Categories
Publications

Privacy and Incident Response

At a meeting of TERENA’s CSIRT Task Force last week, I presented an updated version of my paper on Privacy and Incident Response. Responding effectively to incidents is essential to protect the privacy and other rights of individuals and organisations that use the Internet: compromises, phishing, etc. clearly infringe those rights. However incident response may […]

Categories
Articles

IETF on Botnet Detection

A bot is a program, maliciously installed on a computer, that allows that computer and thousands of others to be controlled by attackers. Bots are one of the major problems on the Internet, involved in many spam campaigns and distributed denial of service attacks, as well as allowing attackers to read private information from the […]

Categories
Closed Consultations

MoJ Evidence on EC Data Protection proposal

I’ve just sent in a Janet Submission to the Ministry of Justice’s Call for Evidence on the EU Data Protection proposals. Our response mentions the good and bad things about the proposal, as discussed here previously, for Internet Identifiers: still no clarity on when IP addresses etc. are personal data, but at least more realistic […]

Categories
Articles

Data Protection Proposal: Incident Response

The Commission’s proposed Data Protection Regulation seems very positive for Incident Response. Indeed Recital 39 explicitly supports the work of Incident Response Teams: The processing of data to the extent strictly necessary for the purposes of ensuring network and information security … by public authorities, Computer Emergency Response Teams … providers of electronic communications networks […]

Categories
Articles

Europe’s Data Protection Proposal

Last week the European Commission published their proposed new Data Protection legislation. This will now be discussed and probably amended by the European Parliament and Council of Ministers before it becomes law, a process that most commentators expect to take at least two years. There’s a lot in the proposal so this post will just […]

Categories
Articles

Processing personal data for third party interests

An interesting reminder from the European Court of Justice (ECJ) that the Data Protection Directive (95/46/EC) is supposed to make processing and exchanging personal data easier as well as safer. The Directive contains a number of different reasons justifying processing of personal data (gathered together as Schedule 2 of the UK Data Protection Act 1998), […]

Categories
Articles

Domains with Criminal Purpose

Questions about my last posting on Nominet’s DNS domain suspension discussions, have got me thinking a bit more about my idea of “domains registered for a criminal purpose”. My suggestion is that these should be the only domains that a top-level registry can remove on its own, rather than asking for the decision to be […]

Categories
Articles

.ch and .li domains promoting malware clean-up

An interesting news item from SWITCH, the Swiss NREN and also operator of the .ch and .li TLD registries, on how they are alerting website owners to malware and, if necessary, taking action to protect customers from being infected. Swiss law allows the registry to suspend a domain for five days, or longer if the […]

Categories
Articles

Domain suspension – when might it be justified?

Nominet have published an issues paper asking whether there are circumstances in which it might be appropriate to rapidly suspend a DNS domain involved in criminal activity, and the processes that would be needed to ensure such action did not create too great a risk of unfairness. I’m writing this in an attempt to sort […]

Categories
Articles

MoJ Data Protection Response

An interesting morning yesterday at the launch of the Ministry of Justice’s Response to the Call for Evidence on the Current Data Protection Legislative Framework. JANET’s evidence focussed on the difficulties of applying data protection law to the Internet: the current law has proved unclear on the status of IP addresses and similar pseudonymous identifiers, […]