Categories
Articles

From mobile device policy to BYOD

I’ve had a few discussions recently where people talked about the ‘new risk’ of Bring Your Own Device (BYOD), but then mentioned risks – loss/theft of device, use in public place, etc. – that already exist on organisation-managed mobile devices. Turning that around, it struck me that one way to develop a BYOD policy might […]

Categories
Articles

Legislating for Indirectly-linked identifiers

A law that promotes Privacy by Design and Data Minimisation ought to encourage the use of indirectly-linked identifiers, which allow processing to be done separate from, or even without, the ability to identify the person whose information is being processed. However European Data Protection law has never really worked out what these identifiers are. The […]

Categories
Articles

Encrypted Information: Law enforcement access

The amount of information stored in encrypted form is steadily increasing, supported by recommendations from the Information Commissioner and others. When deciding to adopt encryption, it’s worth planning for what might happen if the police or other authorities need to access it in the course of their duties. Normally the existing access rules under section […]

Categories
Presentations

Federated Access Management: Legal Developments

At the VAMP workshop last week I was asked to review legal developments that might affect access management federations. On the legislative side the new European Data Protection Regulation seems to be increasingly mired in politics. The Commission’s proposed law from January 2012 needs to be discussed with the European Parliament and Council of Ministers […]

Categories
Articles

Interception definition and mailboxes

If you look up “interception” in most dictionaries you’ll find that it happens before an action has completed: in sport a pass can no longer be “intercepted” once it reaches a teammate. In a legal dictionary, however, that turns out not to be true. According to section 2(2) of the Regulation of Investigatory Powers Act […]

Categories
Articles

Managing Incident Response in Identity Federations

In talking with service providers at this week’s conferences on federated access management in Helsinki it’s become apparent that many of them are asking identity providers to supply not only the information that they need for normal operations, but also information that will only actually be needed if a problem occurs. For example it seems […]