Monday, 26 November 2012

Singapore: Computer Misuse and Cybersecurity Act (Part II)


This is part II of my post on the proposed changes to the Computer Misuse Act (which will be known as the Computer Misuse and Cybersecurity Act after the changes). 

Active Defence

The move by the Singapore Government to make changes to the Computer Misuse Act parallels the moves of other governments. The Washington Post reported that US President Obama signed Presidential Policy Directive 20, which set out "a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace". There are other pieces of cyber-security legislation winding their way through both the US House of Representatives and the US Senate which would permit the deployment of countermeasures. I also previously highlighted a UK parliamentary commission suggesting that proactive first-strike measures be taken in the event of a cyber attack.

The issue of active defence is controversial mainly because of an expansion in its scope and the challenges in implementing such measures. For example, the US Secretary of Defence Leon Panetta suggested the possibility of pre-emptive strikes, and a former FBI official suggested that companies should be allowed to take more aggressive action to defend themselves.

The Bill provides the legal cover for persons and companies in Singapore (at the direction of the Singapore Government) to potentially walk down that path (that is, if the Singapore Government ever decides that it is necessary to do so).

As the Bill does not limit the type of measures which the Singapore Government can direct a person to take, they could conceivably range from reactive defensive measures to proactive defensive measures to offensive measures. While no one can doubt the right to adopt reactive defensive measures within the perimeter of one's own network, the complications start to arise when measures are of a pre-emptive or intrusive nature.

To put this into context: if a hacker manages to steal proprietary information from your computer system, a reactive defensive measure would be to identify and close off the vulnerability that the hacker exploited to access your system. An example of a proactive and intrusive defensive measure would be gaining entry into the hacker's system to delete only the proprietary information which was stolen. An example of an offensive measure would be to deploy software within the hacker's systems to disrupt those systems (think Stuxnet) or to conduct surveillance on the hacker's activities. Note that the second and third categories both require knowing whose system you are entering, which is precisely the attribution problem discussed below.

I am reminded of what Chief Justice Menon mentioned in his response to my question on amending the Computer Misuse Act. He said that while it was easy to say that we could have a carefully constructed exception to the general prohibitions against unauthorised access or use of a computer in the Computer Misuse Act, the practicalities of such an exception would be more complex. The upshot was that it would not be that easy to apply active defence measures in practice. I agree with him.

So, what could be the challenges of requiring the deployment of active defence measures (which are pre-emptive, intrusive or offensive in nature) in the context of the Bill?

What would constitute a threat to the national security, essential services or defence of Singapore or foreign relations of Singapore? 

The term "foreign relations" is not defined and could conceivably cover a host of things, from espionage to Wikileaks-style disclosures.

The term "essential services" is defined as services "directly related to communications infrastructure, banking and finance, public utilities, public transportation, land transport infrastructure, aviation, shipping, or public key infrastructure, or emergency services such as police, civil defence or health services".

That definition covers a large swathe of companies (both domestic and foreign). I am not sure how many companies in these sectors are aware of this Bill (coverage of the Bill in the mainstream media was not prominent), but they should take note of it given the broad powers granted to the Singapore Government and the measures or requirements which they may be asked to implement or comply with. All that is needed to trigger those powers is a certificate from the Minister of Home Affairs stating that the Minister is satisfied that there is a threat to the national security, essential services or defence of Singapore or the foreign relations of Singapore.

Are there limitations on the scope of measures which the specified person can take? 

The Bill refers to “any measure or … requirement”. There is no restriction in the Bill on the type of measure which may be deployed. As mentioned earlier, these could take the form of both offensive (whether pre-emptive or retaliatory) and defensive (both reactive and proactive) measures.

The procedures and standards which will be applied by the Singapore Government in any particular cyber attack or exploitation will undoubtedly be highly classified (and rightfully so). These procedures and standards would probably need to address a range of issues: 

  • What are the standards that will be adopted to pass the test of being satisfied that the measures are necessary for preventing, detecting or countering a threat to national security, essential services, defence or foreign relations of Singapore?
While every person has the right to exercise self-defence, what about a pre-emptive strike in anticipation of an attack? How imminent must a threat be? How many threats or attacks must there be (a single threat or repeated attacks)?
  • A question of attribution. Who is the attacker? It is not always possible to identify who the attacker is.
For example, there is still speculation as to which country or organisations were behind Stuxnet (although many people point towards the U.S. and Israel). Even if investigators are able to discover evidence within the malware, they have to be circumspect given the possibility of false flags being embedded in the code to throw investigators off the scent.
What if attackers have commandeered the systems of innocent third parties (botnets) for the purposes of launching distributed denial-of-service attacks?
What is the threshold of proof of the attacker's identity which is required before a retaliation is warranted? Also, will the active defence measure be limited to the attacker's systems?
As a cyber attack can be launched from hijacked systems, retaliatory attacks may not be effective, and may strike the wrong party, in situations where it is difficult to attribute responsibility and to limit the collateral damage.
  • Assuming the attacker can be identified, what type of measures will be directed at the attacker? What would constitute a proportional response to the attack or the prospective attack? 
  • If the aggressor is a state or a state-backed actor (assuming that can be proved), could a pre-emptive action be viewed as an act of war? What is the potential for a cyber war triggering a hot war (i.e with missiles and guns)? For a brief discussion on the application of the Law of War to cyber threats, one can read this article
  • As the specified person has civil and criminal immunity if he does anything in good faith for the purpose of complying with any measure directed by the Minister, I think that the direction must contain very detailed and limited parameters so that specified persons (i) have the necessary comfort that they are able to execute with clear instructions and (ii) do not act beyond the measures identified, and potentially cause an escalation of hostilities or unnecessary collateral damage.
These parameters could include identifying the measure, the target, the resources to be used to execute the measure, timing, supporting agencies, co-ordinating instructions with other agencies, command and communication including the reporting structure, and the desired outcome. It certainly would not suffice if the direction was merely an instruction to "counter attempts by XYZ to gain unauthorised access to your system".

The proposed changes to the Computer Misuse Act and the broad powers granted to the Executive are a reflection of where we are in this quickly evolving and dangerous world of multiple threats and actors, where the cost of developing and delivering these threats is low compared to other physical/kinetic weapons.

Some may argue that in addressing threats (physical or otherwise), it would be unfair for the target of the attack to be constrained in the fight with one hand tied behind his back. The option of throwing a punch from a defensive crouch instead of merely taking body blows should be made available as new methods of delivering a focused punch can be developed in the future (and it would take too long for the legislative process to legalise that attempt).

However, the difficulties in taking the offensive suggest that the appropriate focus should be to establish and maintain a good defensive crouch first. As such, active defence measures should be treated as options further down the line of defence. Arguably, the hardening of systems and security by design are equally, if not more, important than active defence. If active defence measures are directed, it should be done with circumspection, clear direction and objectives, oversight and supervision, as would be the case with all intrusions into unfamiliar ground. It is hoped that the Singapore Government has developed the procedures and standards for moving into that unfamiliar territory.

Singapore: Computer Misuse and Cybersecurity Act (Part I)



This is a bit overdue but better late than never. 

When US Attorney General Eric Holder was in Singapore to give a talk at the Singapore Academy of Law, I had asked what A-G Holder, the Singapore Foreign Affairs and Law Minister K Shanmugam and the Chief Justice of Singapore Sundaresh Menon thought about companies moving towards unilateral action to actively interrupt or disrupt the systems or activities of hackers (otherwise known as active defence or hack the hacker). I had also asked whether Chief Justice Menon and Minister Shanmugam thought that it would be worthwhile considering looking at Singapore's Computer Misuse Act and whether an exemption relating to active defence could be included so that companies taking such action would not fall foul of the law (the Singapore Computer Misuse Act in its present form makes interrupting or disrupting the systems of a hacker an illegal act). 

That was in July 2012.

On November 12, 2012, a Bill was introduced in the Singapore Parliament to amend the Computer Misuse Act (which will be called the Computer Misuse and Cybersecurity Act).

The Changes

In summary, the changes to the Act will allow the Minister of Home Affairs to:
  • authorise or direct a company or person (called the “specified person” … remember that term) to take measures to prevent, detect or counter any threat. Such steps must be for the purpose of preventing, detecting or countering any threat to national security, essential services or defence of Singapore or foreign relations of Singapore. 
  • require the specified person to provide any information to the Minister that would be necessary to prevent, detect or counter the threat. 
  • require the specified person to direct another person or company to provide any information.
  • require the specified person to provide the Singapore Government with a report of a breach or an attempted breach of security of the specified person's computer system. 
It is an offence not to comply with the directions of the Government or the directions of the specified person. The penalty is a fine of up to S$50,000 or imprisonment for up to 10 years, or both.

What I will be trying to do over two posts is to describe the possible implications of the changes. Here goes.

Broad information gathering powers

The Minister can require the provision of information relating to the design, configuration or operation of any computer, computer program or computer service, and any information relating to the security of any computer, computer program or computer service (section 15A(2)).
This power to obtain information is quite broad on several levels:
  • Type of information. The Bill refers to “any information that is necessary to identify, detect or counter any threat”. The Bill also provides examples of what information may be required: information relating to the design, configuration or operation of any computer service, and information relating to the security of any computer, computer program or computer service. (As a side-note, I don’t really understand the drafter’s intention in splitting up the examples in section 15A(2)(b)(i) and (ii). Why not just combine the two examples as “information relating to the design, configuration, security or operation of any computer, computer program or computer service”?)
"Any information" is pretty broad. 
This could conceivably extend to personally identifiable information. I would have liked the Bill to specifically exclude personally identifiable information of individuals unrelated to the incident, or to have a provision which requires reasonable efforts to strip out personally identifiable information of individuals unrelated to the incident. Provisions of this kind are present in the PRECISE Act, H.R. 3674 (section 248) and the Cybersecurity Act, S. 2105.
It could even include highly sensitive information like software source code. The concern here relates to the Minister requiring a person who licenses software from a software vendor to direct the vendor to provide a copy of its software source code. Would the vendor need to send the source code through the specified person? The way section 15A(2)(c) seems to work is that the vendor would need to send the information through the specified person to the Singapore Government. The relevant words are:
“providing to the Minister or a public officer authorised by him any information … obtained by the specified person from another person pursuant to a measure or requirement under paragraph [15A(2)(b)]”
I would have liked there to be an option for that other person to provide the highly sensitive information directly to the Singapore Government instead of through the specified person. This would be reasonable as there is no need for a private entity to have access to such sensitive information (especially if the information has an impact on the commercial relationship between the parties). More importantly, the specified person was, by definition, the target of the exploitation, and there is no guarantee that all the vulnerabilities within its systems have been resolved; routing a vendor's source code through a system that may still be compromised risks handing it to the very attacker under investigation.
In the source code example, a possible practical work-around would be for the direction to require the vendor to obtain a source code audit itself, and to share the results of the audit to the Singapore Government.
Section 15A(2)(b) and (c) should also clarify that a person should only be required to provide information which is in its possession or under its control, or which it is reasonably practicable for the person to provide. These would then be similar to the defences present in section 59 of the Telecommunications Act.
  • Type of service. The Bill covers computers, software, computer services (e.g. cloud services). The definition of computers in the Act is wide enough to cover almost all computer related devices, systems and networks.
  • Persons covered. The Bill allows the Minister to authorise the specified person to direct another person to provide information to the Singapore Government. This other person could be a third party vendor/outsourcer/cloud service provider/etc that provide software or services to the specified person.
It would be an offence for that third party vendor to fail (without reasonable excuse) to comply with the direction of the specified person. This has considerable implications for companies which outsource or obtain software or services from a third party vendor, and more importantly, for the vendors themselves.
  • Territoriality. The Computer Misuse Act already contains a provision (section 11) which states that the Act has effect in relation to any person regardless of his nationality or citizenship or whether he is in or outside of Singapore. The Act goes on to say that where an offence under the Act is committed by any person outside Singapore, he may be dealt with as if the offence has been committed within Singapore provided that the accused was in Singapore at the material time or the computer, program or data was in Singapore at the material time.
Most companies obtain software or services from third party vendors that have a local presence in Singapore through locally incorporated offices which would then place them within the territorial scope of the Computer Misuse Act.
Even if the third party vendor does not have a local presence and contracts through a subsidiary in a foreign country, that would not take it outside the Act if the data is in Singapore at the material time (for example, one could argue that this extends to the ability to access the data in Singapore via an interface even though the data is stored on servers outside of Singapore). This would mean the third party vendor will have to comply with the direction to provide the information to the specified person directed by the Singapore Government.
  • No restriction on time-frame. One would assume that any direction issued would reasonably limit the time-frame to the period around the specific incident (e.g. server or application logs for the year prior to the incident). However, a direction might not specify a time-frame for the information, or might specify a very long one (which is possible, since it may not be possible at the time of issuing the direction to determine when the cyber exploitation took place, i.e. the hacker may have exploited the vulnerability a long time ago). The recipient would then have to consider how far back to go in the information archives, locate the information sources and collate the information. This could be resource intensive if the time-frame is long (e.g. backup tapes have to be retrieved from off-site locations, servers may have to be identified to restore the data from those tapes, search parameters have to be determined, and the search results analysed and then collated for the requesting party).
  • Retention of the information by a person
While the proposed Bill tries to protect information which is disclosed to a person/company, I would have liked the Bill to require the deletion of information received by a specified person and the Singapore Government after the threat has been resolved, failing which there should be civil liability (vis-a-vis the specified person) for losses arising from the failure to delete.
No computer system is 100% impregnable, and the repository for that information may itself become a target precisely because of the amount of confidential and sensitive information that it now contains. Companies that disclose information to specified persons or the Singapore Government should have the assurance that the information provided is deleted after the purpose for which the information was originally collected has ceased to exist.
The potential ability to monitor communications

The language in the proposed Bill is wide enough to require a company to monitor communications of individuals provided that it is to prevent, detect or counter any threat to the national security, essential services or defence or foreign relations of Singapore. For example, an ISP, email service provider, instant messaging provider or social media platform may be required to provide information (including real-time information) relating to the operation of its service (which could potentially include communications made by individuals over the service or platform).

Breach report

To my knowledge, this will be the first instance of the Singapore statute books requiring certain companies/persons to provide a report of a breach or an attempted breach of computers, computer programs or computer systems. This is as close as Singapore has come to a breach notification requirement, though it is not as stringent as the breach notification requirements in other countries: those are proactive in nature (the organisation must notify on its own initiative when a breach occurs), whereas here a report is owed only once the Minister has directed the specified person to provide one.

Wednesday, 3 October 2012

Asia Privacy Newsbites, October 3

A round-up of privacy news in Asia during the week.

Malaysia: The Star reports that "enforcement details" of Personal Data Protection Act may come out in November

A newspaper in Malaysia, The Star, has reported that ministry sources say "that enforcement details would be announced as early as next month". If that means that an announcement would be made about the enforcement date, this would be quite consistent with what I was told as well when I made a call to the Department of Personal Data Protection a few months back. Back then another possibility was also that the Act will not come into effect until after the national elections in Malaysia were over. That is still a possibility.

Taiwan Personal Data Protection Act came into effect on October 1 (sans a few sections)

The Taipei Times reports that the Personal Data Protection Act came into effect on October 1, except for a few sections that the Executive Yuan has decided to revise and submit to the Legislative Yuan for final approval. A bit of a huff erupted over this, with some calling the two-step implementation unconstitutional. You can read a legal alert on the Act from Baker & McKenzie here.

A What the Heck moment: Privacy concerns over eel-up-bottom case

In New Zealand, the New Zealand Herald reports that a hospital has launched an investigation into how a patient's privacy was breached after it was reported that an eel was stuck up his bottom. The eel was apparently about "the size of a decent sprig of asparagus". Now the hospital authorities are getting quite serious about this breach of a patient's privacy, as you would expect. One thing I am not sure about is how an eel managed to get stuck up the man's bottom ...

Saturday, 29 September 2012

Asia Privacy Newsbites

Here is a round-up of some recent privacy news around the region:

Hong Kong Privacy Commissioner publishes leaflet on outsourcing to data processors 

In Hong Kong, the Privacy Commissioner published a leaflet on outsourcing the processing of personal data to data processors. The leaflet contains guidance about what the Privacy Commissioner thinks a data user (i.e. a data controller) should do when it entrusts a data processor with the processing of personal data. Crucial reading for all service providers.

Hong Kong Privacy Commissioner publishes leaflet on new offence

Staying in Hong Kong, some of the sections in the Personal Data (Privacy) (Amendment) Ordinance 2012 come into force on 1 October 2012. One of those sections is a new offence (section 64) which imposes fines (up to HK$1,000,000 i.e. about USD128,000) AND imprisonment for 5 years for unauthorised disclosures of personal data obtained without consent from the data user. The Privacy Commissioner also published a leaflet on the new offence, with a few examples of what might be caught by the new offence. The examples track some recent instances of personal data of celebrities being used without their permission (e.g. Edison Chen and the infamous uploading by a computer repairman of photos of him and other celebrities in various intimate positions).

Singapore comes closer to enacting Personal Data Protection Bill

The Singapore Personal Data Protection Bill (which introduces general data protection rights and obligations and also a do-not-call regime) was introduced into the Singapore Parliament on September 10, 2012. This was the first reading. Subsequently, there will be a debate in the Singapore Parliament on the Bill. Following the debate, the Bill will be read a second time, and then a third time before it is passed into law. Even once it is passed into law, the data protection provisions of the Personal Data Protection Act are expected to come into effect only 18 months from the date of enactment of the Act. The do-not-call regime in the Act is expected to come into effect 12 months from the date of enactment (as the do-not-call registry is estimated to become operational only 12 months after enactment).

New Zealand's EU Data Protection Directive adequacy decision is coming up in October

The Article 31 committee is deciding on the adequacy of New Zealand's data protection laws after the Article 29 Working Party (made up of national data protection commissioners) gave a favourable opinion on the adequacy of those laws. The Article 31 committee is likely to release its opinion in October 2012 (as reported by Data Guidance). After that, the European Parliament will have 30 days to scrutinise the opinion, and then the European Commission will decide whether to adopt the adequacy decision. This is significant for New Zealand as it would mean that organisations can rest easier in transferring personal data from an EU member state to New Zealand (a non-EU member state), as the organisation would be able to rely on the adequacy determination. If successful (and it is likely that it will be), New Zealand will be the first country in the Asia Pacific region to have gained that recognition of general adequacy (as opposed to a finding of adequacy in a specific area, e.g. the processing of Passenger Name Records in the case of Australia).



For those wondering about the absence of posts, I have been quite busy. Work, family and a few other matters have been occupying my time (including writing an article ... which hopefully I will be able to provide a link to when or if it gets published). A number of balls up in the air, and now that I am typing this out, it feels good to be back.

Saturday, 11 August 2012

Google Street View Episode 3: the Return of the Data

Uh-oh. It is never good for a company to find out that what it said earlier to a regulator was not exactly accurate.

Unfortunately, Google found itself in exactly that situation. Google had previously told various regulators (e.g. in Australia) that it had deleted the payload data (which may contain personal data) that it had collected from wifi networks when its Street View cars drove along streets. Google has now discovered that it still had some of that payload data (which may contain personal data) in its possession.

It is not clear how many other countries in Asia are in this situation, but Google has already informed the UK and Australian privacy regulators of the mistake. You can read Google's letter to the UK ICO here. A similar letter was sent to the Australian OAIC. No news from the Hong Kong regulator on this yet (remember that Google gave an undertaking to the Hong Kong Privacy Commissioner that it had deleted all the payload data).

I last posted on Street View here, and was of the view back then that regulators in Asia would generally not reopen their investigations. I am still of that view.

I have no particular insight into the workings of Google, but incidents like this suggest a number of things which could be instructive for other companies in similar situations.

  • People make mistakes. No matter how robust your process or system is, the human element within the process, or which crafted the process, will fail from time to time. Automated processes still rely on input by humans (search terms, the date range of the search, locating the hard disk or tape drive in the box in the room). So, what does that mean for companies that realise that they have made a mistake? Apologise and be up-front about it. Voluntary disclosure in situations like this can be a good thing (and usually a necessary thing), especially where you are dealing with a reasonable regulator.

  • Second, investing in people and processes does help. A number of companies have woken up to the importance of a separate compliance function (i.e. separate from the legal function). Having the right people with the right relationships and an understanding of cultural differences does help in Asia. Backing up these people with senior executive support can help in the implementation of compliance processes and programs, and in responding to breach situations.

  • Third, try to get it right the first time. There is always an urgency to responding to a complaint or a regulator. Pressure comes from many sides: internally from management, externally from the press, regulators, consumer groups, the complainants. Pressure may also come from the regulatory framework itself which requires a response within a specified period of time. It is crucial to get the information right the first time round especially if you are giving an undertaking to the regulator. In many Asian jurisdictions, providing inaccurate information to a public officer is a criminal offence. You can't unscramble a scrambled egg. If you need more time to get the information, ask for an extension of time (most regulators are reasonable - especially if a relationship of trust is established). I know it is sometimes easier said than done.

  • Fourth, identify and fix whatever made you make that mistake in the first place. Regulators like to be reassured that the mistake is not a systemic one. That you are taking proactive measures to make sure it does not happen again. It will take some time to fix that but giving that reassurance that steps are being taken to deal with the mistake is usually helpful.

Those are my quick takes on this. Hopefully Google does not have a sequel to this.

Friday, 20 July 2012

Eric Holder in Singapore. Balance and Values

Attorney-General Eric Holder's speech on "Asymmetrical Threats: Responding to Terrorism and Cybercrime while Protecting Civil Liberties" sounded largely like a diplomatic speech addressing common values and co-operation between countries in Asia in fighting cyber-crime and terrorism. He repeated a number of times the need to continue to uphold or honour basic and fundamental freedoms while still engaging in law enforcement and protecting citizens' lives and security. Trying to quote him as best as possible: 

And in fighting terrorism we have renewed our commitment to ensuring that protecting the safety of our citizens does not mean, does not mean, compromising our determination to uphold civil liberties ....
We must not abandon democratic values even in the pursuit of public safety. The values are in fact our greatest tools for ensuring peace and security ...

He did call out the Budapest Convention on Cybercrime as a critical instrument in confronting copyright infringement, child pornography, network security and computer-related fraud. In that vein he also called on other nations, like Singapore, to accede to the Budapest Convention.

He stressed the importance of international frameworks (like the Budapest Convention and the Interpol Centre) in preventing and combating cybercrime, as no nation can tackle this by itself.

Expectedly, he referred to the "layered oversight" in the US which helps in safeguarding civil liberties (e.g. the Constitution establishing a federal government with extensive checks and balances, bill of rights, protection against self-incrimination, protection against unreasonable search and seizures).

The more interesting part was the panel discussion moderated by Professor Simon Chesterman, with AG Holder, Foreign Minister Shanmugam and Judge of Appeal designate Sundaresh Menon.

When asked about the tension between security and liberty (especially after the events of September 11), and whether the balance between the two can ever be stable, A-G Holder mentioned that we should always aspire to a balance. He did acknowledge that in US history there were situations where those values have been sacrificed in trying to protect its citizens, and he described (and I think rightly so) the enduring quality of the US as being that it has always self-corrected, and has always gotten back to that balance.

I thought that Mr Sundaresh Menon also characterised this balance very well. Paraphrasing: Balance is not a static concept. Events like September 11 were cataclysmic events that affected our perspective on a whole array of issues, and inevitably, when you have an incident like that, you have dramatic changes or reactions to it; after a period of time, you evolve to find a balance that is appropriate to your society and to the peculiar challenges that you face. Hopefully, this balance will be guided by the values which you subscribe to.

On the topic of the detention facility at Guantanamo Bay, A-G Holder said that he was "cautiously optimistic" that Guantanamo Bay will not be in operation in five years time.

The question and answer session was interesting, with questions about drone strikes and Singapore's Internal Security Act.

I asked a question as well: what were A-G Holder's views on companies moving towards unilateral action to actively interrupt or disrupt the systems or activities of hackers (i.e. "active defence" or "hack the hacker"), considering that such activity is likely to be illegal; and did Mr Sundaresh Menon and Minister Shanmugam think it would be worthwhile looking at Singapore's Computer Misuse Act to consider whether a carefully crafted exemption relating to active defence measures could be included, so that companies protecting themselves would not fall foul of the law? I asked that question because of recent news of Google mentioning that it was going to use technology to target illegal networks, and of a UK parliamentary commission suggesting that proactive first-strike measures be taken in the event of a cyber attack. For the answer from the panellists and my further thoughts on this, I am going to leave it to a next post, as it is a whole topic by itself.

UPDATE: the US Department of Justice has put up the actual text of A-G Holder's speech here. Someone asked me whether he actually said "does not mean" twice in his speech. Yes he did. I heard it, and I think that he did it for emphasis.

Thursday, 12 July 2012

Eric Holder in Singapore. Ask him a question

Eric Holder, the US Attorney General, is coming to Singapore to speak on "Asymmetrical Threats: Responding to Terrorism and Cybercrime while Protecting Civil Liberties" (originally announced as "Security, Privacy and Rights in an Age of Asymmetrical (or Unconventional) Threats") on 19 July at 5pm Singapore time. He will also be on a panel discussion with Singapore's Minister of Law, Mr K Shanmugam, and Judge of Appeal-Designate, Mr Sundaresh Menon.
[UPDATE: the title of the speech has been changed. It appears that security, privacy and rights has been subsumed under the general heading of "civil liberties". The word "protecting" in front of civil liberties is encouraging ... ]
Sounds like a great topic, which will probably be about the balance which authorities need to adopt between ensuring the security of citizens/residents within their countries and protecting and respecting the privacy and rights of individuals. The discussion will probably be set against the backdrop of the multi-threat, multi-vector environment where physical and/or financial loss can be initiated by states, individuals or groups of individuals (who may not be playing by the same rule-book).

We can probably expect discussions around drones, licence-plate-reading cameras, sting operations (e.g. the recent Operation Card Shop), surveillance, access to telecommunication service provider and communication service provider records, and the role of judicial, executive and law-maker oversight.

I will be there at the talk. If you have any interesting questions to ask, let me know and I will see whether I can get them in (and post the answers up) - subject of course to time, decency and relevance : )

Wednesday, 4 July 2012

New Page: Privacy and Data Protection regulators
I have created a new page which lists the privacy and data protection regulators in Asia. As usual, I will try to keep it up to date, but no promises.

Mosey over to the page. Hope you find it useful.