statement private until the enquiry?
Contempt? But who is really contemptible to the Leveson enquiry: Fawkes or Campbell?
And the real victim? On the day before he published Campbell’s evidence, Fawkes blogged:
Well, he was right – but not perhaps in the way he intended.
This article has been described as ‘tripe’ by the keeptonyblairforpm website, a leading supporter of the Ban Blair-Baiting petition.
Last week the Sydney Morning Herald ran a story on the Hacking Team’s Remote Control System, stating
DAVID Vincenzetti isn’t your typical arms dealer. He’s never sold a machinegun, a grenade or a surface-to-air missile. But, make no mistake, he has access to a weapon so powerful it could bring a country to its knees. It’s called RCS – Remote Control System – and it’s a piece of computer software.
The one ring to rule them all
RCS has been developed by an Italian company calling itself the Hacking Team. Its website claims
Remote Control System is totally invisible to the target. Our software bypasses protection systems such as antivirus, antispyware and personal firewalls.
Hacking Team sales literature
Scary stuff. And on the back of the FBI’s CIPAV, the Dutch police taking over and using a Bredolab botnet, and the German ‘Staatstrojaner’ exposed by the Chaos Computer Club, it is a worrying idea that law enforcement can get hold of software that can ‘bring a country to its knees’.
I don’t know whether to laugh or cry.
First up, David Harley, board member at AMTSO and senior research fellow at ESET: “I only skimmed the Sydney Morning Herald story earlier this week, as the first paragraph tripped my hype detector, padding out some PR for the company with some barely relevant purple prose of variable accuracy about arms dealers and Stuxnet.”
So, hype or horror story?
“What they advertise in that PDF is a bot,” says Luis Corrons, technical director at PandaLabs, “with the usual functionalities and a command & control panel to manage it – the same thing cybercriminals have been using for years. The main difference here is that those guys are offering their services to law enforcement agencies. That’s it.”
“The Hacking Team brochure suggests some form of RAT,” adds David, “which would almost certainly have to have rootkit functionality to perform as claimed.” Hacking Team’s sales literature also claims to be able to access all platforms, but David has his doubts on “whether it’s really possible, even with direct access to a system, to rootkit ‘any platform’”.
“Make no mistake,” says Chester Wisniewski, senior security advisor at Sophos. “This software is malware. Software that performs unwanted actions on a victim’s PC is malware, whether it is purchased for use by law enforcement or hand crafted by secret Iranian spies. You could say it is simply attempting to put a legitimate angle on criminal tools…”
So that’s what we’ve got: a nasty little rootkit RAT that tries to look like legitimate software. But let’s face it, rootkits do a lot of damage. And Hacking Team claims that this one is undetectable. But, “putting aside the legal issues involved in what they do,” comments Ram Herkanaidu, education manager at Kaspersky Lab, “the claim that their software is undetectable by security software is, at best, spurious.”
“It should have a footnote under its claim of being undetectable,” adds Luis: “for a limited period only.”
“Most anti-virus vendors will work on detecting it if they come across a sample,” explains Chester.
“It will only be a matter of time until it is detected,” adds Luis.
“I have yet to see an undetectable program of any sort, even a rootkit,” says David.
And once it is detected, “We would analyse and treat it in the same manner as any other malware and add detection to our software,” concludes Ram.
That pretty well sums it up: the newspaper story is hype and the software is malware. It is dangerous because it is a rootkit – but it’s no more than that, and all reputable anti-malware companies will eventually discover it and disinfect it. We need worry no more about this than any other malware.
The Cabinet Office has commented on the first 100 days of the UK’s e-petitions service.
Last Saturday marked 100 days since the new e-petitions service was launched by GDS and the Office of the Leader of the House of Commons. The service continues to be incredibly popular – on average 18 people have signed an e-petition every minute since the service started.
The report goes on to talk about the success of the system:
Of the six e-petitions which have passed the 100,000 threshold, two have been debated (the London riots and Hillsborough petitions), two are scheduled to be debated (Fuel Duty and Babar Ahmad – as part of a wider extradition debate) and one has been accepted for debate but will not be scheduled until the new year (Immigration). The only other outstanding petition, financial education in schools, is waiting for an MP to approach the Backbench Business Committee (who schedule e-petition debates), which should happen this month.
e-petitions: the first 100 days
Funny that. I seem to remember a petition for an EU referendum passing the 100,000 mark, and being debated, some time ago. But of course that was before Merkel and Sarkozy sacked Papandreou for offering the Greek people a referendum. Cameron must be running scared: don’t mention the EU!
You have to marvel at their cheek. pizzahutonlinecoupons.scam just tried to post the following in the comments:
This is an anti-spam message|| Join the anti-spam movement! Accept this comment and do your part spreading the word that we will NOT be spammed anymore.Do your duty and pass it on by posting on a friends blog!
I have said it before, but clearly it needs to be said again: the Data Protection Act and the Information Commissioner’s Office, as configured today, are a waste of time, space and our money. Today, Big Brother Watch has published a report showing
more than 1000 incidents [of data loss] across 132 local authorities, including at least 35 councils who have lost information about children and those in care…
…Yet of the 1035 incidents, local authorities reported that just 55 were reported to the Information Commissioner’s Office. Perhaps more concerning, just 9 incidents resulted in termination of employment.
Local authority data loss exposed
Put plainly, the Data Protection Act isn’t working.
I have also been critical in the past about the Information Commissioner. In reality, he is in an impossible position. What can he do with local authorities? Fines are meant to hurt – they are a punishment to make people behave more responsibly in the future. But fines don’t work on local authorities because they don’t have any money of their own – it is our money. And if they don’t have enough of our cash to pay the fine, they’ll just have to reduce our services.
The local authorities are also in a difficult position. It’s not ‘them’ that loses the data, but their staff. And it’s nigh on impossible to sack local authority staff because of the combined weight of the employment laws, the Human Rights Act, and of course, UNISON.
So we have an Act that doesn’t work enforced by an organization that cannot enforce. That should be enough to cause a change. But nothing will change because the Data Protection Act is forced on us by the EU, and we don’t have the sovereignty to do anything about it. And there’s one other problem: the Data Protection Act allows our government to pretend it cares about our privacy. Obviously it doesn’t.
I just love a good joke. Here’s a new one called New EU-US agreement on PNR improves data protection and fights crime and terrorism.
The preamble is this:
The agreement sets out privacy-friendly rules on how and for how long PNR data may be stored. Data will be de-personalised 6 months after it is received by the US authorities. After 5 years the de-personalised data will be moved to a ‘dormant database’ with stricter requirements for access by US officials. The total duration of data storage is limited to 10 years for serious transnational crimes. Only for terrorism will the data be accessible for 15 years.
Brussels, 17 November 2011
And here’s the punch-line: they expect us to believe it!