On Wednesday I attended the Information Commissioner's Office (ICO) Personal Information Online Conference 2009 at which the ICO launched their consultation on the new Personal Information Online Code of Practice.

Manchester and Salford gave us a beautiful sunny day for the event which briefed delegates on the ICO's approach to data protection and an outline of the collaborative process used to develop the draft code of practice. Iain Bourne, Head of Data Protection projects, noted that fewer than hoped public sector organisations had been involved to date, and they would like more feedback from this sector in particular during the consultation phase that ends on 5 March 2009.

My first impressions are this will be a useful document for organisations without staff dedicated to data protection or compliance, especially once the examples and SME checklist are added. The structure and content are still a little raw, but probably about right for the start of a 12-week consultation process. Areas where I am already considering providing feedback are:

• local storage of personal information (not just cookies)
• verification of protection
• suppliers, sub-contractors and staff
• monitoring and anomaly detection
• transmission of personal information
• inclusion of third party content in web sites
• using cookies to enforce an opt out
• additional reference materials.

The full text and consultation document is available as a PDF.

Feedback on the Personal Information Online Code of Practice can be provided using the ICO's consultation portal with further background available in the related press release.

The results of the Internet in Britain 2009 survey by the Oxford Internet Institute highlights people's usage and concerns about the internet and web sites.

Some aspects of the report relating to e-commerce, trust, fraud and privacy are summarised below.

• Confidence in the Internet and the commercial services that it offers remains high.
• Use of the internet is leading to greater trust in the technology as a source of information and medium of communication and services.
• Since 2007, people are now just as concerned about credit card fraud, and the right to anonymously express opinions, but less concerned about the threat of computers and the internet to privacy.
• Negative experiences of the internet are not as great as portrayed in the media.
• The survey examined what personal information people are willing to provide when registering on websites.
• A general desire for greater regulation of the internet.

Read the report for the methodology, full information and detailed analysis. The report also provides useful data on internet penetration and usage patterns such as for web 2.0 and mobile technologies.

In this month's PC Pro magazine, Davey Winder commented on the Information Security Awareness Forum (ISAF) concerning their recommendation to have "report abuse" links on web sites.

In his column titled "Stupid Security" in the Online Security section of Real World Computing, he says there are too many "click this" links on most sites and that a report abuse link on a fake site is likely to give you a fake answer. Very true.

But that doesn't get away from the problem that people still need to have somewhere to go to ask for help, to query account entries, to answer concerns or to report suspicious emails and web pages. That's why we have phone numbers printed on credit cards, bank statements and even on web sites.

The ISAF and its member organisations are doing more than many others, including their excellent Directors' Guides, and they didn't deserve this. Perhaps PC Pro will become a member and contribute to the effort to promote and improve information security awareness.

Do people understand tab grouping in Internet Explorer version 8 (IE8)? This was a new idea introduced to collect together and identify tabs originating from the same source.

Note this isn't grouping based on the web site (domain name)—it's grouping from which other tab you clicked. The group colour is selected randomly, so yesterday's blue might be today's yellow.

My concern with tab grouping is not the concept, but the use of colour. Not because of the accessibility difficulty that some people may have distinguishing between colours, which is partially addressed by Microsoft in a tab naming convention, but because the colours can lead to confusion about SSL certificates. Take this example with four tabs open, the first tab selected and a current Extended Validation (EV) SSL certificate in use:

1. Bank No X online banking login (domain A / SSL)
2. Bank No X information page (domain B / non-SSL) opened using a link on page 1
3. Bank No Y home page (domain C / non-SSL)
4. Bank No Y business banking login (domain D / SSL) opened using a link on page 2

What does green mean? How about if we have an invalid SSL certificate and the tab group is green:

Confusing? Yes. It can lead to this type of misunderstanding:

Helping people to identify and reject invalid SSL certificates is important—IE8 users are being put at a disadvantage by Microsoft. I'd like to see tab grouping turned off by default for now, and some other indicator of tab groups used instead of distracting colour-coding. Perhaps, since new tabs are always opened adjacent to their 'parent', even something as simple as this mock-up might suffice:

Is this easier to understand? What do you think?

It came as news to me that there is a UK Risk and Regulation Advisory Council (RRAC). It has been considering how distorted perceptions of risk can encourage poor policy-making and unnecessary laws.

The RRAC's report on Response with Responsibility Policy-Making for Public Risk in the 21st Century includes some useful discussion and ideas on the perception of risk. I think there are many parallels with information security risk such as the un-necessary spreading of Fear, Uncertainty and Doubt and risk perception & risk-reduction behaviour in The Psychology of Security.

Information privacy and security professionals would do well to read the case study on "Tree Safety – The Role of the Risk Actor" on page 15 of the RRAC report which discussed a proposal for tree safety management and a lack of participtaion during the consultation stages except for arboriculturalists ("tree consultants").

The privacy and security industry need to make sure, we don't blindly recommend the ALARP principle (As Low As is Reasonably Practical), or be seen as promoting our own vested interests, whether by being a product vendor or provider of consultancy services. Yes, risks should be kept as low as reasonably practicable, but they need to be considered in the context of the individuals, the business and society.

Last night I had the pleasure of attending the Nominet Best Practice Challenge Awards 2009 at Banqueting House in Whitehall, London.

In the Best Security Initiative Award, OWASP Board member Dinis Cruz, OWASP London chapter leader Justin Clarke and I were representing The Open Web Application Security Project. Our entry for the 2009 Best Practice Challenge had been shortlisted in June.

It was interesting to see the innovative work being undertaken across the UK in security, access, diversity and openness. The Yorkshire Business Crime Reduction Centre (BCRC) won the Best Security Initiative Award. The BCRC is supported by South Yorkshire Police and the Regional Development Agency, and undertakes e-commerce and physical security assessments for small and medium-sized enterprises (SMEs) in the area. Their recent E-Crime Guide is a very useful introduction to the issues.

It is good to see an increasing awareness of online and e-commerce security, and this looks likely to continue with the recent announcement by the Prime Minister of new initiatives to secure the UK from cyber threats, following publication of the Digital Britain report last month.