Categories
Articles

Musing on Federated Platform Regulation

The recent increased awareness of federated social networks has produced some discussion about their status under new “platform regulation” laws, such as the UK Online Safety Bill. Most of this has focussed on whether federated instances might be covered by legislation and, if so, what their operators’ responsibilities are. But this post uses them as […]

Categories
Articles

ECJ: Legitimate Interest in accessing registries

European Data Protection Regulators have been expressing their concerns for nearly twenty years about public records of domain name ownership (commonly referred to as WHOIS data). A recent case (C37-20) on public records of company ownership (required under money-laundering legislation) suggests that the European Court of Justice would have similar doubts. But its comments on […]

Categories
Articles

Measuring Student Workloads

Discussions of student wellbeing tend to focus on providing individual support for those who are struggling to cope. That’s great, but likely to demand a lot of skilled staff time. A few years ago Bangor University investigated whether the university might be contributing to stress through excessive or spiky workloads. Addressing causes of stress would, […]

Categories
Articles

Volunteers and Consent

I’ve read two documents this week – one academic paper and one guide from the Information Commissioner – pointing out that just because someone chooses to participate in an activity doesn’t mean that Consent is the appropriate legal basis for processing their personal data. There might be several reasons for that… First, if the nature […]

Categories
Articles

Thinking about automation: DDoS protection

One of the major causes of disruption on the Internet is Distributed Denial of Service (DDoS) attacks. Unlike “hacking”, these don’t require there to be any security weakness in the target system: they simply aim to overload it with more traffic than it (or its network connection) can handle. Often such attacks are launched from […]

Categories
Articles

Europe Wants Patches

The Proposal for a Regulation on Cybersecurity Requirements, recently published by the European Commission, significantly raises the profile of software vulnerabilities and processes for dealing with them after a product is delivered. The Regulation on Digital Resilience in the Financial Sector (DORA), proposed in 2020 and likely to become law shortly, does require organisations to […]

Categories
Presentations

Future of Cyber Risk podcast

A few weeks ago I was invited to contribute to Team Cymru’s Future of Cyber Risk podcast. As I hope is apparent from the resulting recording, it was a fun conversation about working with regulators and how apparently different risks often turn out to be the same after all.

Categories
Articles

Privacy Enhancing Technologies: ICO draft guidance

The latest draft part of the ICOs guidance on data protection technologies covers Privacy Enhancing Technologies (PETs). This is a useful return to a topic covered in a very early factsheet, informed both by technical developments and a better understanding of how technologies can (and cannot) contribute to data protection. Perhaps the most important message […]

Categories
Articles

Do Display Names Matter?

Display Names are often how we are represented online. Michael might choose to appear as “MusicFan”, “Mikey”, “Florence” or “Andrew”. Does that establish a good tone for discussion? Or does it risk misleading readers, perhaps making them act on the basis of a mistaken identity? Platforms that use display names can and, I think, should […]

Categories
Articles

Thinking about automation: Malware Detection

Sophos have recently released a tool that uses Machine Learning to propose simple rules that can be used to identify malware. The output from YaraML has many potential uses, but here I’m considering it as an example of how automation might help end devices identify hostile files in storage (a use-case described by Sophos) and […]