Privacy

17 June 2014 at 4:21pm
One of the challenges in finding an appropriate legal framework for incident response is that for many types of incident you don’t know in advance what information you are likely to receive. Rogier Spoor of SURFnet discussed one of the most common situations – cleaning up after a botnet infection – at the TERENA Networking Conference last month. Although SURFnet’s approach is designed to comply with Dutch, rather than UK, law, it seems a reasonable fit for our legislation too.
23 May 2014 at 11:47am
A thought-provoking talk at the TERENA Networking Conference by Barry Smyth of the Insight Centre for Data Analytics suggested both the possibilities and the problems of big data, and some of the decisions that society needs to make soon about how we do, and do not, use it to maximise benefits and minimise harms.
22 May 2014 at 7:10am
A number of people have asked me what the recent European Court judgment in the Google “right to be forgotten” case means; here’s why I have been answering that I don’t know!
17 May 2014 at 12:16am
Thanks to the generosity of my host, AusCERT, I’ve been able to spend this week in Queensland at AusCERT’s annual conference. Whilst not part of the Australian NREN AARNet, AusCERT fulfils a similar role to Janet CSIRT and provides incident response services to the Higher Education sector in Australia.
25 April 2014 at 12:03pm
I was recently invited by the Groningen Declaration Network to join a panel discussing privacy issues around the exchange of digital student records. Like the discussion, this summary is a collaborative effort by the panel team.
14 April 2014 at 11:13am
At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches that affect the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected.
8 April 2014 at 9:38am
The security of computers, data and networks is now a matter of importance to everyone who uses them. Computers connected to a network, whether local or wide area, are exposed to many threats against their effective operation and the safety and privacy of the data they hold.
4 April 2014 at 9:57am
[Updated with further information and suggestions provided by CSIRTs: thanks!]
30 October 2013 at 1:52pm
I’ve had a few discussions recently where people talked about the ‘new risk’ of Bring Your Own Device (BYOD), but then mentioned risks – loss/theft of device, use in public place, etc. – that already exist on organisation-managed mobile devices. Turning that around, it struck me that one way to develop a BYOD policy might be to start from the mobile device policy you already have. I’d be interested in comments on how this approach might work.
28 October 2013 at 11:03am
A law that promotes Privacy by Design and Data Minimisation ought to encourage the use of indirectly-linked identifiers, which allow processing to be done separately from, or even without, the ability to identify the person whose information is being processed. However European Data Protection law has never really worked out what these identifiers are. The resulting regulatory uncertainty discourages the use of indirectly-linked identifiers to protect privacy and may even result in obligations that create new privacy risks.