Managing Compliance Software

I have just published on my LinkedIn blog a little essay on managing software used for the purpose of compliance. One key insight which one might consider is that these programs are being used because you have to, not because you want to. Also, society does not want businesses innovating the compliance software; we need to know it does what society requires, not what the business wants. This makes the governing super strategy for these applications one of “operational efficiency”, or in Dan Remenyi’s model, a “support” system. For compliance systems it is advantageous to buy or adopt a package and to adopt the package’s optimum process; society has confidence that companies are complying with the law, and the companies share the maintenance costs and get a superior product and support. In some cases, the requirement that society has confidence that compliance is correct leads to the regulators giving companies the software or running it themselves. …

Balancing interests

I have been thinking about secure election systems for a while. Two events have provoked me to consider this issue today. Firstly, I was looking at building a voting system in WordPress and came across YOP Poll which does not have a secret ballot hidden from the system administrators. Secondly, the Lewisham Momentum meeting tonight it seems is going to have Momentum staff or nominees on the door.

The point of principle is that when building trustworthy systems, they must have a segregation of duties and are best observed by competing interested parties who can call foul if something wrong is happening.

In the examples above, neither the software, nor its administrators should be trusted, and in the second example, since there is no audit of their decisions neither should the door keepers who are accountable to no-one. …

Big Brother. No, not the TV show

The police are building a new super database combining records with “intelligence”. Liberty have withdrawn from the government consultation as they rightly feel that it’s a breach of our privacy rights and even the government admit that much/some of the data has no lawful purpose. (I see an ECHT case coming on.)

I have three comments to add.

The Guardian article states that the database will be held on a private cloud provider’s systems; if US owned, then the databases will be subject to US FISA warrants, so the “encrypted at rest” security solution had better be pretty good as the best in the world may be looking for it.

Secondly, government data leaks! The legal precedents in this country show that while the Government may build systems for one purpose, the courts may force disclosure to them in the resolution of private/civil disputes. The first Norwich Pharmacal warrant was issued against the HMRC as the plaintiff showed that the defendant’s tax records were relevant to the court. It seems that there is a public interest defence against these now, and ensuring the Government’s ability to keep its secrets would seem to be in the public interest, but we’ll see.

Thirdly, the intelligence databases as noted probably fail the need for a lawful purpose, and fail to deliver most of the privacy rights legislated for by the GDPR, most obviously the need to ensure that personal data is accurate.

I am glad I am still a member of Liberty, and I’ll help them. …

Tory Conference Data Breach

Over the weekend, it seems to have been established that the Tory Party’s conference app suffers a major security flaw and that personal details of its users are available to all. While the BBC seem concerned that the ex-Foreign Secretary’s details are available, it’s of equal concern that all the journalists are also exposed. The maximum fine for any breach is €20m.

A further problem is that under the new laws, people who suffer a breach of rights no longer have to prove harm. This would seem to be a breach of rights and so will be treated at the serious end of the spectrum and there’s a low burden of proof.

Additionally, I would add, this app should have had a data privacy impact analysis, and if deemed a high risk, permission needs to be sought from the ICO to deploy it.

The cyber-security controls should have been defined before and tested before and after the DPIA.

The Tories have 72 hours to notify the ICO of the breach and will need to consider remediation for each and every user impacted.

I am sure the ICO would not want the Tories to be their first case as they would like to have established a precedent-based tariff; they wouldn’t want the governing party to be the precedent; expectations are that the ICO will be one of the more forgiving of the European data protection supervisory authorities. …

I.T. implications

In my many articles on Labour’s Democracy Review, and in a preview I talk about the Information Technology implications of Labour’s coming rule changes. I have extracted the following quote from my article, The denoument, as I’d like it to be easier to find,

In the NEC rule changes as presented to Conference the NEC talks about using IT to maximise participation. All constituency documents are to be available to all members via a clockwork platform, sorry, I made it up, an electronic platform, “provided by the Party”; I hope that’s the national party as I have thought hard about this and creating a shared disk is not hard, managing the Access Control List (ACL) is, particularly if your membership and volatility is large.

 …

The fringe & TWT

I was a delegate this year, and so attendance at even the official fringe meetings was not easy, the conference is a very full day. The one thing I have observed is that the reality is that “The World Transformed” creates an additional paywall on attending the fringe and this year they were poor at advertising their events, although I did not buy a ticket and so may not have been as well informed as I might. I am not sure this is truly the way to go, Conference is expensive enough as it is and you’ll know from much of my writing that charging for material which can be distributed for free is both morally & economically wrong, but also restricts the power of your message.

The fact is that TWT competes with the Labour Fringe, although it might be much cheaper to organise inside TWT if you get permission.

Others have made pointed comments about their views on the relevance of some sessions to a socialist party. …

Reference back

Every reference back on the NPF report was carried although with the new majority on the NPF this may change but the key thing is that no notice is required! The platform and front bench can be taken by surprise. I see more restrictions on this being written into the new Conference Standing orders. …