There is no such thing as “information” security.
According to a statement published on the Brazilian Policia Federal’s website, a criminal court issued a “mandado de prisão preventiva” (roughly, a pre-emptive arrest order) against Facebook’s representative in Brazil, charged with not having cooperated in providing information about a Facebook page.
The Brazilian court, unlike the San Bernardino court in the Apple case, chose to take its white gloves off and go straight for the jugular, leaving no doubt that cooperation with the public prosecutor is a mandatory duty for everybody, tech companies included.
By comparing the Apple and Facebook cases (and Google’s public position on the topic) a disturbing trend emerges: Internet companies (at least the so-called “Over The Top” – OTT) “think different” about themselves. Why should the OTT be left alone, when an ISP is burdened (often for free, by the way) with providing a public prosecutor with wiretapping, data-retention, forensic support, and data-mining services? Like it or not, corporate criminal liability and obstruction-of-justice regulations still apply to the OTT too, and the OTT must live with it.
This Facebook case further supports the opinion I’ve expressed about the true issue at stake: on one side, the lack of confidence in our social and legal system as a whole, and thus the fact that you can’t actually trust a magistrate or a law enforcement agency; on the other side, the “Übermensch” syndrome that affects (not only high-tech) companies and leads them to think that they have the “right” (or the power) to tell right from wrong.
Apple’s CEO Tim Cook, talking about the request made by the law enforcement community to weaken iOS, stated that complying with what the FBI is asking would mean writing software that is sort of the equivalent of cancer.
The statement is technically wrong, a slap in the face of the people plagued by this deadly disease, and evidence that talk is cheap.
First: cancer is a highly evolved entity (it has been around for 4 billion years or so) made of mutated cells that have lost their “self-killing” mechanism, that keep mutating and growing, and that create new forms of cancer elsewhere in the body once removed by surgery or other therapies. This has nothing to do with a piece of software kept under strict control by a private company.
Second: Mr. Cook is absolutely within his rights when he tries to defend his company’s Intellectual Property, but this time Apple’s spin doctors pushed the limits much too far when, for the sake of the controversy, they involved people who are meeting their fate in dire straits.
Third: of all the arguments that Mr. Cook’s spin doctors could have exploited, referring to such a dramatic disease shows a true lack of compassion toward our fellow human beings. Maybe this is not what Mr. Cook had in mind, but this is how his statement looks.
Becoming a legal IT security expert doesn’t take a lot of effort and, with due care, you can build your legend in a short time frame by following ten easy steps:
- learn the lingo (security is a process, not a product; don’t use easy-to-guess passwords; is your company ISO-27000-1 compliant? and so on),
- give yourself an “authoritative” demeanor and look (always talk in a “visionary” way, making people feel like they still live in the stone age) and dress accordingly,
- talk legalese with techies, technical with lawyers,
- attend (possibly international) IT technical and legal/management conferences, try to get as many pictures as possible of yourself with reputable people even though they don’t know you, and regularly update your Facebook/Google+/blog with those pictures,
- try to give a speech at some university students’ association, so you can claim to be an “invited speaker” at the university (without mentioning its name, of course),
- create your own “digital-something organization”, become its chairman (and sole member, by the way) and champion of digital human rights,
- flood the newspapers with press releases that will be regularly ignored until some journalist who is out of time to finish an article stumbles upon your statement, thus promoting you to the level of “source”,
- try to catch up with some low-level civil servant involved in trivial stuff related to the trade, give him some vapourware hint that makes him look smart at work, and use him as a source of petty information that lets you look like you’re part of the “inner circle”,
- try to have as many LinkedIn connections as possible,
- get the European Computer Driving Licence (at least you must know how to switch on a computer to work in this field, don’t you?).
By following these steps you start a loop in which your legend becomes more and more solid, up to the moment when you will be considered a “guru” and nobody will ever check your actual background.
And don’t worry: if you ever get a client, as long as you stick to these ten commandments you’re safe. Nobody will ever challenge the outcome (if any) of your work, because nobody will ever admit to having been fooled into hiring a fake…
Under Legislative Decree 196/03 (the Italian enforcement of the Data Protection Directive) one of the most common practices when developing the data-protection corporate policy of a company is to appoint the heads of the various departments as “Data Processors”.
Although easy in the short term, this solution might backfire on the company itself. A recent Corte di cassazione (Italian Supreme Court) decision – III penal section – Dec. n.20682/14 – ruled that, under the workplace safety regulation, an employer who appoints a safety manager who is not fit for the job because of his lack of competence commits a criminal offense.
The very same principle can be applied by analogy to the Data Protection Directive. The DPD – and its Italian enforcement – make it mandatory to appoint a data controller actually fit for the job.
Choosing people on a different basis (not because they know the matter, but just because they’re heads of the company’s departments) means that, in case of data-protection-related criminal offenses, the data controller (and, most important, the prosecutor and the court) can’t blame (only) the data processor itself.
Then, in terms of management, the decision is between only formally complying with the legal requirements and actually complying by appointing capable data processors.
In the first case the company accepts the risk of a future (but uncertain in both “if” and “when”) accident, but saves on short-term effort and time.
In the second case the company spends more and possibly has to change its internal processes in anticipation of an event that might not happen at all.