Sunday, October 18, 2009

Data breach consultation paper now out

The Data Protection Review Group has now published a consultation paper (pdf) on reforming Irish law on notification of data breaches. Pages 33-38 on possible regulatory options are particularly useful, though the group is clearly hampered by the fact that any national reforms might soon be out of date as a result of changes at European level.

Garda databases still open to abuse?

From today's Sunday Business Post:
A garda undermined a series of major anti-crime surveillance operations by passing details of car registrations belonging to undercover detectives onto a gang of armed robbers.

The garda is the subject of an internal investigation which is looking into a number of officers who are suspected of being on the payroll of separate Dublin criminals. The garda was in regular contact with a crime figure who is facing charges related to serious criminal activity.

When the criminal gang suspected that they might be under surveillance, they supplied the garda with a list of car registrations they had encountered. The garda checked the car details on the force’s Pulse IT system and informed the gang if the cars were part of the Garda fleet.

In several cases, the garda was able to identify vehicles that were being used by an undercover Garda unit. To avoid detection, the officer got junior uniformed gardaí to log into the Pulse system using their own passwords - as the system records a digital imprint of every log-in by a member using their unique password, The Sunday Business Post understands.
Update (8.11.09) - The Sunday Independent has more on abuse of Garda databases.

v. - Denis O'Brien takes the PR battle online

Today's Sunday Business Post has an interesting article about Denis O'Brien's latest salvo in his ongoing PR battle against the Moriarty Tribunal investigation into how he came to be awarded Ireland's second mobile phone licence.

The official website of the Tribunal is and O'Brien has now launched a full frontal attack on the findings of the tribunal at, which bills itself as presenting "the true picture of the Moriarty Tribunal's 8 1/2 year inquiry into the awarding of the second mobile phone licence" - including confidential correspondence between the Tribunal and parties.

Is a UDRP claim on the cards? Probably not (though there has been one case where an Irish public body has unsuccessfully invoked the IEDRP). Nevertheless, I'll be interested to see whether the Tribunal will object to the use of such a similar domain name.

Friday, October 16, 2009

UK Government abandons plans for mandatory web filtering

Just over a month ago the Independent on Sunday reported that:
The Home Office is drawing up plans for what, in effect, would be the first form of state intervention in Britain in relation to the internet.

British ISPs would face heavy fines for failing to block sites containing images of child sexual abuse, according to the contents of a leaked Home Office document seen by The Independent on Sunday...

The leaked Home Office letter says a clause in the Police, Crime and Private Security Bill in the Queen's Speech would "compel domestic ISPs to implement the blocking of illegal images of child sexual abuse".
This was far from new policy - since 2006 the Home Office has consistently said that it would legislate for mandatory filters unless ISPs "voluntarily" filtered against the IWF blacklist. But according to The Register, it has now rather abruptly changed its position:
The government has abandoned its long-standing pledge to force 100 per cent of internet providers to block access to a list of child pornography websites.

The decision to drop the policy will be finalised at a meeting on Monday to be attended by internet industry representatives, children's charities and Alun Michael MP.

The former minister had aimed to pressurise small ISPs to implement the Internet Watch Foundation's (IWF) blacklist with the threat of legislation, but the Home Office has now backed down. A lobbying campaign argued costs were too high for small companies to bear and that the blocking technology can be easily circumvented by determined paedophiles.
Instead the Home Office will attempt to use consumer pressure to encourage the remaining ISPs to filter:
For the first time the IWF will publish the list of ISPs who are certified as having implemented its blacklist. "Hopefully consumer and public pressure will encourage the ISPs who aren't on the list to comply," said Carr. A Home Office spokesman said: "We will continue to urge ISPs to implement blocking, and ask consumers to check with their suppliers that they have done so. The Government recognises the work done by most of the internet industry to tackle this problem."
Why the about-face? One factor may have been that the Home Office didn't enjoy wide support for its plans even amongst official bodies. The Chief Executive of the Child Exploitation and Online Protection Centre (CEOP) recently said that he was not convinced of the need to introduce mandatory filtering, while apComms had come out strongly against mandatory web filters. Key to both views was the recognition (which was slow in dawning at the Home Office) that web filters are increasingly irrelevant to the wider problem. Or, as The Register put it:
One likely factor in the softening of stance of both the government and charities is the fact that on the frontline of online child protection, websites carrying images of abuse are no longer seen as a priority.

The Child Exploitation and Online Protection Centre is focussed on paedophile peer to peer networks as they are much more likely to carry recent images, potentially indicating ongoing abuse. The IWF's website blocking is seen as yesterday's issue.
Coincidentally, Germany is also having second thoughts about mandatory filtering, with post-election negotiations for a new coalition government featuring demands that the proposed filtering system be halted.

Thursday, October 15, 2009

apComms come out for worldwide IWF system; against mandatory internet filtering

apComms - the influential UK All Party Parliamentary Communications Group - have now issued the Report from their inquiry "Can we keep our hands off the net?". This inquiry commenced in April and focused on five questions:
#1 Can we distinguish circumstances when ISPs should be forced to act to deal with some type of bad traffic? When should we insist that ISPs should not be forced into dealing with a problem, and that the solution must be found elsewhere?
#2 Should the Government be intervening over behavioural advertising services, either to encourage or discourage their deployment; or is this entirely a matter for individual users, ISPs and websites?
#3 Is there a need for new initiatives to deal with online privacy, and if so, what should be done?
#4 Is the current global approach to dealing with child sexual abuse images working effectively? If not, then how should it be improved?
#5 Who should be paying for the transmission of Internet traffic? Would it be appropriate to enshrine any of the various notions of Network Neutrality in statute?
The full report is an interesting document, and is squarely at odds with current government policy in several areas. Here's what it has to say on filesharing, for example:
We do not believe that disconnecting end users is in the slightest bit consistent with policies that attempt to promote eGovernment, and we recommend that this approach to dealing with illegal file-sharing should not be further considered.
What interests me most is what apComms have to say about dealing with online child pornography. Here they've adopted what seems to be a sensible approach (no doubt influenced by their advisor, Richard Clayton) warning against over-reliance on filters, rejecting government policy to introduce mandatory filters and instead recommending an international extension of IWF-type voluntary cooperation on notice and take-down systems:
We recommend that the Government does not legislate to enforce the deployment of blocking systems based on the IWF lists. This has the potential to damage future attempts to fix problems through self-regulation, and will thus, in the long term, be counterproductive...

It seems quite clear from the evidence that we received that a great deal more could be done to promptly request ISPs to remove child sexual abuse image websites. The IWF are clearly doing a good job along these lines within the UK, but they tell us that they are unable to extend this activity to key countries such as the US and Russia.

In our view, this is an unacceptable situation. If the IWF are unable to perform this important function on a global basis, then some other organisation will need to be given the task. Although there is no particular reason why such a global body should be UK based, the long history of leadership in this area makes the UK a natural candidate to develop a new approach.

We recommend that the Government, in consultation with the EU Commission, establish whether the Internet Watch Foundation (IWF) should extend its “notice and take-down” mechanisms to the whole world, and if not, work to establish such a global system.
More from Andres and The Register.

Wednesday, October 14, 2009

Judgment in Irish Pirate Bay blocking case now available

The website now has the full text of the judgment by Charleton J. in EMI Records v. Eircom where an order was made against Eircom requiring them to block access to The Pirate Bay. This decision is of limited precedential value - it was made on the consent of Eircom and is an ex tempore judgment only. Nevertheless it's worth reading for an insight into how Irish judges will respond to claims that websites should be blocked.

The judgment itself doesn't refer to the terms of the order against Eircom, but I've previously put up the relevant portions of the order.

Tuesday, October 13, 2009

IRISS Conference on Cybercrime in Ireland

This promises to be a very interesting event:
IRISS Conference 2009

IRISS will hold its first annual conference on the 19th of November 2009 at the D4 Berkley Court hotel. This all day conference will focus on providing you with an overview of the current cyber threats facing businesses in Ireland and what you can do to help deal with those threats.

Experts on various aspects of cyber crime and cyber security will share their thoughts and experiences with you while a number of panel sessions will provide you with the opportunity to discuss the issues that matter to you most. There will be a number of expert speakers on cyber crime including representatives from;

* The Irish Reporting and Information Security Service
* An Garda Siochana,
* The Data Protection Commissioner's Office
* The European Network and Information Security Agency
* OWASP (The Open Web Application Security Project).

In parallel to the above speaking sessions Ireland's first Cyber Security Challenge, HackEire, will be held to identify Ireland's top cyber security experts. HackEire will see 10 teams, up to a maximum of four people per team, compete against each other in a controlled environment to see which team will be the first to exploit weaknesses in a number of systems and declare victory. The purpose of the HackEire competition is to demonstrate how attackers could gain access to your systems and allow you to learn from the event on how to prevent such attacks from impacting your network.

The conference will be open to anyone with the responsibility for securing their business information assets. There is no charge for those who wish to attend.
(via Michele)

Monday, October 12, 2009

Employment law issues that didn't exist when I was in law school

Employers must gain control of their employees' online behaviour and virtual attire according to business research firm Gartner. It said that companies should establish dress codes for employees' avatars.