No More Mandatory Data Retention in Italy? – Update

As a consequence of the Parliament/Govern inactivity, the huge quantity of traffic data that survived the June, 30 midnight – and that some ISP might still have in its own hand, maybe hoping for a last-minute, never passed, prorogation – is currently being deleted.

Right now, traffic-Database deleting schedules should have been re-set to the old standard: one year retention period as set forth by sec. 132 of the Italian Data Protection Act.

And the Data Protection Authority still hasn’t hissed a word.


No More Data Retention in Italy?

Yesterday the Internet Traffic Mandatory Data Retention regulation expired without being re-enacted by the Parliament. This means that at the midnight of June, 30, all the Italian Telcos and ISPs just (or should have) deleted last year Internet usage information from their databases.

Maybe the Parliament and the Data Protection Authority just had a strike of consciousness and decided so, after having “forgotten” for years to stress test the national data retention legislation to check if it could still stands against the EU Court of justice 2014 decision that bashed the data-retention directive.

Or, maybe, the powers-that-be just forgot about the data-retention.

We’ll never know for sure, but fact is that current high profile criminal investigations are now deprived of an important information gathering tool.

EUCJ and the Data Retention and Investigatory Powers Act

A friend of mine asked a quick commentary about a Telegraph news about the European Court of Justice decision that bashed the British Data Retention and Investigatory Powers Act, forcing the ISPs to abid to a one-year Internet traffic data retention period.
Here is my answer:

It is clear that the EUCJ is following its political agenda.
As I said countless times, law enforcement and national security aren’t subjected to the might of the data-protection directive so this legal instrument can’t be enforced to rule investigative powers.
It is false that users are note informed about the retention. There is a law that set forth the duty, so the citizen are supposed to know about it (ignorantia legis non excusat.)
Again, the article and – I suppose – the EUCJ confuses fairly different things: GCHQ is intelligence and – as such – is well out of reach from the DP directive. Other public bodies have the right to perform their investigation to guarantee the respect of the law.
So, the actual problem is quis custodies ipsos custodies. In other words: I have no problem with an agency that accesses my data. But I do have the right to know in real time when it happens and why (or, if there is a secrecy issue, as soon as it is reasonable.)

Italy To Storm Playstation Networks? The Steve Jackson Game Case Strikes Back

According to Andrea Orlando, Italian Minister of Justice, Italy plans to fight the war on terrorism on Playstations.

In a press conference, Mr. Orlando said that new technologies are exploited by terrorists, and it is imperative to keep pace with the innovation, by allowing the capability to wiretap chat (whatever this means) and Playstations.

Apart from the merit of the issue (we might either agree or not about the strategy, but this is a horse of different colour) what matters is the clear uneasiness of the Minister in talking about topics he’s clearly not knowledgeable in.

I really wander how the law enforcement agencies will be able to extract something useful by wiretapping network games that deal with assaults, terrorist actions, covert operation and so on.

Will they be able to sort the truth from the game?

Are we on the verge of a new Steve Jackson Games scandal?

The usual approximation showed by a politician in charge of taking the lead on technology-related issues shows that key decision on such a sensitive matters are made elsewhere, by someone else not at all well versed in the matter. And it would be interesting to know who this “Mr. Someoneelse” actually is.

To have a better grasp on the operative issues before talking to the Press, maybe it wouldn’t had been a bad idea for the Minister to spend some spare time playing Call of duty or Splinter cell.


My Two Cents on the Hacking Team Hack

What happened to Hacking Team neither is the first nor will be the last time a security company that lives by the sword, dies by the sword. Neither this is the first nor will be the last time that huge quantity of critical data are made available through the Internet.

So, to some extent, there is actually nothing new under the sun in the fact itself. This is why – putting aside the legal issues involved – I can hardly understand all the rants aimed at Hacking Team.

It is interesting, though, analyze the “claims” that some “expert” did about the story. To make my points, instead of talking about someone in particular, I’d rather refer in general to the accusations made against HT, so:

  1. Hacking Team has been “unethical”. A company is just supposed to be legally compliant. Ethic is a horse of different colours: it’s a personal thing, is relative and – thank to the French Revolution – is not mixed with laws. As soon as Hacking Team didn’t break any law by selling its stuff, it can’t be blamed because “money doesn’t smell”.
  2. Hacking Team sold its technology to human-rights bashing countries. While I’m in the digital rights world since 1994, I wasn’t aware that there were so much human-rights (keybord) warriors… Anyway, as soon a state has a seat in UN, and the sell is compliant to international laws and treaties (such as the Wassenaar Agreement), doing business with it shouldn’t raise any concern (as international weapon dealers are well aware of.)
  3. Hacking Team has jeopardized investigations and covert activities all around the world. No, the investigation have been jeopardized by the choice made by governments of “going private” instead of developing in house its intelligence-gathering tools, and by the lack of a “Plan B” in case things – as just happened – screwed up. In particular, is rather curious that nobody checked the fact that the HT’slicense was associated to the customer identity in clear, instead of using a nickname or a cipher.
  4. There will soon be a “black” Hacking Team’s software clone that will be used against the “good guys”. This malware is far from being the “only kid in town” and the Internet is full of brilliant (rogue) programmers able to build a “HT-like” software. So this statement is just a nonsense.
  5. The are hints suggesting that Hacking Team’s malware has been exploited to plant fake evidence in the targeted computer. So what? Blackmailing is a standard tool-of-the-trade in the intelligence world and the way this is done is irrelevant. And to shut down the disturbing voice of a political opponent it’s easier to frame him with conventional means (drugs, sex) that are cheaper while very effective, then using a costly and complex to manage application.
  6. Hacking Teams’s software is untraceable and now can and will be used without control. No, HT malware is not invincible and while it is able to fly under the antivirus’ radars, it doesn’t mean that there are no defense. Guess how you can reduce its’ might? Use pure text emails, don’t click links and attachments, check your machines and data-traffic for odd behaviours… In other words, stop using  wisthle&bell operating systems and fancy features and go back to basics. Ain’t no fancy, but is safer.
  7. Hacking Team helped intelligence agencies to gain access to everybody’s computer. Again, so what? Are intelligence agencies around the world supposed to play bridge, instead? As much as I dislike the fact, I cannot but pragmatically accept that the powers-that-be can do whatever they want, without actual accountability. They call it “democracy”.

Post Scriptum: Though I met David Vincenzetti about eighteen years ago at the Department of Computer Science in the Milan University and a couple of times in the following years, I never worked with or for him.


Does the French Intelligence Actually Have Such Big Gaps?

A significant part of the aftermath of an event is the so called “post mortem”: a thorough analysis of  what went right, what wrong and why.

While “post-mortem” is a common practice within complex organizations and helps detecting flaws to be fixed or positive actions to be standardized, it must not be confused with the “rolling-barrell” attitude of putting the load of a (ex-post proven wrong) choice on somebody else’s shoulders.

As everybody outside the intelligence’s  “inner circle” should, I neither claim to own the knowledge nor the expertise to assess the work’s quality and the assumed weakness of the French security system. But what I can say – relying upon my criminal trial lawyer experience – is that is always easier to find an explanation for something that happened once it happened, while it is very hard to “foresee” an event.

This is to say that once you know where to look for, the needle in the haystack is fairly easy to find. Or, put in other words, those who came late always look smarter than those who were there earlier: they already know where not to look at.

Whether the French intelligence services did a mistake or not, then, is of poor importance. Mistakes happens (much too) often and it wouldn’t be a surprise to discover that in the Charlie Hebdo massacre mistakes have been done.

But the best we can do is to learn from it, instead of publicly blaming people in the line of fire just for the sake of looking “smart”.

The (defunct) Data Retention Directive Still Causes Harm

Notwithstanding the Data Retention Directive has been bashed by the EUCJ Ruling, there is a wide agreement on the fact that its national implementation might still be valid if not in contrast with the main Data Protection Directive.

Just yet, neither the Italian Parliament nor the Data Protection Authority ran the “stress test”, thus leaving ISPs into a void of uncertainty.

Furthermore, the news is new as today, there is a case where the actual providing of Internet access whose contract terminated back in 2010 has been challenged in court by the former customer. Under the Italian Supreme Court jurisprudence, in this case it is the ISP who must provide the evidence that the agreement has been fulfilled. But, guess what? Under the strict (and wrong) interpretation of the Data Retention Directive this ISP deleted the log files and now has problem in supporting its defense.

True, keeping the traffic data for legitimate purposes (such as legal defense) is allowed by the Data Protection Directive.

True, the Data Retention Directive can be interpreted as an exception that doesn’t overrule the Data Protection Directive.

True, an ISP has more than a chance (in theory) to successfully support its choice of keeping the traffic data for legal defense purposes even exceeding the mandatory term seth forth by the DRD.

But all this means fighting an all-round legal battle, explaining to the Court that the traffic data have been legally retained and are, thus, valid evidence, standing against a possible Data Protection Authority investigation, and so on.

To put it short: a waste of time, money and resources, that could be spared if only the Powers-that-be had dedicated a fraction of their time to solve this riddle, instead of toying with this Internet Bill of Right nonsense.


A Homicide Investigation And The (Still Alive) Data Retention Regulation

The young girl homicide investigation I’ve talked about in a previous post reveals other interesting information, this time about the Telcos’s role in supporting the public prosecution service through the traffic data retention.

The media are reporting (italian only, sorry) that more than 120.000 single mobile calls are under scrutiny spanning from a few months before the kill. But since the fact is more than three years’old, these data aren’t even supposed to exist since the Data Retention Directive forbade its preservation once the (maximum) two-years term expired.

So, hopefully for the justice and the family of the poor girl, at the beginning of the investigation the public prosecutor, as required by law, did issue a traffic data “freezing” order or, better, seized it as dictated by the Italian Criminal Rule of Evidence.

As in the case of the DNA-based evidence, the collection of traffic data without complying the Rule of Evidence might allow the defense lawyers to challenge the reliability of these information especially because the original traffic data have (or should have been) destroyed once collected by the public prosecution service, thus preventing the possibility of double-checking during the trial their actual evidence “weight”.

Google, the European Court of Justice and the End of History

The European Court of Justice ruling against Google Spain is another step toward the deletion of the History (capital “H”) and collective memory. In the name of “privacy” the Court allowed the possibility to completely remove a lawful information from public scrutiny, as is clearly stated at the end of the ruling:

Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful. (emphasis added)

Now, with the support of this decision, corrupts politicians, scammers, con artists, bad payers and similar breeds can easily re-gain their anonymity, and historians from the future will not be able to discover and understand how our society was working.

And, to some extent, this wouldn’t be a bad thing…