GDPR

Register Now Or Lose EU Research Grants Post-Brexit

Posted on by Andy Miller

The UK government is urging organisations that benefit from European Union (EU) research funding to sign-up to a UK-led replacement scheme now in order to guarantee that their Horizon 2020 project funding can continue after Brexit.

What Is Horizon 2020?

Dating back to 2014, Horizon 2020 from the EU, is the largest ever European funding programme for research and innovation with a budget of 79 billion euros and is set to run until 2020.  It is aimed at improving Europe’s global competitiveness in research and innovation.  Applications for the funding are open to registered businesses, charities, partnerships or research organisations with a legal standing across the EU. For example, higher education institutions, public bodies and charities make up many of the applicants.

What’s The Problem?

The concern, highlighted by The Department for Business, Energy and Industrial Strategy (BEIS), is that when the UK leaves the EU (possibly without a deal), in order to ensure no disruption in the receipt of funding that organisations are currently receiving from the EU’s Horizon 2020 project, they will need to sign up to a UK-led replacement programme that guarantees continuity in a no-deal Brexit scenario.  According to BEIS figures, therefore, the 2,700 public and private sector organisations that are receiving Horizon 2020 funding from the EU but have not yet signed up to the replacement programme could be at risk of disruption in funding and delays to future grants if they don’t sign up asap.

Guaranteed

Although the Science and Innovation Minister, Chris Skidmore, has guaranteed that UK organisations and businesses who already receive EU science and research funding will continue to do so, even if there’s no-deal Brexit at the end of March, he is urging businesses to register their details on a simple online portal for Horizon 2020 grants in future.

Online Portal – Doesn’t Take Long

The BEIS is, therefore, encouraging the remaining 2,700 businesses to join the current 5,500 registrations to date, to sign-up on the online portal. Reports suggest that it only takes around ten minutes per grant for the data to be inputted. The new portal can be found here:  https://www.ukri.org/funding/how-to-apply/

What Does This Mean For Your Business?

If you are a business or an organisation that receives Horizon 2020, and if you haven’t already done so, the advice is to sign-up via the government’s online portal (run by UKRI) to the UK-led replacement programme in order to avoid disruption to funding.  The BEIS has said, for example, that If an organisation leaves it until 5th March, ahead of a no-deal Brexit on 29 March 2019, they could be risking delays to future Horizon 2020 funding.

Millions of Taxpayers’ Voiceprints Added to Controversial HMRC Biometric Database

Posted on by Andy Miller

The fact that the voiceprints of more than 2 million people have been added to HMRC’s Voice ID scheme since June 2018, to add to the 5 million plus other voiceprints already collected, has led to complaints and challenges to the lawfulness of the system by privacy campaigners.

What HMRC Biometric Database System?

Back in January 2017, HMRC introduced a system whereby customers calling the tax credits and Self-Assessment helpline could enrol for voice identification (Voice ID) as a means of speeding up the security steps. The system uses 100 different characteristics to recognise the voice of an individual and can create a voiceprint that is unique to that individual.

When customers call HMRC for the first time, they are asked to repeat a vocal passphrase up to five times before speaking to a human adviser.  The recorded passphrase is stored in an HMRC database and can be used as a means of verification/authentication in future calls.

Got Voices By The Back Door Said Big Brother Watch

It has been reported that in the 18 months following the introduction of the system, HMRC acquired 5.1 million people’s voiceprints this way.

Back in June 2018, privacy campaigning group ‘Big Brother Watch’ reported that its own investigation had revealed that HMRC had (allegedly) taken 5.1 million taxpayers’ biometric voiceprints without their consent.

Big Brother Watch alleged that the automated system offered callers no choice but to do as instructed and create a biometric voice ID for a Government database.  The only way to avoid creating the voice ID on calling, as identified by Big Brother Watch, was to say “no” three times to the automated questions, whereupon the system still resolved to offer a voice ID next time.

Big Brother Watch were concerned that GDPR prohibits the processing of biometric data for the purpose of uniquely identifying a person, unless the there is a lawful basis under Article 6, and that because voiceprints are sensitive data but are not strictly necessary for dealing with tax issues, HMRC should request the explicit consent of each taxpayer to enrol them in the scheme (Article 9 of GDPR).

This led to Big Brother Watch registering a formal complaint with the ICO, the result of which is still to be announced.

Changes

Big Brother Watch’s complaint may have been the prompt for changes to the Voice ID system. In September 2018, HMRC permanent secretary John Thompson said that HMRC felt it had been acting lawfully, by relying on the implicit consent of users.  Mr Thompson acknowledged, however, that the original messages that were played to callers had not explicitly stated it was possible, or how, to opt out of the voice ID system, and that, in the light of this, the message had been updated (in July 2018) to make this clear.

Mass Deletions?

On the point of whether HMRC would consider deleting the 6 million voiceprint profiles of people who registered before the wording was changed to include ty opt-out option, Mr Thompson has said that HMRC will wait for the completion of the ICO’s investigation.

Backlash

Big Brother Watch has highlighted a backlash against the Voice ID system as indicated by the 162,185 people who have called HMRC to have their Voice IDs deleted.

What Does This Mean For Your Business?

Even though many businesses and organisations are switching/planning to switch to using biometric identification/verification systems in place of less secure password-based systems, it is still important to remember that these are subject to GDPR. For example, images and unique Voiceprint IDs are personal data that require explicit consent to be given, and that people have the right to opt out as well as to opt-in.

It remains to be seen whether the outcome of the ICO investigation will require mass deletions of Voice ID profiles.  Big Brother Watch states on its website that if people are not happy about the HMRC system they can complain to the HMRC directly (via the government website) or file a complaint about the HMRC system to the ICO via the ICO website (the ICO is already investigating HMRC about the matter).  HMRC has said that all the voice data is stored securely and that customers can now opt out of Voice ID or delete their records any time they want.

Google’s £44 Million GDPR Fine

Posted on by Andy Miller

Google has been fined a massive 50 million euros (£44m) for breach of GDPR dating back to May 2018 and relating to how well people were informed about how Google collected data to personalise advertising, and the matter of consent.

Who?

Google (Alphabet Inc) has been fined £44 million by the French data regulator CNIL.  The two complaints that brought about the investigation and the fine were filed in 2018 by privacy rights groups noyb and La Quadrature du Net (LQDN).

Even though the fine is eye-wateringly large, the maximum fine for large companies like Google under GDPR could have been 4% of annual turnover, which could equate to around €4bn.

Ad Personalisation & Google

Google personalises the adverts that are displayed when a person is signed in to their Google account based on ad-personalisation settings. When a person is signed out of their Google account, they are still subject to ad-personalisation across the Web on Google’s partner websites and apps based on their browsing history, and on Google Search based on their previous activity such as previous searches.

What & Why?

The two privacy groups complained that Google didn’t have a valid legal basis to process user data for ad-personalisation because of issues relating to transparency and consent.

The reasons for Google receiving the fine were that:

  1. Google failed to provide its users with transparent and understandable information on its data use policies.  This was because the “essential information” that users would have needed to understand how Google collected data to personalise advertising, and the extent of that information, was too difficult to find because it was spread across several documents.  This meant that it was only fully accessible after several steps e.g. up to five or six actions. Ultimately, this meant that users were unable to exercise their right to opt out of data-processing for personalisation of ads.
  2. It was also found that the option to personalise ads was “pre-ticked” when creating an account.  This meant that users were essentially giving consent in full for all the processing operations purposes carried out by Google based on this consent.  Under GDPR however, consent should be ‘specific’ only if it is given distinctly for each purpose.

Other Complaints

Privacy group noyb has also filed more formal complaints against Amazon, Apple, Google, Netflix, Spotify, and other entertainment streaming services. The reason, according to noyb, is that when people request a copy of the personal data that these companies hold on them, some of it may not be supplied in a format that can be easily understood.  GDPR requires companies to supply users with a copy of their data that is both machine-readable and can be easily understood.

What Does This Mean For Your Business?

Even before GDPR was introduced, many technology and security commentators predicted that the big names e.g. Google and Facebook would be the first to be targeted by privacy campaigners, and that appears to be what is happening here. In this case however, the fact that the complaints have created a record-breaking fine shows that there was genuine concern about a lack of compliance with GDPR from a company that many would have expected to be on top of the legislation and setting an example. It is likely that Google will need to make some significant modifications to some aspects of its services now, and that this may prompt other large tech companies to do the same in order to avoid similar fines and bad publicity.

This case is a reminder to businesses, particularly larger ones, that although GDPR appears to have been buried by concerns about Brexit, the need to stay compliant with GDPR is an ongoing process and should still be high on business agenda.

Biggest Personal Data Breach Puts Password Effectiveness In The Spotlight

Posted on by Andy Miller

Password-based authentication has long been known to be less secure than other methods such as multi-step verification or biometrics, but a massive leak of a staggering 87GB of 772.9 million emails, 21.2 million passwords and 1.1 billion email address and password combinations recently shared on hacking forums has brought the inherent weaknesses of password authentication into sharp focus.

What Leak?

The massive leak of 2.6 billion rows of data from 12,000 files dubbed Collection #1 onto hacking forums was revealed in a blog post by security researcher Troy Hunt, who is most well-known for managing the ‘Have I Been Pwned’ service.

In his post, Mr Hunt said that the leaked personal data is a set of email addresses and passwords totalling 2,692,818,238 rows and is made up of many different data breaches from thousands of different sources. The data contains 772,904,991 unique email addresses, and 21,222,975 unique passwords, all of which can be put into 1,160,253,228 unique combinations.

Risks

Clearly, Mr Hunt has an interest in publicising the existence of Collection #1 and the fact that it has been incorporated into his service to help publicise the ‘Have I Been Pwned’ service, but as Mr Hunt points out, if your password/email combinations are part of the collection and have not been changed since, you could face some serious risks.  For example:

  • Credential stuffing attacks. In this case, 2.7 billion of the username and password combinations could be put into a list and used for credential stuffing.  This is where cyber-criminals rely on the fact that people may use the same username and password combinations for multiple websites, and therefore, the criminals use software to automate the process of trying the breached username/password pairs on many other websites to see if they can gain access.
  • Phishing attacks.  The stolen credentials can be used to automatically send malicious emails to a victim’s list of contacts.
  • Targeted digital identity attacks. The breached credentials can be used in targeted attacks designed to steal a victim’s entire digital identity or steal their money or even to compromise their social media network data.

What Does This Mean For Your Business?

This story highlights the importance of always using strong passwords that you change on a regular basis. Also, it highlights the importance of not using the same usernames and passwords on multiple websites as this can provide an easy route to your data for criminals using credential stuffing.

Managing multiple passwords in a way that is secure, effective, and doesn’t have to rely on memory is difficult, particularly for businesses where there are multiple sites to manage. One tool that can help is a password manager.  Typically, these can be installed as browser plug-ins that are used to handle password capture and replay, and when logging into a secure site, they offer to save your credentials. On returning to that site, they can automatically fill in those credentials. Password managers can also generate new passwords when you need them and automatically paste them into the right places, as well as being able to sync your passwords across all your devices. Examples of popular password managers include Dashline, LastPass, Sticky Password, and Password Boss, and those which are password vaults in other programs and CRMs include Zoho Vault and Keeper Password Manager & Digital Vault.

If you’re worried that people in your organisation may be using passwords that have been stolen, Troy Hunt has provided a list of them here:  https://www.troyhunt.com/pwned-passwords-now-as-ntlm-hashes/  and provides some answers to popular questions about the stolen passwords in the ‘FAQs’ section of his blog post here: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

£15K Fine For Ignoring Data Access Requests

Posted on by Andy Miller

SCL Elections, the parent company of the now defunct Cambridge Analytica which was famously involved in the Facebook profile harvesting scandal, has been fined £15,000 for failing to respond to a data access request from a US citizen, and for ignoring an enforcement notice by the UK’s Information Commissioner’s Office (ICO).

Data Protection Act

The fine was made for a breach of the Data Protection Act which was in force for all at the time of the data request, which was originally made back in 2017.  GDPR, which came into force on 25th May 2018 (to replace the Data Protection Directive) covers the data protection rights of EU citizens.

The person who made the data request in this case, however, was US citizen Professor David Carroll, and SCL Elections wrongly believed that because he was not a UK citizen, he had no more right to request access to data “than a member of the Taliban sitting in a cave in Afghanistan”.

What Happened?

Professor David Carroll, who was based in New York in May 2017 at the time of his original data request under UK Data Protection Act, asked SCL Elections’ Cambridge Analytica branch in the UK to provide all the data it had gathered on him. Under that law, SCL Elections should have responded within 40 days with a copy of the data, the source of the data, and stating if the organisation had given / intended to give the data to others.

Professor Carroll, a Democrat, was reported to have been interested from an academic perspective in the practice of political ad targeting in elections and believed that he may have been targeted with messages that criticised Secretary Hillary Clinton with falsified or exaggerated information that may have negatively affected his sentiment about her candidacy.

Sent Basic Information On A Spreadsheet

Some weeks after Professor Carroll’s subject access request in early 2017, SCL Elections sent him a spreadsheet of basic information that it held about him.

However, that information contained accurate predictions of Professor Carroll’s views on some issues and had scored Carroll a nine 9 out of 10 on what it called a “traditional social and moral values importance rank”.

Wanted To Know How

This prompted Professor Carroll to submit a second request to SCL Elections, this time to find out what that ranking meant and what it was based on, and where the data about him came from. This second request was ignored by SCL.

The CEO of Cambridge Analytica at the time, Alexander Nix, told a UK parliamentary committee that his company would not provide American citizens, like David Carroll, all the data it holds on them, or tell them where the data came from, and Nix (mistakenly) said that there was no legislation in the US that allowed individuals to make such a request.

ICO Involved

The ICO then became involved with the UK’s Information Commissioner, Elizabeth Denham, sending a letter to SCL Elections (Cambridge Analytica) asking where the data on Professor Carroll came from, and what had been done with it.  A section 40 enforcement notice was also issued in May 2018 to SCL Elections, thereby making it a criminal matter if they failed to comply by responding to the request and by providing the full records as requested by Carroll. No records were forthcoming, which resulted in the recent prosecution, the first against Cambridge Analytica.

During the case at Hendon Magistrates Court, it was revealed that SCL Elections had a turnover of £25.1m and profits of £2.3m in 2016.  The judge fined SCL Elections £15,000 for failing to comply with the section 40 enforcement notice from the ICO and ordered the company (whose affairs are being handled by administrators, Crowe UK) to pay a contribution of £6,000 to the ICO’s legal costs, and a victim surcharge of £170.

Some Mitigating Circumstances

Although Counsel for SCL Elections’ administrators acknowledged that SCL elections had failed to respond to the section 40 enforcement notice, they did highlight some mitigating circumstances, such as the company’s computer servers being seized by the ICO following a raid on the SCL Elections premises in March 2018.

What Does This Mean For Your Business?

This case shows that ignorance of data protection law is not a defence and that businesses and organisations need to protect their customers, stakeholders, and themselves by making sure that they fully understand and comply with data protection laws. This is particularly relevant in the UK since the introduction of GDPR.

As pointed out by Information Commissioner Elizabeth Denham in this case, companies and organisations that handle personal data need to respect people’s legal privacy rights and to understand that wherever a person lives in the world, if their data is being processed by a UK company, UK data protection laws apply. This case has also highlighted the fact that where there is no compliance with the law, and where ICO enforcement notices are ignored, action will be taken that could be very costly to the subject of that action.

Smart Botnet Detection Needed

Posted on by Andy Miller

For businesses to maintain an effective cyber defence, the ability to prevent, detect and stop smart botnets in real-time is now an important consideration.

What Is A Botnet?

A botnet is a term for multiple malicious mini-programs working together to take over large numbers of computers and digital devices for different purposes e.g. stealing data and / or launching attacks, or in the case of DDoS attacks, shutting down servers (and the websites on them) by bombarding them with requests (a flood).  Botnets also sap electricity and computing power as they work.

How Big Is The Problem?

According to DDoS protection provider Link11, DDoS attacks (launched using botnets) on e-commerce providers showed an increase of more than 70% on Black Friday compared with other days in November this year, and Cyber Monday attacks showed a massive increase of 109% compared with the November average. Botnets have also shown a move towards the Internet of Things (IoT).

Last year saw a huge growth in the use of botnets.  For example, Spamhaus figures showed that the number of command and control (C&C) servers used for managing IoT botnets more than doubled, going from 393 in 2016 to 943 in 2017.

The increase in the use of botnets has been driven by factors such as the availability to cyber criminals of very cheap and easy to operate rent-a-botnet services booter or stresser botnet services, and the proliferation of IoT device with sub-standard security that can be used in attacks. Cyber criminals also use various amplification techniques to increase the impact of their attacks.

Characteristics Of Botnets

The characteristics of botnets and how they are made can provide the key to detecting them and preventing them. For example:

  • Some have a long ‘dwell time’ (the time the malicious program sits on a device before it’s activated), and they need to communicate to work. Communication often involves the use of command and control servers. Disconnecting communications between bots and their botnet command and control servers has, therefore, been a way of stopping them.  New smart bots, which create peer-to-peer networks, can be more difficult to stop.
  • Botnets use processing power.  If suspicious processes that take up a lot of memory are spotted, and / or if devices appear to slow down, this can be an indicator that the device has been compromised and a botnet is awake and active.

Turned To Crypto-Mining

A recent security bulletin from Kaspersky Labs states that botnets are now increasingly being used to distribute illicit crypto-mining software, and that the number of unique users attacked by crypto-miners grew significantly in the first three months of 2018. The malware used for mining is designed to secretly reallocate an infected machine’s processing power to mine cryptocurrencies, with all the proceeds going to the attacker.

What Does This Mean For Your Business?

With cyber-crime, prevention is better than cure, and being able to detect signs of attacks early is vitally important. Security commentators suggest a focus on security measures that prevent initial infection and lock-down unnecessary trust permissions. Businesses may also benefit from using security technologies that can detect, alert or block botnet activity in real-time, and by continually analysing network traffic and local system logs.

Inspecting devices and checking for any suspicious processes that appear to be taking up taking up a lot of memory may also be a way to detect botnets that have already slipped through the net and are active.

70% Increase In DDoS Cyber Attacks On Black Friday Prompts Christmas Warning

Posted on by Andy Miller

Cyber security experts are warning companies with online shops to have adequate protection against DDoS attacks in place after a 70% increase in that kind of cyber-attack was recorded on Black Friday.

What Is A DDoS Attack?

A denial-of-service attack is a cyber-attack on that is intended to make a computer or network unavailable to users, and a distributed denial-of-service attack (DDoS) is one that uses multiple compromised systems, sometimes thousands, that are often infected with a Trojan virus to launch a single attack on one system. The sheer number of requests that the target receives (called a ‘flood’) typically overload the resources and memory and render the targeted computer or network unavailable.

Black Friday – 70% Increase!

According to DDoS protection provider Link11, DDoS attacks on e-commerce providers showed an increase of more than 70% compared with other days in November, and Cyber Monday attacks showed a massive increase of 109% compared with the November average.

Up To 100 Gbps

Gbps, which stands for billions of bits per second, is a measure of bandwidth on a digital data transmission, and is the level used to gauge the intensity of DDoS attacks. When you consider that Link 11 have reported that attacks of around 6 Gbps are more than enough to exceed the capacity of most websites, the Black Friday and Cyber Monday recordings of levels of up to 100 Gbps in some attacks were extremely high.

The Cost of DDoS Attacks

Bitkom research found that cyber-attacks can cost retailers an average of €185,000.  This total includes costs of IT repair, loss of sales revenue and reputational damage to the business.

Research from Corero, in April this year, found that (DDoS) attacks typically cost enterprises up to £35,000 per attack in lost business and productivity, as well as mitigation costs. The research revealed that 69% of respondents said their organisation experiences anywhere between 20 and 50 DDoS attack attempts a month – about one attack per day!  78% of respondents in the Corero research said that the loss of customer trust and confidence was the most damaging effect on business of DDoS attacks.

Christmas Warning

Based on the huge increase in DDoS attacks on Black Friday and Cyber Monday, cyber security professionals are warning businesses to prepare now in order to protect themselves against an expected high level of DDoS attacks over the Christmas shopping period.

What Does This Mean For Your Business?

Businesses trying to simply expand their own infrastructure to absorb peak loads with their own resources may not have enough resources to stop determined attackers who may decide to deliver ever greater attacks to overwhelm services completely.

One of the best ways that businesses can prepare themselves for a possible increase in DDoS attacks is by investing in scalable, cloud-based protection solutions that can counteract the kind of targeted overloads caused by DDoS attacks.

Making sure that the business has an updated and workable Business Continuity Plan and Disaster Recovery Plan in place are also important elements of preparing for the possibility of the aftermath of a successful DDoS attack.

ICO Investigation Into Police Use of Facial Recognition Technology

Posted on by Andy Miller

ICO head Elizabeth Dunham is reported to have launched a formal investigation into how police forces use facial recognition technology (FRT) after high failure rates, misidentifications and worries about legality, bias, and privacy.

Concerns Expressed In Blog Post In May

In a blog post on the ICO website back in May, Elizabeth Dunham expressed several concerns about how FRT was being operated and managed. For example, although she acknowledged that there may be significant public safety benefits from using FRT, Elizabeth Dunham highlighted concerns about:

  • A possible lack of transparency in FRT’s use by police and how there is a real risk that the public safety benefits derived from the use of FRT will not be gained if public trust is not addressed.
  • The absence of national level co-ordination in assessing the privacy risks and a comprehensive governance framework to oversee FRT deployment.  This has since been addressed to an extent by an oversight panel, and by the appointment of a National Police Chiefs Council (NPCC) lead for the governance of the use of FRT technology in public spaces.
  • The use and retaining of images captured using FRT.
  • The need for clear evidence to demonstrate that the use of FRT in public spaces is effective in resolving the problem that it aims to address, and that it is no more intrusive than other methods.

Commissioner Dunham said that that legal action would be taken if the Home Office did not address her concerns.

Notting Hill Carnival & Football Events in South Wales

Back in May 2017, South Wales and Gwent Police forces announced that it would be running a trial of ‘real-time’ facial recognition technology on Champions League final day in Cardiff. In June, the trial of FRT at the final was criticised for costing £177,000 and yet only resulted in one arrest of a local man whose arrest was unconnected.

Also, after trials of FRT at the 2016 and 2017 Notting Hill Carnivals, Police faced criticism that it was ineffective, racially discriminatory, and confused men with women.

Research

Recent research by the University of Cardiff, which examined the use of the technology across a number of sporting and entertainment events in Cardiff for over a year, including the UEFA Champion’s League Final and the Autumn Rugby Internationals found that for 68% of submissions made by police officers in the Identify mode, the image had too low a quality for the system to work. Also, the research found that the locate mode of the FRT system couldn’t correctly identify a person of interest for 76% of the time.

What Does This Mean For Your Business?

Businesses use CCTV for monitoring and security purposes, and most businesses are aware of the privacy and legal compliance aspects (GDPR) of using the system and how /where the images are managed and stored.

As a society, we are also used to being under surveillance by CCTV systems, which can have real value in helping to deter criminal activity, locate and catch perpetrators, and provide evidence for arrests and trials. It is also relatively common for CCTV systems to fail to provide good quality images and / or to be ineffective at clearly identifying persons and events.

With the much more advanced facial recognition technology used by police e.g. at public events, there does appear to be some evidence that it has not yet achieved the effectiveness that was hoped for, may not have justified the costs, and that concerns about public privacy may be valid to the point that the ICO deems it necessary to launch a formal and ongoing investigation.

Liberty Wins Right To Judicial Review Into Investigatory Powers Act

Posted on by Andy Miller

The fact that Human rights group Liberty has won the right for a judicial review into the Investigatory Powers Act 2016 could mean a legal challenge in the high court as soon as next year.

The Investigatory Powers Act

The Investigatory Powers Act 2016 (also known as the ‘Snooper’s Charter’) became law in the UK November 2016. It was designed to extend the reach of state surveillance and requires web and phone companies (by law) to store everyone’s web browsing histories for 12 months and to give the police, security services and official agencies unprecedented access to that data. The Charter also means that security services, government agencies and police can hack into computers and phones and collect communications data in bulk, and that judges can sign off police requests to view journalists’ call and web records.

Long Time Coming

Liberty was given the general go-ahead by the UK High Court to make a legal challenge against the Investigatory Powers Act in July 2017 and was enabled to do so with the help of £50,000 of crowdfunding raised via CrowdJustice.

Also, Liberty’s challenge is thought to have been helped by the European Court of Justice (in a separate case, represented by Liberty lawyers back in 2016) ruling that the same powers in the old the UK state surveillance law the ‘Data Retention and Investigatory Powers Act’ (DRIPA) were unlawful, and by a ruling by the court of appeal in January 2018 also finding the same thing.

The UK government was, therefore, given until July 2018 to amend or re-write powers to require phone and internet companies to retain data on the UK population.

Part 4 of the Act

The most recent High Court ruling on 29th November gives Liberty the right to a judicial review on part 4 of the Investigatory Powers Act.  This is the part which gives many government agencies powers to collect electronic communications and records of internet use, in bulk, without reason for suspicion.

Concerns About GCHQ’s Hacking

Human rights groups and even Parliament’s Intelligence and Security Committee have become particularly concerned about an apparent shift towards the use of hacking of computer systems, networks and mobile phones for information gathering by intelligence services such as GCHQ in projects such as the ‘Computer Network Scaling’ programme.

What Does This Mean For Your Business?

The UK’s ability to spot and foil potential plots is vital. Although the Investigatory Powers Act may include measures that could help with that, many people and businesses (communications companies, social media, web companies) are still uneasy with the extent of the legislation and what it forces companies to do, how necessary it is, and what effect it will have on businesses publicly known to be snooping on their customers on behalf of the state. The 200,000+ signatures on a petition calling for the repeal of the Investigatory Powers Act after it became law, and the £50,000 crowdfunding raised from the public in less than a week to challenge parts of the Act in the courts, both emphasise the fact that UK citizens value their privacy and take the issues of privacy and data security very seriously.

Liberty is essentially arguing for what it sees as a more proportionate surveillance regime that can better balance public safety with respect for privacy. The government initially believed that this level of surveillance was necessary to counter terrorist groups and threats posed to safety and democracy by other states, but successive legal challenges by Liberty have seen them give some ground. According to the Intelligence and Security Committee, GCHQ is running a project that aims to improve the way that it complies with the Act, and MI5 has also said that it trying to operate more compliantly.  As for any additional oversight of government orders to internet and phone companies, this is estimated to be running about a year behind schedule with IT problems being blamed for the delay.

Data Protection Trust Levels Still Low After GDPR

Posted on by Andy Miller

A report by the Chartered Institute of Marketing (CIM) has shown that as 42% of consumers have received communications from businesses they had not given permission to contact them (since GDPR came into force), this could be a key reason why consumer trust in businesses is still at a low level.

Not Much Difference

The CIM report shows that only 24% of respondents believe that businesses treat people’s personal data in an honest and transparent way.  This is only slightly higher than the 18% who believed the same thing when GDPR took effect 6 months ago.

Young More Trusting

The report appears to indicate that although trust levels are generally low, younger people trust businesses more with their data.  For example, the report shows that 33% of 18-24 and 34% of 24-35 year olds trust businesses with their data, compared with only 17% of over 55s.

More Empowered But Lacking Knowledge About Rights

Consumers appear to feel more empowered by GDPR to act if they feel that organisations are not serving them with the right communications.  For example, the report showed that rather than just continuing to receive and ignoring communications from a company, 50% of those surveyed said that GDPR has motivated them to not consciously opt-in to begin with, or if opted in, make them more likely to subscribe.

This feeling of empowerment was also illustrated back in August in a report based on a study by business intelligence and data management firm SAS.  The SAS study showed that more than half of UK consumers (55%) looked likely to exercise their new GDPR rights within the first year of GDPR’s introduction.

Unfortunately, even though many people feel more empowered by GDPR, there still appears to be a lack of knowledge about exactly what rights GDPR has bestowed upon us. For example, the report shows that only 47% of respondents said they know their rights as a consumer in relation to data protection.  This figure has only increased by 5% (from 43%) since the run-up to GDPR.

What Does This Mean For Your Business?

The need to comply with the law and avoid stiff penalties, and the opportunity to put the data house in order meant that the vast majority of UK companies have taken their GDPR responsibilities seriously, and are likely to be well versed in the rights and responsibilities around it (and have an in-house ‘expert’). Unfortunately, there are always a few companies / organisations that ignore the law and continue contacting people.  The ICO has made clear examples e.g. back in October Manchester-based Oaklands Assist UK Ltd was fined £150,000 by the ICO for making approximately 64,000 nuisance direct marketing calls to people who had already opted out of automated marketing.  This is one example of a company being held accountable, but it is clear from the CIM’s research that many consumers still don’t trust businesses with their data, particularly when they hear about data breaches / data sharing on the news (e.g. Facebook), or continue to have their own experiences of unsolicited communications.

It may be, as identified by the CIM, that even though GDPR has empowered consumers to ask the right questions about their data use, marketers now need to answer these, and to prove to consumers how data collection can actually benefit them e.g. in helping to deliver relevant and personalised information.

The apparent lack of a major impact of GDPR on public trust could also indicate the need for an ongoing campaign to drive more awareness and understanding across all UK businesses.