1 Copyright 2012 1 I.T. Challenges to Information Law Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Cyberspace Law & Policy, U.N.S.W. Visiting Professor in Computer Science, A.N.U. Chair, Australian Privacy Foundation (APF) Secretary, Internet Society of Australia (ISOC-AU) http://www.rogerclarke.com/EC/AGS-121116.ppt NPG, Canberra, 16 November 2012

2 I.T. Challenges to Information Law: Agenda
Some Obvious Things
- Cloudsourcing
- Jurisdictions of Convenience
- Extra-Territorial Reach
Some Less Obvious Things
- Transaction Assurance
- Identity Threats
Some Non-Solutions
- Technology Neutrality
- Privacy Law
Some Solutions
- Misinformation
- PETs, Obfuscation
- Social Media?

3 Cloudsourcing from the User Perspective
A service that satisfies all of the following conditions:
1. It is delivered over a telecommunications network
2. The service depends on virtualised resources, i.e. the user does not know which server(s) running on which host(s) is/are delivering the service, nor where the host(s) is/are located
3. The service is acquired under a relatively flexible contractual arrangement, at least re the quantum used
4. The user organisation places reliance on the service for data access and/or data processing
5. The user organisation has legal responsibilities

4 Shortlist of Major Cloudsourcing Risks
- Reliability – continuity of operation
- Availability: hosts/server/db readiness/reachability
- Accessibility: network readiness
- Usability: response-time, consistency
- Robustness – the incidence of unavailability (97% up = 5 hr pwk)
- Service Survival, e.g. supplier withdrawal
- Data Survival
- Lateral Compatibility – multi-sourcing
- Authentication, Authorisation: Convenient client access; Denial of access to imposters
- Compliance: Evidence Discovery Law Financial Regulations Security Treaty Obligations
- Confidentiality: Strategic, Commercial, Governmental
- Privacy, esp. Use and Disclosure: Second-Party (service-provider abuse), Third-Party ('data breach')

5 Consumer Computing
Functions | Applications (1975-2005/08)
Email | Email clients, using smtp/pop/imap
Personal Galleries | Personal Web-Sites
Personal Music | Dedicated Devices
Doc Prep | Office on the Desktop
File-Sharing | FTP-server and -client

6 Consumer Computing
Functions | Applications (1975-2005/08) | ==>> Services (2000-)
Email | Email clients, using smtp/pop/imap | Webmail, using http / https
Personal Galleries | Personal Web-Sites | Flickr, Picasa
Personal Music | Dedicated Devices | iTunes
Doc Prep | Office on the Desktop | Zoho, Google Docs
File-Sharing | FTP-server and -client | Dropbox

7 Results from a Survey of Terms of Service
- Consumers dependent on C.C. Services are at dire risk
  - Service malfunctions, loss of data, provider exploitation of their data, low standards of accessibility and clarity of Terms, largely unfettered scope for providers to change the Terms
- Consumer Protections are essential, but seriously inadequate
  - Transnationality of Internet commerce, dominance of US marketing mores, pro-corporate and anti-consumer stance of US regulators, meekness of regulators in other countries, the lack of organised resistance by consumer reps, advocacy bodies
- Serious consumer disappointments are inevitable
- Recriminations against cloud-sourcing are inevitable
http://www.rogerclarke.com/EC/CCC.html

8 Cloudsourcing of Email
- ANU recently announced adoption of MS 365
- MS 365 is hosted in Singapore and Hong Kong, but can be hosted anywhere
- The data is subject to the PATRIOT Act
- ANU has a high concentration of staff and students who have families at risk in un-free nations
- Some of those un-free nations are (from time to time) friends of the US Administration
- There are some nervous ANU staff and students

10 Transaction Assurance

11 Transaction Assurance: Check the Critical Assertions
- 'Value Authentication': Liquid assets are of appropriate quality and quantity
- 'Data Authentication': The key data accurately reflects reality
- 'Attribute Authentication': The entity has the relevant attribute, especially:
  - eligibility for a subsidy, concession or tariff, or to purchase age-restricted goods or services
  - the power to perform acts on behalf of another entity

12 Transaction Assurance: Check the Critical Assertions
- 'Value Authentication': Liquid assets are of appropriate quality and quantity
- 'Data Authentication': The key data accurately reflects reality
- 'Attribute Authentication': The entity has the relevant attribute, especially:
  - eligibility for a subsidy, concession or tariff, or to purchase age-restricted goods or services
  - the power to perform acts on behalf of another entity
- '(Id)entity Authentication': The data is associated with the correct (id)entity

13 The Huge Quality Problems with Biometric Applications
Dimensions of Quality
- Reference-Measure
- Association
- Test-Measure
- Comparison
- Result-Computation
Other Aspects of Quality
- Vulnerabilities
- Quality Measures
- Counter-Measures
- Spiralling Complexity

14 Consequences of the Quality Problems
- There is never 'a perfect match'; it's fuzzy
- A Tolerance Range has to be allowed
- 'False Positives' / 'False Acceptances' arise
- 'False Negatives' / 'False Rejections' arise
- Tighter Tolerances (to reduce False Negatives) increase the rate of False Positives; and vice versa
- The Scheme Sponsor sets (and re-sets) the Tolerances
- Frequent exceptions are mostly processed cursorily
- Occasional scares slow everything, annoy everyone

15 Identity-Related Crimes
Use of an identifier and/or authenticators for:
- Identity Fraud: to financially advantage or disadvantage someone...
- Identity Theft: ... to such an extent, or with such a negative impact, as to effectively preclude further use by the person who previously used the identity
- Identity-Facilitated Criminal Acts: Proceeds of crime laundering, tax avoidance, trafficking...
The identity that is compromised may be someone else's, may be 'fictional', or may even be the person's own

16 Responses to Identity-Related Crime: Strategy
- Piggy-back on, reinforce national security extremism
- 'Real Names Policies'
- Denial of Nymity
- Denial of Multiple Separate Identities
- Imposition of a Singular Identity per Person
- Consolidation, Re-Purposing of Personal Data
- Hardened Id Requirements
- Identity Declaration demanded more often
- Identity Authentication imposed
- Biometrics imposed (Entity, not Identity)
- Social Networks Exploitation Inferencing

17 Responses to Identity-Related Crime: The Consequences
- Greatly increased scope for Id-Related Crime!
- Many more high-value / soft-target datasets
- Routinisation of id capture
- Exposure of Persons-at-Risk
- Destruction of Social Trust
- Encouragement to Lie, Cheat and Obfuscate

19 Technology Neutrality is Harmful Mythology
- Japanese legislators and regulators comprehensively apologised to the Japanese people because: Nuclear power stations were subjected to generic regulatory measures when they should have imposed regulations specific to the nuclear context

20 Technology Neutrality is Harmful Mythology
- Japanese legislators and regulators comprehensively apologised to the Japanese people because: Nuclear power stations were subjected to generic regulatory measures when they should have imposed regulations specific to the nuclear context
- Software is a 'literary work'. Oh, really?? Okay, we need a (sort-of) sui generis arrangement

21 The Accidental Extension of Copyright-Owner Power
- There has never been any right to preclude people from accessing copyright-objects, whether to read them, listen to them, look at them, or watch them
- But the act of accessing digital copyright-objects involves the making of copies
- Because of the wording of copyright law, this intermediate step generally represents a breach of copyright, and requires a licence
- This simple accident gave copyright-owners a great deal of lobbying power
- The principle of balance has been subverted
http://www.rogerclarke.com/EC/ETCU.html (1999) 'Copies ain't Copies'

22 Letters were:
- anonymous
- secret in transit
- untracked
And the postman wasn't responsible for their contents. eLetters should be no different. (And especially not if the purpose is to prop up dying business models for publishing industries).
Rick Falkvinge, 4 November 2012
http://torrentfreak.com/why-offline-privacy-values-must-live-on-in-the-digital-age-121104/

23 Telecommunications 'Interception' Powers
- The PSTN has given way to: Mobiles; VoIP incl. Skype
- Change was/is needed to sustain some powers such as named-person / many-'line' warrants
- Some of the AGD's demands of the Parliament have been warranted
- If the AGD consulted with public advocacy groups, and sought support, they would get it

24 Telecommunications 'Interception' Powers
- PSTN: Call Records cf. Call Content
- Digital Era: 'Metadata'?? cf. 'Call' Content
- Ephemera have become recorded data, as audio, text (email, IM, SMS), and video
- 'Interception' has become 'I & Access'
- The carefully protected has become unprotected
- The principle of balance has been subverted

25 Technology Neutrality is Harmful Mythology
- Japanese legislators and regulators comprehensively apologised to the Japanese people because: Nuclear power stations were subjected to generic regulatory measures when they should have imposed regulations specific to the nuclear context
- Software is a 'literary work'. Okay, we need a (sort-of) sui generis arrangement
- Copying is a breach, until it's part of network functionality
- Telecomms Interception has to be continually re-defined (but not in ways that abuse civil freedoms!)

26 Privacy Law is Adaptive, Right?
- The OECD Guidelines are predicated on the computing of the 1970s, not the IT of the 2010s (They were also designed to facilitate business and government, not to protect privacy)
- Australian law is a very weak implementation
- Australian law has been subverted by myriad subsequent statutes
- Australian Privacy law may shortly be ripped to shreds by the current, consumer-hostile Bill
- There is no right to sue, no criminal sanctions, no enforcement action by the PC'er, and the PC'er actively avoids the creation of case law
- Any adaptive function is negative, not positive

28 Privacy-Enhancing Technologies (PETs)
1. PIT Countermeasures
- Cookie-Cutters
- Cookie-Managers
- Personal Data Managers (e.g. 'eWallets')
- Personal Intermediaries / Proxies
- Data Protection Tools
- Client-Side Security Tools
- Channel, Server and Proxy/Firewall Security Tools

29 2. Savage PETs
- Deny identity
- Provide anonymity
- Genuinely anonymous ('Mixmaster') remailers, Tor, web-surfing proxies, ePayment mechanisms, value authentication, attribute authentication

30 3. Gentle PETs
- Balance nymity and accountability through Protected Pseudonymity
- Intermediary Tools and Proxies, Client-Side Agents, Pseudonymous Connection, Remailers, Web-Surfers

31 Will Consumers Come to be Banned From Owning General-Purpose Computing Devices?
Some powerful groups might like to achieve it
- Copyright-Dependent Corporations
- Government Censors
- The Moral Minority, who want governments to extend censorship to whatever content the moral minority thinks the majority shouldn't have access to
- [Stop Press?] (Dominant) Computing Device Providers
- Law Enforcement & National Security Agencies (LEANS)
- 'Fraud Experts'
Re 'fraud experts': http://www.itnews.com.au/News/263042,jailbroken-phones-not-safe-for-banking.aspx – 8 Jul 2011

32 Consumer-Oriented Social Media
To Address the Catalogue of Social Media Privacy Concerns
1. Privacy-Abusive Data Collection
2. Privacy-Abusive Service-Provider Rights
3. Privacy-Abusive Functionality and User Interfaces
4. Privacy-Abusive Data Exploitation
http://www.rogerclarke.com/II/COSMO-1211.html

33 Location – from Added-Extra to Intrinsic
- Physical Address / Geo-Location
  - knowledge of the cell that a mobile-phone is in, is intrinsic to the service's operation
  - more precise geo-location is increasingly feasible
  - location is becoming readily available to the device
  - location is being acquired by service-providers
- Location-based services can be valuable to users
- A primary use is in consumer marketing
- For most current-round SMS, location is an extra
- For the coming round, Geo-Location is intrinsic
- Privacy sensitivity about Social Media will leap

34 The Primary Geolocation Technologies
