30 April 2011

Sony PSN: Clueless And Breaching

Playstation 3: Sixaxis Wireless Controllerphoto © 2008 włodi | more info (via: Wylio)

Not that I wish to blog so often on data protection, but some technology giants would not give me a break.

Last week I covered the (very likely) unlawful data collection practice of Apple’s iPhone and this week I decided to spend some words on the fact that

Sony Leaked Personal Data

particularly credit card data from its Play Station Network.

Ars Technica have been reporting during the last few days, here is the most current update as of the writing of this article.
According to Sony, “It is possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.”

What is this if not a

Personal Data Breach?

Some of you will remember that at the end of 2009 the European Union updated its Telecoms Package and, as a part thereof, the ePrivacy Directive. The European lawmakers sharpened the provisions on privacy and introduced a data breach notification requirement in order to prevent data loss debacles.

The updated ePrivacy Directive mandates that in the event of a personal data breach, providers of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority in charge for data protection.

Now read the italic type again. What providers does it cover? Only telcos, right? One could ask:

Must Sony Notify Its Breach?

Well, seemingly not under the ePrivacy Directive since Sony should not be defined as a telco.
Funnily, during the negotiations of the Directive’s final version, the European Parliament demanded that all providers of “information society services” be subjected to the data breach notification duty. Sony is, inter alia, a provider of information society services – check the definitions of the E-Commerce Directive (2000/31/EC). Hence, that demand would have covered Sony, had it only been implemented.

However, European Union Directives normally set only minimum requirements and leave member states with a certain amount of leeway as to the exact rules to be transposed.

Member states such as Germany, Spain, Austria and Ireland did not limit the data breach notification duty to only telcos. They rather chose to oblige the so-called data controller under the Data Protection Directive (95/46/EC). Thus, they have achieved a much broader scope of applicability.
Data controller’s definition clearly puts

Sony Under An Obligation

to notify the respective data protection authorities of above member states.
To the best of my knowledge, Sony has not yet undertaken such a notification – it has been dangerously clueless for more than two weeks instead.

What Is The Moral Of The Story?

The data breach notification was introduced as a consequence of recent years’ high-profile incidents of personal data loss across Europe.
Who forgot the T-Mobile data loss or the UK privacy debacles?
Now, it seems, Sony has joined the data breach elite.
See, what the consequence therefor will be.


29 April 2011

5 Tips To Avoid Troubles In The Cloud

Lightningphoto © 2010 scyllarides | more info (via: Wylio)

Couple of days ago I had to review an agreement on cloud computing services that one of the major suppliers in this realm had submitted. When I went through the terms and conditions, I could not gain the impression that the supplier has a great confidence in its capability to deliver the service in question. I found some of the terms even so onerous that I had to consider a strategy to protect my client from getting electrocuted in that supplier’s cloud!

Having thought that sharing some tips on the Reguligence Weblog would be of interest for its readers, I have composed the following list:

1. Service Availability

This agreement reminded me of a telecommunications contract: the supplier basically grants recipient an access to its infrastructure environment and the recipient pays a use-based fee in return.
However, the supplier offers its service on an “as-is” basis and does not warrant any specific availability or quality.
Hence, you should not go for it, if you intend to run a mission critical system in the cloud or your business requires a reliable service performance. You can either endeavour to negotiate different terms or opt for a specifically tailored solution. In both cases the payments are very likely to increase. If you re-sell your services, you should endeavour to limit your liability towards your recipients.

2. Warranties

As mentioned in the beginning of the article – the service supplier seems not confident in its service capabilities. The supplier merely warrants to perform the service with a reasonable care and workmanship. Should you accept it? Well, unless your business model mandates otherwise… You could also suggest a discretionary payment language, something like payment shall be subject to recipient’s overall satisfaction and wait for supplier’s reaction.

3. Liability

What damage are you likely to suffer during such a service delivery? Hmm, maybe loss of data and loss of profit due to a service interruption or an outage? Yes, I guess they are the likeliest to occur, but I  feel you can already assume that, they are –  what? – excluded, what else?
So, make sure you have not entered into an obligation to recover your customer for such losses because this could ruin your business!

4. Data Security

From what I did read, I would never encourage you to upload sensitive data onto the cloud… Again, your supplier is neither liable to keep them secret and confidential nor to retrieve them if they happen to disappear.

5. Data Protection

Albeit this is the last topic on my list, it is very wise to pay special attention to it because data protection may be a very tricky issue under the jurisdiction of a EU member state. Beware if you have to upload personal data onto the cloud – your supplier has access to them and is eager to process them for its own purposes! And this is the catch: personal data must be obtained and processed only for a specified purpose. I bet your purpose will differ from the one of your supplier. Besides, as a general rule personal data must not be transferred outside the European Economic Area, so make sure you have read and understood your cloud services agreement or process previously anonymized data only.

My Final Say

Cloud services may be a great thing if you need a specific infrastructure whose purchase for a single project would not pay off.
On the other hand, cloud services agreements seem to be too much supplier oriented and, as a matter of fact, detrimental to the recipient.

Make sure you do not use cloud services to run mission critical tasks, at least not before you have spoken with your trusted lawyer!

Cloud Texture 11photo © 2009 Jacob Gube | more info (via: Wylio)

Questions, suggestions, opinions? Just use the comment function below.

27 April 2011

Draining The Spam Flood: FBI vs Coreflood Botnet

According to Wikipedia, Computer crime, or cybercrime, refers to any crime that involves a computer and a network, i.e. the Internet.
Since the Internet is a global network and can be accessed anywhere in the world, combating cybercrime has become a real challenge.

Therefore, I must say that I was all the more glad when I read Ars Technica’s report on

FBI’s Beheading Of The Coreflood Botnet

Coreflood is a malicious software used by its controllers to steal online banking credentials from a victim’s computer to loot their financial accounts. This means that the operators of Coreflood have made themselves guilty of several offences penalised by the

Cybercrime Convention

such as computer related fraud and computer related forgery.

The convention has been signed and ratified by the majority of the industrial states, thereby including the USA and the vast members states of the European Union.
The signatory states have undertaken to transpose convention’s catalogue of crimes into their own law.

For instance, the USA have addressed the most of them in the 18 USC § 1028 and I guess that the above acts of the FBI agents grounded thereupon.

However, it has not all been

Sunshine And Roses

The FBI seems to have used a stealth mode to access infected computers in order to remove the malware from them. Consequently, it would be the first time a government agency accessed and automatically removed code from Americans’ computers.

Although I appreciate what FBI did in terms of cyber security, I could never acclaim the government to access my computer, no matter how noble its purpose was.

What about you?

21 April 2011

Your iPhone Disrespects Your iPrivacy

iPhone Desktopphoto © 2007 Terry Johnston | more info (via: Wylio)

No, doubt iPhone is a hip communication tool with a great design. Who would not like to have one?

But will you still want to have one if you knew that

iPhone Records Every Step You Make

Will you really? Hmm, well maybe not.

Guardian has the story and in the next few lines I will provide you with a very concise

Legal Analysis

What Apple’s iPhone seems to do is usually referred to as location data processing. In the European Union the latter is governed by Directive 2009/136/EC – the so called ePrivacy Directive.

Apple acts as a provider of a value added service in the sense of the ePrivacy Directive since it processes location data beyond what is necessary for the transmission of a communication or the billing thereof.
Apple is generally allowed to do so, however, under the condition that it fully informs its users of its data collection and processing

Prior To Obtaining Their Consent

From what I read, no users have been informed and their consent has not yet been obtained.
Besides the fact that it disrespects the privacy of its users, Apple is in a clear breach of applicable data protection and telecommunications legislation.

iPhone or iPrivacy, what will be your choice?

Information v Defamation: ECtHR Rules Against Bulgaria

Europe zone, Strasbourgphoto © 2008 Stephen Colebourne | more info (via: Wylio)

As early as 1992 Bulgaria acceded to the Council of Europe.  The accession meant not only the acceptance of the European Convention on Human Rights (ECHR), but also Bulgaria’s submission to the jurisdiction of the European Court on Human Rights (ECtHR), the authority serving as the last resort against violations of the rights protected by the ECHR.
Since its accession, Bulgaria has been found liable for violating human rights in a large number of cases. As of yesterday the number of cases rose by two more (courtesy to Dr Lehofer for sharing this information).

In its very recent judgments in Kasabova v Bulgaria (application no. 22385/03) and Bozhkov v Bulgaria (application no. 3316/04) the ECtHR found that Bulgaria had violated Article 10 (freedom of expression and information) of the ECHR.

The Facts

The cases concerned the complaints of two journalists. They had reported on alleged bribes in the admission procedure to specialised secondary schools in the city of Burgas. As a consequence, the journalists were found liable for defamation and were made to pay huge sums in compensation for their statements made in articles published in the Bulgarian press and directed against four administrative experts involved in said admissions.

As you can see, the cases are driven by the conflict between two fundamental human rights: the  right to freedom of expression (and to inform the public) of the journalists literally clashes with the  right to privacy and reputation of the four  experts.
In its


the ECtHR had to strike a (fair) balance between these fundamental human rights.

While the ECtHR acknowledged that the allegations made by Kasabova and Bozhkov had been difficult, if not impossible to prove and that, their journalistic research had shown some flaws, it nevertheless held that the sanctions imposed on the journalists had been excessive, disproportionate when compared to the damaged reputation of the four experts and had thus had huge potential chilling effect. Consequently, there has been a violation of Article 10 ECHR.

In the outcome, the Court found that

Freedom Of Expression Outweighed Privacy

A shock to the system for the Bulgarian media sector. Why?

Well, the majority of the Bulgarian media is considered largely tabloidized and owned by anonymous proprietors. This often results in publications that are clearly false and even defamatory.

Even though the Criminal Code penalizes defamation, so far only very few authors of defamatory materials or owners of publicizing media have been successfully charged, convicted and sentenced.
Kasabova and Bozhkov seem to be among those few.
Should this ruling of the ECtHR be interpreted as a carte blanche to journalists writing defamatory materials? I hope not!

On the other hand, it is an open secret that many Bulgarian journalists work under threat or undue influence. For instance, Freedom House designates Bulgaria as merely partly free in terms of press and media in their 2010 report (select country).

No doubt, threatened journalists would clearly benefit from above judgments.

All in all I would agree with the ECtHR since it does not say that journalists should not be punished, if they write defamatory materials. It says that the punishment should not be excessive and disproportionate to the damage the defamation has caused.

What do you think?

18 April 2011

Another One Bites The Dust: Czech Constitutional Court Shoots Data Retention With Five Bullets

Autumn Morningphoto © 2007 Jeff | more info (via: Wylio)

The judicial development on data retention across Europe will not cease! Following the meanwhile numerous decisions in, just to mention some, Bulgaria, Romania and Germany, some two weeks ago

The Czech Constitutional Court Abrogated Data Retention

Yes, on a sitting held on 22 March 2011 it delivered a ruling abrogating Section 97, subsections 3 and 4 of the Czech Electronic Communications Act as well as the related Decree 485/2005 on the storage of traffic and location (altogether “the contested provisions”).

Court’s ruling grounded on the following


1. The language of the contested provisions is too vague and thus fails to fulfill the constitutional requirement on certainty and clarity.
2. The contested provisions have failed to clearly and precisely define the purpose to retain data and particularly to rectify the vague serious crimes language of Directive 2006/24/EC. Such failure contradicts the requirements laid down in the Charter of Fundamental Rights and Basic Freedoms (the Charter).
3. The absence of clear legal determinations is likely to result in an abuse, i.e. in that the law enforcement agencies use retained data to combat less serious crimes. The latter view appears fortified by the following quotation from the 2008 Report on the security situation in the Czech Republic: a total number of 343 799 comitted criminal offenses resulted in the total number of 131 560 applications to access retained data.
4. The contested provisions have failed to safeguard the integrity and confidentiality of the retained data and to prevent access through (non-state) third parties. The Court opines that such safeguards are mandated by the enormous development and emergence of new and more complex information technologies and communications systems that inevitably blur the boundaries between private and public space.
5. The contested provisions have failed to provide for the destruction of the data following the retention period. The contested provisions have further failed to provide for responsibilities of and sanctions against the public authorities in case of abuse of the retained data as well as for the possibility of individuals to seek for effective relief against such abuse.

In light of the above, the Court found the contested provisions violating constitutional limits and hence unconstitutional. Besides, the Court expressed also some doubts as to the constitutionality of s. 88a of the Czech Criminal Code and urged the lawmakers to either derogate said section or provide for its constitutional compliance.

So, three cheers to the Czechs and their Constitutional Court!

Skydiver with Czech flag

photo © 2010 Ivan Pik | more info (via: Wylio)



The decision of the Czech Constitutional Court goes in a clear confrontation with the legislature.
It is the first decision in a EU member state to criticise the lack of responsibilities in dealings with retained data and to demand sanctions for negligence and misuse.
Unlike the decisions in Romania and Germany, it does not deliver  guidance as to how lawmakers should repair the contested provisions in order to achieve constitutional compliance.
In other words, the courts in Romania and Germany made really precise shots that aimed to merely injure their national data retention provisions. The Czech decision is quite the opposite: the justices shot to kill.
A righteous kill?
I would say yes.

What would you say?

16 April 2011

Scarlet vs SABAM: Gone With The Wind?

Interiorsphoto © 2009 jaci Lopes dos Santos | more info (via: Wylio)

In Margaret Mitchell’s novel Gone with the Wind, the novel’s protagonist, Scarlett O’Hara wonders to herself if her home on a plantation called “Tara” symbolising the pre-civil war South is still standing, or if it was “also gone with the wind”.

I must say that I had similar thoughts when I read the opinion of Advocate general Cruz Villalón in the case Scarlet vs SABAM.
I bet you want to know why?

Good, before I share them with you, however, I will present you with the


In 2004 the Société belge des auteurs compositeurs et éditeurs (SABAM) applied for interim relief against the Belgian ISP Scarlet on the ground that Scarlet’s users had shared musical works contained in SABAM’s repertoire without SABAM’s permission, thereby infringing the copyright in the works.
In 2007 the Brussels Tribunal of First Instance ruled that Scarlet was under an obligation both to block the accounts of its users and to implement a mechanism to filter out infringing content. According to this decision, Scarlet was obliged to make it impossible for its customers to send or receive a P2P file that would include works from SABAM, and faced fines of €2,500 a day if it failed to comply within six months.

In 2008 the Tribunal of First Instance in Brussels decided, on an application for “absolute impossibility of compliance” filed by Scarlet against its decision of 2007, that the Tribunal had been badly informed when it decided that appropriate filtering technologies were available on the market. Scarlet had argued that it was technically impossible or unreasonably expensive to block the P2P traffic and that the solution developed by Audible Magic, a filter mechanism, did not work. Additional technical options were considered and implemented but none of them led to a satisfactory solution.
The Tribunal declared itself not competent to deal with the question as to whether filtering can be made compulsory for ISP and referred the case to the Brussels Court of Appeals.

The Court of Appeals sought a ruling from the Court of Justice of the European Union on whether EU law and, in particular, the fundamental rights guaranteed by the Charter of Fundamental Rights, permit a national court to order an ISP to install a system for filtering and blocking electronic communications.

Advocate General’s opinion

Advocate General Cruz Villalón considers that a court order to install a system to

1. filter all data communications passing via Scarlet’s network, in order to detect data which involve a copyright infringement and
2. block communications which actually involve copyright infringement, either at the point at which they are requested or at the point at which they are sent

constitutes a general preventive obligation that would apply in abstracto without determining whether there had been an actual infringement of an intellectual property right or even that an imminent infringement was likely.

This obligation, says the Advocate General, would also delegate the legal and economic responsibility for combating illegal downloading of pirated works to the ISP.

In the light of the above, Cruz Villalón considers that the installation of that filtering and blocking system is a restriction on the right to privacy of communications and the right to protection of personal data, both of which are rights protected under the Charter of Fundamental Rights. Equally important, the deployment of such a system would restrict freedom of information, which is also protected by the Charter of Fundamental Rights.

To say it with Cruz Villalón’s own words: “As far as we can tell, no system of filtering and blocking seems to guarantee, in a manner that is consistent with the requirements of Articles 11 and 52, paragraph 1, of the Charter, that it will block only content specifically identifiable as illicit”.

Consequently, the Advocate General proposes that the Court of Justice should declare that EU law precludes a national court from making an order that an ISP installs such a filtering system.

This is not just a wind, no, it is a real bomb blast!

Nuclear Blast 1945photo © 2005 Thomas Williams | more info (via: Wylio)



As you might know, the Court of the European Union follows Advocate General’s opinion in about 80 percent of its decisions.
This means there is more than just a fair chance that the Court rules against the requested filtering system.

In fact it is not a simple ruling that we need.
We need the Court to sweep the adversaries of fundamental human rights away and make them “gone with the wind”!


Did you like this article? If yes, do not forget to share your thoughts with me!

12 April 2011

Bulgaria: Freedom Of Information Or Purposive Opaqueness?

This is a screenshot of Bulgaria’s commercial register’s website.
The interesting thing about it is that anyone (to the extent he or she can navigate in Bulgarian) may access it and search for company related information.
No other restrictions.
Well, not exactly as soon there will be some.
Owing to a current legislative initiative the register is very likely to compete with below info column in terms of free and transparent information access.

Freedom of Information?photo © 2006 Ian Parkes | more info (via: Wylio)

Believe it or not, but this initiative is driven by a political party holding the name

Citizens for European Development of Bulgaria (link)

Whether in an attempt to create an association with their party’s name or not, but said party’s representatives reason and defend the planned restrictions with “well-proven and tested European practices”. As one may expect, they still owe a detailed explanation as to what practices they have meant.

Mrs Iskra Fidosova (MP), chair of the justice committee and advocate of the restricted access.

It’s the data protection, stupid

This move would halt the more and more frequent cases of abuse of personal data, explained the guy below.

Mr Emil Radev (MP), proposer of the initiative.

However, according to the Access to Information Programme (AIP), an NGO, there is no actual proof that such abuses have increased after the introduction of the register in early 2008.
Not only this, but AIP stresses on the importance of the register for the purposes of journalistic investigations. The latter is of a particular relevance since the vast capital invested in Bulgaria during the last decade is considered of unclear provenance.

Whose data privacy

do the Bulgarian politicians care for?

Maybe for that of the mysterious 26-year-old entrepreneur whose one-month-old company allegedly enabled him to spend some 162 Million Euro on the bankrupt steel plant Kremikovtzi?


Did you find this article informative or helpful? If yes, do not forget to share it by pressing one of below buttons or to otherwise tell your friends about it!

1 April 2011

Austria’s Data Protection Council On Data Retention – A Déjà Vu

Who remembers the cat scene in The Matrix?
The scene depicted Neo, Morpheus & the other good guys convinced that they had already witnessed or experienced a certain situation. What do we usually call this experience or state of mind?
Déjà vu, right?
Unlike the most cases of a déjà vu where no determination can be made as to whether the circumstances of the previous encounter were imagined or true, in that particular scene from The Matrix the cat indeed passed the door twice.
The good guys instinctively felt that something was wrong. And their feelings did not betray them: something was wrong indeed!

Data retention is The Matrix in real life

In a previous blog post I did already compared the laws on data retention with the bad guys’ attempt to maintain total control in The Matrix.
When I recently read that the Austrian data protection council had again disfavoured the then current bill on data retention in a critical statement, it felt like a déjà vu to me.

What does the council criticise?

1. The council has some very serious doubts as to data retention bill’s compatibility with Art 8 of both, the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union.

2. While the council acknowledges that law enforcement authorities should be equipped by sufficient powers in order to fight organized crime and that access to communication data might be helpful in such context, it opines that such powers must be applied only to concrete occasions and be subject to specific controls.

Data stormphoto © 2006 Dave Herholz | more info (via: Wylio)

3. The council further urges the European Commission to eventually conduct the evaluation owing to Article 14 of the Directive 2006/24/EC.

4. In the event that Commission’s evaluation results in a review of the data retention Directive which recommends the implementation of lesser onerous measures, the council suggests that the legislature opt for the so-called quick-freeze procedure. The latter recently gained a measure of popularity because of its submission to public debate in Germany.

5. Last but not least and given the “informative value” of retained data, the council calls upon the legislature to maintain the highest possible data security standards when transposing the Directive.

Will this statement halt the transposition of data retention in Austria?

Unfortunately, it will not, because the data protection council has advisory and, hence limited, powers.
Its statement is nevertheless significant – it once again makes it very clear that data retention is at odds with fundamental human rights, and that the politicians are very well aware of this fact.

What can a single individual do?

First of all inform yourself and inform others who are not yet familiar with data retention. And since data retention is considered avoidable – learn how to either avoid it or make it appear obsolete.


Did I miss an important point? What else would you suggest?


Did you find this article informative or helpful? If yes, do not forget to share it by pressing one of below buttons or to otherwise tell your friends about it!