The fact that a bank is signing up to Google Enterprise Apps for email and other collaboration services could be taken as a considerable endorsement – banks are, by nature, very security-centric: they have to ensure that they comply with strict information security and regulatory requirements. On this basis banks normally use their own servers to store and share data.

This is what makes the BBVA / Google deal so surprising. BBVA’s data will be stored on one of Google’s public servers, rather than on a private servers. BBVA will initially only use Google Apps for “internal communications” (with customer data and systems continuing to be hosted only in BBVA’s dedicated data centres), but it is assumed that over time BBVA may move more and more data to the cloud.

While I suspect that BBVA may have agreed a tailored solution and not signed up to Google’s Enterprise’s general terms and conditions, the standard Google Enterprise offering (as opposed to the free to use standard version) is rather attractive for businesses considering moving to the cloud, and in particular, using a cloud solution for data sharing and storage, such as Google Apps.

How safe is it to store data using Google Apps?
When storing data to an external server you have to make sure the data will be secure.

From an information security perspective Google Apps for Business has pretty good security credentials, so much so, that some of the US Government Departments use it. Google Apps is actually FISMA certified as being a secure way to store and share data. Google has also obtained an SSAE 16 Type II report (an independent audit) confirming that Google Docs actually adheres to the security controls it has in place and that these systems are operating effectively. The SSAE 16 report may give potential customers reassurance in relation to the effectiveness of Google’s security measures.

The other key information security concern for organisations is compliance with data protection rules and the security of personal data. Google Apps is currently hosted in the US and Europe, but Google Inc is a member of the US Safe Harbor Scheme. This is a US Federal Trade Commission scheme that allows US companies to certify compliance with a set of rules approved by the European Commission as being equivalent to the requirements of the EU Data Protection Directive.

This is important for organisations subject to EU data protection controls, as a transfer to an organisation that meets the Safe Harbor requirements allows the organisation to comply with the eighth data protection principle (which restricts transfers of data outside the EEA) without the need for putting in place model form contracts or making a finding of adequacy. This will give considerable comfort to users of Google Apps in relation to the any personal information that they store in the cloud.

However, potential customers should still be aware that Google may be obliged, under the Patriot Act, to disclose information stored in Google Apps to the US authorities.

How do other cloud services compare?
The fact that BBVA is using the Google Apps should not be taken as a green light for companies to store confidential, commercially sensitive or personal data on a similar cloud-computing solution. Google Apps is unique in terms of the FISMA and Safe Harbor accreditation and a number of cloud storage alternatives, such as Dropbox, simply don’t compare.

Dropbox – Information security risks
Dropbox and similar cloud-drive services are becoming an increasingly popular option for storing and sharing large files and for accessing documents from multiple devices. But, looking at the Dropbox terms and conditions, it appears to pose a number of potential information security risks which users may be overlooking.

Storing information
Firstly, Dropbox doesn’t have the greatest reputation as far as security is concerned.

Putting hacking to one side, there is a lack of certainty over what happens to your data once you remove it from the system. Normally, when you are storing confidential information on a third party’s system you want the comfort that at your request all of the confidential information is permanently deleted from the system. However, the Dropbox terms and conditions state that they are ‘likely’ to continue to hold the information on their back-up systems once you have deleted the data.

Releasing information
Another key concern is how readily Dropbox will share your data (confidential, personal or otherwise) with third parties. While there is a general obligation to release information when ordered to do so by a court order, Dropbox will seemingly release your files rather readily. In comparison, Google will inform you of the request and give you the opportunity to object.

Lack of independent certifications
Most importantly for potential customers within Europe, Dropbox states that it does not have Safe Harbor certification, nor is it able to provide a SAS 70 or SSAE 16 report in respect of its information security measures. This causes problems from a data protection perspective, and also means that their is no independent verification of the controls that Dropbox claims to have put in place.

The moral of the story is that you should carefully consider what data you are uploading to a data sharing  cloud – particularly if it is commercially sensitive or personal information – and, as boring as it is, read the site’s terms and conditions and carry out some due diligence on how your information will be protected.

Leaving aside whether this was a prudent thing to do given the phone hacking allegations and court cases, shredding a hard drive is one of the best ways of securely destroying information. (I love the photos on that website – you really can shred metal).

I blogged about this last year. The problem with erasing data from a drive is that the data recovery people are becoming ever cleverer at reconstructing data. It’s essentially an arms race between data destruction and data reconstruction.

So if you want to make sure data definitely has been deleted then you need to either shred the drive or follow something like the US Department of Defense erase/rewrite standard.

Destruction of disks is something that should be addressed in an organisation’s information security policy, and appropriate requirements specified (or referenced) in any outsourcing or services agreement under which a supplier is processing personal or confidential information.

So whatever the News of the World’s other failings might have been over the years, it’s good to see that their information security policy is robust and ensures that data is properly and completely destroyed, such that it cannot ever be reconstituted.

However, I wanted to pick up on the action taken by Ryan Giggs against Twitter in order to get Twitter to give details of the Twitter users who were naming him as a super injunction holder.

This is not unusual. Quite often a party (or brand owner) objects to on-line comments made under cover of a user name (such as @BrodiesTechBlog on twitter).   However, in order to go to Court against that user you need more than a username, you need the actual name and address of the poster.

How do you get that name and address?

Well, you could ask the hoster, i.e. the person who hosts the relevant forum (in the Giggs case Twitter), to disclose the name and address. However, most hosters won’t give up this information unless compelled to by a Court Order (because of the fear of breaching data protection law).

So you raise proceedings against the hoster to get that court order.   Typically the hoster won’t defend that action (in order to minimise costs).   (In fact yesterday the European boss of Twitter confirmed  that Twitter would comply with any court order to disclose personal details of users. )

In England these orders against hosters are known as Norwich Pharmacal orders (after the first case in which they were used).   Scotland provides for a largely parallel type of order.

My experience is that because the actions are not typically defended by the hoster you can get the order quite quickly/cheaply, and when presented with a Court order the hoster will cough up the information fairly quickly.

Of course all that legal work only gets you the name and address of the person you actually want to sue!  It also assumes that the information the hoster holds is complete and accurate (it’s pretty easy to set up a fake email address).

One final word of caution. Quite often suing an online “nutter” is much more trouble than it is worth because the nutter will: (i) become more determined/vitriolic; and (ii) use the fact that you are taking court action to paint you as a bully or having “something to hide”. To put it another way, when thinking about enforcing legal rights always remember the PR angle (something that certain footballers would be well advised to consider in the future).

As you’ll probably be aware, Wikileaks is the whistleblowing website that last week made available for download more than 250,000 confidential U.S. diplomatic cables. The cables contain correspondence between American embassies throughout the world and the U.S. State Department, and their contents are proving to be highly embarrassing for the U.S. Government and its allies.

Wikileaks founder Julian Assange has been placed on Interpol’s Most Wanted list (for “sex crimes” being investigated by the Swedish authorities, although the US government is also investigating if espionage laws were broken), and the Wikileaks website is under continuous heavy attack from unidentified and mysterious “internet hackers”.

These hackers are bombarding the site, or more accurately, the computer servers which hold or “host” its content, with “Distributed Denial of Service” (“DDoS”) attacks of unprecedented ferocity. (In DDoS attacks incoming messages flood the target system and force it to shut down, thereby denying service to the system to legitimate users).

In an attempt to defend itself, Wikileaks moved last week from smaller internet providers to a larger one whose servers would be more likely to withstand a DDoS assault. Wikileaks provider of choice was Amazon.com and its’ much-vaunted EC2 cloud computing system, which operates on vast banks of computers, meaning that network capacity can be quickly scaled up or down to meet surges in traffic. The tactic was working well for Wikileaks until Amazon.com decided on Thursday to kick them out.

In a blogpost, Amazon.com denied that it was acting under pressure from politicians, saying WikiLeaks had breached its terms by not owning the rights to the content it was publishing. (I imagine Amazon.com might also have been a bit nervous about potential liability for the illegally sourced cables.)

The wikileaks.org web address was then withdrawn from Wikileaks because its domain name service provider EveryDNS.net claimed that WikiLeaks had violated part of its Acceptable Use Policy, which requires members not to “interfere with another member’s use and enjoyment of the service or another entity’s use and enjoyment of similar services. WikiLeaks had interfered with other members’ service because, said EveryDNS, “wikileaks.org has become the target of multiple DDoS attacks. These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites.”

Wikileaks solution has been to move to Switzerland, with a new domain wikileaks.ch.  The domain name is registered by the Pirate Party of Switzerland, associated with an IP address in Sweden, and points to a web address in France (where the Wikileaks documents are actually believed to be hosted).  If wikileaks.ch is also withdrawn, Wikileaks has announced that content will still be accessible by bypassing the DNS look-up and typing in Wikileaks’ actual IP address: http://88.80.13.160/.

Over the weekend online payment service provider PayPal cut off the WikiLeaks account, eliminating one of the easiest means for donors to send money to the organisation. It’s simply impossible to tell what’s going to happen next!   The latest development is that Julian Assange is under arrest, having voluntarily reported to a police station in central London this morning.

Who said Tech Law was boring? Hopefully in the inevitable Hollywood dramatisation of the saga there will at least be a cheeky cameo of yours truly writing this blog.

For those that are not a fan of the BBC’s Top Gear programme, The Stig is the show’s “tamed racing driver” – known only by his white overalls and white helmet (which he never removes). The BBC maintains that revealing his identity would “spoil viewers’ enjoyment of the show.”

What’s the issue?
At play here is a conflict between the contractual obligation of confidence given by the Mr X in his contract with the BBC and Mr X’s attempt to cash in on the fame of the character that he plays. Top Gear and The Stig are very lucrative for the BBC, but newspaper reports suggest that Mr X does not do as well out of this as his fellow presenters.

However, an autobiography about being The Stig is likely to be hugely successful.

Psuedonyms and trade marks
Interestingly, there is no (legal) reason why The Stig could not publish his autobiography under a pseudonym. Section 77 of the Copyright, Designs and Patents Act 1998 specifically provides that moral rights (the right of an author to be named every time a work is published) can be asserted using a pseudonym. However, “The Stig” is a registered trade mark of the BBC, and therefore any attempt to publish an unauthorised book under that pseudonym would infringe that trade mark.

So Mr X is rather stuck. Contractually, he cannot publish his autobiography under his real name, and trade mark law is likely to prevent him from publishing his autobiography under his on-screen alter ego.

This may seem unfair, but The Stig brand is owned by the BBC, and Mr X is contracted to the BBC to play that role under a condition of anonymity. The BBC is therefore simply doing what any brand owner would do to prevent third parties from cashing in on, or damaging, its brand.

So what next?
It will be interesting to see how the battle between the BBC and HarperCollins pans out. A Google News search shows plenty of newspapers revealing Mr X’s suspected identity, and HarperCollins’ argument is that his identity is now no longer confidential. Whilst this might make a common law obligation of confidence no longer enforceable, it may not be as simple as that for a contractual obligation.

I see that the case has been adjourned for a week. I expect that those discussions will lead to the autobiography being published under the pseudonym of “The Stig” (with the BBC getting a cut of the royalties) or Mr X being allowed to publish his autobiography under his own name, but on the condition that (as with Mr X’s predecessor, The Black Stig) he leaves the show and is replaced by a new Stig.

Anyone want to have a guess at what colour he will be?

As the data controller, it will be your responsibility (under the Data Protection Act) to ensure that the data is securely destroyed – even if the kit on which it is stored belongs to a contractor. If data is not properly destroyed, then there is a risk that it could be used to help perpetrate fraud or identity theft, or allow competitors to access your confidential information.

We’ve all read stories about hard drives full of confidential information ending up on eBay. As the volume of data held on servers increases, the more important it is to ensure that the data in question is destroyed when the kit or media upon which it is stored is no longer required.

However, there are two competing industries. On the one hand, plenty of legitimate businesses specialise in recovering apparently lost, corrupt or deleted data – whether it is for the purpose of forensic investigations or for disaster recovery purposes. On the other hand, another sector is trying to help people permanently destroy that data. The techniques used by the data recovery experts show that erasing (or even erasing and re-writing) is not sufficient to stop that data being recovered.

Here are some things to consider:

• Firstly, develop and adopt (and follow) a policy setting out your organisation’s requirements in respect of the destruction of data. This is likely to involve adopting relevant British and international standards and certifications.
• The safest thing (in terms of data security, if not avoiding trips to A&E) to do is to remove all drives from your hardware before you dispose of that hardware (replacement drives are cheap). But then what do you do? You could shred the drive (making sure that it is destroyed such that it cannot be reconstituted) or have it degaussed. For CDs and DVDs, as any student will tell you, it is fairly easy to melt them into oblivion.
• If you do not wish to remove a drive from the hardware before disposal or do not wish to destroy it (or any other magnetic media), you could adopt a recognised erase/re-write standard – for example, the US Department of Defense standard.
• If you are dealing with a contractor, you should ensure that your contract specifies what the contractor should (and should not!) do. Consider whether the contractor should be responsible for disposal or destruction of media and drives, or whether these should be done under your control.
• Finally, ensure that your contract with your contractor includes appropriate provisions dealing with liability for a failure to follow those procedures, and rights to terminate the contract.

To date, the majority of apps that have been developed are consumer facing. However, Clayton reckons that there is a market for developing apps that employees of an organisation can use. Given the relatively easy programming platform, it should be fairly straight forward to develop custom apps that can provide employees with an interface to back office systems – whether to view real-time data or to help automate some of the tasks that employees might wish to do on the fly.

Mobile apps already exist for some off-the-shelf enterprise systems. Through its alliance partner programme. Blackberry offers a number of these types of applications which provide mobile connectivity to standard software packages for things like time recording, digital dictation and document management systems.

However, the new SDKs for Blackberry, iPhone and Android should make it easy for individual organisations to develop their own custom apps that reflect the tasks that their employees perform on a day to day basis. One example might be an app for board members which gives real-time access to sales figures. Another example might be an app which allows employees to carry out tasks which would traditionally require a laptop to access and submit data.

The advantages of developing custom apps for the organisation’s chosen smartphone are obvious. Application development costs should be reasonably low. There are low deployment costs as the device is already in the pocket of most members of staff (or can replace their existing mobile device). It can be accessed anytime, any place – no need for a bulky laptop and power supply. Hosting an app on the client, rather than the server, lowers the amount of data traffic without any impact on functionality, as you only need to transfer the live data, not the application itself (cf with “The Future” ten years ago, when thin clients were seen as the way forward). The combination of 2G/3G and wifi connectivity means that a data link is usually always available (and when it’s not, data can be cached locally and then synchronised), and GPS/location based functionality adds another level of functionality. All these things can help improve productivity, efficiency and the service offered to customers. What might app could might you benefit from?

Of course, all this mobile access does give rise to increased risks.

I’ve blogged before about the security (or lack thereof) of personal mobile devices. Providing a direct link to back-end systems giving access to confidential data and (potentially) personal data raises a number of informations security and data protection issues. In particular, organisations developing and deploying such apps will want to ensure that the devices (and the data link) are encrypted, that a VPN is used to protect the link into the back-end systems, and that additional verification is considered when accessing the app itself. Any app that gives access to customer lists or customer information will need to be considered against the organisation’s obligations under the Data Protection Act. This also requires a health-check of the organisation’s internal acceptable use policies to ensure that employees are also doing everything that they should be to avoid unnecessary security risks.

*Sorry – no Schwarzenegger puns today.

However, one thing that rarely gets mentioned is the plethora of data that each of us now carry, or have access to, through mobile devices, such as mobile phones and PDAs. Whilst (the lack of) encryption of mobile devices used by the public and private sector is becoming an almost daily news event, how often do you hear about protection of personal, non-work, mobile devices, which are almost always unprotected?

You may think that there isn’t really anything to protect here. But consider this. If you have an iPhone, iPod Touch, Blackberry or other “smart” device offering access to the Internet, it’s likely that you can access your email account, social networking account, contacts and other personal information without needing to enter a password – you simply load up the relevant app and will be logged straight in. The Internet browser may also have saved website passwords. As the app market matures, it is likely that banks will start offering Internet banking apps that allow you to access your personal bank account through your iPhone or Blackberry. We may also see apps allowing access to NHS and other sensitive records and services. The “Internet in your pocket” isn’t just marketing fluff.

But what happens if your device is lost or stolen? As well as the inconvenience of losing your device (and any data on it that hasn’t been backed up) and people spamming in your name, you will probably need to reset all the passwords for your email and other accounts. There’s also a reasonable risk of identity theft in one way or another – whether it be people hijacking your email account, attempting to access your bank or credit card account, or buying things through Amazon with your saved credit card details. If you have been negligent in protecting your account (or card number), it is likely that a bank would take a dim view of any loss suffered – have a look at your online banking ts and cs. Other organisations are likely to take the same view.

Most devices tend not to come with their security features activated. One of the easiest things to do to reduce this risk is to regularly back-up your device and activate the main password protection function on the device. It’s a fairly simple step, but it is amazing how many people don’t use it. On the iPhone and iPod Touch, you can also set the device to erase all data on it after ten failed password attempts.

Whilst this protection may not stop a determined hacker with time and specialist software at his disposal, it may stop the average phone thief from easy access to your data.

The judgement came in the context of a messy divorce between the super rich.  So I have to be careful what I say here in terms of libel law!

The wife’s family obtained files and emails from the  computer used by the husband. In order to do so they used  an IT expert to bypass the husband’s password protection.

The judgement was simple and unsurprising : the wife’s family shouldn’t have done it; they had to return all the files and emails, and they couldn’t use them in the divorce proceedings.

From a legal standpoint the interesting thing was that the judge said in passing that any files on a  computer that are password protected are presumed to be “confidential information”.

You are probably thinking “so what?”.  Well in terms of the various case laws  information is not protected by confidentiality law unless it has “the necessary quality of confidence”.

There is a lot of case law about when information has the “necessary quality of confidence”.  So for example if I tell you something in the pub does that have the “necessary quality of confidence”?   Probably not (unless I tell you its confidential).  However, if I tell you something in the context of a business negotiation then it probably does meet the “necessary quality of confidence” test (unless I tell you its not confidential).

Got it? Good.

So this case makes it fairly certain that password protected computer files and  emails that are password protected, or that are stored on a computer where the computer in password protected,  have the necessary quality of confidence.

 Douglas