-
Tempus fugit II …..
Posted on June 29th, 2010
Time flees as the Latin tag says (perhaps more commonly recognised as ‘Time Flies’) and it certainly seems to be the case with Data Retention.
It seems just a short time ago that we were watching the progress of the Directive through the European parliamentary system, from introduction through discussion (is that really the right word for the actions of the UK Presidency in 2005?) to amendment and then to final acceptance and transposition to national law.
In the UK we were there at the beginning, transposing the first parts to apply to fixed line and mobile telephony. 18 months later came the inclusion of Internet data. The interesting bits were the differences between national transpositions - some elected for retention for as little as 6 months, others for 12 and some for as long as 24 months (but would have liked longer). The UK opted to allow for reimbursement of capital expenditure and the provision in relation to Internet data seems to pay only slight compliance - requiring retention of data only where the national authorities deem that it is necessary.
Some member states have only brought data retention within national law in recent months - Portugal in August 2009, Italy at the end of 2009 and Poland only at the beginning of 2010 (UK, 1st phase Sept 2006, 2nd phase March 2008). There remain a number of member states where data retention has still not been applied - Austria, Belgium, Greece, Ireland, Luxembourg, Romania, Sweden - so much for the idea of ensuring a common approach to law enforcement.
But, time flies. The implementation of the Data Retention Directive provided for an evaluation of the Directive. The time has now come for that evaluation and a number of conferences and meetings have taken place. The results of evaluation will be published later in the year, probably in October 2010. After that, the Commission will begin the processes that will lead to proposals for a revised Directive, probably by the end of 2011 with expected implementation by 2014.
It is too early to say what that new Directive may include, but undoubtedly there will be pressure to expand the range of retained data to include a wider range of Information society services - The Crusher would expect to see pressure for the inclusion of social networking data and web site access. There may be some agreement on a reduction in the range of the approved time scales - although as most members currently retain for 12 months this is unlikely to affect the majority (including the UK).
The evaluation report from the Commission does include some interesting data relating to the number of requests for access to retained data in 2008.
Member State      Requests   Requests / 100K population
Cyprus                  34      3
Czech Republic      131560   1288
Germany              13348     16
Denmark               3605     66
Estonia               4490    346
Greece                 584      5
Spain                72011    178
Finland               4010     76
France              538437    866
Ireland              14095    335
Lithuania            79586   2239
Latvia               16862    756
Malta                  867    214
Slovenia              2821    141
United Kingdom      470222    769

Clearly there are wide variations in the raw number of requests with France and the UK heading the number of actual requests. Of course, both have fairly high populations so it is reasonable that there should be a large number of requests. But, when the figures are compared against the national populations the data requests become more interesting. The right hand column shows the number of data requests per 100,000 of population. Under this order, Lithuania shows a massive 2239 requests per 100K with the UK behind France at a much lower 769. Yet Cyprus only requests data at the rate of 3 per 100,000!
Of course, there will be variations in what is perceived as relevant crime and the use of data to locate rather than to determine specific use. It may well be that the larger number of requests are being used more as a location tool than as a more detailed investigatory procedure. But, the figure for Lithuania is so much greater than others it does rather beg the question what use is being made of retained data in that small state? Perhaps there remains an investigatory throwback to a previous regime - although the lower (far lower) figures for neighbouring Estonia and Latvia may negate that suggestion.
Interesting data - it will be interesting to watch what comes out of the Commission in late summer/autumn 2010.
-
Identity - start by helping yourself ……
Posted on May 8th, 2010
Whilst we all mull over the results of the General Election held on May 6th here in the UK, a time to ponder some other topics. It seems that it will be a while before there is any clear indication on future policy and on departmental responsibilities and it may now be likely that there will be some form of coalition. If there is not then we may well be in for a period of minority government and the likelihood of another election in the coming months. If that is the case I will suggest Thursday October 21st as a suitable day.
That is, of course, Trafalgar Day, so a suitable day to decide the future path of the country. Remember, you saw that date here first!
But, to a different topic. The Crusher finds an opportunity from time to time to consider things away from the normal run of regulation and legal development. Now seems as good a time as any to do that.
A few weeks ago The Crusher updated links to online credit card transactions. As part of the update, the bank offered a higher level of security and the availability of software to monitor access to banking accounts and to advise of any potential threats to personal security. All good stuff and good to see that the bank are taking steps to help customers with their online transactions. The latest applications now run alongside the standard anti-virus, anti-spyware, firewall and other tools - all of which should be part of the standard set-up for any online user.
The Crusher is only too well aware of the potential problems. At the beginning of this year one of our financial service suppliers advised that they had detected an unusual transaction for a fairly large sum. They asked if an online order had been placed with a US based supplier. Apparently the order had already been declined as it was outside the normal pattern and had been flagged as potentially suspicious by security software - the call confirmed the status and no payment was authorised.
Of course, the result of this was immediate cancellation of the account and a new card. Interesting to speculate on how the card number came to be used. Maybe it was collected from the home PC (unlikely to be honest), maybe from a remote merchant or maybe it was randomly generated. Whatever the source, the security and anti-fraud systems at the bank kicked in and spotted and blocked an unusual transaction.
Online fraud and identity theft is an increasing problem. The card issuers in the UK have attempted to tackle problems here by issuing ‘chip and PIN’ cards. If a card is used and the correct PIN is inserted then the transaction is verified and payment authorised. If a card is used for an online transaction then there are a series of checks to ensure that the card is being used correctly - entering exact name, registration address, card verification code (the last three digits on the reverse), start and expiry date etc. And then there are the further security steps using ‘Verified by Visa,’ 3D Secure etc. where the card owner is asked to insert a password or a selection from a pass-phrase to validate the purchase. All good stuff - but it is clear that the move to ‘chip and PIN’ has made life more difficult for criminals and that there is now an increase in online fraud.
Identity theft is now a recognised problem, much publicised in the press and by financial service providers with strong advice to users. It really is not a good idea to store details of the PIN in the same location as the card! Shred unwanted documents and store statements and others in secure locations. Most people will recognise the actions and will be taking steps - and are rightly aggrieved with the loss of personal data by large organisations including Government Departments and others.
But - prevention of identity theft must start at home. As already suggested, make sure that there are firewalls, anti-virus, anti-spyware in place and that operating systems are fully patched and up-to-date. Those are all the obvious and technical things. But it is the warmware that is likely to be the weakest link - not the software or the hardware.
Warmware is, of course, the user. So why is it that The Crusher is writing about this right now? Well, again it is down to personal experience.
Last week my mobile phone broke - well, it was the tiny pin within the charging connection of the Nokia phone. Once that broke it was impossible to charge the battery so only a short time before the phone became completely u/s. It probably could be repaired but it is now a few years old and there were other faults as well. So, time to get a new one. Or, at least, new to me. Relatively new mobile phones can be picked up quite easily online, eBay and other sources can offer deals at well below the prices of high street suppliers.
So, a search for a new phone, an order and a delivery. Very rapid delivery and far faster than it would have taken to have got the old one repaired. A more up-to-date model too, with lots of new gizmos to play with!
OK, steps to update. Connect old phone to PC and download all contact details and stored messages etc. Now connect the new one ready to sync the details.
Ah ha - the new phone has a lot of data in it. Download all the contents to the PC to edit. Now what do I have - all the previous owner's contacts, family, friends, work related etc. Music tracks, some data, some video and more.
Of course, I have now taken steps to erase all the data, both from the phone and from my PC. But, in this world of identity theft it really is a little worrying to see what someone, probably wholly inadvertently, has left for someone else to discover.
Now, I no longer have the data but I could very easily have built up a profile of the user. That would have included their home location (it’s in the Midlands), the location of family members (parents, parents-in-law, brothers and sisters and others), exact work location (try Googling a business phone number), names of work colleagues etc. I know who the previous owner is likely to bank with, likely hobbies and interests and that they are likely to be concerned over crime or anti-social behaviour in their area.
This sort of information would be an absolute gold-mine for a criminal. It is clearly so easy to overlook but a potential warning for us all.
If you are going to dispose of any item that may have personal or other important data on it then do take steps to either thoroughly delete the data or to destroy the device before disposal. The Crusher knows of one person who took a 12-bore shotgun to a hard drive, another who used a lump hammer and an electric drill to break up the device. You really cannot be too careful!


