IT Security – Page 31

October 10, 2008October 10, 2008

Thepiratebay.org case. An Italian Court affirms a dangerous principle of law

N.B. Background information for this post are available here. ?

The Bergamo Court has overruled the preemptive seizure order with a decision that, instead of solving the problems arising from the first decision, creates worst issues. The Bergamo Court, in fact, has overruled the seizure, but only on the legal basis that “seizure” cannot be interpreted as “traffic hijacking”.

But the court did not, as it should have done, evaluate first of all the lack of Italian jurisdiction. By not doing so, the Bergamo tribunal has created a dangerous case law that, by reciprocity, allows any foreign magistrate to investigate and take to court an Italian citizen, with the additional absurdity that even in the absence of any evidence that a crime has been committed, a legal prosecution can be based on hypothetical “statistic calculation”.

Furthermore, by asserting the validity of the public prosecutor investigation, the Court has de facto established the automatic liability not only of internet providers, but also of search engines, and the possibility of using, as an investigative tool, data and information with no solid ground.

And also, by saying that even if preemptive seizure has been wrongly enforced , it is ?in theory compatible with ?sect.14 D.LGV 70/20003 (EU E-commerce directive implementation, dealing with ISP liability), the Court of Bergamo on the one hand allows “owners of ideas” to push for an additional and barbaric copyright law amendment while, on the other hand, it reaffirms an obvious error of interpretation of law by affirming the role of ISPs as “sheriffs of the net”.

May 30, 2008September 22, 2008

Data Retention in Italy. The state of the art

This table summarizes the new Italian Data Retention Regulation.

Data Retention timeframe
(italian version taken from Interlex)

Data and Retention scope	Retention Duration	Provision
Traffic-related data not included in Sect. 123 para I and II Data protection code	Anonnymized or deleted when no more necessary	Sect. 123, Para I
Traffic data strictly needed for billing purposes, and/or support customer claims	6 mpnths, or more, in case of legal action	Sect. 123, Para 2
Traffic data for marketing purposes, or Value Added Serice purposes	As needed, only if the customer opted-in	Sect. 132, Para 3
Traffic data (voice) for criminal investigation purposes	24 months	Sect. 132, Para 1
Traffic data (digital) for criminal investigation	12 months	Sect. 132, Para 1
Unanswered call-related data	30 days	Sect. 132, Para 1-bis
Network related Traffic Data – upon concerned authorities order, for preemptive investigation and/or prosecute specific crimes –	From 90 Days, up to six months	Art. 132, c. 1-quater

March 1, 2008March 1, 2008

Italy just enforced Budapest Convention on Cybercrime

It happened last Feb. 27, 2008. All of a sudden, Italian Parliament approved the enforcement of the Budapest Convention on Cybercrime.

February 7, 2008

A 40.000 Euros tax to get your data back (or, computer forensics’ hidden cost)

In Italy, whenever you ask for an official copy of a trial-related document you must pay a specific tax established by a Presidential Decree (Testo Unico sulle Spese di Giustizia).

So – as happened today during a computer forensics phase of a criminal trial – a client had to withdraw the request of getting a 120Gb hard disk copy, because the final tax amount would have been about 40.000 Euros. The Testo Unico, in fact, set a rate of 258 Euros-per-CD.

Thus, if you do the math…

February 2, 2008February 20, 2008

What’s ahead in security?

This is the title of a speech Withfield Diffie gave in Rome at University La Sapienza last Jan. 31 2008, where I have been invited to attend the round table the followed. Other participants were Corrado Giustozzi, Giovanni Manca (CNIPA – National Centre for Information Technology in the Public infrastructures), prof. Luigi Mancini and Luisa Franchina (ISCOM).

There are a few online account for the day but none of them tells about the “content” of the conference. Mr. Diffie’s talk was professional and fascinating – if you don’t belong to the IT security professional’s circle. And this is the point: how is it possible that in 2008 we – Italians – still are so far from moving (even a few) steps ahead from what we were talking in 1995?

“Fighting terrorism” was – as usual – the “leading concern” to advocate defense and civil rights suspension in Italy. And each time I ear some Italian civil servant singing that song I remember about Michael Crichton’s State of fear, whose lesson – creating a state of fear to let powers and lobbies pursue their goals – is largely missed. This is not to say that terrorism is a fake issue. But when security of the State become a political (i.e. partizan) weapon, all we get is neither effective anti-terrorism measures nor freedom protection.

As Benjamin Franklin said,

They that would give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety

And this is what we are doing right now.