A UK-based cyberlaw blog by Lilian Edwards. Specialising in online privacy and security law, cybercrime, online intermediary law (including eBay and Google law), e-commerce, digital property, filesharing and whatever captures my eye:-) Based at The Law School of Strathclyde University . From January 2011, I will be Professor of E-Governance at Strathclyde University, and my email address will be firstname.lastname@example.org .
Friday, November 28, 2008
3 Strikes and the Telecoms Package: What's Going On?
Chaos reigns still, but the upshot seems to be that the CoM have , as expected, excluded the European Parliament , Commission-backed amendments (especially 138) which might have protected due process and human rights (bad news); but on the other hand, the CoM itself seems to have succumbed to pressure to seperate content from conduit regulation, and has removed or watered down some of the provisions which appeared to provide an EC foundation for Sarkozy's 3 Strikes law (good news). Indeed, La Quadrature du Net are claiming Sarkozy now faces an uphill struggle in bringing his law in even in France.
Pangloss is, frankly, confused and without the time to find out more. Off to Israel Sunday to speak on social networks and privacy at the University of Tel Aviv! (And also to visit my niece :-)
Will be back in London to promote the global launch on Dec 9th of the 2008 McAfee Virtual Criminology Report!! Watch this space for our phishy, financial and other findings this year (it's a co-production by myself and Ian Brown of the OII.) I wonder if we can top last year when the Chinese government called a press confernce to rebut our acusations of Chinese cyber terrorism!
Thursday, November 27, 2008
MySpace suicide bully found guilty of.. hacking???
The facts are so crazy I'm just going to paste from El Reg here..
"The case was heard in Los Angeles because that is where the MySpace servers are.
Lori Drew created a fake MySpace profile in the name of Josh Evans. She used the persona to flirt with a thirteen year old girl called Megan Meier, who her daughter had previously fallen out with.
After weeks of flirting Drew then sent her message which said: "You’re a shitty person, and the world would be a better place without you in it." Hours later Meier hung herself in her bedroom.
Local police in Missouri would not charge Drew and the LA prosecutor has been accused of grandstanding. The charges were downgraded from felonies to misdemeanors - three counts of accessing a computer without authorization - but Drew could still face jail, the New York Times reports.
The case has split legal observers with some welcoming extension of the use of the Computer Fraud Act to social networking sites. But Matthew L Levine, a defense lawyer in New York, told the NYT: “As a result of the prosecutor’s highly aggressive, if not unlawful, legal theory, it is now a crime to ‘obtain information’ from a website in violation of its terms of service. This cannot be what Congress meant when it enacted the law, but now you have it.” MySpace T&Cs oblige users to be truthful in information they post."
This is a good example of how hard cases make really bad law. The problem here apparently was that Missouri had no relevant criminal stalking law - which would have been the obvious way to deal with this. So Missouri passed, and an ambitious LA prosecutor saw a way to go for a conviction under their equivalent of the UK's Computer Misuse Act 1990, s 1 - an "unauthorised access" law, which was clearly originally designed for hacking.
What is "unauthorised" has been a bugbear throughout the history of these kind of laws. Originally , "unauthorised" in most jurisdictions contemplated outsiders breaking into a computer or system. In the UK, some of the earliest CMA cases ruled that unauthorised access could occur even where an insider - say a disgruntled employee - used a password or simply physical access rights to get into a computer system to say, defraud the employer or commit e-vandalism. A serious problem is whether you are authorised simply to access a sustem, or to access it for a particular purpose. A number of cases, eg, dealt with policemen abusing their rights of access to the Police National Computer to wreak private justice on ex girlfriends and the like.
More recently in the famous Lennon case, a court also had to decide if sending a few million emails as a DOS attack to a mail server was "unauthorised". The first instance court said no: mail servers offer a standing permission to receive mail, don't they? The appeal court more pragmatically said, yes, but they don't authorise receiving several million emails sent with a malicious intent. I warned at the time that, although useful as extending s 1 of the CMA to fight DOS and DDOS, this approach would have consequences. And here, sort of , they are.
What the UK has never really come to grips with - and the Drew case does - is whether "unauthorised" is also what you do when you break the contractual rules relating to access to a website (whether express ie in the EULA, or AUP, or T & C - or implied - as in Lennon).
Let's have an example. Blogger's content policy says that images of nudity should be posted only behind a Friends-lock. What if I post a (harmless, non child porn, non violent, non criminal) nude picture here for the world to see? (Like say this one?) By all means Blogger should have the right to throw me off its site - that's their contractual privilege. But should I be open to a criminal prosecution under s 1 of the CMA for "unauthorised access"? I don't think so.
Blogger's content policy (which is I think the same as Google's now) is pretty sensible in fact. I had to look quite hard to find an example of what I might do that would breach their T & C and not already be an criminal offense, eg, incitement to racial hatred. But remember that unlike the criminal law, what a site puts in its EULA or T & C is its privilege, and need not confirm to popular views as to what is societally unacceptable or wrong.
This is why it is crucially important to keep civil sanctions for breach of contract quite seperate from criminal sanctions for crininal behaviour, even though there is obviously an overlap in the actual types ofconduct. In the Drew case, the answer could have lain with using stalking laws rather than hacking laws to prosecute the undoubtedly evil accused; in the UK the answer could be to clarify exactly what "unauthorised" means (or to abandon the s 1 offense of "pure" hacking, and allow it as an offense only when used to pursue an illegal subsequent activity?).
I hope this US case will be seen as what it is: an unfortunate aberration.
EDIT: Link on (US) legal opinions on whether suicide-watching online (not the same as instigation , at least necessarily) is illegal inducemnt or abetting of suicide.
EDIT: Link from Making Light giving more info about the Drew case.
Monday, November 24, 2008
Public sector implications of phishing
And yet in the laast couple of months. I have paid for my road tax online, ditto for my TV license, and having failed to make my self assessment deadline, will be (ahem) paying someone else to do it for me online. E-government really is here.
Whih means it will no doubt be only a matter of minutes before the phishers catch on and exploit it as mercilessly as they're currently playing the troubled banking sector and its conbused customers. Today I got yet another Lloyds TSB -etc phish and for some reason decided to investigate this one. It was surprisingly mote sophisticated than last time I looked. The usual ploy; a fake URL which magically trasnsported you to a site that was NOT Lloyds TSB.
It was in fact
Quite clever that huh? The even vaguely clued up punter now knows to like for the right URL - and it has the co.uk part right. That intrigued me so i looked up whois and found this:
Front Page Information
|Website Title:||Lloyds TSB - Logon|
|Meta Description:||This is the Lloyds TSB logon page|
|Description Relevancy:||71% relevant.|
|AboutUs:||Wiki article on Uk-pre.info|
So they've again anticipated the even vaguely clued up punter and poisoned the whois directory. Now that IS bad. The fake Wiki article link is also quite neat. I checked and it doesn't link to Wikipedia itself but an obviously f(ph) ishy advertising site. However i'm sure the next lot along will easily concoct a real Wiki article. After all it only has to stay up for a day or so...
All this makes it even clearer that expecting the consumer to spot a phish sit e is ever more unlikely. We need better anti phishing tools, better take down networks, more police/bank collaboration and better rules about phishing liability, and , as I've saiid before, soon.
Note: and the fake site is down - so that WAS take down within 12 hours or so..
Thursday, November 20, 2008
Hugh Hancock has set up a Facebook group to help campaign- go join!
I'm also advised the email addresses of the Ministers to write to should you wish to are
Stephen Carter : email@example.com
Shiriti Vadera: firstname.lastname@example.org
Wednesday, November 19, 2008
Thought inspired by the much bally hooed leak of the entire BNP membership list in breach of court injunction.
WikiLeaks has of course been in this business for a long time - but I suspect rather more of the UK population than before has just begun to wake up to the world in which court gagging orders are simply a waste of time. (I just went there to get the URL, and surprise, it's slashdotted. I don't know if they do have the BNP list.) I could go and torrent that list now anyway, with no danger of the re publisher being tracked(though of course I won't). This is possibly the most effective counter-injunction leak in the UK since people discovered they could get illicit copies of Spycatcher online.
Someone I know has already to her shock found an old family friend on the list. People are scared of losing their jobs. Some of them , like police officers, arguably should. There are children on it enrolled as part of a family membership package -how may they feel? Now or in the future when they have their own views?
Is this really, finally, the transparent society, and if so, do we like it?
Tuesday, November 18, 2008
Fighting Dustbin Hogs, the RIPA Way!
Well you can tell what really gets the British public steamed up can't you? Forget the credit crunch, the collapse of the global economy and the war in Iraw, it's early rubbish-sneakers we're really worried about... (give them large roadside wheelie bins like we have in Embra! , says Pangloss, holding her nose).
Actually the story is (surprise) misleading - the Mail really mean that half of those who replied - only 151 out of 474 councils - admitted to tactics such as putting spy cameras on bins, lampposts and in tin cans.
The Regulation of Investigatory Powers Act 2000, or RIPA, has apparently been used, according to the Mail be justify surveillance operations via a variety of grounds, including to 'protect public health' or the 'economic well-being of the UK'. When of course we all know it ought only to be used to catch serious criminals or terrorists. But - hang on a mo.
Pangloss is a teeny bit bemused. Local councils and police can put up CCTV cameras anyway, she thought, and merely give notice in the standard ways according to ICO Codes of Practice that they are so doing. Consent of data subjects is not needed if the purpose is to aid law enforcement or prevent crime. Why were RIPA powers needed at all? (Good for public transparency in that it would then figure in statistics, but..) Presumably because it was covert monitoring which is usually regarded as against DP law (see ICO Codes) but is allowed under RIPA Part II.
But that Chapter - which is little talked of in digital circles , as we are normally interested in the parts on interception and retention of communications and traffic data, and encryption - to a large extent merely codified previously existing police powers (or so I have always assumed). It was the *monitoring* and *decryption* Parts - 1 and 3 - which were novel with RIPA, and which were delayed in implementation by political controversy.
Furthermore none of RIPA was actually specifically introduced as an anti- terror law - it originated well before 9/11 etc and makes as many references to crime (not just serious crime) , economic well being and public health (eg) as "terror" or national security. It was the Anti-Terrorism, Crime and Security Act 2001 which was a specific response to terror (surprise).
Whichi s not to say that this wasn't a bad use of a bad law, and we should hope the Mail does more entertaining digital investigations in future :) But it may not actually have been an "abuse of anti terror law" at all.
(belated thanks to Hugh Hancock for pointing me towards this story!)
Fighting 3 Strikes, the French way?
It is dfficult to see how any democratic organisation could object to such values being embedded in any type of dispute resolution process, and indeed the Amendment was passed by 88% of European MEPs and endorsed in the Commission report; however the Council of Ministers removed it from their draft proposal, and will almost certainly be continuing this opposition when the Telecoms Package comes to its next major vote on Nov 27th.
The right to due process, if preserved, will indubitably strike a significant blow against Sarkozy's plans to introduce a 3 strikes law and thus this vote is of particular importance to the French.
However it is significant in many other European countries too, notably our very own United Kingdom of GB, where the result of the current (now closed) consultation on the BERR-sponsored Memorandum of Understanding might well be the introduction of a similar process a similar process compelling ISPs to clamp down on alleged filesharers, and similarly lacking safeguards of impartialitry, exaination of evidence and opportunity for legal assistance in the UK. Indeed the UK process might turn out to be more damgerous, since while the French law primarily contemplates outright disconnection, the UK process might include less transparent and more obscured sanctions such as traffic slowing and filtering. Opponents of covert censorship thus have an agends here as well.
If you are worried, check out the La Quad site and see what you can do.
If you want to read more about this and see more legal backing for these claims, see the brief prepared by Simon Bradshaw and myself on interpreting the Telecoms Package.
If you want to see a video of a Swedish MEP explaining what he sees as at stake here, see here.
Saturday, November 15, 2008
More possible solutions to credit card scams..
Credit cards which generate one-time PINS.
"The next-generation cards feature a numeric keypad on the back of a plastic card. Customers enter their PIN code to generate a one-time password. This code, displayed on a card’s display panel, is then used to authenticate online purchases.
The approach is an alternative to using a password when authenticating online purchases through the much-criticised Verified by Visa scheme. As previously reported, VbyV passwords can often be easily reset knowing only card details and a user's birthday."Re my previous suggestion of decent roll out of two factor ID, ie, dongles etc, A Reader writes:
"Physical banking tokens are a complete pain in the arse; I either carry the sodding thing about with me, in which case we have the modern equivalent of 'keep your chequebook and cheque guarantee card separately' -- no, actually, I am a woman and I carry a handbag because my business clothes do not have pockets, and all this stuff is in it; plus, although it's not terribly heavy, it's another thing to carry -- or I am essentially disenfranchised from key banking services when I'm not at home. I get particularly pissed off with the physical token when I make periodical payments of random amounts from my current account to my offset mortgage account. I have paid money to this account before. Lots of times before. The chances of this transaction being fraudulent is nil. Why are you asking for token codes?"
EDIT: a new report on this on OUT_Law makes it a bit clearer that this tchnology replaces BOTH the verified-by-Visa type programmes and the dongle. Instead the one time PIN generated requires the user to both have the card and the usual PIN - efectively making online, card not present transactions as secure as face=to=face ones.
Although this obviously still allows for some fraud, it does seem a major step forward. Here's hoping the trial is successful, says this very fed up online shopping card user.
AReader also rather sensibly asks why all banks can't demand as little security as PayPal, ie, one usrname and password. Presumably because when losses acrue due to hacking of PayPal accounts the losses stay with the credit card isssuers not PayPal ? Does anyone know how PayPal manages risk??
Eloquence for the end of the week
"While I have low expectations of the British media, it seems to me that there is a deep Luddite vein that is exploited repeatedly whenever games and virtual worlds are concerned. For most people, gaming simply replaces other entertainment activities, such as reading, watching TV, or listening to the radio. When you boil it down to basics, gaming is a way of removing oneself from reality and experiencing other points of view. But is that not the same of reading? When reading I have spent countless hours lost in Middle Earth, visited Macondo, explored the Galaxy in Culture ships, and metamorphosed into a giant insect. On TV I have followed the perilous journey of the Battlestar Galactica in its brave escape from the Cylons. In cinema I have witnessed the triumph of the Rebel Alliance, followed the romantic adventures of a French waitress, and seen seven brave samurai rescue a village from bandits. Those are hours of my life "wasted" in other realities instead of "being outside" doing "real things" and interacting with "real people". Are there people who abuse gaming? Sure! But so do lots of people abuse alcohol, knitting and sport. To me this is the most fallacious of dichotomies, people who are inclined to spend 12 hours in front of a computer screen playing a game are not likely to suddenly go out and become involved in "real life" if you switch the computer off."
Bravo, even tho I'm not a gamer.
Friday, November 14, 2008
Not a very difficult process you might think; certainly not for a professor of Internet law?
But in fact every previous time I have started to do this, I have given up in sheer frustration and irritation and just gone to the station and bought the damn ticket - why?
Because making this very simple everday e-commerce transaction involves:
- remembering my thetrainline.com login - not easy because they refuse my "normal" passw as it does not have numbers in it (thus encouraging me to use a highly guessable password instead as the types of numbers people can remember ARE highly guessable - you know what I mean :)
- going through not just ordinary debit card security, but ALSO RBOS's *extra* security (since my debit card is RBOS) - which involves re entering much of the same info, plus a DIFFERENT passw from the one I already use for RBOS's *own* on line banking, again, a different passw from my "usual" passw, because of their *own* arcane restrictions)
- putting in my mobile no, but having to go through yet anothr log in get a "verification code" before I can actually get the damn booking reference sent to my damn phone.
Do you begin to see why I might prefer just to go queue at the station??
By contrast, in the days when I flew to Embra from Soton, somehow I could book a plane using an ordinary credit card, avoid extra security by using a credit card which hadn't yet invented "VisaSafe" or whatever :-), get a reference no, and just stick the credit card in a machine at the airport to get my tickets printed out. Damn it, I could even print my tickets AT HOME and forget all my ref nos.
This rant is partly then about why can't it be as easy to get a train ticket as a plane ticket when logic suggests it should be the other way around.
But mainly it is about B2C e-commerce and payment security in general. This is NO WAY to build a business model. I should not have to re enter fiddly personal details in different abstruse combinations three or four times to complete a simple transaction.
The banks' security, upped in reaction to their fears of having to reimburse CNP fraud losses (even though they off lay most of it on to the merchants) have reached the point where, I assert, they will do their best to deter most ordinary customers. I don't know what the answer is, though I suspect it has to do with identity management, or with physical token roll out to everyone, not just prized upmarket customers. But this simply will not do.
Thursday, November 13, 2008
Analysing the European Telecoms Package: Even More About Three Strikes and You're Out
However as I reported then, there was serious concern (raised by La Quadrature de Net and Monica Horten at IPIntegrity) that some interest groups (in the main, it seems, the French Sarkozy government, and the global content industry lobby) were using this complex law reform exercise as a Trojan horse to pass through some fairly bland looking proposals, which when looked at more closely proved to lay what might well be a framework for European legitimisation of Sarkozy's "3 strikes and you're out law".
This law - whose basic idea is that alleged repeat filesharers should be summarily disconnected from the Internet without the intervention or supervision of the courts, on the say so of the content industry - had already been rejected in principle by the European Parliament as a breach of due process and fundamental rights such as privacy and freedom of expression.
As a result of publicity and a write in campaign to MEPs, these issues became better known, and safeguards were inserted into the Telecoms Package at the European Parliament reading stage. However these were subsequently removed (with little or no) publicity in the leaked Council of Ministers proposed amended version. Opaque waters were further muddied when a week or so ago the Commission came back with their (official) proposed version, which attempted to address some , but not all, of the worriesome issues in the Package. At this point I was asked, along with trainee barrister, blogger and IT law expert Simon Bradshaw, to have a look and say just what there was (if anything) still to worry about in the Telecoms Package as of right now, since its level of incomprehensibility had already reached beyond 11 on a scale of 1 to 10, for anyone except trained combat Internet lawyers (and we were struggling too:-).
After much burning of midnight oil and pixels, these are our conclusions. We hope they are useful to all participants in the European democracy and legislative process; in particular we hope they inform both the public and the politicians during the current vital period when the future of the Telecoms Package and whether it will go to a second reading in the EUP are being decided behind closed doors.
Here is the top level summary; the whole report can be downloaded here.
"The central issue discussed here relates to the current state of the Telecoms Package and
the extent to which it allows or does not allow (or requires, or does not require) the
disconnection of alleged filesharers from the Internet, without the involvement of courts to
assess the evidence for the possibility of error, and to provide protection for due process and
fundamental rights . It is indubitable that the Telecoms Package also provides many important
consumer friendly guarantees, but these are not the topic of this brief.
In particular, we wanted to find out if the Telecoms Package, at its latest stage, still provides a potential guarantee of legality for the “3 strikes and you’re out” legislation currently being implemented in France and of interest in some other member states such as, notably, the UK. The key parts of the argument above have been emboldened.
On the basis of our analysis it is clear that the package does, or at least can, provide a
mandatory basis for the “warnings” part of a French-style connection sanctions law (the
“strikes”) (see para 12 of brief), and also potentially provides a means by which public CSPs
(ISPs and the like) can be compelled by the national regulator to work with (“promoting
cooperation”) rightsholders to implement a disconnection scheme (the “you’re out” – see para
19 of brief). Wording in various places of the latest version seems to confirm that this “cooperation” is a more extensive obligation than simply providing copyright related
public interest information.
This is a crucial set of obligations, about to be imposed on all of Europe’s ISPs and telcos,
which should be debated in the open, not passed under cover of stealth in the context of a
vast and incomprehensible package of telecoms regulation. It seems, on careful legal
examination by independent experts, more than possible that such a deliberate stealth
exercise is indeed going on. When passed, these obligations will provide Europelevel
authority for France’s current “3 strikes” legislation, even though this has already been
denounced as against fundamental rights by the European Parliament, when it was made
clear to them what they were voting for or against.
Importantly, two amendments originally inserted by the EUP did provide protection against
nonjudicial imposition of disconnection and other sanctions against alleged filesharers,
in particular Art.32a of the Universal Service Directive (see para 35 of brief) and Art.8(4)(ga) of
the Framework Directive (see para 28 ). However, both of these provisions were deleted by
the CoM, and did not appear in the CoM’s proposed final text.
Somewhat unexpectedly, however, one of these “safeguard” provisions, Art 8(4) (ga) ,was in
fact reinstated by the Commission in the latest version. Why both Amendments 166 and 138
were not so reinstated is unknown, but may relate to “horse trading” between the Commission,
the Council of Ministers and the European Parliament to get the package passed during the
Sarkozy Presidency of the EU. Whether (ga) will survive to the final version of the Telecoms
Package is anyone’s guess, but it is clearly a key defence for civil liberties and against “3
strikes”, as it explicitly protects both the right to due process and the right to private life. This
brief commends its re-inclusion and suggests that Amendment 166 also be reinstated...
...Finally we reiterate that this brief has been prepared to give a legal, rather than a lobbying,
perspective upon the telecoms package. Good European law cannot be made when sectoral
agendas are hidden within nested sets of amendments, obscure definitions by reference, and
overly wide and vague terminology. The purpose of this brief has been to open up these
obfuscated agendas to the light of day. The brief is based on the Telecoms Package state of
play as at 12 November 2008. It will be updated as developments occur. "
Finally, thanks for help with this relating to European policy and process from the ever-helpful Judith Rauhofer, Research Fellow at UCLAN.
Monday, November 10, 2008
Obama has a few statements on his new website about technology plans that may be relevant to the IT/IP community:
"Protect the Openness of the Internet: A key reason the Internet has
been such a success is because it is the most open network in history.
It needs to stay that way. Barack Obama strongly supports the
principle of network neutrality to preserve the benefits of open
competition on the Internet."
"We live in the most information-abundant age in history and the
people who develop the skills to utilize its benefits are the people
who will succeed in the 21st century. Obama values our First Amendment
freedoms and our right to artistic expression and does not view
regulation as the answer to these concerns."
"Safeguard our Right to Privacy: The open information platforms of the
21st century can also tempt institutions to violate the privacy of
citizens. As president, Barack Obama will strengthen privacy
protections for the digital age and will harness the power of
technology to hold government and business accountable for violations
of personal privacy."
Sounds good doesn't it - net neutrality. certainly. Privacy protection definitely - could we finally see the rise of omnibus privacy regulation in the commercial sector of the US? But many wiser people than me are worried about what "artistic expression" means. Remix artists right to rip mix burn, or rights for music labels? Optimism says the former; realism the latter.. does Obama want to be darling of Hollywood, or the opiate of the masses? anyone care to speculate?
Saturday, November 08, 2008
Blogs are what happen when....
I long to debate the exciting things that are happening: the Google Library settlement, the Telecoms Framework latest Commission compromise position, the French passing 3 Strikes and You're Out, data retention , Internet libel cases in the UK courts, and how to deal with regulating the security of wi fi - but too busy actually doing things that relate to these to have time. Ag! I seem to have made a F austian bargain of my own - surrounded by a panoply of interesting legal developmnets, but noooo time to chat about them. Sigh.
Things wot I have done instead:
helped (a bit ) with the ORG response to the BERR filesharing consultaion;
helped (a bit more) with the ORG response to the UK consultation on implementing the Internet data part of the Data Retention Directive (link to follow)
supervised the preparation of an excellent brief by Simon Bradshaw on how the Telecoms Framework , having now been through the European Parliament, the Council of Ministers and the Commission report stages, still contains provisions which may well enable and legalise a France style "3 strikes" regime throughout Europe. We (Simon, ORG and myself) hope to publish this brief in the next few days. Thanks also to Monica Horten for invaluable assistance on this project.
So instead, meanwhile here's the latest XKCD cartoon, which as usual is superb :-)
Wednesday, November 05, 2008
I Have a Dream?
So Boing-Boing is already speculating on Fantasy Presidential Staff. Could we see Lessig at the FCC, they suggest, or Schneier at Homeland Security? Would any of my US`readers care to speculate if this sort of thing is actually plausible?
In much more important political news (ha), Becky Hogge is stepping down as chief leaderette and PR person for the Open Rights Group (ORG.), the UK's leading digital rights campaigning group. She's done an amazing job and will be a tough but enthralling act to follow. If you're interested, have a look
The advert is here:
And feel free to pass this link on. (Disclosure: I am on the Advisory Board.)