Google, the GDPR and Brexit

Google, the GDPR and Brexit

Google are going to move their UK users data from Ireland to the USA. I wrote a little note on my linkedin blog. I headline it as

Google are moving UK data from Ireland to the US … what does this say about UK/EU/US dataflows and ompliance with the GDPR and the world’s data protection laws.

I also point out the need for robust legal redress to comply with the GDPR, which the UK and USA may not meet and that the UK will lose access to the US Privacy Shield arrangements. I note that the UK will lose its member state privileges and powers under the GDPR when the transition period ends and that RIPA 2016 and the immigration exception of the DPA 2018 may cause the Commission some problems with respect to “Adequacy”.

I note that model clauses and binding corporate rules will remain in place and I wonder if this is a business opportunity for a European based phone operating system author as people choose to withdraw from Android? Nokia? Canonical? …

Digital Democracy

Digital Democracy

One of the motions proposed but not debated at the CLPD AGM was called “Digital Democracy & the need for greater voter participation”. It’s quite long at over 550 words and I planned to speak against it, by saying something like,

This motion, despite its length, says only two things: that we’ve read Corbyn/Barbrook’s Digital Democracy Manifesto and that we approve of a digital identity card as part of a system of access to e-voting in public elections.

I have read the manifesto and believe it is flawed, most importantly in it postpones the consideration of what human rights looks like in an age of the ultimate surveillance machine until after the election of a Labour Government, when it proposes a consultation. It proposes a People’s Charter of Digital Liberties but makes no mention of the work other campaigners for digital liberty have done in defining new Human Rights needs in a connected world and old Rights that need defending. These campaigning bodies include Liberty, the Open Rights Group, the Electronic Frontier Foundation and Labour’s members on the European Parliament’s LIBE committee.

But we can’t talk about e-voting without talking about Estonia, the poster child of e-voting, and its failed audits, and its proof that e-voting does not increase turnout, and its alleged failure to meet European data protection standards.

We can’t talk about e-voting without talking about the Surveillance State and its private corporate arm. It’s bad enough that the datenkraken can use our phones to spy on us, but I suppose the fact that the US government has access via them to all they know perhaps should reassure us that there is no risk to making a short cut to British Intelligence of our internet usage records, they already have it.

We can’t talk about e-voting without talking about the digital divide.

We can’t talk about e-voting without looking at whether the ERS removed votes from the 2015 Labour Leadership elections, a fact if true showing the vulnerability of the “transparency of the result” to insider attack.

We can’t talk about e-voting without talking about Russia’s interference in the US, British elections and the Brexit referendum through their advanced hacking capability.

We can’t talk about e-voting without noting that Verify, the current Government identity portal has been criticised as a failure by the Public Accounts Committee and now looks likely to be privatised.

We can’t talk about e-voting without looking at the fundamental criticisms of such systems, that they are hard to build, and it may be impossible to resolve the conflict between having a transparent result and a secret ballot; this is before we address the issues of coercion,  impersonation and 2nd party verification i.e. how to implement polling/counting agents in a proprietary software system.

In the US, engineers and electoral administrators are developing the systems to make this easier, requiring physical receipts of the cast vote, which are then electronically counted with statistical control samples manually counted.

This motion is technically premature at best and otherwise dangerous populist nonsense.

Please remit or oppose.

ooOOOoo

Interestingly, DARPA have announced an e-voting proof of concept, I am pointed at it by Bruce Schneier. …

Data and Versions

I am trying to write an article for my linkedin blog for which I needed to revisit something I wrote for Citihub. I decided to create a comment & mirror on this site, as my blog has outlasted seemingly mightier organisations then them. I originally commented on it as follows,

why encrypt inside the firewall, and why applications logs are important

On revisiting the article, the need to keep versioned copies of the data, like a wiki or a write-ahead log become more obvious, or I recognise as under emphasised in the original article. I also, this time, consider the inappropriate demise of “Entity Life History” analysis. …

Do the right thing!

A new linkedin blog by me on the fine print of the GDPR’s “legitimate interest”. The print is not so fine, and in summary, you don’t need to read the fine print to do the right thing.

When claiming a legitimate interest, the privacy rights of data subjects are established as controlling the data processor/controller’s legitimate interest by the requirement to recognise the “fundamental rights and freedoms” of the data subject. The “fundamental rights and freedoms” are defined in the Charter of Fundamental Rights

Due to indirection and thus undocumented nature of the data subject’s consent inherent in legitimate interest, I’d advise finding another lawful purpose. …

Looking back about Data Centre location

Looking back about Data Centre location

I just came across some writing I did while working at Sun Microsystems; they/we were considering building a cloud platform in Europe and I was part of the team evaluating the potential location. (This would have been 2008/2009.

The key driver for locations was thought to be firstly the IT infrastructure i.e. networks and power, an EU compliant data protection regime, and political stability, with skills supply coming a 4th.

We argued for London or Amsterdam, which is quite funny 10 years later as London looks to leave the EU and there are growing doubts about its GDPR compliance.

I argued that Sun needed to avoid dis-intermediation and retain brand loyalty; this may have been impossible as part of a Cloud offering but it had the world’s leading software superstructure products at the time. I argued that IaaS was not enough to make it work for Sun and thus initiatives like Project Kenai (a predecessor to GitHub) were important indicators of what we should do, although the font in which I did it was quite small. I didn’t see that this was crucial, but when Sun announced its cancellation, I knew that this was part of the end and a decision taken by those that fetishised hardware. Interestingly Oracle reversed this decsion, and it staggered on for another eight years. It was one of a huge number of destructive decisions taken by a management who won by luck until it ran out.

Interesting to see where I was right and where I was wrong and just how much has changed in 10 years. …

HRMS, a distressed purchase?

I was provoked by this on Hackernoon, and wrote a little piece on HRMS systems. I have just come back from a Trade Union course on Employment Law and wonder whether the US based systems built for Silicon Valley behemoths are suitable for UK based SMEs. I reference the Gartner MQ which seems to have come on in the last two years; google it, you can get to see it from one of the companies in the top right quadrant but I like their functional breakdown.

I state that a “person” data model is key and finish with the following quote,

HR functions need to define their mission statement, somewhere between “stop the staff suing us”, and “delivering a self-actualising company”; only then can the needs of the software be defined and developed, bought or rented.

 …

Five steps to Compliance

As we entered the ground rush zone for the GDPR a number of organisations issued numbered guidance documents in preparation. I joined in and published a blog article on my linkedin blog called “Beyond Adequate Protection”. This had my five point list of tasks to be GDPR compliant. I summarise them here,

  1. Know and document your personal data catalogue and its lawful purpose
  2. Create an identity solution for your data subjects, so subject access requests can be fulfilled
  3. Build a record keeping solution
  4. Ensure that your incident management solutions are compliant
  5. Implement changes to the software development Life Cycle(SDLC) to include privacy impact assessments

The original article deals with these in a bit more detail but I finish by saying that it’s only this easy if your organisation already meets the need to provide adequate technical and organisational protection.

 …

Facebook & the European Union

Techcrunch reports that the European Parliament have called for an audit of Facebook’s systems in the light of reported data breaches. Will Facebook be added to the long list of US Tech companies successfully regulated by the EU albeit mainly over monopoly issues. (Google, Microsoft, Intel, Oracle). This is shared power, that the UK will lose should we leave the European Union. …

A bit of an old hat

I am tidying up my flat and recovered a copy of my 1988 paper developed for Oracle Expo Europe of that year, called Developments in the UK Case Market. It looked at SSADM vs Information Engineering and how and why to implement these methodologies. It’s not as dated in content as one might think, although the language is a bit old fashioned. Obviously if using post relational design and implementation techniques some of it is a bit old hat but not having a data model will be a cause of regret. …