Category: IT Security

Posted on

The XP’s EOL. History Will Teach Us Nothing

Windows XP is dead in Redmond, but alive and kicking in a huge quantity of devices such ? ATMs. When the news hit the media, waves of “concerns” for the security of our money and safety stormed the public, with no actual effect on the Microsoft’s strategies. And history keeps repeating with domotics, wearable technologies and in-car systems.

This aftermath was easy to foresee when some “clever” IT manager chose to go proprietary when moving its ATM infrastructure “to the next step”, but between this and the open source alternative a third option would have spare us all the current trouble: just put into the agreement a source-code escrow provision, to guarantee the (big) client against the End-of-Life of the software.

Sure, this wouldn’t have been a cheap solutions (we’re not talking about a bunch of PHP code, here) but there are no free beers and easy life can’t last forever. If you go proprietary and enjoy the safety(?) of having somebody else who cares about bugs, patches and updates, you need to have a contingency plan for the moment when your licensor plugs-off the cord that keeps alive the software you’re using.

And now history is re-repeating itself. We’re on the edge of a new invasion of pervasive technology based on Apple’s OSX or – again – Microsoft Windows Whatever, and in a bunch of years we will complain again that because of a copyright issue we can’t enter our home, use the fridge, watch the television, start the car, know what’s the time, have a medical diagnosis and so on…

A final, collateral, question: where do the corporate lawyers were, when those agreement have been signed?

Posted on

Google, the European Court of Justice and the End of History

The European Court of Justice ruling against Google Spain is another step toward the deletion of the History (capital “H”) and collective memory. In the name of “privacy” the Court allowed the possibility to completely remove a lawful information from public scrutiny, as is clearly stated at the end of the ruling:

Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful. (emphasis added)

Now, with the support of this decision, corrupts politicians, scammers, con artists, bad payers and similar breeds can easily re-gain their anonymity, and historians from the future will not be able to discover and understand how our society was working.

And, to some extent, this wouldn’t be a bad thing…

Posted on

The Italian Data Protection Authority to start a code reviewing investigation

Better late then ever: a press release from the Italian Data Protection Authority ? advertises the data-protection oriented review of a certain number of apps.

This initiative should be a major concern for the (yet unaware) software industry, whose intellectual and industrial property might be endangered by a deep peep into its well protected secrets. Neither are clear the criteria that will lead to the app selection, nor whether or not the DPA will asks the developers for source code access.

Unless this IDPA investigation is just an empty PR stunt, it should be carried on by accessing the source code or reverse-engineering the executables: but doing so without signing NDAs and/or provide guarantees of non exploitation is an approach that the industry will likely reject.

Furthermore, if the software check will target only a certain kind of companies, leaving the other players of the same market safe from the scrutiny, this might be held as an unfair alteration of the market dynamics. And things might be much worse if the targeted companies are the smallest one, instead of the big fishes in the pond.

Mind, the lack of data-protection compliant programming isn’t a new or unforeseen issue – as the history of software can witness – but the IDPA never actually cared that much. For instance, it didn’t move a finger when back in 2002 ALCEI (a civil-rights Italian NGO) asked in vain the IDPA to check the claims of the existence of hidden features of a certain series of Telindus routers that posed significant threats to the users’ data protection.

 

 

Posted on

Data Protection and Right of Defense. Stating the Obvious

Yet more evidence that Data Protection is not an absolute right. On the contrary, as the Italian Supreme Court decision n. 7783/14 said 1 a few days ago:

the interest to the protection of personal data must step back when confronted by true defense needs and other legally relevant interests, such as the fair and coherent enforcement of the right of defense in court.

  1. Unofficial Translation
Posted on

Statute of limitation and Data Retention Corporate Policies

There is a common opinion that personal data should be deleted almost immediately and, anyway, as soon as they become useless: a sensitive problem in particular under the (now defunct) Data Retention Directive, once the mandatory retention period expired.

This position is not correct since a company has a legitimate motive – and a legal obligation – to preserve whatever information, including personal data, that are necessary to abide the law and to protect both its right of defense and the right to a due process. This means that under the term set forth by the Statute of limitation a company might, at its own will, choose to continue retaining personal data of its customer base.

In Italy, the ordinary Statute of limitation is ten years. So companies can be sued by customers and tax authorities for alleged charges that go way back into the past. This is what happened in a court case tried in front of the Justice of peace of Grosseto (Tuscany) that on January 2014 ruled a quarrel started in 2011 between a telecom company and a client. The ruling said that, under the rule of evidence for civil trials, the telecom company has the duty to provide evidence of having actually delivered its services and that this duty is fulfilled by showing the traffic-data log.

It is clear that by interpreting the Italian Data Protection Act in a way that forces the deletion of the traffic data after a few months, an ISP or a telecom operator wouldn’t be able to defend itself if the trial starts within the Statute of limitation term but after the traffic data have been deleted.

A similar situation might happens in the antitrust field and in case of investigations run by the Italian Internal Revenue Service, so the conclusion is that the Data Protection Legal Framework cannot be interpreted in such a strict manner to endanger the legitimate rights of a company.