The Roman Catholic Church Knows Better (about privacy and the Internet)

Monsignor Nunzio Galantino, the secretary of the Conferenza Episcopale Italiana (the permanent assembly of Roman Catholic Bishops) stated that (my translation)

The Internet is useful and effective, but the price we pay in terms of privacy is huge

and, talking about the Data Protection Authority, he said

I don’t understand what these useless entities are good for.

Of course he’s right, but the Italian Data Protection Commissioner (obviously) has a different opinion, claiming that (again, my translation)

It is rather odd to call useless the only entity that – within its powers – has always defended human dignity from the “mud machine” 1, and from the plots arranged by those who want to turn the Internet into a space of violence and outlaws, from the totalitarian logic of the man-in-a-fishbowl.

Is this the same Data Protection Authority that failed to address the issues of the Telindus Router, the Android Spyware Case, The Pirate Bay Case, the Aruba Case and the Sony BMG rootkit case, that didn’t say a single word (while being informed) about the security concerns in relation to the upcoming massive, trial-related flood of personal data caused by the online shift of the Italian Civil Trial System, and that wasn’t able to prevent the leak of a confidential report?


  1. The reference is to a journalism idiom meaning the use of the media machine to soil somebody’s reputation.

Apple’s New Security Policy: Just a PR Stunt?

Apple announced that it is no longer able to break into iOS 8-based devices because of its “privacy-by-design” development strategy. Thanks to this choice, according to Tim Cook, as quoted by The Washington Post,

it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.

Since the imagination of both lawyers and judges knows no limit, I wouldn’t be surprised to hear, in the near future, about some claim of “contributory criminal activity” filed against Apple based on its deliberate choice of giving “unbreakable weapons” to terrorists, paedophiles and copyright infringers.

When this scenario becomes real, it will be interesting to see whether Apple sticks to its “libertarian” position, risking a trial for contempt of court, or negotiates over its users with the powers-that-be.

Then, and only then, will we be able to check whether this “privacy commitment” was a genuine attitude or just the next marketing trick.

The Data Protection Authority Leak And The (Now) Hard To Find Article

The link to the article about the leaked Italian Data Protection Authority secret report is no longer easily accessible on Repubblica.it (the newspaper that did the scoop). There is no trace of the link on the home page, and the title is missing from the Technology section.

If you are quick enough, a one-minute video clip gives you the chance to click an anonymous link (labelled “Leggi su Repubblica.it”, “Read it on Repubblica.it”) and the article finally comes on screen.

Technically speaking, then, the article is still online, but now in a hard-to-find form. This is rather odd, because other older and less important articles (such as the worthless research on the selling price of personal data) are still featured in the Technology section of the same newspaper.

An Italian Data Protection Authority Secret Report Leak?

According to an Italian newsmagazine, a not-for-public-eyes investigation by the Italian Data Protection Authority is said to have found severe security problems in the management of the Internet Exchange Points (the points of the Italian telecommunication network where the various telco networks are interconnected).

A first remark is that the King is, or might be, naked. If this secret report actually exists (and the IDPA didn’t deny its existence) and has been leaked, the Authority’s information security is not that good, and therefore the IDPA should fine itself for this non-compliance instead of just targeting the rest of the (industrial) world.

Coming to the heart of the matter, in the words of the journalists who authored the article:

there is an enormous black hole in the security of Italian telecommunications. A hole so wide that it allows whoever has the proper equipment to access phone calls, SMS, emails, chats, and content posted on social networks.

The journalists claim that the report verbatim says:

These devices are equipped with technical features that allow the duplication, in real time, of the traffic in transit, diverting it to another port (port mirroring)

and that

if somebody wanted to look at the traffic in transit, this could easily be done with specific analysis tools …

It is amazing how legally and technically unsavvy this article (and the IDPA findings, if proven true) is, because:

  • the possibility of performing port mirroring is necessary to public prosecution and intelligence agency activities. The point, then, is how and by whom these features are exploited, rather than their mere existence, which, like it or not, is necessary for investigative purposes. One day, maybe, it will be possible to disclose some of the ways traffic data are requested, but this is another story…
  • there is no evidence of the port mirroring features being abused, misused or cracked;
  • performing port mirroring at an Internet Exchange Point is not as easy as the article and the IDPA report(?) say: it is not like the computer virus upload in Independence Day or Hugh Jackman’s “under pressure” hack in Swordfish;
  • there is an easy way, available almost since day one of the pre-Internet era, to protect users’ communications without caring what the ISPs do: client-based encryption. But I assume that the Minister of Home Affairs wouldn’t like an IDPA endorsement of the “crypto-for-the-masses” slogan;
  • oddly enough, the IDPA secret report (if genuine) doesn’t address the serious problem of the proprietary firmware and operating systems of network devices, which prevent an ISP from checking on its own for the existence of backdoors (as in the recent Cisco affair) and other security flaws.
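The two points about port mirroring and client-based encryption can be made concrete with a small simulation. The following Python is an added example written for this post, not code from the IDPA, the newspaper or any IXP equipment vendor; the switch model, the frame format, the addresses and the sample message are all constructed, and the one-time pad stands in for whatever real end-to-end encryption (TLS, PGP and the like) a client would actually use. It shows that the mirror port receives an identical copy without the endpoints noticing anything, that a plaintext payload is immediately readable there, and that with client-side encryption the copy still leaks metadata (who talks to whom, and how much) but not content.

```python
"""Added example: what a port mirror exposes, and what client-side encryption hides.

Illustrative code written for this post. The Switch class, the Frame format,
the addresses and the sample message are constructed for the demonstration;
the one-time pad is a stand-in for real end-to-end encryption whose key the
network never sees.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Frame:
    src: str        # constructed endpoint names, e.g. "alice" / "bob"
    dst: str
    payload: bytes


@dataclass
class Switch:
    """Minimal model of a switch with one optional mirror (SPAN) port."""
    ports: Dict[str, List[Frame]] = field(default_factory=dict)
    mirror_port: Optional[str] = None

    def attach(self, name: str) -> None:
        self.ports[name] = []

    def forward(self, frame: Frame) -> None:
        # Normal delivery to the destination port...
        self.ports[frame.dst].append(frame)
        # ...plus, when mirroring is configured, an identical copy to the
        # monitor port. Sender and receiver observe nothing different.
        if self.mirror_port is not None:
            self.ports[self.mirror_port].append(frame)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time pad: XOR with a random key as long as the message, used once.
    Stands in for client-side encryption; the key never crosses the network."""
    assert len(key) == len(plaintext), "one-time pad key must match message length"
    return bytes(p ^ k for p, k in zip(plaintext, key))


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return otp_encrypt(ciphertext, key)  # XOR is its own inverse


def observe(frames: List[Frame]) -> List[dict]:
    """What a passive observer at the mirror port learns from each copied frame:
    endpoints and size always; content only if the payload is readable text."""
    out = []
    for f in frames:
        readable = all(32 <= b < 127 for b in f.payload)   # printable ASCII only
        out.append({
            "src": f.src,
            "dst": f.dst,
            "length": len(f.payload),
            "text": f.payload.decode("ascii") if readable else None,
        })
    return out


def run_demo() -> dict:
    sw = Switch()
    for p in ("alice", "bob", "monitor"):
        sw.attach(p)
    sw.mirror_port = "monitor"      # the "port mirroring" feature being discussed

    # 1. Plaintext message: the mirror port receives a readable copy.
    msg = b"meet me at 10, bring the contract"     # constructed sample message
    sw.forward(Frame("alice", "bob", msg))

    # 2. Client-encrypted message: only Alice and Bob hold the key.
    key = secrets.token_bytes(len(msg))
    sw.forward(Frame("alice", "bob", otp_encrypt(msg, key)))

    seen = observe(sw.ports["monitor"])
    bob_decrypted = otp_decrypt(sw.ports["bob"][1].payload, key)
    return {"seen": seen, "bob_decrypted": bob_decrypted, "message": msg}


if __name__ == "__main__":
    result = run_demo()
    for entry in result["seen"]:
        print(entry)
    print("Bob decrypts:", result["bob_decrypted"])
```

Run it and the monitor port shows two copies with identical metadata (alice to bob, 33 bytes each): the first with the readable text, the second with no recoverable content, while Bob decrypts the second copy normally. That is the whole of the post's point: the mirror is a legitimate, well-understood switch feature, and what it can reveal depends on whether the endpoints encrypt, not on whether the feature exists.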

The Economics of Personal Data And The (Reckless?) Use Of Unreliable Statistics

A paper by a scholar of the University of Trento (IT), co-authored by people from the Kessler Foundation, Telefonica Network, Telecom Italia and Google, finds that we are ready to sell our personal data for about two Euros.

Although the conclusions are, in principle, fair enough and match the “gut feeling” of whoever works in the field of personal-data handling, I wonder how it would be possible to draw statistical evidence from the criteria adopted.

I’m not a statistician, but the only part of the paper dedicated to the sample’s composition reads:

All volunteers were recruited within the target group of young families with children, using a snowball sampling approach where existing study subjects recruit future subjects from among their acquaintances … A total of 60 volunteers from the living lab chose to participate in our mobile personal data monetization study. Participants’ age ranged from 28 to 44 years old (μ = 38, σ = 3.4). They held a variety of occupations and education levels, ranging from high school diplomas to PhD degrees.
All were savvy Android users who had used the smartphones provided by the living lab since November 2012. Regarding their socio-economic status, the average personal net income amounted to €21169 per year (σ = 5955); while the average family net income amounted to €36915 per year (σ = 10961). All participants lived in Italy and the vast majority were of Italian nationality.

While, again, I have a limited knowledge of statistics, there are a few oddities in the method applied by the researchers that undermine the value of the findings:

  1. The sample is made up of only 60 people, belonging to young (wealthy enough) families with children. This isn’t a fair depiction of Italian socio-economics. Furthermore, there is neither enough information about the socio-economic status nor about the geographic location of the participants to actually understand the sample quality.
  2. Even Wikipedia knows that the “snowballing” sample selection method is prone to biases. No evidence is given in this paper of how the biases are handled.
  3. Though broadly used, Android isn’t the only platform. A well-balanced sample should have taken into account BlackBerry, iOS and Windows Mobile (or whatever its name is).
  4. The “measurements” of individual traits rely upon psychological categories and methods. Psychology is not a science, and putting a bunch of equations into a highly subjective discipline doesn’t turn it into hard science (I know, I know, positivism is dead, natural sciences aren’t so “absolute”, etc. But try to send a rocket to the moon by assessing the “mood” of a ballistic trajectory and tell me the results.)

Before concluding that this paper offers no scientific evidence for its findings, I would like to have these (and maybe other, expert-made) questions answered. But I’m afraid that the final judgement wouldn’t change.

A final remark: the lack of scientific method shown in this paper is dangerous because, as often happens, poorly informed journalists jump on the news and “sell” it without any warning to the readers, thus luring them (and the Data Protection Authority, I fear) into thinking that what is a limited, partial and irrelevant work actually leads to factual conclusions.