This afternoon I attended a meeting of the UK Internet Governance Forum (UK IGF) at the BIS Conference Centre in London.

Nominet Chief Executive Lesley Crowley described the messages the UK team took from the recent Internet Governance Forum (IGF) in Sharm el Sheikh, Egypt, in November 2009. The overall theme had been "Internet Governance – Creating Opportunities for All" and the Rt Hon Alun Michael MP, Andrew Miller MP, Ian Taylor MP and Derek Wyatt MP described their impressions from the workshops and meetings at Sharm el Sheikh about involvement of young people, green issues, the internet as a forum for good and security & e-crime.

An open discussion was held with contributions from the audience on these topics and also about the future of the IGF. The fifth annual IGF Meeting will be held in Vilnius, Lithuania, from 14th to 17th September 2010. The UK is again looking to take examples of best practice to demonstrate how self-regulation can work.

Nominet also launched their Internet Awards 2010 which is accepting entries until 1st April 2010. This year's categories are Getting People Online, Making the Internet Safer, Opening the World of Knowledge, Empowering Young People & Citizens and Nurturing Powerful Local Partnerships. The judges are looking for innovative, different, high-quality entries—especially for projects that might surprise the judges.

The meeting closed with comments from the Rt Hon Stephen Timms MP (Financial Secretary to the Treasury and BIS Minister responsible for Digital Britain) and from Bob Gilbert (Nominet Chairman).

I have updated the chart detailing the most important guidance, standards, legislation and organisations that can affect web development security and privacy in the UK.

The Principal Influences on UK Web Applications is published on my company's web site and details the changes made since the previous version in August. The information is laid out as a mind map diagram, and as a text tree.

Not all the items are relevant to every web site—some aspects are sector specific—but much of the guidance from organisations, in guidelines and in standards can be of use beyond their intended audiences.

But this chart isn't just about web site security and privacy. The chart can also be useful for organisations implementing an information security management system (ISMS) that need to keep up-to-date with compliance requirements, and those with a need for knowledge on wider information assurance (IA) aspects. There's quite a lot of overlap.

This week the Ministry of Justice published the summary of responses to their consultation on revised fines for serious breaches of the Data Protection Act.

In Civil Monetary Penalties: Setting the Maximum Penalty proposals were made for a maximum £500,000 fine following granting of powers to impose civil monetary penalties being added to the Data Protection Act (DPA) 1998 (Sections 55A to 55E) by the Information Commissioner's Office (ICO) through section 144 of the Criminal Justice and Immigration Act 2008.

The 52 submissions described in the summary of responses showed broad agreement for fines up up to £500,000 for data controllers who seriously contravene data protection principles. The ICO issued a press release Data Breaches to Incur Up To £500,000 Penalty on the same day with details of how they will consider:

• the circumstances including the seriousness of the data breach
• the likelihood of substantial damage and distress to individuals
• whether the breach was deliberate or negligent
• what reasonable steps the organisation has taken to prevent breaches.

The ICO has produced statutory guidance about how it proposes to use this new power, which has been approved by the Secretary of State for Justice, and has been laid before Parliament.

The statutory guidance is worth reading since it outlines things such as "reasonable steps the Commissioner expects the data controller to take" that include (in a non-exhaustive list that includes mention of risk assessment, governance, audit, policies, procedures and practices):

So, the standards are being raised.

Subject to Parliamentary approval, the civil monetary penalties are expected to come into force later this year on 6 April:

• Draft Order "The Data Protection (Monetary Penalties) Order 2010"
• Statutory Instrument 2010/31, The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010

P.S. If you are interested in privacy matters, The EU's Article 29 Working Party and Working Party on Police and Justice have jointly published a paper on The Future of Privacy (WP 168) and there is an excellent summary and overview on the Tech and Law blog. The conclusion: a new comprehensive legal framework for data protection is needed in the EU.

On Wednesday I attended the Information Commissioner's Office (ICO) Personal Information Online Conference 2009 at which the ICO launched their consultation on the new Personal Information Online Code of Practice.

Manchester and Salford gave us a beautiful sunny day for the event which briefed delegates on the ICO's approach to data protection and an outline of the collaborative process used to develop the draft code of practice. Iain Bourne, Head of Data Protection projects, noted that fewer than hoped public sector organisations had been involved to date, and they would like more feedback from this sector in particular during the consultation phase that ends on 5 March 2009.

My first impressions are this will be a useful document for organisations without staff dedicated to data protection or compliance, especially once the examples and SME checklist are added. The structure and content are still a little raw, but probably about right for the start of a 12-week consultation process. Areas where I am already considering providing feedback are:

• local storage of personal information (not just cookies)
• verification of protection
• suppliers, sub-contractors and staff
• monitoring and anomaly detection
• transmission of personal information
• inclusion of third party content in web sites
• using cookies to enforce an opt out
• additional reference materials.

The full text and consultation document is available as a PDF.

Feedback on the Personal Information Online Code of Practice can be provided using the ICO's consultation portal with further background available in the related press release.

You may have heard some news about cookies, consent and the Council of the European Union in the consideration of the confidentiality the communications. Well, the legislation has been passed and the regulators is each nation have until 26th April 2011 to implement it.

The legislation amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws, will require that prior consent is required before cookies are set:

What will this this mean for authentication and authorisation cookies that use cookies for session management? If the cookies are a mandatory part of the purpose for which the user is undertaking (i.e. requested access to an area that requires authentication), there is an exception:

Note that there is no exception for cookies for advertising, web analytics software, security logging, usability testing etc., and it would seem that prior consent will be required for those. Although 2011 may seem a long way off, new applications in development and changes to existing applications should certainly be considering the implications, and owners of existing web applications should be assessing the possible effects and make plans once UK legislation is passed and guidance issued.

Additional discussion:

• Telecoms package conciliation: MEPs and Council representatives agree on internet access safeguards
  Press release, Euroepan Parliament, 6 November 2009
  http://www.europarl.europa.eu/news/expert/infopress_page/052-63798-309-11-45-909-20091105IPR63793-05-11-2009-2009-true/default_en.htm
• An Analytics Problem for the UK Public Sector
  The Pickards, Blog, 25 October 2009
  http://www.thepickards.co.uk/index.php/200910/an-analytics-problem-for-the-uk-public-sector/
• Consent will be required for cookies in Europe
  Out-Law News, 9 November 2009
  http://www.out-law.com/page-10510

I don't feel as pessimistic about this as Out-Law seem to be. Perhaps we'll see opt-in services being provided by the advert distribution agencies, rather than by each individual web site.

Sometimes you read someone else's blog post and think "I wish I had written that".

Well, Jeremiah Grossman has blogged All about Website Password Policies which neatly sums up password policies for typical web sites and web applications.

The suggested policy is not for your online bank, but the sort of web sites most developers have to work on day-to-day. He also has a good brief explanation of how to store passwords in a hash digest form (but also read the associated comments).

I do think, however, that there is never a reason to have passwords stored in plain text—password recovery mechanisms can be built that do not need to send the actual password. But also, I agree with the comment that passwords truncation should be done with care and that allowing users to have longer pass phrases (containing space characters) can be beneficial. Let the user decide on what they are happy with, above the minimum standards.

My own password related posts are Is Password Complexity Too Complex to Implement? and Guessable Usernames and Passwords.

It's common for access to some web sites to be restricted to users from particular Internet Protocol (IP) addresses. This is usually in addition to some other identification and authentication method. But other IP addresses are often added to this "allow list" and these should not necessarily be trusted in the same way.

In a typical scenario, a web site hosted on the internet that is used to administer another web application might be restricted to the company's own IP addresses. Then the developers say they need to check something on the live site, or another server needs to index the content, or someone wants to work from home for a while, or the site needs to be demonstrated at a client's location. All these additional IP addresses are added to the "allow list". These restrictions may be being applied at a network firewall, traffic management system, at the web server, in the application itself, in intrusion detection systems or in log analytical software, or in many of these. These are difficult to manage and in time there will be many IP addresses that no-one knows why they are allowed unless they are carefully documented, and subject to a fixed time limit when they are confirmed again by an appropriate person or removed. These extra addresses are quite often hard for someone else to guess.

However, there is another area where IP addresses are added to "allow lists", and this is for remote monitoring and testing services. These might be checking uptime, response times, content changes, HTML validation or security testing. The service providers publish the IP addresses of the source systems so that companies can specifically allow access to their web sites. Since the number of these services is relatively small, it's not too difficult to find which one might give access to areas of a web site or web application that the public (and malicious people) should not be able to get to. The particular danger here is that the IP addresses might be excluded from monitoring and logging, and therefore even a diligent web site manager might not realise for example the uptime monitoring service is making unusual, or excessive, requests.

Although it is not likely a malicious person is using this "trusted" address unless routing has been compromised as well, problems can go undetected, from what might seem to be a legitimate source. The IP address may have been typed incorrectly, or worse, the restrictions/exceptions may not have been implemented correctly allowing more addresses to have the privileged access than intended. Not logging a user's session is privileged access.

Allow traffic through, but be very specific what is allowed and monitor what's going on. Review all the exceptions periodically. Be especially careful about anything that bypasses authentication (such as allowing a search engine to crawl restricted-access content) on an otherwise public site.

If you are considering undertaking customer monitoring, offering personalisation, providing targetted recommendations or even just appointing an advertiser that uses online behavioural advertising, reading guidance from the Internet Advertising Bureau (IAB) is a good starting point.

The IAB have developed a consumer-orientated website Your Online Choices, a guide to online behavioural advertising and online privacy.

However, more useful reading matter is the IAB's Good Practice Principles for Online Behavioural Advertising. The principles are self-regulatory and prospectively binding on each member in respect of their UK operations. Also remember the principles I discussed last month in User Analytics and Tracking. Whether your company, or advert network, is a signatory or not, it makes sense to understand the issues and apply them in your own online provisions. Consider what data are really necessary and ensure compliance with all internal and external mandates, including legislation.

At this time of the year, gardeners have usually seen the best of their summer displays, and thoughts turn to tidying up the garden before the winter.

The publication of a new report from the Ponemon Institute on Data Security in Development & Testing is a timely reminder that like gardens, our web site and web application development and test systems need periodic attention, otherwise they can go wild too. The report describes the findings from a survey of IT practitioners in the United Kingdom and United States on the adequacy of their policies and technologies in place to protect real data used in development and testing. The survey is included in the report, so you can compare your own organisation.

Take some time to identify how real data are being used in your development and test systems, and determine what sensitive data is being used, stored, transmitted and how it is deleted. Are you allowed to sue the data for development and testing? Check who has access to the data, from where, and what the risks are.

If you undertake some form of masking or other anonymisation technique, do read and take into account a new summary of research and discussion by Paul Ohm in his paper Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization.

Put plans in place now, that will make next year easier. No manure required.

The results of the Internet in Britain 2009 survey by the Oxford Internet Institute highlights people's usage and concerns about the internet and web sites.

Some aspects of the report relating to e-commerce, trust, fraud and privacy are summarised below.

• Confidence in the Internet and the commercial services that it offers remains high.
• Use of the internet is leading to greater trust in the technology as a source of information and medium of communication and services.
• Since 2007, people are now just as concerned about credit card fraud, and the right to anonymously express opinions, but less concerned about the threat of computers and the internet to privacy.
• Negative experiences of the internet are not as great as portrayed in the media.
• The survey examined what personal information people are willing to provide when registering on websites.
• A general desire for greater regulation of the internet.

Read the report for the methodology, full information and detailed analysis. The report also provides useful data on internet penetration and usage patterns such as for web 2.0 and mobile technologies.