The ICO: as useful as a chocolate teapot?

The ICO deals with two main areas of responsibility: dealing with appeals in regards to Freedom of Information requests and any issues connected with the Data Protection Act. Personally speaking I do have a degree of respect for the ICO when it comes to how they deal with matters pertaining to Freedom of Information. I might not always agree with their conclusions, but it’s easy to see that some thought has normally gone into them. Data protection is, however, a different matter. Getting them to do anything seems to be an uphill struggle and often next to impossible. A good demonstration of this would be my recent complaint to them in regards to a form apparently set up on Tom Watson’s behalf.

Many of you will be aware of the plan for a free copy of the Sun to be delivered to each home in England – Liverpool excepted. A lot of you will also be aware of Labour MP Tom Watson’s idea that people should be given the opportunity to stop the free copy from being delivered to their house. For those of you not familiar with the story, you may want to visit the following site:

http://labourlist.org/2014/06/world-cup-blues/

So far so good. Personally I have no real problem with this. The questionable journalism shown in the immediate aftermath of Hillsborough deserves to be condemned. The demand to stop such free copies from being delivered was clearly there, and Tom Watson – or one of his friends – was able to provide a form that allowed people to send in their details. These details would then be forwarded to the Royal Mail. I had even initially visited the site with the intention of signing up myself.

However, in doing all this Tom Watson also displayed a level of hypocrisy that I believe deserves to be condemned.

He mentions the Printers Imprint Act 1961. This is an obscure law that most people would not even be aware of. He continues with how the law needs to be enforced and how a £50 fine ought to be paid for each copy of the Sun sent out that breaks this law. Unfortunately for Tom Watson, however, the form provided is completely unprotected. Data is also sent outside the EEA without any protection each time details are submitted. My personal view is that this goes against the Data Protection Act. The DPA is a more fundamental law than the one that Tom Watson used to attack those working at the Sun. If the Sun deserves to be punished for their actions then so does Tom Watson, in my opinion.

The website set up for this purpose can be found here:

http://notothesun.nationbuilder.com

The form asks the user for their:

  • First name
  • Last name
  • Mobile number
  • Email address
  • Postal address

And then submits them in plain text with no protection whatsoever via a server located in a banana republic like Costa Rica courtesy of a US company outside the reach of UK regulators.
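The check behind the complaint, as an added example that is not code from this post or from the site it describes: the script parses a constructed sign-up page, resolves each form’s action against the page URL, and reports whether the personal details it collects would travel over HTTPS. The page URL, HTML and field names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a form served over plain HTTP whose relative action
# inherits the page's scheme, so every field is submitted unencrypted.
SAMPLE_PAGE_URL = "http://example.invalid/signup"   # placeholder URL
SAMPLE_HTML = """
<form method="post" action="/submit">
  <input name="first_name"> <input name="last_name">
  <input name="mobile" type="tel"> <input name="email" type="email">
  <textarea name="address"></textarea>
  <button type="submit">Send</button>
</form>
"""


class FormCollector(HTMLParser):
    """Collects each form's action, method and the names of its fields."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current and a.get("name"):
            self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """One finding per form: where it submits, over which scheme, which fields."""
    parser = FormCollector()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme.lower() == "https"
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # empty action -> page's own URL
        findings.append({
            "submits_to": target,
            "method": form["method"],
            "encrypted_in_transit": urlsplit(target).scheme.lower() == "https",
            # An HTTPS action on an HTTP page still leaves the form itself
            # open to modification in transit, so both flags are reported.
            "page_over_https": page_https,
            "fields": form["fields"],
        })
    return findings
```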

Over 7,000 people have apparently filled out this form.

I sent an email to the ICO inquiring about the legality of such a move. An abridged copy of their response follows:

Thank you for raising your concern with us about the collecting of personal data in connection with a campaign to stop the Sun newspaper from being delivered to individuals who do not want to receive it.

You say that the data capture form is not protected by SSL.

We want to know how organisations are doing when they are handling information rights issues. We also want to improve the way they deal with the personal information they are responsible for. Reporting your concerns to us will help us to do that.

Our role is primarily to consider whether there is an opportunity to improve the practice of the organisations we regulate, not to investigate or provide a formal adjudication on individual concerns.

As you are aware, the seventh data protection principle says that appropriate technical and organisational measures shall be taken against unauthorised processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This means that organisations are under a duty to keep personal information secure. However, the DPA does not specify what action they should take. The DPA recognises that there is no ‘one size fits all’ approach to data security. It is therefore necessary for organisations to adopt a risk-based approach to the level of security required in any particular circumstances. The measures an organisation takes should be appropriate to the nature of the personal data and the harm that could result from a security breach.

The personal data in this case is not ‘sensitive’ in terms of the DPA definition. Neither is it particularly confidential. It does not, for example, include any details of bank accounts or credit card numbers. It is made quite clear what purpose the individual is providing their personal data for and what will happen to it. There is no indication that individuals are being misled in any way about what they are consenting to when they provide their personal data and it is entirely their choice to provide their personal data or not. Nevertheless, any security breach would cause inconvenience at the very least.

It is not entirely clear that Mr Watson is the data controller in this case but in view of the fact that his name appears in connection with the campaign, we will write to him to provide advice about compliance with the seventh principle.

In relation to your concerns about CloudFlare, as this appears to be a US-based company, it is outside the Information Commissioner’s jurisdiction.

We will not be taking any further action in relation to the specific points you raise at this time. However, we will retain details of these matters, to inform our overall view of current internet issues.

I also asked the ICO for their view on exporting data to the US or within the US sphere of influence given recent stories (not just the PATRIOT Act, but also FISAAA, as well as the apparent complete lack of rights for non-Americans).

They have steadfastly refused to address this question. In addition, they appear to have deliberately avoided dealing with the issue of exporting data outside the EEA by making it sound like the company is responsible for the export of data, rather than the person or persons setting up the form and choosing them as the provider. Cloudflare, the service provider that underpins the website in question, has offices in the UK. The website itself lists other UK organisations as users, but the ICO appears to have made zero effort to find out who was responsible for creating the form.

As for not being sensitive, personally I would suggest that somebody at the ICO read this:

http://blog.spiderlabs.com/2014/06/from-a-username-to-full-account-takeover.html

It would appear that I’m not the only one to notice the toothless nature of the ICO.

“One of the problems we have got as a community is that if you don’t fine people then they don’t do stuff.”

Martin Sugden, chief executive of security firm Boldon James, takes a dim view of his industry.

A veteran of the security industry, he believes the UK’s Information Commissioner’s Office (ICO) has been lax in punishing those who flout the data protection rules and are failing to deter bad behaviour.

Trawl through the security archive of CBR over the last few months and you would have to agree IT has a security problem.

[…]

He believes the office is not as investigative as it should be, and subsequently is “slow to affect things”.

http://www.cbronline.com/news/security/is-the-information-commissioner-doing-enough-to-protect-your-data-4311103

In my case ‘not as investigative as it should be’ would appear to be the same as ‘no investigation whatsoever’. It’s a real shame that we seem to have an ‘independent’ regulator that seems to be more concerned with the impact on the economy amongst other things than actually doing their job.
