ICO: Volunteer to be audited by us, we might not bust you The Information Commissioner's Office said more companies should offer themselves up for voluntary audits. According to the quango's annual report, a third of organisations offered the chance to be audited by the ICO accepted. Of the 603 breaches last year, 186 came from private companies. But only 19 per cent of these firms …
Is this a sense of humour or legal amorality? I can't tell.
I can blame Sony for keeping customer information on an Internet-connected server, for being incompetent at basic security, for grossly immoral behaviour that created enemies, for deliberately and illegally infecting their customers computers with that root-kit, for breaking their contract with their customers by removing functionality post-purchase, ... The list is endless.
"no one can blame them [Sony] for getting hacked"
There are no* 'unhackable' systems, but if putting unencrypted text files of passwords onto an insecure public server isn't a cause for blame, I'd like to know what is.
* The only 100% secure computer system is one that’s not connected to a network … and switched off … and encased in concrete … at the bottom of the ocean.
Sending demands for payment[1] to Councils? Why not just send the taxpayers a bill directly, it works out to the same thing?
The ICO should bring cases against individuals, go after commercial targets, or sod off and get proper jobs.
[1] Last I checked, a "fine" can only be imposed by a court, not some pathetic quango.
Councils need to be held to account for not looking after personal data properly. How should that be done?
In some ways fining a council isn't that different to fining a corporate - it doesn't come out of the pocket of the person responsible, ultimately the public pay. For a council it comes out of taxes, for a corporate it is passed on as price rises and lower dividends (= smaller pension).
What it achieves in a small way is to weaken the position of the council leaders/board of directors. In an ideal world that would affect their salary or even cost them their job. In the real world perhaps not.
.."* The only 100% secure computer system is one that’s not connected to a network … and switched off … and encased in concrete … at the bottom of the ocean."
You have no clue what you are talking about, as evidenced by the fact you used the phrase "the only 100% secure". NOTHING is "100% secure" when applied to a broad threat model. If you think that your definition of 100% secure is in some way actually useful, you truly are naive.
You have only implemented prevention systems systems in that model - no detection of attacks or response for when they are in process (or afterwards - when they are successful). In theory only the cost of getting the thing off the ocean bed (and a hammer and chisel to get past the concrete) are needed to gain access to your "100% secure computer system".
Security is an fundamentally an economics problem - you make trade-offs in resources or functionality to gain security (or not). Your above model is not only insecure by any sane reason for why you would use that approach, but for all intents and purposes utterly useless and impractical - what's the point of a computer that cannot be used?
I really hope you have no responsibility for anything where security actually matters.
I try my best to support the ICO but when every complaint to their office gets the obligatory "we're sorry for the time it has taken to respond", I find it a bit annoying that they're not devoting resources to speeding up the complaints process.
The ICO should carry out audits whenever they receive a complaint. When you bear in mind that the majority of organisations in the UK use standard form civil contracts in an attempt to "customise" the DPA98 to suit their own needs, and when you bear in mind that no term in a standard form civil contract can deny a consumer of a statutory right, why aren't the ICO auditing the terms and conditions of companies?
Pick a company... any... and I bet I can find something in their privacy policy/terms and conditions that is incompatible with the rights afforded me by the DPA98.
"Pay the boss, or something nasty might happen to your windows. Capiche?"
The ICO Data Protection Racket; cough up the dough, give the Godfather 'respect', and they won't prosecute you... regardless of the way you abuse personal information.
ICO; lazy, corrupt, and completely incompetent.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
