Thursday 20 October 2016

Blog Inactive

Apologies, this blog has not been used for some time - if you are still interested in my work -  I maintain another blog about research now. It is available here. 
Thanks :) 

Thursday 18 April 2013

It lives...

It has been far too long since my last post on here, almost an entire year(!). After a great time as a research assistant at the University of Strathclyde for a little while, I then moved and started as a PhD researcher last September at the University of Nottingham Horizon Digital Economy Centre. This centre focuses on the range of social and technical issues surrounding the digital economy, ubiquitous computing and the 'lifelong contextual footprint'. I've been increasing my multidisciplinary credentials beyond IT law by studying human computer interaction, creating maps in geospatial information services, basic programming in Java, learning qualitative techniques and quantitive statistics, building mobile apps and even considering philosophy of technology in science and technology studies.


Given all these new ideas buzzing around, I've felt the increasing urge to revise the Mooseabyte blog. I used to really enjoy doing fuller freelance blog pieces for Naked Security, but of late I've struggled to do these, so I hope these shorter commentaries here might satisfy in the interim. That is not to say I haven't been writing... I recently did a piece for the Society of Computers and Law called "The Aerial Gaze - Regulating Domestic Drones in the UK". Perhaps unsurprisingly it considers the range of issues posed for effective regulation of civilian UAV's operating in UK airspace. It maps out a tentative legal framework drawing on channels that address privacy, surveillance and air safety concerns. If this sounds of interest, you can read the full article here It builds on earlier presentations where I outlined the issues at the University of Edinburgh SCRIPT Conference, and GikII 2012, which was hosted by the University of East Anglia at their London campus. I'll be presenting again at a "Spy in the Sky" conference at the University of Ljubljana next month with my talk "Smile - drones operating overhead" I also have a couple of other pieces I've been working on including one entitled "European Data Protection Reform and digital memories of objects", which I'm hoping to develop further.


I was at BILETA 2013 at the end of last week and had a great time catching up with other IT law researchers - albeit whilst I was plagued by a cold(!). It was extensively live tweeted by many at the event and you can see these messages if you search the #Bileta13 hashtag. I listened to many fascinating sessions on the future of cyberlaw, issues with developing a Liverpool smart city, data protection and big data, drones and international humanitarian law, ethics of autonomous systems, why the ICO is an (in)adequate regulator, the US FISA law and surveillance in the cloud... the list goes on! There was an interesting talk with qualitative and quantitive results from the CONSENT FP7 project with discussion consumer attitudes to online privacy and consent. Results are here, and worth checking out. I always really enjoy these conferences as they provide intellectual reinvigoration, and they let me re-calibrate with the IT law community, which is important as I'm no longer based in a law school environment.
 
Another highlight of the year thus far was during early 2013, I had the pleasure of attending the Living in Surveillance Societies (LiSS) /Centre for Research in Information, Surveillance and Privacy (CRISP) doctoral training school. This week long event involved lots of workshops, seminars and activities led by leading academics from the field of surveillance studies. I met some fantastic people, and it confirmed my conviction that I wanted to incorporate a significant 'surveillance studies' angle into my PhD research (which will be looking at effective governance of privacy and surveillance in ubiquitous computing environments).

So despite my lack of virtual activity at least I've been far from virtually inactive...(sounded better in my head)

Also two humorous snippets from TV shows I've been watching which have a vague law/tech/privacy theme - the first from the wonderful Parks and Recreation, with Ron Swanson discovering cookies...then Google Earth -

The second is from Scotland's own Limmy's Show with a funny sketch about User Agreements.

Enjoy :) 

Monday 14 May 2012

Government Snoopers charter announced, many questions left unanswered


Last week's Queen's Speech showed the Coalition's wish list of law proposals and reforms for this Parliamentary legislative agenda. This included a little bit more information on the government plans for updating law enforcement access to communications data that have been circulating under the Communications Capabilities Development Program (CCDP) name since late 2011/early 2012.
 

We now know it's called the draft Communications Data Bill and it "intends to bring forward measures to maintain the ability of the law enforcement and intelligence agencies to access vital communications data under strict safeguards to protect the public, subject to scrutiny of draft clauses"

Luckily, the Bill was moved out of the fast stream "Home Office/Ministry of Justice crime and courts bill" to be considered on it's own merits as a standalone bill.

This is good news because extensive scrutiny and public consideration of draft clauses are essential to fully understanding the implications of this 'Snooper's Charter'. 

Nick Clegg has promised the Bill won't be 'rammed through Parliament' and the Home Office pledge to include strong safeguards.

Nevertheless, the very existence of this proposal is curious given the 2010 Coalition pledge to "end the storage of internet and email records without good reason".

Current System

It's important to remember that communications data is not actual content, but the metadata about phone and Internet communications.

This includes the email addresses of sender and recipient, user location, phone numbers, equipment used, the time and duration of a phone call.

Since 2009, UK ISPs and Telcos have retained communications data collected in the course of business (for billing etc) for 1 year under powers derived from the EU Data Retention Directive.

Under the Regulation of Investigatory Powers Act 2000, law enforcement agencies and other authorised bodies can already access this data, for many reasons including fighting crime and maintaining the economic well being of the country.

So how will this new bill change the current system? It will:

1) Update the framework for collection and retention of communications data by communication service providers (CSPs)

2) Update the framework on lawful access to such data for authorised government bodies including the police and intelligence agencies.

3) Create 'strict safeguards' including:
        - A 1-year limit on data held by CSPs
        - Measures to protect data from unauthorised access or disclosure.
        - Extension of the Interception of Communications Commissioner oversight
        - Provide an independent Technical Advisory Board for CSPs
        - Extend powers of the Investigatory Powers Tribunal for investigating individual complaints

4) Remove communications data laws that have lower standards of protection.

Problematically, this outline doesn't really provide much detail on the nuts and bolts of the new Bill.

There are many key practical areas I think have to be addressed including: What additional powers will be provided for oversight bodies? Do CSPs have to install dedicated 'black box' deep packet inspection technology? Who will pay for this infrastructure and maintenance of interception algorithms? How will the new law handle encrypted communications?

Requiring data from third party services, often outside the UK, raise many questions too: How will US third parties, like Google, Microsoft or Facebook, fit in with UK police seeking social networking and instant messaging comms data? How will CSPs accurately separate the content of communications from the metadata? And how will real time access to data work in practice?

The current EU Data Retention laws have often been criticised for creating a system of mass surveillance.

Yet, instead of rolling back these powers, this Bill wants to further expand and entrench this culture of storing everything 'just in case' it becomes useful.

Whilst it's claimed 'modernisation' is needed to stop terrorism, paedophile rings and other organised criminal activity, these criminal groups will doubtless use encryption technologies and anonymised networks keeping them off the grid anyway.

This just leaves the general population unjustifiably under the gaze of a decentralised network of private surveillance.

Until specific details of the plans are released the many questions outlined above will remain unanswered, preventing any real debate.

However, even when more information becomes available, it remains impossible to envision how treating the entire UK population as a 'nation of suspects' is necessary and proportionate in a democratic society.

Roundup of my Naked Security Articles 20 March to 14 May


20/03/2012 - Cyberwar: Hype or reality? - Is "cyberwar" really upon us? Is a "digital Pearl Harbour" imminent? And is an international agreement on "cyberarms" a plausible solution? These are just some of the questions I address in this piece.

29/03/2012 - Stopping the Zombies: Introducing the new Federal Communications Commission anti-botnet code - A new voluntary code of conduct for ISPs in the US creates new measures for addressing botnets. Does it go far enough?

10/03/2012 - A New Cookie Recipe: The International Chamber of Commerce Cookie Code - As of next month, the ICO will be enforcing new(ish) rules on cookies and consent, but is the business world ready? And if not, will the International Chamber of Commerce's UK Cookie Guide provide the tools to help them comply?

18/04/12 - New Bill in UK wants Internet to be censored from porn by default - A new Bill wants to protect children by requiring all users to opt-in if they want to access porn. This would create a system of censorship by default. Is this necessary when parents already have access to porn-management tools?

30/04/12 - ACTA Update the Fight goes on - ACTA has received considerable criticism from a number of high-profile sources, but don't write it off just yet. there is still a chance it could become law.
 

Tuesday 13 March 2012

Naked Security Articles 27.02.12 to 09.03.12

This is a quick post just to link to a few more articles on Naked Security:

Controversial ACTA is referred to the ECJ  on 27.02.12  The heated debate across Europe about ACTA has led the European Commission to refer the controversial agreement to the European Union's highest court.

 New GSMA privacy guidelines for mobile app developers on 02.03.12-  Host of the Mobile World Congress, the GSMA, have launched new guidelines for mobile app developers to increase transparency and trust between users and companies. Will it work?

 Smartphone apps are sending your data to China on 09.03.12A Sunday Times report found that many smartphone apps are collecting too much personal data and then sending it outside the EU to the US, Israel, China and India. But do these countries meet EU data protection standards?

Enjoy :) 

Lachlan

Wednesday 22 February 2012

Roundup of new articles over at Naked Security

New Naked Security Articles 

I've been busy writing more articles for Naked Security  and I thought it might be a good idea to periodically provide an update of them here too. The links to the original articles are provided with a little blurb and any important updates since the stories were posted too.  Please check them out, and (hopefully) enjoy!

ACTA Protests in Bulgaria - Photo from The Guardian
1) What's all the fuss about ACTA? on 06/02/2012 - In this article I was discussing myths floating around about ACTA, and what can be done to re-instill some democracy into the secretive negotiation and signing process. Widespread protests, following signing in Europe, spread through Poland and other European countries. This brought awareness of ACTA to the fore, and since writing the article further protests have led Germany, The Netherlands and Bulgaria to denounce and refuse to ratify ACTA. Just today it was announced that it will be referred to the European Court of Justice for consideration.


Importantly, negotiations of another sinister trade agreement based acronym are underway in private...the TPP or Trans-Pacific Partnership. I'm intending to write about this in the near future too.

Gary McKinnnon - Photo from The Guardian
2) Should having autism be a legal defence to hacking charges? on 10/02/2012 - I tried to answer this tricky question posed on Channel 4 News. The cases of Gary McKinnon and alleged Lulzsec hacker Ryan Cleary, both who have Asperger Syndrome, have raised legal questions about the impact of their condition. Here is an excerpt of my thoughts from one of my comments. 

People with autism have a very clear understanding of the notions of right and wrong. Professor Baron Cohen found that for Gary McKinnon, his Asperger Syndrome led him to weigh up right and wrong in a manner that seemed morally right to him at the time. However, he did not fully appreciate or foresee the severity of the consequences due to his condition (and "mind blindness"). 

For Gary, he believed finding and disseminating information to the world about UFO's was the right thing to do because it would benefit humanity. This is despite having to hack into NASA &The Pentagon etc to get the information. 

This balancing of interests clearly contrasts with the conclusion someone without the condition may reach. For them the awareness of breaking many laws and fear of prison would be enough incentive to stop hacking. 

Is it fair then that someone, who by virtue of their autism has an altered perception of the situation, could be treated the same as someone without the condition? I am trying to say that because autism is a spectrum disorder it affects all individuals differently. Therefore, any argument should be on a case-by-case basis, with expert assessment.

Perhaps there should be more provisions in place within the legal system to handle a range of outcomes. This is why I don't think having autism should provide an absolute defence. There has clearly been wrongdoing when hackers with autism break into computer systems searching for UFO evidence or otherwise. 

However, maybe there should be other legal measures in place to reflect the defendant's position, like creating a partial defence allowing lowering of charges, or a shortening of sentence. 

Although these measures could be achieved when sentencing is carried out (by incorporating mitigating circumstances), maybe it needs to be a bigger factor than just in the sentencing stage."

Please read the whole article though and let me know what you think.

3) Who has better privacy laws: USA or European Union? on 15/02/2012 - 

In my opinion, the European Union, by far. When reading an article in PCWorld proposing a US digital consumer bill of rights , I was struck by how many of those rights already exist in Europe. This led me to discuss the current sate of EU Data protection laws and outline how reforms in the new Data Protection Regulation will further change data subject protections.

I noted how the new law will "create pro-consumer rights including a broader interpretation of what data is personal, demands for 'explicit' consent for data processing, develop a right to be forgotten, a right to object to data profiling and require greater portability of electronic data. In respect of data loss, there are new 24-hour data breach notification obligations."

In contrast I noted how the US have a "more fragmented approach, with use of industry self-regulation, sector-specific standards (for finance, children rights, federal bodies and healthcare), and state-level rules. Broad constitutional privacy protections in the Fourth Amendment exist too. The US Federal Trade Commission plays an enforcement role, has privacy guidelines, and pushes initiatives like Do Not Track for online marketing. But there is no single body with a sole data protection focus in the US."

4) Canadian politician accuses bill opposition of siding with child porn peddlars on 17/02/2012

The Canadian Bill C-30 seeks new rules for lawful access by law enforcement. It was comments by Canadian Pubic Safety Minister, Vic Toews that brought the bill into popular media last week. He stated that critics of the bill were on the side of child pornographers. This ridiculous statement did nothing for allowing a rationale debate and I wanted to look past this to see what Bill C-30 actually proposes.

It establishes rules for regulation of surveillance, including interception guidelines and obligations. Controversially, it also includes rules permitting law enforcement to approach telecoms companies (telcos) and Internet service providers (ISPs) to demand subscriber data without applying for a warrant. 

The government have argued this is just the modern equivalent of phone book information but when you look at s16(1) of the bill it shows it includes your IP addresses, subscriber ID email address, phone number, name and address.

Professor Michael Geist provided some very useful ideas on improving the Bill to find a compromise, which I discuss and quote in the article. Regulation of surveillance legislation plays a very important role in protecting privacy, and therefore it is important Bill C-30 doesn't fail. It has been pulled back for further revision by the government, and hopefully they will find a middle ground between law enforcement interests and privacy.

UPDATE 24/02/2012 - Michael Geist has suggested 12 recommendations on how to fix Bill C-30, well worth reading.

5) Interception Modernisation Programme or Communications Capabilities Development Programme? Who cares its still storing your data on 22/02/2012

Today I uploaded a story about the Coalition resurrecting the lambasted Interception Modernisation Programme (IMP), which is now known as the Communications Capabilities Development Programme (CCDP). 

The Coalition parties slated Labour for the IMP, rightfully calling it "reckless". When they came to power they committed to ending storage of internet and email records without good reason.

Nevertheless, we somehow have the CCDP, with the formal plans to be published by the end of April 2012, and implemented by the end of June 2015. As Jim Killock, Executive Director at the Open Rights Group said "Labour's online surveillance plans have hardly changed but have been rebranded. They are just as intrusive and offensive."

The CCDP wants, like the IMP, to have ISPs and telcos create databases of communications data for spooks and police to access at their convenience. According to a Telegraph report,  it will define the "who, when and where" of data subjects, including email addresses, IP addresses, phone numbers, time, location, data sender and recipient. It also allows spooks to monitor real time email and text traffic, and social media communications like instant messages on Twitter and Xbox Live.

Once again, there are many things to object to with this, not least its lack of necessity and impact on privacy. There are laws on interception and access to communications data already in place, and the justification of a mass surveillance mechanism like this is unfounded.

Beyond this there are security issues of privately held databases, policy issues incorporating companies into public policing practices (despite their lack of public accountability/transparency) and importantly, the potential for scope creep by storing data "just in case" it becomes useful.

I discuss these in more depth in the article, so please check it out and let me know what you think.

Thursday 12 January 2012

Writing on Naked Security blog

Followers of my Twitter feed may have noticed I have been writing for the Naked Security blog lately. This award winning news service is run by computer security firm Sophos. I am writing about legal IT current affairs and although I am not posting as frequently on this domain, I will regularly be writing about current developments in the IT world with a legal twist here.

Some of my recent posts are:

1) Yahoo!'s $610m anti spam win and why it is meaningless.
2) Forced decryption/password disclosure and the 5th Amendment in the USA with US v Fricosu.
I also looked at how the equivalent situation might pan out in the UK under RIPA s49.
3) Most recently looking at the new ICANN gTLD registration program and the risks from cybersquatting.

Please keep an eye on Twitter for these short articles. Thanks.