I have long had strong views on the need for effective Data Protection but I have just received a e-mail via ISOC UK soliciting my support for tomorrow’s “Press Stunt” by the Open Rights Group to “protect” the proposed EU Data Protection Regulation. I have sat in on meetings which helped produce some of the amendments that the Open Rights group are condemning as lobby fodder and read their guide to the issues . Either the Open Rights Group has missed the plot or it represents a different set of interest groups to that which I thought it did..
The high level objectives of the EU Regulation are admirable but the focus on meaningless tick box rituals, like data breach notification, means that it is, in practice, unfit for purpose, unless the purpose is to drive on-line operations off-shore (to the United States or India) or to facilitate the quiet harvesting of data to commit systemic fraud. It will do little or nothing to protect privacy. It will, however, help protect those who abuse our privacy by giving them the excuse of “compliance” with the rituals.
The focus should be on “encouraging” those who want you to use their products and services to help protect us when the data needed to impersonate you is available over the Internet, whether legally or illegally. Current “data breach” notification routines serve to deter organisations from taking action to protect customers known to be at risk when the channels via which their data came into criminal hands are unknown or legal (e.g. Companies House and other “public record” sources contain almost all that is needed to impersonate anyone who has served as a director of a company). Meanwhile routines cited as “good practice” are known to facilitate fraud: we cannot dismiss the US “evidence” that breach notifications are followed by attacks on the recipients, even though we may have doubts over its meaning. Publicity for breaches is indeed commonly followed by a surge of false “notifications” to harvest rather more than leaked.
The proposed EU Regulation will almost certainly make that situation worse. The need is instead to clarify the liabilities of those who do not take effective action to protect customers whose details are “available” over the Internet. I say “clarify” because, for common law countries, the liabilities may already be clear but unpublicised, (in the UK it is a mix of tort, contract, bills of exchange and fair trade) – and we can see large organisations beginning to take action accordingly. Indeed the recent “spat” between Spamhaus and Stophaus appears to have originated with an exercise to do so.
I spent yesterday at Infosec getting sore feet visiting the stands of the security snake-oil salesmen. Many were selling products and services to help clients meet data protection “compliance” requirements which did little, or nothing, to help them protect customers from fraud or abuse. Several had products which could also be used to help identify those attacking their clients and/or reselling “stolen” data – but this was not at all obvious from the material on their stands. Only one had publicity material promoting a product (Garlik Data Patrol) designed for that purpose. Yet to my mind the use of such products should be the first duty of any organisation that suspects it has had a data breach. Indeed I would argue they should be used, in parallel, by all who use services like Trusteer. Given that most breaches are identified weeks or even months after they occurred, the requirements in the EU Data Porection regulation are, by comparison, either meaningless or worse than useless.
So what planet is the Open Rights Group on?
Perhaps more interestingly, who side is it on?
I used to think is was on “my” side: thinking of “me” as an individual who is as suspicious of
- Governments, who demand data retention in order to “protect” me,
- Regulators, who demand data retention for “consumer protection and
- Anyone who extols the virtues of “Big Data” as an aid to democratic decision making
as I am of the mass market ISPs, On-Line Retailers, Search Engines and Social Networks who track my on-line activities in order to improve service (alias sell) to me.
I now have my doubts about the Open Rights Group. I fear those doubts may be reinforced tomorrow when we see who it attacks, why and how. “By their enemies shall ye know them“
I also have my doubts about ISOC. I joined in 1995 in the fond belief that sooner or later it would become the Governance structure that the Internet so badly needed. It is now clear that it will not. It does much good work but appears unable to look at issues from the perspective of billions of users, most of whom no longer have english as their first language. I have a growing suspicion that the future of the Internet will come out of Africa (like mankind) and Asia (like printing) not California or the Cambridges (Fenland and New England). And Western Liberals may not like that future. if so, it will have been their fault. I remind readers that the one thing I am not is a Liberal. My politics are where left meets right, round the back, beside the bike sheds.
P.S. I have focussed on the counter-productive nature of the proposals for Data Breach notification but I could have made similar points regarding the proposals on privacy by design, impact assessments, consent, the right to be forgotten or data portability – when the small print will almost certainly deliver the opposite of what the regulation is supposedly eeking to achieve.
If you think I am wrong please comment. In the past I have had a lot of time for the Open Rights Group and I would love to believe that I have misunderstood their position.