Wednesday 22 February 2012

Roundup of new articles over at Naked Security

New Naked Security Articles

I've been busy writing more articles for Naked Security and I thought it might be a good idea to periodically provide an update of them here too. The links to the original articles are provided with a little blurb and any important updates since the stories were posted. Please check them out, and (hopefully) enjoy!

ACTA Protests in Bulgaria - Photo from The Guardian
1) What's all the fuss about ACTA? on 06/02/2012 - In this article I was discussing myths floating around about ACTA, and what can be done to re-instill some democracy into the secretive negotiation and signing process. Widespread protests, following signing in Europe, spread through Poland and other European countries. This brought awareness of ACTA to the fore, and since writing the article further protests have led Germany, The Netherlands and Bulgaria to denounce and refuse to ratify ACTA. Just today it was announced that it will be referred to the European Court of Justice for consideration.


Importantly, negotiations of another sinister acronym-laden trade agreement are underway in private: the TPP, or Trans-Pacific Partnership. I'm intending to write about this in the near future too.

Gary McKinnon - Photo from The Guardian
2) Should having autism be a legal defence to hacking charges? on 10/02/2012 - I tried to answer this tricky question posed on Channel 4 News. The cases of Gary McKinnon and alleged LulzSec hacker Ryan Cleary, both of whom have Asperger Syndrome, have raised legal questions about the impact of their condition. Here is an excerpt of my thoughts from one of my comments.

"People with autism have a very clear understanding of the notions of right and wrong. Professor Baron-Cohen found that for Gary McKinnon, his Asperger Syndrome led him to weigh up right and wrong in a manner that seemed morally right to him at the time. However, he did not fully appreciate or foresee the severity of the consequences due to his condition (and "mind blindness").

For Gary, he believed finding and disseminating information to the world about UFOs was the right thing to do because it would benefit humanity. This is despite having to hack into NASA & The Pentagon etc. to get the information.

This balancing of interests clearly contrasts with the conclusion someone without the condition may reach. For them the awareness of breaking many laws and fear of prison would be enough incentive to stop hacking.

Is it fair then that someone, who by virtue of their autism has an altered perception of the situation, could be treated the same as someone without the condition? I am trying to say that because autism is a spectrum disorder it affects all individuals differently. Therefore, any argument should be on a case-by-case basis, with expert assessment.

Perhaps there should be more provisions in place within the legal system to handle a range of outcomes. This is why I don't think having autism should provide an absolute defence. There has clearly been wrongdoing when hackers with autism break into computer systems searching for UFO evidence or otherwise.

However, maybe there should be other legal measures in place to reflect the defendant's position, like creating a partial defence allowing lowering of charges, or a shortening of sentence.

Although these measures could be achieved when sentencing is carried out (by incorporating mitigating circumstances), maybe it needs to be a bigger factor than just in the sentencing stage."

Please read the whole article though and let me know what you think.

3) Who has better privacy laws: USA or European Union? on 15/02/2012 - In my opinion, the European Union, by far. When reading an article in PCWorld proposing a US digital consumer bill of rights, I was struck by how many of those rights already exist in Europe. This led me to discuss the current state of EU data protection laws and outline how reforms in the new Data Protection Regulation will further change data subject protections.

I noted how the new law will "create pro-consumer rights including a broader interpretation of what data is personal, demands for 'explicit' consent for data processing, develop a right to be forgotten, a right to object to data profiling and require greater portability of electronic data. In respect of data loss, there are new 24-hour data breach notification obligations."

In contrast, I noted how the US has a "more fragmented approach, with use of industry self-regulation, sector-specific standards (for finance, children rights, federal bodies and healthcare), and state-level rules. Broad constitutional privacy protections in the Fourth Amendment exist too. The US Federal Trade Commission plays an enforcement role, has privacy guidelines, and pushes initiatives like Do Not Track for online marketing. But there is no single body with a sole data protection focus in the US."

4) Canadian politician accuses bill opposition of siding with child porn peddlers on 17/02/2012

The Canadian Bill C-30 seeks new rules for lawful access by law enforcement. It was comments by the Canadian Public Safety Minister, Vic Toews, that brought the bill into the popular media last week. He stated that critics of the bill were on the side of child pornographers. This ridiculous statement did nothing to allow a rational debate, and I wanted to look past it to see what Bill C-30 actually proposes.

It establishes rules for regulation of surveillance, including interception guidelines and obligations. Controversially, it also includes rules permitting law enforcement to approach telecoms companies (telcos) and Internet service providers (ISPs) to demand subscriber data without applying for a warrant.

The government have argued this is just the modern equivalent of phone book information, but when you look at s16(1) of the bill it shows this includes your IP addresses, subscriber ID, email address, phone number, name and address.

Professor Michael Geist provided some very useful ideas on improving the Bill to find a compromise, which I discuss and quote in the article. Regulation of surveillance legislation plays a very important role in protecting privacy, and therefore it is important Bill C-30 doesn't fail. It has been pulled back for further revision by the government, and hopefully they will find a middle ground between law enforcement interests and privacy.

UPDATE 24/02/2012 - Michael Geist has suggested 12 recommendations on how to fix Bill C-30, well worth reading.

5) Interception Modernisation Programme or Communications Capabilities Development Programme? Who cares, it's still storing your data on 22/02/2012

Today I uploaded a story about the Coalition resurrecting the lambasted Interception Modernisation Programme (IMP), which is now known as the Communications Capabilities Development Programme (CCDP).

The Coalition parties slated Labour for the IMP, rightfully calling it "reckless". When they came to power they committed to ending storage of internet and email records without good reason.

Nevertheless, we somehow have the CCDP, with the formal plans to be published by the end of April 2012 and implemented by the end of June 2015. As Jim Killock, Executive Director at the Open Rights Group, said: "Labour's online surveillance plans have hardly changed but have been rebranded. They are just as intrusive and offensive."

The CCDP wants, like the IMP, to have ISPs and telcos create databases of communications data for spooks and police to access at their convenience. According to a Telegraph report, it will define the "who, when and where" of data subjects, including email addresses, IP addresses, phone numbers, time, location, data sender and recipient. It also allows spooks to monitor real-time email and text traffic, and social media communications like instant messages on Twitter and Xbox Live.

Once again, there are many things to object to with this, not least its lack of necessity and impact on privacy. There are laws on interception and access to communications data already in place, and the justification of a mass surveillance mechanism like this is unfounded.

Beyond this there are security issues of privately held databases, policy issues incorporating companies into public policing practices (despite their lack of public accountability/transparency) and importantly, the potential for scope creep by storing data "just in case" it becomes useful.

I discuss these in more depth in the article, so please check it out and let me know what you think.