Saturday, May 14, 2011

Impact of the Criminal Justice Bill on the investigation of cybercrime

The Minister for Justice yesterday published the Criminal Justice Bill 2011 (pdf) which is primarily aimed at white collar crime and unsurprisingly aims to facilitate the investigation of banking and financial crimes in particular (press release | Irish Times). It will, however, also have a significant impact on the investigation and prosecution of cybercrime.

Under section 3, the Bill applies to “relevant offences” which, as set out in Schedule 2, includes the offence of dishonest use of a computer. In addition, the Bill allows the Minister to add crimes to the list of "relevant offences" including "criminal acts involving the use of electronic communications networks and information systems or against such networks or systems or both". Consequently, assuming the Minister uses this power, the majority of computer crimes are likely to be subject to the provisions of this Bill.

As summarised in the press release, the key parts of the Bill are:
• A new system to make more effective use of detention periods. This will allow persons arrested and detained for questioning by the Gardaí to be released and their detention suspended so that further investigations can be conducted during the suspension period.

• New powers for the Garda Síochána to apply to court for an order to require any person with relevant information to produce documents, answer questions and provide information for the purposes of the investigation of relevant offences. Failure to comply with such an order will be an offence.

• Measures relating to how documents are to be produced to the Gardaí. These measures are aimed at reducing the delays associated with the production of large volumes of poorly ordered and uncategorised documents to the Gardaí in the course of their investigations.

• Measures to prevent unnecessary delays in investigations arising from claims of legal privilege.

• The creation of a new offence, similar to the former misprision of felony offence, which relates to the failure to report information to the Gardaí.

Also, though not mentioned in the press release, s.18 of the Bill will make the admission of documentary and electronic evidence in criminal trials significantly easier by establishing new presumptions regarding the creation, ownership and receipt of documents.

These provisions would dramatically change the rules governing the investigation and prosecution of computer crime in Ireland. Take two examples. The proposed offence of failing to report information would create a positive duty to report computer crimes to the Gardaí - with failure to do so carrying a term of imprisonment of up to five years. One wonders whether this is workable and what effect it might have on the work of computer security researchers. Similarly, the new power to order the production of documents includes a requirement that such documents be provided in decrypted form or that a password be provided (s.15(6)), which appears to address the gap in the law revealed by the encrypted Anglo Irish Bank files.

This is certainly one to watch for anyone with an interest in cybercrime in Ireland, and I'll be coming back to it as it progresses through the Oireachtas.

Thursday, May 12, 2011

ALAI comes to Dublin

There's a very good IPR conference coming up in Dublin shortly as the Association littéraire et artistique internationale will hold its bi-annual Study Days on the 30th June and 1st July, hosted by the Copyright Association of Ireland. Readers of this blog may be particularly interested to see that speakers include the president of HADOPI, solicitor Helen Sheehy (who has represented the Plaintiffs in all Irish filesharing litigation) and Judge Peter Charleton (who heard both the Eircom and UPC filesharing cases). Full details at www.alaidublin2011.org.

Monday, April 11, 2011

The curious case of internet filtering in Ireland

[Reblogged from the new website MediaLaws.eu, where I will be contributing updates from Ireland.]

One of the most important developments for freedom of expression online has been the growth of internet filtering systems, which have rapidly been adopted by national governments as the “solution” to various forms of internet wrongdoing. Ireland is no exception to this trend, and last month it was revealed that the Garda Síochána (the national police force) is now attempting to introduce a system whereby ISPs would block access to websites alleged to host child abuse images.

It is somewhat ironic that this news becomes public just as both Germany and the Netherlands have decided to abandon similar systems, having found that they are ineffective as a means of tackling child abuse images. Even leaving aside considerations of effectiveness, however, the proposed Irish system still presents a number of significant concerns.

A fundamental principle under Article 10 of the European Convention on Human Rights is that measures which have the effect of restricting freedom of expression must be “prescribed by law”. In this case, however, the Irish system would not have any legal basis whatsoever, much less any judicial oversight or control. Instead, it would involve the police in telling ISPs what domains to block on a “self-regulatory” basis. Consequently, it would seem on the face of it that the proposed system would violate Article 10. The European Commission recently reached the same conclusion about self-regulatory blocking systems (p.30) as did a government study which was decisive in causing the Dutch blocking system to be abandoned.

A further problem relates to the secret manner in which the government and the police have attempted to introduce this system. There has been no public consultation or debate of any kind regarding blocking – instead, information has only dripped out in response to freedom of information requests and leaks from ISPs. This is particularly worrying given that (as Lessig points out) internet filtering is an inherently opaque process, which is prone to operating in an unaccountable way and to being extended beyond its original purposes. In the Irish context, the secrecy surrounding the introduction of filtering doesn’t bode well for the future.

The nature of the proposed blocking is also worrying. What Irish police have suggested is based on the CIRCAMP model, which attempts to block material by using DNS tampering. In short, the police would notify ISPs to block http://example.com or http://subdomain.example.com and the ISP would then configure their DNS servers to redirect all attempts to visit any material hosted on those (sub)domains. The effect would be massive overblocking, where users would be unable to visit any page hosted on a particular domain, irrespective of whether it had any connection whatsoever with the blocked material. Last February, a similar approach in the United States saw over 84,000 innocent websites being wrongfully blocked, and there is no reason to think that the Irish approach would be any more precise.

Finally, one particularly unusual aspect of the proposals is the way in which police seek to introduce monitoring of users. According to the proposals, where a user attempts to view a blocked domain name, police would “obtain details of other websites visited by the user, along with other technical details, in order that [they] can identify any new websites that require blocking”. This in effect seeks the full browsing history of users – whether or not there has been any attempt on their part to view child pornography! (Bearing in mind that DNS tampering results in massive overblocking, it is quite likely that a user may have their browsing history disclosed due to an attempt to visit http://example.com/innocent_content when the entirety of example.com has been blocked due to a single image or page elsewhere in the site.) This raises fundamental privacy and data protection concerns, particularly given that a user can often be identified by viewing their browsing history (e.g.), and has therefore been referred to the Data Protection Commissioner for investigation.
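As an added illustration of the overblocking produced by the CIRCAMP-style DNS model described above (example code written for this edit, not code from the original post or from any ISP or police system), the following simulation compares domain-level DNS blocking with matching on the specific notified URLs. The block list and the browsing sample are constructed; every hostname is hypothetical.

```python
"""Domain-level (DNS tampering) blocking versus URL-level blocking.

Under the DNS model the ISP is only ever told a hostname, and its resolver
then refuses (or redirects) every lookup for that name, so every page under
it becomes unreachable regardless of content.  This script measures how many
URLs in a browsing sample are blocked although they were never notified.
"""
from urllib.parse import urlsplit

# Constructed sample: the specific pages a notice actually concerns.
# Hypothetical URLs, not taken from any real block list.
TARGET_URLS = {
    "http://example.com/gallery/page-42",
    "http://subdomain.example.com/upload/file",
}

# Constructed sample of ordinary browsing by a user on the same ISP.
SAMPLE_URLS = [
    "http://example.com/gallery/page-42",
    "http://example.com/innocent_content",
    "http://blog.example.com/about",
    "http://subdomain.example.com/upload/file",
    "http://subdomain.example.com/contact",
    "http://unrelated.example.net/news",
    "http://notexample.com/",
]


def host_of(url):
    """Lower-cased hostname of a URL (the only part a DNS block can act on)."""
    return urlsplit(url).hostname.lower()


def domains_to_block(targets):
    """What the notifier hands the ISP under the DNS model: hostnames only.

    The path component of each notified URL is discarded here, which is the
    root cause of the overblocking measured below.
    """
    return {host_of(u) for u in targets}


def dns_blocked(url, blocked_domains):
    """True if a resolver lying for the blocked names would break this URL.

    A name is matched exactly or as a subdomain of a blocked domain (an ISP
    overriding the example.com zone also catches blog.example.com).  The
    leading dot in the suffix test matters: a bare endswith("example.com")
    would wrongly catch notexample.com as well.
    """
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in blocked_domains)


def url_blocked(url, targets):
    """URL-level matching: only the exact notified pages are affected."""
    return url in targets


def overblocking_report(sample, targets):
    """Compare the two schemes over a browsing sample.

    Returns the URLs each scheme blocks and the list of URLs blocked by DNS
    tampering that were never the subject of a notice (the overblocking).
    """
    domains = domains_to_block(targets)
    dns_hits = [u for u in sample if dns_blocked(u, domains)]
    url_hits = [u for u in sample if url_blocked(u, targets)]
    overblocked = [u for u in dns_hits if u not in url_hits]
    return {
        "dns_blocked": dns_hits,
        "url_blocked": url_hits,
        "overblocked": overblocked,
    }


if __name__ == "__main__":
    report = overblocking_report(SAMPLE_URLS, TARGET_URLS)
    print("blocked by DNS tampering :", len(report["dns_blocked"]))
    print("blocked by exact URL     :", len(report["url_blocked"]))
    print("overblocked (collateral) :")
    for u in report["overblocked"]:
        print("   ", u)
```

On this sample two notified pages cause five URLs to be unreachable, three of them innocent; each of those three visits would also be a DNS "hit" that, under the monitoring proposal, could trigger disclosure of that user's wider browsing.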

Given these problems, it must be hoped that these proposals are abandoned. But quite apart from these particular proposals, it is now also time to look at the other systems of internet filtering in Ireland that have developed on an ad hoc basis. In particular, Irish mobile phone companies have been engaged in self-regulatory blocking for some time (1|2), in a manner which often affects innocent users due to crude DNS systems. Similarly, the largest Irish broadband provider Eircom recently settled an action brought by the music industry by (amongst other things) agreeing to block access to The Pirate Bay and “related domain names”. These systems have developed without any real public scrutiny or oversight and it is time to consider the effect which they have on users, whether they are subject to adequate transparency and oversight mechanisms and whether or not they are effective at achieving their goals.

Thursday, April 07, 2011

Data breach law in Ireland - the current state of play

I had a very interesting morning at McCann Fitzgerald, who were kind enough to invite me in to give a legal update on data breaches. Here's a copy of the handout I provided: Lessons from laptop loss: Legal consequences where organisations lose personal data

Saturday, April 02, 2011

Irish Press Council now taking online only sites as members

The Press Council published its annual report for 2010 yesterday. It details some interesting cases (1|2) involving reporting which reuses material from social networking sites and blogs, but more importantly for Irish websites the launch also revealed that the Press Council is now taking online only media as members.

From the Irish Times:
With the increase in news gathering and reporting increasing on the internet, chairman of the Press Council Daithí Ó Ceallaigh said web-based organisations or publications could benefit by joining its independent regulatory regime.

“When this happens – and at least one new web-based organisation has already been accepted as one of the recent new members of the council – we are ready to play a positive role in light of our own experience in support of the highest possible journalistic standards.”

This is a significant development. Membership of the Press Council and adherence to its Code of Practice offers periodicals a significant benefit in establishing a defence of fair and reasonable publication on a matter of public interest. The narrow definition of "periodical" in the Defamation Act 2009, however, created doubt as to whether an online-only publication would qualify for membership.

Eoin O'Dell took the view that it wouldn't (a view which I shared) though the last Minister for Justice later took a contrary view, claiming that:
The question of whether publications existing "on-line" only, either now or in the future, wish to come under the umbrella of the Press Council - and abide by its code of practice - is a matter for those publications. Nothing in the Defamation Act precludes this. Neither have I noticed any express limitation of jurisdiction in the Articles of Association of the Press Council on membership by on-line publications. Some recent commentary from media experts seems to have missed this point.

The Press Council itself has now clearly taken the position that online-only periodicals are eligible for membership, which will certainly cause a number of Irish websites to consider joining.

One note of caution, however: it will ultimately be for a court to determine whether an online-only site is a "periodical" for the purposes of the defence of fair and reasonable publication. The views of the Press Council on this point will be relevant but certainly not conclusive.

Monday, March 28, 2011

Consultation on implementation of Telecoms Reform Package

There are just a few days left if you wish to comment on the Department of Communications proposals for implementation of the Telecoms Reform Package.

While there's quite a lot contained in the five sets of proposed regulations, the portions of most interest to me are the proposals regarding the revised E-Privacy Directive (.doc) which will implement a requirement for data breach notification along with new rules regarding cookies.

Curiously enough, there hasn't been much public debate in Ireland about the impact of the new rules regarding cookies - unlike the UK, where a similar implementation (which essentially copies and pastes text directly from the Directive) has been particularly controversial. This may be because the proposed Irish text is more business friendly in explicitly stating that browser settings can be used to show that users consent to cookies. However, it's still not entirely clear from the draft regulations whether this means that the technically unsavvy user will be taken to have consented where they fail to adjust their browser settings from what is (usually) the default "accept all cookies" option. (The Article 29 Working Party, for example, have taken the view that failure to adjust default settings does not amount to an affirmative consent.)

Update: The Department has now confirmed that it has extended the deadline for submissions to 15 April.

Friday, March 25, 2011

Analysis of the new Data Retention Act

Ronan Lupton (barrister and also chair of Irish telecom industry body ALTO) has written a particularly useful and well informed analysis of the impact of the new Data Retention Act on Irish law and has been kind enough to allow me to mirror it here:

The Internet in Society: Empowering or Censoring Citizens?

This video by RSA Animate is a superb visualisation of Evgeny Morozov's recent book The Net Delusion on cyber-utopianism and the impact of the internet on fundamental freedoms. While I don't agree with his overall conclusions, his cyber-realist argument is certainly a welcome corrective to a media tendency to believe in technological determinism and the inevitable spread of freedom via Facebook. His pessimistic views on the crowd-sourcing of surveillance and censorship are particularly insightful and present an interesting challenge for advocates of free speech online.

Monday, March 07, 2011

Impact of the Programme for Government

Daithi MacSithigh has written an excellent post on the new Programme for Government and what it means for technology law and policy in Ireland. There are some particularly interesting commitments on broadband, fair use and cloud computing, while filesharing gets a mention but without any detail as to what the new government plans to do.

Friday, February 25, 2011

Subject access requests up by 25% as employees seek to see HR files

Elaine Edwards has an interesting report from the Irish Computer Society Annual Data Protection Conference:
THE NUMBER of complaints from people seeking access to personal information held on them increased last year due to the economic downturn, with many people concerned about potential or actual dismissal from their jobs.

Data Protection Commissioner Billy Hawkes said yesterday the top item for complaints to his office in 2010 was about failure to respond adequately to requests for access to personal data.

Individuals have a right under the Data Protection Acts to be given this data. “In past years, the top spot was always occupied by unsolicited direct marketing,” Mr Hawkes said. “I think with the economic downturn we are currently suffering, we’ve seen increasing use of the right of access by people who are fearful that they are going to lose their jobs or, who sometimes may have lost them.

“They are using the right of access to see what exactly is going on in relation to them within a particular organisation, or to see was it justified that they should have been picked out for dismissal from the company.”

Daragh O'Brien has also put up a screencast of his presentation at that conference.

Update: Elaine Edwards has more from the conference here, discussing the need for reform of data breach reporting.

Sunday, February 20, 2011

Judge's report reveals allegations that Garda used phone records to spy on her ex

Mark Tighe has an important story in today's Sunday Times about apparent abuse by a garda of the data retention system. Unfortunately it's behind a paywall, but I've taken the liberty of scanning the hardcopy and placing it here as it raises a number of fundamental questions about the safeguards which are in place against abuse and the likelihood of further abuse now that the 2011 Act has extended data retention to internet use also.

Garda accused of bugging her ex-boyfriend

Mark Tighe

A FEMALE garda suspected of obtaining the phone records of her ex-boyfriend has been reported as the first person who may have breached phone-tapping rules introduced in legislation in 1993.

The case is highlighted in a report prepared by Iarfhlaith O'Neill, a High Court judge designated to monitor the state's phone-tapping activities.

Security sources say that the case involves a garda who was stationed in the force's crime and security division, which carries out spying and intelligence services. The garda is accused of obtaining phone records of her former boyfriend to track his movements and activities after they separated. The man became suspicious and complained to gardai because his ex-girlfriend allegedly knew details of calls he had made.

In a report to the Oireachtas earlier this month, O'Neill said that he investigated a number of alleged breaches of Section 64(2) of the Criminal Justice (Terrorist Offences) Act 2005. Under Section 64(2) no garda below the rank of chief superintendent can request an individual's phone records from a service provider to aid investigations of criminal offences.

O'Neill said: "These breaches are alleged to have been committed by a member of An Garda Siochana."

"As a result of my investigations, I was concerned that these breaches may have occurred. These alleged breaches are now the subject matter of a criminal investigation and also disciplinary proceedings under the garda disciplinary code."

O'Neill said that the extent of the alleged non-compliance with the 2005 Act had been "rigorously investigated and fully understood". He said all appropriate steps had been taken to ensure future compliance with the act.

The rest of O'Neill's report states that on November 18 last year he attended garda headquarters, then army headquarters in McKee Barracks and later the Department of Justice offices on St Stephen's Green.

In each location he reviewed documents relating to phone tapping and phone records and spoke to people involved in the operation of the act. He said that all his queries were answered to his satisfaction.

"As a result of the foregoing, I am satisfied that there is, as of the date of this report (November 26, 2010) full compliance with the provisions of the above acts," he said.

A spokesman for the Data Protection Commissioner (DPC) said that gardai had informed it of the apparent data breach last June.

Gardai refused to comment on the case.

Gardai and the Department of Justice have refused to release details of how many requests for phone records or how many phone taps are authorised each year. They say that such information is sensitive.

The Labour party has called for a review of the powers given to gardai to access personal records and said they should only be used in exceptional circumstances.

In 2007 the DPC said that, based on audits of phone companies, it estimated gardai were making 10,000 requests for citizens' phone records each year. Security sources say the figure is now likely to be closer to 15,000 as gardai regularly seek phone records to aid investigations.

Despite its resistance to publishing details about requests to access the phone records of private citizens, Ireland may be forced to do so by a 2009 European Council directive.

The directive requires member countries to legislate to provide their data protection commissioners with the number of requests made for phone records and the legal justification invoked.

Some quick thoughts:

The references to bugging and phone-tapping are misleading - what is alleged here (as I understand it) is that the garda accessed the phone records of her ex rather than actually listened to the contents of telephone calls.

There are, unhelpfully, no details given in the report as to how the abuse came to light or what changes will be made in future to prevent further abuses. (Continuing a fine tradition of opacity.) But a number of questions spring to mind.

When did the alleged abuse take place, and how long did it take before it was uncovered? Was the abuse discovered purely by chance? Is there an adequate internal audit trail of requests which are made? If so, who is responsible for reviewing that trail? Does the designated judge access a sample of requests from the preceding year to ensure that the surveillance was appropriate? If the designated judge will not provide this level of detail in the annual report then the Minister for Justice must do so to the Oireachtas if the public are to have confidence in this system. While the particular details of this case cannot be discussed until any criminal trial is concluded, it is remarkable that there is absolutely no discussion of the systems-level controls which are (or are not) in place.

Finally, when data breach notification is finally introduced as a legal obligation (whether under the revised e-Privacy Directive or the Data Protection Commissioner's Code of Practice) will it include a right to be notified of this type of breach also? Note that the Directive appears to impose a notification obligation on telcos only.

For more background on the allegations behind this story, see this Mail on Sunday piece from last year.

Friday, February 18, 2011

Irish local government says open source software not just for "sandal-wearers"

According to today's Irish Times, the Local Government Computer Services Board is moving towards open source software:
THE LOCAL Government Computer Service Board, a flagship Microsoft client, is moving to open-source software after nearly 10 years of allegiance.

The public sector body provides shared ICT services to local government and was a pioneering exponent of SharePoint, the Microsoft web-based product that is used as an intranet by many of the country’s 33 councils.

In 2001, the board signed a landmark €10 million contract with Microsoft, licensing end-to-end software from desktop to database for use across local government. It was renewed in 2005, but only after assistant director Tim Willoughby looked at the open-source alternatives.

At the time he expressed a reluctance to entrust local government IT platforms to a “sandal-wearing” community, preferring the level of support offered by Microsoft.

A number of factors have convinced Willoughby that the time is right to make the move, not least the fact that the computer service board has seen a 15-20 per cent cut in its IT spend and must make funds go further.

Interestingly, Willoughby also states that data portability was a factor in the decision - "we don’t want our data to be stuck in old infrastructure where we have to pay somebody to get it out".

The relevant request for information is available on eTenders.

The Local Government Computer Services also has a blog on open source software, which includes presentations from a recent local authority forum discussing issues associated with a move to open source.

For background on the relatively slow takeup of open source within the Irish government see this 2008 article from Pearse Ryan and Andy Harbison (PDF).

Monday, February 14, 2011

Importation and sale of mobile phone jammers now an offence

Comreg watchers will be interested to learn that it has today issued the catchily-titled Prohibition of Sale, Letting on Hire, Manufacture, and Importation of Wireless Telegraphy Interference Apparatus Order 2011. The statutory instrument does what it says on the tin, and makes it a criminal offence to import, sell, etc. jamming devices - in particular mobile phone jammers.

I'm not sure what prompted this action now (growing numbers of cheap jammers being imported via Hong Kong sites?) though it does plug a gap which was recognised as far back as 2004 when a Comreg consultation on mobile phone interceptors pointed out that the use but not the sale, etc. of jammers was illegal (Consultation Document | Response to Consultation).

Incidentally, there is an overlap here with offences under the European Communities (Electromagnetic Compatibility) Regulations also, as by their nature jammers cause excessive electromagnetic interference and so could not be lawfully put on the market.

(h/t Ronan Lupton)

Want to know how much your neighbour owes on his credit card? Try the Companies Registration Office

Edited 21/2/11: The story behind this post has since been removed by the Sunday Business Post from its site and a clarification printed:
In an article published on February 13 under the headline "Debtors’ personal details posted online by debt collection firm", we said that Cash Flow Services (CFS) had made personal details of almost 1,100 credit card holders available on the internet, through the Companies Registration Office.

We have been asked to point out, and are happy to clarify, that neither CFS nor any party acting on its behalf listed the names or outstanding debts of MBNA customers in any documents filed in the Companies Registration Office, nor did CFS post any debtors’ personal details online.

The Sunday Business Post apologises to CFS and its directors for any misunderstanding or confusion caused.

Saturday, January 29, 2011

The ISPAI are looking for a legal intern

This looks like an interesting job for a newly-minted law graduate:
ISPAI – The Internet Service Providers Association of Ireland Limited

ISPAI is the Industry Association that represents businesses operating in Ireland that provide publicly available Internet infrastructural and electronic services to customers both in Ireland and abroad. The Association deals with regulatory and legal issues which potentially impact the ISP business environment and affect all our members (see: www.ispai.ie). As part of this, ISPAI coordinates ISP industry self-regulation, administers the industry code of practice and ethics and runs the Hotline.ie service which supports ISPAI members to comply with Irish/EU law to respond to notices of illegal content and to assist international cooperation in this area.

ISPAI offers an intern opportunity for a post-graduate legal student who has a specific interest in the area of telecommunications and digital media law. This is a highly dynamic area with many new initiatives emerging as legislators, law enforcement and various lobbying groups realise the ubiquitous nature of the Internet and its role in shaping modern society. This is a unique opportunity to gain experience and to work with leading companies in the industry. It is strongly recommended for those intending to practise in this area.

It is intended that the selected Intern will follow proposed measures, draft legislation and other issues potentially affecting the ISP industry which are being developed at EU and national level. They will be expected to liaise with the EuroISPA secretariat in Brussels (see: www.euroispa.org) and ISP organisations. The internship will entail European travel to selected meetings or conferences.

The Intern will be expected to undertake research on the issues they will be assigned to monitor and write briefings for the internal information of ISPAI secretariat and members. They will also work closely with ISPAI staff to promote our views through our websites and develop press releases.

The internship will be of at least 9 months duration. It will be based in our offices located opposite the Sandyford Luas station in South Dublin. Working within the small ISPAI team, the Intern will report to the ISPAI General Manager. They will be expected to work at least three days per week. The position offers good opportunities for self-development and interaction with international counterparts.

The successful applicant must demonstrate:

• A reasonable knowledge of using various Internet services (web, peer to peer, etc.) and methods used in web based services and be proficient using Microsoft Office products such as Word, Powerpoint and Excel.
• Familiarity with the legal issues surrounding the internet in Ireland, such as the E-Commerce Directive, online defamation and/or "three strikes" and similar systems. The successful applicant must have a law degree and is likely to have taken at least one module covering related issues.
• Good verbal, presentation and writing skills which are essential. Proficiency in a major European language in addition to English would be an advantage.
• A diligent and accurate approach to completing tasks and an ability to work to deadlines with minimal supervision.

Training on technical principles of Internet communications and digital content distribution will be given. Please note: this internship will involve possible exposure to information relating to assessments of potentially illegal pornographic imagery and other content, within the context of ISPAI Hotline.ie operations. This is indemnified under strict procedures agreed with Government and overseen by the Department of Justice and Law Reform, Office for Internet Safety (www.internetsafety.ie) and approved by An Garda Síochána.

Expenses will be given for travel, accommodation and subsistence for approved work-related activities outside the office and a nominal stipend will be available.

Please provide by email to legalintern2011@ispai.ie, your CV and a covering letter of no more than one A4 page explaining why you should be awarded the Internship.

Closing date for applications: Tuesday 15th February 2011.

Saturday, January 22, 2011

Finance Bill taxes internet betting sites - will this lead to blocking of offshore sites?

In my last post I looked at the possible implications of the Finance Bill for Irish computer crime and data protection laws. I missed, however, another important aspect of the Bill, which is that it will extend betting duty to internet betting sites. (In my defence, I didn't read all 223 pages of the Bill and don't plan to do so any time soon. The relevant provision is s.46, at p.186.)

According to the Taoiseach, this extension of duty will be matched by a new requirement that offshore providers obtain a licence to offer their services in Ireland:
The Government will introduce legislation to ensure that overseas betting providers comply with a licensing regime that will permit them to sell their products into our jurisdiction.

So what happens if the offshore providers decide not to play ball? It might not be a coincidence that the Department of Justice has been considering the introduction of internet filtering for some time now - and officials in the Department's Gaming Control section have been taking part in this discussion (PDF released under FOI - see item 49). I can't help but suspect that there will be calls for ISPs to block access to offshore sites which don't pay this new tax - and there have been some European developments in this direction already.

Watch this space.

Friday, January 21, 2011

Finance Bill 2011 - impact on Irish data protection and computer crime law

I'm indebted to Rossa McMahon and Daragh O'Brien for pointing out (via Twitter) two interesting provisions in the Finance Bill 2011 (PDF).

Section 71 creates a new revenue offence of possessing or using computer tools for the purpose of evading tax:
71.—Section 1078 of the Principal Act is amended in subsection (2), by inserting the following after paragraph (b): "(ba) knowingly or wilfully possesses or uses, for the purpose of evading tax, a computer programme or electronic component which modifies, corrects, deletes, cancels, conceals or otherwise alters any record stored or preserved by means of any electronic device without preserving the original data and its subsequent modification, correction, cancellation, concealment or alteration,
(bb) provides or makes available, for the purpose of evading tax, a computer programme or electronic component which modifies, corrects, deletes, cancels, conceals or otherwise alters any record stored or preserved by means of any electronic device without preserving the original data and its subsequent modification, correction, cancellation, concealment or alteration,".
This would appear to cover a wide range of software and hardware, including encryption and steganography software and secure deletion tools. (Though not the encryption of the Anglo files, unless it could be shown that those files were encrypted for the purpose of evading tax.)

Section 73, meanwhile, creates what is in effect a parallel data protection system for the Revenue. Although too long to quote in full, an interesting aspect is that it creates a new offence of unauthorised disclosure of information:
(2) All taxpayer information held by the Revenue Commissioners or a Revenue officer is confidential and may only be disclosed in accordance with this section or as is otherwise provided for by any other statutory provision.

(3) Except as authorised by this section, any Revenue officer who knowingly—
(a) provides to any person any taxpayer information,
(b) allows to be provided to any person any taxpayer information,
(c) allows any person to have access to any taxpayer information, or
(d) uses any taxpayer information otherwise than in the course of administering or enforcing the Acts,

shall be guilty of an offence and shall be liable —
(i) on summary conviction to a fine of €3,000, and
(ii) on conviction on indictment to a fine of €10,000.
I wonder whether this amendment may have been prompted by the publicity attached to these recent examples of wrongdoing by Revenue staff.

Wednesday, January 19, 2011

Cloud computing complications costing Celtic companies

The lack of an appropriate regulatory environment, standard due-diligence checklists, and standard SLAs are an economic barrier to vibrant young technology companies providing cloud-based technology solutions to enterprises that need a greater level of protection than is currently on offer. The costs of developing such offerings and dealing with due-diligence queries and contract negotiations may be beyond the financial resources of a start-up.

Professional service providers who wish to avail of the efficiencies of cloud services may decide that they are not equipped to conduct due diligence or agree SLAs without the help of specialist consultants. This is an impediment to Irish businesses reducing their costs and increasing their competitiveness through the adoption of cloud technologies.
Reamonn Smith (solicitor and member of the Law Society's Technology Committee) argues for "a clearer regulatory and legal environment" in relation to cloud computing in the Law Society Gazette (PDF, p.24).

Friday, January 14, 2011

Data breach notification - ENISA study released

ENISA - the European Network and Information Security Agency - has just published a study (PDF) on data breach notification. The research was carried out as part of the process of implementing the notification requirement in the revised e-Privacy Directive, and aims to develop consistent guidelines throughout Europe for the technical and procedural issues surrounding breach notification. Some highlights from the summary (text in [brackets] is my own interlineation):
[Views of telecoms operators]

The telecommunications sector recognises that data breach notifications have an important role in the overall framework of data protection and privacy. Nevertheless, operators are seeking support and guidance on an EU and local level over a number of issues, which if clarified, would better enable European service providers to comply effectively with data breach notification requirements. Key concerns raised by telecom operators include the following:

● Risk prioritisation – The seriousness of a breach should determine the level of response. In order to prevent ‘notification fatigue’ for both the operator and the data subjects, breaches should be categorised according to specific risk levels.

● Communication channels – Operators want assurances that notification requirements will not negatively impact their brands. It is important for operators to maintain control of communications with relevant data subjects, as much as possible, to ensure that operators can effectively manage any impact on brand perception brought about by the data breach and subsequent notification.

[If operators want to avoid negative impact on their brands it might be more productive to avoid data breaches in the first place.]

● Support – In preparation for mandatory notification requirements, operators are looking for support in terms of guidance on procedures. In particular, guidance should provide a methodology for categorising types of private data and combinations of private data, as well as how to proceed with notifications based on the level of risk attributed to each breach.

[Views of Data Protection Authorities]


Data protection authorities (DPAs) take varied approaches to enforcing data protection and privacy. Some follow EC Directives closely, while others take on additional responsibilities beyond those outlined in the Directives. Although there are exceptions, the majority of DPAs surveyed in this study support mandatory notifications for telecom operators. Those that did not support mandatory notifications mostly indicated that budgetary limitations were a key factor in influencing their opinion. As notifications are not yet mandatory in most countries, regulatory authorities have little experience in handling notifications. Since regulatory authorities have a number of responsibilities, there are concerns that additional duties must not interfere with pre-existing responsibilities. Notifications are not viewed as a number one priority for most authorities. A smooth transition to mandatory notifications will consequently depend on a resolution to a number of factors, outlined here:

● Resources – Budgetary allocations for regulatory authorities should reflect new regulatory responsibilities. Concern has been raised that resources at some regulatory authorities are already occupied with other priorities. Bandwidth for additional responsibilities is limited.

● Enforcement – DPAs indicated that sanctioning authority enables them to better enforce regulations. Data controllers will be less incentivised to comply with regulations if regulatory authorities do not have sufficient sanctioning powers. Some authorities indicated that financial penalties are seen as the most effective tool for pressuring data controllers to comply, while others indicated that public criticism and black lists could be effective too.

● Relevant authorities – Local legislation will determine who the relevant authority is for regulating data breach notifications in the telecommunications sector, when mandatory notification requirements are transposed into local legislation. Although many data protection authorities indicated they are communicating effectively with other authorities already, it is important for legislation to clearly delineate relevant responsibilities, in order to mitigate or prevent potential conflicts.

● Technical expertise – In some cases, businesses have a high level of technical sophistication, which allows them potentially to conceal valuable information regarding breaches from regulatory authorities, which do not have comparable resources and expertise. Hiring new staff with relevant expertise is important in order for regulatory authorities to remain effective.

● Awareness raising – A high public profile is an important element in demonstrating the influence of regulatory authorities. A common strategy in communicating the importance of data protection to the public could be useful in better educating data subjects about their privacy rights, and the role of notifications in the overall framework of data protection.

[Areas of conflict]


Smooth implementation of data breach notification procedures requires close cooperation between data controllers at the service providers and the relevant regulatory authorities. While most operators and regulatory bodies surveyed recognise the importance of notifications, there are a number of issues where interests of the parties involved might conflict.

● Undue delay – Regulatory authorities want to see a short deadline for reporting breaches to authorities and data subjects, in order to prevent controllers from concealing evidence and also to give data subjects ample time to protect themselves. Service providers, however, want their resources to be focused on identifying if the problem is serious and solving the problem, instead of spending time reporting details, often prematurely, to regulatory authorities.

[This is an important point which is sometimes overlooked. In some breaches - such as those of credit card details - it will be essential that individuals be notified immediately so that they can e.g. cancel cards. Other breaches - such as those of healthcare information - may be just as serious but aren't likely to be as time sensitive. However, the fact that the affected individuals may not need to be notified immediately must not become an excuse for failure to notify the relevant DPA as soon as possible.]

● Traffic monitoring – Private data belonging to employees or customers running over a corporate network remain a challenging issue for both regulatory authorities and operators. Telecom operators are often requested to monitor and analyse traffic data on behalf of their customers, particularly in cases where companies want to monitor the actions of their employees. In this context, regulatory authorities see traffic monitoring as a privacy risk, due to the fact that employers may be exchanging private information on the corporate network, to which the employers would then have access.

● Content of notifications – The content of the notifications can have a direct impact on customer relations and retention. Operators want to make sure that the content of the notifications does not impact negatively on customer relations. Regulatory authorities, however, want to see that the notifications provide the necessary information and guidance in line with the rights of the data subjects.

● Audits – One service provider indicated that it performed its own security audits internally, with the aim of detecting and solving any potential vulnerabilities that could result in data breaches. The operator believed that its internal expertise was sufficient to ensure it was using the latest techniques for securing data and compliance with regulations, suggesting its expertise surpassed that of the national regulatory authorities. Regulatory authorities, however, indicated that their ability to perform audits and spot checks provides the authority necessary to enforce compliance.

[Extension of notification to other sectors]


While the recent telecoms reforms make notifications mandatory for telecom operators, there remains ongoing debate about extending mandatory notifications to other sectors.

● Telecommunications operators: In comparison to other sectors, regulatory authorities indicated that telecommunications operators ranked high in terms of their security measures and ability to limit data breaches.

Telecom operators have at their disposal some of the top networking, communications and security experts. But this is true mostly for the larger operators. Smaller alternative operators and local ISPs do not necessarily have resources comparable to the large international companies and incumbent operators.

● Finance sector: Finance institutions are considered to be at great risk, due to the sensitive nature of the data they possess. Nonetheless, financial institutions are already subject to regulations across Europe, with regulations being enforced by various bodies, including central banks. Consequently, extending data breach requirements to financial institutions would require careful coordination with other responsible authorities, which may already require incidents of data breaches to be reported.

● Healthcare: Data protection authorities regularly pointed to the healthcare sector as an area of high risk. Due to the large amount of very sensitive private data stored on doctors’ and nurses’ laptops, which are often unencrypted, there is high risk for exposure or leaks.

● Small businesses: Small businesses pose a major challenge. Collectively, they have a lot of personal data, but individually they do not have resources or know-how to secure their data. Due to the sheer number of small businesses, regulation would prove challenging. Educating and making businesses aware would require significant efforts and resources. As more and more small businesses develop online strategies, the risk for exposure is increasing.

Thursday, January 13, 2011

Job opportunity: Privacy and surveillance

I received a very interesting job opportunity in my inbox this morning, which might be of interest to some readers of this blog:
Senior Research Analyst

Trilateral Research & Consulting, a London-based consultancy, specialising in research and the provision of strategic, policy and regulatory advice on new technologies, privacy, trust, surveillance, risk and security issues is seeking to engage a Senior Research Analyst to work on one or more new projects. Specific duties of the position include:

  • Performing research work related to current projects, writing reports or sections of reports and developing other deliverables as required to fulfil contractual obligations.
  • Researching and writing content for grant proposals and tender submissions.
  • Writing content for peer-reviewed journal articles and book chapters, as part of projects, or as an outgrowth from projects.
  • Attending and/or presenting at some project-related meetings, involving some level of travel outside the UK.

Preferred candidates will be based in the UK, will have English as their native language and will have recently completed a PhD in an area of study related to security, privacy, data protection, surveillance or a related field.

Contact:
David Wright
Managing Partner
Trilateral Research & Consulting
www.trilateralresearch.com
david.wright@trilateralresearch.com

or

Kush Wadhwa
Senior Partner
Kush.wadhwa@trilateralresearch.com