Privacy & compliance, reprised

I have had a look at the changes in Law, and thus the potential changes in data protection strategy since I first wrote about the conflicts between privacy, compliance and law enforcement.

The US courts have been siding with citizens and their privacy rights, and the ECJ has been doing the same. Parliament has been going in the opposite direction, although the Supreme Court has declared the Data Retention laws to be contrary to Human Rights Law. Should we actually leave the EU, we will find obtaining an “Adequacy” agreement harder than we’d hope, as the EU Parliament, the Commission and the EU Data Protection Supervisory board focus on the right to privacy from Governments. This will be a significant problem if the ECJ strikes down the model clauses and binding corporate rules.

I briefly touch on the fact that the European Laws are meant to implement the globally agreed seven principles of Data Protection, of Notice, Purpose, Consent, Security, Disclosure, Access and Accountability, and that in a rights based jurisdiction these rights must be protected from the Government as well as from Corporates.


The language has developed since, but these principles were agreed by the OECD in 1980.

I conclude the article by saying,

Today, under EU law, the lawful purpose would seem to be more flexible, cross border transfers are more restricted, and may become more so, and the EU is more concerned about nation state compliance; it’s what you’d expect from a political entity consisting of states and the children of people surviving fascist or Stalinist rule.

This political heritage should be remembered by those that see these laws merely as a business burden, …

Wannacrypt, a story

The NSA’s exploit for older Microsoft operating systems (the EternalBlue SMBv1 exploit, leaked by the Shadow Brokers) is weaponised and released to the internet, most publicly and massively impacting the UK’s NHS, which had taken the decision not to move forward from Windows XP, a product for which support by its authors ceased in 2014. This was meant to be quick and a source list for a blog article, but as ever it took too long.

This is a storify I made at the time and have transferred to this blog, published as at the date created. …

Freedom of Information

I have been looking at a couple of association/organisation constitutions, both of which have rules controlling the way in which some people, by which we mean those in a minority, can communicate information about the conduct of business to members and/or the public. On thinking about it, I wonder if these rules fall foul of the ECHR Article 10 rights, the freedom of speech right. While the US version is famous, and rightly so, it is much more explicit about speech and publication; the European version talks of the right to receive information.

Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.

  …

Losing one’s way

Over the last few days, the Guardian has broken the story of the illegal use of personal data in the US 2016 general election. We are now waiting for the trail to come back to UK politics, in particular, the use of Cambridge Analytica (or one of its associates) by the alliance of Leave organisations. The data was stolen, well acquired, from Facebook, but it seems they knew for two years and there is some argument as to their corporate complicity. Their Chief Information Security Officer has been on the way out since the end of last year and some stories suggest it’s because he argued for greater openness in co-operating with the enquiries into Russian state sourced fake news.

Citizens, their representatives and law makers have been arguing that IT companies should have a duty to report security breaches to law enforcement, and the EU is introducing such a law now; such Laws exist in California, which is where Facebook is headquartered. We should also note that their duty to protect their users’ personal data is governed by the US privacy laws, the now defunct EU Safe Harbour agreement and its successor, the Privacy Shield. In addition, the US signed up to the 7 Principles of Data Protection when first declared by the OECD. It is a fact however that many US business executives (and their employees) consider the European Data Protection laws as non-tariff import barriers, not that this should matter, but I have no doubt that considerable time has been spent in determining where the line between legal and illegal activity stands.

There are several factors in the US political culture which often make it hard for the US to obey foreign laws (and their own), one of them being that they often have difficulty in legitimising their own laws and law enforcement.

This is, to me, summarised in the 10th Amendment, one of the Bill of Rights amendments to the US Constitution.

The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

There is a beauty to the sentiment and an economy to the words, but they are a fundamental challenge to the rule of law. (Is this a bit extreme?) The Citizens United ruling, which upheld the free speech rights of an association, can be taken to mean that corporations have citizenship rights. US Laws are hard to make, and Laws are often challenged in court, frequently up to the Supreme Court, asking for them to be struck down as unconstitutional. The upshot of all this is that politically citizens can take a view on whether a law is legal in the knowledge that if they win they get to do what they want, unlike in Europe & the Antipodes where the Governments have majorities in their legislatures and will rewrite the laws.

The US tradition of a people’s access to justice, showcased by the Judge Judy show, is also admirable, if a bit bizarre to UK eyes, but it is another dimension of the US commitment to rights and the rule of law; they’re just a bit weaker in understanding collective and inalienable rights, such as privacy (except from Government).

We also have the growing dichotomy between companies’ Legal and Compliance teams, with Legal advising under the protection of client/attorney privilege in the best interests of their clients and Compliance having a duty to the public, advising how not to break the Law.

One can see how US Companies might lose their way. It’s nothing to be proud of though; the UK route to corruption is just shorter, as the current Channel 4 News programme on Cambridge Analytica shows.

Do politicians understand? They may not understand the details of the tech, but they do understand Human Rights law and the rule of law, although some of the House of Commons are, to quote the shadow chancellor, “Fucking Useless”, and the select committees could do with better advisors; the purpose of the witnesses is to deliver this advice and knowledge, but you need to know the questions and understand the answers. You need a nose for a cover up and to know the 2nd question. …

The subversion of democracy by big data

The fabulous Carole Cadwalladr brings us the next instalment of undoing the surveillance state’s control over our democracies.

In an article, “The Great British Brexit Robbery”, she and the Guardian showed how the Tories and the Brexit Leave Campaigns had used US Data Analytics companies to influence the Brexit referendum. It is alleged that the personal data was obtained illegally, that its processing was illegal and that it was an undeclared election/referendum expense. The evidence was sufficient for the Information Commissioner’s Office and the Electoral Commission to launch investigations.

Over the last two days, Facebook have suspended Cambridge Analytica & one other company, and the latter’s Principal, for breaking their terms and conditions and in one case a breach of a contract not to pass data on. The story is reported in the Guardian under the headline “‘I made Steve Bannon’s psychological warfare tool’: meet the data war whistleblower”, which documents the contractual paper trail. This happened two years ago and it is alleged that Facebook knew of it then. It is a crime in many jurisdictions, including California, not to notify either the regulators or the data subjects of a breach/leak of personal data.

Sadly 🤔 they have been accused of misleading the House of Commons select committee inquiry into Fake News. In oral evidence it was denied that Cambridge Analytica had Facebook data. Its Chair, Damian Collins, is quite forthright, accusing Facebook of sending under-informed representatives to answer the committee’s questions. The phrase wilful ignorance comes to mind.

As Brits, we need to see if crimes were committed during the 2015 & 2017 General Elections and/or the Brexit Referendum, but this can’t be good for Facebook’s reputation.

ooOOOoo

I wish we still had Storify, this is one for them.

The image is from the Guardian on the story on Parliament’s reaction. …

Bitcoin

This is a long diatribe at Hacker Noon about the Bitcoin bubble and the blockchain hype. I had been considering writing something similar, although my focus was on the excessive use & cost of electricity to “mine” coins and the demonstrable industrialisation and economic consolidation of the mining operations.

Bitcoin, in particular, has a shrinking use as a means of exchange, as identified by this Business Insider preview of a Morgan Stanley opinion. This is compounded by the fact that the transaction fees are now too high for small or micro payments, and that it is not real time (it can take minutes to clear) and thus cannot be used for transactions that require simultaneous exchange, be it a cup of coffee or a house.

The block chain does not scale well, despite the massively distributed architecture. If its performance is matched against, say, Visa or other significant global payment processors, Visa is rated at 60,000 transactions/sec (TPS) whereas Bitcoin maxes out at 7 TPS. So not only is it expensive, but it can’t cope with real world volume; it’s just as well that small transactions are deserting the platform.

What started me thinking this time round was the realisation that the amount of power required to “mine” the currency grows and is now significant. While the compensation for the miners is scrip/free, the real cost in electricity, and thus carbon pollution, is significant. This adds to the cost, both internal but more importantly external. The planet cannot afford the electricity and the carbon footprint needed to virtualise global capitalism’s money supply.

Kai Stinchcombe argues that the lack of regulation is also a disincentive to use crypto currencies, examines the Ethereum/DAO hack and draws the conclusion that on the whole society needs contracts to be interpreted by people, not by software.

Money must be a means of exchange and a store of wealth; block-chain crypto-currencies are struggling and increasingly failing to be the former, and their current price peaks, historic volatility and lack of a regulator suggest they are weak as the latter. Is it just a con? …

Working Title

Today, I wrote to Labour List and proposed to write an article for them.

I’ll take help on the title but currently working with “Privacy Law, canvassing and registered supporters”

Next year, on 25th May, the EU’s General Data Protection Regulation comes into force. Among other things it will prohibit the storage and processing of canvass returns without freely given, informed and explicit consent. We will have to prove that consent has been obtained and be able to tell electors everything we know about them.

The simplest answer to these new compliance requirements is to extend the registered supporter arrangement, make it an ongoing contract so that the agreement can include privacy clauses. The ambition would be to extend the scheme to high proportions of our voter base. For this purpose, the fee would need to be low, nearer £3 than £25.

ooOOOoo

I should add that without some form of reform, the retention of the Registered Supporters data in the membership system is in my mind questionably legal, as it breaks the storage limitation principle. When compliance ruled that Registered Supporters could not be invited to members’ meetings, they made the sole purpose of holding the data the leadership election. This purpose was confirmed when the NEC required re-registration of the registered supporters at £25 in 2016; the consequence of such a decision to my mind negated the purpose of the original registrations. …

Toxic Combinations

I have written a piece about Segregation of Duties and Toxic Combinations on my LinkedIn blog. The bulk of the article talks about how to organise staff roles and responsibilities to meet the standard admin/developer segregation of duties rules in IT organisations, but it also talks about the need to apply segregation of duties in the justice system. I say a bit more here and comment on lessons for the Labour Party.

In the world of police and justice, the need for a segregation of duties has long been understood. It is known that an uncontrolled police force is the mark of a totalitarian society. In most democracies, the police investigate a crime, identifying witnesses and evidence; independent prosecutors take the decision to prosecute; and courts hear the case, with the split between the judge, who issues penalties, and the jury, who assess the facts and determine guilt, being a further separation of duties. Measures are taken to eliminate conflicts of interest by having judges step down if there is a conflict of interest, for instance if they are a participant in the case as complainant, defendant or witness, and to ensure that crimes committed within each of these roles cannot be covered up. Whether the Independent Police Complaints Commission, the Bar Association, the Judicial Appointments and Conduct Ombudsman or their international equivalents are enough is a question for debate, but their existence is a crucial part of the defence of justice.

In the febrile atmosphere of the Labour Party today, the lack of control over the General Secretary and his staff, together with the failure to adopt a modern segregation of duties, means the General Secretary acts as investigator and prosecutor. He is also the employing manager of the Regional Directors, who often also act as Judge & Jury. This growing and serious problem is, in many cases, compounded by a lack of grievance and whistle-blower processes. The aggressive use of the complaints process and the often dual role of complainants as role holders in the process is also a problem. The Chakrabarti report saw the lack of professional lawyers, i.e. a legally qualified Head of Legal, partly as a skills issue, but a professional lawyer’s strong binding to act as an officer of the court and to preserve their professional registration would be a significant advance on what we have today: a bunch of people trained in the worst of student and trade union politics, where winning counts for more than justice and there is no accounting of collateral damage. …
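The segregation of duties rules described above, both the admin/developer kind and the investigator/prosecutor/judge kind, can be written down as a list of toxic role pairs and checked mechanically against who actually holds which roles. The following is an added example, not code from the LinkedIn article; the role names, the group structure and the user directory are all constructed for illustration. It shows the check a practitioner would actually want: roles inherited through group membership are flattened before testing, because that is where most real toxic combinations hide.

```python
"""Toxic-combination (segregation-of-duties) audit.

Added example, not the author's own code. Every role, group and user here is
hypothetical; the policy encodes the pairs the text says one person must not
hold: developer + production admin, and any two of investigator, prosecutor
and adjudicator (plus complainant + adjudicator).
"""
from itertools import combinations

# Constructed SoD policy: unordered pairs of roles that one principal must not
# hold simultaneously, with the reason the pair is toxic.
TOXIC_PAIRS = {
    frozenset({"developer", "prod_admin"}): "can write code and deploy it to production unreviewed",
    frozenset({"investigator", "prosecutor"}): "decides whether to prosecute the case they investigated",
    frozenset({"prosecutor", "adjudicator"}): "judges the case they brought",
    frozenset({"investigator", "adjudicator"}): "judges the case they investigated",
    frozenset({"complainant", "adjudicator"}): "judges their own complaint",
}

# Constructed directory: groups grant roles; users hold direct roles and groups.
GROUP_ROLES = {
    "platform-team": {"developer"},
    "ops-oncall": {"prod_admin"},
    "regional-office": {"investigator", "adjudicator"},
}
USERS = {
    "alice": {"roles": {"developer"}, "groups": set()},
    "bob": {"roles": set(), "groups": {"platform-team", "ops-oncall"}},
    "carol": {"roles": {"prosecutor"}, "groups": {"regional-office"}},
    "dave": {"roles": {"auditor"}, "groups": set()},
}


def effective_roles(user, users=USERS, group_roles=GROUP_ROLES):
    """Direct roles plus every role inherited through group membership."""
    entry = users[user]
    roles = set(entry["roles"])
    for group in entry["groups"]:
        roles |= group_roles.get(group, set())
    return roles


def violations(user, users=USERS, group_roles=GROUP_ROLES, policy=TOXIC_PAIRS):
    """Sorted list of (role_a, role_b, reason) for each toxic pair the user holds."""
    roles = effective_roles(user, users, group_roles)
    found = []
    # Test every unordered pair of the user's effective roles against the policy.
    for a, b in combinations(sorted(roles), 2):
        pair = frozenset({a, b})
        if pair in policy:
            found.append((a, b, policy[pair]))
    return found


def audit(users=USERS, group_roles=GROUP_ROLES, policy=TOXIC_PAIRS):
    """Map each user holding at least one toxic combination to their violations."""
    report = {}
    for user in users:
        found = violations(user, users, group_roles, policy)
        if found:
            report[user] = found
    return report


if __name__ == "__main__":
    for user, found in audit().items():
        for a, b, why in found:
            print(f"{user}: holds {a} + {b} ({why})")
```

Run as-is, the audit flags bob (developer via one group, prod_admin via another, neither granted directly) and carol (all three justice roles, two of them inherited from the regional office group); alice and dave are clean. Adding a new toxic pair is a one-line policy change, which is the point of keeping the rules as data rather than as ad hoc checks.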

Equifax

Bruce Schneier testified to Congress on the Equifax breach and posted his testimony on his blog. Because of the political nature of the content it is less technical than his usual writing, and some of the comments are very superficial, complaining about the need for more regulation.

The problem is, as he says, that without regulation business won’t keep personal data secure. The problem is bad corporate behaviour.

His testimony, in my mind, shows the weakness of seeing this as a consumer protection issue. Much of the bad behaviour comes from 3rd parties; the data subject is not the customer and thus has no rights in tort, and in the US the FTC can’t pursue the data controllers. By placing privacy in a consumer protection framework, they also leave it to the victims of breaches to prove harm.

In the EU, our rights based legal framework means that a breach is harm, because our human rights to privacy have been infringed.

Schneier raises the GDPR as an example of how companies can be made to conform to better standards and raises the spectre of EU fines imposed on US companies. He also hints at the fragility of Safe Harbour/Privacy Shield. …