Future policy approaches to the convergence of privacy and security online
INTERNATIONAL INSTITUTE OF COMMUNICATIONS
UK CHAPTER EVENT
Thursday 14 July 2016, 17:30 - 20:00
Location: TechUK, 10 St Bride Street London EC4A 4AD
The UK chapter meeting's chair, Ann Lafrance (Squire Patton Boggs LLP), set the scene by stating that businesses seem to be caught between a rock and a hard place: they use encryption to protect their customers' privacy but also face the UK's Investigatory Powers Bill (IPB). The IPB provides that communication providers have to assist government with details of their encryption.
Privacy and security are co-dependent issues, rather than a trade-off as often depicted, according to Robin Wilton [Technical Outreach Director for Identity and Privacy, ISOC]. Privacy cannot be ensured just by technology; policy is also needed. In fact, encryption – the technological answer to privacy – is a necessary but not sufficient condition for privacy protection, as it only ensures privacy at the point of first disclosure. Three things need to happen for good protection: people need to be aware there is a problem, motivated and equipped to do something about it – or able to delegate to a service provider who can help. A key problem is that consumers cannot influence the economics of data, and hence have little control over its effects on them. This is the field where policy has its greatest potential role.
Renaud Di Francesco (Sony Europe) echoed the view that users give away their data because they are not aware of its value, adding that recognising who owns the data is another important issue. At the moment, cyber security is in the hands of technology experts while it is lawyers who tend to defend privacy. There should be more legal protection of security and more technological protection of privacy. The IoT will bring new issues of protecting activity (not just communication); for example, criminals could detect when a house is operated remotely and take advantage of it.
Talal Rajab (TechUK, Head of CyberSecurity) felt that the privacy/security debate is actually about balancing different types of security, i.e. private vs. public security. He added that in its current format, the IPB would not pass the Safe Harbour and Privacy Shield tests required by the EU in order to offer services to its citizens. Also, whether or not the UK is part of the EU, it is bound by GDPR.
The Q&A session recognised that the twin influence of Snowden and the EU's GDPR – the former showing that the necessity and proportionality of surveillance were at best lipstick, the latter providing incentives for class actions and damages – has brought data protection to the top of the agenda for many companies. Businesses make their security features a key part of their branding, and any data breach is punished by stock markets and by users walking away. What if the data breach happens in the public sector? Any financial punishment would make the public body even less able to protect security. The public sector really needs to put training and processes in place. The discussion also provided interesting examples from around the world. One is Japan, which is taking the opportunity of a very visible event, the 2020 Olympics, to promote awareness and training on cybersecurity. The other is Singapore, which announced that its public data systems are no longer connected to the internet. Does this mean that you can no longer remain connected and secure?
Vice President, International Institute of Communications; Coordinating Partner, EMEA Communications Law; Co-Chair, Global Data Privacy & Cybersecurity; Squire Patton Boggs (UK) LLP
Chair of the Internet Society, England Chapter and Chair of European At-Large Organisation (EURALO) at ICANN.
Director, Europe Technology Standards Office at Sony Europe
Technical Outreach for Identity and Privacy at ISOC
Head of CyberSecurity at TechUK