17 May 2013

Legislation

Posts relating to the category tag "legislation" are listed below.

17 May 2013

Internet and Mobile Literacy, Usage & Opinions

OFCOM, the UK communications sector's regulator and competition authority, has announced a report on adults' use of media and attitudes.

More than half of internet users say they use the same passwords for most websites

The Adults' Media Use and Attitudes Report 2013 (complete 181 page print version) discusses media literacy, take-up, preference and media use, understanding, attitudes and concerns, use of the internet and mobile phones, and users in three classes: new, "narrow" and non-users.

Over half of all internet users think that online purchasing puts their privacy at risk

There is a wealth of valuable data for strategic planning and marketing purposes, but also useful information on security and safety habits and attitudes to regulation of the internet. If you need information to help support decisions around security and usability, this report will have something of use to you.

A quarter of internet users say they have experienced a virus on their home PC or laptop in the past year

It is this weekend's best read.

Posted on: 17 May 2013 at 08:34 hrs


10 May 2013

IP Address Sharing and Individual Identification

BT has announced a trial of its Carrier-Grade Network Address Translation (CGNAT) where Internet Protocol (IP) addresses will be shared between subscribers.

organisations [will] generally have to treat IP addresses as personal data

Concerns have been expressed about the ability of some applications to work if they rely on the assumption that IP addresses are unique, and also about how this affects the identification of individual people.

Out-law.com provides a good review of the issues and information from BT, but links to the sources are not provided. BT has apparently stated they will still be able to identify individuals despite using CGNAT.

But the issue of identification does not only relate to newsworthy "illegal online activity" but also for wider privacy protection of completely legal activity where it is clear that IP addresses really must be considered as personal identifiers, especially when they can be combined with other data sets. Something to be considered in privacy impact assessments.

Posted on: 10 May 2013 at 09:48 hrs


07 May 2013

Consultation on Cyber Security Standard

The UK Cabinet Office has announced a consultation into the proposed cyber risk management standard for organisations as part of its cyber security strategy announced in November 2011.

Photograph of the feedback entry device for travellers at Gatwick Airport who have just passed through the outbound security checks, labelled 'How was your security experience' with four smiley-style buttons below

The proposed guidance and accompanying call for views and evidence define cyber security as "preservation of confidentiality, integrity, and availability of information in cyberspace" and cyberspace quite broadly as "complex environment resulting from the interaction of people, software, and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form".

The UK Government intends to select and endorse an organisational standard that best meets the requirements for effective cyber risk management. The current proposal outlines requirements for a standard, its objectives, outcomes, auditable requirements and controls in "at least" the following areas:

  • Network security
  • Malware prevention
  • Secure configuration of information systems
  • Monitoring
  • Removable media
  • Home and mobile working
  • Managing user privileges
  • User education and awareness
  • Incident management.

So it is somewhat disappointing that application security isn't mentioned, but those requirements pre-date this consultation, which is about the choice of an existing standard to follow.

Responses can be sent by email to cybersecurity@bis.gsi.gov.uk or by post to Cyber Security Team, BIS, 1 Victoria Street, London SW1H 0ET. The closing date to submit evidence is 14 October 2013.

Posted on: 07 May 2013 at 19:39 hrs


30 April 2013

2013 Information Security Breaches

Last week the UK's Department for Business Innovation & Skills published the 2013 Information Security Breaches Survey, created in conjunction with PwC.

One of the bar charts in the DBIS '2013 Information Security Breaches Survey'

The report presents the results of the survey and breaks the findings down for larger (>250 staff), medium and smaller (<50 staff) organisations. The term "cyber" appears 15 times and "APT" only once, so it is generally hyperbole-free.

The most interesting data points for me are:

  • 18% of "worst breaches" related to websites and internet gateways, and 4% to breach of laws/regulations
  • For all breaches, operational disruption typically lasts a week, with 2-4 weeks of FTE effort responding to the incident, and a quarter of incidents leading to lost business
  • Reputation losses were estimated to be between £10,000 and £100,000.

The report is available to download in full free of charge without registration.

Posted on: 30 April 2013 at 20:53 hrs


05 April 2013

Fair Data?

At the end of January, the Market Research Society (MRS) launched an initiative called Fair Data.

Photograph from the London Shard at dusk looking towards Canary Wharf

Existing MRS Company Partners (who are already subject to the MRS Code of Conduct), and others who apply and pass an assessment by the MRS of their "policies and procedures", must firstly adhere to the 10 principles and secondly must "use the Fair Data mark in all relevant dealings with customers and respondents". The 10 principles relate to the following topics:

  1. Consent
  2. Purpose
  3. Access
  4. Security
  5. Respect
  6. Sensitive personal data
  7. Supply chain
  8. Ethics
  9. Staff training
  10. Default to not using personal data unless there is adherence to the above nine principles

So the scheme does not include all eight data protection principles, but does add some extra business process requirements. Perhaps this is because the trust mark has been designed "to be used internationally".

The scheme seems to have some initial endorsements, but these types of things won't work unless there is wide adoption, so that consumers and others recognise the mark, and unless that is backed up by verifiable evidence that it makes a difference. I am not sure if this "kite mark" or "trust seal" is the one to make everyone confident about the use of their personal data.

Posted on: 05 April 2013 at 18:32 hrs


01 March 2013

Privacy Legislation for Mobile Apps

With the publication of a report by the US Federal Trade Commission, new proposed privacy legislation is gaining support in the United States.

Photograph of an airline's mobile check-in app offering a £99 upgrade with '99999999' displayed where a date is expected

The FTC's report Mobile Privacy Disclosures: Building Trust Through Transparency made recommendations for platform developers, app developers and third parties including advertising networks. The report also commented on how app developer trade associations, academics, usability experts and privacy researchers can contribute.

The Application Privacy, Protection and Security Act of 2013 (APPS Act) discussion draft proposes requirements for user consent, the protection of personal and de-identified data, with enforcement by the FTC.

It will be interesting to see where this goes.

Posted on: 01 March 2013 at 07:44 hrs


08 February 2013

EU Cybersecurity Strategy and Proposed Directive

The European Commission published its Cybersecurity Strategy and details of a new proposed directive yesterday under the Digital Agenda flagship for ten-year growth.

Photograph of a temporary electronic matrix display sign at an outdoor event in Hyde Park London displaying the warning 'Security Checks In Operation'

The Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace describes five strategic priorities:

  • Achieving cyber resilience
  • Drastically reducing cyber crime
  • Developing cyberdefense policy and capabilities related to the Common Security and Defence Policy (CSDP)
  • Develop the industrial and technological resources for cybersecurity
  • Establish a coherent international cyberspace policy for the European Union and promote core EU values.

These lead to actions including:

  • Developing strong national cyber resilience capabilities, notably by building expertise on security and resilience of industrial control systems, transport and energy infrastructure
  • A voluntary certification programme to promote enhanced skills and competence of IT professionals (e.g. website administrators)
  • Training on NIS and secure software development and personal data protection for computer science students
  • Increase accountability of registrars of domain names and ensure accuracy of information on website ownership
  • Examine how major providers of ICT hardware and software could inform national competent authorities on detected vulnerabilities that could have significant security implications
  • Develop ... technical guidelines and recommendations for the adoption of NIS standards and good practices
  • Stimulate the development and adoption of industry-led security standards, technical norms and security-by-design and privacy-by-design principles
  • Develop, in cooperation with the insurance sector, harmonised metrics for calculating risk premiums, that would enable companies that have made investments in security to benefit from lower risk premiums.

The Proposal for a Directive of the European Parliament and of the Council Concerning Measures to Ensure a High Common Level of Network and Information Security Across the Union is a complementary measure aimed to standardise efforts in member states. Responsibilities are placed on public administrations and market operators in the private sector. The latter is defined to include both providers of information society services which enable the provision of other information society services (e.g. e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services, application stores), and operators of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking that provide credit, financial market infrastructure such as stock exchanges, and organisations providing health care.

There is a helpful commentary on initial opinions at ComputerWeekly.com.

Posted on: 08 February 2013 at 08:45 hrs


18 January 2013

Proposed Amendments to EU Data Protection Framework

MEP Jan Philipp Albrecht, Rapporteur to the European Parliament's Committee on Civil Liberties, Justice and Home Affairs, has published a report with suggested amendments to the EU Data Protection Framework proposals.

These might well add to the concerns of the UK's Justice Committee, and certainly to those of the advertising industry, around the issue of explicit consent and a widening of the definition of personal data, including in some circumstances "Internet Protocol addresses, cookie identifiers and other unique identifiers".

The report outlines the current text proposed by the Commission, the proposed amendment and justification for the proposed change. Apologies for the length of this post, but some of the more important suggested amendments for web site and web service operators are outlined below to give a flavour of what might be expected.

  • 14 "... The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable"
    changed to
    "... This Regulation should not apply to anonymous data, meaning any data that can not be related, directly or indirectly, alone or in combination with associated data, to a natural person or where establishing such a relation would require a disproportionate amount of time, expense, and effort, taking into account the state of the art in technology at the time of the processing and the possibilities for development during the period for which the data will be processed."
  • 15 "When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances."
    changed to
    "When using online services, individuals may be associated with one or more online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses, cookie identifiers and other unique identifiers. Since such identifiers leave traces and can be used to single out natural persons, this Regulation should be applicable to processing involving such data, unless those identifiers demonstrably do not relate to natural persons, such as for example the IP addresses used by companies, which cannot be considered as 'personal data' as defined in this Regulation."
  • 31 "In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation."
    changed to
    "In order for processing to be lawful, personal data should be processed on the basis of the specific, informed and explicit consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation."
  • 19 "In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment."
    changed to
    "In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment. The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent."
  • 25 New "The interests and fundamental rights of the data subject override the interest of the data controller where personal data are processed in circumstances where data subjects do not expect further processing, for instance when a data subject enters a search query, composes and sends an electronic mail or uses another electronic private messaging service. Any processing of such data, other than for the purposes of performing the service requested by the data subject, should not be considered in the legitimate interest of the controller."
  • 45 New "The right to the protection of personal data is based on the right of the data subject to exert the control over the personal data that are being processed. To this end the data subject should be granted clear and unambiguous rights to the provision of transparent, clear and easily understandable information regarding the processing of his or her personal data, the right of access, rectification and erasure of their personal data, the right to data portability and the right to object to profiling. Moreover the data subject should have also the right to lodge a complaint with regard to the processing of personal data by a controller or processor with the competent data protection authority and to bring legal proceedings in order to enforce his or her rights as well as the right to compensation and damages resulting of an unlawful processing operation or from an action incompatible with this Regulation. The provisions of this Regulation should strengthen, clarify, guarantee and where appropriate, codify those rights."
  • 54 "To strengthen the 'right to be forgotten' in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party."
    changed to
    "To strengthen the 'right to erasure and to be forgotten' in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public without legal justification should be obliged to take all necessary steps to have the data erased, but without prejudice to the right of the data subject to claim compensation."
  • 61 "The protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and organisational measures are taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default."
    changed to
    "The protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and organizational measures are taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default. The principle of data protection by design require data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal. The principle of data protection by default requires privacy settings on services and products which should by default comply with the general principles of data protection, such as data minimisation and purpose limitation."
  • 84 "'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;"
    changed to
    "'data subject' means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, alone or in combination with associated data, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to a unique identifier, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, social or gender identity or sexual orientation of that person;"
  • 106 New "4a. Consent loses its effectiveness as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were collected."

The topic of information security is also addressed:

  • 39 "The processing of data to the extent strictly necessary for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by, or accessible via, these networks and systems, by public authorities, Computer Emergency Response Teams - CERTs, Computer Security Incident Response Teams - CSIRTs, providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the concerned data controller. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems."
    changed to
    "The processing of data to the extent strictly necessary for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist accidental events or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by these networks and systems, by public authorities, Computer Emergency Response Teams - CERTs, Computer Security Incident Response Teams - CSIRTs, providers of electronic communications networks and services and by providers of security technologies and services, in specific incidents, constitutes a legitimate interest of the concerned data controller. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems. The processing of personal data to restrict abusive access to and use of publicly available network or information systems, such as the blacklisting of Media Access Control (MAC) addresses or electronic mail addresses by the operator of the system, also constitutes a legitimate interest."

While not all these amendments (or the rest of the draft framework itself) will come into law, it would be a brave organisation not to start taking these types of considerations into planning and upcoming projects.

Posted on: 18 January 2013 at 08:00 hrs


04 January 2013

Online Behavioural Advertising Rule Changes

The UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (CAP Code) will include new rules in a month's time (February 4th 2013) relating to greater transparency and choice for consumers around Online Behavioural Advertising (OBA).

Photograph of a hand-written notice taped to the pavement with the words 'Please mind the hole!!' written on it - there appears to be an uncovered inspection chamber below

The Committee of Advertising Practice (CAP) published the Online Behavioural Advertising Regulatory Statement in November 2012. It describes how notices must be provided to web users, in or around online display advertisements, that OBA is being undertaken, together with a mechanism to opt out. These are based upon the pan-European industry-wide agreed self-regulatory standards: the European Advertising Standards Alliance (EASA) Best Practice Recommendation and the IAB Europe Self-Regulation Framework.

The rules are defined in a new Appendix 3 of the CAP Code, and will be enforced by the Advertising Standards Authority. The rules will be reviewed again later in 2013.

Posted on: 04 January 2013 at 08:39 hrs


21 December 2012

Digital Economy Cyber Security

The European Commission is planning new legislation to support the digital economy, including around the aspect of cyber security.

Photograph of a white van with 'RESPONSE UNIT' written on its side

In its Digital Agenda for Europe, the EC proposes measures to improve trust so that the EU becomes the leading region in the world in terms of network and information security, online safety, and protection of online privacy. It is proposed that the European Cyber Security Strategy include the establishment of the European Cybercrime Centre (EC3) at Europol and adoption of the Directive on attacks against information systems.

Additionally, measures are proposed to target the sale of fake goods using the internet, particularly fake pharmaceuticals and consumer products, and for the protection of children.

The public sector, companies providing "essential services" (e.g. banking, energy, health, transport) and those providing "online platforms" (perhaps cloud services, large social media sites?) may need to undergo risk assessments, perform preparedness tests and also be subject to mandatory incident reporting.

Posted on: 21 December 2012 at 23:30 hrs

Legislation : Web Security, Usability and Design
http://www.clerkendweller.com/legislation
© 2008-2013 clerkendweller.com