AntiPublic, British Airways and the Italian Data Protection Supervisor

Italy just discovered AntiPublic, the next data-leak with about half a million of personal accounts made publicly available by the lack of care of “trusted” websites in handling its “security measures”.

British Airways got a shut down of its IT infrastructure due, according to the Italian newspaper Repubblica.it, a lack of management of the business continuity plan.

This two cases, while unrelated, are both evidence of an infringement of the EU Data Protection Directive (95/46/CE).

In the AntiPublic data-leak the reason why is obvious, as it should be for the British Airways IT infrastructure “freeze”: business continuity, indeed, is one of the security measures that the Data Processor should enforce to avoid damages arising from the unavailability of personal data.

This is a challenge for the (Italian) Data Protection Supervisor. He can either look elsewhere, or open an investigation to ascertain what happened and who is the culprit of these personal data mismanagement.

The EU Directive 95/46 and his own case law  give the Italian Data Protection Supervisor the power to act even outside the national and European jurisdictions,  so there wouldn’t be a motive no to start an investigation.

So, if the Italian Data Protection Authority will actually starts poking around to find out the “truth”, then a message is sent to the business and civil servant community: we don’t need to wait for the General Data Protection Regulation (GDPR) to enter into force, to exercise our prerogatives against no matter who.

Should he, on the contrary, look elsewhere, the message would have a very different meaning. Citizen, companies and public services might be led to think that all the “early warnings” about the upcoming GDPR and the dire consequences of the non compliance are just a pre-emptive notice of some sort of “hidden tax payment through fines” approach, targeted against SME, some big Italian company and a couple of USA multinationals.)

In the meantime, AntiPublic & C shall continue to access unnoticed our personal data, while citizen will continue paying the consequences (in term of damages and lack of services) of the poor compliance to a set of provisions that, just yet, are felt as useless bureaucratic burden.

When Security Becomes Service Disruption: the Banca Popolare di Bari Case

The message reads: For security reasons, this ATM doesn’t provide cash between Friday, 16,30 and Monday, 09,00. We are sorry for the inconvenience.

This way of looking at IT Security reminds me of those Security “Managers” who were use to advise to unplug the Ethernet cable at the daily close of business, to put it back the very next day.

Security can’t be a way to make the customers’ life more miserable. The challenge of a Security Manager is exactly the opposite: let customers doing their business while keeping the environment safe.

 

EUCJ and the Data Retention and Investigatory Powers Act

A friend of mine asked a quick commentary about a Telegraph news about the European Court of Justice decision that bashed the British Data Retention and Investigatory Powers Act, forcing the ISPs to abid to a one-year Internet traffic data retention period.
Here is my answer:

It is clear that the EUCJ is following its political agenda.
As I said countless times, law enforcement and national security aren’t subjected to the might of the data-protection directive so this legal instrument can’t be enforced to rule investigative powers.
It is false that users are note informed about the retention. There is a law that set forth the duty, so the citizen are supposed to know about it (ignorantia legis non excusat.)
Again, the article and – I suppose – the EUCJ confuses fairly different things: GCHQ is intelligence and – as such – is well out of reach from the DP directive. Other public bodies have the right to perform their investigation to guarantee the respect of the law.
So, the actual problem is quis custodies ipsos custodies. In other words: I have no problem with an agency that accesses my data. But I do have the right to know in real time when it happens and why (or, if there is a secrecy issue, as soon as it is reasonable.)

Phoney and the forensics value of Iphone chat

Phoneys is a software that allows a user to change the content of an Iphone chat thus altering the meaning of the conversation.While this is just an entertainment software, it might have some disturbing impacts on a possible criminal investigation.

Indeed, SMS, chat transcripts and messages are routinely used as a source of evidence by lawyers and prosecutors on the basis that if something is on a phone it can be hardly be faked. Of course, this is not always true, of course evidences must be corroborated by independent checks, of course the legal community is not that dumb to give face value to a text on a phone screen. But…

Phoneys allows a malicious person to create a prima facie deceiving fact, by exploiting the fact that a message has actually been sent, thus leading the investigator into thinking that a conversation took place with the intended correspondent. In an emergency context, the necessity of taking immediate action might push him to under evaluate what has been shown as “evidence”, thus jeopardizing the final result.

Maybe this is a either a minor or non-existent issue. But judicial reality has proven to be more surprising then legal-thriller. So, next time you’re confronted with a message as an evidence, why not double check?

Just in case…

After Apple, Facebook Is the Next Target of Judicial Orders to Cooperate With Prosecutors

According to a statement published on the Brazilian Policia Federal’s website, a criminal court issued a “mandado de prisão preventiva” (roughly, pre-emptive arrest order) against Facebook’s representative in Brazil, charged of not having cooperated in providing information about a Facebook page.

The Brazilian Court, unlike the San Bernardino’s one in the Apple case, chose to put its white gloves off and go straight for the jugular, leaving no doubt about the fact that cooperation with the public prosecutor is a mandatory duty for everybody, tech-companies included.

By comparing the Apple and the Facebook cases (and Google’s public position about the topic) a disturbing trend emerges: Internet companies (at least the so said “Over The Top” – OTT) “think different” about themselves. Why the OTT should be let alone, when  an ISP is burdened (often for free, BTW), to provide a public prosecutor with wiretapping, data-retention, forensic support, and data-mining services? Like it or not, corporate criminal liability and obstruction to justice regulation still work for the OTT too, and the OTT must live with it.

This Facebook case further supports the opinion I’ve expressed about the true issue at stake: by one side, the lack of confidence is our social and legal system as a whole and thus the fact that you can’t actually trust a magistrate and a law enforcement agency; by the other side the “ubermensch” syndrome that affects (not only high-tech) companies and that leads them into thinking that they have the “right” (or the power) to part the right from wrong.

Apple, the FBI and the All Writ Act. Why the New York Court is Wrong

The US District Court for the Eastern District of New York Order that prevented the US Drug Enforcement Agency (DEA) to force Apple to provide support in bypassing the passcode security on an Apple device is another chapter of the “Should-we-allow-State-to-mess-with-our-intellectual-property” saga, starring Apple.

Now that another Court ruled in a different way than the previous one, the score is even: 1 for the “crack-the-iphone” team, 1 for the “don’t-even-think-about-it” Cupertino’s.

To me, this legal uncertainty shows the mistake underlying the whole issue.

A public prosecutor has the power to do whatever it takes to finalize an investigation, provided that his powers are scrutinized by a judge. This is the theory, and a fair compromise under the “check-and-balance” doctrine.

So, from a strictly legal point, Apple and the NY court are wrong, since the privacy threats and the possibility of abuse were still there with the wiretapping, remote surveillance and so on. The Iphone issue is just a variation of a known “breed”. We all know that the legal system is not “foolproof”, and that sometimes somebody abuses of his prerogatives, but
this is not a reason to stop allowing a law enforcement entity to do its job by way of technical means.

Again, the actual point is whether the private interests of a company can overrule the State duty to seek for justice.

And even if Apple were right, this would make things worser, because it would means that we live in a society that we ourselves don’t trust enough. And if so it is, obviously the problem is neither Apple nor the Iphone encryption…

Apple vs FBI: A Disturbing Option (for Apple)

Although PGP is widely spread and used since 25 years, after the first, early complaints nobody heard a single hiss from the FBI and its siblings about the  IOS-like “problems”. Maybe this is because of the open source license attached to PGP that allows whoever has enough brain, power and money to find ways to crack it. In the past, for instance, the FBI has been able to crack a Truecrypt password belonging to a suspect.

To balance people rights with the needs of the investigation, Apple might just go open source or, at least, disclose to the law enforcement community the IOS source code, thus allowing the “good guys” to develop long-term tools for forensic purposes.

Of course, to Apple, this is an absolutely nonviable option, nevertheless the point stays: should a government be entitled to access each and every source code of critical software?

To put it short, the Apple vs FBI quarrel involves the role of proprietary copyright and has about nothing to do with the “we protect our customer rights” claim.

No, Mr. Cook, A Flawed IOS Is Not Like A Sort Of Cancer

Apple’s CEO Tim Cook, talking about the request made by the law enforcement community to weakens IOS  stated that to comply to what the FBI is asking, would mean write a software that is sort of the equivalent of cancer.

The statement is technically wrong , a slap in the face of the people who are plagued by this deadly disease and the evidence that talk is cheap.

First: cancer is an highly evolved entity (being around since 4 billions of years or so) made of mutated cells that have lost its “self-killing” mechanism, that keep mutating and growing and creating new forms of cancer elsewhere in the body once removed by surgery or other therapies. This has nothing to do with a piece of software kept under strict control by a private company.

Second: Mr. Cook is absolutely within his rights when he tries to defend his company’s Intellectual Property, but this time Apple’s spin doctors pushed the limits much too far when for the sake of the controversy they involved people that are meeting their fate in a dire straits.

Third, of all arguments that could have been exploited by Mr. Cook’s spin doctors, referring to such a dramatic disease shows a true lack of compassion toward our fellows human beings. Maybe this is not what Mr. Cook had in mind, but this is how his statement looks like.