The dangers of self-surveillance: the De Martino case and the vulnerability of the “digital home”

The videos stolen from the anchorman’s house are not just a news story: they expose the contradictions of a technological model based on surveillance and the illusion of control.

By Andrea Monti. Initially published in Italian by Italian Tech – La Repubblica.

The case of Stefano De Martino prompts a broader discussion about the meaning of an industrial model that wants every service concerning us, even in the most personal and intimate spheres, to be necessarily “delivered in the cloud”, or in any case through the possibility for the provider to reach directly into our home or business network.

Is home automation “vulnerable by default”?

Few people are aware that the router provided “free of charge” by the access provider has always allowed the provider to control it remotely and that services based on the ubiquitous “app” — especially those that manage the operation of webcams or surveillance systems — store video streams for future consultation somewhere, but not necessarily on the customer’s terminal.

With all due respect to “security obligations” and “contractual guarantees”, which very often amount to little more than slogans, the reality is that too often data about our personal and public lives ends up in the hands of those who should not have it. This, however, is also due to the shared responsibility of the victims who, through trust or negligence, do not really ask themselves what it means to use technology that is controlled or controllable by someone else.

How was it possible to steal the videos?

There is no public information on how De Martino’s video surveillance system was structured, but from the description of the facts, it can be inferred that, in the simplest configuration, it consisted of one or more cameras accessible from outside via the internet and that the video streams were recorded either on the individual device (often equipped with autonomous memory) or on a server available to the manufacturer.

Based on this assumption (one of many possible ones), if the files were taken directly from the cameras, it means that they were directly exposed—i.e., accessible—on the network, that their firmware, the software that makes them work, was vulnerable, and/or that the passwords were weak or non-existent.

If, on the other hand, the files were stolen from the remote systems where they were stored, this could have happened because someone used legitimate credentials, thus committing what is improperly called “identity theft”, or exploited vulnerabilities in the infrastructure where the data was stored.
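The two scenarios just described (files taken directly from exposed, unpatched or weakly protected cameras, or taken from the provider's storage with legitimate credentials) translate into a short list of conditions a householder or installer can check for. The following audit script is an added example and is not part of the article: the device inventory is constructed, and the fields it checks (forwarded WAN ports, a vendor's first patched firmware release, provider-account MFA and password reuse flags) are assumptions about what such an inventory would record.

```python
"""Audit a home camera inventory for the weaknesses the article lists.

Added example, not part of the article: the inventory below is constructed,
and the device fields (firmware versions, ports, account flags) are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Passwords that ship as factory defaults or are trivially guessed.
COMMON_DEFAULTS = {"", "admin", "password", "12345", "123456", "888888"}


@dataclass
class Device:
    name: str
    firmware: str                 # installed version, dotted integers
    min_safe_firmware: str        # first vendor release with known flaws fixed (assumed)
    password: str                 # "" means no password set
    wan_ports: List[int]          # router ports forwarded from the internet to the device
    cloud_account: Optional[Dict[str, bool]] = None  # None = self-managed, no provider account


def version_tuple(v: str) -> Tuple[int, ...]:
    """'2.0.10' -> (2, 0, 10) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def password_findings(pw: str) -> List[str]:
    """Flag the 'weak or non-existent password' case."""
    if pw == "":
        return ["no password set"]
    findings = []
    if pw.lower() in COMMON_DEFAULTS:
        findings.append("default or commonly used password")
    if len(pw) < 12:
        findings.append("password shorter than 12 characters")
    return findings


def audit_device(d: Device) -> List[str]:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    findings = []
    # Self-managed case: device reachable from the internet, outdated firmware, weak password.
    if d.wan_ports:
        findings.append(f"directly exposed to the internet via forwarded port(s) {sorted(d.wan_ports)}")
    if version_tuple(d.firmware) < version_tuple(d.min_safe_firmware):
        findings.append(f"firmware {d.firmware} older than first patched release {d.min_safe_firmware}")
    findings.extend(password_findings(d.password))
    # Provider-managed case: recordings live on the vendor's servers, so the account is the door.
    if d.cloud_account is not None:
        if not d.cloud_account.get("mfa", False):
            findings.append("provider account without multi-factor authentication")
        if d.cloud_account.get("password_reused", False):
            findings.append("provider account password reused on other services")
    return findings


def audit(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device name to its list of findings."""
    return {d.name: audit_device(d) for d in devices}


# Constructed sample inventory (not real devices or vendor versions).
SAMPLE_INVENTORY = [
    Device("hall-camera", "2.0.9", "2.1.0", "admin", [8080, 554]),
    Device("garden-camera", "2.1.3", "2.1.0", "4Kq!v9-zT3pL#wR2", []),
    Device("doorbell", "5.4.0", "5.4.0", "Xy8#mN2q!Lp4rS7v", [],
           cloud_account={"mfa": False, "password_reused": True}),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

On the constructed inventory, the internet-exposed camera with factory credentials and old firmware collects four findings, the LAN-only camera with a long unique password collects none, and the provider-managed doorbell is flagged only on its account settings, which is exactly where the second scenario in the text (someone else using legitimate credentials) would be stopped.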

What offences have been committed?

Regardless of how the offence was committed, it is quite clear that we are dealing with the offence provided for in Article 615-ter of the Criminal Code, i.e. the offence of unauthorised access to a system — whether a single computer or a machine connected to a network — potentially also involving unlawful interference in private life but, paradoxically, not unlawful processing of personal data or “revenge porn”.

Offences relating to personal data punish those who cause “harm” by misusing telematic traffic or geolocation data, spammers or those who unlawfully disseminate files; none of these scenarios is applicable to the De Martino case. Similarly, in order to apply Article 612-ter of the Criminal Code, which deals with “revenge porn”, it is necessary that the person disseminating the content is also the author — and this is not the case.

The role of the Data Protection Authority

The intervention of the Data Protection Authority deserves separate consideration.

If the act is of criminal relevance, the Data Protection Authority — which does not have the power to protect rights — cannot carry out independent investigations into the offence. However, if, during administrative checks, it finds elements of interest to the judiciary, it must then report them to the public prosecutor. But what investigations can the Data Protection Authority carry out in such a case?

To answer this question, we must return to the technical aspects of the case and revisit the difference between a system that is entirely self-managed by the user and a system that involves an intermediary as a provider of storage and remote control services for the devices.

In general terms, in the first case there is little that the Data Protection Authority can ascertain: if the fault lies with the user, who did not rely on a qualified installer capable of taking adequate countermeasures even where the cameras themselves had vulnerabilities, the matter remains exclusively within the competence of the public prosecutor.

If, on the other hand, and again in very general terms, access to the videos was possible due to negligence in the management of the remote control of the system or the storage of the files, then it is reasonable to assume that there is at least a need to verify the overall security of the product (camera)/service (remote management and storage).

Finally, if the videos appear on any platform or blog, one could seek to have the processing of that content blocked, bearing in mind that such a measure should (at least) be ordered by a civil court.

The responsibilities of those who share videos and the platforms that make them available

It is quite unlikely that individual “sharers” of videos can be brought to court — whether civil or criminal — since the efforts to identify each individual could be so time-consuming and costly as to make it pointless to take such action. This is especially true when you consider the “Lernaean Hydra” effect, whereby when content is removed from one place, it “reappears” in multiple copies elsewhere.

Realistically, therefore, it will be the platform operators who will have to remove the content, as one of their obligations under EU law — but also under the Italian Civil Code — is to identify their users. Furthermore, due to a recent ruling by the Court of Cassation, they do not even have to wait for a court order, as even an “unqualified” report — i.e. one coming from a private individual, especially if they are the victim of the offence — is sufficient to establish the operator’s liability. Similarly, and again based on the same principle of law, access operators could also be ordered to block certain network resources without waiting for an order from the authorities.

The finger and the moon

Perhaps the perpetrators of the unauthorised access to Stefano De Martino’s private network will be identified and prosecuted, as will perhaps be the case for those who shared the stolen videos far and wide. Some companies will pay the fines imposed by the Data Protection Authority, and some platforms will find themselves, once again and in the name of EU regulations, applying private justice that is beyond the control of the judiciary. Private chats and groups remain outside the scope of action, as they are not easily or immediately identifiable, but the European Commission is also considering this with future rules on client-side scanning, which, by authorising the preventive and automatic search of devices for “illegal content” and weakening encryption, will turn us into presumed guilty parties without trial.

All this, however, does not change one fact, or rather two: the first is that the clay feet of the tech giant we have allowed to be built are no longer holding up; the second is that users without any real ability to protect themselves are destined to be increasingly unwitting victims of industrial models based on the fact that software or service defects are not errors but features.

Identifying and punishing those responsible for illegal acts is certainly necessary, but to think that this can solve the stability problems of the digital Colossus of Rhodes without seriously addressing the issue of responsibility for those who cause structural vulnerabilities in software, networks and systems is simply to live in a fairy tale world — or in that of bureaucracy.
