Legislation

Over Half of Businesses Don’t Respond To GDPR Requests On Time

The results of a survey by Talend show that 58% of businesses worldwide fail to address requests from individuals for a copy of their personal data within the one-month time limit as required by GDPR.

Bad, But Better Than Last Year

The survey, which involved 103 GDPR-relevant companies across the globe (84% of which were EU-based companies) revealed that more than 18 months after the General Data Protection Regulation (GDPR) came into force, most companies are still not complying with the Regulation when it comes to data requests.

Even though a 58% failure-to-comply rate is not good, it is an improvement on 2018, when 70% of the companies surveyed reported that they had failed to provide an individual’s data within one month.

Public Sector, Media & Telecoms Worst Offenders

The Talend survey revealed that only 29% of public sector organisations and only 32% of companies in the media and telecommunications industries were able to respond with the correct data within the one-month limit, putting them at the bottom of the compliance table for this issue.

Average Performers

The survey also showed that companies in the retail (46%), financial services, travel, transport and hospitality sectors barely achieved an average response rate within the one-month limit. This, however, was a small improvement on the previous year.

Why?

According to Talend, the lack of a consolidated view of data and clear internal ownership over pieces of data, and a lack of automation in processing requests are key reasons why companies are failing to respond to data requests within the legal time limit.

In some industry sectors too (e.g. financial services), retrieval of the information may be complicated by clients having many different contracts with the same company, with their data spread across different offices and systems. This, coupled with the fact that processing subject rights requests (SRRs) is often manual, time-consuming and, therefore, costly (companies “spend, on average, more than $1,400 to answer a single SRR” – Gartner), goes some way to explaining the slow response.

Also, there is a lack of proper ID checks by companies where data requests are concerned, with only 20% asking for ID, and there have also been reports of companies struggling to find the right email address to send the requested data to.

What Does This Mean For Your Business?

With GDPR becoming law 18 months ago, the potential fines for non-compliance being large, and with companies and organisations having appointed specific people to be in charge of data management and security, these results do look a little disappointing on the surface, and many businesses would expect to do better.  However, GDPR has brought a much larger volume of data requests for some organisations and back in June it was even reported by law firm Squire Patton Boggs that one year on from the introduction of GDPR, companies were facing cost pressures from a large number of subject access requests (SARs) coming from their own employees.

Nevertheless, the shift in responsibility towards companies that GDPR has brought, and the widespread knowledge about GDPR, are also a reminder that companies really should have a system and clear policies and procedures in place that enable them to respond quickly and in a compliant way to data requests, whoever they are from.

Hacker’s Website Closed Down In International Operation

A website (and its supporting infrastructure) which sold a variety of hacking tools to other would-be cybercriminals has been closed down after an investigation by agencies from multiple countries including the UK’s National Crime Agency (NCA).

IM-RAT

The main tool that the agencies were particularly interested in eradicating was the Imminent Monitor Remote Access Trojan (IM-RAT), a hacking tool of Australian origin which had been on sale for 6 years via the Imminent Monitor website.

According to Europol, once installed on a victim’s computer the IM-RAT malware, which could be purchased for as little as $25, allowed cybercriminals to secretly “disable anti-virus and anti-malware software, carry out commands such as recording keystrokes, steal data and passwords and watch the victims via their webcams”.

Big International Operation

The investigation and the operation to shut down the sale of IM-RAT was led by the Australian Federal Police (AFP) and involved judicial and law enforcement agencies in Europe, Colombia and Australia, and was coordinated by Europol and Eurojust.

Coordinated law enforcement activity has now ended the availability of IM-RAT, which was used across 124 countries and sold to more than 14,500 buyers. IM-RAT can no longer be used by those who bought it.

In a week of actions (in November), the international agencies dismantled the infrastructure of IM-RAT, arrested 14 of its most prolific users and seized over 430 devices for forensic analysis.

Back in June, search warrants were executed in Australia and Belgium against the developer and one employee of IM-RAT and, most recently, actions to fully shut down the distribution of IM-RAT have also been taken in Australia, Colombia, Czechia, the Netherlands, Poland, Spain, Sweden and the UK.

In the UK, it has been reported that the NCA searched properties in Hull, Leeds, London, Manchester, Merseyside, Milton Keynes, Nottingham, Somerset and Surrey in relation to the investigation.

The shutting down of the whole IM-RAT infrastructure, and the detailed analysis of the malware and the website used to sell it mean that IM-RAT can no longer be used.

Tens of Thousands of Victims

With the IM-RAT malware/hacking tool being so widely used, Europol believes that there are probably tens of thousands of victims around the world, and so far, investigators have been able to find evidence of stolen personal details, passwords, private photographs, video footage and data.

IM-RAT

Although IM-RAT allows cybercriminals to secretly take control of a computer, there are some common signs which indicate that a computer may have been infected with IM-RAT. These signs include an unusually slow internet connection, unknown processes running on the system (visible in the Task Manager, Processes tab), files being modified or deleted without your permission, and unknown programs being installed on your device (visible in the Control Panel, Add or Remove Programs).
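The signs listed above can be checked more systematically than by eye. The following PowerShell script is an added example (it is not from the article, from Europol or from any investigating agency) for a defender triaging a Windows machine: it lists running processes whose executable is not validly signed, programs installed in the last 30 days, and programs set to start automatically with Windows. The 30-day window and the treatment of an unsigned binary as "worth a look" are assumptions of this example only; plenty of legitimate software is unsigned, so the output is a list of things to review, not a verdict.

```powershell
# Added example (not code from the article or from Europol): quick triage of a
# Windows machine for the infection signs the article describes.
# Assumes an elevated PowerShell session on Windows.

# 1. Running processes whose executable is not validly Authenticode-signed.
#    These correspond to the "unknown processes" a user might spot in Task Manager.
#    Unsigned is a heuristic, not proof of infection.
function Get-UnsignedProcesses {
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        if ($sig.Status -ne 'Valid') {
            [PSCustomObject]@{
                Name      = $_.ProcessName
                Id        = $_.Id
                Path      = $_.Path
                SigStatus = $sig.Status
            }
        }
    }
}

# 2. Programs installed recently (the "unknown programs" in Control Panel >
#    Add or Remove Programs), read from the Uninstall registry keys for both
#    64-bit and 32-bit software. InstallDate is stored as a yyyyMMdd string,
#    so a string comparison against the cutoff is sufficient.
function Get-RecentlyInstalledPrograms {
    param([int]$Days = 30)   # assumed window for this example
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $cutoff = (Get-Date).AddDays(-$Days).ToString('yyyyMMdd')
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.InstallDate -and $_.InstallDate -ge $cutoff } |
        Select-Object DisplayName, Publisher, InstallDate, InstallLocation |
        Sort-Object InstallDate -Descending
}

# 3. Entries that start automatically with Windows (Run keys and Startup
#    folders). Remote access tools usually need to survive a reboot, so this
#    list is a standard place to look for anything unfamiliar.
function Get-AutoStartEntries {
    Get-CimInstance -ClassName Win32_StartupCommand |
        Select-Object Name, Command, Location, User
}

# Print the three lists for review.
Get-UnsignedProcesses          | Format-Table -AutoSize
Get-RecentlyInstalledPrograms  | Format-Table -AutoSize
Get-AutoStartEntries           | Format-Table -AutoSize
```

If anything in the output is unfamiliar, the Europol steps the article goes on to describe still apply: disconnect the machine from the network before investigating further, then scan it with trusted security software rather than removing files by hand.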

What Does This Mean For Your Business?

For businesses, this kind of malware caused considerable problems, not least in terms of data protection, disruption, industrial espionage and extortion, and left their devices wide open to hackers. This internationally co-ordinated move by multiple agencies is an important step in the battle against so-called ‘crime as a service’ and bulletproof hosting where organised gangs have sought to profit from crimes that they can carry out from a distance via the Internet.

If you believe that your device may have been infected by IM-RAT, the Europol advice is to disconnect your device from the network in order to prevent any additional malicious activity, install trustworthy security software, and run a scan of your device using security software. When you’re satisfied that you’ve removed the infection, change the passwords for your online accounts and check your banking activity.

Some general steps you can take to guard against falling victim to malware include keeping your anti-virus software and patching up to date, installing a firewall, only using strong passwords (that aren’t shared across different accounts), covering up your webcam when it’s not in use, regularly backing up your data, and making sure that you don’t open any suspicious-looking emails and attachments, even if they do come from people on your contact list.

The Tech That The Parties Are Promising

With the UK’s General Election due to take place on 12 December, many issues have been covered in the media.  One key area of interest for businesses is technology and for those of you who may not have time to plough through the manifestos of the main parties, here’s a quick look at some of the technology-related pledges and ideas featured in those manifestos.

CONSERVATIVES

With the Conservative government having been in power since May 2010 (firstly in coalition with the Lib Dems), the tech vision, policies and direction of travel are, of course, a little clearer to all. The EU referendum under David Cameron heralded the need for UK data protection laws to be aligned with the EU’s GDPR, and brought uncertainty and concerns that UK employers would be less likely to seek migrant tech employees, and that fewer overseas tech workers would seek to stay in their jobs in the UK, in an environment where the challenge posed by a tech skills gap was already evident. Having said that, back in 2017, the Conservative government under Theresa May announced a boost to the UK’s digital and technology industries in the form of £700m of funding as part of the launch of its Industrial Strategy Challenge Fund. Also, under the Conservatives, a National Cyber Security Centre was set up in London in February (to act as part of GCHQ in Cheltenham), which was intended to enable businesses to report serious data breaches to the NCSC in confidence.

Looking forward to this 2019 election then, the Conservative manifesto features some of the following technology ideas and pledges:

  • The setting up of a new, dedicated national cybercrime force and National Crime Laboratory, both of which are intended to help the police to safely get the benefits from the use of new technologies like biometrics and artificial intelligence, and to use DNA, all within a strict legal framework.
  • Providing gigabit broadband access for “every home and business” by 2025 to help businesses and remote workers, to be paid for under the ‘National Infrastructure Strategy’.
  • Investing £1bn in “completing a fast-charging network” for electric vehicles to make sure that “everyone is within 30 miles of a rapid electric vehicle charging station”.
  • With reference to R&D tax credits, increasing the tax credit rate to 13 per cent and reviewing the definition of R&D so that investments in innovation and productivity-boosting cloud computing and data are incentivised.
  • Creating a new £3 billion (over the next Parliament) National Skills Fund to provide matching funding for individuals and SMEs for high-quality education and training.
  • Creating 20 Institutes of Technology, to connect teaching in science, technology, engineering and maths to business and industry.
  • Investing in “world-class computing and health data systems” to help with research.

LABOUR

In the Labour Party’s 2019 manifesto, party leader and leader of the opposition Jeremy Corbyn says that he’s planning to “launch the largest-scale investment programme in modern times to fund the jobs and industries of the future so that no one is held back and no community left behind.”

Some of the key technology-related pledges and ideas that feature in the Labour Party’s manifesto for the coming 2019 General Election include:

  • A proposal which has attracted a lot of media attention (and criticism from the Conservatives) to re-nationalise part of BT and deliver free full-fibre broadband to all.
  • This will involve the creation of two new government entities, British Digital Infrastructure and British Broadband Service (BBS), to help roll out full-fibre networks and coordinate the delivery of free broadband. Labour says this can all be paid for through the party’s planned Green Transformation Fund and a new tax regime for multinational companies, and there will be a jobs guarantee for all workers in existing broadband infrastructure and retail broadband work.
  • The appointing of a cabinet-level minister dedicated to cybersecurity to help ensure that the nation’s cybersecurity issues are tackled effectively and to offer regular reviews of cyber-readiness.
  • Giving officials working for National Cyber Security Centre (NCSC), which is the public-facing division of GCHQ, the power to audit public and private sector organisations’ cyber defences and issue warnings to organisations in order to reduce their cyber risk.
  • Ensuring that no services are offered on a “digital-only” basis in order to try and remove the so-called ‘digital barrier’ that may exclude vulnerable people, and also to offer telephone, face-to-face and outreach support.
  • Bringing in a legal right to collective consultation on the implementation of new technology in workplaces in order to ensure more rights and protections for workers whose jobs may be at risk of being lost or reduced as a result of technological advancement.

THE LIBERAL DEMOCRATS

The big news is that beyond the 12 key policies focused on by the media, the Jo Swinson-led Liberal Democrats (Lib Dems) have their eyes set upon a “vision for an innovation-led economy”. With stopping Brexit as their main focus, the party makes the point that retaining the freedom of movement that EU membership has given could mean that British tech industries “have access to the best and brightest talent from the EU”, thereby giving “businesses opportunities to grow and contribute to life and prosperity in the UK.”

Some of the other key technology areas that the Lib Dems say in their manifesto their innovation-led vision will cover include:

  • Positioning the UK to become a world leader in new technologies like artificial intelligence (AI).
  • A belief that the EU should make solid new legislation about blockchain, AI and other new technologies.
  • Giving high priority to matters relating to cybersecurity, data protection and privacy matters.
  • Seeking to encourage competition from companies in the “digital space” and supporting the use of European and UK competition powers to stop “tech giants” from exploiting consumers and ensuring innovation through competition.
  • Increasing the national spend on R&D to 3% of GDP (2.4% by no later than 2027), doubling innovation spend and creating “catapult” innovation and technology centres.
  • Allowing companies to claim R&D tax credits against the cost of purchasing datasets and cloud computing, as well as simplifying regulations and speeding up regulatory change.
  • Creating a “startup allowance” to support fast-growing businesses e.g. tech startups.

THE GREEN PARTY

Even though the Green Party’s leader (and Brighton MP) Caroline Lucas was the party’s only MP elected in the last general election, they now have 7 MEPs in the European Parliament. Obviously, Green Party pledges and ideas relate strongly to environmental issues, and some of the technology-related pledges and ideas in their 2019 General Election manifesto (which pledges zero carbon by 2020) include:

  • Delivering financial mechanisms and the transfer of new technologies to help the Global South adapt to climate change in a just way.
  • As part of the “Green New Deal”, including finance and technology to “help the majority world adapt to climate change”, support human well-being, and to break “the carbon chains of fossil fuel dependence”, thereby bringing about a “green economic and social revolution”.
  • Setting new clean technology standards and investing in research.
  • Applying a Carbon Tax to help incentivise industry to switch to low and zero-carbon technology and equipment.
  • Making finance and technology available to support developing nations.
  • Introducing a Digital Bill of Rights (a new law) in order to make the UK a leading voice on standards for the rule of law and democracy in digital spaces and to ensure independent regulation of social media providers. This law will also be designed to safeguard elections from foreign interference.

General Election – 12 December

Obviously, there are other political parties that make up and influence the UK political landscape, and which have technology-related pledges, but hopefully, this shorthand summary of some of the key tech pledges from the main players has provided some insight into where they say they stand on technology matters.

Clearly, elections are decided on a wide range of different issues and subjects and even though Brexit has been a dominant issue for some time now, it remains to be seen how the political and economic landscape will be changed after 12 December.  Technology, however, will continue to advance, and exciting new areas such as AI promise to create new opportunities for businesses going forward.

Uber Loses London Licence

A decision by Transport for London (TfL) means that ride-hailing service Uber has lost its licence to carry passengers in London over safety and security failures.

Why?

According to TfL, it had identified a pattern of failures by Uber, including breaches that had risked the safety of passengers and drivers, plus some uninsured journeys.

Prior to the decision to remove its London Licence, Uber had pledged to improve its drivers’ safety training and provide a direct connection to emergency services.

Not The First Time

Uber had its London licence removed before by TfL back in 2017 after it was decided that the company was “not fit and proper” following security issues, public safety issues, poor reporting (of serious in-car crimes), poor medical checks (of drivers) and poor background checks (of drivers). Uber’s controversial founder and CEO Travis Kalanick had already resigned (in June 2017) amid rumours that he had possibly been “pushed” by unhappy shareholders. Mr Kalanick was replaced by Dara Khosrowshahi.

In 2018, Uber was only given a probationary 15-month licence in London following changes made to improve relations with city authorities, and had most recently (September) been granted only a two-month licence, which is the licence that is now about to be allowed to expire.

Black Cab Battle

Uber has not had an easy ride in London from its competitors, the drivers of the famous black cabs. The 22,000 traditional “cabbies”, who are required to pass the notoriously difficult memory test of the city’s road network known as “the Knowledge” in order to pick up passengers, have objected (many would say understandably) to the loss of business that comes from having to compete with a growing number of Uber drivers who don’t face the same costs or regulations, who don’t take the same test, and who can rely on satnav apps.

Carry On and Appeal

It has been reported that although the decision to remove the London licence has been taken, Uber will appeal and it is likely that its 45,000 drivers in London may decide to keep accepting customers until the long process of the appeal has been considered.

Trouble Around The World

It’s certainly not just the UK where Uber has found itself facing legal challenges in recent years.  For example:

In the US, in March, the company had to pay $20 million in settlement of a lawsuit brought by drivers who claimed they were employees and were therefore entitled to some wage protections. Also, in November, Uber unsuccessfully challenged a city law which limited the number of licenses for ride-hailing services.

In Australia this year, the company faced a class action on behalf of thousands of drivers who alleged that Uber was operating illegally and harming them financially, and back in December 2018 in Germany, Uber’s limousine service (stopped in 2014) was ruled to have been illegal. Uber has also faced legal problems in the Netherlands, India, and Austria.

Other Woes

Back in November 2017, Uber was handed a £385,000 fine by the ICO in the UK for data protection failings during a cyber-attack back in 2016 which involved the compromising (and theft) of data relating to 600,000 US drivers and 57 million user accounts.

Also, back in May, Uber’s trading debut at the New York Stock Exchange (NYSE) proved to be somewhat underwhelming when the opening share price was much lower than had been expected at only $45 per share.

Move to Bikes and Scooters

In August 2018, Uber announced a shift in focus towards bikes and scooters in order to drive growth and keep people using the platform. It was thought that bikes and scooters would be more effective and efficient than cars in congested city areas, could represent a way to get another slice of the lucrative mobility market, and that they could be used to help shape consumer behaviour and keep levels of engagement high.

Popular With Users

It has to be said that despite Uber’s problems with the authorities and London cabbies, the service has been popular with many users having positive things to say about the convenience of the app, Uber prices and the speed of the service.

What Does This Mean For Your Business?

Uber had already been on borrowed time in London after finally being granted a two-month licence (following on from just a 15-month probationary one). Uber’s relationship with the UK authorities and Mayor Sadiq Khan, who had accused Uber of adding to the city’s congestion problems, has been on the edge for quite some time, and it appears as though Uber may not have made the changes that it had pledged to make in order to retain its licence. The appeal may take a few months, so it is likely that Uber drivers will simply carry on for the time being.

For users, it may come as a disappointment that a service that they found to be very convenient will soon no longer be available, but it may be the case that a new London Mayor after May 2020 could take a different approach towards Uber. For example, some Uber drivers have expressed the belief that Mayor Khan may be pandering too much to the black cabbies, and a prospective mayoral candidate, Shaun Bailey (Conservative), has expressed regret over TfL’s decision not to grant another licence to Uber. For the time being though, it’s a waiting game in London for Uber.

Google To Offer Bank Accounts

Tech giant Google is crossing over into the banking world by partnering with Citigroup to offer ‘smart checking’ accounts (bank current accounts) next year as part of its ‘Cache’ project.

Partnering, Not Self-Branding

Google is reported to be prepared to rely heavily on the knowledge of its Citibank partner in the project and will not be self-branding the accounts. Google will, no doubt, be grateful for the guidance of its partner through the complicated regulatory aspects of banking.

Other Tech Companies Too

Google’s move into the finance world follows that of competitor tech giants, some of whom have experienced a bumpy ride in banking territory such as:

– Facebook developing its own cryptocurrency called Libra, which has recently suffered the departure of big names from the association of organisations that was set up to run the currency – PayPal has dropped out, with Mastercard, Visa, and digital payment platform and processor Stripe soon to follow.

– Apple introducing its own credit card, the ‘Apple Card’, in the US in partnership with Goldman Sachs and with processing by Mastercard. The card system operates through the Wallet app on iPhone (iPhone 6 and later), but Apple soon suffered criticism that the physical titanium card that accompanies each account would be vulnerable to damage by everyday material surfaces such as denim and leather, thereby rendering it potentially impractical.

– Amazon offering credit card and business loans, with a view to boosting its own e-commerce business.

– Uber Money offering credit cards, debit accounts and money tracking tools to help the company with its own taxi operations.

Why?

Like other tech companies, Google’s massive customer base and widely recognised brand mean that it can leverage this power through brand extension. Google knows that by simply supplying more of people’s needs online, often by strategic alliance, it can stay competitive, and find new users and new opportunities.

Privacy & Trust Worries

Some technology commentators have, however, expressed worries that giving tech companies access to our financial information could mean that they know too much about us, and that they may be tempted to share data with (or sell that data to) their advertising arm or other organisations.

Although Google has said that it will not be selling or sharing its account holders’ financial data, just as it doesn’t share data from its Google Pay service with advertisers, there has been a recent report that Google may be able to gain access to the personal medical data of up to 50 million Americans through its partnership with the healthcare giant Ascension.

Research

Research has indicated that consumers are likely to trust Google with their financial affairs. For example, a study by McKinsey & Company revealed that 58% of people (surveyed) said they would trust Google with financial products.

UK BoE Governor

Back in June, UK Bank of England (BoE) Governor Mark Carney offered tech companies and all payment providers the chance to store funds overnight in interest-bearing accounts at the central bank, and appeared to be adopting an “open mind but no open door” approach to Facebook’s Libra cryptocurrency.

What Does This Mean For Your Business?

It was more or less inevitable that the reach and brand power of tech giants, who are already trusted with many personal aspects of our lives, would mean that they want (and would be able) to move into the world of our personal finances too. The move may be a win/win for both the financial partners (who can learn how to upgrade the tech of their service) and the tech giants, who can find out even more about us and can become even more essential partners to us in all parts of our digital life.

The damage to trust, however, caused by Facebook’s sharing of harvested user data with Cambridge Analytica has left some people with reservations about trusting tech companies with too much of our personal data.

Scale of Police Computer Misuse Uncovered

A Freedom of Information (FoI) request made by think tank Parliament Street has revealed that 237 serving officers and members of staff have been disciplined for computer misuse in the last two financial years.

Sackings and Resignations

The FoI request, which was responded to by 23 forces, also revealed that 6 employees resigned and 11 were sacked over failures to adhere to IT best practices, e.g. for disclosing personal information.

Took Photos of Screen and Shared

In Hertfordshire, two incidents out of 16 disciplinary cases involved employees taking photographs of the screen of a (confidential) police computer system and sharing those photos via social media.

Most Cases

The most individual computer misuse incidents were recorded by Surrey Police, with 50. Second in the misuse ranking was the Metropolitan Police, where 18 people were disciplined (4 were accused of misusing social media) and one staff member was sacked for misusing the Crime Reporting Information System.

Greater Manchester Police managed to take the third position in the incidents rankings with 17 for misuse of force systems.

Other Incidents

Other incidents uncovered by the FoI request included 3 officers being sacked from Gwent Police (for researching the crime database for a named person, disclosing confidential information, and unlawful access to information) and 3 being sacked from Wiltshire Police for using the police databases without lawful access to the information. Also, one member of Nottinghamshire Police was disciplined for using the police computer system to search for information about a civil dispute they were involved in.

Case In July

These incidents were reminiscent of the case from July this year whereby a serving Metropolitan police officer was given 150 hours of community service and ordered to pay £540 after pleading guilty to crimes under the UK’s Computer Misuse Act, which included using a police database to monitor a criminal investigation into his own conduct.

What Does This Mean For Your Business?

We all must adhere to data protection laws (GDPR) and best practices to ensure that company computer systems are used responsibly and legally. The irony of the information uncovered by the FoI request is that hundreds of those persons who are entrusted to uphold and enforce the law appear to be prepared to risk their jobs, break the law and betray public trust. The fact that hundreds of police have been caught (there may be many more who haven’t) misusing police systems which contain large amounts of sensitive personal data raises serious questions about privacy and security.

This may indicate that police forces need to offer more education and training to employees about data protection and the correct (and legal) use of police computer systems as well as tightening up on monitoring, access control and validation/authorisation.

Businesses Not Prepared For IR35 Tax Reforms

A poll by recruitment firm Hays appears to show a lack of awareness of, and preparedness for, next year’s new IR35 tax reforms among medium-to-larger private sector organisations.

What Is IR35?

The IR35 tax reform legislation, set to be introduced in April 2020, is designed to stop tax avoidance through ‘disguised employment’, which occurs when self-employed contractors set up their own limited company to pay themselves through dividends (which are not subject to National Insurance). IR35 will essentially mean that, from April 2020, medium-to-larger private sector organisations could become responsible for determining the tax status of any non-permanent contractors and freelancers their organisation hires. Also, the tax liability will transfer from the contractor to the fee-paying party, i.e. the recruiter or the company that directly engages the contractor.

The idea for the legislation dates back to 1999 under Chancellor Gordon Brown, and Chancellor Philip Hammond introduced IR35 for public bodies using contractors from April 2017.

Not Ready

The poll by Hays, which gathered the views of 31,598 UK-based individual employees and employers, showed that only 43% of respondents in organisations to which the new legislation would apply said they have begun preparations, and one fifth said they have not.

A study by the Association of Professional Staffing Companies (APSCo) in the summer also showed that only 39% of agencies polled believed that most of their business clients were even aware of the incoming changes and that only 12% thought that their clients are actively preparing for IR35.

Concerns

The main worries expressed about the introduction of IR35 by the 24% who were aware of its imminent introduction are that it could bring more costs and responsibility (68%) and could mean that they lose key talent from their organisation (56%).

Many organisations also fear the complexity and potential administrative burden of IR35.

Man Wins £240,000 In IR35 Appeal

IR35 was first introduced in the public sector, and there was news this week that a former Department for Work and Pensions (DWP) worker (from 2010 to 2015), Richard Alcock, won a £240,000 appeal against HMRC after an IR35 tribunal. It had been alleged by HMRC that Mr Alcock, who had used his limited company RALC Consulting Ltd to engage in contracts with the DWP, owed more than £200,000 in unpaid taxes because he was working on an equivalent basis to full-time staff, and should pay the same rates of tax and national insurance (under IR35). Mr Alcock was, however, able to show that because (in his case) there had been no minimum obligation to provide work and no ability to charge for just making himself available for work, he couldn’t be an employee.

What Does This Mean For Your Business?

There does appear to be some complexity in IR35, and businesses may be right to fear that this could lead to more costs and admin and could cause complications in an organisation’s relationship with trusted contractors who may work very effectively within that organisation.

Many business owners may also feel that not enough has been done by the government to raise awareness of the changes and to educate businesses and contractors about the implications and responsibilities of IR35.

Nevertheless, the clock is ticking on the introduction of IR35 for medium-to-larger private sector organisations, and these organisations now need to make sure that they progress as quickly as possible with IR35 preparations.

ICO Warns Police on Facial Recognition

In a recent blog post, Elizabeth Denham, the UK’s Information Commissioner, has said that the police need to slow down and justify their use of live facial recognition technology (LFR) in order to strike the right balance between reducing our privacy and keeping us safe.

Serious Concerns Raised

The ICO cited how the results of an investigation into trials of live facial recognition (LFR) by the Metropolitan Police Service (MPS) and South Wales Police (SWP) raised serious concerns about the use of a technology that relies on a large amount of sensitive personal information.

Examples

In December last year, Elizabeth Denham launched the formal investigation into how police forces used FRT after high failure rates, misidentifications and worries about legality, bias, and privacy.  For example, the trial of ‘real-time’ facial recognition technology on Champions League final day in June 2017 in Cardiff, by the South Wales and Gwent Police forces, was criticised for costing £177,000 and yet resulting in only one arrest, of a local man, and even that arrest was unconnected.

Also, after trials of FRT at the 2016 and 2017 Notting Hill Carnivals, the Police faced criticism that FRT was ineffective, racially discriminatory, and confused men with women.

MPs Also Called To Stop Police Facial Recognition

Back in July this year, following criticism of the Police usage of facial recognition technology in terms of privacy, accuracy, bias, and management of the image database, the House of Commons Science and Technology Committee called for a temporary halt in the use of the facial recognition system.

Stop and Take a Breath

In her blog post, Elizabeth Denham urged police not to move too quickly with FRT but to work within the model of policing by consent. She makes the point that “technology moves quickly” and that “it is right that our police forces should explore how new techniques can help keep us safe. But from a regulator’s perspective, I must ensure that everyone working in this developing area stops to take a breath and works to satisfy the full rigour of UK data protection law.”

Commissioner’s Opinion Document Published

The ICO’s investigations have now led the Commissioner to produce and publish an Opinion document on the subject, as permitted by the Data Protection Act 2018 (DPA 2018), s116(2) in conjunction with Schedule 13(2)(d).  The Opinion document has been prepared primarily for police forces and other law enforcement agencies that are using live facial recognition technology (LFR) in public spaces, and offers guidance on how to comply with the provisions of the DPA 2018.

The key conclusions of the Opinion Document (which you can find here: https://ico.org.uk/media/about-the-ico/documents/2616184/live-frt-law-enforcement-opinion-20191031.pdf) are that the police need to recognise the strict necessity threshold for LFR use, that there needs to be more learning within the policing sector about the technology, that public debate about LFR needs to be encouraged, and that a statutory binding code of practice needs to be introduced by government at the earliest opportunity.

What Does This Mean For Your Business?

Businesses, individuals and the government are all aware of the positive contribution that camera-based monitoring technologies and equipment can make in terms of deterring criminal activity, locating and catching perpetrators (in what should be a faster and more cost-effective way with live FRT), and in providing evidence for arrests and trials.  The UK’s Home Office has also noted that there is general public support for live FRT in order to (for example) identify potential terrorists and people wanted for serious violent crimes.  However, the ICO’s apparently reasonable point is that moving too quickly in using FRT without enough knowledge or a Code of Practice and not respecting the fact that there should be a strict necessity threshold for the use of FRT could reduce public trust in the police and in FRT technology.  Greater public debate about the subject, which the ICO seeks to encourage, could also help in raising awareness about FRT, how a balanced approach to its use can be achieved and could help clarify matters relating to the extent to which FRT could impact upon our privacy and data protection rights.

Equifax Hack Inevitable Says Lawsuit

A lawsuit against US Credit Rating Company Equifax relating to the massive 2017 hack alleges that the breaching of Equifax’s systems was “inevitable because of systemic organisational disregard for cybersecurity and cyber-hygiene best practices.”

What Happened

Back in September 2017, US Credit Rating Company Equifax was hacked and, in one of the largest recorded data breaches in history, an estimated 148 million customer records were stolen, 44 million of which are believed to have belonged to UK customers.  Details stolen in the attack included names, US social security numbers, dates of birth, addresses, driver’s licence details, and around 209,000 credit card numbers.

Hackers got in through a vulnerability in the website, and Equifax was reported to have known about the attack for 40 days before informing the public that it had happened.  Another aspect of the case that caused outrage at the time was the fact that three senior executives at the company were believed to have sold off shares worth almost £1.4m before the breach was publicly announced.

The Lawsuit

The lawsuit that was filed against Equifax with the Northern District Court of Georgia (Atlanta Division) in the US states that the breach was the “inevitable result of widespread shortcomings in Equifax’s data security systems”.

What Kind of Shortcomings?

The lawsuit alleges that Equifax’s data protection measures were “grossly inadequate,” and “failed to meet the most basic industry standards”.  The lawsuit paints a picture of a company with a shockingly simplistic and risky approach to the protection of personal data.  For example, it alleges that Equifax:

  • Failed to implement proper patching protocols and relied upon one individual to manually implement its patching process across its entire network.
  • Didn’t encrypt sensitive information and instead stored it in plain text, making it easy for unauthorised users to read and misuse.
  • Didn’t encrypt mobile applications, meaning that it failed to encrypt data being transmitted over the internet.
  • Stored sensitive data on public-facing servers and left the keys to unlocking the encryption on those same public-facing servers, making it easy to remove the encryption from any data.
  • Used inadequate network monitoring practices and obsolete software.
  • Failed to implement adequate authentication measures.  This allegedly included using weak passwords and security questions.

Simple Usernames and Passwords Including ‘Admin’

One of the shocking accusations in the lawsuit relates to passwords.  It highlights how the New York Stock Exchange-listed firm responsible for protecting the sensitive personal data of millions of people used four-digit PINs (derived from Social Security numbers and birthdays) to guard personal information, even though these weak credentials had already been compromised in previous breaches.

Also, the lawsuit alleges that Equifax relied upon the username “admin” and the password “admin” to protect a portal used to manage credit disputes, thereby making it incredibly easy for any hackers to guess.  For example, many penetration testing companies will use more obvious passwords such as ‘admin’ as a basic part of their testing of company systems.

Simple Passwords Still Widely Used

One of the main ways that we can all leave the door open to security breaches and hacks is by using simple, easy-to-guess passwords, and by reusing the same password across multiple websites and platforms.

For example, a study by the UK’s National Cyber Security Centre (NCSC) into breached passwords (in April this year) revealed that 123456 featured 23 million times, making it the most widely used password on breached accounts.  The study, which analysed public databases of breached accounts, also found that the second-most popular string was 123456789, and that the words “qwerty” and “password”, and the string 1111111 all featured in the top five most popular breached passwords.

What Does This Mean For Your Business?

The allegations about the apparent organisational disregard for cyber-security at such a big company, the use of simple, default-style passwords such as ‘Admin’, and leaving one person in charge of patching for the whole company are truly shocking.  The case highlights how some organisations may be too casual about how they manage and protect sensitive data, which is a dangerous position to be in, particularly given the possible fines under GDPR. Since most companies still rely upon passwords for many important systems and tools, this case particularly highlights how IT departments may need to implement processes to make sure that default passwords are changed to more secure ones, and that commonly used passwords are blacklisted.  Introducing multifactor authentication (MFA) also adds an important extra layer of security to password-based systems, and many companies are now turning to biometric authentication methods as a way of moving away from passwords and their risks altogether.
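As an added example that is not part of the original article, the Python check below enforces the controls this section argues for: it rejects default-style credentials such as admin/admin, short numeric PINs, and anything on a breached-password denylist. The denylist is a constructed sample seeded with the strings the NCSC study named above, and the 12-character minimum is an assumed policy threshold, not a figure from the article.

```python
import re

# Constructed sample denylist: the top breached strings reported by the NCSC
# study discussed above. A real deployment would load the full breached list.
BREACHED_PASSWORDS = frozenset({
    "123456", "123456789", "qwerty", "password", "1111111",
})

# Well-known default account names/passwords (constructed sample, not exhaustive).
DEFAULT_CREDENTIALS = frozenset({"admin", "administrator", "root", "guest"})

# Assumed policy threshold; the article does not specify a minimum length.
MIN_LENGTH = 12


def normalise(password: str) -> str:
    """Lower-case and strip trailing digits/symbols so that variants such as
    'Password1!' or 'qwerty2019' still match the denylist entry."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def password_problems(username: str, password: str) -> list[str]:
    """Return every policy violation for a candidate username/password pair.
    An empty list means the pair passes all of these checks."""
    problems = []
    if password.lower() == username.lower():
        problems.append("password equals username (default-style credential)")
    if password.lower() in DEFAULT_CREDENTIALS:
        problems.append("password is a well-known default")
    if password.isdigit() and len(password) <= 8:
        # Covers the four-digit PIN practice alleged in the lawsuit.
        problems.append("short numeric PIN used as a password")
    if password in BREACHED_PASSWORDS or normalise(password) in BREACHED_PASSWORDS:
        problems.append("password appears on the breached-password denylist")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def is_acceptable(username: str, password: str) -> bool:
    """True only when no policy check fires."""
    return not password_problems(username, password)
```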

The Equifax case also highlights that businesses should treat database security as seriously as every other aspect of their cybersecurity: admin passwords should not be shared, and where sharing is unavoidable, there should be a record of who holds those passwords and why. Running analytics on database activity also lets a business track when someone has accessed a database using particular admin credentials.

New Law To Advance Fast Broadband Roll-Out Announced

Amendments to the UK’s Electronic Communications Code will give broadband operators compulsory rights to install their apparatus on another person’s property, thereby getting around the problem of landlords not responding to requests for access to blocks of flats and apartments.

The Challenge

The challenge that has prompted the government to seek changes to the current legislation has been a claim by broadband operators that 40% of their requests for access to blocks of flats and apartments have routinely received no response. This has been blamed for slowing down the UK government’s plans to deliver the target of national full-fibre coverage by 2025 and develop the kind of digital infrastructure that could boost growth and boost productivity.

The Law

Prior to 2017, the UK law that applied to relations between landlords and telecoms operators in respect of installing and maintaining electronic communications apparatus on land and buildings was the Telecommunications Code in the Telecommunications Act 1984 (amended by the Communications Act 2003). This Telecommunications Code has now been replaced by the new Electronic Communications Code (as part of the Digital Economy Act 2017). The new code means that a broadband operator can now apply for compulsory rights to install apparatus on another person’s property.

It is thought this change to the law will mean that an estimated 3,000 additional residential buildings (flats and apartments) per year can now have modern broadband installed.

Rural Challenge

The government still faces a considerable challenge in getting more rural areas connected in order to meet its broadband and mobile network roll-out targets, and there is currently a digital divide between urban and rural areas of the UK.  The government has recently announced, however, that £5bn new funding will be made available to bring gigabit-capable broadband to harder-to-reach, rural parts of the UK as well as a change in planning rules to help the roll-out of 5G.

What Does This Mean For Your Business?

Now that operators don’t have to wait for responses from landlords, this could make the chance of the government meeting its broadband targets a little more likely and could help boost the economy.

Broadband is an essential service for business and despite this positive change in the law, many UK business owners still know that broadband services in the UK can sometimes be patchy and often expensive, while ‘Which?’ research shows that the UK ranks only 31st in the world for average broadband speeds. Those businesses in rural areas are also finding themselves facing the challenge of a growing digital divide between rural and urban that is adversely affecting their competitiveness.

Even with this change in the law, being able to meet the target of national full-fibre coverage by 2025 is a big ask and it is estimated that the UK may only have 7% full-fibre coverage by 2020.