A thought-provoking talk at the TERENA Networking Conference by Barry Smyth of the Insight Centre for Data Analytics suggested both the possibilities and the problems of big data, and some of the decisions that society needs to make soon about how we do, and do not, use it to maximise benefits and minimise harms. A […]
Category: Articles
Thoughts on regulatory and ethical issues relating to the use of technology in education and research
A number of people have asked me what the recent European Court judgment in the Google “right to be forgotten” case means; here’s why I have been answering that I don’t know! The case concerned a fifteen-year old article in a Spanish newspaper about a named individual who had got into financial difficulties. The individual, […]
I only wish the Article 29 Working Party had published their Opinion on Legitimate Interests several years ago, as it could have saved us a lot of discussion in the federated access management community. Any organisation that processes personal data needs to have a legal justification for this; in access management that applies both to […]
Reducing the Impact of Privacy Breaches
At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches that affect the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected. Requirements to notify privacy […]
Security Debt
Martin McKeay’s presentation at Networkshop warned us of the risk of spiralling “security debt”. Testing for, and exploiting, well-known vulnerabilities in networked systems now requires little or no technical expertise as point-and-click testing tools are freely available. The best known of these led Josh Corman to propose “HDMoore’s law”, that the capabilities of the Metasploit […]
[Updated with further information and suggestions provided by CSIRTs: thanks!] One incident response tool that seems to be growing in value is passive DNS monitoring, described in Florian Weimer’s original paper. As described in the references at the bottom of this post, patterns of activity in the Domain Name System – when names change, move […]
A strong common (and unplanned, honest!) theme emerged from the information security session at Networkshop yesterday: that information security, or information risk, is ultimately the responsibility of individual users. Only they can decide which documents it is safe to read on a train, which phone calls they can make in a public place. The role […]
I’ve had several conversations this week that related to what’s commonly referred to as “level of assurance”: how confident we can be that an account or other information about an on-line user actually relates to the person currently sitting at the keyboard. Governments may be concerned with multiple forms of documentary proof but I suspect […]
The various committees of the European Parliament have now published their response to the Commission’s draft Network and Information Security Directive. Their proposal is much more narrowly focussed than the Commission’s: public administrations are excluded (though individual Member States are allowed to opt theirs in), as they already “have to exert due diligence in the […]
The Information Commissioner’s analysis of the European Parliament’s amendments to the draft Data Protection Regulation discusses the wide range of information that falls within the definition of “personal data” and gives examples that seem particularly relevant to identity federations. The Information Commissioner considers that identifiers pose a higher privacy risk if they are “interoperable”. Since […]