Privacy

Reading yet another paper on privacy and big data that concluded that processing should be based on the individual's consent, it occurred to me how much that approach limits the scope and powers of privacy regulators. When using consent to justify processing, pretty much the only question for regulators is whether the consent was fairly obtained – effectively they are reduced to just commenting and ruling on privacy notices. And, indeed, a surprising number of recent opinions and cases do seem to be about physical and digital signage.

Although it's now almost three years since the European Commission published their proposed General Data Protection Regulation, it seems unlikely that a final text will be agreed even in 2015. That means we'll be stuck for at least another year with the 1995 Directive, whose inability to deal with the world of 2015 is becoming increasingly apparent.

I was invited to give a presentation on legal and ethical issues around information sharing at TERENA’s recent security services workshop. The talk highlighted the paradox that sharing information is essential to protect the privacy of our users when their accounts or computers have been compromised, but that sharing can also harm privacy if it’s not done correctly.

At the FIRST conference this week I've heard depressingly many incident responders saying "our lawyers won't let us...". Since incident response, done right, should actually support the law's objectives, it seems we need to be smarter, and maybe a bit more assertive, about explaining how incident response and law interact.