Wednesday, November 24, 2010

EU Internal Security Strategy Published

The Commission has just published an internal security strategy document setting out a four year plan for European level action on the issues of "fighting and preventing serious and organised crime, terrorism and cybercrime, strengthening the management of our external borders and building resilience to natural and man-made disasters."

While the entire plan is likely to be controversial (and the sections on border control have already been criticised), I'd like to focus on the section on cybercrime and to offer a few thoughts:
Action 1: Build capacity in law enforcement and the judiciary

By 2013, the EU will establish, within existing structures, a cybercrime centre, through which Member States and EU institutions will be able to build operational and analytical capacity for investigations and cooperation with international partners. The centre will improve evaluation and monitoring of existing preventive and investigative measures, support the development of training and awareness-raising for law enforcement and judiciary, establish cooperation with the European Network and Information Security Agency (ENISA) and interface with a network of national/governmental Computer Emergency Response Teams (CERTs). The cybercrime centre should become the focal point in Europe's fight against cybercrime.

At national level, Member States should ensure common standards among police, judges, prosecutors and forensic investigators in investigating and prosecuting cybercrime offences. In liaison with Eurojust, CEPOL and Europol, Member States are encouraged by 2013 to develop their national cybercrime awareness and training capabilities, and set up centres of excellence at national level or in partnership with other Member States. These centres should work closely with academia and industry.
The recommendations for action at EU level are welcome, but unfortunately Ireland has a long way to go to meet the recommendations for action at national level. I've written about the failings in the Irish response to cybercrime recently in the Sunday Business Post.
Action 2: Work with industry to empower and protect citizens

All Member States should ensure that people can easily report cybercrime incidents. This information, once evaluated, would feed into national and, if appropriate, the European cybercrime alert platform. Building on the valuable work under the Safer Internet Programme, Member States should also ensure that citizens have easy access to guidance on cyber threats and the basic precautions that need to be taken. This guidance should include how people can protect their privacy online, detect and report grooming, equip their computers with basic anti-virus software and firewalls, manage passwords, and detect phishing, pharming, or other attacks. The Commission will in 2013 set up a real-time central pool of shared resources and best practices among Member States and the industry.

Cooperation between the public and private sector must also be strengthened on a European level through the European Public-Private Partnership for Resilience (EP3R). It should further develop innovative measures and instruments to improve security, including that of critical infrastructure, and resilience of network and information infrastructure. EP3R should also engage with international partners to strengthen the global risk management of IT networks.

The handling of illegal internet content – including incitement to terrorism – should be tackled through guidelines on cooperation, based on authorised notice and take-down procedures, which the Commission intends to develop with internet service providers, law enforcement authorities and non-profit organisations by 2011. To encourage contact and interaction between these stakeholders, the Commission will promote the use of an internet based platform called the Contact Initiative against Cybercrime for Industry and Law Enforcement.
Much of this is uncontentious, but the references to handling illegal internet content require careful scrutiny. The "guidelines on cooperation" and "notice and takedown procedures" reflect a worrying trend at EU level towards bringing about internet censorship by means of self-regulation. The result is that decisions about legality are made in a way which has no legislative basis and excludes judicial oversight. This trend can already be seen in relation to internet filtering, but this strategy, if implemented, would seem to extend it significantly further. It is hard to see how this proposal could be compatible with Article 10 of the European Convention on Human Rights, which protects freedom of expression and permits restrictions only where they are "prescribed by law".
Action 3: Improve capability for dealing with cyber attacks

A number of steps must be taken to improve prevention, detection and fast reaction in the event of cyber attacks or cyber disruption. Firstly, every Member State, and the EU institutions themselves should have, by 2012, a well-functioning CERT. It is important that, once they are set up, all CERTs and law enforcement authorities cooperate in prevention and response. Secondly, Member States should network together their national/governmental CERTs by 2012 to enhance Europe's preparedness. This activity will also be instrumental in developing, with the support of the Commission and ENISA, a European Information Sharing and Alert System (EISAS) to the wider public by 2013 and in establishing a network of contact points between relevant bodies and Member States. Thirdly, Member States together with ENISA should develop national contingency plans and undertake regular national and European exercises in incident response and disaster recovery. Overall, ENISA will provide support to these actions with the aim of raising standards of CERTs in Europe.
The Irish CERT body (IRISS) does not have any state funding at present - will this recommendation encourage the Irish government to provide funding?

Wednesday, November 17, 2010

Legal issues for mobile marketing

Peppe Santoro of Eversheds O'Donnell Sweeney has just placed a very comprehensive and useful presentation on this topic on Slideshare. Strongly recommended.

Friday, November 12, 2010

More developments on defence access to breathalyser source code

I've blogged before about whether a defendant in a drink driving charge is entitled to examine the source code to the breath testing machine, and there's been a High Court decision on this point since then, but this issue has recently cropped up yet again in the form of an interesting decision of the Information Commissioner.

In Case 080260 - Mr. W & The Medical Bureau of Road Safety (MBRS) the applicant sought to use a FOI request to the Medical Bureau of Road Safety to obtain (amongst other things) the source code relating to a "Lion Intoxilyzer 6000 IRL". The decision of the Information Commissioner addressed a number of important issues - including whether FOI could be used to "provide a parallel system whereby the defence could obtain what is in effect disclosure in a criminal case" - but in relation to the source code the Commissioner had this to say:
It is my understanding that the term "source code" refers to high level code, the disclosure of which would allow the development of competing products. I therefore accept that the source code at issue in this case qualifies as a trade secret within the meaning of section 27(1)(a) of the FOI Act. I also consider that, on balance, the public interest would not favour release, particularly if the testing, maintenance and repair records are made available. As Ms. Campbell stated, court procedures must be considered adequate to ensure the fairness of any criminal proceedings under the Road Traffic Acts.

I also accept that a duty of confidence would be owed to Lion Laboratories in the circumstances. Moreover, I note that evidence was submitted in the case stated by Judge Mary Devins in DPP v. O'Malley [2008] IEHC 117 to show that the MBRS is contractually prohibited from disclosing the source code to any third party. In the circumstances, I am satisfied that the source code is exempt under section 26(1)(b) as well as section 27(1)(a) of the FOI Act.
While this may be the correct result in the context of FOI, when taken together with the decision in DPP v. O'Malley it seems to leave defendants in drink driving cases with no effective means of challenging the inner workings of the machines used to convict them, and may potentially lead to an injustice. As a fundamental principle of law, if a person is to be convicted based on the "testimony" of a machine then that person should have the right to challenge the process by which the machine generates that "testimony" - something which may require inspection of the source code, since testing, maintenance and repair records show only that a machine was serviced, not how it converts a breath sample into the figure relied on in court. As things stand, however, it seems that there is no route in Irish law for that to be done.

Wednesday, November 10, 2010

Advertising standards, the internet and "ghost and entity removal"

There was some publicity recently about the fact that the UK Advertising Standards Authority is to extend its remit to cover online advertising also. Surprisingly, however, there appeared to be very little awareness of the fact that the Advertising Standards Authority of Ireland has explicitly covered internet advertising since 2001. (Rather than 2009, as the Sunday Business Post suggested.)

To honour this long record of regulating internet advertising, I thought I'd share a recent ASAI decision on internet advertising- one which considered amongst other things "Shamanic Healing", "Angel Therapy" and - best of all - "Ghost and Entity Removal". The complaint related to an Irish website Seventh Heaven Healing and the variety of "spiritual" services it offered. According to the decision, "the complainant challenged all the claims in relation to distant healing and medical advice from the spirit world. He questioned the ability to arrange for divine intervention and requested that proof be provided for all claims."

Perhaps unsurprisingly, the ASAI wasn't persuaded by the website owner's claims that she could not prove her "claims on healing an individual without disclosing personal information about the people in question" and that "as a medical intuitive she uses her mediumship ability to help individuals remove energy blocks on an energetic scale". Consequently it ordered that "the advertisement must not run in its current format again".

As to how effective that ruling has been, judge for yourself at seventhheavenhealing.net. (Warning - autoplay saccharine music.) Or, if you're in a hurry, jump straight to the "Ghost and Entity Removal" page.

For a related ASAI ruling on "powerful energy over the phone" and "healing" in relation to cancer and "sick babies" see this decision.

Police access to encrypted files: Does the Anglo case show up a gap in the legislation?


According to today's Irish Independent the Anglo investigation is being held up by encrypted files:
Gardai are unable to examine more than 100 key files in their investigation into Anglo Irish Bank because former senior executives have not handed over the computer passwords.

Former Anglo staff hold passwords to about 200 documents vital to the inquiries being carried out jointly by the Garda Fraud Bureau and the Director of Corporate Enforcement.

The passwords for around a third of the encrypted documents have been produced so far by the bank. But Anglo admitted it has been unable up to now to secure the rest.

Among the former employees being contacted by Anglo to establish if they have knowledge of the missing passwords is its ex-chairman Sean FitzPatrick.

Gardai are using state-of-the-art technology to crack the password puzzle and are confident they will be able to gain access to all of the key documents.

But they indicated yesterday that the absence of the passwords was one of the factors which have delayed the completion of their inquiries.
In light of this story it might be worth considering the legal position governing police access to such files and whether or not the former bank officials mentioned might be compelled to assist in decrypting them.

Background

Irish law generally doesn't require disclosure of passwords or private keys to police - see e.g. section 28 of the Electronic Commerce Act 2000, which provides that nothing in that Act requires the disclosure of private keys or similar data. (This is in contrast to the position in the UK, where Part III of the Regulation of Investigatory Powers Act 2000 gives a wide power to order disclosure of keys or passwords and makes it an offence to fail to comply - see here for an example of such an order.)

However, there are specific Garda powers under the Criminal Justice (Theft and Fraud Offences) Act 2001 which are relevant. Will they apply to the facts of this particular case?

Search warrants

The first power is contained in section 48 of the Act, which deals with search warrants and provides that:
A member of the Garda Síochána acting under the authority of a warrant under this section may—

(a) operate any computer at the place which is being searched or cause any such computer to be operated by a person accompanying the member for that purpose, and
(b) require any person at that place who appears to the member to have lawful access to the information in any such computer—

(i) to give to the member any password necessary to operate it,
(ii) otherwise to enable the member to examine the information accessible by the computer in a form in which the information is visible and legible, or
(iii) to produce the information in a form in which it can be removed and in which it is, or can be made, visible and legible.
Consequently search warrants under this section can have the effect of requiring individuals to provide passwords or to decrypt information (to provide it in a "visible and legible" form). However, this power wouldn't apply in the context of the Anglo investigation insofar as it only applies to any "person at the place which is being searched". Former bank employees who are sipping brandy at home can't be required to assist in the decryption process.

Evidence orders

At first glance, the section 52 power would appear to be more promising. That section provides that:
(2) A judge of the District Court, on hearing evidence on oath given by a member of the Garda Síochána, may, if he or she is satisfied that—

(a) the Garda Síochána are investigating an offence to which this section applies,
(b) a person has possession or control of particular material or material of a particular description, and
(c) there are reasonable grounds for suspecting that the material constitutes evidence of or relating to the commission of the offence,

order that the person shall—

(i) produce the material to a member of the Garda Síochána for the member to take away, or
(ii) give such a member access to it,

either immediately or within such period as the order may specify.

(3) Where the material consists of or includes information contained in a computer, the order shall have effect as an order to produce the information, or to give access to it, in a form in which it is visible and legible and in which it can be taken away.
As with the section 48 power, this includes a power to require a person to decrypt information (though not to require a person to provide a password or key). Again, however, it wouldn't seem to apply to former bank officials. The order to produce and/or decrypt evidential material applies where a person has certain material in their "possession or control". This wouldn't seem to stretch to the situation where the material - the file - is located on bank premises and as such isn't in the possession or control of the former bank official.

Other statutory powers?

Sections 48 and 52 of the 2001 Act are not the only statutory powers to provide for passwords to be handed over or information to be decrypted. Similar powers are contained in section 16 of the Proceeds of Crime Act 1996 (as amended by the Proceeds of Crime (Amendment) Act 2005) and several other pieces of legislation. However, these powers all appear to be modelled on the 2001 Act and consequently would fall foul of the same problems if applied to a person who is not at the scene or does not have possession or control of the material in question.

Conclusion

If this analysis is correct then there would seem to be a gap in the 2001 Act powers to require decryption. The powers attach to the person who is at the premises or who has possession or control of the material, but in a case like this that person (the bank) cannot decrypt the files, while the person who holds the knowledge needed to decrypt them (the former employee) is neither at the premises nor in possession or control of the files. In short, while a person can be compelled to decrypt material so long as they remain in employment in a particular organisation, it would seem that once they leave they are no longer subject to these powers.

Tuesday, November 09, 2010

Are Norwich Pharmacal orders compatible with the Data Retention Directive?

Interesting news from Sweden, where a court has made a preliminary reference to the ECJ which calls into question the use of information held under the Data Retention Directive to identify users accused of copyright infringement. According to a report in Intellectual Asset Management:
The request for a preliminary ruling was made by the Supreme Court in a copyright litigation case between five audiobook publishers, and Perfect Communication AB, an ISP. Before the case reached the Supreme Court, the audiobook companies had requested the district court to order Perfect Communication to reveal information regarding the name and address of the registered user of a certain IP address, who was suspected of infringing copyrights in a large number of popular audiobooks...

On 25th August 2010 the Supreme Court requested a preliminary ruling from the ECJ on two questions:

* Whether the Data Retention Directive prevents the application of a national rule based on the EU IP Rights Enforcement Directive (2004/48/EC), which provides that an ISP in a civil case can be ordered to provide a copyright owner or a rights holder with information on which subscriber holds a specific IP address assigned by the ISP, from which address the infringement is alleged to have taken place.
* Whether the answer to the first question is affected by the fact that the state has not yet implemented the Data Retention Directive, although the deadline for implementation has passed.
While the full text of the reference isn't available, the ISP's case seems to be based on the interaction between the ePrivacy Directive and the Data Retention Directive. In particular it appears to argue that data stored under the Data Retention Directive should only be made available to national authorities for the purposes of that Directive - not for other, unrelated purposes (such as civil actions against filesharing). If successful, the implications would be far reaching and would at the very least require the Irish and UK courts to revisit cases such as EMI v. Eircom which deal with Norwich Pharmacal orders identifying internet users.


(My thanks to Niall Handy for pointing out this case.)