Category Archives: Law

Privacy in Germany: Courts Support It

Interesting that Germany has more respect for privacy than the U.S. does:
Government surveillance of personal computers would violate the individual right to privacy, Germany’s highest court found Wednesday, in a ruling that German investigators say will restrict their ability to pursue terrorists.

The Karlsruhe-based Federal Constitutional Court said in a precedent-setting decision that data stored or exchanged on a personal computer is effectively covered under principles of the constitution that enshrine the right to personal privacy.

“Collecting such data directly encroaches on a citizen’s rights, given that fear of being observed … can prevent unselfconscious personal communication,” presiding judge Hans-Juergen Papier said in his ruling.

Court Shoots Down Computer Surveillance, By MELISSA EDDY, Associated Press Writer, 27 Feb 2008

Although apparently Germany also has lazy cops who think spying on individuals is their birthright, just like in the U.S. Not regular police, mind you, but
…secret services’ ability to use virus-like software to monitor suspected terrorists’ online activity.
The court rightly said suspicion is not enough:
“Given the gravity of the intrusion, the secret infiltration of an IT system in such a way that use of the system and its data can be searched can only be constitutionally allowed if clear evidence of a concrete threat to a prominent object of legal protection exists,” Papier said.
And a judge has to approve it.

Now that’s risk management.

-jsq

Canadian Breach Reporting

Michael Geist’s top tech law issue for Canada for 2008 is:

Security Breach Reporting Rules Are Introduced. Scarcely a week went by last year without a report of a security breach that placed the personal data of thousands of Canadians at risk. Last spring, a House of Commons committee acknowledged that the country needs mandatory security breach disclosure legislation that would require organizations to advise Canadians when they have been victimized by a breach. A public consultation on the issue concludes next week and new regulations will be introduced before the summer.

Eight Tech Law Issues To Watch in 2008, Michael Geist, Tuesday January 08, 2008

That would be a good thing.

-jsq

Bot Roast II: FBI Cracks Down on Bot Herders

FBI indicts, and in some cases gets guilty pleas or sentences, eight people they say were involved in botnet-related activities:
Secure Computing’s principal research scientist Dmitri Alperovitch was quite happy about the news.

“We welcome this news and applaud the FBI’s efforts and law enforcement worldwide in attempting to cleanup the cesspool of malware and criminality that the botmasters have promoted,” Alperovitch said in a press release. “Since botnets are at the root of nearly all cybercrime activities that we see on the Internet today, the significant deterrence value that arrests and prosecutions such as these provide cannot be underestimated.”

FBI Cracks Down (Again) on Zombie Computer Armies, By Ryan Singel, Threat Level, November 29, 2007 | 4:54:32 PM

Indeed, good news.

Now where are the metrics to show how much effect this actually had on number of botnets, number of bots, criminal activities mounted from bots, etc.? Baseline, ongoing changes, dashboard, drilldown?

-jsq

PS: Interestingly, every blog or press writeup I’ve seen about this misuses the word “hacker” to apply to these crackers, yet the actual FBI announcement never makes that mistake: it says cyber crime.

Antitrust and Microsoft: Still on the Table?

More time to determine whether Microsoft has a monopoly?

Microsoft, state prosecutors, and the U.S. Department of Justice on Tuesday said a federal judge needs more time to weigh whether Redmond should be subjected to a lengthier period of antitrust policing.

In a joint filing with U.S. District Judge Colleen Kollar-Kotelly, who has been overseeing Microsoft’s antitrust compliance, they asked for a soon-to-expire oversight period to be temporarily extended until at latest January 31, 2008. That way, the judge will have more time to weigh the merits of last-minute pleas from a number of state prosecutors to add another five years to the oversight regime.

Right now, most of Microsoft’s 2002 consent decree with the Bush administration is set to expire November 12. One small portion, related to a communications protocol licensing program that has encountered numerous delays since its inception, has already been extended through November 2009.

U.S.-Microsoft antitrust deal to get temporary extension, by Anne Broache, C|Net News.com News blog, October 30, 2007 2:24 PM PDT

The story says the judge and Microsoft are expected to agree to the extension. Not surprisingly, there’s an objection from a different quarter:

The Justice Department has already said it doesn’t believe there’s any need to extend the oversight period and that the agreement with Redmond has been working as designed.

It’s state prosecutors from 10 states who are driving this extension.

These days we don’t have Teddy Roosevelt to bust trusts, nor even William Howard Taft, whose Department of Justice started 80 antitrust lawsuits. Maybe the states can do it.

-jsq

Fingerprint False Positives

Not all that glitters is gold:
“Fingerprints, before DNA, were always considered the gold standard of forensic science, and it’s turning out that there’s a lot more tin in that field than gold,” he said. “The public needs to understand that. This judge is declaring, not to mix my metaphors, that the emperor has no clothes.”

Judge bars use of partial prints in murder trial, By Jennifer McMenamin, Sun Reporter, October 23, 2007

The judge did this because of the partial fingerprint false positive linking an Oregon lawyer to the Madrid bombings. Apparently that was only one of twenty false matches in that case. So the judge in this homicide case has ruled that partial fingerprint matches can’t be used as evidence.
At a pretrial hearing in May, prosecutors argued that fingerprint evidence has been accepted by the courts and relied upon for nearly 100 years. Defense attorneys countered that there is no similar history of subjecting the evidence to scientific review.

“The state is correct that fingerprint evidence has been used in criminal cases for almost a century,” Souder, the judge, wrote in her decision. “While that fact is worthy of consideration, it does not prove reliability. For many centuries, perhaps for millennia, humans thought that the earth was flat.”

So if a hundred year old “gold” standard of evidence turns out to be tin, what about all the wide-scan wiretap dragnet evidence that certain governments seem intent on compiling these days?

-jsq

PS: Seen on Bruce Schneier’s blog.

eCrime Papers Posted

The APWG eCrime Researchers Summit has released its papers by linking them to its agenda. Lots of interesting stuff there about phishing and website takedown, capture and recapture, password reuse, behavioral reaction, etc.

There were also sessions on getting technology solutions adopted and user education, but those appeared to be panels, and don’t have papers posted.

-jsq

RIAA Money Pit

RIAA demonstrates how not only to alienate customers by suing them, but to lose money while doing so:

During an occasionally testy cross examination, a Sony executive said what many observers have suspected for a long time. The RIAA’s four-year-old lawsuit campaign is costing the music industry millions of dollars and is a big money-loser for the record labels. The revelation came during the first day of Capitol Records v. Jammie Thomas, the first file-sharing case to go to trial (it was formerly known as Virgin v. Thomas, but the sole Virgin Records track was stricken from the complaint, making Capitol Records the lead plaintiff).

RIAA anti-P2P campaign a real money pit, according to testimony, By Eric Bangeman, ars technica, October 02, 2007 – 11:40PM CT

I don’t quite understand how this is good for anybody, except maybe iTunes. As risk management goes, it’s about as negative as it gets.

-jsq

Silver Bullet Security Considered Harmful

In the comment discussion about Linus’s schedulers vs. security polemic, Iang mentioned a paper he’s writing:
We hypothesize that security is a good with insufficient information, and reject the assumption that security fits in the market for goods with asymmetric information. Security can be viewed as in a market where neither buyer nor seller has sufficient information to be able to make a rational buying decision. These characteristics lead to the arisal of a market in silver bullets as participants herd in search of best practices, a common set of goods that arises more to reduce the costs of externalities rather than achieve benefits in security itself.

The Market for Silver Bullets, by Ian Grigg, Systemics, Inc. $Revision: 1.27 $ $Date: 2005/11/05 18:25:54 $

Evidently security needs to find another precious metal for its bullets, given that the Storm Botnet is still out there after months, phishing becomes more expensive all the time, spam has killed electronic mail for a whole generation of users, and the best the monoculture OS vendor can come up with is a new release that attempts to push responsibility for all its bugs and design flaws back on the user.

What to do?

Liability Waiver?

Speciality Insurance Blog points out that liability waivers, while increasingly popular, may not protect governmental entities from gross negligence claims.

That doesn’t stop governmental entities from using them even in the grossest cases:

Sec. 5. For those persons whose property and interests in property are blocked pursuant to this order who might have a constitutional presence in the United States, I find that, because of the ability to transfer funds or other assets instantaneously, prior notice to such persons of measures to be taken pursuant to this order would render these measures ineffectual. I therefore determine that for these measures to be effective in addressing the national emergency declared in Executive Order 13303 and expanded in Executive Order 13315, there need be no prior notice of a listing or determination made pursuant to section 1(a) of this order.

Sec. 8. This order is not intended to, and does not, create any right, benefit, or privilege, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, instrumentalities, or entities, its officers or employees, or any other person.

Executive Order: Blocking Property of Certain Persons Who Threaten Stabilization Efforts in Iraq, by George W. Bush, The White House, 17 July 2007

You’ve got to admire the chutzpah of promulgating a blatantly unconstitutional directive (see Fourth Amendment) and ending it with a liability waiver.

And there’s always suppressing the evidence, as in FEMA trailers outgassing formaldehyde.

Risk management includes watching what’s going on.

-jsq

Negligence and Breaches

Banks, shops and government departments have exposed thousands in Britain to the risk of fraud through “horrifying” breaches of data protection laws, a watchdog said on Wednesday.

In his annual report, Information Commissioner Richard Thomas, whose office enforces the Data Protection Act, said firms must do more to secure people’s private details.

“The roll-call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying,” he said in the report.

Privacy watchdog warns of “horrifying” breaches, The Scotsman, Reuters, 11 July 2007

He’s not talking terrorism, so we can hope this is not just more FUD.