The fact that a bank is signing up to Google Enterprise Apps for email and other collaboration services could be taken as a considerable endorsement – banks are, by nature, very security-centric: they have to ensure that they comply with strict information security and regulatory requirements. On this basis banks normally use their own servers to store and share data.

This is what makes the BBVA / Google deal so surprising. BBVA’s data will be stored on one of Google’s public servers, rather than on a private servers. BBVA will initially only use Google Apps for “internal communications” (with customer data and systems continuing to be hosted only in BBVA’s dedicated data centres), but it is assumed that over time BBVA may move more and more data to the cloud.

While I suspect that BBVA may have agreed a tailored solution and not signed up to Google’s Enterprise’s general terms and conditions, the standard Google Enterprise offering (as opposed to the free to use standard version) is rather attractive for businesses considering moving to the cloud, and in particular, using a cloud solution for data sharing and storage, such as Google Apps.

How safe is it to store data using Google Apps?
When storing data to an external server you have to make sure the data will be secure.

From an information security perspective Google Apps for Business has pretty good security credentials, so much so, that some of the US Government Departments use it. Google Apps is actually FISMA certified as being a secure way to store and share data. Google has also obtained an SSAE 16 Type II report (an independent audit) confirming that Google Docs actually adheres to the security controls it has in place and that these systems are operating effectively. The SSAE 16 report may give potential customers reassurance in relation to the effectiveness of Google’s security measures.

The other key information security concern for organisations is compliance with data protection rules and the security of personal data. Google Apps is currently hosted in the US and Europe, but Google Inc is a member of the US Safe Harbor Scheme. This is a US Federal Trade Commission scheme that allows US companies to certify compliance with a set of rules approved by the European Commission as being equivalent to the requirements of the EU Data Protection Directive.

This is important for organisations subject to EU data protection controls, as a transfer to an organisation that meets the Safe Harbor requirements allows the organisation to comply with the eighth data protection principle (which restricts transfers of data outside the EEA) without the need for putting in place model form contracts or making a finding of adequacy. This will give considerable comfort to users of Google Apps in relation to the any personal information that they store in the cloud.

However, potential customers should still be aware that Google may be obliged, under the Patriot Act, to disclose information stored in Google Apps to the US authorities.

How do other cloud services compare?
The fact that BBVA is using the Google Apps should not be taken as a green light for companies to store confidential, commercially sensitive or personal data on a similar cloud-computing solution. Google Apps is unique in terms of the FISMA and Safe Harbor accreditation and a number of cloud storage alternatives, such as Dropbox, simply don’t compare.

Dropbox – Information security risks
Dropbox and similar cloud-drive services are becoming an increasingly popular option for storing and sharing large files and for accessing documents from multiple devices. But, looking at the Dropbox terms and conditions, it appears to pose a number of potential information security risks which users may be overlooking.

Storing information
Firstly, Dropbox doesn’t have the greatest reputation as far as security is concerned.

Putting hacking to one side, there is a lack of certainty over what happens to your data once you remove it from the system. Normally, when you are storing confidential information on a third party’s system you want the comfort that at your request all of the confidential information is permanently deleted from the system. However, the Dropbox terms and conditions state that they are ‘likely’ to continue to hold the information on their back-up systems once you have deleted the data.

Releasing information
Another key concern is how readily Dropbox will share your data (confidential, personal or otherwise) with third parties. While there is a general obligation to release information when ordered to do so by a court order, Dropbox will seemingly release your files rather readily. In comparison, Google will inform you of the request and give you the opportunity to object.

Lack of independent certifications
Most importantly for potential customers within Europe, Dropbox states that it does not have Safe Harbor certification, nor is it able to provide a SAS 70 or SSAE 16 report in respect of its information security measures. This causes problems from a data protection perspective, and also means that their is no independent verification of the controls that Dropbox claims to have put in place.

The moral of the story is that you should carefully consider what data you are uploading to a data sharing  cloud – particularly if it is commercially sensitive or personal information – and, as boring as it is, read the site’s terms and conditions and carry out some due diligence on how your information will be protected.

I’m therefore not entirely familiar with the concept of Microsoft Windows recovery CDs, but it seems that they are for use when your Windows, er, closes. That is, you use the recovery CD to load back up the Windows operating system if your PC or laptop crashes.

All Windows PCs and laptops used to come packaged with a recovery CD. However that practice stopped in 2008, with customers being encouraged to create their own CDs. Not all customers found this arrangement convenient however, or didn’t think about making a recovery CD until after their PC had crashed and it was too late.

Comet therefore decided to help out by manufacturing around 94,000 of the recovery CDs somewhere in a field (factory) in Hampshire.  Comet sold these CDs and generated an estimated profit of over £1m.

Microsoft’s claim
Microsoft has taken a dim view of Comet’s actions, and has decided to sue for the manufacture and sale of what it calls “counterfeit CDs”.

Comet claim that it has not infringed Microsoft’s IP. It will be interesting to see what defences it offers.

On the one hand, each copy of Windows is still only licensed for a single user. Under section 50A(1) of the Copyright, Designs and Patents Act 1988 it’s not an infringement of copyright for a “lawful user” of a copy of a computer program to make any back-up copy of it, which is necessary for it to have for the purpose of its lawful use.

On the other hand Comet isn’t the “lawful user” (the customer is), and the £14.99 they were charging looks fairly steep for simply burning a CD to help out a customer. Given that the CDs were made by Comet in advance (probably before the customer had even bought their new computer), it’s difficult to see how Comet could argue that it was acting as an agent or on the instructions of the lawful user in making the back-up CD.

Microsoft’s loss?

Under the Copyright, Designs and Patents Act 1988, if Microsoft’s claim is successful it will entitled to damages for the infringement. 

It may however difficult to quantify what loss Microsoft has suffered. Whilst apparently excessive for the the few seconds that it would take to burn a CD, the £14.99 perhaps represents the price consumers are willing to pay for someone to do the techie stuff for them. Microsoft has not lost any sales (and as far as I’m aware was not offering this service itself).

That said, this ”counterfeit CDs” action is likely to do little for the “recovery” of the precarious finances of the Comet group.

Why is this significant?
In many instances, the data controller will be a company, body corporate or other body (for example, a public authority). However, where an individual acts as a sole trader, or trades/carries out processing in an individual capacity (for example, an MP, barrister, or an accountant trading as a sole practioner), that individual will be the data controller.

This means that it is the individual that is responsible for the processing that he carries out (or that his employees or contractors may carry out on his behalf), and therefore that the individual is therefore also personally liable for any breach of data protection laws. Scary stuff.

What happened in the latest case?
The latest undertaking has been given by an advocate (the Scottish equivalent of a barrister), whose unencrypted laptop was stolen from her house whilst she was on holiday in September 2009.

As I noted in my blog on the Oliver Letwin incident, the Data Protection Act requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

The circumstances surrounding the theft are largely academic (the advocate had tradesmen in the house whilst she was away, but it’s not clear when or how the theft took place). What is important is that the laptop, which contained details of various cases that she was working on, was not encrypted. In particular, not withstanding that the theft took place, the ICO appears to be satisfied with the physical security measures that the advocate had in place. However, the failure to put in place adequate security measures in respect of the latop itself have led to the advocate being required to give a personal undertaking. A breach of an undertaking could lead to a fine, or an enforcement notice and ultimately prosecution.

What does the ICO require in respect of security measures?
It’s worth recounting the key parts of the undertaking in full, to re-emphasis what the ICO expects data controllers to be doing in relation to device encryption and security:

• Portable and mobile devices including laptops and other portable media used to store and transmit
  personal data, the loss of which could cause damage or distress to individuals, are encrypted by 31 December 2011;
• If personal data is to be stored overnight, other than securely within the data controller’s place of work, it shall be kept in a secure, locked storage place;
• The data controller shall subscribe to any information security policies and procedures as and when they are implemented by the Faculty of Advocates or her stable [Scottish equivalent of a set of Chambers], and take all appropriate steps to comply with these at all times;
• The data controller shall implement such other security measures as she deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.

I suspect that many individuals who act as data controllers have, to date, generally taken a laxer approach to information security than bodies corporate and public bodies (where information security is a key reputational issue). This undertaking (and yesterday’s undertaking from Oliver Letwin) highlight that there is no difference in the standard that the ICO expects. In instances where individual data controllers are processing personal data (as an advocate, barrister, MP or sole trader will do), it is essential that appropriate steps are taken to ensure that data is kept secure.

An 8.05am flight from Edinburgh Airport on Friday morning saw my contentious IP colleague Iain Rutherford and me arrive in Bath in time for morning registration. I had hoped for the chance to jump straight into the hotel spa, but instead we jumped straight into The Law!

This year’s conference sought to address the relationship between technology and legal risk, and while an in-depth summary of the topics, the speakers and their views might be in danger of breaching the Chatham House Rule, I think it’s safe to mention the excellent after-dinner speaker, John Naughton, Professor of the Public Understanding of Technology at the Open University.

Prof. Naughton discussed the dystopian accounts of technology forecasted in both Orwell’s 1984  and Huxley’s Brave New World, and concluded that we are in danger of being simultaneously “oppressed by the things we hate” (as predicted by Orwell) and “oppressed by the things we love” (as predicted by Huxley).

Prof. Naughton implored the attendees to think about using their influence in order to ensure that technology is adequately legally regulated in order to protect the freedom and privacy of individuals.  Reflections were admittedly hard to come by in the spa’s jacuzzi, but I think that the notion that freedom and privacy are in danger is an unsettling one.   

1984 is one of my favourite ever novels, and I have yet to encounter another book which has a scene more spine-tingling than when the painting falls off the wall to reveal the telescreen.  Let’s hope that ourselves, or generations to come, never actually experience anything like that.

ACS: Law, led by solicitor Andrew Crossley, was conducting a widespread speculative invoicing campaign which involved accusing thousands of people of illegal file sharing and charging fines (which Douglas discussed a few months ago).  However, the scheme came unstuck when “hacktivism” group Anonymous took umbrage with Mr Crossley’s tactics and launched a “denial of service” attack.   The attack made the ACS: Law website “collapse”, revealing details of individuals accused of illicit filesharing which had previously been hidden from unauthorised access.

Reports of the incident have suggested that the breach was aggravated because it revealed details of illegally downloaded pornographic films, meaning that not just any old personal data was disclosed, but “sensitive personal data” as defined under the Data Protection Act 1998, pertaining to individuals’ sexual lives.

Of course, as all diligent data protection lawyers know, details of the commission (or alleged commission) of any offence already constitutes “sensitive personal data” under the DPA. So I’m not really sure why the “midnight movies” needed to be mentioned at all. It wouldn’t be just to make an article about data protection seem a wee bit saucier, would it?

Information Commissioner Christopher Graham said that the severity of the breach would have warranted a fine of £200,000, but he believed that Mr Crossley was not in a position to pay. (The ICO does not have the power to audit people’s accounts, but instead obtained a sworn statement from Andrew Crossley on the state of his finances.)

Privacy campaigners are now concerned that the decision introduces a loophole for companies wishing to evade ICO monetary penalties. I’m not convinced. Surely pretending to be bankrupt is even worse for your reputation that failing to protect personal data?

As you may be aware, a penalty of up to £500,000 can now be levied by the ICO when one of the eight principles of the DPA have been seriously breached.  A penalty is only applicable if the ICO is convinced that the breach was deliberate or that the data controller knew, or ought to have known, of the contravention risk, and that the contravention would be likely to cause substantial damage or substantial distress and that the controller failed to take action to stop it.

The Information Commissioner indicated yesterday that the ICO enforcement team and the non-executive directors of the ICO assist him in calculating an appropriate penalty, and regard is paid not just to the circumstances of the contravention, but also the nature and size of the contravening organisation.

It was also stated that the ICO does not wish to cripple provision of public services by issuing huge penalties to councils, or to compound breaches of data security by putting private data controllers out of business. Rather, the intention of the penalties is to encourage responsible processing of personal data.

With that aim in mind, if an organisation asks the ICO for an audit, the organisation won’t get a civil monetary penalty if a shortcoming in good practice is discovered.  Instead, it will be provided with a plan to amend any shortcomings, and an agreed timetable within which to make the amendments.

In the event that an organisation is charged with a penalty for a contravention of the DPA, it will also be given advance warning, and asked to provide reasons as to why the penalty should be lowered.

The Commissioner acknowledged that there had been criticism of the decision to levy a “small” £60,000 fine against A4e Limited for not encrypting sensitive data on an laptop that was subsequently stolen.

However, he said that the fine was part of a calibration process in which the maximum £500,000 fine would be reserved for only the most serious contraventions. Although the Information Commissioner didn’t elaborate further, it sounds like that the plan is to reserve the £500,000 penalty in order to maximise the media coverage/adverse reputational impact of the contravention which eventually gives rise to the maximum penalty being applied.

Given that some parties feel that the £500,000 cap on the penalty is actually too low, keeping the maximum penalty under wraps in order to maximise its eventual impact may prove to be a very clever strategy.

Here is an mp3 extract of “my” bit of the show.

Douglas on Radio Scotland 14 December 2010 (extract)

If you think you have been the victim of idenity theft then go to the CIFAS web site at: http://www.cifas.org.uk/ for some practical advice and in order to put your accounts on to “high alert”.

As you’ll probably be aware, Wikileaks is the whistleblowing website that last week made available for download more than 250,000 confidential U.S. diplomatic cables. The cables contain correspondence between American embassies throughout the world and the U.S. State Department, and their contents are proving to be highly embarrassing for the U.S. Government and its allies.

Wikileaks founder Julian Assange has been placed on Interpol’s Most Wanted list (for “sex crimes” being investigated by the Swedish authorities, although the US government is also investigating if espionage laws were broken), and the Wikileaks website is under continuous heavy attack from unidentified and mysterious “internet hackers”.

These hackers are bombarding the site, or more accurately, the computer servers which hold or “host” its content, with “Distributed Denial of Service” (“DDoS”) attacks of unprecedented ferocity. (In DDoS attacks incoming messages flood the target system and force it to shut down, thereby denying service to the system to legitimate users).

In an attempt to defend itself, Wikileaks moved last week from smaller internet providers to a larger one whose servers would be more likely to withstand a DDoS assault. Wikileaks provider of choice was Amazon.com and its’ much-vaunted EC2 cloud computing system, which operates on vast banks of computers, meaning that network capacity can be quickly scaled up or down to meet surges in traffic. The tactic was working well for Wikileaks until Amazon.com decided on Thursday to kick them out.

In a blogpost, Amazon.com denied that it was acting under pressure from politicians, saying WikiLeaks had breached its terms by not owning the rights to the content it was publishing. (I imagine Amazon.com might also have been a bit nervous about potential liability for the illegally sourced cables.)

The wikileaks.org web address was then withdrawn from Wikileaks because its domain name service provider EveryDNS.net claimed that WikiLeaks had violated part of its Acceptable Use Policy, which requires members not to “interfere with another member’s use and enjoyment of the service or another entity’s use and enjoyment of similar services. WikiLeaks had interfered with other members’ service because, said EveryDNS, “wikileaks.org has become the target of multiple DDoS attacks. These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites.”

Wikileaks solution has been to move to Switzerland, with a new domain wikileaks.ch.  The domain name is registered by the Pirate Party of Switzerland, associated with an IP address in Sweden, and points to a web address in France (where the Wikileaks documents are actually believed to be hosted).  If wikileaks.ch is also withdrawn, Wikileaks has announced that content will still be accessible by bypassing the DNS look-up and typing in Wikileaks’ actual IP address: http://88.80.13.160/.

Over the weekend online payment service provider PayPal cut off the WikiLeaks account, eliminating one of the easiest means for donors to send money to the organisation. It’s simply impossible to tell what’s going to happen next!   The latest development is that Julian Assange is under arrest, having voluntarily reported to a police station in central London this morning.

Who said Tech Law was boring? Hopefully in the inevitable Hollywood dramatisation of the saga there will at least be a cheeky cameo of yours truly writing this blog.

A lot has been going on in the world of technology in my absence – for example, boffins have invented a camera which can take pictures around walls (sort of).

However I’d like to discuss the most recent scandal concerning Google’s much-maligned Street View. A lot of people were unhappy last year when Google sent cars around the UK to capture street images which were then published on the internet. However it has gradually emerged that the Google cars were doing more than simply carrying out street-level photography. German authorities discovered that the cars were also gathering information about the location of unencrypted WiFi “hotspots”. And then the Canadian Privacy Commissioner learned that during this exercise Google had “mistakenly” collected payload data , or, in plainer English, mistakenly collected the actual information being sent on WiFi networks, including emails, URLs and passwords.

It remains unclear, even from a third-party audit why code designed to collect WiFi data transmissions got incorporated into a WiFi hotspot logging program.

Google apologised, and deleted the data, and throughout the summer it was speculated that Google might be the first company to be fined under the Information Commissioner’s new powers to impose monetary penalties on data controllers for breaches of the Data Protection Act. In July the Information Commissioner said that he did not think that the data captured by Google included significant amounts of personal data, nor was there any evidence that the data capture caused, or would cause, detriment to any individual. In August the Commissioner then said that if any law had actually been broken then it was probably not the Data Protection Act, but possibly the Regulation of Investigatory Powers Act, which governs the interception of communications, and is outwith the Information Commissioner’s ambit. And finallylast week the Information Commissioner released a press release, announcing that Google had signed a commitment to improve data handling to ensure breaches like the collection of WiFi payload data by Google Street View cars would not occur again.

This signed commitment appears to be the extent of Google’s censure, and this may initially seem surprising, especially if you consider that individuals have been fined and/or imprisoned for accessing unencrypted WiFi networks without permission. However, I think the difference is the intent. Google didn’t mean to intercept and/or collect the data, and it has also destroyed it. The Metropolitan Police did investigate a possible breach of the Regulation of Investigatory Powers Act, but closed their case, believing that criminal charges were not appropriate.

I think the situation is arguably comparable to a refuse collector gathering personal data because they have collected a bin. The refuse collector isn’t deliberately gathering the data, and it’s only being collected because it hasn’t been treated with enough care. While using an unencrypted WiFi network isn’t directly comparable to throwing your personal data in the bin for anybody to find, it’s not as different as you may think! And by leaving your network unsecured you may also be in breach of your contract with your ISP! And so on.

It’s nice to be back!

The BlackBerry began as a business device, so it has security ‘baked in’, with end-to-end message encryption, and the ability to encrypt the actual hard drive of the device (which we do).  Having said that, the data travels through RIM’s infrastructure (albeit in encrypted form), which caused the United Arab Emirates to moot the restriction of the device because the data goes offshore as a result, and the Indian government to threaten a ban unless their security forces can access encrypted content.  However, RIM point to their security chops with a long list of certifications and the fact that it has “been approved for the wireless transmission of sensitive data, up to ‘restricted’ classification, by both NATO and the UK government.”.  Perhaps the ultimate accolade though, is that apparently the BlackBerry is the device of choice for criminals as it is so difficult for the police to intercept or recover any data from it

So how does the iPhone stack up on security by comparison?  Well, we recently saw that government ministers and civil servants have been denied iPhones, with CESG deeming them not secure enough.  It is possible to secure the iPhone using third party products (there’s an app for that), but it’s fair to say Apple are playing catch-up in this area, which is unsurprising given their initial consumer focus.  While the usability, design and sheer fun of an iPhone will appeal to many business users, there’s also the thorny question of the Apps.  Most Enterprise Smartphones will be locked down to prevent users downloading applications since they may contain malware or viruses, yet it’s arguable that the whole point of the iPhone is the Apps ecosystem around it.  So if you offer the iPhone to staff and allow them to download apps you’re letting your security guard down, but if you deny them the apps then you’re taking away its USP.  Additionally, many organisations block iTunes due to concerns over piracy, illegal downloads, storage overhead etc., but you need it to download iPhone updates.  So if you allow iTunes, do you then allow staff to hold their music collection on their PC?  What happens when the iPhone dies or they leave the organisation (or vice versa), are you responsible for backing up and restoring their music collection?  Echoes of Martin’s post on the importance of back-ups here. 

So, who’s winning the war?  Well RIM aren’t giving up without a fight and are pushing new touchscreen devices and their own app store, while Apple are working on security to lure the business user.  Give it a couple of years and there may not be much to choose between them.  In the meantime though, the BlackBerry would appear to be the weapon of choice for the more paranoid email junkie, while the iPhone reigns supreme in terms of usability and multimedia.  Though whether you agree with that will probably depend on which device you pray to every 5 minutes…