Thursday, 20 August 2009

SCRIPTed new issue

The latest issue of the online journal script-ed ("A Journal of Law, Technology & Society") is out - (2009) 6:2 SCRIPTed 194-533

I've not had a chance to read it yet but these seem particularly interesting:

- and there are quite a few articles on copyright, as you'd expect.

(For anyone who missed it, see also IFOSSLR.)

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Wednesday, 19 August 2009

Open source programming languages - rankings

This is pure tech rather than tech and law, but I just think it's interesting.

The H reported on Black Duck Software's analysis of the programming languages used in open source projects (see also the Black Duck press release).

The table above, from the analysis page, shows languages ranked in order of use in open source projects: over all time, C is the most used open source language and Ada the least used.

Dynamic languages are increasing in popularity over static ones. The bars show changes over just the last 12 months, with Javascript gaining the most (some 2 percentage points), then SQL, Ruby and C#, while Shell, Perl, Java, C and C++ have all lost ground.

Javascript is said to be "the most-used and fastest-growing scripting language. More projects overall have used JavaScript than Java by a margin of 3 percentage points."

65% of open source code is C, C++, and Java, and 80% of open source is C, C++, Java, Shell and JavaScript.

Technology, domestic violence, anonymity

There's a US initiative to "promote safe technological practices" involving the National Network to End Domestic Violence (NNEDV), who "works closely with technology companies to inform survivors and domestic violence service programs on best practices for security and privacy".

They sponsored a panel last week with Google, Microsoft and Verizon, but I haven't heard anything much about it.

There was a short Microsoft blog post on it and on MS technology, but I don't see how the Microsoft technologies mentioned would help "maintain confidentiality following the end of an abusive relationship."

Anti-spyware can detect installed monitoring software, and Vista warns when monitoring is turned on, but surely that will only help during the relationship, not after? It's creepy that your partner can try to spy on your computer activities, but knowing that they're doing it isn't enough in itself.

What about help on privacy and anonymity, and hiding one's online traces e.g. from a threatening ex-partner? Spyware as a stalking tool only works on the infected computer, but women can be stalked online generally.

We haven't heard much from Google or Verizon about what they're doing on this front, apart from:

"informed use of technology like wireless communication makes the difference in helping victims become survivors" and

"Google has worked with NNEDV to ensure that many of its products, including Street View and Search, incorporate strong privacy protections for victims of domestic violence and the shelters that provide them with safe havens" - what protections exactly, and how can victims avail themselves of them?

(If I'm being unfair and just missed it, do tell me.)

The NNEDV's Safety Net project is along the right lines but their advice is very short; a lot more needs to be done. All the same, this initiative is to be applauded, and at least the 3 corporations concerned have become involved.

All this does prove, though, that there is a legitimate place for digital anonymity, and I hope that any identity management system required by the US government and others will allow anonymity and not prevent it.

Tuesday, 18 August 2009

MoD wrist slapped by ICO for bad FOI

On 13 August 2009 the Ministry of Defence got its wrist slapped by the Information Commissioner's Office and was ordered to "improve its handling of internal reviews and ensure its standard completion target for internal reviews conforms to guidance issued under the Freedom of Information Act".

The ICO even issued a new practice recommendation especially for the MOD, "Freedom of Information Act 2000 (Section 48) Practice Recommendation Date 10 August 2009".

See the ComputerWeekly report.

Censorship - China's Green Dam scaled down; & anti-censorship software

China seems to have given in, at least a bit, to the international and indeed internal outcry against its "Green Dam" plans to install internet monitoring and filtering software on all its citizens' computers. It'll just be installed in schools and internet cafes, for now. And it's "voluntary" for private citizens. Telegraph report.

Separately, the US agency the Broadcasting Board of Governors (BBG) said that it is working on "feed over email" (FOE) software which can enable free Web-based email services like Gmail, Yahoo! Mail or Hotmail, which have built-in encryption, to be used as secure channels for news. When ready it will be beta tested in China and Iran. AFP report.

There are "feed to email" services already in existence. For instance, Google's excellent Feedburner automatically converts feeds to emails for subscribers. Or there's FeedMyInbox. I wonder what extra features the BBG's FOE software will add?

Monday, 17 August 2009

Digital Economy Bill, Digital Britain implementation report, ISPs as enforcers

A Digital Economy Bill, outlined in the draft legislative programme published on 17 August 2009, follows on from last week's Digital Britain Implementation Plan, August 2009 (on the implementation plan see the reports from Computing and ComputerWeekly, the latter entitled "Digital Britain implementation plan: Government seeks control of UK internet domains"). Here's the main Digital Britain page.

The Bill will include:

  • "delivering a universally available broadband in the UK by 2012 through a public fund, including funds released from the digital television switchover help scheme;
  • giving the sectoral regulator, Ofcom, two new duties: first, to promote investment in infrastructure and content alongside its duties to promote competition; and second, to carry out a full assessment of the UK's communications infrastructure every two years; to ensure that the UK has a first class and resilient communications infrastructure;
  • creating a robust legal and regulatory framework to combat illegal file sharing and other forms of online copyright infringement and give Ofcom a specific new responsibility to significantly reduce this practice, including two specific obligations on Internet Service Providers: the notification of unlawful activity and, for alleged serial-infringers, collation of data to allow rights holders to obtain court orders to force the release of personal details, enabling legal action to be taken against them"

ISPs as enforcers

The proposals to make ISPs "enforcers" are, to me, problematic.

Before I started this blog there was some publicity about "Guilty till you're… nope, just guilty" Karoo, a small ISP with a monopoly in Hull.

It cut off its customers without any warning on simply getting notification from copyright holders of suspected illegal filesharing. And it refused to reconnect them till they promised never to do it again (even if they'd never done it in the first place!). Talk about "natural justice".

After some adverse publicity, including the intervention of MP Tom Watson, Karoo have now said they'll adopt a "three strikes" policy instead. But even that leaves a nasty taste in the mouth.

The whole issue of using ISPs as copyright police to, essentially, enforce the commercial interests and prop up the profitability of powerful industries, just doesn't sit well with me.

What about the rights of ordinary individual citizens? And who bears the costs of this "robust legal and regulatory framework" and "obligations" on ISPs - shouldn't it be the music / film business rather than UK taxpayers and ISP customers?

Why is combating "illegal file sharing" so much more important and worthy of politicians' time and legislation than combating street crime, or stopping elderly people dying for want of enough heating in their homes?

Perhaps the chance to have dinner with the rich & famous and to hobnob with ageing rock stars could be a deciding factor. Got to get one's priorities right after all, building up one's connections with industry is vital - especially if one may be having to look for a job after 2010.

I really, really don't want the UK to move to "One law for the rich and powerful…" Although some may think we're already there.

Have your say

Everyone is free to comment on the legislative programme, by 21 September 2009. "Do you think the Draft Legislative Programme reflects the right priorities for the United Kingdom and, if not, what other issues do you think the Government should be addressing?"

Note also that the Consultation on legislation to address illicit peer-to-peer (p2p) file-sharing is technically still open, closing 15 Sep 2009.

Microsoft Word, XML & patents

Last week a court in the claimant-friendly state of Texas ordered Microsoft to stop selling or importing into the USA recent versions of Word (2007 and 2003), because Word versions which can open documents in the .XML, .DOCX or .DOCM format containing "custom XML" allegedly violate a patent granted to a Canadian company called i4i - the best report is by The Register; see also SCL, Ars Technica.

The implications are broad, especially as the planned Office 2010 is to use custom XML too. But Microsoft hasn't stopped selling Word and is appealing against the judgment; if worst comes to worst it could just disable the Custom XML feature, if it doesn't settle. Ironically, Microsoft was recently granted an XML-related patent itself.

For those who don't know it, the XML standard is an increasingly popular way to exchange and transfer data in electronic documents, especially over the internet.

I don't think anyone should be allowed to own patents related to XML, which is now a very important technology; it would inhibit the free use of XML and the free exchange of information. That of course is a personal view on the policy; the legal situation is, as we know, different.

Associated Press's tracking "beacon" is Javascript

You'll have heard of Associated Press's announcement about their new "news registry" and the puzzlement over how the hNews microformat could provide tracking of use of AP content on other websites.

Zachary M Seward of Nieman Lab has now obtained a copy of the detailed internal Associated Press paper "Protect, Point, Pay" - and he also managed to have a long chat with Associated Press's general counsel Srinandan Kasi and others.

Mr Seward clarifies that the "tracking beacon" will just be a bit of Javascript code included in AP subscribers' news feeds. So again the code can easily be deleted from copied content, if it gets copied across at all via a simple copy / paste. Which is why, for belt and braces, the AP are still going to crawl the Web looking for copied content.

The good news is, it seems AP do want to encourage re-use of their content, in a way - the issue is communicating their real intentions clearly and unambiguously.

(Via Tom Morris.)

Privacy protection - business case - discussion document released

The UK Information Commissioner's Office commissioned Watson Hall Ltd and John Leach Information Security Ltd to:

"research and develop an easily understandable and compelling business case that will help organisations to justify and implement privacy protection within their business processes and systems."

Their discussion document is now out: Discussion Document - The Business Case for Investing in Proactive Privacy Protection, 17th August 2009 (version 1.1).

Version 1.0 was released on Friday, but note that another version, 1.1, was published today. See the fuller background.

They'll be releasing new versions of the discussion document from time to time too, so you'll have to "check here periodically". Why no feed?

They are seeking views on the discussion document from all quarters, by email to privacy.protection@jlis.co.uk - by 1 Sept 2009.

That's not very long in the scale of things, especially given that it's holiday season. Perhaps they're under time pressure from the ICO. Or perhaps that's a subtle way to discourage comments!

UK ID cards - again

I was jokingly deliberately exaggerating when I referred to the Home Office sticking their fingers in their ears and going "La la la", but this is ridiculous. The HO still refuses to meet with the security expert who cloned their card, with ZDNet reporting the Home Office as saying that:

"it had declined on the grounds that it did not want to be overwhelmed by individuals wishing to demonstrate ID card cracks."

So, the HO knows that there are an overwhelming number of people who can crack the UK ID card? And it's still being pushed through?

Separately, ComputerWeekly have reported recent research / analysis of the National Identity Register scheme by public sector research outfit Kable which showed that scrapping identity cards, the National Identity Register and fingerprints on passports could save UK citizens some £3.08 billion.

I'd really quite like some of that £3.08 billion to be spent on the NHS (UK staff not IT systems), proper education, public transport and green energy, please.

US government websites' deals with social media corporations - and privacy

Campaigning organisation EPIC got the US government to disclose their contracts with Web 2.0 companies including agreements with Blip.tv, Blist, Google (YouTube), Yahoo (Flickr), and MySpace.

There seems to have been no requirement for the private non-government corporations to preserve users' or citizens' privacy, and in fact Google got a special dispensation for persistent cookies.

Some of the agreements also allowed tracking of government website users for advertising purposes.

See the EPIC report and documents linked to in it.

The music industry - including recording studios

On recording studios, University of Nottingham researchers have found that:

"a severe crisis in the music industry is seriously depleting the UK’s recording studio sector… A number of iconic London recording studios, including Olympic Studios, Townhouse Studios, Whitfield Street Studios (formerly Sony and, before that, CBS Studios) and Eden have closed in recent years… brought on by the explosion of digital music formats and the democratisation of musical technology…

The problem is not only affecting the production of music but has also changed the way new talent is found. Record companies have withdrawn from the business of discovering and developing new talent (A&R) and instead have left this to the management companies, who some argue are in the business of taking new talent and turning them into marketable artists, who can then be found a recording contract."

Earlier, a much reported (see BBC) survey by University of Hertfordshire researchers for the UK Music group, on music consumption in 14-24 year olds, had some interesting statistics on music file sharing and downloading etc, e.g.:

  • Popularity of P2P remains unchanged since 2008 – 61% said they download music using P2P networks or torrent trackers. Of this group, 83% are doing so on a weekly or daily basis
  • There is real interest for new licensed services. 85% of P2P downloaders said they would be interested in paying for an unlimited all-you-can-eat MP3 download service.

Links to the reports:

Convictions for failure to give up passwords / decryption keys

Under Part III of RIPA (s. 49 notably) the police can (with NTAC permission) demand private passwords or decryption keys to encrypted electronic data if they reasonably believe it's necessary to prevent or detect crime. (There are other, broader grounds. See generally the Home Office page on Part III.)

The Annual Report of the Chief Surveillance Commissioner to the Prime Minister and to Scottish Ministers for 2008-2009, 21 July 2009, by Sir Christopher Rose, noted in para 4.11 (p.12) that 2 people had been convicted of failing to comply with s.49 notices - the first known convictions under this law, breach of which is punishable by jail and fines.

It was reported by e.g. The Register and Heise. It's not known exactly what crimes were under investigation; from the report they must have been one of "counter terrorism, child indecency and domestic extremism".

After the Court of Appeal's ruling in S & Anor, R v [2008] EWCA Crim 2177 (09 October 2008) it's not possible to refuse to hand over your password or key on the basis of the human right to protection against self-incrimination. And it's not considered an abuse of process to mount a prosecution under s.49.

More criticism of the UK DNA database

In their responses to the Government’s consultation, ‘Keeping the Right People on the DNA Database’, which closed 7 August 2009, from:

  • The Equality & Human Rights Commission:
    • "The Commission believes this proposal does not meet the European Court of Human Rights requirement for the UK Government to have clear, justifiable reasons for holding on to DNA data from people who had not been convicted of a crime. The Commission’s response is based on advice from Michael Beloff QC…
      The Commission also wants an independent adjudicator to be put in place to oversee the system. This would give innocent people a way of challenging the need to keep their DNA profile on file…"
  • The Foundation for Information Policy Research:
    • "…FIPR therefore strongly urges that the Home Office should use this consultation only as a preliminary exercise. A revised retention policy should be drawn up based on responses received and higher quality, peer-reviewed evidence. The public and Parliament should then be consulted on a Green Paper describing primary legislation that would properly control the National DNA Database and associated procedures for the retention, use and governance of profiles. This would ensure that the UK meets the "special responsibility for striking the right balance" found by the European Court where there is such a strong potential for damage to citizens' human rights."

See also earlier criticisms by Sir Jack Beatson, judge and President of the British Academy of Forensic Science, of police retention of DNA on the DNA database.

Wednesday, 12 August 2009

Open Trust Frameworks for Open Government

The Information Card Foundation and OpenID Foundation have launched a joint white paper Open Trust Frameworks for Open Government (direct link to PDF paper - Open Trust Frameworks for Open Government: Enabling Citizen Involvement through Open Identity Technologies).

The paper covers their approach to enabling open, Internet-scale trust networks using OpenID and Information Cards and the process they're going through to prepare open trust frameworks for certification under the U.S. General Services Administration’s Trust Framework Adoption Process (TFAP).

The white paper was announced at the Open Government Identity Management Solutions Privacy Workshop, Monday August 10, 2009 earlier this week, which dealt with the privacy implications of introducing open identity technologies to US federal websites.

Via Drummond Reed's post on the Information Card Foundation blog, which said:

"Open trust frameworks are the way to bridge open identity technologies like OpenID and Information Cards with the trust requirements of large communities such as the U.S. federal government. They are a practical solution to enabling government agency websites and applications to accept identities from non-governmental identity providers. This reduces friction and lowers costs while at the same time increasing security and privacy."

Tuesday, 11 August 2009

Porta whaaat? and trademarks

There's protecting your trademarks, and there's… whaaat?

MySociety have mentioned a complaint by Portakabin Limited regarding a couple of reports on FixMyStreet (a MySociety project) which used the words “portacabin” or “portaloo” in them.

(For those who don't know, FixMyStreet is an innovative free service in the UK that lets citizens report online any problems in their local area e.g. (to quote the site itself) graffiti, fly tipping, broken paving slabs, or street lighting. The FixMyStreet website then forwards reports to the relevant local authority. A very useful (non-profit) service for the public. And, of course, that should include problems with broken public toilets.)

Portakabin Limited do have trademarks on Portakabin™ (two!) and Portaloo™ (two, again) and it's understandable that they'd want to try to avoid their trademarks becoming genericised (hoover, anyone?).

But what I want to know is, did they check first to see if the broken down portable units concerned were actually made by them or not, huh? If they were, surely the uses of the words in the reports would have been entirely warranted?

If not, this action does seem a bit fierce (MySociety linked to a blog about another Portakabin complaint made to Private Eye magazine a couple of years back).

But trademark owners do tend to be very protective - Google don't want people using their name as a verb for "to search on the Web using a search engine that's not Google", for instance, although they're letting advertisers use other people's trademarks in ads, and I've not heard of them getting out the lawyers on this sort of usage yet. Now put down the lawyer.. step away from the lawyer..

Anyway, MySociety are fixing this just by rewriting any reports using the verboten words so that they refer to "portable cabin" and "portable loo" instead.

I notice that Wikipedia redirects this URL to "Portable toilet":

http://en.wikipedia.org/wiki/Portaloo

- and this URL to "Portable building":

http://en.wikipedia.org/wiki/Portakabin

Was that a clever way to try to avoid a similar problem? Or are they going to be in trouble too for including trademarked words in the redirected URLs?

Maybe those are signs that it's too late to stop the genericisation…

(It was very hard to avoid the temptation to use a headline with a pun involving a word not unadjacent to "s**t". But I did it.)

E-voting machine hacked via return oriented programming

US computer scientists have successfully made a Sequoia AVC Advantage electronic voting machine (version 5.00D) "turn against itself and steal votes".

See the 5-minute video demo above by Hovav Shacham, a professor of computer science at UC San Diego's Jacobs School of Engineering and co-author of the report on their research, "Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage" by Stephen Checkoway (UC San Diego), J. Alex Halderman (U Michigan), Ariel J. Feldman (Princeton), Edward W. Felten (Princeton), Brian Kantor (UC San Diego) and Hovav Shacham (UC San Diego). ("DRE" stands for "direct recording electronic", in the context of voting machines.)

From the report:

"We have demonstrated that an attacker can exploit vulnerabilities in the AVC Advantage software to install vote-stealing malware by using a maliciously-formatted memory cartridge, without replacing the system ROMs. Starting with no source code, schematics, or nonpublic documentation, we reverse engineered the AVC Advantage and developed a working vote-stealing attack with less than 16 man-months of labor."

The paper was presented at the 2009 Electronic Voting Technology Workshop / Workshop on Trustworthy Elections.

The news release from UCSD outlines the technique used:

"return-oriented programming… is a powerful systems security exploit that generates malicious behavior by combining short snippets of benign code already present in the system.

The new study demonstrates that return-oriented programming can be used to execute vote-stealing computations by taking control of a voting machine designed to prevent code injection."

Hacking e-voting machines is of course an excellent way for organised crime or corrupt political parties, or even terrorists or spies from other countries, to make sure that their chosen candidates are elected into power.

I use technology a lot and am more familiar with it than most lawyers (and probably most people - here of course I assume lawyers are a subclass of people rather than a separate class, although I know some may disagree!).

So I am well aware that technology has its limitations, and it should only be used in situations where it's appropriate.

Voting, which is vital to democracy, is not one of them.

Paper voting is best because electronic voting machines are too easily subverted, as this research has shown.

I hope that this new research represents another nail in the coffin for e-voting and that politicians can be persuaded away from their love affair with e-voting, to mix a metaphor.

Medical records - Conservatives - no central database for personal health info

Reported by various sources e.g. BBC, Computing.

As well as scrapping any centralised NHS database of patient records (with local storage and inter-operability instead) and re-considering existing government IT contracts, a Conservative government would encourage the use of open source software in the public sector.

See further on NHS IT / healthcare technology:

Saturday, 8 August 2009

UK ID cards security - government rejoinder; & reaction to database violations

Some follow-up on the story that UK ID cards can be hacked too easily, covering the government response:

And on government employees illegally accessing government databases, while some local authority staff were dismissed or disciplined for snooping in the Department of Works & Pensions' Customer Information System database, none of the councils involved are going to initiate any prosecutions against the employees concerned.

In order to reassure citizens that UK government authorities take the security of people's personal data seriously, a lot more will have to be done.

National Portrait Gallery & Wikipedian - copyright, jurisdiction - more commentary

I mentioned the National Portrait Gallery & Derek Coetzee / Wikipedia / Wikimedia saga previously.

Here are some interesting links to more views or comments on the saga:

Friday, 7 August 2009

EU information society strategy - consultation on post-i2010 priorities (2010-2015)

The EU are consulting until 9 October 2009 "to help prepare a new EU strategy for the information society, as the current i2010 strategy is coming to a close this year".

You can view the full questionnaire in PDF and view related EU documents (e.g. on ICT for a sustainable 'low carbon' economy, future high speed networks and open internet, e-government etc) before replying to the questionnaire.

This looks important as the strategy will cover a very broad ranging series of topics. Basically, almost anything you can think of that relates to technology or the internet is going to be addressed, including identity management of course.

Here's the full list of subjects:

  1. ICT for a growth and jobs agenda (priorities)
  2. ICT for a sustainable 'low carbon' economy (barriers, quick wins, longer term strategies & best practices)
  3. Improving Europe's performance in ICT research and innovation (resources, research priorities, new markets)
  4. Creating a 100% connected society and economy through a high-speed and open internet for all (future proof infrastructures, future of the sustained internet services growth - internet to drive innovation, promoting internet for users)
  5. Consolidating the online services Single Market (level playing field, improving consumer trust & confidence)
  6. Promoting access to creativity at all levels (users' rights in the participative web, sustainable copyright, digital content to cross borders, "development of ICT sector and of European content industry to reinforce each other", digitising cultural resources, steps to open access to content to people with disabilities)
  7. Strengthening EU's role in the international ICT arena (openness of the internet as a global issue, European dimension in international research, European voice in international fora, new models for internet governance & other global challenges)
  8. Making modern and efficient public services available and accessible to all (avoiding new digital divides, dealing with the challenges of participatory web, electronic procurement and electronic identity management, eHealth, impact of ICT on teaching and learning)
  9. Using ICT to improve the quality of life of EU citizens (bridging gaps, improving digital skills, "Enhancing the economic dimension of eInclusion", "Enforcing rights of people to go online", coping with an ageing society, "Promoting a holistic approach").

Unlike the EU's Consultation on the legal framework for the fundamental right to protection of personal data, which was notably short on consultation questions (see e.g. this speculative view as to why!), the questionnaire here does have more info on the aims of the future new strategy:

"Europe needs a new digital agenda to meet the emerging challenges, to create a world beating infrastructure and unlock the potential of the internet as a driver of growth and the basis for open innovation, creativity and participation.

Europe needs to raise its game:
• to accelerate the economic recovery and maintain its world leadership in high-tech sectors;
• to spend research budgets more effectively so that bright ideas are marketed and generate new growth;
• to kick-start ICT-led productivity to offset GDP stagnation as the labour force starts to shrink when the baby boomers retire;
• to foster new, smarter, cleaner technologies that can help Europe achieve a factor or growth; and
• to use networking tools to rebuild trust in Europe as an open and democratic society…

…Europe’s successes to date have been built on a consistent drive for fair competition in telecoms markets and a borderless market for digital content and media services. Europe’s technological leadership stems from its continuous efforts to establish a critical mass of R&D in emerging fields of ICT. It has a great capacity to capitalise on its cultural resources, such as its vibrant and successful film and media sector and the European digital library. This overall policy thrust remains valid for the future.

However, the success of the EU ICT strategy over the last four years needs to be put in a global perspective. Today it is becoming apparent that, even in areas where it has global leadership, Europe is at risk of losing its competitive edge when it comes to new, innovative developments…"

And the questionnaire summarises issues before listing the questions they are seeking responses on.

Thursday, 6 August 2009

12 minutes to clone UK identity card

A disturbing article in the Daily Mail reports that it took computer expert Adam Laurie just 12 minutes to clone and fake a UK identity card borrowed from a foreign student (foreign nationals living in the UK have to have ID cards). (More on Adam Laurie and biometric passports, Bluetooth.)

He just used a standard Nokia mobile phone and read the information on the RFID chip embedded in the borrowed ID card, and copied it to a blank plastic smart card (the Oyster card is an example of a smart card). Tada, clone!

That's right, details on an ID card can be stolen and duplicated. Bye bye privacy and security, hello identity theft.

Another expert, computer security consultant Jeroen van Beek, then led a team which, based on the work of computer scientist Peter Gutmann, changed and "relocked" the data on the datagroup files in the clone's chip so that it would be accepted as genuine. Tada, fake card!

The "look and feel" of an identity card can be duplicated to pass a visual inspection (or blank cards can be stolen). The fake card might not pass a check against the National Identity Register database, but at £2 a pop to check against it not everyone will bother (and no doubt organised crime / terrorists will be able to inject false details into that database in due course - too many people already have access to the National Identity Register's "precursor").

But it did pass a check using the Golden Reader Tool, software produced by the UN International Civil Aviation Organisation to read and validate electronic IDs and passports according to the standards they set. (The Mail had to download the software instead of trying the falsified card in a UK card reader, as no official electronic card readers are available yet in the UK except at borders.)

Security has got to be paramount with something like this, and the Daily Mail experiment proves that UK identity cards are far from secure; it's much too easy to fake or reprogram them, clearly. Indeed ID cards may even make life much easier for organised criminals and terrorists, as people may well believe government assurances on security and too readily accept faked cards as genuine.

Given that the final ID card for UK nationals (see UK ID card design recently unveiled) is likely to be similar to the one cloned and faked by the Mail's experts, and certainly said to use the same technology, all this is very worrying indeed.

It's even more worrying that UK Home Office officials' reaction to this seems to have been the equivalent of sticking their fingers in their ears and going "La la la".

See further the detailed Daily Mail article, which is a must read. (See also Why RFID chips (passports / ID cards) are stupid.)

Wednesday, 5 August 2009

Is journalism dead? & 7 laws of journalism

After the Associated Press desperately said anything (plausible or not) to try to protect their content, here's a couple of broader pieces on the death of journalism (or not) which may be of interest:

  • The Death of Journalism (Gawker Edition), by journalist Ian Shapira in the Washington Post, about how media blog Gawker picked up on a previous story by him and quoted from it, and his changing reactions to the use of his story.
  • The Seven Laws of Journalism, by US journalism academic Danna Walker - scroll to the second half of that blog post for the laws, including "Journalism isn’t dead". (Via a Guardian article - although unlike the Guardian, as I can't see any Creative Commons or other copyright licence on that blog, I won't reproduce the 7 Laws in full here!)

US - Open Government Identity Management Solutions Privacy Workshop, Monday August 10, 2009

This 1-day workshop / public meeting on Open Government Identity Management Solutions Privacy appears to be free (except lunch is "on own"!) but registration is on a first come first served basis - it certainly sounds worth signing up if you're going to be in Washington DC next Monday.

Organised by the Information Card Foundation with the U.S. General Service Administration (GSA) and other Internet identity organizations, the agenda includes discussion of open trust frameworks and privacy issues, in particular a couple of US Federal ICAM (Identity, Credential and Access Management) papers of 8 July 2009:

and the speakers will include representatives from OpenID, InfoCard, InCommon and Kantara Initiative as well as the US federal government.

I'm not able to go, obviously - so I hope there will be full reports of the event, which sounds very interesting.

Via Information Cards blog.

UK website disclaimers will breed like rabbits

Patchett & Anor v Swimming Pool & Allied Trades Association Ltd [2009] EWCA Civ 717 (15 July 2009) has already been well covered e.g. at SCL and Out-Law - see those links or the transcript for the full facts. (Claimants hired swimming pool builder thinking, based on the trade association SPATA website, that they'd be covered if the builder went bust, but they weren't covered, and the Court of Appeal said they couldn't successfully sue SPATA.)

In brief, it'll be easier for website owners to point to disclaimers and the like on their sites to escape or at least cut down their liability for statements on their webpages which visitors rely on, e.g. if the statement might be misleading or wrong through negligence.

Just have a clear prominent statement that visitors must make further enquiries (like, ask for a hard copy information pack from you), or make their own enquiries, and it seems that you'll be sorted.

Personally, I think Out-Law's analysis is spot on and that the result is wrong - people just don't use web sites in the way that the majority of their Lordships seem to think they do. Who's going to go through all the pages of a site carefully, really? Or realise that there's additional vital info that's not on the site? I agree with Struan Robertson of Out-Law:

"SPATA claimed that its members are backed by insurance and Crown was identified as a member. Given that information, I think it's incorrect to suggest that most users would investigate further (a point that Lady Justice Smith made in her dissenting judgment)."

While the case is good news for web sites, it's not so good for website users, and goes against some moves to try to protect consumers better, e.g. the Information Commissioner's guidance on privacy notices which, while in a different vein, does try to encourage websites to communicate certain important information proactively to the public.

In this case, "With SPATA full members you're protected, with affiliate members you aren't, and here are the separate lists of both types of members" should I think have been clearly set out on the site - but it wasn't, and the defendants still escaped liability just because the claimants didn't ask for a hard copy information pack with fuller information which was said to be available.

I don't know if warning notices will work in the case of mistakenly low prices being advertised though, as with Dell in Taiwan.

Does anyone know if Patchett is going to be appealed?

Warning: nothing in this blog is intended to be legal advice. Seek complete information via the links given. Take specific advice on your own position.

Tada - bye bye duty of care!

(That was, of course, a joke.)

Tuesday, 4 August 2009

Interception Modernisation Programme (IMP) - criticism by ISPs, ICO etc

More criticism for the UK government's Interception Modernisation Programme (IMP) - plans to modernise their ability to intercept citizens' communications, including electronic communications, which it's estimated will cost some £2 billion at least, not to mention the human rights implications.

This time the criticisms come from LINX, whose members comprise UK ISPs, in their response to the recently concluded Home Office consultation Protecting the public in a changing communications environment.

The headlines from the news reports summarise LINX's position:

See also the full LINX response (Word). Given LINX's membership, their views on the technical issues must be considered fairly authoritative to say the least.

Separately, whether related to the news of the LINX response or not, the UK Information Commissioner's Office (ICO) today issued a statement about the IMP - also critical about the plans for mass data interception and data retention on an unprecedented scale.

I say "whether related or not" as it's somewhat puzzling why the ICO waited until now to make their statement, which simply summarises the ICO's own detailed response to the consultation which they submitted on 15 July 2009.

Some extracts from the ICO's full response:

"This proposal represents a step change in the relationship between the citizen and the state… Evidence for this proposal must be available to demonstrate that such a step change is necessary and proportionate…

The Commissioner is concerned about the distinction being made between traffic data and content data of any communication..

The Information Commissioner accepts that communications data can be an important tool in tackling serious crime, preventing terrorism and protecting the public. However there are several reservations which mean the answer to this question cannot be an unqualified ‘yes’. Accepting the value of communications data does not necessarily mean support for the general use of interception technology covering the population as a whole.

One reservation is that just because certain communications data have proved useful in certain cases where a specific individual, or group of individuals, has been identified, it does not necessarily follow that the collection of the communications data of the entire population will be useful in any but a tiny minority of cases. The value of information gained through the interception of communications of specific, identified individuals does not in itself justify the general collection, processing and retention of communications information covering the population as a whole. The case has not yet been fully made out for routine collection and retention of further communications data covering the entire population..

..Is the best use currently being made of what is already available for the police and intelligence services? If the intention of Government is to ensure that this information is available when needed in specific cases, and therefore that communications data relating to individuals who are not suspects will not be routinely profiled, then it is more difficult to justify the mass retention of additional communications data covering the entire population.

While the value of accessing communications data as part of an ongoing investigation is not in doubt, it is harder to make a case for the collection of even more communications data on a population-wide scale “just in case”…

A second reservation is that the definitions in the conditions under which communications data can be accessed by a relevant public authority are often too widely drawn and can lead to misuses of the rights of access of public authorities to such information. There has been much public debate about the inappropriate use of powers under the Regulation of Investigatory Powers Act 2000, and this must not be allowed to happen under any new legislation brought before Parliament…"

For some other criticisms of the IMP plans see:

Americans are also worried about similar issues - see the New York Times report on US email surveillance and the mass intrusion into citizens' privacy.

US national identity management - no to anonymity, after all?

A keynote speech which seemed to be very anti-anonymity was given at the Black Hat USA Conference 2009 by Robert Lentz, who is Deputy Assistant Secretary of Defense for cyber, identity, and information assurance in the Office of the Assistant Secretary of Defense, and Chief Security Officer for the US Department of Defense.

From Dark Reading's report of Mr Lentz's speech:

"In my opinion, there needs to be a cyberczar just for identity. Without that, we're going to be done," said Lentz, who said reducing anonymity is key to ensuring security and resiliency on the Net. He noted that reducing anonymity also will generate debate over "legitimate privacy concerns," too."

Also see Heise Security's summary of the conference, which noted that Mr Lentz repeated "several times how important it is to get rid of anonymity on the Net".

Yet in contrast, in early July 2009 Thomas Donahue, director of cyber policy for Obama's National Security Staff, was reported as saying (at an identity management conference in Washington):

"Any system will have to allow for some level of anonymity, with room for a user to shed some anonymity in order to demonstrate trust with another person or a Web site in a digital relationship."

Very different attitudes, reflecting it seems very different backgrounds and priorities.

Anonymity has long been cherished as being vital for free speech in the USA.

The tricky issue will be how to reconcile the two approaches so as to strike the right balance between security and privacy.

As many said at the European e-Identity Management Conference June 2009 (including Mary Ellen Callahan, Chief Privacy Officer at the US Department of Homeland Security), privacy and security ought to be viewed as being two sides of the same coin, rather than being in conflict.

Much will depend on who is appointed as the US cybersecurity czar.

Melissa Hathaway, who was responsible for a review of cybersecurity for the Obama administration in April 2009 (full text of Cyberspace Policy Review - Assuring a Trusted and Resilient Information and Communications Infrastructure), has just taken her name out of the hat (for details see the reports by the Wall Street Journal, BBC).

So the appointment of the US cybersecurity czar - and maybe cyberidentity czar? - will be awaited with especial interest.

UK National Identity Register - snoops sacked

See the ComputerWeekly article:

"Nine staff have been sacked from their local authority jobs for snooping on personal records of celebrities and personal acquaintances held on the core database of the government's National Identity Scheme.

They are among 34 council workers who illegally accessed the Customer Information System (CIS) database, which holds the biographical data of the population that will underpin the government's multi-billion-pound ID card programme."

See also:

Law firms aren't compliant themselves!

Christopher Giles, Managing Director of UK consultancy Legal RM (emphasis added):

"Although law firms understand the law itself, they are failing to apply it operationally in their own business practice. The UK Proceeds of Crime Act, The Prevention of Terrorism Act 2008, the Weapons of Mass Destruction Act, and the US Treasury Department's Office of Foreign Assets Control (OFAC) Sanctions List make it illegal to do business with sanctioned individuals or entities linked with the proceeds of crime or the funding of terrorism. For law firms, this means that unless they are in a position of privilege with a client, they are liable and accountable to the letter of the law, especially in their client screening obligations. Likewise, law firms must also comply with the regulatory obligations around anti-money laundering, including the EU 3rd Money Laundering Directive, the Money Laundering Regulations 2007, as well as the Solicitors Regulation Authority and the Law Society. They must also carefully consider the business risk of new clients in the context of these legal and regulatory obligations….

…We've recently conducted risk audits with two of the Top 100 commercial law practices. We found two terrorists within their client database, several suspected cases of laundering proceeds of crime, numerous instances of banned company directors as named company contacts, as well as drug traffickers - none of which they were aware of despite implementing what they considered to be adequate ‘ongoing client monitoring'. Law firms need to be systematically and comprehensively screening clients against global sanctions lists or be prepared to face the growing financial penalties associated with a breach."

(See his full blog post for more on this.)

Their findings don't surprise me, I have to say.

While of course his blog post is intended to spur law firms into proactively checking and monitoring their compliance with sanctions and other requirements (presumably preferably by hiring his consultancy firm!), he makes a good point that's worth repeating.

Lawyers are notoriously bad at looking after their own personal legal or financial affairs.

And law firms, I suspect, could do more to sort out their own money laundering and other compliance and risk management systems with better use of technology.

Monday, 3 August 2009

Businesses and Web 2.0 / social networking

It looks like Enterprise 2.0 is the new buzzword. In this regard a couple of reports on enterprise and social networking / Web 2.0 are of interest:

Social Networking on Intranets - by usability guru Jakob Nielsen based on a survey of 14 companies in 6 countries including BT, IBM, Intel and Johnson & Johnson, with best practices for how to design social features for intranets. The full report costs enterprise level money.

AIIM Industry Watch: Collaboration and Enterprise 2.0 survey (you have to register in order to download the paper by this B2B organisation) - "there has been a dramatic increase in the understanding of how Web 2.0 technologies such as wikis, blogs, forums, and social networks can be used to improve business collaboration and knowledge sharing, with over half of organizations now considering Enterprise 2.0 to be "important" or "very important" to their business goals and success." - "27% of 18-30 year-olds agree that Twitter is an important rapid-feedback tool for business use, compared to only 7% of those over 45" - for a longer summary see their press release.

Privacy on Facebook - demands for Facebook / social networking logins etc

Give me your username and password, NOW!

A few incidents about demands for Facebook etc logins have received some publicity recently.

The city of Bozeman in Montana required anyone applying for a job with them to give Bozeman their logins and passwords for all social networking groups the applicant belonged to, including Facebook, Google, Yahoo, YouTube.com, MySpace. They did at least retreat from this "never ending background check" (as Citizen Media Law put it) after much adverse press.

Houston's Restaurant in New Jersey demanded an employee's MySpace login and password for an invitation-only MySpace group in order to read what employees were saying about them, then fired two - though not without repercussions (Citizen Media Law report).

School teachers got in on the act - a coach, it was claimed, made a high school cheerleader give up her Facebook login and password, whereupon her private Facebook information was shared with other school officials (ars technica report; Citizen Media Law report.)

There's an excellent commentary on the cheerleader story by Dave Birch, who points out that other students when asked for their Facebook details simply deleted their accounts via their cellphones, and notes that the new generation don't regard their Facebook identity in a conventional way. He also comments, and I couldn't agree more, that while many consider Facebook an identity management system, it's not suitable for that as it is. Incidentally, he gave an excellent talk at the e-Identity Management conference in June 2009, which I haven't had a chance to write up yet.

Personally, I consider that forcing or bullying people into disclosing their user / password details in order to access personal accounts is a step too far in the privacy invasion stakes. I await the outcome of the cheerleader's resulting claims against the school with interest.

Privacy on Facebook generally

But of course, it can't hurt to remind people that, even without disclosing their logins, what they say on Facebook and other social networking sites cannot be assumed to be private. (How to change your Facebook privacy settings, from someone who got burned!)

People can get fired or maybe un-hired for what they say on Facebook or Twitter, or even put lives at risk or cause national security issues (whether American or UK). People also might want to be careful about whether their Facebook info gets stuck on "public".

Quite apart from what people say in their Facebook messages, in terms of its privacy practices and defaults, Facebook was recently found to be in breach of Canadian privacy laws (Personal Information Protection and Electronic Documents Act) - BBC report, Canadian Office of Privacy Commissioner’s findings in a complaint against Facebook by the Canadian Internet Policy & Public Interest Clinic; and see this summary of the issues and findings.

Sunday, 2 August 2009

Where crowdsourcing works – and where it doesn’t

There's probably life in the crowdsourcing business model yet; the trick is to find a version that works.

Saturday, 1 August 2009

Future of media - John Malone FT interview

An interesting interview in yesterday's FT (View From the Top) with John Malone of Liberty Media, described as "one of the most powerful figures in the media world, responsible for creating cable and satellite television empires".

A quote relating to monetising internet businesses, and paying for Web content:

"A big debate in media is: can you get consumers to pay for online content? There will be a transition to people paying for [the] internet. Unfortunately, a lot of the people promoting the internet have other monetisation theories, such as search, which is "free" to the consumer. Believe me, it's not free to the retailer. The real question is: can you get people to pay for content on the internet? That will happen over time. If you're a newspaper publisher and you're giving information free on the internet and charging a subscription fee [for the paper], I don't understand the logic."

Another one:

"Newspapers? Short."

Read the full interview.
