Archive for the ‘security’ tag
News, blog posts, etc
European Commission, ‘EU Cybersecurity plan to protect open internet and online freedom and opportunity’ (press release, 7 February 2013). Marking the release of a new strategy and proposed Directive (download both of them here) on this topic. The interesting bit about this is how it’s framed – legally speaking it’s an internal market measure (not crime!); strategically, it follows up on the many comments about ‘trust’ in the Digital Agenda documents of the last couple of years. While most of the operative provisions of the Directive are about national authorities for infrastructure and cooperation between them, there is an interesting (proposed) obligation for member states to regulate ‘market operators’ in terms of security and also notification of breaches. (Incidentally, is this category of ‘market operator’ a new one? It has two sub-categories – information society services ‘which enable the provision of other’ ISSes (examples in an Annex are cloud computing platforms, app stores, search engines, social networks), and operators of certain types of critical infrastructure.) Art 14 doesn’t apply, in essence, to telephone/mobile/broadband providers, because the electronic communications directives already occupy the field. (It also doesn’t apply to certain players in the much-maligned electronic signatures field – although I read that exclusion as being broader than those entities contemplated in the 1999 Directive.) (The ‘open internet’ etc language of the strategy and press release is slightly overstated, I think.)
John Brodkin, ‘Wi-Fi “as free as air”—the totally false story that refuses to die’ (Ars Technica 8 February 2013). This is most curious. The (interesting and potentially significant) work of the FCC on what to do with UHF ‘white spaces’ – spectrum formerly used or left as a buffer for TV broadcasting but becoming available for other uses – has been of interest in IT law for some years now. Then seemingly from nowhere, a normal development in the regulatory process became the basis for an article about free wifi. This is not to say that white spaces and Internet access are unconnected; clearly, it’s one of the reasons that people beyond spectrum gurus talk about it. (I wrote about it in passing in this 2009 article, in section 5.5.) But the licensing process does not deliver a free service by any means (even if, as is being discussed, the regulatory model would not include a license fee for spectrum use). Nor has anything particularly interesting happened in recent weeks – as Brodkin’s deconstruction points out, the interesting stuff either happened a few years ago (when the opening up started) or will happen in the future (if new services are launched).
Simon Fodden, ‘Edwin Mellen Press’s Curious Case’ (Slaw 10 February 2013). A comment, with plenty of links, on the developing (and worrying) story about the huge defamation claim (the applicant seeks the equivalent of over £2m!) against a librarian (who wrote some quite critical things about a publisher, informed by his knowledge of the field) and his university employer. I would certainly not have anything to do with this publisher as a result of its actions in this case (whatever about the underlying allegations themselves!).
Alexander Hanff, ‘The murky world of privacy advocacy’ (10 February 2013). A new blog and a rollicking start, with a detailed analysis of corporate funding for tech-related NGOs. It’s about time. Given the field I’m working in, I’ve seen quite a few of these organisations (and indeed, their close cousins, the consultant reinventing themselves as an NGO/think-tank with no membership and often nothing to add). I think the post by Hanff demonstrates a very honest attempt to understand the weaknesses of the lobbying system and reminds us all to think about the motives as well as the contents of interventions.
‘Virtual currency and virtual property revisited’ (Technollama 11 February 2013). An overview of recent developments on virtual £££ and IP and other things, prompted by a piece in Forbes (which is mostly about virtual property). See also this nice PBS video on Bitcoin, etc.
Nina Mendelson, ‘Should Mass Comments Count?’ (2012) 2 Michigan Journal of Environmental & Administrative Law 173 (SSRN). This is a response to the author’s earlier work (and a debate about it), but reading the article covers much of what went before quite neatly. The issue is a controversial one – how, when public consultation happens, to deal with different forms of participation (particularly one-click or template methods).
Michael O’Flaherty, ‘Freedom of Expression: Article 19 of the International Covenant on Civil and Political Rights and the Human Rights Committee’s General Comment No 34’ (2012) 12 Human Rights Law Review 627-654 (£, link). The author of this article was the rapporteur for this General Comment and discusses the comment as well as some of the cases and stories it relied upon. Watch out for the interesting discussion of article 19 and emerging technology, too.
E Tarantino, ‘A simple model of vertical search engines foreclosure’ (2013) 37 Telecommunications Policy 1 (£, link). The new volume of this journal (mix of law, business, economics, etc) starts off with one of the topics of the year, competition law and search engines.
Wiebke Abel (Edinburgh) and Matthias Damm (an attorney in Karlsruhe, and LLM graduate of Strathclyde) both addressed the topic of trojans and spy software and their use by law enforcement agencies in particular.
Wiebke started things off with an overview of how ‘the world has changed’ and what this means for crime. Are traditional investigation methods and laws sufficient to deal with new challenges? Can a ‘new generation of investigators’ (and investigative tools) help? She picked a particular example, the ‘German Federal Trojan’ (aka Bundestrojaner!). Trojans are familiar (as used by hackers, spammers and others) – but are they only for criminal use? The plan here is for covert search and surveillance of private computers by police or secret services. This can be implemented through spyware, through existing ‘backdoors’ and even download-contamination. There was – naturally – outrage in Germany about this – but was this a once-off? No: the US ‘magic lantern’ and Austrian ‘online search’ are other examples. These technologies are special because of the way they combine factors such as mobility, ubiquity, invisibility and digital evidence collection; but they are unpredictable and can even raise international issues (trojans operating outside national borders), and the use of gathered data is wholly unclear at this stage (would it stand up in court? should it?). And how do you prevent antivirus software from identifying the supposedly hidden trojan? Wiebke mentioned R v Aaron Caffrey (existence of a trojan used as a defence in a criminal trial about material on C’s machine). A possible solution is seeing source code as the ‘DNA of software’: hardwire the law into software. But the overwhelming need is an approach where regulation through law and regulation through code are working together.
Matthias then started his presentation, ‘I know what you saved last summer’. He also took guidance from history, mentioning fingerprints, DNA and CCTV as examples of new investigative ‘technologies’. Today’s investigators look more like computer operators than Sherlock Holmes. CIPAV (Computer and IP Address Verification) is in use in the US, although it’s not supposed to be dealing with content. The FBI haven’t been very helpful in explaining how it works. As for the Bundestrojaner, the Federal Constitutional Court dealt with this (on 27th February 2008) and gave the go-ahead to such software in its ruling, subject to strict conditions (such as a court order and respect for private data). This was the same case where the Court formulated a new constitutional right, the guarantee of the confidentiality and integrity of IT systems. More than 60% of the German population apparently support the system, although are they aware of the Orwellian nature of such software?
After a discussion on the trojan issues, Angus Marshall (Teesside) then reported on the EPSRC-funded ‘Cyberprofiling’ project. The project looked at offender and geographic profiling, in particular in the context of intelligence and intelligence-sharing. How can existing information (server logs etc) be used in a useful way? Overcoming various problems, they developed a ‘data collection appliance’. But one of the most interesting legal issues that arose was whether an IP address is a ‘personal identifier’ (relevant for sensitive data / data protection / sharing / etc). The Information Commissioner has given various answers; European practice varies. But the research group didn’t feel that IP addresses were personal, though they did accept the advice and used anonymisation. This itself required some new work. So how does this type of ‘dataveillance’ compare with other things like (on the one hand) CCTV, DNA and wiretapping and (also, or on the other hand) credit cards, mobile phone tracking, loyalty cards etc? The first category is ‘biometric keyed’ and the second is ‘token mapped’. Angus gave an overview of the regulation and effectiveness of each. He concluded that a telephone number is not a personal identifier; neither, they argued, is an IP address (but combined with other factors it ‘may be personal data’). Again, the discussion was extremely vibrant, and now it’s off to lunch.