Blog


June 30, 2008 | Michael Holloway

Supporter update - June 2008

The June 2008 supporter update is now available for your enjoyment. Read on...



June 25, 2008 | Glyn Wintle

HMRC "Datagate" verdict: further data loss "a distinct possibility"

Kieran Poynter has published his review of information security at HM Revenue and Customs. Yes, after a seven-month wait, it's the official explanation of how it was possible for a junior official to lose discs containing records for 25 million individuals and 7.25 million families in the post. ORG is very pleased to see the review making sensible recommendations that should be followed not only by HMRC but by all government institutions. Information security should be seen as a priority. This report is clear in stating that in HMRC it was not.

The fact that information has value may be blindingly obvious to most of those who read our blog, but it is not so obvious to officials working in government. Poynter recommends that HMRC should hold the minimum amount of data required to perform its functions - a recommendation echoed by the Home Affairs Select Committee in their recent report A Surveillance Society?. Unfortunately, unless this Government can get over its addiction to large, centralised databases, data minimisation will be a distant dream.

The report also recommends that the transfers of digital data involving physical media should be phased out completely and computers (and in the short term, any removable media) should be encrypted. From the report it is clear that HMRC employees were unsure about who owned and was responsible for data. Insufficient security education and awareness is highlighted as an unsurprising explanation for the poor information security. And because HMRC did not understand how data moved through the organisation it was hard to effectively identify and manage its information security risks. Or, put a different way, if you do not know what you have got, where it is and who is doing what with it, it is impossible to guarantee that someone is not doing something they shouldn't be.

The data loss incident arose following a sequence of communications failures between junior HMRC officials and between them and the National Audit Office ("NAO"). The loss was entirely avoidable and the fact that it could happen points to serious institutional deficiencies at HMRC.

The two major institutional deficiencies from which many of the more detailed issues flow were:

  • Information security simply wasn't a management priority as it should have been, and
  • HMRC had an organisational design which was unnecessarily complex and crucially, did not clearly focus on management accountability

So now to an important question: will it happen again?

HMRC has significantly reduced the risk of further data loss since the incident. However, when there are so many islands of information and so many data transfers going on, and while simple guidance is not available to staff, further data loss nonetheless remains a distinct possibility and more needs to be done. Investment will be required to continue the reduction of risk to an acceptably low level, although the review process is identifying data transfer practices which can simply be stopped at no significant cost.

Not the most reassuring answer. The good news is that a low-level employee has not had all the blame placed on his head. The culture inside HMRC of getting things done quickly and cheaply at the expense of information security is singled out throughout the report.

... the more junior staff involved in the incident clearly voiced their concerns about handing over the data to the NAO, but were overruled by their immediate superiors - at least in part to save the cost of producing a bespoke set of data.

The HMRC Discgate affair has not solved Government's bad habit of losing valuable and sensitive data about individuals. A rolling log of data losses can be found on our UK Privacy Debacles page.

Richard Thomas, Information Commissioner, said:

I will be taking formal enforcement action against HMRC and MOD following the serious data breaches that have occurred.

The reports that have been published today show deplorable failures at both HMRC and MOD. Whilst these breaches have been highly publicised and involve big numbers, sadly they are not isolated cases. It is deeply worrying that many other incidents have been reported, some involving even more sensitive data. It is of fundamental importance that lessons are learned from these breaches. Information security and other aspects of data protection must be taken a great deal more seriously by those in charge of organisations. No chief executive can now say that data protection doesn’t matter.

It is beyond doubt that both Departments have breached Data Protection requirements and we intend to use the powers currently available to us to serve formal Enforcement Notices on them. To comply with the terms of the Enforcement Notices we will require HMRC and the MOD to use their best endeavours to implement all the recommendations outlined in the reports. We will also be monitoring the situation closely. We will require progress reports to be published after 12, 24 and 36 months documenting in detail how the recommendations have been, or are being, implemented to improve Data Protection compliance. Failure to comply with an Enforcement Notice is a criminal offence.

I welcome the seriousness of the requirements and guidance for central government in the Cabinet Secretary’s Data Handling Report; this material should help chief executives across the whole of the public, private and third sectors achieve better compliance with the Data Protection Act and keep people’s personal details more secure.

A separate report by the Independent Police Complaints Commission said that "investigation found no visible management of data security at any level".



June 23, 2008 | Michael Holloway

Open Tech 2008 preview

Open Tech 2008 is an informal, low cost one-day conference on technology, society and low-carbon living, featuring Open Source ways of working and technologies that anyone can have a go at.

We don't usually flag events on this blog; instead we use Upcoming to publish events. Open Tech is exceptional because Open Rights Group was conceived at this conference in 2005. Our sessions at Open Tech 2008 will review the giant steps we've made and look forward to even greater things.

The programme is a three-streamed feast of 60 talks from the likes of mySociety, No2ID, OpenStreetMap, the Power of Information task force, ourselves and many others. Our sessions kick-start the day, beginning at 10.30am, when we'll share the stage with No2ID to present our current programme of works. The second slot at 11.30am will feature Danny O'Brien telling the story of ORG and asking for your suggestions to help chart our future course. Recordings will be made available.

Besides these seminars, we're rounding up a posse of staff, directors, advisors and volunteers for a few drinks after the formal sessions close at 7.15pm. We're inviting everyone who cares about their digital rights to help us celebrate ORG and spot future issues. Here's all the details you need to be a part of Open Tech 2008:

When: Saturday 5 July 2008, 10.30am-7.15pm. Registration now open (Doors open at 10am, bar closes at 11pm)

Where: ULU, Malet Street, London WC1E 7HY (Zone 1, CC zone). Link to map.

Cost: £5 on the door. The organisers expect to sell all tickets so pre-registry is strongly advised.



Term Extension "will damage Commission's reputation", top legal advisers tell Barroso

Today, the leading European centres for intellectual property research have released a joint letter to EU Commission President José Manuel Barroso, enclosing an impact assessment detailing the far-reaching and negative effects of the proposal to extend the term of copyright in sound recordings. With the confusion and disillusionment of Ireland's rejection of the Lisbon Treaty still ringing in the Commission's ears, the letter states:

"This Copyright Extension Directive, proposed by Commissioner McCreevy, is likely to damage seriously the reputation of the Commission. It is a spectacular kowtow to one single special interest group: the multinational recording industry (Universal, Sony/BMG, Warner and EMI) hiding behind the rhetoric of "aging performing artists".

"The Commission is required to conduct an impact study for each directive it proposes. We, the leading European centres for intellectual property policy research, have collectively reviewed the empirical evidence. Our findings are unanimous. The proposed Copyright Extension Directive will damage European creative endeavour and innovation beyond repair."

Read the letter and impact assessment in full. Further details are available from the Centre for Intellectual Property and Management.



June 06, 2008 | Michael Holloway

The Future of the Internet in Focus

Will consumer pressure for a safer net mean the end of open platforms and rapid innovation? And should the geeks who "get" the net care if the rest of the world prefer TiVos and iPhones?

On Wednesday of this week we co-hosted an event at the British Computer Society to discuss the problems raised by Jonathan Zittrain's new book, The Future of the Internet and How to Stop It. Professor Zittrain was joined by technology journalist Bill Thompson and our Executive Director, Becky Hogge, to discuss the threat that insecurity and "tethered appliances" pose to the generative Internet. We were also fortunate enough to have an expert and lively audience.

The recording (thanks to Felix) of this 90 minute event shows there is both plenty of middle ground and a broad range of views held within our community. We'd love to see your comments on the merits of Jonathan's arguments, particularly his point that online communities should develop self-regulatory mechanisms rather than rely on Government measures to ensure the net flourishes.



June 06, 2008 | Daniel

OfCom Chief Exec on next generation broadband... and network neutrality?

Broadband Internet access is great, isn't it? Sure, it's greater in some areas than others, but in general cable and ADSL have made possible the age of streaming content we now inhabit. And yet... it could always be faster. Especially as low-res sites like YouTube give way to hi-res apps like iPlayer, some providers have forecast that online traffic will meet its physical capacity within the next few years.

Government has taken notice of the problem, but not perhaps in a way that favours users. On Tuesday morning, Ofcom chief executive Ed Richards appeared on Radio 4's Today in part to address the introduction of next-generation broadband in Britain. To gain the added infrastructure necessary for this switch-over, Mr. Richards said:

"Are we doing everything that we can to set out a clear regulatory framework, to ensure that there are returns where companies take risks? Yes, I think we are doing that as well."

Will this have implications for network neutrality? He cited Virgin Media as the vanguard of fibre investors — that company's views on net neutrality are as unpalatable as they are unprintable on our front page.

Ofcom occupies a unique position in this field, because it has the power to guide the debate on what the next paradigm in Internet access will look like. Clearly, 2008 will be an important moment in this debate, and ORG is doing what we can to remind Ofcom that it is just as much its duty to "further the interests of citizens" as to ensure Virgin a healthy return. You can see our current work on the issue on our wiki, and we invite you to contribute to the project.

A transcript of the relevant portion of Mr. Richards' interview also appears on the wiki. The interview came ahead of Ofcom's release of a new voluntary code of conduct for ISPs advertising broadband speeds.



June 03, 2008 | Michael Holloway

Floreat ORG: new staff members

The ORG office has expanded with two new additions to our staff. Gavin Hill joins as part-time Policy Officer and Dan Ray will be interning with us for the next two months. Welcome along, guys. New team members significantly increase our capacity to campaign for digital rights both by releasing existing resources and bringing new expertise and energy to our work.

Our new role of Policy Officer was created thanks to a generous grant from the Open Society Institute. The role's focus is to coordinate opposition to copyright term extension and the "three strikes" agenda at the European level. Gavin is a seasoned digital rights campaigner who developed and managed the UK arm of the Foundation for a Free Information Infrastructure's strategic resistance to European software patents. He has also worked for the National Union of Students and the Open Schools Alliance. You can reach Gavin on gavin at openrightsgroup dot org.

And our new intern, Dan Ray, is on summer vacation from his postgraduate work at Harvard Law School. He majored for his undergraduate degree in Political Science and spent a summer studying British history at Oxford University. Dan's duties will be varied and his main output will be managing the collaborative drafting of a briefing pack on network neutrality. If you've got any pointers for that project, then please leave your remarks and links on Dan's working page on orgwiki. You can reach Dan on daniel at openrightsgroup dot org.



May 30, 2008 | Michael Holloway

Supporter update - May 2008

Another busy month here at ORG HQ, not least with the knitting frenzy and ElectionWatch '08. Click the link below for your monthly digest of Open Rights' activities. And if you have any advice on format or content, we would be interested to hear it in the comments.

Supporter update - May 2008
