Friday, July 27, 2012

Thought for the day

Optimists look at a glass of water filled 50% and say it is half full
Pessimists look at the same glass as half empty

A security person looks at the glass and says "how do I know this is water and not some deadly chemical"

Chris Cunningham

Friday, June 1, 2012

Cookie Guidance from the UK ICO

In 2002 the European Directive 2002/58/EC laid the groundwork for the protection of privacy in electronic communications. This was amended in 2009 by Directive 2009/136/EC, commonly referred to as the “cookie rule”. This directive required governments in the EU to implement these changes in their own laws by May 25, 2011. The UK ICO allowed for a “lead-in period” of one year, and that year is now up. On May 25th, the UK ICO published its recommendations on the directive, how the UK ICO views the issues and requirements in the directive, and some insight into how enforcement actions may take place within the UK. This is a valuable resource for organizations operating websites in the UK.



As should be anticipated, any cookies that are not strictly necessary or any cookies that handle sensitive data should get extra attention, since you can be assured the DPAs will be paying special attention to them. This is an area where explicit consent should be obtained.

A couple of items from the guidance should be noted by any organization using cookies on its website, especially cookies that track users' actions across multiple sessions.


• Explicit consent is not a requirement in all cases
• Users on the site should be conspicuously advised of the use of cookies on the site, and of their choices on allowing the cookies.
• The exception for a cookie being “strictly necessary” should be used very narrowly
• Make the use of third-party cookies very clear to the end-user



Friday, February 24, 2012

How a carrot and a stick relate to US privacy legislation

Yesterday, the Obama Administration released their latest efforts to effect real privacy standards and legislation in what they are calling the Consumer Privacy Bill of Rights. The paper, entitled Consumer Data Privacy in a Networked World outlines several measures that will drag the US, kicking and screaming, into the development of a real privacy standard that will rival the European and OECD standards and directives.
The plan is broken down into several areas. First, there is a Consumer Privacy Bill of Rights that is similar to the OECD Privacy Principles, albeit unnecessarily complicated and duplicative. Secondly, the Bill of Rights would be implemented in Codes of Conduct that industry would need to develop in concert with the government’s “assistance”. Thirdly, the FTC would be the enforcer of these codes of conduct similar to their current role. Lastly, the plan calls for a Federal breach notification standard and calls for enforceable federal legislation that would enable mutual recognition by other countries. To date, Congress has failed miserably in every attempt to enact Federal data privacy legislation, so I applaud the Administration for trying the carrot approach, since the stick has not been effective.

Consumer Privacy Bill of Rights

The Obama Administration is hoping that, even if Congress does not implement Federal legislation, this will be the starting point for industry discussion and the beginning of privacy standards that can be used by businesses and industries. The Bill of Rights is similar to the OECD standards and includes:

• Individual Control
• Transparency
• Respect for Context
• Security
• Access and Accuracy
• Focused Collection
• Accountability

Codes of Conduct

The plan calls for companies and groups to develop these codes of conduct in cooperation with the FTC and the National Telecommunications and Information Administration (NTIA). The enforcement powers would most likely be given to the FTC under Section 5 of the FTC Act, similar to how the FTC now brings actions against organizations for unfair and deceptive trade practices. Any Federal legislation resulting from this should preempt state laws to the extent they are inconsistent with the Federal law.

Time will tell if the plan will advance privacy legislation and improve consumer protection, but it is already an improvement on anything we have seen come down from Capitol Hill – which is nothing. If this indeed moves forward, the next step will be gaining recognition by the EU, but forgive me if I don’t hold my breath on this just yet.

More to come on this topic as it develops.

Tuesday, July 19, 2011

Working Party Opinion on Consent 15/2011

On July 13 the Article 29 Working Party issued Opinion 15/2011 on the definition of consent.

In their words:
“The Opinion provides a thorough analysis of the concept of consent as currently used in the Data Protection Directive and in the e-Privacy Directive. Drawing on the experience of the members of the Article 29 Working Party, the Opinion provides numerous examples of valid and invalid consent, focusing on its key elements such as the meaning of "indication", "freely given", "specific", "unambiguous", "explicit", "informed" etc. The Opinion further clarifies some aspects related to the notion of consent. For example, the timing as to when consent must be obtained, how the right to object differs from consent, etc.”

The opinion, all 38 pages of it, answers some of the questions that face many organizations when it comes to tactical privacy decisions involving consent. It has many real-world examples, and gives great insight into the WP's thinking on possible future changes. It is easy to fall into the trap of only looking at 95/46 and not taking the various member state implementations into account, and consent is no exception to this rule.

Following are some items to consider when making decisions based on consent.

- Currently, the Council’s definition of consent is:
"any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed"
- Consent should not be used as an exemption from the other data protection principles; you still need to process for purpose, use limitation, openness, etc.
- Consent is a weak basis for justifying the processing of personal data, and loses even more value when stretched to cover items outside the original scope of the processing; consent given for other purposes is not sufficient to prove consent
- Subjects should be able to exercise a real choice when consenting, and negative consequences for non-consent are not a good idea (duh!)
- Consent must be specific, and for the exact purpose of the processing
- Controllers should review data subjects’ choices periodically
- Consent should be verifiable, and you should maintain proof of the consent
- Consent in the case of sensitive personal data must be explicit
- Explicit consent in the on-line world may be a clickable button, but not the lack of clicking or un-checking a default. In other words, inaction typically will not be viewed as valid consent
- Be careful when using consent in the employment context. The WP’s stance on employee consent remains as it was in WP 48 and WP 114:

"where consent is required from a worker, and there is a real or potential relevant prejudice that arises from not consenting, the consent is not valid in terms of satisfying either Article 7 or Article 8 as it is not freely given. If it is not possible for the worker to refuse it is not consent.… An area of difficulty is where the giving of consent is a condition of employment. The worker is in theory able to refuse consent but the consequence may be the loss of a job opportunity. In such circumstances consent is not freely given and is therefore not valid. The situation is even clearer cut where, as is often the case, all employers impose the same or a similar condition of employment.”
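As an added illustration (not code from the original post, the ICO or the Working Party), the JavaScript below turns the ICO cookie points above and the consent items in this list into a cookie-setting decision: the strictly-necessary exemption stays narrow, consent is purpose-specific, a pre-checked box or inaction is not consent, and the decision is kept as a verifiable record that is re-checked over time. The cookie names, purposes, notice versions and in-memory jar are constructed for the example.

```javascript
// Added example, not from the original post. Cookie names, purposes and the
// in-memory "jar" are constructed; a real site would write document.cookie or a server-side store.

// Purpose of each cookie. Only "necessary" is exempt from consent, and that exemption
// is kept narrow: a session cookie for the user's own cart, nothing more. Third-party
// cookies are flagged so the notice can call them out explicitly.
const COOKIE_PURPOSES = {
  session_id:   { purpose: "necessary",   thirdParty: false },
  analytics_id: { purpose: "analytics",   thirdParty: false },
  ad_tracker:   { purpose: "advertising", thirdParty: true },
};

// Record an explicit consent decision as verifiable proof (what, when, how, against
// which notice). Consent must come from an affirmative action such as a click;
// a pre-checked box or doing nothing is not consent.
function recordConsent(purposes, evidence, now = Date.now()) {
  if (evidence.action !== "click") throw new Error("consent needs an affirmative action");
  if (evidence.preChecked) throw new Error("a pre-checked default is not consent");
  return { purposes: [...purposes], timestamp: now,
           action: evidence.action, noticeVersion: evidence.noticeVersion };
}

// May this cookie be set? Unknown cookies are refused, strictly necessary ones need no
// consent, everything else needs consent for its specific purpose (consent to
// analytics does not cover advertising), and no record at all means the user did nothing.
function maySetCookie(name, consent) {
  const meta = COOKIE_PURPOSES[name];
  if (!meta) return false;
  if (meta.purpose === "necessary") return true;
  if (!consent) return false;
  return consent.purposes.includes(meta.purpose);
}

// Apply the gate to a batch of cookies; returns the cookies set and those withheld.
function applyConsent(requested, consent) {
  const jar = {}, withheld = [];
  for (const [name, value] of Object.entries(requested)) {
    if (maySetCookie(name, consent)) jar[name] = value; else withheld.push(name);
  }
  return { jar, withheld };
}

// Choices should be revisited: a record is stale once the cookie notice has changed
// or the record is older than maxAgeDays.
function consentNeedsRefresh(consent, currentNoticeVersion, maxAgeDays, now = Date.now()) {
  if (!consent) return true;
  const ageDays = (now - consent.timestamp) / 86400000;
  return consent.noticeVersion !== currentNoticeVersion || ageDays > maxAgeDays;
}
```

With no record, applyConsent sets only the session cookie; a click-based record for "analytics" alone still withholds the third-party advertising cookie.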

Wednesday, November 24, 2010

help - I got groped at the airport, but the mall is still vulnerable

First – not all of us are terrorists, especially the 80-year-old grandmother and the 10-year-olds you are groping. However, if the United States government continues its current trend of invasion of privacy and near molestation of American citizens, it may be well on its way to becoming a terrorist state. Additionally, it appears as if we are already being terrorized, given the number of ridiculous steps one has to take when flying, and we have done nothing to increase our security.

OK, that was my rant, and I will attempt to deliver the rest in a logical manner, taking security and risk into account.

There is a great quote regarding security that, paraphrased, states that the protector has to be right 100% of the time but the attacker only has to be right once. There are a lot of targets for attackers (note that I am not using the word terrorist, but I include them in this categorization): shopping malls, restaurants, crowded bus and train terminals, trains, buses, subways, concerts, schools, etc. It is impossible to protect all of these locations 100% of the time from 100% of attackers. Furthermore, you have to classify the risks and distribute your finite amount of protection against them in a manner that reduces, but never eliminates, the risk. This has to be balanced with protecting the rights and freedoms of the very people you are trying to protect in the first place, or you have accomplished nothing and the people intending to harm you (the attackers) have actually terrorized you and accomplished their main goal. I could go on discussing the need for intelligence and actual police work, which is the only thing that has ever stopped attacks or terrorist activity, but instead I am focusing this post on aviation security alone.

The government has once again based its security posture on a reaction to a specific threat and not on the overall risks to commercial passenger aviation. The shoe bomber tried to detonate a device in his shoe, so we all remove our shoes; the underwear bomber tried to detonate a device in his pants, and now we are all getting groped and having naked images of ourselves taken when we fly. There was a device disguised as a toner cartridge, so now we can no longer bring those on board. In the old days, I had to make my pager beep so that the security people knew it was not a bomb, and every time I did this the same thought ran through my head: “If someone could make a pager into a bomb, they could damn sure make it beep when they wanted”.

The new procedures will still not be able to find explosives hidden in or on the body; anyone who has worked in a prison will tell you that for certain, and let you know how you would have to search someone to find them - let’s just say it ain’t pretty. People with medical devices or prosthetics will be especially embarrassed by the latest tactics, and in the end the TSA agent will still not know if the insulin pump contains anything we should not let on a plane. It is still far easier and less risky to get a job as a baggage handler or ramp employee and smuggle explosives onto a plane than it is to bring them through the front door, or to simply mail the explosives in a cargo container. There are hundreds of other means as well, but again we are discussing a specific threat and need to be discussing risks and countermeasures at a broader level. In disaster planning, you don’t plan for a plane crashing through your building; you plan for any occurrence that could harm an employee or the facility and plan accordingly. Again, I am only speaking of aviation security here, and there are many more targets that are far easier than an aircraft to attack.

Ask yourself this: would the current tactics have stopped the 9/11 terrorists? No. That event was a black swan, not anticipated by the countermeasures in place at the time, and the next event may not be either. If we continue down the road of reacting to every event with draconian measures that undermine our privacy and freedoms, we will have accomplished nothing, not made our country any safer, and spent a lot of money in the process. We need to ensure that police are on the job, that the intelligence community gets the resources and recognition it desperately deserves, and that we look at all of our risks and not just the one that the last terrorist used.

Tuesday, March 9, 2010

Out of the mouths of babes

My 6-year-old, upon entering the room and noticing my wife's laptop was in the grips of a blue screen of death, remarked, "just turn it off and back on again."

She is well on her way to an MCSE certification.

Tuesday, January 5, 2010

The Fruit Wars

I don’t read fiction books, and anyone who reads this blog can attest that I am not a great writer either, but here is my first attempt at fiction. The conversations and meeting transcripts below take place in the mythical land of Securitavia between their leader, Supreme Overlord Goober, and General Really, his most senior advisor. Securitavia has just suffered a widespread grape attack from their neighbor to the East, where they were viciously pelted with grapes thrown over the 3-foot picket fence that separates Securitavia from their neighbor. SO Goober wants actions and answers and has called General Really to his office.

May 3

SOG – These grape attacks can never happen again, we must do something about it and quick.
GR – I would suggest strengthening our defenses and intelligence to combat these fruit attacks
SOG – I like the intelligence idea, after all we are going to need someone to blame if this happens again. What I really think we need is a grape embargo, and some anti-grape defenses. Grapes are small and light, so I think a 10 foot lace curtain should be plenty
GR – Sir, I beg to differ, but what if they change their tactics? I mean we shouldn’t base our defenses on their current tactics, but instead attempt to reduce our threats to a wider range of attacks.
SOG – Nonsense, get me some anti-grape technology, and let’s really focus on that one item.


June 1st

Securitavia’s neighbors to the East are now using straws to spit pomegranate seeds through the holes in the lace curtain erected previously, and the anti-grape shield that was installed has been of little help against this new strategy. The banning of grapes within the area has also left the innocent, non-grape-throwing people with no grapes to eat. Our story picks up again in the offices of Supreme Overlord Goober and General Really.

SOG – how could this have happened?
GR – Well, Sir, we only protected ourselves against a grape attack
SOG – Whose dumb idea was that?
GR – I wonder
SOG – well what should we do now?
GR – I would suggest we increase our intelligence budget, spend more money on recovering from these attacks, and look at our defenses across the board including processes for fruit management, and near picket fence access procedures.
SOG – Couldn’t we just blame the intelligence agency?
GR – Sir, I really don’t think that will help
SOG – Nonsense, blame them and let’s ban pomegranates and straws in the entire region.


July 5th

Securitavia has suffered another attack, this time by a Securitavian citizen who attacked an 18-wheeler full of pigs with a homemade watermelon cannon. SO Goober is surprised at how this could have happened; the neighbors to the East were all on the no-grape and no-pomegranate list. Once again he calls General Really to his headquarters.

SOG – We need more money for protection against pig transports immediately. I love my ribs and bacon, and by God no one is going to jeopardize that.
GR – Sir, we simply can’t protect everything, but we can get more police on the streets to patrol, and reduce our risks somewhat. We also need to pay attention to first responders for any type of emergency – not just your dinner.
SOG – No that doesn’t sound right
GR – Really?
SOG – What we need are armed guards on all of the pig transport trucks to guard against this type of thing

Frustrated by the senseless spending and ridiculous measures that offer no security, but instead place costs and burdens on the majority of non-fruit throwing people of Securitavia, General Really takes a job in the private sector – where the same conversations happen. Supreme Overlord Goober eventually retired, got chubby and moved to Miami, leaving the security concerns of Securitavia to his successor.