The ‘Crusher’

Internet Regulation and Management from Peter Milford Associates
  • Intellectual Property

    Posted on June 18th, 2011 pmilford No comments

    Well, it has been a long time since The Crusher last commented on news and some current affairs. Quite a lot of metaphorical water has passed through the broadband routers and bridges including much discussion at a European and now national UK level about content filtering and the requirement to filter access to certain sites hosting material held to be illegal (not just unlawful but illegal), typically sites hosting child sexual abuse materials.

    Quite a lot of the argument against content filtering suggests that it is ineffective and that it is far more effective to go after the owners of the abuse sites and to shut them down at source. The number of sites that remains suggests that shutting down is not quite as easy as some might want us to believe. Perhaps that is because the sites are located in countries where jurisdiction is difficult to enforce.

    So why is this of interest? In the UK, processes exist to provide for illegal materials to be removed at short notice. The IWF has a very effective system of working with ISPs and others but this can only work within the jurisdiction and within others where there is agreement.

    The interest now is to see how some copyright owners are looking to use take-down and criminal prosecution to take action against sites that may promote access to unlawful materials. The latest step in this process is the request from the US to extradite a UK student to face criminal copyright proceedings in the US. Now, the UK government signed an agreement with the US to allow UK citizens to be extradited to the US but without the opposite effect of allowing US citizens to be brought to the UK. A very one-sided agreement signed into UK law by a craven government.

    Richard O’Dwyer is a student at Sheffield Hallam University. He set up and ran a web site providing links to other sites that provided access to copyright materials. The web site was not hosted in the US and O’Dwyer was not working in the US. Yet US officials succeeded in obtaining a Court Order in New York to allow them to seize O’Dwyer’s domain names (tvshack.net and tvshack.cc) and have now submitted a request to extradite O’Dwyer to face criminal copyright prosecution in the US.

    tvshack - announcement of domain seizure


    Hold on - he is a UK citizen, living and working in the UK and running a website that is not hosted in the US. How can he be held to have incurred a criminal liability in the US - other than by an assumption that US law applies where US persons can read internet material or where US companies can allege that they are affected?

    If there was to be a prosecution then it should be brought under UK law - using provisions for criminal effect within the Copyright and Designs Patent Act 1988 (and as subsequently amended). But these require that there should be an intent and that there should be some benefit. O’Dwyer was not providing copies of the copyright materials; he was merely providing a link.

    Interestingly, providing a link is pretty much what a search engine does. So, are the US prosecutors going after Google, Yahoo, AltaVista and others? I suspect not, perhaps because they know that they have the resources to engage lawyers to provide an effective defence.

    Actions have been taken in the UK against other domains. Trading standards worked with FACT and Gloucestershire police to bring a prosecution against TVLinks.co.uk - a remarkably similar situation to that which now involves tvshack. However, in the TVLinks case the judge threw the case out of court after the defence (yes, it is defenCe not defenSe) successfully argued that the site operated under the European concept of ‘mere conduit’. The defence of ‘mere conduit’ is applicable where the defendant: did not initiate the transmission; did not select the receiver of the transmission; and did not select or modify the information contained in the transmission. ‘Mere conduit’ has been successfully used by ISPs to defend against various actions trying to include them within defamation or transmission proceedings.

    Had action been taken to bring Richard O’Dwyer to court in the UK and to bring charges of criminal copyright then it is likely that the TVLinks case would be cited as a precedent and that action would be stopped. UK law follows the European Directive and is quite clear - but is very different to the far harsher application in the US.

    In this case it would seem that US officials have decided that they would have little likelihood of success in bringing a criminal charge in the UK and have decided that they have a far better chance of an action in the US. But has O’Dwyer committed an offence in the US? He was not on US territory when the alleged offence was committed and he was not using servers based in US territory.

    If US officials assume their right to prosecute then they are setting themselves up as a form of ‘Team America - World Police’. Our politicians have to recognise that their first obligation is to protect the citizens of their own country and must tell US prosecutors that they have no jurisdiction.

    If the US succeed in extraditing O’Dwyer will they then look to action against domain owners, domain hosts and ISPs here in the UK who they consider to be complicit in the transmission of material that may infringe the rights of domestic (ie US) companies?

  • End of an era

    Posted on January 1st, 2011 pmilford No comments

    Well, first of all, Happy New Year - it is now 2011.

    But, a look back to yesterday. 31st December 2010 marked the end of an era. For those who are old enough to have used film in cameras, yesterday was a sad day as it marked the final passing of Kodachrome. The film stock had not been produced for a while but yesterday was the final processing at the last processing lab able to put Kodachrome through the extensive system required to create the full reversal colour transparency product.

    Dwayne’s Photo in the USA was the last lab and yesterday the last processing took place. There are now no more chemicals to service the processing plant and the machines will now be sold for scrap. Kodachrome was a film that was designed to be machine processed - the colour reversal process cannot be carried out in a conventional manual tank process.

    Kodachrome survived for more than 70 years and was an outstanding stock. With its particularly slow speed rating it had a microscopic grain structure that provided an ultra fine finish with transparencies capable of being blown up across buildings! Kodachrome had a depth of colour that had to be seen - and was used for some of the most recognised images of the last 75 years including Steve McCurry’s iconic ‘Afghan girl’ image for National Geographic.

    Above all, Kodachrome was archival - the process removed colour couplers and other oxidising materials which meant that there was very little if any of the colour degradation that has plagued other films of much newer creation.

    If you want to see some of the last images check out the Kodachrome Project

    Kodachrome has paid the price of the rise in digital photography. Digital is yet to provide the sheer quality of image that the ageing film stock was capable of but can, of course, provide advantages of variable speed rating and much higher performance.

    Someone once said, ‘If you can’t take it on Kodachrome it isn’t worth taking’ - the 25 and 64 ASA/ISO stock required good lighting to make an image. Speed is not everything - as speed ratings increase noise becomes more apparent in a digital context (equivalent to grain in a silver based stock).

    It is sad to mark the passing of an era. Producing a specialist film stock and maintaining highly specialised processing equipment was undoubtedly expensive. Would I have shot 10,000 plus images in the past 12 months if I had used Kodachrome? I think we know the answer to that and must welcome the digital revolution. But sad to see the passing of an old friend.

    Kodachrome - R I P - 31st December 2010

  • Intercept moving forward

    Posted on November 10th, 2010 pmilford No comments

    A number of documents published by the Government in the last few weeks now seem to point towards a continuation of the Intercept Modernisation Programme (IMP) that was under discussion under the previous government.

    Interestingly, there are some divergent pointers yet the overall impression seems to be that the Government is now looking to update provisions with an intention to have a range of new services in place to support law enforcement and national security by the end of the current parliamentary session (2015).

    First to come along was the Strategic Defence and Security Review with the announcement that the Govt. intends to, ‘introduce a programme to preserve the ability of the security, intelligence and law enforcement agencies to obtain communication data and to intercept communications within the appropriate legal framework.’ The following explanations are taken straight from the discussions that surrounded the transposition of the Data Retention Directive back in 2008. ‘This programme is required to keep up with changing technology and to maintain capabilities that are vital to the work these agencies do to protect the public. Communications data provides evidence in court to secure convictions of those engaged in activities that cause serious harm.’

    When this came around first time (brought forward by the then Labour government) there was some substantial criticism from the opposition and from industry. That opposition took the form of both the civil liberties argument and a technical response. That was around the idea that the technology to perform the kind of real-time interception and storage simply did not exist, nor was likely to within the timescales envisaged. The Defence Review continues, ‘We will legislate to put in place the necessary regulations and safeguards to ensure that our response to this technology challenge is compatible with the Government’s approach to information storage and civil liberties.’

    So, at least the paper recognises that there are issues with information storage and with civil liberties.

    Now, at the beginning of November, the Home Office has published its business plan for 2011 to 2015. That states that the Home Office will:

    ‘End the storage of internet and email records without good reason; Develop and publish proposals for the storage and acquisition of internet and e-mail records; Implement key proposals, including introducing legislation if necessary’

    The plan includes some dates and milestones. It indicates that plans are already underway for the storage and acquisition of internet and e-mail records and that this is expected to be completed by December 2010. Whoaa - that’s next month. Clearly the discussions and shelving that took place under the previous Government have not stopped the agencies from continuing to plan for storage. The business plan indicates that action will then be taken (December 2010 onwards) to implement recommendations and to introduce legislation. That is anticipated to be complete by 2015. Now the interesting words there are ‘if necessary’.

    When Baroness Pauline Neville-Jones was in opposition she made it clear that she was opposed to new powers being introduced without primary legislation. That, of course, requires debate in Parliament and an opportunity for both supporters and opposers to express their views. Now it seems that there is some confusion; perhaps it may not ‘be necessary’ to introduce new legislation. Perhaps the security and law enforcement agencies have persuaded their new masters that the need for access to communications data overrides the civil liberties argument. That is a dangerous route to follow.

    The next few weeks look to be interesting. It will be interesting to follow the outcome of plans and proposals from the Home Office. This may be moving rather more quickly than had been expected.

    Interestingly this speed now puts the Home Office ahead of the European review of the Data Retention Directive. That was supposed to have taken place but has now been put back to next year. There remain arguments that the Directive is flawed and should be withdrawn - it will be interesting to see how the Home Office responds if the European Directive is struck down.

  • Secure comms ….

    Posted on October 14th, 2010 pmilford No comments

    No real surprises today with a report that nearly a quarter of home wireless networks investigated had no password set to secure the network. Home networks have always been something of an Achilles heel, with far too few users understanding the need to take steps to secure their systems.

    The Crusher has long held the view that wireless equipment (broadband routers, access points etc.) should be sold with security enabled. With security in place from the start it would require some knowledge to disable the security rather than needing some knowledge to enable it when setting up the system. To be fair, some providers do take steps to secure systems but many users purchase equipment off the shelf in a wide range of outlets and fail to heed the advice in the set up instructions.

    Some while ago, The Crusher took wireless enabled equipment for a walk along a street in a Hampshire market town. In just 200 yards, walking along a main shopping street with flats above, the system detected some 10 wireless networks, at least half of which were unsecured meaning that anyone could connect and gain access.

    But it gets worse. More than half of the wireless networks still used the original router manufacturer’s SSID. If you can see the SSID and it identifies a particular manufacturer then there is a pretty good chance that the default password is still in use - most likely to require a username of ‘admin’ and a password of (yes!) ‘password’. It really is not too difficult to get in and if you can gain access to the router then you can secure it from remote and make changes to the configuration preventing the original user and owner from getting in! Of course, if you can physically access the router then you can reset to default and start again but …..

    The problem is that an insecure wireless network is like leaving the front door of the house open. Anyone can come in and take a look around. Chances are that there are other machines connected to the network, once in you can sniff traffic and detect and read data. That could include usernames, passwords, financial data - the list goes on.

    If you can access a wireless network from outside then you can connect and use the bandwidth and that might include accessing illegal or unlawful content. And that could pose a problem for the owner of the network - if a rights agency detects unlawful download of copyright materials then they can apply to a court for an order requiring an ISP to divulge details of the circuit and the owner. The rights owner may then seek to obtain damages and will pursue the owner of the circuit, whether or not that person had any knowledge of the infringing traffic. Having the police knock on the door at 6.00am to investigate child pornography might seriously upset your day - and that of the neighbours and your relations with them.

    So what should you do if you are using a wireless network? The Crusher believes that there are a series of relatively simple steps that can be taken to substantially improve the security of a home wireless network. When setting up the system, take actions to:

    1. Change the default system password. Make it something that you can remember but not something that is easily guessed (like the phone number, car registration, user name etc.)

    2. Change the SSID, the wireless network name. By default this will typically be the name of the equipment manufacturer, Netgear, Dlink etc. Don’t use your name or the address as these will immediately identify the network with a particular property.

    3. Secure the connection by setting an access password so that any user connecting to the system will be required to enter the password. This should be encrypted - systems will offer either WEP or WPA. WPA is more secure - WEP passwords can be decrypted relatively easily and the security broken.

    4. To enhance the access control, restrict connections to known MAC addresses. Each wireless connection (network card) will have a unique MAC address. Your router will be able to show the connections - identify the connections with known equipment and grant access only to those you know and approve. Once this is set up any other equipment attempting to connect will be refused.
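
    The four steps above written as a checklist audit, as an added example that is not part of the original post. The `RouterConfig` structure, its field names and every sample value are constructed for illustration; the manufacturer names and the ‘admin’/‘password’ login checked for are the ones the post mentions.

```python
import re
from dataclasses import dataclass, field

# Manufacturer SSIDs named in the post ("Netgear, Dlink etc.").
DEFAULT_SSID_PREFIXES = ("netgear", "dlink")
# 'password' is the default the post cites; "" and "admin" are assumed extras.
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password"}


def _norm(text):
    """Lower-case and drop punctuation/spaces so 'AB12 CDE' matches 'ab12cde'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _norm_mac(mac):
    """Accept both 02-00-00-00-00-01 and 02:00:00:00:00:01 spellings."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class RouterConfig:  # hypothetical structure, not a real router export format
    admin_user: str
    admin_password: str
    ssid: str
    encryption: str                      # "none", "WEP" or "WPA"
    mac_allow_list: set = field(default_factory=set)
    connected_macs: set = field(default_factory=set)
    owner_details: tuple = ()            # name, address, phone, car registration


def _owner_details_in(value, cfg):
    """Return the owner details (4+ characters once normalised) found in value."""
    v = _norm(value)
    return [d for d in cfg.owner_details if len(_norm(d)) >= 4 and _norm(d) in v]


def audit(cfg):
    """Return a list of (step_number, message) findings; empty means all four steps pass."""
    findings = []

    # Step 1: default or easily guessed system password.
    pw = cfg.admin_password.lower()
    if pw in DEFAULT_ADMIN_PASSWORDS or pw == cfg.admin_user.lower():
        findings.append((1, "system password is still a default"))
    elif _owner_details_in(cfg.admin_password, cfg):
        findings.append((1, "system password is built from personal details"))

    # Step 2: SSID that names the manufacturer or the property.
    if _norm(cfg.ssid).startswith(DEFAULT_SSID_PREFIXES):
        findings.append((2, "SSID is the manufacturer default"))
    elif _owner_details_in(cfg.ssid, cfg):
        findings.append((2, "SSID identifies the owner or address"))

    # Step 3: access password with WPA rather than WEP or nothing.
    enc = cfg.encryption.strip().upper()
    if enc in ("", "NONE", "OPEN"):
        findings.append((3, "no access password: anyone in range can connect"))
    elif enc == "WEP":
        findings.append((3, "WEP in use: switch to WPA"))
    elif not enc.startswith("WPA"):
        findings.append((3, "unrecognised encryption setting: " + cfg.encryption))

    # Step 4: connections restricted to known MAC addresses.
    allowed = {_norm_mac(m) for m in cfg.mac_allow_list}
    if not allowed:
        findings.append((4, "no MAC allow-list configured"))
    else:
        unknown = sorted({_norm_mac(m) for m in cfg.connected_macs} - allowed)
        if unknown:
            findings.append((4, "connected but not approved: " + ", ".join(unknown)))
    return findings


def failed_steps(cfg):
    """Step numbers (1-4) that have at least one finding."""
    return sorted({step for step, _ in audit(cfg)})


# Constructed sample data (fictional owner, locally administered MAC addresses).
OWNER = ("Smith", "12 High Street", "01632 960123", "AB12 CDE")
OUT_OF_BOX = RouterConfig("admin", "password", "NETGEAR", "none", owner_details=OWNER)
HALF_DONE = RouterConfig(
    "admin", "Smith2010", "12 High Street", "WEP",
    mac_allow_list={"02:00:00:00:00:01"},
    connected_macs={"02-00-00-00-00-01", "02:00:00:00:00:02"},
    owner_details=OWNER,
)
HARDENED = RouterConfig(
    "admin", "quiet-Harbour-41-lamp", "bluebell", "WPA",
    mac_allow_list={"02:00:00:00:00:01"},
    connected_macs={"02:00:00:00:00:01"},
    owner_details=OWNER,
)

if __name__ == "__main__":
    for name, cfg in (("out of box", OUT_OF_BOX), ("half done", HALF_DONE), ("hardened", HARDENED)):
        print(name)
        for step, message in audit(cfg) or [(0, "all four steps pass")]:
            print("  step", step, "-", message)
```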

    Let’s just go back to the first item. If you can connect to the router with a wired connection (plug in an RJ45 lead) then all the wireless protection is irrelevant. If you have not changed the password then you can get in.

    The Crusher had occasion to stay in a small hotel. The WiFi system was not working at all well and the router was on a table in the main lounge. Plug a wired connection in and enter ‘admin’ and ‘password’ and there was immediate root access to the router and a quick indication of where there were problems. Now, access was with the permission of the owner and sorted out the problems but an unscrupulous person could have made changes that would have been unnoticed yet allow access from remote. Of course, the password was changed and the system secured when it was left.

    The old adage, ‘caveat emptor’, is as relevant here as anywhere else. Far too many purchase equipment, take it out of the box and plug it in and play. Unfortunately, in most circumstances, that is all that is needed for it to work - to work safely and securely takes a bit more knowledge.

  • The ISPAs 2010

    Posted on July 10th, 2010 pmilford No comments

    Thursday night (8th July) was a glittering night for the Internet industry - the annual ISPA Awards bash at the Marriott Hotel in Grosvenor Square. After all the testing and all the submissions it was time to hear the judges’ verdict.

    The awards are the Internet industry’s chance to recognise good practice and good performance. Over the last 12 years they have changed with new categories and new means of assessing performance in the ISP Division. The ISP Division recognises best practice across hosting, customer service, consumer and business broadband etc. The Times noted that the ISPAs were, ‘The awards that could have the most direct bearing on your life’ and the Daily Mirror called it, ‘The Internet event of the year’. Whatever, it is without doubt keenly awaited by those in the industry and keenly commented by customers and others.

    Congratulations to all those who won. The Crusher was pleased to see the team at NewNet picking up another piece of acrylic to add to the two previous awards - this year in the class of Best Dedicated Hosting. Well done to the NewNet team and to all those who won in the ISP Division.

    But, it is the Special Awards that arouse more interest. New categories here for digital inclusion (Bolton Literacy Trust) and for Internet Safety (Childnet), Access Innovation (The Alston, Cumbria, CyberMoor project with a special commendation to SW Internet CIC) and Corporate Social Responsibility (Orange).

    At the end of the evening there are two awards that evoke much wider interest - the Internet Hero and the Internet Villain award. Now, in years past The Crusher was pleased to nominate someone who was then awarded the Internet Villain prize so there is always a little more than minor interest here.

    What was interesting this year was that both awards recognised different sides of the same thing - the passage through Parliament of the Digital Economy Bill to become the Digital Economy Act. ISPA Council members bestowed the Internet Hero Award upon Tom Watson MP for leading the parliamentary fight against the Digital Economy Bill and continuing the campaign to ensure an informed approach to the Act. Well done Tom - your actions in the House of Commons and your speech in the final parts were an inspiration and made it clear that there was not a common cross-party consensus.

    The passage of the Digital Economy Bill was fraught and was not helped by changes being made during the consultation period and then by inclusion within the final ‘wash-up’ stages before the end of the parliamentary session and the General Election. There were a number of nominations for the Internet Villain award, all in their own right quite worthy recipients, but in the end, the winner was a shoo-in for the award. It was the Dark Lord himself, Lord Mandelson, formerly Secretary of State for Business and Skills, who had steered the Digital Economy Bill through the various processes. The change that was made during the consultation phase coincided with a weekend meeting with a major rights owner and the final stages were a sham, forcing through legislation that was deeply unpopular and which made fundamental changes to the due process of law.

    So, a worthy villain. Sadly, Lord Mandelson was not available to collect his award in person. What a shame - would have been a great appearance and a great acceptance speech!

    The new coalition government has now invited the public to suggest law that should be removed, replaced or amended. Inviting the public to comment is always a risk (a request to introduce a law ‘to allow me to marry my horse’) but sometimes shows popular unrest and resentment. No surprises really to see that some of the largest number of comments and requests related to repeal of the Digital Economy Act. So, it is over to you government, you asked and now you have been told. DEA must go!

  • Tempus fugit II …..

    Posted on June 29th, 2010 pmilford No comments

    Time flees as the Latin tag says (perhaps more commonly recognised as ‘Time Flies’) and it certainly seems to be the case with Data Retention.

    It seems just a short time ago that we were watching the progress of the Directive through the European parliamentary system, from introduction through discussion (is that really the right word for the actions of the UK Presidency in 2005?) to amendment and then to final acceptance and transposition to national law.

    In the UK we were there at the beginning, transposing the first parts to apply to fixed line and mobile telephony. 18 months later came the inclusion of Internet data. The interesting bits were the differences between national transpositions - some elected for retention for as little as 6 months, others for 12 and some for as long as 24 months (but would have liked longer). The UK opted to allow for reimbursement of capital expenditure and the provision in relation to Internet data seems to pay only slight compliance - requiring retention of data only where the national authorities deem that it is necessary.

    Some member states have only brought data retention within national law in recent months - Portugal in August 2009, Italy at the end of 2009 and Poland only at the beginning of 2010 (UK, 1st phase Sept 2006, 2nd phase March 2008). There remain a number of member states where data retention has still not been applied - Austria, Belgium, Greece, Ireland, Luxembourg, Romania, Sweden - so much for the idea of ensuring a common approach to law enforcement.

    But, time flies. The implementation of the Data Retention Directive provided for an evaluation of the Directive. The time has now come for that evaluation and a number of conferences and meetings have taken place. The results of evaluation will be published later in the year, probably in October 2010. After that, the Commission will begin the processes that will lead to proposals for a revised Directive, probably by the end of 2011 with expected implementation by 2014.

    It is too early to say what that new Directive may include, but undoubtedly there will be pressure to expand the range of retained data to include a wider range of Information society services - The Crusher would expect to see pressure for the inclusion of social networking data and web site access. There may be some agreement on a reduction in the range of the approved time scales - although as most members currently retain for 12 months this is unlikely to affect the majority (including the UK).

    The evaluation report from the Commission does include some interesting data relating to the number of requests for access to retained data in 2008.

    Member State      Requests   Requests / 100K population
    Cyprus                  34      3
    Czech Republic      131560   1288
    Germany              13348     16
    Denmark               3605     66
    Estonia               4490    346
    Greece                 584      5
    Spain                72011    178
    Finland               4010     76
    France              538437    866
    Ireland              14095    335
    Lithuania            79586   2239
    Latvia               16862    756
    Malta                  867    214
    Slovenia              2821    141
    United Kingdom      470222    769

    Clearly there are wide variations in the raw number of requests with France and the UK heading the number of actual requests. Of course, both have fairly high populations so it is reasonable that there should be a large number of requests. But, when the figures are compared against the national populations the data requests become more interesting. The right-hand column shows the number of data requests per 100,000 of population. Under this order, Lithuania shows a massive 2239 requests per 100K with the UK behind France at a much lower 769. Yet Cyprus only requests data at the rate of 3 per 100,000!

    Of course, there will be variations in what is perceived as relevant crime and the use of data to locate rather than to determine specific use. It may well be that the larger number of requests are being used more as a location tool than as a more detailed investigatory procedure. But, the figure for Lithuania is so much greater than others it does rather beg the question what use is being made of retained data in that small state? Perhaps there remains an investigatory throwback to a previous regime - although the lower (far lower) figures for neighbouring Estonia and Latvia may negate that suggestion.

    Interesting data - it will be interesting to watch what comes out of the Commission in late summer/autumn 2010.

  • All Change!

    Posted on May 20th, 2010 pmilford No comments

    Well, here we are, just a week or so since the announcement of a coalition between the Conservatives and the Liberal Democrats. Now the new government is taking shape and we know who has the top jobs.

    But is it a Lib-Con or a Con-Dem - only time will tell.

    Anyway - now the politicians have had a week or so to wait by the telephone (guess there are quite a few Tories who did not get a call that they might have expected) and to start to get policies announced ahead of the formal State Opening of Parliament. That will see the reading of the Queen’s Speech but it is clear that many of the contents of that speech have already been announced.

    It is clear that this new Parliament is going to be different. For a start there are now more newly elected Members (new intake) than at almost any previous time. The Crusher wonders just how many of these will actually have some understanding of the online world - perhaps the fact that there are many younger members may suggest that they may have some idea about how to use email and the various social networking media. Perhaps some may even understand what an IP address is.

    But, the interesting bits have come in this second week. Policy announcements have made it clear that many projects favoured by the previous administration have now fallen out of favour with the new. Most of this is down to cost (as the former Chief Secretary to the Treasury left a message for the incoming replacement - ‘there is no money’) but there are some areas where it is clear that public concern has manifested in political action.

    An announcement today made the point - suspending the widely unpopular Home Information Packs (HIP). Introduced in an attempt to make information available to house purchasers and to streamline the conveyancing process, they included an energy efficiency assessment. The reality was that there was now a requirement for sellers to purchase an expensive pack that duplicated the work that would still have to be undertaken by solicitors in the conveyance process (who would still have to conduct searches etc. in order to ensure that liabilities were met). The pack had to be prepared before sale and was only valid for six months. In the current sales environment there was every likelihood that sellers would have to arrange for several packs.

    So, with immediate effect, there is no longer a requirement to have a HIP in place. But the requirement for the energy assessment remains in place and sellers will have to have an assessment and a certificate within 28 days. Now this is a European requirement and is set out within a European Directive so the hands of the UK coalition are tied - they cannot scrap all of the HIP and must retain the requirement for the energy certificate - all dressed up in the words of promoting green behaviour etc.

    The energy certificate is a pointer to some actions elsewhere. Nick Clegg, Deputy Prime Minister, set out a number of pointers this week:

    “This government is going to transform our politics so the state has far less control over you, and you have far more control over the state …..

    Three major steps, that will begin immediately:

    One: we will repeal all of the intrusive and unnecessary laws that inhibit your freedom.

    Two: we will reform our politics so it is open, transparent, decent.

    Three: we will radically redistribute power away from the centre, into your communities, your homes, your hands.

    Big, sweeping change.”

    Nick Clegg continued:

    “First, sweeping legislation to restore the hard won liberties that have been taken, one by one, from the British people.

    This government will end the culture of spying on its citizens. It is outrageous that decent, law-abiding people are regularly treated as if they have something to hide. It has to stop.

    So there will be no ID card scheme. No national identity register, a halt to second generation biometric passports. We won’t hold your internet and email records when there is just no reason to do so.”

    There has certainly been concern over the use of RIPA (Regulation of Investigatory Powers) by some local authorities to keep tabs on parents, fishermen and dog walkers (and much more). It will be interesting to see how the actions of local authorities are to be curbed.

    Cancellation of the ID card programme was always going to be on the cards as there were major cost implications. Quite simply it was a project too far, a project too expensive. Interestingly I recently saw a poster on the wall at an Identity and Passports Office - ‘ID cards are coming.’ Wonder if that has come down already!

    ‘We won’t hold your internet and email records when there is just no reason to do so.’ So far we have the Data Retention Regulations transposing the European Data Retention Directive - the UK implementation is rather idiosyncratic and is applied where the Home Office feels that there may be a need, somewhat less than the wording of the Directive. It is likely that the Regulations will remain (they are after all prescribed within European Law) but that the discussions for increased data gathering under the Internet Modernisation Plan will now go no further. IMP was causing concern with the suggestion that security services and law enforcement agencies could benefit from data gathered using deep packet inspection techniques implemented by ‘black box’ servers located within ISP networks. Forget concerns that the technology was not yet up to the task, nor really likely to be in the near future - the real problem was the potential cost. That is where the cut has fallen.

    Another area that has raised much concern over recent years is that of the DNA database. The decision in the European Courts in S and Marper v United Kingdom made it clear that changes were required, however much the then Government disagreed and tried to back-track. Now it seems that there may well be a tide that will restrain the expansion of the database - restricting the collection of data to those who are actually convicted of a crime will be a start and removing all those records that relate to persons wholly innocent and with no conviction against them. Maybe, at long last, there will be the will to implement S and Marper.

    Yes, the pendulum is now swinging towards change. How much will actually change remains to be seen but there is certainly a groundswell of opinion. We could well be heading for an interesting time. Not the least of which will be the realisation of where actions are restrained by Directives applied from Europe.

  • Identity - start by helping yourself ……

    Posted on May 8th, 2010 pmilford No comments

    Whilst we all mull over the results of the General Election held on May 6th here in the UK, a time to ponder some other topics. It seems that it will be a while before there is any clear indication on future policy and on departmental responsibilities and it may now be likely that there will be some form of coalition. If there is not then we may well be in for a period of minority government and the likelihood of another election in the coming months. If that is the case I will suggest Thursday October 21st as a suitable day.

    That is, of course, Trafalgar Day, so a suitable day to decide the future path of the country. Remember, you saw that date here first!

    But, to a different topic. The Crusher finds an opportunity from time to time to consider things away from the normal run of regulation and legal development. Now seems as good a time as any to do that.

    A few weeks ago The Crusher updated links to online credit card transactions. As part of the update, the bank offered a higher level of security and the availability of software to monitor access to banking accounts and to advise of any potential threats to personal security. All good stuff and good to see that the bank are taking steps to help customers with their online transactions. The latest applications now run alongside the standard anti-virus, anti-spyware, firewall and other tools - all of which should be part of the standard set-up for any online user.

    The Crusher is only too well aware of the potential problems. At the beginning of this year one of our financial service suppliers advised that they had detected an unusual transaction for a fairly large sum. They asked if an online order had been placed with a US based supplier. Apparently the order had already been declined as it was outside the normal pattern and had been flagged as potentially suspicious by security software - the call confirmed the status and no payment was authorised.

    Of course, the result of this was immediate cancellation of the account and a new card. Interesting to speculate on how the card number came to be used. Maybe it was collected from the home PC (unlikely to be honest), maybe from a remote merchant or maybe it was randomly generated. Whatever the source, the security and anti-fraud systems at the bank kicked in and spotted and blocked an unusual transaction.

    Online fraud and identity theft is an increasing problem. The card issuers in the UK have attempted to tackle problems here by issuing ‘chip and PIN’ cards. If a card is used and the correct PIN is inserted then the transaction is verified and payment authorised. If a card is used for an online transaction then there are a series of checks to ensure that the card is being used correctly - entering exact name, registration address, card verification code (the last three digits on the reverse), start and expiry date etc. And then there are the further security steps using ‘Verified by Visa,’ 3D Secure etc. where the card owner is asked to insert a password or a selection from a pass-phrase to validate the purchase. All good stuff - but it is clear that the move to ‘chip and PIN’ has made life more difficult for criminals and that there is now an increase in online fraud.

    Identity theft is now a recognised problem, much publicised in the press and by financial service providers with strong advice to users. It really is not a good idea to store details of the PIN in the same location as the card! Shred unwanted documents and store statements and others in secure locations. Most people will recognise the actions and will be taking steps - and are rightly aggrieved with the loss of personal data by large organisations including Government Departments and others.

    But - prevention of identity theft must start at home. As already suggested, make sure that there are firewalls, anti-virus, anti-spyware in place and that operating systems are fully patched and up-to-date. Those are all the obvious and technical things. But it is the warmware that is likely to be the weakest link - not the software or the hardware.

    Warmware is, of course, the user. So why is it that The Crusher is writing about this right now? Well, again it is down to personal experience.

    Last week my mobile phone broke - well, it was the tiny pin within the charging connection of the Nokia phone. Once that broke it was impossible to charge the battery so only a short time before the phone became completely u/s. It probably could be repaired but it is now a few years old and there were other faults as well. So, time to get a new one. Or, at least, new to me. Relatively new mobile phones can be picked up quite easily online, eBay and other sources can offer deals at well below the prices of high street suppliers.

    So, a search for a new phone, an order and a delivery. Very rapid delivery and far faster than it would have taken to have got the old one repaired. More up-to-date model too, with lots of new gizmos to play with!

    OK, steps to update. Connect old phone to PC and download all contact details and stored messages etc. Now connect the new one ready to sync the details.

    Ah ha - the new phone has a lot of data in it. Download all the contents to the PC to edit. Now what do I have - all the previous owner’s contacts, family, friends, work related etc. Music tracks, some data, some video and more.

    Of course, I have now taken steps to erase all the data, both from the phone and from my PC. But, in this world of identity theft it really is a little worrying to see what someone, probably wholly inadvertently, has left for someone else to discover.

    Now, I no longer have the data but I could very easily have built up a profile of the user. That would have included their home location (it’s in the Midlands), the location of family members (parents, parents-in-law, brothers and sisters and others), exact work location (try Googling a business phone number), names of work colleagues etc. I know who the previous owner is likely to bank with, likely hobbies and interests and that they are likely to be concerned over crime or anti-social behaviour in their area.

    This sort of information would be an absolute gold-mine for a criminal. It is clearly so easy to overlook but a potential warning for us all.

    If you are going to dispose of any item that may have personal or other important data on it then do take steps to either thoroughly delete the data or to destroy the device before disposal. The Crusher knows of one person who took a 12-bore shotgun to a hard drive, another who used a lump hammer and an electric drill to break up the device. You really cannot be too careful!

  • A final Westminster salute to the voters?

    Posted on April 8th, 2010 pmilford No comments

    So now we have it. The Digital Economy Bill has completed all its stages and is about to become law, the last addition to the Statute Book at the end of this Parliament.

    There has been wide discussion of the various clauses and a large number of amendments brought forward and, in most cases, subsequently withdrawn. The real problem has been the lack of effective scrutiny in the elected House and the resulting passage of a piece of flawed legislation. The final stages of the passage of this Bill may be something of a parting Westminster salute to the electorate - we really do not care for what you are telling us, we will go and vote on party lines, don’t trample me in the rush back to the constituencies.

    The final debate took place in the chamber of the House of Commons on Wednesday night. Interesting to follow the discussion and progress via the live webcast. Interesting and informed intervention and discussion from a small number of elected Members including Tom Watson, Austin Mitchell etc. But what was really noticeable was the small number of members who were actually in the House to take part in the debate. At times it seemed that there were no more than a dozen or so - out of some 646.

    But wait - after a mere 2 hours and 11 minutes (including time out for the two Divisions) 236 elected representatives filed through the lobbies to vote. Hang on, at best there were only 40 in the chamber for the debate. Where were all the others? Following the debate via the Internet - I doubt it. From the quality of comment made by some I suspect they would not know how. Waiting outside the chamber of the House in order to troop through to the braying of the party whips - of course!

    Forget the 5,000 people participating in live online discussion with nary a few in favour, forget the 20,000 who wrote to MPs and who contributed to campaigns against the Bill, forget …..

    In fact, forget the views of the electorate, those who will actually cast a vote on Thursday 6th May. Demonstrate that you are all above this, able to force through a badly drafted and fundamentally flawed piece of legislation using ‘wash up’ procedures that involve horse-trading between party managers in order to reach a wholly undemocratic consensus.

    OK, the final result of the horse-trading was that some parts of the original Bill were discarded or further amended. Clause 18 is now referred back, Clause 43 relating to orphan rights has been removed, much to the pleasure of photographers. Did it ever really impact on them - perhaps the original intention was that it should not but drafting may have made it possible. Whatever, that is now kicked out.

    Out too went the tax (sorry, levy) on fixed line telephone circuits to fund next generation fibre. Oh - but that was dropped from the Finance Bill not from the Digital Britain.

    Trying to track down exactly what the new law contains is not easy - until the final version of the Act is published one must cross-reference the original Bill laid before Parliament with Amendments and with the official record of the debate.

    If you want to put it together the locations are:
    Digital Economy Bill
    Commons Amendments
    Hansard debate (official record including list of Ayes and Noes)

    Go to the Official Record and check to see if your MP voted. Did your MP vote ‘AYE’ (for the Bill) or ‘NO’ (against).

    If they voted ‘AYE’ ask them why they were prepared to vote through a Bill that makes fundamental changes to the law, changes the presumption of guilt, introduces substantial new powers for the Secretary of State through ‘Henry VIII’ clauses, provides for Rights Owners to seek details of individual users of an ISP’s services etc. etc.

    Why were they prepared to force through such a fundamental piece of legislation in the face of very considerable informed dissent and using short-circuit procedures to prevent effective democratic scrutiny of the proposed legislation?

    The Bill was introduced by an unelected and unaccountable member of the upper House. Sadly, he cannot be removed on May 6th. Likely he will no longer be in office but he will still have a seat.

    As for the others ……

    There will be a lot of new faces on May 7th. Some of them may bring experience and a new sense of right and wrong. What they should all realise is that there will be a new order and that the electorate will be looking for change, for some accountability and for some honest representation.

  • Tempus fugit …..

    Posted on March 4th, 2010 pmilford No comments

    Where does the time go? It seems only just a few weeks ago that we were discussing the ramifications of the proposal for a European Data Retention Directive. The reality is that this was now five years ago and the major discussions took place during the UK Presidency of the European Union in the second half of 2005.

    We are now fast approaching the date set within the Directive for the European Commission to report to the European Parliament and the Council on the working of the Directive and its impact on the economic operators and consumers. The date for the submission of the evaluation is 15th September 2010 - just 6 months away now. As a result of the evaluation, the Commission will determine whether it is necessary to amend the provisions, particularly in relation to the nature of the data to be retained and the period of retention. The results of evaluation must be made public.

    In the background to the imminent evaluation there are some interesting developments and it is clear that the Directive has not yet been applied across all member states of the European Union.

    On March 2nd, the German Constitutional Court ruled that the implementation of the Directive in Germany was in contravention of the German Constitution. Der Spiegel reported on Wednesday 3rd March that the Court had ruled that data collected and retained under the (now unconstitutional) law was to be deleted with immediate effect and that strict controls were to be brought into place before the law could be re-introduced. The case has taken some two years to progress but was brought as a class action on behalf of some 35,000 German citizens who argued that the new law went too far.

    The court agreed and said that there was insufficient clarity in the reasons for the retention of data and that there were insufficient safeguards on the data once retained. A key point here is that the Constitutional Court has struck down the German implementation of the Data Retention Directive, not the Directive itself. The German government must now look at the decision of the Court and consider the safeguards that must be put into place before it can draft a new law and introduce that. It is certain that there will now be intense public scrutiny.

    Belgium also faces an interesting period, particularly as it is scheduled to take over the rotating Presidency later in the year and will be ‘in the hot seat’ when the evaluation of the Directive is due to be presented. The transposition of the Directive into national (Belgian) law has taken some time and there has been considerable and vocal opposition to the Government proposals. The proposals went much further than provided for within the Directive including banking data and use of the data beyond what may be determined as ‘serious crime’. The Belgian proposals also called for the retention of data at the maximum period (24 months) provided for within the Directive. The initial proposals attracted a negative response from the Belgian data protection agency, an almost unheard of situation - although that eventually was turned around to a more positive response when the proposals were watered down and time scales pulled back to a more standard 12 months.

    The Belgian proposals have not yet completed the parliamentary process. In the last couple of months, Belgian ministers have been trying to reach consensus with stakeholder groups to see if they can bring forward a new law before June. That is an important date - the rotating Presidency comes to Belgium on 1st July and the government wants to prevent the country from criticism about their failure to implement whilst they are also supposed to be leading discussions on evaluation.

    It is clear that some Belgian politicians had been awaiting the outcome of the case before the German constitutional court. That is now clear - it remains to be seen how this may affect the Belgian transposition.