Cyber Security Industry Alliance Newsletter • Volume 2, Number 5 • January 2006

Global Perspectives

i2010

The European Commission’s Directorate General for the Information Society issued a benchmarking report on 19 December 2005. The report provides an overview of the state of the information society across the EU since i2010 was adopted and a check on progress since the launch of eEurope 2005 in 2003 (i2010’s predecessor). It also provides a first analysis of the information society in the ten member states that joined the EU in May 2004.

Some key findings in the survey include:

  • The best-connected sectors are IT services and the automotive, aeronautic and pharmaceutical industries

  • Broadband rollout has been a clear success story, but there is a wide variation between member states

  • Disparities between member states have not decreased between the start of eEurope and 2004

  • Connectivity of enterprises is high throughout the 25 EU countries (87% of large enterprises had broadband access, 71% of medium-sized enterprises but only 48% of small firms)

  • Availability of online public services has continued to grow

  • All member states are confronted with the challenge of extending the information society to people with little or no formal education, those not in employment and older people.

An inclusive information society will not be achieved without policy support.

Link to the report: http://europa.eu.int/information_society/eeurope/i2010/docs/benchmarking/051222%20Final%20Benchmarking%20Report.pdf



Data Retention

The Council has made certain documents relating to the negotiations on the Data Retention Directive public. A note from the Secretariat General of the Council to the member states (dated 19 December 2005) makes a direct reference to the compromise reached between the European Parliament and Council:

"In accordance with the provisions of Article 251(2) of the EC Treaty and the joint declaration on practical arrangements for the codecision procedure, a number of informal contacts have taken place between the Council, the European Parliament and the Commission with a view to reaching an agreement on this dossier at first reading, thereby avoiding the need for a second reading and conciliation.

In this context, the PPE-ED and PSE political groups presented 42 compromise amendments to the proposal for the directive. These amendments had been agreed during the informal contacts referred to above."

The note also states that because the amendments adopted by Parliament correspond to what was agreed between the three institutions (Commission, Parliament and Council), the text ought to be acceptable to the Council. The text could in theory therefore be adopted as soon as the legal linguists have signed off the different language versions.

The other documents relate to the discussion that took place between the member states in early December.

Links:
http://register.consilium.eu.int/pdf/en/05/st15/st15691.en05.pdf
http://register.consilium.eu.int/pdf/en/05/st15/st15220.en05.pdf
http://register.consilium.eu.int/pdf/en/05/st15/st15237.en05.pdf
http://register.consilium.eu.int/pdf/en/05/st15/st15101-ad01.en05.pdf



ENISA Update

Andrea Pirotti, Executive Director of the European Network and Information Security Agency (ENISA), issued a message in December 2005. He summarises the events and developments in relation to ENISA during 2005:

  • The first map of all 106 European Computer Emergency Response Teams (CERTs) and an Inventory of European CERT activities

  • The first version of the ENISA Who’s Who Directory in Information Security

  • The first analysis and Information Package on Awareness Raising

  • The establishment of 3 Working Groups: one on Awareness Raising, one on CERTs, one on Risk Assessment and Risk Management

  • Input and visions for the future in Information Security from the Permanent Stakeholders’ Group, with 30 members from Industry, Consumers organisations and Academics in a new way of dialogue with stakeholders

  • Close contacts with all Member States through the 25 National Liaison Officers, to continuously provide ENISA with material in order to enable ENISA to become a true switchboard of information

  • Participation and/or co-organisation of circa 30 conferences, workshops, joint events and speaking engagements in Rome, Bonn, Vilnius, Brussels, Paris, Vienna, Warsaw, London, Copenhagen, Stockholm, Budapest, Utrecht, Dubrovnik, Prague, Helsinki, Amsterdam, The Hague, Milan, Hannover, Luxembourg, Riga, Rueschlikon, Moscow and many other places across Europe, to bring together and bridge the gap between the private and the public actors in this field.

Link: http://www.enisa.eu.int/news/XmasmessagefromED2/index_en.htm

ENISA also published a number of documents in December 2005 (mentioned above), including a Who’s Who Directory (which lists all the various departments dealing with information security in the member states) and a document on raising awareness of information security. Targeted at member states for use in their awareness-raising campaigns, this document offers an insight into the types of problems currently being faced by countries with regard to information security, illustrates examples of campaigns and other awareness-raising initiatives that have been run or are planned in member states, and provides examples of some of the high-level, non-technical messages that should be conveyed in a typical campaign.

All documents can be downloaded at: http://www.enisa.eu.int/deliverables/index_en.htm



Article 29 Working Party/RFID

The Article 29 Working Party has issued an "Opinion on the use of location data with a view to providing value-added services". The Opinion notes the rising importance and use of location data and reiterates the importance of companies complying with their obligations under data protection legislation when providing a value-added service on the basis of location data. Amongst other things, the Opinion contains a provision on security measures and transmission to third parties:

"The Working Party would draw the attention of electronic communications operators and providers of value-added services based on the processing of location data to the need to introduce security measures designed to ensure the confidentiality and integrity of the location data processed.

Under Article 9(3) of Directive 2002/58/EC, location data to be processed for providing a value-added service may not be transmitted to third parties other than those who provide the value-added service. Only persons acting under the authority of the third party providing the value-added service may process the data, to the extent and for the duration necessary for providing the service. Accesses by such persons to the location data should also be logged."

Link to Opinion: http://www.europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2005/wp115_en.pdf



Other Issues of Relevance

A businessman who received spam e-mails has successfully sued the sender for damages under the Privacy and Electronic Communications (EC Directive) Regulations 2003. To his knowledge he had never had any dealings with the defendant, Media Logistics UK, and had not opted to receive communications from the company. He used the Internet Protocol address information contained in the e-mails to track down the sender, and then wrote requesting an apology and details of the data it held about him and where it had obtained them. The defendant apologised, but refused to give him the information he sought. The businessman, Mr Roberts, therefore brought an action in the small claims court for damages under regulation 30 of the Privacy Regulations. It was settled out of court.