The cybersecurity spotlight has been magnified, burning the unprepared

After an incredibly long hiatus, the blog is back in action.

Cybersecurity breaches, or at least the public’s knowledge of them, have increased. The breaches have been happening for years, and the media spotlight has continued to increase, especially with high-profile cases involving millions of consumers’ personal data.

A couple of breaches in 2019 impacted numerous consumers:

Increasing regulation in the form of the General Data Protection Regulation (GDPR) has applied pressure far beyond previous regulations. Note that the last blog written here was published in 2013, and note that the landscape has significantly changed since then. The consequences of non-compliance can be very severe with up to 20M EUR or 4% of annual turnover, whichever is greater, being the penalty in the case of a GDPR violation. Also in force since January 1, 2020, the California Consumer Privacy Act (CCPA) can impact businesses, but it is important for any business or other organization to consider whether the activity they are carrying out even falls within the scope of these laws.

The UK ICO provides a guide on GDPR focused on UK businesses and organizations, but the principles are worth considering when controlling or processing personal data of citizens of European Economic Area (EEA) states. There will be differences that are applicable within different member states that should be considered, but for managing risk especially where a business or an organization is getting off the ground, this is a good start.

Regulations aside, attention must be focused on securing systems and eliminating any security risks that may affect the protection of personal or other data. The best deterrence to a cybersecurity breach is not operating at all, but being practical, the next best is implementing best practices in information security especially at the technical level. The administrative and organizational best practices are also incredibly important, but without the technical component, the data is at critical risk of exposure regardless of how a business or an organization is administered or operated.

E-commerce stores should consider data protection and privacy

Are you processing personal data through your website in order to facilitate commerce?  In simpler terms, are you asking customers to provide information about themselves through your website, app, or email address, followed by using that information in order to carry out your business?

One of the questions of the self-assessment written by the Information Commissioner’s Office (ICO) states: “Do you only process personal data for staff administration, advertising, marketing or public relations, or accounts or records?”  Another states: “Do you process individuals’ information for advertising, marketing or public relations?” And: “Do you process individuals’ information for accounts or financial records?”  If the answer to any of these is ‘no,’ then you need to register with the ICO.  If you are meant to register but have not, the ICO might come knocking on your door with more than just a slap on the wrist.

Of key interest to online retail store owners would be the last question about accounts and financial records, and the ICO provides guidance on this in the self-assessment:

You should answer ‘Yes’ if you:

  • only process information necessary for undertaking and managing transactions with your suppliers and customers; and 
  • only share the information with people and organisations necessary to do this. Important – if individuals give you permission to share their information, this is also allowed; and
  • keep the information while you have a relationship with the supplier or customer it refers to or as long as necessary for your accounts and financial records.

So as long as you are doing just the above, this should be sufficient, but in case of any doubt, seek legal assistance.  Just as well, the other aspects of the assessment must be met properly regarding communications (advertising, marketing, and public relations).  It may be prudent to register with the ICO voluntarily, which can indeed be considered to be a mark of integrity and credibility with customers who can have confidence their personal data is used in accordance with the law.  Don’t forget to secure your data, too.

The tipping point for data protection to become the norm

With consumer security becoming highlighted constantly in the wave of online account phishing attacks, consumers becoming further concerned their communications could be compromised, and the PR message that consumers need to “watch what they are doing online” failing to modify consumer behavior on a wide scale, the tide in secure communications is turning.

In January 2010, Google began offering secure authentication access for its search engine.  For the first time in the competitive search market, security in searches became a reality.  Google had already offered HTTPS (Hypertext Transfer Protocol Secure) support through Gmail, which major email player Hotmail added only in November.  Google has also led the way in online collaborative office work through Google Docs, which uses HTTPS to protect confidential materials.  Yahoo! Email in the United States has yet to join the bandwagon, which it ought to as allowing consumer data to flow freely around public wireless hotspots is not preferable, and consumers have been continually gaining awareness about privacy and security.

Facebook, arguably now the world’s most popular website with over 500 million users, has also been using Yahoo!’s strategy in the United States only to allow HTTPS for logging in, to protect the password.  However, and with respect to Privacy Day that passed only yesterday, Facebook has set the stage for HTTPS to become the norm by beginning its roll out of full HTTPS support throughout the Facebook website.  This is data protection compliance at its fullest, as it ensures the consumer is obtaining the highest amount of security based on current consumer and professional standards.

Most e-commerce businesses, including financial services, have an obligation to implement HTTPS onto their websites, as consumer and client information must be kept fully confidential.  With Facebook’s induction into the secure world, commerce has stepped past the tipping point in security, and any company looking to enterprise today cannot only consider security in project management, it must implement that security as well.  This has always been the case for e-commerce, financial services, health services, and generally any service intended to be confidential, but it is clear the intention today is moving towards guaranteed confidentiality throughout the Internet.

A libertarian take on human rights and intellectual property

Disclaimer: This essay is an intellectual assessment of legislation and judicial decision-making to date from an equal-opportunity competitive point of view, originally written on February 13, 2010. The author’s current opinion would apply a more pragmatic take on human rights and intellectual property given the economic context in which society emerges, taking into account the bigger picture of industry and regulation as it does exist, and working from there to promote economic development.


How do we unite humanity? How do we maintain honest governance? How will technology be used either for the benefit or for the detriment of society? Questions like these spark in the minds of socially conscious individuals, and while they may not in others due to what could be considered impractical idealism, one thing appears evident: individuals think in many different ways, and they are strongly influenced by their environment. With the rise in the influence of money, individual rights have been pushed second to the pursuit of profit. This has led to cultural acceptance of deliberate social stratification; that others must lose rights in order for others to have more due to scarcity. What has led to this, though? If it is accepted, then this is dependent on the information each individual has; information, whether public or private, has come to define society.

The activists who dedicate their time to various progressive causes understand that appreciation of issues on a wider scale benefits these causes. When it comes to guaranteeing the rights and liberties people desire to maintain, it is the right to privacy and freedom of speech that allow for the persistence of the rest.[i] For better or for worse, technology has hit the core of these liberties. Although easy to generalize in a few pages of writing, the relationship between intellectual property and human rights continues to grow, and it could be argued that the two, in their strongest forms, are antithetical; this is why a balance must be made between the two in order to safeguard societal progression.

Creativity

It could be argued that privacy and free speech are generalized liberties that do not deserve elaborate protection due to the potential troubles behind having them[ii], but it can be argued that these rights, properly balanced[iii], will progressively enhance society. While money does guide many behaviors people use to survive, creativity has guided society through every progressive change it has endured. The agricultural and industrial revolutions were spawned not only out of a desire to maximize profit, but out of the creative minds of individuals who used existing knowledge and resources to create what people today call inventions, resulting in economic progress irrespective of the desire for profit. That creativity comes from information – without it, society is less susceptible to undergo progressive change.

Perception

The attitudes and reflections of individuals in today’s society are borne out of the knowledge they have collected over time, followed by their perceptions in the existing environment. Social psychology aside, the past century has produced a plethora of change, particularly in information technology. Society has applied technology to make business processes more efficient, maintain communication with loved ones, and improve the efficiency of other processes, such as enforcement, military and security. Unfortunately, the latter processes have entrenched on the former, as technology has become sophisticated enough to retrieve and apply information in ways that an everyday regular person would call invasion of privacy and restriction of free speech if he or she knew “what was going on.” Once again, the pursuit of profit[iv] and the consideration of unidentifiable national security issues[v] have come to affect these rights.

Stratification

While laws have been enacted to protect the rights of individuals who author different works, some of these laws, either in their statutory or case law form, have been interpreted in ways that interfere with the basic individual rights of authors, innovators, and consumers alike – the DMCA is only one in the United States that has caused a great deal of frivolous litigation and threats to the average consumer, such as the RIAA sending subpoenas to university students to pay a fine or face lawsuits that could put them and their families into financial trouble.[vi] Intellectual property is a human rights issue. Academically speaking, intellectual property should be used for not only the benefit of the author or innovator involved, but also for its consumers and even its competitors. Intellectual property rights have been argued as human rights, but this could not be the case if some of them can infringe on other, tangible human rights. The ideal free market individuals desire is affected not only by resource scarcity, but also by political power scarcity – when legislation exists in ways that strengthen parties of differential advantage, it can become too difficult for smaller competitors to compete and even too difficult for disadvantaged consumers to purchase and consume the various kinds of products protected by intellectual property law.[vii]

Paralysis

Intellectual property was meant to exist to protect rights but also benefit the public – for example, with patent protection, innovators are encouraged to disclose their inventions in consideration for a virtual monopoly on the market-control of that product. However, when the few in differential advantage have the capital to acquire patents in order to prevent legitimate competition, a gray area emerges as to the usefulness of the patent construct. For example, technological innovation has freed humanity from simple chores from sewing and cleaning clothes to manufacturing automobiles with minimal to no human effort. Fully automated restaurants have been developed which free humans from working in mundane and boring jobs. However, another gray area emerges when a player in the energy industry patents advanced battery and renewable energy harnessing technologies followed by rarely exploiting the technologies until near the expiration date of the patent, paralyzing technological progress and maintaining profit on an existing, prior art. An example of a prior art here would be in the oil and gas sector, in which advanced technologies have been patented and economically suppressed, leaving the patent owner time to innovate and profit from the prior art of oil production for as long as possible given the scarcity of oil.[viii]

Restriction

As government has been meant to provide rights to the individuals in society as well as prevent injustice, the economic understanding of elected officials and the degree to which they emphasize these issues will determine just how well they represent the people in these areas. Technological progress becomes economic progress when uninhibited and available for the wider public to enjoy. In distinction to the Felten v RIAA case, powerful copyright holders have unfortunately made their way into stopping “violators” in the United Kingdom, one of which created a device that video game players may install onto their console system to evade copyright protection mechanisms.[ix] This could set an unjust precedent that rights holders may argue should justify the criminalization of using devices on which infringement may occur, such as BitTorrent. While it may sound unreasonable to the average consumer to ban the use of BitTorrent and other seemingly harmless peer-to-peer software applications, several public universities and their accommodation facilities in the United Kingdom already block BitTorrent traffic from their networks with the reasoning “because it can be used for infringing copyright,”[x] even though the same or similar peer-to-peer technologies are used for non-infringing purposes.

Globalization

Moving from the developed countries of the United States and the United Kingdom to developing ones, consideration must be given to how intellectual property and technology affect the world as a whole. Trade does not stop within a country, and with ever-expanding technology comes ever-expanding profitable trading policies[xi], allowing for potential exploitation of developing countries. [xii] When patents and the pursuit of profit slow down the benefit of developing countries, a very clear issue arises in which technology that could be applied to better society is instead paralyzed due to the inability of such countries to afford it. Rights come with responsibility, and reasonably so, they should come with social responsibility.

Treaties: Institutions

Technology improves healthcare, education, and communication systems on a dramatic level, and if international organizations, such as the World Intellectual Property Organization (WIPO) and the World Trade Organization (WTO), do not take this factor into account, profit pursuits will continue to far surpass the pursuit of human rights. Developments in the WIPO have led to its Development Agenda, showing that there is consideration of developing countries being taken into account. However, the further the world economy moves into intellectual property as the primary competitive market while the lasting tangible commodities such as food, clothing, and shelter are still required to be traded simply for survival, the further capital will spread itself thin at the detriment of the unfortunate. Unfortunately, the WIPO and the WTO, while broadly international, do not prevent the minority of developed countries from entering into agreements such as the Anti-Counterfeiting Trade Agreement (ACTA), which, if unchecked, could paralyze the progress of the WIPO’s Development Agenda. Therefore, as international treaties become further and further binding across the majority of the world’s people, so does the consideration of the effects of all possible intellectual property rights on the same people.

Treaties: Human Rights

Various human rights laws attempt to keep authoritarian and profit-motivated entities from entrenching on various liberties – the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights (ICCPR) are two examples that have strength in international law, so long as constituent countries give them respect. Articles 12 and 19 of the former detail respect of private life and of freedom of expression, while Articles 17, 19, and 25 of the latter detail respect of private life, freedom of expression and reception, and the right to take part in public affairs.[xiii] The emergence of international bodies such as the European Union must also be taken into account, as the recently ratified Lisbon Treaty affects both human rights and intellectual property rights – the divergence of copyright laws across the twenty-seven member states has in its own right caused interference in international trade[xiv], and arguments for or against harmonization of the laws have their merits. In the case of divergence, it can be said that the divergence shows the sovereignty of each member state, while the other end of the argument would state that convergence promotes efficient international trade and unifies Europe.

Intellectual Property vs Human Rights

Although intellectual property rights do promote innovation and its protection in the monetary world, as a matter of principle they do not deserve to supersede civil liberties and human rights. If the pursuit of profit becomes so desirable as to neglect consumer privacy in enforcing, for example, copyright holders’ rights, the precedent for the judicial system and for the culture would clearly be an unjust one – ISPs, typically private corporations, could end up becoming indirect law enforcement out of fear of losing sponsorship from copyright holders. This forces the hand of ISPs, which force even harder the hands of consumers, the individuals who should always have a right to use the Internet for lawful purposes. Unfortunately, attempts to pass legislation in France and in New Zealand have set a harmful precedent that may lead to further international support for ACTA, though in both scenarios the legislation was rejected or indefinitely postponed.[xv]

Awareness

While it is clear that there ought to be corporate social responsibility in consideration of international trade, all too often does the electorate forget that their elected leaders require the government to maintain social responsibility, too, by remaining constitutional in practice. In an increasingly complex world with increasingly complex problems such as terrorism, citizens tend to turn a blind eye to any injustice the government may conduct[xvi] due to the fear they might have over a situation[xvii], real or imaginary. When institutions conduct themselves in ways that are clearly violations of civil liberties and human rights and the government “for the people, by the people” does not actually serve the people, not only does it cause disaffection with the government and an “us versus them” mentality, it reduces general expectations of trust citizens have for their government. [xviii]

If the global perception is ever allowed to persistently believe in fears that can be manipulated into minimizing privacy and free speech, so persistently will the culture be paralyzed from attaining progress. It has always been through general security that an individual feels that he or she has been able to freely express ideas for the benefit of all people – the two rights are intertwined, they promote education, and ultimately promote societal progress. In some cases, a major controversy must be fueled before individuals are aware of their rights.[xix] Therefore, it is in the best interest of individuals and their society to be as aware as possible about the impact of intellectual property on their rights.


[i] That is, if either of these two rights were severely restricted, so easily could other rights be restricted due to how these two freedoms, particularly free speech, allow for democratic participation. Meanwhile, the level of privacy one has can come to dictate the level of free speech he or she decides to apply due to environmental factors.

[ii] See http://boingboing.net/2009/12/09/google-ceo-says-priv.html. Google CEO Eric Schmidt essentially states that if something must be private, it probably should not be done, though BT Chief Security Technology Officer Bruce Schneier has a different opinion, which intertwines privacy and free speech, “For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that — either now or in the uncertain future — patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.”

[iii] Hoanca, Bogdan. “Freedom of Silence vs. Freedom of Speech: Technology, Law, and Information Security.” The main idea is that silence, or privacy, can be at odds with free speech. Different interest groups may want to communicate their materials freely, but this could come at the expense of the privacy an individual desires. The article argues that improved technological methods to ensure privacy and free speech will work far more efficiently than the repeated failure of legal mechanisms to balance the two, which often result in the restriction of one of the two freedoms more often given the law’s inability to account for technological progress.

[iv] 17 U.S.C. amendments including the implementation of the Digital Millennium Copyright Act (DMCA), argued by opponents that it “chills free expression […], jeopardizes fair use […], impedes competition and innovation […], and interferes with computer intrusion laws,” per http://www.eff.org/files/DMCAUnintended10.pdf. Proponents such as the Recording Industry Association of America (RIAA) have made arguments and conducted questionable practices – for the pursuit of profit; Felten, et al., v RIAA et al., in which the RIAA threatened scientists with legal action for desiring to release legally created methods that could be used to infringe copyright.

[v] 50 U.S.C. Ch 36, Subch 1 (Electronic Surveillance). This implementation of the Foreign Intelligence Surveillance Act still provides the government broad sweeping powers over U.S. citizens that may be suspected of aiding and abetting terrorists as “agents of foreign powers.”

[vi] See http://www.thetartan.org/2007/10/1/news/download. This is one of several examples of university students affected by the pre-litigation strategy of the RIAA.

[vii] See Banta, D.H. (2001). “Worldwide Interest in Global Access to Drugs.” Journal of the American Medical Association 285 (22): 2844–46. Patents by default restrict competition in consideration of full disclosure of the patented item’s design. The argument here is that pharmaceutical companies have a direct incentive to bar competitors from providing these medicines to the poor who cannot afford the patented, expensive version.

[viii] U.S. Patent Nos. 6,255,015 and 6,969,567 are two examples. A primary reason the patents have been rarely exploited is due to the demand the patent holders have sought in order to supply products. Due to the heavy competition in the oil and gas sector, Chevron, the current patent owner, would argue that fully exploiting the patent would not be in their investment interest. This would be a Catch-22 argument, though, as with most infrastructure-related matters such as telecommunications, a tipping point is necessary to be passed for the product to sustain demand.

[ix] R v Gilham [2009] EWCA Crim 2293.

[x] http://www.halls.london.ac.uk/documents/college/licence_agreement_double.pdf is one example, “Please Note: the use of applications which in practice are used almost exclusively in breach of the JANET Acceptable Use Policy [and the University’s IT code of conduct after Acceptable use policy] will be deemed unacceptable, regardless of their actual use. Most notably, the use of peer-to-peer sharing software generally used for the sharing of material in breach of copyright is unacceptable.” While this statement is enforced as is in the License Agreement, the JANET Acceptable Use Policy (http://www.ja.net/documents/publications/policy/aup.pdf) never explicitly states such a restriction on the use of such software, while the “IT code of conduct” does not readily appear to exist.

[xi] Trade liberalization, with treaties such as the North American Free Trade Agreement (NAFTA), the emerging European Union, and other economic agreements, has caused normally closed markets to be exposed to the effects of markets around the globe.

[xii] In reference to outsourcing and the poor conditions workers have to deal with, particularly if these workers have no other option; if the appropriate structural adjustments are not made in the outsourced country, then unemployment will be vast due to the technological unemployment that would occur; i.e., the country is not developed enough to handle the influx of technology that affects competition, so a few, privileged set of individuals in that country would benefit greatly by being able to compete in the global marketplace. See http://www.cato.org/pubs/pas/pa092.html. Regarding the World Bank, it is stated, “But the bank itself is based on an outdated theory of development economics, which assumes that all Third World economies need for growth is to be provided with capital handouts and modern technology.”

[xiii] Directly related to ISPs forcing the hands of consumers, detailed in the subsequent paragraph.

[xiv] See “Oh brave new world! Lisbon enters into force.” EU Focus 2010, 267, 1-14. © 2009 Sweet & Maxwell and its Contributors. The commentary cites TFEU Article 118 which will allow the European Parliament and Council to ensure enforcement of intellectual property rights.

[xv] See http://www.eff.org/deeplinks/2009/06/three-strikes-dead-in-france.

[xvi] For example, ridicule of underrepresented minorities, torture of “enemy combatants” and surveillance of suspected terrorists.

[xvii] For example, the “War on Drugs,” the “War on Terror,” and xenophobia. See https://www.apsanet.org/~polcomm/apsa%20papers/Davis-Silver.pdf. “More limited support for civil liberties is fed by the interaction of trust in the government and fear of terrorism. A high level of fear compels many people to adopt positions that they might otherwise find unacceptable.”

[xviii] See http://www.aclu.org/free-speech/aclu-renews-its-call-investigation-civil-liberties-violations-rnc. Citizens used their right to assembly, met with fierce law enforcement response, causing various civil liberties violations. See also http://www.telegraph.co.uk/finance/financetopics/g20-summit/5920924/G20-police-did-not-respect-protesters-human-rights.html. The Joint Committee on Human Rights in the United Kingdom Parliament has accepted that rights have not been respected: “Police have a ‘long way to go’ before they succeed in promoting and protecting human rights in their training and operations, the report concluded.”

[xix] E.I.P.R. 2010, 32(3), 99-103. When Facebook modified its terms of use regarding its control and use of data its users communicated to its servers, a public outcry caused Facebook to reinstate original, more protective terms, and since then, users have been more cognizant of their rights over the social networking platform, though the vast majority could still be argued to be unaware of most of what they share online.

Privacy and confusion over what deserves privacy

Work in progress, incomplete.

Certain events or trends have proven to be catalysts for major discussion or reform of the laws in place.

The most widely known catalyst to date is the September 11, 2001 terrorist attacks in New York, Pennsylvania, and Washington, D.C.  The reaction to this catalyst continues in a very direct way with the ongoing military operations of coalition forces in Afghanistan.  In the United States at the very least, this caused a great debate as to when our civil liberties are necessary when it comes to combating international terrorism, with legislation quickly following suit, such as the USA Patriot Act.  With an active, leadership-oriented foreign policy, many other countries have followed suit with regards to counter-terrorism measures.

Issues have arisen in the United States such as the legitimacy of the Foreign Intelligence Surveillance Act to allow warrantless wiretapping, which directly affects the privacy of Internet Service Provider consumers.

However, there is a new catalyst that is emerging as a trend that has major implications for the law with regard to privacy versus expression: the proliferation of confidential materials not authorized and therefore proliferated following a breach of confidence.  Without sounding too complicated, this means there is an emerging trend in using information intended to remain private in a public sphere due to a perceived “public interest” of the private information.  Still too complicated?  Maybe this has to do with the way individuals and organizations all together are flexing their PR muscle.

There is a lack of analysis provided in the rhetoric approving or disapproving of “public interest” breaches of confidence and the proliferation of the confidential material following the initial breach by an original actor before such rhetoric is published, and this is why there are major implications for the law.  What does not help clear up the confusion on how future legislation may proceed is the silence assumed by the owner on the matter of the owner’s confidential material and whether or not the information contained is legitimate, though the silence can be there for a legitimate reason, to protect security.  It is not just because this is an emerging trend that confidentiality is breached, it is because the rhetoric floating around the airwaves may not be focusing on the exact legal and social issues at play here.  Tabloid-style rhetoric is not only unnecessary, but it is irresponsible when a serious matter is the focus of the media, such as confidential material.

What is certain is that with this emerging trend of breaches of confidence that cannot be contained by the traditional injunction, an increasing focus will be set on the consequences for breachers in the criminal justice system as well as the security applied to protect private information.

A look at data protection from around the world

A work in progress, works cited under development.

This paper will focus on legislation in the European Union, the United Kingdom, China, and the United States.  In summary, we will be able to see some of the key differences in the various legislation, but more importantly we will be up to date on these increasingly important laws that affect the way our personal information is used around the world.

Data Protection Directive, Directive 95/46/EC and Data Protection Directive, Directive 97/66/EC

Enacted in 1995 and in 1997, these European Union directives act to harmonize member state legislation in the data protection arena.

Data Protection Act 1988, United Kingdom

Although enacted before the EU directive above, this is the main piece of legislation guiding data protection in the UK.

Data protection in China

Only relatively recently has a framework for data protection laws developed in China.

Data protection in the United States

Rather than using a central framework approach to data protection laws, the United States allows business to flourish, taking issues into account as doing so becomes necessary.  Therefore, there is detailed legislation in place, but the sectors for which they are in place vary widely.

There are other statutes and regulations in place that form the framework of data protection law, but the key to note is the approach different regions around the world have taken with regard to developing data protection laws and what implications this will have for a general “right to privacy.”