Italy, Data Protection, International Corporate Rules

Law n. 133, passed on Aug. 6, 2008, amends the Italian Data Protection Code and allows conglomerates and multi-national companies to freely exchange personal data, provided that their internal corporate rules system matches Italian Data Protection Regulation.

This is a way to circumvent the strict limits imposed by the former regulation, which forbade the exchange of personal data with countries (like the United States of America) with a lower level of legal protection for personal data.

What’s ahead in security?

This is the title of a speech Whitfield Diffie gave in Rome at University La Sapienza last Jan. 31, 2008, where I have been invited to attend the round table that followed. Other participants were Corrado Giustozzi, Giovanni Manca (CNIPA – National Centre for Information Technology in the Public Administration), prof. Luigi Mancini and Luisa Franchina (ISCOM).

There are a few online accounts of the day, but none of them tells about the “content” of the conference. Mr. Diffie’s talk was professional and fascinating – if you don’t belong to the IT security professionals’ circle. And this is the point: how is it possible that in 2008 we – Italians – are still so far from moving (even a few) steps ahead of what we were talking about in 1995?

“Fighting terrorism” was – as usual – the “leading concern” invoked to advocate defense and the suspension of civil rights in Italy. And each time I hear some Italian civil servant singing that song I remember Michael Crichton’s State of Fear, whose lesson – creating a state of fear to let powers and lobbies pursue their goals – is largely missed. This is not to say that terrorism is a fake issue. But when the security of the State becomes a political (i.e. partisan) weapon, all we get is neither effective anti-terrorism measures nor freedom protection.

As Benjamin Franklin said,

“They that would give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”

And this is what we are doing right now.

Italian Data Protection Law badly injured… whodunit?

Last June 5, 2007 the Italian Camera dei deputati (roughly, a sort of US “lower house” equivalent) passed a law to exempt Small and Medium Enterprises (SMEs) employing no more than 15 people from the enforcement of the mandatory security measures to protect personal data. To enter into full force the law needs to be approved by the Senate, whose decision is expected in the very next weeks.

This law has been proposed because – as a matter of fact – from 1996 to the present day Italian Data Protection Law has become just a bureaucratic issue, made of forms to fill in, with no actual attention to substantive issues. And – what is worse – the Italian Data Protection Authority did almost nothing in the last twelve years to stop this trend.

The proposed SME exemption aroused the furious reaction of ICT security lobbies, who claimed that this law endangers the whole Italian communication network’s “safety”. This is a grossly misleading claim, since data protection law only deals with a limited subset of data, and the provisions related to security measures basically provide “paper-based security”.

The true problem is that – on the contrary – Italian Data Protection Law has been drafted and enforced with a distinctive lack of “reality check”, whose result is that now the Parliament is backtracking.

Peppermint, copyright and personal data

A side issue arising from the Peppermint affair is the relationship between the rules of evidence in criminal and civil trials.

In a criminal investigation, access to ISP-owned traffic data and log files is possible only with a public prosecutor’s search and seizure warrant. Once seized, this information is strictly confidential and cannot be disclosed – even to the defense counsel – before the trial starts.

The very same data – as the Peppermint affair shows – can indeed be obtained by a private entity alleging a civil – not criminal, then – copyright infringement, just by asking the civil court to force an ISP to disclose the information.

This is a paradox of the Italian legal system, since criminal action is supposed to be the only reason to allow the breach of constitutional rights, while a civil case only gives the court limited powers. This common-sense rule has been subverted when talking about copyright. Is it fair or acceptable?