Law is full of jargon as we all know. So is the world of IT. And when the two worlds collide, as they did for 145 delegates and speakers at an outstanding SCL Annual Conference on Tuesday, it can be fascinating to see how jargon can emerge or evolve as we try to create the language to comprehend rapid change.
So inspired by the jargon, much of it really useful, here is a potted guide to the conference in just a few words.
Airgap
An airgap is one possible solution if you need to hide from State (or other) intrusion into what you are doing on a computer.
In the keynote address on the hottest of topics, Ben Jaffey told us of lawyers working in a sealed room, using untraceable, connection-less laptops bought on the Tottenham Court Road that requires the lawyer using it to remember, then immediately destroy, a complex 25 character password. That is working in an airgap.
The use of such a Draconian tactic suddenly seemed self-evidently sensible once he related just how much data the US, and indeed GCHQ, can and are collecting: the NSA collects half a million address books a day and GCHQ carries out sweeps by flying over London (though the legality of that activity is unclear at the moment). Interestingly the Government does not offer any assurances that even legally privileged data is free from routine monitoring. One bit of good news: encryption is not secure but costs the hacker money to overcome so try to encrypt – or use a service that allows it – where possible.
Balkanisation
A perhaps slightly derogatory term (at least to any inhabitants of that area) describing the threat that states will not agree to standards of data protection and security, and fall back on their own measures, so that aspiring global businesses will be forced to provide different products for different jurisdictions.
This issue came up several times during the day. Ben Jaffey referred to it in the light of the NSA’s response to a 2010 Treaty regulating bank transactions undertaken through the SWIFT system. Although that Treaty specified that data mining of the shared information was impermissible, and that only targeted requests should be made, the NSA duly hacked the SWIFT database anyway. Ben felt that such incidents could undermine international treaties creating ‘balkanisation’ with local standards taking over.
Bojana Bellamy, President of the Centre for Information Policy, also used the term in her contribution to the panel session on big data. Whereas most Europeans understand that there has to be a legal basis in place before you can process, combine and analyse datasets, the UK and US attitude is more laissez-faire and this mismatch threatens adoption of differing standards.
Timothy Pitt-Payne QC of 11KBW did not use the term ‘balkanisation’ in his talk but his description of the current wrangling over the proposed new EU Data Protection Regulation reeked of the same problems. The draft regulation has generated 3,000 proposed amendments, ranging from those in the Albrecht Report, which seeks individual rights not to be profiled and to be ‘forgotten’, through to the Irish proposals (which, dare I say, may have been influenced by the businesses operating from there, such as Google) that would regard direct marketing as a legitimate reason for data processing. Such balkanisation means that we are unlikely to see any implementation before 2016.
Big Data
A fashionable, possibly short-lived phrase used to emphasise how much data is now being captured and how it can be queried quickly, cheaply and without gridlocking a server.
If anything could be considered the theme of the day this was it. Without the sudden capture and transfer of all this data, primarily by US-based businesses, the push for new data protection regulations and heightened concerns over privacy and cybercrime just would not exist.
Joren De Wachter, speaking on the big data panel session, graphically illustrated why suddenly data is ‘big’: 90% of the data out there has been created in the last two years. In the same session, Simon Dring of PA Consulting added that the processing power now available on demand from Amazon, Google and other cloud providers allows you to query billions of records in real-time. And with all that data sloshing around governments, businesses and other organisations are working out ways to put it to use.
To illustrate, Simon demonstrated a live query across a database of drug prescriptions and admissions to hospital which showed possible correlations between the two. Very useful it would seem. Less clear-cut was a case Bojana recounted where Target supermarkets used their purchasing history data and predictive queries to identify that one of their customers was pregnant. Target started e-mailing her offers for baby related products, her Dad spotted them and suddenly some anonymous data had become highly personal. In that light, Bojana pondered whether big data queries will ever be compatible with legitimate processing.
Joren also controversially suggested that big data might see the death of the current patent system. With so much big data out there – and increasing daily – being able to claim novelty for a patent might become impossible. A researcher could probably type the idea into Google and get 20-30 results for that very same idea. He was challenged from the floor on this point, the questioner (Simon Bradshaw) arguing that patents are not just about novelty but also about how you achieve the end product. For example everyone can have the idea of a space car but cannot describe how it would be built. Joren disagreed, not on any legal grounds but just because the numbers are on such a trajectory that he views it as inevitable that 100% of patents would have to be rejected because big data equals prior art.
BYOD
Acronym for ‘bring your own device’ or the growing acceptance that the kit we own for personal use is better than the kit the employer provides – so you might as well let the employees bring their own in.
A slightly tongue-in-cheek definition I admit, but one that seems to sum up the approach taken by many of the speakers on the topic. It surfaced in several sessions, as BYOD instantly raises potential security problems (when you lose your iPhone containing the company server password?), IP problems (who owns the phone number you’ve given to important clients?) and privacy issues (how does an employer demand that an employee hands over their own phone so they can access some business related emails?) to highlight just a few.
In the BYOD session, Robert Jones from Kroll Ontrack, widened the definition still further. Webmail, he suggested, is a form of BYOD, even though it is not a device. He also noted that researchers in the US have achieved the seemingly impossible: they have started to capture human thoughts in a computer so that in future your own brain might be a form of BYOD. As one delegate tweeted ‘put your thinking caps on – or is it your thinking cap?’
BYOD also featured in the last session of the day, a bravura performance from Daniel Pollick the CIO at DLA Piper which concentrated on the future of IT in legal practice. He is looking to utilise BYOD so he does not have to bother providing as much in the way of hardware. Instead he is looking to create software applications that will enable staff to use their own device but silo the corporate data. A brief look at their prototype ‘legal facebook’ app showed the way he was thinking.
Professor Chris Hankin’s slant was that BYOD presents a security risk but its use is inevitable and the key is to nudge employees into adopting better security behaviour. The Government’s 10 Steps to Better Cybersecurity may help on this point as would implementation of a BYOD policy like that outlined by Nigel Miller from Fox Williams in his talk, BYOD: Win-win or zero-sum game. Just to confuse us, Nigel threw in another acronymn – COPE (corporately-owned, personally enabled) to refer to kit that is given to an employee for work purposes, perhaps a Blackberry, but can also be used to send an e-mail to your Dad.
Hackmageddon
Not a word but a website – hackmageddon.com – that keeps track of the volume, nature and frequency of cybercrime incidents worldwide. Run by two men in a garage apparently.
Professor Chris Hankin, from Imperial College, introduced this one as he talked us through the initiatives underway as part of the Government’s cyber security strategy, including the use of predictive technologies and games theory to help prevent the damage caused by cybercrime.
Chris McConkey, from PWC further emphasised the scale of the problem by showing a 20 second clip of their own cybercrime tracking software, a constant explosion of red circles spreading around the globe that over a day would represent 40,000 compromised lap-tops. Fortunately he did provide some peace of mind by emphasising that if you get the basics right – such as implementing patches and whitelists – you can stop 85% of attacks. A legal slant was added by Conor Ward of Hogan Lovells who highlighted a proposed EU directive on data security that would apply to public bodies and ‘market operators’ broadly defined to include e-commerce infrastructure such as payment gateways.
Interception
I include this solely to reinforce how seemingly obvious interpretations can go adrift from the common understanding. According to Ben Jaffey, interception of personal data by a government occurs only when the data is read by a human. Which lets a lot of activities off the hook.
Private Cloud
A bespoke server farm for your corporate data sited in a country of your choice.
According to Daniel Pollick, this is where data is heading for organisations that really do need to keep it secure and understand where it is stored. He also suggested that legal firms should develop ways in which that data can be used offline as well. Moving further away from the cloud / social model, he is also reigning in any attempts to create communities because of the 1,9,90 rule. For every 100 members of a community there is 1 person who contributes, 9 people who comment and 90 people who do nothing. Inevitably those that do contribute are the ones who you would rather stay quiet. As for e-mail it is just a massive security hole that will never be plugged so we should look at new forms and create internal solutions on a private cloud that match the capabilities of external apps.
Public Sector Joint Venture
An amorphous term used to encapsulate the Government’s attempts to get some upfront cash from a private sector partner, who will be expected to transform a project but still leave the Government with a stake.
On the face of it this phrase is self-explanatory but the session devoted to it only served to undermine any clarity. This was not the fault of either of the speakers, I hasten to add. They presented the material as concisely as possible. No the confusion lies at the heart of the policy which wants to see value created from government projects without either selling or outsourcing them and with the added complexities of requiring employee participation and responsible tax planning. As Stephen Rayfield of Herbert Smith Freehills LLP noted, a John Lewis type employee trust model would normally be based in Jersey for tax reasons but that would not wash when partnering with the government. Add in the desire of the Cabinet Office not to impose a vision of what any JV will look like before it is agreed, a view aired by their representative Tim Decamp, and you can see that any tangible meaning of Public Sector Joint Venture is very vague – which is probably how it should be.
Shoulder-surfing
A pleasingly alliterative and catchy term to describe the situation where you allow someone to read your laptop or tablet, or listen into a phone call, in a public place so risking breaches of data privacy or security policies.
Nigel Miller mentioned this as a potential hole that needs to be addressed in any BYOD policy and it was tellingly illustrated on my journey home from the Conference. I was seated at a table in an overcrowded train when the man next to me fired up his laptop and placed some papers he was working from almost directly in front of me. A surreptitious sideways glance was all I needed to work out that the top sheet of paper was the medical report of a patient with a potentially cancerous growth on his cheek. It clearly displayed his name, date of birth and address. Now I like to think that I am a decent sort who would not use this data for any nefarious deeds – but the woman opposite looked very shifty and I’ll bet she could read upside down.
The challenge ahead is a big one.
PS: I could not finish this piece without mentioning Daniel Pollick’s closing session which demonstrated his latent stand-up comic abilities including a dig at Apple ‘What does the ‘s’ in the iPhone5s stand for? The same’ To get a belly laugh from 145 IT lawyers at 5pm after a long day is no mean feat.
David Chaplin is an SCL member and director of Bath Publishing, online law publishers.