The Security Excuse

This is a close-up of a banner belonging to the Préfecture de police, Paris, Rue de la Cité.

Actually this banner says nothing special beyond what a public police power is supposed to do; nevertheless – as I wrote when commenting on the picture – I don’t know why, but every time I hear a public power saying that it cares about me I feel a bit worried.

Security is not a process, it’s a product

No, I didn’t make a mistake. I actually meant that security is a product and not – as the mantra we have been hearing for decades goes – a process. The truth is that company departments are governed by this god called “budget”, and failing to fully spend it means that at the next round the financial controller will cut it, thus lowering the status and the power of the IT or security manager involved.

So the money has to be spent, but how? Not on consulting or security management, of course. When incidents happen (as they do, more often than we may imagine or hope) the barrel starts rolling and everybody in the company keeps it rolling onto somebody else’s shoulders. And here comes the catch: nobody will ever be fired for having purchased stacks of “security-branded” boxes like firewalls, intrusion detection tools etc., even if these boxes aren’t properly deployed.

It’s easy to face the incident meeting with the CEO, the HR head and the legal department by saying: “Look, we purchased the best things on the market, and to be sure that we were safe we doubled all the components – you know, redundancy, high availability and those other things required by our security certification. Unfortunately these fucking Balkan hackers know better than the devil itself. But I have already worked out how to fix the problem: our supplier has been asked to provide its latest device, which will protect us better than ever. BTW, since we’re talking about that, though I got a fair price cut, the thing is costly and I need my budget to be extended. It’s for security’s sake!”

Now compare this statement with what follows: “Well, as you know, we didn’t need to spend money on hardware. Our firewalls are still capable and fit, so I focused on the internal checks. I hired a consulting firm to do a penetration test once a year (can’t do it more often because the company complained that these activities slow down the business), then I had another company monitor and analyze the daily flow of the traffic we generate (but the legal department prevented us from diving too deep into the origin of the connections, so we don’t actually know where the trojan came from), then I hired an auditor to check the software installed on each computer in use, but HR told us that we couldn’t do it on the top management’s laptops.”

And here comes the final question: which of the two security managers is gonna be fired?

The Danger of the New Crusaders and the Risk for the Medical Research

Repubblica.it, an Italian online newspaper, reports the cancellation of a fund-raising initiative to collect money for research on rare diseases. The cancellation was motivated by the fear of riots provoked by animal-rights activists who object to living animals being used in medical research. This form of terrorism is a dangerous growing trend in Italy, and one of the reasons for this growth is that extreme animalism is not perceived as being as bad as its “political” sibling (thanks to the support given by teenager-oriented TV channels, politicians and artists). I don’t see how the opinion of (former) models, self-professed experts with no impact factor or citation index, or bloggers-on-a-mission should prevail over the facts stated by the major Italian research institutions.

Anyway, the consequence is that the police authorities and the government aren’t taking this issue seriously, letting activists continue to threaten medical and biotech research in Italy. Of course I don’t claim that “every animalist is a terrorist” and I don’t want to enter into the semantics of either word. What I do not find fair is the justification of the use of violence in the name of an idea: the field of history is crossed by enormous rivers of blood because somebody believed themselves to be absolutely right, thus taking on the burden of “converting” those who disagreed.

As often happens in Italy, this is the result of a confusion between “ethics” (which is a personal matter) and “law” (which is – or is supposed to be – a tool for balancing contradictory interests). This confusion is likely to badly affect the feasibility of scientific research in Italy. I still haven’t collected enough information about how big a disincentive this animalist threat is for the health companies that want to invest in Italy, but the very first hints don’t let one imagine a bright future.

Why the EU Cookie Directive doesn’t actually protect the final user

All the fuss generated by the use of cookies by almost every website on the traditional Internet, which led the EU to pass the Cookie Directive, just produced a pop-up that warns the anonymous user about the presence of these digital candies. Thus the Ad-dicted can claim to be law-abiding netizens while giving no actual privacy protection to the users. Want a proof? What follows is a cookie left on my computer by a well-known e-commerce giant: A0CJfSiKBUmZik9DPj7fCXA. Firefox tells me about its existence and expiry date, but how am I supposed to know what this cookie means? And what difference does it make whether I am aware of its presence or not, since I have no way of understanding what its function is?

In short: the Cookie Directive is useless and, as Cicero used to say, Summum Jus, Summa Injuria.

Data Protection vs Data Retention

One of the oddities of the Data Protection legal framework is the relationship between Data Retention and Data Protection, and the (wrong) notion that when the retention period has expired the retained data must be deleted.

Let’s start from scratch: as long as the services work properly, an ISP has no need to preserve traffic data, but since we don’t live in a perfect world problems happen, so it is necessary to retain some information for troubleshooting and traffic shaping; furthermore, customers’ claims, billing and legal issues strongly support the need to save some more information. Thus ISPs – though on a voluntary basis – do collect and retain traffic-related information as long as this information is useful for pursuing legitimate goals.

Enter Data Retention. With a questionable motive, ISPs are now forced – forced – to retain some traffic data for a limited time for the sake of the law enforcement community. In other words, what was voluntary before the Data Retention era is now mandatory.

But what happens when the mandatory retention period expires? The answer is (supposed to be) easy: the ordinary Data Protection legal regime comes back into force, so ISPs are – or should be – free either to continue keeping those data (for legitimate purposes) or to delete them.