Download as PDF
Blog Article
Next month I'll be going to an academic conference on Google Spain and the "Right to be Forgotten" (actually, "right to be delinked") so I thought I'd better organise my thoughts on why, as a provider and user of communications and information services, the decision worries me. And I am much more worried by the decision itself and the train of proposed law it seems to have created than by how Google has responded.
Blog Article
The Counter-Terrorism and Security Act 2015, which received Royal Assent last week, has some network-related provisions among its various powers relating to terrorism. Section 21 adds further "relevant internet data" to the list of information that public telecommunications operators may be required to retain about the use of their networks and systems.
Blog Article
Tilmann Haak's presentation at this week's TF-CSIRT/FIRST meeting was on incorporating security requirements into software development processes using agile methods, but his key points seem relevant to any style of software or system development:
Blog Document
I've done a couple of presentations this week, comparing the risks and benefits of Bring Your Own Device (BYOD) with those that research and education organisations already accept in the ways we use organisation-managed mobile devices. As the title of my talk in Dundee asked, "What’s the Difference?"
Blog Article
During a recent conversation about learning analytics it occurred to me that it might be helpful to analyse how universities use student data in terms of the different justifications provided by UK and European Data Protection Law.
Blog Article
"Is scanning lawful?" sounds as if it ought to be a straightforward question with a simple answer. However investigating it turns out to be a good illustration of how tricky it is to apply real-world analogies to the Internet, and the very different results that different countries' legislators (and courts) can come up with when they try.
Blog Article
Recently we had one of our regular reviews of security incidents that have affected the company in the past few months. All three – one social engineering attack, one technical one, and one equipment loss – were minor, in that only limited information or systems were put at risk; all were detected and fixed, to the best of our knowledge, before anything was accessed that shouldn't have been. If we had only been looking at data breaches they probably wouldn't even have made it to the agenda.
Blog Article
Reading yet another paper on privacy and big data that concluded that processing should be based on the individual's consent, it occurred to me how much that approach limits the scope and powers of privacy regulators. When using consent to justify processing, pretty much the only question for regulators is whether the consent was fairly obtained – effectively they are reduced to just commenting and ruling on privacy notices. And, indeed, a surprising number of recent opinions and cases do seem to be about physical and digital signage.
Blog Article
The steady growth in the use of encrypted communications seems likely to increase next year given recent announcements on both web browsers and servers. That's good news for security people worried that their users may be sending sensitive information such as passwords and credit card numbers over the Internet.
Blog Article
Although it's now almost three years since the European Commission published their proposed General Data Protection Regulation, it seems unlikely that a final text will be agreed even in 2015. That means we'll be stuck for at least another year with the 1995 Directive, whose inability to deal with the world of 2015 is becoming increasingly apparent.
