Tuesday, October 14, 2008

Ireland against the Data Retention Directive: AG nixes constitutional attack

From Digital Rights Ireland: (and thanks to Judith Rauhofer for the tip off)

"The Advocate General of the European Court of Justice has just given his Opinion (summary, PDF) on the Irish Government’s challenge and has recommended to the Court that the challenge should be rejected, holding that the Data Retention Directive was correctly dealt with as an internal market measure rather than a criminal justice measure (which would have required unanimity to pass). Opinions of the Advocate General aren’t binding but are generally followed by the Court, making it more likely that the Government’s challenge will now fail.

It’s important to point out, though, that this ruling only relates to the procedural way in which the Directive was passed. It doesn’t affect our case that the Directive breaches fundamental principles of human rights, and we still await a decision from the High Court referring these issues to the European Court of Justice."

Pangloss is speaking tomorrow at a Parliamentary and ISPA event on the UK consultation on implementing the DRD by March 2009, so this is rather timely. However, as DRI points out, to some extent this is almost a side issue: the real issue continues to be whether it is proportionate to the aim of reducing crime and terrorism to retain all forms of e-communications by the entire UK population for up to two years. In the UK consultation, a year's retention is recommended for e- and telecoms traffic to help cut down on serious crime; yet almost every example but one given in the document relates to an investigation which was solved using data retained for a matter of hours, days or weeks, not a year. How, then, is one year the "proportionate" response to the invasion of privacy it sanctions?

I think it was Ray Corrigan (though I can't seem to find the reference, sorry!) who pointed out the bad science involved in the much quoted statement in the consultation, that retention for a full year was justified because, in a trial month in 2005:

"there were 231 requests for data relating to communications that had taken place between 6 and 12 months earlier. 60% of these requests were in support of murder and terrorism investigations and 26% of the requests were in support of other forms of serious crime including armed robbery and firearms offences."

But the key point for such stats is how many requests were made in 2005 in TOTAL? Privacy International quote that figure as 439,000, drawn from government stats. Thus, assuming a similar rate of request across the year, the requests for data over 6 months old were only 0.006% of all requests made in 2005. Does that justify retention for a year for every type of communication data, given the privacy implications? (And given the anecdotal evidence so far that such data is being requested by local authorities for purposes other than catching serious criminals or terrorists?)

A nice quote, also from DRI and via B2fXX: "Laws requiring monitoring of the entire population are astonishing in a democracy."

E-money Rides Again, at the Least Appropriate Time Possible

This report from El Reg on the Commission's new Working Document on e-payments is so gloriously cynical that I'm not even going to try to re-write it.

"The European Commission has launched a new legal framework to boost the use of "electronic money" within the EU, even as we all realise we had even less real money than we thought.

The Eurocrats have admitted that earlier utopian predictions that we’d all be loading cash on our mobile phones, travel cards or internet accounts have proved to be somewhat overblown. In part, it is blaming itself, saying current rules “have hindered the takeup of the electronic money market, hampering technological innovation”.

Translated, this means the foolish peasants (the rest of us) have refused to stop keeping anachronistic wads of notes and piles of coins in stupid places like pockets, in wallets, under mattresses, that sort of thing, when what they really should be doing is paying smart young things to take their money and convert it into cyber cash, loaded on trustworthy items like phones, Oyster cards, servers and deelie boppers.

So, in the interests of keeping the dream alive, Brussels has proposed a new framework for “issuing electronic money”. This will include a “technologically neutral and simpler definition”, ie that electronic money is “monetary value stored electronically on receipt of funds and which is used for making payment transactions". This will include e-cash stored on devices in the holders' possession or “remotely at a server.”"

Internal capital requirements for EMIs will be reduced to 125,000 Euros - "enabling market entrance for smaller players" - is this really what we want to encourage at a time when giants like HBOS etc are dropping like flies?! What happens when an EMI goes under? Does the relevant national underwriting guarantee apply? We have all the potential problems of Icesave staring us in the face as a stark example that national guarantees do not transpose well to virtual banks.

As all IT lawyers know, the main problem with the old EMI Directive was indeed that it was not technology-neutral at all, but modelled around smart card money, which was terribly hip before all the schemes like Mondex etc quietly flopped and failed. In reality it turned out that what people wanted was credit, not debit, in times of free fast credit thrown at you from all directions, and/or alternatively to use anonymous, data-protecting, handy account-based systems like PayPal (complete with useful guarantee for eBay transactions) rather than carry round yet another card whose loss might result in loss of actual money, without guarantee of repayment.

It sounds like Brussels has now finally recast the definition of an EMI to firmly cover the likes of PayPal. (See the now defunct argument about this via Andres Guadamuz here.) Which is sort of amusing when PayPal itself long gave up on the clunky EMI framework and instead just became a bank in Luxembourg. And when the bottom has dropped out of the credit market so thoroughly that pre-pay debit cards might just possibly become saleable again (though I wouldn't hold my breath). The Oyster card/debit card all-in-one model, however, should be useful whenever they iron out the commercial holdups.

What will be really interesting to see is how far the proposed new rules cover mobile-phone-as-e-wallet - which is the development that was already looking set to revitalise the digital payments sector, if anything could.

Also the problem remains that paying by PayPal, even when linked to a credit card, is not covered by the usual guarantees of the EC consumer credit legislation - or at least not according to the UK Banking Ombudsman and the FSA - and should thus really be discouraged for dubious or large purchases (eg travel companies about to go bust, unknown eBay sellers).

I doubt the consultation touches this, being mainly concerned with capital requirements and the like, but I'll report back when I've actually read it properly, ok?

EDIT: OK, an hour later..

The consultation does indeed refer to MNOs (Mobile Network Operators) as another problem for the definition of e-money, along with "server-based" systems like PayPal.

It is starkly admitted that traditional smart card systems à la Mondex are dead. Contactless transport cards as e-money are catching on, yes (22 in the Czech Republic), but are still almost exclusively used at unmanned sites such as transport turnstiles or car parks. The public shows no sign of wanting to use e-cash more extensively. (This may explain the mysterious failure of the Oyster system to expand to small value real world purchases, eg newspapers.)

The only major problem asserted with the current EMI system, apart from the definition issues, is the high internal capital requirement - hence the suggestion to reduce it from 1m Euros to an eighth of that!

There is no mention of the difficulties with credit card-like guarantees for PayPal etc payments, unless it is dealt with tangentially in the harmonisation of EU payment laws currently under discussion under the Payments Directive, due to be passed November 2009.

Similarly, money laundering - which is known to be increasingly used by criminals to get funds past national borders, especially to Africa and Eastern Europe - is left to be dealt with as and when by financial fraud legislation.

Overall, a remarkably unambitious and pretty redundant consultation. One suspects it might have been more sensible, if politically difficult, to shelve this document entirely until the dust settles a bit on the current financial meltdown.

Saturday, October 11, 2008

Fun Times for Phishing

The credit crisis is doing interesting things to computer crime. One might have predicted that a background of banks crashing, closing access to depositors and being bailed out would be seventh heaven for phishing emails, with users failing to distinguish real reassuring emails from fake ones in the confusion. And so it has transpired - with Chase, Wachovia and Bank of America among the most popular targets with scammers, according to the US's watchdog, the FTC.

But of course what are you phishing FOR? As credit dries up, the old standby of stealing personal ID so as to apply for limitless amounts of credit loses its efficacy. Soon, the days of easy credit cards will be gone. So instead, phishing attacks have switched from ID theft to faking credentials to allow withdrawals from existing accounts. This is interesting - surely such attacks should be more visible than plain old ID theft? Would this not be a good time to look at banking security and supervision with a view to automatically spotting upsurges in microwithdrawals from multiple accounts?
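The monitoring idea floated above, as an added illustration that is not part of the original post: a per-hour check that flags a surge of small withdrawals spread across many distinct accounts, the shape that cash-outs from phished credentials would leave in a bank's own ledger. The sample ledger, the 50-unit "micro" ceiling, the five-account floor and the median-hour baseline are all constructed assumptions, not figures from the post.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample ledger, not real bank data: (timestamp, account, amount).
# Day one is a quiet baseline; day two has a burst of small withdrawals from
# many different accounts in one hour, the shape a phished-credential cash-out leaves.
SAMPLE = [
    ("2008-10-06 09:05", "acct-01", 40.0),
    ("2008-10-06 10:40", "acct-02", 20.0),
    ("2008-10-06 13:15", "acct-03", 250.0),  # large: ignored by the size filter
    ("2008-10-07 02:01", "acct-04", 45.0),
    ("2008-10-07 02:07", "acct-05", 49.0),
    ("2008-10-07 02:12", "acct-06", 40.0),
    ("2008-10-07 02:20", "acct-07", 35.0),
    ("2008-10-07 02:31", "acct-08", 48.0),
    ("2008-10-07 02:44", "acct-09", 44.0),
    ("2008-10-07 02:50", "acct-04", 45.0),   # repeat account, counted once
]

MAX_AMOUNT = 50.0     # assumed ceiling for a "micro" withdrawal
MIN_ACCOUNTS = 5      # assumed floor before an hour is worth an alert
BASELINE_RATIO = 3.0  # alert only when the hour is this many times the norm


def hourly_distinct_accounts(records, max_amount=MAX_AMOUNT):
    """Map each clock hour to the set of accounts that saw a small withdrawal."""
    buckets = defaultdict(set)
    for ts, account, amount in records:
        if amount <= max_amount:
            hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(minute=0)
            buckets[hour].add(account)
    return buckets


def find_surges(records, min_accounts=MIN_ACCOUNTS, ratio=BASELINE_RATIO):
    """Sorted (hour, distinct_account_count) for hours far above the median hour.
    Distinct accounts are counted, not transactions, so one customer making
    several withdrawals does not trip it."""
    buckets = hourly_distinct_accounts(records)
    if not buckets:          # nothing small enough to count: no alerts
        return []
    baseline = median(len(a) for a in buckets.values())
    return sorted((h, len(a)) for h, a in buckets.items()
                  if len(a) >= min_accounts and len(a) > ratio * baseline)


if __name__ == "__main__":
    for hour, n in find_surges(SAMPLE):
        print(f"{hour:%Y-%m-%d %H:00}: {n} accounts hit by small withdrawals")
```

On the sample ledger only the 02:00 hour on day two is reported, with six distinct accounts; a real deployment would tune the thresholds per institution and compare against a longer baseline than one quiet day.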

The HL recently reiterated its call for banks to be legally held liable for phishing losses to bank accountholders. At the moment, despite the lack of mandatory control, banks usually, though not universally, pay up. As margins tighten and liquidity disappears, and as phishing attacks mount (already up 180% in the UK from January to June 08 compared to the same period in 2007, according to Apacs) it will grow ever more tempting for banks to find ways to get out of reimbursing phishing losses, eg by claiming that users failed to take adequate security steps. Considering the imbalance in technical knowledge and control between banks and users, this must be resisted. Phishing liability needs to be put on a legal basis, and soon.

Statute of Limitations & Privacy Round-Up

Brief moment of self aggrandisement - looking something up, I notice I've just missed the three year anniversary of this blog, having started in September 05. Cor. The private lawyer in me notes that the first claims for negligent misstatement or defamation should now be time barred.

Now that I am finally installed properly in Sheffield as of this week, I hope this blog will return to more regular service than of late :-)

Advance warning - Ian Brown and I have just completed this year's McAfee Virtual Criminology Report 2008 and it should be launched week beginning Dec 8th. Clear your virtual desks in antici-pation!!!

More bathetically, in a bid to encounter friendly natives, I will be at the Sheffield Law Society Halloween bash on Oct 31st!! If you're in the area and want to meet the (in)famous Pangloss do say hi! I believe costumes are mandatory however so I will be unrecognisable, and probably dressed as a Russian botnet. Should be fun :-)

Two actual items of content: one, the very (in)famous Mr Mosley, of Nazi orgy fame, is to petition the ECHR to change privacy law and require the media to notify people before they publish stories about them. Briefly this seemed a nice idea to Pangloss, but of course all it would do is enable preliminary gagging of the press by immediate seeking of injunctions in every case. One cannot see this going anywhere as the essence of the libel/freedom of speech compromise is that post factum damages are preferable to prior restraint. I can't see any reason why this policy balance should be unsettled by reference to privacy rather than defamation. Still, interesting times.

Secondly, an oldie but a goodie - yet more evidence that no one reads privacy policies. Well, if you tried to, it would take you anything from ten minutes to half an hour.

"Were people to actually read the policies and charge for that time it would cost $652bn a year.

Though that figure has limited usefulness, because people rarely read whole policies and cannot charge anyone for the time it takes to do this, the researchers concluded that readers who do conduct a cost-benefit analysis might decide not to read any policies."

As a former reader of fantasy, I love law and economics ...

Monday, October 06, 2008

The OPA rides again..


Bleeding heck. This and the UK extraditing someone for denial of Holocaust, a crime we don't actually have here, all in one week?

I hate to say it, but both the Lib Dems and the Telegraph are dead right on this one. I'm all for reasonable restraints on freedom of speech, of which this certainly is one, but the correct approach should then be a public debate in the UK as to whether this is a crime we wish to recognise (or introduce), not a blank cheque to the receiving country's police. That way lies extraditing Western citizens to Saudi Arabia for severe penalties for (say) sleeping with married women. No please.

The Girls Aloud stuff is equally vile but the principle has long been understood: no more prosecutions of literature, stick to obscene pix. Even the IWF now says it is after "images of child abuse" not "child porn". As Wendy Grossman pointed out, if this prosecution is successful, will the IWF have to start considering the artistic worth of stories and fan fiction, so as to add it after complaint to its block list? Really no please. That is for courts.

Are conservative values reasserting themselves in recession or is it just autumn and time for some Internet moral panic stories?

PS: this is my first blog post written on my beautiful new and very tiny Acer 1: staggeringly cheap, fast, decent keyboard, virus free Linux OS, built in web cam. I am a total convert. All I need now is a mobile Internet sub and I can happily write all my articles on the train to Sheffield :-)