Friday 26 June 2009

Security and cloud computing

Academics have recently warned about the dangers of cloud computing, where software and data are stored on online companies' servers and accessed over the internet (e.g. MobileMe from Apple, Dropbox, etc.). It is strange, because this is one of the reasons why I have still not used those services, although I have to admit I am sometimes tempted by the sheer ease of accessing data anywhere as long as I have a connection.

Cloud computing et confidentialité des e-mails (Euractiv, 17 June 2009)

From 30 April 2009, but valuable. It is about the UK Internet Watch Foundation, the self-regulatory body (yet using taxpayers' money) filtering the internet. We had already questioned the transparency of the filtering. The IWF's own report does not reassure much about the utility of its role, nor about the criteria it uses to do its job.

Child Porn Blacklist Group Claims Its Approach Is Working, But There Are Lots Of Questions (TechDirt, 30 April 2009)


See previous post http://cybercrimeatessex.blogspot.com/2009/02/transparency-in-cybercrime.html

ISPs and illegal contents in China

Not made to reassure about ISPs' behaviour towards China's regulations. It shows they err on the side of caution, as usual. The only unusual thing is the Chinese court's decision, which was to condemn the ISP for not demonstrating that the content was illegal.
The information originates from the Financial Times through its correspondent.

Surprise: Beijing Court Sides With Victim Of Internet Censorship (TechDirt, 27 May 2009)


Victim of Beijing internet censorship wins landmark court ruling (FT, 26 May 2009)

Fraud and insider access to confidential data

The security software company Cyber-Ark released a report, or survey, on administrators' behaviour in firms: 35% of them use data they come across because of their job, or search for that data in illegal ways. This is quite scary and shows how vulnerable companies can be.

http://www.cyber-ark.com/news-events/pr_20090610.asp

and a French summary of the report on JDN 17 June 2009

Un tiers des administrateurs informatiques tentés par le vol de données

Swedish piracy case and judge's impartiality

Justice must be seen to be done as well as be done. A traditional ECHR principle stemming from an English common law culture of impartiality, which Sweden may well have forgotten in this case. A real shame when one thinks of the controversy around the justifications of piracy.

Swedish Appeals Court Denies Pirate Bay Retrial -- Says No Bias By Judge (TechDirt, 25 June 2009)

Hadopi: the new bill establishing sanctions and procedures to be followed

The tone of the new bill (projet de loi), not yet discussed by Parliament, is much harsher than the previous version struck down by the Constitutional Council.
No access to the internet for a maximum of a year; any attempt to reinstate the connection would attract up to 2 years' imprisonment and a 30 000 euros fine (about 21 000 pounds). I find it fascinating that, at a time when copyright regulations, and hence piracy, are strongly criticised in their very existence, the Government chose to take a stand harsher than what sometimes happens when somebody's life and well-being are at stake. In other words, money linked with copyright has more value than the protection of the person, say on social networks. This discrepancy in priorities is typical of the regulatory approach to the internet (think of the US, where striking down the legislation on child porn in the name of free speech meant property is better protected than the child's person/body abused by adults), but I can't get over it, and hope I actually won't get over it.
Moreover, the procedure used will not involve an adversarial hearing but will be one of those simplified ordonnance-type procedures, which, when one thinks that freedom of communication is at stake here (including jobs, because today one cannot work without the internet), is pretty troubling.

Un texte plus répressif pour sanctionner le piratage (JDN 25 June 2009)

Report on privacy in social networking

The national privacy watchdogs (often administrative authorities) produced a report on privacy and social networking. They are particularly concerned about the level of disclosure and the lack of prior consent of all parties involved, whether what is disclosed is pictures, details of life in writing or videos. They recommend that whoever posts information, notably pictures, obtains the prior consent of the people involved or faces exclusion from the social network.
Given that the basis of those networks is to share information, often without consent, the recommendation would be a blow to those technologies. I personally think it is not the way forward; rather, we should differentiate between those participating in the network and those not participating. Those in, by the fact of subscribing, should have an opt-out; those not in should have an opt-in.
More sensible is the recommendation that social networks warn their users clearly and extensively about the level of disclosure they face and how that information could be used against them or their family and friends.

See the summary on Euractiv
http://www.euractiv.com/fr/societe-information/vie-prive-rseaux-sociaux-online-loupe-ue/article-183506

For the report itself, Article 29 Data Protection Working Party

It is worth comparing with the 2007 report from ENISA, the rather silent EU agency on cyber issues: ENISA Position Paper, "EU agency for network and information security suggests updating legislation to face new social networking-related risks" (PDF, 25 October 2007)

Thursday 25 June 2009

US, EU collaboration - cybercrime

"US Officials Finally Going After Online Organized Criminals In Other Countries" (TechDirt, 10 June 2009) - I would not be as severe as the post's author, but I have to say the US tends not to bother about the rest of the world, unless one is poor G. McKinnon.

Hence the importance of the Agreement on Mutual Legal Assistance: http://www.statewatch.org/news/2009/may/uk-eu-usa-extradition-mutual-assistance.pdf

Data retention - analysis of policies

The German Working Group on Data Retention produced the following report:

Position on the processing of traffic data for “security purposes” (21 March 2009) on the statewatch website

Europol's improvement

COUNCIL DECISION of 6 April 2009 establishing the European Police Office (Europol) - the decision is available at http://www.statewatch.org/news/2009/may/europol.pdf

Be aware: Europol has existed since 1992.

Best protection: technical vs legal

Nothing protects better against crime than testing one's vulnerabilities and strengths. A non-legal response understood by Governments:

UK launches dedicated cyberattack agency (ZDnet.co.uk, 25 June 2009)

Pentagon moves to protect military networks (ZDnet.co.uk, 24 June 2009)

Hadopi, right to access a court of first instance and piracy policy

Before it was even adopted by Parliament, the French bill that promoted the three-strikes policy in its attempt to fight piracy was doomed.

The EU Parliament condemned it: EU Says No To Three Strikes On Accusation Only; Requires Court Order (TechDirt, 6 May 2009)

and even the director of the UK ISP TalkTalk considered it silly to forbid, as "pirates will always win": UK ISP Boss: 'The Pirates Will Always Win' (TechDirt, 9 June 2009)

Unsurprisingly, the bill, passed by an empty Assembly, was declared unconstitutional by the Constitutional Council and thus, in effect, can only become a statute if the unconstitutional provisions are withdrawn.


"French Constitutional Council Guts 'Three Strikes' As Unconstitutional" (TechDirt, 10 June 2009)

Legally, the decision is particularly enlightening when it comes to the grounds of unconstitutionality. The Council found several flaws, all in line with what I have been writing about on this blog:

- violation of freedom of speech and communication, because the sanction was not decided by a court but by an administrative agency; I keep saying that a court, the judiciary, has to decide on withdrawing illegal content, just as it decides who committed any other illegal behaviour
  • "16. Considering that the sanction powers instituted by the challenged provisions empower the Rights Protection Commission, which is not a court, to restrict or prevent internet access for subscription holders as well as for the persons they allow to benefit from it; that the competence granted to this administrative authority is not limited to a particular category of persons but extends to the whole population; that its powers may lead to restricting the exercise, by any person, of his or her right to express himself or herself and to communicate freely, notably from his or her home; that, under these conditions, having regard to the nature of the freedom guaranteed by Article 11 of the 1789 Declaration, the legislature could not, whatever the safeguards surrounding the imposition of the sanctions, entrust such powers to an administrative authority with the aim of protecting the rights of holders of copyright and related rights;"

- violation of the presumption of innocence by reversing the burden of proof onto the accused; it is what I always found disturbing in those cases where the RIAA in the US brings lawsuits/charges before the court, and it is most of the time for the defendant to find proof that s/he did not commit the action.
  • "18. Considering, in the present case, that it follows from the referred provisions that the commission of an act of infringement from the subscriber's internet address constitutes, in the terms of the second paragraph of Article L. 331-21, "the material fact of the breaches of the obligation defined in Article L. 336-3"; that only the holder of the internet access subscription contract may be subject to the sanctions instituted by the referred scheme; that, to be exonerated from those sanctions, it is for him or her, under Article L. 331-38, to produce evidence establishing that the infringement of copyright or related rights results from the fraud of a third party; that thus, by reversing the burden of proof, Article L. 331-38 institutes, in disregard of the requirements flowing from Article 9 of the 1789 Declaration, a presumption of guilt against the holder of the internet access, which may lead to sanctions depriving or restricting him or her of rights;"
- violation of privacy if the private institutions collecting data about illegal downloading use this data for other purposes; we know by experience that it is well possible, so I wonder how the Constitutional Council thought its "reserve of interpretation" would be complied with and which mechanisms would be used to ensure compliance.
  • "27. Considering that the fight against infringing practices on the internet meets the objective of safeguarding intellectual property and cultural creation; that, however, the authorisation given to private persons to collect data making it possible indirectly to identify the holders of access to online public communication services leads to the implementation, by those private persons, of processing of personal data relating to offences; that such an authorisation may not, without disproportionately infringing the right to respect for private life, have any purpose other than enabling holders of copyright and related rights to exercise the judicial remedies available to any natural or legal person in respect of offences of which they have been the victim;"

Censure du Conseil constitutionnel : pas d'happy end pour l'HADOPI (Juriscom. 10 June 2009)

"French court curbs internet piracy legislation" (ZDnet.co.uk, 11 June 2009)

David El Sayegh (Snep) "Couper l'accès Internet comme on envoie les contraventions établies par les radars" (JDN, 11 June 2009)

Gaming, robots and criminal law

Jacques-André Dupuy (Operantis) "Nous faisons du serious game pour les pilotes d'avion" (JDN 25 June 2009)
Use of 3D games to train pilots - a positive use of technology, but one cannot help but wonder whether the realism of those games could have adverse effects in certain conditions and be responsible for more violence.

And what if the robots copy 'bad' behaviours and commit crimes? Fiction? Not so much if one believes this article about a child robot whose memory grows by copying real human behaviour. "CB2 : parfait pour un prochain film d'horreur" http://www.journaldunet.com/hightech/salon-multimedia/dossier/ils-sont-la-et-nous-ressemblent-les-robots/cb2-parfait-pour-un-prochain-film-d-horreur.shtml
This made me think about the work of Michelle Hildebrand from Rotterdam/Brussels...

Spam, fraud and mobile phones

"Proud, Bragging Spammer Alan Ralsky Pleads Guilty" (TechDirt, 24 June 2009) - the US spammer was finally caught... for fraud and spam!

For new areas of fraud coming up soon, given the huge development of mobile phone banking:
Le m-paiement atteindrait 250 milliards de dollars d'ici 2012 (JDN, 23 June 2009)

Surveillance: EU Commission & responses to the Stockholm programme

In its Communication 262/4 of 10 June 2009 to the EU Parliament and the Council, the EU Commission seems to favour "wider freedom in a safer environment" so that there can be "An area of freedom, security and justice serving the citizen" (p. 2, 16).
http://www.statewatch.org/news/2009/jun/eu-com-stockholm-prog.pdf

The problem is as usual: safety is achieved through sharing of information. But how this information is collected and used remains very much undefined... So, not surprisingly, there is opposition to the Stockholm programme.
See Statewatch's summary: http://www.statewatch.org/future-group.htm
and also the seminar organised on 31 May 2009 http://www.statewatch.org/news/2009/may/surveillance-states-seminar.pdf

with references to the European Civil Liberties Network's own analysis http://www.ecln.org/ECLN-statement-on-Stockholm-Programme-April-2009-eng.pdf

One can only agree when one looks at the EU Council's report on the "Check the Web" project launched in 2007 and presented by Europol to the Council on 15 May 2009 http://www.statewatch.org/news/2009/jun/eu-europol-use-of-personal-data-in-the-check-the-web-project-9604-09.pdf
and the analysis provided by Cryptohippie on Statewatch's website, which describes well what a police state is and how blissfully unaware we can be until it is too late http://www.statewatch.org/news/2009/jun/electronic-police-state-2008.pdf

See also, Watching the computers. Function creep allows EU states to use intrusive remote computer searches to target any crime, however minor (TheGuardian, 9 June 2009)

The fact that the surveillance attitude is widespread does not help: Canadian Politicians Want To Pass Internet Snooping Legislation (TechDirt, 19 June 2009)

And contrary to the widespread feeling, security is not a justification per se for surveillance, even if obviously increased CCTV and the like can help detect crime: As Google Agrees To Delete Unblurred Street View Images In Germany, One Is Used To Solve A Crime

Finally, see the EU Parliament on the subject, with its "REPORT with a proposal for a European Parliament recommendation to the Council on strengthening security and fundamental freedoms on the Internet (2008/2160(INI))" (25 February 2009)

and the HL view on procedural rights in EU criminal proceedings http://www.statewatch.org/news/2009/may/eu-hol-ec-procedural-rights.pdf

"Pro"-piracy policy, anti-piracy policy and distorted language

"Woman Who Owned No Computer, But Got Sued By The RIAA, 'Settles'" (TechDirt, 19 June 2009)

As pointed out, one cannot settle when the established facts demonstrate that it was impossible to commit the action. The RIAA is manipulating the language to appear victorious when its actions embody utter failure.
More troubling is the issue of evidence. What would have happened if this woman had owned a computer but never file-shared? How is the RIAA collecting its evidence? Are we not faced here with illegal surveillance?

In that sense, Norway's position of avoiding general surveillance for a mere IP issue makes much more sense.
Norway Decides Privacy Is More Important Than Protecting The Entertainment Industry's Business Model (TechDirt, 24 June 2009)

Obviously, Norway's position obliges one to rethink piracy and the IP rules. The analysis of Shakespeare's work, and how the famous poet and writer borrowed from traditional folk tales and their various interpretations by other authors, is quite enlightening about the real issue IP legislation creates, especially in a world which works on the basis of networks and sharing.
"Would King Lear Ever Have Been Written If Copyright Law Existed?" (TechDirt, 23 June 2009)
"The Guardian Embraces Crowdsourcing The News In Useful Ways" (TechDirt, 24 June 2009) (The Guardian put online all the data on the MPs' expenses scandal; ordinary people dug out what they found interesting and journalists just checked and put the information within a broader perspective.)

Misuse of criminal law

"Student Found Guilty Of 'Disturbing The Peace' For Sending Nasty Political Email To Professor" (TechDirt, 18 June 2009)

How sending an e-mail can breach the peace, I am puzzled. It was not a collective e-mail, say to the whole of the University, which would (maybe) have justified the analogy of the public forum. At most, the e-mail, if repeated at least once, would fall within harassment, but certainly not breach of the peace.
Disciplinary action might also be foreseen if the university's charter of conduct was breached.

Tuesday 16 June 2009

Nasa hacker

Court hears Nasa hacker 'at risk of psychosis' (ZDnet.co.uk, 9 June 2009)

Judges delay decision in Nasa hacker case (ZDnet.co.uk, 11 June 2009)

Nasa hacker petition tops 4,000 (ZDNet.co.uk, 15 June 2009)

Filtering

"EC: New net-neutrality law is unnecessary" (ZDNet.co.uk)

The Conseil constitutionnel (French Constitutional Court) rejected part of the bill nicknamed Hadopi, in its provisions that allowed an administrative authority to cut the right to access the internet. The Authority, although independent, did not provide sufficient safeguards to the internet user, given that freedom of expression was at stake. Only a court, as part of the judiciary with its own requirements of independence and impartiality, could take such a decision.

The decision is interesting for several reasons:
1 - in relation to the "independent administrative authority" system which France is so fond of, the decision puts a halt to a recurrent trend of transferring legal issues from the courts to non-judicial authorities.
2 - it is a reminder that freedom of communication and expression are so intrinsic to the internet that any measure curtailing it, whatever the justification offered, must be assessed by the courts. Compared with what is happening with ISPs taking down materials, the decision makes one think about the appropriateness of those take-down notice procedures not validated by courts...
3 - I am not as sure as the Commission that net neutrality is not needed; resorting to courts is not the main method within Europe. Harmonisation at EU level should be certain before engaging on a dangerous path.

From filtering to software piracy

How the desire to control child pornography turns into a piracy/illegal trade issue... Apparently, upon request of China, computers shipped from the US to China must contain 'Chinese' filtering software... whose code is partly stolen from a US company!

Chinese censorware has stolen code, says US firm (ZDNet.co.uk, 15 June 2009)

update: "US asks China to drop filtered software " (ZDnet.co.uk, 25 June 2009)

Wednesday 10 June 2009

Firewall and control on PCs

Want to know what this headline reminds me of? Hitler having successfully ordered the making of radios that did not allow foreign stations to be received by the German people, without the knowledge (and even less the consent) of the population. Let's hope the Chinese people will not be blinded by their Government's policy and will learn that the controls are on the machines as much as on the internet itself.

"Local Version Of China's Great Firewall Now Required On All PCs In China" (TechDirt, 8 June 2009)

Twitter; ID fraud

The story runs as follows. An account was opened on Twitter under La Russa's name; it was a fake account. Some claimed that, under threat of a lawsuit, Twitter (the company) closed the account and donated money to charity. Twitter denied the story.
Two things spring to mind. Is the fake account doing any harm, for example by impersonating a real-life person so well one could not easily guess what was true and false? If so, civil law at least applies and Twitter can delete the account. However, there should be court proceedings rather than threats and bullying.
"La Russa & The AP Claims Twitter Settled Lawsuit... Twitter Sets The Record Straight"
French law has actually taken the step of making it an offence, with a maximum of one year's imprisonment, following a few MPs whose names have been 'abused'. "Loppsi : 1 an de prison pour la fraude à l'identité sur Internet" (Numerama, 27 May 2009)

Then, this affair/case seems a matter of educating people and companies about the internet.

"Lifelock Found To Be Illegally Placing Fraud Alerts On Credit Profiles" (TechDirt)

"So-Called 'Friendly Fraud' On The Rise" (TechDirt 27 May 2009)

Hacking - future of hackers

Just in case some might have some hope. It did not even occur to me that the change of Minister could modify Mr. McKinnon's situation, especially as the hearing before the Supreme Court (ex-House of Lords) is pending.

"Lawyer: Home Office unlikely to U-turn on hacker " (ZDNet.co.uk, 8 June 2009)


But there may be some hope in the mid-term future: (ex-)"Hacker joins US Homeland Security in advisory role" (ZDnet.co.uk, 8 June 2009)

with the following update: "Mitnick: from 'computer terrorist' to consultant " (ZDnet.co.uk, 23 June 2009)

Theft/access to confidential data

BT researchers bought 300 hard drives on eBay and checked their data content. The results are surprising and scary: 34% of the drives contained data easily identifiable to real persons or companies, and some contained high-security data such as the login details of the French ambassador in Germany or information about US firms making missiles.
I can't believe people are silly enough to sell on eBay disks that have not been reformatted with complete erasure of the data, especially in high-risk domains.

"Des disques durs d'occasion très bavards sur eBay" (JDN, 13 May 2009)

And it is no better when data is not even encrypted, like the Royal Air Force's data!
Vols de données dans l'armée de l'air britannique (JDN, 28 May 2009)

"Hacked ATMs let criminals steal cash, PINs" (ZDnet.co.uk, 5 June 2009)

Defamation/insult online and disciplinary action

The basis for a disciplinary action is that the context is that of discipline. The offence has been committed within a specific area/location (a school, an office, a prison) or in relation to a group often regulated specifically (e.g. doctors). The sanction aims at maintaining order within that location or within that group. I don't see how comments online, outside school hours and outside the school itself, can fit that notion of discipline. Then, if it is not discipline, only civil law applies and, in very rare cases, criminal law.

"Judges Divided On Right Of Schools To Punish Students For Mocking Principals Online" (TechDirt, 9 June 2009)

Wednesday 3 June 2009

DDoS practice by security firms

In order to shut down those sending spam and scams (particularly phishing), security firms can identify the originating server and then send e-mails to shut down the site.

Sébastien Darnault (MarkMonitor) "Nous bombardons les serveurs de mails frauduleux jusqu'à les faire tomber" (JDN 2 June 2009)

Reliability of data

An interesting analysis of the facts about the posting on YouTube of a video where a young man was attacked by a group of young women. Bloggers apparently questioned the reliability of the video and some thought it was a fake. It was confirmed later on that it was real, but I like the idea (and in that sense I concur with the article's author) that people questioned what they saw and did not take it at face value.
In terms of criminal procedure, this is absolutely essential.

"Info sur le web : Le syndrome inversé de la fille du RER D" (JDN, 26 May 2009)

On a similar note, the explanations about information safekeeping/safeguarding, which is linked with its reliability: "Cycle de vie des données informatiques, du berceau à la tombe !" (JDN 7 May 2009)

Social networks: world and power

There is always talk of Facebook, but it is not the only social network on the web. Others in non-English languages are actually attracting more customers, in China obviously, but also Brazil, Russia, the Netherlands, etc.
"Ces réseaux sociaux qui résistent à Facebook Sonico.com au Brésil" (JDN, 2 June 2009)
I wonder if their business models are better than Facebook's. Note though that the Russian internet businessman just 'bought' Facebook...

"Judge 'Friends' Lawyer During Case, Influenced By Defendant's Website" (TechDirt 2 June 2009), or how a judge disqualified himself by contacting one party's lawyer through the new technologies during the trial! One wonders about the judge's sense of duty.
On collection of data/communication of data to the public:

Self-explanatory
"If You Rob A Bank, Perhaps You Shouldn't Brag About It On MySpace" (TechDirt 2 June 2009)

Not criminal as such, but interesting about the degree of non-privacy (to be expected, really):
"Analyzing Labor Data Via Facebook Status" (TechDirt, 2 June 2009), or how the words hired/fired in postings were used to analyse the trend in financial crisis management...