Tuesday, December 12, 2006

From "the innocent have nothing to fear" files - mortgage brokers selling financial information on buyers to estate agents

Unless you've been living on Mars recently, you'll have heard of the RTÉ Prime Time exposé of dodgy dealings in the property market. Amongst other things, that program revealed that estate agents are (illegally) buying information from mortgage brokers about prospective purchasers: how much they have to spend, how much they've received in mortgage approval, how much they might have from other sources (such as parental gifts). Unsurprisingly, they are using this to extract every last penny from purchasers.

Hopefully we'll remember this the next time somebody tries to tell us that if you've done nothing wrong, you've nothing to fear.

Wednesday, December 06, 2006

From "the innocent have nothing to fear" files - police kept record of beautiful women

Cops kept record of beautiful women - Peculiar Postings - MSNBC.com:
STOCKHOLM, Sweden - Two Swedish border control officers risk disciplinary action for keeping a photo collection of 'exceptionally beautiful' women who passed through their checkpoint, police officials said Tuesday.

The officers, who were working at a ferry terminal near Stockholm, made photocopies of the women's passport photos and placed them in a binder. They also noted the date of birth next to each entry, the Stockholm police department said.

The binder contained instructions on how to compile the collection, and orders to make backup copies in case the binder would go missing or be confiscated by 'evil-minded bores,' police said.

Friday, December 01, 2006

Irish law on metatags and keywords

I've written (together with Paul Lambert of Merrion Legal solicitors) a piece on the legal issues involved where businesses find their trademarks being used by competitors as metatags or keywords. The full article (with the kind permission of Thomson Roundhall) is available here. Excerpt:
As cybersquatting declines we find that trade mark owners now have to defend their names in a different context. As search engines become more sophisticated, users are tending to rely on them as their primary means of navigation. Rather than type in a domain name directly (or rely on a bookmark), many users will simply enter a term—such as a company name or product—into a search engine, expecting the site they are looking for to appear high in the list of results. Consequently, the importance of domain names is diminished and search engines take on a new prominence. As Nielsen puts it:

“Web users are growing ever-more search dominant. Search is how people discover new websites and find individual pages within websites and intranets. Unless you're listed on the first search engine results page … you might as well not exist.”

This poses a new problem for trade mark holders—what happens when a competitor uses their trade mark in such a way that a person searching for the term will be shown a competing site in the list of results, or will be shown an advertisement for the competitor? ...

At first glance the unauthorised use of trade marks as metatags or keywords might seem to be a clear infringement of the mark in question. The trade mark holder will certainly argue that the metatag or keyword improperly takes advantage of the goodwill in the trademarked term and confuses the user into believing that there is some link between the trade mark and the search results or advertisements displayed in response. It can also be argued that the search engine is itself guilty of infringement by selling the trademarked term as a keyword. In addition, the tort of passing-off may be available.

However, look more closely and the position becomes more complicated. Trade mark law was not drafted with metatags or keywords in mind, making it difficult to bring these situations within the legislative language. There will be some situations where the trade mark use is legitimate, for example, a company which manufactures spare parts for BMW cars might be entitled to use “spare parts suitable for BMW” in its metatags.

The likelihood of consumer confusion may also be less in metatag / keyword cases as the trade mark is being used “invisibly” — that is, in a way which is not directly visible to the user, reducing the likelihood that the user will associate the search result or the advertisement with the trade mark. If a search engine faces liability for selling trademarked keywords, it may be hard to determine whether that liability is direct or merely contributory. (Some cases suggest that the search engine should not be liable for the keywords chosen by its clients.)

In addition, some would argue that provided users are not confused, presenting advertisements for competing goods alongside search results is no more objectionable than a shop placing similar products in the same aisle.

Friday, November 03, 2006

Your personal information is for sale: Bank worker uses information to stalk model

From BreakingNews.ie:
A 27-year-old former bank official who harassed Irish model Glenda Gilson and her family has been given a three month suspended sentence and ordered to stay 100 yards from the victims.

Daniel Rooney, of Castleknock Cottages, Castleknock, pleaded guilty at Dublin Circuit Criminal Court, to harassment of the Gilson family by persistently communicating with Glenda Gilson and her parents Noel and Aileen Gilson by e-mail and telephone at various locations on dates between November 12, 2004 and March 21, 2005.

Defence counsel Mr Luigi Rea BL, said Rooney was underachieving at that time in his life and he had become "jealous and obsessed" about Miss Gilson's progress in her modelling career. He had used his computer skills to "obtain telephone numbers he should not have".

Judge Bryan McMahon said one should not underestimate the "sinister impact these calls from an unknown quarter" can have on their victims but said he would take the mitigating factors into account and treat this as an "aberration".

He said this case was "a feature of modern technology and mobile phones and the access to people on these phones" and that it was "indicative of the personal data of all citizens" which corporations hold.

Garda Deirdre Conway told Mr Paul Carroll BL, prosecuting, that there had been 49 calls to the family over the five month period. She said the harassment began on November 12, 2004, when Miss Gilson's model agency, Assets, received a call and an e-mail purporting to be from a friend.

It soon became evident that the caller was using a false name as he started shouting abuse about Miss Gilson and her career. Miss Gilson later received abusive calls on the land line at her parents' home and also on her mobile. Many of the calls made to Miss Gilson’s home were answered by her parents...

Mr Rooney worked for AIB at the time and had been able to access the phone numbers through his work.
Despite Judge McMahon's comments, I suspect that it will take many more cases like this before people realise the dangers of their private information being open to abuse.

Friday, October 27, 2006

Your personal information is for sale: Call centre edition

The BBC reports that
One in 10 of Glasgow's financial call centres has been infiltrated by criminal gangs, police believe.

The scam works by planting staff inside offices or by forcing current employees to provide sensitive customer details.

The information is then used to steal identities and fraudulently set up accounts or transfer money...

Det Ch Insp Derek Robertson of Strathclyde Police told the BBC's Newsnight Scotland programme that there were a large number of call centres in the Glasgow area...

"I would say approximately 10% have been infiltrated in the past and we are working very hard to reduce that number."

Detectives believe that criminal crews are sent out to recruit volunteers to work in the centres.

Once they agree, they are asked to supply financial information in return for a fee.

Another tactic is to identify pubs where call centre workers visit and intimidate the employees to pass on the details.

Det Ch Insp Robertson said: "There are a number of different ways to do it.

"We know of organised crime groups who are placing people within the call centres so that they can steal customers' data and carry out fraud and money laundering.

"We also know of employees leaving the call centres and being approached and coerced, whether physically, violently or by being encouraged to make some extra money.

"And of course you have the disgruntled employee who may turn their hand to fraud just to benefit themselves."
Expect data retention to be a goldmine for criminals.

Sunday, October 22, 2006

UK rules requiring all pub-goers to be fingerprinted at the door

Words fail me. From The Register:
The government is funding the roll out of fingerprint security at the doors of pubs and clubs in major English cities.

Funding is being offered to councils that want to have their pubs keep a regional black list of known trouble makers. The fingerprint network installed in February by South Somerset District Council in Yeovil drinking holes is being used as the show case...

The council had assumed it was its duty under the Crime and Disorder Act (1998) to reduce drunken disorder by fingerprinting drinkers in the town centre.

Some licensees were not happy to have their punters fingerprinted, but are all now apparently behind the idea. Not only does the council let them open later if they join the scheme, but the system costs them only £1.50 a day to run.

Oh, and they are also coerced into taking the fingerprint system. New licences stipulate that a landlord who doesn't install fingerprint security and fails to show a "considerable" reduction in alcohol-related violence, will be put on report by the police and have their licences revoked.
Edited to add:
Ralf Bendrath kindly posted a link to his detailed analysis of this measure.

Samizdata have an enlightening take on the abuse of regulatory authority behind these rules.

Thursday, September 21, 2006

Your personal information is for sale: Italian telco in wiretapping scandal

BBC News has reports of an Italian scandal involving telecom company insiders:
Italy's justice minister has started an investigation into whether government officials were involved in an alleged wire-tapping scandal at Telecom Italia.

The news comes a day after police said they had arrested 20 people as part of an investigation into the case.

Prosecutors say the spy ring taped the phone conversations of politicians, industrialists and even footballers.
Of course the information stored by the same telecoms companies under data retention won't be abused. Oh no. Perish the thought.

Tuesday, September 19, 2006

Godaddy caves in rateyoursolicitor.com case?

This is a fascinating development in the ever-entertaining rateyoursolicitor.com saga. American company blocks off access to 'rate your lawyer' site - Irish Independent:
"AN American domain name provider has suspended access to the controversial rateyoursolicitor.com website after an Irish High Court issued a court order to remove offensive material about a barrister from the site.

Godaddy.com, an award winning internet site, suspended access to the rateyoursolicitor.com portal within 24 hours of an injunction issued by Judge Michael Hanna.

Last Wednesday, Judge Hanna issued an order that defamatory material posted about Jayne Maguire, a barrister, on rateyoursolicitor.com must be removed with immediate effect.

Ms Maguire has claimed that John Gill, of Drumline, Newmarket on Fergus, defamed her by posting offensive remarks on rateyoursolicitor.com.

Mr Gill, chairman of the Victims of the Legal Profession Society, denied that anything concerning Ms Maguire was published or posted on the site.

Ms Maguire is seeking damages for defamation and privacy and an interlocutory injunction of the statements about her on the site which she says is administered by Mr Gill.

Godaddy.com have locked access to the site domain name until High Court proceedings are concluded. Lawyers acting for Ms Gill served notice on www.gmax.net, an American Internet Service Provider that is host to the site.

It had been thought that Godaddy.com was hosting the site which invites Irish people to rate their lawyers, however gmax.net has now been identified as the ISP and has received notice of the High Court proceedings."
Slashdot has some interesting comments. More on this when I get the chance - but if these reports are accurate I'll certainly be moving my own registrations and hosting from Godaddy.

Friday, September 15, 2006

Gardaí disclosing confidential information to media

This RTÉ News report is worrying, and reinforces the DRI complaint earlier this year about the leaking of mobile phone records by gardaí:
"Garda Commissioner Noel Conroy is this afternoon to appoint a senior officer to investigate the circumstances surrounding the release of video footage to RTÉ News.

The footage, broadcast yesterday, features two men convicted of dangerous driving, videoing themselves driving at high speed on the N4, near Mullingar, Co Westmeath.

District Court judge John Neilan this morning requested the commissioner to commence an internal investigation.

Judge Neilan said his relationship with the force was deeply strained as a result of events this week.

Judge Neilan said he was appalled by the conduct of the garda officers in the case.

He said the case had first come before him in June and he was satisfied beyond any shadow of a doubt that one of the prosecuting officers had primed the media in respect of the case.

He said that since the tape from the camcorder found in one of the cars was not available to the court yesterday, the only evidence that was available was that as recounted by the Inspector at Mullingar District Court yesterday.

Judge Neilan also said that it was his belief that the evidence of the arresting officers was tainted and embellished by what they saw on the camcorder.

Charges withdrawn

He said that the prosecution had decided without indicating to the court or the media, which apparently had the inside track on the case, that it was withdrawing two of the charges.

Two of the charges related to the material which was used and retained on the camcorder.

The judge said the DPP did not give any reason to the court for not proceeding with those particular charges.

He said that the conduct of members of An Garda Síochána in discussing evidence and possibly releasing material which was intended to be used in the case yesterday was nothing short of scandalous.

Judge Neilan said that the material seized by gardaí was material which was under the authority of his court.

He warned members of the public to be cautious about what he called the hype surrounding this case, and he said that every member of the public should be aware that certain members of the gardaí are priming the media well in advance of any case being dealt with in accordance with the law.

Judge Neilan also said that certain members of the gardaí believe they have 'a God given right to undermine the cases of the DPP and generate as much hype and hysteria as they can'."

Wednesday, September 13, 2006

McGarr Solicitors and public access to court files

McGarr Solicitors have a new website which has two firsts for Irish solicitors - they're the first firm of Irish solicitors to have a blog (surprisingly Irish barristers have put down their quills and been to the front here), and (more significantly) they've been the first to make some court documents publicly available on their web site.

Court documents in Ireland currently exist in a legal limbo - although justice must be administered in public, the practice has been to limit access to the court file. This is so even though every document in the file might have been read out in open court, and even though there is no rule prohibiting disclosure of the contents. Consequently if you as a member of the public wish to see the papers in a case you are dependent on the good will of the parties. This is unlike other jurisdictions such as the United States, where it is generally presumed that court documents are public documents in the same way that the proceedings themselves are public. I've long felt that the Irish practice is far too restrictive, and it's good to see solicitors making it easier to view these documents.

Thursday, September 07, 2006

Schools fingerprinting children - Data Protection Implications

It seems as though everybody wants to fingerprint your children these days. The latest issue is whether schools can fingerprint children without so much as a parental by your leave. The Register has a very interesting discussion of the data protection issues involved:
Parents cannot prevent schools from taking their children's fingerprints, according to the Department for Education and Skills and the Information Commissioner.

But parents who have campaigned against school fingerprinting might still be able to bring individual complaints against schools under the Data Protection Act (DPA).

DfES admitted to The Register that schools can fingerprint children without parents' permission.

This position has also been taken by the Information Commissioner, who interprets and enforces the Data Protection Act - the law privacy campaigners hope might be used to stop schools fingerprinting their children.

The Information Commissioner's Office (ICO) is drawing up guidance on the use of fingerprints for purposes other than law-enforcement. The guidance will say once and for all whether parents can prevent their children's fingerprints being taken.

David Smith, deputy Information Commissioner, said it was a complex issue that was still being worked out, but it was likely that parents did not have an automatic right to decide whether their children's biometrics could be taken by a school.

"The Data Protection Act talks of consent of the individual - essentially that's consent of the child," he said.

"Now there's a requirement that consent is informed and freely given. That will depend on the age of the child," he said.
Update: Spongebobb asks what the situation would be in Ireland. The Irish Data Protection Commissioner has given guidance on whether children can consent to the use of their personal information, though this doesn't specifically address this situation:
The minimum age at which consent can be legitimately obtained is not defined in the Data Protection Act, 1988.

Section 2A(1) of the Acts states that consent cannot be obtained from a person who, by reason of age, is likely to be unable to appreciate the nature and effect of such consent. Judging maturity will vary from case to case.

In the medical area, the GPIT Guide (www.GPIT.ie) suggests that an individual may be assumed to be competent to give consent for medical purposes on reaching the age of 16 years. Where the individual is below that age, consent may still be given, but this requires that the medical practitioner involved must assess whether a child or young person has the maturity to understand and make their own decisions about the handling of their personal health information. In relation to the right of access to health data, where the individual is below 16 years, it was recommended that the general practitioner should use professional judgement on a case by case basis, on whether the entitlement to access should be exercisable by (i) the individual alone, (ii) a parent or guardian alone, or (iii) both jointly. In making a decision, particular regard should be had to the maturity of the young person concerned and his or her best interests.

In the marketing area, where sensitive data is not involved, including on websites, a lower threshold may be permissible. For example, it is a matter for a company to judge if a 14 year old can appreciate the issues surrounding consent and to be able to demonstrate that a person of that age can understand the information supplied and the implications of giving consent. While care should be taken that a person under that age would not be enticed into a deception concerning his/her age, a clear statement that an age limit applies would normally suffice. Where the company becomes aware at a later date that a person has supplied false age-related information, then that data subject's details should be removed from the live site. Sufficient identifiers may be retained purely for the purpose of blocking future entry attempts by that individual.

Where the company accepts that an individual is a minor and are seeking parental consent, e-mail might not be the best medium, unless they can establish that the e-mail address is genuinely a parent/guardian's e-mail address. A postal address is more readily authenticated, though it still does not preclude a letter being addressed to a sibling.
The closest Irish precedent is a case involving a primary school which put the personal details of pupils on a website without parental consent. The Data Protection Commissioner took a dim view of this:
A parent contacted my Office to complain that the local primary school was publishing personal details of pupils on the school web site, without the knowledge or consent of parents. The details included photographic images of named individual pupils, as well as general details volunteered by pupils regarding their hobbies, likes and dislikes. The parent was concerned that the non-selective publication of children’s details in this way was inappropriate, and could expose the children to unnecessary risks. The parent had raised the matter with the school authorities and was very dissatisfied with the response she had received.

I immediately contacted the school principal to arrange that personal details relating to identifiable children would be deleted from the web site, pending an urgent meeting on this matter. At the meeting, the school principal explained that the web site had been set up several weeks previously in order to meet the educational needs of children in relation to computing. The pupils themselves had been quite positive about the development. Photographs of individual pupils in the junior and senior infants classes had been posted on the web site. Other pupils had been invited to contribute to the web site through other activities, such as filling out questionnaires giving personal information that would be of interest to pupils in other schools, both nationally and internationally. It was noted that the school web site had been given an award by an internet service company in recognition of its merit. As regards parental consent, the principal said that the new web site had been mentioned in a recent school newsletter, and that parents had been invited to come to the school to check it out for themselves.

I pointed out that section 2(1)(a) of the Data Protection Act requires that personal data "shall have been obtained, and the data shall be processed, fairly". When dealing with personal data relating to schoolchildren, "fairness" in my judgement requires that the clear and informed consent of parents or guardians must be obtained before any use is made of the children’s data. This is particularly so where the use envisaged involves the posting of data on the worldwide web. The principal accepted these points and undertook not to post personal details of schoolchildren on the web site except with the express authorisation of a parent or guardian.
Of course, the children in this case were of primary school age and so unlikely to be able to give an informed consent. It leaves open the question of whether parental consent could still be required in respect of an older child.

Your personal information is for sale - HP spies on directors' home telephone calls

Newsweek has revealed that:
To catch a leaker, Hewlett-Packard's chairwoman spied on the home-phone records of its board of directors.

The confrontation at Hewlett-Packard started innocently enough. Last January, the online technology site CNET published an article about the long-term strategy at HP, the company ranked No. 11 in the Fortune 500. While the piece was upbeat, it quoted an anonymous HP source and contained information that only could have come from a director. HP’s chairwoman, Patricia Dunn, told another director she wanted to know who it was; she was fed up with ongoing leaks to the media going back to CEO Carly Fiorina’s tumultuous tenure that ended in early 2005. According to an internal HP e-mail, Dunn then took the extraordinary step of authorizing a team of independent electronic-security experts to spy on the January 2006 communications of the other 10 directors—not the records of calls (or e-mails) from HP itself, but the records of phone calls made from personal accounts. That meant calls from the directors’ home and their private cell phones. ...

The HP case specifically also sheds another spotlight on the questionable tactics used by security consultants to obtain personal information. HP acknowledged in an internal e-mail sent from its outside counsel to Perkins that it got the paper trail it needed to link the director-leaker to CNET through a controversial practice called “pretexting”; NEWSWEEK obtained a copy of that e-mail. That practice, according to the Federal Trade Commission, involves using “false pretenses” to get another individual’s personal nonpublic information: telephone records, bank and credit-card account numbers, Social Security number and the like. Pretexting is heavily marketed on the Web.

Typically—say in the case of a phone company—pretexters call up and falsely represent themselves as the customer; since companies rarely require passwords, a pretexter may need no more than a home address, account number and heartfelt plea to get the details of an account. According to the Federal Trade Commission’s Web site, pretexters sell the information to individuals who can range from otherwise legitimate private investigators, financial lenders, potential litigants and suspicious spouses to those who might attempt to steal assets or fraudulently obtain credit
The UK Information Commissioner has shown that "pretexting" is prevalent in the UK also, in his report "What Price Privacy? The Unlawful Trade in Confidential Personal Information". While we have no comprehensive report in respect of Ireland, it is likely that it is just as common here.

Incidentally, one of the most common misconceptions about privacy is that it's merely about trusting the government not to abuse its powers. This case illustrates that when you create vast databases, you have to cross your fingers and hope that there is no one else (such as your employer) with a motive to spy on you.

Update: It's now emerged that HP spied on journalists' telephone calls also. Particularly in the US, there's been media lethargy about privacy issues - hopefully there'll be more coverage of the issues as reporters realise that it may be their ox being gored.

Thursday, August 31, 2006

Privacy: One law for them, one law for us

The Telegraph reports that "Celebrity children will get database privacy" in the Orwellian "Children's Index":
Children of celebrities will be given special safeguards in a new database that will store details of every child in England and Wales, it was disclosed yesterday. ...

Ministers said the contentious two-tier level of privacy will protect children of the rich and famous from intrusion.

Addresses and telephone numbers of celebrities will be removed from the database if, for example, their children are deemed at risk of kidnap.

But opponents of the £241 million Children's Index — a supposedly confidential system intended as an early warning system for children at risk of abuse — said the move underlined their concerns about its security.

In further embarrassment to the Government, an independent report commissioned by Parliament's Information Commissioner and due to be published next month, is understood to warn that the index is causing serious concern and is possibly unlawful.

There are fears that it does not comply with the European Convention on Human Rights and may contravene the Data Protection Act. ...

Files are held by many bodies on the 11 million children in England and Wales, but the index will link this sensitive information in one database accessible to hundreds of thousands of officials. ...

Lord Adonis, the education minister, told the House of Lords: 'Between 300,000 and 400,000 users will access the index. Children who have a reason for not being traced, for example where there is a threat of domestic violence or where the child has a celebrity status, will be able to have their details concealed.'

Robert Whelan, the deputy director of the think-tank Civitas, said Lord Adonis's remarks showed there were legitimate concerns about the security of the index.

'The Government is showing it has no confidence in this database,' he said.

'There have been all these assurances it is secure, but how can we believe them now? I will tell you who will be off the register — the Blairs' children. This is just politicians protecting their own.

'And how is the Government going to define celebrity? It is a very fluid term — an assembly of high-profile clergy, disgraced politicians, topless models, pop singers and reality TV contestants.' ...

But, in an interview for tomorrow's Channel 4 programme Your Kids Under Surveillance, Prof Ross Anderson, an author of the report sent to the Information Commissioner, expressed concern about security.

'There will always be bent insiders. If you connect all these systems up and if you've got over a million professionals needing to access this every day it will all get out.

'Paedophiles for example can use the database to find out which children in their neighbourhood are vulnerable and where they live.'

Yet another argument against ID cards - UK Edition

ID card fears as staff hack into Home Office database | This is London:
"Office staff are hacking into the department's computers, putting at risk the privacy of 40million people in Britain.

The revelation undermines Government claims that sensitive information being collected for its controversial ID Cards scheme could not fall into criminal hands.

The security breaches occurred at the Identity and Passport Service, which is setting up the National Identity Register to provide access to individuals' health, financial and police records as part of the £8billion ID card scheme scheduled to begin in 2008.

MPs and technology experts have expressed fears that the national register, which will store sensitive details of more than 40million people, will be a honeypot for hackers and identity thieves.

Liberal Democrat Home Affairs spokesman Mark Hunter said: 'These revelations show it is folly to put all the precious personal data of our citizens in one place.'

Personal information about every British passport holder - including their date of birth, mother's maiden name, address and photographs - is already held in the IPS computers.

A Home Office spokesman last night confirmed the IPS security breaches. He also confirmed that three staff involved had been sacked and a fourth had resigned before disciplinary procedures had concluded."

Tuesday, August 29, 2006

NY Times uses geolocation to avoid contempt of court

Times Withholds Web Article in Britain:
If Web readers in Britain were intrigued by the headline “Details Emerge in British Terror Case,” which sat on top of The New York Times’s home page much of yesterday, they would have been disappointed with a click.

“On advice of legal counsel, this article is unavailable to readers of nytimes.com in Britain,” is the message they would have seen. “This arises from the requirement in British law that prohibits publication of prejudicial information about the defendants prior to trial.”

In adapting technology intended for targeted advertising to keep the article out of Britain, The Times addressed one of the concerns of news organizations publishing online: how to avoid running afoul of local publishing laws.

“I think we have to take every case on its own facts,” said George Freeman, vice president and assistant general counsel of The New York Times Company. “But we’re dealing with a country that, while it doesn’t have a First Amendment, it does have a free press, and it’s our position that we ought to respect that country’s laws.”

Jonathan Zittrain, a professor of Internet governance and regulation at Oxford University, said restricting information fit with trends across the Internet. “There’s been a sense that technology can create a form of geographic zoning on the Internet for many years now — that they might not be 100 percent effective, but effective enough,” Mr. Zittrain said. “And there’s even a sense that international courts might be willing to take into account these efforts.”

Plans were made at The Times over the weekend to withhold print versions of the article in Britain, as well as news agency and archived versions.

But the issue of the Web was more complicated.

Richard J. Meislin, the paper’s associate managing editor for Internet publishing, said the technological hurdle was surmounted by using some of The Times’s Web advertising technology. The paper could already discern the Internet address of users connecting to the site to deliver targeted marketing, and could therefore deliver targeted editorial content as well. That took several hours of programming.

“It’s never a happy choice to deny any reader a story,” said Jill Abramson, a managing editor at The Times. “But this was preferable to not having it on the Web at all.”
This sets an interesting precedent - if the NY Times is willing to filter content for one jurisdiction to avoid contempt of court problems, how long will it be able to avoid filtering for possible libel issues?

Monday, August 28, 2006

Yet another argument against ID cards - Australian edition

The Register reports:
Australia's identity card system was routinely searched for personal reasons by government agency employees, some of whom have been sacked.

Police are now investigating allegations of identity fraud resulting from the security breaches.

There were 790 security breaches at government agency Centrepoint involving 600 staff. Staff were found to have inappropriately accessed databases containing citizens' information. The databases are part of a massive federal Government smart card project which will link medical, welfare, tax and other personal data on Australia's 17m citizens.

Thursday, August 10, 2006

AOL Searches Now Available Online

Hot on the heels of AOL's disclosure of private customer information, the AOL Search Database has put that information into a searchable format for the world to see.

Wednesday, August 09, 2006

Still more on the AOL disclosure - what your internet history might say about you

CNET News looks at the AOL disclosure to show how much information your internet history can reveal about your life. Two examples:
A woman affiliated with Temple University in Philadelphia, perhaps a student, shared her life's troubles with AOL Search this spring. That woman, user 591476, typed:
  • replica loius vuitton bag
  • how to stop bingeing
  • how to secretly poison your ex
  • how to color hair with clairol professional
  • girdontdatehim.com
  • websites that ask for payment by checks
  • south beach diet
  • nausea in the first two weeks of pregnancy
  • breast reduction
  • how to starve yourself
  • rikers island inmate info number
  • inmatelookup.gov
  • www.tuportal.temple.edu
  • how to care for natural black hair
  • scarless breast reduction
  • pregnancy on birth control
  • temple.edu
  • diet pills
Some AOL users seem to be worried that an abusive partner in a relationship may come back to hurt them. This person, AOL user 005315, searched for information about prison inmates, gang members, sociopaths in relationships, and women who were murdered in southern California last year:
  • resources for utility bill paying assistance in southern california
  • section 8 housing southern california
  • los angeles county ca. gang member pictures
  • orange county california jails inmate information
  • fractured ankle
  • letters and responses written by women to emotionally abusive partners
  • men that use emotional and physical abandonment to control their partner
  • warning signs of a mans infidelity or sexual addiction
  • the sociopathic relationship
  • southern california newspaper stories about woman murdered by boyfriend in pomona december2005
  • names of females murdered or found dead in pomona california in 2005
  • characteristics of a sociopath in a relationship
  • a person that shows lack of empathy
  • help in writing a letter to a abusive narcissistic ex boyfriend
  • how to hurt the narcissistic man
  • retaliating against the narcisisstic man

The NY Times puts a face on one of AOL's victims

A Face Is Exposed for AOL Searcher No. 4417749 - New York Times:
Buried in a list of 20 million Web search queries collected by AOL and recently released on the Internet is user No. 4417749. The number was assigned by the company to protect the searcher’s anonymity, but it was not much of a shield.

Thelma Arnold’s identity was betrayed by AOL records of her Web searches, like ones for her dog, Dudley, who clearly has a problem.

No. 4417749 conducted hundreds of searches over a three-month period on topics ranging from “numb fingers” to “60 single men” to “dog that urinates on everything.”

And search by search, click by click, the identity of AOL user No. 4417749 became easier to discern. There are queries for “landscapers in Lilburn, Ga,” several people with the last name Arnold and “homes sold in shadow lake subdivision gwinnett county georgia.”

It did not take much investigating to follow that data trail to Thelma Arnold, a 62-year-old widow who lives in Lilburn, Ga., frequently researches her friends’ medical ailments and loves her three dogs. “Those are my searches,” she said, after a reporter read part of the list to her. ...

Ms. Arnold, who agreed to discuss her searches with a reporter, said she was shocked to hear that AOL had saved and published three months’ worth of them. “My goodness, it’s my whole personal life,” she said. “I had no idea somebody was looking over my shoulder.”

In the privacy of her four-bedroom home, Ms. Arnold searched for the answers to scores of life’s questions, big and small. How could she buy “school supplies for Iraq children”? What is the “safest place to live”? What is “the best season to visit Italy”?

Her searches are a catalog of intentions, curiosity, anxieties and quotidian questions. There was the day in May, for example, when she typed in “termites,” then “tea for good health” then “mature living,” all within a few hours.

Her queries mirror millions of those captured in AOL’s database, which reveal the concerns of expectant mothers, cancer patients, college students and music lovers. User No. 2178 searches for “foods to avoid when breast feeding.” No. 3482401 seeks guidance on “calorie counting.” No. 3483689 searches for the songs “Time After Time” and “Wind Beneath My Wings.”

At times, the searches appear to betray intimate emotions and personal dilemmas. No. 3505202 asks about “depression and medical leave.” No. 7268042 types “fear that spouse contemplating cheating.”
If this story disturbs you, you might want to visit Digital Rights Ireland and support our campaign against data retention.

Tuesday, August 08, 2006

Your personal information is for sale, episode 8,763 - AOL reveals users search history

From Techcrunch:
AOL must have missed the uproar over the DOJ’s demand for “anonymized” search data last year that caused all sorts of pain for Microsoft and Google. That’s the only way to explain their release of data that includes 20 million web queries from 650,000 AOL users.

The data includes all searches from those users for a three month period this year, as well as whether they clicked on a result, what that result was and where it appeared on the result page. It’s a 439 MB compressed download, expanded to just over 2 gigs. The data is available here (this link is directly to the file) and the output is in ten text files, tab delineated.

The utter stupidity of this is staggering. AOL has released very private data about its users without their permission. While the AOL username has been changed to a random ID number, the ability to analyze all searches by a single user will often lead people to easily determine who the user is, and what they are up to. The data includes personal names, addresses, social security numbers and everything else someone might type into a search box.

The most serious problem is the fact that many people often search on their own name, or those of their friends and family, to see what information is available about them on the net. Combine these ego searches with porn queries and you have a serious embarrassment. Combine them with “buy ecstasy” and you have evidence of a crime. Combine it with an address, social security number, etc., and you have an identity theft waiting to happen. The possibilities are endless.

Marketers are going nuts over the possibilities, users are calling for a boycott of AOL, and others are just enraged:

User 491577 searches for “florida cna pca lakeland tampa”, “emt school training florida”, “low calorie meals”, “infant seat”, and “fisher price roller blades”. Among user 39509’s hundreds of searches are: “ford 352”, “oklahoma disciplined pastors”, “oklahoma disciplined doctors”, “home loans”, and some other personally identifying and illegal stuff I’m going to leave out of here. Among user 545605’s searches are “shore hills park mays landing nj”, “frank william sindoni md”, “ceramic ashtrays”, “transfer money to china”, and “capital gains on sale of house”. Compared to some of the data, these examples are on the safe side. I’m leaving out the worst of it - searches for names of specific people, addresses, telephone numbers, illegal drugs, and more. There is no question that law enforcement, employers, or friends could figure out who some of these people are.

There is some really scary stuff in this data.

Bear in mind that this was not an accidental or inadvertent disclosure - much less a security breach. AOL took a deliberate and planned decision to release this information.
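The failure described in the Techcrunch excerpt, a stable random ID that still ties every query to one person, is something a release check can catch before a log leaves the building. The following is an added example, not code from AOL or from any of the sources quoted here; the column layout, the sample rows, the patterns and the function names are all assumptions constructed for illustration.

```python
import csv
import io
import re
import secrets
from collections import defaultdict

# Constructed sample (not real data). Assumed tab-delimited layout:
# pseudonymous id, query, timestamp, rank of clicked result, clicked URL.
SAMPLE_LOG = (
    "1001\tlandscapers in exampleville\t2006-03-01 10:02:11\t1\thttp://example.com/a\n"
    "1001\tjane example exampleville\t2006-03-02 09:15:40\t\t\n"
    "1001\tcheap flights\t2006-03-04 21:30:05\t3\thttp://example.org/b\n"
    "1002\t000-12-3456 credit report\t2006-03-01 08:00:00\t\t\n"
    "1002\tlow calorie meals\t2006-03-03 12:45:10\t2\thttp://example.net/c\n"
    "1003\tweather\t2006-03-05 07:00:00\t\t\n"
    "1004\t12 example road exampleville\t2006-03-06 18:20:00\t\t\n"
)

# Patterns for identifiers that should never appear in a released query.
# Illustrative only: they cannot recognise personal names or place names.
DIRECT_IDENTIFIERS = {
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_like": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "street_address": re.compile(
        r"\b\d{1,5}\s+(?:\w+\s+){1,3}"
        r"(?:street|st|road|rd|avenue|ave|lane|ln|drive|dr)\b",
        re.IGNORECASE,
    ),
}


def parse_log(text):
    """Read the tab-delimited log; quotes inside queries are kept literally."""
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    rows = []
    for rec in reader:
        if len(rec) < 3:
            continue  # skip malformed lines
        rows.append({"id": rec[0], "query": rec[1], "time": rec[2]})
    return rows


def audit(rows, max_linked=1):
    """Return a finding for every pseudonym that blocks release.

    A pseudonym is a finding if its queries contain a direct identifier,
    or if more than max_linked queries can be tied together through it.
    """
    per_id = defaultdict(list)
    for row in rows:
        per_id[row["id"]].append(row["query"])

    findings = {}
    for uid, queries in per_id.items():
        hits = sorted(
            name
            for name, rx in DIRECT_IDENTIFIERS.items()
            if any(rx.search(q) for q in queries)
        )
        if hits or len(queries) > max_linked:
            findings[uid] = {"linked_queries": len(queries), "direct_identifiers": hits}
    return findings


def sanitize(rows):
    """One possible mitigation: drop records holding direct identifiers,
    give every remaining record its own random token so histories cannot
    be reassembled, and coarsen the timestamp to the date."""
    out = []
    for row in rows:
        if any(rx.search(row["query"]) for rx in DIRECT_IDENTIFIERS.values()):
            continue
        out.append(
            {"id": secrets.token_hex(8), "query": row["query"], "time": row["time"][:10]}
        )
    return out


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("before:", audit(rows))
    print("after: ", audit(sanitize(rows)))
```

Pseudonym 1001 trips no pattern at all and is reported only because three queries hang off one ID, which is the case pattern matching alone would miss.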

Wednesday, August 02, 2006

Today's outrage - Millions of children to be fingerprinted

The Observer reports that:
British children, possibly as young as six, will be subjected to compulsory fingerprinting under European Union rules being drawn up in secret. The prints will be stored on a database which could be shared with countries around the world.

The prospect has alarmed civil liberties groups who fear it represents a 'sea change' in the state's relationship with children and one that may lead to juveniles being erroneously accused of crimes. Under laws being drawn up behind closed doors by the European Commission's 'Article Six' committee, which is composed of representatives of the European Union's 25 member states, all children will have to attend a finger-printing centre to obtain an EU passport by June 2009 at the latest.

The use of fingerprints and other biometric data is designed to prevent passport fraud and allow European member states to meet US entry visa requirements, but the decision to fingerprint children has disturbed human rights groups.

The civil liberties group Statewatch last night accused EU governments of taking decisions in which 'people and parliaments have no say'. It said the committee's decisions were simply based on 'technological possibilities - not on the moral and political questions of whether it is right or desirable.'

'This is a sea change,' said Ben Hayes, spokesman for Statewatch. 'We are going from fingerprinting criminals to universal fingerprinting without any real debate. In the long term everyone's fingerprints will be stored on a central database. You have to ask what will be the costs to a person's privacy.'
[Edited to add]

It's not clear what effect this may have in Ireland. The legal basis is Regulation 2252/2004 which is a Schengen act and therefore not binding on Ireland. The Government's current policy is not to include fingerprints on passports - see the Dept. of Foreign Affairs FAQ. However, if and when Ireland does enter Schengen this will be a fait accompli.

Tuesday, July 25, 2006

When surveillance meets bureaucracy

"Innocent People Placed On 'Watch List' To Meet Quota":
You could be on a secret government database or watch list for simply taking a picture on an airplane. Some federal air marshals say they're reporting your actions to meet a quota, even though some top officials deny it.

The air marshals, whose identities are being concealed, told 7NEWS that they're required to submit at least one report a month. If they don't, there's no raise, no bonus, no awards and no special assignments.

"Innocent passengers are being entered into an international intelligence database as suspicious persons, acting in a suspicious manner on an aircraft ... and they did nothing wrong," said one federal air marshal. ...

What kind of impact would it have for a flying individual to be named in an SDR?

"That could have serious impact ... They could be placed on a watch list. They could wind up on databases that identify them as potential terrorists or a threat to an aircraft. It could be very serious," said Don Strange, a former agent in charge of air marshals in Atlanta. He lost his job attempting to change policies inside the agency.
(via MetaFilter)

Tuesday, July 18, 2006

UK Government implements "Minority Report" - Department of Pre-Crime awaits

The Register reports that the UK government plans to tackle crime at birth by means of yet more entries in the proposed "Children's Index" database:
Children's Minister Hilary Armstrong was due today to outline what could become one of Project Blair's most ambitious, misguided and hubristic projects yet. The Government will attempt to identify children at risk of failure, violent behaviour or criminality at birth, and take the necessary corrective actions to steer them onto a law-abiding and successful path.

Ironically, Armstrong is floating these proposals just as this same predictive approach to future behaviour patterns is becoming discredited. A couple of national newspapers, the Independent and The Observer, appear to have seen outlines of the plans. According to the Independent, midwives, doctors and nurses are to be "asked to identify 'chaotic' families whose babies are in danger of growing up to be delinquents, drug addicts and violent criminals." The plan will be backed up by "research" which "shows that children from the most dysfunctional families are 100 times more likely to abuse alcohol, commit crimes or take drugs", and a "source" close to Armstrong says: "It is the 'supernanny' model. There is no reason why midwives who ask mothers lots of questions anyway can't ask a few more about the family circumstances and identify families where there may be problems. We need to intervene early to stop the cycle that leads to social exclusion."
The Register has some interesting comments about the quality of the data we can expect this database to contain:
The information they're sharing, meanwhile, will become more junk-like as the boxes they need to check and the fields they need to fill in multiply. Social workers, police, anyone who's given the job of spotting early warning signs will feel the need to put something in the box, for all too obvious reasons. What's it going to look like in five years time when some kid on your books gets beaten to death, and it turns out you didn't notice anything? The empty box clearly indicates negligence on your part. So the slightest, part-imagined 'signs' will go down, the people you're sharing the data with will see this 'concern' flagged and put in some 'signs' of your own. And as Brian Sheldon, Emeritus Professor, University of Exeter and former director of the Centre for Evidence-Based Social Work puts it, once social workers decide people need visiting, "they need visiting a lot." Or as Hine says, "if you're looking for problems, you will find problems."

The cases will tend to build themselves, the effect much magnified by the 'share and deploy' approach, and they'll also tend to focus on the easier cases. The ones who're easier to get at and who're on the receiving end of self-generating warning signs will get lots of attention (despite quite possibly never having needed any in the first place), and quite possibly acquire real problems because of this, while harder cases of real need may not get any attention at all.

At ground level, midwives (and one presumes other professionals) are beginning to see the collateral damage of the Blair Project's data kleptocracy (Sheldon diagnoses this as symptomatic of a country suffering from obsessive-compulsive disorder). Some of the women midwives are dealing with have noticed that their histories can be taken down and used against them, and that it does not matter whether or not they have successfully coped, or are successfully coping with whatever the problem might have been. If you tell someone, it will be flagged as a 'concern' and will breed more concerns, and turn you into a 'case'. So they're starting to withhold information, and as midwives, and other professionals continue to ask "a few more" questions, people on the receiving end of the data kleptocracy will start to go underground.

Leaving systems built on junk science sharing junk data in pursuit of imaginary concerns and a pre-defined criminal underclass, while the rest of us hide. (Emphasis added)
For another perspective see the proceedings of the LSE conference "Children: Over Surveilled, Under Protected".

Monday, July 17, 2006

Online Anonymity - Ryanair Edition (continued)

The Irish Times reports that Ryanair has lost its action seeking to identify pilots posting to a bulletin board under pseudonyms. While the judgment doesn't seem to address the privacy issues involved, it does look at the motive behind the action, and notes that "when Ryanair set up an investigation to find out who was behind the website, the real purpose of that investigation was to 'break the resolve' of pilots to seek better terms and conditions." This is an important finding - it indicates that actions to identify internet users should be assessed carefully to see whether there is some improper purpose underlying the application. From the Irish Times:
A High Court judge has rejected claims by Ryanair that its pilots or their unions had engaged in bullying, intimidation or isolation of other pilots over conditions imposed by Ryanair relating to training on new aircraft.

The only evidence of bullying was by Ryanair itself, Mr Justice Thomas Smyth stated yesterday. He described as "most onerous and bordering on oppression" a condition requiring pilots to pay Ryanair €15,000 for training on new aircraft in 2004. The €15,000 was payable by pilots if they left the company within five years or if Ryanair was required to engage in collective bargaining within the same period.

In a strongly worded reserved judgment, the judge dismissed a bid by the private airline for orders aimed at identifying pilots who posted messages under codenames, such as "ihateryanair" and "cantfly, wontfly" on a pilots' website. Ryanair had claimed the messages showed evidence of wrongful activity against it and its employees.

The judge also made a finding of false evidence in relation to two members of Ryanair management who had given evidence at the hearing. He held that, when Ryanair set up an investigation to find out who was behind the website, the real purpose of that investigation was to "break the resolve" of pilots to seek better terms and conditions. There was no warrant for Ryanair's action in seeking assistance from gardaí on the matter, he added.

He rejected as "baseless and false" the evidence of Ryanair director of personnel Eddie Wilson in relation to the setting up of the investigation. The judge also said there was no conspiracy in relation to the setting up of the website and it was not engaged in anything unlawful. There was "no actionable wrong", he held, and dismissed Ryanair's application.

Friday, July 14, 2006

Dutch court upholds refusal to disclose file-sharers' identities

The Register reports that the Dutch decision in BREIN (holding that information about alleged filesharers had been obtained in breach of data protection law) has been upheld on appeal. The result is that litigation by the music industry will be unable to proceed.
A Dutch appeals court has thwarted attempts by the Dutch anti-piracy organisation BREIN to get the identities of file-sharers from five ISPs, including Wanadoo and Tiscali.

The court found that the manner in which IP addresses were collected and processed by US company MediaSentry had no lawful basis under European privacy laws. A lower court in Utrecht had reached a similar conclusion last year.

The court also argued that the software MediaSentry uses can't properly identify users or provide evidence of infringement.

Last year, expert witnesses at Delft University of Technology criticised MediaSentry's software for being too limited and simplistic. For instance, MediaSentry took filenames in Kazaa at face value. More importantly, the software scans all the content of the shared folder on the suspect's hard disk. In that process, it breached privacy laws.

The Dutch Protection Rights Entertainment Industry Netherlands (BREIN) represented 52 media and entertainment companies and has been investigating 42 people suspected of swapping song files. Nine file-sharers decided to settle with BREIN.

BREIN says it will go to a higher court, but lawyer Christiaan Alberdingk Thijm, who represented the ISPs, sees the decision as an important victory.

Wednesday, July 12, 2006

UK government abusing copyright to silence whistleblower

The Foreign Office is now seeking to misuse copyright law to stop a former ambassador from publishing material showing British involvement in torture. From the Guardian:
The government is threatening to sue former ambassador Craig Murray for breach of copyright if he does not remove from his website intelligence material that was censored out of his newly published memoirs.

Mr Murray has posted full texts of all passages the Foreign Office ordered deleted from the book version of Murder in Samarkand, the former Tashkent ambassador's account of alleged British complicity in torture by the despotic Uzbekistan regime. His book contains links to the website.

The passages detail CIA intelligence reports that Mr Murray says were false, and accounts of US National Security Agency intercepts and conversations with John Herbst, the US ambassador in Uzbekistan at the time. The Foreign Office says release of the material is damaging. ...

The Foreign Office is also demanding, in a claim that breaks new legal ground, that Mr Murray remove from his website the text of Foreign Office correspondence which he says he obtained officially through Freedom of Information Act and Data Protection Act requests.

The Treasury solicitors, the government lawyers, wrote to Mr Murray last week claiming: "Even if a document is released under the Freedom of Information Act or the Data Protection Act, that does not entitle you to make further reproductions of that document by, for example, putting them on your website."

Mr Murray said yesterday: "If the media do not react to this, they will lose the ability to report in any detail material released under the Freedom of Information Act. The documents in question are the supporting evidence for my book. The government continues to claim my story is untrue."
It is unacceptable that a government can silence its critics by relying on copyright law. The approach taken by US law is preferable, under which government publications don't benefit from copyright protection. After all, this material has already been paid for by the taxpayer.

Tuesday, July 11, 2006

Henry Porter on ID cards

Henry Porter gives an eloquent statement of the case against ID cards in today's Guardian:
Some, like the editor of Prospect, David Goodhart, have attempted to portray the cards as "badges of citizenship embodying the idea of the contract between citizen and state". The argument is superficially comforting. "They help us to know who is in the country and what their status is and to protect the precious entitlements of all existing citizens." There is no mention in his recent essay of the database or the terrible potential for intrusion and control. And of course the idea of this being a contract is ridiculous when one party is being forced to sign or face penalties. The notion of a badge of citizenship is codswallop being put about by people who are too impressed by authority and too weak to oppose it.

When reading the ID card bill I am constantly struck by its minatory tone - the threats of fines and the general contempt for the average citizen. There's a reason for this. Rather than being something that is designed to help us, the card and the register are, in fact, tools of government control and surveillance. Over and above the information you have supplied at enrolment (please note the voluntary connotations of the word enrolment) your file on the NIR will build an entire picture of your life - your hospital visits, your children's schools, your driving record, your criminal record, your finances, insurance policies, your credit-card applications, your mortgage, your phone accounts (and, one presumes your phone records), and your internet service providers.

Every time you get a library card, make a hire-purchase agreement, apply for a fishing or gun licence, buy a piece of property, withdraw a fairly small amount of your money from your bank, take a prescription to your chemist, apply for a resident's parking permit, buy a plane ticket, or pay for your car to be unclamped you will be required to swipe your card and the database will silently record the transaction. There will be almost no part of your life that the state will not be able to inspect. And it will be able to use the database to draw very precise conclusions about the sort of person you are - your spending habits, your ethnicity, your religion, your political leanings, your health and even perhaps your sexual preferences. Little wonder that MI5 desired - and was granted - free access to the database. Little wonder that the police, customs and tax authorities welcome the database as a magnificent aid to investigation.

But know this: from the moment the database goes live, we will become subjects not citizens and each one of us will be diminished in relation to the state's power.

Something enormous and revolutionary is about to happen to us. We are giving the most precious part of ourselves to the government, allowing it complete freedom to roam through our privacy. And it's not just to this government, but to the governments of the future, the nature of which we cannot possibly know. And it's not just our privacy - it is the rights and privacy of future generations. While we are comfortable about handing this information over to the state, the citizens of the future may feel strongly about our complacency and our faith in the British government. We have a duty to those people, just as all the people who fought for the rights we enjoy today felt a sense of obligation to us.

The prime minister asks us to trust him and implies that abuse of a database would be unthinkable in Britain. But after the lies before the invasion of Iraq, the revelations of the Hutton inquiry and the evidence about rendition flights using British airspace I would suggest that we treat these sorts of assurances and appeals with the utmost suspicion.

Remember this government's attack on liberty. Remember what we have already lost - the campaign that has diminished defendants' rights, introduced punishment without a court deciding that the law has been broken, restricted protest and speech and even assembly. Blair is unabashed about his record and has taken to describing civil liberties as a privilege that may be removed from someone the moment they become a suspect or a defendant.

I am afraid I do not trust the government's motives - nor do I trust its competence. The past decade is littered with failed government IT projects - the Child Support Agency, the immigration records, the working tax credit database, the farmers' single payment scheme are a few that come to mind. This is to say nothing of its record on security. The NIR will literally have thousands of entry points where the information on your file can be accessed.

One of the worst failures of a government database came to light a few weeks ago when the Home Office admitted that the Criminal Records Office had wrongly identified 2,700 people as having criminal records. I cannot think of a clearer case of defamation and it is surprising there is not some kind of class action against the Home Office. Not only were these people's reputations seriously damaged, many were turned down for jobs as a result of the CRO's mistake and can therefore argue for a serious loss of earnings. But the Home Office did not even apologise. It is exactly the arrogance that I fear will come to characterise all government dealings with the person in the street once this database is operational.

As I said, I am instinctively - genetically, as I put it - opposed to ID cards and the Identity Register. I am also politically opposed because as the government database grows, I believe there will be a commensurate lessening in the state's respect for each one of us. We will be reduced to the great mass of classified specimens, pinned down and itemised like dead butterflies in a showcase. Because of the power it possesses over us, I believe the government will gradually become less accountable and less responsive to the needs and wishes of the people. Whereas once politicians were our servants, they will become our masters and we their slaves.

I have philosophical objections, too. In a free country I believe that every human being has the right to define him or herself independently and without reference to the government of the time. This, I believe, is particularly important in a multicultural society such as ours. The ID card and NIR require and will bring about a kind of psychological conformity, which is utterly at odds with a culture that has thrived on individualism, defiance and the freedom to go your own way.

And it will remove the right of those who for whatever reason wish to withdraw from the cares of the world and the influence of society, to resort to the consolations of solitude and privacy without inspection from a centralised authority. Privacy, anonymity and solitude are rights, and we are about to lose them for ever.

People say that everything about you is known already. Someone has calculated that each of us appears on up to 700 databases. But the real point is that everything that is known about you will become linked up on the NIR. The register will take on a life of its own, for once you set up a system like this it becomes ineluctably compelled to find out more and more about you. That will be its hardwired purpose.

Imagine handing over the keys to your home when you are out at work to allow some faceless bureaucrat to rifle through your desk and drawers, your photograph albums and children's school reports, your bills and love letters. That is the kind of access they are going to have, and it is going to grow as time goes by and we become accustomed to this unseen presence in our lives.

Well, it's not for me. I cannot do it. I will not do it, and I hope you won't either.

Tuesday, June 13, 2006

Does Irish law protect your voicemail?

The Irish Independent has a story about wrongful access to mobile phone voice mailboxes. Although the story claims that access to voicemail messages is "a crime under the Postal and Telecommunications Act 1983", it's not clear if that is true. Section 98(1) of the 1983 Act provides:
A person who-
(a) intercepts or attempts to intercept, or
(b) authorises, suffers or permits another person to intercept, or
(c) does anything that will enable him or another person to intercept,
telecommunications messages being transmitted by [a person deemed to be authorised under the Authorisation Regulations] or who discloses the existence, substance or purport of any such message which has been intercepted or uses for any purpose any information obtained from any such message shall be guilty of an offence.
The reference to telecommunications messages being transmitted suggests that stored messages, such as voicemail messages, may not be protected by section 98.

There are two counter arguments. First, it might be said that such messages are "being transmitted" until they are first listened to. This is an incomplete solution, however: at best it would only protect new messages, with those already listened to having no protection.

Second, it could be argued that the act of dialing into the voice mail itself causes the message to be transmitted, and the interception takes place where you listen to such a message. This is given support by the very wide definition of "interception" contained in section 98:
In this section, "interception" means listening to, or recording by any means, or acquiring the substance or purport of, any telecommunications message ...
Again, though, this is an incomplete solution. If we adopt this argument, then the mobile phone company employee who listens to the message at work would not be guilty of an offence, as the (locally held) message would not be transmitted.

This article highlights, then, one problem with Irish interception law. Whatever view we take, it seems that stored messages such as voicemail do not enjoy adequate protection - and it is long past time that the 1983 Act was updated to take account of technological changes in the meantime.

Monday, June 12, 2006

You couldn't make it up: Part 2

BBC NEWS - Guantanamo suicides 'acts of war':
"The suicides of three detainees at the US base at Guantanamo Bay, Cuba, amount to acts of war, the US military says.

The camp commander said the two Saudis and a Yemeni were 'committed' and had killed themselves in 'an act of asymmetric warfare waged against us'."

Friday, June 09, 2006

Sunday, May 28, 2006

Amnesty launches Irrepressible.info

Amnesty International have launched a campaign against online censorship called irrepressible.info. From that site:
Irrepressible
Adj. 1) Impossible to repress or control.

Chat rooms monitored. Blogs deleted. Websites blocked. Search engines restricted. People imprisoned for simply posting and sharing information.

The Internet is a new frontier in the struggle for human rights. Governments – with the help of some of the biggest IT companies in the world – are cracking down on freedom of expression.

Amnesty International, with the support of The Observer, is launching a campaign to show that online or offline the human voice and human rights are impossible to repress.
Amnesty's UK director Kate Allen explains:
'Open your newspaper any day of the week and you will find a report from somewhere in the world of someone being imprisoned, tortured or executed because his opinions or religion are unacceptable to his government.'

So began an article in this newspaper 45 years ago called 'The Forgotten Prisoners'. The author, Peter Benenson, urged people to call on governments to stop this persecution. The 'appeal for amnesty' that he started went on to become Amnesty International, a movement that now has 1.8 million supporters in more than 100 countries around the world and continues to stand up for freedom and justice wherever it is denied.

Much has changed in those 45 years. The Iron Curtain has been torn down and apartheid has ended; we have witnessed genocide in Rwanda and ethnic cleansing in the Balkans. And the world has moved on technologically: in 1961 people were expressing their opinions in books and newsprint; Amnesty members responded to their repression by writing letters. Now we have the internet; and Amnesty is able to mobilise its supporters online to lobby governments with emails and web-based campaigning.

Sadly what remains the same is that people are still being imprisoned for peacefully expressing their beliefs. Benenson started Amnesty after reading about two students arrested in a Portuguese cafe for raising a toast to freedom: 45 years on, we were recently made aware of three young Vietnamese people arrested after taking part in an online chatroom debate about democracy.

Governments still fear dissenting opinion and try to shut it down. While the internet has brought freedom of information to millions, for some it has led to imprisonment by a government seeking to curtail that freedom. They have closed or censored websites and blogs; created firewalls to prevent access to information; and restricted and filtered search engines to keep information from their citizens.

China is perhaps the clearest example. Its internet censorship and clampdown on dissent online is sophisticated and widespread. But Amnesty has documented internet repression in countries as diverse as Iran, Turkmenistan, Tunisia, Israel, the Maldives and Vietnam.

Another massive change since 1961 has been the rising power of multinationals, but some companies have been complicit in these abuses. So Amnesty is increasingly lobbying not just governments but powerful firms to respect the rights of ordinary people.

The internet is big business, but in the search for profits some companies have encroached on their own principles and those on which the internet was founded: free access to information. The results of searches using China-based search engines run by Yahoo, Microsoft, Google and local firms are censored, limiting the information users can access. Microsoft pulled down the work of one of China's most popular bloggers who had made politically sensitive comments. Yahoo gave information to the authorities that led to people being jailed for sending emails with political content. We do not accept these firms' arguments that it is better to have a censored Google, Yahoo or Microsoft in China than none at all.

So Amnesty International is again calling on Observer readers to join with us to take a stand for basic human freedoms. The internet has the potential to transcend national borders and allow the free flow of ideas around the world. Of course there is a need for limits to free expression to protect other rights - promoting violence or child pornography are never acceptable - but the internet still has immense power and potential.

Just by logging on to my computer I can exchange views with someone in Beijing or Washington. I can read what bloggers in Baghdad think of the situation in Iraq. I can find a million viewpoints that differ from my own on any topic. It is the greatest medium for free expression since the printing press, a meeting of technology and the social, inquisitive nature of human beings and the irrepressible force of the human voice. This is the new frontier in the battle between those who want to speak out, and those who want to stop them. We must not allow it to be suppressed.
As part of the campaign they've produced some clever HTML which allows you to display examples of the censored material on your own site, like this:

Saturday, May 27, 2006

US Government pushing internet data retention

ZDNet reports that:
U.S. Attorney General Alberto Gonzales and FBI Director Robert Mueller on Friday urged telecommunications officials to record their customers' Internet activities, CNET News.com has learned.

In a private meeting with industry representatives, Gonzales, Mueller and other senior members of the Justice Department said Internet service providers should retain subscriber information and network data for two years, according to two sources familiar with the discussion who spoke on condition of anonymity.

The closed-door meeting at the Justice Department, which Gonzales had requested, according to the sources, comes as the idea of legally mandated data retention has become popular on Capitol Hill and inside the Bush administration. Supporters of the idea say it will help prosecutions of child pornography because in many cases, logs are deleted during the routine course of business.
The Justice Department appears to be seeking "voluntary" data retention, but there are also proposals to introduce federal legislation:
Two proposals to mandate data retention have surfaced in the U.S. Congress. One, backed by Rep. Diana DeGette, a Colorado Democrat, says that any Internet service that "enables users to access content" must permanently retain records that would permit police to identify each user. The records could only be discarded at least one year after the user's account was closed.

The other was drafted by aides to Wisconsin Rep. F. James Sensenbrenner, the chairman of the House Judiciary Committee, a close ally of President Bush. Sensenbrenner said through a spokesman last week, though, that his proposal is on hold because "our committee's agenda is tremendously overcrowded already."
If you haven't already thought about protecting your privacy online, now would be a good time to start. At the moment, the best way of ensuring anonymous communication is probably the EFF's Tor system. If you're running Windows, Torpark is a quick and easy way of getting started. From the Torpark FAQ:
Installation Instructions

1. Download and run the exe, it will extract Torpark.
2. Put the Torpark directory where you want it, like on a USB drive.
3. Run Torpark.exe

What is Torpark, exactly?

Torpark is a fully configured combination of Tor (The Onion Router) and Mozilla's browser technologies, enabled by John T. Haller's Portable Firefox. As of v1.5, the whole package is wrapped up in a nice single executable with file directory. No installation, no registry keys, no files left behind.

How can this be used?

Lots of ways! It can be used to circumvent censorship firewalls, like at work or in China. It can be used to bypass paying for internet access at a wifi cafe. It can be used at school computers so you can get full access to the internet. And best of all, if there are no key loggers secretly installed on the machine, nobody is going to know where you went, what you saw, who you spoke to, or what you said. It is all encrypted in a tunnel between your computer, and at least three others somewhere in the world. Only after your data has passed through the encrypted and constantly changing tunnel (a tor circuit) will it reach the internet as unencrypted. The data from surfing the internet goes through the same tunnel as well, passing back to you encrypted, where your computer uses Tor to decrypt it to the Torpark browser. When you need a secret and secure tunnel to surf the internet, Torpark is your mobile solution.

Thursday, May 25, 2006

Online Anonymity - Ryanair Edition (continued)

Ryanair are back in the High Court seeking to identify pilots who have anonymously criticised them online. According to the Belfast Telegraph:
Ryanair went to court yesterday to find out who is behind messages on its pilots website. The airline wants to know the identity of those people who go under the codenames 'ihateryanair', 'cantfly-wontfly' and others on the Ryanair European Pilots Association (REPA) website. The REPA website was set up two years ago to give "an anonymous and secure way for Ryanair pilots throughout Europe to communicate with each other". According to the website, it "allows Ryanair pilots to freely express their views on a range of industrial safety and professional issues". The membership is exclusive to Ryanair pilots, including those on contract and trainees.

In the action, which opened yesterday in the High Court, Ryanair is seeking a number of orders against Neil Johnston, an official with the trade union IMPACT; the Irish Airline Pilots Association and its British counterpart, BALPA. The airline contends it has a duty to identify the persons behind the codenames. It claims the website was established by and is controlled by IALPA and BALPA. This is denied by both pilots' associations. Ryanair is also seeking an order requiring the defendants to disclose all information within their knowledge relating to threats, intimidations and harassment of Ryanair pilots. The airline claims the defendants have refused Ryanair's requests to identify the persons behind the codenames and alleges they have sought to destroy records, registration details, databases and information relating to REPA members. Ryanair claims that unknown persons, allegedly known to the defendants, are engaged in a concerted process of intimidation, bullying, harassment and criminal activity. In an affidavit, Eddie Wilson, director of personnel with Ryanair, said that REPA, which was not a registered trade union, was set up in 2004 and its web site was designed to allow Ryanair pilots communicate with one another in a manner designed to obscure the identity of the person communicating through the use of codenames and password procedures. The defendants deny the claims and say REPA was established to facilitate the organisation of pilots employed by Ryanair in order to protect those pilots and their employment within the industry. The case continues today.
I've blogged about this case before. The defendants have already accused Ryanair of seeking to intimidate pilots from engaging in legitimate debate. It will be very interesting to see whether the High Court gives adequate weight to the freedom of expression issues at stake.

Wednesday, May 24, 2006

Yet another argument against ID cards: Error exposes 26m US veterans to ID theft

Just in case you were wondering why we worry about vast government databases, the Times gives us a reminder:
AS IF war wounds and post-traumatic stress were not enough, millions of US military veterans face the risk of identity theft.

Personal data on 26.5 million veterans fell into the hands of criminals when a laptop and computer disks were stolen from a government official who had taken the information home without permission. The data contains the name, date of birth and social security number of everyone discharged from the American Armed Forces since 1975.

The security breach is second in scale only to the hacking attack on CardSystems Solutions last June, which compromised the accounts of 40 million credit card holders. But it is potentially even more damaging because the stolen information contains social security numbers, which can be used to obtain credit cards and loans in a victim’s name.

Veterans reacted with fury at the prospect of having their identities stolen by criminals who might run up huge debts in their names.

Tuesday, May 23, 2006

Innocent people branded criminals on government database: the victims' stories

The Mail on Sunday has more on the victims of the UK Criminal Records Bureau:
One of those whose lives have been ruined by the CRB is 19-year-old Emma Budd, from Maesteg, Glamorgan, who is still fighting to have her records amended after being wrongly accused of having two convictions for theft. She was rejected for two jobs teaching disabled children as a result of the mistake and has now spent almost two years trying to have the error rectified.

In 2004, she applied for a position at the National Children's Home and paid £34 for the CRB check - only to be told to her horror that she had two alleged 'convictions' for theft.

Emma said: 'I have never stolen anything in my life. But I was devastated - I felt like a criminal even though I knew I wasn't one. I disputed the results. I had to go down to the police station and have my fingerprints taken. It was mortifying.'

She added: 'The police blamed the Criminal Records Bureau for the mistake and the CRB blamed the police. It was all down to the bureaucracy. Nobody would take the blame.'

Finally the police told her that her name had been cleared and she applied to work as a home carer - but to her amazement, the required criminal records check again listed her as a convicted thief.

She has now been reassured that her records have been amended but says she will not believe this until she sees it working in practice.

David Mansfield, 58, was prevented from taking up a post as an assistant for children with learning difficulties at a local college after the CRB wrongly identified him as a peddler of hardcore pornography.

Mr Mansfield, from Hertford, who spent a lifetime working in the transport division of the NHS before taking early retirement, said: 'The CRB record claimed I had been convicted for selling hardcore pornography in Bournemouth in 1972. It was absolutely ridiculous.

'It was a horrible slur on my character and I was determined to clear my name. But you find you're dealing with a nebulous, faceless bureaucracy which makes it worse.

'It was hard work to get any replies and I was always chasing them. But I was determined to have my name cleared because it meant I would be debarred from doing any community or social or voluntary work.

'Eventually, the CRB admitted they had made a mistake and sent me £150 as an ex-gratia payment, but there was no apology.'
The Mail on Sunday editorial draws the obvious conclusions:
The apparatus of vigilance cannot be trusted to use its existing powers well or wisely. After all the recent revelations of Home Office incompetence, the disclosure that almost 1,500 citizens have been wrongly said to have criminal records is less shocking than it would once have been.

Even so, the scale of this bungle ought to be a strong warning against the Government's half-completed and so far voluntary plans to put us all on a national identity database.

Such a system would be far larger, far more all-embracing and far more open to misuse and confusion than the Criminal Records Bureau. And, given the gullible reliance of bureaucrats on official records, imagine the endless battles to clear names and overcome identity confusion that are bound to result.

Thousands of us will be constantly having our fingerprints retaken to persuade inflexible jobsworths that we are not terrorists or child molesters.

On the basis of its performance so far, the official claim that ID cards will be a protection against identity theft may well turn out to be the opposite of the truth. The State, whose job it is to safeguard the people, instead stole the good names from hundreds of decent individuals. Those who had nothing to hide turned out to have plenty to fear.

Your personal information is for sale: Job applicants subjected to illegal record checks

The Times has revealed yet more abuse of UK government databases:
THOUSANDS of people have been subjected to illegal background checks when they applied for jobs that did not require vetting, according to a report on the Criminal Records Bureau.

As demand for checks from the bureau grows, there are increasing concerns that employers are misusing the system.

Job applicants have been subjected to scrutiny when they applied to be refuse workers, dog wardens, car park attendants and train drivers. On one occasion checks were sought on people applying to take part in a television game show.

Disclosure of information should occur only when people are applying for jobs that involve working with children and vulnerable adults or certain financial and security-related occupations.

Sunday, May 21, 2006

Yet another reason to oppose ID cards: Innocent people branded criminals on government database

Reuters reports that:
The [UK] government, already under pressure over a series of blunders in its immigration and prison services, has confirmed it wrongly branded around 1,500 innocent people as criminals due to a computer mix-up.

It said the Criminal Records Bureau (CRB), which carries out checks on people who have applied for jobs working with children or vulnerable adults, had confused the innocent people with convicted criminals because they had similar or identical names.

The names were stored on a police database.
Bear in mind that these are just the mistakes we know about: the people who were persistent or lucky enough to establish the truth. How many other people have had their reputations and careers ruined because of government incompetence? And the official response to this outrage? Apologies? Vows that it will never happen again? Far from it:
"We make no apology for erring on the side of caution. We are talking about the protection of children and vulnerable adults," a Home Office spokesman said.
There you have it. Far from being sorry, the government feels that it is appropriate to ruin the lives of the innocent. Exactly how branding innocent people as criminals protects children is left to the imagination of the reader.

Friday, May 19, 2006

Lib Dems: UK Government unable to protect existing databases, new ID card database an even juicier target

From Silicon.com:
"Organised crime will try and crack the identity cards database — the National Identity Register (NIR) — the Liberal Democrats have warned.

Last year it was revealed that the identities of 13,000 civil servants had been stolen and used by criminals to make fake tax credit claims.

Liberal Democrat home affairs spokesman, Nick Clegg, said the theft was a 'terrible omen' for the forthcoming ID cards scheme.

Clegg said, if organised criminals are capable of infiltrating the Department for Work and Pensions (DWP), 'it is clear they will target the identity cards database, where the stakes are even higher.'

Clegg said in a statement: 'The government's claims that ID cards will cut identity fraud look increasingly unrealistic. If the ID cards database is breached, people could find their iris scans and fingerprints — as well as personal data and national insurance numbers — stolen.'"

Thursday, May 18, 2006

Irish users most aware of data retention

According to Google Trends, Irish users are most likely to search on the terms "data retention" - outstripping the next country (the UK) by over two to one. I'm going to take this as a sign that Digital Rights Ireland is succeeding in raising public awareness of the issue.

UK plans to put your bedroom online - literally

The Labour party seems to have forgotten its past campaigns to keep the State out of the bedroom. From Contractor UK:
Digital pictures showcasing the interiors of taxpayers’ homes will be posted on the internet under freshly laid plans to be considered by the Deputy Prime Minister.

Under the scheme to revaluate 22 million homes, council tax snoopers could be given digital cameras to snap inside people’s homes, including their bathrooms, bedrooms and conservatories.

Confidentiality inside the home is an “old fashioned attitude” and taxpayers should feel no need to “hide” their expenses or value of their property, said Paul Sanderson, director of modernisation for the tax inspectors.

Instead, photographs of the property, details and “everything” about how much residents paid for their house, or rent, should be posted on a publicly accessible website.

His suggestions have caused outrage among politicians and taxpayer alliances, while also raising fears among internet commentators.

Their concern centres on property information, including photographs, being sold in bulk to junk mailers and marketing companies, in light of the government’s decision to sell private data provided by the DVLA.

“Householders are already angry at the fact that camera-wielding tax inspectors can barge inside their family homes to record the number of bedrooms, size of their garage and their conservatory,” said Caroline Spelman, the Conservative minister.

“I suspect that people will be further shocked to discover that this private information would then be published on the internet for anyone to see and sold to junk mailers.”

The internet plan aims to reduce the number of people appealing against council tax payments by letting them use the website to compare their home’s value with neighbours’.
"Confidentiality inside the home is an 'old fashioned attitude'"? Words fail me. Fortunately, the drafters of the European Convention on Human Rights had something to say about this: "Everyone has the right to respect for his private and family life, his home and his correspondence."

More generally, this episode illustrates how seemingly unrelated areas of public policy impact on privacy. If a tax system requires disproportionate amounts of private information in order to function, the solution is not to put that information online for the world to see but to reform the system so that it is less privacy invasive, and to carry out privacy impact assessments before new tax policies are adopted.

Wednesday, May 17, 2006

High Court gives disappointing decision on video surveillance

In Atherton v. DPP the High Court has considered, apparently for the first time, the admissibility of evidence obtained by video surveillance.

The case concerned a defendant accused of damaging a neighbour's hedge. The neighbour resorted to video surveillance to catch the perpetrator, and placed a video camera in an upstairs window of a house across the street. From there, the camera recorded the neighbour's front garden, but also the front garden, driveway, door and windows of the defendant's adjoining semi-detached house.

The defendant argued that the resulting video footage of him was obtained unlawfully and in breach of his constitutional rights, particularly where it involved surveillance of his dwelling. This was rejected, however, by Peart J. who held that:
I am satisfied that the taking of video footage of the hedge and in so doing the front of the accused’s house is not an act which constitutes an unconstitutional invasion of the right to privacy as contended by Mr O’Higgins. First of all, it is obvious that the front of the accused’s house is something which is visible from the public road – perhaps only with the use of a ladder, but nonetheless visible. It is certainly visible from the upstairs of the house opposite, from which the footage was taken. In my view there is no meaningful distinction between the evidence of what was happening to the hedge in the garden opposite that house being given in the form of video footage, and that very same evidence being given by the owner of the house opposite if he arranged things so that he was standing at the same window as the camera was set up at and observing himself what was happening. He would undoubtedly be permitted to give evidence viva voce of anything which he observed happening in the garden into which he was looking, and it could not possibly be seriously contended that if that person also saw the accused re-entering his house through the front door, and while the door was open saw also into the hallway, that in some way that person had breached the accused’s right to privacy by seeing what he saw. The camera has done no more and no less than that.

Of course, a different view might easily be taken if the act of setting up the camera in the required position involved a trespass upon the property of the person to be observed. That is a different matter altogether. But that is not the position in this case. The point was made by Mr O’Higgins that this camera in the way it was set up had the capacity to see into rooms at the front of the accused’s house if the curtains were open. But in my view the problem with that submission is that the same arises if a person were to place himself at the window opposite and in the event that the owner happened to leave the curtains open.

I do not believe either that the accused’s application is assisted by the evidence given by the Garda that up to 70% of the footage contained in the frame of the video is taken up with the front of the accused’s house, rather than the hedge itself. One way or another I cannot see that there has been any breach of the accused’s right of privacy in relation to his dwelling and its curtilage – especially in the absence of any trespass or other unlawfulness. It is not necessary in these circumstances to consider whether the balancing of the rights was correctly undertaken by the District Judge was correctly carried out. There simply has been no breach as far as I can see, and therefore no justification of a breach need be investigated and considered.
This judgment is unusual, to say the least, and it is significant that no authority is cited by Peart J. for his ruling. Three points are particularly problematic. First, it relies on the fact that the area was visible from the public road (with the aid of a ladder!) or from the facing houses to deny that any privacy interest existed. This approach is entirely inconsistent with the caselaw of the European Court of Human Rights which made it clear in Peck v. the United Kingdom that privacy rights could subsist even in respect of CCTV footage of public areas. Secondly, it focuses on the fact that there was no trespass to the defendant's property. It is unclear, however, why this should be relevant. The tort of trespass deals with property rights - not privacy rights. Whether there is a physical invasion of the defendant's space should not be determinative. Indeed, the "trespass doctrine" has, after an ignoble history, been long since abandoned in the United States - see Katz v. United States, and there is no apparent reason why it should be resurrected here. Finally, the decision equates video surveillance with the view of a person who might place themselves at the window. This is to overlook, however, the pervasive and permanent nature of video surveillance - there is a qualitative difference between occasional transient views and continuous, permanently recorded, surveillance.

Instead, this appears to be a case where a balancing exercise would have been appropriate: and such a balancing exercise would probably have come to the same conclusion - that the video surveillance was not especially intrusive and was justified in the circumstances. By denying that any privacy right exists, however, the court sets an undesirable precedent.

[It may be worth contrasting this decision with the views of the Data Protection Commissioner in respect of CCTV cameras on the Luas line. In that case it was accepted that there was a breach of the Data Protection Acts where back gardens were being monitored by the Luas CCTV cameras. While there is certainly a greater expectation of privacy in a back garden, those gardens were presumably visible by travellers on the Luas line, which would have ruled out any privacy interest if we were to apply the reasoning of Peart J.]

Update (16/8/2007): Eoin Carolan has a very interesting piece in the Dublin University Law Journal ("Stars of Citizen TV" (2006) 13(1) DULJ 326) discussing Atherton.