Copyright 2012
I.T. Challenges to Information Law
Roger Clarke
Xamax Consultancy, Canberra
Visiting Professor in Cyberspace Law & Policy, U.N.S.W.
Visiting Professor in Computer Science, A.N.U.
Chair, Australian Privacy Foundation (APF)
Secretary, Internet Society of Australia (ISOC-AU)
http://www.rogerclarke.com/EC/AGS-121116.ppt
NPG, Canberra, 16 November 2012

I.T. Challenges to Information Law
Agenda

Some Obvious Things
• Cloudsourcing
• Jurisdictions of Convenience
• Extra-Territorial Reach

Some Less Obvious Things
• Transaction Assurance
• Identity Threats

Some Non-Solutions
• Technology Neutrality
• Privacy Law

Some Solutions
• Misinformation
• PETs, Obfuscation
• Social Media?

Cloudsourcing from the User Perspective

A service that satisfies all of the following conditions:
1. It is delivered over a telecommunications network
2. The service depends on virtualised resources, i.e. the user does not know which server(s) running on which host(s) is/are delivering the service, nor where the host(s) is/are located
3. The service is acquired under a relatively flexible contractual arrangement, at least re the quantum used
4. The user organisation places reliance on the service for data access and/or data processing
5. The user organisation has legal responsibilities

Shortlist of Major Cloudsourcing Risks

Reliability – continuity of operation
• Availability hosts/server/db readiness/reachability
• Accessibility network readiness
• Usability response-time, consistency
• Robustness – the incidence of unavailability (97% up = 5 hr pwk)

Service Survival, e.g. supplier withdrawal

Data Survival

Lateral Compatibility – multi-sourcing

Authentication, Authorisation
• Convenient client access
• Denial of access to imposters

Compliance
• Evidence Discovery Law
• Financial Regulations
• Security Treaty Obligations
• Confidentiality
  Strategic, Commercial, Governmental
• Privacy, esp. Use and Disclosure
  Second-Party (service-provider abuse), Third-Party ('data breach')

Consumer Computing

Functions
• Personal Galleries
• Personal Music
• Doc Prep
• File-Sharing

Applications (1975-2005/08)
• Email clients, using smtp/pop/imap
• Personal Web-Sites
• Dedicated Devices
• Office on the Desktop
• FTP-server and -client

==>> Services (2000-)
• Webmail, using http / https
• Flickr, Picasa
• iTunes
• Zoho, Google Docs
• Dropbox

Results from a Survey of Terms of Service

• Consumers dependent on C.C. Services are at dire risk
  Service malfunctions, loss of data, provider exploitation of their data, low standards of accessibility and clarity of Terms, largely unfettered scope for providers to change the Terms
• Consumer Protections are essential, but seriously inadequate
  Transnationality of Internet commerce, dominance of US marketing mores, pro-corporate and anti-consumer stance of US regulators, meekness of regulators in other countries, the lack of organised resistance by consumer reps, advocacy bodies
• Serious consumer disappointments are inevitable
• Recriminations against cloud-sourcing are inevitable

http://www.rogerclarke.com/EC/CCC.html

Cloudsourcing of Email

• ANU recently announced adoption of MS 365
• MS 365 is hosted in Singapore and Hong Kong, but can be hosted anywhere
• The data is subject to the PATRIOT Act
• ANU has a high concentration of staff and students who have families at risk in un-free nations
• Some of those un-free nations are (from time to time) friends of the US Administration
• There are some nervous ANU staff and students

Transaction Assurance
Check the Critical Assertions

• 'Value Authentication'
  Liquid assets are of appropriate quality and quantity
• 'Data Authentication'
  The key data accurately reflects reality
• 'Attribute Authentication'
  The entity has the relevant attribute, especially:
  - eligibility for a subsidy, concession or tariff, or to purchase age-restricted goods or services
  - the power to perform acts on behalf of another entity
• '(Id)entity Authentication'
  The data is associated with the correct (id)entity

The Huge Quality Problems with Biometric Applications

Dimensions of Quality
• Reference-Measure
• Association
• Test-Measure
• Comparison
• Result-Computation

Other Aspects of Quality
• Vulnerabilities
• Quality Measures
• Counter-Measures
• Spiralling Complexity

Consequences of the Quality Problems

• There is never 'a perfect match'; it's fuzzy
• A Tolerance Range has to be allowed
• 'False Positives' / 'False Acceptances' arise
• 'False Negatives' / 'False Rejections' arise
• Tighter Tolerances (to reduce False Negatives) increase the rate of False Positives; and vice versa
• The Scheme Sponsor sets (and re-sets) the Tolerances
• Frequent exceptions are mostly processed cursorily
• Occasional ‘scares’ slow everything, annoy everyone
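
The trade-off between false acceptances and false rejections as the Scheme Sponsor moves the tolerance, as an added example that is not part of the original presentation. The comparison distances are constructed sample values, the function names are illustrative, and a comparison is assumed to be accepted when the distance between test-measure and reference-measure is within the tolerance.

```python
"""False-acceptance / false-rejection rates as the tolerance is moved."""

# Constructed comparison distances between a test-measure and a
# reference-measure (0.0 = identical). Not real biometric data.
GENUINE = [0.08, 0.12, 0.15, 0.19, 0.22, 0.27, 0.31, 0.36, 0.42, 0.55]
IMPOSTOR = [0.29, 0.38, 0.44, 0.51, 0.58, 0.63, 0.70, 0.76, 0.83, 0.91]


def error_rates(tolerance, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_acceptance_rate, false_rejection_rate).

    Assumption: a comparison is accepted when distance <= tolerance.
    """
    false_accepts = sum(d <= tolerance for d in impostor)
    false_rejects = sum(d > tolerance for d in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def equal_error_tolerance(candidates):
    """Candidate tolerance at which the two error rates are closest."""
    def gap(t):
        far, frr = error_rates(t)
        return abs(far - frr)
    return min(candidates, key=gap)


def daily_exceptions(tolerance, genuine_attempts_per_day):
    """Expected false rejections per day that need exception handling."""
    _, frr = error_rates(tolerance)
    return round(frr * genuine_attempts_per_day)


if __name__ == "__main__":
    candidates = [0.2, 0.3, 0.4, 0.5, 0.6]
    print("tolerance  FAR   FRR   exceptions/day (10,000 genuine attempts)")
    for t in candidates:
        far, frr = error_rates(t)
        print(f"{t:9.1f}  {far:.2f}  {frr:.2f}  {daily_exceptions(t, 10_000)}")
    print("closest to equal error rate:", equal_error_tolerance(candidates))
```

No tolerance in the sweep drives both rates to zero, because the genuine and impostor distances overlap; the exceptions-per-day column shows the manual workload each setting creates.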

Identity-Related Crimes

Use of an identifier and/or authenticators for:
• Identity Fraud
  to financially advantage or disadvantage someone ...
• Identity Theft
  ... to such an extent, or with such a negative impact, as to effectively preclude further use by the person who previously used the identity
• Identity-Facilitated Criminal Acts
  Proceeds of crime laundering, tax avoidance, trafficking ...

The identity that is compromised may be someone else's, may be 'fictional', or may even be the person's own

Responses to Identity-Related Crime

Strategy
• Piggy-back on, reinforce national security extremism

'Real Names Policies'
• Denial of Nymity
• Denial of Multiple Separate Identities
• Imposition of a Singular Identity per Person
• Consolidation, Re-Purposing of Personal Data

Hardened Id Requirements
• Identity Declaration demanded more often
• Identity Authentication imposed
• Biometrics imposed (Entity, not Identity)

Social Networks
• Exploitation
• Inferencing

Responses to Identity-Related Crime
The Consequences

• Greatly increased scope for Id-Related Crime!
• Many more high-value / soft-target datasets
• Routinisation of id capture
• Exposure of Persons-at-Risk
• Destruction of Social Trust
• Encouragement to Lie, Cheat and Obfuscate

Technology Neutrality is Harmful Mythology

• Japanese legislators and regulators comprehensively apologised to the Japanese people because:
  Nuclear power stations were subjected to generic regulatory measures when they should have imposed regulations specific to the nuclear context
• Software is a 'literary work'. Oh, really??
  Okay, we need a (sort-of) sui generis arrangement

The Accidental Extension of Copyright-Owner Power

• There has never been any right to preclude people from accessing copyright-objects, whether to read them, listen to them, look at them, or watch them
• But the act of accessing digital copyright-objects involves the making of copies
• Because of the wording of copyright law, this intermediate step generally represents a breach of copyright, and requires a licence
• This simple accident gave copyright-owners a great deal of lobbying power
• The principle of balance has been subverted

'Copies ain't Copies'
http://www.rogerclarke.com/EC/ETCU.html (1999)

Letters were:
• anonymous
• secret in transit
• untracked
And the postman wasn't responsible for their contents.
eLetters should be no different.
(And especially not if the purpose is to prop up dying business models for publishing industries).
Rick Falkvinge, 4 November 2012
http://torrentfreak.com/why-offline-privacy-values-must-live-on-in-the-digital-age-121104/

Telecommunications 'Interception' Powers

• The PSTN has given way to:
  • Mobiles
  • VoIP incl. Skype
• Change was/is needed to sustain some powers such as named-person / many-'line' warrants
• Some of the AGD's demands of the Parliament have been warranted
• If the AGD consulted with public advocacy groups, and sought support, they would get it

Telecommunications 'Interception' Powers

• PSTN: Call Records cf. Call Content
• Digital Era: 'Metadata'?? cf. 'Call' Content
• Ephemera have become recorded data, as audio, text (email, IM, SMS), and video
• 'Interception' has become 'I & Access'
• The carefully protected has become unprotected
• The principle of balance has been subverted

Technology Neutrality is Harmful Mythology

• Japanese legislators and regulators comprehensively apologised to the Japanese people because:
  Nuclear power stations were subjected to generic regulatory measures when they should have imposed regulations specific to the nuclear context
• Software is a 'literary work'
  Okay, we need a (sort-of) sui generis arrangement
• Copying is a breach, until it's part of network functionality
• Telecomms Interception has to be continually re-defined (but not in ways that abuse civil freedoms!)

Privacy Law is Adaptive, Right?

• The OECD Guidelines are predicated on the computing of the 1970s, not the IT of the 2010s
  (They were also designed to facilitate business and government, not to protect privacy)
• Australian law is a very weak implementation
• Australian law has been subverted by myriad subsequent statutes
• Australian Privacy law may shortly be ripped to shreds by the current, consumer-hostile Bill
• There is no right to sue, no criminal sanctions, no enforcement action by the PC'er, and the PC'er actively avoids the creation of case law
• Any adaptive function is negative, not positive

Privacy-Enhancing Technologies (PETs)

1. PIT Countermeasures
• Cookie-Cutters
• Cookie-Managers
• Personal Data Managers (e.g. 'eWallets')
• Personal Intermediaries / Proxies
• Data Protection Tools
• Client-Side Security Tools
• Channel, Server and Proxy/Firewall Security Tools

2. Savage PETs

Deny identity
Provide anonymity

Genuinely anonymous ('Mixmaster') remailers, ToR, web-surfing proxies, ePayment mechanisms, value authentication, attribute authentication

3. Gentle PETs

Balance nymity and accountability through Protected Pseudonymity

Intermediary Tools and Proxies, Client-Side Agents, Pseudonymous Connection, Remailers, Web-Surfers

Will Consumers Come to be Banned From Owning General-Purpose Computing Devices?

Some powerful groups might like to achieve it
• Copyright-Dependent Corporations
• Government Censors
• The Moral Minority, who want governments to extend censorship to whatever content the moral minority thinks the majority shouldn't have access to [Stop Press?]
• (Dominant) Computing Device Providers
• Law Enforcement & National Security Agencies (LEANS)
• 'Fraud Experts'

Re 'fraud experts': http://www.itnews.com.au/News/263042,jailbroken-phones-not-safe-for-banking.aspx – 8 Jul 2011
Consumer-Oriented Social Media
To Address the Catalogue of Social Media Privacy Concerns
1 Privacy-Abusive Data Collection
2 Privacy-Abusive Service-Provider Rights
3 Privacy-Abusive Functionality and User Interfaces
4 Privacy-Abusive Data Exploitation
http://www.rogerclarke.com/II/COSMO-1211.html

Location – from Added-Extra to Intrinsic

• Physical Address / Geo-Location
  • knowledge of the cell that a mobile-phone is in, is intrinsic to the service’s operation
  • more precise geo-location is increasingly feasible
  • location is becoming readily available to the device
  • location is being acquired by service-providers
• Location-based services can be valuable to users
• A primary use is in consumer marketing
• For most current-round SMS, location is an extra
• For the coming round, Geo-Location is intrinsic
• Privacy sensitivity about Social Media will leap

The Primary Geolocation Technologies
[Figure: image not recoverable]