Cloud: hope for the best but plan for the worst

15.02.2013 by Mike Small

The past couple of weeks must have been an anxious time for the customers of the outsourcing service run by 2e2, which went into administration on January 29th. This affected a range of organizations including hospitals. The good news today is that Daisy Group plc has been appointed to manage the 2e2 Data Centre business. Organizations are now almost totally dependent on their IT services to operate. It is tempting to think that outsourcing the service absolves you of any responsibility. This is not the case; an organization using a cloud service is still responsible for the continuity of its business. The lesson to be learned from this is that while organizations may hope for the best, they need to plan for the worst!

A previous example of the need for business continuity planning occurred some years ago. On the 29th of March 2004 a fire in tunnels under the city of Manchester had a major impact on telecommunications in the North of England. Emergency services were hit and mobile phone services disrupted; it was estimated that 130,000 phone lines were affected. It was not until April 5th of that year that services were back to normal.

Most organizations depend heavily upon the public telephone network, and this network is normally one of the most reliable services, so how did they cope with this disruption? The organizations that had an up-to-date and tested disaster recovery plan (mostly the large ones) were able to continue their operations. The small organizations without a plan were badly hit.

Smaller organizations, ones that are not able to afford their own highly resilient data centres, should benefit the most from the resilience offered by the larger cloud service providers. However, as the example above illustrates, small organizations tend not to have a business continuity plan. In addition, not all large organizations have included cloud services in their plan.

Organizations need to determine the business needs for the continuity of any services and data moved to the cloud. They should have policies, processes and procedures in place to ensure that the business requirements for business continuity are met. These policies and procedures involve not only the CSP, but also the customer as well as intermediate infrastructure such as telecommunications and power supplies. They should form part of a complete business continuity plan. Such a plan is part of the operations of what KuppingerCole defines as the “IT Management and Security” layer within the IT organization, which is described in the KuppingerCole Scenario: Understanding IT Service and Security Management – 70173.

Here are some points that need to be considered. For a more detailed view see KuppingerCole Advisory Note: Avoiding Lock-in and Availability Risks in the Cloud – 70171.

End to End Infrastructure: Use of the Cloud depends upon the infrastructure to be available from end to end. Not only does the equipment and services at the CSP have to be operational but also the network and the customer equipment need to be available and working. Therefore the Cloud customer, as well as the CSP, needs to ensure the availability of components under their control as well as having appropriate contingency plans.

Service and Data Availability: the data or the service may become unavailable for many reasons. These include misconfigurations and bugs as well as hardware failures; in addition, data may be corrupted or erased. The CSP may offer several approaches to minimize the risk of data becoming unavailable. However, if timely access to the data is important, ensure that you understand the promised time to recovery. In some circumstances the Cloud customer may need to perform a backup themselves to ensure the required level of business continuity.

Theft or Seizure: The equipment that is used to provide the Cloud service may be stolen or seized by law enforcement because of the activities of co-tenants. These can both lead to a loss of availability of the Cloud service.

Supplier Failure: The cloud service may become unavailable due to the failure of the CSP or of one of their providers. The CSP may go out of business for many reasons, ranging from withdrawal from the market through to financial bankruptcy. The CSP may also outsource some of the services that it depends upon, and its own supply chain could fail with the failure of one of these providers. Whatever the reasons, the impact of this failure on the cloud customer could be very high.

Power Loss and Natural Disasters: The cloud service depends upon the availability of power for systems as well as air-conditioning and other ancillary services for the data centre. An example of this was the lightning strike in Dublin that caused the Amazon and Microsoft Cloud to go offline in 2011.

For more details on best practices for cloud computing attend European Identity & Cloud Conference held in Munich during May 2013.  This will feature a one day workshop on Cloud Provider Assurance.  This workshop uses real life scenarios to lead the participants through the steps necessary to assure that cloud services meet their organization’s business requirements.


Top Ten Tips for Negotiating and Assuring Cloud Services

04.02.2013 by Mike Small

KuppingerCole research confirms that “security, privacy and compliance issues are the major inhibitors preventing organizations from moving to a private cloud.”  Our report on Cloud Provider Assurance provides information in depth on how to manage these issues.  Here is a summary of our top ten tips on negotiating and assuring cloud services.

  1. Consistent IT governance is critical: The cloud is just an alternative way of obtaining IT services and, for most organizations, it will be only one component of the overall complex IT service infrastructure. IT Governance provides a way to manage, secure, integrate, orchestrate and assure services from diverse sources in a consistent and effective way.
  2. Adopt best practices that are relevant to your organization from one or more of the frameworks or industry standards that are available.  These represent the combined knowledge and experience of the best brains in the industry.  However – be selective – not everything will apply to your organization.  Whatever standards you choose – select a CSP (Cloud Service Provider) that conforms to these standards.
  3. Understand the business requirements for the cloud service – security, privacy and compliance needs follow directly from these.  There is no absolute level of assurance for a cloud service – it needs to be as secure, compliant and cost effective as dictated by the business needs – no more and no less.
  4. Implement a standard process for selecting cloud services: This should enable fast, simple, reliable, standardized, risk-oriented selection of cloud service providers.  Without this there will be a temptation for lines of business to acquire cloud services directly without fully considering the needs for assurance.
  5. Manage Cloud Contracts – beware of CSP standard terms and conditions and consider carefully when to accept them. If the CSP standard contract satisfies the business needs – that is fine. If not, accept nothing less than you would from your in-house IT! If the CSP won’t negotiate, try going via an integrator.
  6. Classify data and applications in terms of their business impact, the sensitivity of the data and regulatory requirement needs.  This helps the procurement process by setting many of the major parameters for the cloud service and the needs for monitoring and assurance in advance.
  7. Division of responsibilities:  when adopting a cloud service make sure you understand what your responsibilities are as well as those of the CSP.  For example, in most cases under European law, the organization using a cloud service is the “data controller” and remains responsible for personal data held in the cloud. 
  8. Independent Certification of CSP: Look for regular independent certification that the service parameters which are relevant to your business need are being met.  Typically external audits are only performed once or twice per annum and so whilst they are important they only provide snapshots of the service.
  9. Continuous Assurance: To provide continuous assurance of the cloud service, require the CSP to provide regular access to monitoring data that allows you to monitor performance against the service parameters.
  10. Trust but Verify – Using the cloud inherently involves an element of trust between the organization using the cloud service and CSP.  However – this trust must not be unconditional and it is vital to ensure that the trust can be verified.



Data Breaches during 2012 demonstrate the need for better information stewardship

24.01.2013 by Mike Small

Was 2012 a big year for IT security breaches?

I don’t have quantitative information on exactly how many data breaches there were during 2012. However, during this period there were many prosecutions, enforcement notices and monetary penalties issued by the ICO (UK Information Commissioner’s Office). These included a record monetary penalty of £325,000 for a hospital in the UK where discs containing patient data were sold on the internet, a penalty of £150,000 for Greater Manchester Police where an officer lost a memory stick with unencrypted information relating to more than 1000 people linked to serious crimes, and a penalty of £120,000 issued to a council where sensitive information about a child protection legal case was emailed to the wrong person. There have also been a number of cases of Hacktivism and a worrying trend towards “ransomware” – an example being where extortionists encrypted patient data belonging to an Australian hospital and demanded $5000 to restore access.

Does this mean that the IT security industry is losing the battle against the hackers?

In terms of IT security technology there is a continuing arms race. As new kinds of security are developed, the criminals find alternative tools, tactics and procedures to overcome them. This challenge needs to be considered against a wider scope than one of technology. As long as criminals can make money at – what they consider to be – an acceptable level of risk, they will continue. The challenges include the lack of consistent laws and enforcement across the globe and the ability of criminals to process and bank their ill-gotten gains. As an example of this, Sophos was able to trace the gang behind the “Koobface” malware but there was no chance of being able to prosecute them in the UK.

What are the biggest IT security threats facing companies in 2013?

The single biggest threat is getting the owners and holders of information to recognize its value and their responsibilities. What is needed is a much greater degree of “information stewardship” to take appropriate care of information – to treat it like money. The examples from the ICO show that there are still too many organizations that fail to take adequate care of the information they hold. In addition, cyber criminals often seem to be better at recognising the value of information than its owners. The cyber criminals are evolving their tools, techniques and processes to focus their attacks on the highest value targets. So organizations need to guard against and prepare for these kinds of events. This means a change of culture as well as applying the best technology.

The KuppingerCole advisory note: From Data Leakage Prevention (DLP) to Information Stewardship – 70587 provides more details on this subject. This subject will also be covered at the European Identity & Cloud Conference held in Munich during May 2013.


Negotiating and Assuring Cloud Services

15.01.2013 by Mike Small

Adopting cloud computing means moving from “hands on” management of IT services within the organization to “hands off” IT management using governance, service level agreements and contracts. This approach sits uneasily with many IT people whose education, training and experience are in the delivery of services rather than negotiation and governance. Nevertheless the IT department is an important player in ensuring that an organization gets what it needs from the cloud. IT Service and Security Management are key components of the KuppingerCole IT paradigm, which identifies the important elements necessary to successfully adopt and assure cloud services.

An interesting article on negotiating cloud contracts was recently published in the Stanford Technology Law Review. This article provides a comprehensive list of the concerns of organizations adopting the cloud and a detailed analysis of cloud contract terms.  This article suggests that: “a multiplicity of approaches are emerging, rather than a de facto ‘cloud’ model, with market participants developing a range of cloud services with different contractual terms, priced at different levels, and embracing standards and certifications that aid legal certainty and compliance”.

According to this paper the most negotiated terms are:

  • “provider liability,
  • service level agreements,
  • data protection and security,
  • termination rights,
  • unilateral amendments to service features,
  • and intellectual property rights”

This is essential reading for any organization adopting cloud services.

KuppingerCole research confirms that “Cloud security issues (84.4%) and Cloud privacy and compliance issues (84.9%) are the major inhibitors preventing organizations from moving to a private Cloud.” Our report on Cloud Provider Assurance also provides information on how to assure the technical elements of cloud services which lead to the concerns mentioned in the Stanford paper. In summary – it is important to follow the old Russian maxim, which was often quoted by President Ronald Reagan: “trust but verify”. Using the cloud inherently involves an element of trust between the consumer and the provider of the cloud service. However – this trust is not unconditional and it is essential to ensure that the trust can be verified.

The Stanford paper highlights the risk that end users within an organization will bypass internal governance and procurement processes and procure cloud services directly.  It describes this as the “click through” trap.  The KuppingerCole model for cloud service management emphasizes the need for a quick and user friendly process for requesting cloud based services and assuring that they meet the needs and the risk appetite of the organization.   This process should be set up ahead of time in collaboration between all of the stakeholders including governance, risk, legal and procurement.

This process should:

  • Identify the business requirements for the cloud based solution.
  • Determine the security and governance needs based on these business requirements. Some applications will be more business critical than others.
  • Develop scenarios to understand the security threats and weaknesses. Use these to determine the response to these risks in terms of requirements for controls and questions to be answered. Considering these risks may lead to the conclusion that the risk of moving to the Cloud is too high.
  • Make clear which party (customer/provider) is responsible for all important aspects.
  • Specify what measures are needed to confirm that the required service is being delivered and make sure that these are measured and action is taken.
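Tip 9 of the earlier post (require regular access to monitoring data and measure performance against the service parameters) and the last step above (specify the measures, then make sure they are measured and acted on) both come down to the same routine check. The following is an added example, not code from KuppingerCole or any provider: it takes a constructed feed of outage windows as a CSP might export them, computes monthly availability and the longest outage, and compares both against hypothetical agreed SLA parameters (an availability percentage and a promised time to recovery, as discussed under Service and Data Availability in the first post). All figures and names are assumptions for illustration.

```python
"""Verify CSP-reported monitoring data against agreed service parameters (added example)."""
from datetime import datetime

# Constructed sample: outage windows (start, end) as reported by a provider's
# monitoring feed for one month. Not real incident data.
SAMPLE_OUTAGES = [
    ("2013-01-03T02:10:00", "2013-01-03T02:25:00"),  # 15 minutes
    ("2013-01-17T14:00:00", "2013-01-17T16:30:00"),  # 150 minutes
]

# Hypothetical contract terms: the service parameters the customer agreed.
SLA = {"availability_pct": 99.9, "max_recovery_minutes": 120}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def minutes_in_month(year: int, month: int) -> int:
    """Total minutes in the calendar month, handling the December roll-over."""
    first = datetime(year, month, 1)
    next_first = datetime(year + month // 12, month % 12 + 1, 1)
    return (next_first - first).days * 24 * 60


def outage_durations(outages) -> list:
    """Duration in minutes of each reported outage window."""
    return [(parse_ts(end) - parse_ts(start)).total_seconds() / 60
            for start, end in outages]


def assess_month(outages, year: int, month: int, sla: dict) -> dict:
    """Compare observed availability and recovery time with the agreed parameters.

    Returns the measured figures plus pass/fail flags, so the result can feed a
    report, a penalty claim or a review meeting rather than being taken on trust.
    """
    total = minutes_in_month(year, month)
    durations = outage_durations(outages)
    downtime = sum(durations)
    availability = 100.0 * (1 - downtime / total)
    longest = max(durations, default=0.0)
    # Downtime the SLA permits in this month, e.g. ~44.6 min for 99.9% in January.
    budget = total * (1 - sla["availability_pct"] / 100.0)
    return {
        "availability_pct": round(availability, 3),
        "downtime_minutes": downtime,
        "downtime_budget_minutes": round(budget, 2),
        "longest_outage_minutes": longest,
        "availability_met": availability >= sla["availability_pct"],
        "recovery_met": longest <= sla["max_recovery_minutes"],
    }


if __name__ == "__main__":
    result = assess_month(SAMPLE_OUTAGES, 2013, 1, SLA)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In the constructed sample the 150-minute incident alone breaches both the availability budget and the promised time to recovery, which is exactly the kind of finding a once-a-year audit snapshot would miss and a monthly check against the provider's own data would surface.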



RSA Conference 2012 Podcast: Cloud Provider Assurance

07.09.2012 by Mike Small

Cloud computing provides organisations with an alternative way of obtaining IT services. However many organisations are reluctant to adopt the Cloud because of concerns over information security and loss of control. This presentation covers assurance approaches to managing the Cloud including CSA Controls Matrix, SSAE16/ISAE3401, BITS Shared Assessments and ISO 27001.

RSACE2012 Podcast: GRC-301: Cloud Provider Assurance

Podcast audio available as an mp3 download (12:21, 11 Mb).


A CHANGE FOR THE BETTER?

28.06.2012 by Mike Small

There is an old joke that circulated amongst IT professionals during the 1980s – this joke goes as follows.  A man goes up to an ATM puts his card in the machine and requests some cash.  The machine accepts his card and PIN but doesn’t give out any cash.  He goes into the bank and tells a cashier what has happened.  The cashier replies – “that’s strange because we just had brand new software installed this morning”.  This joke is probably not funny if you bank with RBS in the UK.

I normally write about IT security issues, so why is this entry about managing change? Well – security is about confidentiality, integrity and AVAILABILITY. Good IT security ensures that you have access to the information that you are entitled to whenever and wherever you need it. One of the most frequent causes of non-availability is poorly managed change. In the world of software – a change is often a change for the worse.

The older the software system the more difficult it is to patch and most of the retail banking systems are very old.  The people that originally wrote it may be long gone; the change you are applying is probably on top of many previous changes.  You did your best and it looks like it should work but unfortunately you didn’t fully understand the complex interactions that now exist within the program.  So you test it, and your test contains all the expected cases plus all the previously detected bugs that have been fixed.  However these tests don’t include every possible case and so when it goes live – whoops the impossible happens and the system crashes.  If you are lucky this unlikely event only causes minor damage.  If you are unlucky – as seems to have been the case with the RBS systems – this unlikely event causes major damage.  It becomes the nightmare of IT security: a low probability, high impact event.

Now you have to recover from the problem. Can you roll back the software to the last working version? Are you able to restart or re-run the failed transactions? How can you make sure that you don’t repeat the successfully processed transactions? You need to have planned for all of these contingencies BEFORE you applied the change. You need to have tested your plan BEFORE you applied the change.
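The three recovery questions above (roll back, re-run what failed, never re-apply what already succeeded) have a standard engineering answer: take a snapshot before the change goes live, and make every transaction idempotent by recording its identifier in a durable journal before treating it as done. The example below is added here to illustrate that pattern and is not code from RBS, KuppingerCole or any real banking system; the `Ledger`, `Txn` and `CrashMidBatch` names and the sample transactions are constructed for the demonstration, and the journal is an in-memory set standing in for durable storage.

```python
"""Snapshot, idempotent replay and rollback after a failed batch (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Txn:
    txn_id: str   # unique id assigned at origination, the key for idempotency
    account: str
    amount: int   # pence; positive credits, negative debits


class CrashMidBatch(Exception):
    """Stands in for the 'impossible' failure that stops a batch part way through."""


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)
    # Ids already applied. In a real system this is written durably in the same
    # unit of work as the balance update, so a crash cannot separate the two.
    journal: set = field(default_factory=set)

    def snapshot(self):
        """Point-in-time copy taken BEFORE the change is applied."""
        return dict(self.balances), set(self.journal)

    def restore(self, snap):
        """Roll back to a snapshot, discarding everything applied since."""
        self.balances, self.journal = dict(snap[0]), set(snap[1])

    def apply(self, txn: Txn) -> bool:
        """Apply once; a second call with the same id is a no-op."""
        if txn.txn_id in self.journal:
            return False
        self.balances[txn.account] = self.balances.get(txn.account, 0) + txn.amount
        self.journal.add(txn.txn_id)
        return True


def run_batch(ledger: Ledger, batch, crash_after=None) -> int:
    """Apply a batch, optionally failing before item `crash_after`. Returns count newly applied."""
    applied = 0
    for index, txn in enumerate(batch):
        if crash_after is not None and index == crash_after:
            raise CrashMidBatch(f"failed after {applied} transactions")
        if ledger.apply(txn):
            applied += 1
    return applied


def demo():
    """Fail mid-batch, then show both recovery options: rollback and safe re-run."""
    batch = [  # constructed sample transactions
        Txn("t1", "A", 1000), Txn("t2", "B", -250),
        Txn("t3", "A", -400), Txn("t4", "C", 75),
    ]
    ledger = Ledger()
    before_change = ledger.snapshot()

    try:
        run_batch(ledger, batch, crash_after=2)   # t1, t2 succeed; crash before t3
    except CrashMidBatch:
        pass

    # Option 1: roll back to the pre-change state (nothing from the batch survives).
    rolled_back = Ledger()
    rolled_back.restore(before_change)

    # Option 2: re-run the WHOLE batch; the journal skips t1 and t2, so only t3, t4 apply.
    newly_applied = run_batch(ledger, batch)
    return ledger.balances, newly_applied, rolled_back.balances


if __name__ == "__main__":
    balances, reapplied, rolled_back = demo()
    print("after re-run:", balances, "newly applied:", reapplied)
    print("after rollback:", rolled_back)
```

The point to test before go-live is the one the post asks about: re-running the batch after the crash must apply exactly the transactions that failed and none of the ones that succeeded, and the snapshot must restore cleanly. Both checks are cheap to automate and belong in the change plan rather than in the post-mortem.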

Now it may well be that RBS did all that it could and should have done – only a detailed investigation will reveal whether there were avoidable shortcomings.  Nevertheless RBS’s experience should be a reminder to all of us in the IT industry to be careful about managing change to IT systems.  It shows the need for IT professionals to really understand the impact they have on the business.

The fundamental role of IT within an organization is simple to describe: it must provide the IT services that the business requires in the way the business wants them – nothing more, nothing less. Unfortunately, many corporate IT departments tend to concentrate more on technology than on the needs of the business. This is a major paradigm shift for many IT professionals. To explain this business-led approach to managing IT services KuppingerCole has written a research note “The Future of IT Organizations”.


Security out of the Blue

26.06.2012 by Mike Small

If you were asked to think of an IT security firm, perhaps IBM would not be top of the list. However IBM has a significant set of products in this market and it manages the security of its customers’ outsourced and cloud systems, as well as that of its very large internal IT operations. Following the acquisition of Q1 Labs late last year IBM is reorganizing to bring together all the security products under one division. Well, large companies are forever re-organizing, so why does this change matter? In short this is important because it reflects the increasing level of cyber risk and the recognition of this risk within the boardrooms of the organizations that are customers of IBM.

Over the past 12 months there have been a number of widely reported cyber-attacks on large organizations, and these attacks have been intended to steal information of significant value or to cause commercial damage. The organizations affected include Sony, whose PlayStation Network was targeted and the details of 77 million users compromised; RSA, which has offered to replace the SecurID tokens following a compromise of information relating to those tokens; and, according to the Verizon 2012 Data Breach Investigations Report, there has been a huge rise in politically motivated attacks. Even the head of MI5, the UK’s internal security agency, has said it is working to counter “astonishing” levels of cyber-attacks on UK industry. The trend, identified in the Verizon report, is a large increase in data breaches stemming from external agents. So is this a watershed for boardrooms to take an interest in cyber-security?

According to a study conducted using double blind interviews by the IBM Centre for Applied Insights with 138 security leaders, “while many security organizations remain in crisis response mode, some security leaders have moved to take a more proactive position, taking steps to reduce future risk.”:

  • Business leaders are increasingly concerned with [IT sic] security issues.
  • Budgets are expected to increase.
  • Attention is shifting towards risk management.
  • External threats are the primary security challenge.
  • Mobile security is a major focus.

In this study security leaders rank themselves according to their organization’s maturity and ability to handle a breach and from this three types of organizations appear:

  • Influencers: those that have business influence and authority – who rank themselves highly in maturity and preparedness.
  • Protectors: who recognize the importance of information security – but who lack measurement insight and budget authority needed.
  • Responders: who do not have the resources or business influence to drive significant change.

So the challenge for many IT security organizations remains one of dispelling the idea that IT security is just another technology support function, rather than something that has to be designed to protect the whole enterprise. This involves being able to communicate to the business that the cyber-threat is a real and present danger to the organization. It is also important because many organizations are moving to outsourced IT or the Cloud, and this brings additional IT security challenges.

So what about security products? Well, IBM has chosen to focus at the higher levels of IT security management rather than low level threat protection. The rationale behind this is that threats to organizations are both targeted and persistent. If the threat is blocked in one way the attacker will continue to look for other approaches that bypass the block. Therefore behavioural analysis of what is happening around and inside the organization’s network and systems is a better indicator of an attack in progress, and this often provides the security intelligence needed to counter these threats.

The other area that IBM has focussed on is mobile security. The increasing trend towards BYOD and the proliferation of tablets and other end user devices that can be connected to the corporate network has increased the risks of data loss. Although people value their smartphones they are not careful with them. (According to a study by Plaxo – 19% of people reported that they had dropped their smartphone down a toilet!) When the device is lost the data it contains is often more valuable than the device itself. In KuppingerCole’s opinion BYOD brings many challenges and the key to mobile security is to start from a data centric position rather than a device centric one: understand what data you have and then make sure that you protect it properly. IBM say that their strategy in this area comes from “following the data” – if so that is good news.

So – in summary – the risk of cyber-threats to organizations is increasing, and it is clear that IT security professionals need to do a better job of explaining these risks in business terms. KuppingerCole’s view is that IT Organizations have to adapt to become much more business aware or they will fail. This includes, but is not limited to, security challenges. It is good to see IBM providing a lead in this area.


THE DIMINISHING NETWORK PERIMETER

17.06.2012 by Mike Small

I just returned from NISC – the National Information Security Conference – held this year in Cumbernauld in Scotland. The theme of this event was “the diminishing network perimeter”. With the advent of smart phones, tablets, Kindles and BYOD, the boundaries between the work and home environment have dissolved so how do you maintain the security of your corporate network? How does this impact on the corporate network, and how much can you put into the cloud?

There were many interesting sessions around this theme and, as well as giving a talk on the Deadly Sins of Cloud computing, I sat on a panel which discussed the diminishing network perimeter.

Amongst the other sessions – one by Dr Simon Shui of HP Labs provided an interesting and different perspective on Cloud computing. Dr Shui has been working with Professor David J. Pym at the University of Aberdeen on the subject of “Information Stewardship in the Cloud”. They have developed a series of economic and mathematical models that explore various aspects of the emerging cloud ecosystem. These models allow the exploration of different priorities on information stewardship as well as the relative success of different policies and the attributes of platforms and providers.

I was honoured to be part of a panel, chaired by Gerry O’Neill, which discussed the diminishing network perimeter. In my opinion – the network perimeter is and always was an illusion created as a comfort blanket. We need to get over the idea that the whole organization can somehow be isolated – it can’t. The business perimeter is long gone. What is commodity is outsourced, only what adds value is retained. We need to remember that, in general, IT is now a commodity.

In this new world indirect governance now replaces hands on management. This approach is essential when you acquire services rather than produce them yourself. In general internal IT organizations have focussed on how to do it themselves and are not good at indirect governance. For indirect governance to succeed it is important to:

a. Really understand the business requirements (which include the need for compliance and the risk appetite).
b. Understand what data you have and the value of this to your business.
c. Base IT architecture, and decisions about how to acquire IT services on these requirements.
d. Assess risk and choose risk response on real need rather than theoretical possibilities.
e. Make sure that responsibilities are clearly defined and set controls and measure performance against this business need.

We can no longer design IT systems on the assumption that they will be run in-house. We can no longer rely on a notion of a secure perimeter as the basis for IT security. IT systems should be designed to run in whatever location is best from a point of view of cost and risk.


CLOUD COMPUTING DEADLY SINS

01.05.2012 by Mike Small

Adopting Cloud computing can save money, but you need to avoid the seven deadly sins.

The Cloud provides an increasingly popular way of procuring IT services that offers many benefits including increased flexibility as well as reduced cost. It extends the spectrum of IT service delivery models beyond managed and hosted services to a form that is packaged and commoditized. However – many organizations are sleepwalking into the Cloud. Moving to the Cloud may outsource the provision of the IT service, but it does not outsource the customer’s responsibilities. There are issues that may be forgotten or ignored when adopting cloud computing.

In medieval times the Christian church created the concept of the seven deadly vices to explain the human weaknesses that lead to sins. These are: wrath, greed, sloth, pride, lust, envy and gluttony sometimes known as the seven deadly sins. Of these vices one above all can lead to problems with Cloud computing. The deadly vice of Cloud computing is sloth which leads to inattention to details like:

  • Not knowing you are using the Cloud: it is easy to buy a Cloud service using a credit card – your organization may be using the Cloud without you knowing it. When you buy the Cloud service that way it is likely that you have agreed to the terms and conditions set by the provider, and these may not be appropriate for your needs. You should ensure that there is a proper process for obtaining a Cloud service and that this is followed.
  • Not assuring legal and regulatory compliance: many organizations have invested heavily to ensure that their internal IT systems comply with the legal and regulatory requirements for their type of business. You need to check that if you move these systems into the Cloud that you will not lose this compliance.
  • Not knowing what data is in the cloud: one of the key legal requirements for many organizations is compliance with data privacy laws. These mandate where personally identifiable data can be held and how it must be processed. If you don’t know what data you are moving to the Cloud you could be in trouble. This problem has become more acute because of the explosion in the amount of unstructured data like spread sheets, presentations and documents. It is essential that you identify and classify data you are moving to the Cloud to manage risks and ensure compliance.
  • Not managing identity and access to the cloud: controlling who can access what is even more important when data and applications are accessed via the Internet. Managing identity and access remains the responsibility of the customer when the data and application is moved to the Cloud. The best way to achieve this is through the use of identity federation based on standards like SAML and ADFS.
  • Not managing business continuity and the cloud: organizations adopting the Cloud need to determine the business needs for continuity of any services and/or data being moved to the Cloud. To support this they should have policies, processes and procedures in place to ensure that these business requirements are met. These involve not only the Cloud Service Provider, but also the customer as well as intermediate infrastructure such as telecommunications and power supplies.
  • Becoming Locked-in to one provider: it is often claimed that the Cloud provides flexibility but how easy is it to change Cloud Service Provider? There are a number of factors that can make changing provider difficult. There may be contractual costs incurred on termination of the service contract. The ownership of the data held in the Cloud may not be clear and return of the data on termination of contract may be costly or slow. When data is returned it may not be in a form that can easily be used or migrated. Cloud services (built using Cloud Platforms, PaaS in particular) may be based on a proprietary architecture and interfaces making it very difficult to migrate to another provider.
  • Not managing your Cloud provider: you need to manage your Cloud provider just like any other outsourced IT service provider. This means defining and agreeing metrics via service level agreements and then making sure that these are achieved. You, as the customer, may wish to perform an audit of the provider, but it may not be practical for the provider to allow every customer to perform their own audit. Certification of providers by a trusted third party is a way to satisfy this need. However, it is important to understand what these service organization controls (SOC) reports cover.
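The first risk above is not knowing what personal data is about to leave for the Cloud. The example below is an added illustration, not code from this blog or from KuppingerCole: a small scanner that runs over extracted document text, looks for a few categories of personally identifiable data, confirms an NHS-number hit with its modulus-11 check digit so that any ten digits are not mistaken for one, and assigns a handling label before the file is uploaded. The sample documents, the category list, the labels ("internal", "confidential", "restricted") and the rule that health identifiers and dates of birth are treated as sensitive are all assumptions made for the example; a real classification policy would come from the organization's data protection requirements.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample "files" (name -> extracted text). Invented for the example;
# the NHS number is a constructed value that satisfies the modulus-11 check digit.
SAMPLE_DOCUMENTS: Dict[str, str] = {
    "q3-sales-forecast.csv": "Region,Forecast\nNorth,120000\nSouth,98000\n",
    "staff-contacts.csv": "name,email,phone\nJane Doe,jane.doe@example.org,+44 20 7946 0958\n",
    "patient-intake.txt": "Patient NHS number 943 476 5919, DOB 12/03/1975, contact jane@example.org",
}

# One pattern per PII category. Regexes alone over-match, so the NHS number hit
# is confirmed with its check digit before it counts as a finding.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+?\d[\d ()-]{8,}\d"),
    "uk_nhs_number": re.compile(r"\b\d{3} \d{3} \d{4}\b"),
    "date_of_birth": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{4}", re.IGNORECASE),
}

# Categories this example treats as sensitive (assumed policy, not a legal definition).
SPECIAL_CATEGORY = {"uk_nhs_number", "date_of_birth"}


@dataclass
class Finding:
    category: str
    redacted: str  # matched value with its middle masked, safe to put in a report


def nhs_check_digit_ok(number: str) -> bool:
    """Modulus-11 check of the NHS number: weights 10..2 over the first nine digits."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) != 10:
        return False
    total = sum(d * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    return check != 10 and check == digits[9]


def redact(value: str) -> str:
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def scan_text(text: str) -> List[Finding]:
    findings = []
    for category, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if category == "uk_nhs_number" and not nhs_check_digit_ok(value):
                continue  # ten digits that fail the check digit are not an NHS number
            findings.append(Finding(category, redact(value)))
    return findings


def classify(findings: List[Finding]) -> str:
    """Map findings to a handling label (labels are this example's assumption)."""
    categories = {f.category for f in findings}
    if categories & SPECIAL_CATEGORY:
        return "restricted"    # explicit approval and an allowed jurisdiction needed
    if categories:
        return "confidential"  # personal data: data-processing terms with the provider needed
    return "internal"


def classify_documents(documents: Dict[str, str]) -> Dict[str, Tuple[str, List[str]]]:
    """Label every document and list the PII categories found in it."""
    report = {}
    for name, text in documents.items():
        findings = scan_text(text)
        report[name] = (classify(findings), sorted({f.category for f in findings}))
    return report


if __name__ == "__main__":
    for name, (label, categories) in classify_documents(SAMPLE_DOCUMENTS).items():
        print(f"{name}: {label} {categories}")
```

The report carries only redacted samples, so the scan output itself does not become another copy of the personal data; the labels can then drive which files are allowed to go to a provider in a given jurisdiction.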
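The second risk above recommends identity federation on SAML, where the customer's own identity provider (IdP) vouches for a user and the cloud application, acting as service provider (SP), decides whether to trust the assertion. The block below is an added example, not the blog's or any vendor's code, of the checks the SP side must make before it grants access: signature, issuer, validity window and audience. To stay self-contained it uses an HMAC over the assertion text as a stand-in for XML Signature, and a fixed clock; the IdP and SP URLs, the secret and the user name are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed values. The shared secret stands in for the IdP signing key the SP
# learned from the IdP's metadata; the URLs are invented for the example.
IDP_SIGNING_SECRET = b"constructed-demo-secret"
SP_CONFIG = {
    "trusted_issuer": "https://idp.example.org/metadata",
    "audience": "https://crm.cloud-provider.example/sp",
}
NOW = datetime(2013, 2, 15, 12, 0, tzinfo=timezone.utc)  # fixed "current time" for the demo


def sign(assertion_xml: str) -> str:
    """HMAC-SHA256 over the assertion text: a stand-in for XML-DSig, not the real thing."""
    return hmac.new(IDP_SIGNING_SECRET, assertion_xml.encode(), hashlib.sha256).hexdigest()


def make_assertion(issuer, audience, subject, not_before, not_on_or_after) -> Tuple[str, str]:
    """What the IdP sends: a minimal SAML 2.0 assertion plus its signature."""
    xml = (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-id" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion>"
    )
    return xml, sign(xml)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(assertion_xml: str, signature: str, now: datetime,
                       config=SP_CONFIG) -> Tuple[bool, str]:
    """SP-side checks. Returns (accepted, subject or rejection reason)."""
    # 1. Signature first, so nothing unsigned is parsed or trusted.
    if not hmac.compare_digest(sign(assertion_xml), signature):
        return False, "signature mismatch"
    root = ET.fromstring(assertion_xml)
    # 2. Only the configured IdP may vouch for users of this SP.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != config["trusted_issuer"]:
        return False, f"untrusted issuer {issuer}"
    # 3. Validity window: a stale assertion must not be accepted later.
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return False, "missing Conditions"
    not_before = parse_ts(conditions.get("NotBefore"))
    not_on_or_after = parse_ts(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "outside validity window"
    # 4. Audience: an assertion issued for a different SP is not valid here.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["audience"] not in audiences:
        return False, "audience mismatch"
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return True, subject


if __name__ == "__main__":
    xml, sig = make_assertion(SP_CONFIG["trusted_issuer"], SP_CONFIG["audience"],
                              "alice@example.org", "2013-02-15T11:55:00Z", "2013-02-15T12:05:00Z")
    print(validate_assertion(xml, sig, NOW))                    # accepted
    print(validate_assertion(xml, sig, NOW.replace(hour=13)))   # rejected: expired
```

In a real deployment the signature check is an XML Signature verification against the IdP's certificate, done by a SAML library such as pysaml2 or python3-saml rather than by hand, and the XML is parsed with a hardened parser; the four checks themselves are the same. Note that the order matters: the signature is verified before anything in the assertion is read.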

EVERY MOVE YOU MAKE I’LL BE WATCHING YOU

13.12.2011 by Mike Small

Is your location private? If you have installed an App on a smartphone it is almost certain that your location is being tracked. So should you care? Are you giving away details of your movements too cheaply? Is being able to track where your children are a benefit or a risk? To find the answers to these and other questions, on December 12th I attended “A Fine Balance 2011: Location and Cyber privacy in the digital age” sponsored by the UK Knowledge Transfer Network.

The title of this article is taken from the lyrics of a 1983 song by “The Police” that was used as the basis of a talk by Richard Hollis, CEO of Orthus and a director of ISACA. In his talk he explained the business value of geo-location information in increasing revenue as well as reducing cost, and the difficulty individuals have in opting out of having their location tracked. He gave a number of examples of the use of location data, including: a US car rental firm that adds an extra charge if the car has exceeded 79mph for a period longer than 2 minutes, and a French company that saved on fraudulent expenses claims by tracking employees’ locations. He also described how he discovered that his new bank debit card contained an RFID chip, allowing the bank to track his presence. When he enquired of all the major UK banks he found that he was unable to opt out from this or find a bank that didn’t use this technology. Hollis believes that companies like Google have made billions of dollars from tracking where you went on the internet and they expect to make more from tracking your physical location. The downside of this data is that it is valuable to criminals; for example, knowing you are not at home is valuable to thieves.

Stewart Room, a partner at Field Fisher Waterhouse LLP, outlined the legal basis for privacy. In Europe, the relevant legal framework is the data protection directive (95/46/EC). This applies where personal data are being processed as a result of the processing of location data. The e-privacy directive (2002/58/EC, as revised by 2009/136/EC) applies to the processing of base station data by public electronic communication services and networks (telecom operators).

Location data is defined in the above as being: “any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”.

Location data is covered by general rules on data protection and can only be processed anonymously or with informed consent. But how informed is the consent that is given? Jonathan Bamford, Head of Strategic Liaison at the ICO, described an end user agreement for the use of an App that was over 10,000 words in length. He also reported that the EU Working Party set up under Article 29 of EU Directive 95/46/EC has published a document on this subject: Opinion 13/2011 on Geolocation services on smart mobile devices. He noted that this document states: “Typically, companies that provide location services and applications based on a combination of base station, GPS and WiFi data are information society services. As such they are explicitly excluded from the e-Privacy directive…” At the end of his presentation the audience was invited to vote on a number of issues, including what approach the ICO should take to deal with this emerging problem.

Prof Jonathan Raper then presented his vision for a location data broker. This would provide a service that would securely store data on the location and movements of individuals. It would then only make this information available to other organizations with the consent of the individuals concerned and share any monetary value with them. It would also be able to provide confirmation of individuals’ whereabouts in the case of disputes.

Chris Atkinson, from the UK Council for Child Internet Safety, then discussed safeguarding children’s privacy in social media. She posed the question “are children vulnerable innocents or tech savvy natives?” In the UK 50% of children aged 12-15 own a smartphone in comparison to only 27% of adults. In the EU 1 in 5 9-12 year olds have a profile on Facebook, in spite of there being a requirement to be 13 years or older (due to the US child protection laws). Most of these younger children do it with the help of their parents. 52% of 11-18 year olds are aware of geo-location services and 48% like their friends to know where they are.

At the end of this event I had more questions than answers. Geo-location information on individuals seems to be in widespread use. It is, for example, funding the development of Apps: people want the services provided by the Apps but would prefer not to pay for them directly. Online marketing is willing to pay to know where you are, and that is fine if it is done lawfully and transparently. I still worry that this geo-location data could be misused and personally I prefer not to knowingly provide it.

For more debate on this subject why not attend the European Identity Conference on April 17-20 in Munich.

© 2013 Mike Small, KuppingerCole