E-Voting

At my last Union branch meeting, we heard from Gemma Short of the right to strike campaign. As one part of her presentation she mentioned that one of the Unions’ responses to the recent Trade Union laws is to demand that they can run strike ballots (and the mandatory political levy and elections) using e-voting technology. I have been thinking about this for a while and its fans need to take stock; there are some inconvenient truths. …

At Orgcon 17

I am just back from orgcon17, and here are my notes; this was a two day conference, with many sessions on issues of concern to digital liberty campaigners on regulation of the use of personal data. It took place over two days, consisting of lectures & panels and workshops. On the first day, at Friends House, where we had the use of the amazing central meeting room, it looked at the coming legislation on investigatory powers, the use of the law to make political advances (it’s slow & uncertain), and an interview with Caroline Criado Perez, the campaigner who got the first woman on British bank notes and a women’s statue in Parliament Sq. It looked at e-voting systems in Taiwan where the government used a consensus building software product to engage the population in traffic management solutions design. Jamie Bartlett spoke about privacy vs. security. There was a session on Digital Liberty & regulation in Nigeria. There was also a session on the privacy vulnerability to the coming “age verification for porn users” regulations. Many of these lectures are available on the ORG’s Video channel.

The second day consisted mainly of workshops focused on campaigning. There was a workshop that reviewed the technical architecture of the investigatory powers bill (as they then were i.e. the architecture and legislative stage). There was a workshop on using the Freedom of Information Laws to enhance campaigning, and also about the likely campaigning tools to be offered by the coming General Data Protection Regulation (GDPR) i.e. enhanced subject access requests, the right to be forgotten, of remediation and to object and stop processing.

There were sessions on building local Open Rights Group groups, how to perform IT security effectively for campaigners and a review of the ORG’s Blocked tool.

I chaired a session on building a Charter of Digital Rights, with Richard Barbrook and Mara Leverkuhn. Richard announced his initiative to put some more detail behind Jeremy Corbyn’s Digital Manifesto, which they created to support his 2016 Leadership Campaign. I documented/advertised this session on my blog https://davelevy.info/digital-liberties/

ooOOOoo

The relevance of this conference to CISSP certification is in the Regulation & Compliance domain. One of the critical risks to IT organisations is failing to keep up with laws and regulations. The ORG focuses on the law as it relates to privacy, censorship & intellectual property. Businesses need to keep these laws in mind when designing their risk taxonomy and control catalogue.

This was written in Oct 2018, nearly 12 months after the event; I did it to claim CISSP CPD Credits. I have, as is normal for me in these circumstances, backdated the article to the time of occurrence. …

Search Prominence in Politics

In 2011, Andrew Rhodes wrote a paper entitled “Can Prominence Matter Even in an Almost Frictionless Market?” He models consumer behaviour in frictionless markets and the role of search engines and their paid placement on the search results page. I have had a look at the article because I am the target of one of Lewisham Labour’s candidates for Mayor’s Google ad campaign. I look at what Rhodes did, and ask a couple of questions about how applicable his model and assumptions are. …

Sunset, finally?

Simon Phipps comments on Oracle’s decision to close down the SPARC and Solaris business units. He was close to the politics of Sun’s “Dash to Open” in the mid noughties. My feeling is that Sun had failed before Schwartz was appointed; there was no longer room for a differentiated hardware company; Oracle’s failure to monetise the SPARC product line may have been caused by management hubris, but the long term economics …

Fines, Enforcement and good faith

We then considered enforcement trends. The total number of fines is going up; the maximum under the DPA is £½ m, the maximum under the GDPR will be €20m or 4% of global turnover. Today the ICO can fine under two laws, the Data Protection Act and the Privacy and Electronic Communication Regulation (PECR), which regulate Data Controllers and Processors and direct mailing houses respectively. The ICO have taken more interest in the DPA since they gained fining powers. This note looks at the record in court, the change in enforcement powers, and notes that the preponderance of fines have been levied due to inadequate technical protection. …

An overview of issues with the GDPR

At the BCS legal day, a presentation was made entitled “Key Issues” which they started with a quote from Jan Albrecht MEP (the Rapporteur),

“[The] result is something that makes (as we intended from the beginning) everybody equally unhappy, but at the same time is a huge step forward for all sides involved.

Jan Albrecht MEP”

It is hoped that business opportunity will be created by a harmonisation of regulation across Europe with a goal of improved privacy for its citizens. The harmonisation is constrained by the Restrictions Article, which excludes areas of law from the Regulation and creates nationally authored variances.  …

BCS Legal Day

I attended the BCS ISSG Legal day where the priority was the coming General Data Protection Regulation. I believe that the day was held under Chatham House rules, which means that comments cannot be attributed. I prefer to work on more open terms; it allows me to attribute credit to those who have informed me or changed my mind but the notes have been anonymised. The running order has been changed to make the story better and to conform to my preferred priority order, of principles, rights, obligations and enforcement. The day consisted of two presentations, entitled “Key Issues”, “the Data Protection Officer” and one on trends in enforcement. I have written these notes over the last week, and backdated them to the day of occurrence. These are a bit less polemic than my recent articles here, but for various reasons I have been reminded that that’s how they once were; I hope these articles are useful to my more technical readers. Some of the discussions and issues may interest those that follow me for politics. …

The Digital Economy Act (again)

The Digital Economy Act 2010 showed the long term goal of the entertainment industry: they want to criminalise file sharing. At the time, individual acts of copyright infringement were civil acts and the copyright owners had to pursue them through the courts, one at a time. This is expensive, slow, uncertain and most importantly expensive, compared with the cover price of a CD or DVD. The DE Act did that; it also sought to automate the justice system, and in order to do that it weakened innocent until proven guilty by prescribing defences, and also placed a charge on going to court to argue not guilty. It really was a shit piece of legislation. However, the Law stated that the costs of surveillance and discovery had to be shared by the copyright owners and the internet service providers. The Courts struck down this part of the Law, (see here … for more) …