Thursday 26 February 2009

Sex offenders and the use of Facebook

Chris Kelly, Facebook's chief privacy officer explained how sex offenders are banned from Facebook. "We have been working productively with General Blumenthal and other attorneys general to keep sex offenders off Facebook, and to assure that those who attempt use our site in violation of their parole or other restrictions are brought to justice. This is one of many measures that we continue to take to make Facebook a safer and more trusted online environment." (our emphasis - the quote is from "Report: 5,585 sex offenders purged from Facebook", CNET, 20 February 2009).

This answers my concerns when I first read the headlines in several newspapers. I wondered on which criteria Facebook banned people. At least it is after a conviction, not before a conviction, and on the terms of the sentence given.
However, I share one concern with TechDirt's author Longino: the ban seems to me very general and rests on the assumption that sex offenders will use Facebook ONLY to track down future victims. To make a parallel, it's like saying that each time they switch TV is to look for and at child porn or the like. Or that they enter a bookstore only to find filthy images. I find the assumption in violation of those offenders' most basic rights of freedom of communication. Let's be clear though: there is a possibility that Facebook or MySpace can be use to groom. HOwever, I think justice should have evidence of it (like where they log in) rather than accept a preemptive ban so broad it is forbidding sex offenders to use an important mean of communication nowadays. "Facebook Boots Off Almost 5600 Sex Offenders; Don't You Feel Safer Now?" (TechDirt, 20 Feburary 2009)

Fraud, the banks and firms

Well, one would have thought that the banks were at the top of the security game to avoid unnecessary losses. It seems that the last scam targeted banks quite successfully. Arguably, citybank did not lose the money because at the end, the money was not transfered. However, the reason for not doing so was a mere technicality. The fact that the bank believed the fraudsters and undertook all the steps necessary to send the money demonstrates that the false representation worked very well!

"DEAR CITIBANK: I WOULD LIKE REQUEST TO YOU HELP IN SECURING 27 MILLION DOLLARS US" (TechDirt, 23 February 2009)

No less reassuring although banks are not necessarily the culprits: "Researcher demonstrates SSL attack" (ZDNet.co.uk, 20 February 2009)

Similarly, the following post shows that banks and firms continue to integrate into their inevitable losses the cost of cybercrime/cyberfraud. Maybe it's time to wake up and be a bit more proactive? Or maybe consumers should be better informed and go on strike? After all, the banks seem to be the only business those days that can think that they can loose money and still get the taxpayer/consumer to pay for their debt and for their bonus.
"Making Credit-Card Payments More Secure By Making Breaches More Expensive" (TechDirt, 4 March 2009)

Wednesday 25 February 2009

Skype and interception of communication (update)

A very interesting article (because of the details provided) has been written in French. The reason why Skype's communications are difficult to intercept is that they are using encryption keys that Skype, so far, has refused to communicate.
A software is available that allows for decryption: Digitask. But it costs, according to the article, 3500 euros to acquire, and more importantly, 2500 euros to use and for each interception; in other words, a fortune for police forces. This is why police officers are so keen in obtaining the keys from Skype itself.
Given that both Germany and Italy were concerned about this, not surprising the EU started to look at the issue. Hence the Judicial Co-operation Unit launched an investigation into the possibilities to tap internet conversations, on the basis that organised crime uses Skype facilities already

"Bientôt des écoutes policières sur la VoIP ?" (JDN, 25 February 2009)

"EU to investigate VoIP-tapping techniques" (ZDnet.co.uk, 20 February 2009)

Thursday 19 February 2009

ISPs not effective cops?

When I have the time, I'll read it more carefully, but the research is interesting. If it is proven that ISPs are not effective cops, then there is a practical for forbidding them to act as cops, independently of human rights issues.

"Research Paper Shows How Useless It Is To Require ISPs To Be Copyright Cops" (TechDirt, 18 February 2009). The post refers to an article in Computers and the law available on SSRN http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1329703 from Adams and Brown (the later I wrote a post about on 5 February 2009 Transparency in cybercrime reporting/filtering of content)

sentencing and corruption

Corruption not where you would imagine: judges seem to have sent children to detention centers more than necessary because of financial interests in doing so. How come the system was set up in such a way that corruption was that easy is a mistery.

"Corrupt Judges Sent Kid Who Made Spoof MySpace Pages To Detention... For Profit" (TechDirt, 18 February 2009)

Skype and interception of communications

Skype does not allow for easy wiretapping of conversations. Anyone can imagine the potential for criminals, but also, on the good side, for dissidents. However, I don't think the loophole will remain for long; somebody somewhere will invent a good wiretapping device , if it has not already be done in China for example, as the article below suggests.

"Italian Cops Complain That They Can't Listen In On Skype" (TechDirt, 18 February 2009)

Paying people to filter the internet

China seems to now pay people per porn website discovered and reported. Being cynical, I wonder to which extent this solution might be cheaper than hiring them as full-time employees for the Great Firewall. A future law and economics study?
In terms of human rights and liberties, well, using people to report websites (free of charge) is a common procedure in most countries. UK does it with Internet Watch Foundation; France does it with the Internet Gouvernance website and system, etc... None however when as far as paying them! The question is probably how the prospect of being paid could affect the "objectivity" (if any) of the person's appreciating the contents of the website. As usual, how the information reported is used by Government or non Governmental agencies is crucial as lack of transparency promotes censorship and violation of human rights.

"China Looks To Build Human Firewall With Fun, Prizes" (13 February 2009)

Need for special courts for cybercrime?

In India, Justice V.S. Sirpurkar of the Supreme Court explains that specialised courts would be better suited to tackle cybercrime and e-commerce issues. I am not sure I would agree on the conclusion. I would certainly agree that judges, as much as police forces, need specific training, a training which is not mainstream currently. However, I do not see why we should have specific courts: there would be problem of defining jurisdiction of those courts, which would create another layer of unecessary issues to deal with. Maybe it is time for the judicial system, whether in India or not, to adapt to the changes.

"Special courts for cyber crime sought" (CCRC, 8 February 2009)

Localisation of e-mail senders via Google mail

Quite a scary feature for Google mail users: according to the French JDN (web journal), Google will make available to other users the geographical localisation of users when they send e-mails with city/village, region and country.
In terms of privacy, it is obviously problematic. Other forms of communications like telephone do not give that amount of details as to the whereabouts of people. Telephone numbers for example indicate a region more often than a city. Only postal communication does give away the same amount of features. However, postal communication is not instantaneous, thus the person can have moved away by the time the other person received the message. This won't be the case by e-mail.
Nevertheless, the feature is not surprising given past relationships of Google with China and handing in dissidents.
"Google teste la géolocalisation d'e-mails avec Gmail" (JDN, 11 February 2009)

Tuesday 10 February 2009

Disappeared posts - hidden filtering

As creepy as the previous one, although the persons involve do not suffer like this woman and her children did and do. Apparently, posts from bloggers disappear when related to music and copyrights.
How on earth can Google accaparate the right to filter without warning and notice? Who are they? the secret police of some private dictatorship?

Google Accused Of Invisibly Deleting Blog Posts On The RIAA's Say-So (TechDirt, 6 February 2009)

It all comes back to one question: who is in charge of filtering and on which criteria? private companies for their own sake or for other companies or for Governments? The first two, in a liberal/democratic State, have always been forbidden; the last has so far been subjected to a policy of check and balances, with transparency at its heart (well, at least that is the objective). WHy should it be different online?

See for example the comment of Kelly for Facebook:

Terrorist search -use of language searches

I read the post sent by Statewatch in its last newsletter. I clicked rather out of habit/curiosity than anything else, but what I read, I found deeply disturbing. Please read the whole post before reading mine - you will then understanding exactly what I mean.

Those are extracts on which my analysis is based:
"Andrej works as a sociologist on issues such as gentrification and the situation of tenants. Outside academia he is actively involved in tenants' organizations and movements that deal with gentrification and urban development. Using words such as 'gentrification', 'marxist-leninist', 'precarisation' oder 'reproduction' in their texts was enough to start complete surveillance (a linguistic analysis by the Federal Police later showed it's most unlikely they wrote these texts). "

My interpretation is as follow: the police is simply using extensive powers not to do their job.
As a researcher using the web to find documentation (perfectly respectable by the way), I use regularly keywords. I also know by experience that what I want is NEVER EVER under the keywords that I type. In other words, the most obvious range of keywords will lead me to documents I don't really have any use for. Anybody using the web extensively knows that.
I worked on an article about hatecrime in cyberspace - I wanted the UN Human rights committee decision on Faurisson - I typed Faurisson & decision and used google.com. The revisionist website of aaargh came up (it does not, by the way, if you use google.fr - the website is blocked). Now linguisticly, the website never uses any offensive language; the decision published should be questioned for its reliability because it is not the official UN website (even if it is not unreliable). Conversely, although I have not done personally conducted such research, those who look at websites from neo-nazis and the like all know that the obvious words of nazis won't bring you many websites; that the most dangerous and scary stuff appear at random under the most unlikely headings (see Roversi's book on Hatecrime).
Coming back to this post I refer to, what does it mean? that the German police simply should get a grip with technology and a tutorial on internet/google searches held by librarians could actually help them understanding the fundamental flaw of their investigation practices. They used words they associate with terrorism and terrorists to conduct their search, but no other ground work substantiated their analysis before they sought permission to wiretap!!! Which, by the way, shows also how clueless the judges are...

the rest of the investigation seems also a lot of rubbish based on assumptions rather than real facts. To suspect somebody because they don't use mobile phones sometimes or do not say things on the phone or encrypt their e-mails can have several explanations. I don't use a mobile phone; I certainly will NOT say certain things on the phone or by e-mail; and if I don't encrypt usually, I certainly could do so sometimes, for security purposes because I don't want anybody knowing. But that does not make me a terrorism.
If I were politically active, would the situation change? no, because my ideas of dissent do not make me suspect of mass murder, just because I dissent.

Facebook fraud

nothing new; common sense may be the best security feature...

"Man falls victim to Facebook hackers " (CCRC, 2 February 2009)

"That Person Asking For $3000 On Facebook Might Not Actually Be Your Friend" (TechDirt, 9 February 2009)

Online watch for illicit content - France

After a bit of research (online though), the text for fraud is a Ministerial Decree from the Home Secretary - Décret n° 2008-1109 du 29 octobre 2008, available at Legifrance http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000019708364&dateTexte
The title itself is "experimental automatic treatment of online pre-complaint". In other words, the online system is just an online tool for the police to do their job and for the victims to complain, as they would do at their local police station.
It is experimental because it has been tested in two "counties" (départments in French). It is the police who investigates once they received the information; a face to face meeting will be requested and if the person does not pursue, the data after 30 days will be deleted.

The CNIL (a quango for ensuring privacy in the collection and use of data) approved of the scheme in April 2008 - Délibération n° 2008-102 du 29 avril 2008 portant avis sur un projet de décret en Conseil d'Etat autorisant la création d'un traitement automatisé dénommé « pré-plainte en ligne » PUblished in the JO 31 october 2008 http://www.legifrance.gouv.fr/affichTexte.do;jsessionid=14152FC1A28C9B4FFBC3C63149E83684.tpdjo04v_1?cidTexte=JORFTEXT000019709044&dateTexte=20081031&categorieLien=cid

Thursday 5 February 2009

Transparency in cybercrime reporting/filtering of content

The following paper of Dr. Ian Brown, published on SSRN, touches upon an important issue in my opinion linked with cybercrime. The Internet Watch Foundation filters contents from the web after reporting by users. BUt the process is far from transparent (actually, very little is known about it) and the problem for me as a criminal lawyer, is that the content leads to a criminal offence/sanction but all along the process of investigation and decision no governmental agency (police officers, courts...) either do appear. Why?
At least France launched in November 2008 its website to report problematic content (offensive or eve fraudulent content) and the people in charge are governmental officials who must report to the Prosecutor in case of criminal offences committed. https://www.internet-signalement.gouv.fr/PortailWeb/planets/Accueil!input.action
I have not found the original piece of legislation creating this website and its process but at first sight, the French system is preferable.

Fraud - France launced a new reporting website

To combat fraud, the French Government launched in November 2008, a new website to enable user to report frauds (escroquerie in French) https://www.internet-signalement.gouv.fr/PortailWeb/planets/Accueil!input.action

the complaints are investigated by police officers and then refered to the Prosecutor if the facts fit the legal offence of fraud. The police officers are a special unit of the Cybercrime unit (l'Office Central de Lutte contre la Criminalité liée aux Technologies de l'Information et de la Communication)

But actually, the headlines are misleading because the website is not simply about fraud, but about illegal and harmful content as far as I could understand on the "questions and responses" webpage, with express reference to parents monitoring their children's use of internet.
https://www.internet-signalement.gouv.fr/PortailWeb/planets/Faq.action

at least the process seems a bit more transparent than that of the IWF in England!

Google's criminal liability

Just two informations on this: the trial is opening; Google's exec was silly enough to travel to Italy for a conference and got arrested.
I can't find information about which bits of the criminal code or legislation has been used, but my knowledge of Italian is too bad to do any serious research.

For TechDIrt,

For the International Association of Privacy Professionals, "Additional claim filed against Google" (3 February 2009)


Update on 21 February 2009:
I thought it was not worth writing a different post, but rather completing this one. The judge seems to have refused dismissed the case. Assuming that Google is not responsible, two interpretations can be given: 1) a silly decision, 2) a willingness to let the trial happen so that the flaws in the prosecution's arguments can be exposed and the judgment be a final stop to this king of charges. The later is not as unlikely as one may think and it is a tool used by European Governments themselves when they let a case move to the European Court of Human Rights knowing full well they will be condemned. It is an effective way of settling the law.


http://www.techdirt.com/articles/20090219/0045403825.shtml

Sunday 1 February 2009

Cost of cybercrime - another study

"Global cost of cybercrime hit $1tn, study finds" by McAfee, (ZDnet.co.uk, 29 January 2009)

Fraud - clickjacking increase; and police training

The American firm Clic Forensics registers a sharp increase in clickjacking, fraudulent modification of HTML code underlying a weblink on a website.
"Recrudescence de la fraude au clic fin 2008" (JDN, 30 January 2009) - the article shows graphs that are self-explanatory

see also "Flaw exposes Chrome, Firefox to clickjacking " (ZDNet.co.uk, 29 January 2009)

which makes police training more than necessary "Cyber-Crime: Law Enforcement Must Keep Pace With Tech-Savvy Criminals" (Digital Communities, 28 January 2009)

sex offenders and MySpace

Two interesting bits of information here: 1) that MySpace does filter its users' profile to search for sex offenders; I can understand why, but this is a permanent ban or ostracism on those offenders based on the philosophy of no rehabilitation. It looks like excommunication except no religious belief is at stake. Do we have a right as a society to reach such extreme measures? Is that an acceptable cost to protect children notably against predators?
2) the reliability of profiles on MySpace: fakes are numerous and nothing should be taken for face-value...

"Raising Some Questions About Smoking Gun Sex Offender Profiles On MySpace" (TechDirt, 28 January 2009)

Obscenity (UK) and outsiders' view

The new offence of extreme porn attracts more media coverage than Government's funding. So is there a point in enacting such laws if they cannot be enforced? Let's hope one day Government will wake up to cybercrime's threats...
"Police will not target offenders against law on violent porn" (The Guardian, 26 January 2009)

The same question of "why legislation" was raised, but for different reasons: "UK Citizens Worked Up About Broad And Vague Obscenity Law" (TechDirt, 29th January 2009)

Nasa hacker's perception on his trial

In a press conference, Mr. McKinnon explains why he believes he would have a fair trial in the UK: no big press coverage turned against him etc...
"Nasa hacker: I'd get a fairer trial in UK" (ZDnet.co.uk, 28 January 2009 - video)

A reminder that cybercrime is not always about law

A reminder that sometimes the best response to cybercrime is the use of technology rather than the enactment of legislation. Be aware though that no technology is flawless, so security is never 100% guaranteed.

India IT sector boosts (ZDnet.co.uk, 27 January 2009)