No Safe Harbour for data in European eyes

The European Court of Justice ruled this week that the Safe Harbour agreement, in place since 2000, is now invalid.  This story was originally covered in our blog in March 2015.

This is likely to create a sea change in where and how organisations hold their data. With clear guidance yet to follow, in what could be a confused few months of local and conflicting regulation, there may yet be a scramble for urgent interim measures among both European and US businesses (about 5,000 US businesses make use of the arrangement) that rely on Safe Harbour for the free flow of information between the territories.

Designed to be a “streamlined and cost effective” way for US firms to get data from Europe without breaking the rules, the Safe Harbour agreement allowed US firms to collect data on their European users and store it in US data centres as long as certain principles around storage and security were upheld (e.g. giving notice to users and advising them on how the data can be accessed and by whom). Given the surveillance pressure exerted by the security agencies, as revealed in the Snowden leaks, the safeguards were viewed as not being upheld.

It is not just about Facebook (whose use of private data was challenged in a lawsuit brought by privacy campaigner Max Schrems), though the news will have a big impact on tech giants such as Facebook, Google and Twitter, who may have to build new data centres in Europe in response to this decision. It reflects the differences between the two cultures: in the EU, data privacy is treated as a fundamental right, whilst in the US, other concerns which might conflict with it are sometimes given priority.

In the patchy interim, authorising the “export” of data will require the two bodies involved to draw up new “model contract clauses” setting out the US organisation’s privacy obligations.
For Data Controllers, this will be something of an administrative nightmare and will likely push up costs and cause delays. Managed Service Providers had better be thinking about their customers’ data with a sharper eye this week.


IBM and Apple monitor our health

We first reported IBM and Apple’s joint venture partnership in our blog of 18th July 2014 with AppleCare for enterprises.

The boom in fitness trackers and health apps has prompted the tech giants to make commercial inroads on the opportunities arising from analytic technologies.  IBM has set up a new health unit to create “a secure, cloud-based data sharing hub” as part of their “employee health and wellness management solutions” with the aim that it will provide diagnoses or health alerts for GPs, carers and insurers in future, with the user’s permission.

IBM aspires to offer greater individual insights into people’s health and, to advance this strategy, has bought Explorys (which owns one of the largest healthcare databases in the world) and healthcare specialist Phytel (which works with digital medical record systems to reduce hospital readmissions and automate communications). Added to this, Apple iPhones provide ResearchKit, free software for gathering health data, which Apple states has already been used to develop apps to study asthma, breast cancer, cardiovascular disease, diabetes and Parkinson’s disease.

US consumer technology and wearables supplier Jawbone is trying to engage businesses with its fitness trackers as a way to monitor the health of a company’s workforce. Where does this leave the end user or employee? For a start, if a company sought to monitor the health of an employee, consent would have to be given freely, with the ability to withdraw that consent at any time.

Insurers are also keen to get in on the act, with companies like the UK’s Vitality offering rewards to policy holders for undertaking certain activities whilst wearing their devices. Are we reaching the point, though, where data analytics ultimately lead to cover being withheld, rather than merely premiums going up or down?

The latest UK Government stats show that 61.9% of adults and 28% of children aged between 2 and 15 are overweight, with a higher risk of developing Type 2 diabetes, heart disease and certain cancers. The cost of health problems associated with being overweight and obese is estimated to cost the NHS more than £5 billion every year.

For GPs, gathering data which gives a broader and more accurate picture of exercise undertaken and calories consumed could alter health directives on the amount of sleep we need, or which exercises are most effective.

Gazing into the NHS’ future, a carrot and stick approach accompanied by bold educational messaging on health reform for UK citizens may be the tough approach needed by the next Government. However, to succeed, with an NHS in crisis on funding and struggling to hold onto the GPs through whom the future frontline is directed, many of its processes and systems will have to go digital. This comes back to having data shared securely with privacy maintained and strict governance on who it is shared with – and that is a big promise to keep.


This week’s technology news – 27th March 2015

Are you really YOU online?

Cifas have published Fraudscape, their annual survey of 277,000 fraud cases from 245 members spanning a range of UK sectors. With cyber security issues topping the chart of risks for business in 2014/15, ID fraud is becoming the largest emerging threat: as increased vigilance by business and consumers has begun to reduce the number of accounts being hacked or taken over, cyber criminals are turning their attention to using other people’s identities or creating new false identities. It is estimated that 758 frauds occur every day in the UK, a rate of 31 per hour (among Cifas members alone), and the Department of Health estimates there were an eye-watering 30 million cases of prescription fraud in 2014.

The survey findings report:

• 41% of all frauds recorded in 2014 involved criminal abuse of personal data or ID details to impersonate someone or create fictitious ID to steal money.
• 113,839 cases of ID fraud were recorded in 2014, up by 5% on 2013.
• Average victim’s age was 46.
• Men are twice as likely as women to have their ID stolen.
• Emerging trend for young adults (21-30) being targeted (up 51% since 2011 to 14,850), reflecting this group’s increased use of financial products.
• The 55+ age group has witnessed a 15% rise in ID fraud victims from 2013 reaching 25,346 in 2014.

Read the full survey at:  https://www.cifas.org.uk/fraudscape_latest

Cifas CEO Simon Dukes described ID fraud as being on an industrial scale, “The frauds we are recording point to increasingly sophisticated, predatory and organised criminals”.  Cifas acknowledge that the stats may be the tip of the iceberg as this is only what has been reported by their members and is on public record.

The true extent is expected to be far greater, as the UK statistics which form the starting point for data gathering are understandably challenging to compile, and much goes unreported. The Department for Business, Innovation and Skills figures record the following baselines:

• There were 5.2 million private sector businesses in the UK at the start of 2014.
• 180,000 charities (England and Wales)
• 560 central government bodies
• 400 local authorities
• 150 NHS Trusts

Then there are the individuals who have suffered fraud. Collating reports from across 5.4 million organisations and identifying how many of 60 million people have suffered fraud therefore requires some degree of estimation (and the figures do not include SMEs in the private sector, which according to the Federation for Small Businesses account for over 99% of all private sector businesses in the UK and almost 50% of private sector employment).

But the warning bells are there for us all. The last recorded stats from the now disbanded National Fraud Authority (NFA) put the cost of fraud to the UK economy at £15.5 billion in 2013. The Cifas fraud cases are routed to the City of London Police, but few of Cifas’ members know the point at which an ID was compromised, which would help target prevention efforts.

WHAT TO DO? Any organisation which has not taken steps to increase resilience by improving its firewalls, beefing up ID authentication and encryption, and having sound antivirus and anti-malware software in place could be placing itself and its customers at unnecessary risk. Reporting ID fraud and data breaches as standard has the potential to strengthen national security learning if government and industry can work more closely together. Added to this, education and awareness training amongst employees and consumers is a must as we find ourselves in an ever more cynical world surrounded by criminal intent.


Threat to Safe Harbour Agreement in Euro court

Europe’s highest court, the European Court of Justice (ECJ), will shortly be reviewing how Europeans’ data is shared with US companies in a landmark case which questions the effectiveness of the US Safe Harbour Agreement.

Brought by activist Max Schrems off the back of Edward Snowden’s whistleblowing, the complaint is that companies such as Facebook (by being complicit in Prism, an NSA surveillance system) are ignoring privacy practices, and that the Safe Harbour Agreement should be scrapped in favour of local regulators acting to protect Europeans’ data.

The Safe Harbour agreement (in place since 2000) allows US firms to collect data on their European users and store it in US data centres as long as certain principles around storage and security are upheld (e.g. giving notice to users and advising them on how the data can be accessed and by whom).

UK data regulator Ofcom are reported to have said at the hearing that scrapping Safe Harbour would “risk disrupting trade that carries significant benefit for the EU and its citizens”.

If the complaint is upheld, the decision would have severe repercussions for any US firm dealing with Europeans’ data, including giants such as Twitter, Google, Microsoft and Yahoo. Twitter commented they would be forced to build datacentres in Europe to hold separated info. Facebook has not responded formally, although the BBC has reported that the social media behemoth would welcome an update of the Safe Harbour rules post Snowden.

For UK organisations where the issue of sovereignty is important, let alone the level of data protection required, the issue is likely to drive them to preserve and protect their customers’ data by having it reside only in UK datacentres, to avoid the risk of losing control of the data at any time and having to deal with regulators and data laws in other jurisdictions.


Microsoft’s future career as a carrier

Microsoft has been delivering text, voice and video services for many years to both consumers and businesses across phones, tablets and PCs. Their current offerings are Skype and Lync, with the latter soon to be rebranded Skype for Business. Over 100 million people now use Lync to communicate at work. This week Microsoft announced that Skype for Business would include an enterprise-grade PSTN connection to Office 365 Skype for Business.

Microsoft’s strategic partners (including AT&T, BT, Colt, Equinix, Level 3 Communications, Orange Business Services, TAT Communications, Telstra, Verizon and Vodafone) will be working together with Microsoft to deliver secure and direct connections to Office 365 Skype for Business customers through Azure ExpressRoute for Office 365. Azure ExpressRoute leverages partners’ networks to provide a private, dedicated and high-bandwidth connection that bypasses the internet – essentially making Office 365 an extension of your on-premises environment, whether you’re on site or not.

Skype for Business can handle all of an organisation’s communications, and with Azure ExpressRoute and their partners providing a direct connection rivalling traditional communication companies, Microsoft is essentially placing itself in the carrier business.

This will offer businesses a one-stop-shop for a secure communication package, which is where Microsoft is aiming this offering – for now. In principle this technology could be used on a commercial device. The user, instead of buying a phone, minutes and texts from a high-street carrier, could order a Windows 10 phone with a subscription to Office 365 that includes minutes and texts through Skype direct from Microsoft.

Whether or not Microsoft ties these devices and services together in such an offering, its potential does highlight the importance of Microsoft’s strategic partnerships, which benefit all parties – not just Microsoft – going forward.


Troublesome domains

When browsing the internet – or even securing your own website – you will likely only worry about a few TLDs (top-level domains), the most common being .com, .net and .org. In recent years there has been an explosion of new TLDs, with the number now available rising to over 650.

One of the most recent TLDs, “.sucks”, has been stirring up trouble. It’s easy to see how this new domain could be a serious nuisance: all it takes is for someone to take your company’s name and register the “.sucks” domain, and they have the perfect virtual home in an ideal location to poke mischief and maliciousness at your brand, with the potential of you losing big business.

The initial answer for most will be simple: buy the domain before anyone else can and cause trouble. But this is where it gets ugly. The group who purchased the rights to sell “.sucks”, called Momentous, is charging astronomical fees of $2,500 for “.sucks” domains. To a major organisation this could be small change, amounting to no more than regular IT admin housekeeping; for SMEs or professional individuals, however, the cost is extortionate – and every business will need to calculate the risk of a third party taking over this domain and the potential cost of damage to its brand in doing so.

ICANN, the international body that supervises all things internet, including the creation and approval of new TLDs, clearly decided that “.sucks” was fit for purpose. Whether ICANN is itself fit for purpose, in thinking that such a domain name could be positive in any way for business, is risible.

Organisations are now left with a wholly unnecessary headache and unwanted financial outlay if they are to insure against potential negative outcomes.  Hopefully a sharp backlash from disapproving businesses will make ICANN recognise their folly – and in future only permit the release of sensible domain names that add value to the internet.


This week’s cyber security news – Friday 16th January 2015

Three different tales of terrorism mark the end of 2014 and the start of 2015 and make cyber security the hot topic for 2015:

Picture this – don’t let it happen to you
In December 2014 we witnessed the fallout from the attacks on Sony Pictures, which destroyed data and hardware and proved very costly with the leak of a slate of films due for release. Whether or not North Korea was behind it, the events and the studio’s initial capitulation damaged its brand inexorably. Cyber attacks are highly challenging and pose a serious threat to a company’s economic stability and security, as well as its wider reputation.

With foreign governments, hackers, criminals and the disaffected all probing computer networks daily, this New Year marks a timely opportunity for organisations to prevent their own “Sony situation” by assessing and identifying any potential infrastructure weaknesses, updating processes, educating staff and raising awareness – and implementing new, tighter measures and governance procedures to assure customers.


Securing communications data – an acceptable price for us Charlies?

On Friday 9th January 2015 two tragic terrorist attacks concluded in Paris, with the perpetrators treated as criminals and shot.

Incidents like this are frightening and a prompt for sombre reflection. Behind the Paris attacks is the multifarious use of the internet, social media, email, telephone and mobile communications connecting individuals and groups, to inform global audiences on extreme topics and ideologies. This has accelerated so fast in the last 15 years that it makes control of such communications, and intelligence gathering, challenging but highly essential if nations are to have any chance of preventing the next atrocity.

Both the UK and the US are responding by seeking to toughen up their legislative processes to track communications. In the UK, the Government wishes to collect data in bulk from all sources, including social media, irrespective of the citizen (from child to grandparent). They believe this effort, by intercepting communications, would help identify new perpetrators and build up a body of evidence to be used in court.

Defenders of civil liberties with privacy concerns are correctly identifying the wider impact this would have on individuals and companies. However, when set against the motive of defending the public and the infrastructures that keep the lights on, it is an increasingly hard position to argue against. Only time will tell, but it will be interesting to see if a by-product becomes the further movement of information to sovereign-controlled data centres to ensure improved access and regulation.


Cyber threats – an urgent and growing danger
Finally, Tuesday 13th January 2015 saw a CyberCaliphate attack breaching the Twitter and YouTube feeds of US Central Command (Centcom). With several thousand social media accounts, social media is seen as a fast and effective way for the US military to communicate globally with its staff and families – on anything from on-base events to power outages. The ‘cyber vandalism’, as it is being described, only showed information widely available online – there was not believed to be any theft or disclosure of classified information.

The timing was embarrassing though, and created a PR disaster for the President, given that he was outlining plans to strengthen cyber security when it happened. This was unlike the 2008 foreign intelligence breach via malware into the Pentagon mainframe computer system. This latest public hack is believed to have been caused by password disclosure (inadvertent or not) by an individual. US officials have duly updated passwords and issued tip sheets to staff to bolster online security advice, and are reviewing processes. In social media, both Twitter and Google now recommend two-factor authentication, so anyone logging on to the account from a new computer has to enter a code sent to their mobile phone.

Whilst the Centcom attack did not have the impact that the perpetrators hoped for, there are lessons that must be learned and applied by all organisations using the internet. Financial systems, power grids, pipelines, healthcare systems and wholesale societal infrastructures run on networks connected to the internet. Safeguarding these is the crux of public safety and public health.

As we go to press today, David Cameron, on a visit to Washington, confirmed that MI5 and the FBI will be playing cyber wargames targeting the Bank of England, commercial banks, the City of London and Wall Street, to be followed by “further exercises to test critical national infrastructure”.

As a healthcheck, businesses and organisations should do the following:

  • ensure good password hygiene is maintained
  • review and update processes regularly
  • ensure internet security is up to date
  • limit the number of administrators who can access accounts
  • ensure accounts are regularly monitored
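
The new-device code challenge that Twitter and Google recommend, together with the “monitor accounts” and “limit administrators” items on the checklist above, can be shown in a small login gate. This is an added example written for this post, not code from the original article or from Twitter, Google or Centcom; the code lifetime, attempt limit, server secret, event names and the sample account and device names are all assumptions made for the example, and delivery of the code is an injectable callback standing in for SMS or an authenticator app.

```python
"""Second-factor challenge for logins from unrecognised devices, with an audit log.

Added example, not code from the original post or from Twitter, Google or
Centcom. It models the flow the post describes: a login from a device the
account has not seen before must be confirmed with a short-lived code delivered
out of band. Delivery is an injectable `send` callback (a real deployment would
wire it to SMS or an authenticator app); the code lifetime, attempt limit,
server secret and the sample accounts below are assumptions made for the example.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: five wrong guesses burn the code
SERVER_SECRET = b"example-only-secret"   # assumed placeholder; load from config in practice


class TwoFactorGate:
    def __init__(self, send, clock=time.time, code_source=None):
        self._send = send                       # out-of-band delivery hook
        self._clock = clock                     # injectable so expiry can be tested
        self._code_source = code_source or (lambda: f"{secrets.randbelow(10**6):06d}")
        self._known_devices = {}                # account -> set of trusted device ids
        self._pending = {}                      # account -> [code_hash, expiry, wrong_attempts]
        self.audit_log = []                     # (time, account, device, event) for monitoring

    def _hash(self, account, code):
        # Only a keyed hash of the code is stored, so a leaked table does not leak live codes.
        return hmac.new(SERVER_SECRET, f"{account}:{code}".encode(), hashlib.sha256).digest()

    def login(self, account, device_id, password_ok):
        """First stage: password result plus device recognition."""
        if not password_ok:
            self._log(account, device_id, "password_rejected")
            return "denied"
        if device_id in self._known_devices.get(account, set()):
            self._log(account, device_id, "known_device")
            return "allowed"
        # Unrecognised device: issue a fresh code and replace any earlier challenge.
        code = self._code_source()
        self._pending[account] = [self._hash(account, code), self._clock() + CODE_TTL_SECONDS, 0]
        self._send(account, code)
        self._log(account, device_id, "second_factor_required")
        return "challenge"

    def verify(self, account, device_id, code):
        """Second stage: check the code, honouring expiry and the attempt limit."""
        entry = self._pending.get(account)
        if entry is None:
            self._log(account, device_id, "no_pending_challenge")
            return "denied"
        code_hash, expiry, _ = entry
        if self._clock() > expiry:
            del self._pending[account]
            self._log(account, device_id, "code_expired")
            return "denied"
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(code_hash, self._hash(account, code)):
            entry[2] += 1
            if entry[2] >= MAX_ATTEMPTS:
                del self._pending[account]
                self._log(account, device_id, "code_locked_out")
                return "denied"
            self._log(account, device_id, "code_rejected")
            return "retry"
        del self._pending[account]
        self._known_devices.setdefault(account, set()).add(device_id)
        self._log(account, device_id, "second_factor_ok")
        return "allowed"

    def _log(self, account, device_id, event):
        self.audit_log.append((int(self._clock()), account, device_id, event))


if __name__ == "__main__":
    delivered = []   # constructed stand-in for the SMS channel
    gate = TwoFactorGate(send=lambda acct, code: delivered.append(code))
    print(gate.login("press-office", "new-laptop", password_ok=True))   # challenge
    print(gate.verify("press-office", "new-laptop", delivered[-1]))     # allowed
    print(gate.login("press-office", "new-laptop", password_ok=True))   # allowed (trusted now)
    for entry in gate.audit_log:
        print(entry)
```

The audit log is the point of the “ensure accounts are regularly monitored” item: every rejected password, expired code and lock-out is recorded with the device it came from, so a run of `code_rejected` events against one account stands out in review. Codes are never stored in the clear, the comparison is constant-time, and a device only becomes trusted after a successful second factor.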

In this case, a sense of proportion needs to be maintained.  Yes, it was embarrassing, but nobody died.


The Week’s Technology News – 28th November 2014

Coldfinger not goldfinger, as smartphone biometrics not a panacea

Former GCHQ boss, Sir John Adye, has just given evidence about his concerns regarding the unsupervised use of biometrics on smartphones to an audience of British MPs in the Commons Science and Technology Committee.

Adoption of fingerprint technology has taken off, most notably with smartphone giant Apple’s iPhone 6, and users can now make payments and access services using a fingerprint. However, as the GCHQ security expert, who runs his own biometrics company, commented: “I don’t know what happens to my personal data when I use it on a smartphone… there’s no physical supervision of the system (unlike an ATM which a bank oversees)”. “You need to design security methods… which are going to be strong to protect the interests of the individual who is using the phone and the relying party at the other end… the bank or whoever it is, who is providing a service to them.” Apple says it uses the most technologically advanced fingerprint security and puts security and privacy at the core of the “Apple Pay” system. But Adye also wants more transparency in the way personal information is passed to third parties. He does not believe users fully read the notices in tick-box procedures, which layers on complacency while, in the background, the criminal community gets ever more clever at seeking ways in.

Another biometrics engineer presenting to the Committee, Ben Fairhead, advised that there were various anti-spoofing and other methods to work out whether a finger was real, but acknowledged that spurious results got thrown up if, for example, blood flow to the finger was low, which would reject the verification. In a twist on the old tales of criminals smuggling a file into prison, now we have criminals adding iron filings to fake fingers to mirror the conductivity of human skin. From the Government’s point of view there will come increasing pressure to demonstrate that it has balanced the growing approval of biometrics in border controls and public services with sufficient measures to safeguard against the risks and possible flaws.

Forget me not
With the ‘right to be forgotten’ now in situ, the European Commission has finally published guidelines to tell search providers how to handle individuals’ take-down requests (first discussed in our blog of 16 May 2014).

Most requests align with what Google has already been doing – and the balance is successfully struck between an individual’s wish for privacy and the public’s right to know something. One area that has created consternation in the EU, though, is Google’s tendency to warn both users and site operators when it takes a notice down. According to the Commission, this lacks legal basis and could contravene data protection laws.

This was recently experienced by US singer Barbra Streisand, who sought to have some online information taken down, but the ensuing actions actually drew attention to the very issue she was trying to keep secret.

The Commission also wants a level playing field, so that it applies to all web domains, not just removing results on country-specific ones (i.e. ‘.co.uk’ or ‘.fr’) while leaving uncensored results on a ‘.com’ page. This comes at a time when Microsoft’s ‘Forget.me’ has just started reviewing requests through its Bing search engine, using the EU advice as a template, but it remains to be seen if the guidelines can please both sides AND the regulators.

This Week’s Technology News – 24th November 2014

3D Printing – refreshing the parts other printers cannot reach
The 3D printing sector has seen interesting advances over 2014, with this growing technology in use on earth and in space. The International Space Station (ISS) has installed its first 3D printer. Before the installation, start-up company Made in Space tested the printer in zero gravity on an airplane. With the printer on board, astronauts will be able to print physical parts themselves without needing to commission them from earth and have them rocketed into space (both costly and time consuming). Printed parts will in theory be able to replace faulty parts or maintain certain equipment on the ISS.

In parallel, researchers from the University of Oslo have designed bots that can already adapt to unforeseen problems and 3D-print new parts for themselves (i.e. self-healing manufacture), applying intelligent best adaptation to their environment. The scientists believe the options are limitless, based on a few limited instructions, i.e. what to do, how fast to go, its size and energy consumption. The ingenuity of an autonomous computer being able to consider thousands of options simultaneously and 3D-print parts to create a new model creates an intriguing possibility – perhaps ‘3D Printing as a Service’ for MSPs?

 

Is business ready to accept ‘Facebook at Work’?
Although not formally announced, ‘Facebook at Work’ has been heavily rumoured to be in use internally at the company, with a worldwide launch for business imminent. Apparently, it is distinct from the current consumer model by barring personal details and helping overcome being blacklisted by organisations which disallow social media engagement at work. With the rise of social networking and collaboration, Facebook is cleverly poised, through its dominant position with over one billion Facebook accounts, to try to take on the likes of LinkedIn and other corporate-focused social networks like Microsoft’s Lync and Skype. The diversification opportunities deepen, as collaboration leads to online storage where users upload and collaborate on documents with other users of the service.

The real question is whether, despite all their canny commercial plans, and even accounting for proper security and governance procedures, the sheer name of ‘Facebook’ will simply scare off a lot of companies. Ultimately, the scale and impact of social networking cannot be ignored, but overcoming assumptions about the brand and how it will advocate its handling of public and private information will be the largest hurdle facing Facebook as it stares out from this mirror of opportunity.


Diktat to go digital in healthcare – or warning NHS funding will be pulled
NHS England’s National Director for Patients & Information, Tim Kelsey, has announced the publication of its ‘Personalised Health and Care 2020 Strategy’.  This paper confirms NHS England’s intention to go paperless by 2018-20, or face having its funding pulled.

At its heart, patient care records must be available across urgent care services by 2018 and throughout all NHS organisations by 2020, to create joined-up practice amongst professionals, speed and efficiencies, and avoidance of errors (e.g. in prescriptions). Only 4% of records are currently accessible online.

The technical challenge around IT remains that many of the NHS’s PCs are still running the soon-to-be-defunct Windows XP. If, as stated, financial resources will be made available to assist healthcare organisations, this will come as good news for IT teams and MSPs helping to support any such migration to make the NHS fit for digital. However, it must remain an integrated and secure approach. The BMA’s GP Committee Chair Chaand Nagpaul concluded that “…the most critical aspects to get right beforehand are the safeguards, confidence and trust of patients”. Added to this should be the strict management of patient data to prevent it being sold unknowingly to third-party commercial organisations for private profit.

Following the Care.data scheme debacle earlier in 2014, which failed to have appropriate data privacy safeguards in place, this is a very valid point, but it should not stop future rollout if armed with correct good practice and security and governance policies. Hopefully, with National Data Guardian Dame Fiona Caldicott now on board, this will no longer be an issue. The key obstacle instead will be how much money healthcare organisations can secure to cover the necessary IT ‘fit for future’ upgrade investments.


NHS kitemarks for apps
In a separate move, with the rapid increase in health-related apps for mobile phones and other personal devices available in the market, NHS chiefs are backing a “kitemark” for health-related smartphone apps to validate those deemed safe for patients to use to help them manage health conditions. It also includes an e-version of the red book recording a baby’s immunisations and development, to be online from 2016, to counter the loss of key info if the actual book goes missing and the child requires vaccination, review or emergency treatment.


This week’s technology news – 27th June 2014

Supreme Court ruling for mobile phone privacy does not answer Cloud issue
Forrester report an emphatic decision by the Supreme Court in the US this week, which has endorsed the fundamental right of the individual to safeguard the privacy of data held on a mobile phone, and that the only way for third-party agencies to access this would be to seek a warrant.

The sheer variety of applications now available on mobile phones (cameras, video players, Rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, newspapers, forums etc.) reveals much about a phone’s owner, as does the browsing history. Consequently it was felt this would give third parties too personal an insight into things we would prefer to keep private, even from our partners. The crossover impact for this in business is in BYOD, where corporate employers may not yet have taken steps to assess and implement data security policies to safeguard corporate privacy.

With the increase in devices and wearable technology, much of the content will inevitably be stored in the Cloud, and what is not revealed through the phone as its conduit will be accessible once it hits storage sites like Dropbox, Evernote etc. So as soon as you have connected, you are no longer able to control that privacy, or that right. This ruling is therefore insufficient in the wider context of cloud content and the management of personal (and customer) data, so expect more rulings in future as the further legal ramifications are reviewed. As an MSP, it is your responsibility to be a privacy advocate.

Stop thief – you are turning me off!

Research by Glasgow Caledonian University into the way we hold and use smartphones is leading to a new form of security being developed, to identify abnormal patterns which could trigger a “kill switch”. The software logs, monitors and profiles “normal” behaviour: carriage mannerisms, application access and timing, plus geolocation and browsing. Subtle changes to this information could indicate unauthorised use and prompt a shutdown. The profiles take a few days of average use to build up a coherent picture, and current versions of the logging software are detecting illegal use within a couple of minutes, which will no doubt get far quicker.

Lead scientist Professor Lynne Baillie notes that a further development of this software could be in authenticating identity. Research indicates users swiping or tapping in their PIN up to 100 times a day to unlock their handset, which for some users is putting them off using security measures, if they have that choice. This new software could sanction access simply because the device is “in the right hands” and keep a phone unlocked in normal use, except where a user needed to purchase something, or log in to a corporate network. Yet again, there are implications for privacy in such monitoring and whether this is managed centrally, or locally on the device.
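
The two ideas in the Glasgow Caledonian research described above, a profile of “normal” handling that takes a few days to learn and a policy that keeps the phone unlocked in the right hands but still demands a PIN for purchases or a corporate login, can be sketched as a small anomaly detector. This is an added example written for this post, not the university’s software; the four measurements used as features, the z-score threshold, the sensitive-action list and every sample session below are constructed assumptions chosen so the example runs offline.

```python
"""Behavioural baseline and anomaly "kill switch" for a handset.

Added example, not the Glasgow Caledonian University software described above.
It models the idea in the post: learn a per-user profile of normal handling from
a few days of sessions, then flag sessions whose measurements drift far from it.
The four features, the thresholds, the sensitive-action list and the sample
sessions are all constructed assumptions for this example.
"""
import statistics

FEATURES = ("swipe_ms", "tilt_deg", "taps_per_min", "km_from_home")  # assumed feature set
ZSCORE_LIMIT = 2.5        # assumed: a feature more than 2.5 sigma from baseline is anomalous
LOCK_AFTER = 2            # assumed: two anomalous features in one session trigger the lock
MIN_SESSIONS = 10         # assumed: no judgement until this many sessions are profiled
SENSITIVE_ACTIONS = {"payment", "corporate_login"}  # assumed: always need an explicit PIN


def session(swipe_ms, tilt_deg, taps_per_min, km_from_home):
    """One observed usage session as a feature dict."""
    return dict(zip(FEATURES, (swipe_ms, tilt_deg, taps_per_min, km_from_home)))


class BehaviourProfile:
    def __init__(self):
        self.history = []   # sessions collected during the learning period

    def learn(self, observed):
        self.history.append(observed)

    @property
    def ready(self):
        return len(self.history) >= MIN_SESSIONS

    def baseline(self):
        """Per-feature (mean, standard deviation) over the learning period."""
        stats = {}
        for feature in FEATURES:
            values = [s[feature] for s in self.history]
            sd = statistics.pstdev(values) or 1e-9   # guard a perfectly constant feature
            stats[feature] = (statistics.fmean(values), sd)
        return stats

    def score(self, observed):
        """Names of the features whose z-score exceeds ZSCORE_LIMIT."""
        base = self.baseline()
        return [f for f in FEATURES
                if abs(observed[f] - base[f][0]) / base[f][1] > ZSCORE_LIMIT]

    def decide(self, observed, action=None):
        """Policy: explicit PIN for sensitive actions, lock on multi-feature drift,
        otherwise stay unlocked because the device appears to be in the right hands."""
        if action in SENSITIVE_ACTIONS:
            return "require_pin"
        if not self.ready:
            return "learning"
        if len(self.score(observed)) >= LOCK_AFTER:
            return "lock"
        return "stay_unlocked"


# Constructed learning-period sessions: one owner, small day-to-day variation.
TRAINING_SESSIONS = [
    session(180, 30, 40, 0.0), session(190, 32, 42, 0.5), session(175, 28, 38, 1.2),
    session(185, 31, 41, 0.0), session(195, 29, 39, 0.8), session(182, 33, 43, 2.0),
    session(178, 30, 40, 0.3), session(188, 27, 37, 0.0), session(192, 31, 44, 1.5),
    session(184, 30, 41, 0.6),
]
NORMAL_SESSION = session(186, 31, 41, 0.4)    # owner at home
TRAVEL_SESSION = session(186, 31, 41, 50.0)   # owner away: only location drifts
STOLEN_SESSION = session(320, 55, 20, 85.0)   # different handling, far from home


def demo():
    profile = BehaviourProfile()
    for s in TRAINING_SESSIONS:
        profile.learn(s)
    return {
        "normal": profile.decide(NORMAL_SESSION),
        "travel": profile.decide(TRAVEL_SESSION),
        "stolen": profile.decide(STOLEN_SESSION),
        "payment": profile.decide(NORMAL_SESSION, action="payment"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Requiring two drifting features before locking is the design choice worth noting: a single out-of-range measurement such as location is what a travelling owner looks like, and locking on it alone would recreate the nuisance the research is trying to remove. The profile is held entirely on the device in this sketch, which is one answer to the post’s closing question about central versus local management.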