By Kevin Cahill
The Justice Committee of the European Parliament has set the scene for a major showdown with the US over data transfers between the EU and the US by setting a 1 September deadline for the US to come into compliance with EU law.
At issue is Privacy Shield, the non-legal, non-binding replacement for ‘Safe Harbour’, a failed agreement between the EU and the US struck down by the European Court of Justice in October 2015.
Privacy Shield, activated in July 2016 by the Commission, provides for disputes between EU users and US corporations to be settled in the US, by an ombudsman appointed by the US Department of Commerce. The ombudsman’s appointment has not been ratified by the US and the agreement itself has not been ratified by the US Congress or government.
In a motion that now goes to the full European Parliament in July, the Committee Chair, London-based Labour MEP Claude Moraes, notes that the Article 29 Group of EU regulators failed to meet a 25 May 2018 deadline to solve outstanding issues with the US. The committee supported his call for the regulators to consider sending the matter back to the European Court of Justice if nothing had happened by 1 September.
The Committee did note the fact that the Irish High Court’s Judge Caroline Costello has already referred Privacy Shield to the European Court on May 2nd 2018, as one of her 11 questions arising from the failed implementation of the Court’s judgment and the earlier finding of fact by the Irish High Court that the US was engaged in “mass and indiscriminate surveillance” throughout the EU via its PRISM programme.
The Justice Committee raised a string of concerns about Privacy Shield, including whether the idea of a US ombudsman was compatible with the rights of EU citizens, but avoided the hot potato of PRISM, the actual surveillance programme that was the target of the original European court findings of unlawful (and, in the UK, criminal) mass surveillance.
However, the Committee put the US on clear notice of how serious the situation is by warning that the reauthorisation of section 702 of the US Foreign Intelligence Surveillance Act (FISA) places in question the legality of Privacy Shield. Under FISA the US considers itself to have the legal right to impose mass and selective surveillance on all foreign citizens, in their home countries, irrespective of local laws.
The motion in the Justice Committee was passed by a narrow majority of 29 to 25 with 3 abstentions, a foretaste of the likely battle in the full Parliament. In Brussels the US internet giants are mounting a massive lobbying campaign to persuade the European Parliamentarians to ignore local concerns and let the US carry on mass and selective surveillance in the EU.
The Committee placed considerable reliance on negotiations between the Article 29 Working Party of regulators and the US authorities, overlooking the fact that the Article 29 Working Party is just that, a working party, and may not have any legal authority to negotiate a settlement. Questions about the legal status of the Article 29 Working Party put to the European Justice Commissioner Vera Jourova by Computer Weekly over several weeks have not been answered.
The European Court of Justice may not have a hearing into crucial questions about the legality of the EU-US data transfer system for at least 18 months according to a spokesperson for the Court.
On 2 May the Irish High Court’s Judge Caroline Costello sent 11 controversial questions about data transfers to the US to the EU’s highest court in Luxembourg.
These included a query as to whether the ‘Privacy Shield’ agreement is valid. The questions are currently being translated into the 24 official languages of the EU.
An adverse response by the Court could have implications for the recently introduced GDPR legislation and leave some US internet companies facing huge compensation claims under earlier laws.
The European Court of Justice must hear all parties to the litigation in Dublin, that gave rise to Judge Costello’s questions, as well as various EU bodies, a spokesman confirmed to Computer Weekly.
One of the Dublin defendants was Max Schrems, the Austrian privacy campaigner. He was, in effect, put in the dock in Dublin by the Irish Data Commissioner, alongside Facebook, the company he had complained about.
The case could see Schrems facing 69 legal teams: 28 teams from the EU member states, 28 teams from the 28 independent EU data regulators, another 9 teams from the original corporations found to be engaged in “mass and indiscriminate surveillance”, and 4 other legal teams, including the US Government, from the Dublin litigation.
The 56 legal teams from the EU and the regulators will all be funded by the EU taxpayer and, from current indications, will be siding with the US Government in trying to persuade the Court to ignore the questions. Rather than face the spectacle of a lone Schrems as the only champion of 504 million EU citizens’ privacy rights, the Court is likely to order some kind of consolidation of the litigants.
Schrems has recently launched a $3.8 billion law suit against Facebook and Google in the Austrian, Belgian and German courts under the new GDPR legislation.
These complaints may be referred to the Irish Data Commissioner Helen Dixon, who regulates Facebook and Google across all 28 EU member states.
Schrems has complained that Irish litigation costs are “insanely high”. He is still waiting to have his original complaint to the Irish Regulator from 2011, reformulated in June 2013, fully investigated as ordered by the Irish High Court and the European Court of Justice.
An online training initiative promises to make information security accessible and understandable to journalists, confidential sources and whistleblowers.
Snowden’s revelations of the extent of UK and US state surveillance were a wake-up call to journalists, sources and whistleblowers to take information security more seriously.
Across the world, governments are taking an increasingly hostile approach to journalists and the brave individuals who feed them information to expose wrong doing, hypocrisy and unethical behaviour by those in power.
In the UK, since the passing of the Investigatory Powers Act last year, a wide range of government bodies beyond the police and the security services have been given legal powers to access journalists’ phone, email and internet browsing records.
They include the NHS, the Department of Work and Pensions, and the Food Standards Agency, among many others.
As a result, journalists, whistleblowers and sources need to become more sophisticated in the way they use electronic devices to communicate if they are to guarantee confidentiality to their informants.
Dangers of phoning or emailing sources
Protecting the identities of individuals who are brave enough to pass on information in the public interest has always been a fundamental principle of journalism.
Nicky Hager, an investigative journalist in New Zealand who faced jail after exposing corruption in New Zealand’s National Party government, following a clearly politically motivated police raid, summed it up beautifully in an interview last year.
“If you’re meeting a source, you don’t ring them, you don’t email them and you don’t take your phone. That is pretty simple,” he said. “If you contact the source by phone you are a bloody idiot these days.”
Journalists need infosec training
Information security should feature in every journalism training course. The problem is, the technology can be difficult to use and understand, both for journalists and especially for their contacts.
Organisations like the human rights group Liberty, and the Centre for Investigative Journalism (CIJ) have been offering great classroom courses in information security, which explain how to minimise the risks of exposing confidential sources and journalistic material to prying authorities.
But an initiative launched today, Infosec Bytes, promises to make this training more widely accessible to journalists and would-be sources.
It features a series of highly accessible, jargon-free training videos, funded by the Logan Foundation, and created by security specialists at the Centre for Investigative Journalism.
They explain, in non-technical language how to use security tools to protect journalistic work, and offer a screen-by-screen guide on how to install and use security software.
The first in the series explains how to install and use the Tor browser – to carry out research on the internet anonymously – in a way that is highly accessible to anyone, whether or not they have a technical background.
Others are on their way that will explain end-to-end encryption, the use of secure operating systems, and how to encrypt computer files.
The videos, which will also be useful for lawyers, campaigners and whistleblowers, are a great starting point for understanding and using information security.
Journalists dealing with the secret state, or stories that may have life and death consequences, as the CIJ acknowledges, will probably need to seek additional advice from information security professionals.
Abuse of powers
There are safeguards in the Investigatory Powers Act that require state agencies to seek a warrant from a judicial commissioner before using surveillance powers to identify journalistic sources.
But history shows that it is tempting for the state to use surveillance under the radar to identify and deter government employees who have the temerity to leak embarrassing material to journalists.
In the UK, Cleveland Police was criticised for using the Regulation of Investigatory Powers Act (RIPA) to unlawfully monitor journalists suspected of receiving embarrassing information about the force from police insiders.
Meanwhile, the US has virtually declared war on leakers. President Obama used the 1917 Espionage Act, introduced to prosecute spies during the First World War, to prosecute more leakers and whistleblowers than all previous administrations combined.
There is no indication that the Trump presidency shows any more sympathy with those who pass on information to journalists.
But it’s easy to get carried away. As investigative journalist Duncan Campbell has pointed out, most day-to-day stories will be of no interest to the electronic intelligence gathering agency GCHQ or its US counterpart, the NSA.
“There are a huge number of stories, from tracing contamination in food to medical scams to corruption in business, where there’s not the remotest possibility that the extensive capability of NSA and GCHQ, and those they share with, is not going to be allowed anywhere near those who might seek to interdict the source of this journalism,” he said, quoted in the study “No More Sources?” by Paul Lashmar.
That is why one of the videos promised by the Infosec Bytes project will be particularly important – how to model threats and conduct risk assessments – so that journalists can take precautions that are proportionate to the risks.
Infosec Bytes is an important contribution which will hopefully lead to more journalists understanding and using information security technology appropriately to protect their confidential sources.
A guest blog post from Kevin Cahill
The Lizard Squad are as mysterious as their logo: a large, bow-tied frog, monocled, smoking a pipe and sporting a Santa hat. They are accused of having brought down Facebook, Microsoft, Sony and, most recently, the Malaysia Airlines web site.
Members of the Lizard Squad make their claims on Twitter. But their attack on Malaysia Airlines was a re-routing exercise: visitors to the web site were redirected to a false site. Malaysia Airlines claims that the main site itself was not actually hacked. Various parties claiming to be the Lizard Squad say otherwise.
The mystery is why a group that is so active, with billions of dollars of supercomputers ranged against them from business, GCHQ, the NSA and other government bodies, is evading detection or discovery. And how dangerous are they?
The BBC has twice tried to track them down without success. Quoting a report from Arbor Networks, an American security consultancy with offices in London and a home base in Arlington, Virginia, all it got was studied ambiguity, at least about Lizard Squad.
Darren Anstee, Arbor’s spokesperson, told the BBC that “attacks were being mounted by different groups and had grown considerably in size, from about 100 gigabytes in 2011 to about 400gb in 2014”.
He continued: “In 2014 we see more volumetric attacks, with attackers trying to knock people offline by saturating their access to the internet.”
Based on arrests around the UK for hacking activity, the signs are that Lizard Squad is a random group of gamers, showing off to each other or just ‘having a go’.
Anstee seemed to support this when he concluded that “hacktivists, hacker groups such as Lizard Squad and gamers who wanted revenge on other players were the biggest users of Distributed Denial of Service (DDoS) tactics.”
McAfee VP and Chief Technical Officer, Raj Samani told Computer Weekly that Lizard Squad’s attacks follow a similar pattern.
“The majority of recent hacks attributed to Lizard Squad have followed a particular modus operandi. The group has focused on DDoS attacks and Twitter hacks to create high profile incidents which achieve the greatest publicity.”
The hacking of American singer-songwriter Taylor Swift’s Twitter account this week, also attributed to Lizard Squad, is no exception, said Samani. “This group is concentrating on attacks which promote their own status as hackers.”
The pace of arrests and convictions in the UK would seem to support this conclusion. The last convictions were in April 2014, of four people connected to the LulzSec group. They were convicted for hacking Sony, News International and the CIA three years before, in 2011. There have been two subsequent arrests.
Kevin Cahill FBCS, CITP (FRSA, FRGS, FRHistS) is a professional fellow of the British Computer Society
Mobile computing, social media, cloud and big data are top of CIOs’ priorities, says Software AG COO.
The four forces of social media, cloud, mobile computing and big data are at the top of business leaders’ agendas right now, says Darren Roos, Chief Operating Officer of Software AG.
The topic was one of the key themes that came out of Software AG’s user conference, Innovation World, in October 2013.
CIOs, for example, snapped up business cards from nine start-up firms offering technology based on each of these four forces, said Roos.
And as these technologies come into play, companies will spend more on IT, rather than less, Roos argues.
He talks about research presented by venture capital firm Andreessen Horowitz, which shows that IT budgets rise with each new wave of technology.
“What is going to happen is more money is going to drift to technology. When that money is going to be spent on innovation and competitive advantage, its going to be easier to get that spend,” he says.
That spend may not come from the IT department – it could equally come from marketing, or HR or other parts of the business.
Software AG’s focus is on supplying the middleware technology that will make this innovation possible – what Roos calls the innovation and agility layer.
Innovation is likely to drive more Software AG technology acquisitions over the next 12 months.
But that is unlikely to include Business Process Management or Enterprise Service Bus technology: “We believe we are the best in the market,” he says.
“We certainly will continue to make acquisitions. We live in a world where you are either being acquired or you are acquiring. The market will continue to consolidate,” he says.
Software AG’s markets are likely to remain static, but the company plans to grow by taking market share from competitors.
It claims to be the market leader in South Africa and Germany for business process modelling, management and integration.
That leaves plenty of potential market share to capture in other geographies.
“We are seeing growth globally in our business process engineering business. The growth we are seeing is outpacing the market, because we are able to win market share from other businesses,” he says.
His advice to CIOs, as the business clamours for new technologies, is to focus on business value.
“Do it incrementally, step by step, and focus on how the business sees value. Don’t do it for the sake of technology,” he says.
In this guest blog post Vaughan Shayler explains how a benchmarking initiative by CompTIA, a non-profit trade association which advances the interests of IT professionals and IT companies, can help IT departments gain confidence in choosing the right IT supplier.
We live in a referral-based world. Whether you’re researching a new smartphone or tablet, seeking a new day-care provider for your children or looking for a house cleaning service – you want to be sure you’re making the right decision. If we hire someone, we look at their qualifications; if we buy a computer, we look for trusted brands and read reviews.
CompTIA is aiming to allow the world of ICT to do the same, by providing an internationally recognised benchmark which shows solution providers meet an industry approved level of service and professionalism. We have worked closely with IT companies and solution providers to agree various best practice standards, and developed methods to validate these.
The result is two levels of business Trustmark. CompTIA’s IT Business Trustmark validates an ICT business’ basic demonstration of sound business practices and its ability to provide quality service. The Accredit UK Trustmark+ takes things up a level as an advanced, fully audited standard providing the logical next step for ICT businesses seeking to position themselves for growth.
CompTIA business standards are available for a wide range of ICT businesses including those providing communications infrastructure; software product design and development; ICT consultancy; solutions and support; and e-media and e-commerce. They are designed to help the companies themselves prove their abilities and help those outsourcing IT services to identify people to work with.
Companies that hold the CompTIA IT Business Trustmark have successfully navigated a process that digs into their internal operating procedures, reviewing their service agreements, systems and tools for delivering their services. These companies have demonstrated sound business practices and an ability to provide quality service.
Mark Lambert, technical director at Bear IT – a company that has held the IT Business Trustmark for nearly a year now – said the Trustmark has boosted the company’s reputation. “This whole process has enhanced our current certifications and shows our customers that we are a committed IT company,” he said.
Companies that hold the Accredit UK Trustmark+ have gone through a fully audited process that includes examination of organisational management, company direction, business generation, service delivery, operations and customer relations. These companies have passed the audit by showing their ability to develop and deliver best-in-class ICT solutions and services to their customers and prospects.
Tracy Pound, managing director at MaximITy, first pursued the Accredit UK Trustmark+ designation as a means of differentiation. “It sets me apart from my competition, demonstrates that I’m serious about running a professional business in a professional way, helps ensure that I have a structured and measured approach to growth and makes me accountable for what I do to an external body,” she said. MaximITy has held the Accredit UK Trustmark+ for over three years.
The confidence that having an independent benchmark inspires is a two-way street. “In addition to the customer or prospect taking confidence from us having this credential, our own confidence grows in knowing that we’re externally audited and can prove that we have a structured approach to client work that is to the benefit of the client,” Pound said.
More than 150 ICT companies have attained either the IT Business Trustmark or the Accredit UK Trustmark+. A complete list of credential holders is available on the CompTIA Trustmark Directory.
Vaughan Shayler is director, channel strategy at CompTIA.
Thanks to Nathalie Nahai, The Web Psychologist, for this guest blogpost.
You don’t need to be a designer to understand the impact that colour can have on first impressions.
Whether it’s the eponymous woman in red (from Little Red Riding Hood to Number Six, the dangerously seductive Cylon), or the allure of a wide expanse of blue (open skies from our ancestral savannah), the power of colour has long been documented in our offline world.
Although colour meanings can vary dramatically from culture to culture, if I asked you to think of a sexy, hot, aggressive colour, chances are you’d think of red. And if I asked you to call to mind a soothing, cool colour, you might think of blue. It’s a simple association exercise, but one that hints at what a growing body of research is discovering: that colour can have a profound influence on our emotional, psychological and even physiological state.
Online, the impact is no less striking. The difficulty is finding a comprehensive, silver-bullet theory that realistically covers effective colour use, simply because the reality is far too complex to be reduced to such terms. The fact is that when it comes to persuasive colour use online, there are a multitude of variables you must consider if you are to communicate your message persuasively.
Everything from your cultural context (such as your age, ethnicity and gender) to your psychological makeup (learned associations) can influence the way in which you interpret and respond to colour. And with an increasingly global audience, knowing which colours to use when designing a website can be tricky at best.
There are a few rules of thumb you can follow, however.
For instance, research has shown that using blue as the predominant colour for a website can elicit feelings of trust and security, which may be why it has become de rigueur for so many financial institutions (especially given the current economic climate). What you may not know is that the colour blue can also warp our sense of time, making websites on slow connections appear to load more quickly.
Yellow, on the other hand, is best avoided in web design, especially when considering it as the dominant colour for e-commerce sites – it’s one of the few colours that appears to be ubiquitously disliked regardless of culture or creed.
There are of course always exceptions, and when it comes to designing for a particular audience your best bet will always be to do your research first and reflect the preferences of your target market. But whatever your message, one thing is certain – colour has a powerful way of communicating meaning.
Getting that meaning right is up to you.
Nathalie Nahai is an award-winning speaker, Web Psychologist, and author of ‘Webs of Influence: The Psychology of Online Persuasion’.
With the ongoing breaches of personal data by public sector organisations and resultant calls by the privacy watchdog for greater penalties, it seems the UK is making no progress on data protection.
Just this week the Information Commissioner’s Office (ICO) issued a monetary penalty of £120,000 for the loss of an unencrypted, non-password-protected USB memory stick containing sensitive personal data.
Have UK data handling organisations learned nothing in the past five years?
“We are seeing the same pattern we did in the run up to the HMRC data breach in 2007,” says Stewart Room, partner at international legal firm Field Fisher Waterhouse.
He believes the increasing monetary penalties against public sector organisations like the Greater Manchester police are the first rumblings ahead of another major data breach.
It remains to be seen whether there will be another data breach that will equal or exceed the HMRC fiasco, but the ongoing breaches nonetheless prove that UK data protection is not getting better.
Did the government’s data handling review after the HMRC breach really achieve anything?
In many senses, the data handling review appears to have had an effect that did not last much more than a year, according to Room.
“The fact that organisations like the Manchester Police are still storing sensitive data on unencrypted USB memory sticks indicates that they are slipping back into bad practices; the data handling review seems largely forgotten,” says Room.
He suspects we could be on the verge of another HMRC-style data breach because history appears to be repeating itself in terms of data protection, but how bad will it have to be to make a real difference?
The ICO argued long and hard for the monetary penalties, but they seem to be making little impact. Is there any point in continuing the way we are, simply waiting for HMRC-2, or is it time to do something completely different, before there is another major data breach?
Fortunately the HMRC breach so far does not seem to have had any devastating effect on the lives of the people whose data was lost, but that may not be the case next time around.
urchases), I have to confess that I think I may be some way off bringing in my own device.
On a recent training course, I opted to travel light by taking my own iPad and leaving the laptop at home. To my surprise, I was able to survive. I am also certain that the technology will come of age.
The trouble is that enabling the technology is only a small part of the change required. Much like bringing your own lunch, it sounds good in theory but can be problematic in practice. I draw some comparisons from my recent experience:
You need to set aside preparation time
Preparing my lunch for the next day requires a bit of thought, not least trying to work out what I think I might want to eat by the time midday comes.
Similarly, when I packed my iPad instead of my laptop, I had to think very carefully about the work I would be doing the next day.
Would I be able to access everything that I need? What would I do if someone asked me to work on a document that my iPad wouldn’t be able to load?
It might taste a bit different
In the same way that I am not capable of rustling up a coffee shop-quality chunky soup, there are differences between my own device and the corporate offering.
I found myself pining for my trusty laptop on more than one occasion in order to do just that little bit more.
You have to find a suitable container
When using your own device, you need something to ‘contain’ the IT services on the device to allow them to be used securely.
Much like my collection of Tupperware, your company needs to select the right one for the job. Without a container, you are really limited to basic webmail (or soup all over the inside of your work bag).
Everyone else’s looks better than yours
As I place my carefully crafted delicacy in the fridge, I often find myself envious of the leftover tagine with couscous occupying the top shelf.
As organisations move to BYOD, will this spawn a new wave of device envy? Someone on the training course has brought with them their iPad 3. I already feel inferior – no one judges or takes any notice of my trusty laptop!
From the outset, BYOD seems like a great idea. But as with many things, there are a few obstacles that I need to overcome, even when the technology is available.