
News Archives

January 29, 2008

What's this blog about? Maybe you can tell me.

Welcome to the Privacy, Identity and Consent blog. Not the snappiest title for an online soapbox, but then this isn't a simple subject area. Consumer awareness of privacy – and what happens when it goes wrong – is fast becoming one of the most important data governance issues for public authorities and private companies. Data managers are finally realising that personal information has a hard cash value, and can carry even greater liability if it is misused. We need to get this right, yet we understand so little about it.


Let me please introduce myself

Before we take a deep breath and plunge into the debate about privacy, I’d like to introduce myself and explain a little about my interest in this subject area.


January 30, 2008

Keeping your bank details secure - how hard can it be?

This week's Downtime has called for an end to discussion about the attack on Jeremy Clarkson's bank account, but the incident does a lot to demonstrate the difference between privacy and security.


The risks of social networking

The risks associated with social networking sites are becoming a hot topic, but a recent incident demonstrates a new low for employer attitudes towards staff use of the Internet.


February 1, 2008

The half-life of personal information

Last year's data loss incidents have sparked a fascinating discussion that compares personally identifiable information with radioactive waste - and who is supposed to pay to clear it up.


February 4, 2008

Garlik honoured as technology pioneers at Davos

Privacy protection pioneers Garlik have been recognised for their innovation at the World Economic Forum in Davos.


Biometric travel controls at Heathrow T5

BAA is trialling the biometric identification systems that will be used throughout the new Terminal 5, but is this an appropriate solution, and what exactly is the problem?


February 8, 2008

Does minimal disclosure provide maximum protection?

A Canadian company has launched an identification service that embodies some of the most important principles of identity crime prevention.


February 11, 2008

How to rip me off

An innovative eBayer has posted a comprehensive guide on how to defraud eBayers.


Government paying out data loss compensation? Surely not

An online service claims to be able to secure compensation for individuals who claim they were affected by the HMRC data loss incident.


February 12, 2008

More on data loss compensation - would $54m do?

Whilst we're discussing compensation for data loss, a US citizen is suing Best Buy for $54m for the loss of her laptop.


February 16, 2008

Think twice before you start printing your own currency

Your colour laser printer or photocopier may be printing a hidden 'bar code' on every document.


February 20, 2008

Haemorrhaging personal data

It would seem that the plague of personal data loss incidents has spread to Irish shores as the Irish Blood Transfusion Service admits to losing a laptop with 170,000 patient records on it.


February 25, 2008

Identity goes mainstream

The Economist is carrying an interview with Microsoft's Kim Cameron, their Identity Architect and the powerhouse behind Windows Cardspace. Kim is quite possibly the most influential identity expert in the world, so if the Economist is profiling his work, then we should hopefully see identity issues go mainstream for business executives.

March 6, 2008

A big day for the National Identity Scheme

Home Secretary Jacqui Smith has just published the government's new Delivery Plan for the National Identity Scheme, and HM Treasury has released the long awaited Crosby report. Here's a summary of the key points at a packed press conference.


March 13, 2008

Privacy bares its fangs for Phorm

Newcomer Phorm has ignited a row about online privacy. It's an old debate that's being brought back into the news by new technology, but the impact on Phorm's share price demonstrates the power of privacy concerns.


March 14, 2008

The other big identity story - Microsoft acquires Credentica

With all the fuss about the National Identity Scheme and the publication of Sir James Crosby's report, much of the media missed last week's other big identity story. Microsoft has purchased Credentica, and this could be a significant step forward for 'privacy positive' identity systems.


Will one have one's biometrics taken?

Her Majesty the Queen is opening London Heathrow's new Terminal 5. I've written about the biometric security controls at the new terminal before, and am waiting to see whether the opening will include checking the royal biometrics...

March 24, 2008

The cost of privacy: biometrics at London Heathrow T5

London Heathrow's new Terminal 5 is back in the news: the Information Commissioner is investigating BAA's use of biometric security controls. But this fight isn't about security, it's about economics.


March 26, 2008

Pay by Touch: Consumers Blow a Big Raspberry to Biometric Payments

Back in 2006 the MidCounties Cooperative made the news when it introduced "Pay by Touch" - a system to allow shoppers to pay for their purchases at the checkout using a pre-registered fingerprint biometric. The scheme was hailed as a success in the UK, but that opinion hasn't applied across the board - Pay By Touch has just shut up shop. In my opinion this was a case of a solution looking for a problem, and until we see a broader switch from existing plastic cards to new tokens (possibly mobile phones?) we won't get widespread acceptance of biometrics for payment purposes.

RFID: Doing things against the law is against the law (in Washington anyway)

A new bill introduced in the state of Washington has outlawed the use of RFID technologies for malicious purposes. Anyone caught scanning a person remotely "without his or her knowledge and consent, for the purpose of fraud, identity theft, or some other illegal purpose" will be charged with a felony. What the bill omits is any concept of an 'opt-in', so it's still fine for companies to affix and read tags without the subject's knowledge.

I'm at a complete loss to understand what the benefit of that legislation might be. Maybe David can shed some light on it?

Heathrow Terminal 5 Suspends Biometrics

BAA has confirmed that London Heathrow's Terminal 5 will not be using fingerprint biometric controls when it opens, due to concerns raised by Privacy International and the Information Commissioner.

April 1, 2008

Revelations about ID cards

The pranksters have been at play again - apparently there are plans to scrap ID cards in favour of subcutaneous chips at birth. Meanwhile a secretive Whitehall memorandum describes the surveillance system that was behind the original ID Card plans...

April 8, 2008

The stocks are too good for them

HSBC has admitted the loss of a CD containing 370,000 customers' details that were destined for a reinsurer. Apparently the normal network connection was unavailable, so a password-protected CD was burned and bunged in normal Royal Mail post. Of course it never arrived. Sound familiar? What sort of maniac could possibly authorise such an action in light of the publicity around HMRC? Are they dead? Or in a coma? Or have they travelled back in time?

A few days in the stocks for whoever authorised this sounds like an appropriate punishment.


April 10, 2008

Phish fingers

The past few days have seen the emergence of a new attack group - phish fingers. After the Chaos Computer Club published a fingerprint of a German minister, there's a reward out for fingerprints from the UK Prime Minister and Home Secretary.


April 13, 2008

Enigma, Ultra and Bletchley Park

Anyone with an interest in the history of cryptography and codebreaking will want to listen to last week's edition of The Reunion on BBC Radio 4, in which a team of Bletchley Park employees reminisce about their work and its contribution to the war effort.

April 14, 2008

Listen in, Directors: privacy matters

Tony reports that the board of HM Revenue & Customs has been suspended following an external review of last November's loss of child benefit data. Since the incident, three non-exec directors have stepped down, one has resigned and another has moved to a new job. The Chancellor's public statement on the incident and subsequent resignation of HMRC's acting chairman were widely reported. The board will be replaced with an Executive and Advisers Committee pending a reorganisation.

Whilst the incident itself should of course never have been allowed to happen, the subsequent transparency and accountability is very welcome indeed. Finally we see senior executives held to account for privacy breaches. Not so long before, senior civil servants would have been able to shrug off such an incident and blame it on the system / a junior clerk / external suppliers / flawed systems inherited from the previous government* [delete as appropriate]. Hopefully this will put an end to such attitudes, and executives across the public and private sectors will follow HMRC's example by taking privacy seriously.

April 15, 2008

Phorm public meeting

High-profile online advertising service Phorm is holding an open meeting with its supporters and critics this evening. The meeting will be chaired by Dr Ian Brown, and speakers include Simon Davies, Dr Richard Clayton and Kent Ertegrul, CEO of Phorm.

A meeting of this type is unprecedented: Phorm are taking the stage with critics and supporters alike, and the CEO and CTO will be open to questions from the audience. If you have a criticism of, or interest in, Phorm then you need to be there. It's an open meeting, so anyone can attend. Location details, timings and registration are available here.

The Telegraph's Matt on Surveillance

A fantastic surveillance cartoon by Matt.

April 21, 2008

Environment Agency takes phishing rather too literally?

A friend's application for an angling license may reveal that the Environment Agency is either sloppy with its personal data or is deliberately obfuscating its privacy policies. If government is to build trust in its management of personal information, then these 'small incidents' must come to an end. [Editor's update: 30 April - Please see comments below for the Environment Agency's response and note that this entry has now been amended as indicated with strikethrough / italics.]


May 9, 2008

Data Security Failings at DWP?

According to a Press Association report, the Department for Work and Pensions has allegedly been breaching its own security policies:

Government staff have been sending out highly sensitive data in packages that include the passwords.

The errors at the Department for Work and Pensions "defeat the purpose" of tighter security rules brought in after last year's data loss scandals, according to an internal email.

The startling admission comes in a message circulated to staff by one of the DWP's security advisers, and will provoke fresh doubts over Government systems.

May 14, 2008

ICO gets a big stick!

The Criminal Justice and Immigration Act has received Royal Assent. Why does this matter? Because it gives the Information Commissioner's Office new powers to fine organisations that deliberately or recklessly abuse the Data Protection Act. ICO representatives have been talking a much tougher story recently, so let's hope that they're prepared to follow through with rigorous action against offenders. The acid test will be whether they're prepared to fine public authorities who fail to look after personal information.

May 16, 2008

The US needs a federal privacy law

The US has a wealth of state and federal laws intended to protect privacy, but what it doesn't have is a federal equivalent to the EU Data Protection Directive. There's even a law to protect privacy of video rental information (and if you're not familiar with the story behind that, then it makes for great reading). The US Constitution doesn't specifically protect privacy, although this is covered in the 9th amendment. Despite that, an aggressive Federal Trade Commission and active litigation combine to offer good privacy protection.

Security guru Bruce Schneier has called for a US privacy law - a federal equivalent to the EU Directive. I'm sceptical that this will happen, but it would certainly be worth a try.

May 23, 2008

ID Cards - all five bidders go through

The Identity and Passport service has confirmed that all five bidding organisations - CSC, EDS, Fujitsu, IBM and Thales - have gone through to the next stage of procurement. This will give these companies the opportunity to bid for the first four packages of work.

Party political hiccups

The Crewe and Nantwich by-election has seen two notable trust hiccups:

Hopefully this isn't the shape of things to come in party politics over the next few years.

June 4, 2008

The importance of the P word

Google is under the spotlight again, and this time for something seemingly innocuous: the Privacy Rights Clearinghouse in the US is calling for the search engine giant to display a link to its privacy policy from the homepage. Surprisingly, when most credible websites have a link to their privacy policy from the homepage, Google doesn't. Google argues that the policy itself - which isn't the problem in this debate - is easily accessible with just a few clicks (or I suppose you could Google it...).

Whilst it might not apply in this particular case (I don't know what Google's reasons are for refusing to provide the link), the story highlights a problem for global companies: how to maintain a consistent privacy approach across multiple jurisdictions. A privacy policy that complies with US law might not be good enough for Germany or Canada. A policy complying with German requirements could leave a company handicapped when operating in territories where privacy laws are more permissive and customers either don't expect the same degree of privacy protection, or expect to achieve it through a different cultural approach. This is one of the big challenges for a privacy professional, and yet another reason why the subject is in fact very different indeed from information security.

June 11, 2008

The Phorm effect spreads

A little while ago I declared a closed season on Phorm, but this story merits coverage. The UK Information Commissioner has examined Phorm's OIX and Webwise offerings, and concluded that since they have yet to launch a commercial service, it does not merit intervention, and the ICO's current position is to maintain a watch on events. However, that didn't satisfy campaigners who object to Phorm's approach to user profiling, and as a result the European Commission is apparently considering intervention. Anti-Phorm protesters will be at BT's AGM next month, and will also be demanding police intervention over Phorm's technology trials with BT (although I imagine it highly unlikely that will result in action simply because of the complexity of the legal issues and an under-resourced police force).

This battle is proving to be another demonstration of just how hard a small but motivated group of campaigners can hit major corporates when they feel their privacy has been breached. BT's handling of protesters is going to be a tipping point for the battle, so keep an eye on the news on July 16th.

June 17, 2008

You couldn't make it up

First we had Top Secret Al-Qaeda analyses left on a train out of Waterloo... then financial crime plans left on a train back into Waterloo... (and all I found on my Waterloo train this week was an unexploded gym kit - somehow I feel short changed)... now Hazel Blears' constituency office admits to the loss of a laptop containing "a combination of constituency and government information which should not have been on it."

Anyone stupid enough not to have noticed the string of data loss incidents in the past six months, and the consequences for the individuals concerned, frankly deserves to be tarred and feathered and pilloried in Whitehall. Actually, why don't we propose a pillory for the 'empty' plinth in Trafalgar Square, reserved exclusively for anyone who's ignored the Manual of Protective Security? It would make a good installation piece...

June 18, 2008

Our first candidate for the spare plinth in Trafalgar Square?

Thanks to Edgar for bringing my attention to the loss of six laptops from St George's Hospital in Tooting. Apparently the machines contained 20,000 patient records, stored there because there were problems with the network. But don't worry, everything's OK, because "all the information on the laptops was password protected and personal information, such as postcodes, were hidden - although the patient's name and hospital number was shown." What on earth is that pseudo-security doublespeak supposed to mean?

I'll be applying to the Arts Council for funding to build a pillory on the spare plinth in Trafalgar Square - which should make for a good tourist attraction - and this incident definitely makes it to the candidate list for early occupants.

June 23, 2008

A very confusing survey?

The BBC is covering a survey commissioned by StrongMail, in which the company claims that "one in five [marketing professionals] said they had given out credit card details, one in seven would reveal information about customers political affiliations, and one in 10 would disclose their religious beliefs."

Now I appreciate that the marketing profession hasn't always had a good press, and that as with any profession there will always be a few mavericks, but surely the efforts of DMA and Chartered Institute of Marketing have achieved more than that? I'm going to remain very sceptical indeed about the sample of "marketing and data protection executives at 900 firms" since these are, by definition, very different job roles. Furthermore, it's sadly uncommon to encounter such a thing as a "data protection executive," since the role more normally sits at a junior level.

The only reported part that feels right is that "nearly 90% of these said the incidents had not been reported to customers." That bit rings true.

I'd very much like to see StrongMail's source data when it becomes available.

June 25, 2008

Rather quiet on the big privacy news day

Today's been the biggest privacy news day of the year; the Poynter and Burton reviews are out, the ICO has said it will slap enforcement notices on HMRC and MoD, and there are more data loss incidents emerging. Please excuse the radio silence, but I've been focussed on delivering the Enterprise Privacy Group's response to the Identity and Passport Service consultation, and preparing for a workshop we're holding with IPS on Monday. With a stroke of luck I'll have time to prepare a full analysis of events over the weekend.

In the meantime, for those of you who don't want to read the full response, here's the wordle version.


June 26, 2008

The BEST phishing email yet!

I've just received the very best phishing email I've ever received. Look, the money arrived in my account just a couple of hours ago - all I need to do is log in to get it! I've disabled the offending URL so that this doesn't fall foul of content filters.

---

Title: PAYMENT CONFIRMATION

Dear Abbey Customer,

STUART FREEMAN made an online funds transfer to your online account.
The details of this transaction are shown below.

Transfer Date and Time:
26/06/08 at 07:34 AM
Transfer Amount: £4370.00
Transfer Description: PAYMENT

To view this transaction and your current balance, please CLICK HERE
If you have any questions related to this message or the funds transfer,
please contact STUART FREEMAN. Please do not reply to this message.


------------------------------
Sincerely,

Abbey Customer Service


July 2, 2008

Computer Weekly Blog Awards

The Computer Weekly blog awards are now accepting voting. There are some great blogs in there, but I'd like to suggest you take a look at a few of my favourites:

- Dave Birch (Consult Hyperion, Digital Identity Forum) - IT Security category

- Jerry Fishenden (NTO, Microsoft UK) - IT Law and Governance category

- Tom Ilube (Garlik CEO) - IT Lifestyle category

- Guy Bunker (Symantec) - IT Security category

- Robin Wilton (Sun Microsystems) - IT Law and Governance category

This is your chance to recognise some of the great thinking and writing that's going on out there - get voting!

July 3, 2008

So long YouTube, it was nice knowing you

A US Court has ordered YouTube to hand over logs of the viewing habits of every user who has ever watched any video using the service. By favouring copyright over privacy, it has dealt a blow both to YouTube and the broader freedom of Internet usage.


About News

This page contains an archive of all entries posted to The Privacy, Identity & Consent Blog in the News category. They are listed from oldest to newest.
