Categories
Articles

Data Protection: picking the right justification

There’s no doubt that some parts of the UK Data Protection Act and the EU Data Protection Directive are badly out of date and need revising. The world they were drafted for in the early 1990s has changed. One area that has worn much better is the six justifications for processing personal data: those still […]

Crisis Communications for Incident Response

Scott Roberts of Github gave an excellent talk on Crisis Communications for Incident Response. If you only follow up one talk from the FIRST conference, make it this one: the slides and blog post are both well worth the time. So this post is just the personal five-point plan that I hope I’ll remember […]

The Human Side of Vulnerability Handling

Thanks to recent work, particularly by the Dutch National Cyber Security Centre, the processes that result in successful discovery and reporting of software vulnerabilities are reasonably well understood. For those processes to work, though, potentially tricky human interactions need to be negotiated: discoverers don’t know whether they will be regarded as helpers, criminals or sources […]

The Judgment of Delfi

In Ancient Greece the oracle at Delphi was notorious for speaking in riddles. The European Human Rights Court’s judgement in Delfi v Estonia is similarly puzzling. Back in 2006 an anonymous reader made a comment on a newspaper website; six weeks later the comment was removed following a claim that it was defamatory. In 2008 […]

Efficient incident detection

An interesting theme developing at this week’s FIRST conference is how we can make incident detection and response more efficient, making the best use of scarce human analysts. With lots of technologies able to generate alerts it’s tempting to turn on all the options, thereby drowning analysts in false positives and alerts of minor incidents: […]

Detecting Incidents in DNS Resolver Logs

Domain Name Service resolvers are an important source of information about incidents, but using their logs is challenging. A talk at the FIRST conference discussed how one large organisation is trying to achieve this. DNS resolvers are used legitimately every time a computer needs to convert from human-friendly names (such as www.google.com) to machine-friendly […]

Extremism Guidance for Universities and Colleges

The Government has published its proposed guidance to universities, colleges and other specified authorities on what they will be expected to do to satisfy their duty under the Counter-Terrorism and Security Act 2015 to “have due regard to the need to prevent people from being drawn into terrorism”. This guidance may not become law […]

Preparing for Prevent

While we’re still awaiting the announcement of the date when universities and colleges will have a legal duty to “have due regard to the need to prevent people from being drawn into terrorism”, there’s probably enough information available in the published guidance for organisations to start reviewing whether their current practice is likely to be […]

Learning Analytics: OECD and EU

A recent conference on student data included perspectives on learning analytics from the OECD and the European Commission. Stephan Vincent-Lancrin (OECD) looked at how improving our use of student data could improve the quality of education provided. He noted that a considerable volume and variety of data about education is already generated within universities, and […]

Data Protection Developments: How to Cope

I’ve been at several conferences recently on how Data Protection law is developing, and they’ve left me less than optimistic. By the end of 2015 Europe will have been working for four years on a Regulation “on the protection of individuals with regard to the processing of personal data and on the free movement of […]