Archive for December, 2010

Data protection – made Crystal clear for Christmas

I was listening to the excellent A Christmas Gift For You from Phil Spector at the weekend, and one line in The Crystals’ cover of Santa Claus is Coming To Town caught my attention:

He’s making a list and checkin’ it twice
He’s gonna find out who’s naughty and nice

That to me sounds like processing of personal data.

Place of establishment
First things first.

Now I have always understood that Santa Claus lives in Lapland (that’s where I sent my letters, and I always got a nice reply), rather than the potential tax-haven of the North Pole. Lapland is an area covering Finland and Sweden, both of which are EU member states. Under EU data protection law, the test for which member state’s data protection regime applies is the place of establishment of the data controller – not the location of the data subject.

Accordingly, it looks like Santa will be subject to either Finnish or Swedish data protection laws in respect of any processing of data relating to children in the European Union.

I tried to see whether Santa had made a notification to either the Swedish Data Inspektionen or the Finnish Data Ombudsmannes, but unfortunately my Swedish and Finnish have failed me.

Has consent been obtained?
Having established that Santa is a data controller, any processing must be in accordance with the EU Data Protection Directive (as implemented into Swedish/Finnish law). Santa should of course be setting all this out in his fair processing notice and making children aware of this before they send in their letters.

Whilst consent to processing for the purposes of delivering presents can probably be implied from a child sending in his or her Santa letter, I am not sure that this would cover the further processing that Santa might carry out to “find out” if the child has been “naughty and nice”. For example, requesting character references from the child’s parents.

In particular, if Santa is planning on carrying out criminal record checks to establish “naughtiness”, then unless Santa can argue that he exists for philosophical purposes (and therefore falls within Article 8(d) of the Directive) the data subject’s express consent will be required as this will involve the processing of sensitive personal data.

Santa should further note that “if you ask a child to provide personal information you need consent from a parent or guardian, unless it is reasonable to believe the child clearly understands what is involved and they are capable of making an informed decision.”

Covert monitoring
Listening further, it appears to be suggested that Santa has an all seeing eye – which must mean some form of covert monitoring:

He sees you when you’re sleeping
He knows when you’re awake
He knows if you’ve been bad or good
So be good for goodness sake!

It’s not clear how this is done (CCTV? Telephone tapping? Private investigator (maybe an elf)? Some form of Spooks-style computer system?), but again Santa should ensure that he gives fair notice of this monitoring, and the reasons for which the monitoring is taking place (“…to ensure that only good children receive presents from Santa”). Otherwise he risks breaching his obligations as data controller.

Perhaps he is relying upon the nation’s retailers to publicise that fair processing notice through playing Christmas songs on loop from early October onwards?

Compliance with the fourth data protection principle
Whilst there may be some issues over whether or not Santa has properly obtained consent to processing, I note that Santa is careful to comply with the fourth data protection principle (“Personal data shall be accurate and, where necessary, kept up to date”) by ensuring that he checks his list not just once, but twice. This should help to avoid any mistakes in the accuracy of his list of naughty children.

And finally..
If you haven’t been naughty but you still don’t get any presents on 25 December, then you may wish to make a subject access request to Santa so that you can see what information he holds about you. If the information is incorrect, then you can require Santa to fix it. Whilst this might not help for this Christmas, it should help ensure that your record is correct in time for next Christmas.

Merry Christmas!

Identity Theft – Douglas on Radio Scotland

Last week I was asked on to the Fred MacAulay show on Radio Scotland to talk about identity theft.

Here is an mp3 extract of “my” bit of the show.

Douglas on Radio Scotland 14 December 2010 (extract)

If you think you have been the victim of identity theft then go to the CIFAS web site for some practical advice and in order to put your accounts on to “high alert”.

Cyber War! (Wikileaks update)

Last week I wrote a relatively informal summary of the Wikileaks story which focused on the chain of events rather than the law surrounding them. The pace of events has slowed (slightly) this week, and it’s a good time to examine how the law applies to some of the events.

The U.S. Government is claiming that Assange will be indicted and face trial for disseminating confidential information, possibly in contravention of the U.S. Espionage Act, or under “conspiracy or trafficking in stolen property”. However, sabre-rattling aside, federal prosecutors may find it difficult to actually identify a legal basis upon which to pursue Assange. Charges of violation of the Espionage Act aren’t always successful in these circumstances – see for example the famous “Pentagon Papers” case of 1972 involving the New York Times.

From a UK law perspective, the most immediately relevant aspect of the Wikileaks saga is the Distributed Denial of Service (“DDoS”) attacks. As I briefly mentioned last week, while the means, motives, and targets of a DDoS attack vary, they generally consist of concerted efforts by a person or persons to prevent an internet site or service from functioning efficiently, temporarily or indefinitely. The Wikileaks websites are experiencing very high levels of DDoS attacks from unknown sources, and supporters of Wikileaks have retaliated by attacking sites such as, and today, the Swedish Prosecution Authority’s site. Governments and corporations across the world are now preparing for what the tabloids are referring to as “cyber war”!

Beyond the sensational soundbites, DDoS attacks are clearly illegal in a lot of jurisdictions. In the UK, the Police and Justice Act 2006 updated the Computer Misuse Act 1990, in order to make it a criminal offence to carry out “any unauthorised act in relation to a computer” where the person “has the requisite intent and the requisite knowledge” to carry out the act. The requisite intent is to carry out the act by: (i) impairing the operation of any computer; (ii) preventing or hindering access to any program or data held in any computer; or (iii) impairing the operation of any program or the readability of any data. The intent need not be directed at any particular computer or any particular program or data, and the wording is wide enough that paying someone else to launch an attack will still be a crime, with a maximum penalty of 10 years in prison. The U.S. has similar laws in place, and a man was jailed last year for instigating DDoS attacks against Scientology websites. What will happen next is anybody’s guess.

Sweden’s move to have Assange detained in the United Kingdom for now, on whatever charge, provides time for a case to be fashioned against him. In light of the Wikileaks affair, and the likely high-profile casualties of the “cyber war” in the weeks to come, the pressure to charge Assange is only going to become more intense. Watch this (cyber)space!

British Standard on web accessibility finally published

Regular Techblog readers may remember my post back in May on the latest consultation by the British Standards Institute on BS 8878, the proposed British Standard on web accessibility. Well, yesterday the final version of BS 8878 was published.

The new Standard
As I said back in May, BS 8878:2010 Web Accessibility. Code of Practice (to give it its Sunday title) is designed to assist organisations in understanding how to develop and commission accessible websites and web products (a generic term used to cover websites, apps and other things that utilise web-based technologies).

The Code of Practice does not seek to replace existing technical guidelines (such as the W3C‘s Web Content Accessibility Guidelines). Instead, it provides guidance and recommendations on good practice for senior management, procurement managers, those in charge of web policy within an organisation, and those people responsible for creating online content.

In particular, it provides guidance on things to consider when procuring web design services, or buying content management systems, from third parties.

Ancillary benefits
As well as helping organisations identify and overcome accessibility problems for people with disability (and helping them to comply with their legal obligations), following the guidance should also improve usability for elderly web users, as well as usability for customers in general (how often does a website not render properly on a mobile device? That’s usually down to poor usability design).

Interaction with the Equality Act
I also blogged recently about the new Equality Act, which has replaced the Disability Discrimination Act, and sets out the laws applying to the accessibility of websites offered by service providers. Whilst complying with BS 8878 will not necessarily automatically mean compliance with the Equality Act, if an organisation can show that it followed the best practice guidance contained in BS 8878, it is likely to assist in demonstrating to a court that the organisation has complied with its obligations to make reasonable adjustments.

BS 8878 can be downloaded from the British Standard Institute’s website. The cost is £100, with a discount available for charities. For an overview of what BS 8878 covers, you should soon be able to download a webinar run earlier today by the ICT and disability charity AbilityNet.


“Hollywood Hacking” is the trusty cinema cliche whereby a geek with a laptop hits lots of buttons on his keyboard very quickly, says “we’re in” (or something similarly breezy), and gains access to the military system/bank account of his choosing. While Hollywood Hacking is usually very silly and completely unrealistic, the current Wikileaks saga is actually happening right now, in real life, and there’s more than a touch of unbelievable Hollywood Hacking about the whole tale.

As you’ll probably be aware, Wikileaks is the whistleblowing website that last week made available for download more than 250,000 confidential U.S. diplomatic cables. The cables contain correspondence between American embassies throughout the world and the U.S. State Department, and their contents are proving to be highly embarrassing for the U.S. Government and its allies.

Wikileaks founder Julian Assange has been placed on Interpol’s Most Wanted list (for “sex crimes” being investigated by the Swedish authorities, although the US government is also investigating if espionage laws were broken), and the Wikileaks website is under continuous heavy attack from unidentified and mysterious “internet hackers”.

These hackers are bombarding the site, or more accurately, the computer servers which hold or “host” its content, with “Distributed Denial of Service” (“DDoS”) attacks of unprecedented ferocity. (In DDoS attacks, incoming messages flood the target system and force it to shut down, thereby denying the system’s service to legitimate users.)

In an attempt to defend itself, Wikileaks moved last week from smaller internet providers to a larger one whose servers would be more likely to withstand a DDoS assault. Wikileaks’ provider of choice was and its much-vaunted EC2 cloud computing system, which operates on vast banks of computers, meaning that network capacity can be quickly scaled up or down to meet surges in traffic. The tactic was working well for Wikileaks until decided on Thursday to kick them out.

In a blogpost, denied that it was acting under pressure from politicians, saying WikiLeaks had breached its terms by not owning the rights to the content it was publishing. (I imagine might also have been a bit nervous about potential liability for the illegally sourced cables.)

The web address was then withdrawn from Wikileaks because its domain name service provider claimed that WikiLeaks had violated part of its Acceptable Use Policy, which requires members not to “interfere with another member’s use and enjoyment of the service or another entity’s use and enjoyment of similar services”. WikiLeaks had interfered with other members’ service because, said EveryDNS, “ has become the target of multiple DDoS attacks. These attacks have, and future attacks would, threaten the stability of the infrastructure, which enables access to almost 500,000 other websites.”

Wikileaks’ solution has been to move to Switzerland, with a new domain  The domain name is registered by the Pirate Party of Switzerland, associated with an IP address in Sweden, and points to a web address in France (where the Wikileaks documents are actually believed to be hosted). If is also withdrawn, Wikileaks has announced that content will still be accessible by bypassing the DNS look-up and typing in Wikileaks’ actual IP address:

Over the weekend online payment service provider PayPal cut off the WikiLeaks account, eliminating one of the easiest means for donors to send money to the organisation. It’s simply impossible to tell what’s going to happen next! The latest development is that Julian Assange is under arrest, having voluntarily reported to a police station in central London this morning.

Who said Tech Law was boring? Hopefully in the inevitable Hollywood dramatisation of the saga there will at least be a cheeky cameo of yours truly writing this blog.

End of the Road for Google Street View Row

What better way to celebrate my return from 7 months on secondment than a post on the Brodies Tech Blog?

A lot has been going on in the world of technology in my absence – for example, boffins have invented a camera which can take pictures around walls (sort of).

However, I’d like to discuss the most recent scandal concerning Google’s much-maligned Street View. A lot of people were unhappy last year when Google sent cars around the UK to capture street images which were then published on the internet. However, it has gradually emerged that the Google cars were doing more than simply carrying out street-level photography. German authorities discovered that the cars were also gathering information about the location of unencrypted WiFi “hotspots”. And then the Canadian Privacy Commissioner learned that during this exercise Google had “mistakenly” collected payload data, or, in plainer English, mistakenly collected the actual information being sent on WiFi networks, including emails, URLs and passwords.

It remains unclear, even from a third-party audit, why code designed to collect WiFi data transmissions got incorporated into a WiFi hotspot logging program.

Google apologised, and deleted the data, and throughout the summer it was speculated that Google might be the first company to be fined under the Information Commissioner’s new powers to impose monetary penalties on data controllers for breaches of the Data Protection Act. In July the Information Commissioner said that he did not think that the data captured by Google included significant amounts of personal data, nor was there any evidence that the data capture caused, or would cause, detriment to any individual. In August the Commissioner then said that if any law had actually been broken then it was probably not the Data Protection Act, but possibly the Regulation of Investigatory Powers Act, which governs the interception of communications, and is outwith the Information Commissioner’s ambit. And finally, last week the Information Commissioner released a press release, announcing that Google had signed a commitment to improve data handling to ensure breaches like the collection of WiFi payload data by Google Street View cars would not occur again.

This signed commitment appears to be the extent of Google’s censure, and this may initially seem surprising, especially if you consider that individuals have been fined and/or imprisoned for accessing unencrypted WiFi networks without permission. However, I think the difference is the intent. Google didn’t mean to intercept and/or collect the data, and it has also destroyed it. The Metropolitan Police did investigate a possible breach of the Regulation of Investigatory Powers Act, but closed their case, believing that criminal charges were not appropriate.

I think the situation is arguably comparable to a refuse collector gathering personal data because they have collected a bin. The refuse collector isn’t deliberately gathering the data, and it’s only being collected because it hasn’t been treated with enough care. While using an unencrypted WiFi network isn’t directly comparable to throwing your personal data in the bin for anybody to find, it’s not as different as you may think! And by leaving your network unsecured you may also be in breach of your contract with your ISP! And so on.

It’s nice to be back!
