Tag Archives: privacy

No more Safe Harbour…or Harbor

European Court of Justice has ruled that transatlantic data sharing agreement is invalid. What does this mean for UK businesses that utilise US datacentres or Cloud services?

Advent IM Director Mike Gillespie, “There are issues arising from this ruling that require the urgent attention of UK businesses and they need to be aware of the legislative implications of how they plan to store and manage data”.

For some time now, hosting companies, system support and system management companies, contact centres and most recently cloud providers have been selling their services, some or all of which reside in the US, into the EU. These companies have consistently cited Safe Harbor as the assurance that EU citizen data would be afforded the commensurate level of protection that it would receive from an EU/EEA member state.

The inception of Safe Harbor predates the US Patriot Act, legislation which, many people feel, made a nonsense of Safe Harbor. This has been widely documented and discussed by Data Protection practitioners for some time now and, whilst there have been ongoing negotiations, the European Commission appears to have made little progress. Meanwhile, any EU Citizen data resident in US servers remained vulnerable to release to US authorities.

In one fell and rather final swoop, the Court removed the blanket approval for data transfers to the US. This now allows for individual national Data Protection Authorities (ICO in UK) to scrutinise any proposed transfers to ensure that transfers guarantee the rights to privacy and freedom from surveillance afforded each of us by the Charter.

Of course, one way to attempt to get round the issue could be by following the EU Model Clauses route, an option often deployed by organisations in the past wanting to transfer data to/allow data processing in non-EEA or other trustworthy countries, i.e. India. This option required the inclusion of a series of model clauses into contracts which effectively bind the Data Processor to abide by the principles of EU Data Protection. However, which takes precedence, contract law or the Patriot Act? Can a commercial contract ensure the privacy of EU Citizens’ personal data and guarantee it to be free from disclosure to US Authorities? This seems highly unlikely.

A further option could be implementing Binding Corporate Rules (BCRs) which are “designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA”. So far so good as this sounds just the ticket especially for multinational hosting providers and cloud computing providers?

However for BCRs to work, applicants must demonstrate that their BCRs “put in place adequate safeguards for protecting personal data throughout the organisation”.

How can any company hosting data inside the US offer this? In reality they probably cannot.

The truth is, EU Citizens’ data protection cannot be guaranteed once it’s transferred to the US. This has been acknowledged so finally that the EU Commission and member states’ Data Protection Authorities have an imperative to do something about it.

The fallout from the decision is yet to be felt but could be far reaching for some organisations. The ICO has been at pains to point out that the ruling does not mean there is an increase in threat to people’s personal data. However, companies will need to review how they ensure that data transferred to the US complies with legislation. Safe Harbor was not the only regulation available for transfers between the US and EU but it was the most widely used.

So what does this mean in the short term? Immediately, little will probably happen. The ICO are considering the judgement and will be issuing guidance in due course. A new Safe Harbor agreement is also currently being negotiated between the EU and US, and has been in negotiation for the last two years, following the Snowden revelations. Once various authorities have cogitated over the ruling we will then need to assess the full impact on organisations moving forward as more guidance is released. In the meantime, organisations transferring data to the US are recommended to review their current practices.

Issued: 08.10.15 | Ends | Ref: safeharbor-01-Advent -MG

NOTES TO EDITORS

About Advent IM

Advent IM is an independent specialist consultancy, focusing on holistic security management solutions for information, people and physical assets, across both the public and private sectors. Established in 2002, Advent IM is a centre of excellence for security services, promoting the benefits of best practice guidelines and standards and the need to address risk management to protect against potential threats.
From its offices in the Midlands and London, its Consultants work nationwide and are members of the CESG Listed Advisor Scheme (CLAS), Institute of Information Security Professionals (IISP), The Security Institute (SyI), Business Continuity Institute and British Computer Society.

Consultants are also Lead Auditors for the International standard for information security management (ISO 27001) and business continuity management (ISO 22301), Practitioners of PRINCE2, a recognised project management methodology widely used within the public sector, CISSP qualified and Home Office trained physical security assessors.

What is TOR?

An opinion piece post from Advent IM Consultant, Del Brazil

TOR is a freely downloadable service that assists in providing anonymity or improves privacy for users who wish to keep, among other things, their internet location secure. In essence it provides a defensive mechanism against traffic analysis and network surveillance, assists in protecting confidential business activities and relationships, and potentially assists in maintaining security. It can also be used to circumvent certain country restrictions such as the ‘Great Firewall of China.’

TOR operates through a series of virtual tunnels or a system of TOR relays (other TOR users) which facilitates the use of the TOR network. In essence, the more TOR relays (users) there are, the faster, more secure and more robust the TOR network is. TOR relays (users) can be either Middle Relays, Exit Relays or Bridges, each with a distinctive role to play in the TOR Network. A Middle Relay allows internet traffic to be passed onto the next relay, whilst the Exit Relay is the final relay before any internet traffic reaches its destination. A user operating as a Middle Relay will have their IP Address masked and hence be hidden from the rest of the internet but visible to the TOR Network. Any user/organisation conducting illegal or objectionable activities whilst operating as an Exit Relay may be answerable to policing agencies, complaints or copyright infringement notices etc. TOR Bridges are vital TOR relays that enable users to circumvent censorship software deployed by various countries, to ensure that information is freely available or distributed to all persons.

It was developed by the US Department of Defense and is still used today by the US Navy for open source intelligence gathering, whilst some journalists use it to contact whistle blowers. A few organisations use TOR to allow their workers to connect to their home website while they’re in a foreign country, without notifying everybody nearby that they’re working with that organisation. For example, if you’re travelling abroad and you connect to your employer’s computers to check or send mail, you can inadvertently reveal your national origin and professional affiliation to anyone observing the network, even if the connection is encrypted.

Some TOR users, such as research development engineers, journalists and seekers of democracy, are clear that their use of TOR is for legitimate purposes; however, it is clear that criminals are frequently using TOR to conduct illegal activities. There are concerns from various organisations that TOR assists the criminal underworld in conducting illegal activities, such as drugs, person or arms trafficking, child abuse or identity theft, whilst remaining near enough undiscoverable. That said, there have been a few high profile convictions of persons conducting illegal activities whilst using TOR, including the Silk Road investigation, which resulted in the hidden underground illegal-drugs website being shut down in October 2013.

It has been reported that in the USA the NSA have attempted to target TOR users through cyber-attacks aimed at security weaknesses within various internet browsers.  These targeted attacks only go to reinforce the necessity to ensure that security measures are developed with browsers, applications, operating systems, software and hardware and are also updated on a regular basis.

There are a few security experts that have highlighted TOR as being the first step in attempting to remain secure against cyber-attacks; however, as attack methods and frequency increase, the likelihood of TOR remaining secure is rapidly diminishing. This will not deter some elements of the internet community from utilising TOR as they strive to remain anonymous whilst corporate and government surveillance increases.

Is there a future for TOR in the corporate or even the government sector within the UK? In the author’s opinion TOR is unlikely to be used in its current form, as it potentially throws up a multitude of questions as to why persons or organisations feel the need to conduct business behind ‘closed doors’. In this age where transparency and honesty go hand in hand, the use of TOR may invoke a distrusting attitude which can harm business opportunities despite the legitimate use of TOR. TOR does have its uses and in certain circumstances can assist with maintaining confidentiality whilst ensuring that the freedom of speech is maintained. It is, as always, a fine balance between promoting a business whilst also protecting it: even though the use of TOR is not illegal, it may, if disclosed or later discovered, deter businesses or organisations from interacting with each other.

Watch out for those iPhone/iPad phishing emails

For reasons far too dull to expand upon, there were no Apple products in my stocking this year. I have, however, had a mountain of email telling me to click through various links in order to re-register my iPad, to download a free app or piece of music, and a variety of other things. Also for my iPhone (that I don’t have), a variety of free apps and other vital pieces of software I must have/register or otherwise obtain. I hope that you have not been subjected to any of this opportunistic phishing. For that is what it is.

Given that Apple products dominated Christmas this year in terms of phones and tablets, it looks like a safe bet for a phisher. Add to that, some of the recipients might be kids/inexperienced/slightly merry on Christmas day and therefore more likely to click an unexpected link or file and thereby deliver the toxic payload or whatever the email was designed to do.

At this point I would refer you to my previous post about making sure you are allowed to use your device on your employer’s networks, before you actually do. Especially if you have not been careful about what you have clicked on when you had your party hat on…

Happy 2015 everyone.

The U2 Album and some phishing

Opinions vary on the success and indeed the ethics of Apple’s decision to place a copy of U2’s new music in iTunes libraries. Some people have welcomed it, though I assume these are the ones who did not have their personal preferences overridden. Apparently, many people had not selected the auto download option in their settings but this seems to have made little or no difference. (These may or may not be some of the contributors to the Twitter hashtag #IblameBono currently occupying a space in my recommended trends. I hasten to add Advent IM has not contributed.)

It has also become apparent that the album is not too easy to remove either… indeed the news today includes an update from Apple, who have now created a ‘remove U2 with one click’ tool after the clamour from iTunes users. They do say that there is no such thing as bad publicity but I can’t help but wonder if invading people’s privacy in this way would ever be good news for a brand. Knowing that your wishes can be overridden with impunity is not reassuring. Realistically, I would think that regular reassurance and demonstration of privacy and security being respected would be a far better approach.

One of the unintended consequences of this has been a massive increase in the number of iTunes and Bono-based phishing emails. Some have offered a ‘delete the U2 album’ link or tool (either carrying or linking to malware). Others have capitalised on the fact that Apple have given something away by purporting to carry a link to a free film from Apple. Users who were suitably impressed by being given the free U2 album have been ‘softened’ into thinking it was perfectly believable Apple would now be sending them links to free movies.

So users who were less than happy with the sneaking of U2 into their library may get caught by the first kind and those who were thrilled and were then happy to have more free Apple stuff may be caught by the second…

Whatever way you look at this, the U2 album has been a bit of a nightmare from a security perspective. #IMightBlameBono…

 

By popular demand…

Our NHS CCTV Awareness training day is back!

For all users and viewers of CCTV images in the NHS regardless of role, the course is designed to keep NHS trusts on the right side of the Data Protection Act and ICO guidelines.

November 20th is the date for the training centre but if you have a larger group and would prefer us to come to you, we can arrange it for you.

You can get details of the course, prices and a booking form here…

“This was a really informative day. Lots of questions answered. I wish we had had this training when the CCTV was first installed.” – recent delegate from Cornwall Foundation Trust

Watching you, watching me – CCTV in school toilets and why we need to consider more than numbers

Every once in a while, some stats will appear that capture everyone’s imagination and prove to be a sub editor’s dream for headlines. The Big Brother Watch FOI report released this week has brought with it a wealth of headline opportunities, many of them toilet related and all quite breathless in their indignation. But the placing of cameras in private places is just the beginning of the story.

Whilst as security professionals we can totally understand the general public’s shock at the level of CCTV use in secondary schools and academies, we were as disquieted as everyone else about the use of CCTV in areas such as toilets, showers and changing areas. Not everyone realises the complexity of securing a school, college or university. There may be several buildings with varying traffic and visitors. Effective security looks at all threats and risks and treats them appropriately. So it’s not very surprising that the hue and cry has erupted over the acceptability of placing CCTV cameras in such intrusive areas. When performing one day School Security Health Checks we suggest that a Privacy Impact Assessment be carried out, for what will now be obvious reasons.

For us though it shows the beginning of the problem and isn’t an isolated issue. We deal with schools, colleges and universities frequently. One of the main things they like help with is CCTV and the Data Protection Act. A head teacher is a head teacher not a security expert but the responsibilities that come with managing the images that come from CCTV are quite expansive and are not limited to where the cameras are placed.

We find that, for instance, external cameras may inadvertently be recording images that they should not be. So if the camera’s field of vision includes perhaps an area of a neighbouring garden or there is a view of someone’s home, then the use of that camera is contravening the Data Protection Act and the user could be fined. It’s irrelevant that this was not the intention of the user, it simply can’t be done.

Also, there may be issues around storing and deleting the images. Schools need to be fully conversant with how to secure the images they have captured. Security isn’t just about the camera; the images have to be handled carefully, as happens with pupil and staff personal data, and protected from either malicious or accidental breach. Deleting images when they should no longer be stored is also covered by the Data Protection Act and once again a user could find themselves in hot water if images are not being securely deleted after the allotted period has expired.

Who views the images created by CCTV systems? Again this falls into the policy and procedure area when we perform health checks. Only appropriate and necessary staff should have access to CCTV images, as would apply with any sensitive data for pupils or staff. The message that most comes out of the Big Brother Watch report is that if we are to use the wonderful security opportunity that CCTV affords us, we must do it securely and appropriately. You can access the full report on a pdf here.

We plan to publish a White Paper on this topic and if you follow this blog you will receive a notification of when it has been released and where you can obtain a copy. Alternatively you can email us and ask for one at bestpractice@advent-im.co.uk, or keep an eye on the website www.advent-im.co.uk

We have visualised some of the key elements we thought you may find interesting. These relate to both the number and ratio of CCTV cameras as well as those found in private areas in school. Whilst we don’t mind you using them if you wish, can you just drop us a note to let us know and make sure you credit both ourselves and Big Brother Watch.