Italian NDNA database. The devil is in the details

On June 30, 2009, the Italian Parliament finally passed Law No. 85, which ratifies the Prüm Convention and forms the legal ground for the creation of an Italian National DNA Database (NDNAD).

Although this law might have benefited from UK and USA court experience in the field of DNA forensics, the current text indicates that neither British nor American case law has been taken into consideration. Furthermore, the law is flawed by a foggy understanding of the technicalities behind DNA profiling and by sloppy wording that certainly will not facilitate the work of lawyers, prosecutors or judges. Just to highlight a few of these inconsistencies, it must be noted that art. 8 (Attività del laboratorio centrale per la banca dati nazionale del DNA – Activity of the NDNA Database Central Laboratory) lacks any general provision that would oblige all the responsible parties to adopt serious and adequate security measures against unauthorized access, data tampering, and illegal handling of data and information.

Corporate liability for copyright infringements in Italy?

Among the measures to fight the economic crisis announced by the Italian Government, sect. 15 para 1 lett. c) of the Anti-Crisis decree deserves a special mention: in short, the provision asserts corporate liability (under legislative decree 231/01) for copyright infringement committed by top management.

Although it may seem that the new law is of little impact on corporate life (it is highly unlikely that a top manager has time to waste on file sharing), a second glance proves this first opinion not entirely correct.

The inclusion of copyright infringements in the list of crimes implying specific corporate liability forces a company to revise its (mandatory) prevention model to reflect the new changes, thus – de facto – establishing a specific set of controls aimed at downloads, website surfing and file sharing. Failing to do so might lead some zealous prosecutor to think that the company actually allows copyright abuses.

A side effect of this regulation – once it comes into full force – is that workplace privacy will get another heavy blow. For the sake of copyright abuse prevention, indeed, all of the employees’ Internet activity will be deeply inspected.

So long, Mr. Data Protection Commissioner…

Aggregate data and the Italian Data Protection Authority

An Italian Data Protection Authority decision issued on June 25, 2009 set the deadline of Sept. 30, 2009 for telco operators and ISPs to notify the Data Protection Authority of the list of their mining activities executed on customers’ aggregate data (such as traffic volumes, paths and so on). The aim of this decision is to spot illegal (at least, in the Data Protection Authority’s opinion) data handling “masked” by activities performed to keep the infrastructure running.

The Data Protection Authority, after having received the information, will decide what can still be done without informing the customer, what can be done only AFTER having informed the customer and obtained his approval, and what cannot be done at all. Furthermore, the Data Protection Authority will release a set of technical and management rules to ensure the concerned subjects’ compliance.

If this new set of rules mimics those recently established for data-retention purposes and system administrators, telcos and ISPs will once again face a mayhem of useless bureaucracy, so hard to understand that the Data Protection Authority itself had to release a FAQ to explain what those regulations actually meant (and we’re still waiting for the interpretation of the FAQ).

Although the decision is limited to the Internet and telephony world, it is clear that in the near future it will also affect energy firms, banks, insurance companies and, in general, everybody who relies upon aggregate data to tweak its supply chain of services.

Once again, the Italian Data Protection Authority proves to be one of the biggest blocking factors of the Italian telco market, while not granting citizens any real protection.

Italian data protection authority to (apparently) sanction Carabinieri’s DNA forensics biobank

On May 25, 2009 the Italian Data Protection Authority (DPA) disclosed the results of an investigation into the DNA forensics database run by the Carabinieri’s Raggruppamento Investigativo Speciale (RIS).[1]

According to the laconic press release, the DPA ordered RIS to enforce stricter security measures to track who accesses the database. Although the DPA (as often happens) didn’t release the full decision, it is a legitimate inference to say that RIS didn’t take DNA security seriously enough. The DPA decision shares the same (flawed) cultural milieu as the Italian National DNA Database Institution Bill, soon to come into full force. The DPA objected nothing to RIS (as well as the NDNAD bill) retaining both the biological sample and the DNA profile. By doing so, the DPA laid the foundation for the most pervasive, State-controlled mass violation of citizens’ privacy.

Current DNA profiling methods, such as SNPs (read “snips”), are powerful enough to allow the identification of a person without the need to preserve the biological sample that provided the genetic profile. Allowing the Carabinieri (and the Parliament) to do the contrary means bearing the real risk that analyses of a very different (and uncontrolled) kind will be performed on the genetic code of the inhabitants of the Italian NDNAD.

Pandora’s box would be – then – ready to be opened.

1. One of the three main police forces in Italy. The others are the Polizia di Stato and the Guardia di Finanza.

CNAIPIC… a borderless center

On May 19, 2009 Italian news services announced the creation of a new governmental entity named CNAIPIC (Centro Nazionale Anticrimine Informatico per la Protezione delle Infrastrutture Critiche – National Anti-Cybercrime Centre for the Protection of Critical Infrastructure. Sorry, still no website up at present.)

While CNAIPIC members will surely use their brains’ computing power to figure out how to fight these hideous hackers out there, I wonder if they’re aware that “old school techniques” such as war dialing still work against big infrastructures even after thirty years or so.

Instead of thinking about how to build taller “Chinese walls”, they’d better step back and check critical infrastructure default passwords or (supposedly) non-connected modems and RAS servers.