First, the BA data breach. I may be making a big assumption
but I tend to assume that BA has top-of-the-range, state-of-the-art protection
against data breach. Certainly you would expect then to have the means to
protect payment data. (I note that every news item covering the BA breach
mentioned that passport information was not accessed; no doubt that was of
somewhat minor consolation to those about to embark on a trip abroad with a
compromised credit card.) But they have suffered major data breach through, we
are told, ‘a sophisticated attack’; one wonders what sort of attack would
qualify as ‘unsophisticated’, bearing in mind the context.
The second topic concerns the age-verification proposals
that derive from the Digital Economy Act 2017. There is a crowdfunding appeal at
https://www.crowdjustice.com/case/resistav/,
which aims to produce the funds to challenge the proposed implementation of this
scheme. The age-verification scheme had rather fallen off my radar so, while I
think any such court action has a very steep slope to climb, this was a welcome
reminder of a piece of legislation which I thought was flawed at both the
political level (it is a prime example of ‘something must be done’) and the
practical level (we will move on to cries of anguish when it is ‘exclusively
revealed’ that teenagers circumvent barriers to access porn – just as they have
for decades). Neil Brown’s article
on this topic gives an excellent insight into the basic proposals and I
found the Open
Rights Group briefing on the situation most enlightening.
Whatever one’s views on the rights and wrongs of the initial
legislation, and on the reliability and motives of the likely controllers of
the age-verification process, it is hard to argue with the view taken by the Open
Rights Group that the data that will be shared via the age-verification scheme
is super-sensitive. Even if you have never looked at porn in your life (a fact
which might be shaming in certain contexts), you have to agree that one’s
viewing history in this area above all needs special protection.
What the BA data breach shows is the obvious: if there is
valuable information that can be accessed online, it needs to be strongly
protected – and even then it might be accessed. The GDPR is a protection but it’s
not enough in this context. Given the risks here, those holding
age-verification data, and the very wide-range of super-sensitive information
that will flow from it, will be well advised to make sure that they float
small-scale subsidiaries with a relatively small turnover in the UK and will
not be intimidated or incentivised by the prospect of huge GDPR fines.
In the ideal world, the government would just give up on a
flawed proposal that reflects an evanescent popular will, but its track-record
on that isn’t great. At the very least, there needs to be more incentive to
ensure protection of this data edges as close to watertight as is possible.
Just like BA had.
