Welcome to the SecAware blog

I spy with my beady eye ...

25 Jan 2020

NBlog Jan 25 - data privacy day

On Tuesday, data privacy day, privacy will be top of the agenda.

Well, OK, not top exactly, not even very high if I'm honest.

And apart from mine, I'm not sure whose agenda I'm talking about.

Evidently it's about "data privacy", not other kinds of privacy, oh no.

If I'm coming across just a little cynically, then evidently I need to try harder.

I bumped into data privacy day while searching for something privacy related - I forget exactly what, now. Otherwise, it would surely have passed me by, and maybe you too, dear blog reader.

Anyway, data privacy day appears to date back to Jan 28th 1981 when Convention 108 was signed in conventional Europe. "The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" was among the first, if not the very first, data protection regulation, predating today's privacy laws and regs.

In 2006, the Council of Europe launched Data Privacy Day as an annual event on January 28th.

Data privacy day was later taken up by some American organizations. According to the Wikipedia page, participants in the 2016 "event" included the Anti-Phishing Working Group, Carnegie Mellon University, Cyber Data-Risk Managers, EDUCAUSE, Georgetown University, Federal Trade Commission (FTC), Federal Communications Commission (FCC), Federal Bureau of Investigation (FBI), Identity Theft Council, the Privacy Commissioner of Canada, New York State Attorney General Office, the UK Information Commissioner and Data Security Council of India. I have no idea if they are still involved this year, and frankly I can't be bothered to find out just as none of them, it appears, could be bothered to update the Wikipedia page in 4 years.

The fact that I had no idea data privacy day was coming up on Tuesday suggests that all those years of publicity haven't been entirely successful.

This year, StaySafeOnline from the National Cyber Security Alliance appears to be valiantly leading the publicity effort, although their website is playing hard to get.

StaySafeOffline would be a more apposite domain. Well I guess that's one way to ensure data privacy: simply don't publish the data on the Interwebs. Bish bash bosh, job's a good'un.

I was hoping to take a look at the information they allegedly offer in support of data privacy day, but no such luck. However, I did find some info at a related site - StopThinkConnect, "the global awareness campaign to help all digital citizens stay safer and more secure online" - including these tips:

Protect Your Personal Information
  • Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.
  • Make your password a sentence: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
  • Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.
  • Write it down and keep it safe: Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer. You can alternatively use a service like a password manager to keep track of your passwords.

An interesting selection of tips, with no mention of browser security, or patching, or antivirus, or not sending personal info by email, or only disclosing personal info to trustworthy organizations, or checking privacy policies first, or totally avoiding social media and apps (!), or ... well, clearly there are lots of things that they could have said, but I get it: these are supposed to be a few succinct tips, which means someone had to select the very best. Hmmm.

If it were me, I don't think I'd recommend writing down passwords as a way to protect personal information, even if it does avoid the need to navigate the hazards of the forgotten password/reset process. Odd, then, that they would casually mention password managers while also recommending 'positive' and memorable pass phrases (of at least 12 characters - a number plucked out of thin air I presume, and they missed the chance to mention punctuation and deliferate mispelings), rather than suggesting people use the password generators built in to said password managers.

Summing up, data security day is a badly publicised, ill-conceived, poorly supported and not very effective effort to ... to ... well, I'm not at all sure what it is intended to achieve, on just one day a year. Although admittedly I haven't put much effort into searching, I haven't found any stated objectives, which makes it hard to gauge its success or otherwise. "Maybe that's a deliberate ploy to avoid accountability" said the cynical voice in my head.

I wish them well in their endeavour. I sincerely hope the day far exceeds my very low expectations. 

