Digital Thought

Today the Court of Milan made public the decision in the criminal trial against four Google executives, charged of defamation and illegal personal data handling in relationship to the publication on the video sharing platform  of a video containing act of bullyism against a person affected by the Down Syndrome.

The legal basis for the charges, following the prosecutor’s theory of the case, was that those executives failed to exercise a pre-emptive control over the contents published by Google final users’, thus allowing the infringement of the reputation of the concerned person and of an NGO representing Down-Syndrome-affected persons.

The Court acquitted all the defendant from the charges of defamation, while found them liable of the illegal personal data handling charge. The whole sentence (including the legal technicalities that support the decision) will be public within the next 30 days.

This indictment is the last component of a long series of court decisions that kill Network Neutrality and turn ISPs and Telcos into Digital Vigilantes while, in the meantime, no actual protection is given to the victims of online crimes.

The Peppermint and The Pirate Bay cases, the legal argument against Youtube and the one between an entertainment-backed lobbying group by one side and Telecom Italia, the ISP’s association and the Data Protection Authority on the opposite and – finally – this indictment are all linked through the same connection: to erode the absence of the legal duty to preemptively contol internet users’ activity established by the UE directive on e-commerce.

What is bizarre, in this Google trial, is that for the very first time the existence of the ISP’s duty to perform a mass-control of user activities has been asserted thank to the data protection regulation. The same data protection regulation that forbade the disclosure of the identities of people allegedly accused by the entertainment industry of copyright infringement through P2P networks.

Is still to early to understand the Court mind (since the basis for the decision will be disclosed within the next 30 days. It is, nevertheless possible to try an educated guess based on the Court records. To put it short, here is a probable explanation for the decision:

1 – there is a rule of law into the Criminal Code that says: to not stop a fact equals to cause it,
2 – data protection law requires a prior authorization to be obtained before handling personal data,
3 – a video to be posted online is personal data,
4 – therefore Google executives had to check whether the user who posted the video got the preemptive authorisation from the people of the video, and
5 – by failing to do so, they infringed the data protection law
6 – furthermore, by not controlling in advance, they let the video to libel the victim of the violence (this charge has been dismissed.)

It is too early to assess the damages provoked by this decision, but it is not unreasonable to imagine that – should this court decision become “case law” – the telco market will suffer an alteration of the competion among the various players. The smallest one can’t handle the increasing risk (and cost) of being sued or investing in momentum-generating policies. Big international players might find Italy a lesser attractive place to do business in.

On May 19, 2009 Italian news services announced the creation of a new governmental entity named CNAIPIC (Centro Nazionale Anticrimine Informatico per la Protezione delle Infrastrutture Critiche – National Center Anti-Computer Crimes for the Critical Infrastructure’s Protection. Sorry, still no website up to present.)

While CNAIPIC members will surely use their brains’ computing power to figure out how fight these hideous hacker out there, I wonder if they’re aware that “old school techniques” such as war dialing, still work against big infrastructure even after thirty years or so.

Instead of thinking how to build taller “chinese walls”, they’d better step back and check critical infrastructure default passwords or (supposedly) non connected modem and RAS.

A BBC report pushed Italy into international hype, for Mr. Maroni (Lega Nord) Ministry of Home Affairs, backed by a group of public prosecutors, started an aggressive campaign against Skype, claiming that organized crime uses this software to protect their illegal activities. This is a clear shift towards encryption’s outlawing – or limitation of its use – that will negatively affects both human rights and private sector activities.

Italy has a “strong” tradition in trying to ban encryption. Key recovery and/or Key Escrow related issues were debated at least since 1995 A draft of one of the many amendments (not included in the final text) of copyright law known as “legge Urbani” tried to establish the principle that using encryption to protect P2P connection deserved a stronger punishment. If passed, this would have been the first provision outlawing the use of encryption.

The problem, nevertheless, is not limited to Skype. Mr. Maroni, launched a global initiative to “seize” technology from users. He first asked Telcos to provide their customers with static IP only (to better identify persons), then he pushed for the adoption of a National DNA Database because he got “reliable information” that in Italy there is a criminal mob dealing with human organs selling, then – all of a sudden – he become concerned about Skype…

It is unlikely that Mr. Maroni claims hide a “global plot” to kill human right. The truth is more sad: magistrates have scarce investigative resources, untrained law enforcement officer (not all, of course), insufficient monies, an erroneous belief that technology-based investigation is a good shortcut.
Basically, they’re scared by technology and – in a Pavlovian mood – their automated reaction to things like Skype is “forbid”, “ban”, “takeover”.

After the investigation started by the Milan Public Prosecutor Office, another case of alleged rogue corporate security and law enforcement officer case hits mainstream media. Former Corporate security head of the Internationally known luxury firm Gucci, together with private investigators and law enforcement officers have been involved into a criminal investigation ran by Florence Public Prosecutor, with charges of computer illegal trespass.

On Oct. 10,02008 the Criminal Court of Milan issued an Order related to the criminal trial Docket Number 24919/05 RGNR stating that a bank whose customers were “affected” by successful phishing attacks, can seek for damages only against the phisher itself, while no civil action can be started against those who laundered the monies coming from the theft.

The people accused of money launderers, said the Court, had no part into the phishing attack, since they play their role only after the monies are stolen.

On Oct. 10 the Justice for preemptive investigation of the Court of Milan issued a decree of preemptive seizure against a couple of websites charged of trading cigarettes. [ 1. That in Italy is a State monopoly activity, thus forbidden to everybody but those that applied for a special license]

This decree is a replica – but a smarter one – of the decree issued (and ovverruled) by the Justice of preemptive investigation of the Court of Bergamo, in the notorious Piratebay case. No clear order of DNS hijacking has been issued, but fact is that ISP’s have to “obscure” a network resource that is far too away from their reach. Thus, if they cannot remove the “charged” files, the only alternative is… yes, you’re right: DNS hijacking.

Q.E.F.

It happened last Feb. 27, 2008. All of a sudden, Italian Parliament approved the enforcement of the Budapest Convention on Cybercrime.

In Italy, whenever you ask for an official copy of a trial-related document you must pay a specific tax established by a Presidential Decree (Testo Unico sulle Spese di Giustizia).

So – as happened today during a computer forensics phase of a criminal trial – a client had to withdraw the request of getting a 120Gb hard disk copy, because the final tax amount would have been about 40.000 Euros. The Testo Unico, in fact, set a rate of 258 Euros-per-CD.

Thus, if you do the math…

In its final judgment n. 33768 released on Sept. 3, 2007, the Corte di cassazione (Italian Supreme Court) Sezion III penale, seems to have overruled the previous decision by Bolzano’s Lower Court asserting the right of a consumer to hack a Sony Playstation. If confirmed – the decision text is still not available – this might negatively affect the conclusion I’ve drafted in my previous post about the Iphone unlock legal issue.

Skype denies that the outage is the result of an attack, but still failed both to demonstrate the lack of foundation for the attack announcement and clearly explain the reason that caused this sign-in problem. Standard Public Relation technique.