Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

posted by admin on marzo 15, 2017

computer crimes

(No comments)

The latest report from Clusit (the Italian Association of Internet and IT Security) states that 2016 was the worst year ever for the evolution in cyber threats and their impact. The Interministerial Commitee for the Security of the Republic, chaired by Prime Minister Gentiloni, has devised a national cyber security plan.

Clusit stresses the phenomenal rise (+1,166%) in phishing attacks – by means of which cyber scammers persuade victims to hand over personal and financial data or login credentials by masquerading as bona fide companies – and social engineering scams – i.e. techniques of studying individual people’s behaviour in order to extort information. Malevolent common malware virus attacks also rose (+116%), and were not only small scale attacks, but also aimed at attacking important targets with significant impact.

There was a dramatic rise even in cyber warfare related attacks (+ 117%), which aim to increase geopolitical pressure or manipulate public opinion. Examples of cyber warfare attacks include those on political parties’ or institutions’ email accounts, but potential targets also include critical infrastructure such as energy, water, communications and transport services, attacks on which rose by + 15% compared to 2015.

So-called cybercrime – i.e. offences committed in order to extort money or information – represented 72% of global attacks in 2016. There has been a consistent upward trend in cybercrime since 2011, when the percentage was 36%. 32% of attacks use unknown techniques, which is 45% up on 2015.

In 2016 the healthcare sector was under increased serious attack (+ 102%) from ransomware – i.e. viruses that encrypt data on victims’ devices only released if the victims pay a ransom – and data theft. There was also a substantial rise in attacks against large scale retail distribution (+70%) and the banking and financial sector (+64%).

In geographical terms, in the second half of 2016 attacks against European targets rose from 13% to 16% and against Asian targets from 15% to 16%, whereas the number of victims in the USA seems to have dropped slightly, even if the USA remains the area most hit by cyber attacks. The tendency to attack mostly important and transnational targets was confirmed. An example of one of the most important global attacks was that against the Italian Ministry of Foreign Affairs.

The Interministerial Commitee for the Security of the Republic (Cisr) has launched a multi phase national plan for cyber security with a new decree – “indications for cybernetics protection and national information security”, which replaces the old Council of Ministers Presidential Decree of January 24th, 2013.

The new measure acknowledges the NIS (Network and Information Security) European Directive and reinforces the role of the Cisr which will issue directives with the aim of raising the level of national cyber security and will avail itself of the support of interministerial coordination on the part of the so-called “Cisr tecnico” (the Technical Interministerial Commitee for the Security of the Republic) and the Security Intelligence Department (Dis).

The new decree assigns the Director General of the DIS the task of defining appropriate courses of action to ensure the required levels of security in both public and private strategic systems and networks, identifying and removing their vulnerabilities. So as to successfully carry out these initiatives the involvement of both the academic world and the world of research is envisaged, as is the idea to use top quality resources in addition to setting up extensive co-operation with businesses in the cyber sector.

At an operational level, the Cyber Security Unit (Nsc) – now part of the Dis – will guarantee a coordinated joint response to any significant cyber attack on national security, together with specialists from all relevant Government Departments.

 

 

posted by admin on marzo 1, 2017

Privacy

(No comments)

ratingBlackMirrorThe Italian Data Protection Authority has established that a “reputation rating” project violates the provisions of the Personal Data Protection Code and impacts negatively on human dignity.

The project, which was devised by an organisation structured as an association and a company appointed for its management, is based on a web platform and a database which gathers vast amounts of personal data either uploaded by users or obtained from the web, on various types of individual – from job candidates to business people, freelance professionals and private individuals. By means of a specific algorithm the system would then be able to objectively measure people’s reliability in the economic and professional fields, by assigning a score (“rating”) to their online reputation.

The DPA observed that the system would create significant problems in relation to privacy due to the confidential nature of the information, the pervasive impact on the interested parties and the method of processing. Essentially, the system implies the massive collection – also online – of information open to significantly impacting on the economic and social representation of thousands of people. Such processed reputation ratings might have serious repercussions on the lives of those who had been rated, since it might influence other people’s choices as well as jeopardising access for rated parties to services and benefits.

The DPA also expressed a number of doubts about the objectivity claimed for the ratings, stressing that the company could not prove the effectiveness of the algorithm used to regulate the settings of the “ratings”, which would be calculated without rated parties having any chance to freely give their consent. Given the complexity and sensitivity of measuring situations and variables which are not easy to classify, any rating might be based on incomplete or flawed documents and certificates with the consequent risk of creating inaccurate profiles which do not correspond to the real social identity of the rated parties.

Moreover, the DPA was concerned about the unreliability of allowing an automated system to decide upon such complex and sensitive issues relating to individuals’ reputations.

The system’s security measures which are principally based on “weak” authentication systems (user ids and passwords) and on encryption techniques only for judicial data, were found to be totally inadequate in the DPA’s opinion. Finally, further critical issues were detected in the time period for data storage and privacy policies for interested parties.

Therefore, in conclusion, the DPA has banned all present and future processing operations related to the reputation rating project.

 

 

posted by Giulia Giapponesi on febbraio 15, 2017

Internet control

(No comments)

Voted the Oxford Dictionaries’ international word of 2016, so-called “post-truth” refers to an apparently new concept.

The compound word relates to all those circumstances in which objective facts are less influential in shaping public opinion than news stories based on emotion or personal belief.

After its first appearances in 2015 in a number of articles, in 2016 the term “post-truth” became disconnected from its original definition and became widely used in political comment, especially with regard to the Brexit referendum and the U.S. Presidential election. In Italy the term has often been used in commenting on the outcome of the constitutional referendum.

In simple terms, according to many commentators, the UK’s exit from the European Union, the election of Trump and the failure of Renzi’s referendum proposal are the direct consequence of an era in which voters opt not to believe in objective facts but rather in emotionally charged news stories. Naturally it is not possible to assess how consciously this decision is taken by voters, but it seems obvious that the debate on post-truth also and perhaps mainly refers to those who are unable to distinguish between reliable sources of information and those which are manifestly biased.

As is entirely predictable, at the heart of this alarming situation countless observations can be found on the role of social media as the main vehicle of this uncontrolled spread of fake news and propaganda. Although news is posted and shared by users, the role these platforms play is much more active than might be imagined. On Facebook, for example, the “Trending Topics feed” column actively encourages the reading and sharing of the most popular articles on the social network, many of which come from unreliable websites full of glaringly fake news, the importance of which is exaggerated in this way.

Buzzfeed magazine uncovered the prime case of certain (more than 100) pro-Trump websites, which had been created by numbers of Macedonian teens and which reported sensationalist and totally fictitious news with the single declared aim of making money through Google’s online Ad-sense advertising network. One example is of the baseless smear campaign against Hillary Clinton which helped generate over 140,000 shares (reactions and comments) by U.S.users (on Facebook).

Facebook’s management were faced with a torrent of rage and criticism in the wake of Trump’s victory, being accused of not admitting their responsibility in shaping public opinion. In response to this criticism, on the 15th of December 2016, Mark Zuckerberg announced the launch of an article classification system, which will begin flagging news stories reported as fake by users, which will then be sent to (five) third-party outside professional fact-checking organisations for verification.

However, there are many who do not want to leave the power to distinguish real news from fake news to the major Internet platforms, the so-called Over The Top (OTT) players. Both commentators and experts have underlined the danger of leaving private companies in charge of assessing the accuracy of web-based information.

Speaking of which, the Financial Times interview with Giovanni Pitruzzella, head of the Italian Antitrust, published on the 30th December 2016, attracted particular attention. In the interview, Pitruzzella underlines the need to set up “a network of independent national bodies in charge of identifying and removing fake news from circulation (and imposing fines if necessary)”. A sort of Authority tasked with monitoring the truthfulness of information.

The idea has sparked a certain interest among commentators but also a chorus of accusations in relation to the presumed intention on the part of the Institutions to impose censorship. In Italy the former comedian and political leader Beppe Grillo has defined the post-truth alarm as “a new inquisition”. There are also those, such as Riccardo Luna, the former editor of Wired Italia, who asks for a rethink of quality journalism’s commitment as a bastion to combat widespread misinformation, stressing that although post-truth is not a new phenomenon, it is hugely amplified nowadays by the web and social networks.

However, this prompts us to make a further consideration. If it is true that the web has increased chances of running into fake news, it must also be acknowledged that the wide variety of information sources allows us more than ever today, to study news items in depth and to analyse and compare them. It goes without saying that a certain degree of skill to discriminate is necessary, but it is only in the context of a multiplicity of voices that it becomes possible to develop helpful cognitive instruments for distinguishing between relatively realistic news and sensational hoaxes. Therefore, in addition to being difficult to apply, devising solutions to limit and control information (contained in news) might also be counterproductive.

Yet there are still only very few voices which underline the need to help present and future voters in providing themselves with those intellectual instruments which would enable them to recognise the most reliable sources by themselves. So, regardless of any effective practical solutions (there may be), the mere fact of discussing post-truth publicly may represent a first step towards awareness of a global issue each one of us can give our personal contribution to limiting in a very simple way: namely, by avoiding sharing unverified news.

 

posted by admin on gennaio 30, 2017

Labour law and digital world

(No comments)

On 1st January 2017 France brought into force a law on the “right to disconnect”, which aims at banning office emails outside working hours.

Conceived as a means to combat an increase in stress, linked to compulsive out-of-hours email checking, the new legislation requires all companies with more than 50 employees to start negotiations in order to define the rights of employees to ignore their smartphones out of working hours.

As is well known, replying to emails outside working hours is not usually considered as overtime and therefore generally remains unpaid. Moreover, employee availability during off-hours is nowadays considered “a duty” by many employers. For this reason the new law requires companies to reach an agreement with their employees, in which the out-of-hours times when employees are required to reply to office communications must be explicitly detailed. The new measure also aims to protect digital professionals, who work remotely and are therefore more exposed to off-hours calls.

The law was introduced after Labour Minister Myriam El Khomri had commissioned a report on the health impact of the uninterrupted flow of digital information, so-called “info-obesity”, coming from the workplace. The excessive use of digital devices on which employees are reachable 24/7 has been considered the cause of any number of health conditions from “burnout”, to sleeplessness and relationship problems.

A number of multinational companies based in France have already announced that they have already taken steps to put in place innovative solutions such as a “curfew” on evening communications or systems that automatically delete emails sent to employees when they are on holiday or not working.

 

 

posted by admin on dicembre 15, 2016

Privacy

(No comments)

The Privacy Shield agreement, which regulates cross border data transfer flows between the European Union and the United States and which recently replaced the previous Safe Harbor agreement, is once again under discussion.

Only a few months after the text came into force, the European Court of Justice has been called upon to decide on the adequacy of the level of protection guaranteed by the Privacy Shield agreement.

A number of companies working in the digital sector and performing the transfer of personal data abroad (among which the by now well known Digital Rights Ireland Ltd.) argue that the Privacy Shield agreement does not offer an adequate level of protection, contrary to what was deemed to be the case by the European Commission, which on the 12th July 2016 implemented the adequacy decision, making legitimate the transfer of data towards the United States and those American organizations endorsing the new agreement.

In particular, the claimants maintain that the EU-US Privacy Shield does not fully implement those principles and rights regarding personal data protection included in directive 96/46/EC (which will be repealed from 2018 by means of recent EU Regulation 679/2016) and consequently, does not adequately safeguard the rights of European citizens. In the appeals it is also brought into question that the agreement does not exclude indiscriminate access to electronic communications by foreign authorities, thus in violation of the right to privacy, to the protection of personal data and the freedom of expression as set out in the Charter of Fundamental Rights of the European Union.

For the abovementioned reasons the said companies appealed challenged the Commission’s adequacy decision in accordance with art. 263 TFUE, which grants interested parties the right to appeal against the Commission’s acts and obtain their annulment within two months from their entry into force or their publication.

It is worth recalling that the Article 29 Working Party had already expressed its fears regarding certain aspects of the agreement, which had not been modified, despite repeated requests for review. Immediately following the implementation of the Privacy Shield agreement, in a statement on the 26th July 2016, the Group of European DPAs underlined that no concrete security measures to prevent the general collection of data had been provided and that the independence of the role and powers of important redress bodies (such as the Ombudsperson) had not been guaranteed.

As a consequence, the new system does not seem to have helped to establish a climate of certainty regarding the legal framework regulating cross border data transfer flows to the United States, a country, which has clearly not yet gained the trust of European operators. The decision by the Court of Justice is now awaited since it might either consider the appeals inadmissible due to a lack of legitimization or groundless motivations or decide to uphold them.

 

 

The 54th session of UNCITRAL Working Group IV on Electronic Commerce brought to a close work on the regulation of “Electronic Transferable Records”, following which a new Working Group on Identity Management was formed.

During the last session in Vienna, Working Group IV on Electronic Commerce of the United Nations Commission on International Trade Law (UNCITRAL) produced a final version of the International Model Law on Electronic Transferable Records and invited the UNCITRAL Secretariat to forward the text to all Member States and international organisations for their opinions, after which the text will then be submitted to the UNCITRAL Commission in Vienna in July 2017.

Over the last five years the Working Group’s activity focused on the definition, the rules and the use of these particular electronic financial data. As its President, Giusella Finocchiaro chaired the Working Group from 2012 until the termination of its work.

In its activity concerning ETRs, the Working Group drew inspiration from a number of fundamental principles such as those of technology neutrality and of non-discrimination between paper and electronic documents, keeping the impact on national substantive legislation to a minimum.

At the same time as they brought to an end their analysis of Electronic Transferable Records, the Working Group initiated a discussion on the new Identity Management project assigned by the Commission, which is currently an issue of significant national and international interest.

The new Working Group will be required to focus both on Digital Identification systems with a diversity of subjects and on bilateral systems and will have to take into consideration the identities of both natural persons and legal persons, without at the moment excluding digital objects. There was a reminder that the Commission’s mandate also concerns “Trust Services” the detailed study of which will be made in the future, but which will immediately be taken into consideration working out their definitions.

Therefore a group of experts has been created for the elaboration of first drafts. Given that the European Regulation on this subject has recently come into force, the European approach, which the Commission strongly supports, will be most significant.

 

A recent judgment by the European Court of Justice stated that IP addresses can be considered as personal data in that they can be used to identify a user by turning to the authorities or ISP providers.

The point was raised in the context of a controversy between Mr Patrick Breyer and the Bundesrepublik Deutschland (Federal Republic of Germany) concerning the registration and storage of Mr Breyer’s IP address on the occasion of his consulting a number of Internet websites of the German federal services.

Every access to German Government websites is registered with the aim of thwarting cyber attacks and identifying hackers and at the end of each consultation session, a range of data is stored, such as the name of the website or file consulted, words typed in the search bars, date and time of consultation, volume of transferred data, outcome of the consultation and the IP address of the computer which has effected access.

Mr Breyer petitioned the German administrative judges, requesting them to prohibit the Federal Republic of Germany from storing IP addresses. His request was rejected at first instance trial, but the Appeal Judge partially accepted his petition, condemning the Federal Republic of Germany to refrain from storing IP addresses when these are collected together with the corresponding date of consultation and when users reveal their identity during the consultation session, even though in the form of an e-mail address.

Therefore, according to the German Court of Appeal, dynamic IP addresses associated with dates of consultation are only to be considered personal data in those cases when users have revealed their identity when surfing the web, whereas if users do not reveal their identity during a consultation session, IP addresses would not be considered as personal data as only Internet service providers could link those IP addresses to the names of their subscribers.

As both the Federal Republic of Germany and Mr Breyer opposed the Appeal Court’s decision, each petitioned the Bundesgerichtshof (Federal Court of Justice), Mr Breyer aiming at full approval of his injunction and the State requesting its rejection.

The Federal Court of Justice pointed out that the qualification of IP addresses as «personal» data depends on whether or not it is possible to identity users and raised a question of doctrine regarding the choice of «objective» or «relative» criteria in order to establish whether a person is identifiable. Applying «objective» criteria, IP addresses could be considered personal data even if only one third party were able to determine the identity of the person involved; the third party, who in this case would be an Internet access service provider. On the other hand, according to «relative» criteria, these data could only qualify as personal data in relation to a particular subject, such as the Internet access service provider, who was able to trace precise identification back to a specific user. On the contrary, IP addresses could not be considered personal data for other subjects such as Internet site administrators, since they are not in possession of the necessary information for identification without resorting to external sources, except for those cases in which users reveal their identities while browsing the web.

First of all the European Court of Justice observed that a dynamic IP address does not represent information referring to an «identified natural person», since it directly reveals neither the identity of a computer owner connected to an Internet website, nor that of another person who may be using the same computer. However, the Court stressed that the wording in art. 2, letter a) of directive 95/46 proves that a person is considered identifiable when they can be identified not only directly, but also indirectly. Moreover, recital 26 of directive 95/46 states that, to determine whether a person is identifiable, it is appropriate that the sum total of the means that may be reasonably used by a data processor or others to determine said person’s identity should be taken into consideration.

According to the Court, the fact that additional information necessary to identify users is not directly in the possession of website administrators, but rather in that of Internet access service providers, is not sufficient to exclude dynamic IP addresses from being considered as personal data in accordance with art. 2, letter a) of directive 95/46. Indeed, it needs to be established whether the possibility to match a dynamic IP address to the names in the possession of Internet access service providers constitutes an accessible means for website administrators. A situation that would not be conceivable if the identification of the person involved was prohibited by law or in practice unfeasible, for example due to the fact that it would imply an enormous amount of time, cost and labour.

Despite German national legislation not allowing ISP providers to directly transmit information that identifies a person starting from an IP address, the Court stressed that there are legal instruments which, especially in cases of cyber attacks, allow website administrators to turn to the appropriate authorities, in order that these authorities can obtain the relevant information from Internet access service providers and initiate criminal proceedings. It follows that there are means, which, with the help of other subjects, can be reasonably used to identify a person based on their IP address.

Therefore, the European Court of Justice has established that article 2, letter a) of directive 95/46 must be interpreted as meaning that a dynamic IP address registered by a website represents personal data, where website administrators are concerned, in the event that they are in possession of the legal means to allow the identification of the person involved by recourse to an Internet access service provider.

The European Court of Justice decision is available HERE.

 

 

posted by admin on novembre 15, 2016

computer crimes

(No comments)

This is a summary of the interview given by Prof. Giusella Finocchiaro to Vanity Fair, in which she was invited to explain certain legal aspects underlying some particular recent news items regarding online privacy.

Social media allow a choice of the level of visibility for each post published, however for uses such as that of videos illegally circulated online judicial measures are required. Giusella Finocchiaro, the first attorney at law in Italy to teach Internet law, explains how.

Two cases recently appeared in the news in the space of just 24 hours. Firstly, the suicide of a 31-year-old woman, whose hard core videotape had been circulating illegally on the web for more than a year and the case of a 17-year-old girl, whose girl friends recorded and posted a video of her while she was being raped in a disco. Both of these cases raise the question of what the limits of privacy on the Internet are. The head of the Italian Data Protection Authority, Antonello Soro, spoke of « the risk of being pilloried that the Net exposes us to, given the lack of adequate user awareness of the nature of its unlimited space and of the damaging effects that violent communication or the ferocity of ruthless mockery on the part of others may cause».

Lack of legislation was not in question Soro did not speak of a lack of legislation but rather of the need for «appropriate response procedures on the part of the different platforms» and also of another fundamental need: namely «to cultivate respect among people on the Internet». Investment in digital education is fundamental also according to Giusella Finocchiaro, (attorney at law and Professor of Private and Internet law at the University of Bologna, the first chair for this subject in Italy, as laws exist and the legal course followed by Tiziana Cantone (the woman who committed suicide) was the correct one, but timescales remain lengthy and not all people know how to protect themselves.

 

 

posted by admin on novembre 1, 2016

Interviews

(No comments)

This is the interview Giusella Finocchiaro gave to Vanity Fair and which was published in issue 39/2016 of the weekly.

What laws do we have to protect us?

«Quite a few. Both of these recent incidents, for example, contain a series of civil offences that range from the violation of privacy legislation to the violation of a person’s fundamental rights. There are a number of possible offences that could be brought before a criminal court such as instigation to commit suicide, unlawful interference in a person’s private life and the handling of child-pornography material».

Who to press charges against? And how effective is it?

«Those to take action against are the authors, those who put the videos online. Then, naturally, action may also be taken against service providers, namely those companies which provide access to the Net, but only on certain conditions: they’re under no obligation to monitor in advance what’s made available online, nonetheless they’re legally required to remove contents if there’s provision to do so on the part of the judicial authority or of any other competent authority».

But can everything be blocked and for always?

«The possibility can’t be ruled out that the video has been downloaded by other users and that it keeps on circulating. Of course these other users are committing a crime as well. In practice, it’s a constant game of catch-up: in the digital dimension it’s extremely easy to even reproduce multiple copies of a message».

Should providers be given more responsibilities?

«Certainly, but not with a control system, because it’s very laborious. A mechanism to allow users to contact providers would be useful, because in this way, when they received a complaint, providers could verify and remove contents in a very short space of time».

What advice would you give to make good use of the Net?

« Never forget that when you access the Net you leave a strictly private dimension and you enter a very public one».

 

 

 

  • Recent comments

  • Popular posts

    • None found