GDPR

Facebook’s New Tool Allows You To Port Your Photos & Videos To Google

Posted on by Andy Miller

Facebook has announced that it is releasing a data portability tool that will enable Facebook users to transfer their Facebook photos and videos directly to other services, starting with Google Photos.

Why?

Facebook acknowledged in its white paper (published back in September) that under GDPR currently, and under the California Consumer Privacy Act rules next year, data portability is a legal requirement. Also, Facebook said that it had also been considering ways to improve people’s ability to transfer their Facebook data to other platforms and services for some time e.g. since 2010 Facebook has offered Download Your Information (“DYI”) to customers so they can share their information with other online services.

In addition to the legal requirements and Facebook’s existing DYI service, Facebook highlights its own belief in the principle of data portability, and how this could give people control and choice while encouraging innovation as the reason for the introduction of its new data portability tool.

What Is It?

Facebook says that its new photo transfer tool (the roll-out has just started) is a tool based on code that has been developed through participation in the open-source Data Transfer Project and can be accessed via Facebook settings within Your Facebook Information.

The tool will enable Facebook users to transfer their Facebook photos and videos directly to other services (Google Photos first).

The first part of the roll-out is in Ireland with worldwide availability planned for the first half of 2020.  Facebook says that the tool is still essentially in testing and that it will be refined based upon feedback from users and from conversations with stakeholders

Help From The Data Transfer Project

One of the key factors in the development of the portability tool was Facebook joining the Data Transfer Project (along with Google, Microsoft, Twitter, Apple, and others) which is an open-source software project that’s designed to help participants develop interoperable systems that will enable users to transfer their data seamlessly between online service providers.

What Does This Mean For Your Business?

Facebook has been offering its DYI service for nearly 10 years, but the new portability tool is something which will enable Facebook to meet its legal requirements under GDPR and the CCPA while helping Facebook to stay competitive with other online services.

Facebook is also acutely aware of the damage done to user trust over the data sharing with Cambridge Analytica, which is why the recent white paper that Facebook published about its portability ideas clearly acknowledged that portability products need to be built in a privacy-protective way.

For Facebook users, this new tool may be one of the many new services that help them to be more trusting of Facebook again by making them feel that they have real options and choices about what they do with their files from Facebook (even though it’s a legal requirement to give people the portability option).

Over Half of Businesses Don’t Respond To GDPR Requests On Time

Posted on by Andy Miller

The results of a survey by Talend show that 58% of businesses worldwide fail to address requests from individuals for a copy of their personal data within the one-month time limit as required by GDPR.

Bad, But Better Than Last Year

The survey, which involved 103 GDPR-relevant companies across the globe (84% of which were EU-based companies) revealed that more than 18 months after the General Data Protection Regulation (GDPR) came into force, most companies are still not complying with the Regulation when it comes to data requests.

Even though a 58% failure to comply rate is not good, it is an improvement on 2018 when 70% of the companies surveyed reported they had failed to provide an individual’s data within one month.

Public Sector, Media & Telecoms Worst Offenders

The Talend survey revealed that only 29% of public sector organisations and only 32% of companies in the media and telecommunications industries were able to respond with the correct data within the one-month limit, putting them at the bottom of the compliance table for this issue.

Average Performers

The survey also showed that companies in the retail (46%), financial services, travel, transport and hospitality sectors barely achieved an average response rate within the one-month limit. This, however, was a small improvement on the previous year.

Why?

According to Talend, the lack of a consolidated view of data and clear internal ownership over pieces of data, and a lack of automation in processing requests are key reasons why companies are failing to respond to data requests within the legal time limit.

In some industry sectors too (e.g. financial services), retrieval of the information may be complicated by clients perhaps having many different contracts with the same company with their data being spread across different offices and systems.  This, coupled with the fact that processing data requests is often manual, time-consuming, and, therefore, costly (“spend, on average, more than $1,400 to answer a single SRR” – Gartner) goes some way to explaining the slow response. (SRR means subject rights request)

Also, there is a lack of proper ID checks by companies where data requests are concerned with only 20% asking for ID, and there have also been reports of companies struggling to find the right email address to send the data requested to.

What Does This Mean For Your Business?

With GDPR becoming law 18 months ago, the potential fines for non-compliance being large, and with companies and organisations having appointed specific people to be in charge of data management and security, these results do look a little disappointing on the surface, and many businesses would expect to do better.  However, GDPR has brought a much larger volume of data requests for some organisations and back in June it was even reported by law firm Squire Patton Boggs that one year on from the introduction of GDPR, companies were facing cost pressures from a large number of subject access requests (SARs) coming from their own employees.

Nevertheless, the shift in responsibility towards companies that GDPR has brought, and the widespread knowledge about GDPR is a reminder also, that companies really should have a system and clear policies and procedures in place that enables them to respond quickly and in a compliant way to data requests, whoever they are from.

The Difference Between Backup and Disaster Recovery

Posted on by Andy Miller

We’re all familiar with the value of making a backup of business data, but how does this fit with ‘Disaster Recovery’ and ‘Business Continuity’ strategies?  This article takes a brief look at how these elements fit together to ensure that businesses can survive, function and get back up to speed when disastrous events (external or internal) pose a serious threat.

Reality

Normal life rules apply to the business environment i.e. things can and do go wrong, and backup and disaster recovery are both based upon this understanding.

Business continuity in the event of a ‘disaster’, is about making sure that your essential operations and core business functions can keep running while the repairs can be made that get you back up to speed.

What Could Go Wrong?

There is a potentially huge range of ‘disasters’ that businesses could make plans to be able to overcome, and even though organisations come in different sizes and have different budgets, the risks they face are generally the same.  Typically, the more obvious ‘disaster’ threats the business include:

  • Hardware failures/server failures.
  • Outages and/or file corruption
  • The effects of cyber-attacks.  For example, 53% of senior managers believe that a cyber-attack is the most likely thing to disrupt their business (Sungard AS 2019) and the effects could include damage to / locking out of systems (malware and ransomware), fraud and extortion, data breaches (which could also attract fines under GDPR, damaging publicity and loss of customers).
  • Environmental/natural disasters e.g. fire and flood.
  • Important 3rd supplier failure or the loss of key employees.
  • Failures of part / a component of a network e.g. as highlighted by recent problems with banking and airline industry services.
  • Theft or loss of equipment holding company data.

Backing Up Your Data – Where To Store It

When it comes to backups, security, integrity, cost, scalability, complying with legislation, your own business plans, and ease of daily use are all considerations.  Where / how to store backed-up data is a decision tackled differently by different companies.  In the UK, GDPR (the data protection regulations) should be taken into account in these decisions.  Places to back up data could include:

  • On-site – storing data in the same location e.g. on an external hard drive in the workplace.  Although the data backup is close to hand, this is not a particularly secure solution and in the event of flood/fire/theft disasters, your data would be gone.
  • Off-site – taking the data away on a hard drive or another physical storage medium.  This means it’s less at risk from local issues (e.g. loss, theft, damage) but could mean it takes longer to restore data .
  • Online – backing up your data on hosted servers (in the cloud) and accessing them through an application. This is now becoming the preferred method for most businesses as it is convenient and fast (if you have an Internet connection) and it cuts out many of your on-site potential disaster risks (fire, flood, loss and damage of physical storage media).

Some businesses prefer to use a ‘hybrid’ cloud backup to help address any vulnerabilities that cloud-only or local-only backup solutions have.

There are many dedicated online backup solutions available e.g. IDrive Business, Backblaze Business, Carbonite Safem, or larger solutions for businesses with much bigger data backup requirements.

Backup Decisions

Taking regular, secure backups of your business data is an important part of good practice.  It is also an important element of disaster recovery and the business continuity process.

There are several types of backup that businesses need to make decisions about.  These include whether, if/when and how to make:

  • A full backup – one that covers every folder and file type and typically takes a long time.
  • An incremental backup – the first back up is a full one, followed by simply backing up any changes made to the previous backup.
  • A differential backup – similar to an incremental backup, requires more storage space but has a faster restore time.
  • A mirror backup – an exact copy of your data that has the advantage of removing the obsolete files each time.
  • An Image-based backup – captures images of all data and systems rather than just copying the files.
  • A clone of your hard drive – similar to imaging and creates an exact cloned drive with no compression.

In reality, many businesses make use of many different types of backup solutions at the same time.

Business Continuity, Backup Decisions and Disaster Recovery

Accepting that disasters happen and that you can plan how to maintain business continuity while you deal with them (using a disaster recovery plan) is an important step in safeguarding your business. Maintaining the ability to ensure that core functions and critical systems remain in place in the event of a disaster (business continuity) involves planning, an important part of which is the disaster recovery plan (DRP).  Creating this plan is usually an interdepartmental process, which is often led by information technology.

RTO & RPO – Linking Backups To Your DRP.

There are two metrics you can use to help you to make data backup decisions that relate to your DRP.

The Recovery Time Objective (RTO): the recovery window / how long (time) the business realistically has to recover from a disaster before there are unacceptable consequences.

The Recovery Point Objective (RPO): how far back (the maximum tolerable period of time) your organisation needs to go in recovering data that may have been lost due to a disaster.

By working out these time periods (particularly RPO), it can help you to decide upon the frequency of backups, which backup methods are most suitable and preferable to you e.g. the need to go back longer periods may favour online backups, and businesses with  large quantities of valuable historic data may struggle with a short RTO (which may require tiered data recovery).

In today’s business environment it is worth bearing in mind that your customers are not likely to be very tolerant of downtime, so recovery windows now need to be as short as possible. Many businesses, therefore, simply opt for a daily backup.

Disaster Recovery Plan

At the heart of your business disaster recovery strategy should be the disaster recovery plan (DRP) which should provide step-by-step workable instructions to ensure a fast recovery.  A DRP should be tested and kept up to date to ensure that it will work in reality in the event of a disaster and typically includes elements like:

  • A plan for roles and communications, detailing employee contact information and who’s responsible for what following the disaster.
  • A plan to safeguard equipment e.g. to keep it off the floor, wrapped in plastic away from flooding.
  • A data continuity system that details what the business needs to run in terms of operations, finances/accounts supplies, and communications.
  • Checking that your data backup regime is working, and that very recent copy is stored in a secure place but would be easily and quickly accessible when needed.
  • An asset inventory, including photos where possible, of the hardware (workstations, printers, phones, servers etc) reference for insurance claims after a major disaster.
  • Keeping (up to date) documentation that lists all vital components of your IT infrastructure, hardware and software, and a sequence of what needs to be done to resume business operations with them.
  • Photos showing that the hardware was in use by employees and that care had been taken to minimise risk e.g. items were off the floor (e.g. to avoid flood damage).
  • A supplier communication and service restoration plan so that you quickly restore services and key supplies after the disaster.
  • Details of a secondary location where your business could operate from if your primary location was too badly damaged in a disaster.
  • Details of the testing, optimisation and automation of your plan to ensure that it could be implemented quickly, as easily as possible, and free from human error.

Putting The Pieces Together

The basic difference between a backup and disaster recovery, therefore, is that a backup is having a copy of your data, and disaster recovery is the whole strategy to recover your business operations and essential IT environment in the event of a serious event e.g. cyber-attack, equipment failure, fire or flood.

Creating a DRP involves completing a risk assessment and business impact analysis in order to identify critical applications and services, and it is from here that your business can then create its own tailored RTOs and RPOs which in turn, will link to your backup strategy and cycles.

Backups are essential files that enable a full restore, and as such are an important element of ongoing good practice and of your DRP, and your backup should relate strongly to the underlying strategy of disaster recovery.

One thing is certain about backup and disaster recovery which is that having no plan for either is means planning to fail.

Hacker’s Website Closed Down In International Operation

Posted on by Andy Miller

A website (and its supporting infrastructure) which sold a variety of hacking tools to other would-be cybercriminals has been closed down after an investigation by agencies from multiple countries including the UK’s National Crime Agency (NCA).

IM-RAT

The main tool that the agencies were particularly interested in eradicating was the Imminent Monitor Remote Access Trojan (IM-RAT) which is a hacking tool, of Australian origin, which has been on sale for 6 years and was available for sale via the Imminent Monitor website.

According to Europol, once installed on a victim’s computer the IM-RAT malware, which could be purchased for as little as $25, allowed cybercriminals to secretly “disable anti-virus and anti-malware software, carry out commands such as recording keystrokes, steal data and passwords and watch the victims via their webcams”.

Big International Operation

The investigation and the operation to shut down the sale of IM-RAT was led by the Australian Federal Police (AFP) and involved judicial and law enforcement agencies in Europe, Colombia and Australia, and was coordinated by Europol and Eurojust.

Coordinated law enforcement activity has now ended the availability of IM-RAT, which was used across 124 countries and sold to more than 14 500 buyers. IM-RAT can no longer be used by those who bought it.

In a week of actions (in November), the international agencies dismantled the infrastructure of IM-RAT, arrested 14 of its most prolific users and seized over 430 devices for forensic analysis.

Back in June, search warrants were executed in Australia and Belgium against the developer and one employee of IM-RAT and most recently, actions to fully shut down the distribution of IM-RAT have also been taken in Australia, Colombia,  Czechia, the Netherlands, Poland, Spain, Sweden and the UK.

In the UK, it has been reported that the NCA searched properties in Hull, Leeds, London, Manchester, Merseyside, Milton Keynes, Nottingham, Somerset and Surrey in relation to the investigation.

The shutting down of the whole IM-RAT infrastructure, and the detailed analysis of the malware and the website used to sell it mean that IM-RAT can no longer be used.

Tens of Thousands of Victims

With the IM-RAT malware/hacking tool being so widely used, Europol believes that there are probably tens of thousands of victims around the world, and so far, investigators have been able to find evidence of stolen personal details, passwords, private photographs, video footage and data.

IM-RAT

Although IM-RAT allows cybercriminals to secretly take control of a computer, there are some common signs which indicate that a computer may have been infected with IM-RAT.  These signs include an unusually slow internet connection, unknown processes running in a system (which are visible in the Task Manager, Processes tab), files being modified or deleted without your permission, and unknown programs being installed on your device (visible in the Control Panel, Add or Remove Programs).

What Does This Mean For Your Business?

For businesses, this kind of malware caused considerable problems, not least in terms of data protection, disruption, industrial espionage and extortion, and left their devices wide open to hackers. This internationally co-ordinated move by multiple agencies is an important step in the battle against so-called ‘crime as a service’ and bulletproof hosting where organised gangs have sought to profit from crimes that they can carry out from a distance via the Internet.

If you believe that your device may have been infected by IM-RAT, the Europol advice is to disconnect your device from the network in order to prevent any additional malicious activity, install trustworthy security software, and run a scan of your device using security software. When you’re satisfied that you’ve removed the infection, change the passwords for your online accounts and check your banking activity.

Some general steps you can take to guard against falling victim to malware include keeping your anti-virus software and patching up to date, installing a firewall, only using strong passwords (that aren’t shared across different accounts), covering up your webcam when its not in use, regularly backing up your data, and making sure that you don’t open any suspicious-looking emails and attachments even if they do come from people on your contact list.

New Brave Browser: Blocks Ads, Pays Rewards

Posted on by Andy Miller

The new 1.0 browser from Brave removes ads and ad trackers and pays users through a reward system for viewing the ads that Brave presents.

Brave?

Brave is a San Francisco based start-up company, founded in 2015 and led by CEO Brendan Eich, formally of Firefox.

Ad and Tracker-Free

Two of the key advantages of the new Brave browser are that it protects a user’s privacy by removing ad trackers and makes browsing a faster (download time) and less distracting experience by removing adverts.

Displays Its Own Adverts and Pays You For Viewing Them

The big difference about Brave is that it offers its own Brave Rewards system. Users who join the system only see adverts from Brave and are paid 70% of the resulting ad revenue using Brave’s own crypto-token, the Basic Attention Token (BAT).  Brave also sends the revenue you accrue back to the websites you’ve visited.

The advantages of this system should be that it can lure new users to Brave in a crowded browser market with the promise of money and a better browsing experience and improved privacy and that websites can still find a way to support themselves with advertising without having to share the personal data of users with tech companies.  The hope is that, if this browser and model gains user approval on a large-scale it will eventually deter publishers from trying to profile the behaviour of their users via privacy-invading trackers.

Earnings

Users who sign-up to the Brave Rewards system can choose where to direct the BAT they’ve earned e.g. send it certain sites, tip Twitter and Reddit users or choose to convert it into currency (which is unlikely to be a large amount).

Numbers

There are some very well-established players in the Browser market which is currently dominated by Google Chrome which has more than 65% of the market (around 2+ billion installs).

In comparison, Brave says that it is used 8.7 million times each month on Windows, macOS, Android and iOS. The company has, however, reported that the number of users is growing by 10% per month.

What Does This Mean For Your Business?

Privacy is a big concern for all web-users and trying to download web pages that are full of adverts can be a frustrating and a time and power-draining experience. Businesses also need to be able to use the tools available to them to make sure that they can get the maximum ROI from their advertising spend, plus the big tech companies need to be able to offer their business customers an ad system that delivers results, hence the perceived need for trackers and profiling the behaviour of customers.  Web publishers also need to have a viable way to help support their sites and offer content to their users (without a payment gateway) and this has traditionally been through advertising on their pages, much to the frustration of website visitors.  Brave’s browser, therefore, tries to meet the needs of all these groups in one package.  The combination of improved privacy, financial incentives and better browsing experience may prove appealing to users, and publishers may take note of the Brave model and realise that there is another way of supporting their sites. It remains to be seen, however, how much share of the browser market Brave can gain and how well it fares against some powerful and entrenched competitors.

Despite Patches, Researchers Warn That Intel Chips Are Still Vulnerable

Posted on by Andy Miller

The New York Times has reported that despite Intel issuing patches for security flaws (that were discovered last year) in its processors, security researchers are alleging that the processors still have some serious vulnerabilities.

What Flaws?

In January 2018, it was discovered that nearly all computer processors made in the last 20 years contained two flaws known as ‘Meltdown’ and ‘Spectre’. The 2 flaws could make it easier for something like a malicious program to steal data that is stored in the memory of other running programs.

Meltdown, discovered by researchers from Google’s Project Zero, the Technical University of Graz in Austria and the security firm Cerberus Security in Germany, affects all Intel, ARM, and other processors that use ‘speculative execution’ to improve their performance; i.e. when a computer performs a task that may not be actually needed in order to reduce overall delays for the task (a kind of optimisation).

Meltdown could, for example, leave passwords and personal data vulnerable to attacks, and could be applied to different cloud service providers as well as individual devices. It is believed that Meltdown could affect every processor since 1995, except for Intel Itanium and Intel Atom before 2013.

Spectre, which affects Intel, AMD and ARM (mainly Cortex-A) processors, allows applications to be fooled into leaking confidential information. Spectre affects almost all systems including desktops, laptops, cloud servers, and smartphones.

8 More Flaws Discovered

Then, in May 2018, 8 more security flaws in chips/processors were discovered by several different security teams.  The new ‘family’ of bugs were dubbed Spectre Next Generation (Spectre NB).

September 2018

According to reports by The New York Times, the Dutch researchers (at Vrije Universiteit Amsterdam) also reported a range of security issues about Intel’s processors to the company in September 2018 and provided Intel with a proof-of-concept code to help them to develop fixes

14 Months On – Only Some Fixes

It has been reported that after waiting 8 months to allow Intel enough time to develop fixes (of which only some have issued), and more than a year after providing Intel with a proof-of-concept code, Intel has only just announced the issue of more security updates earlier this week.

More Vulnerabilities

Unfortunately for Intel, just as they announced the issue of new security fixes last week, the researchers notified them of more unfixed flaws, and it has been alleged that Intel asked the researchers to alter the report about the flaws and to effectively stay quiet about them.

MDS

The latest unpatched flaw in Intel processors that the researchers from Amsterdam, Belgium, Germany and Austria have gone public about is a hacking technique, which is a variant of ZombieLoad or RIDL (Rogue In-Flight Data Load). The technique which exploits a flaw in Intel processors is known as microarchitectural data sampling (MDS) and it can enable hackers to carry out several different exploits e.g. running code on the victim’s computer that forces the processor to leak data.

Criticism

The news that there may still be flaws in Intel’s processors after the company appears to have had a long time to fix them has prompted some criticism of Intel online, some of it reported in the New York Times e.g. allegations  that there has been a lack of transparency about the issue from Intel, that the company has tried to downplay the problems, and allegations that Intel may not decide to do much to fix the problem until its reputation is at stake.

What Does This Mean For Your Business?

Bearing in mind that these flaws are likely to exist at the architectural level in the majority of processors, this story is bad news for businesses that have been legitimately trying to make themselves totally compliant with GDPR and as secure as possible from attack.

For the time being, in the short term, and unless processor companies try to completely re-design processors to eliminate the flaws, closing hardware flaws using software patches is the only realistic way to tackle the problem and this can be a big job for manufacturers, software companies, and other organisations that choose to take that step. It is good practice anyway for businesses to install all available patches and make sure that they are receiving updates for all systems, software and devices.

The hope is now that researchers can put enough pressure on processor manufacturers e.g. through bad publicity to make them speed up their efforts to tackle the known security flaws in their products.

Scale of Police Computer Misuse Uncovered

Posted on by Andy Miller

A Freedom of Information (FoI) request made by think tank Parliament Street has revealed that 237 serving officers and members of staff have been disciplined for computer misuse in the last two financial years.

Sackings and Resignations

The FOI request, which was responded to by 23 forces also revealed that 6 employees resigned and 11 were sacked over failures in adhering to IT best practices e.g. for disclosing personal information.

Took Photos of Screen and Shared

In Hertfordshire, two incidents out of 16 disciplinary cases involved employees taking photographs of the screen of a (confidential) police computer system and sharing those photos via social media.

Most Cases

The most individual computer misuse incidents were recorded by Surrey Police with 50. Second in the misuse ranking was the Metropolitan police where 18 people were disciplined (4 were accused of misusing social media) and one staff member was sacked for misusing the Crime Reporting Information System.

Greater Manchester Police managed to take the third position in the incidents rankings with 17 for misuse of force systems.

Other Incidents

Other incidents uncovered by the FoI request included 3 officers getting sacked from Gwent Police (for researching the crime database for a named person, disclosing confidential information, and for unlawful access to information) and 3 getting sacked form Wiltshire Police force for using the police databases without lawful access to the information. Also, one member of Nottinghamshire Police was disciplined for using the police computer system to search for information about a civil dispute they were involved in.

Case In July

These incidents were reminiscent of the case from July this year whereby a serving Metropolitan police officer was given 150 hours of community service and ordered to pay £540 after pleading guilty to crimes under the UK’s Computer Misuse Act, which included using a police database to monitor a criminal investigation into his own conduct.

What Does This Mean For Your Business?

We all must adhere to data protection laws (GDPR) and best practices to ensure that company computer systems are used responsibly and legally.  The irony of the information uncovered with the FoI request is that hundreds of those persons who are entrusted to uphold and enforce the law appear to be prepared to risk their jobs, break the law and betray public trust.  The fact that hundreds of police have been caught (there may be many more who haven’t) misusing police systems which contain large amounts of sensitive personal data raises serious questions about privacy and security.

This may indicate that police forces need to offer more education and training to employees about data protection and the correct (and legal) use of police computer systems as well as tightening up on monitoring, access control and validation/authorisation.

ICO Warns Police on Facial Recognition

Posted on by Andy Miller

In a recent blog post, Elizabeth Denham, the UK’s Information Commissioner, has said that the police need to slow down and justify their use of live facial recognition technology (LFR) in order to maintain the right balance in reducing our privacy in order to keep us safe.

Serious Concerns Raised

The ICO cited how the results of an investigation into trials of live facial recognition (LFR) by the Metropolitan Police Service (MPS) and South Wales Police (SWP) led to the raising of serious concerns about the use of a technology that relies on a large amount of sensitive personal information.

Examples

In December last year, Elizabeth Denham launched the formal investigation into how police forces used FRT after high failure rates, misidentifications and worries about legality, bias, and privacy.  For example, the trial of ‘real-time’ facial recognition technology on Champions League final day June 2017 in Cardiff, by South Wales and Gwent Police forces was criticised for costing £177,000 and yet only resulting in one arrest of a local man whose arrest was unconnected.

Also, after trials of FRT at the 2016 and 2017 Notting Hill Carnivals, the Police faced criticism that FRT was ineffective, racially discriminatory, and confused men with women.

MPs Also Called To Stop Police Facial Recognition

Back in July this year, following criticism of the Police usage of facial recognition technology in terms of privacy, accuracy, bias, and management of the image database, the House of Commons Science and Technology Committee called for a temporary halt in the use of the facial recognition system.

Stop and Take a Breath

In her blog post, Elizabeth Denham urged police not to move too quickly with FRT but to work within the model of policing by consent. She makes the point that “technology moves quickly” and that “it is right that our police forces should explore how new techniques can help keep us safe. But from a regulator’s perspective, I must ensure that everyone working in this developing area stops to take a breath and works to satisfy the full rigour of UK data protection law.”

Commissioners Opinion Document Published

The ICO’s investigations have now led her to produce and publish an Opinion document on the subject, as is allowed by The Data Protection Act 2018 (DPA 2018), s116 (2) in conjunction with Schedule 13 (2)(d).  The opinion document has been prepared primarily for police forces or other law enforcement agencies that are using live facial recognition technology (LFR) in public spaces and offers guidance on how to comply with the provisions of the DPA 2018.

The key conclusions of the Opinion Document (which you can find here: https://ico.org.uk/media/about-the-ico/documents/2616184/live-frt-law-enforcement-opinion-20191031.pdf) are that the police need to recognise the strict necessity threshold for LFR use, there needs to be more learning within the policing sector about the technology, public debate about LFR needs to be encouraged, and that a statutory binding code of practice needs to be introduced by government at the earliest possibility.

What Does This Mean For Your Business?

Businesses, individuals and the government are all aware of the positive contribution that camera-based monitoring technologies and equipment can make in terms of deterring criminal activity, locating and catching perpetrators (in what should be a faster and more cost-effective way with live FRT), and in providing evidence for arrests and trials.  The UK’s Home Office has also noted that there is general public support for live FRT in order to (for example) identify potential terrorists and people wanted for serious violent crimes.  However, the ICO’s apparently reasonable point is that moving too quickly in using FRT without enough knowledge or a Code of Practice and not respecting the fact that there should be a strict necessity threshold for the use of FRT could reduce public trust in the police and in FRT technology.  Greater public debate about the subject, which the ICO seeks to encourage, could also help in raising awareness about FRT, how a balanced approach to its use can be achieved and could help clarify matters relating to the extent to which FRT could impact upon our privacy and data protection rights.

Ex-Employee Claims Your G Suite Data Is Not Encrypted

Posted on by Andy Miller

A report by a former Google employee on the ‘Freedom of the Press Foundation’ website warns organisations that any data stored on Google’s G Suite is not encrypted, can be accessed by administrators and can be shared with law enforcement on request.

G Suite

G Suite is Google’s set of cloud-based computing, productivity and collaboration tools including Gmail, Drive (for your company documents) and Calendar.

Privacy Risk

Former Google employee Martin Shelton alleges that files stored within Google’s G Suite have no end-to-end encryption as other Google services do, thereby potentially leaving business data vulnerable to being viewed by Google and by other persons such as Administrators.  Mr Shelton reports that:

  • While Google leverages your G Suite user data for e.g. filtering for spam, malware or targeted attack detection, it can also scan a user’s Google account for content that is illegal, or in violation of Google’s policies.
  • U.S. agencies can compel Google to hand over relevant user data from G Suite accounts to aid in investigations.
  • Business versions of G Suite, such as G Suite Enterprise, offer administrators the tools to monitor users and search device data within the G Suite domain thereby giving them remarkable levels of transparency to users’ (employees’) Google activities,  For example, Administrators can search for Gmail and Google Drive content, and metadata (e.g. dates, subject lines, recipients), and can log and retain this data.
  • Administrators can monitor Gmail, Calendar, Drive, Sheets, Slides, and more, from desktop and mobile devices and can receive push alerts for certain (suspicious) behaviours.
  • Administrators can use audit logs to see who has looked at or modified each document within the organisation.

Not The First Time

This is not the first time that Google has made the news over G Suite privacy.  Back in July 2018, The Wall Street Journal highlighted how third-party developers could view Gmail users’ messages.

What Does This Mean For Your Business?

This is clearly some unwanted publicity for Google, particularly when there is fierce competition in the business Cloud services market.

The advice for those worried about G Suite’s privacy and security suggested by former Google employee Martin Shelton is to use G Suite mindfully and give yourself a G Suite audit (Gmail, Drive, and Google-connected activity on mobile devices).  This way, if you can see certain data you can assume that the administrator and Google are likely to also be able see it.

Also, if you are concerned about unknown administrators seeing your G Suite data you could consider trying to identify who your G Suite administrators are, what G Suite version you have, whether your organisation is using G Suite Business or Enterprise, finding out what rules have been set in Google Vault and audit logs, and what policies exist for administrative data retention and access.

Mr Shelton also suggests that users may wish to find another cloud service provider that has end-to-end encrypted format to store any particularly sensitive data, or to simply keep data offline or off a computer entirely.

Less Than Half of Small Businesses Ready For No-Deal Brexit

Posted on by Andy Miller

Research from techUK shows that less than half of small UK businesses consider themselves to be ready to face a no-deal Brexit on 31 October, whereas 87% of larger businesses think they are prepared.

Small and Medium

The techUK research shows that only 43% of UK small businesses think they are ready for the prospect of a no-deal Brexit, which is not too different to the mere 50% of medium-sized companies that expressed readiness.

Not Up To Date With Government Guidance

The survey revealed that although most enterprises are aware that the government has given guidance on getting ready for a no-deal Brexit, only 30% of small businesses and 33% of medium-sized businesses regard themselves as being up to date with that guidance.

Popular Concerns

In addition to the impact on the UK economy, some of the popular concerns that many businesses have about a no-deal Brexit include how they stand in terms of regulatory and any extra regulatory barriers that may hinder trade compliance, and difficulty in finding staff after an end to freedom of movement (there is already a tech skills shortage and tech ‘brain drain’).  Also, businesses are clearly worried about post-Brexit relationships with suppliers, whether contracts will need to be updated, and whether they will have enough of the right raw materials and parts to keep production running smoothly and meet their customer demands while keeping their costs and prices down.

Data Protection Guidance For Brexit

As far as being prepared to stay compliant with data protection laws, the ICO has recently stated that if a UK business or organisation already complies with the GDPR and has no contacts or customers in the EEA, that business or organisation doesn’t need to do much more to prepare for data protection compliance after Brexit.

The latest guidance for businesses facing a no-deal Brexit can be found on the website here: https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-and-brexit-for-small-organisations/

What Does This Mean For Your Business?

It doesn’t take a study to find out that there is still a great deal of uncertainty about trading post-Brexit, particularly after the impact of a no-deal Brexit. As the businesses in the study indicated, many are aware that there is guidance available from government sources and that SMEs don’t appear to be up to date with that guidance.  It is good, at least, that the ICO has issued clear, easily accessible guidance on its website to help companies prepare to remain GDPR compliant after Brexit. Other Brexit guidance for small businesses can be found on the FSB website here https://www.fsb.org.uk/standing-up-for-you/brexit/resources  and on the main UK government website here https://www.gov.uk/find-eu-exit-guidance-business.