Monday, August 08, 2011

Data protection: subject access rights not affected by litigation

The Circuit Court recently gave a significant judgment in Dublin Bus v. Data Protection Commissioner, holding that subject access rights in Ireland are not affected by the fact that civil proceedings are contemplated or ongoing.

In this case Dublin Bus attempted to withhold CCTV footage of an accident from a subject access request, making a number of rather weak arguments which claimed alternatively that the footage was subject to legal professional privilege and/or that the access request constituted some form of interference by the DPC with pending litigation. In the Circuit Court, Judge Linnane gave short shrift to these claims, holding that the footage was not privileged, the Data Protection Acts did not contain any exemption in respect of contemplated or pending legal proceedings, and (unlike UK law) the Irish legislation does not permit the court any discretion as to whether to order access.

None of these rulings are surprising (it would have been very surprising indeed if the court had found otherwise) but it is nevertheless useful to have a decision confirming these points. I've placed a copy of the full judgment on Scribd in the hope that it might prove useful for other subject access requests: Dublin Bus v. Data Protection Commissioner

Wednesday, August 03, 2011

Site Blocking: What the UK Government would prefer you not to see

It's well known that internet blocking is easy to circumvent. Ofcom in today's report "Site Blocking" to reduce online copyright infringement admits as much, saying that:
For all blocking methods circumvention by site operators and internet users is technically possible and would be relatively straightforward by determined users. (p.5)
Despite this, however, one branch of the UK Government still appears determined to keep its head in the sand, and according to that report:
The Department for Culture, Media and Sport has redacted some parts of this document where it refers to techniques that could be used to circumvent website blocks.
Unfortunately, the technical competence of the DCMS appears to be somewhat limited, and the redaction was (ironically?) also easily circumvented, by measures as simple as copy/paste. Needless to say, a department which is unable to censor a single PDF does not exactly inspire confidence when it proposes to introduce blocking for the entire UK internet, and it is just as well that the UK government has today announced plans to abandon the blocking provisions of the Digital Economy Act.
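A pre-publication check for the failure described above, where "redacted" text is still carried in the file and so remains extractable. This is an added example, not code from the original post or from Ofcom or the DCMS; the function names and the sample content streams are constructed, and the scanner handles only literal strings in plain or Flate-compressed streams, so a real document needs a full PDF library.

```python
import re
import zlib

# Text-showing operators in a PDF content stream: (..) Tj and [(..) n (..)] TJ
SHOW_OP = re.compile(rb"(\[.*?\]\s*TJ|\((?:\\.|[^\\()])*\)\s*Tj)", re.S)
LITERAL = re.compile(rb"\(((?:\\.|[^\\()])*)\)", re.S)
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)


def decoded_streams(pdf: bytes):
    """Yield each stream body, inflated when it is Flate-compressed."""
    for match in STREAM.finditer(pdf):
        raw = match.group(1)
        try:
            # decompressobj ignores the end-of-line bytes after the data
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            yield raw  # not compressed: scan it as-is


def text_layer(pdf: bytes) -> str:
    """Return the text the file still carries, whatever is painted over it."""
    runs = []
    for stream in decoded_streams(pdf):
        for op in SHOW_OP.findall(stream):
            runs.append(b"".join(LITERAL.findall(op)))
    return b" ".join(runs).decode("latin-1")


def leaked_terms(pdf: bytes, redacted_terms):
    """List the terms meant to be redacted that are still extractable."""
    text = text_layer(pdf).lower()
    return [term for term in redacted_terms if term.lower() in text]


def make_sample(content: bytes) -> bytes:
    """Wrap a content stream in a constructed, minimal PDF-like object."""
    body = zlib.compress(content)
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n")


# Constructed samples: a black box drawn over text vs. the text removed.
COVERED = (b"BT /F1 12 Tf 72 700 Td (Public sentence.) Tj ET\n"
           b"BT /F1 12 Tf 72 680 Td [(SECRET) -20 ( PARAGRAPH)] TJ ET\n"
           b"0 g 70 676 200 16 re f\n")
REMOVED = (b"BT /F1 12 Tf 72 700 Td (Public sentence.) Tj ET\n"
           b"0 g 70 676 200 16 re f\n")

if __name__ == "__main__":
    print(leaked_terms(make_sample(COVERED), ["secret paragraph"]))
    print(leaked_terms(make_sample(REMOVED), ["secret paragraph"]))
```

An empty result only means this scanner found nothing; a release gate should also fail closed on streams it cannot decode.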

[Updated - 1.15pm]

The full, unredacted version now appears on Scribd. As can be seen from that document, the material which was redacted was all improperly removed. The tactics discussed to circumvent blocking are all well-known, even to a mere lawyer such as myself, and the redactions appear to be motivated more by considerations of security theatre than anything else. Ofcom Site Blocking Report With Redactions Removed

[Previously]

Here are the individual portions of the report which the DCMS attempted to quash. Text in italics was not redacted but appears for context:

pp.28-29
Robustness

Bypassing IP address blocking is technically straightforward for those who have an incentive to do so.
The blocked site operator may:

• change IP address but stay on the same network (i.e. on the same hosting provider);
• move to an entirely new network (to a previously unobserved IP address);
• offer encrypted network services which obscure the true network address/destination such as Virtual Private Networking;26,27 or
• server operators may institute a Fast Flux network (where users run software on behalf of blocked site which hides the true network address of the blocked site).

There are other methods available to site operators. When moving to a new IP address a site operator may register multiple IP addresses for a given site in order to maintain service in the event that some of those individual IP addresses are blocked. This approach has legitimate purposes also.28 Furthermore, by setting a low “Time to Live” (TTL) Domain Name System (DNS) record value, determining the length of time that the IP address for a particular domain (expressed in seconds) remains in remote name server caches, it is easier for a site operator to move IP addresses without end users losing access. Where a low TTL is expressed the ISP DNS name server resolution cache is purged quickly thereby ensuring that newly assigned site IP addresses are retrieved from the authoritative name server and site accessibility is maintained. Figure 13 below shows that the TTL value for "kickasstorrents" is one hour, demonstrating that any changes to IP address to DNS name are refreshed and propagated within ISP DNS servers in just over an hour.

Figure 13: Kickasstorrents DNS record Time to Live (1 hour)
Name TTL Class Record Address
www.kickasstorrents.com. 3600 IN A 95.215.60.37
www.kickasstorrents.com. 3600 IN A 93.114.40.112
www.kickasstorrents.com. 3600 IN A 193.105.134.81
www.kickasstorrents.com. 3600 IN A 95.143.195.138
www.kickasstorrents.com. 3600 IN A 76.76.107.90

26 Ipredator - Surf anonymously with VPN and proxy https://www.ipredator.se/?lang=en
27 UK based VPN services facilitating access to copyright infringed material may be subject to site blocking injunctions. UK VPN operators may institute site blocking at the VPN egress point. NB: we are not aware of any UK based VPN service marketed or positioned for such activity. Such services are likely to be non-UK based.
pp.33-34
DNS blocking robustness

For site operators and end users with a sufficient incentive to engage in circumvention DNS blocking is technically relatively straightforward to bypass:


• the blocked site may offer services such as Virtual Private Networking, which is where encryption and other security measures are deployed to ensure that the data cannot be viewed by third parties (DNS name resolution may occur within the VPN providers network thereby bypassing the ISP based DNS site-blocking);
• the end-user can change their DNS name servers to 3rd party DNS name servers;32,33
• users may use anonymous web proxy or other anonymising services which are not reliant on the ISP DNS servers; or
• name resolution may be performed locally by adding an entry to a hosts file (IP address resolution information can be obtained from websites running a web-enabled equivalent of “nslookup” command).

32 Google Public DNS - http://code.google.com/speed/public-dns/
33 OpenDNS Store > Sign up for OpenDNS Basic: - https://store.opendns.com/get/basic/

For end users who want to bypass blocks there are several options. For instance, there are many legitimate alternative DNS providers to ISP DNS registries. Examples include OpenDNS and Google DNS. We consider the changing of DNS servers to alternative providers to require low technical skills, as the providers offer clear instructions using plain English. For instance, switching to Google DNS requires 11 steps for Windows users and only 8 for those using MAC OS.

With a modest understanding of internet technologies it is possible to access a site by entering the site IP address (if multiple websites are hosted at the same IP address the user will be displayed the default web site or page for that web server/IP address). Site operators can draw attention to online web based and alternative sources of DNS name resolution within emails to their user base or via online forums.

Other channels that site operators could use to widely distribute advice on how best to circumvent DNS blocking could include posting to online forums, Really Simple Syndication (RSS) or updates via micro blogging sites such as Twitter ®. The advice could include changing to unblocked DNS name servers, Virtual Private Networks and proxy services or other anonymising systems. Similarly, site operators may quickly mirror or make copies of a blocked site on new top level or country code domains pointing towards new IP addresses e.g. www.blockedsite.cc; www.blockedsite.ru; www.blockedsite.vn; www.blockedsite.net.
p.38
Techniques that may undermine URL blocking include:

• web site operators providing encrypted access to their web sites via Secure Sockets Layer/ Transport Layer Security i.e. https connectivity https://www.example.com/downloads/pirate.zip;
• a site operator may run a website on a network port other than port 80;
• the site operator changing the IP address and bypassing the network routing announcements;
• a site operator registering a new domain name e.g. www.example.net or www.example.org;
• the blocked site offering services such as Virtual Private Networking;
• the use of anonymous web proxy or other anonymising services;
• the site operator reorganising the site structure if the blocking is conducted against specific URLs; and
• the site operator or end user encoding URLs to bypass blocking.
p.40
Packet inspection blocking robustness

Both shallow and deep packet inspection can be bypassed by site operators using the following means:


• changing the IP address but staying on the same network;
• moving to an entirely new network (to a previously unobserved IP address);
• the site may use network encryption techniques such as Virtual Private Networking to render scrutiny of the IP packet's payload or real IP address destination impossible, given the technology available today; or
• the site operator may add or remove site IP addresses from a pool of IP addresses.

End users who wish to circumvent packet inspection may opt to use anonymous web proxies or other anonymising services.
p.41
As with the deployment of any of the single primary techniques, the hybrid approach is also susceptible to circumvention by the use of anonymising tools such as The Onion Router, VPNs or anonymous proxy services.
p.44 (Column marked "Difficulty of circumvention" originally redacted)


p.45 (Column marked "Difficulty of circumvention" originally redacted)




p.52
Technical Glossary

Anonymous Web Proxy Service that allows users to place web requests via an intermediary server. The proxy server makes the connection on behalf of the user thereby hiding originating IP address and bypassing blocking network techniques.

The Onion Router (ToR) Anonymity network originally developed by the United States Navy. Used in many countries to bypass state censorship.

Monday, August 01, 2011

Judicial committee to consider internet use by juries and live tweeting of trials

According to Kieron Wood in the Sunday Business Post, Mr Justice John Murray is to chair a committee to consider the contempt risks posed by jurors' use of the internet and social media, and which may also consider the issues associated with courtroom reporting via Twitter or liveblogging. There doesn't seem to be anything on the Courts Service website about this yet, but hopefully the committee will follow the UK practice by holding a full public consultation and (if there is a need for urgent action) issuing interim guidance only in the meantime. Given the importance of the constitutional guarantee of open justice it would be wrong to make any final decision without giving those affected the opportunity to be heard.

Kieron Wood also writes about the wider problems the internet poses for the justice system in a longer piece in the Business of Law supplement.