The most recent articles from IT Week

Government sows seeds for new ID systems

Dave Bailey — 2008-08-07T17:49:00.000Z

Dave Bailey, IT Week, Thursday 7 August 2008 at 17:49:00

Government to invest £5m into identity systems research

The UK government is to invest £5.5 million in developing the next generation of secure identity management systems.

The investment, led by the Technology Strategy Board, Engineering and Physical Sciences Research Council (EPSRC) and Economic and Social Research Council (ESRC), will create three new research projects, called EnCoRe, VOME and Privacy Value Networks.

The projects will be collaborations between business, academia and the public sector and will aim to ensure that the next generation of identity management systems strike appropriate balances with privacy concerns, the Technology Strategy Board said.

“In order to prepare UK businesses for competition in this global market, practical and cost effective solutions need to be developed which inspire public confidence by improving privacy and enabling consent as an integral part of future procurements," said Iain Gray, chief executive of the Technology Strategy Board.

Project EnCoRe will focus on providing more rigorous means for individuals to grant and revoke consent for the use, storage and sharing of personal data.

VOME will give a clearer hardware and software requirement for end users’ ideas and concepts regarding privacy and consent.

The final project, Privacy Value Networks (pvnets), aims to generate, a detailed understanding of individuals’ and organisations’ conceptions of privacy and identity.

EPSRC chief executive Professor David Delpy said that the new research had a unique approach, "looking at both the technological advances that need to be made alongside the social considerations and implications. The long term aim is to ensure a good balance between freedom and security for everyone.”

A cloud of suspicion hangs over online security

Tim Anderson — 2008-07-18T15:17:00.000Z

Tim Anderson, IT Week, Friday 18 July 2008 at 15:17:00

Online services need stronger security if business users are to entrust their critical data to the cloud

There’s a lot of hype about IT services living “in the cloud” these days. But is this approach to computing safe? If the recent experience of one software developer is anything to go by, then potential customers ought to have second thoughts.

Marko Karppinen, who uses Apple’s .Mac online services, got a shock when he tried to log into his Apple Developer Connection account (see his blog here). He found that the password and the email address associated with his account had been changed. Apparently, someone other than himself contacted Apple’s Developer Relations unit claiming to have forgotten the password, and Apple responded by changing both the email and password without any further checks - effectively handing over the account to the hacker.

No doubt this was an isolated incident, but it is one that highlights several security issues. First, it underlines the drawbacks of single sign-on. Apple is one of several IT giants offering a suite of services linked to a single user account. What Karppinen lost, as he noted in an indignant email, was not just his developer account, but files stored in the iDisk remote storage services, an iTunes account, personal email, and more. Single sign-on is convenient, but increases the risk to you, and the value to criminals, if that flimsy username and password combination is discovered.

Apple has just launched its MobileMe service, a revamped version of .Mac that synchronises email, contacts, calendar and files to the web, and to all your devices. The service looks compelling, but the more usage grows, the more likely it is that stolen password incidents will come to rival stolen laptop incidents for putting confidential data at risk.

Second, Apple’s identity management is weak even disregarding Karppinen’s story. It has an automated forgotten password service that lets you reset your password either through an email sent to the registered email address, or by answering a secret question that you specified when signing up.

Password reset via email is common, but desperately vulnerable. Emails generally travel through the internet unencrypted, so there is risk of interception. Further, once it arrives at its destination server, its security is dependent on the ISP running that server. Finally, the user may read that email through unencrypted POP3 collection, or in plain text on a web email service. If you put this together with the popularity of public Wi-Fi services, it is clear that resetting or reminding users of passwords via email is no security at all.

The secret question idea is no better. Users are often encouraged to use semi-public information, such as their mother’s maiden name. Apple makes you state your date of birth as well, but that is no better.

The difficulty for businesses is that services like Apple’s MobileMe, Microsoft’s Live SkyDrive or Google Docs are effectively unmanageable. But at the same time they are so useful that they gradually cross over from personal to business use, while staff may not realise that data stored online is just as vulnerable as it is on laptops or USB storage devices.

Security practices in some parts of the industry are astonishingly immature. We are long past the time when no passwords should be sent in the clear, yet the FTP protocol, for example, still does exactly that. Data stored online can and should be more secure than it is when stored locally. The technology is there, but it is frustrating to see stronger authentication schemes like Microsoft’s CardSpace languishing with little use even by Microsoft itself.

In 2008 you would have thought it would be easy to send a sensitive email signed and encrypted, but it is not. Password reset can be done securely too, by doing what banks do and sending a real letter to a physical address. Apple, please take note.

DPA hits 10-year milestone

Dave Bailey & Gareth Morgan — 2008-07-16T00:00:00.000Z

Dave Bailey & Gareth Morgan, IT Week, Wednesday 16 July 2008 at 00:00:00

Are the 10-year-old data protection laws still fit for purpose?

The Data Protection Act (DPA) 1998 today marks the ten-year anniversary, but increasingly data specialists are split on whether it still fit for purpose.

With the issue of data protection today receiving unparalleled attention, some commentators are suggesting that the rapid advances in technology have outpaced the legislation.

The amount of data being stored by enterprises today was inconceivable when the DPA received Royal assent on 16 june 1998, said Jamie Cowper, marketing director at security vendor, PGP Corporation. "I’d be surprised if nearly all companies aren’t in some way contravening the Act as it currently stands, whether they realise it or not."

Cowper called for a major overhaul of the legislation, arguing that it needed to be given "much sharper teeth", to persuade business leaders to abide by its principles.

But others believe that little change is needed, arguing that the broad principles of the Act provide a solid basis for navigating a complex issue in a fast-changing environment.

"[The DPA] doesn't need any major overhaul and can be seen as a good building block to move forward with," said Annabel Lyell, a solicitor with law firm Morgan Cole. "The fair and lawful processing of personal data is still a very useful concept."

Under the DPA's first principle, also known as the "fair and lawful processing" principle, individuals have the right to know who is collecting and storing information about them.

Data watchdog serves notice on government departments

Gareth Morgan — 2008-07-15T17:19:00.000Z

Gareth Morgan, IT Week, Tuesday 15 July 2008 at 17:19:00

HMRC & MoD slapped with enforcement notices

Data protection watchdog, the Information Commissioner's Office has confirmed that it has served enforcement notices on both HM Revenue and Customs and the Ministry of Defence, following high profile data breaches at the organisations.

Both departments will now be compelled to provide progress reports detailing how they are improving data governance practices.

The announcement was made as the Information Commissioner, Richard Thomas, released his annual report.

Thomas used the launch to criticise government proposals to store details of citizens' phone and internet communications.

"There needs to be the fullest public debate about the justification for, and implications of, a specifically created database … holding details of everyone's telephone and internet communications," he said.

"Such a scheme would require the fullest public debate to establish whether, whatever the benefits, it amounted to excessive surveillance as a step too far for the British way of life."

Hypertec USB drive enforces security

Daniel Robinson — 2008-07-07T17:24:00.000Z

Daniel Robinson, IT Week, Monday 7 July 2008 at 17:24:00

Flash drive forces users to protect their data

Hypertec has introduced a brand of USB Flash drives aimed at business customers, which enforces security by requiring the user to set a strong password before any data can be stored.

The Hyperdrive DataSafe BE, available immediately, secures all files using 256bit AES encryption, handled using a hardware encryption engine built into the device. Previous secure USB drives from Hypertec had both public and private areas for storing data, which meant it was possible for some sensitive information to be unprotected.

“We have upgraded our Hyperdrive DataSafe products in line with corporate user requests for a more secure method of transporting data," said Hypertec managing director Lianne Denness.

Available in capacities from 512MB up to 64GB, the DataSafe enforces password generation rules to ensure that the user chooses a strong password and is not able to store anything until one has been set.

If repeated attempts are made to guess the password by unauthorised users, the device will respond by deleting the internally stored encryption key, thus rendering the data unreadable, Hypertec said.

The DataSafe BE is available in a variety of case styles including rugged, retractable, slimline and standard, and is backed by a three-year warranty.

Commissioner urges data protection reform

Gareth Morgan — 2008-07-07T12:31:00.000Z

Gareth Morgan, IT Week, Monday 7 July 2008 at 12:31:00

UK Information Commissioner says European data laws are outdated

The UK's data watchdog, the Information Commissioner, has called for European data protection laws to be reformed to make them more business-friendly.

Speaking at the annual Privacy Laws and Business conference in Cambridge, the Information Commissioner, Richard Thomas, said that existing legislation was out-dated and increasingly ill-suited to the internet age.

"It is high time the law is reviewed and updated for the modern world," he said.

The Information Commissioner's Office (ICO) has hired research group Rand Europe to undertake an assessment of European data protection laws and identify avenues for reform, with a focus on enhancing consumers' rights while simultaneously reducing the burden on enterprises.

"This research will help identify ways we can make the law more straightforward and more effective in practice, but less burdensome for organisations," added Thomas.

Google responds to privacy calls

David Neal — 2008-07-07T12:01:00.000Z

David Neal, IT Week, Monday 7 July 2008 at 12:01:00

Google has added a privacy link to its homepage

Google has responded to advice from privacy advocates and has added a new link to its homepage.

Last week the firm added a link that takes users through to its corporate and privacy information, a simple addition that had been requested by privacy experts.

In June a coalition of groups asked Google to add the information, those groups included the Electronic Privacy Information Centre, and World Privacy Forum. They said that by not doing so the firm would be violating privacy laws.

In a post on its company blog, the search giant said, “Google values our users' privacy first and foremost. Trust is the basis of everything we do, so we want you to be familiar and comfortable with the integrity and care we give your personal data. We added this link both to our homepage and to our results page to make it easier for you to find information about our privacy principles. The new 'Privacy' link goes to our Privacy Center, which was revamped earlier this year to be more straightforward and approachable, with videos and a non-legalese overview to make sure you understand in basic terms what Google does, does not, will, and won't, do in regard to your personal information.”

Web giants spark privacy concerns

Rosalie Marshall — 2008-07-04T17:49:00.000Z

Rosalie Marshall, IT Week, Friday 4 July 2008 at 17:49:00

Google and LinkedIn criticised for not protecting individuals' data

While a US court ruled Google must hand over details of every person that has watched a video on YouTube, professional networking site LinkedIn has been criticised for exploiting its users and selling their personal information at a costly price to human resource professionals.

A New York judge has ordered Google to hand over all YouTube data, including user names, associated IP addresses and every video watched on the site, to entertainment company Viacom, in the latest move to settle a £500m law suit. Lawyers have since criticised the ruling for putting individual privacy at risk.

Nickelodeon owner Viacom argued in March last year that 160,000 clips of its TV shows were watched illegally more than 1.5 billion times on YouTube.

Viacom argued that although YouTube “touts itself as a service for sharing home videos” the reality is very different. “YouTube has filled its library with entire episodes and movies and significant segments of popular copyrighted programming from plaintiffs and other copyright owners,” Viacom had argued.

Google’s senior litigation councillor Catherine Lacavera voiced privacy fears after the judge adhered to Viacom’s demands for Google to disclose the data. She said she hoped Viacom will allow Google to “anonymise” the logs before producing them under the court’s order.

Law firm Cobbetts’ ICT and media partner, Susan Hall, echoed Google’s concerns. “The protective order which the parties have agreed and which Viacom are relying on as protecting the interests of end users is surprisingly ill-adapted to the estimated 12 terabytes of data which is expected to be revealed under order,” Hall argued.

Hall cast doubts that individuals’ privacy would be guarded by the judge order for Viacom not to re-use any of the information given marked “confidential”. She said she regarded the order as “oddly out of tune with the information society”.

UK rights group Privacy International’s Simon Davis said the Google court case will erode European trust in US sites. “We warned Google to delete all data that was no longer necessary, rather than keeping it for 18 months,” he said. “Now the data can be cherry-picked by anyone who holds an interest."

Meanwhile Privacy International is also accusing Google of breaking data protection laws with its planned launch of Street View in Europe. Street View is a product that matches locations on maps to photos which may include captured individuals.

“When CCTV was introduced into Britain, it was for public safety and law enforcement,” Davis explained. “The idea that a commercial organisation could turn public images into profit is something that was not envisioned by the law. "

Davis explained Privacy International had given Google a seven-day period to demonstrate that its “face-blurring technology” works. But Davis remains sceptical. “Six weeks ago Google had not been able to make it work so it is unlikely that it can miraculously be deployed,” he said.

Google is not the only web giant currently the subject of privacy concerns. Professional networking site LinkedIn, while announcing secured funding of $53m from Bain Capital Ventures, has also been accused of betraying its users.

Human resources analyst Bill Kutik compared the current LinkedIn site to the site first launched five years ago. At first, the definition of networking was users asking their contacts to connect them to other profiles through introductions. The introduction could only take place if one of the users already carried a close connection with the member that appealed. “Though it seemed like a gimmick at the time, the guarantee was that no one could find you, read about you or contact you except by linking to people personally linked to you,” argued Kutik in his blog.

However soon LinkedIn was selling advertising space for a cost depending on the professional position of the user. IT professionals were the most expensive to target.

Then LinkedIn launched InMail, whereby individuals can search for individuals they do not know at a cost. LinkedIn argues it is “30 times more likely to get a response than a cold call or email”.

Soon after, the firm launched the Enterprise Corporate Solution that allows account holders to search the entire site’s 23 million member profiles.

“Linked in is becoming a job board dressed in social-networking clothing,” noted Kutik. “When I’m promised privacy and then get monetised instead, I like to be asked first and then get a split of the take."

More regulation for online retail arrives

Dave Bailey — 2008-07-02T11:45:00.000Z

Dave Bailey, IT Week, Wednesday 2 July 2008 at 11:45:00

A new PCI-DSS regulation requires online retail firms to perform code reviews and use a web application firewall

Firms who process payment card industry data online, have another regulation to deal with. They must now become 'PCI-Compliant', after section 6.6 of the Payment Card Industry - Data Security Standard (PCI-DSS) standard came into force throughout Europe on 30 June.

The PCI-security standards council (PCI-SCC) said that PCI-DSS section 6.6 is intended to secure public Internet-facing web applications through two methods – reviewing code for Web applications and installing an application-level firewall. “Whilst proper implementation of both options would provide the best multi-layered defence PCI SSC recognises that the cost and operational complexity of deploying both options may not be feasible,” added the PCI-DSS,.

Andrew Clarke, senior vice president at Lumension Security’ said that adhering to the standard extends beyond compliance. “About half of all account compromises are a result of web-application data breaches and of this, and about 90 per cent of the data compromises are a result of the top 5-10 web-application vulnerabilities, so being PCI-compliant also becomes a competitive differentiator for those that adhere,” he explained.

NHS falls victim to another data breach

David Neal — 2008-07-01T14:35:00.000Z

David Neal, IT Week, Tuesday 1 July 2008 at 14:35:00

Another public sector organisation loses personal details

The NHS has had to admit to losing a laptop containing thousands of patient details

A hospital Trust has become the latest public body to suffer a data loss. The Trust failed to encrypt 21,000 patient details on a laptop which was subsequently stolen.

In a letter sent out to patients following the theft, Colchester Hospital University NHS Foundation Trust's chief executive Peter Murphy said, "The Trust offers all affected patients its sincere apologies for putting their confidential information at risk.

"Patients and the public should be reassured that the trust takes security and patient confidentiality very seriously. We are holding an investigation into how this incident occurred and its consequences and have suspended the member of staff involved until the investigation concludes."

However, this is unlikely to appease those who's details have been lost, who have already been commenting on blogs online about the conditions under which their details were stored.

The security firm Symantec recently began advising firms on how best to react to such losses, and has released a guide to coping with such an event, including the suggestion that businesses, "Lock down computers or mobile devices using software and physical means; eg use a secure password, use Control ALT Delete when laptops are left alone; encrypt data; use a Kensington Lock, etc."

Richard Archdeacon, Director Symantec Global Security, said, “Many of the recent high profile data loss examples could have easily been avoided but this doesn’t mean that it won’t continue to happen. However, by following these measures, businesses and the Government could avoid many of the high profile examples that have happened recently.”

Plasmon protects archived data

Dave Bailey — 2008-06-30T18:10:00.000Z

Dave Bailey, IT Week, Monday 30 June 2008 at 18:10:00

Plasmon's NetArchive platform uses NetApp RAID hardware and WORM appliance to archive data

Archiving solution provider Plasmon has announced NetArchive, an enterprise-class archiving system, which blends online and long-term storage architectures with data management software to give enhanced data integrity, longevity and disaster recovery, according to the vendor.

The system allows customers to let employees move data between NetApp's RAID hardware and the archive appliance using automated policy management software to link data transfer between the two sets of hardware. This reduces the cost and complexity of managing archives, Plasmon said.

Plasmon chief executive Steven Murphy said that NetArchive was "a key step toward the realisation of Plasmon’s strategy to simplify the archive process through virtualisation, which delivers an intelligence-based system behind a single storage node".

Murphy added, "NetArchive leverages appropriate storage technologies to balance capacity, performance and storage costs against the legal and business value of data and improves operational efficiencies while meeting customer requirements for a robust disaster recovery strategy."

NetArchive creates a tiered storage system, which migrates infrequently accessed data off NetApp's RAID hardware onto Plasmon's write-once, ready-many (WORM) Archive Appliance.

Ministers admit government must do more to improve its data-handling procedures

Rosalie Marshall — 2008-06-27T12:02:00.000Z

Rosalie Marshall, IT Week, Friday 27 June 2008 at 12:02:00

Minister for Justice Michael Wills acknowledged public disquiet over plans for massive government databases

Technology is developing too fast for organisations, both public and private, to form lasting data handling principles, Minister for Justice Michael Wills told a House of Lords Constitution Committee gathering on Wednesday.

The Lords met to question Wills and Tony McNulty, the Minister of State for Security, Counter-Terrorism, Crime and Policing, on issues surrounding the Surveillance Society report, a Lords public inquiry into the principles and technology by which the public sector administers public data. The inquiry followed numerous data losses by public and private organisations and growing public anxiety surrounding the government's data collection and sharing policies.

“It is clear we need a radical change in government in how we handle data,” said Wills. “Over the years the government has become scrupulous about how it handles money and has put lots of checks and balances in place, but the case for data is less clear,” he added.

Wills acknowledged the government needs to give the public more confidence that it does not intend to become a data hound, collecting as much individual data as possible. “I don't think anyone wants to see huge databases where anyone can go and search,” he added. “The security implications of that are horrendous.”

McNulty denied claims made by the Information Commissioner that Britain is “sleepwalking” towards a “big brother state”, but he acknowledged a government “struggle” between striking a balance between the duty of the state to protect the public and the individual's right to privacy, as well as “how to deal with the positive benefits of new technology”.

Also debated was the possibility of a privacy impact assessment for new government data-sharing legislation, which would require the government to clarify exactly what individual data would be sought and shared when putting forward new legislation. McNulty said it was an idea that was “worth exploring”.

Ask.com answers privacy questions

David Neal — 2008-06-26T12:06:00.000Z

David Neal, IT Week, Thursday 26 June 2008 at 12:06:00

Ask.com is responding to privacy pressures

Search firm Ask.com has today sent out a letter to its users and the web community at large in which it sets out its privacy aims and ambitions.

The letter, which is simply signed "the Ask.com Team", has been sent out in response to calls from privacy advocates who are seeking to change the way that online firms operate. Its ambitions, which would represent "a commitment be a commercial web site to inform users about the company's privacy practices", were welcomed by Ask.com.

Privacy bodies have recently been asking that that search firms place a link on the front page of their sites which would take users through to the company privacy policies, in a bid to make them more transparent.

This call was welcomed by Ask.com, who said, "we take our commitment to user privacy and data protection very seriously. We've demonstrated this not just through words, but through deeds and actions… Ask has added a conspicuous link to our privacy policy right on our 'About' page, which is one click off our homepage.

With privacy becoming increasingly important to our users, we took a look at our web pages and realised we could make some key improvements when it came to privacy links on our service… We strongly encourage others in the search marketplace and online industry to do the same."

DataFlux updates platform to enhance scalability

Rosalie Marshall — 2008-06-18T16:00:00.000Z

Rosalie Marshall, IT Week, Wednesday 18 June 2008 at 16:00:00

Threaded algorithms can enhance data quality faster

SAS owned Data integration firm DataFlux has updated its Data Quality Integration Platform with improvements in performance and scalability.

“Data volumes are rising rapidly and some organisations are being forced to process ever large quantities of data in batch or real-time,” said DataFlux chief executive Tony Fisher. “It’s essential that data quality technologies are built with the ability to scale up to this new challenge and process hundreds of thousands of records every day,” Fisher explained.

Version 8.1 of the platform adapts to an organisation’s data quality requirements. “We have threaded algorithms so they can run in parallel and perform more pieces of work at the same time,” Fisher said.

The algorithms work to match and standardise data, alerting organisations to instances where data does not conform to their quality standards. Fisher explained the update will also mean customers do not need to purchase another platform as one becomes unable to process increased data volumes.

DataFlux accelerators will also be part of the update. These are pre-built components that help apply generic data quality rules to specific problems in order to reduce implementation time, said Fisher. DataFlux has released three accelerators so far, while a fourth is planned for release before the end of year.

A single sign on capability has also been added to the platform. This will enhance management’s control over staff access to data, Fisher added.

Government warned on surveillance society dangers

Rosalie Marshall — 2008-06-11T16:21:00.000Z

Rosalie Marshall, IT Week, Wednesday 11 June 2008 at 16:21:00

Select Committee says privacy under threat from new technology

IT databases and search engines are encouraging the development of a surveillance society, according to a new report by the Home Affairs Select Committee.

“Technological developments have increased capacity for surveillance, particularly in terms of the storage of large volumes of data, and the ability to search databases and share information through the use of interoperable systems,” the report, titled “A Surveillance Society”, concluded.

Three government databases were highlighted as potential concerns by the report: the NHS care record service, the children's database ContactPoint, and the National Identity Card Scheme.

The report also noted that social networking increases the chances that personal information can be spread, without individuals' necessarily appreciating the risk.

Other risks include technology that creates profiles of individuals in order to make predictions on their future behaviour. The Committee pointed to digital technology firm Phorm, which has designed software called Webwise and OIX that tracks internet users´ behaviour to generate sales opportunities.

The rise in government surveillance is partly due to a strategy coined by the Cabinet Office in 2005 as “Transformational Government”, explained the report. The strategy aims to take advantage of technology used by the private sector to tailor services to the customer and to increase efficiency.

The Committee warns there are serious risks associated with the government’s penchant for collecting and storing personal information. Not only can mistakes or misuse of databases cause substantial harm to individuals but data-collection on a mass scale will eventually erode trust between the individual and state.

“To enjoy a private life is to act on the assumption that the state trusts the citizen to behave in a law-abiding and responsible way,” the report added.

The reported recommended that organisations should employ data minimisation policies – where a proven need has to be demonstrated for all information collected. Businesses should also adopt policies and procedures, which monitor staff access to customer information.

Individuals were urged to take responsibility for monitoring the collection, storage and use of their data.