Breaches & Human Rights in Finland
The European Court of Human Rights has ordered the Finnish government to pay out €34,000 because it failed to protect a citizen’s personal data. One data protection expert said that the case creates a vital link between data security and human rights.
The Court made its ruling based on Article 8 of the European Convention on Human Rights, which guarantees every citizen the right to a private life. It said that it was uncontested that the confidentiality of medical records is a vital component of a private life.
The Court ruled that public bodies and governments will fall foul of that Convention if they fail to keep data private that should be kept private.
The woman in the case did not have to show a wilful publishing or release of data, it said. A failure to keep it secure was enough to breach the Convention.
“Data blunders can breach human rights, rules ECHR” on Pinsent Masons Out-Law blog.
“What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place.”
Emphasis mine.
There be dragons.
Dragons indeed.
I’ve been doing a moderate amount of research into issues of identity and trust (in addition to my recent forays into FISA) and I am more and more convinced that we have been using the wrong model of computer security and that we actually have no decent formal model of trust in digital systems. If I am at all correct in either of these, what I am saying is that there is no basis for knowing what is effective, or if effective is even possible, let alone practical.
By the wrong model, I mean that we tend to think of things in terms of what I would call a “Motte and Bailey” model. We act as if there are natural or even artificial boundaries along which we can build a palisade, thus rendering the area within safe. In truth, our digital environment is more like raw biology. There are some number of membranes like skin and cell walls, but there is contamination on both sides of every membrane, all membranes are porous, and infecting agents are actively seeking to piggyback on every legitimate crossing.
We act as if we are safe in our computers or their disks or on our LANs or our applications and databases, as if once inside the Bailey all enemies are known to be outside. Witness even the language of the title of this posting: “Breaches & Human Rights in Finland”. Someone has breached the wall.
Is the architect or the landlord in violation for not having used one-way mirrors in all of the windows? Must every door have a lock, must every lock be locked?
I don’t have a lot of answers here. I just think we’re a little behind in our thinking. I’m not sure we’ve asked the right questions, thought out the right problems, let alone found the right answers and yet we have to make public policy, decide if FISA is good or bad, if the Convention on Human Rights is too strict or lax and what technologists, businessmen and the ordinary citizen have to do to comply. We need to decide which firewall to buy or what features a good one would have.