Protecting the privacy and security of sensitive customer data in the cloud

The global ubiquity of cloud computing may expose consumers' sensitive personal data to significant privacy and security threats. A critical challenge for the cloud computing industry is to earn consumers' trust by ensuring adequate privacy and security for sensitive consumer data. Regulating consumer privacy and security also challenges government enforcement of data protection laws that were designed with national borders in mind. From an information privacy perspective, this article analyses how well the regulatory frameworks in place in Europe and the United States help protect the privacy and security of sensitive consumer data in the cloud. It makes suggestions for regulatory reform to protect sensitive information in cloud computing environments and to remove regulatory constraints that limit the growth of this vibrant new industry.     

Reconstructing consumer privacy protection on‐line: a modest proposal

Problems with consumer trust and confidence in the Internet as a safe environment in which to shop, browse and associate are well documented, as are the correlations between this lack of consumer trust and fears about privacy and security online. This paper attempts first to show why existing legal and extra‐legal modes for the protection of privacy online are failing to protect consumers and promote consumer trust. In particular it critiques the European regime of mandatory data protection laws as outdated and inappropriate to a world of multinational corporatism and ubiquitous transnational data flows via cyberspace. In the second part lessons are drawn from the crisis currently faced by intellectual property in cyberspace, particularly in reference to MP3 music files and peer‐to‐peer downloading and useful parallels are drawn from the solution devised by William Fisher of the Berkman Centre, Harvard, in the form of an alternative payment scheme for copyright holders. Finally, the insights drawn from Fisher's work are combined with original proposals drawn from a comparison of the consumer–data collector relationship in cyberspace with the roles played by truster, trustee and beneficiary in the institution of common law trust. The resulting ‘modest proposal’ suggests that a ‘privacy tax’ be levied on the profits made by data collectors and data processors. This could fund no‐fault compensation for identified ‘privacy harms’, improve public privacy enforcement resources, provide privacy‐enhancing technologies to individuals, satisfy the desire of commerce for less data protection‐related internal bureaucracy and possibly create the conditions for better promotion of consumer trust and confidence. The uptake of electronic commerce would thus be significantly enhanced.     

Reconfiguring the Animal/Human Boundary: The Impact of Xeno Technologies

The focus of this paper is on the symbolic and cultural as well as practical implications of what I term xeno technologies. I argue that these biomedical technologies, which aim to prolong individual human lives through the sacrifice of animal bodies, generate considerable anxiety and pose many intriguing issues for health care lawyers. In part, the concerns engendered by xeno technologies are attributable to the incalculable risks they may pose. This, coupled with public distrust of scientific evaluations of risk, undermines scientific attempts to present them as benign technologies. In this paper, however, I suggest that xeno technologies provoke a deeper cultural unease by raising, in acute new forms, historical and religious concerns about bodily mixing and rejection which challenge traditional notions of (human) self identity. The various ways in which xeno technologies render human and non-human bodies vulnerable and penetrable, pose multiple challenges to the animal/human boundary. In my view, they should force a radical re-thinking of notions of kinship, which should extend beyond the ȁ8easy caseȁ9 of human kinship with other great apes. Rather than addressing this issue, however, healthcare law makes valiant attempts to shore up the animal/human boundary. Such efforts at boundary maintenance may be traced at various sites, including the regulatory regime under the Human Fertilisation and Embryology Act 1990. I argue that lawȁ9s efforts to grapple with the ethical challenges posed by biotechnologies are doomed to incoherence unless it confronts the unreflective speciesism underpinning law, which designates animals as property and serves to obscure our kinship with them. My suggestion is that health care ethicists and lawyers should instead seek to expose the myriad ways in which biotechnologies may prove oppressive rather than liberatory for those who are made their human and animal subjects.     

Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools,trust, and techniques

We expose and explore technical and trust issues that arise in acquiring forensic evidence from infrastructure-as-a-service cloud computing and analyze some strategies for addressing these challenges. First, we create a model to show the layers of trust required in the cloud. Second, we present the overarching context for a cloud forensic exam and analyze choices available to an examiner. Third, we provide for the first time an evaluation of popular forensic acquisition tools including Guidance EnCase and AccesData Forensic Toolkit, and show that they can successfully return volatile and non-volatile data from the cloud. We explain, however, that with those techniques judge and jury must accept a great deal of trust in the authenticity and integrity of the data from many layers of the cloud model. In addition, we explore four other solutions for acquisition—Trusted Platform Modules, the management plane, forensics-as-a-service, and legal solutions, which assume less trust but require more cooperation from the cloud service provider. Our work lays a foundation for future development of new acquisition methods for the cloud that will be trustworthy and forensically sound. Our work also helps forensic examiners, law enforcement, and the court evaluate confidence in evidence from the cloud.     

Intelligent agents and intentionality: Should we begin to think outside the box?

The emergence of intelligent software agents that operate autonomously with little or no human intervention has generated many doctrinal questions at a conceptual level and has challenged the traditional rules of contract especially those relating to the intention as an essential requirement of any contract conclusion. This paper will explore some of these challenges, and shine a spotlight on the conflict between the traditional contract theory and the transactional practice in the case of using intelligent software agents. Further, it will examine how intelligent software agents differ from other software applications and then consider how such differences are legally relevant. This paper, however, is not intended to provide the final answer to all questions and challenges in this regard, but to identify the main components and provide perspectives on how to deal with such issues.     

Smart meters and the information panopticon: beyond the rhetoric of compliance

The Smart Meter Implementation Programme is the Government's flagship energy policy. In its search for solutions to address privacy dilemmas raised by smart meters, the Government has been content with using data protection principles as a policy framework to regulate the processing of consumers' personal information. This is worrying since the question of who has access to what type of information and how it is used cannot simply be regarded as raising information security, authenticity and integrity issues. If we are to go beyond the rhetoric of protecting the privacy rights of energy consumers we must scrutinise the context in which legitimate interests and reasonable expectations of privacy subsist. To remedy this apparent policy oversight, the paper undertakes two tasks: first, to clarify the content and application of data protection and privacy rights to smart meters; and second, it outlines a policy framework that will address the lack of specificity on how best innovation and privacy issues can be better calibrated. More importantly, it calls for targeted substantive reforms, development of accessible privacy policies and information management practices that promote transparency and accountability and deployment of technological solutions that will help reduce emerging fault lines between innovation and privacy in this sphere of energy policymaking.     

Conflict of laws and the cloud

Cloud technology offers wonderful potential for users in terms of convenience, ease of obtaining updates etc. However, it presents significant legal challenges. Our laws, largely based on notions of territoriality, struggle to respond to technology in which lines on maps are largely irrelevant. In this article, I articulate some of the specific challenges. The law of contract, tort and national regulation might all apply to a claim of breach of privacy in relation to material uploaded to the cloud. Unfortunately, each of the jurisdictions studied would approach the issues in different ways, potentially creating significant confusion. The article proposes a need for international co-operation and agreement on these matters.     

Disentangling privacy from property: toward a deeper understanding of genetic privacy

With the mapping of the human genome, genetic privacy has become a concern to many. People care about genetic privacy because genes play an important role in shaping us--our genetic information is about us, and it is deeply connected to our sense of ourselves. In addition, unwanted disclosure of our genetic information, like a great deal of other personal information, makes us vulnerable to unwanted exposure, stigmatization, and discrimination. One recent approach to protecting genetic privacy is to create property rights in genetic information. This Article argues against that approach. Privacy and property are fundamentally different concepts. At heart, the term "property" connotes control within the marketplace and over something that is disaggregated or alienable from the self. "Privacy," in contrast, connotes control over access to the self as well as things close to, intimately connected to, and about the self. Given these different meanings, a regime of property rights in genetic information would impoverish our understanding of that information, ourselves, and the relationships we hope will be built around and through its disclosure. This Article explores our interests in genetic information in order to deepen our understanding of the ongoing discourse about the distinction between property and privacy. It develops a conception of genetic privacy with a strong relational component. We ordinarily share genetic information in the context of relationships in which disclosure is important to the relationship--family, intimate, doctor-patient, researcher-participant, employer-employee, and insurer-insured relationships. Such disclosure makes us vulnerable to and dependent on the person to whom we disclose it. As a result, trust is essential to the integrity of these relationships and our sharing of genetic information. Genetic privacy can protect our vulnerability in these relationships and enhance the trust we hope to have in them. Property, in contrast, by connoting commodification, disaggregation, and arms-length dealings, can negatively affect the self and harm these relationships. This Article concludes that a deeper understanding of genetic privacy calls for remedies for privacy violations that address dignitary harm and breach of trust, as opposed to market harms, as the property model suggests.     

The Council of Europe Data Protection Convention reform: Analysis of the new text and critical comment on its global ambition

The year 2010 set an important milestone in the development of data protection law in Europe: both Europe's basic regulatory texts, the EU Data Protection Directive and the Council's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), were placed at an amendment process, having served individual data protection for many years and witnessed in the meantime technological developments that threatened to make their provisions obsolete. After briefly presenting Convention 108, the analysis that follows will highlight the Council's data protection system currently in effect as well as developments relating to the Convention's amendment so far with the aim of identifying improvements and shortcomings. While doing this two separate points of view shall be adopted: at first a micro point of view will attempt to identify improvements and shortcomings through an ‘insider’ perspective, that is, judging only the merits and difficulties of the draft text at hand. Afterwards a macroscopic view will be adopted, whereby strategic issues will be discussed pertaining to the important issue of the relationship of the suggested draft with the EU data protection system, as well as, the same draft's potential to constitute the next global information privacy standard.     

Options towards a global standard for the protection of individuals with regard to the processing of personal data

PurposeStates have adopted a number of international instrument dedicated in full or in part to privacy and data protection, at multilateral or regional levels, in binding or non-binding form. This article discusses the potential and context of the emergence of a possible global standard on data protection focusing on the 1981 Council of Europe Convention for the Protection of Individuals with Regard to the Processing of Personal Data, as amended (Convention 108+).AimsWith due regard being paid to the dynamic technological and business environment that surrounds policy-making in the field of personal data protection, this article attempts to look at some strengths, weaknesses, opportunities and challenges of Convention 108+ in the competition for becoming a global standard. It seeks to identify possible future directions and priorities, taking into account the evolving nature of international relations in a more multipolar world where multilateralism is less obviously the preferred approach to international issues.FindingsInformed by an in-depth study of relevant international instruments relating to the right to privacy this article explores several strengths and opportunities that may be built on to promote a global role for Convention 108+, but also some weaknesses and threats. In sum, it concludes that the Convention is relatively well placed to ambition becoming a global standard.     

New Privacy Concerns: ISPs,Crime Prevention and Consumers' Rights

In November 1998, Cyber-Rights & Cyber-Liberties (UK) authored a 'privacy letter' to be sent from a subscriber to an Internet Service Provider (ISP) addressing concerns over privacy of communications through a UK ISP. The letter was drafted from the consumers' perspective and raises important issues in relation to ISP privacy policies. The 'privacy letter' was partly developed as a response to the Association of Chief Police Officers (ACPO), the ISPs and the Government Forum's initiatives in relation to developing 'good practice guidelines' between Law Enforcement Agencies and the Internet Service Providers' Industry. These guidelines describe what information can lawfully and reasonably be provided to Law Enforcement Agencies, under what circumstances such information can be provided, and the procedures to be followed in such cases. The process initiated by the ACPO Forum has so far excluded the views of concerned citizens and civil liberties organizations. This article will provide an insight into the activities of the ACPO/ISPs/Government Forum and will argue that procedures can only be properly designed within a legal context that takes due account of individual rights and liberties.     

Roadmap to solving security and privacy concerns in RFID systems

This paper focuses on privacy and security concerns in Radio Frequency IDentification (RFID) systems and paves the way towards a roadmap for solving security and privacy concerns in RFID systems. RFID systems have captured much interest around the World. The technology has many advantages and applications in a real world situation. Examples of such scenarios will be discussed in this paper.This paper reviews privacy and security concerns within the context of the advantages the technology offers and reviews solutions to overcome the privacy and security challenges. However, this research found that many proposed technological solutions are not “bullet proof” and policy regulations have to be employed as well. Few such RFID policies have been proposed. However, this paper argues that users/consumers of RFID systems should be given the mandate to have control over their products and systems and in order to fully address solution to the security concerns.     

Russian PNR system: Data protection issues and global prospects

The usage of Passenger Name Record (PNR) for security purposes is growing worldwide. At least six countries have PNR systems; over thirty are planning to introduce them. On 1 December 2013, a Russian PNR system will be implemented. But enhanced collection of personal data leads to increased surveillance and privacy concerns. Russian authorities state that passengers' rights will be respected, but a closer look at the Russian regime reveals a number of critical points. From a global perspective, the Russian regime is only one of many PNR systems, including new ones to come in the future. Apparently, for the majority of them, similar challenges and problems will apply. At the same time, for the EU, with its strict data protection requirements, PNR requests by third countries (i.e. non-EU countries) create conflicts of laws. In order to resolve them, the EU concludes bilateral PNR agreements. However, the current deals, especially the one between the EU and the USA, involve a number of weaknesses. Accepting the latter, and having a pending proposal on the EU PNR system, the EU has weakened its position in negotiations with third countries. How will the EU deal with the Russian as well as with all the future requests for PNR? This paper provides legal analysis of the Russian PNR regime, pointing out common problems and giving prognosis on the global situation.     

Analysing the sexual abuse of children by workers in residential care homes: Characteristics,dynamics and contributory factors

Abstract

This article analyses why workcrkhild s m l abuse occurs in residential children's homes. The importance of previously documented features, such as inadequate complaints and whistle blowing procedures, and poor vetting, training and supervision of stafi arc acknowledged. This exposition, however, concentrates on the tactics abusers employ to groom, entrap and silence children, whilst simultaneously controlling and silencing non-abusive staff. The success of these tactics is then contatualised within notions ojwebcrian rational-legal bureaucratic and charismatic power. as well as the location ofsomeabusers within entrenched pedophilenetworks. Contributory jactors, such as the enclosed and institutionaliscd nature of many settings and the inadequate, gendcrcd and haophobic manner in which stafloften deal with both sexuality and sexual abuse issues are also m i n e d and analyscd, as arc children's own gendcred prc-conceptions. Important theoretical constructions utiliscd include Goffman's theory of 'total institutions', the social construction ofchildhood, includingchitdhoodasdity and the concept of'organisation sexuality'.     

Security-oriented cloud computing platform for critical infrastructures

The rise of virtualisation and cloud computing is one of the most significant features of computing in the last 10 years. However, despite its popularity, there are still a number of technical barriers that prevent it from becoming the truly ubiquitous service it has the potential to be. Central to this are the issues of data security and the lack of trust that users have in relying on cloud services to provide the foundation of their IT infrastructure. This is a highly complex issue, which covers multiple inter-related factors such as platform integrity, robust service guarantees, data and network security, and many others that have yet to be overcome in a meaningful way. This paper presents a concept for an innovative integrated platform to reinforce the integrity and security of cloud services and we apply this in the context of Critical Infrastructures to identify the core requirements, components and features of this infrastructure.     

Public security versus privacy in technology law: A balancing act?

Technology invades a person's privacy but this has been justified in law on public security grounds. The more technology advances, the more difficult it is to control its privacy intrusive use. This paper argues that there are a number of difficulties posed by such use concerning the respect of one's privacy. The meaning of ‘public security’ is not entirely clear and there are various laws which authorise the invasion of privacy for public security reasons. Technology is developing at such a fast pace and in a more diffused manner without taking on board its privacy implications whilst technological privacy enhancement mechanisms are not catching up. The law of privacy is not sufficiently elaborate and is slow in coming to terms to deal with these novel situations posed by rapid technological advances. The paper thus develops universally legally binding minimum core principles that could be applied indiscriminately to all privacy intrusive technology.     

Normative challenges of identification in the Internet of Things: Privacy,profiling, discrimination,and the GDPR

In the Internet of Things (IoT), identification and access control technologies provide essential infrastructure to link data between a user's devices with unique identities, and provide seamless and linked up services. At the same time, profiling methods based on linked records can reveal unexpected details about users' identity and private life, which can conflict with privacy rights and lead to economic, social, and other forms of discriminatory treatment. A balance must be struck between identification and access control required for the IoT to function and user rights to privacy and identity. Striking this balance is not an easy task because of weaknesses in cybersecurity and anonymisation techniques. The EU General Data Protection Regulation (GDPR), set to come into force in May 2018, may provide essential guidance to achieve a fair balance between the interests of IoT providers and users. Through a review of academic and policy literature, this paper maps the inherent tension between privacy and identifiability in the IoT. It focuses on four challenges: (1) profiling, inference, and discrimination; (2) control and context-sensitive sharing of identity; (3) consent and uncertainty; and (4) honesty, trust, and transparency. The paper will then examine the extent to which several standards defined in the GDPR will provide meaningful protection for privacy and control over identity for users of IoT. The paper concludes that in order to minimise the privacy impact of the conflicts between data protection principles and identification in the IoT, GDPR standards urgently require further specification and implementation into the design and deployment of IoT technologies.     

Child witness research and forensic interviews of young children: A review

In this article, we provide an introduction to child eyewitness memory issues that are frequently discussed and debated, both within the research and practice communities. We review several of the central areas of research on child eyewitness memory and some of the most promising protocols aimed at standardizing and improving child forensic interviews. We focus primarily on memory in young children, because they pose particular challenges. Research on the use of props and external cues to prompt young children's memory is discussed. We also review research on professionals' knowledge and attitudes about children as witnesses. It is concluded that we must guard against overly negative or overly optimistic views of children's abilities.