The Privacy, Identity & Consent Blog

The value of a US-style data breach notification law is questionable. Once notified of a breach, there is little that the data subject can do but remain alert to potential frauds. With the volume of incidents in recent times, most people would soon become tired of receiving notifications.

Clearly where sensitive personal information is lost, such as in the case of trainee doctors’ sexual orientation being erroneously posted on the Internet, there is a case for penalising the organisations concerned. Likewise, if fraud can be directly traced back to the loss or theft of data, then this should be prosecuted in accordance with existing laws.

Rather than creating a cumbersome and self-serving new regulator tasked with notifying individuals of breaches, we need to provide a ten-fold increase in funding for the existing Information Commissioner’s Office, which would give his team the necessary resources to investigate and enforce existing data protection laws. The US model succeeds because of a powerful and well-funded Federal Trade Commission, coupled with a litigious culture – not because of a well-meaning rule to force disclosure.

Microsoft has unveiled Beta 2 of Internet Explorer 8, and this is an important release from a privacy perspective. The new InPrivate tools allow users to surf anonymously, delete their browsing history and restrict adware.

Of course other browsers have offered enhanced privacy features for a while now - for example, Firefox has a host of security and privacy plug-ins - but this is particularly important because of Microsoft's 76% browser market share (depending upon how you measure it). The majority of Internet users have Explorer, and I suspect that the majority of 'novice' users - those who are worst-placed to protect themselves - will use Explorer because it came with their PC.

Critics have of course joked about InPrivate browsing in fact providing a 'pr0n mode' for users of shared or corporate machines to access adult content, but the mode is equally useful for accessing online banking where you might not want to leave any residual data on the machine. I'm less convinced by arguments that it can protect users on shared PCs - this is only true if you trust the machine, since it can't be long before someone 'skins' IE7 or IE8 to fool users into thinking they've enabled InPrivate browsing when in fact the machine is recording every keystroke and click. However, that's no different from the current situation for Internet cafes, and if you use them for anything sensitive then you'd be well advised to use a 'browser on a stick' such as an IronKey.

But that's just a minor point here. Microsoft's enhancements are welcome and timely. I'm upgrading to IE8 (you can do so here) and will continue to use it alongside Safari (my main browser because I'm a Mac user) and Firefox.

(Click through for further details of the new features in IE8)

Continue reading "Internet Explorer goes private" »

New Forest District Council has been rapped by the Information Commissioner for posting up personal information on its planning website. The problem is not new, and a number of councils have been warned about this in the past. However, having been warned before about this, New Forest's response to the criticism was: "... signatures and other unique information are not now available for public scrutiny".

Out of interest, I went to their planning portal, punched in a postcode and pulled down the documents from a random applications. Guess what? There's the signature, together with all the other personal information. In the very first document I downloaded. So, is the New Forest District Council lying, or do they not understand their own system? Let's hope the enforcement notice is in Monday's post - because I'm off to steal a pony's identity.

(Partial signature reproduced here)

The BBC is reporting that a man who chose a telephone banking password with Lloyds TSB of "Lloyds is pants" (he wasn't very happy with Lloyds at the time) had it changed to "no it's not" by a member of staff. Apparently "Barclays is better" was also rejected. Lloyds TSB has said that the member of staff concerned no longer works there.

I'm a very happy Lloyds TSB customer, but I won't use telephone banking until I get a two-factor token for authentication. Passwords should be secret, and even if the word is an expletive (which isn't clever, they're pretty high up the list on brute force password cracking dictionaries) then that should be my right to do so - after all, it's nobody else's business, is it?

Another day, another data loss, and another struggle for an original headline. However, the RBS / NatWest / Amex loss of 1m sets of personal information isn't as straightforward as it might at first look.

Continue reading "Meet the new loss, same as the old loss" »

Dave Birch has done an excellent job of describing a point that is oft-discussed in identity/privacy circles: that we in fact rarely need to identify ourselves. Government ministers bang on about how good citizens need to identify themselves many times each day. Utter poppycock. We need to prove entitlement to a service, or authenticate ourselves as the legitimate recipient, but we rarely need to identify ourselves. Please can we sit down with the policymakers and educate them on some of the most elementary principles of ID before they start writing user specifications for massive database systems? (Of course if we educated them properly, the systems wouldn't be massive in the first place).

I get particularly annoyed when I'm asked for inappropriate credentials. Government offices will very often request a credit card so that I can prove who I am when going into a building. What exactly does that prove? That I'm capable of stealing a wallet or making a false credit card? My solution is always to respond to a request for an inappropriate credential with an inappropriate credential: my favourite cards are my National Rifle Association membership (that always leaves security guards with a dilemma) or my CLAS membership (a little piece of laminated card that in theory says I have security clearance, but in practice has nothing to bind it to the bearer other than a name on the front).

Of course the politician's response to this problem is to day that it proves the need for an identity card. Oh no, it doesn't. It proves the need for an identity metasystem, and that's a very different beast indeed.

It's a corny title but an appropriate one: the Home Office has admitted to the loss of a memory stick containing personal information about every one of the 84,000 prisoners in England & Wales. This time the loss wasn't by a 'junior official' but by an organisation that should have known much better - PA Consulting did the lion's share of planning for the National Identity Scheme. Their staff have been immersed in HM Government Information Assurance procedures for some years now, so the very existence of an unencrypted memory stick with that data on it is inexcusable. The questions that need to be answered - and I hope this is by an independent enquiry - include:

• why was such a data set allowed to exist at all outside of the Home Office?
• what was it doing on an unencrypted media device?
• who authorised that transfer?
• what procedures did PA apply to protect the device?
• how do those procedures compare with CESG's requirements for securing data?
• why has it taken (allegedly) several days to reveal the loss?
• what penalties will be applied to the individual, company and department concerned?

At least in the post-HMRC world we've been told about the incident (although the cynic in me asks why - is it possible that someone has found it and coerced them into revealing the loss?). As Deputy Information Commissioner David Smith said, this shows how personal information can become a "toxic liability" if not handled properly. We expect to see a rigourous and transparent clean-up after this particular spill.

Despite more than 20 years of data protection legislation in the UK and efforts to encourage the adoption of privacy friendly technologies and ways of working, progress has been disappointing and data protection and privacy safeguards are often bolted on as inadequate afterthoughts rather than built into new developments from first principles. The Information Commissioner's Office has launched the 'Privacy by Design' project to start addressing this problem, and readers are invited to submit their views to the consultation.

Continue reading "Consultation: Privacy by Design" »

Kim Cameron - Microsoft's Architect of Identity, identity guru and all round decent chap, has been working on a simplified 'plain english' version of his Laws of Identity. This is an important piece of work, since it sets a number of key principles into a language easily understandable by all. If you've been scared off by the complexity of his work, then read on to see what they look like now.

Continue reading "Simplifying the Laws of Identity" »

The BBC is reporting that the Information Commissioner in Schleswig-Holstein, Germany, is calling for tougher privacy laws to tackle the illegal sale of personal data, some of which includes bank account details and phone numbers. And this in a country that already has the toughest privacy laws in Europe. Commissioner Thilo Weichert already has a track record of taking on the big boys - as SWIFT found out - so expect to see real results in this case.