The latest Brodies Solicitors free technology law supplement helpfully tells me of an interesting recent Scottish Freedom of Information decision.
In Decision 001/2005, Mr L and the Lothian & Borders Safety Camera Partnership (17 May 2005)
Mr L requested sight of the calibration certificate for equipment used in an alleged speeding offence. The Partnership argued that the information was already "otherwise accessible" under s 25 of the FOI (SC) Act by virtue of it being on the Partnership’s website. As it turned out, the particular calibration certificate was not actually on their website at the time of the request. However, the Commissioner provided his view, making reference to the fact that most deprived households were without internet access according to the Social Justice Annual Report 2003:
“In my view therefore it is not yet possible to say that information which is solely provided on a website is reasonably accessible to people in Scotland”
This must be an expensive blow for public authorities. The commissioner stated that “where [the authority] receives a request for the information to be made available in another format, e.g. in paper form posted to a home address, then it should do so unless there are overriding technical or cost implications.”
Other recent decisions mainly question the relationship between release of information under FOI and the protection of personal data under data protection law. This is shaping up to be a very controversial area.
A UK-based cyberlaw blog by Lilian Edwards. Specialising in online privacy and security law, cybercrime, online intermediary law (including eBay and Google law), e-commerce, digital property, filesharing and whatever captures my eye:-) Based at The Law School of Strathclyde University. From January 2011, I will be Professor of E-Governance at Strathclyde University, and my email address will be lilian.edwards@strath.ac.uk.
Friday, October 28, 2005
Thursday, October 27, 2005
Secure feed ISPs
Interestingly, since writing the last post, I've noticed that Edinburgh University - who act as my ISP and that of many thousands of staff and students - have begun compulsorily scanning the accounts of users, by administrative unit, for security breaches and vulnerabilities. And yes, you can opt out - but then the unit opting out, according to the security policy, must "ensure that they have sufficient resources to quickly identify compromised or mal-configured systems when the need [arises]". This is pretty much the model I was beginning to outline below.
Liability of ISPs for malware?
Bruce Schneier has reiterated his long-held belief that ISPs should be held liable for their part in spreading viruses and malware.
The Register quote him as saying: “It’s about externalities – like a chemical company polluting a river – they don’t live downstream and they don’t care what happens. You need regulation to make it bad business for them not to care. You need to raise the cost of doing it wrong.” Schneier said there was a parallel with the success of the environmental movement – protests and court cases made it too expensive to keep polluting and made it better business to be greener.
The analogy is appealing, but wrong. ISPs are not the polluters but the water-ways, or perhaps, their curators. The real polluters are the virus writers and bot creators - who are in most jurisdictions already criminally, and probably civilly, liable - just impossible to find.
Schneier goes on to say that ISPs should offer consumers “clean pipe” services: “Corporate ISPs do it, why don’t they offer it to my Mum? We’d all be safer and it’s in our interests to pay."
Here Schneier gets nearer to the real way forward. What Schneier, being a brilliant security expert, not a lawyer or economist, is getting wrong, is not the desirable end - ISPs helping clean up the Internet "environment" - but how to achieve it. You don't need public regulation of ISPs on the polluters model - which is unfair given that the ubiquity of malware is simply not their fault - when it's easier to get profits to act as an incentive instead. US companies, correctly, saw cleaning up pollution as a profit loser until it was made too expensive to ignore on a PR level, but security can easily be turned into a money maker.
My Mum, much like Schneier's I suspect, has no idea how to set up a firewall or a virus checker, or come to that, her email account. But she's not that short of a bob. If she was offered, instead of the almost useless "BT Privacy", "BT Security" for an extra £12 a month, say, where BT undertook to manage the security of her machine, monitoring, reporting, isolating and cleaning it out if it was infected or zombified, etc etc, she'd take it tomorrow. ISPs should be offering security cleanfeeds instead of content ones. When there's a decent, competitive market of those, we won't NEED environmental Internet laws - which will in any case be expensive and almost impossible to enforce universally, due to safe havens and lack of global harmonisation of criminal and public law (as Schneier himself acknowledges).
Someone pointed out to me that this isn't a solution, because those who don't buy in to a secure feed still remain vectors for infection. This is true: but it's possible we can deal with that by making the opters-out personally strictly liable for the security of their own machines (they are likely to be either the techy or the bolshy), rather than imposing inequitable liabilities on ISPs wholesale. Such an onus would be likely to drive all but those who really can look after their own machines - sysops, geeks, Linux lovers :-) - into the arms of a safefeed ISP. Another alternative for such would be to offer insurance to cover claims against them by affected consumers or networks.
Another commenter pointed out that a security service almost exactly as described above already exists - and lo! it costs £12 per month! Truth is stranger than fiction.
The UK answer thus far is not more law but public education in the shape of the new National Hi Tech Crime Unit GetSafe campaign. We shall report on its success but remain cynical ..
Monday, October 24, 2005
Honey, I Trademarked the Blog
The Markenblog blog reports that on October 21, 2005 the term law blog was registered by the owner of the popular German blog "law blog". The registration does not, actually, expressly cover blogs, but legal services in class 42, and services including the presentation of creative works in class 41. The German registration should not affect the general use of the generic or descriptive term by others.
says the German American Law Journal.
Words fail me really. I'm not a trademark lawyer but has "blog" not become a generic word? Does adding "law" really suffice to distinguish it as a badge of origin of particular services? Anyone out there want to comment?
Creative Commons: threat or menace?-)
Some random quotes from an online discussion on LiveJournal after a Friday night pub discussion on whether open source, creative commons and the rest of the anti copyright movements are new religions or merely fora for the development of useful tools:
"Creative Commons and Open Source are religions. Not as bad as some of the others, but nonetheless they are somebody else's vision of utopia that we're all supposed to participate in." Voidampersand.
"The sub-sect that drives me up the wall in the Wikipedians - and I speak as an avid user and browser of Wikipedia. Yes, it's an impressive achievement, but you can only tout it as an improvement over traditional encyclopaedias by rather radically redefining 'improved'. Which some of its most zealous advocates are happy to do... (Isn't it brilliant! Our users can democratically determine the value of pi by continuous re-editing!)"
"I'm tolerant and indeed supportive of OSS between consenting adults; it'd be hypocritical of me not to, as I use enough of the stuff at home - but I'm opposed to fundamentalism about it too. I don't like people saying I shouldn't have the right to protect intellectual property and make a living from it; it should be my choice".
On open source: "it's plainly a way for young white introvert males to "stick it to the man" -- in this instance, their employers"
Friday, October 21, 2005
Once More With Lawyers
Fox have closed down a planned fan performance of the well known Buffy musical Once More With Feeling at a fan convention, on copyright grounds, despite la Joss himself saying he was happy for it to go ahead. Illustrating yet again that the interests of the artists/creators themselves and those they assign rights to tend to be very, very different.
Should a fan musical really need copyright permission? It's well known that UK and US don't go for a "private non commercial copying" exemption as Continental countries like France and Germany do, and even if they did, a public performance would never, I expect, be seen as private copying. But as Kim Weatherall comments, there's no way this performance could do anything other than encourage people to buy profit-making official Buffy CDs, DVDs and other merchandise. There's no travelling official Buffy musical whose revenues can be cut into by fan knock-offs (more's the shame!) Fox is simply cutting off its nose to spite its own fans here.
Some commentators have compared this unfavourably to the permissive attitude towards Rocky Horror Show performances which take place all over the world with massive fan, er, interpretation of the plot and cast. But the point there is that every such performance also involves a public showing of the movie, so will usually involve a revenue stream, as almost all professional cinemas will abide by normal license agreements.
Thursday, October 20, 2005
Oxford Internet Institute UK Survey
The Oxford Internet Institute survey of UK Internet usage landed on my desk (yes! hard copy! how quaint!) this morning. It is a thing of wonder. Every totally obvious statement you ever wanted to include in an article but couldn't be bothered to find statistical backing for is included. Yes, 74% of UK citizens have now bought something on line. Yes, 61% of UK people now have Internet access at home. Yes, broadband uptake is higher in wealthy homes than poorer ones (no, you don't say.) People think the Internet is bad for privacy? Tick! (49% think the use of computers in the UK is a threat to personal privacy. 45% are concerned about access to their personal data.) Worried about spam? Tick! (60%. Though only 35% have done anything about it.) Concerned about viruses? Tick! (82%! And 65% have done something about it! (or so they say :-)
There are some pleasant (and less pleasant) surprises though. 72% of those asked said the Internet had made their life better. Only 23% agreed strongly that they were concerned about immoral content on the Internet, while 15% strongly disagreed (given the social difficulty of disagreeing with such a question for many parents, the "strongly"s strike me as the only section of the respondents who matter). An amazing 18% claim they post pictures on the Web and 14% keep a website, though only 5% blog (but still!). But only 17% of Britons object to ID cards and around 5% of users have given up on the Internet entirely between 2003 and 2005 for whatever reason (mainly lack of interest - only 11% cited bad experiences and 17% privacy worries).
And only 2% agree strongly that email takes up too much of their time while 65% disagree or strongly disagree. They sure as hell didn't interview me for this survey:-)
Wednesday, October 19, 2005
It's a hacker's life being a security pro
Hands up if you've never worried that a website that looks oh so real might just be a phishing site? We've all by now unfortunately seen enough sites that look as real as apple pie, but something - the URL usually - tells us that actually, it's a vehicle for fraud. If you work in professional computer security, this paranoia must be all the more overwhelming, and you have the tools to hand to test out your theories. It got to a certain Daniel Cuthbert, a security pro, who even lectured part time in security to members of the police's own Computer Crime Unit. Cuthbert, a well meaning citizen, went to a site to donate £30 to the Tsunami relief appeal. After making a donation but not getting any official thank-you or confirmation page, Cuthbert tested the security of the page, using tricks like putting in ../../../ to move up three directories. In fact, the site was genuine, and Cuthbert's access attempts (which failed) were recorded; Cuthbert was arrested, and successfully prosecuted for attempted unauthorised access under s 1 of the Computer Misuse Act. Last week, he was fined £400, paid £600 in costs and lost his job as a result.
Remarkably few convictions have been made under the CMA s 1 and this should not have been one. As the defence opined, it was tantamount to turning the s 1 offence into a strict liability offence. "Unauthorised access" simplex is the least serious charge in the CMA, but it cannot be regarded as an "administrative" crime, one like wrongful parking, which in the interests of the smooth running of society should be enforceable even when the party intended to do no wrong - it can earn a term of imprisonment and quite clearly demands mens rea. Section 1 of the CMA states that
1.—(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
Arguably, Mr Cuthbert was not trying to "secure access" as his purpose but merely as his literal means to that purpose. His true intent was merely to test whether the site was actually what it claimed to be. On the Internet, this is very difficult to establish without attempting access unless the site has a digital certificate or a SET/SSL interface. This defence could have been backed up by analysis of the statute as a whole (and its preliminary debates) which clearly assume that the access that is sought to be obtained is so sought in pursuit of some criminal or at least amoral purpose.
If we are talking only of the preservation of privacy of personal data, not about criminal activity, as we really were here, then the data protection laws should suffice without needing to go to the hacking laws. This was a case for the Information Commissioner not the police. Given the longstanding and honourable tradition of benign hacking to probe security holes (which following Cuthbert, must clearly fall within the s 1 offence) there is room for a public interest/research exemption here to clarify matters, as there is indeed in relation to the arguably much less acceptable act of possession of child pornography (see the Protection of Children Act 1978 1(4)(a) and equivalent provisions for Scotland in the Criminal Justice Act 1988 and Civic Govt (Sc) Act 1982). As matters stand, security professionals will be unable in any circumstances to test the validity and security of a site unless they know for sure they have authorisation from the true owner of the site.
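The post notes that the donation site recorded Cuthbert's "../../../" attempts and that those log entries became the evidence. From the site operator's side, this is what that record looks like and how it gets flagged. The following is an added example, not code from the post or from any party to the case: it parses constructed Common Log Format lines (the addresses, timestamps and paths are made up), percent-decodes each requested path, and reports requests containing ".." segments, distinguishing those that would climb above the web root from those that stay inside it. The helper names and the log layout are assumptions for the example.

```python
"""Flag directory-traversal probes in web server access logs.

Added example, not from the blog post: walks each requested path after
percent-decoding and records requests that contain '..' segments or that
would climb above the web root. The log lines below are constructed for
the example and describe no real host.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format. The second and third
# requests mirror the "../../../" probe the post describes, once plain and
# once percent-encoded; the fourth uses '..' without leaving the root.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Oct/2005:10:12:01 +0100] "GET /donate/thanks.html HTTP/1.1" 200 512
203.0.113.5 - - [19/Oct/2005:10:12:40 +0100] "GET /donate/../../../ HTTP/1.1" 403 0
203.0.113.5 - - [19/Oct/2005:10:12:55 +0100] "GET /donate/..%2F..%2F..%2F HTTP/1.1" 403 0
198.51.100.7 - - [19/Oct/2005:10:13:10 +0100] "GET /images/../images/logo.png HTTP/1.1" 200 2048
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD target proto", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)


def fully_decode(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded '%252E%252E' is recognised as '..' rather than missed."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def lowest_depth(path: str) -> int:
    """Walk the path segment by segment and return the lowest directory depth
    reached. 0 means the request never left the web root; a negative value
    means it tried to climb above it."""
    depth = lowest = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif segment not in ("", "."):
            depth += 1
    return lowest


def analyse_line(line: str):
    """Parse one log line and return a dict with traversal flags, or None if
    the line is not in the expected format."""
    match = LOG_RE.match(line)
    if not match:
        return None
    # Only the path component is walked; the query string is ignored here.
    raw_path = match["target"].split("?", 1)[0]
    path = fully_decode(raw_path)
    return {
        "ip": match["ip"],
        "timestamp": match["ts"],
        "status": int(match["status"]),
        "raw_path": raw_path,
        "decoded_path": path,
        "has_dotdot": ".." in path.split("/"),
        "lowest_depth": lowest_depth(path),
    }


def find_traversal_attempts(log_text: str):
    """Return parsed records whose decoded path contains a '..' segment, in
    log order. A record with lowest_depth < 0 tried to climb above the root."""
    hits = []
    for line in log_text.splitlines():
        record = analyse_line(line)
        if record and record["has_dotdot"]:
            hits.append(record)
    return hits


def count_by_ip(records):
    """Count flagged requests per client address, for a quick triage view."""
    counts = {}
    for record in records:
        counts[record["ip"]] = counts.get(record["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_traversal_attempts(SAMPLE_LOG)
    for hit in hits:
        tag = "escapes root" if hit["lowest_depth"] < 0 else "dot-dot within root"
        print(f'{hit["ip"]} {hit["timestamp"]} {hit["raw_path"]!r} -> '
              f'{hit["decoded_path"]!r} status={hit["status"]} [{tag}]')
    print(count_by_ip(hits))
```

The depth walk matters because a server that serves from a document root will refuse to go above it regardless of how many ".." segments are sent, so the 403 in the log is the expected outcome; the decoded path and the negative depth are what tell an operator that the request was a probe rather than a broken link. Decoding before matching is the part that catches the encoded variant, which a naive string search for "../" would miss.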