Anyone who heard Christopher Graham launching the ICO’s annual report last week must wonder just how many planets there are in this solar system. In his own words:
…the ICO is well up to the task.
…the ICO has bared its teeth…
It’s a case of ‘wake up and smell the CMP!’
…the regulator is getting results.
This reads like a marketing department bigging-up a poor product. The simple fact is, based on irrefutable empirical evidence, the ICO is failing: corporate and government loss of personal data is certainly not diminishing. Graham is wrong.
But there are two things in his speech that I particularly wish to consider. At one point he says:
The ICO has received precious little credit for having been the first to blow the whistle on Fleet Street practices in our 2006 publications ‘What Price Privacy?’ and ‘What Price Privacy Now?’… Meanwhile, we have been facilitating ‘fast track’ subject access from the so-called Motorman Files for any concerned citizen…
Compare this view of the ICO with that of its own Motorman investigator at the time, Alexander Owens:
“Despite our protests we were told this was the decision of Richard Thomas [then IC] and that he would deal with the press involvement by way of the Press Complaints Council. It was at this moment we knew no journalist could or ever would be prosecuted in relation to our investigation.”
Something rotten in the state of the Information Commissioner’s Office – will Leveson act?
The reason the ICO got precious little credit is because it deserves none whatsoever – in fact, on the basis of this testimony, it was effectively complicit in what amounts to a cover-up.
My second concern is over the Information Commissioner’s closing comments. Specifically, he said:
Well, the ICO can expect to remain in the news as we engage with two further Government initiatives on the information rights agenda – the Draft Communications Data Bill and the drive for Open Data. We are working to ensure necessary limitations and safeguards for personal information and we want to enable appropriate data sharing and encourage openness provided it complies with the law.
Could somebody please tell me what this means? I want to ‘safeguard’ personal information provided it complies with the law? I want to ‘enable appropriate data sharing’ that complies with the law? The law is whatever the government makes the law. The government is in the process of making a new communications law that will give them huge volumes of our personal data. But that’s alright because our privacy protector will make sure that government complies with the law that it makes.
What a waste of time. What a waste of space. What a waste of taxpayers’ money.
It was bank holiday Monday yesterday, so I didn’t spend all day in front of the computer. But I got a file from the Ministry of Lulz – it was the TangoDown http://www.justice.gov.uk graphic.
When and why, I asked; and was pointed at Saturday’s Anonymous message of support for Julian Assange.
I also received a copy of legal counsel concerning the Information Commissioner – so I started work on an article.
But it was bank holiday Monday; so I didn’t rush – and got overtaken by events. In the early evening I got another message from the Ministry of Lulz: ‘justice.gov.uk is down for last 2 hours’.
So in some senses my draft story became irrelevant – but I’m pasting it below anyway. Now, however, it is an explanation for downing the Ministry of Justice – and perhaps a warning for the Information Commissioner. Here it is…
The voice behind The Ministry of Lulz is Winston Smith (named after the hero of Orwell’s 1984). The problem with this association is that the fictional Winston Smith was lured into joining a secret organization determined to bring down the Big Brother government. That secret organization clearly translates to Anonymous. But the fictional recruiter (O’Brien in the novel) turns out to be a government agent (Fed) – and Smith is betrayed. In real life, Smith was ‘recruited’ into Anonymous by ‘XX’. Smith must hope that life doesn’t mirror fiction too closely.
The Ministry of Lulz would appear to have two immediate targets in the UK: the Ministry of Justice and the Information Commissioner. Smith sent me a ‘TangoDown’ graphic. It names ‘www.justice.gov.uk’. Asked why, he pointed to the Anonymous video that was posted to YouTube on Saturday. It’s a message of solidarity with Julian Assange following the failure of his High Court plea to prevent extradition to Sweden – from where, suggests Anonymous, there is little doubt that he will rapidly be extradited to the USA.
This second extradition would seem particularly likely following the recent publication of Parmy Olson’s new book, ‘We are Anonymous’. A small section of this book is reproduced on John Young’s Cryptome site (it seems to be the subject of a takedown notice from the DtecNet Anti-Piracy Team but was still available at the time of writing this). In this book, Olson (the London bureau chief for Forbes) states very clearly that “Assange and q appeared to want LulzSec to try to grab the e-mail service of government sites, then look for evidence of corruption or at least evidence that the government was targeting WikiLeaks.” While proof of nothing, especially since FBI-informant Sabu was involved, the suggestion of involvement in a conspiracy to attack government sites merely makes extradition from Sweden to the USA more likely.
With the tango down graphic I also received a copy of a legal opinion on the ICO. The UK’s Information Commissioner’s Office is likely to be targeted for what the Ministry of Lulz considers to be corruption. The legal opinion related to a case where personal medical records were passed to the subject’s (now ex) wife’s solicitors without his permission. The subject also claimed they were incorrect. He complained to the GMC, who ruled that his GP’s action had ‘fallen below the standards expected from a medical practitioner in processing and disclosing information.’ He then complained to the Information Commissioner who rejected his complaint, ruling amongst other things that the accuracy of personal information is not an issue if he (the IC) considers it to be lawfully disclosed. Consider that for a moment: if disclosure is allowed, you can spread lies without hindrance from the ICO.
The subject then took legal counsel (which is what was sent to me). Counsel concludes that “there is a 60-65% prospect of success in an application for permission to apply for judicial review against the IC…” It goes on to say that “the IC is interpreting the justification provisions in the [DPA] 1998 very widely and in a way which is not compatible with guidance and codes from professional organisations such as the GMC and also not in tune with comments from the courts,” and that “issues of wider public interest are raised by the case, namely the correct scope of the justifications in s35 DPA 1998 and the schedules to the Act, especially when seen in the light of the right to respect for private life in Art 8 ECHR.”
That, perhaps, is what you get when you put a marketing man rather than a legal man in charge of the ICO. But given the experience of the Ministry of Justice yesterday, he should look to his defences for the future.
My news stories on Infosecurity Magazine from Tuesday 10 April until Friday 13 April, and Monday 16 April until Wednesday 18 April
NHS needs a security czar to prevent continuous data walkabout
While the South London Healthcare NHS Trust signs a Data Protection Undertaking, the security industry wonders why we have learnt nothing in the last two years – and calls for a new NHS data protection czar.
18 April 2012
PwC 2012 Information Security Breaches Survey: Preliminary findings report continued mobile insecurity
New statistics show that while many companies appear to understand the business threat from BYOD, many others are taking no precautions whatsoever.
18 April 2012
(ISC)² launches its new EMEA advisory board
In a move designed to offer genuine hands-on security experience to EMEA’s different security initiatives, professional body (ISC)² has launched a new Advisory Board for Europe, the Middle East and Africa (EAB).
18 April 2012
Google co-founder worries about the future of the internet
In an interview with the Guardian, the co-founder of Google lists the threats facing the future vitality of the internet.
17 April 2012
Shadowserver uncovers campaign against Vietnam in Hardcore Charlie’s file dump
An analysis of the hacked files dumped by hacker Hardcore Charlie fails to prove Chinese culpability, but finds evidence of ‘yet another cyber espionage campaign against Vietnam.’
17 April 2012
Iranian software manager hacks and dumps card details of 3m Iranians
Khosrow Zarefarid found and reported a flaw in the Iranian POS system. He reported it, but was ignored – so he used it and hacked 3 million Iranian debit card details.
17 April 2012
Dutch Pirate Party forced to take its Pirate Bay proxy off-line
In a move that will be monitored by the UK’s music industry association (BPI), its Dutch equivalent BREIN (translates as ‘Brain’) has obtained a court injunction forcing the political party, the Pirate Party, to take down the proxy site that was allowing users to continue using the blocked Pirate Bay (TPB).
16 April 2012
Is ACTA dead in the water, or is it resurfacing via the G8?
David Martin, European Parliament’s rapporteur on the ACTA treaty, is expected to recommend that parliament should reject ACTA. Does this mean the end for the Anti-Counterfeiting Trade Agreement?
16 April 2012
Commotion Wireless: an open source censorship buster
The great contradiction in modern techno-politics is the need for democracies to promulgate free speech in other countries while controlling it in their own.
16 April 2012
Boston police release unredacted Facebook data of ‘Craigslist killer’
The complete Facebook account of Philip Markoff, in hard copy and including friend IDs, was given by the Boston Police to the Boston Phoenix newspaper.
13 April 2012
EC asks how we would want the internet of things to be controlled
The European Commission (EC) has issued an online ‘consultation’ document: How would you envisage ‘governance’ of the ‘Internet of Things’?
13 April 2012
City trader fined £450,000 by the FSA
“For the reasons given in this Notice…”, says an FSA Decision Notice, “…the FSA has decided to impose on Mr Ian Charles Hannam a financial penalty of £450,000.”
13 April 2012
MPAA’s attempted takedown of Hotfile gets more and more difficult
Don’t throw the baby out with the bathwater says Google; and there’s more baby than bathwater suggests Prof. James Boyle.
12 April 2012
UK private members bill designed to censor pornography on the internet
Baroness Howe of Idlicote has introduced the Online Safety Act 2012, designed to force ISPs to install and operate pornography filters.
12 April 2012
Financial services the target in massive DDoS increase
A new analysis from Prolexic shows a huge increase in DDoS attacks, largely sourced in Asia and primarily attacking financial institutions.
12 April 2012
Smartphones are still firmly ‘enterprise-unready’
Research by Altimeter Group, Bloor Research and Trend Micro shows that the ‘consumer marketing’ legacy of many smartphones makes them ill-equipped to meet enterprise security demands.
11 April 2012
EU trade committee’s draft opinion on ACTA: Don’t ratify
The European Parliament’s Industry, Research and Energy committee for the Committee on International Trade has published its draft opinion on ACTA. Don’t ratify, it tells parliament.
11 April 2012
DHS gets California company to hack game consoles
In a project that started from law enforcement agencies’ request to the US Department of Homeland Security (DHS), which was then farmed out to the US Navy, Obscure Technologies of California has been awarded a contract to find ways of hacking game consoles.
11 April 2012
Real-time data mining comes to Twitter
Twitter is usually described as a micro-blogging social network. To many who monitor its ‘trending topics’ it is also an early warning news service, frequently pointing users to breaking news before the traditional news media reports it.
10 April 2012
Iran bids farewell to the internet; welcomes its own halal intranet
Iran’s answer to ‘criminality’ on the internet is not to fight criminality, but to block the internet. In the future, Iranians will have access to only the official national intranet and a whitelist of acceptable foreign sites.
10 April 2012
What an Englishman does in bed
Companies that monitor the end point behavior of their remote workers will have to start monitoring their (internet) behavior in bed. That at least is the inference to be drawn from a new street survey conducted by Infosecurity Europe.
10 April 2012
The news stories written for Infosecurity Magazine last week are:
- Law Society tougher than the ICO on Andrew Crossley
- Mixed but depressing findings in European corporate governance recruitment
- Ransomware pretending to be law enforcement
- Olympic security dossier left on London train
- Voice biometrics will be the authentication of choice, says Opus Research
- SP Toolkit illustrates the dangers inherent in many security audit tools
- HMRC’s failure to recruit security staff shows education must change
- Ten years of Microsoft’s Trustworthy Computing initiative: Has it delivered?
- A road-map towards meaningful security data sharing
- Research by Sophos reveals the gang behind Koobface
- Children’s online games used to distribute malware
- AXA global insurance company adopts data analytics to reduce fraud
- Health Software firm develops Android app while NHS warns on tablet security
- New version of Sykipot malware targets DoD smart cards
- How DarkCoderSC reveals SFX files methodology
Should staff, not the taxpayer, pay fines for public sector data breaches? This is a question posed by UKauthorITy, a publisher of IT related news for the local sector. It quotes the TaxPayer’s Alliance:
Of course people in these situations should be held personally liable as if the council is fined, then that fine is paid for out of the local council taxes. In essence it is a double tax – once for collecting/storing the data and again for losing it.
Should staff, not the taxpayer, pay fines for public sector data breaches?
Grant Taylor, UK VP of CryptZone is agin the idea of fining the staff rather than the organization, and puts forward a strong case. “If the penalties are applied to nominated senior managers in the relevant NHS trust, council or other government agency – as is the case with corporate responsibility, for example within transportation authorities – then the public sector could be forced into building liability insurance remuneration into management salaries, as has been required by medical professionals for some time,” he argues. This will simply have the effect of “moving the cost of data breach penalties across the government spreadsheet – with the taxpayer continuing to foot the bill.”
Grant believes that education and open discussion is the solution. “But to reduce the argument to individual ICO penalties within the workforce would only result in the departure of the most talented member of staff – who will be streamed off into the private sector – with predictable results. This is what makes this argument something of a non-starter in our opinion,” he concludes.
I sort of agree; but I don’t think education will ever be enough to protect our data. The bottom line is the current arrangements just are not working. Personal data continues to be lost, councils are fined, and the ‘double tax’ described by the TaxPayer’s Alliance is a reality. But potential remedies exist, and always have existed, without any action from the ICO. It is the concept of responsibility – when things go wrong, there is always someone at fault.
Consider this. Organizations will have procedures that are part of the security policy and part of the employment contract. If these procedures are followed, then data will not be lost. If they are followed and data is still lost, then the author of the procedures is responsible because he or she simply didn’t do the job properly. If the procedures are not followed and data is lost, then the person who loses the data is responsible because he or she didn’t follow procedures. Because the procedures are part of the employment contract, failure to follow them is a disciplinary offence. It’s not a case of the ICO fining individual staff, it’s a case of the organization sacking staff who haven’t done their job.
The advantage of this simple approach is that it doesn’t frighten off good staff (good staff will always be confident in their own abilities), but it does weed out poor staff. And it doesn’t cost the taxpayer an additional penny.
There are even in-built safeguards in this approach. Organizations always have bullies. Middle managers at fault will generally blame their staff. But that’s why we have employment protection laws and tribunals. If a scapegoat is selected and sacked to protect a manager, that scapegoat has recourse to the law. So we don’t need to fine individual staff or the organization. We don’t even need the ICO. We just need to do what we always could do: in the event of a data breach, the person responsible should automatically be sacked.
PRC, the Privacy Rights Clearinghouse, has launched a new online complaints form. It is a model of clarity and simplicity – but only for Americans.
We in the UK, of course, have our own Information Commissioner’s Office, to which we can make similar complaints on breaches of privacy. It is not a model of clarity or simplicity. To be fair, the site says that “some of our online complaints forms are undergoing development. In the meantime, please choose from the following options…”
Those options involve the good old-fashioned Word document that you download, print out, fill in and post or scan and email back to the ICO. My hope, but not expectation, is that the ICO takes a leaf out of the PRC’s book, and develops an online model of clarity and simplicity for future complaints.
One other current difference:
PRC: “The PRC’s staff will review and respond to every complaint, providing individuals with information and strategies to address their problem.”
ICO: “Please note: our automatic email response system is not currently working…”