U.K.


A really great post on Panopticon legal blog (again :-))

Apparently Optical Express (OE) has been sending SMS messages to individuals who had not opted in to this service. In fact 4,600 people registered concern about OE’s marketing practices. It’s pretty interesting, as OE seems to be blind to the fact that it had not received explicit consent: it claims that a statement by Thomas Cook that personal data would be shared was sufficient, even though that statement did not make clear with whom the data would be shared, or how much.

I have to quote from the post, as the author seems to be a lawyer with a sense of humour…

“OE appears not to have seen any problem with texting people who had never previously dealt with it, believing they had sufficient consent. Whether their laser eye surgery offers would have assisted this possible case of Nelsonian blindness is unclear.”

Read post on Panopticon blog

I love what the UK is doing to keep alive the data retention directive that died an untimely death recently with DRIP 😉

Some argue that it ‘extends’ the powers of RIPA. UK government officials claim it is just to cover the loss of the EU data retention requirements temporarily, until they think of something new that is more manageable. Read what the Panopticon blog is saying and decide for yourself.

In case you missed this from your bedtime reading list 😉

Sorry I’ve been so verbose today, but there is just so much going on right now!

Here I am again, popping online to check, when this pops up on the Panopticon blog. This blog is cool because it is seriously legal. You know real legal experts writing about threats to our personal privacy. I wish my legal expertise was more seriously legal 😉

Well now they are talking about new legislation going through in the UK, CCTV, surveillance stuff, with all this Snowden excitement.

It is about the Protection of Freedoms Act 2012, which expressed the incoming Coalition Government’s commitment to keeping in check the state’s surveillance of ordinary citizens. By that Act (sections 29-36), the Home Secretary was to present to Parliament a Code of Practice governing the use of surveillance camera systems, including CCTV and Automatic Number Plate Recognition (ANPR). Now go and visit this site. They summarize this Act. I haven’t looked in detail yet, but from what I have read it looks more like it is protecting the rights of the citizen rather than vice versa.

The Code sets out 12 guiding principles which systems operators should follow:

(1) Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
(2) The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
(3) There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
(4) There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
(5) Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
(6) No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
(7) Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
(8) Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
(9) Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
(10) There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
(11) When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
(12) Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

It’s amazing the amount of discussions there are on how to secure information in the cloud when we are walking around with sensitive information on a portable hard drive, maybe even a USB stick!

There have been two cases recently of lost personal information. One concerned information pertaining to Canadian students; in the other, in April 2013, the Investment Industry Regulatory Organization (IIROC) admitted that the personal information of 52,000 clients from dozens of investment firms had also been compromised.

Remember when UK HM Revenue and Customs lost computer discs in 2007 containing the entire child benefit records, including the personal details of 25 million people – covering 7.25 million families overall? There are loads of reported cases and probably many more unreported!

OK so how do we solve this? According to Daniel Horovitz it is about security awareness and policies that are enforced. With this I concur completely. However, I am also thinking: what if no personal data was stored on any local device anywhere, and it was all web-enabled, in a private cloud or a shared cloud? It would bring the BYOD movement closer, and surely it must be safer than a mobile HD? Clearly security awareness and policy enforcement are essential, but they still do not seem to be working. If they were, then these incidents would not be happening.

Came across this rather interesting blog post in Computer Weekly almost a month ago. Just scroll down until you get to the sub-title “Identity Assurance” to find this, that I have quoted for your convenience below, and more if you are interested.

“The Government Digital Service (GDS) has devised a fresh approach to building online trust: the Identity Assurance (IDA) programme. The aim is to allow users to prove their identity, or other information about themselves, using services from private-sector organisations. In the IDA model, individuals and businesses will be able to ‘reuse’ existing trust relationships to interact with government (and ultimately with each other): for example, a customer might use their online banking credentials to prove their entitlement to a public authority so that they can claim benefits. GDS is working with key authorities to deliver the necessary technical, commercial and regulatory infrastructure to make this new approach possible.

GDS is also developing a market of companies wishing to act as Identity Providers (IDPs), who will have to bid for the right to do so, and undergo rigorous independent certification to ensure that their security and commercial controls are appropriate. Eight Identity Providers have been selected to provide the first set of IDA services in support of pilot activities from October 2013. Those IDPs are working together under the aegis of the Open Identity Exchange (OIX) to deliver the technology, commercial and legal approaches needed to make the service a reality.”

LOL, I love this from the UK government initiative to attract budding hackers. They have posted a puzzle that is to be hacked. If you hack it, well, you could have the privilege of being offered a post as a UK government spy. Read more here.
