Peppermint, copyright and personal data

A side issue arising from the Peppermint affair is the relationship between the rules of evidence in criminal and civil trials.

In a criminal investigation, access to ISP-owned traffic data and log files is possible only with a public prosecutor's search and seizure warrant. Once seized, this information is strictly confidential and cannot be disclosed, not even to the defense counsel, before the trial starts.

The very same data, as the Peppermint affair shows, can indeed be obtained by a private entity alleging a civil (not criminal, then) copyright infringement, simply by asking the civil court to force an ISP to disclose the information.

This is a paradox of the Italian legal system, since a criminal action is supposed to be the only ground on which a breach of constitutional rights is allowed, while a civil case gives the court only limited powers. This common-sense rule has been subverted when it comes to copyright. Is it fair or acceptable?

Intesa Sanpaolo: when marketing meets security

Recently Intesa Sanpaolo (born from the merger of Banca Intesa and Istituto San Paolo) moved its Internet banking authentication system from password-based to one-time-password-based access.

They sell that “innovation”, as always happens in the ICT business, as a major increase in IT security and therefore as a benefit for the customer, but if you think about it for a while this is not entirely true. Or, better, this might be true from the perspective of a marketing manager. But it is not from the customer's standpoint.

CALEA and US based foreign e-mail accounts. A deadly lock

If a US law enforcement officer wants to tap an American citizen's internet account, the officer must play by the book. But if the US officer wants to wiretap an Italian citizen whose account is hosted in the US by a US company, does the US officer need to respect the US regulations, or, since the target is a foreigner, is he free to play as he wishes? As far as I know, the answer is a sound “no”: the law enforcement officer must always comply with the US regulation (at least because the company that hosts the account is American and is established on US soil).

Privacy, corporate secret information and ICT. A speech at Infosecurity.

Tomorrow I am giving a speech at Infosecurity, the most important ICT security exhibition in Italy.
The conference is (unfortunately) in Italian only, but those familiar with the language might like to have a look at the programme.

The Telecom Italia scandal. A gun aimed at the wrong target

Current Italian media hype is fuelled by the “Telecom Italia scandal”. The criminal investigation is handled by the Public Prosecutor of Milan, who is investigating the alleged theft of confidential information and the hacking of major Italian and foreign companies. Recently, the Public Prosecutor's findings led to pre-trial custody for Telecom Italia high-level security officers, employees and outside security experts hired as consultants. The defendants are charged with running “covert black ops” on their own, unbeknownst to their employer.

Apart from the merits of the investigation (which belong to the Court and will likely not be ruled on for several years), this criminal investigation truly demonstrates how the ICT security business in Italy actually works. Companies (big ones first) don't really care about IT security. Top management leaves all the relevant decisions to the “IT guys”, while not caring about their own compliance with the security policies.