From rl.hird at orpheusmail.co.uk Fri Jan 7 13:00:28 2011 From: rl.hird at orpheusmail.co.uk (Roger Hird) Date: Fri, 07 Jan 2011 13:00:28 +0000 (GMT) Subject: NHS Number Message-ID: <5191db0c3drl.hird@orpheusmail.co.uk> This may be OT - but it may be relevant to some discussions in this forum. It is about NHS numbers and whether they need to be treated as confidential. I rang the 0800 helpline of a NHS national screening programme, to query whether some results had been posted to me. They asked for my NHS number. I started to quote the number I have had since birth - a "number" of the form AAAA 123 - and was told "that's an old number". My full name, date of birth and postcode, however, allowed them to answer my query. I asked how I could track down my new number and they simply gave it to me over the phone - it's now just a 10 figure number. I noted it was a reference number my GP practice had been putting on their letters to me but not identified as my NHS number. So I was given my NHS number by simply giving my full name, address and date of birth. I could have quoted anything of the right format as my "old" number. As I remember it the NHS number base was not so long ago seen as the nearest thing we had to a comprehensive national identity database. Should not these numbers be treated with more care? Mind you, I'm pretty sure no-one ever told me mine had even changed. RogerH -- Roger Hird rl.hird at orpheusmail.co.uk Website: http://roger.hird.orpheusweb.co.uk From pwt at iosis.co.uk Fri Jan 7 16:56:49 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Fri, 07 Jan 2011 16:56:49 +0000 Subject: NHS Number In-Reply-To: <5191db0c3drl.hird@orpheusmail.co.uk> References: <5191db0c3drl.hird@orpheusmail.co.uk> Message-ID: <4D2745D1.1070106@iosis.co.uk> Well, in late 2006 we were going to start on a 15 year programme to cross reference the IPS (ultimately it would be the ID card) database and the NI database (and have a new, common biometric database), and I never heard mention of the NHS database being involved - but last year I heard that DWP had become merely a client of Home Office . Now we have the G-digital programme, jointly run by Directgov (part of Cabinet Office) and DoH, which appears to be intending to use bank cards for secure online identification (eID)... I'm sure that that doesn't help... Peter On 07/01/2011 13:00, Roger Hird wrote: > This may be OT - but it may be relevant to some discussions in > this forum. It is about NHS numbers and whether they need to be > treated as confidential. > > I rang the 0800 helpline of a NHS national screening programme, > to query whether some results had been posted to me. > > They asked for my NHS number. I started to quote the number I > have had since birth - a "number" of the form AAAA 123 - and was > told "that's an old number". My full name, date of birth and > postcode, however, allowed them to answer my query. I asked how > I could track down my new number and they simply gave it to me > over the phone - it's now just a 10 figure number. I noted it was > a reference number my GP practice had been putting on their > letters to me but not identified as my NHS number. > > So I was given my NHS number by simply giving my full name, > address and date of birth. I could have quoted anything of the > right format as my "old" number. > > As I remember it the NHS number base was not so long ago seen as > the nearest thing we had to a comprehensive national identity > database. Should not these numbers be treated with more care? > Mind you, I'm pretty sure no-one ever told me mine had even > changed. > > RogerH > From rl.hird at orpheusmail.co.uk Fri Jan 7 17:18:42 2011 From: rl.hird at orpheusmail.co.uk (Roger Hird) Date: Fri, 07 Jan 2011 17:18:42 +0000 (GMT) Subject: NHS Number In-Reply-To: <4D2745D1.1070106@iosis.co.uk> References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> Message-ID: <5191f2b0darl.hird@orpheusmail.co.uk> In article <4D2745D1.1070106 at iosis.co.uk>, Peter Tomlinson wrote: > Well, in late 2006 we were going to start on a 15 year > programme to cross reference the IPS (ultimately it would be > the ID card) database and the NI database (and have a new, > common biometric database), and I never heard mention of the > NHS database being involved I was very briefly and marginally involved in thinking about identity before the 1997 election in CITU at the Cabinet Office. The view of those involved was that the NI number was a joke (the story was that there were twice as many NI numbers as people who should have them) and of little value but that the NHS number was a lot more reliable and potentially the basis for a national registration scheme. Going back to the main issue - is the ability to get hold of someone else's NHS number any sort of problem? -- Roger Hird rl.hird at orpheusmail.co.uk Website: http://roger.hird.orpheusweb.co.uk From Ross.Anderson at cl.cam.ac.uk Sat Jan 8 10:48:21 2011 From: Ross.Anderson at cl.cam.ac.uk (Ross Anderson) Date: Sat, 08 Jan 2011 10:48:21 +0000 Subject: NHS Number Message-ID: > Going back to the main issue - is the ability to get hold of > someone else's NHS number any sort of problem? (1) "De-identified" databases of med records used in research often have the NHS number even if name and address have been removed (2) The PDS system which people use to look up your NHS number lets users find anyone in the country, including ex-directory numbers; it has an audit trail showing all the health organisations you've dealt with. If you're a celeb who's an outpatient at the Maudsley, that could be bad news. At a more down-to-earth level, I know of one case current being litigated where a woman was tracked down by an ex-husband after a relative of hers used PDS to find her. He went round and seriously assulted her. She's now suing the hospital where his relative worked Ross From chl at clerew.man.ac.uk Mon Jan 10 11:31:34 2011 From: chl at clerew.man.ac.uk (Charles Lindsey) Date: Mon, 10 Jan 2011 11:31:34 -0000 Subject: NHS Number In-Reply-To: <5191f2b0darl.hird@orpheusmail.co.uk> References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> Message-ID: On Fri, 07 Jan 2011 17:18:42 -0000, Roger Hird wrote: > Going back to the main issue - is the ability to get hold of > someone else's NHS number any sort of problem? Look at the problems caused by the widspread use of Social Security Numbers for non-social pourposes in the USA. For any sort of number that reliably identifies a person (that seems to include NHS numbers but not NI numbers) it should be illegal to ask for that number outside of a context clearly related to the original purpose of that number. So I would not expect to be asked for my NHS number when applying for car insurance, for example. -- Charles?H.?Lindsey?---------At?Home,?doing?my?own?thing------------------------ Tel:?+44?161?436?6131? ???Web:?http://www.cs.man.ac.uk/~chl Email:?chl at clerew.man.ac.uk??????Snail:?5?Clerewood?Ave,?CHEADLE,?SK8?3JU,?U.K. PGP:?2C15F1A9??????Fingerprint:?73?6D?C2?51?93?A0?01?E7?65?E8?64?7E?14?A4?AB?A5 From lists at internetpolicyagency.com Mon Jan 10 13:18:41 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Mon, 10 Jan 2011 13:18:41 +0000 Subject: NHS Number In-Reply-To: References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> Message-ID: In article , Charles Lindsey writes >> Going back to the main issue - is the ability to get hold of >> someone else's NHS number any sort of problem? > >Look at the problems caused by the widspread use of Social Security >Numbers for non-social pourposes in the USA. > >For any sort of number that reliably identifies a person (that seems to >include NHS numbers but not NI numbers) Even if NI numbers are less reliable, they should be included in the scope of any discussion like this. >it should be illegal to ask for that number outside of a context >clearly related to the original purpose of that number. There's a list of "approved" uses of NI numbers. I don't what the sanction is for breaching it. On a broader note, DPA stipulates that data shall be "relevant and not excessive" (3rd Principle), and could also be brought into play. >So I would not expect to be asked for my NHS number when applying for >car insurance, for example. I refused to give my NI number to an estate agent recently; they put up a struggle but I was very firm about it! And the lack didn't seem to hinder their subsequent activity. -- Roland Perry From richard at highwayman.com Mon Jan 10 15:13:46 2011 From: richard at highwayman.com (Richard Clayton) Date: Mon, 10 Jan 2011 15:13:46 +0000 Subject: NHS Number In-Reply-To: References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> Message-ID: In article , Charles Lindsey writes >For any sort of number that reliably identifies a person (that seems to >include NHS numbers but not NI numbers) it should be illegal to ask for >that number outside of a context clearly related to the original purpose >of that number. There is statutory provision for the Government to make an order (under para. 4 of Part II of Schedule 1 of the Data Protection Act 1998) to do exactly this! They haven't ever done so. This type of restriction is common elsewhere in Europe, and it would be straightforward to argue that the failure to have created any such orders (and there's lots of other numbers which have similar problems, such as the Unique Pupil Number) is a failure to correctly transpose the Data Protection Directive into UK Law. -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 185 bytes Desc: not available URL: From igb at batten.eu.org Mon Jan 10 16:15:06 2011 From: igb at batten.eu.org (Ian Batten) Date: Mon, 10 Jan 2011 16:15:06 +0000 Subject: NHS Number In-Reply-To: References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> Message-ID: <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> On 10 Jan 11, at 1318, Roland Perry wrote: > > I refused to give my NI number to an estate agent recently Did you manage to get them to tell you why they wanted it? ian From otcbn at callnetuk.com Mon Jan 10 16:30:52 2011 From: otcbn at callnetuk.com (Peter Mitchell) Date: Mon, 10 Jan 2011 16:30:52 +0000 Subject: NHS Number In-Reply-To: <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> Message-ID: <4D2B343C.5010900@callnetuk.com> Ian Batten wrote on 10-01-11 16:15: > On 10 Jan 11, at 1318, Roland Perry wrote: >> I refused to give my NI number to an estate agent recently > > Did you manage to get them to tell you why they wanted it? > The reply would almost certainly have been, "It's because of the Data Protection Act, sir." -- Pete Mitchell From matthew at pemble.net Mon Jan 10 16:45:22 2011 From: matthew at pemble.net (Matthew Pemble) Date: Mon, 10 Jan 2011 16:45:22 +0000 Subject: NHS Number In-Reply-To: <4D2B343C.5010900@callnetuk.com> References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> <4D2B343C.5010900@callnetuk.com> Message-ID: On 10 January 2011 16:30, Peter Mitchell wrote: > Ian Batten wrote on 10-01-11 16:15: > > On 10 Jan 11, at 1318, Roland Perry wrote: >> >>> I refused to give my NI number to an estate agent recently >>> >> >> Did you manage to get them to tell you why they wanted it? >> >> > The reply would almost certainly have been, "It's because of the Data > Protection Act, sir." > Something to do with their Money Laundering Reporting regime, perhaps - if you have a job you have a legitimate source of income? Not saying that it is reasonable, just that it is potentially explicable. -- Matthew Pemble -------------- next part -------------- An HTML attachment was scrubbed... URL: From lists at internetpolicyagency.com Mon Jan 10 18:00:43 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Mon, 10 Jan 2011 18:00:43 +0000 Subject: NHS Number In-Reply-To: <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> Message-ID: <8RCUwNBLl0KNFAIj@perry.co.uk> In article <51892E35-A27E-46A9-B499-0413693F7E4B at batten.eu.org>, Ian Batten writes >> I refused to give my NI number to an estate agent recently > >Did you manage to get them to tell you why they wanted it? Sorry I should have said. It was obvious to all concerned - they were doing a credit check. I expect they would claim that the NI number helps identify the individual, but Experian knows where I live and will have no difficulty in matching my name and address to their credit records. -- Roland Perry From lists at internetpolicyagency.com Mon Jan 10 18:02:54 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Mon, 10 Jan 2011 18:02:54 +0000 Subject: NHS Number In-Reply-To: <4D2B343C.5010900@callnetuk.com> References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> <4D2B343C.5010900@callnetuk.com> Message-ID: In article <4D2B343C.5010900 at callnetuk.com>, Peter Mitchell writes >>> I refused to give my NI number to an estate agent recently >> Did you manage to get them to tell you why they wanted it? > >The reply would almost certainly have been, "It's because of the Data Protection Act, sir." No, but I could easily have used that as part of my refusal. In fact I relied upon the DHSS's (or whatever they are called this week) rules for use of NI numbers. -- Roland Perry From jul at healthecard.co.uk Mon Jan 10 17:48:14 2011 From: jul at healthecard.co.uk (jul kornbluth) Date: Mon, 10 Jan 2011 17:48:14 +0000 Subject: NHS Number In-Reply-To: References: Message-ID: Ross I have also heard the story about the assault by an ex-husband who used the NHS number to track his ex-wife. Would you know where I could find these details? Thank Jul Kornbluth Health eSystems Ltd (UK Company Reg. 5754837) 6 Dalston Gardens, Stanmore HA7 1BU Phone 020 8206 3500 Fax 020 8206 3501 [image: a_HeC logo.gif] e-mail jul at healthecard.co.uk website www.healthecard.co.uk On 8 January 2011 10:48, Ross Anderson wrote: > > Going back to the main issue - is the ability to get hold of > > someone else's NHS number any sort of problem? > > (1) "De-identified" databases of med records used in research often > have the NHS number even if name and address have been removed > > (2) The PDS system which people use to look up your NHS number lets > users find anyone in the country, including ex-directory numbers; it > has an audit trail showing all the health organisations you've dealt > with. If you're a celeb who's an outpatient at the Maudsley, that > could be bad news. > > At a more down-to-earth level, I know of one case current being > litigated where a woman was tracked down by an ex-husband after a > relative of hers used PDS to find her. He went round and seriously > assulted her. She's now suing the hospital where his relative worked > > Ross > > > ______________________________________________ > This email has been scanned by Netintelligence > http://www.netintelligence.com/email > > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 10246 bytes Desc: not available URL: From fm-lists at st-kilda.org Mon Jan 10 16:30:07 2011 From: fm-lists at st-kilda.org (Fearghas McKay) Date: Mon, 10 Jan 2011 16:30:07 +0000 Subject: NHS Number In-Reply-To: <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> Message-ID: On 10 Jan 2011, at 16:15, Ian Batten wrote: > Did you manage to get them to tell you why they wanted it? If you are renting a property and do a runner/stop paying rent - the landlord can go to court and get an arrestment on wages/salary via the NI number. f From fjmd1a at gmail.com Mon Jan 10 20:13:09 2011 From: fjmd1a at gmail.com (Francis Davey) Date: Mon, 10 Jan 2011 20:13:09 +0000 Subject: NHS Number In-Reply-To: References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> Message-ID: On 10 January 2011 16:30, Fearghas McKay wrote: > > On 10 Jan 2011, at 16:15, Ian Batten wrote: > >> Did you manage to get them to tell you why they wanted it? > > If you are renting a property and do a runner/stop paying rent - the landlord can go to court and get an arrestment on wages/salary via the NI number. > In England and Wales that would be an attachment of earnings order. You _can_ apply for such an order even if you don't know the defendant's NI number or indeed the identity of their employer. In practice you'd apply for the debtor to be questioned and if they refused to supply the relevant information you'd ask the court to commit them to prison. Very few former landlords are sufficiently bloody minded to do so. -- Francis Davey From broonie at sirena.org.uk Mon Jan 10 18:06:56 2011 From: broonie at sirena.org.uk (Mark Brown) Date: Mon, 10 Jan 2011 18:06:56 +0000 Subject: NHS Number In-Reply-To: <8RCUwNBLl0KNFAIj@perry.co.uk> References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> <8RCUwNBLl0KNFAIj@perry.co.uk> Message-ID: <20110110180656.GE6541@sirena.org.uk> On Mon, Jan 10, 2011 at 06:00:43PM +0000, Roland Perry wrote: > In article <51892E35-A27E-46A9-B499-0413693F7E4B at batten.eu.org>, Ian > Batten writes >> Did you manage to get them to tell you why they wanted it? > Sorry I should have said. It was obvious to all concerned - they were > doing a credit check. I expect they would claim that the NI number helps > identify the individual, but Experian knows where I live and will have > no difficulty in matching my name and address to their credit records. Unless there are several different ways of writing your address in the various databases out there, in which case automated systems can have rather more trouble than is desirable. From bdm at fenrir.org.uk Mon Jan 10 18:16:51 2011 From: bdm at fenrir.org.uk (Brian Morrison) Date: Mon, 10 Jan 2011 18:16:51 +0000 Subject: NHS Number In-Reply-To: References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> Message-ID: <20110110181651.00004474@surtees.fenrir.org.uk> On Mon, 10 Jan 2011 13:18:41 +0000 Roland Perry wrote: > There's a list of "approved" uses of NI numbers. I don't what the > sanction is for breaching it. Sanction? But that would involve someone taking some action for a trivial breach, and make some official's jobs more difficult. -- Brian Morrison From fm-lists at st-kilda.org Tue Jan 11 00:18:16 2011 From: fm-lists at st-kilda.org (Fearghas McKay) Date: Tue, 11 Jan 2011 00:18:16 +0000 Subject: NHS Number In-Reply-To: References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> Message-ID: On 10 Jan 2011, at 20:13, Francis Davey wrote: > In England and Wales that would be an attachment of earnings order. > You _can_ apply for such an order even if you don't know the > defendant's NI number or indeed the identity of their employer. In > practice you'd apply for the debtor to be questioned and if they > refused to supply the relevant information you'd ask the court to > commit them to prison. Very few former landlords are sufficiently > bloody minded to do so. Indeed but having the number up front makes it easier and more importantly quicker to finish the process of getting your money. Hence the request for the data upfront. If the tenant has done a runner you need to find them before you can get the polis or local UK equivalent to interrogate them. How bloody minded you may choose to be probably depends on how much they owe. Of course it doesn't work with transient Europeans who are only issued with temporary NI numbers. f From lists at internetpolicyagency.com Mon Jan 10 21:52:29 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Mon, 10 Jan 2011 21:52:29 +0000 Subject: NHS Number In-Reply-To: References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> Message-ID: In article , Fearghas McKay writes >> Did you manage to get them to tell you why they wanted it? > >If you are renting a property and do a runner/stop paying rent - the landlord can go to court and get an arrestment on wages/salary via the NI >number. Why does having the NI number help? Surely he really wants the name of my employer - which I did give him. Although that's a small limited company with me as the director, so wouldn't help much in the circumstances you describe. -- Roland Perry From lists at internetpolicyagency.com Tue Jan 11 07:37:23 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 11 Jan 2011 07:37:23 +0000 Subject: NHS Number In-Reply-To: References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> Message-ID: <+ltUNaBziALNFAiB@perry.co.uk> In article , Fearghas McKay writes >> In England and Wales that would be an attachment of earnings order. >> You _can_ apply for such an order even if you don't know the >> defendant's NI number or indeed the identity of their employer. In >> practice you'd apply for the debtor to be questioned and if they >> refused to supply the relevant information you'd ask the court to >> commit them to prison. Very few former landlords are sufficiently >> bloody minded to do so. > >Indeed but having the number up front makes it easier and more importantly quicker to finish the process of getting your money. But this is a classic example of scope-drift. Your NI number is not supposed to be a proxy (or index to) your employer. If they want to know who your employer is, they should ask (and in this case they already did, elsewhere on the forms). -- Roland Perry From lists at internetpolicyagency.com Tue Jan 11 07:34:16 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 11 Jan 2011 07:34:16 +0000 Subject: NHS Number In-Reply-To: <20110110180656.GE6541@sirena.org.uk> References: <5191db0c3drl.hird@orpheusmail.co.uk> <4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> <8RCUwNBLl0KNFAIj@perry.co.uk> <20110110180656.GE6541@sirena.org.uk> Message-ID: In article <20110110180656.GE6541 at sirena.org.uk>, Mark Brown writes >>I expect they would claim that the NI number helps >> identify the individual, but Experian knows where I live and will have >> no difficulty in matching my name and address to their credit records. > >Unless there are several different ways of writing your address in the >various databases out there, in which case automated systems can have >rather more trouble than is desirable. All that's needed is for my name and address to be recognised by the credit reference agencies. Even if there was a problem with that (which there isn't) they could come back and ask for clarification if the check returned "can't find him". -- Roland Perry From David_Biggins at usermgmt.com Wed Jan 12 18:11:01 2011 From: David_Biggins at usermgmt.com (David Biggins) Date: Wed, 12 Jan 2011 18:11:01 -0000 Subject: NHS Number In-Reply-To: References: <5191db0c3drl.hird@orpheusmail.co.uk><4D2745D1.1070106@iosis.co.uk> <5191f2b0darl.hird@orpheusmail.co.uk> <51892E35-A27E-46A9-B499-0413693F7E4B@batten.eu.org> Message-ID: > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry > Sent: 10 January 2011 9:52 PM > To: ukcrypto at chiark.greenend.org.uk > Subject: Re: NHS Number > > Why does having the NI number help? Surely he really wants the name of my > employer - which I did give him. Presumably a proportion of those doing a runner also leave town and/or change jobs; the NI number might provide some traceability in such cases. Doesn't mean I agree with the practice, incidentally. Dave From rich at annexia.org Thu Jan 13 16:15:28 2011 From: rich at annexia.org (Richard W.M. Jones) Date: Thu, 13 Jan 2011 16:15:28 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> Message-ID: <20110113161528.GA32177@annexia.org> A timely article: http://blogs.computerworlduk.com/the-tony-collins-blog/2011/01/will-self-policing-stop-nhs-records-being-viewed-in-india/index.htm -- Richard Jones Red Hat From amidgley at gmail.com Thu Jan 13 16:56:29 2011 From: amidgley at gmail.com (Adrian Midgley) Date: Thu, 13 Jan 2011 16:56:29 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: <20110113161528.GA32177@annexia.org> References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> Message-ID: "?The data processed in NHS SBS? India offices includes GP registrations and ophthalmic forms. These do not contain any clinical data. _Data does not leave the UK - it resides on servers hosted in the UK and is accessed from India_. " > > http://blogs.computerworlduk.com/the-tony-collins-blog/2011/01/will-self-policing-stop-nhs-records-being-viewed-in-india/index.htm > > That seems to me to be one of these clearly untrue things that someone has decided to repeat over and over in the hope people will believe they believe it. Data is data, and if it is accessed in India data has reached India. -- Adrian Midgley http://www.defoam.net/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From ukcrypto at airburst.co.uk Thu Jan 13 14:11:10 2011 From: ukcrypto at airburst.co.uk (Mark Cottle) Date: Thu, 13 Jan 2011 14:11:10 -0000 Subject: NHS Number In-Reply-To: Message-ID: <4D2F07FE.21197.130FA9B@ukcrypto.airburst.co.uk> To return to the original issue again, I would add to Ross Anderson's list a third problem. (3) Possession of any information about an individual is potentially useful to a miscreant seeking to use social engineering to access further information or perpetrate fraud. Discussions about personal information (such as that about NI numbers) often seem to concentrate on questions about when and where information is strictly or technically required for particular purposes. I also think there is a terrible tendency for people to make assumptions that if policy or law is set in place to specify that particular information operations require use of particular pieces of data or exclusion of other pieces or data then that is how things will work in practice. It seems to me the real world very often works on the principles of misunderstanding, expediency, laziness and general cock-up. So I can easily envisage a situation where a miscreant is trying to access, for example, medical or financial records but does not possess the credentials or information that's strictly required in such cases. Imagine the attempt occurs in a phone call to a typical overworked, underpaid, unimaginative administrative employee who's had typically dull formulaic training. The admin employee asks for what they've been trained to request. "Ah", says our miscreant, "there's been some confusion. You're asking for X and they've only given me Y. We're under a bit of pressure so it's going to be a nightmare if I have to go back and get it. I do have an (NHS or NI) number if that's any help". And thus the miscreant plants in the admin employee's mind the impression they have some sort of access privileges of an official nature and can thus be trusted with an (apparently) minor breach of protocol. Furthermore, any piece of data acquired through such an exchange could be an additional means to leverage further access in subsequent attempts. OK, that's a clumsy simplified example, but it illustrates events that happen in the real world. I'm pretty certain it's widely practised in certain quarters of the journalism business. So, even if an NHS number did not technically give access to very much, it would still be a matter of concern if they were obtainable by the wrong people. Given that it *does* seem to be a key to other data it seems especially worrying. Mark On 8 Jan 2011 at 10:48, Ross Anderson wrote: > > Going back to the main issue - is the ability to get hold of > > someone else's NHS number any sort of problem? > > (1) "De-identified" databases of med records used in research often > have the NHS number even if name and address have been removed > > (2) The PDS system which people use to look up your NHS number lets > users find anyone in the country, including ex-directory numbers; it > has an audit trail showing all the health organisations you've dealt > with. If you're a celeb who's an outpatient at the Maudsley, that > could be bad news. From igb at batten.eu.org Thu Jan 13 18:36:59 2011 From: igb at batten.eu.org (Ian Batten) Date: Thu, 13 Jan 2011 18:36:59 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> Message-ID: <7D748715-6331-4A76-8F8B-B43FB80B8E39@batten.eu.org> On 13 Jan 2011, at 16:56, Adrian Midgley wrote: > "?The data processed in NHS SBS? India offices includes GP registrations and ophthalmic forms. These do not contain any clinical data. _Data does not leave the UK - it resides on servers hosted in the UK and is accessed from India_. " > > > > http://blogs.computerworlduk.com/the-tony-collins-blog/2011/01/will-self-policing-stop-nhs-records-being-viewed-in-india/index.htm > > > That seems to me to be one of these clearly untrue things that someone has decided to repeat over and over in the hope people will believe they believe it. > > Data is data, and if it is accessed in India data has reached India. Exactly. If the data is viewed in country X, it's in country X. What does it mean to say data is not in a country in which it is viewed? There's an old joke in which someone says "can you fax me the data?" and gets the response "yes, but you have to fax it back to me when you've finished with it", and this seems to make the same category error: it presumes that data has some sort of tangible form, which is separate from its information content. ian -------------- next part -------------- An HTML attachment was scrubbed... URL: From tharg at gmx.net Sat Jan 15 10:17:05 2011 From: tharg at gmx.net (Caspar Bowden (travelling private e-mail)) Date: Sat, 15 Jan 2011 11:17:05 +0100 Subject: Starmer dumps doormat? Message-ID: <003001cbb49d$5cdaa810$168ff830$@gmx.net> http://www.guardian.co.uk/media/2011/jan/14/dpp-news-of-the-world-phone-hack ing The CPS had been of the view that an offence of phone hacking would require it to be proved that someone had hacked a phone and listened to a message before the owner of the phone had a chance to hear it. Now the CPS believes an offence may have been committed if a phone was hacked and a message listened to by a journalist or private investigator at any time, even if the owner had already heard it -------------- next part -------------- An HTML attachment was scrubbed... URL: From tharg at gmx.net Sat Jan 15 16:40:22 2011 From: tharg at gmx.net (Caspar Bowden (travelling private e-mail)) Date: Sat, 15 Jan 2011 17:40:22 +0100 Subject: Starmer dumps doormat? In-Reply-To: <4D31B494.20803@pelicancrossing.net> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> Message-ID: <000c01cbb4d2$f6781db0$e3685910$@gmx.net> http://www.theregister.co.uk/2010/09/13/ripa_email_advice/ Yates said the following (at Q5): Hacking is defined in a very prescriptive way by the Regulation of Investigatory Powers Act and it's very, very prescriptive and it's very difficult to prove.... There are very few offences that we are able to actually prove that have been hacked. That is, intercepting the voicemail prior to the owner of that voicemail intercepting it him or herself. The supposition is that Yates was thinking of http://hansard.millbanksystems.com/lords/2000/jun/12/regulation-of-investiga tory-powers-bill <<<1438 Bassam: ...The definition of "interception" is limited to interception of a communication in the course of its transmission by certain means. To take one example, a letter which has been delivered through a letterbox and is lying on a doormat is no longer in the course of its transmission-it has, after all, arrived>>> http://www.guardian.co.uk/media/2010/sep/07/phone-hacking-voicemails-law-int erception Addressing the home affairs select committee today John Yates, the assistant Metropolitan police commissioner, repeated earlier claims by police that cases of hacking into voicemails could only be prosecuted if the victim had not yet listened to their messages. "That is nonsense, and a recurring problem with this police position in this case," said Simon McKay, author of Covert Policing Law & Practice. "The police are getting confused about a number of things relating to the evidential status of a voicemail.... -----Original Message----- From: Wendy M. Grossman [mailto:wendyg at pelicancrossing.net] Sent: 15 January 2011 15:52 To: cb at qualia.co.uk; UK Cryptography Policy Discussion Group Cc: Caspar Bowden (travelling private e-mail) Subject: Re: Starmer dumps doormat? Why should whether you've heard the messages or not make any difference? wg On 1/15/2011 10:17, Caspar Bowden (travelling private e-mail) wrote: > http://www.guardian.co.uk/media/2011/jan/14/dpp-news-of-the-world-phon > e-hacking > > > The CPS had been of the view that an offence of phone hacking would > require it to be proved that someone had hacked a phone and listened > to a message before the owner of the phone had a chance to hear it. > Now the CPS believes an offence may have been committed if a phone was > hacked and a message listened to by a journalist or private > investigator at any time, even if the owner had already heard it > From pwt at iosis.co.uk Sat Jan 15 17:48:46 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sat, 15 Jan 2011 17:48:46 +0000 Subject: Starmer dumps doormat? In-Reply-To: <000c01cbb4d2$f6781db0$e3685910$@gmx.net> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net><4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> Message-ID: <4D31DDFE.4010303@iosis.co.uk> From: Wendy M. Grossman [mailto:wendyg at pelicancrossing.net] > Sent: 15 January 2011 15:52 > To: cb at qualia.co.uk; UK Cryptography Policy Discussion Group > Cc: Caspar Bowden (travelling private e-mail) > Subject: Re: Starmer dumps doormat? > > Why should whether you've heard the messages or not make any difference? > w Following up the doormat analogy, my physical doormat is inside my front door, so anyone who reaches through the letterbox and picks up a letter and opens the envelope but without taking the envelope and contents out through the letterbox is, I believe, doing something illegal. If they just take the letter away in its envelope and don't open it, I'm sure that they are doing something illegal. And if I open the letter and leave the contents on the doormat and someone reaches in with a camera and reads the letter, they are invading my privacy, but is that illegal? The argument seems to have been that listening to a voicemail message which is stored in the phone system AND has been listened to by the recipient is not illegal - thus it further seems that we service users are in a civil law situation where my disagreement is with the service provider for not keeping the messages secure until deleted - I think that I want something stronger in law, something that responds to the very nature of these voicemail messages (and of emails) that for a time (perhaps a very considerable time) they are simultaneously both in my possession (typically stored in my brain after I have listened to them, albeit that that is a fallible storage medium) and stored in the service provider's system. Now I use an internet phone service that parcels up a voicemail message into a wav file and sends me that wav file by email (as well as keeping the message for me to listen to over the phone)... Peter From wendyg at pelicancrossing.net Sat Jan 15 16:43:39 2011 From: wendyg at pelicancrossing.net (Wendy M. Grossman) Date: Sat, 15 Jan 2011 16:43:39 +0000 Subject: Starmer dumps doormat? In-Reply-To: <000c01cbb4d2$f6781db0$e3685910$@gmx.net> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> Message-ID: <4D31CEBB.3020703@pelicancrossing.net> I see. Thanks. It's amazing how apparently simple things become quite complex when you need to pin them down as specifically as writing a law requires. wg On 1/15/2011 16:40, Caspar Bowden (travelling private e-mail) wrote: > http://www.theregister.co.uk/2010/09/13/ripa_email_advice/ > Yates said the following (at Q5): Hacking is defined in a very prescriptive > way by the Regulation of Investigatory Powers Act and it's very, very > prescriptive and it's very difficult to prove.... There are very few > offences that we are able to actually prove that have been hacked. That is, > intercepting the voicemail prior to the owner of that voicemail intercepting > it him or herself. > > The supposition is that Yates was thinking of > http://hansard.millbanksystems.com/lords/2000/jun/12/regulation-of-investiga > tory-powers-bill<<<1438 Bassam: ...The definition of "interception" is > limited to interception of a communication in the course of its transmission > by certain means. To take one example, a letter which has been delivered > through a letterbox and is lying on a doormat is no longer in the course of > its transmission-it has, after all, arrived>>> > > http://www.guardian.co.uk/media/2010/sep/07/phone-hacking-voicemails-law-int > erception > Addressing the home affairs select committee today John Yates, the assistant > Metropolitan police commissioner, repeated earlier claims by police that > cases of hacking into voicemails could only be prosecuted if the victim had > not yet listened to their messages. "That is nonsense, and a recurring > problem with this police position in this case," said Simon McKay, author of > Covert Policing Law& Practice. "The police are getting confused about a > number of things relating to the evidential status of a voicemail.... > > -----Original Message----- > From: Wendy M. Grossman [mailto:wendyg at pelicancrossing.net] > Sent: 15 January 2011 15:52 > To: cb at qualia.co.uk; UK Cryptography Policy Discussion Group > Cc: Caspar Bowden (travelling private e-mail) > Subject: Re: Starmer dumps doormat? > > Why should whether you've heard the messages or not make any difference? > wg > > On 1/15/2011 10:17, Caspar Bowden (travelling private e-mail) wrote: >> http://www.guardian.co.uk/media/2011/jan/14/dpp-news-of-the-world-phon >> e-hacking >> >> >> The CPS had been of the view that an offence of phone hacking would >> require it to be proved that someone had hacked a phone and listened >> to a message before the owner of the phone had a chance to hear it. >> Now the CPS believes an offence may have been committed if a phone was >> hacked and a message listened to by a journalist or private >> investigator at any time, even if the owner had already heard it >> > From wendyg at pelicancrossing.net Sat Jan 15 14:52:04 2011 From: wendyg at pelicancrossing.net (Wendy M. Grossman) Date: Sat, 15 Jan 2011 14:52:04 +0000 Subject: Starmer dumps doormat? In-Reply-To: <003001cbb49d$5cdaa810$168ff830$@gmx.net> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> Message-ID: <4D31B494.20803@pelicancrossing.net> Why should whether you've heard the messages or not make any difference? wg On 1/15/2011 10:17, Caspar Bowden (travelling private e-mail) wrote: > http://www.guardian.co.uk/media/2011/jan/14/dpp-news-of-the-world-phone-hacking > > > The CPS had been of the view that an offence of phone hacking would > require it to be proved that someone had hacked a phone and listened to > a message before the owner of the phone had a chance to hear it. Now the > CPS believes an offence may have been committed if a phone was hacked > and a message listened to by a journalist or private investigator at any > time, even if the owner had already heard it > From lists at internetpolicyagency.com Sat Jan 15 21:29:14 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 15 Jan 2011 21:29:14 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> Message-ID: <2UsGRqDqGhMNFAIm@perry.co.uk> In article , Adrian Midgley writes >"?The data processed in NHS SBS? India offices includes GP >registrations and ophthalmic forms. These do not contain any clinical >data. _Data does not leave the UK - it resides on servers hosted in the >UK and is accessed from India_. " > >http://blogs.computerworlduk.com/the-tony-collins-blog/2011/01/will-self >-policing-stop-nhs-records-being-viewed-in-india/index.htm > >That seems to me to be one of these clearly untrue things that someone >has decided to repeat over and over in the hope people will believe >they believe it. > >Data is data, and if it is accessed in India data has reached India And the exact opposite theory (to the one you are critiquing) is used to prosecute people who administer offshore child porn sites from the UK. -- Roland Perry From igb at batten.eu.org Sun Jan 16 09:16:03 2011 From: igb at batten.eu.org (Ian Batten) Date: Sun, 16 Jan 2011 09:16:03 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D31DDFE.4010303@iosis.co.uk> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net><4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> Message-ID: <123BC674-6251-4E8F-9615-7E29B8F203E2@batten.eu.org> On 15 Jan 2011, at 17:48, Peter Tomlinson wrote: > And if I open the letter and leave the contents on the doormat and someone reaches in with a camera and reads the letter, they are invading my privacy, but is that illegal? Well, they're arguably breaching the copyright of the original author, and if so would find it hard to claim that that there was any sort of implied permission to do so (unlike, say, the addressee of the letter scanning it into a filing system, or copying it to show to their solicitor). But my suspicion is that the reason adduced historically against cryptanalysis and interception --- that gentlemen don't read each other's mail --- dies awfully hard, and your mail is mostly protected by fairly deep-seated taboos against reading other people's letters, rather than tangible statute or precedent. ian From pwt at iosis.co.uk Sun Jan 16 09:18:01 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sun, 16 Jan 2011 09:18:01 +0000 Subject: New York Times on Stuxnet Message-ID: <4D32B7C9.8030101@iosis.co.uk> For information: long article in New York Times online edition today, about Stuxnet: http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1&nl=todaysheadlines&emc=tha2 Peter From igb at batten.eu.org Sun Jan 16 09:25:19 2011 From: igb at batten.eu.org (Ian Batten) Date: Sun, 16 Jan 2011 09:25:19 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: <2UsGRqDqGhMNFAIm@perry.co.uk> References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> Message-ID: <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> On 15 Jan 2011, at 21:29, Roland Perry wrote: > In article , Adrian Midgley writes >> >> Data is data, and if it is accessed in India data has reached India > > And the exact opposite theory (to the one you are critiquing) is used to prosecute people who administer offshore child porn sites from the UK. That's a really good point. I had tried to construct some similar counter-argument to the NHS's position involving logging in to classified servers via a thin client to view material in breach of the Official Secrets Act, but came up against the Computer Misuse Act. Your example "solves" that: the NHS argument would appear to mean that if a Bad Person offers a Citrix, RDP, VNC or similar remote login solution so that UK residents can log in to a server located in (for the sake of argument) international waters and then view child pornography residing on that server, no offence will have taken place. If the argument is made by the prosecution, as it would be, that the transient copy created in memory as part of displaying the image constitutes "making" an image, then a fortiori the NHS's position collapses. If the NHS's position is sustained, then provided a consumer of child pornography can show the images were only transiently present on their machine, they have an arguable defence. Child Pornography legislation is closer to strict liability than Data Protection, so the arguments aren't symmetrical, but I suspect no-one has thought this through in enough detail to know... ian From peter at pmsommer.com Sun Jan 16 08:34:14 2011 From: peter at pmsommer.com (Peter Sommer) Date: Sun, 16 Jan 2011 08:34:14 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D31CEBB.3020703@pelicancrossing.net> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31CEBB.3020703@pelicancrossing.net> Message-ID: <4D32AD86.2030507@pmsommer.com> In fact you have two bits of legislation to consider. If you stick to RIPA and interception, the general view is that interception only occurs when something is in the course of transmission (as Caspar report). Once it has been received it is no longer "in the course of transmission" so that there is no RIPA offence. On the other hand, if you turn to the Computer Misuse Act, 1990, the essence of the offence is unauthorised access to a computer. "Computer" was deliberately not defined in the Act so as to allow for a wide degree of interpretation. As tape-based answerphones vanished many years ago one could easily conclude that both desk-based answer phones and the systems run by the cellphone companies are "computers". So the prosecution route is via s 1 CMA 1990 - maximum punishment (I am pretty sure): 5 years. Peter Sommer On 15/01/2011 16:43, Wendy M. Grossman wrote: > I see. Thanks. > > It's amazing how apparently simple things become quite complex when > you need to pin them down as specifically as writing a law requires. > > wg > > On 1/15/2011 16:40, Caspar Bowden (travelling private e-mail) wrote: >> http://www.theregister.co.uk/2010/09/13/ripa_email_advice/ >> Yates said the following (at Q5): Hacking is defined in a very >> prescriptive >> way by the Regulation of Investigatory Powers Act and it's very, very >> prescriptive and it's very difficult to prove.... There are very few >> offences that we are able to actually prove that have been hacked. >> That is, >> intercepting the voicemail prior to the owner of that voicemail >> intercepting >> it him or herself. >> >> The supposition is that Yates was thinking of >> http://hansard.millbanksystems.com/lords/2000/jun/12/regulation-of-investiga >> >> tory-powers-bill<<<1438 Bassam: ...The definition of "interception" is >> limited to interception of a communication in the course of its >> transmission >> by certain means. To take one example, a letter which has been delivered >> through a letterbox and is lying on a doormat is no longer in the >> course of >> its transmission-it has, after all, arrived>>> >> >> http://www.guardian.co.uk/media/2010/sep/07/phone-hacking-voicemails-law-int >> >> erception >> Addressing the home affairs select committee today John Yates, the >> assistant >> Metropolitan police commissioner, repeated earlier claims by police that >> cases of hacking into voicemails could only be prosecuted if the >> victim had >> not yet listened to their messages. "That is nonsense, and a recurring >> problem with this police position in this case," said Simon McKay, >> author of >> Covert Policing Law& Practice. "The police are getting confused about a >> number of things relating to the evidential status of a voicemail.... >> >> -----Original Message----- >> From: Wendy M. Grossman [mailto:wendyg at pelicancrossing.net] >> Sent: 15 January 2011 15:52 >> To: cb at qualia.co.uk; UK Cryptography Policy Discussion Group >> Cc: Caspar Bowden (travelling private e-mail) >> Subject: Re: Starmer dumps doormat? >> >> Why should whether you've heard the messages or not make any difference? >> wg >> >> On 1/15/2011 10:17, Caspar Bowden (travelling private e-mail) wrote: >>> http://www.guardian.co.uk/media/2011/jan/14/dpp-news-of-the-world-phon >>> e-hacking >>> >>> >>> The CPS had been of the view that an offence of phone hacking would >>> require it to be proved that someone had hacked a phone and listened >>> to a message before the owner of the phone had a chance to hear it. >>> Now the CPS believes an offence may have been committed if a phone was >>> hacked and a message listened to by a journalist or private >>> investigator at any time, even if the owner had already heard it >>> >> From lists at internetpolicyagency.com Sun Jan 16 11:42:51 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Sun, 16 Jan 2011 11:42:51 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> Message-ID: In article <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE at batten.eu.org>, Ian Batten writes >> In article , Adrian Midgley writes >>> >>> Data is data, and if it is accessed in India data has reached India >> >> And the exact opposite theory (to the one you are critiquing) is used to prosecute people who administer offshore child porn sites from the >>UK. > >That's a really good point. I had tried to construct some similar counter-argument to the NHS's position involving logging in to classified >servers via a thin client to view material in breach of the Official Secrets Act, but came up against the Computer Misuse Act. Your example >"solves" that: the NHS argument would appear to mean that if a Bad Person offers a Citrix, RDP, VNC or similar remote login solution so that UK >residents can log in to a server located in (for the sake of argument) international waters and then view child pornography residing on that >server, no offence will have taken place. > >If the argument is made by the prosecution, as it would be, that the transient copy created in memory as part of displaying the image >constitutes "making" an image, then a fortiori the NHS's position collapses. If the NHS's position is sustained, then provided a consumer of >child pornography can show the images were only transiently present on their machine, they have an arguable defence. Child Pornography >legislation is closer to strict liability than Data Protection, so the arguments aren't symmetrical, but >I suspect no-one has thought this through in enough detail to know... On the other hand, I read an article this week about BYOC (bring you own computer), which is a scheme to outsource the supply of thin clients to employees. http://www.bbc.co.uk/news/business-12181570 [1] And the "global law firm" (and their supplier) which was quoted must have done a proper audit of the security issues of data leaking off[2] Citrix PCs and into the local (potentially hostile and unsafe harbour) environment. I don't pretend to understand the details of how that security is implemented though. But if it's good enough for them, would it be good enough for the NHS? Digressing slightly, I'm not a great fan of thin clients due to seeing various industry colleagues struggling to read their emails over dodgy connectivity in far flung parts of the world; whereas all I need is a whiff of port 110 now and again. [1] "we see the uptake of virtual desktop technology, given that the data never leaves your data centre..." [2] "...you can't store it or save it remotely." -- Roland Perry From matthew at pemble.net Sun Jan 16 13:56:37 2011 From: matthew at pemble.net (Matthew Pemble) Date: Sun, 16 Jan 2011 13:56:37 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D32AD86.2030507@pmsommer.com> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31CEBB.3020703@pelicancrossing.net> <4D32AD86.2030507@pmsommer.com> Message-ID: On 16 January 2011 08:34, Peter Sommer wrote: > > So the prosecution route is via s 1 CMA 1990 - maximum punishment (I am > pretty sure): 5 years. > > Now, if illegal interception was punishable by at least 5 years (max is actually 2 on indictment, or a fine on summary), we'd finally have a use for s2 CMA! s1 CMA, unless I've missed something vital, is also a max of 2 years on indictment (raised from 6 months by PCJA 2006)? M. -- Matthew Pemble -------------- next part -------------- An HTML attachment was scrubbed... URL: From matthew at pemble.net Sun Jan 16 14:01:44 2011 From: matthew at pemble.net (Matthew Pemble) Date: Sun, 16 Jan 2011 14:01:44 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> Message-ID: On 16 January 2011 11:42, Roland Perry wrote: > I don't pretend to understand the details of how that security is > implemented though. But if it's good enough for them, would it be good > enough for the NHS? > > It's not good enough for CESG. At a basic level, you can copy the material other than using the computer - a photo of the screen or just writing it down would be enough for data sensitive other than through mere bulk. The "information" has clearly transfered to a human located in India ... I'll admit I don't quite understand your porn-magnate counter-example. Happy to get pointers directly if you think I'm missing something basic that the rest of the list are entirely clueful of :) M. -- Matthew Pemble -------------- next part -------------- An HTML attachment was scrubbed... URL: From peter at pmsommer.com Sun Jan 16 14:44:01 2011 From: peter at pmsommer.com (Peter Sommer) Date: Sun, 16 Jan 2011 14:44:01 +0000 Subject: Starmer dumps doormat? In-Reply-To: References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31CEBB.3020703@pelicancrossing.net> <4D32AD86.2030507@pmsommer.com> Message-ID: <4D330431.7050406@pmsommer.com> Yes, it is 2 years for s 1 CMA - I didn't have full access either to the 'net or my own files when I posted this morning. s 2 CMA is unauthorised access with intent to commit or facilitate commission of futher offences (http://www.legislation.gov.uk/ukpga/1990/18/section/2) but identifying the "further offence" in the NOTW situation might be difficult. On 16/01/2011 13:56, Matthew Pemble wrote: > On 16 January 2011 08:34, Peter Sommer > wrote: > > > So the prosecution route is via s 1 CMA 1990 - maximum punishment > (I am pretty sure): 5 years. > > > Now, if illegal interception was punishable by at least 5 years (max > is actually 2 on indictment, or a fine on summary), we'd finally have > a use for s2 CMA! > > s1 CMA, unless I've missed something vital, is also a max of 2 years > on indictment (raised from 6 months by PCJA 2006)? > > M. > > > -- > Matthew Pemble > > > > ------------------------------------------------------------------------ > ------------------------------------------------------------------------ > > No virus found in this message. > Checked by AVG - www.avg.com > Version: 10.0.1191 / Virus Database: 1435/3383 - Release Date: 01/15/11 > -------------- next part -------------- An HTML attachment was scrubbed... URL: From richard at highwayman.com Sun Jan 16 14:42:43 2011 From: richard at highwayman.com (Richard Clayton) Date: Sun, 16 Jan 2011 14:42:43 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> Message-ID: In article , Matthew Pemble writes > I'll admit I don't quite understand your porn-magnate > counter-example. Happy to get pointers directly if you think I'm > missing something basic that the rest of the list are entirely > clueful of :) I think Roland may be referring to R v Waddon 1999 and R v Perrin 2002 (easy to locate with your favourite search engine), where people in the UK were operating [adult material] obscene websites in the US. If they had been in the US then it would be different, but since they were in the UK and publishing material that could be seen in the UK they were both convicted under the 1957 Act because the publishing activities were committed within the jurisdiction. Child sexual abuse images are more complex (or simpler!) to consider because there are offences of mere possession to consider, along with some extra-territorial provisions (for sex tourism for example). -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 185 bytes Desc: not available URL: From peter at pmsommer.com Sun Jan 16 15:36:33 2011 From: peter at pmsommer.com (Peter Sommer) Date: Sun, 16 Jan 2011 15:36:33 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> Message-ID: <4D331081.2020700@pmsommer.com> Waddon was prosecuted under the Obscene Publications Act and the issue was "place of publication". For the purposes of that piece of legislation, "publication" took place at the point of uploading (the UK) though the servers were in the US. (I was the defence computer expert). On 16/01/2011 14:42, Richard Clayton wrote: > In article> , Matthew Pemble writes >> I'll admit I don't quite understand your porn-magnate >> counter-example. Happy to get pointers directly if you think I'm >> missing something basic that the rest of the list are entirely >> clueful of :) > I think Roland may be referring to R v Waddon 1999 and R v Perrin 2002 > (easy to locate with your favourite search engine), where people in the > UK were operating [adult material] obscene websites in the US. > > If they had been in the US then it would be different, but since they > were in the UK and publishing material that could be seen in the UK they > were both convicted under the 1957 Act because the publishing activities > were committed within the jurisdiction. > > Child sexual abuse images are more complex (or simpler!) to consider > because there are offences of mere possession to consider, along with > some extra-territorial provisions (for sex tourism for example). > From zenadsl6186 at zen.co.uk Sun Jan 16 15:39:17 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Sun, 16 Jan 2011 15:39:17 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D32AD86.2030507@pmsommer.com> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31CEBB.3020703@pelicancrossing.net> <4D32AD86.2030507@pmsommer.com> Message-ID: <4D331125.6010107@zen.co.uk> Peter Sommer wrote: > If you stick to RIPA and interception, the general view is that > interception only occurs when something is in the course of transmission > (as Caspar report). Once it has been received it is no longer "in the > course of transmission" That's not what RIPA says - according to RIPA a message can have been received and still be in transmission. This is the mistake which the Police, CPS etc have been making, and hopefully will stop making. I made this mistake myself too for a while, as did many other people here - it's only about a year ago I said here to much disagreement (and apparently one or two people still disagree) that I thought that according to RIPA whether a message has been read has no bearing on whether it is in transmission or not - so don't blame them too much. If you are used to looking at things like letters which are either in transmission or not, it's hard to take the step to a message which can be both in transmission and not in transmission at the same time. I know the law doesn't actually do this, but might be easier to look at an electronic message as lots of copies. If a copy was created inside a transmission system it is is transmission. Forever. If you copy that copy, or even just look at it [7], it's interception unless you are the sender/recipient, or you are doing so in order to transmit it to the recipient. This is actually almost identical to what RIPA actually says, but in very different form - and it's also the doormat. But it's a step to get here, too ... :) -- Peter Fairbrother [7] it is of course at least impractical to look at a copy without copying it, and it's theoretically impossible if you define look and copy right. From pwt at iosis.co.uk Sun Jan 16 18:17:36 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sun, 16 Jan 2011 18:17:36 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D331125.6010107@zen.co.uk> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31CEBB.3020703@pelicancrossing.net><4D32AD86.2030507@pmsommer.com> <4D331125.6010107@zen.co.uk> Message-ID: <4D333640.7060400@iosis.co.uk> On 16/01/2011 15:39, Peter Fairbrother wrote: > Peter Sommer wrote: > >> If you stick to RIPA and interception, the general view is that >> interception only occurs when something is in the course of >> transmission (as Caspar report). Once it has been received it is no >> longer "in the course of transmission" > > That's not what RIPA says - according to RIPA a message can have been > received and still be in transmission. This is the mistake which the > Police, CPS etc have been making, and hopefully will stop making. > > I made this mistake myself too for a while, as did many other people > here - it's only about a year ago I said here to much disagreement > (and apparently one or two people still disagree) that I thought that > according to RIPA whether a message has been read has no bearing on > whether it is in transmission or not - so don't blame them too much. > > If you are used to looking at things like letters which are either in > transmission or not, it's hard to take the step to a message which can > be both in transmission and not in transmission at the same time. > Which is what I was arguing earlier today, albeit from analysing the real world rather than RIPA. Peter > > I know the law doesn't actually do this, but might be easier to look > at an electronic message as lots of copies. If a copy was created > inside a transmission system it is is transmission. Forever. > > > If you copy that copy, or even just look at it [7], it's interception > unless you are the sender/recipient, or you are doing so in order to > transmit it to the recipient. > > This is actually almost identical to what RIPA actually says, but in > very different form - and it's also the doormat. > > But it's a step to get here, too ... :) > > > -- Peter Fairbrother > > [7] it is of course at least impractical to look at a copy without > copying it, and it's theoretically impossible if you define look and > copy right. > > From cryptome at earthlink.net Sun Jan 16 17:34:29 2011 From: cryptome at earthlink.net (John Young) Date: Sun, 16 Jan 2011 12:34:29 -0500 Subject: Starmer dumps doormat? In-Reply-To: <4D331125.6010107@zen.co.uk> References: <4D32AD86.2030507@pmsommer.com> <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31CEBB.3020703@pelicancrossing.net> <4D32AD86.2030507@pmsommer.com> Message-ID: >it's hard to take the step to a message which can >be both in transmission and not in transmission at the same time. Quite philosophically challenging and not altogether unprecedented in the reletivaty of simultaneity. Mistakes in interpretation by officials and citizens might be eased by describing this state of simultaneily more understandably. For example when does this condition occur and what should it be called rather than both-in and not-in. To be sure, there are those who want the confusion to continue in favor of maximizing benefits for one side against the other. Transmission is the problematic needing clarification, along with reception. Each is extendable to the far reaches of the other. Reception commences with transmission initiation, so patents declare, and transmission continues to the end of reception, other patents assert, neither of which may be terminable due to leakage in data packets, machinic faults and sensory-brain limitations, aided and abetted by wizard lawyers and expert witnesses hairsplitting and braiding. Not to say extrasensory signals well known to emanate from every electromagnetic emitter-absorber intergalactically. More earthly, harvesting emanating fiber is now so trivial that dangers of simultaneous transreception must be in use as diverting camouflage. No doubt dissertations have solved this a long time ago. My mouth to your ear as if our skulls and stems did not aim at unparented progeny, as if signals just appeared from nowhere, no law broken your honor, I swear on a stack of miswritten manuals and deceiptful privacy policies. From igb at batten.eu.org Sun Jan 16 22:46:00 2011 From: igb at batten.eu.org (Ian Batten) Date: Sun, 16 Jan 2011 22:46:00 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> Message-ID: > > On the other hand, I read an article this week about BYOC (bring you own computer), which is a scheme to outsource the supply of thin clients to employees. It's hardly news: BP and Cisco are apparently doing it de jure, and in universities it's happening de facto. I have a suspicion that some university staff conceal that they're mostly using their own laptops, for fear of the IT bogieman, but it seems very common, and of course the infrastructure is mostly open to non-issued machines because undergraduates are increasingly self-providing. > > http://www.bbc.co.uk/news/business-12181570 [1] > > And the "global law firm" (and their supplier) which was quoted must have done a proper audit of the security issues of data leaking off[2] Citrix PCs and into the local (potentially hostile and unsafe harbour) environment. I don't pretend to understand the details of how that security is implemented though. But if it's good enough for them, would it be good enough for the NHS? Well, there are a variety of thin and semi-thin solutions which in various ways make it harder than it might otherwise be to access USB sticks (for example). Some are fairly crude (the thin viewer can disable cut and paste outside itself), some are rather fancier (type 2 hypervisors). I'm not remotely convinced they're either used or effective. Not used, because environments in which people never need to move data via USB sticks are rare. Not effective, because (again invoking my concept of "law abiding criminals") if someone is being paid to obtain half a dozen addresses, they can carry the data out of the environment in their head, on a piece of handwritten paper, using a camera to photograph the screen, etc, etc. Just because you erect a defence against the theft of bulk data doesn't mean your adversary is going to helpfully abjure from any attempt to steal individual items. In the case of the NHS, what's the perceived threat? That someone downloads the whole demographic database? In which case, yes, worrying about data location and endpoint security matters. That someone looks up names for money and returns individual postcodes? Well, that's a horse of an entirely different colour. > > Digressing slightly, I'm not a great fan of thin clients due to seeing various industry colleagues struggling to read their emails over dodgy connectivity in far flung parts of the world; whereas all I need is a whiff of port 110 now and again. Thin clients aren't necessarily a good solution for fully mobile staff. They're a great solution for call centre workers. The debate is therefore the middle ground between those extremes. ian From zenadsl6186 at zen.co.uk Mon Jan 17 01:58:19 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Mon, 17 Jan 2011 01:58:19 +0000 Subject: Starmer dumps doormat? In-Reply-To: References: <4D32AD86.2030507@pmsommer.com> <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31CEBB.3020703@pelicancrossing.net> <4D32AD86.2030507@pmsommer.com> Message-ID: <4D33A23B.9080302@zen.co.uk> John Young wrote: >> it's hard to take the step to a message which can >> be both in transmission and not in transmission at the same time. > > Quite philosophically challenging and not altogether unprecedented > in the reletivaty of simultaneity. > > Mistakes in interpretation by officials and citizens might be eased > by describing this state of simultaneily more understandably. > Actually I misspoke slightly, my apologies, and strictly speaking under RIPA a message can't be both in transmission and not in transmission at once {note1}. However a communication can still be in transmission even after it has been transmitted. An example: I have received an email, and released a copy to the public to do with as they please. There is also a copy of the email stored in my ISP's server, which I can access. Because there is a copy at my ISP which I can access, as far as RIPA is concerned the email is still in transmission. It's not just the copy at the ISP which is still in transmission, it's the entire "communication" which is still in transmission - including the copy which I have received, read and released to the public. Now you can read copy bend fold spindle and mutilate the copy of the communication which I have released to the public, and that cannot be interception. This is not because that copy of the communication isn't in transmission (it is in transmission), it's because in order for an action to be interception it has to involve the system by which the communication was/is being transmitted, and any reading, copying, bending etc. of the copy I have released will not involve that system. However if you even look at the ISP's copy, then it could well be interception. Even though I have read it, and given you a legitimate copy of your own. -- Peter Fairbrother {note1} probably, though perhaps it could be in transmission for s.2 purposes and not in transmission for other RIPA purposes From pwt at iosis.co.uk Mon Jan 17 09:38:12 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Mon, 17 Jan 2011 09:38:12 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D33A23B.9080302@zen.co.uk> References: <4D32AD86.2030507@pmsommer.com> <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31CEBB.3020703@pelicancrossing.net> <4D32AD86.2030507@pmsommer.com> <4D33A23B.9080302@zen.co.uk> Message-ID: <4D340E04.1040403@iosis.co.uk> On 17/01/2011 01:58, Peter Fairbrother wrote: > John Young wrote: >>> it's hard to take the step to a message which can be both in >>> transmission and not in transmission at the same time. >> >> Quite philosophically challenging and not altogether unprecedented >> in the reletivaty of simultaneity. >> >> Mistakes in interpretation by officials and citizens might be eased >> by describing this state of simultaneily more understandably. >> > > Actually I misspoke slightly, my apologies, and strictly speaking > under RIPA a message can't be both in transmission and not in > transmission at once {note1}. > > However a communication can still be in transmission even after it has > been transmitted. > > > An example: I have received an email, and released a copy to the > public to do with as they please. There is also a copy of the email > stored in my ISP's server, which I can access. > > Because there is a copy at my ISP which I can access, as far as RIPA > is concerned the email is still in transmission. > > It's not just the copy at the ISP which is still in transmission, it's > the entire "communication" which is still in transmission - including > the copy which I have received, read and released to the public. Which satisfies my concern that, unlike a snail mail letter, voicemail and email messages are simultaneously already heard or seen by me and stored in the service provider's system. I just wish that regulators and prosecutors would understand and abide by that, but it seems that we are still fighting the battle. Peter From cryptome at earthlink.net Mon Jan 17 12:51:11 2011 From: cryptome at earthlink.net (John Young) Date: Mon, 17 Jan 2011 07:51:11 -0500 Subject: Starmer dumps doormat? In-Reply-To: <4D340E04.1040403@iosis.co.uk> References: <4D33A23B.9080302@zen.co.uk> <4D32AD86.2030507@pmsommer.com> <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31CEBB.3020703@pelicancrossing.net> <4D32AD86.2030507@pmsommer.com> <4D33A23B.9080302@zen.co.uk> Message-ID: That would be Peter Fairbrother, assayer of near simultaneity, not Peter Tomlinson. Excuse. From tony.naggs at googlemail.com Mon Jan 17 12:48:51 2011 From: tony.naggs at googlemail.com (Tony Naggs) Date: Mon, 17 Jan 2011 12:48:51 +0000 Subject: New York Times on Stuxnet In-Reply-To: <4D32B7C9.8030101@iosis.co.uk> References: <4D32B7C9.8030101@iosis.co.uk> Message-ID: The NY Times article certainly sounds plausible. Today's Torygraph has an interesting article - based on Russian nuclear experts' view that the Stuxnet incident may compromise the safety of the Iranian reactor at Bushehr, planned to be commissioned this summer: http://www.telegraph.co.uk/news/worldnews/europe/russia/8262853/Stuxnet-virus-attack-Russia-warns-of-Iranian-Chernobyl.html ttfn, Tony On 16 January 2011 09:18, Peter Tomlinson wrote: > For information: long article in New York Times online edition today, about > Stuxnet: > > http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1&nl=todaysheadlines&emc=tha2 > > Peter > > > From lee at nerds.org.uk Mon Jan 17 14:13:50 2011 From: lee at nerds.org.uk (Lee Brotherston) Date: Mon, 17 Jan 2011 14:13:50 +0000 Subject: New York Times on Stuxnet In-Reply-To: References: <4D32B7C9.8030101@iosis.co.uk> Message-ID: <20110117141350.GK82611@nerds.org.uk> On Mon, Jan 17, 2011 at 12:48:51PM +0000, Tony Naggs wrote: > The NY Times article certainly sounds plausible. It also throws up another question for me... Previously, when the originator of Stuxnet was assumed by many to be Israel. The certificates stolen from Realtek and JMicron used to sign rootkits have been linked together by the presence of both companies at Hsinchu Science Park in Taiwan. Presumably inferring that either physical security head been breeched or that some sort of bribery/infiltration had taken place in those buildings. However, if the US is indeed shown to be involved with or sponsoring this, it would seem possible that they could have access to the private keys at the certificate authority and that the Hsinchu addresses are either coincidence or nice bit of counter-intelligence. Needless to say, that if any government authorities had access to the keys held by a certificate authority, then that would have wide ranging implications for us all. Thanks Lee -- Lee Brotherston - -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3964 bytes Desc: not available URL: From richard at highwayman.com Mon Jan 17 15:51:49 2011 From: richard at highwayman.com (Richard Clayton) Date: Mon, 17 Jan 2011 15:51:49 +0000 Subject: New York Times on Stuxnet In-Reply-To: <20110117141350.GK82611@nerds.org.uk> References: <4D32B7C9.8030101@iosis.co.uk> <20110117141350.GK82611@nerds.org.uk> Message-ID: In article <20110117141350.GK82611 at nerds.org.uk>, Lee Brotherston writes >Previously, when the originator of Stuxnet was assumed by many to be >Israel. The Times blithely repeats the "myrtus" story (which links the malware tangentially to the Book of Esther) rather than seeing it as "my RTU s" (where RTUs are components of a SCADA system). Also it is perhaps noteworthy that the stories today are almost entirely concentrating on the payload (the code that messed with the industrial control systems) rather than the distribution system -- which could have come from an entirely different source (either written to order, or indeed provided as COTS!) >The certificates stolen from Realtek and JMicron used to sign >rootkits have been linked together by the presence of both companies >at Hsinchu Science Park in Taiwan. Presumably inferring that either >physical security head been breeched or that some sort of >bribery/infiltration had taken place in those buildings. The off-the-record (sorry) information I have is that there wasn't all that much physical security to breach, along with a very wide choice indeed as to who to bribe. viz: these certificates were apparently not being treated with the respect they deserved :( -- richard richard.clayton @ h i g h w a y m a n . com "Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 185 bytes Desc: not available URL: From cryptome at earthlink.net Mon Jan 17 12:49:38 2011 From: cryptome at earthlink.net (John Young) Date: Mon, 17 Jan 2011 07:49:38 -0500 Subject: Starmer dumps doormat? In-Reply-To: <4D340E04.1040403@iosis.co.uk> References: <4D33A23B.9080302@zen.co.uk> <4D32AD86.2030507@pmsommer.com> <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31CEBB.3020703@pelicancrossing.net> <4D32AD86.2030507@pmsommer.com> <4D33A23B.9080302@zen.co.uk> Message-ID: With technologial limitations to understand the fine grains of packet transmission I am biting off more than chewable: In nearly instantaneous, but not quite, action the first ACK of a transmittal may be seen as part of transmission or of receipt since it must go to the receiver's system for indication of correct target as well as a useful path to the target. Hand properly shook by a battery of indicators associated with the ACK and its system-required follow-ups, content transmittal begins but is not instantaneous despite analogue-world appearances by miserably limited human sensors. Multiple packets are generated and hurled to distant processors before gradual reassembly as an analogue-perceptible content. Among the packet processors are caches of previously used routes stored for expediting the packet distribution and reassembly. Bits of the content may be stored as well, that is not clear, but would make efficiency sense. Algorithms exist for identifying often used phrases for encapsulation, condensation and re-use. "I love you beyond compare, cupcake." "Sell immediately," and so on. And you thought garble and incoherency was attributable not deliberate. The snarl between service providers and authorities in changing from analogue interception to digital is based, I understand, on the different means of transmittal as well as how content is coded and decoded. The split between analogue pen register access and interception of message allowed authorities to trace connections without accessing content, the latter requiring a more stringent court approval (so it is asserted despite regular abuse). Splitting digital transmission from digital content was considerably more difficult due to the continuous interplay between the two and packet technology requirements. What seems to have been done is to establish a kind of analogy for legal dummies between two comms that are not accurately analogizable. That is, to assert a separation of transmission from received content which was actually not quite possible except with suspension of disbelief, always a prime undergirding of law if not science. Transmission and receipt unfolded, if you will, as Peter Tomlinson suggested, in near simultaneity but actually in rapid fire alternation: every packet carried code to tell it where to wind up no matter how far bounced through multiple kinds of transmitters. And not just between the origin and destination but at a large number of way stations -- switches, cabling and hubs, satellites, wireless hubs and tracking gadgets galore scattered widely but operated by humans and their precious gear all happily concealed by the greatly expansible term "system administration." A favorite interception technique is to exploit access to the way stations without the originator or the receiver, and most importantly, the regulators, having a clue this is being done. Sysadmins are crucial to this for they know just how to do this without being detected. A couple of whistleblown on the practice but most keep quiet. What is wondrous is how suspension of disbelief in sysadmins is sustained. They constitute a covert priesthood almost as unregulated as hackers and cybersecurity experts, well, to some credulous sacks of blood and bones they are indistinguishable. A law and science unto themselves, beware, or revere as if Assange walking the earth. At 09:38 AM 1/17/2011 +0000, you wrote: >On 17/01/2011 01:58, Peter Fairbrother wrote: >> John Young wrote: >>>> it's hard to take the step to a message which can be both in >>>> transmission and not in transmission at the same time. >>> >>> Quite philosophically challenging and not altogether unprecedented >>> in the reletivaty of simultaneity. >>> >>> Mistakes in interpretation by officials and citizens might be eased >>> by describing this state of simultaneily more understandably. >>> >> >> Actually I misspoke slightly, my apologies, and strictly speaking >> under RIPA a message can't be both in transmission and not in >> transmission at once {note1}. >> >> However a communication can still be in transmission even after it has >> been transmitted. >> >> >> An example: I have received an email, and released a copy to the >> public to do with as they please. There is also a copy of the email >> stored in my ISP's server, which I can access. >> >> Because there is a copy at my ISP which I can access, as far as RIPA >> is concerned the email is still in transmission. >> >> It's not just the copy at the ISP which is still in transmission, it's >> the entire "communication" which is still in transmission - including >> the copy which I have received, read and released to the public. >Which satisfies my concern that, unlike a snail mail letter, voicemail >and email messages are simultaneously already heard or seen by me and >stored in the service provider's system. I just wish that regulators and >prosecutors would understand and abide by that, but it seems that we are >still fighting the battle. > >Peter > From rich at annexia.org Mon Jan 17 16:03:23 2011 From: rich at annexia.org (Richard W.M. Jones) Date: Mon, 17 Jan 2011 16:03:23 +0000 Subject: New York Times on Stuxnet In-Reply-To: <20110117141350.GK82611@nerds.org.uk> References: <4D32B7C9.8030101@iosis.co.uk> <20110117141350.GK82611@nerds.org.uk> Message-ID: <20110117160323.GA6682@annexia.org> On Mon, Jan 17, 2011 at 02:13:50PM +0000, Lee Brotherston wrote: > Needless to say, that if any government authorities had access to the > keys held by a certificate authority, then that would have wide > ranging implications for us all. I absolutely assume this is true anyway. Another reason to hate the stupid Firefox warning when you access a website that is encrypted but not authenticated. Rich. -- Richard Jones Red Hat From k.brown at bbk.ac.uk Tue Jan 18 13:30:11 2011 From: k.brown at bbk.ac.uk (ken) Date: Tue, 18 Jan 2011 13:30:11 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D31DDFE.4010303@iosis.co.uk> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net><4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> Message-ID: <4D3595E3.4090306@bbk.ac.uk> On 15/01/2011 17:48, Peter Tomlinson wrote: > ...I think that I want > something stronger in law, something that responds to the very > nature of these voicemail messages (and of emails) It seems hard to define the limits of such a law in a way that doesn't make quite normal behaviour illegal. I have a phone on my desk. Once I've listened to a message on it, that message is, pretty much, a sound recording in my possession, just like the CD or DVD. Is it illegal to listen to that recording without permission? I have a pile of CDs and DVDs on a shelf behind me, and various bits of equipment capable of playing them. Dozens of people have some sort of legitimate access to this office. If one of them - say the person sitting next to me - picks up one of my CDs and plays it have they broken a law? If I have a CD in my computer and walk away leaving the machine on, has someone who restarts it and listens to it broken a law? If Peter is keeping his phone messages on his computer, presumably they are backed up. Maybe even on to the same media as his music MP3s or JPEGs. Does one law apply to one kind of content and another to another? If I am looking at the contents of a recording and suddenly find out that it includes private messages, does the alw require me to stop reading or listening there and then and seek permission to go on? Morality and decency do require that I think - if I find a personal letter in the pages of a book I have been lent I ought not to read it - but does the law require it? Should the law require it? If a guest in my house turns on my TV to watch it I suspect they haven't broken any laws, even though I have given no explicit permission. Its the sort of thing that reasonable people might assume is implied by the invitation to spend time in my house. Most peopel might assume such an invitatiom does not imply permission to listen to recorded phone messages. But were I to record broadcast TV programmes, and they watched such a recording, without asking, should they have they broken a law? My TV is at least as much a computer as my desk phone is. Does CMA apply to it? Lots of phone messages are kept in the servers of the phone company rather than on the customer's equipment. If it is illegal to listen to those without explicit permission, is it illegal for someone watching my TV with permission to use a "play it again" service without explicitly seeking my permission for that? If it is pay-per-view, then they will have taken money oput of my account, but loads of them are free. Does that make a difference? It gets more complicated the more I think about it. From zenadsl6186 at zen.co.uk Tue Jan 18 17:46:31 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Tue, 18 Jan 2011 17:46:31 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D3595E3.4090306@bbk.ac.uk> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net><4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> Message-ID: <4D35D1F7.5060304@zen.co.uk> ken wrote: > On 15/01/2011 17:48, Peter Tomlinson wrote: > >> ...I think that I want >> something stronger in law, something that responds to the very >> nature of these voicemail messages (and of emails) > > It seems hard to define the limits of such a law in a way that doesn't > make quite normal behaviour illegal. Here's the actual bit in RIPA: "...the times while a communication is being transmitted by means of a telecommunication system [and therefore can be the subject matter of interception] shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it." Now I am no fan of RIPA, but this seems sensible to me [1]. Communications in the system are being protected by law - when the message leaves the system it it is up to the recipient to protect it, if he wishes, but by then it is in his possession, not in the possession of the system. If, after the recipient has received a copy, there is a copy left in the system, that copy should still be protected by law. And it mostly is. I'd suggest that the bit from "in a a manner" onwards should be deleted - it doesn't matter why the copy is still in the system, it should still be protected by law. Another part of RIPA says that you can only intercept a message by doing things to the system. If a copy of a message is outside the system, nothing you do to look at that copy should involve doing anything to the system, so it won't be interception. The infamous doormat btw is when the communication leaves the system - and that is what Lord Bassam actually said; it has passed the doormat _because it has left_ the system. There are some more clues in RIPA, or rather around it, about how far this is meant to go - for instance the explanatory notes strongly suggest that messages stored in a pager are still to be considered to be in transmission, and whether or not they have been read has no bearing on that. It's a very short step from there to saying texts stored in mobile phones are in transmission even when read ; and not too far a step further to suggest that emails in computers are as well - *but* only insofar as the computer forms or formed part of the system by which the communication was transmitted. So if a repairman looks at an email in your inbox, it's interception. If he looks at the same email on your home folder, or on a backup copy, it probably isn't. And that's about where RIPA itself draws the the line - though where the Police and Courts think the line is is often a different matter. [1] in RIPA's legal context - RIPA's legal context on the other hand sucks .. -- Peter Fairbrother From pwt at iosis.co.uk Tue Jan 18 18:09:56 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Tue, 18 Jan 2011 18:09:56 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D3595E3.4090306@bbk.ac.uk> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net><4D31B494.20803@pelicancrossing.net><000c01cbb4d2$f6781db0$e3685910$@gmx.net><4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> Message-ID: <4D35D774.9010305@iosis.co.uk> On 18/01/2011 13:30, ken wrote: > On 15/01/2011 17:48, Peter Tomlinson wrote: > >> ...I think that I want >> something stronger in law, something that responds to the very >> nature of these voicemail messages (and of emails) > > It seems hard to define the limits of such a law in a way that doesn't > make quite normal behaviour illegal. > > I have a phone on my desk. Once I've listened to a message on it, that > message is, pretty much, a sound recording in my possession, just like > the CD or DVD. Is it illegal to listen to that recording without > permission? > > I have a pile of CDs and DVDs on a shelf behind me, and various bits > of equipment capable of playing them. Dozens of people have some sort > of legitimate access to this office. If one of them - say the person > sitting next to me - picks up one of my CDs and plays it have they > broken a law? > > If I have a CD in my computer and walk away leaving the machine on, > has someone who restarts it and listens to it broken a law? > > If Peter is keeping his phone messages on his computer, presumably > they are backed up. Maybe even on to the same media as his music MP3s > or JPEGs. Does one law apply to one kind of content and another to > another? If I am looking at the contents of a recording and suddenly > find out that it includes private messages, does the alw require me to > stop reading or listening there and then and seek permission to go on? > Morality and decency do require that I think - if I find a personal > letter in the pages of a book I have been lent I ought not to read it > - but does the law require it? Should the law require it? > > If a guest in my house turns on my TV to watch it I suspect they > haven't broken any laws, even though I have given no explicit > permission. Its the sort of thing that reasonable people might assume > is implied by the invitation to spend time in my house. Most peopel > might assume such an invitatiom does not imply permission to listen to > recorded phone messages. But were I to record broadcast TV programmes, > and they watched such a recording, without asking, should they have > they broken a law? My TV is at least as much a computer as my desk > phone is. Does CMA apply to it? > > Lots of phone messages are kept in the servers of the phone company > rather than on the customer's equipment. If it is illegal to listen > to those without explicit permission, is it illegal for someone > watching my TV with permission to use a "play it again" service > without explicitly seeking my permission for that? If it is > pay-per-view, then they will have taken money oput of my account, but > loads of them are free. Does that make a difference? > > It gets more complicated the more I think about it. I don't see a problem. But I do see a fusion of the two channels: voicemail and email. In both cases, the copy (or copies) that I have is/are my responsibility, I protect them, and breaking into the stores of those copies should be subject to one law. The copies residing in service supplier systems are their responsibility, and breaking into the stores of those should be subject to another law. There is a door, and the lawyers and legislators simply need to understand that there can be and often is a copy or copies on both sides of the door. (And the doormat is firmly on my side of the door.) Peter From k.brown at bbk.ac.uk Tue Jan 18 19:58:48 2011 From: k.brown at bbk.ac.uk (ken) Date: Tue, 18 Jan 2011 19:58:48 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D35D774.9010305@iosis.co.uk> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net><4D31B494.20803@pelicancrossing.net><000c01cbb4d2$f6781db0$e3685910$@gmx.net><4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D774.9010305@iosis.co.uk> Message-ID: <4D35F0F8.2040105@bbk.ac.uk> On 18/01/2011 18:09, Peter Tomlinson wrote: > I don't see a problem. But I do see a fusion of the two > channels: voicemail and email. It all merges. Facebook. Twitter. World of Warcraft. Blackboard. PMs on web-based bulletin boards. And it increasingly merges "messaging" with "entertainment" with "education" with any other arbitrary content. I'm not sure that "email" and "phone calls" and "software" and "documents" and "files" and "web content" are really differernt things. Not any more. From lists at andros.org.uk Tue Jan 18 19:56:44 2011 From: lists at andros.org.uk (Andrew McLean) Date: Tue, 18 Jan 2011 19:56:44 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> Message-ID: <4D35F07C.4030405@andros.org.uk> On 16/01/2011 14:01, Matthew Pemble wrote: > It's not good enough for CESG. At a basic level, you can copy the > material other than using the computer - a photo of the screen or just > writing it down would be enough for data sensitive other than through > mere bulk. The "information" has clearly transfered to a human located > in India ... Another analogous situation is export controls on "technologies" (i.e. intangibles). Do you think anyone would get away with "Your honour I didn't export the plans for the ****, they remained on a server in the UK. Yes, they could be viewed on a client workstation in Iran, but the plans stayed in the UK". Andrew From lists at internetpolicyagency.com Wed Jan 19 10:01:49 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 19 Jan 2011 10:01:49 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D35D1F7.5060304@zen.co.uk> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> Message-ID: In article <4D35D1F7.5060304 at zen.co.uk>, Peter Fairbrother writes >It's a very short step from there to saying texts stored in mobile >phones are in transmission even when read I think one of the problems that RIPA was trying to work around (whether it was successfully drafted, or is successfully interpreted, is another matter - which I leave for others to discuss) is avoiding the situation where someone is guilty of Interception if they misappropriate[1] a mobile phone, laptop, or even a server. And would that be a sledgehammer to crack a nut. I suppose the analogy is: Do you want people to be prosecuted for Interception if they hijack a mail van, or are there other more suitable offences? Several years ago I also wrote a mini-paper about the situation in places like an office, where a "boss" (sorry for the stereotyping) diverts his phone and voicemail to a secretary, and therefore the first person to get (and listen to) them is not the intended recipient. Make that in spades when it's the secretary who sets up the diversion on her own initiative. [nb in these scenarios, the recipient can be argued to have given permission, but the sender hasn't; and many corporates use what are in effect public networks as a virtual PABX, so it's not necessarily being done on a private network either. There are parallels for these scenarios in email (and other electronic communications), but I'll stick to phones for now as they are easier to describe. And there are other issues with (eg) one-to-many emails where RIPA doesn't really fit. What I've thought for several years now is that the whole idea of "Interception" needs to be re-examined from first principles, and a fresh start made with the drafting. FWIW, the EU Commission has recently admitted that its Data Protection and Electronic Commerce Directives are now "out of date" because they didn't anticipate (nor perhaps should they have been expected to) the explosion in online communications, and modes, and need to be revised from the ground up [eg the split between "Mere conduit", "Caching" and "Hosting" is over simplistic these days]. They've said that trying to "over-interpret" those Directives in today's marketplace is unhelpful, although that's what does happen if you don't revise them. Ten years on (for all of the above legislation) is arguably 30 "Internet Years", so an all round Spring Clean might be a good idea. [1] Which could be stealing, but could also be seizure by the police in circumstances where they didn't have a suitable explicit exemption for doing so. -- Roland Perry From matthew at pemble.net Wed Jan 19 10:32:01 2011 From: matthew at pemble.net (Matthew Pemble) Date: Wed, 19 Jan 2011 10:32:01 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: <4D35F07C.4030405@andros.org.uk> References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> <4D35F07C.4030405@andros.org.uk> Message-ID: On 18 January 2011 19:56, Andrew McLean wrote: > On 16/01/2011 14:01, Matthew Pemble wrote: > >> It's not good enough for CESG. At a basic level, you can copy the material >> other than using the computer - a photo of the screen or just writing it >> down would be enough for data sensitive other than through mere bulk. The >> "information" has clearly transfered to a human located in India ... >> > > Another analogous situation is export controls on "technologies" (i.e. > intangibles). Do you think anyone would get away with "Your honour I didn't > export the plans for the ****, they remained on a server in the UK. Yes, > they could be viewed on a client workstation in Iran, but the plans stayed > in the UK". > > The US Professor Roth case is quite interesting in this context: http://www.exportlawblog.com/archives/2762 For some of the charges the 'export' occurred when the Chinese and Iranian students viewed the material in Knoxville, Tennessee. -- Matthew Pemble -------------- next part -------------- An HTML attachment was scrubbed... URL: From lists at internetpolicyagency.com Wed Jan 19 11:07:46 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 19 Jan 2011 11:07:46 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D3595E3.4090306@bbk.ac.uk> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> Message-ID: In article <4D3595E3.4090306 at bbk.ac.uk>, ken writes >> ...I think that I want >> something stronger in law, something that responds to the very >> nature of these voicemail messages (and of emails) > >It seems hard to define the limits of such a law in a way that doesn't >make quite normal behaviour illegal. Agreed. And the current law concentrates mainly on what hoops the authorities have to jump through in order to do classic "wiretapping" (and its analogues). The prospect of nosey civilians (including corporates) snooping on one another doesn't really enter into it - and hence, I'm sure, the long term disinclination of the police to even investigate. It's the same with the other provisions, for comms data and surveillance - it's all about what public authorities can and can't do - none of which helps me (as an individual with a grievance) tracing that eBay scammer of Facebook stalker -- Roland Perry From Andrew.Cormack at ja.net Wed Jan 19 13:37:22 2011 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Wed, 19 Jan 2011 13:37:22 +0000 Subject: Starmer dumps doormat? In-Reply-To: References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> Message-ID: <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry > Sent: 19 January 2011 10:02 > To: ukcrypto at chiark.greenend.org.uk > Subject: Re: Starmer dumps doormat? > > Several years ago I also wrote a mini-paper about the situation in > places like an office, where a "boss" (sorry for the stereotyping) > diverts his phone and voicemail to a secretary, and therefore the first > person to get (and listen to) them is not the intended recipient. Make > that in spades when it's the secretary who sets up the diversion on her > own initiative. [nb in these scenarios, the recipient can be argued to > have given permission, but the sender hasn't; and many corporates use > what are in effect public networks as a virtual PABX, so it's not > necessarily being done on a private network either. Roland Did you consider the possibility that in that scenario the secretary may actually be acting as a legal agent for the boss? It was discussed on another list last year where we concluded that if the secretary wasn't the "intended recipient" then there was no way out of the conclusion that they were acting unlawfully, because of the requirement for both parties to have consented. None of us knew the law of agency in detail (and I haven't had time since to look it up). But it seemed that if that resulted in the secretary acting *as* the boss for a particular subset of his work then the secretary/boss *is* the intended recipient and the interception problem goes away. That seemed a reasonable fit for the paper-based world where, if I get a letter signed "pp CEO" then I treat it as coming from the CEO, even though it's very obvious that it hasn't. It also seemed to make it the boss's responsibility to define the extent of actions for which the secretary could act as agent, and if the boss doesn't make that clear then it's their problem and not the secretary's. It seemed a bit unfair to us if the poor secretary carried the can for misinterpreting unclear instructions, which seems to be another consequence of trying to justify it as interception-with-consent :( Andrew -- Andrew Cormack, Chief Regulatory Adviser, JANET(UK) Lumen House, Library Avenue, Harwell, Didcot. OX11 0SG UK Phone: +44 (0) 1235 822302 Blog: http://webmedia.company.ja.net/edlabblogs/regulatory-developments/ JANET, the UK's education and research network JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG From David_Biggins at usermgmt.com Wed Jan 19 18:05:59 2011 From: David_Biggins at usermgmt.com (David Biggins) Date: Wed, 19 Jan 2011 18:05:59 -0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: <4D35F07C.4030405@andros.org.uk> References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> <4D35F07C.4030405@andros.org.uk> Message-ID: > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Andrew McLean > Sent: 18 January 2011 7:57 PM > To: ukcrypto at chiark.greenend.org.uk > Subject: Re: outsourcing GP appointments to India: is this legal under DPA? > Another analogous situation is export controls on "technologies" (i.e. > intangibles). Do you think anyone would get away with "Your honour I didn't > export the plans for the ****, they remained on a server in the UK. Yes, they > could be viewed on a client workstation in Iran, but the plans stayed in the > UK". A little over a decade ago, this was the position with respect to strong encryption technology - at least according to CESG and the DTI at the time. Sending a strong crypto algorithm to certain countries would be an offence. But putting them on a server where someone could download them, was not. It seemed rather ridiculous even then, and has not grown less so with time. D. From igb at batten.eu.org Wed Jan 19 19:50:37 2011 From: igb at batten.eu.org (Ian Batten) Date: Wed, 19 Jan 2011 19:50:37 +0000 Subject: Starmer dumps doormat? In-Reply-To: <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> Message-ID: On 19 Jan 2011, at 13:37, Andrew Cormack wrote: > > Did you consider the possibility that in that scenario the secretary > may actually be acting as a legal agent for the boss? It was > discussed on another list last year where we concluded that if the > secretary wasn't the "intended recipient" then there was no way out > of the conclusion that they were acting unlawfully, because of the > requirement for both parties to have consented. Of course, you don't even need to construct scenarios of the workplace to get this problem. Households with a shared answering machine, for example. ian -------------- next part -------------- An HTML attachment was scrubbed... URL: From nbohm at ernest.net Wed Jan 19 18:17:36 2011 From: nbohm at ernest.net (Nicholas Bohm) Date: Wed, 19 Jan 2011 18:17:36 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> <4D35F07C.4030405@andros.org.uk> Message-ID: <4D372AC0.60406@ernest.net> On 19/01/2011 18:05, David Biggins wrote: >> -----Original Message----- >> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- >> bounces at chiark.greenend.org.uk] On Behalf Of Andrew McLean >> Sent: 18 January 2011 7:57 PM >> To: ukcrypto at chiark.greenend.org.uk >> Subject: Re: outsourcing GP appointments to India: is this legal under > DPA? > > >> Another analogous situation is export controls on "technologies" (i.e. >> intangibles). Do you think anyone would get away with "Your honour I > didn't >> export the plans for the ****, they remained on a server in the UK. > Yes, they >> could be viewed on a client workstation in Iran, but the plans stayed > in the >> UK". > > A little over a decade ago, this was the position with respect to > strong encryption technology - at least according to CESG and the DTI at > the time. > > Sending a strong crypto algorithm to certain countries would be an > offence. > > But putting them on a server where someone could download them, was not. > > It seemed rather ridiculous even then, and has not grown less so with > time. > > D. The question is, who does the exporting? And the answer, now - I think - as then, is that it is the person who does the acts which cause the data to be exported. That may indeed be the person who, from outside the UK, sends the request to the UK website which makes the data readable abroad. Nicholas -- Contact and PGP key here From lists at internetpolicyagency.com Thu Jan 20 07:25:26 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 20 Jan 2011 07:25:26 +0000 Subject: Starmer dumps doormat? In-Reply-To: References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> Message-ID: In article , Ian Batten writes >Did you consider the possibility that in that scenario the secretary >may actually be acting as a legal agent for the boss? It was discussed >on another list last year where we concluded that if the secretary >wasn't the "intended recipient" then there was no way out of the >conclusion that they were acting unlawfully, because of the requirement >for both parties to have consented. > >Of course, you don't even need to construct scenarios of the workplace >to get this problem. ? Households with a shared answering machine, for >example But that example (maybe even literally in Parliamentary debate) is one of the reasons for it not being an offence to intercept on a private network. And everything beyond BT's white terminating box is a private network. (The difference in the corporate situation, upon which I was relying, was the idea that a Centrex system, or Centrex-for-mobiles (whether that might be called) is comprised mainly of public networking, especially the point at which the diversion takes place.) -- Roland Perry From lists at internetpolicyagency.com Thu Jan 20 07:45:48 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 20 Jan 2011 07:45:48 +0000 Subject: Starmer dumps doormat? In-Reply-To: <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> Message-ID: In article <61E52F3A5532BE43B0211254F13883AE033A58 at EXC001>, Andrew Cormack writes > > >> -----Original Message----- >> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- >> bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry >> Sent: 19 January 2011 10:02 >> To: ukcrypto at chiark.greenend.org.uk >> Subject: Re: Starmer dumps doormat? >> >> Several years ago I also wrote a mini-paper about the situation in >> places like an office, where a "boss" (sorry for the stereotyping) >> diverts his phone and voicemail to a secretary, and therefore the first >> person to get (and listen to) them is not the intended recipient. Make >> that in spades when it's the secretary who sets up the diversion on her >> own initiative. [nb in these scenarios, the recipient can be argued to >> have given permission, but the sender hasn't; and many corporates use >> what are in effect public networks as a virtual PABX, so it's not >> necessarily being done on a private network either. > >Roland >Did you consider the possibility that in that scenario the secretary >may actually be acting as a legal agent for the boss? It was discussed >on another list last year where we concluded that if the secretary >wasn't the "intended recipient" then there was no way out of the >conclusion that they were acting unlawfully, because of the requirement >for both parties to have consented. > >None of us knew the law of agency in detail (and I haven't had time >since to look it up). Me neither, and this is the first time I've heard of the concept being applied to RIPA. Without (no, really) wishing to re-open an old debate, perhaps one could argue that a virus checker (supplied in the network) that I have subscribed to, is also my agent? [And, cough, a behavioural advertising platform (that I've agreed to on behalf of my family) too]. > But it seemed that if that resulted in the secretary acting *as* the >boss for a particular subset of his work then the secretary/boss *is* >the intended recipient and the interception problem goes away. That >seemed a reasonable fit for the paper-based world where, if I get a >letter signed "pp CEO" then I treat it as coming from the CEO, even >though it's very obvious that it hasn't. But what about inbound items (email or postal) marked "Private and Confidential"? >It also seemed to make it the boss's responsibility to define the >extent of actions for which the secretary could act as agent, and if >the boss doesn't make that clear then it's their problem and not the >secretary's. It seemed a bit unfair to us if the poor secretary carried >the can for misinterpreting unclear instructions, which seems to be >another consequence of trying to justify it as interception-with-consent :( I think we are back in the situation I was describing earlier - there might be one outcome dictated by common sense (based on a deeper understanding of these 'private sector interception' issues than perhaps was exposed in the ICOA Review in 1999), and another by the way the current law is drafted. Roland. >-- >Andrew Cormack, Chief Regulatory Adviser, JANET(UK) -- Roland Perry From pwt at iosis.co.uk Thu Jan 20 08:11:26 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Thu, 20 Jan 2011 08:11:26 +0000 Subject: Starmer dumps doormat? In-Reply-To: References: <003001cbb49d$5cdaa810$168ff830$@gmx.net><4D31B494.20803@pelicancrossing.net><000c01cbb4d2$f6781db0$e3685910$@gmx.net><4D31DDFE.4010303@iosis.co.uk><4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk><61E52F3A5532BE43B0211254F13883AE033A58@EXC001> Message-ID: <4D37EE2E.4070304@iosis.co.uk> On 20/01/2011 07:45, Roland Perry wrote: > But what about inbound items (email or postal) marked "Private and > Confidential"? > Seems to me that expecting third parties to respect that just because of the way the message is marked has to rely on the integrity of those encountering the message, not on the law. Peter From otcbn at callnetuk.com Thu Jan 20 11:09:12 2011 From: otcbn at callnetuk.com (Peter Mitchell) Date: Thu, 20 Jan 2011 11:09:12 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: <4D372AC0.60406@ernest.net> References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> <4D35F07C.4030405@andros.org.uk> <4D372AC0.60406@ernest.net> Message-ID: <4D3817D8.1000202@callnetuk.com> Nicholas Bohm wrote on 19-01-11 18:17: > The question is, who does the exporting? And the answer, now - I think > - as then, is that it is the person who does the acts which cause the > data to be exported. That may indeed be the person who, from outside > the UK, sends the request to the UK website which makes the data > readable abroad. In the recent Sportradar case, the High Court Chancery Division decided that "a company is responsible for 'making available' internet-hosted material in the country where its host server is based, not in the country where the material is read or used". http://www.bailii.org/ew/cases/EWHC/Ch/2010/2911.html This seems relevant to our "exporting" controversy. But I do not know to what extent judgments of a court that deals with one particular area of the law are regarded as binding on courts that deal with other areas. Probably it is decided on a case by case basis, the main desideratum being whatever best suits the authorities. Re outsourcing medical data to India; it has been done routinely for a decade at least, and for material that is far more sensitive than appointments. Several specialist companies have been set up to do it, and AFAIK are flourishing. -- Pete Mitchell From nbohm at ernest.net Thu Jan 20 11:46:21 2011 From: nbohm at ernest.net (Nicholas Bohm) Date: Thu, 20 Jan 2011 11:46:21 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: <4D3817D8.1000202@callnetuk.com> References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> <4D35F07C.4030405@andros.org.uk> <4D372AC0.60406@ernest.net> <4D3817D8.1000202@callnetuk.com> Message-ID: <4D38208D.5060702@ernest.net> On 20/01/2011 11:09, Peter Mitchell wrote: > Nicholas Bohm wrote on 19-01-11 18:17: >> The question is, who does the exporting? And the answer, now - I think >> - as then, is that it is the person who does the acts which cause the >> data to be exported. That may indeed be the person who, from outside >> the UK, sends the request to the UK website which makes the data >> readable abroad. > > In the recent Sportradar case, the High Court Chancery Division > decided that "a company is responsible for 'making available' > internet-hosted material in the country where its host server is > based, not in the country where the material is read or used". > http://www.bailii.org/ew/cases/EWHC/Ch/2010/2911.html > > This seems relevant to our "exporting" controversy. But I do not know > to what extent judgments of a court that deals with one particular > area of the law are regarded as binding on courts that deal with other > areas. Probably it is decided on a case by case basis, the main > desideratum being whatever best suits the authorities. > Re outsourcing medical data to India; it has been done routinely for a > decade at least, and for material that is far more sensitive than > appointments. Several specialist companies have been set up to do it, > and AFAIK are flourishing. An interesting case. The judge said at 74: "I have come to the conclusion that the better view is that the act of making available to the public by online transmission is committed and committed only where the transmission takes place. It is true that the placing of data on a server in one state can make the data available to the public of another state but that does not mean that the party who has made the data available has committed the act of making available by transmission in the State of reception. I consider that the better construction of the provisions is that the act only occurs in the state of transmission." This is a case about copyright and database right, and the meaning of an expression used in that legislative context. It has no binding effect in relation to legislation on other subjects, even if the same expression were used (which isn't always the case anyway). It can be referred to in argument, of course, but its effectiveness would depend on how good the analogy was between the two sets of circumstances. It is interesting that it comes to the same conclusion as I suggested applies to exports, but in no way decisive. Nicholas -- Contact and PGP key here From clive at davros.org Thu Jan 20 09:14:17 2011 From: clive at davros.org (Clive D.W. Feather) Date: Thu, 20 Jan 2011 09:14:17 +0000 Subject: Starmer dumps doormat? In-Reply-To: References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> Message-ID: <20110120091416.GA60575@davros.org> Roland Perry said: >> Of course, you don't even need to construct scenarios of the workplace >> to get this problem. ? Households with a shared answering machine, for >> example > > But that example (maybe even literally in Parliamentary debate) is one > of the reasons for it not being an offence to intercept on a private > network. Yes, it is, unless the interception is done by the owner of the private network or with her authority: 1.(6) The circumstances in which a person makes an interception of a communication in the course of its transmission by means of a private telecommunication system are such that his conduct is excluded from criminal liability under subsection (2) if - (a) he is a person with a right to control the operation or the use of the system; or (b) he has the express or implied consent of such a person to make the interception. [Is it me, or is that a sentence fragment with no primary verb?] If I change the settings on my answering machine, that's legal. If a visitor changes them without my knowledge, that's unlawful. If my adult daughter does it without asking me, that depends on whether she has my implied consent. -- Clive D.W. Feather | If you lie to the compiler, Email: clive at davros.org | it will get its revenge. Web: http://www.davros.org | - Henry Spencer Mobile: +44 7973 377646 From Andrew.Cormack at ja.net Thu Jan 20 09:31:01 2011 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Thu, 20 Jan 2011 09:31:01 +0000 Subject: Starmer dumps doormat? In-Reply-To: References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> Message-ID: <61E52F3A5532BE43B0211254F13883AE034061@EXC001> > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry > Sent: 20 January 2011 07:46 > To: ukcrypto at chiark.greenend.org.uk > Subject: Re: Starmer dumps doormat? > > In article <61E52F3A5532BE43B0211254F13883AE033A58 at EXC001>, Andrew > Cormack writes > > > > > >> -----Original Message----- > >> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > >> bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry > >> Sent: 19 January 2011 10:02 > >> To: ukcrypto at chiark.greenend.org.uk > >> Subject: Re: Starmer dumps doormat? > >> > >> Several years ago I also wrote a mini-paper about the situation in > >> places like an office, where a "boss" (sorry for the stereotyping) > >> diverts his phone and voicemail to a secretary, and therefore the > first > >> person to get (and listen to) them is not the intended recipient. > Make > >> that in spades when it's the secretary who sets up the diversion on > her > >> own initiative. [nb in these scenarios, the recipient can be argued > to > >> have given permission, but the sender hasn't; and many corporates > use > >> what are in effect public networks as a virtual PABX, so it's not > >> necessarily being done on a private network either. > > > >Roland > >Did you consider the possibility that in that scenario the secretary > >may actually be acting as a legal agent for the boss? It was discussed > >on another list last year where we concluded that if the secretary > >wasn't the "intended recipient" then there was no way out of the > >conclusion that they were acting unlawfully, because of the > requirement > >for both parties to have consented. > > > >None of us knew the law of agency in detail (and I haven't had time > >since to look it up). > > Me neither, and this is the first time I've heard of the concept being > applied to RIPA. Without (no, really) wishing to re-open an old debate, > perhaps one could argue that a virus checker (supplied in the network) > that I have subscribed to, is also my agent? [And, cough, a behavioural > advertising platform (that I've agreed to on behalf of my family) too]. From igb at batten.eu.org Thu Jan 20 14:34:18 2011 From: igb at batten.eu.org (Ian Batten) Date: Thu, 20 Jan 2011 14:34:18 +0000 Subject: Starmer dumps doormat? In-Reply-To: References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> Message-ID: On 20 Jan 11, at 0725, Roland Perry wrote: > In article , Ian Batten writes >> Did you consider the possibility that in that scenario the secretary may actually be acting as a legal agent for the boss? It was discussed on another list last year where we concluded that if the secretary wasn't the "intended recipient" then there was no way out of the conclusion that they were acting unlawfully, because of the requirement for both parties to have consented. >> >> Of course, you don't even need to construct scenarios of the workplace to get this problem. Households with a shared answering machine, for example > > But that example (maybe even literally in Parliamentary debate) is one of the reasons for it not being an offence to intercept on a private network. And everything beyond BT's white terminating box is a private network. How does that work in the context of 1571 (Callminder), which is a voice mail service offered by the network operator and hosted within the operator's data centre? There's only one mail mailbox associated with the line. When I call 1571, the messages could be for anyone. ian From nbohm at ernest.net Thu Jan 20 14:37:56 2011 From: nbohm at ernest.net (Nicholas Bohm) Date: Thu, 20 Jan 2011 14:37:56 +0000 Subject: Starmer dumps doormat? In-Reply-To: <61E52F3A5532BE43B0211254F13883AE034061@EXC001> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> <61E52F3A5532BE43B0211254F13883AE034061@EXC001> Message-ID: <4D3848C4.7050002@ernest.net> On 20/01/2011 09:31, Andrew Cormack wrote: ... > From papers at law conferences discussing whether avatars could be > agents (really!) I suspect that in current law an agent has to be > human. But there are definitely legal problems around the status of > "software agents", so that may be the way the law is heading. If I > find time to investigate I'll try to remember to report back here. ... An agent is a person with power to alter the legal relationships of his principal. Both must be entities recognised by the law as having legal personality (i.e. individuals or corporations). Nicholas -- Contact and PGP key here From zenadsl6186 at zen.co.uk Thu Jan 20 15:28:12 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Thu, 20 Jan 2011 15:28:12 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: <4D372AC0.60406@ernest.net> References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> <4D35F07C.4030405@andros.org.uk> <4D372AC0.60406@ernest.net> Message-ID: <4D38548C.1030602@zen.co.uk> Nicholas Bohm wrote: > On 19/01/2011 18:05, David Biggins wrote: >> A little over a decade ago, this was the position with respect to >> strong encryption technology - at least according to CESG and the DTI at >> the time. >> >> Sending a strong crypto algorithm to certain countries would be an >> offence. >> >> But putting them on a server where someone could download them, was not. >> >> It seemed rather ridiculous even then, and has not grown less so with >> time. Iirc, the reason putting crypto software on a server would be legal when directly exporting it wouldn't be legal was (and is) because doing so made the software generally available to anyone, and therefore the software would be excluded from export controls by the GSN (General Software Note, part of the Wassenaar agreement). > The question is, who does the exporting? And the answer, now - I think > - as then, is that it is the person who does the acts which cause the > data to be exported. Anyone who does any acts which cause the data to be exported, perhaps - I can't see that it is somehow limited to one person. The foreign guy's act was sufficient in itself to cause the export, given the existing situation, so he is guilty. The home guy can say "my act alone was insufficient". Whether that would fly .. well looking at things like mod chips, it could go either way, probably based on mens rea mostly. I don't think there is any duty to prevent export? -- Peter Fairbrother > That may indeed be the person who, from outside > the UK, sends the request to the UK website which makes the data > readable abroad. > > Nicholas From pwt at iosis.co.uk Thu Jan 20 15:34:42 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Thu, 20 Jan 2011 15:34:42 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D3848C4.7050002@ernest.net> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk><4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> <61E52F3A5532BE43B0211254F13883AE034061@EXC001> <4D3848C4.7050002@ernest.net> Message-ID: <4D385612.1000102@iosis.co.uk> On 20/01/2011 14:37, Nicholas Bohm wrote: > On 20/01/2011 09:31, Andrew Cormack wrote: > > ... >> From papers at law conferences discussing whether avatars could be >> agents (really!) I suspect that in current law an agent has to be >> human. But there are definitely legal problems around the status of >> "software agents", so that may be the way the law is heading. If I >> find time to investigate I'll try to remember to report back here. > ... > > An agent is a person with power to alter the legal relationships of his > principal. I thought that that is the definition of a representative. But maybe I sometimes move in different circles... > Both must be entities recognised by the law as having legal > personality (i.e. individuals or corporations). > > Nicholas From zenadsl6186 at zen.co.uk Thu Jan 20 16:01:07 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Thu, 20 Jan 2011 16:01:07 +0000 Subject: Starmer dumps doormat? In-Reply-To: References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> Message-ID: <4D385C43.9040303@zen.co.uk> Roland Perry wrote: > In article <61E52F3A5532BE43B0211254F13883AE033A58 at EXC001>, Andrew > Cormack writes >>> bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry >>> Several years ago I also wrote a mini-paper about the situation in >>> places like an office, where a "boss" (sorry for the stereotyping) >>> diverts his phone and voicemail to a secretary, and therefore the first >>> person to get (and listen to) them is not the intended recipient. Make >>> that in spades when it's the secretary who sets up the diversion on her >>> own initiative. [nb in these scenarios, the recipient can be argued to >>> have given permission, but the sender hasn't; and many corporates use >>> what are in effect public networks as a virtual PABX, so it's not >>> necessarily being done on a private network either. >> >> Roland >> Did you consider the possibility that in that scenario the secretary >> may actually be acting as a legal agent for the boss? It was discussed >> on another list last year where we concluded that if the secretary >> wasn't the "intended recipient" then there was no way out of the >> conclusion that they were acting unlawfully, because of the >> requirement for both parties to have consented. >> >> None of us knew the law of agency in detail (and I haven't had time >> since to look it up). > > Me neither, and this is the first time I've heard of the concept being > applied to RIPA. Without (no, really) wishing to re-open an old debate, > perhaps one could argue that a virus checker (supplied in the network) > that I have subscribed to, is also my agent? [And, cough, a behavioural > advertising platform (that I've agreed to on behalf of my family) too]. > >> But it seemed that if that resulted in the secretary acting *as* the >> boss for a particular subset of his work then the secretary/boss *is* >> the intended recipient and the interception problem goes away. That >> seemed a reasonable fit for the paper-based world where, if I get a >> letter signed "pp CEO" then I treat it as coming from the CEO, even >> though it's very obvious that it hasn't. I don't think agency is relevant here. It's whether the secretary is an/the intended recipient, as Andrew himself says. It's in the *intention* of the sender, sort-of. It's who the sender *intends* the message for - and as in the case of eg an email all he has is an email address, the expression and interpretation of that intention is necessarily a bit fuzzy. If you send Steve Jobs an email at apple, you cannot expect he will be the only person to read it, or even that he will read it at all - but you do expect that someone will read it. The intended recipient may therefore be presumed to be whoever an average person would expect it to be, given that email address. It may be a single person, or it may include secretaries, lawyers, mail clerks, the roadies and groupies, etc. > But what about inbound items (email or postal) marked "Private and > Confidential"? I think there is some precedent from letters here, but I don't know what it is. -- Peter Fairbrother From zenadsl6186 at zen.co.uk Thu Jan 20 16:55:14 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Thu, 20 Jan 2011 16:55:14 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: <4D38208D.5060702@ernest.net> References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> <4D35F07C.4030405@andros.org.uk> <4D372AC0.60406@ernest.net> <4D3817D8.1000202@callnetuk.com> <4D38208D.5060702@ernest.net> Message-ID: <4D3868F2.5030500@zen.co.uk> Nicholas Bohm wrote: > On 20/01/2011 11:09, Peter Mitchell wrote: >> Nicholas Bohm wrote on 19-01-11 18:17: >>> The question is, who does the exporting? And the answer, now - I think >>> - as then, is that it is the person who does the acts which cause the >>> data to be exported. That may indeed be the person who, from outside >>> the UK, sends the request to the UK website which makes the data >>> readable abroad. >> In the recent Sportradar case, the High Court Chancery Division >> decided that "a company is responsible for 'making available' >> internet-hosted material in the country where its host server is >> based, not in the country where the material is read or used". >> http://www.bailii.org/ew/cases/EWHC/Ch/2010/2911.html > An interesting case. > > The judge said at 74: "I have come to the conclusion that the better > view is that the act of making available to the public by online > transmission is committed and committed only where the transmission > takes place. > It is true that the placing of data on a server in one > state can make the data available to the public of another state but > that does not mean that the party who has made the data available has > committed the act of making available by transmission in the State of > reception. The last sentence is obvious, in hindsight anyway. The company who did the act of putting the data online in country A thereby made the data available in country B - but they did not commit that act in country B. The first sentence however apparently ignores the possibility that a person in country B might also be making data (more) available by requesting it - something which afaict [1] the judge did not consider, as he was only considering the actions of the company who put the data online. I therefore think he merely misspoke on that point, on which no weight can be given to his remarks. So it doesn't really touch on the meaning of "make available" in any deep way, and it doesn't have anything much to do with outsourcing data processing to India afaics - the company did the act of putting the data online in country A. [1] I think - it's a horribly complex judgement. -- Peter Fairbrother From nbohm at ernest.net Thu Jan 20 19:07:02 2011 From: nbohm at ernest.net (Nicholas Bohm) Date: Thu, 20 Jan 2011 19:07:02 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D385612.1000102@iosis.co.uk> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk><4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> <61E52F3A5532BE43B0211254F13883AE034061@EXC001> <4D3848C4.7050002@ernest.net> <4D385612.1000102@iosis.co.uk> Message-ID: <4D3887D6.8020309@ernest.net> On 20/01/2011 15:34, Peter Tomlinson wrote: > > On 20/01/2011 14:37, Nicholas Bohm wrote: >> On 20/01/2011 09:31, Andrew Cormack wrote: >> >> ... >>> From papers at law conferences discussing whether avatars could be >>> agents (really!) I suspect that in current law an agent has to be >>> human. But there are definitely legal problems around the status of >>> "software agents", so that may be the way the law is heading. If I >>> find time to investigate I'll try to remember to report back here. >> ... >> >> An agent is a person with power to alter the legal relationships of his >> principal. > I thought that that is the definition of a representative. But maybe I > sometimes move in different circles... >> Both must be entities recognised by the law as having legal >> personality (i.e. individuals or corporations). >> >> Nicholas > "Agent" is a term with a specific legal meaning, though of course it isn't always used with that meaning (e.g. "software agent"). "Representative" has no general legal meaning (though it does have some particular ones, as in "legal personal representative" which means an executor or administrator of the estate of someone who has died). In a commercial context a representative might have agency powers, and be capable of committing a principal to a sale, but equally might not, and might be a mere introducer. Nicholas -- Contact and PGP key here From james2 at jfirth.net Thu Jan 20 16:11:50 2011 From: james2 at jfirth.net (James Firth) Date: Thu, 20 Jan 2011 16:11:50 -0000 Subject: Digital Economy Act update, draft SI Message-ID: <00bb01cbb8bc$bf3b2d40$3db187c0$@net> For anyone on this list following the progress of the Digital Economy Act, I got a tip that Ofcom has released a draft of the Statutory Instrument for the Initial Obligations Code as required by the enabling primary legislation passed last year. When I downloaded it (from Europa EU - MS Word doc caution - draft not yet available on parliament or legislation.gov.uk): http://ec.europa.eu/enterprise/tris/pisa/cfcontent.cfm?vFile=120100633EN.DOC ... It was clear this was only half - or less than half of the required legislation for the Initial Obligations Code. It only covers distribution of costs between ISPs and rights holders. (A whopping 75% to rights holders, 25% to ISPs). On one hand one could assume work on the code has been delayed following the Judicial Review pencilled in for March 22nd. But what if the JR failed? Then by my reckoning Ofcom is well behind the timescales to produce the code outlined in S6 of the Digital Economy Act. I'm hearing on the grapevine that the Culture Secretary is keen to get the full obligations code out soon, which makes sense, given I know constituents of Jeremy Hunt who were told point blank that Mr Hunt supported the moves to stamp out online piracy. So why split the code and push this SI out now, as the JR approaches? Monica Horten at IPTegrity has blogged this could be due to cost saving, as it gives the government a mandate to include costs ALREADY incurred by Ofcom in the overheads of running the graduated response scheme: http://www.iptegrity.com/index.php?option=com_content&task=view&id=610&Itemi d=9 I'm not convinced by this explanation, as a graduated response scheme can't be operated until the full Initial Obligations Code is passed by both houses - unless I'm missing something. So why publish the cost split legislation ahead of the full code? Really I wondered if anyone else on the list was following this car crash and had any thoughts? James Firth From fjmd1a at gmail.com Thu Jan 20 20:52:14 2011 From: fjmd1a at gmail.com (Francis Davey) Date: Thu, 20 Jan 2011 20:52:14 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: <4D3817D8.1000202@callnetuk.com> References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> <4D35F07C.4030405@andros.org.uk> <4D372AC0.60406@ernest.net> <4D3817D8.1000202@callnetuk.com> Message-ID: On 20/01/2011, Peter Mitchell wrote: > This seems relevant to our "exporting" controversy. But I do not know to > what extent judgments of a court that deals with one particular area of the > law are regarded as binding on courts that deal with other areas. Probably As Nicholas has explained - it varies, but often not a lot. I've sat in on a Court of Appeal hearing where the court decided (for good reason) that the exact same phrase used only a few sections later in the same act had an entirely different meaning. If they had meant the same thing, then a large chunk of the rest of the act would have made no sense. We all metaphorically rolled our eyes at Parliament's inability to produce coherent legislation. > it is decided on a case by case basis, the main desideratum being whatever > best suits the authorities. Absolutely not - or else it would be a waste of time running arguments against public bodies, which it rarely is. On the whole the judiciary try to apply fairly objective rules to statutory interpretation though (see above) the material they have to work with can be pretty wretched. > > Re outsourcing medical data to India; it has been done routinely for a > decade at least, and for material that is far more sensitive than > appointments. Several specialist companies have been set up to do it, and > AFAIK are flourishing. > Doesn't mean its lawful. There have been quite a number of judgments which found that widespread and common practice was illegal - a good example being local authority interest rate swap agreements. -- Francis Davey From Andrew.Cormack at ja.net Thu Jan 20 22:07:38 2011 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Thu, 20 Jan 2011 22:07:38 +0000 Subject: Digital Economy Act update, draft SI In-Reply-To: <00bb01cbb8bc$bf3b2d40$3db187c0$@net> References: <00bb01cbb8bc$bf3b2d40$3db187c0$@net> Message-ID: <61E52F3A5532BE43B0211254F13883AE0343C2@EXC001> James Well spotted, thanks. It's now in the draft SI section of legislation.gov.uk as http://www.legislation.gov.uk/ukdsi/2011/9780111505779/contents But it is only the cost sharing part, i.e. implementing the 75:25 split that was consulted on last spring by DBIS, and pretty much unaltered in their response in September. It may be (comments from those better informed very welcome) that once the two paths (cost sharing and obligations code) went into separate bodies (the former in DBIS the latter with OFCOM) then they have to be kept separate as SIs too? Come to think of it, this one is *draft* and specifies things that must be in the initial obligations code. So I wonder whether that means that Ofcom *can't* publish the draft Code SI until this one has gone from draft to final? So there could be a minimum of two SI approval windows to go, perhaps? However I note that the definitions section of this one still seems to expect the notification period to *end* on either 31st March 2012 or 31st March 2013. I note that it *doesn't* say that that period will start on 1st April 2011... Andrew -- Andrew Cormack, Chief Regulatory Adviser, JANET(UK) Lumen House, Library Avenue, Harwell, Didcot. OX11 0SG UK Phone: +44 (0) 1235 822302 Blog: http://webmedia.company.ja.net/edlabblogs/regulatory-developments/ JANET, the UK's education and research network JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of James Firth > Sent: 20 January 2011 16:12 > To: 'UK Cryptography Policy Discussion Group' > Subject: Digital Economy Act update, draft SI > > For anyone on this list following the progress of the Digital Economy > Act, > > I got a tip that Ofcom has released a draft of the Statutory Instrument > for > the Initial Obligations Code as required by the enabling primary > legislation > passed last year. > > When I downloaded it (from Europa EU - MS Word doc caution - draft not > yet > available on parliament or legislation.gov.uk): > http://ec.europa.eu/enterprise/tris/pisa/cfcontent.cfm?vFile=120100633E > N.DOC > > ... It was clear this was only half - or less than half of the required > legislation for the Initial Obligations Code. It only covers > distribution > of costs between ISPs and rights holders. (A whopping 75% to rights > holders, 25% to ISPs). > > On one hand one could assume work on the code has been delayed > following the > Judicial Review pencilled in for March 22nd. But what if the JR > failed? > Then by my reckoning Ofcom is well behind the timescales to produce the > code > outlined in S6 of the Digital Economy Act. > > I'm hearing on the grapevine that the Culture Secretary is keen to get > the > full obligations code out soon, which makes sense, given I know > constituents > of Jeremy Hunt who were told point blank that Mr Hunt supported the > moves to > stamp out online piracy. > > So why split the code and push this SI out now, as the JR approaches? > > Monica Horten at IPTegrity has blogged this could be due to cost > saving, as > it gives the government a mandate to include costs ALREADY incurred by > Ofcom > in the overheads of running the graduated response scheme: > > http://www.iptegrity.com/index.php?option=com_content&task=view&id=610& > Itemi > d=9 > > I'm not convinced by this explanation, as a graduated response scheme > can't > be operated until the full Initial Obligations Code is passed by both > houses > - unless I'm missing something. So why publish the cost split > legislation > ahead of the full code? > > Really I wondered if anyone else on the list was following this car > crash > and had any thoughts? > > James Firth > > > From Andrew.Cormack at ja.net Thu Jan 20 22:16:47 2011 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Thu, 20 Jan 2011 22:16:47 +0000 Subject: Digital Economy Act update, draft SI In-Reply-To: <61E52F3A5532BE43B0211254F13883AE0343C2@EXC001> References: <00bb01cbb8bc$bf3b2d40$3db187c0$@net> <61E52F3A5532BE43B0211254F13883AE0343C2@EXC001> Message-ID: <61E52F3A5532BE43B0211254F13883AE0343E3@EXC001> Just spotted an article this morning in the FT (http://www.ft.com/cms/s/0/0ef01288-248d-11e0-8c0e-00144feab49a.html); most of it is about the decline in growth in music sales (based on an IFPI report), but it ends: "The coalition government is also reviewing intellectual property law relating to the internet. Asked by Julian Huppert, a Liberal Democrat MP, whether the digital economy act might be repealed, Nick Clegg, deputy prime minister, said that he agreed "there are legitimate concerns about the workability of some aspects of the Digital Economy Act. The government are looking actively at those questions now, and we will make an announcement in due course." He added: "This government do not believe that people should be able to share content unlawfully but we are disappointed that the industry has not made faster progress towards adapting its business models to meet consumer demand."" Interesting times! Andrew -- Andrew Cormack, Chief Regulatory Adviser, JANET(UK) Lumen House, Library Avenue, Harwell, Didcot. OX11 0SG UK Phone: +44 (0) 1235 822302 Blog: http://webmedia.company.ja.net/edlabblogs/regulatory-developments/ JANET, the UK's education and research network JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Andrew Cormack > Sent: 20 January 2011 22:08 > To: UK Cryptography Policy Discussion Group > Subject: RE: Digital Economy Act update, draft SI > > James > Well spotted, thanks. It's now in the draft SI section of > legislation.gov.uk as > http://www.legislation.gov.uk/ukdsi/2011/9780111505779/contents > > But it is only the cost sharing part, i.e. implementing the 75:25 split > that was consulted on last spring by DBIS, and pretty much unaltered in > their response in September. It may be (comments from those better > informed very welcome) that once the two paths (cost sharing and > obligations code) went into separate bodies (the former in DBIS the > latter with OFCOM) then they have to be kept separate as SIs too? > > Come to think of it, this one is *draft* and specifies things that must > be in the initial obligations code. So I wonder whether that means that > Ofcom *can't* publish the draft Code SI until this one has gone from > draft to final? So there could be a minimum of two SI approval windows > to go, perhaps? > > However I note that the definitions section of this one still seems to > expect the notification period to *end* on either 31st March 2012 or > 31st March 2013. I note that it *doesn't* say that that period will > start on 1st April 2011... > > Andrew > > -- > Andrew Cormack, Chief Regulatory Adviser, JANET(UK) > Lumen House, Library Avenue, Harwell, Didcot. OX11 0SG UK > Phone: +44 (0) 1235 822302 > Blog: http://webmedia.company.ja.net/edlabblogs/regulatory- > developments/ > > JANET, the UK's education and research network > > JANET(UK) is a trading name of The JNT Association, a company limited > by guarantee which is registered in England under No. 2881024 > and whose Registered Office is at Lumen House, Library Avenue, > Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG > > > -----Original Message----- > > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > > bounces at chiark.greenend.org.uk] On Behalf Of James Firth > > Sent: 20 January 2011 16:12 > > To: 'UK Cryptography Policy Discussion Group' > > Subject: Digital Economy Act update, draft SI > > > > For anyone on this list following the progress of the Digital Economy > > Act, > > > > I got a tip that Ofcom has released a draft of the Statutory > Instrument > > for > > the Initial Obligations Code as required by the enabling primary > > legislation > > passed last year. > > > > When I downloaded it (from Europa EU - MS Word doc caution - draft > not > > yet > > available on parliament or legislation.gov.uk): > > > http://ec.europa.eu/enterprise/tris/pisa/cfcontent.cfm?vFile=120100633E > > N.DOC > > > > ... It was clear this was only half - or less than half of the > required > > legislation for the Initial Obligations Code. It only covers > > distribution > > of costs between ISPs and rights holders. (A whopping 75% to rights > > holders, 25% to ISPs). > > > > On one hand one could assume work on the code has been delayed > > following the > > Judicial Review pencilled in for March 22nd. But what if the JR > > failed? > > Then by my reckoning Ofcom is well behind the timescales to produce > the > > code > > outlined in S6 of the Digital Economy Act. > > > > I'm hearing on the grapevine that the Culture Secretary is keen to > get > > the > > full obligations code out soon, which makes sense, given I know > > constituents > > of Jeremy Hunt who were told point blank that Mr Hunt supported the > > moves to > > stamp out online piracy. > > > > So why split the code and push this SI out now, as the JR approaches? > > > > Monica Horten at IPTegrity has blogged this could be due to cost > > saving, as > > it gives the government a mandate to include costs ALREADY incurred > by > > Ofcom > > in the overheads of running the graduated response scheme: > > > > > http://www.iptegrity.com/index.php?option=com_content&task=view&id=610& > > Itemi > > d=9 > > > > I'm not convinced by this explanation, as a graduated response scheme > > can't > > be operated until the full Initial Obligations Code is passed by both > > houses > > - unless I'm missing something. So why publish the cost split > > legislation > > ahead of the full code? > > > > Really I wondered if anyone else on the list was following this car > > crash > > and had any thoughts? > > > > James Firth > > > > > > > From pwt at iosis.co.uk Fri Jan 21 06:32:23 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Fri, 21 Jan 2011 06:32:23 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D3887D6.8020309@ernest.net> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk><4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> <61E52F3A5532BE43B0211254F13883AE034061@EXC001> <4D3848C4.7050002@ernest.net><4D385612.1000102@iosis.co.uk> <4D3887D6.8020309@ernest.net> Message-ID: <4D392877.2060008@iosis.co.uk> On 20/01/2011 19:07, Nicholas Bohm wrote: > On 20/01/2011 15:34, Peter Tomlinson wrote: >> On 20/01/2011 14:37, Nicholas Bohm wrote: >>> On 20/01/2011 09:31, Andrew Cormack wrote: >>> >>> ... >>>> From papers at law conferences discussing whether avatars could be >>>> agents (really!) I suspect that in current law an agent has to be >>>> human. But there are definitely legal problems around the status of >>>> "software agents", so that may be the way the law is heading. If I >>>> find time to investigate I'll try to remember to report back here. >>> ... >>> >>> An agent is a person with power to alter the legal relationships of his >>> principal. >> I thought that that is the definition of a representative. But maybe I >> sometimes move in different circles... >>> Both must be entities recognised by the law as having legal >>> personality (i.e. individuals or corporations). >>> >>> > "Agent" is a term with a specific legal meaning, though of course it > isn't always used with that meaning (e.g. "software agent"). > > "Representative" has no general legal meaning (though it does have some > particular ones, as in "legal personal representative" which means an > executor or administrator of the estate of someone who has died). In a > commercial context a representative might have agency powers, and be > capable of committing a principal to a sale, but equally might not, and > might be a mere introducer. Yet Googling "Representative" quickly turns up use of the term in UK situations where it has the air of authority about it. It is traceable back a long way, Old French being referred to. It also appears in theology, where I believe that its use is derived from the situation where a person in power in a [middle eastern] community sent a Representative to another community, conferring on that person power to act for his principal (quite possibly on pain of death if he returns having screwed up the mission). But back to the UK where we merely sack people if they mess up, and then risk an action for unfair dismissal... http://www.hse.gov.uk/involvement/hsrepresentatives.htm Health and safety representatives have functions given by law. * If you are a trade union-appointed health and safety representative, your functions are set out in the Safety Representatives and Safety Committees Regulations 1977 * If you are a representative of employee safety, your functions are set out in the Health and Safety (Consultation with Employees) Regulations 1996 http://www.fsa.gov.uk/Pages/doing/regulated/notify/reps/index.shtml The definition of an appointed representative is set out in s39 of The Financial Services and Markets Act 2000 (FSMA) and is contained in the Glossary to the FSA Handbook. http://www.ukba.homeoffice.gov.uk/workingintheuk/othercategories/solerepresentatives/representatives/ Sole representatives of overseas firms Can I use a representative to apply for leave to remain under the sole representative of an overseas firm category? This page explains whether you can use a representative, such as a solicitor or other agent, when applying for leave to remain as a sole representative of an overseas firm. If you would like to use a representative when applying for leave to remain, you should make sure that they are registered with the Office of the Immigration Services Commissioner (OISC) or are exempt from the requirement to be registered (see below). Anyone who gives advice or acts on your behalf but is not registered could be committing a criminal offence. http://www.direct.gov.uk/en/Employment/TradeUnions/Tradeunionsintheworkplace/DG_179246 If your employer deals with trade unions, you may be represented in your workplace by colleagues who are trade union representatives. You may even wish to become a representative and talk to your employer on behalf of your colleagues. What is a trade union representative? A trade union representative (rep) is a member of a trade union who represents their work colleagues in dealings with an employer. They often provide advice on employment matters directly to colleagues. Trade union reps are also called ?lay representatives? or ?lay officials? to separate them from officials who are employees of the trade union. Trade union reps are volunteers. They do not receive extra pay for their work as reps, though many are entitled to time off with pay to undertake their role as a rep. The role of trade union reps Trade union reps are there to: * discuss any concerns you have with your employer * accompany you to disciplinary or grievance hearings * represent you in collective bargaining over your pay and your terms and conditions of employment * talk to your employer to try and find agreements to resolve any workplace issues * engage with your employer to develop best practice in various workplace areas, such as health and safety Your employer should consult trade union reps if: * there is a business transfer or takeover * they are planning to make 20 or more employees redundant within a period of 90 days And an international one: http://www.tonyblairoffice.org/quartet/ (5/1/11) VIDEO: Tony Blair talks to Sky News about the need to give credibility to the negotiations for Middle East peace Watch Quartet Representative Tony Blair talk to Sky News during his latest trip to the Middle East: "Our task - and I think we measure this in terms of weeks not months - is to give credibility to this negotiation.". And that is only from the first page of the Google results. So I maintain that "Representative" is a very powerful word. And, as a consequence, there is a lot of law codifying the powers of a Representative in particular situations, showing that, where the two parties are in a position to directly communicate with each other (far more likely these days than in times past), often the Representative is not an Agent. Peter From james2 at jfirth.net Fri Jan 21 08:03:54 2011 From: james2 at jfirth.net (James Firth) Date: Fri, 21 Jan 2011 08:03:54 -0000 Subject: Digital Economy Act update, draft SI In-Reply-To: <61E52F3A5532BE43B0211254F13883AE0343E3@EXC001> References: <00bb01cbb8bc$bf3b2d40$3db187c0$@net> <61E52F3A5532BE43B0211254F13883AE0343C2@EXC001> <61E52F3A5532BE43B0211254F13883AE0343E3@EXC001> Message-ID: <004e01cbb941$bfaf2350$3f0d69f0$@net> > Just spotted an article this morning in the FT > (http://www.ft.com/cms/s/0/0ef01288-248d-11e0-8c0e-00144feab49a.html); > most of it is about the decline in growth in music sales (based on an > IFPI report), but it ends: > > "The coalition government is also reviewing intellectual property law > relating to the internet. Asked by Julian Huppert, a Liberal Democrat > MP, whether the digital economy act might be repealed, Nick Clegg, > deputy prime minister, said that he agreed "there are legitimate > concerns about the workability of some aspects of the Digital Economy > Act. The government are looking actively at those questions now, and we > will make an announcement in due course." > > He added: "This government do not believe that people should be able to > share content unlawfully but we are disappointed that the industry has > not made faster progress towards adapting its business models to meet > consumer demand."" This was from Oral Questions to the DPM on Tuesday - I saw someone tweeting about this but forgot to follow it up when Hansard was available so many thanks for this. I'm not sure it has much significance. I'm hearing from my contacts that one of the loudest voiced of opposition is coming from libraries and other public intermediaries. I went to a session last year at the British Library on the subject of public intermediaries and the DEA and they had a very focussed area of concern: http://www.slightlyrightofcentre.com/2010/11/public-intermediaries-and-digit al.html I know from very well placed sources that opposition from public libraries in particular is putting pressure on Ofcom. Meanwhile a reminder that the DCMS select committee is conducting a parallel enquiry into the Protection of Intellectual Property Rights Online. Submissions are open until 23rd March (day after the next JR hearing is due to open on 22nd Marchttp://www.parliament.uk/business/committees/committees-a-z/commons-sele ct/culture-media-and-sport-committee/news/committee-announces-new-inquiry/h at the High Court): James Firth From maryhawking at tigers.demon.co.uk Fri Jan 21 08:12:00 2011 From: maryhawking at tigers.demon.co.uk (Mary Hawking) Date: Fri, 21 Jan 2011 08:12:00 -0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC><20110113161528.GA32177@annexia.org><2UsGRqDqGhMNFAIm@perry.co.uk><5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org><4D35F07C.4030405@andros.org.uk><4D372AC0.60406@ernest.net> <4D3817D8.1000202@callnetuk.com> Message-ID: Mary Hawking -----Original Message----- From: Francis Davey [mailto:fjmd1a at gmail.com] > > Re outsourcing medical data to India; it has been done routinely for a > decade at least, and for material that is far more sensitive than > appointments. Several specialist companies have been set up to do it, and > AFAIK are flourishing. > Doesn't mean its lawful. There have been quite a number of judgments which found that widespread and common practice was illegal - a good example being local authority interest rate swap agreements. GPs are always being reminded of the importance of confidentiality and observing the Data Protection Act - which forbids the export of personally identifiable data to countries outside the EU with data protection laws which do not match EU standards. Both India and the USA fall into this category. True, there have been companies doing typing of medical letters in India for some time ("it isn't identifiable if there is no name or NHS number attached") but that does not make it legal. It is really disturbing when the NHS tries to force this illegality on the NHS via the NHS Shared Business Services - and I have no doubt that GP Consortia - if not GP practices themselves - will be effectively forced to use these services for back-office functions on grounds of economy. Assuming I am right in this, where will legal liability for the possible breach of confidentiality and the breach of Data Protection regulations lie? Mary Hawking -- Francis Davey From matthew at pemble.net Fri Jan 21 08:32:27 2011 From: matthew at pemble.net (Matthew Pemble) Date: Fri, 21 Jan 2011 08:32:27 +0000 Subject: outsourcing GP appointments to India: is this legal under DPA? In-Reply-To: References: <3908C7790EDD48B4B907A3B57EA0623E@MaryPC> <20110113161528.GA32177@annexia.org> <2UsGRqDqGhMNFAIm@perry.co.uk> <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE@batten.eu.org> <4D35F07C.4030405@andros.org.uk> <4D372AC0.60406@ernest.net> <4D3817D8.1000202@callnetuk.com> Message-ID: On 21 January 2011 08:12, Mary Hawking wrote: > > GPs are always being reminded of the importance of confidentiality and > observing the Data Protection Act - which forbids the export of personally > identifiable data to countries outside the EU with data protection laws > which do not match EU standards. > Both India and the USA fall into this category. > Not quite - if there isn't an equivalent (& approved) legal standard, you can still export provided you ensure adequate protection: (from the ico site) Yes, if you are satisfied that in the particular circumstances there is an > adequate level of protection. You can: > > - assess adequacy yourself; > - use contracts, including the European Commission approved model > contractual clauses; > - get your Binding Corporate Rules approved by the Information > Commissioner; or > - rely on the exceptions from the rule. > > > Assuming I am right in this, where will legal liability for the possible > breach of confidentiality and the breach of Data Protection regulations > lie? > With the Data Controller - which I assume is usually the GP partnership. M. -- Matthew Pemble -------------- next part -------------- An HTML attachment was scrubbed... URL: From nbohm at ernest.net Fri Jan 21 09:41:50 2011 From: nbohm at ernest.net (Nicholas Bohm) Date: Fri, 21 Jan 2011 09:41:50 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D392877.2060008@iosis.co.uk> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk><4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> <61E52F3A5532BE43B0211254F13883AE034061@EXC001> <4D3848C4.7050002@ernest.net><4D385612.1000102@iosis.co.uk> <4D3887D6.8020309@ernest.net> <4D392877.2060008@iosis.co.uk> Message-ID: <4D3954DE.505@ernest.net> On 21/01/2011 06:32, Peter Tomlinson wrote: > On 20/01/2011 19:07, Nicholas Bohm wrote: >> On 20/01/2011 15:34, Peter Tomlinson wrote: >>> On 20/01/2011 14:37, Nicholas Bohm wrote: >>>> On 20/01/2011 09:31, Andrew Cormack wrote: >>>> >>>> ... >>>>> From papers at law conferences discussing whether avatars could be >>>>> agents (really!) I suspect that in current law an agent has to be >>>>> human. But there are definitely legal problems around the status of >>>>> "software agents", so that may be the way the law is heading. If I >>>>> find time to investigate I'll try to remember to report back here. >>>> ... >>>> >>>> An agent is a person with power to alter the legal relationships of >>>> his >>>> principal. >>> I thought that that is the definition of a representative. But maybe I >>> sometimes move in different circles... >>>> Both must be entities recognised by the law as having legal >>>> personality (i.e. individuals or corporations). >>>> >>>> >> "Agent" is a term with a specific legal meaning, though of course it >> isn't always used with that meaning (e.g. "software agent"). >> >> "Representative" has no general legal meaning (though it does have some >> particular ones, as in "legal personal representative" which means an >> executor or administrator of the estate of someone who has died). In a >> commercial context a representative might have agency powers, and be >> capable of committing a principal to a sale, but equally might not, and >> might be a mere introducer. > Yet Googling "Representative" quickly turns up use of the term in UK > situations where it has the air of authority about it. It is traceable > back a long way, Old French being referred to. It also appears in > theology, where I believe that its use is derived from the situation > where a person in power in a [middle eastern] community sent a > Representative to another community, conferring on that person power > to act for his principal (quite possibly on pain of death if he > returns having screwed up the mission). > > But back to the UK where we merely sack people if they mess up, and > then risk an action for unfair dismissal... > > http://www.hse.gov.uk/involvement/hsrepresentatives.htm > > Health and safety representatives have functions given by law. > > * If you are a trade union-appointed health and safety representative, > your functions are set out in the Safety Representatives and Safety > Committees Regulations 1977 > * If you are a representative of employee safety, your functions are > set out in the Health and Safety (Consultation with Employees) > Regulations 1996 > > http://www.fsa.gov.uk/Pages/doing/regulated/notify/reps/index.shtml > > The definition of an appointed representative is set out in s39 of The > Financial Services and Markets Act 2000 (FSMA) and is contained in the > Glossary to the FSA Handbook. > > http://www.ukba.homeoffice.gov.uk/workingintheuk/othercategories/solerepresentatives/representatives/ > > > Sole representatives of overseas firms > > Can I use a representative to apply for leave to remain under the sole > representative of an overseas firm category? > > This page explains whether you can use a representative, such as a > solicitor or other agent, when applying for leave to remain as a sole > representative of an overseas firm. > > If you would like to use a representative when applying for leave to > remain, you should make sure that they are registered with the Office > of the Immigration Services Commissioner (OISC) or are exempt from the > requirement to be registered (see below). Anyone who gives advice or > acts on your behalf but is not registered could be committing a > criminal offence. > > http://www.direct.gov.uk/en/Employment/TradeUnions/Tradeunionsintheworkplace/DG_179246 > > > If your employer deals with trade unions, you may be represented in > your workplace by colleagues who are trade union representatives. You > may even wish to become a representative and talk to your employer on > behalf of your colleagues. > > What is a trade union representative? > > A trade union representative (rep) is a member of a trade union who > represents their work colleagues in dealings with an employer. They > often provide advice on employment matters directly to colleagues. > Trade union reps are also called ?lay representatives? or ?lay > officials? to separate them from officials who are employees of the > trade union. > > Trade union reps are volunteers. They do not receive extra pay for > their work as reps, though many are entitled to time off with pay to > undertake their role as a rep. > > The role of trade union reps > > Trade union reps are there to: > > * discuss any concerns you have with your employer > * accompany you to disciplinary or grievance hearings > * represent you in collective bargaining over your pay and your terms > and conditions of employment > * talk to your employer to try and find agreements to resolve any > workplace issues > * engage with your employer to develop best practice in various > workplace areas, such as health and safety > > Your employer should consult trade union reps if: > > * there is a business transfer or takeover > * they are planning to make 20 or more employees redundant within a > period of 90 days > > And an international one: http://www.tonyblairoffice.org/quartet/ > (5/1/11) > > VIDEO: Tony Blair talks to Sky News about the need to give credibility > to the negotiations for Middle East peace > > Watch Quartet Representative Tony Blair talk to Sky News during his > latest trip to the Middle East: "Our task - and I think we measure > this in terms of weeks not months - is to give credibility to this > negotiation.". > > And that is only from the first page of the Google results. > > So I maintain that "Representative" is a very powerful word. And, as a > consequence, there is a lot of law codifying the powers of a > Representative in particular situations, showing that, where the two > parties are in a position to directly communicate with each other (far > more likely these days than in times past), often the Representative > is not an Agent. Fascinating stuff. It shows that "representative" is often used in statute for people who represent others, though not necessarily as their agents. It seems to me to have a wider range of meanings than "agent", and no particular general legal meaning when used outside a specific statutory context. Does this matter? Nicholas -- Contact and PGP key here From marcus at connectotel.com Fri Jan 21 09:47:17 2011 From: marcus at connectotel.com (Marcus Williamson) Date: Fri, 21 Jan 2011 09:47:17 +0000 Subject: More on the DEA: ACS Law UK In More Hot Water Over Illegal Broadband ISP File Sharing Cases Message-ID: ACS Law UK In More Hot Water Over Illegal Broadband ISP File Sharing Cases http://www.ispreview.co.uk/story/2011/01/18/acs-law-uk-in-more-hot-water-over-illegal-broadband-isp-file-sharing-cases.html This follows the court hearing on 17 January. The cases will be heard again on 24 January. ACS Law is one of the companies involved in "speculative invoicing", which Lord Lucas spoke of in the House of Lords as being "straightforward legal blackmail"... From lists at internetpolicyagency.com Fri Jan 21 08:48:03 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 21 Jan 2011 08:48:03 +0000 Subject: Starmer dumps doormat? In-Reply-To: <4D37EE2E.4070304@iosis.co.uk> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> <4D37EE2E.4070304@iosis.co.uk> Message-ID: <7RpNZ8IDhUONFApP@perry.co.uk> In article <4D37EE2E.4070304 at iosis.co.uk>, Peter Tomlinson writes >> But what about inbound items (email or postal) marked "Private and >>Confidential"? >> >Seems to me that expecting third parties to respect that just because >of the way the message is marked has to rely on the integrity of those >encountering the message, not on the law. It seems a pretty clear way of expressing consent (or lack of). And if the law is formed around the concept of consent, surely you have to make some effort to determine consent (isn't that what the current RIPA amendments are all about?) -- Roland Perry From fjmd1a at gmail.com Fri Jan 21 10:49:34 2011 From: fjmd1a at gmail.com (Francis Davey) Date: Fri, 21 Jan 2011 10:49:34 +0000 Subject: More on the DEA: ACS Law UK In More Hot Water Over Illegal Broadband ISP File Sharing Cases In-Reply-To: References: Message-ID: The report is not strictly accurate. At the 17 January hearing, the judge wondered whether permission was needed by Media C.A.T. to discontinue. The hearing was adjourned to 24th January and in the meantime the notices of discontinuance were stayed (i.e. put on hold). There has, as yet, been no final decision about it. On 21/01/2011, Marcus Williamson wrote: > > ACS Law UK In More Hot Water Over Illegal Broadband ISP File Sharing Cases > > http://www.ispreview.co.uk/story/2011/01/18/acs-law-uk-in-more-hot-water-over-illegal-broadband-isp-file-sharing-cases.html > > This follows the court hearing on 17 January. The cases will be heard again > on 24 > January. > > ACS Law is one of the companies involved in "speculative invoicing", which > Lord > Lucas spoke of in the House of Lords as being "straightforward legal > blackmail"... > > > > -- Francis Davey From chl at clerew.man.ac.uk Fri Jan 21 12:56:35 2011 From: chl at clerew.man.ac.uk (Charles Lindsey) Date: Fri, 21 Jan 2011 12:56:35 -0000 Subject: Starmer dumps doormat? In-Reply-To: References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> Message-ID: On Thu, 20 Jan 2011 14:34:18 -0000, Ian Batten wrote: > How does that work in the context of 1571 (Callminder), which is a voice > mail service offered by the network operator and hosted within the > operator's data centre? There's only one mail mailbox associated with > the line. When I call 1571, the messages could be for anyone. I would think such messages residing in the operator's data centre would be quite obviously still "in the course of transmission". -- Charles?H.?Lindsey?---------At?Home,?doing?my?own?thing------------------------ Tel:?+44?161?436?6131? ???Web:?http://www.cs.man.ac.uk/~chl Email:?chl at clerew.man.ac.uk??????Snail:?5?Clerewood?Ave,?CHEADLE,?SK8?3JU,?U.K. PGP:?2C15F1A9??????Fingerprint:?73?6D?C2?51?93?A0?01?E7?65?E8?64?7E?14?A4?AB?A5 From lists at internetpolicyagency.com Fri Jan 21 14:53:06 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 21 Jan 2011 14:53:06 +0000 Subject: Starmer dumps doormat? In-Reply-To: <61E52F3A5532BE43B0211254F13883AE034061@EXC001> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> <61E52F3A5532BE43B0211254F13883AE034061@EXC001> Message-ID: <8A2PfdAS3ZONFA4y@perry.co.uk> In article <61E52F3A5532BE43B0211254F13883AE034061 at EXC001>, Andrew Cormack writes >> I think we are back in the situation I was describing earlier - there >>might be one outcome dictated by common sense (based on a deeper >>understanding of these 'private sector interception' issues than >>perhaps was exposed in the ICOA Review in 1999), and another by the >>way the current law is drafted. > >I suspect we are. But what's puzzling is that I would expect MPs to have understood the PA situation from their own experience so to have >talked about it. Since, as far as I know, they didn't, that made me wonder if there was an obvious (to them) answer to the problem that we >techies were missing. But it may be that all the examples in their world are covered by clear definitions of the doormat/BT box etc. and it's >only in things like e-mail, voicemail, Centrex, with which they weren't familiar in 1999 that the location of the doormat isn't clear, so the >possibility that the PA is on the "wrong" side of it arises. The only mention I recall (in debates etc) of PABX's and the various edge cases they throw up is in the Comms Data provisions where the "authorisations" were illustrated by the example of a hotel unable to find anyone on the staff capable of interrogating the PABX, so the police could decide to do it for themselves. -- Roland Perry From lists at internetpolicyagency.com Fri Jan 21 15:03:10 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 21 Jan 2011 15:03:10 +0000 Subject: Starmer dumps doormat? In-Reply-To: References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> Message-ID: In article , Charles Lindsey writes >> How does that work in the context of 1571 (Callminder), which is a >>voice mail service offered by the network operator and hosted within >>the operator's data centre? There's only one mail mailbox >>associated with the line. When I call 1571, the messages could be >>for anyone. > >I would think such messages residing in the operator's data centre >would be quite obviously still "in the course of transmission". And when I type "1571", and listen to a message to my wife, have I intercepted it, and did I do so lawfully. (It seems odd to be discussing such an everyday activity like this). -- Roland Perry From igb at batten.eu.org Fri Jan 21 21:47:34 2011 From: igb at batten.eu.org (Ian Batten) Date: Fri, 21 Jan 2011 21:47:34 +0000 Subject: Starmer dumps doormat? In-Reply-To: References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> Message-ID: <731509C0-5F9D-4D2B-91ED-21B0FA91FA05@batten.eu.org> > > And when I type "1571", and listen to a message to my wife, have I > intercepted it, and did I do so lawfully. On what basis is it legal, whereas other scenarios are illegal? ian From matthew at pemble.net Fri Jan 21 22:03:28 2011 From: matthew at pemble.net (Matthew Pemble) Date: Fri, 21 Jan 2011 22:03:28 +0000 Subject: Starmer dumps doormat? In-Reply-To: <731509C0-5F9D-4D2B-91ED-21B0FA91FA05@batten.eu.org> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> <731509C0-5F9D-4D2B-91ED-21B0FA91FA05@batten.eu.org> Message-ID: On 21 January 2011 21:47, Ian Batten wrote: > >> And when I type "1571", and listen to a message to my wife, have I >> intercepted it, and did I do so lawfully. >> > > On what basis is it legal, whereas other scenarios are illegal? > Roland does seem to be asking rather than declaiming - and as you clearly do, I think it a valid question. The answer being "the law is an ass" but, as ever, the lawmakers being ass's arses, I can't see it being improved in the near future. Cynically thine, M -- Matthew Pemble -------------- next part -------------- An HTML attachment was scrubbed... URL: From lists at internetpolicyagency.com Sat Jan 22 11:17:00 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 22 Jan 2011 11:17:00 +0000 Subject: Starmer dumps doormat? In-Reply-To: <731509C0-5F9D-4D2B-91ED-21B0FA91FA05@batten.eu.org> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> <731509C0-5F9D-4D2B-91ED-21B0FA91FA05@batten.eu.org> Message-ID: <2TZ9riEsyrONFA5W@perry.co.uk> In article <731509C0-5F9D-4D2B-91ED-21B0FA91FA05 at batten.eu.org>, Ian Batten writes >> And when I type "1571", and listen to a message to my wife, have I >>intercepted it, and did I do so lawfully. > >On what basis is it legal, whereas other scenarios are illegal? Perhaps the sender has given consent by leaving the message on what he can presumably identify as an answering machine service that might be accessed by multiple household members, and the recipient similarly has given consent for all household members to dial 1571. I'm not sure that the same assumptions about consent necessarily scale to the generally less well defined/understood (by the callers anyway) corporate environment, though. In article , Matthew Pemble writes >Roland does seem to be asking rather than declaiming I'm thinking out loud, wondering if anyone else has considered these scenarios, that the current law (and enforcers) would seem to regard as pesky edge cases, but are in fact everyday occurrences. -- Roland Perry From matthew at pemble.net Sat Jan 22 11:52:02 2011 From: matthew at pemble.net (Matthew Pemble) Date: Sat, 22 Jan 2011 11:52:02 +0000 Subject: Starmer dumps doormat? In-Reply-To: <2TZ9riEsyrONFA5W@perry.co.uk> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> <731509C0-5F9D-4D2B-91ED-21B0FA91FA05@batten.eu.org> <2TZ9riEsyrONFA5W@perry.co.uk> Message-ID: On 22 January 2011 11:17, Roland Perry wrote: > In article <731509C0-5F9D-4D2B-91ED-21B0FA91FA05 at batten.eu.org>, Ian > Batten writes > > Perhaps the sender has given consent by leaving the message on what he can > presumably identify as an answering machine service that might be accessed > by multiple household members, and the recipient similarly has given consent > for all household members to dial 1571. > In which case, are you lawfully allowed to listen passed the "traffic data", "This is a message for Jennifer"? And do you want, hypothetically, your kids listening to some of your messages? Even though you can stop them dialling 1571 (at, least, not without attracting the attention of the s.s.) M, -- Matthew Pemble -------------- next part -------------- An HTML attachment was scrubbed... URL: From lists at internetpolicyagency.com Sat Jan 22 12:19:39 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 22 Jan 2011 12:19:39 +0000 Subject: Starmer dumps doormat? In-Reply-To: References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> <731509C0-5F9D-4D2B-91ED-21B0FA91FA05@batten.eu.org> <2TZ9riEsyrONFA5W@perry.co.uk> Message-ID: In article , Matthew Pemble writes >On 22 January 2011 11:17, Roland Perry >wrote: > In article <731509C0-5F9D-4D2B-91ED-21B0FA91FA05 at batten.eu.org>, Ian > Batten writes > > Perhaps the sender has given consent by leaving the message on what > he can presumably identify as an answering machine service that > might be accessed by multiple household members, and the recipient > similarly has given consent for all household members to dial 1571. > >In which case, are you lawfully allowed to listen passed the "traffic >data", "This is a message for Jennifer"? Etiquette would sometimes decree that one stopped listening, yes; but my observation is that in the overwhelming number of cases in *our* household, even if the message is *for* Jennifer, she'd expect me to listen to it and relay it to her. And we'd want to avoid the "why didn't you tell me so-and-so called" scenario, and you might not get the "who" until the end of the message! In a bit of thread convergence with NHS issues, I note that they withhold their number, and are much coyer about what messages they leave, or what they say to "other people" who answer the phone. So to some extent custom and practice is "sender beware". >And do you want, hypothetically, your kids listening to some of your >messages? Even though you can stop them dialling 1571 (at, least, not >without attracting the attention of the s.s.) Dialling 1571 appears to be in the same camp as putting their clothes away in the wardrobe and loading dirty plates into the dishwasher - they don't seem to understand how it's done. (Unlike setting the VCR, where they are better at it than the adults). -- Roland Perry From igb at batten.eu.org Sun Jan 23 09:24:18 2011 From: igb at batten.eu.org (Ian Batten) Date: Sun, 23 Jan 2011 09:24:18 +0000 Subject: Starmer dumps doormat? In-Reply-To: <2TZ9riEsyrONFA5W@perry.co.uk> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> <731509C0-5F9D-4D2B-91ED-21B0FA91FA05@batten.eu.org> <2TZ9riEsyrONFA5W@perry.co.uk> Message-ID: <5D1713F8-7C4A-4210-B5E6-307E0A0B41B9@batten.eu.org> On 22 Jan 2011, at 11:17, Roland Perry wrote: > In article <731509C0-5F9D-4D2B-91ED-21B0FA91FA05 at batten.eu.org>, Ian Batten writes > >>> And when I type "1571", and listen to a message to my wife, have I intercepted it, and did I do so lawfully. >> >> On what basis is it legal, whereas other scenarios are illegal? > > Perhaps the sender has given consent by leaving the message on what he can presumably identify as an answering machine service that might be accessed by multiple household members A lot of people don't change the outgoing message, though, so unless you know people's domestic arrangements, you won't know if it's accessible by multiple people. Especially as a lot of younger callers, whose experience is more with mobiles than landlines, may assume that it's like mobile voicemail which is generally only accessibly by the intended recipient and the News of the World. And later: > Unlike setting the VCR, where they are better at it than the adults). VCR, grandad? ian From lists at internetpolicyagency.com Sun Jan 23 14:28:55 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Sun, 23 Jan 2011 14:28:55 +0000 Subject: Starmer dumps doormat? In-Reply-To: <5D1713F8-7C4A-4210-B5E6-307E0A0B41B9@batten.eu.org> References: <003001cbb49d$5cdaa810$168ff830$@gmx.net> <4D31B494.20803@pelicancrossing.net> <000c01cbb4d2$f6781db0$e3685910$@gmx.net> <4D31DDFE.4010303@iosis.co.uk> <4D3595E3.4090306@bbk.ac.uk> <4D35D1F7.5060304@zen.co.uk> <61E52F3A5532BE43B0211254F13883AE033A58@EXC001> <731509C0-5F9D-4D2B-91ED-21B0FA91FA05@batten.eu.org> <2TZ9riEsyrONFA5W@perry.co.uk> <5D1713F8-7C4A-4210-B5E6-307E0A0B41B9@batten.eu.org> Message-ID: In article <5D1713F8-7C4A-4210-B5E6-307E0A0B41B9 at batten.eu.org>, Ian Batten writes >>>> And when I type "1571", and listen to a message to my wife, have I >>>>intercepted it, and did I do so lawfully. >>> >>> On what basis is it legal, whereas other scenarios are illegal? >> >> Perhaps the sender has given consent by leaving the message on what >>he can presumably identify as an answering machine service that might >>be accessed by multiple household members > >A lot of people don't change the outgoing message, though, so unless >you know people's domestic arrangements, you won't know if it's >accessible by multiple people. What I meant was that the answering machine/service in most families can be presumed to be accessible by at least all those members of the family who can be bothered. >Especially as a lot of younger callers, whose experience is more with >mobiles than landlines, may assume that it's like mobile voicemail >which is generally only accessibly by the intended recipient and the >News of the World. Are they really as naive as that? Most will surely have been exposed to a conventional answering machine/service while growing up. And as for the privacy of mobiles, I often see kids grabbing one another's mobiles so they can flick through the SMS. >And later: > >> Unlike setting the VCR, where they are better at it than the adults). > >VCR, grandad? Oh yes. Although today I first encountered DLNA, and maybe need a switched on kid to fly it for me... -- Roland Perry From tony.naggs at googlemail.com Tue Jan 25 10:04:03 2011 From: tony.naggs at googlemail.com (Tony Naggs) Date: Tue, 25 Jan 2011 10:04:03 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia Message-ID: It appears that since June 2010 in Tunisia the government authorities systematically intercepted access to at least Facebook, Gmail, Yahoo mail and stole usernames & passwords. Then during the recent protests these stolen credentials were then used to disable or discredit accounts or groups of protestors using online services to organise themselves. Report at The Register - http://www.theregister.co.uk/2011/01/25/tunisia_facebook_password_slurping/ Excerpt below: Tunisia plants country-wide keystroke logger on Facebook Gmail and Yahoo! too By Dan Goodin in San Francisco Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation's authoritarian government, according to security experts and news reports. The rogue JavaScript, which was individually customized to steal passwords for each site, worked when users tried to login without availing themselves of the secure sockets layer protection designed to prevent man-in-the-middle attacks. It was found injected into Tunisian versions of Facebook, Gmail, and Yahoo! in late December, around the same time that protestors began demanding the ouster of Zine el-Abidine Ben Ali, the president who ruled the country from 1987 until his ouster 10 days ago. Danny O'Brien, internet advocacy coordinator for the Committee to Protect Journalists, told The Register that the script was most likely planted using an internet censorship system that's long been in place to control which pages Tunisian citizens can view. Under this theory, people inside Tunisian borders were led to pages that were perfect facsimiles of the targeted sites except that they included about 40 extra lines that siphoned users' login credentials. ... From marcus at connectotel.com Tue Jan 25 11:13:18 2011 From: marcus at connectotel.com (Marcus Williamson) Date: Tue, 25 Jan 2011 11:13:18 +0000 Subject: ACS:Law halts "speculative invoicing" activity Message-ID: Law firm ACS: Law stops 'chasing illegal file-sharers http://www.bbc.co.uk/news/technology-12253746 From james2 at jfirth.net Tue Jan 25 11:28:03 2011 From: james2 at jfirth.net (James Firth) Date: Tue, 25 Jan 2011 11:28:03 -0000 Subject: Law halts "speculative invoicing" activity In-Reply-To: References: Message-ID: <007b01cbbc82$ef3b1c70$cdb15550$@net> > Law firm ACS: Law stops 'chasing illegal file-sharers > http://www.bbc.co.uk/news/technology-12253746 I was just reading that. I'm not sure how much evidence there is to support Mr Crossley's assertions: "I have ceased my work...I have been subject to criminal attack. My e-mails have been hacked. I have had death threats and bomb threats," he said in the statement, read to the court by MediaCAT's barrister Tim Ludbrook." I'm reminded of this great piece on Andrew Crossley and ACS:Law http://www.telegraph.co.uk/culture/8110261/Are-you-a-middle-class-pirate-Thi s-man-wants-a-word-with-you....html "Crossley says he's big enough and ugly enough to look after himself - he'll get no argument from his many detractors on that point - and insists he won't be intimidated. 'I don't care what people say about me,' he shrugs." That whole Telegraph article is long but well worth a read for anyone interested in the antics of ACS:Law James Firth From rich at annexia.org Tue Jan 25 11:35:27 2011 From: rich at annexia.org (Richard W.M. Jones) Date: Tue, 25 Jan 2011 11:35:27 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: References: Message-ID: <20110125113527.GA29527@annexia.org> JGC's blog has the technical details: http://blog.jgc.org/2011/01/code-injected-to-steal-passwords-in.html Moral of the story is to use https:// URLs to fetch the initial form (ie. https://facebook.com/). The Firefox HTTPS-Everywhere extension automates this completely (https://www.eff.org/https-everywhere) -- no thought or technical skills required. Rich. -- Richard Jones Red Hat From amidgley at gmail.com Tue Jan 25 14:57:11 2011 From: amidgley at gmail.com (Adrian Midgley) Date: Tue, 25 Jan 2011 14:57:11 +0000 Subject: Law halts "speculative invoicing" activity In-Reply-To: <007b01cbbc82$ef3b1c70$cdb15550$@net> References: <007b01cbbc82$ef3b1c70$cdb15550$@net> Message-ID: > "Crossley says he's big enough and ugly enough to look after himself - > he'll > get no argument from his many detractors on that point - and insists he > won't be intimidated. 'I don't care what people say about me,' he shrugs." > > I expect it is a great comfort to him that he does not care what people say about him. -- Adrian Midgley http://www.defoam.net/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From amidgley at gmail.com Tue Jan 25 14:58:14 2011 From: amidgley at gmail.com (Adrian Midgley) Date: Tue, 25 Jan 2011 14:58:14 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: <20110125113527.GA29527@annexia.org> References: <20110125113527.GA29527@annexia.org> Message-ID: I wonder how much this applies within the NHS network. -- Adrian Midgley http://www.defoam.net/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From tony.naggs at googlemail.com Tue Jan 25 15:44:15 2011 From: tony.naggs at googlemail.com (Tony Naggs) Date: Tue, 25 Jan 2011 15:44:15 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: References: <20110125113527.GA29527@annexia.org> Message-ID: Hi Adrian On 25 January 2011 14:58, Adrian Midgley wrote: > I wonder how much this applies within the NHS network. I am not clear what you question is, nor do I know how the NHS networks are operated. If you are using the NHS network to access the Internet then your security can in theory be subverted quite easily, e.g.: 1. If you are using a non-secure protocol (e.g. http for web browsing) the data can be snooped on, or the web pages modified in a similar manner to that reported. 2. If you are using a secure protocol (e.g. https) the web browser only checks that the certificate matches the site, and that the signature is trusted. If PC is issued / maintained by the NHS the public key of signing certificate controlled by the NHS (or at least one of their security service providers) can be installed as trusted when the PC is prepared or updated. Although many people would simply install the signing certificate the first time they access a NHS service and are prompted to do so. For clarity: I don't know that the NHS does any of these things, but they are not terribly unusual on the networks of large commercial organisations. They are usually justified as measures to assist investigation of suspected leaking of company confidential information. (Product designs, price lists, tender documents, etc...) If your PC does not belong to the NHS and your Internet access does not go through the NHS network then you are safe from these issues. Cheers, Tony From passiveprofits at yahoo.com Tue Jan 25 16:18:47 2011 From: passiveprofits at yahoo.com (Passive PROFITS) Date: Tue, 25 Jan 2011 08:18:47 -0800 (PST) Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: <20110125113527.GA29527@annexia.org> Message-ID: <853336.29452.qm@web110513.mail.gq1.yahoo.com> That would not deal with the falsifying of certificates. Assuming the code-base of this is not intentional corrupt, the addition of an extension such as certpatrol is also required (a firefox extension), to notify one when the SSL cert swap by the government/ISP (using the browser accepted as 'true' passported C.A.(s) under their control) has taken place (a MiTM is in progress notification function). The other known way would be manual/local (each time) inspection of the cert fingerprint(s). e.g. you note Facebook's fingerprint then check each time it's got the same 'print. Then (once under notice the hack is under progress) you could retreat, or start playing your own pre-planned counter-measures ... depending on the peril of the situation, tactics, etc, call the government, depending on the nature of your business, etc. :/ Best, PP --- On Tue, 1/25/11, Richard W.M. Jones wrote: > From: Richard W.M. Jones > Subject: Re: nationwide interception of Facebook & webmail login credentials in Tunisia > To: "UK Cryptography Policy Discussion Group" > Date: Tuesday, January 25, 2011, 3:35 AM > > JGC's blog has the technical details: > > http://blog.jgc.org/2011/01/code-injected-to-steal-passwords-in.html > > Moral of the story is to use https:// URLs to fetch the > initial form > (ie. https://facebook.com/).? The Firefox > HTTPS-Everywhere extension > automates this completely (https://www.eff.org/https-everywhere) -- no > thought or technical skills required. > > Rich. > > -- > Richard Jones > Red Hat > > From passiveprofits at yahoo.com Tue Jan 25 16:02:05 2011 From: passiveprofits at yahoo.com (Passive PROFITS) Date: Tue, 25 Jan 2011 08:02:05 -0800 (PST) Subject: Law halts "speculative invoicing" activity In-Reply-To: <007b01cbbc82$ef3b1c70$cdb15550$@net> Message-ID: <280579.43290.qm@web110510.mail.gq1.yahoo.com> --- On Tue, 1/25/11, James Firth wrote: > From: James Firth > Subject: RE: Law halts "speculative invoicing" activity > To: marcus at connectotel.com, "'UK Cryptography Policy Discussion Group'" > Date: Tuesday, January 25, 2011, 3:28 AM > > Law firm ACS: Law stops 'chasing > illegal file-sharers > > http://www.bbc.co.uk/news/technology-12253746 > > I was just reading that.? I'm not sure how much > evidence there is to support > Mr Crossley's assertions: > > "I have ceased my work...I have been subject to criminal > attack. My e-mails > have been hacked. I have had death threats and bomb > threats," he said in the > statement, read to the court by MediaCAT's barrister Tim > Ludbrook." > > I'm reminded of this great piece on Andrew Crossley and > ACS:Law > > http://www.telegraph.co.uk/culture/8110261/Are-you-a-middle-class-pirate-Thi > s-man-wants-a-word-with-you....html Hi James, I'm not so sure you could call this anything other than a great piece of disinfo, as usual, from the Daily Laughagraph (nb: din't read the other link): "The law was certainly on their side in one respect: under the Copyright, Designs and Patents Act 1988, it?s illegal to make a copyright work available for download by others on a file-sharing network" This of course is a WHOLLY misleading statement (note that it is made with reassuring/absolute certainty, too; the way the best disinfo-artists always slip it in [i.e. in an otherwise AFAICS correct article, where you won't notice it) ;)). I have not checked, but feel sure if I did the relevant Act would only prohibit the making available of a copyrighted work ....'without the consent of the copyright(s) holder(s)' or something similar. Anyone correct that? Best, PP From fjmd1a at gmail.com Tue Jan 25 18:17:06 2011 From: fjmd1a at gmail.com (Francis Davey) Date: Tue, 25 Jan 2011 18:17:06 +0000 Subject: Law halts "speculative invoicing" activity In-Reply-To: <280579.43290.qm@web110510.mail.gq1.yahoo.com> References: <007b01cbbc82$ef3b1c70$cdb15550$@net> <280579.43290.qm@web110510.mail.gq1.yahoo.com> Message-ID: On 25/01/2011, Passive PROFITS wrote: [snip] > > I have not checked, but feel sure if I did the relevant Act would only > prohibit the making available of a copyrighted work ....'without the > consent of the copyright(s) holder(s)' or something similar. > That's basically right. Making the work available is an "act restricted by copyright" (section 18) http://www.legislation.gov.uk/ukpga/1988/48/section/18 The copyright owner has an exclusive right to do the acts restricted by copyright (section 2) http://www.legislation.gov.uk/ukpga/1988/48/section/2 Section 16(2) reminds us of this right and tells us that it is an infringement to do any of those acts without the copyright owner's permission (licence), but subject to Chapter III and Chapter VII. That last "subject to" is important as Chapter III includes all the fair dealing exceptions that make something that would otherwise be an infringement not so. ... and then section 96 actually tells you that the copyright owner can sue you for infringement. If that makes it "illegal" then I guess that's enough. -- Francis Davey From james2 at jfirth.net Tue Jan 25 18:23:10 2011 From: james2 at jfirth.net (James Firth) Date: Tue, 25 Jan 2011 18:23:10 -0000 Subject: Digital Economy Act update, draft SI In-Reply-To: <00bb01cbb8bc$bf3b2d40$3db187c0$@net> References: <00bb01cbb8bc$bf3b2d40$3db187c0$@net> Message-ID: <018301cbbcbc$ec2ac2d0$c4804870$@net> > For anyone on this list following the progress of the Digital Economy > Act, > > I got a tip that Ofcom has released a draft of the Statutory Instrument > for > the Initial Obligations Code as required by the enabling primary > legislation > passed last year. Update: I just got hold of a list of EC questions and concerns submitted to the UK "competent authority" in respect of the above mentioned draft SI. I published them and blogged about them here: http://www.slightlyrightofcentre.com/2011/01/exclusive-ec-raised-concerns-on -uk.html For me the stand-out concern relates so compatibility with the so-called "Authorisation Directive" (2002/20/EC) which could, given the limited information I have at the moment (I don't for example have the UK government's response - if any) form further grounds for challenge from ISPs. James Firth From igb at batten.eu.org Tue Jan 25 20:24:58 2011 From: igb at batten.eu.org (Ian Batten) Date: Tue, 25 Jan 2011 20:24:58 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: <853336.29452.qm@web110513.mail.gq1.yahoo.com> References: <853336.29452.qm@web110513.mail.gq1.yahoo.com> Message-ID: <7709868A-B145-4026-97AD-F67FDA4F7590@batten.eu.org> On 25 Jan 2011, at 16:18, Passive PROFITS wrote: > That would not deal with the falsifying of certificates. Assuming the code-base of this is not intentional corrupt, the addition of an extension such as certpatrol is also required (a firefox extension), to notify one when the SSL cert swap by the government/ISP (using the browser accepted as 'true' passported C.A.(s) under their control) has taken place (a MiTM is in progress notification function). The other known way would be manual/local (each time) inspection of the cert fingerprint(s). e.g. you note Facebook's fingerprint then check each time it's got the same 'print. Then (once under notice the hack is under progress) you could retreat, or start playing your own pre-planned counter-measures ... depending on the peril of the situation, tactics, etc, call the government, depending on the nature of your business, etc. There's been some recent, if un-startling, discussion of this: http://www.freedom-to-tinker.com/blog/sroosa/flawed-legal-architecture-certificate-authority-trust-model I suspect that once you have more than a handful of CAs, it's for practical purposes impossible to get any meaningful assurance that they are all legitimate. If CAs delegate their authority, it's difficult to even know that certificates whose chain of trust goes back to a CA you trust was actually issued by that CA. And for as long as any CA can issue a certificate in any name, any domain can be subverted by any one of the CAs. Which means that certificates are as weak as the weakest CA you trust, unless that CA in turn trusts a yet weaker CA. I've not looked at this in detail (perhaps I should) but I think it's possible in most browsers to trust _no_ CAs and yet trust individual certificates, which might have the required semantics: when a certificate is encountered, you check it (by whatever out of band mechanism you deem appropriate) and then add it to your certificate store, but you do not add its certifying keys. ian From ukcrypto at absent-minded.com Wed Jan 26 09:18:11 2011 From: ukcrypto at absent-minded.com (Mark Lomas) Date: Wed, 26 Jan 2011 09:18:11 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: <7709868A-B145-4026-97AD-F67FDA4F7590@batten.eu.org> References: <853336.29452.qm@web110513.mail.gq1.yahoo.com> <7709868A-B145-4026-97AD-F67FDA4F7590@batten.eu.org> Message-ID: Some years ago (probably in 2000) I persuaded a major bank to remove the majority of CA certificates from the key store of the browser they had deployed. The IT department regarded the change as a nuisance, but the Legal department understood the problem as soon as I showed them the list of CAs. May I conduct an informal survey? Who on this mailing list has not removed any of the CA certificates that were pre-installed by whoever supplied your browser? Mark On 25 January 2011 20:24, Ian Batten wrote: > > On 25 Jan 2011, at 16:18, Passive PROFITS wrote: > > > That would not deal with the falsifying of certificates. Assuming the > code-base of this is not intentional corrupt, the addition of an extension > such as certpatrol is also required (a firefox extension), to notify one > when the SSL cert swap by the government/ISP (using the browser accepted as > 'true' passported C.A.(s) under their control) has taken place (a MiTM is in > progress notification function). The other known way would be manual/local > (each time) inspection of the cert fingerprint(s). e.g. you note Facebook's > fingerprint then check each time it's got the same 'print. Then (once under > notice the hack is under progress) you could retreat, or start playing your > own pre-planned counter-measures ... depending on the peril of the > situation, tactics, etc, call the government, depending on the nature of > your business, etc. > > There's been some recent, if un-startling, discussion of this: > http://www.freedom-to-tinker.com/blog/sroosa/flawed-legal-architecture-certificate-authority-trust-model > > I suspect that once you have more than a handful of CAs, it's for practical > purposes impossible to get any meaningful assurance that they are all > legitimate. If CAs delegate their authority, it's difficult to even know > that certificates whose chain of trust goes back to a CA you trust was > actually issued by that CA. And for as long as any CA can issue a > certificate in any name, any domain can be subverted by any one of the CAs. > > Which means that certificates are as weak as the weakest CA you trust, > unless that CA in turn trusts a yet weaker CA. > > I've not looked at this in detail (perhaps I should) but I think it's > possible in most browsers to trust _no_ CAs and yet trust individual > certificates, which might have the required semantics: when a certificate is > encountered, you check it (by whatever out of band mechanism you deem > appropriate) and then add it to your certificate store, but you do not add > its certifying keys. > > ian > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nbohm at ernest.net Wed Jan 26 10:44:17 2011 From: nbohm at ernest.net (Nicholas Bohm) Date: Wed, 26 Jan 2011 10:44:17 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: References: <853336.29452.qm@web110513.mail.gq1.yahoo.com> <7709868A-B145-4026-97AD-F67FDA4F7590@batten.eu.org> Message-ID: <4D3FFB01.5060407@ernest.net> On 26/01/2011 09:18, Mark Lomas wrote: > Some years ago (probably in 2000) I persuaded a major bank to remove > the majority of CA certificates from the key store of the browser they > had deployed. > > The IT department regarded the change as a nuisance, but the Legal > department understood the problem as soon as I showed them the list of > CAs. > > May I conduct an informal survey? Who on this mailing list has not > removed any of the CA certificates that were pre-installed by whoever > supplied your browser? I have removed none - I regard them as equally untrustworthy for all practical purposes; I could not establish liability against any of them since to do so would require me to provide evidence that they had failed in the limited duties they assume under their applicable terms and conditions, which would be impracticable. Nicholas -- Contact and PGP key here From lists at internetpolicyagency.com Wed Jan 26 10:49:55 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 26 Jan 2011 10:49:55 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: References: <853336.29452.qm@web110513.mail.gq1.yahoo.com> <7709868A-B145-4026-97AD-F67FDA4F7590@batten.eu.org> Message-ID: In article , Mark Lomas writes >May I conduct an informal survey? Who on this mailing list has not >removed any of the CA certificates that were pre-installed by whoever >supplied your browser? I haven't (it's outside of my life's-too-short envelope). On the other hand I do note (with sadness) whenever a blue-chip site's certificates seem to have expired. And then there's the famous brand of login-requiring public wifi hotspot with a side effect of making the log-in screen appear to have a duff certificate (it's to do with the way they spoof the DNS to bring up the log-in screen I think). -- Roland Perry From bdm at fenrir.org.uk Wed Jan 26 11:26:54 2011 From: bdm at fenrir.org.uk (Brian Morrison) Date: Wed, 26 Jan 2011 11:26:54 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: References: <853336.29452.qm@web110513.mail.gq1.yahoo.com> <7709868A-B145-4026-97AD-F67FDA4F7590@batten.eu.org> Message-ID: <20110126112654.00001448@surtees.fenrir.org.uk> On Wed, 26 Jan 2011 09:18:11 +0000 Mark Lomas wrote: > May I conduct an informal survey? Who on this mailing list has not > removed any of the CA certificates that were pre-installed by whoever > supplied your browser? Not me. All I have done is add the CACert root certificate so that some of my own certificates work. Having said that, I don't ignore any error or warning messages, and I do quite often check certificate fingerprints. In a widely rolled-out deployment of SSL the security you gain is there to raise the bar to compromise, not to eliminate it. -- Brian Morrison From ukcrypto at absent-minded.com Wed Jan 26 11:58:13 2011 From: ukcrypto at absent-minded.com (Mark Lomas) Date: Wed, 26 Jan 2011 11:58:13 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: <20110126112654.00001448@surtees.fenrir.org.uk> References: <853336.29452.qm@web110513.mail.gq1.yahoo.com> <7709868A-B145-4026-97AD-F67FDA4F7590@batten.eu.org> <20110126112654.00001448@surtees.fenrir.org.uk> Message-ID: Perhaps I should have been more explicit about the reason for my question. It is alleged that somebody is interfering with traffic to Facebook. The suggested countermeasure is to insist upon an SSL connection from the outset - not to trust the standard HTTP page. If those same attackers can persuade *any *of the CAs trusted by the browser to issue a duplicate Facebook certificate then they can interfere with SSL connections as well. Most browsers will not display any warning message in such circumstances. You can reduce (but not eliminate) this risk by paring down the list of trusted CAs. Now consider which SSL sites you visit. Perhaps your e-mail service or your bank. Are you happy that *all* of the CAs trusted by your browser are permitted to sign certificates purporting to represent your e-mail service or bank? Mark On 26 January 2011 11:26, Brian Morrison wrote: > On Wed, 26 Jan 2011 09:18:11 +0000 > Mark Lomas wrote: > > > May I conduct an informal survey? Who on this mailing list has not > > removed any of the CA certificates that were pre-installed by whoever > > supplied your browser? > > Not me. All I have done is add the CACert root certificate so that > some of my own certificates work. > > Having said that, I don't ignore any error or warning messages, and I > do quite often check certificate fingerprints. In a widely rolled-out > deployment of SSL the security you gain is there to raise the bar to > compromise, not to eliminate it. > > -- > > Brian Morrison > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From igb at batten.eu.org Wed Jan 26 12:36:00 2011 From: igb at batten.eu.org (Ian Batten) Date: Wed, 26 Jan 2011 12:36:00 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: <20110126112654.00001448@surtees.fenrir.org.uk> References: <853336.29452.qm@web110513.mail.gq1.yahoo.com> <7709868A-B145-4026-97AD-F67FDA4F7590@batten.eu.org> <20110126112654.00001448@surtees.fenrir.org.uk> Message-ID: On 26 Jan 11, at 1126, Brian Morrison wrote: > On Wed, 26 Jan 2011 09:18:11 +0000 > Mark Lomas wrote: > >> May I conduct an informal survey? Who on this mailing list has not >> removed any of the CA certificates that were pre-installed by whoever >> supplied your browser? > > Not me. All I have done is add the CACert root certificate so that > some of my own certificates work. > > Having said that, I don't ignore any error or warning messages, and I > do quite often check certificate fingerprints. In a widely rolled-out > deployment of SSL the security you gain is there to raise the bar to > compromise, not to eliminate it. I've just written a quick analyser for my certificate store (Mac) to look for things that seems to be CAs, and pull out their country of origin. It seems that for whatever reason the root store I have doesn't seem to have a wide range of countries of origin: I presume that the certificate authorities in those countries rely on a root certificate held by someone else. My test for a CA is bad --- openssl x509 -purpose contains "CRL Signing CA : Yes" --- and I've attached my script in case anyone has a better suggestion of how to find CAs in the key store. But broken down by country code and whether or not the certificate is self-signed or signed by another key, we have: 36 US signed 13 US self 7 DE signed 4 GB self 3 UK self 3 GB signed 3 FR self 3 DE self 2 ZA signed 2 IL signed 1 ZA self 1 SE signed 1 SE self 1 NL signed 1 IT signed 1 FR signed 1 BE signed None of those countries leap off the page as places that would naturally assist the Tunisian government in doing bad stuff. ian -------------- next part -------------- A non-text attachment was scrubbed... Name: certalyse Type: application/octet-stream Size: 1063 bytes Desc: not available URL: From bdm at fenrir.org.uk Wed Jan 26 13:24:26 2011 From: bdm at fenrir.org.uk (Brian Morrison) Date: Wed, 26 Jan 2011 13:24:26 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: References: <853336.29452.qm@web110513.mail.gq1.yahoo.com> <7709868A-B145-4026-97AD-F67FDA4F7590@batten.eu.org> <20110126112654.00001448@surtees.fenrir.org.uk> Message-ID: <20110126132426.000015f8@surtees.fenrir.org.uk> On Wed, 26 Jan 2011 11:58:13 +0000 Mark Lomas wrote: > Perhaps I should have been more explicit about the reason for my > question. > > It is alleged that somebody is interfering with traffic to Facebook. > The suggested countermeasure is to insist upon an SSL connection from > the outset > - not to trust the standard HTTP page. I use https: as a matter of course, I have the HTTPS-Everywhere extension in Firefox and otherwise will choose it in preference to http if available. Oh, and I don't have an FB account.... > > If those same attackers can persuade *any *of the CAs trusted by the > browser to issue a duplicate Facebook certificate then they can > interfere with SSL connections as well. Most browsers will not > display any warning message in such circumstances. True. That's one reason why, after some thought, I've decided I don't really trust anyone, or any organisation that doesn't have my interests at heart ;-) > > You can reduce (but not eliminate) this risk by paring down the list > of trusted CAs. True, but are any CAs already present *really* more trustworthy than the others? I suspect not. > > Now consider which SSL sites you visit. Perhaps your e-mail service > or your bank. Are you happy that *all* of the CAs trusted by your > browser are permitted to sign certificates purporting to represent > your e-mail service or bank? > My bank has gone along with the Chip'n'PIN fiction, so to be honest I don't really trust them much anyway. All they want is to move the responsibility for their mistakes to me, and seeing as I'm part of a group of taxpayers that have provided them with tens of billions to prop up their broken finances, I don't see that fighting them for a few quid if something goes wrong with their broken system makes much difference alongside that bail-out. Apologies if my cynicism is showing. > Mark > > > On 26 January 2011 11:26, Brian Morrison wrote: > > > On Wed, 26 Jan 2011 09:18:11 +0000 > > Mark Lomas wrote: > > > > > May I conduct an informal survey? Who on this mailing list has not > > > removed any of the CA certificates that were pre-installed by > > > whoever supplied your browser? > > > > Not me. All I have done is add the CACert root certificate so that > > some of my own certificates work. > > > > Having said that, I don't ignore any error or warning messages, and > > I do quite often check certificate fingerprints. In a widely > > rolled-out deployment of SSL the security you gain is there to > > raise the bar to compromise, not to eliminate it. > > > > -- > > > > Brian Morrison > > > > > -- Brian Morrison From Andrew.Cormack at ja.net Wed Jan 26 17:48:44 2011 From: Andrew.Cormack at ja.net (Andrew Cormack) Date: Wed, 26 Jan 2011 17:48:44 +0000 Subject: FW: Changes to Councils' RIPA Powers Message-ID: <61E52F3A5532BE43B0211254F13883AE03902D@EXC001> Forwarded with permission from the JISCmail data protection list, thanks to Ibrahim Andrew -- Andrew Cormack, Chief Regulatory Adviser, JANET(UK) Lumen House, Library Avenue, Harwell, Didcot. OX11 0SG UK Phone: +44 (0) 1235 822302 Blog: http://webmedia.company.ja.net/edlabblogs/regulatory-developments/ JANET, the UK's education and research network JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG > -----Original Message----- > From: This list is for those interested in Data Protection issues > [mailto:data-protection at JISCMAIL.AC.UK] On Behalf Of Ibrahim Hasan > Sent: 26 January 2011 16:19 > To: data-protection at JISCMAIL.AC.UK > Subject: Changes to Councils' RIPA Powers > > Today (26th Jan 2011) the Home Office published its long awaited review > of counter-terrorism and security powers. The main documents can be > found on the Home Office website: > > http://twurl.nl/z132oa > > Amongst all the headlines and controversy about control orders, it is > easy to miss the proposed changes to local authorities' powers to > carry out surveillance under RIPA. > > > The key changes recommended by the review are discussed on my blog: > > > http://www.informationlaw.org.uk/page8.htm#85488 > > Our next RIPA Update workshops will examine these proposals in details > and help you prepare for them. > > More Details: http://www.actnow.org.uk/courses/RIPA/Surveillance_Law > > > Regards > > Ibrahim Hasan > Solicitor and Director > Act Now Training Limited > > www.actnow.org.uk > www.informationlaw.org.uk > http://twitter.com/ActNowTraining > > > > > > > > > ________________________________ > > All archives of messages are stored permanently and are available to > the world wide web community at large at > http://www.jiscmail.ac.uk/lists/data-protection.html > > Selected commands (the command has been filled in below in the body of > the email if you are receiving emails in HTML format): > > * Leaving this list: send leave data-protection to > listserv at JISCMail.ac.uk data-protection> > * Suspending emails from all JISCMail lists: send SET * NOMAIL to > listserv at JISCMail.ac.uk NOMAIL> > * To receive emails from this list in text format: send SET data- > protection NOHTML to listserv at JISCMail.ac.uk > > * To receive emails from this list in HTML format: send SET data- > protection HTML to listserv at JISCMail.ac.uk > > > All user commands can be found at > http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body > of an otherwise blank email to listserv at JISCMAIL.ac.uk > > Any queries about sending or receiving messages please send to the list > owner data-protection-request at JISCMail.ac.uk > > (Please send all commands to listserv at JISCMail.ac.uk not the list or > the moderators, and all requests for technical help to > helpline at JISCMail.ac.uk, the general office helpline) > > ________________________________ From rich at annexia.org Wed Jan 26 19:24:25 2011 From: rich at annexia.org (Richard W.M. Jones) Date: Wed, 26 Jan 2011 19:24:25 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: <20110126132426.000015f8@surtees.fenrir.org.uk> References: <853336.29452.qm@web110513.mail.gq1.yahoo.com> <7709868A-B145-4026-97AD-F67FDA4F7590@batten.eu.org> <20110126112654.00001448@surtees.fenrir.org.uk> <20110126132426.000015f8@surtees.fenrir.org.uk> Message-ID: <20110126192425.GA20647@annexia.org> On Wed, Jan 26, 2011 at 01:24:26PM +0000, Brian Morrison wrote: > True, but are any CAs already present *really* more trustworthy than > the others? I suspect not. I think this gets to the nub of it. There's literally no criterion for trusting a CA except that I set it up myself (and even then I'm suspicious :-) Why wouldn't the NSA have the private keys used by Verisign? I'd actually consider them to be failing in their job if they *hadn't* got them. Rich. -- Richard Jones Red Hat From DaveHowe at gmx.co.uk Wed Jan 26 21:45:40 2011 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Wed, 26 Jan 2011 21:45:40 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: References: <853336.29452.qm@web110513.mail.gq1.yahoo.com> <7709868A-B145-4026-97AD-F67FDA4F7590@batten.eu.org> Message-ID: <4D409604.1050506@gmx.co.uk> On 26/01/2011 09:18, Mark Lomas wrote: > Some years ago (probably in 2000) I persuaded a major bank to remove the > majority of CA certificates from the key store of the browser they had > deployed. > > The IT department regarded the change as a nuisance, but the Legal > department understood the problem as soon as I showed them the list of CAs. > > May I conduct an informal survey? Who on this mailing list has not > removed any of the CA certificates that were pre-installed by whoever > supplied your browser? I haven't bothered - as has been pointed out by others, None of the current lot are trustworthy; none of them would even resist a demand from a TLA in their jurisdiction to mint a few extra certs, none will accept any liability for any loss I might suffer due to spoofed site getting any of my details, and none have a good track record when it comes to *not* mistakenly issuing certs to those not authorized to have them. I *do* have Cert Patrol installed, but that throws up some curious anomalies; for instance, TSB appear to have some sort of farm for their web service, but have different certificates on each. This causes CP a certain amount of distress every time I visit there... From cryptome at earthlink.net Thu Jan 27 00:43:31 2011 From: cryptome at earthlink.net (John Young) Date: Wed, 26 Jan 2011 19:43:31 -0500 Subject: nationwide interception of Facebook & webmail login credentialsin Tunisia In-Reply-To: <853336.29452.qm@web110513.mail.gq1.yahoo.com> References: <20110125113527.GA29527@annexia.org> Message-ID: Is it not now conventional cybersecurity wisdom that there is no secure means of digital network communication? That any network system -- with certs or not, with end-to-end-encryption or not, with TOR-like and cloud-like mechanisms or not, as well as any other network comms means -- requires a supplemental offline physical implement of security. Such as a token, card or other physical tools which assure absolute, non-TEMPEST-able isolation from a network for at least for first step of the comms and at the last step of receipt. Along the network path all flow is penetrable and interceptible, even the onion-layers and foolsgold .smil, .intel and kin. Perhaps that is the security FUD of token, card and other means, but recently the NSA claimed in a public security conference that there could be no network security, none. Perhaps that too is NSA FUD, all too commonly practiced by security agencies as a means of lowering expectations as budgets are decreased. It is true that NSA and ilk regularly pronounce such and such security is either too strong or too weak, and parade, publish, leak, leave behind laptops, redact FOI releases, unleash demon hackers, and rue disclosures by experts who betray national interests for transient vainglory, and such fomulaics, in order to promulgate too much or too little certainty about security. So how can befuddled members of parliaments and congresses much less law enforment authorities and pitable citizenry know what to do about edicts of ambiguity amplified almost beyond comprehension by implementing directives, trials and errors, academics and researchers pinheading gaffs and gaps, data breaches true and false, boondoggling contractors and their obfuscating legal counsels angling for prolonged litigation out of sight of oversight? Why would titans of cybersecurity throw up hands and state impossible except, except, except perhaps another billion would do it if renewed annually, bespeaking mantrically "no absolutes in security." While similar this is not medieval selling indulgences. It's cyberwarfare, by crikey. At 08:18 AM 1/25/2011 -0800, you wrote: >That would not deal with the falsifying of certificates. Assuming the code-base of this is not intentional corrupt, the addition of an extension such as certpatrol is also required (a firefox extension), to notify one when the SSL cert swap by the government/ISP (using the browser accepted as 'true' passported C.A.(s) under their control) has taken place (a MiTM is in progress notification function). The other known way would be manual/local (each time) inspection of the cert fingerprint(s). e.g. you note Facebook's fingerprint then check each time it's got the same 'print. Then (once under notice the hack is under progress) you could retreat, or start playing your own pre-planned counter-measures ... depending on the peril of the situation, tactics, etc, call the government, depending on the nature of your business, etc. > >:/ > >Best, > >PP > > >--- On Tue, 1/25/11, Richard W.M. Jones wrote: > >> From: Richard W.M. Jones >> Subject: Re: nationwide interception of Facebook & webmail login credentials in Tunisia >> To: "UK Cryptography Policy Discussion Group" >> Date: Tuesday, January 25, 2011, 3:35 AM >> >> JGC's blog has the technical details: >> >> http://blog.jgc.org/2011/01/code-injected-to-steal-passwords-in.html >> >> Moral of the story is to use https:// URLs to fetch the >> initial form >> (ie. https://facebook.com/). The Firefox >> HTTPS-Everywhere extension >> automates this completely (https://www.eff.org/https-everywhere) -- no >> thought or technical skills required. >> >> Rich. >> >> -- >> Richard Jones >> Red Hat >> >> > > > > From lists at internetpolicyagency.com Thu Jan 27 09:20:47 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 27 Jan 2011 09:20:47 +0000 Subject: FW: Changes to Councils' RIPA Powers In-Reply-To: <61E52F3A5532BE43B0211254F13883AE03902D@EXC001> References: <61E52F3A5532BE43B0211254F13883AE03902D@EXC001> Message-ID: In article <61E52F3A5532BE43B0211254F13883AE03902D at EXC001>, Andrew Cormack writes >Forwarded with permission from the JISCmail data protection list, >thanks to Ibrahim The proposal is doomed, because it already contains the thin end of a wedge (or alternatively a frog boiler) "underage sales of alcohol and tobacco". The criminal justice system either ranks the seriousness of offences by the maximum custodial sentence, or it doesn't. If, as is implied, these two offences don't carry a six month maximum, it's a bit rich to start cherry-picking them: "nevertheless we need these powers", so let's make an exception". Incidentally, I still don't agree with the characterisation of a ban ["don't do surveillance unless..."] as a "power", but it seems this meme is as well entrenched as "identity theft" and other well known distraction nomenclature. On the other hand, acquiring comms data *is* a power. Are they proposing to amend all the "other powers" (for example contained in various anti-fraud legislation) to make it clear they can't be used for comms data. Currently, as I understand it, the use of "other powers" (for comms data) is deprecated by the Home Office and CSPs, but maybe local authorities still try to use them? Roland. >-- >Andrew Cormack, Chief Regulatory Adviser, JANET(UK) >Lumen House, Library Avenue, Harwell, Didcot. OX11 0SG UK >Phone: +44 (0) 1235 822302 >Blog: http://webmedia.company.ja.net/edlabblogs/regulatory-developments/ > >JANET, the UK's education and research network > >JANET(UK) is a trading name of The JNT Association, a company limited >by guarantee which is registered in England under No. 2881024 >and whose Registered Office is at Lumen House, Library Avenue, >Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG > > >> -----Original Message----- >> From: This list is for those interested in Data Protection issues >> [mailto:data-protection at JISCMAIL.AC.UK] On Behalf Of Ibrahim Hasan >> Sent: 26 January 2011 16:19 >> To: data-protection at JISCMAIL.AC.UK >> Subject: Changes to Councils' RIPA Powers >> >> Today (26th Jan 2011) the Home Office published its long awaited review >> of counter-terrorism and security powers. The main documents can be >> found on the Home Office website: >> >> http://twurl.nl/z132oa >> >> Amongst all the headlines and controversy about control orders, it is >> easy to miss the proposed changes to local authorities' powers to >> carry out surveillance under RIPA. >> >> >> The key changes recommended by the review are discussed on my blog: >> >> >> http://www.informationlaw.org.uk/page8.htm#85488 >> >> Our next RIPA Update workshops will examine these proposals in details >> and help you prepare for them. >> >> More Details: http://www.actnow.org.uk/courses/RIPA/Surveillance_Law >> >> >> Regards >> >> Ibrahim Hasan >> Solicitor and Director >> Act Now Training Limited >> >> www.actnow.org.uk >> www.informationlaw.org.uk >> http://twitter.com/ActNowTraining >> >> >> >> >> >> >> >> >> ________________________________ >> >> All archives of messages are stored permanently and are available to >> the world wide web community at large at >> http://www.jiscmail.ac.uk/lists/data-protection.html >> >> Selected commands (the command has been filled in below in the body of >> the email if you are receiving emails in HTML format): >> >> * Leaving this list: send leave data-protection to >> listserv at JISCMail.ac.uk > data-protection> >> * Suspending emails from all JISCMail lists: send SET * NOMAIL to >> listserv at JISCMail.ac.uk > NOMAIL> >> * To receive emails from this list in text format: send SET data- >> protection NOHTML to listserv at JISCMail.ac.uk >> >> * To receive emails from this list in HTML format: send SET data- >> protection HTML to listserv at JISCMail.ac.uk >> >> >> All user commands can be found at >> http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body >> of an otherwise blank email to listserv at JISCMAIL.ac.uk >> >> Any queries about sending or receiving messages please send to the list >> owner data-protection-request at JISCMail.ac.uk >> >> (Please send all commands to listserv at JISCMail.ac.uk not the list or >> the moderators, and all requests for technical help to >> helpline at JISCMail.ac.uk, the general office helpline) >> >> ________________________________ > > -- Roland Perry From igb at batten.eu.org Thu Jan 27 12:18:02 2011 From: igb at batten.eu.org (Ian Batten) Date: Thu, 27 Jan 2011 12:18:02 +0000 Subject: Data Retention of Calling Parties Message-ID: So the story appears to run that Sienna Miller's step-mother, finding that someone other than her was attempting to change the PIN on her voice mail, was able to get a court order forcing Vodafone to reveal the number of the calling party that attempted to make the change and, later, to connect that number with a name. So that implies that Voda are keeping records of the _calling_ party for long enough for a court order to be obtained, and that the information is liable to be released on the basis of an order in a civil court (ie, not terrorism or the four horsemen). They're quite at liberty to do so, of course, but it's a new slant on matters: any attempt to find out who called the complainant's phone is inevitably ex parte the caller, because at that point neither the complainant nor the court know who they are, but one would naively have thought that they have some right to be represented in the process. ian [[ In passing, you have to admire the stupidity of a journalist trying to change the PIN: although in most mobile phone environments the victim wouldn't notice, because when you call from the linked mobile you aren't asked for a PIN, why change it? It's an immediate alarm bell if the legitimate user _does_ try to access their voicemail from another line. I wonder if it implies that phone hacking was so widespread in newspapers that he wanted to exclude the opposition from also listening in, but we shall see. ]] -------------- next part -------------- An HTML attachment was scrubbed... URL: From lists at internetpolicyagency.com Thu Jan 27 12:46:39 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 27 Jan 2011 12:46:39 +0000 Subject: Data Retention of Calling Parties In-Reply-To: References: Message-ID: In article , Ian Batten writes >So the story appears to run that Sienna Miller's step-mother, finding >that someone other than her was attempting to change the PIN on her >voice mail, was able to get a court order forcing Vodafone to reveal >the number of the calling party that attempted to make the change and, >later, to connect that number with a name. Whereas Mr Mitchell (McCann's spokesperson, in the news last week) didn't seem to have gone that far - his investigations with Vodafone seemed to stop at the point where calls (to customer services rather than voicemail) were made impersonating him. I got the impression from his description that Vodafone had retained the notes of the conversation, but not the traffic data. -- Roland Perry From tugwilson at gmail.com Thu Jan 27 13:58:20 2011 From: tugwilson at gmail.com (John Wilson) Date: Thu, 27 Jan 2011 13:58:20 +0000 Subject: Data Retention of Calling Parties In-Reply-To: References: Message-ID: On 27 January 2011 12:46, Roland Perry wrote: > In article , Ian Batten > writes [snip] > > Whereas Mr Mitchell (McCann's spokesperson, in the news last week) didn't > seem to have gone that far - his investigations with Vodafone seemed to stop > at the point where calls (to customer services rather than voicemail) were > made impersonating him. I got the impression from his description that > Vodafone had retained the notes of the conversation, but not the traffic > data. My recollection of his Radio 4 interview was that he asked for the details some considerable time after the event so the caller details were not available but the notes on the database were. John Wilson From lists at internetpolicyagency.com Thu Jan 27 14:26:25 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 27 Jan 2011 14:26:25 +0000 Subject: Data Retention of Calling Parties In-Reply-To: References: Message-ID: In article , John Wilson writes >> Whereas Mr Mitchell (McCann's spokesperson, in the news last week) didn't >> seem to have gone that far - his investigations with Vodafone seemed to stop >> at the point where calls (to customer services rather than voicemail) were >> made impersonating him. I got the impression from his description that >> Vodafone had retained the notes of the conversation, but not the traffic >> data. > >My recollection of his Radio 4 interview was that he asked for the >details some considerable time after the event so the caller details >were not available but the notes on the database were. If we were to surmise that his enquiries were more than six months after, that might lead us to conclude something about the data retention policy. I don't think he implied it was more than (say) two years. -- Roland Perry From tugwilson at gmail.com Thu Jan 27 15:02:18 2011 From: tugwilson at gmail.com (John Wilson) Date: Thu, 27 Jan 2011 15:02:18 +0000 Subject: Data Retention of Calling Parties In-Reply-To: References: Message-ID: On 27 January 2011 14:26, Roland Perry wrote: > In article , > John Wilson writes [snip] >> My recollection of his Radio 4 interview was that he asked for the >> details some considerable time after the event so the caller details >> were not available but the notes on the database were. > > If we were to surmise that his enquiries were more than six months after, > that might lead us to conclude something about the data retention policy. I > don't think he implied it was more than (say) two years. The report is here http://www.bbc.co.uk/news/uk-12245765 The last attempt to to access the account was July 2008. He was approached by the BBC and encouraged to check if this had happened, it would appear that this was quite recent (I can't see why the BBC would sit on this information for any appreciable time). So to time between the event and the inquiry was over two years. You will see that the article says "Mr Mitchell was told that records of calls made and received were routinely destroyed after about a year." Of course this information was part of their record of calls to their customer service department. It's a big leap to assume it tells us anything about thier data retention policies in respect of other call details. John Wilson From richard at highwayman.com Thu Jan 27 15:15:43 2011 From: richard at highwayman.com (Richard Clayton) Date: Thu, 27 Jan 2011 15:15:43 +0000 Subject: FW: Changes to Councils' RIPA Powers In-Reply-To: References: <61E52F3A5532BE43B0211254F13883AE03902D@EXC001> Message-ID: In article , Roland Perry writes >On the other hand, acquiring comms data *is* a power. Are they proposing >to amend all the "other powers" (for example contained in various >anti-fraud legislation) to make it clear they can't be used for comms >data. Currently, as I understand it, the use of "other powers" (for >comms data) is deprecated by the Home Office and CSPs, but maybe local >authorities still try to use them? You may recall, from one of the LSE meetings, a discussion of the Department of Work & Pensions -- which does have powers (many legacy, others in the Social Security Fraud Act) to access comms data (which, for a conceptual example, they could in an attempt to prove cohabitation) and that they had refused Simon's (ie the Home Office's) requests to defer to a RIPA regime instead. Seems that the HO is going to try again -- albeit the wording in this part of the report Based on this assessment, the review recommends that: i. Government departments, agencies, regulatory authorities and CSPs should be consulted to establish the range of non-RIPA legislative frameworks by which communications data can in principle be acquired from CSPs, and for what purposes. This consultation is currently taking place. ii. These legal frameworks should then be streamlined to ensure that as far as possible RIPA is the only mechanism by which communications data can be acquired. contains the weasel words "as far as possible" which presumably is there in case the DWP wins this round as well! The other example which the report mentions is the Financial Services and Markets Act... IIRC, the owners of these acts argue that since they postdate RIPA, Parliament intended them to be a law unto themselves! -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 185 bytes Desc: not available URL: From DaveHowe at gmx.co.uk Sat Jan 29 18:15:34 2011 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Sat, 29 Jan 2011 18:15:34 +0000 Subject: nationwide interception of Facebook & webmail login credentialsin Tunisia In-Reply-To: References: <20110125113527.GA29527@annexia.org> Message-ID: <4D445946.6030607@gmx.co.uk> On 27/01/2011 00:43, John Young wrote: > Is it not now conventional cybersecurity wisdom that there is > no secure means of digital network communication? That any > network system -- with certs or not, with end-to-end-encryption > or not, with TOR-like and cloud-like mechanisms or not, as well > as any other network comms means -- requires a supplemental > offline physical implement of security. Such as a token, card or > other physical tools which assure absolute, non-TEMPEST-able > isolation from a network for at least for first step of the comms > and at the last step of receipt. Along the network path all flow > is penetrable and interceptible, even the onion-layers and > foolsgold .smil, .intel and kin. that is FUD, pure and simple. There are almost certainly flaws in almost every solution, which with enough time and money you could exploit - but in most cases you would need to work forward (black bag the endpoints) and if you already know who to bug, why bother with the fancy interception when a simple logger app will do just fine? > Perhaps that is the security FUD of token, card and other > means, but recently the NSA claimed in a public security > conference that there could be no network security, none. Consider the source there. With decreasing budget and increasing traffic, even low grade cryptography is a threat - there is a limit in practical terms how many (even 40 bit) sessions you can intercept and scan for keywords and/or vox recognition, so if even 40 bit crypto became the norm, the task of blanket scanning would become beyond even the abilities of an organization with unlimited budget, never mind one with real world limits. Conventional wisdom should, therefore, be that, given a highly targeted and personal attack, only the most stringent (and intrusive) of personal security regimes has a hope of keeping your traffic private, and any endpoint device left out of your control for more than five minutes should be considered compromised. I doubt things have gotten as far as blanket inclusion of such intrusive measures in all commodity pcs sold (although I could see that as a "feature" of TCM/TPM beyond just the basic specs :) > Perhaps that too is NSA FUD, all too commonly practiced > by security agencies as a means of lowering expectations > as budgets are decreased. > > It is true that NSA and ilk regularly pronounce such and such > security is either too strong or too weak, and parade, publish, > leak, leave behind laptops, redact FOI releases, unleash demon > hackers, and rue disclosures by experts who betray national > interests for transient vainglory, and such fomulaics, in order > to promulgate too much or too little certainty about security. The NSA and its ilk are paid to give competent advice on such things to those who pay them. They aren't paid to give such advice to you, and certainly don't have a great track record of being to honest to those who DO pay them. The truth still is though - the vast majority of compromises out there come from either deliberate action or accidental loss of data, from those authorized to access it, whenever their own desire to copy otherwise secure data onto an insecure medium outweighs (in their opinion) the security guidelines telling them not to do so. The NSA and its ilk are caught between two stools - they would LOVE to make endpoints secure, in their role as security advisor, but would hate anyone (even their own clients) actually doing so, as that would make their role as communications interceptor much, much harder. Where they draw that line (and what they say in private, as opposed to public statements) is obviously unknowable. From passiveprofits at yahoo.com Mon Jan 31 14:19:51 2011 From: passiveprofits at yahoo.com (Passive PROFITS) Date: Mon, 31 Jan 2011 06:19:51 -0800 (PST) Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: <853336.29452.qm@web110513.mail.gq1.yahoo.com> Message-ID: <967819.51174.qm@web110516.mail.gq1.yahoo.com> Hi All, So Cert Patrol just picked up an SSL certificate switch for encrypted.google.com; here's the new SHA1 fingerprint I've got... F1:BD:D4:59:78:7F:6B:EB:2F:4D:A8:72:E1:74:86:53:79:6B:3A:DD Anyone confirm they've also had a switch - it's not impossible I'm under attack, having fairly recently discovered a MiTM attack in progress, some months ago (mainly due to a fluke; didn't have cert patrol then!). TIA for any assistance on this matter. Best, PP "The man who owns a slave, or lives by exploiting others, whether slave or not, is not himself a free man. He is a man who must look over his shoulder all the time, in fear. True freedom lies in a deep concern for the freedom of others, and if this is accepted it should make every man, out of pure selfishness, the ardent devotee of the freedom of his neighbor." -Leonard Wibberly, 1776 - And All That (1975), p. 72. --- On Tue, 1/25/11, Passive PROFITS wrote: > From: Passive PROFITS > Subject: Re: nationwide interception of Facebook & webmail login credentials in Tunisia > To: "UK Cryptography Policy Discussion Group" > Date: Tuesday, January 25, 2011, 8:18 AM > That would not deal with the > falsifying of certificates.? Assuming the code-base of > this is not intentional corrupt, the addition of an > extension such as certpatrol is also required (a firefox > extension), to notify one when the SSL cert swap by the > government/ISP (using the browser accepted as 'true' > passported C.A.(s) under their control) has taken place (a > MiTM is in progress notification function).? The other > known way would be manual/local (each time) inspection of > the cert fingerprint(s).? e.g. you note Facebook's > fingerprint then check each time it's got the same > 'print.? Then (once under notice the hack is under > progress) you could retreat, or start playing your own > pre-planned counter-measures ... depending on the peril of > the situation, tactics, etc, call the government, depending > on the nature of your business, etc. > > :/ > > Best, > > PP > > > --- On Tue, 1/25/11, Richard W.M. Jones > wrote: > > > From: Richard W.M. Jones > > Subject: Re: nationwide interception of Facebook & > webmail login credentials in Tunisia > > To: "UK Cryptography Policy Discussion Group" > > Date: Tuesday, January 25, 2011, 3:35 AM > > > > JGC's blog has the technical details: > > > > http://blog.jgc.org/2011/01/code-injected-to-steal-passwords-in.html > > > > Moral of the story is to use https:// URLs to fetch > the > > initial form > > (ie. https://facebook.com/).? The Firefox > > HTTPS-Everywhere extension > > automates this completely (https://www.eff.org/https-everywhere) -- no > > thought or technical skills required. > > > > Rich. > > > > -- > > Richard Jones > > Red Hat > > > > > > > > > From richard at highwayman.com Mon Jan 31 15:46:11 2011 From: richard at highwayman.com (Richard Clayton) Date: Mon, 31 Jan 2011 15:46:11 +0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: <967819.51174.qm@web110516.mail.gq1.yahoo.com> References: <853336.29452.qm@web110513.mail.gq1.yahoo.com> <967819.51174.qm@web110516.mail.gq1.yahoo.com> Message-ID: <66qdYNGDltRNFADw@highwayman.com> In article <967819.51174.qm at web110516.mail.gq1.yahoo.com>, Passive PROFITS writes >So Cert Patrol just picked up an SSL certificate switch for >encrypted.google.com; here's the new SHA1 fingerprint I've got... > >F1:BD:D4:59:78:7F:6B:EB:2F:4D:A8:72:E1:74:86:53:79:6B:3A:DD > >Anyone confirm they've also had a switch Yes I have that one too... apparently it is valid from 5Jan11 to 5Jan12 My guess would be that the previous cert was about to expire so they have bought a new one, and now pushed it out... ... means the next push will be smack in the middle of Xmas/New Year next year. Some lucky sysadmin will not be pleased! I note that Google have chosen to go with a 1024bit cert again, despite strong US Government encouragement for 2048bits. I expect that's because they can't face making the longer certs work on mobile platforms. -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 185 bytes Desc: not available URL: From james2 at jfirth.net Mon Jan 31 16:10:58 2011 From: james2 at jfirth.net (James Firth) Date: Mon, 31 Jan 2011 16:10:58 -0000 Subject: nationwide interception of Facebook & webmail login credentials in Tunisia In-Reply-To: <66qdYNGDltRNFADw@highwayman.com> References: <853336.29452.qm@web110513.mail.gq1.yahoo.com> <967819.51174.qm@web110516.mail.gq1.yahoo.com> <66qdYNGDltRNFADw@highwayman.com> Message-ID: <003f01cbc161$736f8cf0$5a4ea6d0$@net> > >So Cert Patrol just picked up an SSL certificate switch for > >encrypted.google.com; here's the new SHA1 fingerprint I've got... > > > >F1:BD:D4:59:78:7F:6B:EB:2F:4D:A8:72:E1:74:86:53:79:6B:3A:DD > > > >Anyone confirm they've also had a switch > > Yes I have that one too... apparently it is valid from 5Jan11 to > 5Jan12 > Well I get one 21/10/2010 to 21/10/2011 - without panicking myself I assume Google have more than one certificate, with overlapping dates. Interestingly I opened a second browser on a different OS from the same ISP connection and got the above fingerprint, 5th Jan for 1 yr. James Firth