The Italian Home Affairs Minister To Call For Another Internet Crackdown

In the aftermath of the Charlie Hebdo massacre, as a way to improve the “safety” of citizens, the Italian Home Affairs Minister, Alfano (a right-winger), called for:

  • a “registration” of “dangerous” websites,
  • a further enhancement of the ISPs’ duty to block access to
    (terrorism-related) Internet resources,
  • an exception to the data-protection regulation, to allow the law
    enforcement agencies to easily access “sensitive” data.

This is an exploitation of the recurring rhetorical locus: “enhancing safety requires fundamental rights to be weakened”.
It is easy to answer with an often-quoted statement by Benjamin Franklin:

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.

But this is not the point.

From a “terrorism”-fighting point of view, what Alfano is calling for is simply useless.

If the target is to gather as much information as possible to prevent new attacks, blacklisting websites obviously doesn’t help. It neither stops terrorists from talking to each other, nor makes it possible to spot upcoming threats.

If the target is to gather advance information to run “pre-emptive actions”, it is useless to “weaken” the data-protection regulation to ease the law enforcement agencies’ access to “sensitive” (i.e. politics-related) information. Those who need fast and direct access to this kind of information, in fact, are the secret services (whose activities are neither handled by nor reported to a magistrate) and not the law enforcement bodies, which, in Italy, can only act AFTER a crime has been committed (having, in this case, full access to everything they need, under the control of the public prosecutor).

Then, a couple of questions:

  • why does Alfano call for measures that don’t help fight terrorism, but allow a crackdown against normal citizens?
  • why should the ISPs be burdened to act as censors and central scrutinizer on behalf of the government?

The Roman Catholic Church Knows Better (about privacy and the Internet)

Monsignor Nunzio Galantino, the secretary of the Conferenza Episcopale Italiana (the permanent assembly of Roman Catholic Bishops), stated that (my translation):

The Internet is useful and effective, but the price we pay in terms of privacy is huge

and, talking about the Data Protection Authority, he said:

I don’t understand what these useless entities are good for.

Of course he’s right, but the Italian Data Protection Commissioner (obviously) has a different opinion, claiming that (again, my translation):

It is rather odd to call useless the only entity that – within its powers – has always defended human dignity from the “mud machine” 1, and from the plots arranged by those who want to turn the Internet into a space of violence and outlaws, from the totalitarian logic of the man-in-a-fishbowl.

Is this the same Data Protection Authority that failed to address the issues of the Telindus Router, the Android Spyware Case, The Pirate Bay Case, the Aruba Case, the Sony BMG rootkit case, that didn’t say a single word (while being informed) about the security concerns in relation to the upcoming massive, trial-related personal data flood originating from the online shift of the Italian Civil Trial System, and that wasn’t able to prevent the leak of a confidential report?

 

  1. The reference is to a journalistic idiom meaning the use of the media machine to soil somebody’s reputation.

Apple’s New Security Policy: Just a PR Stunt?

Apple announced that it is no longer able to hack into iOS 8-based devices because of its “privacy-by-design” development strategy. Thanks to this choice, according to Tim Cook, quoted by The Washington Post,

it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.

Since the imagination of both lawyers and judges knows no limit, I wouldn’t be surprised to hear, in the near future, about some claim for “contributory criminal activity” filed against Apple based on the deliberate choice of giving “unbreakable weapons” to terrorists, paedophiles and copyright infringers.

When this scenario becomes real, it will be interesting to see whether Apple sticks to its “libertarian” position, risking a trial for contempt of court, or negotiates over its users with the powers-that-be.

Then, and only then, we will be able to check if this “privacy commitment” was a genuine attitude or just the next marketing trick.

The Data Protection Authority Leak And The (Now) Hard To Find Article

The headline linking to the article about the leaked Italian Data Protection Authority secret report is no longer easily accessible on Repubblica.it (the newspaper that got the scoop). There is no trace of this link on the home page, and the headline is missing from the Technology section.

If you are quick enough, a one-minute video clip gives you the chance to click an anonymous link (labelled “Leggi su Repubblica.it” – “Read it on Repubblica.it”) and the article finally comes on screen.

Technically speaking, then, the article is still online but now in a hard-to-find form. And this is rather odd, because other older and less important articles (such as the valueless research on the personal data selling price) are still featured in the technology section of this newspaper.

An Italian Data Protection Authority Secret Report Leak?

According to an Italian newsmagazine, a not-for-public-eyes investigation of the Italian Data Protection Act reportedly found severe security problems in the management of the Internet Exchange Points (the points of the Italian telecommunication network where the various telco networks are mutually interconnected).

A first remark is that the King is – or might be – naked. If this secret report actually exists (and the IDPA didn’t deny its existence) and has been leaked, the Authority’s information security is not that good, and – therefore – the IDPA should fine itself for this non-compliance, instead of just targeting the rest of the (industrial) world.

Coming to the heart of the matter, in the words of the journalists that authored the article:

there is an enormous black hole in the security of Italian telecommunications. A hole so wide that it allows anyone with the proper equipment to have phone calls, SMS, emails, chats, and social-network posted content at their disposal.

The journalists claim that the report says verbatim:

These devices are equipped with technical features that can allow the duplication, in real time, of the traffic in transit, diverting it to another port (port mirroring)

and that

if somebody wanted to look at the traffic in transit this would be easily done with specific analysis tools …

It is amazing how poorly savvy, legally and technically, this article – and the IDPA findings, if proven true – are, because:

  • the possibility of performing port mirroring is necessary to the activities of the public prosecution and the intelligence agencies. The point, then, is how and by whom this feature is exploited rather than its mere existence, which, like it or not, is necessary for investigative purposes. One day, maybe, it will be possible to disclose some of the ways traffic data are requested, but this is another story…
  • there is no evidence of the port mirroring features being abused, misused or cracked,
  • performing port mirroring in an Internet Exchange Point is not as easy as the article and the IDPA report(?) say: it is not like the computer virus upload in Independence Day or Hugh Jackman’s “under pressure” hack in Swordfish,
  • there is an easy way, available almost since day one of the pre-internet era, to protect users’ communications regardless of what the ISPs do: client-based encryption. But I assume that the Minister of Home Affairs wouldn’t like an IDPA endorsement of the “crypto-for-the-masses” slogan,
  • oddly enough, the IDPA secret report (if true) doesn’t address the serious problem of the proprietary firmware and operating systems of network devices, which prevent an ISP from checking on its own for the existence of backdoors (as in the recent Cisco affair) and other security flaws.