Saturday, January 29, 2011

The ISPAI are looking for a legal intern

This looks like an interesting job for a newly-minted law graduate:
ISPAI – The Internet Service Providers Association of Ireland Limited

ISPAI is the Industry Association that represents businesses operating in Ireland that provide publicly available Internet infrastructural and electronic services to customers both in Ireland and abroad. The Association deals with regulatory and legal issues which potentially impact the ISP business environment and affect all our members (see: www.ispai.ie). As part of this, ISPAI coordinates ISP industry self-regulation, administers the industry code of practice and ethics and runs the Hotline.ie service which supports ISPAI members to comply with Irish/EU law to respond to notices of illegal content and to assist international cooperation in this area.

ISPAI offers an intern opportunity for a post-graduate legal student who has a specific interest in the area of telecommunications and digital media law. This is a highly dynamic area with many new initiatives emerging as legislators, law enforcement and various lobbying groups realise the ubiquitous nature of the Internet and its role in shaping modern society. This is a unique opportunity to gain experience and to work with leading companies in the industry. It is strongly recommended for those intending to practise in this area.

It is intended that the selected Intern will follow proposed measures, draft legislation and other issues potentially affecting the ISP industry which are being developed at EU and national level. They will be expected to liaise with the EuroISPA secretariat in Brussels (see: www.euroispa.org) and ISP organisations. The internship will entail European travel to selected meetings or conferences.

The Intern will be expected to undertake research on the issues they will be assigned to monitor and write briefings for the internal information of ISPAI secretariat and members. They will also work closely with ISPAI staff to promote our views through our websites and develop press releases.

The internship will be of at least 9 months duration. It will be based in our offices located opposite the Sandyford Luas station in South Dublin. Working within the small ISPAI team, the Intern will report to the ISPAI General Manager. They will be expected to work at least three days per week. The position offers good opportunities for self-development and interaction with international counterparts.

The successful applicant must demonstrate:

• A reasonable knowledge of using various Internet services (web, peer to peer, etc.) and methods used in web-based services and be proficient using Microsoft Office products such as Word, PowerPoint and Excel.
• Familiarity with the legal issues surrounding the internet in Ireland, such as the E-Commerce Directive, online defamation and/or "three strikes" and similar systems. The successful applicant must have a law degree and is likely to have taken at least one module covering related issues.
• Good verbal, presentation and writing skills which are essential. Proficiency in a major European language in addition to English would be an advantage.
• A diligent and accurate approach to completing tasks and an ability to work to deadlines with minimal supervision.

Training on technical principles of Internet communications and digital content distribution will be given. Please note: this internship will involve possible exposure to information relating to assessments of potentially illegal pornographic imagery and other content, within the context of ISPAI Hotline.ie operations. This is indemnified under strict procedures agreed with Government and overseen by the Department of Justice and Law Reform, Office for Internet Safety (www.internetsafety.ie) and approved by An Garda Síochána.

Expenses will be given for travel, accommodation and subsistence for approved work-related activities outside the office and a nominal stipend will be available.

Please provide by email to legalintern2011@ispai.ie, your CV and a covering letter of no more than one A4 page explaining why you should be awarded the Internship.

Closing date for applications: Tuesday 15th February 2011.

Saturday, January 22, 2011

Finance Bill taxes internet betting sites - will this lead to blocking of offshore sites?

In my last post I looked at the possible implications of the Finance Bill for Irish computer crime and data protection laws. I missed, however, another important aspect of the Bill, which is that it will extend betting duty to internet betting sites. (In my defence, I didn't read all 223 pages of the Bill and don't plan to do so any time soon. The relevant provision is s.46, at p.186.)

According to the Taoiseach, this extension of duty will be matched by a new requirement that offshore providers obtain a licence to offer their services in Ireland:
The Government will introduce legislation to ensure that overseas betting providers comply with a licensing regime that will permit them to sell their products into our jurisdiction.
So what happens if the offshore providers decide not to play ball? It might not be a coincidence that the Department of Justice has been considering the introduction of internet filtering for some time now - and officials in the Department's Gaming Control section have been taking part in this discussion (PDF released under FOI - see item 49). I can't help but suspect that there will be calls for ISPs to block access to offshore sites which don't pay this new tax - and there have been some European developments in this direction already.

Watch this space.

Friday, January 21, 2011

Finance Bill 2011 - impact on Irish data protection and computer crime law

I'm indebted to Rossa McMahon and Daragh O'Brien for pointing out (via Twitter) two interesting provisions in the Finance Bill 2011 (PDF).

Section 71 creates a new revenue offence of possessing or using computer tools for the purpose of evading tax:
71.—Section 1078 of the Principal Act is amended in subsection (2), by inserting the following after paragraph (b): "(ba) knowingly or wilfully possesses or uses, for the purpose of evading tax, a computer programme or electronic component which modifies, corrects, deletes, cancels, conceals or otherwise alters any record stored or preserved by means of any electronic device without preserving the original data and its subsequent modification, correction, cancellation, concealment or alteration,
(bb) provides or makes available, for the purpose of evading tax, a computer programme or electronic component which modifies, corrects, deletes, cancels, conceals or otherwise alters any record stored or preserved by means of any electronic device without preserving the original data and its subsequent modification, correction, cancellation, concealment or alteration,".
This would appear to cover a wide range of software and hardware, including encryption and steganography software and secure deletion tools. (Though not the encryption of the Anglo files, unless it could be shown that those files were encrypted for the purpose of evading tax.)

Section 73, meanwhile, creates what is in effect a parallel data protection system for the Revenue. Although too long to quote in full, an interesting aspect is that it creates a new offence of unauthorised disclosure of information:
(2) All taxpayer information held by the Revenue Commissioners or a Revenue officer is confidential and may only be disclosed in accordance with this section or as is otherwise provided for by any other statutory provision.

(3) Except as authorised by this section, any Revenue officer who knowingly—
(a) provides to any person any taxpayer information,
(b) allows to be provided to any person any taxpayer information,
(c) allows any person to have access to any taxpayer information, or
(d) uses any taxpayer information otherwise than in the course of administering or enforcing the Acts,

shall be guilty of an offence and shall be liable —
(i) on summary conviction to a fine of €3,000, and
(ii) on conviction on indictment to a fine of €10,000.
I wonder whether this amendment may have been prompted by the publicity attached to these recent examples of wrongdoing by Revenue staff.

Wednesday, January 19, 2011

Cloud computing complications costing Celtic companies

The lack of an appropriate regulatory environment, standard due-diligence checklists, and standard SLAs are an economic barrier to vibrant young technology companies providing cloud-based technology solutions to enterprises that need a greater level of protection than is currently on offer. The costs of developing such offerings and dealing with due-diligence queries and contract negotiations may be beyond the financial resources of a start-up.

Professional service providers who wish to avail of the efficiencies of cloud services may decide that they are not equipped to conduct due diligence or agree SLAs without the help of specialist consultants. This is an impediment to Irish businesses reducing their costs and increasing their competitiveness through the adoption of cloud technologies.
Reamonn Smith (solicitor and member of the Law Society's Technology Committee) argues for "a clearer regulatory and legal environment" in relation to cloud computing in the Law Society Gazette (PDF, p.24).

Friday, January 14, 2011

Data breach notification - ENISA study released

ENISA - the European Network and Information Security Agency - has just published a study (PDF) on data breach notification. The research was carried out as part of the process of implementing the notification requirement in the revised e-Privacy Directive, and aims to develop consistent guidelines throughout Europe for the technical and procedural issues surrounding breach notification. Some highlights from the summary (text in [brackets] is my own interlineation):
[Views of telecoms operators]

The telecommunications sector recognises that data breach notifications have an important role in the overall framework of data protection and privacy. Nevertheless, operators are seeking support and guidance on an EU and local level over a number of issues, which if clarified, would better enable European service providers to comply effectively with data breach notification requirements. Key concerns raised by telecom operators include the following:

● Risk prioritisation – The seriousness of a breach should determine the level of response. In order to prevent ‘notification fatigue’ for both the operator and the data subjects, breaches should be categorised according to specific risk levels.

● Communication channels – Operators want assurances that notification requirements will not negatively impact their brands. It is important for operators to maintain control of communications with relevant data subjects, as much as possible, to ensure that operators can effectively manage any impact on brand perception brought about by the data breach and subsequent notification.

[If operators want to avoid negative impact on their brands it might be more productive to avoid data breaches in the first place.]

● Support – In preparation for mandatory notification requirements, operators are looking for support in terms of guidance on procedures. In particular, guidance should provide a methodology for categorising types of private data and combinations of private data, as well as how to proceed with notifications based on the level of risk attributed to each breach.

[Views of Data Protection Authorities]
Data protection authorities (DPAs) take varied approaches to enforcing data protection and privacy. Some follow EC Directives closely, while others take on additional responsibilities beyond those outlined in the Directives. Although there are exceptions, the majority of DPAs surveyed in this study support mandatory notifications for telecom operators. Those that did not support mandatory notifications mostly indicated that budgetary limitations were a key factor in influencing their opinion. As notifications are not yet mandatory in most countries, regulatory authorities have little experience in handling notifications. Since regulatory authorities have a number of responsibilities, there are concerns that additional duties must not interfere with pre-existing responsibilities. Notifications are not viewed as a number one priority for most authorities. A smooth transition to mandatory notifications will consequently depend on a resolution to a number of factors, outlined here:

● Resources – Budgetary allocations for regulatory authorities should reflect new regulatory responsibilities. Concern has been raised that resources at some regulatory authorities are already occupied with other priorities. Bandwidth for additional responsibilities is limited.

● Enforcement – DPAs indicated that sanctioning authority enables them to better enforce regulations. Data controllers will be less incentivised to comply with regulations if regulatory authorities do not have sufficient sanctioning powers. Some authorities indicated that financial penalties are seen as the most effective tool for pressuring data controllers to comply, while others indicated that public criticism and black lists could be effective too.

● Relevant authorities – Local legislation will determine who the relevant authority is for regulating data breach notifications in the telecommunications sector, when mandatory notification requirements are transposed into local legislation. Although many data protection authorities indicated they are communicating effectively with other authorities already, it is important for legislation to clearly delineate relevant responsibilities, in order to mitigate or prevent potential conflicts.

● Technical expertise – In some cases, businesses have a high level of technical sophistication, which allows them potentially to conceal valuable information regarding breaches from regulatory authorities, which do not have comparable resources and expertise. Hiring new staff with relevant expertise is important in order for regulatory authorities to remain effective.

● Awareness raising – A high public profile is an important element in demonstrating the influence of regulatory authorities. A common strategy in communicating the importance of data protection to the public could be useful in better educating data subjects about their privacy rights, and the role of notifications in the overall framework of data protection.

[Areas of conflict]
Smooth implementation of data breach notification procedures requires close cooperation between data controllers at the service providers and the relevant regulatory authorities. While most operators and regulatory bodies surveyed recognise the importance of notifications, there are a number of issues where interests of the parties involved might conflict.

● Undue delay – Regulatory authorities want to see a short deadline for reporting breaches to authorities and data subjects, in order to prevent controllers from concealing evidence and also to give data subjects ample time to protect themselves. Service providers, however, want their resources to be focused on identifying if the problem is serious and solving the problem, instead of spending time reporting details, often prematurely, to regulatory authorities.

[This is an important point which is sometimes overlooked. In some breaches - such as those of credit card details - it will be essential that individuals be notified immediately so that they can e.g. cancel cards. Other breaches - such as those of healthcare information - may be just as serious but aren't likely to be as time sensitive. However, the fact that the affected individuals may not need to be notified immediately must not become an excuse for failure to notify the relevant DPA as soon as possible.]

● Traffic monitoring – Private data belonging to employees or customers running over a corporate network remain a challenging issue for both regulatory authorities and operators. Telecom operators are often requested to monitor and analyse traffic data on behalf of their customers, particularly in cases where companies want to monitor the actions of their employees. In this context, regulatory authorities see traffic monitoring as a privacy risk, due to the fact that employers may be exchanging private information on the corporate network, to which the employers would then have access.

● Content of notifications – The content of the notifications can have a direct impact on customer relations and retention. Operators want to make sure that the content of the notifications does not impact negatively on customer relations. Regulatory authorities, however, want to see that the notifications provide the necessary information and guidance in line with the rights of the data subjects.

● Audits – One service provider indicated that it performed its own security audits internally, with the aim of detecting and solving any potential vulnerabilities that could result in data breaches. The operator believed that its internal expertise was sufficient to ensure it was using the latest techniques for securing data and compliance with regulations, suggesting its expertise surpassed that of the national regulatory authorities. Regulatory authorities, however, indicated that their ability to perform audits and spot checks provides the authority necessary to enforce compliance.

[Extension of notification to other sectors]
While the recent telecoms reforms make notifications mandatory for telecom operators, there remains ongoing debate about extending mandatory notifications to other sectors.

● Telecommunications operators: In comparison to other sectors, regulatory authorities indicated that telecommunications operators ranked high in terms of their security measures and ability to limit data breaches.

Telecom operators have at their disposal some of the top networking, communications and security experts. But this is true mostly for the larger operators. Smaller alternative operators and local ISPs do not necessarily have resources comparable to the large international companies and incumbent operators.

● Finance sector: Finance institutions are considered to be at great risk, due to the sensitive nature of the data they possess. Nonetheless, financial institutions are already subject to regulations across Europe, with regulations being enforced by various bodies, including central banks. Consequently, extending data breach requirements to financial institutions would require careful coordination with other responsible authorities, which may already require incidents of data breaches to be reported.

● Healthcare: Data protection authorities regularly pointed to the healthcare sector as an area of high risk. Due to the large amount of very sensitive private data stored on doctors’ and nurses’ laptops, which are often unencrypted, there is high risk for exposure or leaks.

● Small businesses: Small businesses pose a major challenge. Collectively, they have a lot of personal data, but individually they do not have resources or know-how to secure their data. Due to the sheer number of small businesses, regulation would prove challenging. Educating and making businesses aware would require significant efforts and resources. As more and more small businesses develop online strategies, the risk for exposure is increasing.

Thursday, January 13, 2011

Job opportunity: Privacy and surveillance

I received a very interesting job opportunity in my inbox this morning, which might be of interest to some readers of this blog:
Senior Research Analyst

Trilateral Research & Consulting, a London-based consultancy, specialising in research and the provision of strategic, policy and regulatory advice on new technologies, privacy, trust, surveillance, risk and security issues is seeking to engage a Senior Research Analyst to work on one or more new projects. Specific duties of the position include:

  • Performing research work related to current projects, writing reports or sections of reports and developing other deliverables as required to fulfil contractual obligations.
  • Researching and writing content for grant proposals and tender submissions.
  • Writing content for peer-reviewed journal articles and book chapters, as part of projects, or as an outgrowth from projects.
  • Attending and/or presenting at some project-related meetings, involving some level of travel outside the UK.

Preferred candidates will be based in the UK, will have English as their native language and will have recently completed a PhD in an area of study related to security, privacy, data protection, surveillance or a related field.

Contact:
David Wright
Managing Partner
Trilateral Research & Consulting
www.trilateralresearch.com
david.wright@trilateralresearch.com

or

Kush Wadhwa
Senior Partner
Kush.wadhwa@trilateralresearch.com

Monday, January 10, 2011

Protecting a .ie domain: hacking, hijacking and heedlessness

On a previous post a commenter left an interesting question about protecting .ie domains which I thought merited a post in response. First the question:
I am MD of a company which is hiring a growing number of staff. The security of these jobs is pinned on our continued ownership and control of our .ie domain as this is where the sales come from. But I didn't get a deed or any other legal document for my domain. Can you suggest any additional precautions a company can take to protect a registered .ie domain (apart from making sure to pay the ongoing registration fee)?
This sensible question reminded me that too few Irish businesses have considered the need to protect their domain name - which is often one of their most important assets. In fact, recent comments from the IEDR confirm that many forget even the most basic element of renewing their name on time.

To some extent the risks are less with .ie domains than with e.g. .com domains. As a managed registry with a restrictive registration policy, the .ie namespace makes it more difficult to carry out some of the practices that are common in other TLDs, such as the automatic registration of (accidentally) expiring domains. Nevertheless, there are still numerous risks which domain owners should be aware of, which we can summarise under the headings hacking, hijacking and heedlessness.

Hacking

The first risk is that of hacking - that an attacker may gain control of the domain by technical or social engineering means. The most famous example is the Sex.com case (Wikipedia link) in which an attacker used forged documents to persuade Network Solutions to transfer the domain to him, from its rightful registrant. More recently, P2P.com was stolen (the attacker having compromised the email account on file with the registrar) leading to what may be the first criminal conviction for domain name theft.

While there's little a registrant can do about fraud which takes place at the registrar level (as in the Sex.com case), other risks can be mitigated by making sure that the computers used to administer the domain name - and in particular the associated email account - are secure. Where a domain name is inactive, it will also be important to have some system in place to periodically monitor the registration details to detect any possible fraud.

Hijacking

The second risk is that of reverse domain name hijacking ("RDNH") where "trademark owners abusively assert their trademark rights to strip domain names from rightful owners". Brett Lewis has a particularly good description of the process:
It is a phenomenon that is all too common: small company registers dictionary word domain name. Big company wants domain name. Big company files UDRP, hoping to intimidate and outspend domain name away from small company. Panelist awards domain name to big company, often without opposition from small company. Small company fumes about unfairness of domain name dispute resolution process and of life in general.
How great a risk is this for .ie domain holders?

On the one hand, the .ie Dispute Resolution Policy might almost be tailor-made to encourage RDNH, being even more skewed towards rightsholders than the UDRP on which it is based. (In fact, the .ie Rules of Procedure, unlike the UDRP Rules, do not even mention RDNH. Compare Art. 14 of the .ie Rules with Art. 15 of the UDRP Rules.)

Against that, however, decisions under the IEDRP don't seem to show any evidence that RDNH has been attempted for .ie domains - or that it would be successful if it were. Instead, panelists appointed under the .ie DRP appear to have been more balanced in their decisions than many UDRP panelists. If anything, a number of decisions (1|2|3) show a slight leaning toward registrants as against complainants in borderline cases.

Reverse domain name hijacking of .ie domains is therefore probably not as great a risk as it is in other TLDs. Nevertheless, it would be foolish not to take the necessary steps to mitigate it: domain owners (particularly where a domain is generic or where they don't hold a trademark corresponding to the domain) should consider in advance how they would respond if a complaint were filed against them under the IEDRP.

Heedlessness

The final significant threat, heedlessness, comes in two flavours. The first - forgetting to renew a domain name - is surprisingly common but easily avoided. To take a belt and braces approach: ensure that the email address on file with the registrar is active, ensure that emails from the registrar can get through your spam filter, enable auto-renew where possible, check that the relevant credit card hasn't expired and diary renewal dates.

The second - heedlessness as to who actually owns or controls the name in the first place - is again surprisingly common. Typically a small business may hire a web developer to register a domain name and create an online presence, not realising that the domain name is registered in the developer's name rather than the business name. (This is less likely in a managed namespace such as .ie, but can still happen.) In this situation, the business may abruptly find out that they were never the registered owner of the domain name. If you are worried that you might be in this position, this excellent guide will explain how to go about checking ownership of a .ie domain.
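The monitoring this post recommends (periodically checking the registration details for tampering under Hacking, diarying renewal dates under Heedlessness, and confirming that the business rather than its web developer is the registrant), as an added example that is not code from the original post or from the IEDR. It assumes a key: value record of the kind a whois lookup returns; the sample records are constructed and example.ie is a placeholder domain.

```python
# Added example (not from the original post or the IEDR): periodic check of a
# .ie registration record for tampering, looming expiry and a registrant that
# is not the business. The key: value format and samples are constructed;
# example.ie is a placeholder domain.
from datetime import datetime

# Fields whose unexplained change suggests the registration has been tampered with
WATCHED_FIELDS = ("registrant", "admin email", "registrar", "nameserver")

def parse_record(text):
    """Parse 'key: value' lines into a dict; '%' comments skipped, nameservers sorted."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "nameserver":  # repeated key: collect so ordering differences are ignored
            record.setdefault(key, []).append(value.lower())
        else:
            record[key] = value
    if "nameserver" in record:
        record["nameserver"].sort()
    return record

def diff_records(baseline, current):
    """Return (field, old, new) for every watched field that differs."""
    return [(f, baseline.get(f), current.get(f))
            for f in WATCHED_FIELDS if baseline.get(f) != current.get(f)]

def days_until_expiry(record, today):
    """Days from today (ISO date string) until the renewal date; negative once passed."""
    renewal = datetime.strptime(record["renewal date"], "%Y-%m-%d")
    return (renewal - datetime.strptime(today, "%Y-%m-%d")).days

def check_domain(baseline_text, current_text, today, expected_registrant=None, warn_days=30):
    """Compare a fresh lookup with the stored baseline; return a list of alert strings."""
    baseline, current = parse_record(baseline_text), parse_record(current_text)
    alerts = []
    if expected_registrant and current.get("registrant") != expected_registrant:
        alerts.append(f"registrant is {current.get('registrant')!r}, not {expected_registrant!r}")
    for field, old, new in diff_records(baseline, current):
        alerts.append(f"{field} changed: {old!r} -> {new!r}")
    remaining = days_until_expiry(current, today)
    if remaining < 0:
        alerts.append(f"domain expired {-remaining} days ago")
    elif remaining <= warn_days:
        alerts.append(f"renewal due in {remaining} days")
    return alerts

# Constructed samples: the record saved at registration time and a later lookup
BASELINE = """\
% constructed sample
domain: example.ie
registrant: Example Trading Limited
admin email: admin@example.ie
registrar: Example Registrar Ltd
nameserver: ns1.example.net
nameserver: ns2.example.net
renewal date: 2011-03-01
"""

CURRENT_LOOKUP = """\
% constructed sample: the admin contact has been changed to an outside address
domain: example.ie
registrant: Example Trading Limited
admin email: webmaster@outside.example
registrar: Example Registrar Ltd
nameserver: ns2.example.net
nameserver: ns1.example.net
renewal date: 2011-03-01
"""

if __name__ == "__main__":
    for alert in check_domain(BASELINE, CURRENT_LOOKUP, "2011-02-10",
                              expected_registrant="Example Trading Limited"):
        print("ALERT:", alert)
```

Run it from a scheduled job against a stored baseline and route any non-empty alert list to an inbox that is actually read, since the registrar's own renewal reminders may be the very emails a spam filter swallows.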