Category: IT Security

Posted on

Google executives acquitted in Italy from defamation charges

Today the Court of Milan made public the decision in the criminal trial against four Google executives, charged of defamation and illegal personal data handling in relationship to the publication on the video sharing platform ? of a video containing act of bullyism against a person affected by the Down Syndrome.

The legal basis for the charges, following the prosecutor’s theory of the case, was that those executives failed to exercise a pre-emptive control over the contents published by Google final users’, thus allowing the infringement of the reputation of the concerned person and of an NGO representing Down-Syndrome-affected persons.

The Court acquitted all the defendant from the charges of defamation, while found them liable of the illegal personal data handling charge. The whole sentence (including the legal technicalities that support the decision) will be public within the next 30 days.

This indictment is the last component of a long series of court decisions that kill Network Neutrality and turn ISPs and Telcos into Digital Vigilantes while, in the meantime, no actual protection is given to the victims of online crimes.

The Peppermint and The Pirate Bay cases, the legal argument against Youtube and the one between an entertainment-backed lobbying group by one side and Telecom Italia, the ISP’s association and the Data Protection Authority on the opposite and – finally – this indictment are all linked through the same connection: to erode the absence of the legal duty to preemptively contol internet users’ activity established by the UE directive on e-commerce.

What is bizarre, in this Google trial, is that for the very first time the existence of the ISP’s duty to perform a mass-control of user activities has been asserted thank to the data protection regulation. The same data protection regulation that forbade the disclosure of the identities of people allegedly accused by the entertainment industry of copyright infringement through P2P networks.

Is still to early to understand the Court mind (since the basis for the decision will be disclosed within the next 30 days. It is, nevertheless possible to try an educated guess based on the Court records. To put it short, here is a probable explanation for the decision:

1 – there is a rule of law into the Criminal Code that says: to not stop a fact equals to cause it,
2 – data protection law requires a prior authorization to be obtained before handling personal data,
3 – a video to be posted online is personal data,
4 – therefore Google executives had to check whether the user who posted the video got the preemptive authorisation from the people of the video, and
5 – by failing to do so, they infringed the data protection law
6 – furthermore, by not controlling in advance, they let the video to libel the victim of the violence (this charge has been dismissed.)

It is too early to assess the damages provoked by this decision, but it is not unreasonable to imagine that – should this court decision become “case law” – the telco market will suffer an alteration of the competion among the various players. The smallest one can’t handle the increasing risk (and cost) of being sued or investing in momentum-generating policies. Big international players might find Italy a lesser attractive place to do business in.

Posted on

Aggregate data and Italian Data Protection Authority

An Italian Data Protection Authority decision issued on June, 25, 2009 set the deadline of Sept. 30, 2009 for telco operators and ISPs that must notify the Data Protection Authority the list of their mining activities executed on customers’ aggregate data (such as traffic volumes, paths and so on.) The aim of this decision is to spot illegal (at least, under Data Protection Authority opinion) data handling “masked” by activities performed to keep the infrastructure running

The Data Protection Authority, after having received the information, will decide what can be still done without informing the customer, what can be done AFTER having informed the customer and obtained his approval and what cannot be done at all. Furthermore, the Data Protection Authority will release a set of technical and management rules to ensure the concerned subjects’ compliance.

If these new set of rules will mimic those recently established for data-retention purposes and system administrators, telcos and ISPs will face again a mayhem of useless bureaucracy so hard to understand that the Data Protection Authority itself did release a FAQ to explain what these regulation actually meant (and we’re still waiting for the FAQ interpretation.)

Although the decision is limited to the Internet and telephony world, it is clear that in the near future it will affects too energy firms, banks, insurance companies and, in general, everybody who relies upon aggregate data to tweak its supply chain of services.

Once again, the Italian Data Protection Authority is proved to be one of the biggest blocking factor of Italian telco market, while not granting citizens some sort of protection.

Posted on

CNAIPIC… a borderless center

On May 19, 2009 Italian news services announced the creation of a new governmental entity named CNAIPIC (Centro Nazionale Anticrimine Informatico per la Protezione delle Infrastrutture Critiche – National Center Anti-Computer Crimes for the Critical Infrastructure’s Protection. Sorry, still no website up to present.)

While CNAIPIC members will surely use their brains’ computing power to figure out how fight these hideous hacker out there, I wonder if they’re aware that “old school techniques” such as war dialing, still work against big infrastructure even after thirty years or so.

Instead of thinking how to build taller “chinese walls”, they’d better step back and check critical infrastructure default passwords or (supposedly) non connected modem and RAS.

Posted on

Italy to ban on-line anonimyty?

A contribution for ALCEI.ORG
There is a disturbing, arising trend in Italy, of former showpersons now MPs of Berlusconi’s party to propose free speech and anonimity regulation “to protect minors” (but fact shows that they’re mostly concerned of copyright.)
Between January and March 2009 Luca Barbareschi (actor) and Gabriella Carlucci (anchor woman), proposed two draft laws whose declared intent was to enforce copyright protection by shutting down civil liberties.
To be clear:
Mr. Barbareschi’s Proposal is aimed at create a “single point of cultural control” by granting the Italian State backed royalty collecting agency, the role of exclusive gateway between artists and market. Furthermore, Mr. Barbareschi’s draft law contains so loose statements about ISPs liability that the Government is allowed to do
basically whatever he wants.
– More dangerous, if possible, is Mrs. Carlucci draft law that wants to ban anonymity from the Net, refusing even to consider intermediate forms such as “protected anonymity” (where the ISP act as trusted third party).
Mrs. Carlucci want to establish a committee under the Communication Authority with power of interpreting Internet-related law (in Italy, only magistrates and the Parliament is supposed to), receiving “confidential notice” of infringement, acting as Alternative Dispute Resolution provider, counseling magistrates about the enforcement of preemptive activities ruled under rule of evidence code, like searches and seizure, termporary jail rescrition etc.)
If approved, these (draft) laws will cause the concentration of power in goverrment’s hands, by weakening the possibility (or the right) to defend ourselves in Court.
Another step toward the ethical state?