
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
July 21, 2011


The News of the World, phone hacking allegations and information governance: lessons to be learned

On Sunday 10 July, the News of the World published its last edition. This paper had been in print for 168 years, and was the top selling Sunday newspaper in the UK.

Its closure, of course, followed revelations of how the newspaper had allegedly obtained personal information using illegal methods such as phone hacking.

The $64,000 question for security managers and their Boards of Directors is simply this: ‘What does this whole episode teach us about privacy and information governance?’

The News of the World had a long history of exposing corruption in business and politics as well as the personal scandals surrounding celebrities. Indeed, the title had been very effective at finding and revealing many stories of wrongdoing and corruption that were indeed in the genuine public interest.

The events leading up to the paper’s closure began in 2005 when the News of the World published details of Prince William’s health. These details could only have originated from intercepted mobile telephone messages, and this duly resulted in a police investigation.

Two years later (and as stated in a prior article published by SMT Online), a reporter working for the newspaper and a private investigator were sent to prison for phone hacking. It was reported that the pair were considered to have been acting alone, and the investigation subsequently ended.

However, over a period of time it emerged that the telephones of further prominent people had allegedly been hacked. Then there were further allegations that the lists of compromised ‘phone numbers apparently included those of crime victims and of family members of people who died in the 7/7 London suicide bombings.

Former Prime Minister Gordon Brown has since accused News International – owner of the News of the World as well as The Sun and The Sunday Times, of course – of using known criminals to find stories.

In 2006, The Sun published a story about the medical condition of Brown’s son Fraser. Brown suggests that only his family and medical staff had access to this information [1].

So what exactly is privacy?

What is privacy, and why does it matter?

In essence, privacy is the capability of people to prevent information about themselves from being made available to others. There’s no universal agreement on what information is considered private. However, privacy is a balance of the rights of an individual against the good of society.

For example, it should not be possible for people to keep criminal activities secret using the right to privacy as an excuse.

The European Convention on Human Rights [2] guarantees the right to privacy, and forms the basis for privacy legislation in the European Union (EU). This document emerged from the aftermath of the Second World War, and was intended to prevent oppressive actions by states, bugging and late night knocks on the door by the secret police.

In particular, Article 8 of this document guarantees a right to privacy (and is extracted here):

1. Everyone has the right to privacy for his/her private and family life, his/her home and his/her correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals or for the protection of the rights and freedoms of others.

During the 1990s, it was recognised that cross-border trade required the free movement of information which was vital in terms of creating a strong EU. In turn, this led to the EU directives on privacy which were intended to enable the free interchange of personal information around Europe while at the same time protecting the privacy of individuals.

There are two principal EU directives which cover privacy: 95/46/EC on personal data processing and 2002/58/EC concerning the privacy of electronic communications. While these directives provide a common approach, laws do vary in detail from country to country.

What’s the basic problem?

In terms of the current situation, there are two points. First, it’s difficult to understand how – if the allegations are proven to be true – obtaining information such as that described above can be explained as being in the public interest.

Second, the fact that reporters and investigators were apparently able to get hold of such information raises the question of how well that information was being managed and secured. The basic problem, then, would appear to be one of information governance.

When an organisation in the UK obtains personal information about individuals it should do this with the consent of those individuals and for a clearly defined purpose.

If the information is held on a computer then that organisation should register this fact with the Information Commissioner. It should also allow individuals to have copies of the information that it holds on them and correct any errors therein.

That organisation should use appropriate techniques and technology to secure the information from misuse.

If an organisation obtains or holds information about individuals but does not know that this is happening then there’s a clear failure of information governance.

Equally, if an organisation holds information about individuals and discloses this detail to unauthorised people then that’s also a failure of information governance.

It may be argued that the news media are a special case, and there is indeed some merit in this argument. If the objective of an organisation is to penetrate criminal gangs and corrupt enterprises in order to reveal wrongdoing then it can hardly be expected to act like a retail marketing operation.

In terms of the current situation, we will have to await the results of the latest police investigation to find out whether or not the law has been broken.

As stated, the ease with which individuals were allegedly able to obtain some of the information raises the question of how well this information was being managed by the individuals and organisations to whom it belonged.

It’s alleged that the mobile ‘phones did not have voicemail security codes set to operate, and that reporters were able to ‘blag’ information by calling organisations holding information and pretending to have a legitimate right to that information (even though this scenario may be difficult to believe for anyone who has attempted to negotiate the questions posed by call centre staff in the name of data protection).

A question of information governance

What’s the solution to this problem?

Balancing the rights of individual privacy against the need for freedom of the press isn’t easy, and we will have to wait to see what emerges from these events.

Certainly, organisations need to take care of the information they hold and ensure that they comply with both the laws of the land and recognised Best Practice techniques.

The best approach for organisations to adopt is one focused around high level information governance. Information governance sets the policies, procedures, practices and organisational structures that ensure information is properly managed.

Of itself, good governance ensures that there’s a consistent approach to risks and compliance across different lines of business and multiple laws and regulations. It can also reduce costs by avoiding multiple ad hoc approaches to compliance and risk management.

Organisations with good information governance will know what information they hold, and will have a process for training staff on how to keep this information secure. That training should include securing voicemail and how to detect and resist attempts to ‘blag’ information.

Exploitation of human weaknesses

Most ‘blagging’ is based on the exploitation of human rather than technology weaknesses. For example, the ‘blagger’ will pretend to be someone in authority, or will alternatively ask for help.

The strongest defence against this is to ensure that you have registered an agreed point of contact with the individual (for example, a phone number). If there’s any suspicion about a request, it’s right to insist that the information will only be provided via that registered point of contact.

Balance between individual rights and the public interest

Privacy is a fine balance between individual rights and public interest. Organisations that collect information on individuals – even the recognised news media – absolutely need to make sure that they comply fully with privacy legislation.

Similarly, organisations holding information on individuals need to take care that this information is handled properly, and that staff are trained to detect and resist unauthorised attempts to get hold of this information.

Like I said, it’s basically all down to good information governance.

Mike Small represents the London Chapter of the ISACA Security Advisory Group and is a senior analyst with KuppingerCole.

References

[1] http://www.bbc.co.uk/news/uk-14116786

[2] Convention for the Protection of Human Rights and Fundamental Freedoms, Rome, 4 November 1950

Mike will be running a Workshop on ‘Securing the Cloud’ at ISACA’s Information Security and Risk Management Conference 2011, which is to be held in Barcelona from 12-16 November.
