Thursday, 8 December 2016

New UK Information Commissioner shows her teeth issuing fines for wealth screening to RSPCA and BHF

What on earth has been going on at the RSPCA? Assumed to be a quiet backwater helping animals in distress, it became a vehicle for what looked like politically motivated criminal cases and has now been found to have broken the law with very aggressive data profiling, or "wealth screening", carried out without consent in order to generate income.

All credit to Elizabeth Denham, the new head of the ICO, for the bravery to take this organisation on, as it would not immediately fit into the category of data villain.

One of the areas of breach was the sharing of data within a group of other (unidentified) charities called "reciprocate". Effectively, when you agreed to share data (or not) with the RSPCA, they took it as carte blanche to share your personal data with everyone in the group.

Perhaps up to now Data Protection has been seen as a box ticking exercise with many government agencies relying on blanket exemptions and busily building databases.

However, as the Alan Lord case showed, there are no blanket exemptions and each case must be considered on its merits. The right of data subjects to request information via a subject access request will need to be taken even more seriously now.

A new attitude at the ICO should send a warning shot across the bows of both government and big business who have been harvesting and processing personal data without getting proper consent and being clear about the purpose.

Friday, 25 November 2016

Data protection and cyber issues for small and medium sized business

Having been involved in setting up and running a number of small businesses it is very clear that generally there is a relentless focus on sales, cash and new customers (and survival). Regulation and bureaucracy are not your friend as unlike larger businesses there is not the scale to support the army of required admin people ticking boxes with feverish intensity.

Overall the digital age has been a positive for small business allowing lots of admin activity to be simplified and reducing the need for infrastructure. A lot can be done with a mobile phone number, email address and website. Welcome to the gig economy.

However it has become very clear that digital data has a huge value, and personal data even more so. Data is like money. Since it has value some people want to steal it and stealing data is generally called hacking.

Also Governments, ever keen to "guide" or "nudge" the people to the correct conclusions (not going so well with Brexit and Trump) have been spying on the population leading to the game changing revelations from Edward Snowden.

Therefore, into the previous wild west of big digital data comes regulation. In the UK the very analogue Data Protection Act has been updated piecemeal by the Regulation of Investigatory Powers Act, the Protection of Freedoms Act and the Freedom of Information Act, with the GDPR soon to be in force.

Small and medium businesses are presented with quite a challenge as a result. For example, issues like encryption of sensitive data, explicit consent and the right to be forgotten all need to be considered. All of these are important, but for the owner of a small business who has not changed his passwords in 12 months they seem esoteric at best.

Unfortunately, if a small business does ignore this issue it can destroy customer trust if hacked and also suffer on the compliance side, as this case from the ICO shows.

Therefore what?

At klipcorp IP we have developed this simple free risk assessment tool aimed at helping small business on this complex journey and would encourage engagement with it.

It is inevitable that business will need to allocate resource into this area (both large and small) and over time those that do not will lose customer trust / business and sometimes suffer at the hands of the regulator.

Thursday, 6 October 2016

Yahoo: Directors liability for cyber breach : IP protection in the Digital Age

With only 20 months until the implementation of the GDPR large organisations such as Barclays have already put big teams and resources in place to meet the new requirements. With breach fines up to 4% of turnover and the requirements to maintain a personal data inventory and report breaches within 72 hours this will be a big challenge for the SME and Mid Size community. The requirements of explicit consent for processing sensitive personal data (likely to include video and voice) and a linked right to be forgotten will require significant resource commitment and expertise.

TalkTalk were fined a record £400,000 yesterday by the ICO for a very poor level of cyber security which is close to the maximum under current UK legislation. This is a wake up call for businesses handling personal data in the UK as fines will be much higher under the new regime. Dido Harding may be regretting that she did not obtain an independent view of her cyber safety levels and allowed her IT team to mark their own homework.

The Yahoo hack has made the news but most of the focus has been on its scale in terms of numbers of email addresses. The class action suit available HERE alleges, under Count V, Negligence. The specific wording is "Defendant owed a duty to Plaintiffs and the other class members to exercise reasonable care in safeguarding and protecting their PI and financial information in its possession from being compromised, lost, stolen, misused, and/or disclosed to unauthorised parties".

Further, the suit suggests that identity thieves may wait for years to use the information gained and that class members will therefore need to be vigilant for years or decades to come.

The combination of negligence and the potential for decades of required monitoring points to a potentially huge damages number. This could be the end of the road for Yahoo and open the way for personal negligence claims against Directors in this area.

Taken together, the regulatory regime for personal data is significantly tightening up and the associated risk level is beginning to become clear.

Friday, 16 September 2016

Amazon Echo raises the stakes on privacy in the home and IP protection in the digital age.

Is it safe or is there a storm coming over the horizon? Difficult to tell. There is great excitement about the new Amazon Echo (new to the UK), a voice activated networked microphone and speaker which allows interaction with the web via voice command. It is intended to sit in the home and answer questions, play selected music, adjust smart devices in the home, order things online, etc.

It works by constantly monitoring sounds in the home and responding to its name, Alexa. However, in order to recognise the word Alexa it needs to listen to everything, and the microphones are so good that it can listen across the room and filter out loud music.

The convenience is very appealing but the loss of privacy is substantial. Who owns the data that is collected by Alexa and the profiling that results from that data? Who will carry the liability if that data is misplaced or stolen, or if, for example, voice activated financial transactions are carried out by the wrong people?

A company with the scale of Amazon will have worked through these issues no doubt but the significance of networked always on audio monitoring in the home may not fully register with a technology enthusiast simply looking for an easier way to stream music in the home.

Thursday, 8 September 2016

There is no data cloud, only somebody else's computer

Perhaps because digital data has negligible physical presence we often struggle to view it as property.

If we stored our valuable physical possessions in a facility with no security, people would think we were crazy and possibly partly to blame if our stuff went walkabout.

The penny is starting to drop however that remote digital storage of our valuable digital IP needs to be evaluated in respect of its security and that contracts need to deal with the sticky subject of liability in the event of data breach or loss. This is particularly the case when the IT company who are in theory holding your data are in fact outsourcing it to another third party. It seems likely that aside from contractual terms the tort of negligence may have a part to play here when the basic requirements of cyber security have been ignored by those handling personal data.

Tuesday, 30 August 2016

Kim Dotcom LIVE

Kim Dotcom has been successful in insisting that his current trial can be viewed live on YouTube.

DotCom seems pleased with this outcome as he insists that when people realise the basis of the case against him they will support him.

He insists that MegaUpload was blindly storing copyright infringing material and as such should not be held responsible. In the same way that a man who makes or sells a knife or a car is not held responsible if that object is later used to break the law.

The analogy breaks down a bit as the servers remained under the control of MegaUpload whereas the other objects mentioned do not - but that is for another day.

However, when this case is settled we will be one step closer to understanding where liability rests online and the degree of responsibility a hosting company, or third party provider, must take. This is also relevant for data protection and the GDPR.

Hold onto your hats - this is showtime!

Thursday, 18 August 2016

Stormy weather for healthcare providers (and others) not protecting personal data - $5.55 million fine

The recent fine of $5.55 million levied on Advocate Health Care Network (AHCN) starts to sketch out liability levels for failing to protect sensitive personal information. This will be of great interest to insurance companies looking to calculate risk premiums and to IT providers looking to limit liability.

AHCN is the largest health care provider in the Chicago area and between July and November 2013 it suffered 3 data breaches. 4 million records went missing but there has been no indication that these records have been used or published. So no loss to date for the victims.

2 of the 3 breaches were straightforward theft of hardware (4 desktops / 1 laptop) rather than the more exotic type of cyber attack.

The areas of failure were identified as follows:

failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;

failure to implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;

failure to obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and

failure to reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

No doubt AHCN will have attempted to present itself as the victim of crime, which it was, but was fined nevertheless even though the data does not appear to have been misused.

How many handlers of personal data would currently pass the tests above?

Tuesday, 16 August 2016

Sage hacked : insider threat and third party liability

Recent news that Sage (the accounting software provider) has been hacked and that staff details of around 300 UK businesses have been accessed (names, addresses, bank details etc) should alarm the many SMEs who rely on third party technology providers without question.

According to reports, internal login details were used, so this was less a high tech hack and more a case of walking in through an unlocked door - a disgruntled insider, probably.

The Information Commissioner's Office is having a look at this, and the breach is potentially more serious than TalkTalk as the type of data accessed looks to be more valuable and personal. But when the fire has been put out, who will pick up the tab and compensate the individuals whose data has been taken?

Sage will no doubt be going through the terms and conditions of its standard contracts to determine whether it can wriggle out of any liability to its impacted customers. In any event, what direct loss does a customer suffer if name, address, bank details etc are published on the open internet? If a customer is later the victim of internet fraud, will it be possible to establish a causal link between the breach and the loss?

Might Sage be insured for cyber breach? If so, does this cover insider threat, which might well be viewed as negligent? Will the insurance extend to paying compensation to customers of Sage?

Given the above complexity it is understandable that Sage should seek to keep as low a profile as possible on this matter, but if you are using a Sage solution right now, how secure do you feel?

Anybody can be hacked but the question of who picks up the tab when it happens is far from settled.

Tuesday, 9 August 2016

Cyber safety: separating the wheat from the chaff

It is predicted that the internet of things will see 20 billion devices connected to the internet by 2020. The pace of change is enough to make your eyes bleed and inevitably there will be some major cyber security issues along the way.

Even the insurance community who are generally comfortable with risk are mainly keeping their powder dry - most policies available (AIG, Hiscox, Zurich) are bespoke and assume high levels of pre-existing cyber safety.

Court cases such as Travelers Casualty and Surety co. vs Ignition Studios Inc do not help to identify where liability falls as it was settled out of court.

From an SME perspective it is very tough to penetrate the complex language around cyber safety, and absent user friendly insurance policies the market looks likely to remain in its early stages. Until a few court cases have shown where liability falls between principals and third party providers, and what minimum level of cyber safety is required before negligence kicks in, sorting the wheat from the chaff will be a tough challenge.

Wednesday, 3 August 2016

Cyber security for solicitors and barristers. Can you promise confidentiality and asset security if your IT systems are vulnerable?

In 2015 62% of law firms were estimated to have been the victim of cyber attack (PWC) and only 35% had mitigation plans in place. The Information Commissioner's Office reported a 32% increase in data breaches in the legal sector in 2015. Mossack Fonseca was the victim of a major data breach which looked to have been carried out by a malicious insider. Insider threat shows that cyber security and safety is more than just a matter of technology safeguards.

Against this rapidly evolving factual backdrop, can solicitors and barristers reasonably promise confidentiality and security to their clients, and can clients continue to trust that this is the case?

The legal profession plays a key role in society and the cornerstone of that role is client trust in confidentiality and in the security of the assets transferred to solicitors and barristers. The SRA and Bar Standards Board both insist in their codes of Professional Conduct that confidentiality and asset security are maintained.

However, the digital age has brought outsourced IT providers (who themselves outsource), home working on personal devices and remote digital storage very little of which is measured against the criteria of security but very understandably convenience and price. This week 200 million Yahoo passwords were put up for sale on the dark web.

Common sense suggests that until solicitors or barristers have had an independent Digital Audit to check cyber risk levels it would be unwise to make promises about security and confidentiality to clients. To hide a disclaimer of liability for data loss in the small print of an Engagement Letter, in the absence of an independent Digital Audit, could also be viewed as unprofessional.

To get in touch with us at KLipcorp IP to discuss any issues raised in this article please CLICK HERE

Thursday, 7 July 2016

National Crime Agency scope out the issues re Cybercrime and Internet enabled fraud

In today's assessment of cybercrime in 2016 from the NCA some very good points are made which can assist with the management of a difficult issue.

There is always enthusiasm for a magic "piece of kit" which solves the problem - especially from the command and control boffins in the IT dept - but this is an illusion:

"Perfect security is almost impossible. Almost all organisations, no matter how much money and effort they put in, are vulnerable to determined attacks by high-end crime groups which have developed tools and techniques that can penetrate all but the very best defences."

In addition

"Although the most serious threat comes, directly or indirectly, from international crime groups, the majority of cyber criminals have relatively low technical capability. Their attacks are increasingly enabled by the growing online criminal marketplace, which provides easy access to sophisticated and bespoke tools and expertise, allowing these less skilled cyber criminals to exploit a wide range of vulnerabilities."

A quite bleak assessment but it points to the importance of recognising the challenge as not purely technical and having a disaster recovery plan in place.

Thursday, 30 June 2016

Swefilmer case might follow Sanoma / Playboy into the rabbit hole

Followers of the intricacies of copyright law will know that a core requirement of infringement is communication to a new public.

The global nature of the internet, however, can be taken to mean that once something is available anywhere online it is not an offence to re-publish it.

In the current Swefilmer case leave has just been granted to apply to the ECJ for a ruling on this point and the case has been suspended.

If this goes the way of Sanoma / Playboy the rights holders are going to need to adjust their approach to IP protection and allocate resources to tracing and stopping the "first seeders" rather than the aggregators even though it is mass distribution that really does the damage to exclusivity.

Tuesday, 28 June 2016

Ethical Hacking

It causes amusement sometimes when we explain that we work with Ethical Hackers - or more specifically graduates in Ethical Hacking.

The choice of the word ethical seems very vague to some, as there is a general sense that ethics are very subjective, and it is pretty easy to get drawn into the circular debate about one man's freedom fighter being another man's terrorist.

However, the choice of the word Ethical as opposed to Legal is possibly down to the fact that the law is very badly out of date and totally inconsistent around the world, while the internet is a global thing.

A man sitting in Switzerland, remotely logged in to a PC in London and accessing a DDoS attack tool hosted in multiple locations, decides to attack an online store in Texas because they overcharged him and did not deliver what he ordered. Go figure the legal issues, but the ethical issues are pretty easy.

Hacker groups like Anonymous and OurMine test to destruction the idea of ethical hacking and re-emphasise the need for global co-operation and regulation.

Monday, 20 June 2016

Brexit and the Digital Age

In all the back and forth over whether the UK will vote to leave or remain in the European Union we have been deluged with carefully timed statements from various business leaders telling us what would be best.

Notable by their absence (unless I missed it) are statements from some of the world's biggest digital businesses on whether we should leave or stay. Google, Microsoft, Amazon and others have all kept a pretty low profile even though they are generally enthusiastic lobbyists of Government.

Perhaps they are anticipating an interconnected fluid global economy where location and government matter far less and only to the extent that it dictates the tax base and weather you enjoy (or not). If you want to sell online services to an international customer simply target your marketing at them and ensure your online presence can be viewed by the correct IP address range.

To defend their world view the Digital Single Market is being pushed hard by the EU but it remains the case that policing the internet proves much more difficult than policing physical goods.

The role of an entity such as the EU is less in the Digital Age as we are all by default trading or starting to trade on a global basis and others are doing the same.

In the event that the UK voted for Brexit, how would the EU actually enforce the new General Data Protection Regulation, for example?

There are many good reasons to both vote leave and vote remain but either way the role of the EU as an "aggregator" is less needed than in the pre-internet era when it was originally conceived.

Meanwhile - something from the archives about why we joined the EU to begin with:

Wednesday, 1 June 2016

Pepper the Robot - do you want fries with that ?

When Softbank placed 1000 of its new emotionally intelligent robots (Pepper) on sale for $2000 each they sold out in under 1 minute. It has also just been announced that Pepper has secured a number of jobs in Pizza Hut across Asia taking orders and payments. Next stop USA and Europe.

Take a look at the video of Pepper talking to Rory Cellan-Jones in Estate Agent mode. She is very cute and, if we assume a shelf life of 3 years, would cost about $55 per month.

As previously commented on, automation has been creeping up on us since the dawn of the digital computer, but suddenly this starts to look like mass job replacement on an industrial scale as opposed to tools which help people do their jobs more efficiently.

News that Apple supplier FoxConn recently replaced 60,000 staff with Robots in a single factory supports this view. Estimates vary by work sector but in some sectors such as call centre activity 75% of jobs are expected to be replaced by automation and respected surveys show 45% of jobs will be lost in manufacturing.

All good maybe - more time to loaf around, watch some TV and idly sip on a cold beer while pondering the facts of life. The slight flaw in that brief sketch of nirvana is the complete lack of earned income to support those worthy activities. On a macro scale, will the politicians be able to maintain the types of distinctions they enjoy between the workers and the shirkers, and the deserving and undeserving poor, as the tax base shrinks faster than an EU politician can claim his expenses?

600 factories in Kunshan Province in China are looking at similar proposals, and since average local annual income is around $4000 per annum, if the numbers work in China they are a no-brainer in Europe and the UK.

The rapid rise of inequality and emergence of a global "elite" has a tang of Feudalism about it but in reality free market capitalism was dead and buried when the banks were bailed out by the taxpayer during the financial crisis. That issue however has not really gone away and in the US a new group is in place to address this - Take on Wall Street - who argue that since the crash 90% of the income growth has been captured by the top 1%.

If predictions are correct on automation inequality is about to become much more severe due to high levels of unemployment and these will make the issues around the financial crisis look small by comparison.

However - top prize will go to the hacker who breaks in to Pepper's operating system while she is talking to customers...

Thursday, 26 May 2016

CERT-UK identify massive increase in new releases of ransomware in last 8 months

Between January 2012 and October 2015 there were 33 new releases of ransomware.

In the last 8 months this figure has jumped to 70, showing the rapid rise of pre-packaged, off the shelf tools for hackers.

Ransomware delivers a virus into a system (often via a phishing email) which locks the system up totally and destroys data unless a ransom is paid within an agreed period.

The only realistic defence against this is regular offline backups of material to a secure location.

Law enforcement agencies such as the Met Police and City of London Police strongly advise against the payment of ransoms.

Monday, 23 May 2016

DeepWeb and SurfaceWeb: What lies beneath?

There is a popular misconception that Google and the other mainstream search engines index all the content that is out there on the web (if you are prepared to dig enough). In fact, Google / Bing etc only access the surface web in much the same way that a trawler with a drag net only picks up the fish fairly close to the surface.

Perhaps, like experienced fishermen, they don't want to go too deep for fear of what might end up in the net.

Estimates vary but a very popular statistic is that the DeepWeb is about 500 times larger than the SurfaceWeb. This might seem absurd but lots of government data is stored out there in a way that is not visible to the search engines.

A part of the DeepWeb that has attracted a fair bit of media attention is the DarkWeb, which can only be viewed as part of the Tor network. The websites on this section of the web have a .onion suffix, albeit that this is not a recognised domain like a .com.

SilkRoad was the most famous site on the Tor network / dark web and was involved in almost all the illegal activities that spring to mind. The FBI and Europol have closed down a number of versions of the site (proving that nothing is 100% anonymous) but tribute sites continue to spring up.

Both the DeepWeb and DarkWeb present big challenges to both Governments and Law Enforcement all over the world.

Both the DeepWeb and the DarkWeb have proved invaluable to individuals fighting against oppressive regimes which stifle free speech. The value lies precisely in the fact that these networks are free from censorship. Anne Frank would have been posting to the DeepWeb rather than scratching away at her diaries in Hitler's Germany.

On the other hand it seems pretty absurd that a specific search engine exists on the DeepWeb to search for and supply illegal drugs.

The statement that one man's terrorist is another man's freedom fighter neatly captures the problem here. The internet is global and the standards across the globe are not consistent. Large corporations have exploited these different standards in respect of tax and regulation and the criminal fraternity are doing so in respect of criminal and civil (or common) law.

The Budapest Convention on CyberCrime seeks to address this issue and start to enforce common standards but at this point it only has 50 signatories worldwide and Russia, China and India are notably absent.

A search engine now exists called Onion City which allows access to the Dark Web without using the Tor network. This is probably a good thing, as increased visibility should facilitate regulation.

Looking forward, it will be interesting to see whether the first attempts at global regulation of the internet (which is obviously required) will go for the highest common factor in terms of standards or the lowest common denominator.

Thursday, 19 May 2016

Top obvious passwords in LinkedIn hack: 750,000 people used 123456

Recent information has been released relating to the 2012 LinkedIn hack. Hopefully, given that this relates back to 2012, this information is badly out of date, but below is an indication of how common very easily hacked passwords are:

123456    : 753,305 people
1234567   : 49,652 people
12345678  : 63,769 people
123456789 : 94,314 people
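The practical defence against the pattern above is to reject known-common passwords at the point where a user chooses one, rather than hoping users avoid them. The following is an added example written for this post, not code from the original or from LinkedIn: it checks a candidate password against a blocklist of common choices and also aggregates a leak's password-to-count table to show what share of accounts would have been caught by that blocklist. The blocklist and the leak counts are constructed for illustration (the counts are modelled on the figures quoted above, not the real dataset); in practice the blocklist would be loaded from a breach-derived list, as NIST SP 800-63B recommends.

```python
"""Blocklist check for common passwords, plus a leak-share summary.

Added example, not from the original post. COMMON_PASSWORDS and
SAMPLE_LEAK_COUNTS are constructed sample data.
"""
from collections import Counter

# Constructed blocklist: the four strings named in the post plus a few
# other well-known weak choices. A real deployment loads a breach-derived list.
COMMON_PASSWORDS = frozenset({
    "123456", "1234567", "12345678", "123456789",
    "password", "qwerty", "111111",
})

# Constructed password -> account-count table modelled on the figures in the
# post, with two strong passwords added so the sample is not 100% weak.
SAMPLE_LEAK_COUNTS = {
    "123456": 753305,
    "1234567": 49652,
    "12345678": 63769,
    "123456789": 94314,
    "correct horse battery staple": 1,
    "N7#kq!Pz9vL2": 1,
}


def normalise(password: str) -> str:
    """Lower-case and strip so trivial variants ("Password ") still match."""
    return password.strip().lower()


def is_blocklisted(password: str, blocklist=COMMON_PASSWORDS) -> bool:
    """True when the candidate (or a trivial variant of it) is a known-common password."""
    return normalise(password) in blocklist


def check_password(password: str, min_length: int = 12) -> list[str]:
    """Return the reasons a candidate should be rejected; an empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_blocklisted(password):
        reasons.append("appears on the common-password blocklist")
    if password.isdigit():
        reasons.append("digits only")
    return reasons


def blocklisted_share(counts: dict, blocklist=COMMON_PASSWORDS) -> tuple[int, int, float]:
    """Summarise a leak table as (accounts using a blocklisted password, total accounts, fraction)."""
    total = sum(counts.values())
    hit = sum(n for pw, n in counts.items() if normalise(pw) in blocklist)
    return hit, total, (hit / total if total else 0.0)


def top_passwords(counts: dict, n: int = 3) -> list[tuple[str, int]]:
    """The n most frequently used passwords in a leak table, most common first."""
    return Counter(counts).most_common(n)


if __name__ == "__main__":
    for candidate in ["123456", "Password", "N7#kq!Pz9vL2"]:
        print(candidate, "->", check_password(candidate) or ["accepted"])
    hit, total, frac = blocklisted_share(SAMPLE_LEAK_COUNTS)
    print(f"{hit} of {total} accounts ({frac:.1%}) used a blocklisted password")
    print("most common:", top_passwords(SAMPLE_LEAK_COUNTS))
```

The point of normalising before the lookup is that a blocklist that only matches exact strings is easily sidestepped by capitalising the first letter; the length and digits-only checks catch the rest of the numeric sequences in the list above even if a particular one is missing from the blocklist.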

Tuesday, 17 May 2016

Cert-UK publish data for 2015-16 - cyber incidents increase by 85% in 12 months

Cert-UK has released data recently which paints a picture of rapidly growing cyber crime combined with the increased popularity of easy to use "off the shelf" hacking tools.

As you can see, malicious code makes up the lion's share of reported incidents, with a further breakdown below of the types of malware that are proving the most common.

Cyber data released recently shows variations and the NTT report released at the end of April 2016 showed a decrease in DDoS attacks while Cert-UK has seen that number increase.

Taking a helicopter view what is clear is that as hacking and cyber attack becomes de-skilled the volume of attacks is rapidly increasing.

Cert-UK saw the greatest increase in Phishing as a form of attack and predicted that in 2016 Ransomware would dominate. In addition there is a very high probability of a major cyber attack on national infrastructure.

IT departments often bamboozle their line managers in respect of the security or otherwise of their systems and processes - especially if the line managers are not digital natives.

In fairness to IT departments many of the core risks are entirely people related and have no technical aspect to them but either way the knowledge that most internet connected IT systems are extremely vulnerable in spite of the machine that goes "ping", is reaching a much broader audience.

Monday, 16 May 2016

SyntaxNet and ParseyMcParseface - what do you see ?

Last week Google supercharged the artificial intelligence and machine learning landscape by releasing, for free, an advanced natural language understanding system. The technical term for breaking down a sentence into chunks a computer can understand is parsing and hence ParseyMcParseface. Take that sports lover as an old friend of mine used to say. No chilling effects here but a red hot acetylene blowtorch.

Detailed information on this and the free software download can be found HERE

On one level this is an amazing advance which will allow developers and coders all over the world to benefit from capabilities they could never have developed themselves. This could lead to various challenges being solved in a much shorter time frame related to health, food supply etc etc and the greater good.

Perhaps the various commercial businesses who were developing similar technologies but cannot afford the "free model" will be less positive about this as a blowtorch is taken to all the revenue projections in their carefully polished business plans. Game over at a stroke probably (briefly delayed until the advisors have found a suitably padded exit of course).

A combination of Google's DeepMind artificial intelligence and the software identified above appears to put Google well ahead of any potential competitor or government. Let's hope benevolent dictatorship is the end game here and that there is not a less positive ghost in the machine lurking somewhere in the code.

What might DeepMind and all this software have to say on the concept of democracy, the EU referendum or even The Donald?

Tuesday, 3 May 2016

10% of Amazon's "workforce" are now robots

Amazon now employs about 230,000 people worldwide and has over 30,000 very cute Kiva robots whizzing about the distribution centres. Press reports suggest they are very keen to grow that number.

Take a look above at the robots in action.

If these Kiva Robots did not exist we can speculate that Amazon would perhaps hire another 30,000 people and pay the payroll taxes etc that would go with that. Perhaps some of the people replaced by the Kiva Robots are now entirely dependent on the government for support in their local jurisdiction.

As a purely theoretical exercise we could assume that these workers would have been paid an average of $25,000 per year, taxed at an average of 20%. Over ten years this is a loss of $1,500,000,000. No account is taken here of any additional state support that might be needed.

From a perfectly reasonable Amazon perspective they are making the supply chain as efficient as possible and meeting the perceived needs of the consumer.

With companies such as Rockwell Automation (global sales $7 billion) entirely focused on automating industrial processes it is safe to assume that we are at the start of a pretty rapid acceleration of the shift to automation and robotics operating with a degree of AI.

It must therefore be a very interesting debate with companies such as Amazon as to how much tax they pay in any jurisdiction given that they can massively reduce the tax bill by introducing more robots. No doubt companies such as Amazon will struggle over time with the fairly thin argument about being based in an offshore jurisdiction but they can counter that by stripping out the local workforce and replacing it with robots.

Politicians are in for a pretty tough time. It seems possible that automation on a mass scale will have an even greater impact on the average person than globalisation, and the democratic process will come under massive pressure if wealth becomes too concentrated in the hands of a few global, highly automated companies and their shareholders, directors and employees.

The free market philosophy is going to have to work very hard to defend itself if inequality starts to edge up further and the support of the middle class for Trump in the USA suggests tempers are already running pretty hot.

Wednesday, 27 April 2016

Sky quarterly results paint picture of fast changing consumer entertainment market

Solid results from Sky again: high numbers of new customers, a fairly stable ARPU and churn of around 10% suggest steady as she goes. A slight uptick in churn was explained by a reduction in heavy discounting - light touches on the tiller.

However, a great deal of resource appears to be going into pan-European integration to generate economies of scale, upmarket services like Sky Q, products for other demographic groups like Now TV, and substantial investments in mobile. This perhaps suggests that the plain vanilla UK pay TV model is not proving very robust in the new digital age and Sky is moving as fast as possible to diversify before this is generally perceived.

In a fascinating comment during the earnings call Jeremy Darroch referred to evolving relationships with content partners which were closer to co-productions, allowing flexibility during the period of a rights contract rather than a very rigid structure set in stone at the outset (such as the Premier League, for example). He suggested that where partners did not want to take a flexible approach Sky would seek to make cost savings.

BT's next set of results will show how BT's move into entertainment is going and Premier League clubs must be keeping fingers and toes crossed that it is going well for BT to avoid a one horse race at the next rights auction with Sky dominating the European picture.

Wednesday, 20 April 2016

NetFlix up 100% in 2 years NewsCorp down 23% - internet vs traditional TV

With NetFlix hitting over 80 million subscribers the nights are drawing in for the traditional operators. Below, in no particular order, are some of the key differences between the 2 distribution models which while mostly irrelevant to the consumer make an impact on the business models.

1. Internet delivery is by default global while traditional TV has always been highly regional.
2. Barriers to entry for internet TV are very low indeed while merely getting an EPG slot for traditional TV is difficult and expensive.
3. Traditional TV infrastructure is command and control based with a limited level of true interactivity. Internet delivery is far more open, difficult to control and with very high degree of potential interactivity.
4. Traditional TV remains a more stable platform for the delivery of very high volumes of live content. Once multicasting is fully enabled on IP networks this will probably change.
5. Micro payment for content is far easier and cheaper on internet TV.
6. It seems that the monthly price point for internet TV is under £10 per month while traditional TV manages to edge up to £50 per month at the moment.
7. Internet TV requires virtually no installation and is plug and play. It does require a high speed broadband connection.
8. Advertising rates on traditional TV are significantly higher.
9. Audience metrics are capable of being far more accurate on internet delivered TV as the return path is in place.

For those who believe the market is never wrong the judgement is clear - a mainly traditional operator such as News Corp has seen its share price fall 23% over the last 2 years while NetFlix has seen its share price increase by 100%.

Tuesday, 19 April 2016

NetFlix hits 81.5 million subscribers worldwide

The shares may have fallen about 15% in trading on weaker forecasts but it is a big win for NetFlix to hit 81.5 million subscribers for an internet-only streaming service.

In the USA Netflix has more than twice the number of subscribers as Comcast and it makes Sky in the UK on 12 million subscribers look like a tiddler.

With Amazon launching monthly subscriptions the battle is well and truly on but NetFlix would be a very attractive merger partner for an old style media company who missed the boat initially on the digital age. Good news for the internet streamers but there are bound to be more casualties in the traditional TV world.

Thursday, 7 April 2016

Linking to Pirate Content may not be communication to a new public

Perhaps a slightly dull headline, but in the world of copyright infringement and piracy this preliminary ruling today from the European Court of Justice makes life more difficult for copyright owners.

In essence, and only on the facts of this case, if material is freely available already, then no new communication to the public occurs when it is published / linked to again without permission. This echoes Svensson and Bestwater.

Without a communication to the public there is not on the face of it copyright infringement. Other remedies such as trademark infringement and conspiracy to defraud still stand however.

This is not really ideal particularly when it does not seem to matter if it is obvious that the "source" material is not itself authorized. Copyright legislation really needs a bit of a re-boot.

Wednesday, 6 April 2016

Good night Vienna for (client) confidentiality

There is a really strong moment in Jurassic Park when the character played by Jeff Goldblum delivers the line "they were so pre-occupied with whether they could they didn't stop to think if they should".

Whoever is the current (or maybe former by now) head of IT / security at Panama law firm Mossack Fonseca must be wishing nostalgically for the days of typewriters and attractive people reaching for the bottom drawer of the metal filing cabinet.

According to reports the data breach, by some measures the largest ever at 2.6 TB of data with documents going back to the 1970s, was achieved through a compromise of the email server leading to the download of its entire contents. Since the 1970s were pre-digital the decision must have been taken to digitise hard-copy documents and add them to the servers.

One might expect a massive download of this type to be picked up by network monitoring systems and therefore it seems likely that the external hackers had some internal assistance - but that is speculation. The alternative is that no network monitoring was occurring which might leave you wondering what the IT dept were up to (other than watching dodgy online content and surfing social media).
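To make the network monitoring point concrete, here is an added example (not from the post, and not based on any real log from the breach) that runs two checks over constructed outbound flow records: a burst rule that would catch a one-night dump of this size, and a per-host comparison against the median of earlier days, which is what catches the slower drip that never trips the burst threshold. Host names, peers and volumes are all made up for illustration.

```python
import statistics
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed flow-log lines (not real data from the breach): timestamp, internal host,
# external peer, bytes sent outbound. The shape mimics a summarised NetFlow/IPFIX export.
# mailsrv-01 dumps 2.6 TB in one night; hr-04 drips 60 GB in 10 GB chunks over a day.
SAMPLE_LOG = """\
2016-03-29T09:00:00,mailsrv-01,198.51.100.20,1200000000
2016-03-30T09:00:00,mailsrv-01,198.51.100.20,1100000000
2016-03-31T09:00:00,mailsrv-01,198.51.100.20,1300000000
2016-04-01T02:10:00,mailsrv-01,203.0.113.7,900000000000
2016-04-01T02:40:00,mailsrv-01,203.0.113.7,900000000000
2016-04-01T03:10:00,mailsrv-01,203.0.113.7,800000000000
2016-03-29T22:00:00,backup-03,203.0.113.9,5000000000
2016-03-30T22:00:00,backup-03,203.0.113.9,5000000000
2016-03-31T22:00:00,backup-03,203.0.113.9,5000000000
2016-04-01T22:00:00,backup-03,203.0.113.9,5000000000
2016-03-29T11:00:00,hr-04,198.51.100.40,1000000000
2016-03-30T11:00:00,hr-04,198.51.100.40,1000000000
2016-03-31T11:00:00,hr-04,198.51.100.40,1000000000
2016-04-01T00:30:00,hr-04,203.0.113.7,10000000000
2016-04-01T02:00:00,hr-04,203.0.113.7,10000000000
2016-04-01T03:30:00,hr-04,203.0.113.7,10000000000
2016-04-01T05:00:00,hr-04,203.0.113.7,10000000000
2016-04-01T06:30:00,hr-04,203.0.113.7,10000000000
2016-04-01T08:00:00,hr-04,203.0.113.7,10000000000
"""


def parse_flows(text):
    """Parse 'time,host,peer,bytes' lines into (datetime, host, peer, int) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, host, peer, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), host, peer, int(nbytes)))
    return flows


def peak_window_bytes(flows, window_s):
    """Largest outbound volume inside any sliding window of window_s seconds."""
    events = sorted((t, b) for t, _, _, b in flows)
    peak = total = lo = 0
    for t, b in events:
        total += b
        while t - events[lo][0] > timedelta(seconds=window_s):
            total -= events[lo][1]  # drop events that fell out of the window
            lo += 1
        peak = max(peak, total)
    return peak


def detect(flows, day_str, window_s=3600, burst_limit=100 * 10**9, baseline_factor=5.0):
    """Return {host: [reasons]} for hosts whose outbound traffic on day_str looks anomalous.
    Check 1: a burst above burst_limit inside any sliding window (the one-night dump).
    Check 2: the day's total against the median of earlier days (the slow drip that stays
    under the burst rule but is still many times the host's normal daily volume)."""
    day = date.fromisoformat(day_str)
    per_host_day = defaultdict(lambda: defaultdict(int))
    by_host = defaultdict(list)
    for f in flows:
        by_host[f[1]].append(f)
        per_host_day[f[1]][f[0].date()] += f[3]
    alerts = {}
    for host, hflows in by_host.items():
        reasons = []
        today = [f for f in hflows if f[0].date() == day]
        if not today:
            continue
        peak = peak_window_bytes(today, window_s)
        if peak > burst_limit:
            reasons.append(f"burst: {peak / 1e9:.0f} GB within {window_s}s")
        history = [v for d, v in per_host_day[host].items() if d < day]
        if history:
            baseline = statistics.median(history)
            total = per_host_day[host][day]
            if total > baseline_factor * baseline:
                reasons.append(f"volume: {total / baseline:.0f}x the median daily total")
        if reasons:
            alerts[host] = reasons
    return alerts


if __name__ == "__main__":
    for host, why in detect(parse_flows(SAMPLE_LOG), "2016-04-01").items():
        print(host, why)
```

On the constructed data the mail server trips both rules, the HR host trips only the baseline rule, and the nightly backup (large but routine) trips neither, which is the point: an absolute threshold alone either misses the slow exfiltration or drowns you in alerts from legitimate bulk transfers.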

As none of the documents were encrypted, once the breach had occurred it was very much "good night Vienna" both for the clients of Mossack Fonseca and for the concept of confidentiality between lawyer and client.

As a broader issue medical records and all other digitally stored content that is not encrypted must now be considered semi-public.

While 3 TB may seem large (perhaps 10 million documents), portable storage for this can be bought off the shelf for about £115. Any unhappy person in any IT department can simply walk out the door with sensitive data.

The ethics around the actions of Edward Snowden and the hackers involved in the Mossack Fonseca case are not clear cut and, unless you are an ends-justifies-the-means merchant, they will always be in a grey area.

The key thing to now accept is that the old adage from Benjamin Franklin rings true "Three people can keep a secret, if two of them are dead."

Monday, 21 March 2016

Beware the typo... and stay safe online

Phishing scams rely to a large extent on people not spotting small typos and therefore believing that an email or website is legitimate. A clear example would be (which is an Oman registered domain). Believing a communication to be legitimate, links are clicked, files downloaded, passwords shared etc., which leads to financial loss or worse.

A recent review of the free hacking tools easily available online (password crackers, wireless hacking tools including the beautifully named Firesheep, packet sniffers, keystroke loggers etc.) re-emphasises the need to take online security seriously and to check online communication with great care.
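Checking a sender's domain against a short list of the organisations you actually deal with catches most of these lookalikes mechanically. The script below is an added example (it is not from the original post) and assumes a constructed allow-list of three domains and a partial table of confusable characters; it folds common substitutions, flags punycode (xn--) hosts outright and scores the rest by edit distance against the allow-list.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list: the domains this reader actually receives mail from.
# Anything close to one of these, but not on the list, is treated as a lookalike.
TRUSTED_DOMAINS = {"paypal.com", "hsbc.co.uk", "amazon.co.uk"}

# Character swaps typosquatters rely on, folded away before comparing (partial list).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def extract_host(target: str) -> str:
    """Host part of an e-mail address or URL, lower-cased, without a leading 'www.'."""
    if "@" in target:
        host = target.rsplit("@", 1)[1]
    else:
        host = urlsplit(target if "://" in target else "//" + target).hostname or ""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def fold(host: str) -> str:
    """Strip accents and non-Latin letters, then collapse confusable sequences, so
    'paypa1.com' folds to 'paypal.com' and a Cyrillic-a 'paypal' ends up one edit away."""
    host = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES.items():
        host = host.replace(bad, good)
    return host


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(target: str) -> str:
    """'trusted' if the host is on the allow-list, 'lookalike' if it imitates one,
    otherwise 'unknown' (still worth suspicion, just not this particular alert)."""
    host = extract_host(target)
    if host in TRUSTED_DOMAINS:
        return "trusted"
    # A punycode label on a host that is not on the allow-list is almost always a
    # homoglyph trick; any internationalised domain you really deal with belongs on the list.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    folded = fold(host)
    for good in TRUSTED_DOMAINS:
        brand = good.split(".")[0]
        if brand in folded:                    # paypal.com.verify.example, arnazon.co.uk
            return "lookalike"
        if edit_distance(folded, good) <= 1:   # paypai.com, payapl.com
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ("alerts@paypal.com", "security@paypa1.com", "help@payapl.com",
                   "billing@xn--pypal-4ve.com", "news@example.org"):
        print(sample, "->", classify(sample))
```

The brand-name check is deliberately blunt (it will flag amazon.com if only amazon.co.uk is on the list), which is the right bias for an allow-list: a domain you trust that is not on the list is a list maintenance problem, not a reason to loosen the rule.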

Tuesday, 15 March 2016

Lee Se-Dol 1 - DeepMind AlphaGo 4

Expressed in footballing terms it is a bit of a thumping. A computer powered by artificial intelligence has convincingly defeated its world champion human opponent at the intuition-based board game Go. Is it possible that AlphaGo deliberately lost one game to give the humans hope and prevent us taking early defensive action?

DeepMind was founded in September 2010, so it has taken about six years to defeat thousands of years of human development of the game.

The network effect will allow machines to learn much faster than human biology will allow so the question is what happens next ?

From an optimistic point of view many issues that seem totally beyond our capability to solve can be sorted out (financial crisis, hunger etc etc) from a pessimistic point view we lose control and humans are seen as part of the problem.

Either way this will be pretty exciting and my money backs the humans to keep the upper hand.

Tuesday, 8 March 2016

CyberSecurityShow 2016 - trends to watch out for going forward in cyber security

At the 2nd Annual Cyber Security Show in trendy North London a wide variety of vendors, products and services were on display and offered a good insight into industry trends.

At the apex of the industry, defence-related contractors such as Babcock, Lockheed Martin, Airbus and Thales offer the perception of total security for critical applications. At the next level providers such as Darktrace, eSentire, Zscaler and iboss deliver solutions into financial services and other industries. Below this some excellent but smaller scale operators such as BitNinja, Ripjar, GeoLang and SHAYYPE offer more specific solutions to specific problems.

None of the providers go as far as offering a silver bullet solution and none will accept liability if a cyber attack does penetrate defences.

In a few years when the hacker community has had a really good crack at these systems we will have a better idea which ones are robust and resilient and which are signed up members of the smoke and mirrors brigade but in fairness all looked to offer genuine value in one way or another.

The stand-out trend was probably the emergence of viable ways to manage remote working from multiple devices in a fairly low-risk way across the cloud. A notable absentee was any technical solution to spear phishing, which, given the resources available to some of the attendees, points to how hard that problem is to solve. The closest to it was Darktrace, which monitors the internal network for threats that have already got in.

Wednesday, 2 March 2016

Beyond Google

The industrial revolution and steam age reduced the value of physical labour. Google has now set the bar pretty high for any aspiring knowledge workers. Essentially to deliver value you have to be able to deliver beyond what Google has to offer for free. What might the hourly rate be for a professional Googler ? Would a Google Scholar Googler get a premium ?

Imagine a researcher not delivering what could be discovered on Google in 30 mins and hoping to be paid for it ? Trust has a part to play and perhaps Googling the symptoms of pancreatic cancer would not be enough to head direct to the operating theatre.............but give automated eye scan based diagnosis a few years and we might be there.

DeepMind the Google AI project will really accelerate the erosion of value in knowledge work and challenge the value of many previously well protected professions.

Wednesday, 24 February 2016

Internet safety tips

1. Browse safely

In the same way that you would not head off down a dark alley, stay away from websites that are clearly not legitimate. Unlicensed live sports streaming sites are a prime example and frequently carry viruses and malware.

A prominent search listing on Google or Bing does NOT in any way imply internet safety. If you do visit these sites do not click on ads or interact with them.

2. Update passwords, don't use words you would find in a dictionary, and don't reuse the same password on more than one site (a password manager makes this painless).

3. Don't open email from people you don't know and never click on the links if you have opened the email.

4. Remember you are not anonymous online - much the reverse.

Friday, 19 February 2016

Cyber attacks; Who carries the liability ?

It is clear that the volume of cyber / hacking attacks is rapidly increasing whether very low tech (but effective) phishing scams or much more advanced activity.

What is less clear is who is picking up the tab when things go wrong. Given that most companies tend to outsource hosting and webdesign and frequently work with freelance IT contractors liability may be limited at the contractual level. There is also a strong incentive for existing technical providers to insist all is well to avoid clients digging too deep and realizing that they are carrying all the liability.

Insurance has a part to play here but the insurance industry seems to be struggling to determine risk premiums and the policies available are awash with exclusions.

It was widely reported that TalkTalk suffered substantial loss from being hacked but not made clear whether this was an insured risk.

If private data is held on a third party shared server and that data is stolen partly through the failure of the hosting company to implement reasonable levels of security who pays ?

Arguably none of this has really mattered in hard financial terms because losses have been difficult to quantify. This is set to change when the EU General Data Protection Regulation, which allows fines of up to 4% of global annual turnover, takes effect (it applies from May 2018).

One way or another the issue will be clarified, and with it whether the liability rests with the client or with the IT / hosting contractors. With the average cost to an SME of a cyber attack being about £190,000 the cost is material.

Wednesday, 17 February 2016

CERT-UK shines a light on internet safety in 2015/16

CERT-UK, the excellent UK government sponsored cyber resilience entity, has released its overview of cyber risk in 2015.

It pulls together data from a range of sources and listed below are some key extracts;

1. The 2015 Information Security Breaches Survey found that 74% of small businesses suffered a breach, 38% of which were from an external attacker. So the disgruntled employee / freelancer is alive, kicking and armed with a USB stick. The average cost of a breach was between £75,000 and £311,000.

2. The cyber insurance market is set for rapid expansion from £1.7 billion to £5 billion in 5 years. There is a caveat here that as the risk level is poorly understood there is some doubt in respect of whether cyber policies will prove effective until the market is more mature.

3. Top malware types (most common first):

Gameover Zeus

Conficker was the clear winner and represents a very serious threat for anyone still running XP or other unsupported software.

4. DDoS as a service is one to watch in 2016 potentially in combination with Ransomware.

Monday, 15 February 2016

Vtech tries to wash its hands re internet safety

As some of you will be aware, Vtech (baby monitors to cordless phones) was seriously hacked recently and personal data was compromised. A potential response to this could be to improve security levels on its products, but it appears that the Vtech legal department has jumped in and tried to push liability away and onto the users of Vtech products.

So the proposition is presumably that if a live feed from a hacked Vtech baby monitor appears online Vtech has excluded all liability ? This may or may not be legally sound and it seems likely that the tort of negligence might have something to say here but it is pretty cheeky from Vtech.

When you entrust personal data to a third party online it seems only reasonable that they take care of that data in the same way that a bank needs to take care of your money. If not, it might be best to use an alternative supplier.

Tuesday, 9 February 2016

Services going global may limit UK average earnings growth

Recent information from the Institute of Fiscal Studies suggests that the UK's current financial plan may not come in as forecast. It seems unlikely that this would surprise anybody.

However, digging into the figures there is a new pattern emerging which is causing a bit of general confusion among the pointy head economists and it goes something like this;

Normally as employment levels increase (as they have in the UK) this causes a shortage of labour which in turn drives its price up. These increased wages translate into greater tax revenues due to the progressive nature of income tax.

However this is not what has been happening. Average earnings are 7% under where the IFS expected them to be in 2016 which is a very big miss.

It seems possible that the ability to get lots of projects done remotely via the internet by people based all over the world (often in a very low cost base) provides companies with an option they did not have before. There was a time, for example, when a logo design was a £2-3k investment, whereas now numerous auction-type websites will have good designers from all over the world competing to do the design for under £150. And the results are excellent.

This limits the options of the UK based graphic designers to argue for a bumper pay rise (or any pay rise) however good the client relationship. They do have the option to join the global pool online but work for a fraction of previous earnings.

Companies under pressure in the long shadow of the 2008 financial meltdown will find lots of ways to do more with less and it seems likely that accessing low cost skilled labour from a global pool via the internet will be one of them. Common sense suggests that countries like India where a monthly average wage is £200 will benefit whereas countries above the mean global average will suffer as the playing field levels off in a networked world.

Monday, 1 February 2016

SkyQ might be aimed at the silver surfers

Sky has decided to take an old school approach with the imminent launch of its premium Sky Q service. Generally Sky has been on the right side of all the big decisions and the timing of those decisions (going digital / HD / Sky Plus etc etc) but this one is quite a big call.

Essentially Sky has gone for lots of local storage & multiple tuners in the home with the ability to play that locally stored content on multiple devices in the house (and out of it where content can be sideloaded).

This appears to be going in the opposite direction to many of the web-based services such as Amazon Prime and NetFlix, which rely on very light apps and dongles to get the content into the home and depend on high speed connectivity into the home with centralised technology. Interestingly Sky also does not seem to want to develop the Now TV proposition into a premium service, which might have been expected.

One explanation might be demographics. Sky Q is possibly aimed at those over about 40 who are not digital natives but are generally more affluent. This group have probably never visited a torrent site or heard of CricFree. Now TV on the other hand goes head to head with the pirates and is targeted at a generation who are well aware nothing is exclusive.

If the above is correct how many of this older Sky Q group would want to watch TV on a tablet or phone or record 5 programmes at once ?

With BT launching 4K and the young challengers NetFlix and Amazon hot on their heels Sky appear keen to be seen to be innovating and if past performance is a guide to future performance this should be a success.

Tuesday, 26 January 2016

Internet wins the distribution battle with 5-16 year olds - they spend 50% more time online than watching TV

Arguably the means of distribution makes no difference to a consumer of content but even so the broadband internet seems to be confirming its place as the winner against conventional TV distribution.

It may be the ability to seamlessly access from any device (YouTube), the social interaction / network aspects or the nature of the material available. Zoella - the most popular Vlogger with 5-16 year olds has 10 million followers on YouTube - a dream audience for many small regional cable or satellite channels.

Children between the ages of 5-16 are spending 3 hours a day online against 2.1 hours in front of the TV. YouTube and NetFlix are the stand out winners with a blend of "normal" TV content and new formats.

Amusingly a number of terrified TV people have popped up in the media suggesting that traditional TV content is simply being viewed on the internet without acknowledging that internet content is now also being viewed on the TV.

If the consumer doesn't really care how the pictures get to them it is a very different matter for the media companies who create and deliver the content.

In the case of Zoella she needs decent video and audio equipment, some $100 editing software on a PC / laptop and a broadband connection. If really enthusiastic she can do the editing herself.

Creating this type of content in an old school TV environment you would need to get past the creative gatekeepers first, hire a studio, cameraman, editor etc etc etc - basically a non starter.

In the case of NetFlix going global was about adjusting some IP address ranges and extending the bandwidth / streaming agreements. The old school model would involve painful discussions on satellite time and securing decent slots on the EPG's controlled by others  - many in the pocket of the existing dominant distributors.

Fundamentally to distribute content on the internet is far less capital intensive but also it is impossible to control distribution to the same degree which lessens the reality of exclusivity. There is also far less scope for intermediaries to take a cut along the way. These factors fundamentally change a number of old school business models and will drive the cord cutting and cord never figures.

The return of the turntable shows that old technologies do not die but change and find a very different place in the market.

These new figures from Childwise show that convergence has arrived and will follow 5-16 year olds into adulthood.

Monday, 18 January 2016

Back to the future

With the comeback of the turntable might the typewriter be hot on its heels ?

As security concerns regarding the Internet start to penetrate more deeply into people's thinking might very confidential documents be kept "off the grid" all together ?

Encryption is not a guarantee - the algorithms themselves are generally sound but keys, implementations and the devices at either end fail - though it is effective enough for most applications, leaving a space when total confidentiality is required. A device that is never networked cannot be attacked over the network, which narrows the attack surface considerably; it does not remove the human factor (the typist, for example) or the need to control physical access to the machine and the paper.

The type of language used in the security industry is also pretty hard to fathom sometimes for the non-expert, which would make a return to a simple solution such as a typewriter even more understandable when absolute confidentiality is required. If Snowden had tried to wander out with 50 box loads of paper files he might well have been spotted.

An example of this hard-to-penetrate language is below, from the OWASP Top 10 Proactive Controls for 2016 (all of which are very sensible if you can understand them);

1. Verify for Security Early and Often
2. Parameterize Queries
3. Encode Data
4. Validate All Inputs
5. Implement Identity and Authentication Controls
6. Implement Appropriate Access Controls
7. Protect Data
8. Implement Logging and Intrusion Detection
9. Leverage Security Frameworks and Libraries
10. Error and Exception Handling
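Control 2 (parameterize queries) is the one most worth decoding, so here is an added example, not from the post or from OWASP, that uses a constructed three-row SQLite table to show the same username lookup written both ways and what a crafted username does to each. Control 4 (validate all inputs) is layered on top as a second line of defence; the table, usernames and regex are assumptions for the demonstration.

```python
import re
import sqlite3


def make_db():
    """In-memory SQLite database with a constructed users table (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-a", "admin"),
        ("bob", "hash-b", "user"),
        ("carol", "hash-c", "user"),
    ])
    return db


def lookup_vulnerable(db, name):
    """String concatenation: the user's input is parsed as SQL, so a name such as
    x' OR '1'='1 rewrites the WHERE clause and returns every row."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, name):
    """Control 2: the value travels separately from the statement, so whatever it
    contains is compared as data and can never become part of the query."""
    return db.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Constructed rule for what a username may look like (assumption for this example).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_validated(db, name):
    """Control 4 on top of control 2: refuse anything that is not a plausible username
    before it reaches the database, so malformed input is rejected (and can be logged)
    rather than silently producing an empty result."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return lookup_parameterized(db, name)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:   ", lookup_vulnerable(db, payload))    # all three rows
    print("parameterized:", lookup_parameterized(db, payload)) # []
    try:
        lookup_validated(db, payload)
    except ValueError as exc:
        print("validated:    ", exc)
```

The habit to take away is that the parameterized form is not harder to write than the concatenated one; it is simply a different call shape, and the validation step is what turns a silent empty result into an event worth noticing.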

Tuesday, 12 January 2016

Panto in the cord cutting debate

Everybody loves a bit of panto, but those suggesting that Time Warner's additional 32,000 cable customers in 2015 mean that cord cutting is dead have possibly over-indulged during Xmas.

Kodi (the re-branded XBMC) provides a very well made and technically respected media interface which aggregates thousands of channels available on the internet, most of which are unlicensed.

This interface (or software) can be sideloaded onto Apple TV and other things running iOS, as well as Android systems and the Amazon Fire TV stick. For the plug-and-play brigade, boxes can be purchased with pre-loaded software for about $55 with no ongoing subscription costs and connected directly to the TV.

It is quite amazing that Amazon both promote content via Amazon Prime and undermine that activity by not blocking Kodi from the Fire TV stick. Didn't get the memo ?

At the CES 2016 show lots of snappy new devices which aggregate feeds from across the web in ever greater quality on a subscription free basis were on show.

The argument deployed by these device vendors can be termed the "Google defence", which states that merely linking to content which is unlicensed does not break the law. If it did, Google might be writing a very big cheque indeed (sorry, transferring loads of Bitcoin over a blockchain).

For the demographic totally unconcerned with costs of pay tv etc these innovations will make little difference but as a younger demographic feeds through will they "step up" or become the cord nevers much feared within the industry ?

The outcome of this debate probably boils down to how copyright law is updated to reflect the realities of the digital age.

At a very top line level it seems likely that loss of control over distribution will reduce the ability to monetize content using the lever of exclusivity. On a rational basis this would reduce the amount distributors could pay to rights holders and still make a return. Looked at another way companies will take extraordinary steps to defend business models under pressure and may be tempted to bid up the value of the very premium content that could draw in subscribers......maybe.

Friday, 8 January 2016

Hateful Eight shows the lack of analysis in the piracy debate

A quick search on Google for a free download of the Hateful Eight provides lots of options - probably an equal balance between legitimate licensed viewing and pirate activity.

Richard Gladstein writes in the Hollywood Reporter that the movie has been illegally downloaded 1.3 million times since Xmas and that Google is basically to blame for not taking more action.

The piracy group behind the leak which occurred pre-release, Hive-CM8, claim a physical copy with no encryption was bought off the street. They also claim that the PR around the leak has helped movie sales.

A few conclusions can be drawn

1. Despite the deployment of technical solutions by the movie business to fight piracy they are not working 100% which unfortunately given the nature of digital replication and distribution presents an issue. The video games industry has had more success in this area but they have the advantage of a console to tie into.

2. As no accepted metric for the losses caused by piracy has been established yet bizarre claims that piracy helps the movie business cannot be dismissed. Until this is addressed the debate will remain circular.

3. The legal framework is not fit for purpose and the simple principles behind the Berne Convention and copyright generally have been diluted. If the situation really is that all rights are non-exclusive in the digital age then relevant governments should simply say that and we can all adjust accordingly.

Thursday, 7 January 2016

Privacy enters the search arena with DuckDuckGo, Oscobo and Hulbee

Size matters and the image of David with the head of Goliath is much more the exception than the rule.

The search market, estimated to be worth over $80 billion, is dominated by Google at over 65%, with Bing, Baidu and Yahoo all under 20%.

New privacy centric search engines DuckDuckGo (USA), Oscobo (UK) and Hulbee (Europe) have decided that consumers want to search anonymously and are not OK with the level of data harvesting that is going on.

A very interesting proposition that requires a high degree of trust from consumers but in the case of DuckDuckGo has seen 600% traffic growth over the last year.

With the rapid growth of ad blockers and the possibility that consumers will start to protect & value personal data more carefully there will be some adjustments needed to ad funded online models.

Wednesday, 6 January 2016

European VPN market to grow at 13% per year to $15 billion by 2020

Recent research and analysis  from Frost & Sullivan suggests that the current European MPLS / IP VPN market is worth just over $7 billion. This is forecast to grow to just under $15 billion by 2020 at a compound annual growth rate of 13%.

If true this suggests the genie is well and truly out of the bottle regarding internet security post Snowden, although with the caveat that MPLS / IP VPNs are corporate wide-area networking products sold by carriers rather than the consumer privacy VPNs that Snowden-era concerns have driven, so the link is indirect.

In the corporate market increased use of cloud based storage requires greater focus on secure connections to that storage and use of the open internet for confidential data / communications starts to look negligent. If proposed Data Protection legislation is enacted fines of up to 4% of turnover will be in place which will focus attention (especially around the time when bonuses are trousered).

In the consumer market innovative products like the Shellfire VPN box developed in Germany allow the non tech savvy to notch up security levels on the home network across multiple devices. Whether all the new flavours of OTT subscription video streaming services (which may restrict access by IP address and geography) will work through a system of this type remains to be seen. If not, can you imagine the calls to the helpdesk?

That said it may prove to be the case that there is a significant correlation between users of VPN's and those who wish to watch unlicensed content and avoid ISP blocks on pirate or unlawful websites.

When it comes to the really "bad guys (and girls)" the VPN / encryption debate could prove a red herring, as they will probably hide in plain sight on the open internet using steganography-based techniques which are as old as the hills and will not be picked up by the automated systems and machines that go "ping".


Tuesday, 5 January 2016

Amazon Prime vs NetFlix

Amazon, the giant of online retailing, also holds (through AWS) over 35% of the cloud platform market. With a market cap of over $300bn it dwarfs a company such as News Corp at $10bn.

Amazon's share price was about $5 in 1998 and now stands at over $600.

The perception of dominance therefore of media companies in local markets must be taken with a pinch of salt given the expansion of the Amazon Prime entertainment offering. Stories of success and failure in the entertainment industry have often been driven by the ability of distributors to pay very high prices for exclusive content for long enough to destroy the competition and grow a customer base. This is even more extreme if Amazon decide to use its content offering as a marketing tool for the retail offering.

It would be worth a great deal to know the level of ambition Amazon has for Prime and the investment they are prepared to make in it. Free hosting / distribution and customer care are a pretty good start, combined with hassle-free online payment.

NetFlix, success story that they are, have clearly recognised the threat and started to produce content in house (such as the excellent Beasts of No Nation).

These developments look to be good news for both the producers of compelling content and the massive remaining global content distribution platforms once they have fought it out and either consolidated or been forced out.

Amazon look to be able to lose money on content for longer than NetFlix if Amazon have decided that this is a priority area.