UK Government announces "Cloud First" policy

The Government of the UK has just announced its "Cloud First" policy.

Government announces 'Cloud First' procurement policy - Government Computing Network:

Government announces 'Cloud First' procurement policy

Charlotte Jee

Published 05 May 2013

Mandates central government to consider cloud solutions before all others when buying IT

The government has confirmed that it has adopted a 'Cloud First' policy, making it mandatory for buyers of IT products and services in central government to consider purchases through the cloud as their first option.

Cabinet Office minister Francis Maude said that the policy will drive wider adoption of cloud computing in the public sector, boosting business through the G-Cloud programme's CloudStore, and ensuring the public sector buys IT in a 'quicker, cheaper, more competitive way'.

According to the Cabinet Office, as of now, when they buy new or existing services, public sector organisations should consider and fully assess potential Cloud solutions first, before looking at any other option.

A statement explained, "This approach is mandated to central government and strongly recommended to the wider public sector. Departments will remain free to choose an alternative to the Cloud if they can demonstrate that it offers better value for money."

Alongside today's announcement, the third iteration of G-Cloud (G-Cloud III) is going live today, with 708 firms offering over 5,000 services listed on the new framework- up from the 458 suppliers and 3,000 services on G-Cloud II when it went live last October .

Maude said, "Many government departments already use G-Cloud, but IT costs are still too high. One way we can reduce them is to accelerate the adoption of Cloud across the public sector to maximise its benefits.

"The Cloud First policy will embed the skills a modern civil service needs to meet the demands of 21st-century digital government and help us get ahead in the global race."

The policy has been under consideration for some time, with G-Cloud programme director Denise McDonagh suggesting at a roundtable in March that Maude was likely to give it the go-ahead.

McDonagh, who has long advocated a 'Cloud First' policy, said, "Sales from G-Cloud are rising steadily, with cumulative spend now over £18 million - two-thirds of it with SMEs. This is still small relative to overall government IT spend, and the transition to widespread purchasing of IT services as a commodity won't happen overnight.

"The adoption of a Cloud First policy will give added impetus for Whitehall and the wider public sector to move in this direction - complementing our ongoing work to encourage Cloud adoption and to help buyers adapt to this way of purchasing IT, which is already showing results."

US federal agencies have been operating with a cloud first policy since December 2010, and a number of other countries are believed to be considering instituting similar directives.

US federal district court judge rules National Security Letters are unconstitutional

The Electronic Frontier Foundation is reporting that a US Federal District Court judge in San Francisco has ruled that National Security Letters are unconstitutional as a violation of the First Amendment of the US Constitution and the separation of powers. The Judge's order has been stayed for 90 days to permit the federal government time to appeal.

National Security Letters (NSLs) are a form of administrative subpoena that can be issued by a senior official of the FBI, which requires the recipient to provide non-content or transactional information and is usually accompanied by a gag order.

According to EFF's media release, Judge Susan Illston ordered that the FBI stop issuing NSLs and cease enforcing the gag provision in this or any other case.

From the EFF: National Security Letters Are Unconstitutional, Federal Judge Rules | Electronic Frontier Foundation

A copy of the Judge's decision is available here, also on the EFF website.

New Zealand Privacy Commissioner offers cloud guidance

The Privacy Commissioner of New Zealand has released a checklist for businesses and a guidance document [PDF] to about cloud computing. Here is the Commissioner's summary of the two documents: Cloud computing guidelines.

From the Checklist:

1. Figure out which cloud services will work for you and what your current risk level is
   
2. Know what information you'll be sending to the cloud
   
3. Recognise that the responsibility is ultimately yours
   
4. Security - lock it down
   
5. Check out your provider
   
6. Know exactly what you're signing up for
   
7. Be as up front with your clients as you can
   
8. Location - where will the information be?
   
9. Use and disclosure - who sees the information and what will it be used for?
   
10. Ability to exit, and deleting information

Note to HRSDC: Cloud computing and remote access dramatically reduces the risk of portable device data breaches

The Canadian news has been full of reports related to two significant privacy breaches emanating from the federal ministry of Human Resources and Skills Development Canada. The first to be reported was the loss of a USB thumb drive containing the personal information (including personal health information) of more than 5,000 disabled Canadians who were receiving benefits under programs administered by HRSDC. In the course of investigating that first breach, a second came to light. Apparently someone at HRSDC thought it would be wise to backup the data of over half a million student loan recipients onto a portable USB hard-drive, which could be easily lost or misplaced. Guess what happened ... it was lost or misplaced.

Problems with storing sensitive personal information on USB storage devices are not unknown. The Information and Privacy Commissioner of Ontario, Ann Cavoukian, has recently been on a tear over a USB-related breach by Elections Ontario resulting from poorly understood policies, bad training and a lack of accountability. In fact, she's published reams of reports on the breach, its root causes and what should be done to prevent it from happening again. (The TL;DR version: Employees were engaged in a project where they had to clean up electoral lists at an off-site location. They decided to transfer the data using USB thumb drives and didn't even do that well.)

The HRSDC Minister's media release says that, as a response to the second breach, employees will be given training on a new information security policy. That suggests to me that the reckless practice of placing unencrypted personal information on portable storage devices was A-OK. Well, it's not. Never has been and never will be.

The full facts of the HRSDC breaches are still very sparse, but we know that the second breach was caused by an employee or employees who wanted to make a backup of data (probably a good idea) and put the backup on a small portable device (a very bad idea). It may be that the first breach was caused by an employee who either needed to work offsite with the data or needed to move it from one computer to another. Both are reasonable things to want to do. And in some computing environments, can only be accomplished by making a copy of the data and USB devices are a handy way of accomplishing that.

A large part of my practice is advising clients on cloud computing. And I also often get invited to speak to groups of IT professionals and fellow lawyers on legal issues related to cloud computing. For the past few years, the majority of questions about the risk of cloud computing have focused on the fact that the data may be outside of Canada and that the customer is trusting someone else to secure the data. Those are both important questions to ponder, but few turn their minds to the fact that, in most cases, cloud computing is much safer for the data and significantly lowers the risk to data.

If Elections Ontario or HRSDC were using a cloud computing model, none of these breaches would have happened in any of the scenarios outlined above. Cloud computing keeps the data on a server or series of servers in highly secured data centres. There's no need to copy or move the data to get access to it remotely. This is accomplished through secured connections between an authorized computer or browser and the data centre. If you want it backed up, that's usually done on tapes in the data center and the data seldom has to leave the secured premises. In any data centre worth its salt, disk inventory is carefully controlled and audit tools are used to keep track of who has accessed what data. If tapes are moved offsite for redundancy's sake, there is usually a much higher level of diligence exercised as it follows documented processes.

When questions are being asked about how this happened and what can be done to prevent such breaches from happening again, the government should carefully consider how cloud computing or other remote access models dramatically reduce the risk of such breaches.

Keeping data in Canada provides illusory protection against foreign government access

I was invited by CATA to give a presentation on cloud computing, privacy and cross border data flows for a number of its members and stakeholders who are involved with the fledgling Shared Services initiative coming out of the Government of Canada.

Here is the presentation, in case it is of interest:

IT World Canada was in attendance and has posted the following article:

Keeping data here no protection against US: Lawyer:

Ottawa may not allow cloud providers to store citizens' data across the border. But a lawyer says a better protection against US law is risk mitigation

By: Howard Solomon

ComputerWorld Canada (19 Dec 2012)

The refusal of some federal government departments to allow outsourcers to store personal data of citizens outside Canada won’t keep foreign governments from getting legal access to it, says a lawyer who specializes in cloud computing.

“Data sovereignty is a bit of an illusion because we’re so interconnected (with law enforcement agencies) and there’s so much data sharing taking place,” David Fraser told an audio conference call Tuesday sponsored by the Canadian Advanced Technology Alliance (CATA).

In particular, fears that the USA Patriot Act acts as a “huge vacuum cleaner” for American law enforcement agencies to get at personal data is baseless, he said.

The Patriot Act is a “boogey man,” he said.

The fact is most developed countries have legal tools that allow their law enforcement agencies to make legal claims on data held in their countries or outside their borders, Fraser said.

Fraser, a partners with the Halifax firm McInnes Cooper, argued the real issue for Ottawa when considering outsourcing that includes storing data in the U.S. should be assessing the risk that data can be lost or unlawfully accessed and taking steps to lower the risk.

The teleconference is part of a campaign by CATA, which represents IT manufacturers, solution providers, system integrators and consultants trying to sell products and services to governments, to get Ottawa to clarify its position on outsourcing data.

In an interview John Reid, CATA chief executive officer, said that since the creation last year of Shared Services Canada, an agency trying to consolidate federal IT services, the government has suggested it may mandate that personal data of citizens must be held in data centres here.

There isn’t a formal federal policy on cross-border data storage, Fraser told the conference call. Nor is there federal law that prohibits it. Instead, it is up to individual departments to do a risk assessment if they decide cross-border data storage is justified and take appropriate privacy measures. Only two provinces, British Columbia and Nova Scotia, have policies forbidding cloud providers from storing provincial data outside Canada.

Shared Services Canada has been trying to create new buying and outsourcing policies, setting up several committees on which CATA and other private sector groups sit. It is those committees, Reid said, that CATA is getting signals of SSC’s only-in-Canada intent.

Earlier this month CATA sent a letter to SSC asking for the department’s intentions, but Reid said he hasn’t had a reply yet.

The department didn’t respond to a request Tuesday from IT World Canada for clarification

One person on the conference call said some government departments already demand in requests for proposals (RPFs) her organization that any outsourced solution has to keep data in Canada.

Reid wants to persuade Ottawa to be more open to cloud solutions where data is stored outside the country in part so his members get opportunities to bid on business, and in part, he said, because the government shouldn’t turn aside possible solutions that will make it more efficient.

Fraser noted that according to international law, U.S. law enforcement authorities have the right to subpoena data even if the data is held outside its borders, as long as there are connecting factors. (The same is true for police here, he added.)

For example, he said, if the data is held in Canada the U.S. could subpoena it through a person working for a company there.

For that reason, he said, a Canadian data centre owner might be able to safeguard data here if none of its executives ever crossed the border.

More practically, he said the Canadian government could take a number of steps to reduce the odds of the personal data of its citizens being misused by U.S. authorities.

The first is to encrypt the data – which should be a standard procedure anyway, he said ---- and make sure control of the encryption keys is held here.

Second, the government could decide that only “low risk” data can be sent out of the country.

Third, the government could demand certain contractual provisions with a service provider, such as clauses that says the data belongs to the customer, not the data centre, that the service provider won’t turn data over unless legally required to so, and that it will notify the customer of any subpoenas.

There could also be a requirement the provider to go a U.S. court to resist a subpoena, although Fraser admitted there’s no guarantee will be successful.

“There isn’t a shortage of ideas of how to mitigate risk,” he said.

Fraser didn’t say, but these risk mitigation options also apply to private sector companies who have been shy about adopting American cloud-based solutions.

Google offers model contract clauses for EU data protection compliance

Google has today announced that it is making Model Contract Clauses available to customers who have to deal with EU data protection rules.


Model contract clauses are one mechanism that permit an entity to export European personal information outside of the EU, which is in addition to safe harbor and binding corporate rules.


The announcement is found here: Official Google Enterprise Blog: Google Apps offers additional compliance options for EU data protection.

Nova Scotia trade union resurrects the USA Patriot Act boogeyman to prevent outsourcing

For those who have been following this topic in Canada, you'll remember that the first time that the USA Patriot Act appeared on the country's radar in earnest was when the British Columbia government proposed to outsource IT processing to the Canadian subsidiary of a US company. The union, most likely concerned about job losses latched onto the USA Patriot Act as the hook that would get some traction in the media and in the public mind.

That led to the inquiry by BC's Information and Privacy Commissioner, then amendments to that province's Freedom of Information and Protection of Privacy Act and then Nova Scotia's Personal Information International Disclosure Protection Act.

Now, somewhat predictably, the principal Nova Scotia trade union for public employees is resurrecting the boogeyman to try to stop outsourcing of IT services by the provincial government. We'll see how this plays out ...

Data at risk in private-sector deal | The Chronicle Herald

Union worried Nova Scotian’s records vulnerable

The province’s largest public-sector union is worried about the security of Nova Scotians’ information if the government contracts out information technology work in a deal workers say could total $100 million over 10 years.

Joan Jessome, president of the Nova Scotia Government and General Employees Union, said Thursday that there’s a vast amount and array of data in the SAP computer system. She said it includes everything from payroll numbers to procurement information and data from the Registry of Motor Vehicles.

“There probably isn’t a single Nova Scotian ... that has not been impacted by SAP,” Jessome said.

“(Our members) are telling us that we have reason, no matter what the agreement is, that once that (information) goes to an international company, we should always be concerned about how far that goes and what acts does it cover in different countries across the world.”

She said employees mentioned the Patriot Act in the United States, passed after the 9-11 attacks. It requires U.S. companies to provide records to the American government upon demand.

A 2005 provincial auditor general’s report raised a concern that U.S. companies with Canadian subsidiaries could also be compelled to turn over information. In 2006, the minority Tory government of the day passed the Personal Information International Disclosure Protection Act, meant to prevent U.S. authorities from inappropriately accessing Nova Scotians’ information under the Patriot Act.

Finance Department spokeswoman Michelle Lucas had said Wednesday that ensuring information is secure would be a top priority. She had no further comment on the potential outsourcing Thursday.

On Monday, government officials met with employees who run the system to tell them about the possibility their jobs will be contracted out. There are about 73 unionized workers, and another 35 who aren’t unionized. The non-union workers run the system for district health authorities and the IWK Health Centre.

Jessome said workers told her that the government is considering a 10-year contract for the work, worth $10 million a year.

Lucas had said Wednesday that a multinational firm approached the province last year about setting up a “global delivery centre” in the province. Its main office would be in Halifax, with a smaller one in Sydney.

Sources have said the firm is IBM Canada. Jessome said the government has told her which company, but she agreed to keep it confidential.

IBM Canada spokeswoman Carrie Bendsza said the company, which has employees in Halifax now, doesn’t comment on rumour or speculation. She also said it doesn’t reveal how many employees it has in individual cities or countries.

Jessome said there are currently eight union SAP information technology workers in Sydney, three in Truro, and the rest in Halifax.

Lucas has said that if the province does make a deal with the company, all affected provincial employees would be offered a job. Jessome said many have already indicated they wouldn’t take it.

She said they’d lose the security of being in the union, the work week would likely go up to 40 hours from 35, their pension plan would change to defined contribution from defined benefit, and they could face months-long placements at the company’s other locations, such as China and India.

“They’re certainly concerned about their jobs, no question, but the other thing that they were scared of is the security of information,” Jessome said.

Lucas also said the potential contracting out isn’t being considered as a cost-cutting measure, but as an economic development opportunity in the hope of creating more jobs.

The province has spent many millions on the SAP system since first adopting it in 1996, with some projects going over budget, and the system not always working properly.

Ontario Information Privacy Commissioner blesses cross-border outsourcing of province's hunting and fishing license system

This decision from the Information and Privacy Commissioner of Ontario snuck under my radar this summer while I was on vacation.

This investigation is the result of a complaint brought by a Member of the Provincial Parliament about the Ontario Government's decision to outsource the processing and management of fishing and hunting licenses to a US-based business. The Commissioner did a thorough investigation and I am told they were pleasantly surprised by what they found. With regard to the USA Patriot Act, the Commissioner wrote:

The PATRIOT Act

The complainant has expressed concerns that the personal information of Ontarians will be subject to and accessible under American laws, including the PATRIOT Act. It is important to remember that, in Ontario, there is no legislative prohibition against the storing of personal information outside of the province or Canada. In other words, Ontario law, including the Act, does not speak to this issue. However, the Act and its regulations do require provincial institutions to ensure that reasonable measures are in place to protect the privacy and security of their records containing personal information. This applies regardless of where the records are located. Further, Ontario provincial institutions remain accountable for the actions of their agents or service providers, whether located in Ontario or in other jurisdictions.

I understand the complainant’s concern that the PATRIOT Act may be used by U.S. law enforcement agencies to access Ontarians’ personal information. However, the risk that law enforcement agencies may access personal information is not restricted to information held in the U.S. In fact, Canadian law enforcement agencies have similarly robust legal powers to obtain personal information held in Canada, and similar powers exist throughout most countries in the world. Further, law enforcement agencies in Canada, the U.S. and other countries have the ability to reach across borders to access personal information under various laws and agreements.

In this regard, the federal Privacy Commissioner of Canada has found that the privacy risks posed by the PATRIOT Act are similar to those found in Canada and, therefore, the privacy protection afforded by a U.S. service provider is comparable to that of a Canadian-based provider. In particular, the federal Privacy Commissioner has stated:

The risk of personal information being disclosed to government authorities is not a risk unique to U.S. organizations. In the national security and anti-terrorism context, Canadian organizations are subject to similar types of orders to disclose personal information held in Canada to Canadian authorities.

The federal Privacy Commissioner has also found that prior to the passing of the PATRIOT Act, U.S. authorities were able to access records held by U.S.-based firms relating to foreign intelligence gathering in a number of ways, including through formal bilateral agreements.3

Canadian legal scholars and practitioners have also carefully examined and commented on the privacy implications of the PATRIOT Act. Professor Michael Geist, Canada Research Chair in Internet and E-commerce Law, has written:

Claims that the enactment of the USA Patriot Act has dramatically altered the legal landscape are simply false. The U.S. law enforcement toolkit, which allows for the compelled, secret disclosure of personal information, pre-dates the USA Patriot Act by decades. Suggestions that the problem can be solved by keeping personal information from flowing outside the country are not realistic from a real-world, commercial perspective, where data is transferred and stored instantly on computer servers in other jurisdictions without regard for location.

David T.S. Fraser, a prominent Canadian privacy lawyer, has also been very clear in writing:

Most people are surprised to learn that some of the most “problematic” provisions of the USA Patriot Act are replicated in Canadian law in the Anti-Terrorism Act. We just don’t hear about it as much. People are also surprised to learn of huge amount of information sharing that takes place between agencies in Canada and their counterparts in the US.

The Act does not prohibit provincial institutions from outsourcing services on the basis that foreign law, including the PATRIOT Act, may apply. Similarly, there is no prohibition on the storage of personal information by government institutions outside the province. In fact, as noted by Professor Geist, outsourcing of technology services is a reality, whether by government agencies or private sector companies. Personal information may be subject to disclosure to law enforcement authorities, whether stored in the province or elsewhere. The critical question for institutions which have outsourced their operations across provincial or international borders is whether they have taken reasonable steps to protect the privacy and security of the records in their custody and control. I have always taken the position that you can outsource services, but you cannot outsource accountability. With this in mind, I now turn to consider what measures the Ministry has put into place in the circumstances of this complaint.

The decision is worth reading in its entirety: IPC - Office of the Information and Privacy Commissioner/Ontario | Reviewing the Licensing Automation System of the Ministry of Natural Resources: A Special Investigation Report [PC12-39].

US cloud vendors complain to Congress about foreign privacy FUD

The United States House of Representatives Judiciary Committee (through its Internet subcommittee) this past week held a hearing to discuss issues related to cloud computing. Specifically, the hearing highlighted how fear, uncertainty and doubt is being spread regarding US privacy protections to discourage the use of American cloud vendors. The hearing included representatives of the Business Software Alliance, Rackspace, IBM and ITIF.

Principally, hysteria about the USA Patriot Act is being used by some non-US vendors to market their services. This ignores the fact that most countries have legal regimes very similar to the USA Patriot Act.

Check it out:

US Groups: Foreign Cloud Providers Marketing Against Privacy Concerns CIO.com

IDG News Service (Washington, D.C., Bureau) — Cloud computing services from outside the U.S. are trying to exploit perceived weaknesses in privacy laws to drive business away from U.S. providers, according to some representatives of the tech industry.

Deutsche Telekom and other companies are marketing their cloud products as more private than those from U.S. vendors because of the Patriot Act and other laws, representatives of the Business Software Alliance and Rackspace told a U.S. House of Representatives subcommittee during a hearing Wednesday.

Foreign cloud computing vendors are spreading "fear, uncertainty and doubt" about U.S. privacy standards, Justin Freeman, corporate counsel for Rackspace, told members of the House Judiciary Committee's Internet subcommittee.

"We commonly see almost absurd positioning of what the Patriot Act permits, to the extent that it allows almost any U.S. government agency to, without notice or warrant, access any private data that's on a server contained within the United States," Freeman said.

"That's totally false," said Representative Bob Goodlatte, a Virginia Republican.
Witnesses from the U.S. tech industry and some lawmakers complained that some of the privacy problems are more perceived than actual, but some also called for Congress to change U.S. privacy laws to better protect data stored in the cloud.

The U.S. Electronic Communications Privacy Act (ECPA) allows law enforcement agencies easier access to information stored in the cloud than to information stored on a hard drive or in a file cabinet, noted Representatives Zoe Lofgren, a California Democrat, and Jerrold Nadler, a New York Democrat.

Some countries have "legitimate concerns, honestly, about the lack of standards in American law," Lofgren said. "We have a lot of work to in this area."

In addition to marketing campaigns, several nations have passed or are considering laws that require their residents' data to be stored on servers within the country, said Daniel Castro, senior analyst with the Information Technology and Innovation Foundation (ITIF), a tech-focused think tank. Many countries are using privacy and security concerns to pass domestic storage laws, he said.

"Some countries are using unfair policies to intentionally disadvantage foreign competitors and grow their domestic cloud computing industry," Castro said. "The rise of cloud mercantilism is an emerging threat to global trade and information technology."

Greece, China, Russia and Venezuela are among the countries that have passed data localization requirements, Castro said. He called on the U.S. government to push against such laws.

Castro and Robert Holleyman, the BSA's president and CEO, also asked Congress to update ECPA to better protect stored data.

Congress also needs to consider ways to better protect stored information on cloud services, Lofgren said. The U.S. Department of Justice, when it shuttered the Megaupload file-sharing site in January, left the data of many innocent users in limbo, she said.

Holleyman, whose trade group supports strong law enforcement actions against file sharing sites, said he didn't have a suggestion for how to protect innocent users.

"Nobody seems to feel any responsibility toward people who are completely innocent here," Lofgren said. "There seems to be no interest or obligation to innocent bystanders to this action."

Economist editorial: spot-on about cloud privacy and law enforcement

The Economist has an absolutely spot-on editorial on privacy in the age of cloud computing:

Data privacy: Out of shape | The Economist

The rules on what data governments can demand from communications companies need tightening
Jul 21st 2012 | from the print edition

SNOOPING, like so many things in life, is going mobile and online. In 2011 Google received 12,271 requests for data from the American government and acceded to all but a few of them. American mobile-phone carriers together fielded more than 1.3m such requests. Some covered multiple subscribers. Some were for “tower dumps”, which reveal the phone numbers of everyone—criminal suspects or not—in range of a certain mobile-phone tower at a certain time.

The rate of government requests has been growing: Verizon, America’s biggest mobile-service provider, says it has gone up by 15% in each of the past five years. Large mobile companies now have teams of employees that do nothing other than respond to government requests for data (see article).

This is happening partly because technology makes snooping easier, and partly because the law has not caught up with the technology. In the offline world, governments generally need a judge to sign a warrant to put a wire-tap in place; the same goes for a physical search of property. In the online world, most data—concerning who called or e-mailed whom, or visited what website, though not the content of a communication—is handed over without any such judicial review.

This is not just an American issue; European states are at least as careless of their citizens’ privacy as America. The European Union’s Data Retention Directive requires telecoms firms to store vast amounts of data about their customers’ activities, which may then be provided to law-enforcement agencies. In Britain, a draft Communications Data bill gives intelligence agencies even wider powers to intercept and store such data.

There are decent arguments in favour of giving governments such powers. Criminals, as well as law-enforcement agencies, make effective use of digital communications, so states need to be able to respond in kind. Rescue services sometimes need phone data to locate someone who needs urgent help. And where such information can help catch criminals, it should be made available. But there are also arguments for greater restraint. Communications technology these days compromises people’s privacy more than it used to. Mobile-phone records can reveal where people are, what websites they visit, what they are interested in and what they buy. Law-enforcement agencies should not be allowed unrestricted access to such complete, and intrusive, pictures of people’s lives.

Rewind, please

There is, at least, some kickback. The European law has been found unconstitutional in several member states, and the European Commission intends to revise it. But Britain’s bill seems likely to become law, despite much criticism. In America, the main federal law on the subject was written in 1986, when the internet barely existed. It badly needs an overhaul.

A good general principle would be to afford data stored in a private e-mail account as much protection as letters stored in a locked desk drawer—that is, law-enforcement agencies wanting to get a look at them should need a warrant. Internet and mobile-phone companies, and the agencies that get data from them, must be subject to proper reporting requirements. Only if people know more clearly what information is being collected about whom, and to what uses it is being put, can they judge whether the benefits of greater safety the surveillance state has brought them are worth the huge loss of privacy they have suffered as a result.