Privacy & compliance, reprised

I have had a look at the changes in Law, and thus the potential changes in data protection strategy since I first wrote about the conflicts between privacy, compliance and law enforcement.

The US courts have been siding with citizens and their privacy rights, the ECJ has been doing the same. Parliament has been going in the opposite direction, although the Supreme Court has declared the Data Retention laws to be contrary to Human Rights Law and should we actually leave the EU we will find obtaining an “Adequacy” agreement harder than we’d hope as the EU Parliament, Commission and the EU Data Protection Supervisory board focus on the rights of privacy from Governments. This will be a significant problem if the ECJ strikes down the model clauses and binding corporate rules.

I briefly touch on the fact that the European Laws are meant to be implementing the globally agreed seven principles of Data Protection, of Notice, Purpose, Consent, Security, Disclosure, Access and Accountability and that in a rights based jurisdiction, these rights must be protected from the Government as well as from Corporates.

 

The language has developed since 1980 but these principles were agree by the OECD in 1980.

I conclude the article by saying,

Today, under EU law, the lawful purpose would seem to be more flexible, cross border transfers are more restricted, and may become more so, and the EU is more concerned about nation state compliance; it’s what you’d expect from a political entity consisting of states and the children of people surviving fascist or Stalinist rule.

This political heritage should be remembered by those that see these laws merely as a business burden, …

Wannacrypt,a story

The NSA’s hack on old Microsoft operating systems is weaponised and released to the internet, most publicly massively impacting the UK’s NHS, which had taken the decision not to move forward from Windows XP, a product for which support by its authors ceased in 2012. This was meant to be quick and a source list for a blog article, but as ever it took too long.

This is a storify I made at the time and have transferred it to this blog and published as at the date created. …

E-Voting

E-Voting

At my last Union branch meeting, we heard from Gemma Short of the right to strike campaign. As one part of her presentation she mentioned that one of the Unions’ response to the recent Trade Union laws is to demand that they can run strike ballots (and the mandatory political levy and elections) using e-voting technology. I have been thinking about this for a while and its fans need to take stock; there’s some inconvenient truths. …

At Orgcon 17

I am just back from orgcon17, and here are my notes; this was a two day conference, with many sessions on issues of concern to digital liberty campaigners on regulation of the use personal data. It took place over two days, consisting of lectures & panels and workshops. On the first day, at Friends House, where we had the use of the amazing central meeting room it looked at the coming legislation on investigatory powers, the use of the law to make political advances (it’s slow & uncertain), an interview with Caroline Criada Perez, the campaigner who got the first woman on British bank notes and a women’s statue in Parliament Sq.. It looked at e-voting systems in Taiwan where the government used a consensus building software product to engage the population in traffic management solutions design. Jamie Bartlett spoke about privacy vs. security. There was a session on Digital Liberty & regulation in Nigeria. There was also a session on the privacy vulnerability to the coming “age verification for porn users” regulations. Much of these lectures are available on the ORG’s Video channel.

The second day consisted mainly of workshops focused on campaigning. There was a workshop that reviewed the technical architecture of the investigatory powers bill (as they then were i.e. the architecture and legislative stage). There was a workshop in using the Freedom of Information Laws to enhance campaigning, and also about the likely campaigning tools to be offered by the coming General Data Protection Regulation (GDPR) i.e. enhanced subject access requests, the right to be forgotten, of remediation and to object and stop processing.

There were sessions on building local Open Rights Group groups, how to perform IT security effectively for campaigners and a review of the ORG’s Blocked tool.

I chaired a session on building a Charter of Digital Rights, with Richard Barbrook and Mara Leverkuhn. Richard announced his initiative to put some more detail behind the Jeremy Corbyn’s Digital Manifesto which they created to support his 2016 Leadership Campaign. I documented/advertised this session on my blog https://davelevy.info/digital-liberties/

ooOOOoo

The relevance of this conference to CISSP certification is in the Regulation & Compliance domain. One of the critical to IT organisations is failing to keep up with laws and regulations. The ORG focuses on the law as it relates to privacy, censorship & intellectual property. Businesses need to keep these laws in mind when designing their risk taxonomy and control catalogue.

This was written in Oct 2018, nearly 12 months after the event; I did it to claim CISSP CPD Credits. I have as normal, for me, in these circumstances backdated the article to the time of occurrence. …

Search Prominence in Politics

Search Prominence in Politics

In 2011, Andrew Rhodes wrote a paper entitled, Can Prominence Matter Even in an Almost Frictionless Market? He models consumer behaviour in frictionless markets and the role of search engines and their paid placement on the search results page. I have had a look at the article because I am the target of one of Lewisham Labour’s candidates for Mayor’s google ad-campaign. I look at what Rhodes did, and ask a couple of questions about how applicable his model and assumptions are. …

Sunset, finally?

Sunset, finally?

Simon Phipps comments on Oracle’s decision to close down the SPARC and Solaris business units. He  was close to the politics of Sun’s “Dash to Open” in the mid noughties. My feeling is that Sun had failed before Schwartz was appointed; there was no longer room for differentiated hardware company; Oracle’s failure to monetise the SPARC product line may have been caused by management hubris, but the long term economics  …

Fines, Enforcement and good faith

Fines, Enforcement and good faith

We then considered enforcement trends. The total number of fines is going up; the maximum under the DPA is £½ m, the maximum under the GDPR will be €20m or 4% of global turnover. Today the ICO can fine under two laws, the Data Protection Act and the Privacy and Electronic Communication Regulation (PECR),  which regulate Data Controllers and Processors and direct mailing houses respectively. The ICO have taken more interest in the DPA since they gained fining powers. This note looks at the record in court, the change in enforcement powers, and notes that the preponderance of fines have been levied due toinadequate technical protection. …