Data Retention – Page 3

July 1, 2017

No More Data Retention in Italy?

Yesterday the Internet Traffic Mandatory Data Retention regulation expired without being re-enacted by the Parliament. This means that at the midnight of June, 30, all the Italian Telcos and ISPs just (or should have) deleted last year Internet usage information from their databases.

Maybe the Parliament and the Data Protection Authority just had a strike of consciousness and decided so, after having “forgotten” for years to stress test the national data retention legislation to check if it could still stands against the EU Court of justice 2014 decision that bashed the data-retention directive.

Or, maybe, the powers-that-be just forgot about the data-retention.

We’ll never know for sure, but fact is that current high profile criminal investigations are now deprived of an important information gathering tool.

December 23, 2016December 23, 2016

EUCJ and the Data Retention and Investigatory Powers Act

A friend of mine asked a quick commentary about a Telegraph news about the European Court of Justice decision that bashed the British Data Retention and Investigatory Powers Act, forcing the ISPs to abid to a one-year Internet traffic data retention period.
Here is my answer:

It is clear that the EUCJ is following its political agenda.
As I said countless times, law enforcement and national security aren’t subjected to the might of the data-protection directive so this legal instrument can’t be enforced to rule investigative powers.
It is false that users are note informed about the retention. There is a law that set forth the duty, so the citizen are supposed to know about it (ignorantia legis non excusat.)
Again, the article and – I suppose – the EUCJ confuses fairly different things: GCHQ is intelligence and – as such – is well out of reach from the DP directive. Other public bodies have the right to perform their investigation to guarantee the respect of the law.
So, the actual problem is quis custodies ipsos custodies. In other words: I have no problem with an agency that accesses my data. But I do have the right to know in real time when it happens and why (or, if there is a secrecy issue, as soon as it is reasonable.)

October 27, 2016

Privacy Shield Dead-On-Arrival?

As expected, Privacy Shield has been challenged in front of the EUCJ.

Before wasting time and money trying to comply with this DOA thing, it would be safe to wait for the judgement.

November 27, 2015November 27, 2015

Italy To Storm Playstation Networks? The Steve Jackson Game Case Strikes Back

According to Andrea Orlando, Italian Minister of Justice, Italy plans to fight? the war on terrorism on Playstations.

In a press conference, Mr. Orlando said that new technologies are exploited by terrorists, and it is imperative to keep pace with the innovation, by allowing the capability to wiretap chat (whatever this means) and Playstations.

Apart from the merit of the issue (we might either agree or not about the strategy, but this is a horse of different colour) what matters is the clear uneasiness of the Minister in? talking about topics he’s clearly not knowledgeable in.

I really wander how the law enforcement agencies will be able to extract something useful by wiretapping network games that deal with assaults, terrorist actions, covert operation and so on.

Will they be able to sort the truth from the game?

Are we on the verge of a new Steve Jackson Games scandal?

The usual approximation showed by a politician in charge of taking the lead on technology-related issues shows that key decision on such a sensitive matters are made elsewhere, by someone else not at all well versed in the matter. And it would be interesting to know who this “Mr. Someoneelse” actually is.

To have a better grasp on the operative issues before talking to the Press,? maybe it wouldn’t had been a bad idea? for the Minister to spend some spare time playing Call of duty or Splinter cell.

July 9, 2015July 9, 2015

My Two Cents on the Hacking Team Hack

What happened to Hacking Team neither is the first nor will be the last time a security company that lives by the sword, dies by the sword. Neither this is the first nor will be the last time that huge quantity of critical data are made available through the Internet.

So, to some extent, there is actually nothing new under the sun in the fact itself. This is why – putting aside the legal issues involved – I can hardly understand all the rants aimed at Hacking Team.

It is interesting, though, analyze the “claims” that some “expert” did about the story. To make my points, instead of talking about someone in particular, I’d rather refer in general to the accusations made against HT, so:

Hacking Team has been “unethical”. A company is just supposed to be legally compliant. Ethic is a horse of different colours: it’s a personal thing, is relative and – thank to the French Revolution – is not mixed with laws. As soon as Hacking Team didn’t break any law by selling its stuff, it can’t be blamed because “money doesn’t smell”.
Hacking Team sold its technology to human-rights bashing countries. While I’m in the digital rights world since 1994, I wasn’t aware that there were so much human-rights (keybord) warriors… Anyway, as soon a state has a seat in UN, and the sell is compliant to international laws and treaties (such as the Wassenaar Agreement), doing business with it shouldn’t raise any concern (as international weapon dealers are well aware of.)
Hacking Team has jeopardized investigations and covert activities all around the world. No, the investigation have been jeopardized by the choice made by governments of “going private” instead of developing in house its intelligence-gathering tools, and by the lack of a “Plan B” in case things – as just happened – screwed up. In particular, is rather curious that nobody checked the fact that the HT’slicense was associated to the customer identity in clear, instead of using a nickname or a cipher.
There will soon be a “black” Hacking Team’s software clone that will be used against the “good guys”. This malware is far from being the “only kid in town” and the Internet is full of brilliant (rogue) programmers able to build a “HT-like” software. So this statement is just a nonsense.
The are hints suggesting that ?Hacking Team’s malware has been exploited to plant fake evidence in the targeted computer. So what? Blackmailing is a standard tool-of-the-trade in the intelligence world and the way this is done is irrelevant. And to shut down the disturbing voice of a political opponent it’s easier to frame him with conventional means (drugs, sex) that are cheaper while very effective, then using a costly and complex to manage application.
Hacking Teams’s software is untraceable and now can and will be used without control. No, HT malware is not invincible and while it is able to fly under the antivirus’ radars, it doesn’t mean that there are no defense. Guess how you can reduce its’ might? Use pure text emails, don’t click links and attachments, check your machines and data-traffic for odd behaviours… In other words, stop using ? wisthle&bell operating systems and fancy features and go back to basics. Ain’t no fancy, but is safer.
Hacking Team helped intelligence agencies to gain access to everybody’s computer. Again, so what? Are intelligence agencies around the world supposed to play bridge, instead? As much as I dislike the fact, I cannot but pragmatically accept that the powers-that-be can do whatever they want, without actual accountability. They call it “democracy”.

—

Post Scriptum: Though I met David Vincenzetti about eighteen years ago at the Department of Computer Science in the Milan University and a couple of times in the following years, I never worked with or for him.