Download as PDF
Blog Article
Four years ago, Jisc responded to the Board of European Regulators of Electronic Communications (BEREC) consultation on network neutrality to point out that some security measures cannot just be temporary responses by the victims of attacks, but need to be permanently configured in all networks to prevent them being used for distributed denial of service and other attacks. This applies, in particular, to blocking of spoofed addresses, as recommended by BCP-38.
Blog Article
[Updated Oct.19 to add EDPB on Necessary for Contract and ICO on Consent]
[Updated Sep.18 to repair links broken by the demise of the Article 29 WP website]
[Updated Oct.17 to include an example where multiple justifications are appropriate]
Blog Article
The European Data Protection Board's (EDBP) latest Guidelines further develop the idea that we should not always expect relationships involving personal data to have a single legal basis. Although the subject of the Guidelines is the legal basis "Necessary for Contract", much of the text is dedicated to pointing out the other legal bases that will often be involved in a contractual relationship.
Blog Document
Following on from my previous blog post on the possible uses of wellbeing analytics, we'd very much welcome comments on this latest draft of our Code of Practice. Note that this includes the maximum safeguards from all legal bases that seem likely to apply, so even if our continuing investigations conclude that some of those bases are not appropriate, the Code's recommendations are unlikely to change significantly.
Blog Article
Monica Whitty's keynote at the FIRST Conference (recording available on YouTube) used interviews at organisations that had been victims of insider attacks to try to understand these attackers – and possible defences – from a psychological perspective.
Blog Article
Leonie Tanczer's FIRST 2019 keynote (recording now available on YouTube) looked at more than a decade of European discussions of whether/how to regulate the Internet of Things (no, I didn't realise, either) and how we might do better in future.
Blog Article
Merike Kaeo's keynote "Waking Up the Guards" at the FIRST 2019 conference (recording now available on YouTube) highlighted how attacks on the internet core no longer target a single service (naming, routing, signing) but move between these to achieve their hostile result.
Blog Article
Apparently Miranda Mowbray had been wanting to do a talk on "Things that Go Bump in the Night" for some time, and it made an excellent closing keynote for the 2019 FIRST conference in Edinburgh (recording now available on YouTube).
Blog Article
An interesting talk from Rockwell at this year's FIRST conference looked at how to organise incident response in environments containing network-connected hardware devices. Though Rockwell's focus is on industrial machinery, the same ideas should apply to smart buildings and other places where a security incident can cause physical, not just digital, harm. This is not the only difference: connected hardware devices tend to be much more diverse than PCs, and they are expected to have much longer lifetimes.
Blog Article
While colleagues are looking at whether data can be used to pick up early signs of mental health and wellbeing problems, I'm exploring possible legal frameworks for doing that safely. As the diagram shows, trying to deliver an early warning service to all students falls into a gap between three reasonably familiar areas of data protection law:
