Losing one’s way

Over the last few days, the Guardian has broken the story of the illegal use of personal data in the US 2016 general election. We are now waiting for the trail to come back to UK politics, in particular, the use of Cambridge Analytica (or one of its associates) by the alliance of Leave organisations. The data was stolen, well acquired, from Facebook, but it seems they knew for two years and there is some argument as to their corporate complicity. Their Chief Information Security Officer has been on the way out since the end of last year and some stories suggest it’s because he argued for greater openness in co-operating with the enquiries into Russian state sourced fake news.

Citizens, their representatives and law makers have been arguing that IT companies should have a duty to report security breaches to law enforcement and the EU is introducing such a law now; such Laws exist in California which is where Facebook is headquartered. We should also note that their duty to protect their users personal data is governed by the US privacy laws, the now defunct EU Safe Harbour agreement and its successor, the Privacy Shield. In addition, the US signed up to the 7 Principles of Data Potection when first declared by the OECD.  It is a fact however, that many US business executives (and their employees) consider the European Data Protection laws as non-tariff import barriers, not that this should matter but I have no doubt that considerable time has been spent in determining where the line between legality and illegal activity stands.

There are several factors in the US political culture which often makes it hard for the US to obey foreign laws (and their own), one of them being, that they often have difficulty in legitimising their own laws and law enforcement.

This is, to me, summarised in the 10th Amendment, one of the Bill of Rights amendments to the US Constitution.

The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

There is a beauty to the sentiment and an economy to the words, but they are a fundamental challenge to the rule of law. (Is this a bit extreme?) The Citizen’s United ruling, which upheld the citizen’s free speech rights for an association, can be taken to mean that corporations have citizenship rights. US Laws are hard to make and often Laws re challenged in court often to the Supreme Court asking for laws to be struck down as unconstitutional. The upshot of all this is that politicaly citizens can take a view on whether a law is legal in the knowledge that if they win, unlike in Europe & the Antipodes where the Government’s have majorities in their legislatures and will rewrite the laws, they get to do what they want.

The US tradition of a people’s access to justice, showcased by the Judge Judy show is also admirable, if a bit bizarre to UK eyes but it is another dimension of the US commitment to rights and the rule of law; they’e just a bit weaker in understanding collective and inalienable rights, such as privacy (except from Government).

We also have the growing dichotomy between companies Legal and Compliance teams, with Legal advising under the protection of client/attorney privilege in the best interests of their clients and Compliance having a duty to the public advising how not to break the Law.

One can see how US Companies might lose their way. It’s nothing to be proud of though, the UK route to corruption is just shorter as currently viewing the C4 news program on Cambridge Analytica will show.

Do politicians understand? They may not understand the details of the tech., but they do understand Human Rights law and the rule of law, although some of the House of Commons are to quote the shadow chancellor “Fucking Useless”, and the select committees could do with better advisors;  the purpose of the witnesses is to deliver this advice and knowledge, but you need to know the questions and understand the answers. You need a nose for a cover up and to know the 2nd question.

The Data Flow implications of Brexit

The Data Flow implications of Brexit

Project Fear or Project Reality about Brexit continues and while risks to banking, air travel, radio-therapy and the pan-European integrated manufacturing supply chains are all making the headlines, there is also a serious problem with maintaining data flows particularly of personal data, which underpins both secondary & tertiary sector industries.  This article looks at the threat to trade involving data flows posed by Brexit and looks at the likely shape of US/EU data flow and privacy regulation.

Manifesto bingo, digital liberty and the internet

Manifesto bingo, digital liberty and the internet

I have had a look  at the manifestos and see what they have to say on the internet and Digital Liberty. I have been very influenced by the EDRi voting exchange and summarise the issues of Digital Liberty as e-citizenship, equality before the law, privacy and copyright reform, to which for this election we must add internet governance and industrial & innovation policy. I have created a table summarising the positions of the Tories, Labour, LibDems and Greens. Possibly I should have analysed the SNP manifesto since much of this is Westmister reserved powers. I was hoping to write something easy and quick to read. I don’t think I have succeeded. My super summary is in the figure immediately below, and here is the table I built to help me write this article. (I lost the excel file, so this will have to do!)  My main source was the ORG pages but I have been reading the Labour Manifesto also. I feel that the opposition parties have suffered from the surprise; they probably expected more time to develop their promises. All three opposition parties 2015 manifestos covered these issues in more depth. 

Fines, Enforcement and good faith

Fines, Enforcement and good faith

We then considered enforcement trends. The total number of fines is going up; the maximum under the DPA is £½ m, the maximum under the GDPR will be €20m or 4% of global turnover. Today the ICO can fine under two laws, the Data Protection Act and the Privacy and Electronic Communication Regulation (PECR),  which regulate Data Controllers and Processors and direct mailing houses respectively. The ICO have taken more interest in the DPA since they gained fining powers. This note looks at the record in court, the change in enforcement powers, and notes that the preponderance of fines have been levied due toinadequate technical protection.

An overview of issues with the GDPR

An overview of issues with the GDPR

At the BCS legal day,  a presentation was made entitled “Key Issues” which they started with a quote from Jan Albrecht MEP (the Rapporteur),

“[The] result is something that makes (as we intended from the beginning) everybody equally unhappy, but at the same time is a huge step forward for all sides involved.

Jan Albrecht MEP”

It is hoped that business opportunity will be created by a harmonisation of regulation across Europe with a goal of improved privacy for its citizens. The harmonisation is constrained by the Restrictions Article, which excludes areas of law from the Regulation and creates nationally authored variances.

Why you should be bothered about the Snoopers Charter

Why you should be bothered about the Snoopers Charter

Late last year, the UK Parliament passed the Investigatory Powers Act 2016. This law builds on the Regulation of Investigatory Powers Acts and the Data Retention Laws. This law allows the Government to store all our electronic communications traffic, read the content and meta data and co-opt the product and service vendors to help them. I describe this in more detail below.

The Law was written in the aftermath of Court of Justice of the European Union’s (CJEU) ruling in the Schrems vs. Facebook case that the EU’s Data Retention Directive and hence the member state implementations were in contradiction to the EU’s human rights law, the Charter of Fundamental Rights. Parliament had considered aspects of these proposals twice before under the two previous administrations and rejected them.

This article looks at the new Law, criticises it on Human Rights grounds in that it jeopardises the right to privacy, the right to organise, the right to a fair trial and rights to free speech and on IT Security grounds in that the new regulation of encryption products jeopardises access to electronic trust and privacy. It also examines the likely impact of the recent CJEU ruling on the legality of its predecessor law, and in passing, likely conflicts with last year’s passage of the General Data Protection Regulation (GDPR) by the European Union.

Oi!, You! No snooping on my emails and chat!

Oi!, You! No snooping on my emails and chat!

Earlier this week, the Court of Justice of the European Union delivered its judgement on the legality of the UK & Swedish data retention and surveillance laws. They confirmed their ruling from 2015 that general monitoring is illegal, that retention must be specific and is only allowed to combat serious crimes, that access to surveillance records must be authorised by independent authorities and that EU data subjects must be have access to legal remediation if their rights to privacy are breached. The Guardian report on it here, the Independent here ,the Register here and even  the Daily Mash comments here. The UK’s Investigatory Powers Act also gives the government the right to mandate backdoors in UK operated communications products; these powers may also fall foul of the prohibition on general monitoring and the need for independent review. While the ruling is specific to the UK’s DRIPA law, which has now been replaced by the Investigatory Powers Act, it poses a clear challenge to the legality of the new Law.

A note on the coming GDPR

A note on the coming GDPR

In a blog at my employer’s site I looked at how to become compliant with the EU’s General Data Protection Regulation. Regulations are the Law in all the member states, and members of the European Economic Area. The article looks at the issues of consent, the new data subject rights, privacy by design, the meaning of adequate protection and new public accountability via the duty to report breaches and to appoint a professional data protection officer.

More on Brexit

More on Brexit

Many the implications of the vote to leave the EU has been exercising my mind. I have finally got my notes & thoughts to publish my initial views on the politics of the aftermath; this article attempts to limit itself to the events and thoughts of the first week after the referendum. I have published them as at the date I started my storify where I collected the sources I wanted to quote. This is because it is one of a planned series, I plan to follow up with a piece on immigration, one on Labour Party and Left unity and one on the mutation of capitalism and politics.

One of the reasons for my delay was that I was asked for a number of quotes in the IT trade press which took some writing time. I have posted the complete quotes as three articles in linkedin pulse, on Cybersecurity, Privacy & Trade and the single market, covering innovation, TTIP & Privacy and net neutrality.