Ramsés Gallego looks at how the European Commission’s new cookie rules are changing the security landscape for Webmasters, IT departments and anyone involved in the editing and maintenance of a Web portal.
Regardless of whether you are a Web designer, IT administrator or not-so-humble end user of the World Wide Web, the chances are that the new European Commission’s rules on cookies – which became law in late May of this year - will have changed your outlook on the Internet.
The new cookie privacy rules are the result of revisions to the EU Privacy and Electronic Communications Directive (2002), which was revised by the Citizen's Rights Directive (2009) and implemented in the UK through the Privacy and Electronic Communications Regulations (2011).
There are some exceptions to the legislation, but they are very few and far between.
This is a substantial change from the previous regime under which cookies were dropped onto a user’s computer, unless the user had specifically `opted out’ for the site concerned.
The law change – which has been overseen in the UK by the Information Commissioner’s Office - has been implemented to provide greater privacy for Internet users, and controls what data that a Web site operator can drop on to a visitor’s computer.
Although the new legislation is still in its early days of deployment – and the ICO has not yet begun `discussions’ with any sites for failing to abide by the new rules – my observations are that implementing the directive has not been an easy task for most IT professionals, whilst few Internet users – except those within the IT function – are fully aware of the new requirements and what they mean.
The UK's ICO has issued some helpful guidance notes centering on the need for sites to perform a cookie audit, a user-impact assessment and an action plan. Most automated `website in a box’ services have also launched an EU cookie facility for their clients.
Welcome to the world of geo-location
Geo-location is a discipline that is firmly on the modern Internet-aware business agenda, as it can bring tremendous marketing rewards to the site concerned, in the form of geo-marketing activities, targeted messages and the like.
It’s worth noting that the new cookie legislation presents a number of risks to portals that use geo-location technology – and many business have discovered that the risks can potentially outweigh the rewards, mainly because their site is now required to interpret a lot of the data on the user `in the clear,’ including location, time and Web-browsing habits.
In view of this, it is clear that most organisations now need to be cautious when embracing mobility and all the features that come with it - as well as including mobile devices within their corporate security strategy and integrating those devices within their business asset management programme.
The issue that is of most concern, we have observed, is that a growing number of mobile devices have corporate information stored on them and are used for enterprise activities.
The new EU cookie directive obliges service providers to explicitly indicate that the browsing session on a given set of Web pages is being tracked/recorded.
As European legislation watchers will be aware, the new rules are clearly in place for the foreseeable future and its implications - and resulting implementations - pose a number of difficulties from both a security and governance perspective.
ISACA believes that implementing – and continuing to meet the provisions of the EU cookie directive - on a secure and effective basis is the logical way forward, as the data involved is both high-risk and personal.
Sensitive data that could be leaked typically includes information on gender, age and other attributes that could allow your `digital persona’ to fall into the wrong hands, including those of Internet marketers.
This leads us neatly into the privacy aspect of the new legislation – largely as a result of the Internet, most Web users have fewer barriers and fewer secrets than they did just a few years ago.
Many Web users, in fact, think that is now cool to post where we are, what we are doing, with whom, when and even why.
In fact, according to an April 2012 survey conducted by ISACA, 32% of individuals in the US are using location-based services more now than they did 12 months ago.
Against this backdrop, it is clear that organisations need to address how they are gathering location-based information and what they do with it.
This business security process is about defining a security posture around classification of information, data collection practices, etc., that can identify a person's present location-and equally important, past and future locations. Organisations must clearly indicate the methods of collection, the retention policies, and when-and how-the information will be destroyed.
Failure to comply is not an option
A failure to comply with the new EU cookie directive will certainly have ramifications for a business in terms costs - as well as the obvious legal and reputational consequences.
And, whilst the financial implications can leave a big impact, it should be clear that the cost of reputational damage is likely to be far greater.
ISACA believes that the concept of privacy - when dealing with personal information - centres on the individual's trust in an organisation and its information systems.
It is this trust that allows us - as individuals - to make a judgement call on whether we are happy to release the kind of information that we do to that organisation.
Unfortunately, we have seen several examples recently with recognised brands suffering data/information breaches. Based on the fallout from these breaches, it should be clear to any manager that companies must communicate the technical and organisational mechanisms they have in place to protect user information-such as encryption, processes and procedures.
How to comply with the Directive
It should now be clear that businesses using geo-location applications and methods of data collection have a responsibility to behave ethically and protect consumers' information and rights.
And - whilst there are clear differences in how the US, Europe and other regions of the world treat the explicit consent of their Internet user - businesses around the world should provide opportunities to opt-in - not by default, but with an explicit consent from the user.
Businesses also need to include geo-location data as one of the priorities within their audit governance strategy. The definition of governance, by the way, is "setting strategic direction, and achieving corporate goals, working out that risks are managed and that resources are used responsibly.”
ISACA, which believes that the governance of geo-location data should be addressed using these facets of the definition – can offer a lot of assistance in the helping to develop the planning progress that form a central plank of an company’s governance strategy.
Now available as a free download at www.isaca.org/cobit, COBIT 5 is created for business and IT professionals alike.
Its guidance helps enterprises to bridge the gap between IT control requirements, technical issues and business risks.
Recently, ISACA published COBIT 5 for Information Security, which provides additional guidance on the enablers within the COBIT framework and equips security professionals with the knowledge they need to use COBIT for more effective delivery of business value.
The bottom line is that, when it is properly governed, geo-location technology is a tool that can be very effective for both consumers and businesses, and the EU cookie directive will, in the end, protect both of these parties.
Ramsés Gallego is international vice president of ISACA and also is a member of ISACA's Guidance and Practices Committee, the CISM Certification Committee and the CGEIT Certification Committee. He also served on the planning committee of the inaugural ISACA World Congress and chaired the planning committee for ISACA's Information Security and Risk Management Conference in Europe. Gallego is also security strategist at Quest Software.