BT 21CN (NGN) Security Threat?

We were interested to read over the weekend that there may be hardware trapdoors or software trojans in Huawei next generation network equipment supplied to BT for its 21CN NGN network, according to a report in The Sunday Times.

At what point does this become a regulatory issue?  The Privacy and Electronic Communications (EC Directive) Regulations 2003 impose an obligation on providers of public electronic communications services to:

“take appropriate technical and organisational measures to safeguard the security of that service”  (See Reg. 5).

The service provider can require the network provider to comply with its reasonable requests concerning implementation of these appropriate measures.  Where a significant security risk remains, then subscribers are supposed to be told.

We look forward to Ofcom investigating whether BT has done the appropriate technical due diligence on Huawei equipment and the statement from BT that it has addressed the security risks to its public electronic communications services!

IT: Core (In)Competence?

This morning we heard the news that the Dunfermline Building Society will not be supported by HM Treasury. Is this just another financial services disaster?

Maybe, but as commercial lawyers we were drawn to the reports that the loss of £26m reported for 2008 at DBS was less than the claimed £31m invested in a failed IT venture. On closer inspection, thanks to an informative article in The Herald, it is clear that the IT venture did not sink DBS, but it cannot have helped.

Why did the building society not consider outsourcing? One of the reasons often quoted for choosing to outsource is that it leaves the outsourcing customer able to focus on its core competence. In addition, engaging an outsourcing service provider expert in the relevant back office or other IT support services often enables the customer to obtain a more efficient and effective service than was possible when the services were provided in-house.

This is familiar territory for our IT lawyers – our outsourcing agreements for customers are designed to facilitate these outcomes.

Password Security

We liked the guidance in the blog from Graham Cluley of Sophos on choosing passwords – see here.  It is timely advice, given that a Sophos survey found that 33% of us use the same password for all our website accounts.

Alternatively, how about using a short two-word phrase – convert the second word into numbers using your phone’s keypad.

Using a sentence or phrase as a memory aid is quite common.  Users of Mark IV manifoil combination locks (standard locks in government and military secure environments) often use sentences together with letter tables (similar to keypads on mobile phones).  It’s much easier to remember a sentence than a whole series of combinations!

Google Street View

I’m normally one of the first to get on my soapbox about breaches of the Data Protection Act/Directive, but with Google Street View I seem to be missing the point.

Why is everyone so upset by a collection of crowd scenes? If I told you I featured on 10 street views for the UK, and that each view where I feature gives away some personal information about me, could you find them? Of course not. In fact, I couldn’t even tell you if I appear on any of them.

Let’s get proper enforcement of what laws we have about personal data sorted out before we get precious about so-called invasions of privacy by applications such as Street View.

Andrew (first posted as an answer on LinkedIn)

European Space War?

Thanks to a Tweet from Guardian Tech, we were alerted to a story about trouble brewing between the European Commission and the ITU: here.

Frankly, we are surprised it has taken this long.  In short, the European Commission has decided to sort out the selection and authorisation of S-Band mobile satellite services operators in the EU: see Decision 626/2008/EC.

What still hasn’t been sorted out, as far as we can see, is the issue of national licence fees.  The operators selected by the Commission will still need to get national spectrum licences (or even recognised spectrum access licences).  At what cost? Article 7 of the Decision is silent on this, only requiring member states to grant authorisations to the selected operators in accordance with Community and national laws.

If the cost set in some member states is low, expect the existing mobile phone operators, in particular the 3G operators who paid fortunes in the 3G licence auctions, to come out fighting.