Policy actions sorted A-Z.
Products that meet defined requirements for transparency, privacy and security are awarded a certification mark, so that people know they can trust the product.
European Union: EuroPriSe is a privacy seal for organisations in the EU.
United Kingdom: The Information Commissioner's Office is developing a privacy seal that would be awarded by other, accredited organisations.
United Kingdom: BSI, known for its Kitemark symbol, has created a standard for secure digital transactions. IF has proposed a transparency mark that acts both as a certificate and as a link to more information about a product.
Consumers may not understand what a seal means and this could create a false sense of confidence in a service.
Seals establish a lowest common denominator.
Seals are expensive to audit.
People can access a history of who has viewed data held about them, so they can understand what is happening to their data and spot fraud and misuse.
United States: Under the Health Insurance Portability and Accountability Act, “patients can request an account of the manner their private health information has been used”.
Credit report services show when lenders have accessed an individual’s credit report.
Create a central database of known software vulnerabilities. This will allow consumers to know which products and services are affected, and help developers fix vulnerable code. Software security research firms typically publish their findings publicly and attach a unique vulnerability identifier to each finding.
There may be inconsistency between software vulnerability databases operated by different organisations.
Government-owned vulnerability databases may be biased in the security interests of that state.
The data in these databases is technical in nature and isn't accessible to the average consumer.
Government and technical organisations should recommend best practices to developers to ensure safety, particularly in environments where computers control the physical environment. Existing guidelines are skewed towards space and nuclear applications, but there will be a need for consumer advocacy here as self-driving cars near readiness for everyday use.
A team or service exists to inform companies about best practices for digital security, consumer privacy and consent models.
United Kingdom: The National Cyber Security Centre provides guidance to organisations and government on managing their IT and information more securely. CareCERT, part of NHS Digital, provides information security advice for the public health sector.
United States: The United States Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security, publishes advice on computer security for a non-technical audience.
Elsewhere: Various countries have computer emergency response teams that respond to information security emergencies.
Guidance is issued in specialist terms, requiring third parties to interpret it.
Guidance doesn’t adapt quickly enough to changing threats or technologies.
Promote best practices, such as strong passwords and two-factor authentication, to improve public understanding of digital security.
It is difficult to engage the general public with an issue of a technical nature.
Some campaigns may over-simplify digital security.
Software vulnerabilities are included in product recall notices, and recall notices are maintained and published as open data, so that consumers know when a digital product they own is unsafe.
European Union: The European Commission operates a database of product recalls. It allows people to subscribe to weekly product notifications.
OECD: Global Recalls collates data about product recalls from OECD member states. This information is available in English and French.
In 2016, the car manufacturer Tesla pushed an over-the-air update following a death caused by its autopilot system.
The changing nature of consumer products like cars means that recalls can be avoided by pushing updates straight to the device. A report suggests that by 2022, 230 million vehicles could have this functionality.
A faster software update cycle could increase the risk that bugs are undetected.
Recall notices are a lost opportunity if they don't incorporate shorter feedback loops between manufacturers and consumers.
Regulators should be able to compel manufacturers to follow standards for privacy and security when designing Internet of Things (IoT) devices, in the same way that regulators mandate compliance with electrical safety standards. This is important for consumers because IoT devices collect a great deal of data about a person and their surroundings, and privacy protections are currently poor.
European Union: A working group of European data protection regulators has published an opinion (PDF) on the privacy risks of IoT and on how the EU's current data protection framework applies to it.
United States: The Federal Trade Commission has released a report (PDF) on IoT and possible regulation. It states that it may be too early to regulate, as the industry is still in its infancy, but that general data protection legislation should be strengthened.
David Wheeler has written about policy interventions for digital security that could apply to Internet of Things devices.
The range of devices is so broad that it's difficult to audit them consistently.
Regulatory overhead prevents small companies from launching products.
The law requires services to monitor for suspicious authentication, for example a sign-in from another country, so that fraud and data theft can be prevented.
Automated services could misinterpret legitimate behaviour.
Services built to sanction quickly may not accommodate fair process or a right to reply.
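The monitoring described above, and the two risks that follow it, can be illustrated with a small sign-in analyser. This is an added example, not code from the original page or from any service it mentions; the log format, the sample events, the per-user list of known countries and the two-hour "impossible travel" threshold are all assumptions made for the illustration. The point of the design is the second risk above: a flagged sign-in is answered with a step-up challenge (for example a second factor) rather than an automatic block, so a legitimate traveller is inconvenienced but not locked out.

```python
"""Flag suspicious sign-ins from a simple sign-in log (added example, stdlib only)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample log (not real data): "<ISO-8601 UTC> <user> <ip> <country> <result>".
SAMPLE_LOG = [
    "2017-03-01T09:00:00Z alice 203.0.113.10 GB success",
    "2017-03-01T09:30:00Z alice 203.0.113.10 GB success",
    "2017-03-01T09:45:00Z alice 198.51.100.7 RU success",  # 15 minutes after a GB sign-in
    "2017-03-01T12:00:00Z alice 203.0.113.10 GB success",  # back in a known country
    "2017-03-01T10:00:00Z bob 192.0.2.44 US success",
    "2017-03-02T10:00:00Z bob 192.0.2.99 FR success",      # new country, a day later
]

# Countries each user has previously signed in from (assumed, would come from history).
KNOWN_COUNTRIES = {"alice": {"GB"}, "bob": {"US"}}

# Two successful sign-ins from different countries closer together than this
# are treated as "impossible travel" (threshold is an assumption for the example).
MIN_TRAVEL = timedelta(hours=2)


@dataclass
class Event:
    when: datetime
    user: str
    ip: str
    country: str
    ok: bool


@dataclass
class Finding:
    user: str
    when: datetime
    reason: str
    action: str  # "step_up": ask for a second factor rather than block outright


def parse(line: str) -> Event:
    """Parse one log line into an Event; raises ValueError on a malformed line."""
    ts, user, ip, country, result = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country, result == "success")


def suspicious_signins(lines: Iterable[str], known_countries: Dict[str, Set[str]]) -> List[Finding]:
    """Return findings for impossible travel and first sign-ins from a new country.

    Events are processed in time order regardless of the order in the log.
    A flagged country is NOT added to the user's known set: that should happen
    only after the step-up challenge succeeds, which this offline pass cannot see.
    """
    known = {u: set(c) for u, c in known_countries.items()}
    last_ok: Dict[str, Event] = {}
    findings: List[Finding] = []
    for ev in sorted((parse(l) for l in lines), key=lambda e: e.when):
        if not ev.ok:
            continue  # failed attempts are out of scope for this check
        prev: Optional[Event] = last_ok.get(ev.user)
        user_known = known.setdefault(ev.user, set())
        if prev is not None and prev.country != ev.country and ev.when - prev.when < MIN_TRAVEL:
            findings.append(Finding(ev.user, ev.when,
                                    f"impossible travel {prev.country}->{ev.country}", "step_up"))
        elif ev.country not in user_known:
            findings.append(Finding(ev.user, ev.when, f"new country {ev.country}", "step_up"))
        else:
            user_known.add(ev.country)
        last_ok[ev.user] = ev
    return findings


if __name__ == "__main__":
    for f in suspicious_signins(SAMPLE_LOG, KNOWN_COUNTRIES):
        print(f"{f.when.isoformat()} {f.user}: {f.reason} -> {f.action}")
```

Run against the constructed log it reports two findings: alice's RU sign-in as impossible travel, and bob's FR sign-in as a new country. Alice's later GB sign-in is not flagged, because GB is already known and is more than two hours after the RU event. Bob's case is exactly the first risk above (a legitimate trip would look the same), which is why both findings carry a step-up action rather than a block.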
Data controllers are compelled to publicly report data breaches so that the public know it has occurred and can take action where possible and to incentivise data controllers to maintain secure data handling practices.
European Union: Under Article 33 of the General Data Protection Regulation, data controllers must notify the supervisory authority "no later than 72 hours" after becoming aware of a breach; under Article 34, affected data subjects must be informed "without undue delay" where the breach is likely to result in a high risk to them.
Mexico: Under the Federal Personal Data Law, the data controller must immediately inform the data subject if a breach of the data controller's security measures occurs that could affect the moral or economic rights of the data subject.
South Korea: Under the Personal Information Protection Act, the data controller must provide individual breach notices to data subjects and file a personal information leakage report to the Ministry of Government Administration and Home Affairs and Korea Internet Security Agency.
Turkey: Under the Data Protection Law, data breaches must be disclosed to the Data Protection Authority and data subjects.
United States: 47 states and the District of Columbia have enacted state-level security breach notification laws. There is no general breach notification law at federal level, although sector-specific rules exist, such as the HIPAA Breach Notification Rule for health information.
A lack of understanding of data breaches may cause consumers to panic when they receive notifications.
Notifications on their own may not suffice. They may need to happen in concert with other measures.
The law requires the use of strong customer authentication for certain kinds of service.
Estonia: The chipped national identity card is used as a second authentication factor when accessing digital services.
European Union: The European Banking Authority requires the use of "strong customer authentication", defined as authentication using two or more independent factors, for online payments.
Adding multi-factor authentication to existing systems could be costly.
If designed poorly, multi-factor authentication can make a service less usable.
Government or industry bodies agree a set of standards for securing specific data and transaction types so that people can expect a minimum level of security.
PCI DSS (the Payment Card Industry Data Security Standard) is a proprietary standard for protecting cardholder data, operated by the major global card brands.
GOV.UK Verify is a delegated method of identity verification, available from multiple providers, for use in UK government digital services.
3-D Secure is a protocol for additional identity verification when making online purchases. It is branded by Visa and MasterCard as “Verified by Visa” and “MasterCard SecureCode” respectively.
ISO/IEC 27002 is an international standard providing information security best practice, covering both digital and physical controls.
Create and publish a set of design standards to promote best practices, accessibility and familiarity between digital public services.
Set a minimum period during which manufacturers must provide software updates, so that customers are reasonably protected against software vulnerabilities without having to buy a new product.
Some software manufacturers have fixed support periods. Microsoft has a 10-year support period for Windows 10. Ubuntu, a Linux operating system, designates every fourth release as "Long Term Support" (LTS), extending the update period from 9 months to 5 years (earlier LTS releases gave the desktop edition only 3 years, with 5 years for the server edition).
Netherlands: Consumentenbond is campaigning for mobile phone manufacturers to provide longer support periods for Android.
The United States Navy paid Microsoft $9.1 million to continue support for Windows XP, a version of Windows released in 2001 that remained in widespread use in government IT because of the long gap before its successor was released and adopted.
David Wheeler writes that updates should be legally mandated for three years after purchase, or the customer should be offered a refund.
Mandating a minimum period of software updates could be financially straining for smaller software developers.
Longer mandatory update periods could increase costs for consumers.
Set rules that require data to be encrypted when it's stored by a data controller, to mitigate the impact of a data breach.
Australia: The Office of the Australian Information Commissioner recommends that stored data is encrypted.
United States: A New Jersey state law prohibits health insurance companies from storing unencrypted patient information.
Set rules that require data to be encrypted when sent across the internet, to prevent it from being intercepted by an unauthorised third party.
United Kingdom: Part of the Government Digital Service's Digital Service Standard requires the use of HTTPS.
United States: Memorandum M-15-13 from the Federal Chief Information Officer requires that all publicly accessible federal websites and web services be served only over a secure (HTTPS) connection.
Encrypting cardholder data in transit over open, public networks is a requirement of the PCI DSS.