Privacy and Data Protection – Page 34

March 29, 2014March 29, 2014

Friday Night (Data Retention) Fever

Here is a real case that happened just a couple of days ago, while helping an ISP to find a way to handle the deletion of data after the mandatory term imposed by the Eu Data Retention Directive expires. Whatever the solution, thank to the rigidity of the provisions, a law will not be obeyed.

Background:

? The automatic processing of the data-deletion is usually made so that a script matches daily the data-creation date with the current date, and if the match says that the retention term is expired, then the script delete the data,
The only exception is a “freeze” order issued by a Court or a prosecutor. In this case it is possible to avoid the requested data to be destroyed,
The “freeze” order are notified either by fax, secure email or direct order to the “Protocol department” (that handles the incoming communications, and that “route” the messages to the concerned people),
While when the offices are closed there is always at least one resource belonging to the technical department to be alerted in case of urgency, the administrative offices just shut down the curtains of Friday at – say – 5P.M.,

Scenario:
– let’s say that a secure mail or a fax containing the “freezing” order arrives when the Protocol Department is closed. This means that the request will be processed the next day,

– let’s say that the “freezing” order concerns data that are going to be destroyed the very same Friday night when the order arrived,

What happens is that the “freezing” order arrived timely, before the data were destroyed, but since the internal route of the order is handled when the term is expired, the data have been deleted.

A possible solution could be to extend the deleting time frame of three days (thus accounting for the week-end gap) but it doesn’t work. Here is why.

If I have to destroy the data on Friday, and I kept it until Monday just to check if some Court order has been notified in the meantime, it might happens that on the very same Monday a Court order might be notified in relationship to the Friday-to-be-deleted data (when the data are supposed not to exist anymore).

So, if I follow the DRD I must refuse to comply with the Court order because though the data are there, they can be processed only if the Court order were notified within the original term. On the other hand, I can’t refuse to obey to a Court order, if I still have the concerned information.

A contemporary version of the Buridan’s Ass Paradox.

March 23, 2014

The Security Excuse

This is a close-up of a banner belonging to the Prefecture de police, Paris, Rue de la citè.

Actually this banner says nothing special but what a public police power is supposed to do; nevertheless ? – as I wrote commenting the picture – I don’t know why, but every time I hear a public power saying that he cares about me I feel a bit worried.

March 8, 2014

Why the UE Cookie Directive doesn’t actually protect the final user

All the fuss generated by the use of cookies by almost every website on the traditional Internet that led the EU to pass the Cookie Directive just produced a pop-up that warns the anonymous user about the presence of these digital candies. Thus, the Ad-dicted can claim to be law-abiding netizens while giving no actual privacy protection for the users. Want a proof? What follows is a cookie left on my computer by a well-known e-commerce giant: A0CJfSiKBUmZik9DPj7fCXA. Firefox tells me about it existence and expiring date, but how am I supposed to know what does this cookie means? And what difference does it make whether I am aware or not of its presence, since I have no way of understanding what’s its function?

Short: the Cookie Directive is useless and, as Cicero used to say, Summum Jus, Summa Injuria.

March 5, 2014March 5, 2014

Data Protection vs Data Retention

One of the oddities of the Data Protection legal framework is the relationship between Data Retention and Data Protection and the (wrong) notion that when the retention period has expired, the retained data must be deleted.

Let’s start from scratch: as soon as the services work properly, an ISP has no need to preserve the traffic data, but since we don’t live in a perfect world, problems happen so it is necessary to retain some information for troubleshooting and traffic shaping; furthermore, customers’ claims, billing and legal issues strongly support the need to save some more information. Thus, ISPs – though on a voluntary basis – do collect and retain traffic-related information as long as these information are useful to pursue legitimate goals.

Enter the Data Retention. With a questionable motive, ISPs are now forced – forced – to retain for a limited time some traffic data for the sake of the law enforcement community. In other words, what before the Data Rention Era was voluntary, now is mandatory.

But what happens when the mandatory retention period expires? The answer is (supposed to be) easy: the ordinary Data Protection legal regime comes back into force, so the ISPs are – or should be – free to either continue keeping those data (for legitimate purposes) or deleting it.

February 28, 2014February 28, 2014

Reverse Engineering of the gray world: Intelligence as a black-box

Back to one of my first love: next March 11 (Rome University La Sapienza) and 20 (Milan University Statale) I have been asked to talk about “Reverse Engineering of the gray world: Intelligence as a black-box” and “Use(less) online Open Source Intelligence”.