Tuesday, June 30, 2009

Quote of the day

Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four.
- Bruce Schneier

Thursday, June 25, 2009

Bord Gais Laptop Loss

I wrote an opinion piece for the Sunday Business Post on the recent Bord Gais laptop loss - using it as a jumping off point to argue for a data breach notification law in Ireland. Here's an excerpt:
It hasn’t been a good week for personal information. Last Tuesday, the HSE admitted that it had lost an unencrypted laptop containing sensitive information, including particular social work case notes on nine families.

Remarkably, the HSE had not reported this loss to the Data Protection Commissioner, who learned of the incident from media reports. The HSE incident was eclipsed the following day when Bord Gáis revealed that it had lost an unencrypted laptop with account details - including bank and credit card information - on 75,000 customers, exposing them to the risk of identity theft.

Unfortunately, these are not isolated incidents. In the last year alone, multiple cases have come to light: notably Bank of Ireland, which lost personal data on more than 30,000 life assurance customers; the Office of the Comptroller and Auditor General, which lost information on 380,000 social welfare recipients; and Airtricity which posted the financial details of 1,200 customers on its website for six weeks.

Why have Irish organisations been so slipshod with the information we have entrusted to them? One problem is that the bodies that hold the data suffer little direct damage if the data is lost - it is the individual, not the company, who suffers the harm. Consequently, there is little financial incentive for them to take adequate measures to protect our data.

This is compounded by a lack of transparency. Under Irish law, there is no express obligation for a company that has lost customer data to notify anyone - neither the customer nor the Data Protection Commissioner.

The result is that organisations try to cover up data breaches to save face. Consequently, if your details are leaked, it is entirely possible that the first you will know of it is when you discover that your fraudulent alter ego has enjoyed a spending spree on your credit card or run up huge debts in your name. By then, it’s too late.
More from the Digital Rights Ireland perspective here. What Irish bloggers have been saying about the Bord Gais scandal here.

Thursday, June 18, 2009

The Music Industry v. ISPs - Round 2

After their inconclusive action against Eircom, this time the music industry is suing UPC and BT. Proceedings were issued on Tuesday according to the (stupidly not hot-linkable) search facility on courts.ie. Expect the cat to be put among the pigeons shortly.

I believe that litigation demanding that ISPs monitor what their users do and/or disconnect users based on three unproven allegations is unjustified - for the reasons why, see the Digital Rights Ireland site in relation to user monitoring and three strikes.

Digital Britain and the Internet Watch Foundation

The long awaited Digital Britain Report (pdf) has stirred up a great deal of comment - particularly in relation to filesharing - though little of it complimentary. (E.g. Andrés Guadamuz | Chris Marsden | Lilian Edwards | The Register.)

But one aspect of the report which has received less attention (with the notable exception of the Register) is its discussion of the Internet Watch Foundation (pp. 202-203). This is relatively short so it's worth posting in full:
Criminal Material on the Internet

64. The Internet Watch Foundation, based in Cambridge and with just 15 employees, is tasked with minimising the availability of criminal content – specifically, child sexual abuse content hosted anywhere in the world and criminally obscene and incitement to racial hatred content hosted in the UK. It works with law enforcement agencies worldwide and operates a "notice and take down" procedure in relation to content on UK sites and a list of international child abuse sites that ISPs can block at the network level. The vast majority of UK networks use this list and discussions are under way to ensure that relevant consumer networks are comprehensively covered.

65. As a result of the partnership approach adopted by the IWF, less than 1% of child sexual abuse content, known to the IWF, has been hosted in the UK since 2003, down from 18% in 1997. The IWF’s work remains invaluable to every part of the value chain in the UK’s Internet industry. And, in a world of universal availability, increasing take-up and enhanced services on the network the work of the IWF will become more and more important.

66. IWF’s current income includes a contribution from the EU Safer Internet Action Plan with the bulk being derived from voluntary membership subscriptions. Its current income equates to some £1m per annum. This voluntary structure means that there is no certainty that the level of funding received now from the EU or from its membership will continue at this level in the future. In the current economic climate a voluntary funding base carries with it increased uncertainty over funding. Whereas having secure funding would allow the IWF to consider expanding its internal skill base, especially with regard to hiring additional technical expertise and raising greater awareness amongst Internet users about their role and remit. The IWF model of self-regulation is a success and is admired internationally, but if the regulation of criminal content is not adequately funded by industry, Government would need to consider statutory intervention. We therefore call on the IWF membership to propose a more secure funding model for the future.

67. The IWF has also been a model for international hotlines for reporting child abuse material, especially across the EU. Some operators already use its list of illegal sites internationally. Since most child abuse material originates outside the EU, there is a case for its operations to cover at least the whole of the EU. We will therefore explore with the IWF and the European Commission the scope for a pan-European model with commensurate funding.
What to make of this discussion? First, it's noticeably uncritical. For example, the claim that the "IWF model ... is a success and is admired internationally" simply ignores the criticisms that have been voiced of the IWF model by observers such as Lilian Edwards, Frank Fisher, Richard Clayton (pdf) and others.

In part, this flows from a second problem with the report - it doesn't differentiate between the role of the IWF in dealing with illegal material hosted in the UK (which is generally regarded as successful) and its role in providing a blacklist against which ISPs can/must filter (a much more controversial and ineffective endeavour). By conflating the two it attempts to use the success of the hosting remit to justify expansion of the very different filtering remit.

Third, the report - by referring to exploring "a pan-European model" - appears to be unaware of the fact that there are already proposals at an EU level for internet filtering. In fact, far from exporting the IWF model to Europe those proposals - by requiring the involvement of "judicial or police authorities" and "adequate safeguards ... to ensure that the blocking is limited to what is necessary, that users are informed of the reason for the blocking and that content providers are informed of the possibility of challenging it" - would if adopted require the IWF model to be entirely rebuilt.

Overall, therefore, the report's analysis of the IWF is quite flawed - undermining the recommendations it makes in respect of funding. It will be interesting to see how IWF members respond.

Incidentally, it's also been a busy week elsewhere in Europe in relation to internet filtering as proposed German legislation to require blocking of child pornography appears to be agreed between the main parties.

Monday, June 15, 2009

A must see - Tony Bunyan comes to Dublin

Tony Bunyan is one of the stalwarts of the civil liberties movement in the UK and Europe. As a journalist, writer and founder of Statewatch he's been at the very forefront of monitoring what governments and the European Union have been doing in our name (but without our knowledge). The Irish Council for Civil Liberties is bringing him to Dublin next Saturday (20th June) to talk about his new report, "The Shape of Things to Come" - and I can't recommend this event highly enough to anyone interested in law, technology and civil liberties. It will be held in The Blue Room, Law Society of Ireland, Blackhall Place, Dublin 7 (map) at 3.30pm. The talk is free but spaces are limited so if you'd like to go, contact Joanne Garvey (Tel: 01-7994504 or E-mail: info@iccl.ie) to ensure a place.

Update: The Irish Times has a report from the talk.

Monday, June 08, 2009

Surveillance Bill "will fail to tackle gangs"

John O'Brien - a former Detective Chief Superintendent - has an interesting opinion piece in the Irish Times arguing that the Surveillance Bill is likely to be inadequate. Here's an excerpt where he summarises his objections:
1. It adopts a generalist approach by seeking to apply this law to the entire population and not directly to criminal organisations as defined in the Criminal Justice Act 2006.

2. The threats emanate from specific and defined sources, criminal gangs and subversive organisations. The threats do not emanate from the population as a whole and arguably the population as a whole should not be subjected to these measures.

3. The definition of surveillance data is far too wide.

4. It can be construed to include all surveillance activity, including intelligence and evidential material.

5. The material received from foreign agencies could be disclosable and electronic devices fitted by them to assist Irish authorities could be rendered inadmissible.

6. There may be a loss of confidence at international level in the Irish systems which may inhibit the flow of intelligence and subsequently of evidence.

7. The rules on disclosure are unclear.

8. It is not clear if telephones and electronic mail are covered. Some of the measures may have the effect of neutralising current surveillance practices, particularly in relation to telephone intercepts and electronic mail.

9. Placing authorisations at the District Court level is unnecessarily indulgent and it exposes a greater number to possible threats from the criminal elements.

10. The authorisation process is rigid at the operational level and lacks operational reality.

11. The rules on privilege are also unclear.

12. Surveillance officers may be compromised in terms of personal safety and their identities may become known to the criminal gangs.

13. Their operational effectiveness may be impaired and, of course, they will spend much more time dealing with bureaucracy.

14. It is not clear whether individual surveillance actions will have to be authorised on a piecemeal basis and the thrust of the Bill seems to suggest that approach. This would hamstring fast flowing dynamic operations.

15. The Bill seems to miss the point that surveillance activity is, by its very definition, a secret activity and its efficiency depends on the practitioners maintaining a high level of security for their own safety and that of others.

Tuesday, June 02, 2009

Computers, Freedom & Privacy 2009

I'm lucky enough to be at Computers Freedom & Privacy 2009, which has just started in George Washington University with an opening talk from Susan Crawford. She's been appointed as Special Assistant to the President for Science, Technology, and Innovation Policy, and her talk (and the hosting of CFP in Washington this year) reflects a buzz of excitement here about the new administration and the possibility for change in technology and privacy policy.

Video of most of the conference proceedings is being streamed live online. There's also a twitter feed at #cfp09 and an event blog.