Professor Reza Sotudeh – Head of School of Engineering & Technology, University of Hertfordshire
David Smith – Deputy Information Commissioner and Director of Data Protection
Professor Ross Anderson FRS FREng – Professor of Security Engineering, University of Cambridge
Lars Davies – CEO, Kalypton Limited
Professor M. Angela Sasse – Head of Information Security Research, University College London
Vote of Thanks
Teresa Schofield – Chair, Women in Engineering, IEEE (UKRI)
“Information – Safe?” – EEESTA’s twelfth annual prestige seminar – took place on the evening of Wednesday 10th November 2010 at the University of Hertfordshire.
After an informal networking buffet, the seminar was opened by the Chairman – deputy commissioner for Data Protection David Smith. The welcome address was then given by our host for the evening, Professor Reza Sotudeh, Head of School of Engineering, University of Hertfordshire, after which the Chairman presented the EEESTA Innovation Award.
This annual award to an outstanding Arkwright Scholar was inaugurated in 2008 to celebrate the 10th annual Prestige Seminar at the University of Hertfordshire. This year it went to James Crossley of St Albans School – a young man of many talents. He is a key member of the award-winning school Engineering and Technology Society, is actively involved with Brambleton Model Railway Club and is a theatre tech at the Alban Arena. But James is primarily a young entrepreneur. He already has three profitable businesses, which he intends to develop to full maturity.
The Chairman then set the scene for the evening and introduced the first speaker, Professor Ross Anderson FRS FREng, Professor of Security Engineering, University of Cambridge. Professor Anderson is one of the founders of a new academic discipline – the economics of information security. He is the author of the standard textbook “Security Engineering – a Guide to Building Dependable Distributed Systems” and is widely published on technical security.
Professor Anderson spoke first about personal privacy in social networking. He pointed out that engineering for privacy, as for security or dependability, involves computer science, economics and psychology. Privacy is particularly hard to achieve because these three factors often pull in different directions. Social networking sites fund themselves by sales of user data, but users seek a feeling of intimacy so they are liable to include private information in their profiles. Privacy controls provided by sites are often complex to configure and the default settings are usually wide open. But over ninety per cent of users never change the defaults, so exposure is the norm.
He then discussed the findings of a 2009 research programme he participated in on the security and extent of UK government databases. Of 46 databases, only six got a green light for fulfilling the spirit of privacy law and eleven were considered to be potentially in breach of the Human Rights Act. Examining the current position, he pointed out that a substantial number of the offending databases had merely been revamped or renamed, so despite public promises to the contrary, it’s really business as usual.
Professor Anderson summed up by repeating that online privacy is hard, as economics, psychology and technology are often in conflict. However, European law may ultimately set the boundaries, as in the case of “I v Finland”, where a nurse who was HIV+ was hounded out of work by colleagues after they gained access to her personal medical records. The European Court of Human Rights ruled that she had a right to restrict access to her health records to clinicians involved directly in her care.
The second speaker, Lars Davies, is CEO of Kalypton Limited. He was a Senior Visiting Fellow to the Institute for Computer and Communications Law, Centre for Commercial Law Studies at Queen Mary, University of London where he specialised in Information Technology Law, Internet Law and Telecommunications Law. Lars currently concentrates on information management, compliance and policy for commerce and government.
Speaking on corporate privacy, he pointed out that commercial organisations have a legitimate need to make use of personal data, without which many of the services that we take for granted would be impossible to perform. This point is often lost in the hysteria surrounding data breaches, and there is often a lack of understanding of the true nature of data protection and what it should achieve. Organisations need to understand their obligations and the benefits that they will gain from meeting those obligations. Individuals must understand why organisations need to access that data. Most importantly, both organisations and individuals need to understand what privacy really is, and what is required to maintain it. Lars pointed out that personal data is only a subset of the data corporates need to protect. Breaches can seriously damage the public image of a corporation, but proper data management can significantly enhance it.
The third speaker, Angela Sasse, is Professor of Human-Centred Technology and Head of Information Security Research in the Department of Computer Science at University College London. A usability researcher by training, her research over the past 15 years has focused on developing human-centred approaches to security, privacy, identity and trust. Professor Sasse spoke about managing the human element in information security. She pointed out that keeping corporate data secure is a hard task, and managing human behaviour is a key challenge. Referring to a study on the escalating cost of password resets at a large corporation, she pointed out that users faced with an excess workload tend to shortcut security mechanisms. They don’t understand threats and risks. In consequence there is conflict between users and those tasked with maintaining security. Without understanding the implications, users feel overloaded with rules and are penalised for mistakes. So under pressure, they will find ways to circumvent controls. For example, an unintended consequence of chip and PIN is that some parents have sent their children shopping with their credit card and PIN, which breaches card issuers’ terms and conditions, but would not have been possible when a signature was required.
The seminar ended with a chaired question and answer session which provided further interesting insights from all the speakers. The Chairman then summed up, mentioning the topic for the 2011 Seminar, “Engineering the Olympics”.
The vote of thanks was given by Teresa Schofield, Chair Women In Engineering, IEEE (UKRI), and mother of two MEng students. She kindly stood in at short notice for Sir William Francis, who was unable to attend owing to illness. Reviewing the presentations, she offered some personal insights that confirmed the validity of many points made by the speakers, particularly with reference to the everyday habits of ordinary people and their potential impact on personal privacy.
Photographs on this page by Will Dennehy Photography. Text by Ian Williamson.