The Italian Data Protection Authority to start a code reviewing investigation

Better late than never: a press release from the Italian Data Protection Authority announces a data-protection oriented review of a certain number of apps.

This initiative should be a major concern for the (as yet unaware) software industry, whose intellectual and industrial property might be endangered by a deep look into its well-protected secrets. Neither the criteria that will guide the app selection are clear, nor whether the DPA will ask the developers for source code access.

Unless this IDPA investigation is just an empty PR stunt, it will have to be carried out by accessing the source code or by reverse-engineering the executables: but doing so without signing NDAs and/or providing guarantees that the findings will not be exploited is an approach that the industry will likely reject.

Furthermore, if the software check targets only a certain kind of company, leaving the other players in the same market free from scrutiny, this might be regarded as an unfair alteration of market dynamics. And things might be much worse if the targeted companies are the smallest ones, instead of the big fish in the pond.

Mind, the lack of data-protection-compliant programming isn't a new or unforeseen issue – as the history of software can witness – but the IDPA never actually cared that much. For instance, it didn't lift a finger when, back in 2002, ALCEI (an Italian civil-rights NGO) asked the IDPA in vain to verify the claims about hidden features in a certain series of Telindus routers that posed significant threats to users' data protection.

Data Protection vs Data Retention

One of the oddities of the Data Protection legal framework is the relationship between Data Retention and Data Protection, and the (wrong) notion that once the retention period has expired the retained data must be deleted.

Let’s start from scratch: as long as the services work properly, an ISP has no need to preserve traffic data, but since we don’t live in a perfect world, problems happen, so it is necessary to retain some information for troubleshooting and traffic shaping; furthermore, customers’ claims, billing and legal issues strongly support the need to save some more information. Thus ISPs – though on a voluntary basis – do collect and retain traffic-related information as long as it is useful to pursue legitimate goals.

Enter Data Retention. With a questionable motive, ISPs are now forced – forced – to retain some traffic data for a limited time for the sake of the law enforcement community. In other words, what before the Data Retention era was voluntary is now mandatory.

But what happens when the mandatory retention period expires? The answer is (supposed to be) easy: the ordinary Data Protection legal regime comes back into force, so ISPs are – or should be – free either to continue keeping those data (for legitimate purposes) or to delete them.

How LinkedIn Helped to Fight a Possible Scam

Among the usual daily flow of e-mails that submerges me, today I spotted a request for contact coming from a North-European research firm active in the healthcare sector. Its CFO asked for information about a possible breach-of-contract litigation.

I didn’t have any reason to think of this e-mail as a scam, but there was “something” definitely odd in the message. So I checked both the person and the company name on the Internet, and they were real. Still, I wasn’t convinced and decided to have a look at the message header: again, I got contradictory results. The mail server used to send the message was in a remote part of the US, belonging to a local ISP with no apparent connection either with Europe or with the healthcare industry the message was (apparently) coming from.

This couldn’t be a coincidence, so I searched for the LinkedIn profile of the manager who allegedly sent me the message and dropped him an InMail (so as to be sure about his identity and affiliation) and… gotcha! He replied confirming that he was not the sender of the message.

To put it short, it was a scam, and being on LinkedIn helped both me to avoid a fraud and this company to discover that it is the target of an identity theft.
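The header check described in this post can be made routine. The following script is an added example and not something from the original post: it parses the `Received:` chain of an e-mail, walks it from the oldest hop upwards to find the first relay outside private address space, and flags the mismatches that gave the game away here (a relay unrelated to the claimed sender's domain, plus a `Reply-To:` and `Message-ID:` pointing elsewhere). The sample message, its hostnames and its addresses are constructed for the example; they are not the actual message the post refers to.

```python
"""Triage of a suspicious e-mail's headers (added example, constructed data)."""
import email
import re
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed sample message, NOT a real e-mail: the From: claims a European
# healthcare research firm, but the first hop outside private address space
# is an unrelated relay, and Reply-To: points to a free-mail domain.
SAMPLE_MESSAGE = (
    "Received: from mx.receiver.example (mx.receiver.example [192.0.2.10])\n"
    "\tby mail.receiver.example with ESMTP id 1abc; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Received: from relay.unrelated-isp.example (relay.unrelated-isp.example [203.0.113.45])\n"
    "\tby mx.receiver.example with ESMTP id 2def; Mon, 1 Jan 2024 09:59:50 +0000\n"
    "Received: from [10.0.0.5] (unknown [10.0.0.5])\n"
    "\tby relay.unrelated-isp.example with ESMTPA id 3ghi; Mon, 1 Jan 2024 09:59:40 +0000\n"
    "From: CFO <cfo@healthresearch-firm.example>\n"
    "Reply-To: cfo.healthresearch@freemail.example\n"
    "To: counsel@lawfirm.example\n"
    "Subject: Breach of contract litigation\n"
    "Message-ID: <20240101095940.3ghi@relay.unrelated-isp.example>\n"
    "\n"
    "Dear counsel, we need advice on a possible breach of contract claim.\n"
)

# Address space that never identifies an external sender. The documentation
# ranges used in the sample (192.0.2.0/24, 203.0.113.0/24) are deliberately
# left out: ipaddress.is_private would otherwise treat them as non-routable.
_INTERNAL = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in _INTERNAL)


def parse_received(value: str) -> dict:
    """Extract the 'from' host, its bracketed IP and the 'by' host of one Received: header."""
    flat = " ".join(value.split())            # undo header folding
    from_part, _, rest = flat.partition(" by ")
    host = re.match(r"from\s+(\S+)", from_part)
    ip = re.search(r"\[([0-9a-fA-F.:]+)\]", from_part)
    by = re.match(r"(\S+)", rest)
    return {
        "from_host": host.group(1).strip("[]") if host else None,
        "from_ip": ip.group(1) if ip else None,
        "by_host": by.group(1) if by else None,
    }


def domain_of(address: str) -> str:
    """Domain part of a mailbox or Message-ID, lower-cased."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def analyse(raw: str) -> dict:
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]  # newest first
    from_domain = domain_of(msg.get("From", ""))
    findings = []

    # Oldest hop with a routable source address = first server outside the sender's LAN.
    origin = next((h for h in reversed(hops)
                   if h["from_ip"] and not is_internal(h["from_ip"])), None)
    if origin and not origin["from_host"].endswith(from_domain):
        findings.append(f"first external relay {origin['from_host']} ({origin['from_ip']}) "
                        f"is not under the From: domain {from_domain}")

    # Each hop's 'by' server should be the 'from' server of the next newer hop;
    # a break suggests Received: lines forged by the sender.
    for newer, older in zip(hops, hops[1:]):
        if older["by_host"] and newer["from_host"] and older["by_host"] != newer["from_host"]:
            findings.append(f"Received: chain break between {older['by_host']} and {newer['from_host']}")

    for header in ("Reply-To", "Message-ID"):
        value = msg.get(header)
        if value and domain_of(value) != from_domain:
            findings.append(f"{header} domain {domain_of(value)} differs from From: domain {from_domain}")

    return {"from_domain": from_domain,
            "origin_host": origin["from_host"] if origin else None,
            "origin_ip": origin["from_ip"] if origin else None,
            "findings": findings}


if __name__ == "__main__":
    for line in analyse(SAMPLE_MESSAGE)["findings"]:
        print("FLAG:", line)
```

The script deliberately trusts only the hops added by servers after the message left the sender's network: everything below the first external relay is under the sender's control and can be forged, which is why the chain-consistency check matters. A mismatch is a reason to verify out of band, as the post did through LinkedIn, not proof of fraud on its own; legitimate senders do use outsourced relays.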

The Legal Status of Bitcoin in Italy

While it’s easy to think of Bitcoin as a “currency”, things become complicated when approaching the issue from a legal (though Italian) perspective. Under Italian law, Bitcoin is neither a “currency” nor the equivalent of a cheque or a credit card. It is “just” a good that people freely choose to put some value into, like an old camera or a classic car whose intrinsic value is close to nil while its trading value skyrockets.

To better explain my point, let’s start with some economics.

Currency, in itself, has no intrinsic value. We accept a piece of paper because we trust that somebody else, on the receiving side, will do the same; otherwise we don’t. This is what happened during the Cold War, when in the Eastern Bloc countries Western currencies – officially not allowed – were traded on the black market, while in the West nobody would ever have accepted roubles. For the record, the root of this “psychological” way of creating value dates back to the breakdown of the Bretton Woods agreements. So, as odd as it may seem, we may safely assume that money is just a creation of the mind.

The “currency power” is a prerogative of a sovereign State. In other words, to be acknowledged as “currency” a currency must come from the powers that be. Thus, whatever doesn’t fit this requirement can’t be called “currency” or “money” (this is true within the EU, but not in some parts of the USA where “private currency” is currently allowed). It follows from this definition that Bitcoin is not a “currency”.

Is Bitcoin, then, something like a cheque or a promissory note? No, because under Italian law these instruments are regulated by specific laws.

Furthermore, is Bitcoin similar to a credit card? Again, no, because there is no third party guaranteeing the payment, as there is with plastic money.

One possible solution, at least under the Italian legal system, is to treat a Bitcoin as an immaterial good that can be traded as a quid pro quo either for other Bitcoins or for different things. Simple as that.

Of course, I’m aware of the issues raised by the use of Bitcoins, which – if you think about it for a while – aren’t different from those related to the use of cash or other valuable assets. Gold, diamonds and other precious things can be used for legitimate purposes or to fund illegal activities. But this doesn’t make a brick of gold illegal “ex se”. The same approach should work for Bitcoin (whatever its legal status). It is the misuse that should be punished, not Bitcoin in itself. Unfortunately, as always happens when technology is involved, the “Fear Spreading Professionals” are sounding their “warnings” loudly instead of trying to understand how to gain advantage from a brilliant mathematical application.