07 June 2013

Data protection

Posts relating to the category tag "data protection" are listed below.

04 January 2013

Online Behavioural Advertising Rule Changes

The UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (CAP Code) will include new rules in a month's time (February 4th 2013) relating to greater transparency and choice for consumers around Online Behavioural Advertising (OBA).

Photograph of a hand-written notice taped to the pavement with the words 'Please mind the hole!!' written on it - there appears to be an uncovered inspection chamber below

The Online Behavioural Advertising Regulatory Statement, published by the Committee of Advertising Practice (CAP) in November 2012, describes how notices must be provided to web users, in or around online display advertisements, that they are undertaking OBA, together with a mechanism to opt out. These are based upon the pan-European industry-wide agreed self-regulatory standards — the European Advertising Standards Alliance (EASA) Best Practice Recommendation and the IAB Europe Self-Regulation Framework.

The rules are defined in a new Appendix 3 of the CAP Code, and will be enforced by the Advertising Standards Authority. The rules will be reviewed again later in 2013.

Posted on: 04 January 2013 at 08:39 hrs


18 December 2012

Disposal

Just in case you have got the development process running slickly, and operation is going smoothly, have you thought about asset disposal, and related data destruction, at the end of life?

Photograph of a few autumnal-coloured leaves on a lichen-covered tree

Well, the UK's Information Commissioner has produced a short guide IT Asset Disposal for Organisations.

As it states in the guide "if personal data is compromised during the asset disposal process, even after it has left your organisation, you may still be responsible for breaching the DPA so it is important to manage the process correctly". This is of course relevant for other types of data too. And not just your own equipment, but that of organisations processing data on your behalf (and in the cloud).

Who is your "asset disposal champion"?

Posted on: 18 December 2012 at 06:58 hrs


27 November 2012

Personal Data Anonymisation Code of Practice

The UK's Information Commissioner's Office (ICO) Head of Policy, Steve Wood, recently discussed the issues around data anonymisation on the ICO blog. Anonymised data is information that does not identify any individuals, either in isolation or when cross-referenced with other available data, and he suggested the need to develop an effective and balanced risk framework for personal data anonymisation to protect privacy and yet provide opportunities to exploit the data.

the risk of identification must be greater than remote and reasonably likely for information to be classed as personal data under the DPA

Anonymisation is another technique that can be used to reduce the risk from the loss or unauthorised access to personal data, along with data minimisation, pseudonymisation, aggregation, masking, encryption and tokenisation.

Following the ICO's public consultation earlier in 2012, a new code of practice has been issued under the Data Protection Act that focuses on managing the data protection risks related to anonymisation. Anonymisation: Managing Data Protection Risk Code of Practice intends to assist organisations that need to anonymise personal data, identifies the issues to consider, discusses whether consent is required, confirms there are fewer legal restrictions on anonymised data, and describes the legal tests required under the Data Protection Act.

The code provides guidance on a decision making process to help when considering the release of anonymised data that includes establishing a process to take into account the:

  • likelihood of re-identification being attempted
  • likelihood the re-identification would be successful
  • anonymisation techniques which are available to use
  • quality of the data after anonymisation has taken place and whether this will meet the needs of the organisation using the anonymised information.

The key point behind the code is the need to make a risk-based decision, and this could form part of a privacy impact assessment.

I very much like the examples and case studies in the three annexes. The case study in Annex 1 includes an example of how the "scope of personal data" can be minimised in the same way the "scope for PCIDSS" can be. In the latter, the storage of encrypted card holder data by an organisation that does not have access to the encryption keys can be deemed out of scope of PCIDSS requirements. In the code's case study, the partial redaction of data means the originating organisation must still consider the information as personal data (because it has the full version of the data, and the key to reverse the redaction), but another party that only has the redacted data set does not need to treat the information as personal data. Parallel compliance examples.
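To make the two points above concrete (the list of risk-reduction techniques such as pseudonymisation, masking and aggregation, and the Annex 1 case study where only the originating organisation holds the key to reverse the redaction), here is an added example in Python. It is not code from the ICO code of practice or from this blog; the customer records, the field names and the key are constructed for illustration. The released data set carries keyed pseudonyms (HMAC-SHA256 under a secret the originator keeps), a masked postcode and a generalised age band; only the party holding both the key and the full records can map a pseudonym back to a customer.

```python
import hashlib
import hmac
from typing import List, Dict, Optional

# Constructed sample records (hypothetical customers, not real data).
RECORDS: List[Dict] = [
    {"customer_id": "C1001", "name": "A. Example", "postcode": "SW1A 1AA", "age": 34, "spend": 120.50},
    {"customer_id": "C1002", "name": "B. Example", "postcode": "EH1 1YZ", "age": 71, "spend": 42.00},
    {"customer_id": "C1003", "name": "C. Example", "postcode": "SW1A 2BB", "age": 29, "spend": 305.25},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier, truncated to 16 hex characters.
    A recipient without the key can neither recompute it nor link it back."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_postcode(postcode: str) -> str:
    """Masking: keep only the outward code, e.g. 'SW1A 1AA' -> 'SW1A'."""
    return postcode.split()[0]


def age_band(age: int) -> str:
    """Generalisation: replace an exact age with a 10-year band, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(records: List[Dict], key: bytes) -> List[Dict]:
    """Build the data set handed to the other party: direct identifiers are
    dropped or replaced by keyed pseudonyms, quasi-identifiers are masked or
    generalised, and the analytic value (spend) is retained."""
    released = []
    for r in records:
        released.append({
            "pseudonym": pseudonym(r["customer_id"], key),
            "postcode_area": mask_postcode(r["postcode"]),
            "age_band": age_band(r["age"]),
            "spend": r["spend"],
        })
    return released


def reidentify(pseud: str, records: List[Dict], key: bytes) -> Optional[str]:
    """The originating organisation's 'key to reverse the redaction': with the
    secret and the full records it recomputes pseudonyms and finds the match.
    Anyone lacking either input gets None."""
    for r in records:
        if hmac.compare_digest(pseudonym(r["customer_id"], key), pseud):
            return r["customer_id"]
    return None


if __name__ == "__main__":
    originator_key = b"constructed-originator-secret"  # assumption: kept by the data controller only
    for row in anonymise(RECORDS, originator_key):
        print(row)
    print(reidentify(anonymise(RECORDS, originator_key)[0]["pseudonym"], RECORDS, originator_key))
```

The released rows are still subject to the code's re-identification test: the masked postcode and age band are quasi-identifiers, and whether they can be linked to other available data is exactly the "likelihood the re-identification would be successful" question in the decision process above, so the key alone does not settle the risk assessment.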

The section on governance discusses the need for assigning responsibilities, providing staff training, having procedures to help identify difficult cases, keeping up-to-date with legislation, the use of privacy impact assessments, being transparent with the individuals concerned, reviewing possible consequences, and preparing for an incident when re-identification has occurred.

Posted on: 27 November 2012 at 21:33 hrs


16 November 2012

Digital Identity for Winners

A very comprehensive report by the Boston Consulting Group, that assesses the value of digital identity, has been published by Liberty Global.

Examples of the charts included within 'The Value of Our Digital Identity'

The Value of Our Digital Identity describes consumers' increasing awareness of, and desire for, control, and how user control increases the willingness of users to share data. The report highlights how, unlike some commodities, as the volume and variety of digital data grows, so does its value. This data explosion is being driven by digital services and media, online data transactions, the internet of things and the current boom in social media. In turn this can fuel economic growth.

The report attempts to define what digital identity is, quantifies the current and potential economic value of digital identity for organisations and consumers, identifies important trends and offers a set of guiding principles that could help responsible organisations benefit from the value of digital identity.

Topics included that may be of particular interest to those involved with application design and implementation include:

  • Problems when there is a lack of transparency for users about how their personal data is collected and used
  • The benefits of offering the right to be forgotten
  • How the form of consent should be based on the type of data requested
  • The need for convenience (usability)
  • Sector-specific variations in user behaviour
  • The requirement to increase data security (and not just using technical controls)
  • Why there should be flexibility in regulation to allow users to make their own choices
  • How digital identity can be used to provide differentiation from competitors

The report suggests that organisations need to establish and promote a trusted flow of data, or otherwise there are significant lost opportunities for value generation. Read, digest and implement.

Posted on: 16 November 2012 at 20:51 hrs


09 November 2012

Justice Committee's Opinions on the EU Data Protection Framework Proposals

The UK government's House of Commons' Justice Committee has published a report on the European Commission's proposals for reform of data protection rules.

Partial view of the contents page from the House of Commons' Justice Committee's Third Report - The Committee's Opinion on the European Union Data Protection Framework Proposals

The Committee's Opinion on the European Union Data Protection Framework Proposals details the written and oral evidence received during the committee's consideration of the proposals, and lists 22 conclusions and recommendations.

The committee raises concerns about definitions, the benefits of prescriptive regulation, effect on law enforcement agencies, breach notifications, sanctions, and the impact on the UK's ICO and businesses.

Note the ICO is currently in the process of seeking quotations to undertake research into the quantification of the effect of the proposals on business. See also enquiries and clarifications regarding the request for quotation.

Posted on: 09 November 2012 at 10:43 hrs


21 August 2012

Listen to your Customers

Tesco plc has been in the news in the last couple of weeks regarding security of its ecommerce web site and how this has now escalated into an investigation by the ICO.

Passwords are stored in a secure way. They're only copied into plain text when pasted automatically into a password reminder mail.

Troy Hunt, security expert and generous contributor to the application security community, reported his concerns at the end of July. The issue seems to have rolled on, and on, and on. So it looks like there are at least password storage and cross-site scripting problems — two of the bare minimum OWASP Top Ten.

It appears Tesco has not taken application security seriously, and it has also managed to make matters worse by how it responded to valid enquiries from its customers and feedback via Twitter. Were these enquiries dealt with under an incident response plan? It seems unlikely. But this type of disregard for application security and failure to recognise valid feedback from customers is common. And, it is not limited to the UK retail sector. This isn't good enough.

Listen to your customers. Some of them might actually be trying to help you. For free. And they're not all muppets, whatever your corporate culture believes.
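The quoted statement above gives the game away: a password that can be "copied into plain text" for a reminder email is, by definition, stored reversibly. Here is an added example in Python (not code from Tesco, from Troy Hunt's write-up or from this blog) of the storage that makes such an email impossible. Passwords are stored as salted PBKDF2-HMAC-SHA256 digests that can only be verified, never recovered, and the forgotten-password path issues a random single-use reset token (itself stored hashed) instead of mailing anything secret. The iteration count, record format and function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Tuple

# Assumed PBKDF2 work factor; tune upwards as server hardware allows.
ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def store_password(password: str) -> str:
    """Return the record to keep in the database: algorithm, iteration count,
    a fresh random salt and the one-way digest. Nothing in this record lets the
    site reconstruct the password later, so no 'reminder' email can contain it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time. This is the only operation the stored record supports."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_reset_token() -> Tuple[str, str]:
    """Forgotten-password flow with one-way storage: generate a random token to
    send to the customer and a hash of it to store server-side, so a leaked
    database table does not expose usable reset links. Returns (token, token_hash).
    Expiry and single-use enforcement are left to the caller's storage layer."""
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return token, token_hash


def check_reset_token(token: str, stored_hash: str) -> bool:
    """Validate a presented token against the stored hash in constant time."""
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return hmac.compare_digest(presented, stored_hash)


if __name__ == "__main__":
    record = store_password("correct horse battery staple")  # constructed sample password
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("login bad:", verify_password("wrong password", record))
    token, token_hash = issue_reset_token()
    print("reset ok:", check_reset_token(token, token_hash))
```

Two records for the same password differ because each gets its own salt, which is what stops precomputed tables and cross-account matching; and because `verify_password` is the only way the record can be used, a customer asking "do you store my password in plain text?" can be answered honestly with the storage format itself.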

Posted on: 21 August 2012 at 07:57 hrs


07 August 2012

Consultation on Consumer Transaction Data

The theme of consultations continues. Last week the UK government's department for Business, Information and Skills (BIS), announced a consultation on a potential requirement for suppliers of services and goods, that hold data electronically, to provide to their consumer customers historic transaction and consumption data on request, in an open standard machine readable format.

Photograph of shopping till receipts

The consultation describes how transaction data can empower consumers to help them improve future decision-making. For example it might help them find a better deal, make savings, find services better suited to their needs or tell them useful things about their spending habits. The hope is that increased data transparency and greater consumer choice will help promote innovation and competition and could also have a deregulatory effect.

Currently the proposal is that the new requirement:

  • would only relate to transaction data relating to a consumer's purchase/consumption of products and services from that supplier
  • would only cover factual information, for example what a consumer bought, where they bought it, how much they paid for it etc.
  • would not cover any subsequent analysis that the data holder has undertaken on the information
  • would only apply to businesses that already hold this information electronically and it will only have to be released if requested by consumers.

It is not intended that businesses would be required to collect any new information, but being able to service such requests would be an additional burden and needs to be considered in future systems development. Regardless of the outcome of this process, now is probably the time to review data retention and disposal policies, and ensure terms & conditions of web site use and trading are kept in step so that consent for data deletion can be obtained and recorded.

BIS is holding three open forums — on the 9th, 16th and 23rd August — to discuss the proposals.

Responses can be submitted by email to midata@bis.gsi.gov.uk using the form in the consultation document, or using an online form. The closing date for responses is 10th September 2012.

Posted on: 07 August 2012 at 07:42 hrs


03 August 2012

The European Commission, Information Risk Assessments and Breach Notifications

Summer must be the time to publish consultations before everyone goes away on holiday. The European Commission (how the EU works) has published a consultation regarding information risk assessment and breach notification.

Photograph of a hotel-room safe with its door ajar; the mechanism to lock and unlock the safe is a credit card swipe device

The public consultation briefing describes how the European Commission is seeking to adopt a joint strategy with the High Representative of the Union for Foreign Affairs and Security Policy, that will ensure a secure and trustworthy digital environment, while protecting fundamental rights and EU core values. It is considering three approaches:

  • Voluntary cooperation and information exchange between member states, the public and private sectors as happens currently
  • Taking up minimum capabilities at a national level and promoting a more structured approach to cooperation and information exchange
  • Legislation to define minimum network and information security (NIS) capabilities for member states, a dedicated network for cooperation and information exchange, and most interestingly requirements for the private sector to adopt "NIS enhancing actions"

Within the last option, the Commission is considering a requirement to adopt risk management practices and to report security breaches to networks and information systems "that are critical to the provision of key economic and societal services (e.g. finance, energy, transport and health) and to the functioning of the Internet (e.g. e-commerce, social networking)".

The Commission has prepared a response form (web form, PDF) that asks a series of wide-ranging questions of governments, businesses and citizens, and there is scope for long answers and for submitting additional documents. The responses will be used to identify strategic actions and contribute to its impact assessment of the proposals. If your trade organisation or professional association is not planning a response, chase them up now.

The consultation runs until mid October 2012 (the 12th or 15th depending upon which document you believe).

Posted on: 03 August 2012 at 08:38 hrs


25 June 2012

Smart Meter Security, Risk Assessments and Audits

In another consultation, the UK's Department for Energy and Climate Change (DECC) is asking for views on the draft licence conditions relating to security risk assessments and audits for the UK's smart meter implementation programme.

The questions in the DECC's consultation on 'draft licence condition relating to security risk assessments and audits in the period before the DCC provides services to smart meters'

The licence conditions will run through to when the planned Data and Communications Company (DCC) becomes responsible for the provision of services. 55 million smart meters will be rolled out to consumers from 2014 through to 2019. The consultation is important in that it sets the precedent for the security of "end-to-end smart metering systems" in the UK. This includes equipment located at consumers' premises, the communications network between the consumers' premises and the energy suppliers, and the energy suppliers' head end system — and all business procedures associated with the installation, operation and support of the system. The scope is all-encompassing. Additionally the government wants to ensure security is embedded into the design of the systems and that they continue to be fit for purpose as risks, technologies and requirements evolve.

The consultation document includes the draft energy supplier licence conditions (in Annex A), and the consultation asks three questions:

  • "Do you consider that the draft licence conditions deliver the policy intention outlined in this document? Please provide comments on where the drafting could be amended or clarified.
  • Do you have any comments on the proposed approach that suppliers should carry out a number of good practice security disciplines and procedures as is set out in this document?
  • Do you have any further comments with regard to the issues raised in this document? We also welcome general comments around the approach to small suppliers, the processes expected of suppliers in general, and any related costs."

The draft conditions include requirements for carrying out a comprehensive risk assessment and for securing the system to an "appropriate standard" which is a "high level of security that is in accordance with industry good practice" and "capable of being verified" independently. Licensees would have to "take all reasonable steps to ensure that it is able to comply" with ISO 27001:2005 and "any equivalent standard of the ISO that updates, replaces or supersedes that standard". I am slightly concerned about the term "good practice" and would prefer "appropriate measures based on the risk assessment". Additionally it is not clear which entities the risks will be assessed for — apart from the energy companies, I would like that to include consumers and society at large, since security incidents may have wider impacts than on the ability for energy suppliers to conduct their business.

Surprisingly, there is no mention of work from other countries such as NIST Interagency Report (IR) 7628 Guidelines for Smart Grid Cyber Security, published in 2010.

The term "supplier end-to-end system" is defined in paragraph Z.5 of the appendix such that "equipment" includes "any associated software and ancillary devices". Paragraph Z.6 then goes on to provide a definition of "secure". The Supplier End-to-End System is secure if "both the System and each individual element of it is designed and operated to ensure, to the Appropriate Standard, that it is not subject to interference or misuse that (whether directly or indirectly):

  • causes any loss, theft or corruption of data;
  • results in any other unauthorised access to data; or
  • gives rise to any loss or interruption of [electricity/gas] supply or to any other interference with the service provided to a Customer at any premises."

So, clearly protection of data and availability of service to customers. But these types of system misuse have not been mentioned:

  • Use of the communications network for unauthorised purposes
  • Collection or processing of unauthorised data by the software
  • Use of the application to undertake unauthorised activity
  • The presence of unapproved or malicious code within the authorised software
  • Installation of unapproved software on any device
  • Use of any part of the system to attack other systems

Surely a system would not be "secure" if any of the above occurred? Remember this includes software on the smart meters and all the business processes for support and operation. And finally, perhaps there ought to be some statement in the definition of "secure" about hardening and patching, although these might be derived from the policy. Similarly monitoring of suspicious and malicious use.

Responses to the consultation have to be sent to smartmetering@decc.gsi.gov.uk by 27 July 2012.

Posted on: 25 June 2012 at 11:45 hrs


13 June 2012

Privacy and Terms of Use Labelling

In previous posts, I have mentioned labelling in A Software Security Kitemark?, Trust and E-commerce Trustmarks, Privacy Labelling, Trust .UK, Security Labelling, and Software Assurance Labelling. There are some impressive developments in ideas for privacy and terms of use labelling.

Screen capture of the sample CommonTerms prototype terms preview

Coming to Terms, on the Project VRM blog, describes the work at StandardLabel.org, CommonTerms and BiggestLie.

There are some great insights into rights, user behaviour and clarity of expression, which could contribute to formulating better, more understandable, descriptions of software security quality for users. Could security be meaningfully summed up in a single statement, or even just a small number of icons?

It's a challenging problem to produce something of value to a consumer, that takes a minimal amount of effort to digest. I like the approach of the OWASP Application Security Verification Standard, but even this has a degree of complexity of manual vs. automated testing, and I am not sure software security (from the end user's viewpoint) can be entirely divorced from the security of the underlying infrastructure.

Any thoughts?

Posted on: 13 June 2012 at 07:25 hrs

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

© 2008-2013 clerkendweller.com