2004.05.31

E-signatures fail to catch on

Florence Olsen dares to write about the failure of market-based e-signature solutions in Federal Computer Week: "Electronic signatures have often been touted as a cornerstone of e-government, providing the legal underpinnings needed to do away with paper and move transactions online. So far, however, e-signatures have failed to deliver on their promise. Although many agencies have launched initiatives, they have been hindered by a number of obstacles, including competing e-signature standards and a lack of interest and understanding by citizens..."

Poles must show ID to open email account?

The Warsaw Business Journal, citing a report in Puls Biznesu, says that "Onet.pl, Interia.pl and Gazeta.pl have sent an open letter to [the Polish parliament's] Speakers in protest against changes to the telecommunications law which...will force people to show their ID card to open an e-mail address. No other country has such strict formal requirements. If implemented it will probably mean that Internet users would resign from using Polish portals and move their e-mail addresses abroad."

UPDATE: According to EDRI-gram number 2.11 (2 June 2004), in response to the 3 portals' letter, "the government issued an official statement that promised that the proposal would be re-worded, if the objection was indeed correct. The bill is currently being examined by parliament's infrastructure committee and has not yet been scheduled for a second reading..." [See the official statement of the Polish Ministry of Infrastructure (in Polish, 31.05.2004).]

2004.05.29

Self-Regulation of inappropriate content in converging media

"Self-Regulation of Digital Media Converging on the Internet: Industry Codes of Conduct in Sectoral Analysis," Oxford University Programme in Comparative Media Law & Policy (30 April 2004, 103 pages, 824kb pdf - download here):

"This report examines the regulation of harmful or otherwise inappropriate content, particularly minors' access to such content... The primary case studies concern the providers of connectivity and content hosting on the Internet, and of their Codes of Conduct (CoCs). Further case studies consider the models for self-regulation from other media, notably: press self-regulation; film and video classification; computer games ratings schemes; broadcasting self-regulatory schemes; mobile telephony content regulation. Special attention is given to the effect of the Internet and regulatory trends on demand for self-regulation across the traditional and new media industry sectors...

"An imperfect self-regulatory solution may be better than no solution at all, and we must not raise our standards so high that self-regulation is never attempted. But there are limits to how much imperfection can be tolerated, and for how long. If self-regulatory codes and institutions are insufficiently transparent and accountable, and if they do not observe accepted standards of due diligence, they will lose the trust of the public and fail. There is a danger that some aspects of internet self-regulation fail to conform to accepted standards. We recommend co-regulatory audit as the best balance of fundamental rights and responsive regulation."

Thanks to the European Digital Rights Initiative for the pointer.

Italy passes online copyright law

Updating an item from last March: "This is the most extreme law that has been passed against peer-to-peer file-sharing internationally," said Robin Gross, head of IP Justice, about a new law criminalizing the unauthorized online transfer of copyrighted materials, passed by Italy's parliament just over a week ago. Associated Press writer Aidan Lewis notes that the law's heavy penalties include fines of up to $1,250 for simply downloading copyrighted works for personal use, and "up to three years in prison for using the Internet illegally for commercial purposes."

However, Andrea Rossato, an assistant professor of law at the University of Trento, claims, in a note posted on p2pnet.net, that Italy's minister of culture, Giuliano Urbani, admitted it was a mistake to blur the distinction between violating copyrights for commercial and for noncommercial purposes. "Therefore, Parliament, at the very moment it approved the Act, adopted a resolution to push the Italian government into proposing a new Bill to amend the amendment discussed above," said Prof. Rossato. It remains to be seen if the Parliament and Government will deliver these modifications.

2004.05.28

Are cyber-attacks "foreseeable"?

In CSO Online, William Cook analyses recent changes in the legal concept of a "foreseeable event" as it applies to cybercrime in the United States:

"In the class-action litigation brought by families of Sept. 11th victims against the airlines, airport security companies, airplane manufacturers and the owners and operators of the World Trade Center, the court... made a revolutionary declaration with respect to foreseeability. The court stated that, typically, a criminal act (such as terrorism or hacking) severs the liability of the defendant, but that doctrine has no application when the terrorism or hacking is reasonably foreseeable." And as the 2004 E-Crime Watch Survey shows (see next item), computer intrusions and cyber-attacks are now common enough in certain industries that they can be considered "reasonably foreseeable." This idea is reinforced by a recent case involving the telecom carrier Verizon, where the State of Maine's Public Utilities Commission found that "viruses and worms are foreseeable events, as evidenced by the regular security bulletins issued by software companies." Therefore, companies which don't quickly patch their web servers to fix known vulnerabilities may now be subject to legal liabilities for damage to their clients through loss of service, and licensed telecom carriers may be subject to penalties set by regulators.

Cook continues: "So now that threats to technology and other systems are no longer considered unforeseeable, what is a conscientious CSO to do? Three suggestions. First, companies must have 'court provable' security. They must be able to prove they use best practices with respect to policies for information management, security, implementation of those policies and disaster recovery plans... Second, buy cyberinsurance from a trusted broker with a national or international underwriter. Third, consider buying antiterrorist technology. Under the Support Anti-terrorism by Fostering Effective Technologies (Safety) Act, sellers of qualified antiterrorism technology (QATT) are provided with risk and litigation protections..."

2004 E-Crime Watch Survey

"The 2004 E-Crime Watch survey (pdf, 20 pages) conducted among security and law enforcement executives by CSO magazine in cooperation with the United States Secret Service and the Carnegie Mellon University Software Engineering Institute's CERT Coordination Center, shows a significant number of organizations reporting an increase in electronic crimes (e-crimes) and network, system or data intrusions... Respondents say that e-crime cost their organizations approximately $666 million in 2003. However, 30% of respondents report their organization experienced no e-crime or intrusions in the same period."

Indeed, the survey - which seems to be limited to the US - shows intrusions and attacks as very unevenly distributed: government offices, ICT firms, banks and other financial institutions are the most frequent targets, and 28.6% of e-crimes were apparently committed by "insiders." Here is a summary of the specific types of crime reported:

  • Virus or other malicious attack: 77.2%
  • Denial of service attack: 43.6%
  • Illegal generation of SPAM email: 38.3%
  • Unauthorized access by an insider: 35.7%
  • Phishing: 31.0%
  • Unauthorized access by an outsider: 27.2%
  • Fraud: 21.9%
  • Theft of intellectual property: 20.5%
  • Theft of other proprietary info: 16.4%
  • Employee identity theft: 12.0%
  • Sabotage by an insider: 10.8%
  • Sabotage by an outsider: 10.8%
  • Extortion by an outsider: 3.2%
  • Extortion by an insider: 2.6%
  • Other: 11.1%

Thanks to BeSpacific for the pointer to this survey.

Danish IT firm gives workers porn access

By Lester Haines, for The Register: "Forget luncheon vouchers, Danish IT outfit LL Media has set a new benchmark in worker welfare by handing its workers free subscriptions to Net porn sites. The company hopes that the freebies will stop randy Scandinavian employees from accessing Web smut while at work. Levi Nielsen, company director of the Nordjylland-based libertine collective, reckons that access to porn is a legitimate fringe benefit. He told Danish media: 'We know that 80 per cent of all hits on the Internet are on porn sites. And we can see that people also surf porn pages during work.' Nielsen apparently also expressed the hope that the initiative will make his staff 'more relaxed on the job.' This unfortunate turn of phrase should not hide the fact that LL Media's is a laudable example of corporate philanthropy, and one which should immediately be adopted by UK businesses. Naturally, Reg staff have already petitioned management for a similar scheme, but - being British - have eschewed hard-core rumpy-pumpy in favour of either Sky Sports or The Shopping Channel."

Haines' article seems to be based on earlier online reports in Danish: see, for example, "Danske firmaer betaler ansattes netporno" by Casper Thomsen for ComputerWorld.

North Korea's cyber-spies

Ho-Won Choi wrote in yesterday's edition of Donga-Ilbo International (S. Korea): "Military authorities have confirmed that North Korea is collecting information from South Korea through computer hackers. Song Young-keun, commander of confidential operations, stated on May 27 in his opening speech for the 'Conference for National Information Security' at the Korean Air Force Assembly Hall, 'Under the direct order of Kim Jong-il, North Korea has been using its elite hacking unit to collect information from our national institutions and research facilities...'" [Thanks to Hacktivismo for the pointer]

2004.05.27

Indian police chief orders blocking of US-based website

Rediff journalist Priya Ganapati reports that on 28 April, the police commissioner's office in Mumbai sent a letter to ISPs in India telling them to block a website in the United States - http://www.hinduunity.org - and many of them have apparently complied. Hinduunity.org is run by Rohit Vyasmaan and it normally receives about 17,000 hits a day: "Sources at the Mumbai police commissioner's office said the directive was issued because the web site published inflammatory material against Islam... Vyasmaan says he is ready to fight the Mumbai police commissioner's move. 'We plan to actively seek support from various US and other world organisations,' he said. 'It is a direct gag order to silence the Hindu voice in India. It is a fact that the dictatorial regime in Saudi Arabia blocks HinduUnity.org, but to even [force] Internet service providers in our democratic nation is an insult to every citizen of India...'"

In September 2003 we reported that access in India to all Yahoo Groups was blocked because India's Computer Emergency Response Team ordered the blocking of one email list and the ISPs were unable to isolate that one list from all the others sent from the same set of IP addresses.

Worms eat Euro-ISP profits

"European broadband providers are bearing massive cost burdens in order to minimise the impact of worm attacks on residential subscribers, according to new research from Sandvine Incorporated... Working from metrics derived from European customers and selected industry sources, Sandvine has calculated that worm attacks - small and large - will cost the European service provider sector more than EUR 123 million in 2004 and EUR 159 in 2005. Metrics include the cost of specialised tactical response teams, swamping of customer support resources, inflated transit costs and [increases in] customer churn... On any given day, between 5 and 12 per cent of all Internet traffic moving across European ISP networks is malicious... For more on the study, download Sandvine's just-released white paper 'Worms gobbling ISP profits: The financial impact of attack traffic on European service provider networks'..."

UPDATE: An essay by Steven E. Landsburg, posted on MSN's Slate yesterday, carries this argument to a logical extreme: "If we execute murderers, why don't we execute the people who write computer worms? It would probably be a better investment. Let's do the math. What do we get out of executing a murderer? Deterrence. A high-end estimate is that each execution deters about 10 murders... That's 10 lives saved, with a value—again a high-end estimate—of about $10 million apiece.... Compare that to the benefit of executing the author of a computer worm, virus, or Trojan. There seems to be no good name for such people, so I'll make one up—at least until some reader sends in a better suggestion, I'll call them vermiscripters..." [etc.]