Aggregate data and Italian Data Protection Authority

An Italian Data Protection Authority decision issued on June 25, 2009 set a deadline of Sept. 30, 2009 by which telco operators and ISPs must notify the Data Protection Authority of the list of mining activities they perform on customers’ aggregate data (such as traffic volumes, paths and so on). The aim of this decision is to spot illegal (at least, in the Data Protection Authority’s opinion) data handling “masked” by activities performed to keep the infrastructure running.

The Data Protection Authority, after having received the information, will decide what can still be done without informing the customer, what can be done AFTER having informed the customer and obtained his approval, and what cannot be done at all. Furthermore, the Data Protection Authority will release a set of technical and management rules to ensure the concerned subjects’ compliance.

If this new set of rules mimics those recently established for data-retention purposes and system administrators, telcos and ISPs will again face a mayhem of useless bureaucracy, so hard to understand that the Data Protection Authority itself released a FAQ to explain what these regulations actually meant (and we’re still waiting for the FAQ interpretation).

Although the decision is limited to the Internet and telephony world, it is clear that in the near future it will also affect energy firms, banks, insurance companies and, in general, everybody who relies upon aggregate data to tweak their supply chain of services.

Once again, the Italian Data Protection Authority has proved to be one of the biggest blocking factors of the Italian telco market, while not granting citizens any sort of protection.

Italian data protection authority to (apparently) sanction Carabinieri’s DNA forensics biobank

On May 25, 2009 the Italian Data Protection Authority (DPA) disclosed the results of an investigation into the DNA forensics database run by the Carabinieri’s Raggruppamento Investigativo Speciale (RIS). [1]

According to the laconic press release, the DPA ordered RIS to enforce stricter security measures to track who accesses the database. Although the DPA (as often) didn’t release the full decision, it is a legitimate inference to say that RIS didn’t take DNA security seriously enough. The DPA decision shares the same (flawed) cultural milieu as the Italian National DNA Database Institution Bill, soon to come into full force. The DPA raised no objection to RIS (as well as the NDNAD bill) retaining both the biological sample and the DNA profile. By doing so, the DPA laid the foundation for the most pervasive, State-controlled mass violation of citizens’ privacy.

Current DNA profiling methods, such as SNPs (read “snips”), are powerful enough to allow the identification of a person without the need to preserve the biological sample that provided the genetic profile. Saying that the Carabinieri (and the Parliament) are allowed to do the contrary means bearing the real risk of having analyses of a very different (and uncontrolled) kind performed on the genetic code of the inhabitants of the Italian NDNAD.

Pandora’s pot would be – then – ready to be opened.

  1. One of the three main police forces in Italy. The others are Polizia di Stato and Guardia di Finanza.

CNAIPIC… a borderless center

On May 19, 2009 Italian news services announced the creation of a new governmental entity named CNAIPIC (Centro Nazionale Anticrimine Informatico per la Protezione delle Infrastrutture Critiche – National Center Anti-Computer Crimes for the Critical Infrastructure’s Protection. Sorry, still no website up to the present).

While CNAIPIC members will surely use their brains’ computing power to figure out how to fight these hideous hackers out there, I wonder if they’re aware that “old school techniques” such as war dialing still work against big infrastructure even after thirty years or so.

Instead of thinking about how to build taller “Chinese walls”, they’d better step back and check critical infrastructure for default passwords or (supposedly) non-connected modems and RAS.

Why “Olivennes Bill” wouldn’t work in Italy

The “Olivennes Bill” (named after the French lobbyist who proposed it) on copyright protection was blocked by the French Parliament a couple of days ago (but there is little doubt that the French Government will try to have it approved ASAP). If (better, when) passed, this bill would have enforced a “parallel indictment system” handled by an “independent” authority called HADOPI acting as an actual Court of Justice, given the power to decide, without a fair trial, whether a person deserves to be disconnected from the Internet after being warned twice by the copyright holder through the concerned Internet Access Provider.

Entertainment Industry lobbyists like this approach very much and are pushing hard to have Italy enforce it too. “The Problem” is – fortunately – that an Italian version of the Olivennes Bill would be affected by serious legal and Constitutional flaws, thus making it impossible to pass, for a number of reasons.

First, the Italian Code of Electronic Communication (L.259/03), sect. 4 para I letters f), g) and h), makes network neutrality mandatory. Imposing on Access Providers’ shoulders filtering duties or any other technological activity limiting the way the Italian Public Network (rete pubblica di comunicazioni) works would be what the Code calls “discrimination among specific technologies” and “forcing the use of a particular technology against others”.

Second, the Access Providers would be forced to report their users’ criminal behaviour to the Public Authorities because of the cross-combination of Legislative Decree 70/2003 [1] and sect. 171 bis et al. of Law 633/41 [2]. Legislative Decree 70/2003, in fact, makes the Access Provider not automatically accountable for its users’ actions, provided that it doesn’t willingly become part of them. Furthermore, the Decree says that the Access Provider must report any criminal misconduct to the police forces as soon as it has been given sound evidence of criminal behaviour committed by an Internet user, thus forcing the prosecutor to start a criminal investigation. All this is possible because Italian copyright infringement provisions are “designed” to be mandatorily investigated by the Public Prosecutor [3]. Then, should Italy enforce an Olivennes-like legislation, there would be a “double trial” for the same (alleged) fact: the first – real – under a Court’s scrutiny, the second – “mock” – run by an “independent” authority, leading to a conflict of public powers.

Third, as a side question, nobody told Mr. Olivennes that his bill is oddly similar to ancient Western European Barbarian laws, where it didn’t matter who the actual culprit was, because the victim had the right to retaliate against any other member of the culprit’s family. This is what Mr. Olivennes proposes: to seclude a whole family or company from the Internet for the (alleged) wrongdoing of a single member.

Not bad, as an exercise on democracy.

  1. Enforcing EU Directive 31/00 on e-commerce and the online liability of access/content providers.
  2. Italian Copyright Law.
  3. The Italian Penal Code contains two “kinds” of crimes: the first is composed of very serious misconduct such as homicide and money laundering – to name a few – that must be investigated no matter whether the victim asks for it. The second is composed of serious crimes too, but the beginning of their investigation is in the victim’s own hands. In other words, if the victim of a theft doesn’t ask the public prosecutor to start investigating the crime, nothing happens, even if a policeman or a magistrate knows that the fact actually happened.

Italian Politicians to storm the Internet

There is a disturbing trend in Italy. Every now and then, for the most varied reasons, a politician feels compelled to propose a bill “regulating” the Internet.

In a previous post I addressed the issues raised by the Cassinelli and D’Alia bills in re: Internet censorship. A few weeks after, more colleagues followed their lead.

Former showpersons – now MPs of Berlusconi’s party – propose free speech and anonymity regulation “to protect minors” (but facts show that they’re mostly concerned with copyright).

Between January and March 2009 Luca Barbareschi (actor) and Gabriella Carlucci (anchor woman) proposed two draft laws whose declared intent was to enforce copyright protection by shutting down civil liberties.

Mr. Barbareschi’s proposal creates a “single point of cultural control” by granting the Italian State-backed royalty collecting agency the role of exclusive gateway between artists and the market. Furthermore, Mr. Barbareschi’s draft law contains such loose statements about ISPs’ liability that the Government is allowed to do basically whatever it wants.

More dangerous, if possible, is Mrs. Carlucci’s draft law, which wants to ban anonymity from the Net, refusing even to consider intermediate forms such as “protected anonymity” (where the ISP acts as a trusted third party). Mrs. Carlucci wants to establish a committee under the Communication Authority with the power of interpreting Internet-related law (in Italy, only magistrates and the Parliament are supposed to), receiving “confidential notice” of infringement, acting as Alternative Dispute Resolution provider, and counseling magistrates about the enforcement of preemptive activities regulated under the rules of evidence code (like searches and seizure, temporary jail restriction etc.).

Again, on March 19, 2009, MPs Beatrice Lorenzin, Manlio Contento and Enrico Costa (all belonging to Mr. Berlusconi’s party) proposed a bill to filter minors’ access to websites suggesting tough weight-loss techniques. Of course this was done to “protect minors”.

On the other (political) side, on March 27, 2009 Vincenzo Vita and Luigi Vimercati (both belonging to the Democratic Party) proposed a bill to respect network neutrality and use open source in public administration. Oddly enough, this proposal comes too late, since both Mr. Vita and Mr. Vimercati held institutional offices under the centre-left central Government and local administrations. When both Mr. Vita and Mr. Vimercati had the actual chance to do something effective, they did nothing, while their colleagues promoted proprietary software (Mr. Mussi as Minister of university and Mr. Nicolais as Minister of innovation) and severely injured human rights by forcing Italian ISPs to block access to controversial websites without a court order (Mr. Gentiloni, now Democratic Party, Minister of communication).