Categories
Articles

Consent and the Role of the Regulator

Reading yet another paper on privacy and big data that concluded that processing should be based on the individual’s consent, it occurred to me how much that approach limits the scope and powers of privacy regulators. When using consent to justify processing, pretty much the only question for regulators is whether the consent was fairly […]

Categories
Articles

Protecting Users and Systems in 2015

The steady growth in the use of encrypted communications seems likely to increase next year given recent announcements on both web browsers and servers. That’s good news for security people worried that their users may be sending sensitive information such as passwords and credit card numbers over the Internet. However, it may also require an […]

Categories
Publications

Can CSIRTs Lawfully Scan for Vulnerabilities?

This paper looks at the UK’s Computer Misuse Act 1990 and how it might apply to the practice of vulnerability scanning. Where a scan has been authorised – either specifically or via a network security policy – there should be no problem. But there are some situations where we’d like to scan hosts for which […]

Categories
Articles

Protecting Information in 2015

Although it’s now almost three years since the European Commission published their proposed General Data Protection Regulation, it seems unlikely that a final text will be agreed even in 2015. That means we’ll be stuck for at least another year with the 1995 Directive, whose inability to deal with the world of 2015 is becoming […]

Categories
Articles

Debugging laws

A long time ago, testing software was part of my job. To help with that I had an initial checklist of questions to pose to any new program: situations where I should check that it behaved as expected. Once it passed those basic checks I could get on to the more detailed testing specific to […]

Categories
Articles

Revenge Pornography: Notice and Takedown

Herewith first impressions of the Government’s proposal to criminalise “Revenge Pornography” since, if it is passed, this will be another type of material that those offering web or other publishing services for user generated content will need to include in their notice and takedown processes. Comments welcome, especially if you think there’s something I’ve missed. […]

Categories
Articles

Incentives for Intermediaries

One aspect of the Google Spain judgment I’ve not seen discussed is the incentives it creates for search engines. The European Court of Justice found that under some circumstances Data Protection law entitles an individual to demand that out of date and inaccurate results be removed from the results of a search for their name […]

Categories
Articles

BYOD: Government Guidance

I had been planning to write up a summary of my thoughts on Bring Your Own Device, but I’m pleased to discover that the UK Government has pretty much done it for me. Their draft guidance, just published for comment, suggests an approach along the following lines: Start by reviewing which information should not be […]

Categories
Articles

How much complexity should we see?

A couple of sessions at the VAMP2013 workshop in Helsinki related to complexity and how best to express it to users. Bob Cowles pointed out that current access management systems can involve a lot of complexity even to reach the binary decision whether or not to allow a user to access a resource. This might, […]

Categories
Presentations

Sharing Information to Protect Privacy

I was invited to give a presentation on legal and ethical issues around information sharing at TERENA’s recent security services workshop. The talk highlighted the paradox that sharing information is essential to protect the privacy of our users when their accounts or computers have been compromised, but that sharing can also harm privacy if it’s […]