ICYMI: The right to be forgotten, NSA transparency and security naivety

A landmark court ruling on European privacy dominates this week's In Case You Missed It column.

Google loses landmark privacy case

European privacy loomed front and centre in the news coverage this week, and that was down to a significant ruling in a Spanish court.

As SC reported at the time, the ruling came in the court case of Spanish man Mario Costeja González, who had requested that Google delete certain references to his name on the search engine. And to huge surprise, González won the case.

His issue with the Californian technology giant went back as far as 1998, when he put his house up for auction in an attempt to clear social security debts. The details of the auction were reported by La Vanguardia, a popular mass circulation newspaper in Catalonia, and ever since a search for his name has resulted in Google showing a link to the said article.

However, González successfully argued that the references should now be deleted, saying that the matter has been resolved. The ruling has received huge media coverage, and unsurprisingly so, for it has a potentially huge effect on publishing and on the data that all companies – regardless of sector – store on their customers. Google has reportedly already received ‘right to be forgotten’ requests for disgraced politicians and paedophiles, in a bid for their digital history to be erased.

These cases could become commonplace, especially with the ‘right to be forgotten’ being one of the important pillars of the forthcoming EU Digital Protection regulation (which replaced the EU Data Protection Directive).

Can the NSA be transparent?

SCMagazineUK.com attended an interesting panel discussion at the Houses of Parliament this week, where Timothy Edgar, President Obama's first director of privacy and civil liberties for the White House National Security Staff, spoke on NSA and GCHQ surveillance.

Edgar, who was joined by senior MPs from the three main political parties as well as activism groups Big Brother Watch and Privacy International, talked of the need for both agencies to be transparent and to work together on doing so.

In fact, he said that the NSA had little choice in doing so – such was the public's reaction to the leaks from former CIA contractor Edward Snowden.

“We've been dragged kicking and screaming into transparency world,” he said at the time.

But in the week that Glenn Greenwald revealed in his ‘No Place to Hide’ autobiography that the NSA inserted backdoors into USA-made routers and servers, there's a question to be had on how transparent these bodies can be, given that secrecy is vital to their operations.

There are also blurred lines in terms of what is and isn't normal, as far as collaboration is concerned. Last week, we reported on Google's regular conversations with the NSA, and yet numerous people in the know suggested that these meetings were most likely normal and intended to improve overall security protocols.

Security naivety a worry

Three recent interesting studies painted a worrying picture on businesses' approach to IT security. To summarise, they highlighted that most companies are failing at the ‘basics', are often ‘complacent' in employing countermeasures, and that they suffer detrimental brand reputation in the event of a data breach.

The first study, carried out by Atomic Research and sponsored by Tripwire, revealed that 60 percent of companies are confident that their security controls are able to prevent loss of data files. However, this "flies in the face of recent evidence to the contrary," said Tim Erlin, director of IT security and risk strategy at Tripwire.

Tripwire CTO Dwayne Melancon accused the firms of a “false sense of security”, saying that while 95 percent of respondents felt they were able to detect a breach on critical systems within a week, nearly all recently disclosed breaches went undetected for months.

Separately, the Information Commissioner's Office (ICO) published a report which detailed the eight most common IT security vulnerabilities as follows:

· A failure to keep software security up to date
· A lack of protection from SQL injection
· The use of unnecessary services
· Poor decommissioning of old software and services
· The insecure storage of passwords
· Failure to encrypt online communications
· Poorly designed networks processing data in inappropriate areas
· The continued use of default credentials including passwords

ICO group manager for technology Simon Rice said that too many companies are making ‘basic' errors.

“Our experiences investigating data breaches on a daily basis show that whilst some organisations are taking IT security seriously, too many are failing at the basics,” said Rice.

“If you're responsible for the security of your organisation's information and you think salt is just something you put on your chips, rather than a method for protecting your passwords, then our report is for you.”

These findings come as a worry, not least in the same week where Ponemon's “The Aftermath of a Mega Data Breach: Consumer Sentiment” study revealed that data breaches - along with customer service and environmental disasters - had the biggest effect on brand reputation.