Businesses, residents and council customers are increasingly paying for local government services online. The advent of E-day on 19th September, when payments made by councils to suppliers will be exclusively electronic, is the culmination of this. But not a day goes by without news of a significant security breach involving a major organisation. So what steps need to be taken to ensure the security and integrity of the information that local government agencies and county councils hold?
The recent earth-shaking revelations about data theft and surveillance unearthed by Edward Snowden and others finally threw the spotlight on the importance of data protection. Suddenly, internet users en masse became more aware than ever of the potential pitfalls involved in disclosing sensitive or personal information online, something which millions of us do on a daily basis, sometimes many times per day, and often unwittingly. Considering the sensitivity of some of the information which we share online, particularly bank and other financial information, the average user is entitled to a reasonable level of expectation of privacy when using the net for business or personal reasons.
Billy Hawkes is currently the man charged with the responsibility of acting as Ireland’s Data Protection Commissioner, and is based at an office in Portarlington, Co Laois. The under-resourcing of this particular office has come in for wide-ranging criticism from a number of different quarters, with most of the objections raised concerning how an office of such vital national importance can be left with such a dearth of funding, staff and resources.
With the number of complaints against firms that are headquartered in Ireland increasing each year, the resources and capacity of the Irish Data Protection Commissioner’s office are coming under renewed international scrutiny. Without positive intervention in the near future in the form of commitment to more funding and greater allocation of resources, the Data Protection Commissioner’s position will become increasingly difficult as the office’s workload inevitably continues to mount.
One way in which the issue could be tackled is by improving encryption technology. Many critics have voiced their concerns about the lack of effective encryption being implemented in many businesses. While it may seem like something that should come as standard when referring to any business which deals in financial data in particular, many still feel that this is an area in which a lot of businesses and organisations are taking a somewhat lackadaisical approach.
Secure encryption is not nearly as widespread as it should be and the number of unencrypted USB devices or mobile devices with commercially or consumer-sensitive data is startling. An end-to-end encryption policy, guaranteeing security of information all the way through the process of paying for a specific transaction online, would be ideal, but at the moment is not always possible in every case.
While the updated European Union laws with regard to Data Protection are still working their way through the red tape and bureaucracy of the EU machine, our commissioner has stated that full implementation is not likely for three or four years. In the meantime, we looked at the methods which local government and county councils used to handle the issue of data protection.
Kildare County Council, for example, has a number of safeguards and a range of procedural and technological solutions in place to protect sensitive or personal information. Below is a short list of the measures undertaken in this regard:
• Organisational Firewall solution in place to prevent external access to the Kildare County Council (KCC) network.
• Secure communications via the Government Virtual Private Network (VPN)
• Latest Windows patches installed.
• Intrusion Prevention System and Intrusion Detection System (IPS/IDS)
• Anti-Virus software.
• Comprehensive data backup solution in place in case of accidental loss of data.
• Two- and three-factor authentication on all relevant systems, authorised by the relevant data owner in each section.
• Automatic PC lockout.
• Internet access for staff authorised by Director of Service in writing and monitored using Web Marshal monitoring software.
• Secure server room.
• Secure off site storage of backup media.
• Encryption of mobile devices, e.g. laptops.
When you visit a County Council site, some information is collected and stored automatically. This information does not personally identify you, but is often used by County Councils to maintain and improve their website service. The information collected includes: the Internet domain and IP address from which you access the site, the type of browser and operating system used to access the site, the date and time of the visit, and the pages visited.
If you linked to the website from another location, the address of that website and of any website you visit directly from the Council website are tracked. Information on the number of times particular search terms are used and the number of failed searches is also collected.
If a site user chooses to send personal information to a website, Councils use that information to respond to enquiries and will only pass details to another agency if it is required by law or that agency is relevant to the enquiry. Councils do not collect personal information for commercial purposes.
Councils do not store any record of credit card or Laser numbers. Any credit or debit card data is transferred directly from the user’s computer to the card services partner’s server over a secure, encrypted connection.
A “cookie” is a small amount of data that is sent to a user’s browser from a web server and stored on the user’s computer, where it is used to store and track information about the user. Basically, cookies cannot harm a user’s computer. The general controversy is not what cookies can do to a user’s computer, but what information they can store, and what they can pass on to servers. County Councils generally collect information using Google Analytics cookies.
The information is anonymous and does not contain a user’s name, address, telephone number, or email address, so that no-one can be personally identified. A normal text-based cookie cannot be of any danger to a computer or spread any viruses. Whether or not other cookies can be dangerous or spread viruses has to do with whether or not a file is “executable,” meaning it is a program rather than data. UNIX files, for instance, have some combination of the properties “readable,” “writable” and “executable.” The executable property is necessary to enable a program in a file to do something. If a cookie is not stored in an executable format for that platform, it cannot do anything hostile. Since Council website cookies are stored in a non-executable format, they cannot damage a user’s system and as a result are generally quite safe.
Use of Google Analytics
Many County Council websites use Google Analytics, the web analytics service provided by Google, Inc. Google Analytics uses “cookies” to help the website analyse how users use the site. The information generated by the cookie about use of the website (including users’ IP addresses) will be transmitted to and stored by Google on servers in the United States. Google can use this information for the purpose of evaluating use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage.