Monday 31 March 2008

ownership - ISPs

I do not know to what extent the following article could influence cybercrime, but at least the thought is there. The title on TechDirt is intriguing: "Ownership Doesn't Always Mean Control" (21st March 2008) because the common assumption is to associate ownership with complete control over what is owned. What it means for ISPs is unclear: on the one hand, they do have control; on the other hand, they don't control everything...

http://www.techdirt.com/articles/20080305/052101445.shtml

Wi-Fi and piggybacking

In the State of Maryland in the US, an MP proposed a Bill to criminalise piggybacking with Wi-Fi. See PDF document: http://mlis.state.md.us/2008rs/bills/hb/hb1377f.pdf

"FOR the purpose of prohibiting a person from intentionally, willfully, and without
authorization accessing, attempting to access, causing to be accessed, or
exceeding the person’s authorized access to wireless Internet service with a
certain knowledge; applying certain penalties; and generally relating to
unauthorized access to computers and related material."

Wonder if any similar proposal would be of any use? CMA 1990 section 1 criminalised unauthorised access to computers; can the interpretation be extended to Wi-Fi (which after all requires access to computers)?

See "A Public Official Actually Shows Common Sense in Wireless 'Piggybacking' Debate" (21 March 2008) http://www.techdirt.com/articles/20080320/172759602.shtml

Second life and copyrights virtual claims

Yes, it happened! A lawsuit launched, now dropped, about copyrights in Second Life. Apparently a company specialised in writing scripts for virtual sex toys and M. Leatherwood a year ago did copy the items to sell them on Second Life. The company sued him for breach of copyrights. The case (federal) was dropped after settlement with no admission of liability.
Reading the article, I was interested in the plaintiff's argument that the legal rules of the real world apply to online universes like Second Life. And the contrast to M. Leatherwood's approach to the breach: "I did it in private," he said. "I wasn't out to do a huge market thing. I was doing it for a little bit of money." In other words, breach was implicitly acknowledged; motive (=money) was at the heart of the action, like most copyright infringement by the way; defendant did not really challenge the fact that real world rules could be transplanted to virtual worlds. Is it because money is at stake? Second Life currency being exchangeable against real dollars?
See TechDirt 27 March 2008 http://www.techdirt.com/articles/20080326/164522658.shtml referring to
26 March 2008 on SignOnSanDiego http://hosted.ap.org/dynamic/stories/T/TECHBIT_VIRTUAL_SEX_MACHINE?SITE=CADIU&SECTION=HOME&TEMPLATE=DEFAULT
and even the Forbes newspaper mentioned it : "Lawsuit over online sex toys settled" (26 March 2006) http://www.forbes.com/markets/feeds/afx/2008/03/26/afx4817411.html

Facebook and harassment claim

An odd case, whose facts are not yet very clear, at least for me. It seems that M. Hurst did a search on the internet about his ex-girlfriend and was added on the list of requests to be her friend on Facebook; she denied and then complained to the police who charged him with harassment under the 1997 Harassment Act. Well, on those facts alone, it is hard to believe that the prosecution could have any chance to win the case. So it begs the question of why it all started and spent the taxpayer's money on a charge unlikely to succeed?

See "First 'Facebook harassment' defendant cleared" (27 March 2008) http://www.theregister.co.uk/2008/03/27/facebook_birmingham_harassment_cleared/

and with more details, the Birmingham Post (27 March 2008) http://www.birminghampost.net/news/west-midlands-news/2008/03/27/ex-boyfriend-cleared-of-facebook-harassment-65233-20681245/

Friday 21 March 2008

Investigations: clicking=guilty

Please read the following article carefully. It is about US law, but the practice could be more widespread and whether UK law on interception could protect people is questionable.

The facts are the following: honeypot (= fake website or similar created by law enforcement forces like the FBI here, to attract illegal behaviours) on child porn; Mr Vosburgh clicked on a link, did not look any further on the website, and found himself arrested by the FBI. Guilty verdict returned by jury; his lawyer tries to overturn the verdict, but chances of success are small.
I have several issues with the case:
1) in itself setting up a honeypot is not "kind of sad", contrary to what is said in McCullagh's article. Entrapment always existed, especially for serious crime whose detection causes difficulties. Nothing new here.

2) entrapment is however regulated, for the obvious reason that innocent people may fall in the trap without knowingly engaging in illegal behaviours. And that's where the difficulties start. To click to a porn website cannot constitute a crime in itself if mens rea, intent to go to a porn website, does not exist. Mens rea cannot be deduced from the simple action of clicking. Anybody who used the internet knows how sometimes we end up on a website we surely never intended to go, for its contents do not reflect our original search. Therefore, I found it troublesome that the FBI relied on evidence based solely on clicking. The least that we can say is that evidence gathered by entrapment is never sufficient; other corroborative evidence must be brought. According to the article, it does not seem the case. In other words, by not engaging in other investigations that could corroborate the clicking action as proof of looking at child porn, the FBI simply did not investigate the case of the alleged offender. And this is more than troublesome. The life of this person found guilty is shattered until his death: if the conviction is not overturned, he will never find employment again in academia (and he is a PhD student; think of the amount of money one has to pay to do a 3 to 4 years PhD - you have to be wealthy or borrow a lot of money), and will be systematically stigmatised for something that looks like he has never done.
Last thing, even if he was interested in child porn, that simple fact NEVER discharges the prosecution to prove beyond reasonable doubt that the person engaged in the illegal activity. If it were, we would simply live in a dictatorship, like it used to be in the USSR where one could be found guilty and sent to the gulag for "unauthorised thoughts". Criminal procedure is far too serious a matter to be played with simply because we think we are morally on the right side. Reading this article on Good Friday just reminds me that whether one believes or not in Jesus Christ, the story of Good Friday is there to remind us of our "dark side", what we tend to do when we think we are right. Agree: striking the balance is not easy; but criminal procedure is about finding that balance, not denying it per se.

M. Masnick "Click This Link, Go To Jail" (20 March 2008)
http://www.techdirt.com/articles/20080320/102209599.shtml

D. McCullagh "FBI posts fake hyperlinks to snare child porn suspects" (20 March 2008)
http://www.news.com/8301-13578_3-9899151-38.html

Thursday 20 March 2008

Social networking and identity theft

I thought I wrote about it but can't find the post (please tell me if you do). So the issue is about a fake profile created on Facebook involving a Moroccan prince. Apparently, the person has been discovered and since then sentenced to three years imprisonment in Morocco for identity fraud. Mr Masnick, from TechDirt, disagrees on the harshness of the sentence and the principle of prosecuting the offender. He thinks the reaction is disproportionate to the crime.
I can't disagree that three years, when there is no money gain and no defamatory statements, is harsh. But on the principle of prosecuting, sorry, I wholly agree. A fake profile in a CV or a newspaper would certainly have attracted prosecution, so why not when it's on the web? The public interest defended here is that of integrity of information. In that sense, resorting to a take down notice, as suggested in the article, does not seem appropriate. Moreover, this idea of constantly using take down notices is not particularly protective of freedom of speech, for there is absolutely no impartial control on who says what; the procedure actually bypasses completely judicial proceedings and as such attracts the same criticisms as it does for defamatory statements.
"Moroccan Man Pardoned For Fake Facebook Profile" (19 March 2008)
http://www.techdirt.com/articles/20080319/121024586.shtml

Wednesday 19 March 2008

Investigations of files and documents

Nothing new: we all know that documents keep track of their multiple modifications. Not too difficult to find out. Hence the French Government could have been a bit more careful when releasing its first Bill reforming liability of hosting providers a few days ago. A Word document was issued and it revealed important information of who intervened... and was not said to have been officially consulted! No military secret, but still a secret: openness/transparency could have been preferred really. "De curieuses traces dans le fichier de l'avant-projet Olivennes" (14 March 2008) http://www.pcinpact.com/actu/news/42427-olivennes-FAI-editeur-hexadecimal-log.htm

Second life: Second crime?

Rare are the articles or comments about Second Life and cybercrime. Here is an article in French (yes I know, there is no translation so far), which in substance says the following:
1) although a virtual world in theory, its impact on the real world exists simply because the currency in Second Life can be exchanged against... real dollars. Hence a lawyer (!) suing the publisher Linden Lab for loss of 8000 dollars because he was evicted when buying property (he did not comply with some rules). What I have not investigated and is unclear from the article is whether the eviction was based on virtual rules designed to prevent fraud...

2) the charity Familles de France (literally Families of France) is suing the publisher ... because the contents on Second Life give easy access to children to violence and pornography. The First Instance Tribunal rejected the claim on the basis the evidence presented was not tangible enough. But what if it becomes? What about the other violent games available on the market whether through or outside the internet?

By the way the article is an interview first published in December 2007, Michael Malka "Le droit dans «Second Life» (interview) " http://www.juriscom.net/pro/visu.php?ID=1039

Fraud and spamming: the US

I have not looked at it in detail, but spamming in the US is tackled through fraud. Would the new offence in the UK cover the same ground? Suggestions welcome... "Top Spammer Pleads Guilty, But Spam Still Going Strong" (17 March 2008) http://www.techdirt.com/articles/20080316/212058558.shtml

hacking - hacktivism?

Rumours and more tangible proofs have started to emerge over the past two years about the 2004 American elections of George Bush. If they ever are right, not only does it raise serious questions of legitimacy of the current president, but it asks an even more troubling question: who did hack into the machines for e-voting? The political motive seems at the forefront, and it is pretty scary to think about who could have ordered the hack. Hacktivism?
"Ohio E-Voting Machines Declared A Crime Scene?" (18 March 2008)
http://www.techdirt.com/articles/20080317/162504563.shtml

As scary as above is the mistaken belief that e-voting continues to be safe. See the interesting comparison with e-banking made by Timothy Lee on TechDirt (17 March 2008) http://www.techdirt.com/articles/20080304/134146430.shtml

China's use of the internet

The number of users from China now overtakes the number of users from the US. Not only does it mean that the language of the internet is not mainly English, and won't be English, even though we may not see it; but in addition it means that cybercrime is going to thrive in other parts of the world. Wonder how the Chinese Government will react to that...
"China overtakes US in number of web users" (14 March 2008)
http://news.zdnet.co.uk/internet/0,1000000097,39366044,00.htm?r=1

Response to cybercrime: specialised investigation forces?

Recurrent debate of the UK, since the Government went against the trend to establish specialised forces for investigation of cybercrime. Whether the original decision was money-driven or not, what appears clearly now is that even businesses see they cannot afford to stay without effective enforcement forces. Thus, they even think of funding an e-crime unit. What about that? Sad that the Government which should be the leader in criminal policy chose to step back at a time when e-commerce is thriving.
More frightening really is the idea that businesses could have their say in the running of the unit. That police forces be accountable, fine; but police forces represent public interest and the State, not businesses' interests however important they may be. Accountability is to everyone and police forces should not be interfered with by anyone apart from Government and fair accountability procedures. Otherwise, we are not far from private justice.

"Businesses may be forced to fund e-crime unit" (18 March 2008)
http://news.zdnet.co.uk/security/0,1000000189,39369101,00.htm


To contrast with Tories' approach? Well, when money is at stake, some always find more money to avoid the loss. Yet, cybercrime is not simply about avoiding loss of money for business. Individuals' suffering (from loss of job to that of reputation, or even arrest with no attempt from prosecution to find out more) can be far more important in terms of values society wishes to defend through criminal law and criminal prosecution.

See the BBC documentary on April 3, 2008 "Identity Fraud: Outnumbered Thu 3 Apr, 9:00 pm - 10:00 pm 60mins" http://www.bbc.co.uk/bbcone/listings/programme.shtml?day=yesterday&service_id=4223&filename=20080403/20080403_2100_4223_10817_60

with the two related articles, one from Marc Sigsworth (3 April 2008) http://news.bbc.co.uk/1/hi/magazine/7326736.stm and Sophos (3 April 2008) http://www.sophos.com/security/blog/2008/04/1255.html

and for the Tories "Tories attack gov't over cybercrime delay " (4 April 2008) http://news.zdnet.co.uk/security/0,1000000189,39379892,00.htm

Fraud: increased number of phishing attacks against banks

Apparently nothing really new, but the facts given are actually interesting: the types of attacks differ according to the security systems adopted by countries. Hence, Germany, which favours strong identification procedures, is attacked by Trojans and is rather left aside from the phishing method of fraud. On the contrary, the US is a very much liked destination for phishers. This data proves that security measures can be effective, even if they are not perfect. Hence, the law, especially criminal law, represents only a tool of last resort.
See "Banks under fire as phishing attacks accelerate" (19 March 2008) http://news.zdnet.co.uk/security/0,1000000189,39369892,00.htm

Friday 14 March 2008

Response to cybercrime: hackers as security guards?

Security is best; law is second-best. Great, but how to enhance security? Debate was launched about whether or not to hire hackers. See the responses or comments to TechDirt's post "Does It Make Sense To Hire A Convicted Cracker For Security Work?" (12 March 2008) http://www.techdirt.com/articles/20080311/113836498.shtml
The reality is that most famous hackers ended up as security men and some earn a fortune!

Fraud and identity theft

Stealing identities of persons who are unlikely to notice anything is not new. Dead people are an obvious target; but children or babies are also involuntarily good candidates. The article is US based, but I can't help making the link with the theft of the CD-Roms from the HM Customs and Excise at the end of last year 2007, where social security numbers of children were involved I reckon... "Stealing credit from a baby" (12 March 2008) http://www.techdirt.com/articles/20080312/023601513.shtml

Theft and corporations

Nothing new really; corporate espionage is thriving and can be done in many ways: hacking, developing spyware, phishing with e-mail appearing genuine, and other legal (although ethically problematic) methods like Google hacking, i.e. using Google search features to obtain maximum information.
The interest of the article really lies in those factual descriptions of the different methods used. "Corporate espionage: Not if, but when" (12 March 2008)
http://resources.zdnet.co.uk/articles/features/0,1000002000,39365959,00.htm

RFID, privacy and investigation

The following article raises awareness of the RFID revolution in Europe and the rest of the world. A technology that allows any item to be tracked down and monitored from around the world, it is highly used, according to the article, in non-European countries. By contrast, Europe is more than reluctant, for fear of privacy breaches. Fears are certainly not underestimated.
Related to crime, the technology works both ways: RFID allows for items to be tracked, so stealing could become more difficult; on the other hand, imagine investigatory forces (official or not) using the device without anybody knowing... that could lead to potential abuses and evidence gathered illegally without warrant.
(13 March 2008)
http://www.euractiv.com/en/infosociety/eu-moves-catch-microchip-revolution/article-170942

Wednesday 12 March 2008

Jurisdiction, ISPs' liability and libel

According to the story, a British politician shut his blog for Google (US) refused to remove a defamatory post put on his blog and on others'.

What strikes me first is the line taken by Google. Prima facie, perfectly adequate, their response only highlights the double standard applied by the company and others to be fair. For if the request came from China and the like, previous experiences show that Google was quick in removing the post and even giving the dissident's details. Suddenly, lack of jurisdiction was not an issue anymore. The difference only confirms that when big money is at stake, there is suddenly no legal obstacle on the way to satisfy greedy people.

Secondly, as pointed out by the author of the post, there were probably other ways of tackling the issue of libel if it was serious.
Thirdly, it highlights the problem of offensive contents: how to reconcile the global aspect of the net with regional differences?
"The Other Side Of The Jurisdiction Issue: UK Politician Upset That US-Based Blogs Follow US Laws" (7 March 2008) http://www.techdirt.com/articles/20080305/193747455.shtml

Notion of privacy - information

Again what information should be protected for privacy purposes? It seems that some argue "none" in the name of transparency. It is rather disturbing and seems to confuse transparency of procedure to store and access data which remains private, and transparency of content which equals to lack of privacy. (7 March 2008) So I certainly agree to the title of the post "Transparency Isn't A Substitute For Privacy" http://www.techdirt.com/articles/20080307/102347473.shtml

Anonymity and fighting harassment and libel

In the US, a Kentucky lawmaker filed a bill to make anonymous posting illegal. The website operator who would fail to enforce the law (i.e. letting somebody post without identifying him/herself) would pay a fine.
There are two problems here: first, free speech; anonymity is a key feature of free speech. See previously anonymous mail which can be bad or good. Secondly, criminal policy: is it the best way to fight bullying to require loss of anonymity? (10 March 2008) http://www.techdirt.com/articles/20080310/110506493.shtml

Compared with the following, it is interesting to see that readers of websites sued the website owner/operator, along similar lines as proposed by the bill above. But they did not succeed (action dropped) and are even now a target of a lawsuit for libel, for the website owner lost his job because of the damage the first legal action brought. Which raises incidentally the question of the presumption of innocence! (10 March 2008) "When Law Students Get Angry... Lawsuits Get Filed" http://www.techdirt.com/articles/20080310/014651487.shtml

And where the above idea becomes interesting is when are at stake websites ranking or rating individuals for their performance in their job. Libel is obviously a danger; but this is only part of the iceberg: harassment and personal vengeance could be coupled with anonymity and give extremely hurtful results for the people targeted. Contrary to the author of the following post, I do not think accountability can be achieved via websites of this sort. There is no control on facts, no procedure to promote fairness; whatever an individual has done, s/he cannot be deprived of fairness of procedure. Otherwise, we become like those monsters we are supposedly fighting. (10 March 2008) "Police Accountability Is A Good Thing" http://www.techdirt.com/articles/20080305/075621447.shtml
The French courts clearly took the opposite view from the author of the above article. They ordered a website ranking teachers nominally to stop publishing the teachers' names, thus taking away the whole interest of the website. The co-founder of the website Stephane Cola is obviously unhappy and considers there is a breach of freedom of speech, making a parallel with ranking institutions, but I think the issues are muddled here. It's OK to rank institutions who have no career as such and have a duty of accountability to all; but to rank an individual whose career and privacy is directly at stake with no chance to put things right reaches another level.
Sorry the article is in French "La justice dit non aux noms des professeurs sur Note2be" (3 March 2008) http://www.01net.com/editorial/372605/la-justice-dit-non-aux-noms-des-professeurs-sur-note2be/

Fighting cybercrime again: technical help to gather evidence

The challenge of cybercrime is not simply to gather evidence, but to gather evidence that can later be used at trial and pass the test of admissibility (i.e. integrity and reliability). The students' initiative in West Australia is interesting, for according to the article it should definitely help police forces. Several questions however: training of police forces to Linux when Windows is dominant, reliability of the device produced (has it been tried? on which scale? what data has been gathered proving it does not give biased results...?), and obviously how it fits with the laws on searches and seizures, and maybe interception of communication.
(6 March 2008) "Linux tool speeds up police computer forensics" http://news.zdnet.co.uk/software/0,1000000121,39363098,00.htm

To be compared with Nato's own efforts? Nato's Computer Incident Response Capability (NCIRC) unit (6 March 2008) http://news.zdnet.co.uk/security/0,1000000189,39363084,00.htm

Fighting cybercrime in the UK: Government's policy questioned

It's the turn of the Tories to question Government's policy in fighting cybercrime. Nothing new, but it is striking that the article stresses how cybercrime is a profitable business and not simply a gimmick used by hackers for fun purposes. Although one could argue it's quite fun to earn millions of pounds! (7 March 2008) http://news.zdnet.co.uk/security/0,1000000189,39363895,00.htm

Government's earlier move seems at odds with the international approach of Nato... although Nato is probably more concerned with cyberterrorism than with fraud (6 March 2008) "Nato bolsters cyber defences" http://news.zdnet.co.uk/security/0,1000000189,39363084,00.htm

Cyberterrorism: renewed warning

Renewed warning about cyberterrorism but in a way nothing really new. Unless we link it to what happened to Estonia a year ago, where most of the official services were shut down because of a DDoS attack. If it was that easy with Estonia, why not with other countries' infrastructures? (10 March 2008) "Nato: Cyber-terrorism danger equal to missile attack" http://news.zdnet.co.uk/security/0,1000000189,39364674,00.htm

Fraud: eBay and its fight against phishing

The article raises a number of interesting points. Not new is the fact that China, Russia and some Eastern European Countries like Romania are havens for criminals, or at least partial havens depending on the attitude of authorities. Not new either is the fact that the best protection against crime is not the law but education and technical measures (see the end of the article).
More interesting is the last line: "eBay is often successful in tracking down the smaller online criminals". Several interpretations to that statement: eBay seeks the help of official police forces or the like to track down criminals and fight cyberfraud; but the previous part of the article suggests that police forces are not always efficient and that eBay found criminals outside the Romanian capital city, i.e. it used its own logistic to crack down on crime. Which raises several questions in terms of HR: interception of communication, searches and seizures...
"eBay riled by Romania's policy on phishers" (March 11, 2008) http://news.zdnet.co.uk/internet/0,1000000097,39365232,00.htm

Friday 7 March 2008

Social networking and security

An interesting article for the facts it reveals. Nearly at the end, the author, Aaron Greenspan, reveals a breach of security which is pretty scary when thinking about identity theft. Apparently, Facebook's security was so lax that users could download personal details of others without their consent. Several complaints did not initiate any response from the company, until Aaron brought it to the press. This behaviour calls for two comments: first, cybercrime is best avoided by security measures (i.e. technical measures); second, those social networking sites when security is inadequate represent an ideal platform for identity theft, increasing the potential of being a victim. "Facebook and the price of user privacy" (29 February 2008) http://resources.zdnet.co.uk/articles/comment/0,1000002985,39359153,00.htm

Wednesday 5 March 2008

Liability for RSS flux

As Wikipedia puts it, RSS (Really Simple Syndication) "makes it possible for people to keep up with their favorite web sites in an automated manner that can be piped into special programs or filtered displays" http://en.wikipedia.org/wiki/RSS_(file_format)


A website or hosting provider uses RSS feeds to alert readers to new materials; to refer somewhere else to those RSS means the second website or blogger... relies on the first to automatically update contents. How can liability be engaged in those situations?

A French court, whose decision has not been translated so far, considers that although the RSS is an automatic update, referring to it reveals an editorial choice which renders whoever does so author and not mere distributor of the content. Hence a website was ordered to stop providing the RSS about the movie "La Mome" (Edith Piaf) which sends to the Gala website. (2 March 2008) http://www.juriscom.net/actu/visu.php?ID=1032

So be cautious... although the second case on the matter makes it less likely for website to be liable if the correct disclaimers have been used "Le meurtre des flux RSS n'a pas eu lieu " (12 March 2008) http://www.juriscom.net/actu/visu.php?ID=1036 and http://www.juriscom.net/jpt/visu.php?ID=1035