Thursday, November 19, 2009

Telenor Pirate Bay blocking decision - English translation

In an important (but surprisingly poorly publicised) decision two weeks ago a Norwegian court dealt a blow to music industry attempts to force ISPs to police their users, holding that Telenor was under no obligation to block access to The Pirate Bay. An English translation of that decision is now available (PDF link) and makes interesting reading. One particularly significant portion of the ruling stresses that it is not appropriate to assign a censorship function to private entities, and that if filtering is to be required then legislation would be necessary:
If the plaintiffs' claim is heard, this will, in the court's view, give a situation difficult to handle in practice. Reference is made to the fact that the content on The Pirate Bay, and also other websites, can be changed and is in fact constantly being changed. The court further states that Telenor as an Internet provider does not have a duty to monitor or investigate what Internet is used for, so that the Internet providers must be notified of alleged illegal actions. Thus, Telenor and other Internet providers, as private companies, must assess whether or not to stop a relevant website or service. This task normally belongs to public authorities, and the court finds that in the present situation, it is unnatural to assign such responsibility to private companies. If this solution is to be chosen, a closer study will be required. As we have been informed, the Ministry of Culture and Church Affairs has already initiated a legislation process on these matters.

Saturday, November 14, 2009

BT Ireland caves in on "three strikes" demands?

According to today's Irish Times the music industry's litigation against BT Ireland has been settled. Terms of the agreement weren't revealed, but my assumption would be that BT have agreed to implement a three strikes system for disconnecting users accused of filesharing, following the Eircom model. Surprisingly however there hasn't yet been a press release from IRMA or BT. Does anyone have more information?

Edited to add: Thanks to the anonymous commenter for pointing out that this simply follows BT's deal to move its consumer division to Vodafone.

Sunday, November 08, 2009

Irish law on hacking tools / dual-use software

In my last post I mentioned the iPhone dessid app which generates WEP keys from the SSIDs of Eircom routers - making life easier for individuals who wish to piggyback on the wifi of others.

What are the legal issues associated with using or providing this app? Unsurprisingly media coverage of the software has reported that unauthorised access to wifi may constitute a criminal offence, something Eoin O'Dell has previously teased out in a series of posts (1|2|3).

A more difficult question however - and one which hasn't yet been considered - is whether simply providing the app might itself constitute a criminal offence.

So-called hacking tools have been specifically criminalised in some jurisdictions. In the UK, for example, section 37 of the Police and Justice Act 2006 (which was eventually brought into force in October 2008) amended the Computer Misuse Act 1990 to create a new offence of making, supplying or obtaining articles for use in computer misuse offences - an offence which would be committed where a person supplies a program "intending it to be used" or "believing that it is likely to be used" in an unauthorised access offence.

That offence is wide enough to capture dual-use tools - programs such as this one which have legitimate as well as criminal uses - and consequently the Crown Prosecution Service has issued guidelines to prosecutors in relation to when prosecutions should be brought, looking at factors such as whether software is "available on a wide scale commercial basis and sold through legitimate channels", is "widely used for legitimate purposes", is "circulated to a closed and vetted list of IT security professionals or [is] posted openly" or has been "developed primarily, deliberately and for the sole purpose of committing" an offence.

Unsatisfactory though the UK law and guidance might be (a point made by, amongst others, Richard Clayton) it does at least attempt to legislate specifically for computer crime. Irish law on the other hand has no offence specifically tailored for this situation, leaving us to wonder whether new situations might be forced within the confines of old offences. I wrote about this point recently for Reich (ed.), Cybercrime and Security, and here's a short excerpt:
While Irish law does not specifically deal with these matters, it may be possible to prosecute in individual cases using section 4 of the Criminal Damage Act 1991. That section provides:
“A person (in this section referred to as the possessor) who has any thing in his custody or under his control intending without lawful excuse to use it or cause or permit another to use it— (a) to damage any property belonging to some other person … shall be guilty of an offence.”
Bearing in mind that the definition of property under the 1991 Act includes data, this section would seem to be wide enough to criminalise possession of e.g. a virus or Trojan horse where accompanied by an intention to damage property. It should, however, be noted that this section does not criminalise creation, possession, sale or distribution per se – in every case it must be shown that the defendant had an intention to use the item to damage property. This appears to create two related problems for prosecutors. From an evidential point of view it is likely that they will face a difficulty in demonstrating that an accused person had the necessary intention. Moreover, the intention which must be shown is an intention to damage property – a mere intention to carry out an unauthorised access would not suffice. If, for example, A were found to be in possession of a username and password belonging to B, this would not be an offence under section 4 if A’s intention was merely to view B’s data.

Applying this analysis to the dessid app, it seems to me unlikely that distributing this or similar software would be an offence under section 4. First, that section requires an intention to cause or permit a person to use it to commit an offence. Mere foresight that an offence might be committed would not seem to be enough. Secondly, section 4 applies only to things to be used for the purpose of criminal damage - so that distribution of software for some other illegal purpose (such as unauthorised access) would not fall within its remit. (A further obstacle might lie in the narrow wording of section 4 - is software a "thing" within the meaning of that section?)

Friday, November 06, 2009

Unauthorised access? There's an app for that

APPLE IS benefiting from sales of a piece of software that provides free access to up to 250,000 home broadband networks without the owners’ knowledge.

The software for Apple iPhones, called “dessid”, which costs €1.59, exploits a flaw in the hardware Eircom provided to its broadband customers and which first came to light in September 2007.

The problem occurred because each Eircom customer’s wireless network broadcast a unique eight-digit code as its network name. The password was derived from these digits.

To my mind, the real issue behind this Irish Times story is not that you can buy an app which allows you to piggyback on the wifi of Eircom customers (there's a handy web page that will still work even if Apple pulls the program from the app store) - instead it's that Eircom have agreed to disconnect users accused of filesharing, despite knowing full well that their own wireless modems are insecure and that people will be wrongfully disconnected as a result.