Monthly Archives: November 2011

Oral evidence to the malware inquiry

The House of Commons Science and Technology Select Committee is currently holding an inquiry into malware.

I submitted written evidence in September and today I was one of three experts giving oral evidence to the MPs. The session was televised and so conceivably it may turn up on the TV in some strange timeslot — but if you’re interested then there’s a web version for viewing at your convenience. Shortly there will be a written transcript as well.

The Committee’s original set of questions included one about whether malware infection might usefully be treated as a public health issue — of particular interest to me because I have a published paper which considers the role that Governments might play in countering malware for the public good!

In the event, this wasn’t asked about at all. The questions were much more basic, covering the security of hardware and software, the role of the police (and at one point, bizarrely, considering the merits of the Amstrad PCW; a product I was jointly involved in designing and building, some 25 years ago).

In fact it was all rather more about dealing with crime than dealing with malware — which is fine (and obviously closely connected) but it wasn’t the topic on which everyone submitted evidence. This may mean that the Committee has a shortage of material if their report aims to address the questions that they raised today.

Want to create a really strong password? Don’t ask Google

Google recently launched a major advertising campaign around its “Good to Know” guides to online safety and privacy. Google’s password advice has appeared on billboards in the London underground and a full-page ad in The Economist. Their example of a “very strong password” is ‘2bon2btitq’, taken from the famous Hamlet quote “To be or not to be, that is the question”.
Empirically though, this is not a strong password-it’s almost exactly average! Continue reading Want to create a really strong password? Don’t ask Google

Complaining about spam to the ICO

Like I imagine most readers of Light Blue Touchpaper, the vast majority of spam I receive is from overseas. For that you can try complaining to the sender’s ISP, but if the spam is being sent from a botnet, there’s not much you can do to stop them sending you more in the future. There might be an unsubscribe link, but clicking on it will just tell the sender that your address has a real person behind it, and might encourage them to send more spam.

Things are different if the sender (of spam email or text messaging) is in the UK, because then they might have violated the Privacy and Electronic Communications Regulations (PECR), and you can complain to the Information Commissioner’s Office (ICO). The process isn’t fast, or particularly easy, and there are plenty of ways the ICO can avoid investigating, but it can get results.

The last time I went through this process was regarding a PR agency which was sending me repeated emails despite me asking to unsubscribe. I sent the complaint to the ICO in November 2010, and it took over 2 months for them to deal with it, but the ICO did conclude that based on the information available, the PR agency did violate the PECR. At the time, the ICO didn’t have powers to punish an organisation for PECR violations but they did remind the agency of their obligations. I was finally unsubscribed from the list and the PR agency even sent me a box of muffins as an apology.

Things don’t always go smoothly though. Before then I complained about an online DVD rentals company, for similar reasons. The ICO initially refused to invoke the PECR, claiming that “If you work for or attend higher education and are receiving unsolicited marketing emails to a university email address, there is no enforceable opt-out right provided by The Privacy and Electronic Communications Regulations 2003 (the Regulations).” However, they did say that if my name is identifiable from my email address, then the sender is processing personal data and thus is covered by the Data Protection Act. I could therefore ask the company to unsubscribe me (which I had done), and if they continued to send me email after 28 days I could complain to the ICO again.

In fact, the email address to which I was sent the spam was my personal address (I did however send the complaint from my university address), which I told the ICO. The ICO then wrote to the company reminding them of their obligations. I never received further emails from the company so it probably worked, but I didn’t get any muffins or even an apology from them.

Since then, some things have changed — particularly that the ICO can now fine organisations up to £500,000 for very serious breaches of the PECR (although as far as I can tell the ICO has never done so). Hopefully this will encourage organisations to take their obligations seriously. I’ve sent a further complaint to the ICO, so I’ll keep you posted on how this progresses. If you want to try sending a complaint yourselves, instructions can be found on the ICO site.

Sovereignty and Cybercrime

I spent the early part of this week at the London Conference on Cyberspace, organised by the UK Foreign Office.

Besides feel-good sessions on how wonderful the Internet can be for social engagement and economic growth, the two themes that had really drawn the participants were cybercrime and cyberwar (the latter being rebranded as ‘cyber security’ to avoid frightening the horses).

There was predictably little progress on the latter topic to be seen in public — Russia wants to strengthen national borders in cyberspace (and Evgeny Kaspersky spoke approvingly of strong online identity) and China’s position is similar (albeit their main intervention from the floor was an offer to investigate hacking attacks that came from their country).

Cybercrime was more straightforwardly condemned (which would not have surprised Calvin Coolidge) but the same fault-lines showed up in this topic as well.
Continue reading Sovereignty and Cybercrime