With Parliament now on its summer break, the legal position under the Counter-Terrorism and Security Act 2015 is unlikely to change till September. That makes this a good time for HE and FE providers in England, Wales and Scotland (the duty doesn’t cover Northern Ireland – see s51(1)) to review the guidance that has been […]
Network Neutrality and Network Security
There’s a tension between network neutrality – essentially the principle that a network should be a dumb pipe that treats every packet alike – and network security, which may require some packets to be dropped to protect either the network or its users. Some current attacks simply can’t be dealt with by devices at the […]
Since becoming involved in Jisc’s work on learning analytics, I’ve been trying to work out the best place to fit the use of students’ digital data to improve education into data protection law. I’ve now written up those thoughts as a paper, and submitted it to the Journal of Learning Analytics. As the abstract says: […]
After more than three years of discussion, all three components of the European law making process have now produced their proposed texts for what a General Data Protection Regulation should look like. The Council of Ministers’ version published last week adds to the Commission’s 2012 original and the Parliament text (unofficial consolidated version) agreed last March. […]
There’s no doubt that some parts of the UK Data Protection Act and the EU Data Protection Directive are badly out of date and need revising. The world they were drafted for in the early 1990s has changed. One area that has worn much better is the six justifications for processing personal data: those still […]
Scott Roberts of Github gave an excellent talk on Crisis Communications for Incident Response. If you only follow up one talk from the FIRST conference, make it this one: the slides and blog post are both well worth the time. So this post is just the personal five-point plan that I hope I’ll remember […]
The Human Side of Vulnerability Handling
Thanks to recent work, particularly by the Dutch National Cyber Security Centre, the processes that result in successful discovery and reporting of software vulnerabilities are reasonably well understood. For those processes to work, though, potentially tricky human interactions need to be negotiated: discoverers don’t know whether they will be regarded as helpers, criminals or sources […]
At the FIRST conference this week I presented ideas on how effective incident response protects privacy. Indeed, since most common malware infects end user devices and hides itself, an external response team may be the only way the owner can learn that their private information is being read and copied by others. The information sources […]
The Judgment of Delfi
In Ancient Greece the oracle at Delphi was notorious for speaking in riddles. The European Human Rights Court’s judgement in Delfi v Estonia is similarly puzzling. Back in 2006 an anonymous reader made a comment on a newspaper website; six weeks later the comment was removed following a claim that it was defamatory. In 2008 […]
Efficient incident detection
An interesting theme developing at this week’s FIRST conference is how we can make incident detection and response more efficient, making the best use of scarce human analysts. With lots of technologies able to generate alerts it’s tempting to turn on all the options, thereby drowning analysts in false positives and alerts of minor incidents: […]