Friday, February 19, 2010

Government departments not up in the clouds

After last week's story about the Department of Finance issuing warnings about the use of cloud computing, Sean Sherlock TD followed up by asking whether the warnings stemmed from any particular incident; whether government departments are already using cloud computing; and if so what safeguards are in place. The results are interesting: the Finance warnings don't appear to be the result of any mishap in central government as not one department is yet using cloud computing. (Though the Minister for Communications, Eamon Ryan, did say that his Department is actively promoting its use.)

Thursday, February 18, 2010

Alternative routes to identifying "anonymous" online users

David Robinson and Harlan Yu have posted a superb series of posts on Freedom to Tinker (1,2,3) about tactics which might be used to identify anonymous internet posters, even in cases where IP addresses might not have been logged by the site which hosts the comment. The key insight is that sites typically embed multiple external services (such as advertising, stats counters and video hosting) which may either individually or in combination enable the identity of particular users to be pinned down:
[P]laintiffs' lawyers in online defamation suits will typically issue a sequence of two "John Doe" subpoenas to try to unmask the identity of anonymous online speakers. The first subpoena goes to the website or content provider where the allegedly defamatory remarks were posted, and the second subpoena is sent to the speaker's ISP. Both entities—the content provider and the ISP—are natural targets for civil discovery. Their logs together will often contain enough information to trace the remarks back to the speaker's real identity. But when this isn't enough to identify the speaker, the discovery process traditionally fails.

Are plaintiffs in these cases out of luck? Not if their lawyers know where else to look.

There are numerous third party web services that may hold just enough clues to reidentify the speaker, even without the help of the content provider or the ISP. The vast majority of websites today depend on third parties to deliver valuable services that would otherwise be too expensive or time-consuming to develop in-house. Services such as online advertising, content distribution and web analytics are almost always handled by specialized servers from third party businesses. As such, a third party can embed its service into a wide variety of sites across the web, allowing it to track users across all the sites where it maintains a presence.
The traceability of any given site visitor will still depend on context: the number of third party services used by the site, the popularity of each third party service across the web, the types of identifying data that these parties collect and store, whether the speaker used any online anonymity tools, and many other site-specific factors.

Despite the variability in third party tracing capabilities, the nearly simultaneous connections to a few third party services means that the results of tracing can be combined. By sleuthing through information held in third party dossiers, logs and databases, plaintiffs in John Doe lawsuits will have many more discovery options than they had ever previously imagined.
Of course, these tactics are likely to be expensive. Also, in an Irish context the uncertainty as to whether a result will be achieved may mean that a court will be less willing to grant a Norwich Pharmacal order (which is a discretionary remedy (PDF) - not something which is available as of right). But nevertheless, the research is important - particularly as it illustrates that traditional methods of ensuring online anonymity (such as TOR routing) may be vulnerable to indirect attack.

Wednesday, February 10, 2010

Banned in Turkey: Turkish internet filtering and blocking

Banned in turkey

 Yaman Akdeniz has recently published a superb report for the OSCE on Turkey and Internet Censorship (press release | full text pdf).
Ironically, Yaman Akdeniz and his co-author Kerem Altıparmak have themselves been the subject of legal threats aiming to silence their criticism of Turkish internet censorship. Fortunately their book Restricted Access: A Critical Assessment of Internet Content Regulation and Censorship in Turkey (2008) is still available.

The image above is from Richard Dawkins' website, which has been blocked in Turkey since September 2008.

(Via Chris Marsden.)

Tuesday, February 09, 2010

Home Office terrorist material reporting site - some thoughts

The Home Office launched a new Directgov site last week, which "provides members of the public with information about what they can do if they come across violent extremist, terrorist and hate content online" (press release). The site takes reports and forwards them to a specialist unit within Association of Chief Police Officers (ACPO), which will take action if the material is illegal. Unsurprisingly there has been a good deal of media coverage (e.g. The Register | The Inquirer | BBC News).  So far, though, there doesn't seem to have been any assessment of how this fits into the broader matrix of internet regulation in the UK. This post asks what effect it might have.
Reducing the role of the IWF?

One of the more significant aspects of this story is that it appears to be the first time that the UK government has set up a specific site to which internet content can be reported. Until now, the government has effectively devolved that function to the Internet Watch Foundation (IWF). Although this is a private body, official policy has been to designate the IWF as the first port of call for online content. The Surrey Police website is typical:
If you come across offensive or illegal material, please DO NOT contact Surrey Police directly.
Instead, you can make a report on the Internet Watch Foundation (IWF) web site.
If they decide any action is needed, they will contact the ISP or the police, who can take appropriate action. (It's worth remembering that evidence of illegal or offensive material can be detected even after it has been deleted from a computer.)
The Internet Watch Foundation are qualified to judge the illegality of material and will report matters to the relevant police force. They are the only authorised organisation in the UK that provides an Internet hotline for the public to report their exposure to illegal content online.
Despite this, however, the IWF has never had a remit to receive complaints in relation to all illegal material online. For example, while there have been proposals from the Home Office that the IWF's remit should be extended to cover extremist websites, these have never come to fruition. Similarly, when the Terrorism Act 2006 created a system of notifying ISPs to take down terrorist material, that system bypassed the IWF entirely and required that notices be given via the police.

Consequently, the setting up of this site may be significant - does it indicate a trend which moves away from government reliance on the IWF and towards the use of separate (and public) reporting mechanisms?

Content control as a means of protecting vulnerable people?

The rhetoric used in announcing the site is also interesting. According to Lord West:
We want to protect people who may be vulnerable to violent extremist content and will seek to remove any unlawful material.
If this sounds familiar, that's because it echoes the justifications for introducing the Cleanfeed child abuse image blocking system and later for criminalising extreme pornography - in each case, a central component was the argument that harm would be caused to the viewer (by simply viewing the material, or by predisposing them to commit crimes). Is this approach - focusing on harm to the viewer - becoming more common in controlling content in the UK?

Using consumer pressure as a regulatory tool?

Quite apart from illegal content, the site also sets out to encourage users to challenge content which is  legal. According to Lord West:
This is also about empowering individuals to tell them how they can make a civic challenge against material that they find offensive, even if it is not illegal.

The internet is not a lawless forum and should reflect the legal and accepted boundaries of society.
Consequently, the site provides information on how to make complaints:
What you can do about online hate or violence that is not illegal

Most hateful or violent website content is not illegal. While you may come across a lot of things on the internet that offend you, very little of it is actually illegal.

UK laws are written to make sure that people can speak, and write, freely without being sent to prison for their views.

To be illegal, the content must match the descriptions at the top of this page.

Still, even if what you’ve seen does not seem to be illegal, you can take the steps below to have it removed if it upsets, scares or offends you.

Report it to the website administrator

Most websites have rules known as ‘acceptable use policies’ that set out what cannot be put on their website. Most do not allow comments, videos and photos that offend or hurt people...

If what you’ve seen is on a site with a good complaints system, you should report it to the website’s owners. Look out for their ‘contact us’ page, which should be clearly linked...

Report it to the hosting company

If the website itself is hateful or supports violence or terrorism let the website’s hosting company know. Hosting companies provide a place where the website sits, and often have rules about what they are willing to host.

Let the hosting company know they are hosting a website that breaks their rules, and ask them to stop.

You can find out which company hosts a website by entering their web address on the ‘Who is hosting this?’ website.
This approach - by encouraging community pressure to force ISPs to change their behaviour - matches policy in relation to blocking, where the Home Office has abandoned plans to legislate and has instead stated its intention to rely on public pressure instead:
For the first time the IWF will publish the list of ISPs who are certified as having implemented its blacklist. "Hopefully consumer and public pressure will encourage the ISPs who aren't on the list to comply," said Carr. A Home Office spokesman said: "We will continue to urge ISPs to implement blocking, and ask consumers to check with their suppliers that they have done so."
Does this mark the start of a trend towards greater use of consumer pressure by the UK government as a means of regulating what ISPs do?

Monday, February 08, 2010

Cloud computing complications

Not too long ago the Taoiseach and the Green Party were telling us that cloud computing is the way of the future for Irish business. Now it emerges that the Department of Finance has emailed government departments and public bodies warning about the risks of cloud computing. Is this a case (as some amused observers are saying) of the left hand not knowing what the right hand is doing? Or, as some sectors of the Irish technology industry are putting it, simple technical ignorance?
A Microsoft spokeswoman said that Ireland should "embrace the cloud across all aspects of public services".

"Microsoft’s software plus services offering provides enhanced security for data over and above what has traditionally been available for private and public organisations, and this is one of the primary reasons why so many public and private organisations across the globe are beginning to deploy solutions in the cloud."

Ed Byrne, general manager of Hosting 365, which provides cloud computing services, described the e-mail as "damaging" and showed a "lack of knowledge" of what the technology involves.

The technology is "mature and not nascent" said Philip Nolan, a partner in legal firm Mason Hayes + Curran. He said any contractual issues were surmountable, and he has large clients who use cloud computing for their core systems.
So are these criticisms justified? While it's understandable that providers might be defensive, these responses seem out of place given the very moderate tone of the original email, which is not a blanket ban on the use of cloud computing but simply a reminder to take legal advice before buying these services:
The Department of Finance has warned Government departments and public sector bodies that they should not purchase cloud computing services without obtaining legal advice.

The warning e-mail, which carries the subject "cloud computing warning", says that the Chief State Solicitor’s Office has "advised that issues such as data protection, confidentiality and security and liability are not necessarily dealt with in a manner that would be necessary for public sector responsibilities".
Far from being ignorant of the nature of cloud computing, this seems to show a good awareness of the challenges it can present. As Simon McGarr points out in today's Irish Times, unless properly thought out in advance cloud computing may result in the transfer of personal information outside the EU and in inadequate security measures being put in place by data processors. Suitable contracts can deal with these risks - but not all cloud computing providers (particularly those headquartered outside the EU) seem to be fully aware of their responsibilities under European data protection law, making detailed legal advice essential in all cases.

In addition, public sector storage of data presents further problems which are distinct from those faced in private sector use of cloud computing. For example, how will the public body ensure that data held in the cloud is available to meet a Freedom of Information Act request? How will departmental records held in the cloud be preserved and archived as required by the National Archives Act 1986? Will data in the cloud be sufficiently searchable as required by the Reuse of Public Sector Information Regulations? These and other complications make the advice from the Department of Finance seem eminently reasonable.

Update (27.02.10) - Microsoft's new secure cloud product for the US government shows some of the ways in which cloud computing products may have to be tailored for public sector use.

Friday, February 05, 2010

Please forgive the technical problems...

As you might have noticed, I'm changing the look and feel of the blog at the moment: something that requires migration from FTP to hosting with Google; updating the zone file for the domain; and all sorts of other technical shenanigans. Apologies in advance for the inevitable glitches. Normal service should be resumed shortly.