Wednesday, 19 March 2008

Fraud and spamming: the US

I have not looked at it in detail, but spamming in the US is tackled through fraud. Would the new offence in the UK cover the same ground? Suggestions welcome... "Top Spammer Pleads Guilty, But Spam Still Going Strong" (17 March 2008) http://www.techdirt.com/articles/20080316/212058558.shtml

hacking - hacktivism?

Rumours and more tangible proofs have started to emerge over the past two years about the 2004 American election of George Bush. If they ever prove right, not only does it raise serious questions about the legitimacy of the current president, but it also raises an even more troubling question: who hacked into the e-voting machines? The political motive seems at the forefront, and it is pretty scary to think about who could have ordered the hack. Hacktivism?
"Ohio E-Voting Machines Declared A Crime Scene?" (18 March 2008)
http://www.techdirt.com/articles/20080317/162504563.shtml

As scary as above is the mistaken belief that e-voting continues to be safe. See the interesting comparison with e-banking made by Timothy Lee on TechDirt (17 March 2008) http://www.techdirt.com/articles/20080304/134146430.shtml

China's use of the internet

The number of users from China now exceeds the number of users from the US. Not only does it mean that the language of the internet is not mainly English, and won't be English, even though we may not see it; but in addition it means that cybercrime is going to thrive in other parts of the world. Wonder how the Chinese Government will react to that...
"China overtakes US in number of web users" (14 March 2008)
http://news.zdnet.co.uk/internet/0,1000000097,39366044,00.htm?r=1

Response to cybercrime: specialised investigation forces?

A recurrent debate in the UK, since the Government went against the trend to establish specialised forces for the investigation of cybercrime. Whether the original decision was money-driven or not, what appears clear now is that even businesses see they cannot afford to go without effective enforcement forces. Thus, they even think of funding an e-crime unit. What about that? Sad that the Government, which should be the leader in criminal policy, chose to step back at a time when e-commerce is thriving.
More frightening really is the idea that businesses could have their say in the running of the unit. That police forces be accountable, fine; but police forces represent the public interest and the State, not businesses' interests, however important they may be. Accountability is to everyone, and police forces should not be interfered with by anyone apart from Government and fair accountability procedures. Otherwise, we are not far from private justice.

"Businesses may be forced to fund e-crime unit" (18 March 2008)
http://news.zdnet.co.uk/security/0,1000000189,39369101,00.htm


To contrast with the Tories' approach? Well, when money is at stake, some always find more money to avoid the loss. Yet cybercrime is not simply about avoiding loss of money for business. Individuals' suffering (from loss of job to that of reputation, or even arrest with no attempt from the prosecution to find out more) can be far more important in terms of the values society wishes to defend through criminal law and criminal prosecution.

See the BBC documentary on April 3, 2008 "Identity Fraud: Outnumbered Thu 3 Apr, 9:00 pm - 10:00 pm 60mins" http://www.bbc.co.uk/bbcone/listings/programme.shtml?day=yesterday&service_id=4223&filename=20080403/20080403_2100_4223_10817_60

with the two related articles, one from Marc Sigsworth (3 April 2008) http://news.bbc.co.uk/1/hi/magazine/7326736.stm and Sophos (3 April 2008) http://www.sophos.com/security/blog/2008/04/1255.html

and for the Tories "Tories attack gov't over cybercrime delay" (4 April 2008) http://news.zdnet.co.uk/security/0,1000000189,39379892,00.htm

Fraud: increased number of phishing attacks against banks

Apparently nothing really new, but the facts given are actually interesting: the types of attacks differ according to the security systems adopted by countries. Hence Germany, which favours strong identification procedures, is attacked by Trojans and is rather left aside from phishing as a method of fraud. By contrast, the US is a much-favoured destination for phishers. This data proves that security measures can be effective, even if they are not perfect. Hence, the law, especially criminal law, represents only a tool of last resort.
See "Banks under fire as phishing attacks accelerate" (19 March 2008) http://news.zdnet.co.uk/security/0,1000000189,39369892,00.htm

Friday, 14 March 2008

Response to cybercrime: hackers as security guards?

Security is best; law is second-best. Great, but how to enhance security? Debate was launched about whether or not to hire hackers. See the responses or comments to TechDirt's post "Does It Make Sense To Hire A Convicted Cracker For Security Work?" (12 March 2008) http://www.techdirt.com/articles/20080311/113836498.shtml
The reality is that most famous hackers ended up as security men and some earn a fortune!

Fraud and identity theft

Stealing the identities of persons who are unlikely to notice anything is not new. Dead people are an obvious target; but children or babies are also involuntarily good candidates. The article is US based, but I can't help making the link with the theft of the CD-ROMs from the HM Customs and Excise at the end of last year, 2007, where social security numbers of children were involved, I reckon... "Stealing credit from a baby" (12 March 2008) http://www.techdirt.com/articles/20080312/023601513.shtml

Theft and corporations

Nothing new really; corporate espionage is thriving and can be done in many ways: hacking, developing spyware, phishing with e-mails appearing genuine, and other legal (although ethically problematic) methods like Google hacking, i.e. using Google search features to obtain maximum information.
The interest of the article really lies in those factual descriptions of the different methods used. "Corporate espionage: Not if, but when" (12 March 2008)
http://resources.zdnet.co.uk/articles/features/0,1000002000,39365959,00.htm

RFID, privacy and investigation

The following article raises awareness of the RFID revolution in Europe and the rest of the world. A technology that allows any item to be tracked down and monitored from around the world, it is widely used, according to the article, in non-European countries. By contrast, Europe is more than reluctant, for fear of privacy breaches. Fears are certainly not underestimated.
Related to crime, the technology works both ways: RFID allows for items to be tracked, so stealing could become more difficult; on the other hand, imagine investigatory forces (official or not) using the device without anybody knowing... that could lead to potential abuses and evidence gathered illegally without warrant.
(13 March 2008)
http://www.euractiv.com/en/infosociety/eu-moves-catch-microchip-revolution/article-170942

Wednesday, 12 March 2008

Jurisdiction, ISPs' liability and libel

According to the story, a British politician shut down his blog because Google (US) refused to remove a defamatory post put on his blog and on others'.

What strikes me first is the line taken by Google. Prima facie perfectly adequate, their response only highlights the double standard applied by the company and, to be fair, by others. For if the request came from China and the like, previous experiences show that Google was quick in removing the post and even giving the dissident's details. Suddenly, lack of jurisdiction was not an issue anymore. The difference only confirms that when big money is at stake, there is suddenly no legal obstacle in the way of satisfying greedy people.

Secondly, as pointed out by the author of the post, there were probably other ways of tackling the issue of libel if it was serious.
Thirdly, it highlights the problem of offensive contents: how to reconcile the global aspect of the net with regional differences?
"The Other Side Of The Jurisdiction Issue: UK Politician Upset That US-Based Blogs Follow US Laws" (7 March 2008) http://www.techdirt.com/articles/20080305/193747455.shtml

Notion of privacy - information

Again, what information should be protected for privacy purposes? It seems that some argue "none" in the name of transparency. It is rather disturbing and seems to confuse transparency of the procedure to store and access data which remains private with transparency of content, which amounts to a lack of privacy. (7 March 2008) So I certainly agree with the title of the post "Transparency Isn't A Substitute For Privacy" http://www.techdirt.com/articles/20080307/102347473.shtml

Anonymity and fighting harassment and libel

In the US, a Kentucky lawmaker filed a bill to make anonymous posting illegal. The website operator who failed to enforce the law (i.e. let somebody post without identifying him/herself) would pay a fine.
There are two problems here: first, free speech; anonymity is a key feature of free speech. See previously anonymous mail, which can be bad or good. Secondly, criminal policy: is requiring the loss of anonymity the best way to fight bullying? (10 March 2008) http://www.techdirt.com/articles/20080310/110506493.shtml

Compared with the following, it is interesting to see that readers of websites sued the website owner/operator, along similar lines as proposed by the bill above. But they did not succeed (action dropped) and are even now the target of a lawsuit for libel, for the website owner lost his job because of the damage the first legal action brought. Which incidentally raises the question of the presumption of innocence! (10 March 2008) "When Law Students Get Angry... Lawsuits Get Filed" http://www.techdirt.com/articles/20080310/014651487.shtml

And where the above idea becomes interesting is when websites ranking or rating individuals for their performance in their job are at stake. Libel is obviously a danger; but this is only part of the iceberg: harassment and personal vengeance could be coupled with anonymity and give extremely hurtful results for the people targeted. Contrary to the author of the following post, I do not think accountability can be achieved via websites of this sort. There is no control on facts, no procedure to promote fairness; whatever an individual has done, s/he cannot be deprived of fairness of procedure. Otherwise, we become like those monsters we are supposedly fighting. (10 March 2008) "Police Accountability Is A Good Thing" http://www.techdirt.com/articles/20080305/075621447.shtml
The French courts clearly took the opposite view from the author of the above article. They ordered a website ranking teachers by name to stop publishing the teachers' names, thus taking away the whole interest of the website. The co-founder of the website, Stephane Cola, is obviously unhappy and considers there is a breach of freedom of speech, making a parallel with ranking institutions, but I think the issues are muddled here. It's OK to rank institutions, which have no career as such and have a duty of accountability to all; but to rank an individual whose career and privacy are directly at stake, with no chance to put things right, reaches another level.
Sorry, the article is in French: "La justice dit non aux noms des professeurs sur Note2be" (3 March 2008) http://www.01net.com/editorial/372605/la-justice-dit-non-aux-noms-des-professeurs-sur-note2be/

Fighting cybercrime again: technical help to gather evidence

The challenge of cybercrime is not simply to gather evidence, but to gather evidence that can later be used at trial and pass the test of admissibility (i.e. integrity and reliability). The students' initiative in West Australia is interesting, for according to the article it should definitely help police forces. Several questions however: training of police forces in Linux when Windows is dominant, reliability of the device produced (has it been tried? on which scale? what data has been gathered proving it does not give biased results...?), and obviously how it fits with the laws on searches and seizures, and maybe interception of communication.
(6 March 2008) "Linux tool speeds up police computer forensics" http://news.zdnet.co.uk/software/0,1000000121,39363098,00.htm

To be compared with Nato's own efforts? Nato's Computer Incident Response Capability (NCIRC) unit (6 March 2008) http://news.zdnet.co.uk/security/0,1000000189,39363084,00.htm

Fighting cybercrime in the UK: Government's policy questioned

It's the turn of the Tories to question Government's policy in fighting cybercrime. Nothing new, but it is striking that the article stresses how cybercrime is a profitable business and not simply a gimmick used by hackers for fun purposes. Although one could argue it's quite fun to earn millions of pounds! (7 March 2008) http://news.zdnet.co.uk/security/0,1000000189,39363895,00.htm

Government's earlier move seems at odds with the international approach of Nato... although Nato is probably more concerned with cyberterrorism than with fraud (6 March 2008) "Nato bolsters cyber defences" http://news.zdnet.co.uk/security/0,1000000189,39363084,00.htm

Cyberterrorism: renewed warning

Renewed warning about cyberterrorism but in a way nothing really new. Unless we link it to what happened to Estonia a year ago, where most of the official services were shut down because of a DDoS attack. If it was that easy with Estonia, why not with other countries' infrastructures? (10 March 2008) "Nato: Cyber-terrorism danger equal to missile attack" http://news.zdnet.co.uk/security/0,1000000189,39364674,00.htm

Fraud: eBay and its fight against phishing

The article raises a number of interesting points. Not new is the fact that China, Russia and some Eastern European countries like Romania are havens for criminals, or at least partial havens depending on the attitude of authorities. Not new either is the fact that the best protection against crime is not the law but education and technical measures (see the end of the article).
More interesting is the last line: "eBay is often successful in tracking down the smaller online criminals". Several interpretations of that statement: eBay seeks the help of official police forces or the like to track down criminals and fight cyberfraud; but the previous part of the article suggests that police forces are not always efficient and that eBay found criminals outside the Romanian capital city, i.e. it used its own logistics to crack down on crime. Which raises several questions in terms of HR: interception of communication, searches and seizures...
"eBay riled by Romania's policy on phishers" (March 11, 2008) http://news.zdnet.co.uk/internet/0,1000000097,39365232,00.htm

Friday, 7 March 2008

Social networking and security

An interesting article for the facts it reveals. Nearly at the end, the author, Aaron Greenspan, reveals a breach of security which is pretty scary when thinking about identity theft. Apparently, Facebook's security was so lax that users could download personal details of others without their consent. Several complaints did not initiate any response from the company, until Aaron brought it to the press. This behaviour calls for two comments: first, cybercrime is best avoided by security measures (i.e. technical measures); second, those social networking sites, when security is inadequate, represent an ideal platform for identity theft, increasing the potential of being a victim. "Facebook and the price of user privacy" (29 February 2008) http://resources.zdnet.co.uk/articles/comment/0,1000002985,39359153,00.htm

Wednesday, 5 March 2008

Liability for RSS feeds

As Wikipedia puts it, RSS (Really Simple Syndication) "makes it possible for people to keep up with their favorite web sites in an automated manner that can be piped into special programs or filtered displays" http://en.wikipedia.org/wiki/RSS_(file_format)


A website or hosting provider uses RSS feeds to alert readers to new materials; to refer somewhere else to those RSS feeds means the second website or blogger... relies on the first to automatically update contents. How can liability be engaged in those situations?

A French court, whose decision has not been translated so far, considers that although the RSS feed is an automatic update, referring to it reveals an editorial choice which renders whoever does so an author and not a mere distributor of the content. Hence a website was ordered to stop providing the RSS feed about the movie "La Mome" (Edith Piaf) which links to the Gala website. (2 March 2008) http://www.juriscom.net/actu/visu.php?ID=1032

So be cautious... although the second case on the matter makes it less likely for a website to be liable if the correct disclaimers have been used "Le meurtre des flux RSS n'a pas eu lieu" (12 March 2008) http://www.juriscom.net/actu/visu.php?ID=1036 and http://www.juriscom.net/jpt/visu.php?ID=1035

Wednesday, 27 February 2008

the law and cybercrime: an illusory pursuit?

Not a new debate, I am afraid. Yes, the law is behind technology, but has not law always been behind innovation? The question is more likely: can the law adapt to innovations, or can it not, thus requiring new legislation to be enacted? The question is particularly crucial for criminal law, as the key principle is that of non-retroactivity.
"Australian High Court Judge Recognizes That Technology Outpaces The Law" (22 February 2008) http://www.techdirt.com/articles/20080222/153544324.shtml

Terrorism: imaginative detection or illusory means?

Apparently, the IARA in the US reviews Second Life for potential terrorists. The information seems weird: first, how can they know who is behind a character in Second Life; second, what about the other offences committed on Second Life, like blackmail, fraud, drug dealing, probably by now money laundering? "Government Continues To Search Virtual Worlds For Terrorists" (26 February 2008) http://news.zdnet.co.uk/security/0,1000000189,39352920,00.htm