Copyright 2012 1 I.T. Challenges to Information Law Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Cyberspace Law & Policy, U.N.S.W. Visiting Professor in Computer Science, A.N.U. Chair, Australian Privacy Foundation (APF) Secretary, Internet Society of Australia (ISOC- AU) http://www.rogerclarke.com/EC/AGS-121116.ppt NPG, Canberra, 16 November 2012
36
Embed
Copyright 2012 1 I.T. Challenges to Information Law Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Cyberspace Law & Policy, U.N.S.W. Visiting.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Copyright2012
1
I.T. Challenges to Information Law
Roger ClarkeXamax Consultancy, Canberra
Visiting Professor in Cyberspace Law & Policy, U.N.S.W.
Visiting Professor in Computer Science, A.N.U.Chair, Australian Privacy Foundation (APF)
Secretary, Internet Society of Australia (ISOC-AU)
http://www.rogerclarke.com/EC/AGS-121116.ppt
NPG, Canberra, 16 November 2012
Copyright2012
2
I.T. Challenges to Information Law
AgendaSome Obvious Things• Cloudsourcing• Jurisdictions of
Convenience• Extra-Territorial Reach
Some Less Obvious Things
• Transaction Assurance• Identity Threats
Some Non-Solutions• Technology Neutrality• Privacy Law
Some Solutions• Misinformation• PETs, Obfuscation• Social Media?
Copyright2012
3
Cloudsourcing from the User Perspective
A service that satisfies all of the following conditions:1. It is delivered over a telecommunications network2. The service depends on virtualised resources
i.e. the user does not know which server(s) running on which host(s) is/are delivering the service, nor where the host(s) is/are located
3. The service is acquired under a relatively flexible contractual arrangement, at least re the quantum used
4. The user organisation places reliance on the service for data access and/or data processing
5. The user organisation has legal responsibilities
Copyright2012
4
Shortlist of Major Cloudsourcing Risks
Reliability – continuity of operation• Availability hosts/server/db
• Consumers dependent on C.C. Services are at dire riskService malfunctions, loss of data, provider exploitation of their data, low standards of accessibility and clarity of Terms, largely unfettered scope for providers to change the Terms
• Consumer Protections are essential, but seriously inadequateTransnationality of Internet commerce, dominance of US marketing morés, pro-corporate and anti-consumer stance of US regulators, meekness of regulators in other countries, the lack of organised resistance by consumer reps, advocacy bodies
• Serious consumer disappointments are inevitable• Recriminations against cloud-sourcing are inevitable
http://www.rogerclarke.com/EC/CCC.html
Copyright2012
8
Cloudsourcing of Email• ANU recently announced adoption of MS 365• MS 365 is hosted in Singapore and Hong Kong,
but can be hosted anywhere• The data is subject to the PATRIOT Act
• ANU has a high concentration of staff and students who have families at risk in un-free nations
• Some of those un-free nations are (from time to time) friends of the US Administration
• There are some nervous ANU staff and students
Copyright2012
9
I.T. Challenges to Information Law
AgendaSome Obvious Things• Cloudsourcing• Jurisdictions of
Convenience• Extra-Territorial Reach
Some Less Obvious Things
• Transaction Assurance• Identity Threats
Some Non-Solutions• Technology Neutrality• Privacy Law
Some Solutions• Misinformation• PETs, Obfuscation• Social Media?
Copyright2012
10
Transaction Assurance
Copyright2012
11
Transaction AssuranceCheck the Critical Assertions
• 'Value Authentication'Liquid assets are of appropriate quality and quantity
• 'Data Authentication'The key data accurately reflects reality
• 'Attribute Authentication'The entity has the relevant attribute, especially:- eligibility for a subsidy, concession or tariff,
or to purchase age-restricted goods or services- the power to perform acts on behalf of another entity
Copyright2012
12
Transaction AssuranceCheck the Critical Assertions
• 'Value Authentication'Liquid assets are of appropriate quality and quantity
• 'Data Authentication'The key data accurately reflects reality
• 'Attribute Authentication'The entity has the relevant attribute, especially:- eligibility for a subsidy, concession or tariff,
or to purchase age-restricted goods or services- the power to perform acts on behalf of another entity
• '(Id)entity Authentication'The data is associated with the correct (id)entity
Copyright2012
13
The Huge Quality Problemswith Biometric Applications
• There is never 'a perfect match'; it's fuzzy• A Tolerance Range has to be allowed• 'False Positives' / 'False Acceptances' arise• 'False Negatives' / 'False Rejections' arise• Tighter Tolerances (to reduce False Negatives)
increase the rate of False Positives; and vice versa• The Scheme Sponsor sets (and re-sets) the Tolerances• Frequent exceptions are mostly processed cursorily• Occasional ‘scares’ slow everything, annoy everyone
Copyright2012
15
Identity-Related CrimesUse of an identifier and/or authenticators for:• Identity Fraud
to financially advantage or disadvantage someone ...• Identity Theft
... to such an extent, or with such a negative impact, as to effectively preclude further use by the person who previously used the identity
The identity that is compromisedmay be someone else's, may be
'fictional', or may even be the person's own
Copyright2012
16
Responses to Identity-Related Crime
Strategy• Piggy-back on, reinforce
national security extremism
'Real Names Policies'• Denial of Nymity• Denial of Multiple
Separate Identities• Imposition of a Singular
Identity per Person• Consolidation, Re-
Purposing of Personal Data
Hardened Id Requirements
• Identity Declarationdemanded more often
• Identity Authenticationimposed
• Biometrics imposed(Entity, not Identity)
Social Networks• Exploitation• Inferencing
Copyright2012
17
Responses to Identity-Related Crime
The Consequences
• Greatly increased scope for Id-Related Crime !
• Many more high-value / soft-target datasets
• Routinisation of id capture• Exposure of Persons-at-Risk
• Destruction of Social Trust• Encouragement to Lie, Cheat and
Obfuscate
Copyright2012
18
I.T. Challenges to Information Law
AgendaSome Obvious Things• Cloudsourcing• Jurisdictions of
Convenience• Extra-Territorial Reach
Some Less Obvious Things
• Transaction Assurance• Identity Threats
Some Non-Solutions• Technology Neutrality• Privacy Law
Some Solutions• Misinformation• PETs, Obfuscation• Social Media?
Copyright2012
19
Technology Neutrality is Harmful Mythology
• Japanese legislators and regulators comprehensively apologised to the Japanese people because:Nuclear power stations were subjected to generic regulatory measures when they should have imposed regulations specific to the nuclear context
Copyright2012
20
Technology Neutrality is Harmful Mythology
• Japanese legislators and regulators comprehensively apologised to the Japanese people because:Nuclear power stations were subjected to generic regulatory measures when they should have imposed regulations specific to the nuclear context
• Software is a 'literary work'. Oh, really??Okay, we need a (sort-of) sui generis arrangement
Copyright2012
21
The Accidental Extension of Copyright-Owner Power
• There has never been any right to preclude people from accessing copyright-objects, whether to read them, listen to them, look at them, or watch them
• But the act of accessing digital copyright-objects involves the making of copies
• Because of the wording of copyright law, this intermediate step generally represents a breach of an copyright, and requires a licence
• This simple accident gave copyright-owners a great deal of lobbying power
• The principle of balance has been subverted
http://www.rogerclarke.com/EC/ETCU.html (1999)
'Copies ain't Copies'
Copyright2012
22
Letters were:• anonymous• secret in transit• untracked
And the postman wasn't responsible for their contents.
eLetters should be no different.
(And especially not if the purpose is to prop up dying business models for publishing industries).
• Ephemera have become recorded data, asas audio, text (email, IM, SMS), and video
• 'Interception' has become 'I & Access'• The carefully protected has become unprotected• The principle of balance has been subverted
Copyright2012
25
Technology Neutrality is Harmful Mythology
• Japanese legislators and regulators comprehensively apologised to the Japanese people because:Nuclear power stations were subjected to generic regulatory measures when they should have imposed regulations specific to the nuclear context
• Software is a 'literary work'Okay, we need a (sort-of) sui generis arrangement
• Copying is a breach, until it's part of network functionality
• Telecomms Interception has to be continually re-defined(but not in ways that abuse civil freedoms!)
Copyright2012
26
Privacy Law is Adaptive, Right?• The OECD Guidelines are predicated on the
computing of the 1970s, not the IT of the 2010s(They were also designed to facilitate business and government, not to protect privacy)
• Australian law is a very weak implementation• Australian law has been subverted by myriad
subsequent statutes• Australian Privacy law may shortly be ripped
to shreds by the current, consumer-hostile Bill• There is no right to sue, no criminal sanctions,
no enforcement action by the PC'er, and the PC'er actively avoids the creation of case law
• Any adaptive function is negative, not positive
Copyright2012
27
I.T. Challenges to Information Law
AgendaSome Obvious Things• Cloudsourcing• Jurisdictions of
Convenience• Extra-Territorial Reach
Some Less Obvious Things
• Transaction Assurance• Identity Threats
Some Non-Solutions• Technology Neutrality• Privacy Law
Some Solutions• Misinformation• PETs, Obfuscation• Social Media?
Copyright2012
28
Privacy-Enhancing Technologies (PETs)
1. PIT Countermeasures
• Cookie-Cutters• Cookie-Managers• Personal Data Managers (e.g. 'eWallets')• Personal Intermediaries / Proxies• Data Protection Tools• Client-Side Security Tools• Channel, Server and Proxy/Firewall Security
Tools
Copyright2012
29
2. Savage PETs
Deny identityProvide anonymity
Genuinely anonymous ('Mixmaster') remailers,
ToR, web-surfing proxies,
ePayment mechanisms, value authentication,
attribute authentication
Copyright2012
30
3. Gentle PETs
Balance nymityand accountability
through Protected Pseudonymity
Intermediary Tools and Proxies, Client-Side Agents,
Pseudonymous Connection, Remailers, Web-Surfers
Copyright2012
31
Will Consumers Come to be Banned From Owning General-Purpose
Computing Devices?Some powerful groups might like to achieve it
• Copyright-Dependent Corporations• Government Censors• The Moral Minority, who want governments to extend
censorship to whatever content the moral minority thinks the majority shouldn't have access to [Stop Press?]
• (Dominant) Computing Device Providers• Law Enforcement & National Security Agencies
(LEANS)• 'Fraud Experts'
Re 'fraud experts': http://www.itnews.com.au/News/263042,jailbroken-phones-not-safe-for-banking.aspx – 8 Jul 2011
Copyright2012
32
Consumer-Oriented Social Media
To Address the Catalogue of Social Media Privacy Concerns
1 Privacy-Abusive Data Collection
2 Privacy-Abusive Service-Provider Rights
3 Privacy-Abusive Functionality and User Interfaces
4 Privacy-Abusive Data Exploitation
http://www.rogerclarke.com/II/COSMO-1211.html
Copyright2012
33
Location – from Added-Extra to Intrinsic
• Physical Address / Geo-Location• knowledge of the cell that a mobile-phone is in,
is intrinsic to the service’s operation• more precise geo-location is increasingly feasible• location is becoming readily available to the device• location is being acquired by service-providers
• Location-based services can be valuable to users• A primary use is in consumer marketing• For most current-round SMS, location is an extra• For the coming round, Geo-Location is intrinsic• Privacy sensitivity about Social Media will leap
Copyright2012
34
The Primary Geolocation Technologies
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
Copyright2012
35
I.T. Challenges to Information Law
AgendaSome Obvious Things• Cloudsourcing• Jurisdictions of
Convenience• Extra-Territorial Reach
Some Less Obvious Things
• Transaction Assurance• Identity Threats
Some Non-Solutions• Technology Neutrality• Privacy Law
Some Solutions• Misinformation• PETs, Obfuscation• Social Media?
Copyright2012
36
I.T. Challenges to Information Law
Roger ClarkeXamax Consultancy, Canberra
Visiting Professor in Cyberspace Law & Policy, U.N.S.W.
Visiting Professor in Computer Science, A.N.U.Chair, Australian Privacy Foundation (APF)
Secretary, Internet Society of Australia (ISOC-AU)