Tomorrow, together with Stefano Chiccarelli, co-author of Spaghetti Hacker, I give a talk at the University of Rome about the Hacker Ecosystem.
Everybody is invited:)
The XP’s EOL. History Will Teach Us Nothing
Windows XP is dead in Redmond, but alive and kicking in a huge quantity of devices such ? ATMs. When the news hit the media, waves of “concerns” for the security of our money and safety stormed the public, with no actual effect on the Microsoft’s strategies. And history keeps repeating with domotics, wearable technologies and in-car systems.
This aftermath was easy to foresee when some “clever” IT manager chose to go proprietary when moving its ATM infrastructure “to the next step”, but between this and the open source alternative a third option would have spare us all the current trouble: just put into the agreement a source-code escrow provision, to guarantee the (big) client against the End-of-Life of the software.
Sure, this wouldn’t have been a cheap solutions (we’re not talking about a bunch of PHP code, here) but there are no free beers and easy life can’t last forever. If you go proprietary and enjoy the safety(?) of having somebody else who cares about bugs, patches and updates, you need to have a contingency plan for the moment when your licensor plugs-off the cord that keeps alive the software you’re using.
And now history is re-repeating itself. We’re on the edge of a new invasion of pervasive technology based on Apple’s OSX or – again – Microsoft Windows Whatever, and in a bunch of years we will complain again that because of a copyright issue we can’t enter our home, use the fridge, watch the television, start the car, know what’s the time, have a medical diagnosis and so on…
A final, collateral, question: where do the corporate lawyers were, when those agreement have been signed?
The Italian Data Protection Authority to start a code reviewing investigation
Better late then ever: a press release from the Italian Data Protection Authority ? advertises the data-protection oriented review of a certain number of apps.
This initiative should be a major concern for the (yet unaware) software industry, whose intellectual and industrial property might be endangered by a deep peep into its well protected secrets. Neither are clear the criteria that will lead to the app selection, nor whether or not the DPA will asks the developers for source code access.
Unless this IDPA investigation is just an empty PR stunt, it should be carried on by accessing the source code or reverse-engineering the executables: but doing so without signing NDAs and/or provide guarantees of non exploitation is an approach that the industry will likely reject.
Furthermore, if the software check will target only a certain kind of companies, leaving the other players of the same market safe from the scrutiny, this might be held as an unfair alteration of the market dynamics. And things might be much worse if the targeted companies are the smallest one, instead of the big fishes in the pond.
Mind, the lack of data-protection compliant programming isn’t a new or unforeseen issue – as the history of software can witness – but the IDPA never actually cared that much. For instance, it didn’t move a finger when back in 2002 ALCEI (a civil-rights Italian NGO) asked in vain the IDPA to check the claims of the existence of hidden features of a certain series of Telindus routers that posed significant threats to the users’ data protection.
Data Protection vs Data Retention
One of the oddities of the Data Protection legal framework is the relationship between Data Retention and Data Protection and the (wrong) notion that when the retention period has expired, the retained data must be deleted.
Let’s start from scratch: as soon as the services work properly, an ISP has no need to preserve the traffic data, but since we don’t live in a perfect world, problems happen so it is necessary to retain some information for troubleshooting and traffic shaping; furthermore, customers’ claims, billing and legal issues strongly support the need to save some more information. Thus, ISPs – though on a voluntary basis – do collect and retain traffic-related information as long as these information are useful to pursue legitimate goals.
Enter the Data Retention. With a questionable motive, ISPs are now forced – forced – to retain for a limited time some traffic data for the sake of the law enforcement community. In other words, what before the Data Rention Era was voluntary, now is mandatory.
But what happens when the mandatory retention period expires? The answer is (supposed to be) easy: the ordinary Data Protection legal regime comes back into force, so the ISPs are – or should be – free to either continue keeping those data (for legitimate purposes) or deleting it.
Conversation on Evidence
“Discorsi sulla prova” (“Conversations on evidence”) is a conference that will be held in Milan, next Apr. 4.
Judges, philosophers, physicians and scientist will talk about the different meaning of the word “evidence” in their specific fields.