Archive for Legislation

Is CCTV Surveillance By Amazon Drones The Future?

An Amazon patent from 2015 appears to indicate that Amazon may consider ‘surveillance as a service’ using a swarm of its delivery drones armed with CCTV, as a monetising opportunity in the future.

Patent

The details in the patent foresee customers paying for a tiered service that employs the onboard cameras of Amazon’s delivery drones visiting users’ homes in-between delivery routes and filming irregularities and potentially suspicious activities.  For example, the cameras could potentially be programmed to detect evidence of break-ins and lurkers on/near a property, and the onboard microphones could even be programmed to detect suspicious noises such as breaking glass.

Tiered Service

It is thought that such a service could offer different tiers of service (reflected by different pricing) based upon factors such as frequency of visits e.g. daily or weekly, monitoring type e.g. video or still, and alert type e.g. SMS, email, a call or via app ‘push’ notifications.

Privacy

There are likely to be some obvious privacy concerns with a private company using its drones to film an area where it has a customer. In doing so, however, avoiding filming areas where it does not have permission to film would present a challenge.

The Amazon patent suggests a possible remedy in the form of defining a “geo-fence” around the area that does have permission to be filmed so that the drone’s surveillance activities can be focused (to an extent). The patent appears to accept, however, that some filming of the area outside the fence could occur.

National Surveillance Camera Day

In a world first, last week the UK played host to an awareness-raising National Surveillance Camera Day on 20th June as part of the National Surveillance Camera Strategy. As part of the day’s events, a “doors open” initiative allowed the public to see first-hand how surveillance camera control centres are operated at the premises of signatories to the initiative in the UK e.g. local authorities, police forces, hospitals, and universities.

Drone Research Reveals Negative Perceptions Among The Public

For the most part, people accept that the presence of CCTV surveillance cameras in public areas, operated by local authorities, and the presence of CCTV on business premises are generally for the greater good as a crime-reduction tool.

The same cannot be said for drone-based surveillance. For example, new research from PwC has shown that public perception remains a barrier to drone uptake in the UK. The results of the research showed that less than a third of the public (31%) feel positive about drones, and more than two-thirds are concerned about the use of drones for crime. In contrast, businesses appear to have a much more positive perception of drone use, with 35% of business leaders saying that drones aren’t being adopted in their industry because of negative public perceptions, despite the fact that 43% of those business people who were surveyed believed that their industry would benefit from drone use.

What Does This Mean For Your Business?

Amazon is a company that has continued to grow and diversify into many different areas in recent years, embracing and pioneering many different technologies along the way, such as parcel delivery drones. It is not unusual for companies, particularly big tech companies, to introduce many patents with many new ideas. In that sense, it’s difficult to criticise Amazon for wanting to get maximum (monetising) leverage from its delivery drones from a business perspective.

There remain, however, some serious challenges to the ideas in the drone surveillance patent, including privacy concerns and problems with current negative public perceptions of drones. This will require education around use cases for drones, and reassurance around regulation and accountability – this is a public company and could be one of many using the skies to offer the same service once the floodgates are opened.

For some businesses, however, as identified by PwC and by Amazon’s patent, drones potentially offer some great new business opportunities. It should also be noted that drones can offer some potentially life-saving opportunities, such as the human kidney for transplant that was delivered by drone, in the first flight of its kind, to a Medical Centre in Baltimore in May this year, thereby getting the organ to the surgeons much faster than by road.

For drones, it seems, there remain many opportunities and challenges to come.

Survey Shows Half Of UK Firms Have No Cyber Resilience Plan

A survey commissioned by email security firm Mimecast and conducted by Vanson Bourne has revealed that even after GDPR’s introduction, more than half of UK firms have no Cyber Resilience Plan.

What Is A Cyber Resilience Plan?

An organisation’s cyber resilience is its ability to prepare for, respond to and recover from cyber-attacks, and a Cyber Resilience Plan details how an organisation intends to do this.  Most organisations now accept that the evolving nature of cyber-crime means that it’s no longer a case of ‘if’ but ‘when’ they will suffer a cyber-attack.  It is with this perspective in mind that a strategy should be developed to minimise the impact of any cyber-attack (financial, brand and reputational), meet legal and regulatory requirements (NIS and GDPR), improve the organisation’s culture and processes, protect customers and stakeholders, and enable the organisation to survive beyond an attack and its fallout.

More Than Half Without

Mimecast’s survey shows that even though 51% of IT decision-makers polled in the UK say they believe it is likely or inevitable they’ll suffer a negative business impact from an email-borne cyber-attack in the next 12 months, 52% still don’t have a cyber resilience plan in place.

Email Focus

Email is a critical part of the infrastructure of most organisations and yet it is the most common point of attack. It is with this in mind that the Mimecast survey has focused on the challenges that managing the security aspects of email present in terms of cyber resilience and in achieving compliance with GDPR.

E-Mail Archiving

One potential weakness that the survey revealed is that only 37% of UK IT decision-makers said that email archiving and e-discovery are included in their organisation’s cyber resilience strategy. When you consider that email contains a great deal of personal and sensitive company data, its protection should really be at the core of any cyber resilience strategy.

Also, for example, in relation to GDPR, not having powerful archiving systems to enable emails to be found and deleted quickly upon a user’s request could pose a compliance challenge.

Human Error

Human error in terms of not being able to spot or know how to deal with suspicious emails is a common weakness that is exploited by cyber-criminals.

What Does This Mean For Your Business?

If the results of this survey reflect a true picture of what’s happening in many businesses, then it indicates that cyber resilience urgently needs to be given greater priority, particularly since it is now a case of ‘when’ rather than ‘if’ a cyber attack will occur.  Also, the risks of not addressing the situation could be huge in terms of risks to customers and stakeholders and the survival of the business itself, particularly with the huge potential fines with GDPR for breaches.

E-mail, and particularly email archiving (what’s stored, where, and how well and quickly it can be searched), poses a serious challenge. Businesses should reassess whether their email archiving strategy is effective and safe enough, and security should go beyond archive encryption to guard against impersonation attacks and malicious links.

Bearing in mind the role that human error so regularly plays in enabling attacks via email, education and training in this area alongside having clearly communicated company policy and best practice in managing email safely should form an important part of a company’s cyber resilience

Proposed Legislation To Make IoT Devices More Secure

Digital Minister Margot James has proposed the introduction of legislation that could make internet-connected gadgets less vulnerable to attacks by hackers.

What’s The Problem?

Gartner predicts that there will be 14.2 billion ‘smart’, internet-connected devices in use worldwide by the end of 2019.  These devices include connected TVs, smart speakers and home appliances. In business settings, IoT devices can include elevators, doors, or whole heating and fire safety systems in office buildings.

The main security issue with many of these devices is that they have pre-set, unchangeable default passwords, and once these passwords have been discovered by cybercriminals, the IoT devices can be hacked in order to steal personal data, spy on users or remotely take control of devices in order to misuse them.

Also, IoT devices are deployed in many systems that link to and are supplied by major utilities e.g. smart meters in homes. This means that a large-scale attack on these IoT systems could affect the economy.

New Law

The proposed new law to make IoT devices more secure, put forward by Digital Minister Margot James, would do two main things:

  • Force manufacturers to ensure that IoT devices come with unique passwords.
  • Introduce a new labelling system that tells customers how secure an IoT product is.

The idea is that products will have to satisfy certain requirements in order to get a label, such as:

  • Coming with a unique password by default.
  • Stating for how long security updates would be made available for the device.
  • Giving details of a public point of contact to whom cyber-security vulnerabilities may be disclosed.

Not Easy To Make IoT Devices Less Vulnerable

Even though legislation could put pressure on manufacturers to try harder to make IoT devices more secure, technical experts and commentators have pointed out that it is not easy for manufacturers to make internet-enabled/smart IoT devices secure because:

  • Adding security to household internet-enabled ‘commodity’ items costs money. This would have to be passed on to the customer in higher prices, but this would mean that the price would not be competitive. Therefore, it may be that security is being sacrificed to keep costs down – sell now and worry about security later.
  • Even if there is a security problem in a device, the firmware (the device’s software) is not always easy to update. There are also costs involved in doing so which manufacturers of lower-end devices may not be willing to incur.
  • With devices which are typically infrequent and long-lasting purchases e.g. white goods, we tend to keep them until they stop working, and we are unlikely to replace them because they have a security vulnerability that is not fully understood. As such, these devices are likely to remain available to be used by cybercriminals for a long time.

What Does This Mean For Your Business?

Introducing legislation that only requires manufacturers to make relatively simple changes to make sure that smart devices come with unique passwords and are adequately labelled with safety and contact information sounds as though it shouldn’t be too costly or difficult.  The pressure of having, by law, to display a label that indicates how safe the item is could provide that extra motivation for manufacturers to make the changes and could be very helpful for security-conscious consumers.

The motivation for manufacturers to make the changes to the IoT devices will be even greater when faced with the prospect of retailers eventually being barred from selling products that don’t have a label, as is the plan with this proposed legislation.

The hope from cybersecurity experts and commentators is that the proposal isn’t watered-down before it becomes law.

GDPR Says HMRC Must Delete Five Million Voice Records

The Information Commissioner’s Office (ICO) has concluded that HMRC has breached GDPR in the way that it collected the biometric voice records of users and now must delete five million biometric voice files.

What Voice Files?

Back in January 2017, HMRC introduced a system whereby customers calling the tax credits and Self-Assessment helpline could enrol for voice identification (Voice ID) as a means of speeding up the security steps. The system uses 100 different characteristics to recognise the voice of an individual and can create a voiceprint that is unique to that individual.

When customers call HMRC for the first time, they are asked to repeat the vocal passphrase “my voice is my password” up to five times to register before speaking to a human adviser. The recorded passphrase is stored in an HMRC database and can be used as a means of verification/authentication in future calls.

It was reported that in the 18 months following the introduction of the system, HMRC acquired 5 million people’s voiceprints this way.

What’s The Problem?

Privacy campaigners questioned the lawfulness of the system and in June 2018, privacy campaigning group ‘Big Brother Watch’ reported that its own investigation had revealed that HMRC had (allegedly) taken the five million taxpayers’ biometric voiceprints without their consent.

Big Brother Watch alleged that the automated system offered callers no choice but to do as instructed and create a biometric voice ID for a Government database.  The only way to avoid creating the voice ID on calling, as identified by Big Brother Watch, was to say “no” three times to the automated questions, whereupon the system still resolved to offer a voice ID next time.

Big Brother Watch highlighted the fact that GDPR prohibits the processing of biometric data for the purpose of uniquely identifying a person, unless there is a lawful basis under Article 6, and that because voiceprints are sensitive data but are not strictly necessary for dealing with tax issues, HMRC should request the explicit consent of each taxpayer to enrol them in the scheme (Article 9 of GDPR).

This led to Big Brother Watch registering a formal complaint with the ICO.

Decision

The ICO has now concluded that HMRC’s voice system was not adhering to the data protection rules and effectively pushed people into the system without explicit consent.

The decision from the ICO is that HMRC now must delete the five million records taken prior to October 2018, the date when the system was changed to make it compliant with GDPR.  HMRC has until 5th June to delete the five million voice records, which the state’s tax authority says it is confident it can do long before that deadline.

What Does This Mean For Your Business?

Big Brother Watch believes this to be the biggest ever deletion of biometric IDs from a state database, and privacy campaigners have hailed the ICO’s decision as setting an important precedent that restores data rights for millions of ordinary people.

Many businesses and organisations are now switching/planning to switch to using biometric identification/verification systems instead of password-based systems, and this story is an important reminder that these are subject to GDPR. For example, images and unique Voiceprint IDs are personal data that require explicit consent to be given, and people should have the right to opt out as well as to opt in.