What Happened?
On Sunday July 10th, 2011 the News of the World published its last edition. This paper had been publishing for 168 years and was the top selling Sunday newspaper in the UK. The closure came following revelations of how the newspaper had allegedly obtained personal information using illegal methods such as phone hacking. What does this teach us about privacy and information governance?
The News of the World had a long history of exposing corruption in business and politics as well as the personal scandals of celebrities. It had been very effective at finding and revealing many stories of wrongdoing and corruption with a genuine public interest. However the events leading up to the closure began in 2005 when the News of the World published details of Prince William’s health. These details could only have come from intercepted mobile phone messages, and this led to a police investigation. Two years later, a reporter working for the newspaper and a private investigator were sent to prison for phone hacking. It was reported that the pair were considered to have been acting alone, and the investigation ended.
Over a period of time it emerged that the phones of further prominent people had been hacked. Then there were allegations that the lists of phone numbers included those of victims of crime, including victims of the 7/7 London bombings. Gordon Brown, the former prime minister, has accused News International, owners of the News of the World, the Sun and the Sunday Times, of using known criminals to find stories. In 2006 the Sun published a story about the medical condition of Mr Brown’s son Fraser. Mr Brown says that only his family and medical staff had access to this information[1].
What is Privacy?
What is privacy and why does it matter? Privacy is the capability of people to prevent information about themselves from being made available to other people. There is no universal agreement on what information is considered private. However, privacy is a balance between the rights of an individual and the good of society. For example, it should not be possible for people to keep criminal activities secret using the right to privacy as an excuse.
The European Convention on Human Rights[2] guarantees a right to privacy, and this convention forms the basis for privacy legislation in the EU. The Convention emerged from the aftermath of the Second World War and was intended to prevent oppressive actions by states: bugging and late night knocks on the door by secret police. In particular, Article 8 of this convention, which guarantees a right to privacy, is extracted here:
- Everyone has the right to respect for his private and family life, his home and his correspondence.
- There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
During the 1990s it was recognized that cross-border trade required the free movement of information and that this was vital to creating a strong EU. This led to the EU directives on privacy, which were intended to enable the free interchange of personal information around Europe while protecting the privacy of individuals. There are two principal EU directives which cover privacy: 95/46/EC on personal data processing, and 2002/58/EC on privacy of electronic communications. While these directives provide a common approach, laws vary in detail from country to country.
What is the Problem?
Firstly, it is difficult to understand how obtaining the information described above can be explained as being in the public interest. Secondly, the fact that reporters and investigators were able to get hold of some of the information raises the question of how well the information was being cared for. So the problem is one of information governance.
When an organization in the UK obtains personal information about individuals it should do this with the consent of the individual and for a clearly defined purpose. If the information is held on a computer it should register the fact with the Information Commissioner. It should allow individuals to have copies of the information that it holds on them and it should correct errors. It should use appropriate techniques and technology to secure the information from misuse.
If an organization obtains or holds information about individuals but does not know that this is happening – there is a clear failure of information governance. Equally if an organization holds information about individuals and discloses this information to unauthorized people then that is also a failure of information governance.
Now it may be argued that the news media are a special case; and there is some merit in this argument. If the objective of an organization is to penetrate criminal gangs and corrupt enterprises in order to reveal the wrongdoing – it can hardly be expected to act like a retail marketing organization. However we will have to await the results of the new police investigation to find out whether or not the law has been broken.
The ease with which the newspaper was able to obtain some of the information raises the question of how well this information was being managed by the individuals and organizations holding it. It is alleged that mobile phones did not have voicemail security codes set, and that reporters were able to “blag” information by calling organizations holding information and pretending to have a legitimate right to it. (This may be difficult to believe for anyone who has attempted to negotiate the questions posed by call centres in the name of data protection.)
Information Governance
So what is the solution to this problem? Balancing the rights of individual privacy against the need for a free press is not easy and we will have to wait to see what emerges from these events. However organizations need to take care of the information they hold and ensure that they comply with laws and best practice. The best approach for organizations is one of information governance. Information governance sets the policies, procedures, practices and organizational structures that ensure that information is properly managed. Good governance ensures that there is a consistent approach to risks and compliance across different lines of business and multiple laws and regulations. It can reduce costs by avoiding multiple, ad hoc, approaches to compliance and risk management.
Organizations with good information governance will know what information they hold and will have a process for training staff on how to keep this information secure. This training should include securing voicemail and how to detect and resist attempts to “blag” the information. Most “blagging” is based on the exploitation of human rather than technological weaknesses. For example, the blagger will pretend to be someone in authority or will ask for help. The strongest defence against blagging is to ensure that you have registered an agreed point of contact with the individual (for example a phone number). Then, if there is any suspicion, insist that the information will only be provided via that point of contact.
Privacy is a balance between individual rights and public interest. Organisations that collect information on individuals, even the news media, need to make sure that they comply with privacy legislation. Organizations that hold information on individuals need to take care that this information is handled properly and that staff are trained to detect and resist unauthorized attempts to get hold of this information. Basically it is down to good information governance.
About Mike Small, Information Security Management Analyst
Mike Small has over 40 years experience in the IT industry. He is an honorary fellow analyst with Kuppinger Cole Ltd as well as a Science Technology Engineering and Mathematics Ambassador to schools. Previously Mike worked for CA (now CA Technologies Inc) where he developed the strategy for identity and access management and was VP responsible for product development. This strategy led to the developments and acquisitions that contributed to CA’s IAM product line. He is a frequent speaker at IT security events around EMEA and contributor to the security press.
Mike began his career with International Computers and Tabulators (which later became International Computers Limited), where he was the architect for a number of leading edge information technology development projects ranging from system software to artificial intelligence.
Mike is a Chartered Engineer, a Chartered Information Technology Professional, a Fellow of the British Computer Society, and a Member of the Institution of Engineering and Technology. He has a first class honours degree in engineering from Brunel University.
Recent Speaking Engagements
1. IAM in the Cloud European Computer Audit and Security Conference Manchester, England, March 2011
2. Finding the Right Approach to Cloud Governance European Identity Conference Munich, Germany, May 2011
3. Security and Trust – Mission Impossible? Identity Next 2010 The Hague, The Netherlands, December 2010
4. Security in the Cloud – 10 questions to ask ISACA Information Security and Risk Management Conference Vienna, November 2010
5. Identity Issues of Virtualization European Identity Conference, Munich, Germany, May 2010
6. Cloud Computing – Security Smog? European Identity Conference, Munich, Germany, May 2010
7. Security in the Cloud European Computer Audit and Security Conference Budapest, Hungary, March 2010
8. Integrating Identity and Data Loss Prevention ISACA Webinar November 2009
9. Security Implications of the Virtualised Data Centre, Datacentre 2009 Belfast, Manchester and London November 2009
10. Risk, Reward and Compliance in Challenging Times, Gartner IAM Security Summit, London England, March 2009
11. Managing Roles and Entitlements European Computer Audit and Control Symposium Frankfurt, Germany, March 2008
12. Compliance for Multi National Companies CA World 2008, Las Vegas, November 2008
13. Malice, Misuse or Mistake: Getting to the ‘root’ of the Problem Gartner IT Security Summit, London England, September 2008
14. Security, Privacy and Trust - Mission Impossible? European Identity Conference, Munich Germany, May 2008
15. Unify and Simplify Identity Management, ISACA Computer Audit and Control Symposium Stockholm, Sweden, March 2008
[1] http://www.bbc.co.uk/news/uk-14116786
[2] Convention for the Protection of Human Rights and Fundamental Freedoms, Rome; 4th November, 1950.