AntiPublic, British Airways and the Italian Data Protection Supervisor

Italy just discovered AntiPublic, the next data-leak with about half a million of personal accounts made publicly available by the lack of care of “trusted” websites in handling its “security measures”.

British Airways got a shut down of its IT infrastructure due, according to the Italian newspaper Repubblica.it, a lack of management of the business continuity plan.

This two cases, while unrelated, are both evidence of an infringement of the EU Data Protection Directive (95/46/CE).

In the AntiPublic data-leak the reason why is obvious, as it should be for the British Airways IT infrastructure “freeze”: business continuity, indeed, is one of the security measures that the Data Processor should enforce to avoid damages arising from the unavailability of personal data.

This is a challenge for the (Italian) Data Protection Supervisor. He can either look elsewhere, or open an investigation to ascertain what happened and who is the culprit of these personal data mismanagement.

The EU Directive 95/46 and his own case law  give the Italian Data Protection Supervisor the power to act even outside the national and European jurisdictions,  so there wouldn’t be a motive no to start an investigation.

So, if the Italian Data Protection Authority will actually starts poking around to find out the “truth”, then a message is sent to the business and civil servant community: we don’t need to wait for the General Data Protection Regulation (GDPR) to enter into force, to exercise our prerogatives against no matter who.

Should he, on the contrary, look elsewhere, the message would have a very different meaning. Citizen, companies and public services might be led to think that all the “early warnings” about the upcoming GDPR and the dire consequences of the non compliance are just a pre-emptive notice of some sort of “hidden tax payment through fines” approach, targeted against SME, some big Italian company and a couple of USA multinationals.)

In the meantime, AntiPublic & C shall continue to access unnoticed our personal data, while citizen will continue paying the consequences (in term of damages and lack of services) of the poor compliance to a set of provisions that, just yet, are felt as useless bureaucratic burden.

Does Your Privacy Actually Matters To You?

An article published by the New York Times addresses the possible outcomes of the announced changes in the US privacy legislation that allows a free sales of people’s Internet “life”, and advise to use TOR, VPN or similar tools to “protect the right to privacy”.

I actually think that the best privacy protection tool is to comply to what the latin poet Orazio said: Nescit vox missa reverti (Once you said something, it is useless to say “I didn’t want…”) Or, to put it short, “what you want to keep secret, don’t tell Google” 🙂

Kidding apart I think that the privacy hysteria led us much beyond any logic thinking.

Like a Pavlovian reflex, as soon as something is announced that might slightly interact with us, a rant shouts out: hey! This infringes my privacy!

Sure, Google and companies are snooping into our private lives, but it is every single of us that allow for that. Google (Facebook & C) are companies that seek for profit, and since there is no free lunch, somebody has to pay the bill (in terms of personal data.)

I don’t like this status quo but I have to face actuality: if we care about our privacy, we should start using these tools in a more aware way, by selecting what we want to share. We can’t throw our life into the wild and then complain that somebody else took it away.

So, privacy protection starts from ourselves.

Do we have a right not to be “blamed” for some specific interest or personal inclination (as soon as it isn’t criminal?) Absolutely. But the Internet it is not the only place where we can cultivate our personal interest. It is an oxymoron to call for privacy protection when we are withdrawing this right in the very moment we hit “search” on Google. I may dare to say that on the Internet, as in public spaces, there is no “reasonable privacy expectation”.

What scares me more is the State surveillance because in this case I have neither a technical nor a legal protection to enforce. I can avoid to give Facebook some information, and I don’t care if Amazon gives somebody else my shopping history (dind’t buy bombs or mass-murder weapons to be shipped to Middle East) but I can’t stop a spook to dig into my life.

So, “shouting fire” every time something goes remotely “personal” is the best way to pollute the notion and the value of privacy.

EUCJ and the Data Retention and Investigatory Powers Act

A friend of mine asked a quick commentary about a Telegraph news about the European Court of Justice decision that bashed the British Data Retention and Investigatory Powers Act, forcing the ISPs to abid to a one-year Internet traffic data retention period.
Here is my answer:

It is clear that the EUCJ is following its political agenda.
As I said countless times, law enforcement and national security aren’t subjected to the might of the data-protection directive so this legal instrument can’t be enforced to rule investigative powers.
It is false that users are note informed about the retention. There is a law that set forth the duty, so the citizen are supposed to know about it (ignorantia legis non excusat.)
Again, the article and – I suppose – the EUCJ confuses fairly different things: GCHQ is intelligence and – as such – is well out of reach from the DP directive. Other public bodies have the right to perform their investigation to guarantee the respect of the law.
So, the actual problem is quis custodies ipsos custodies. In other words: I have no problem with an agency that accesses my data. But I do have the right to know in real time when it happens and why (or, if there is a secrecy issue, as soon as it is reasonable.)

The Italian Supreme Court: name and surname only aren’t subjected to the Data Protection Act

The Corte di cassazione (Italian Supreme Court) decision n. 20615/16 narrows the definition of “personal data” under the Italian data-protection act that enforces the data-protection directive.

The merit of the decision is a legal action against a municipality accused of having published on its website the name and surname of an individual who sued the municipality.

While, the Court said, when mandatory by law the releasing of personal data is always allowed (and this was the case, since there is a law the bind a municipality to disclose its decisions, including those related to legal actions), the simple publication of a name and surname is not enough to make and individual actually identifiable.

Verbatim, the Court says:

the identification of the individuals… would have been possible only by way of further investigations, including third-parties database, with a disproportionate effort in terms of energy and money that is not justified by the interest to identify people involved in a trivial car accident.

This decision set forth a very important point because points out the fact that the “identifiability” notion of the directive is a relative one.

In other words, and enforcing the legal principle to the telco world, an IP number in itself is not necessary a personal data, unless “the identification of the individuals… would have been possible only by way of further investigations, including third-parties database, with a disproportionate effort in terms of energy and money that is not justified by the interest to identify people”.

Needless to sat, the Italian Data Protection Authority has always challenged this interpretation, trying to affirm an “absolute” notion of personal data, thus creating bureaucratic burdens end financial costs for the compliance.

What “Big Brother” and “Orwellian” actually mean

A lot of people – politicians, “gurus” and “activists” use the word “Big Brother” and “Orwellian” without having read even the cover of a George Orwell’s book.

They rather want to have a look at this TED-ed short lesson, to discover what they’re actually talking about.

Is The IPhone Criminals’ Weapon of Choice?

According to NBC, Apple has been ordered by a federal judge to support the FBI in decrypting the Iphone used by the people accused of having slaughtered 14 people in San Bernardino, California, last December, 2, 2015. The court order has been necessary since Apple refused to voluntarily provide such support.

These are the bare facts, that have been turned into a horse of different colours by  bad-faith anti and pro encryption activist. The former sang the usual song “Strong Encryption Smooths Criminals”(FBI Records), while the latter waged the old flag “Weak Encryption Affects Civil Rights”.

The federal court neither asked for a backdoor nor for the enforcement  of a weaker Iphone security, but just said Apple to support the after-crime investigation. This court order doesn’t hampers people’s legal right to strong encryption, because the justice said something like “you have the right to own a strong safe, but the State has the right to try to open it whatever the mean in case of a criminal investigation”. In this context, then, the fact that Apple has been ordered to provide support to the FBI is not constitutionally illegal.

I still support strong encryption for the masses (and for companies too), but I don’t think that making a case out of this court order might help the civil right cause. It only works as as a (maybe unintended) advertising stunt for Apple that can portray itself as a “privacy shield”.

Blogging vs Social Networking: different tools for different goals

Blog and Social Networks are very different tools of expression (and, for what it worth, online marketing.)

A blog gives you absolute freedom and exposes your thoughts to potentially a huge quantity of people. People, on the other end, can enjoy the things you do without necessarily disclose their identity, unless they actually want to do.

A Social Network page/profile, instead, implies that the majority of your audience is made by those you already know or, at least, you are acquainted with. Yes, I either know about the existence of “public” pages or the possibility of “following” somebody else, but this doesn’t change the point.

To blog is more like living into the wild, where you can meet other peers, predators or none at all (and in this case ask yourself why are you still blogging if nobody cares.) While “living” in a social network is fairly safer but actually less challenging because of its “Walled Garden” design.

While is obviously possible to use a blog to stay in touch with people and a social network to publish contents aimed at a (personally) unknown audience, it would be more efficient to use the proper tool designed for the specific task.

Unless you are left without options, why should you use a hammer to cut a wire and a screwdriver to hammer in a nail?

The Web is ISIS’s Nuclear Bomb

The Web is ISIS’s Nuclear Bomb. This is what Loretta Napoleoni, author of books on the economic side of terrorism, wrote in an article for the leftwinger Italian newspaper Il Fatto Quotidiano.

Napoleoni claims that – as the Marxist ideology did in the past with the “word-of-mouth” or, better, “word-of-book” – ISIS’s propaganda gets its power from a new “ideology-spreading-tool”: the Internet, and thank to the Internet will last, no matter what:

Even though, hypothetically, we should succeed in taking out all of ISIS’s warriors by bombing them and killing al Baghdadi, the ideology that these people have created and their universal message will last on the Internet. 1

I don’t have enough authority to challenge the curious association Napoleoni did between Karl Marx philosophy and ISIS’s vision of the Islamic religion, but I find grossly superficial and offensive for the victims of (every) war to compare “the Web” to a nuclear bomb.

As I wrote in a post, war is made of bullets, and bullets hurt as do (nuclear) bombs. Bombs make carnage, slaughters, shred a human being in pieces, burn, annihilate, vaporize, wipe communities, blindly kill innocents, pollute lands for centuries or millennia (ask Hiroshima and Nagasaki survivors for additional info, just in case.) E-mail, newsgroups, chats, FTP (yes, Napoleoni, the Internet is not only made by HTTP) are tool of freedom designed by free people to give humans a free chance to communicate with no physical and social barrier.

Those like Napoleoni – and her cultural associates, member of the “Internet-as-a-threat Club” – should simply accept the fact that ideas are countered (and sometimes, fought) with ideas and that the worst way to challenge a disturbing statement is to censor it.

The idea that a sole statement might change somebody’s personal philosophy up to turning him into a human bomb carrier is simply wrong. Change of mind happens by way of  tragedies, loneliness, apartheid and injustice and not because of a tweet.

As per the “Internet Patrolling” advocated (not only) by Napoleoni – though sadly labelled by her as ineffective – again, let’s go back to basics: as the East Germany, Russian and Italian political police history show, to fight an enemy and prevent attacks there is no substitute for an actual, massive, ruthless and pervasive physical control. But t this is disturbing and, rightly so, nobody in the Western world is available to give a government so much power.

And here comes the brilliant solution: let’s fall back on the Internet and blame “the Web” as a radicalization tool.

No, Napoleoni, ideologies will not last because of a blog. They will stand until there will be inequality in world, it means until the end of time.

  1. Orginal text in Italian: Anche se, ipoteticamente, riuscissimo a stanare con le bombe tutti i guerrieri dello Stato Islamico e a far fuori al Baghdadi, l’ideologia che costoro hanno creato ed il loro messaggio universale in rete rimarrà