Today, the 28th of January 2011, marks the European Privacy and Data Protection Day. In a time when our online privacy is being eroded by the use of social networks and companies and governments continue to store our personal details in ever increasing databases, today is a day to reflect on how your use of the Internet and social networks impacts on your privacy.
In today’s Irish Times Karlin Lillington has an excellent piece on privacy and the impact various government legislation has on it. Indeed, earlier this week the Data Protection Commissioner’s office also issued a warning to politicians that they must respect people’s privacy when canvassing and not send unsolicited emails or texts unless they have gained the person’s permission.
However, the worrying message from the above is that people seem to have little or no awareness of their right to privacy or of the impact that infringements of that right can have on their lives. This can be seen in how much personal information people voluntarily give to social media networks such as Twitter and Facebook. It is also exemplified by the acceptance of greater and greater government monitoring of people’s activities, all in the name of security.
I accept that governments need to be able to access certain information to investigate or prevent illegal activities, but it must be done in a balanced manner. It is important that the rights of the individual are not impinged upon or trodden on, and that appropriate controls and judicial oversight are in place.
Yesterday saw the release of Privacy International’s European Privacy and Human Rights report for 2010, which highlighted a worrying trend in the increase in surveillance in countries within the EU. In particular, Ireland came under a lot of criticism.
It is also worth noting the below privacy map published by the Forrester Group highlighting how different countries respect the privacy of their citizens.
Facebook announced this week that they will now provide secure web browsing using HTTPS for all activity within their social network, which should protect individuals from having their information compromised by someone monitoring their network traffic.
So on today of all days perhaps you should go and check the privacy settings within your Facebook user profile, and with the upcoming elections you should take the opportunity to quiz your local candidates on their stance regarding our right to privacy.
You may remember that in 2008 I was challenged by technical journalist Marie Boran to steal her identity using only information I could get online. I subsequently spoke at a number of conferences on the subject and you can find a copy of that presentation online.
Last Thursday both Marie and I were invited onto the Daily Show to discuss that project and the implications for people’s online privacy. It was an interesting talk and fun to watch Claire Byrne’s face when I mentioned I had been following her Twitter stream. The interview is now available online (the interview begins 17 minutes and 50 seconds into the show). The tips I gave are also available on the Daily Show’s website.
Recent investigations by German authorities discovered that the Google Street View car was recording information about wireless access points it detected during its journeys. More seriously, it was revealed that the system recording that data was also gathering any data being transmitted over any unsecured wireless networks it detected. Google claims that this was a mistake and has promised to delete all such data.
On Tuesday the 18th May the RTE news covered the story and I was interviewed as part of the piece which is available here.
I got an email today pointing me to this story in Time magazine, Trying to Escape the Surveillance State, where a journalist tries to live for a month without his privacy being impinged upon. It led to a conversation about privacy and whether or not there is privacy on the Internet, or whether people will pay the cost for the amount of personal information that they freely give to various sites such as Facebook, Twitter, LinkedIn etc.
I argue that there is privacy on the Internet, depending on the choices you make. In most cases an online transaction, be that purchasing something online, joining a social network or sending emails, has privacy as an element built into the cost of that transaction. In order to receive the goods you buy online you surrender your privacy surrounding your personal details; you also probably use a credit card, which means that your transactions are noted by your credit card issuer; and finally, sites may keep track of your activity to suggest recommended goods on your next visit. This is no different from the physical world, where you purchase items by credit card and perhaps use a loyalty card in the store.
Joining a social network, e.g. LinkedIn, also has its privacy transaction costs. If you want the benefits of a social network then you need to surrender your personal details to become part of that network. In real life you join social clubs and meet friends in public places, where you also trade part of your privacy to take part in the group.
Some will argue that governments’ monitoring of Internet usage is a breach of privacy: for example, your Internet browsing and email history is retained under the EU Data Retention Directive, and your ISP knows all your activity from their system logs, as recently highlighted by the Phorm controversy in the UK.
This is true, but you can still take measures to protect your privacy online using various techniques such as anonymous proxies, never using your real name online, never purchasing items online and not joining any social networks or forums.
You can control your privacy on the web; the question that needs to be asked is, at what cost?
The 21st annual report from the Data Protection Commissioner’s office has been released. As usual it makes for some very interesting reading. The report notes that the number of breaches reported to the office has doubled since the previous year. Most of these reported breaches are from organisations within the public sector. While the first reaction may be to say the public sector is not taking due care of the personal data entrusted to it, I would argue that the public sector is no better or worse than the private sector.
One of the main reasons for the increased number of reported incidents from the public sector is most likely the guidance issued by the Department of Finance in late 2008 “encouraging” government departments to report breaches to the Data Protection Commissioner. See section 4 on page 23 of the guidance.
In my opinion the Data Protection Commissioner’s report reinforces the argument that Ireland should introduce mandatory data breach disclosure laws. My own thoughts on that particular issue are in this presentation that I gave at the last NITeS seminar;
I strongly urge you to take the time to read the report and to ask yourself the question, “How effective are my security controls in protecting the personal data entrusted to my organisation?” If you find it hard to determine how to answer the question, there is a very good self-assessment checklist available on the commissioner’s site.
The 4th Annual Privacy & Data Protection Ireland 2009 seminar is due to be held on the 18th and 19th of February 2009. I will be giving an interactive case study on identity theft at the seminar. As a speaker I am happy to be able to pass on a discounted rate to those of you who wish to register and attend the event. Up until the 1st of December you can register for one or both days of the seminar and achieve significant savings on the normal fees.
If you book early for one day the fee will be €400; after the 1st of December that will rise to €575. If you book for both days before the 1st of December the cost to you will be €750 instead of the normal €950. There are some excellent speakers addressing the event, and if you have an interest in data protection and/or privacy then you should attend. Booking forms and more information are available on the seminar’s website.
I have been asked to speak at the 4th Annual Privacy & Data Protection Ireland 2009, which is scheduled for next February. My talk is titled “Identity Theft: An Interactive Study” and I will be drawing on my experience of stealing the identity of Marie Boran, from SiliconRepublic.com, which she wrote up and I posted about earlier. There are a number of other interesting talks lined up for the event, so it should be an interesting seminar.
It appears that a security breach at Deutsche Telekom in 2006 exposed the personal details of over 17 million customers of its mobile phone division, T-Mobile. The company claims that no credit card or financial details were exposed, but that information such as email addresses, mobile numbers and postal addresses was exposed.
The company claims that they found no evidence of the data being used or traded on the Internet or on any data exchanges. Well, I am sure that will make those affected sleep better at night. However, German newspapers are claiming that the data is already in the hands of criminals, in particular the data belonging to some celebrities, politicians and well-known business people.
This issue does beg the question: who decides when individuals should be notified that their data has been exposed? The company that suffers the breach, or an independent third party? I guess if you have read this blog for any period of time you know where I stand on this.
It has been an interesting week, to say the least, with regard to information security breaches in Ireland. First we heard the responses to Ruairi Quinn’s question as to how many portable devices belonging to government departments have gone missing this year. So far over 45 devices have been lost. Damien Mulley has a breakdown of what was lost. Then on Friday the HSE reported that it lost another laptop, which reports claim leaves the personal details of thousands of HSE staff at risk of identity theft.
To cap it all, the Irish Times reports that the Minister for Justice Dermot Ahern is now considering introducing mandatory breach disclosure laws. Having been an advocate for the introduction of such laws, I welcome these moves. However, as Digital Rights Ireland points out, the proposed laws appear to have a number of shortcomings, such as being restricted to only portable devices. This means that breaches such as the exposure of people’s CVs on the Jobs.ie website earlier this year would not need to be reported. Also, it appears the minister wants to concentrate on major breaches. It will be interesting to see how a major breach is defined. Will that be dependent on the type of data exposed or the number of records?
I attended the Irish ISACA Chapter’s conference on Friday and a number of people asked me for my reaction to the above. So let me take this post as an opportunity to share my thoughts on breach disclosure;