Posts on this blog represent my opinion. It may be my considered opinion on the basis of my formal study of law and technology. But it is not legal advice. It must not be treated as, or acted upon as, legal advice and no liability is accepted for doing so.

Friday, 14 October 2011

SCL Conference 2011 - Day 1

I'm at the Society for Computing and Law's 2011 Conference in Bath, with the theme of New Technology v High Risk. I'll aim to blog updates on the sessions as we go along, so refresh for details.

Technology, Risk and Law - Dr Andrew Martin, University of Oxford.
A heartfelt plea for professionalism in the IT industry, in the context of properly understanding what risk is and what technology can and cannot do. Andrew Martin observed how we are increasingly reliant on security entities we have no knowledge of (eg certification authorities) and, with more and more of our household devices not only being connected to the Internet but having multiple sets of our credentials, this poses risks of security failures it is hard to be aware of, let alone properly quantify. He put forward three wishes for the genie that we have let out of the bottle: better technology, in the sense of understanding and removing vulnerabilities; more realism as to what IT can and can't do; and more focus on reliability and robustness in place of pushing the state of the art.

Cyber-crime - Prof Ian Walden (QMUL), Det Sup Charlie McMurdie (Met Police), Neil Hare-Broom (QCC Forensics)
Cyber-crime is getting more sophisticated; we are seeing seized PCs with over a dozen virtual machines, or more than 8TB of data to be examined. Some suspects have literally dozens of online IDs. The problem is made worse by the declining effectiveness of anti-malware protection, the growing pressure (from economy and convenience) for businesses to allow use of employee devices for work, and the jurisdictional challenges of cloud computing. The panel couldn't offer a simple answer, with views from "it can only get worse" to "we have to do what we can to help ordinary users and shouldn't just accept that this happens". Again, the question of how much we accept poor reliability in software came up - should we extend consumer protection law to cover the quality of software security? Ditto for enforcing pervasive use of encryption to protect payment details. Interestingly, the police officer was wary of adding more and more laws, on the basis that threats of prosecution can deter reporting - carrots are better than sticks.

No comments: