STE WILLIAMS

‘Right to be forgotten’ may not be enforceable

Ed Vaizey said that introducing a “right to be forgotten” into a revised EU Data Protection Directive might give “false expectations” to people who would seek to have their personal data deleted under the new regime.

“We support the idea that consumers should have more control over the processing of their data. And of course we support greater transparency. But we also need to be clear about the practicalities of any regulation,” Vaizey said in a speech earlier this month.

“For example, how do we enforce the ‘right to be forgotten’ when data can be copied and transferred across the globe in an instant? No government can guarantee that photos shared with the world will be deleted by everyone when someone decides it’s time to forget that drunken night out. We should not give people false expectations,” he said.

Last week EU Justice Commissioner Viviane Reding said that individuals would have a right to force organisations to delete the personal data they store about them under a revised EU Data Protection Directive. Formal proposals for the new laws are set to be announced before the end of January.

Vaizey also questioned proposals outlined by Reding to make non-EU based companies subject to the new data protection laws if they stored EU citizens’ data in “the cloud”.

Cloud computing refers to the storage of files and programs on an internet-based network rather than on local computers.

“We agree; data should be processed in accordance with expectations of privacy in Europe,” Vaizey said. “But we need to be aware that questions of liability could jeopardise the ability of European firms to use the cloud for data processing and storage. We should question the logic of trying to make firms outside of the EU subject to EU law,” he said.

Vaizey said new data protection laws should not “stifle innovation” and must be “future proof”.

“It is all too easy for directives to become irrelevant when dealing with a medium as fast moving as the internet,” Vaizey said. “We need to ensure that the international transfer of data, so critical to economic growth, can continue. And we need to ensure that changes are both practical and proportionate.”

“Good data protection laws will allow innovation to continue, and technologies like the cloud to flourish while also ensuring appropriate protections for peoples’ personal data,” he said.

In his speech at the Internet Advertising Bureau (IAB) in London, Vaizey defended the UK’s approach to implementation of new EU laws on ‘cookies’.

Cookies are small text files that websites store about users to remember their activity on the site. The Privacy and Electronic Communications Directive (E-Privacy Directive), from which laws governing the use of cookies are drawn, states that storing and accessing information on users’ computers is generally only lawful “on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing”.

The E-Privacy Directive was implemented into UK law in May. The amended Privacy and Electronic Communications Regulations state that website owners must obtain “informed consent” to tracking users through cookies.

The Information Commissioner’s Office has previously issued guidance on how website owners can comply with this requirement, but it has left it up to individual companies to choose methods they believe comply with the laws. The Government is working with browser manufacturers to come up with a way to gather consent via browser settings.

“I believe our approach to implementation has struck the right balance by keeping in mind the original intent of the directive, complying with the letter of the law and also being flexible enough to allow business to find solutions which suit them best,” Vaizey said in his speech.

“The key is finding solutions which engage users. There is no point in putting a block of text and a tick box in front of users. People will simply ignore it and click through. The consequences of users being forced to make an uninformed decision on something which can so profoundly affect the internet economy are potentially dire,” he said.

Vaizey praised the advertising industry for developing its framework around online behavioural advertising (OBA) and said the self-regulatory code established by the IAB Europe (IABE) and European Advertising Standards Alliance (EASA) earlier this year formed a “crucial part” of the measures needed to comply with EU laws on cookies.

“The IAB’s Online Behavioural Advertising (OBA) Framework … offers users further information about the ads they are seeing without doing so in an obtrusive or disruptive way. And it is a fantastic example of the willingness of industry to work together to find solutions which suit both business and users,” Vaizey said.

“The OBA framework is an essential element of a series of measures being taken across industry, which we believe will give users more control over their privacy online,” he said.

Under the IABE and EASA code, website operators must give users access to an easy method for turning off cookie tracking on their site. The code also requires operators to make it known to users that they collect data on them for behavioural advertising.

Operators must also publish details of how they collect and use data, including whether personal or sensitive personal data is involved. Details of which advertisers or groups of advertisers they make the data available to also have to be published.

Companies that adopt the code will also have to display an icon telling users that the adverts track their online activity. Through the use of the icon web users will be able to manage information preferences or stop receiving behavioural advertising via a new pan-European website, www.youronlinechoices.eu. A user can click on the icon to see the relevant information. The initiative is supported by many leading content providers, including the BBC, Financial Times and Telegraph Media Group, as well as AOL, Microsoft and Yahoo!

The code has been criticised by EU privacy watchdogs. The Article 29 Working Party has argued that internet users’ consent to cookies can only be deemed to have been given through statements or actions, rather than “mere silence or inaction”, which it says does not constitute valid consent.

However, Vaizey defended the code and said it was important that website operators and browser manufacturers also help users exercise control over their privacy.

“The OBA framework is a crucial part of our package of compliance but it is not the only part. Obviously this isn’t only about advertisers,” Vaizey said.

“Publishers (website owners) and Browsers have a big role to play here too. Publishers are just as responsible as advertisers for the cookies they place on a user’s machine. So they should do what they can to make the user aware of the cookies they use and consider how best they can seek consent from users especially if they are particularly intrusive. Browsers are also a crucial part of this, they are the natural place for users to exercise control over their privacy settings and by extension are a means to signify consent. We are working closely with browsers to find ways of ensuring users have increased and easy to understand controls, and easier access to those controls,” he said.

Vaizey said that internet users need easily accessible information about why their data is collected and for what purposes, and that they should have “easy to use controls” to modify what information is collected about them.

“People give companies their data because they trust that those companies will not abuse or misuse that data and it is essential that people do not lose that trust in the future,” Vaizey said.

“Behaviourally targeted, or preference based advertising is an incredible innovation that can be of huge benefit to both business and to the consumer,” he said. “But it needs to be done right. Users should not feel stalked around the web by companies wishing to sell them something. Users should be able to understand why they are seeing the ads they are seeing, who is responsible for that ad, and be able to exert a level of control over the extent to which ads are tailored to their preferences.”

“It is important that this is done in a way that allows consumers to genuinely engage with the process and be able to make informed decisions about the information put in front of them,” the Culture Minister said.

“Users should not be forced to make a decision about something they don’t understand and may or may not care about. But that does not mean we shouldn’t give users the ability to make those decisions. There needs to be easy to understand information and easy to use controls in place so users can make those informed decisions and exercise their right to have complete control over their data and their privacy online,” he said.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/right_to_be_forgotten_might_not_be_enforcable/

Beheaded man wasn’t one of us, say anti-drug cartel bloggers

A man tortured, beheaded and dumped close to Mexico’s border with the US in a gruesome cartel-style murder was not the moderator of a local online discussion forum, contrary to earlier reports.

The still unidentified victim was abused and decapitated before his body was left beside a statue of Christopher Columbus outside the town of Nuevo Laredo. A chilling message, scrawled in ink and found next to his remains, read: “Hi, I’m ‘Rascatripas’ and this happened to me because I didn’t understand I shouldn’t post things on social networks.”

Last month a Nuevo Laredo en Vivo moderator Marisol Macias Castaneda – also known as Laredo Girl – was decapitated by local drug lords and dumped in the same location by the Christopher Columbus statue. This, together with the scribbled message, led to the assumption that El Rascatripas (aka The Fiddler or Scratcher) was also a moderator on Nuevo Laredo Live.

However Nuevo Laredo Live has since denied that the victim had anything to do with the site. It described the victim as a scapegoat and said the murder was an act to frighten off other members of its community, according to a tweet on its Twitter feed.

Nuevo Laredo Live reports firefights between drug traffickers and police as well as cartel checkpoints on the region’s dangerous road, among other matters. Mexico’s ultra-violent drug cartels – in particular Los Zetas, a group founded by Mexican special forces deserters who are engaged in a bloody turf war with their former bosses in the Gulf Cartel – regard contributors as little more than police informants.

The Mexican government estimates 35,000 people have died between 2007 and January 2011 in Mexico’s brutal and ongoing drug wars. Mexico’s military and police are guilty of multiple human rights violations in their fight against the cartels, including torture, 39 “disappearances” and 24 extrajudicial killings since 2006, a report by Human Rights Watch out last week alleges.

On the other side, Los Zetas are accused of a string of atrocities, including the execution of an estimated 190 abducted bus passengers in Tamaulipas back in April and the Monterrey casino attack that left more than 50 dead in August. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/mexico_slaying_victim_not_blogger/

Security researchers break out of Apple’s sandbox

Researchers claim to have discovered a vulnerability with the sandbox security mechanism used by Apple.

The sandbox, which is baked into the kernel of Mac OS X, is designed to apply application restrictions, so that code that has no reason to access a network isn’t able to access a corporate LAN or the internet, for example. The restriction means that even if the code contains bugs, hackers will be stuck if they try to exploit the vulnerability to do anything else.

All applications published through the App Store “must implement sandboxing” by the start of March 2012.

However, at least according to Core Security, the sandboxing is flawed. Processes directly spawned by a sandboxed application are blocked but indirectly spawned processes are permitted, according to Core, which has published an advisory containing harmless proof of concept code to illustrate its concerns.

The upshot of this is that “you can use Apple Script to tell OS X to start some other arbitrary program (or a second copy of your own) which won’t inherit your sandbox settings,” explains Paul Ducklin of net security firm Sophos.

Rather than make its sandbox harder to break out of, Apple reportedly wants to address Core’s finding by documenting that its restrictions can’t be assumed to apply to any process other than the sandboxed one. Core is less than satisfied by this response and wants stricter sandbox controls.

The timeline of Core’s dialogue with Apple over the issue once again illustrates the problematic relationship between Apple and security researchers, most clearly shown by its expulsion of renowned security researcher Charlie Miller from its developer programme last week. Miller found a security hole in iOS that created a means for an application to download new unapproved software onto an iPhone or iPad. An application he created exploiting this vulnerability was approved and published on Apple’s App Store.

This earned Apple’s ire, and expulsion, but if Miller hadn’t proved that the problem was real Apple might have been tempted to dismiss it as purely theoretical. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/apple_sandbox_security_fail/

Phone hacking victims’ QC hit by trojan infection

The opening day of a judicial inquiry into phone hacking and other privacy-invading skullduggery by the British media was briefly interrupted on Monday – by a suspected Trojan horse infection.

David Sherborne, a QC representing phone hacking victims during the Leveson Inquiry into press standards, was called back to his judicial chambers after a Trojan was found on its network. The concern was that the malware might extract sensitive data from the network, potentially including case files related to the celebrities and public figures victimised by The News of the World that Sherborne is representing at the inquiry.

This makes fantastic fodder for conspiracy theorists, especially since some staff at NotW’s publisher News International, and their hired help, are suspected of using malware, as well as phone hacking, in their hunt for celebrity tittle-tattle and gossip on public figures or even (in one alleged case) those handling agents in Northern Ireland. Ian Hurst, a former British army intelligence officer who served in Northern Ireland, claims he was the target of a malware-based hack back in 2006 and accused reporters at News International.

The strain of malware affecting Sherborne’s chambers remains unclear and, in the absence of anything to the contrary, it’s probably safest to assume it is just a regular virus infection unless we hear differently.

The Daily Telegraph’s live blog on the hearing reported that Sherborne raised a few smiles when, explaining why he had to leave the hearing, he said the threat is “in big red letters much like the font used by the News of the World”. More commentary on the incident can be found in a blog post by net security firm Sophos.

Aside from the security-related interruption, the Leveson Inquiry heard that notes kept by disgraced private detective Glenn Mulcaire suggested he might have worked for The Sun (also published by News International) and rival tabloid The Daily Mirror as well as the NotW. The names of reporters at both papers were mentioned in his notes, indicating they may have commissioned work from him. There are no details or much indication of what that work might have been, according to a report of the proceedings. Although Mulcaire was jailed for six months in 2007 after he was convicted of intercepting the voicemail messages of royal aides at the behest of the NotW, not all of his work was illegal.

It’s far from the first time suggestions have been made that blagging, phone hacking and other wrongdoing extended across Fleet Street. Heather Mills, the former wife of Paul McCartney, claims that a Mirror journalist admitted hacking into her mobile phone voicemails earlier this year. Actor Jude Law is suing both The Mirror and The Sun over alleged breaches of privacy, The Guardian reports. Both papers deny the allegations, which are yet to be tested in court. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/phone_hack_inquiry_trojan/

Salman Rushdie hissy-fit forces Facebook name U-turn

Facebook has upset Salman Rushdie after the company initially refused to let the controversial author use his common name rather than his first name when signing up to the network.

The writer, who is a newcomer to the Web2.0 game, explained on Twitter that his full name is Ahmed Salman Rushdie.

“Amazing. 2 days ago FB deactivated my page saying they didn’t believe I was me. I had to send a photo of my passport page. THEN…” he tweeted, “they said yes, I was me, but insisted I use the name Ahmed which appears before Salman on my passport and which I have never used.

“NOW… They have reactivated my FB page as ‘Ahmed Rushdie,’ in spite of the world knowing me as Salman. Morons. @MarkZuckerbergF? Are you listening?”

The author of The Satanic Verses, who was forced into hiding in 1989 when a fatwa ordering Muslims to kill Rushdie was issued against him by Iran’s Ayatollah Khomeini, continued to rant about his Facebook plight on Twitter.

“Maybe @MarkZuckerbergF is a phony. Is the real #Zuckerberg on Twitter? Where are you hiding, Mark? Come out here and give me back my name!” he huffed. “So if @finkd is the real #Zuckerberg: what are your people up to, sir? Why have I been denied my name on FB? An answer would be nice.”

Rushdie kept up the pressure on the dominant social network by continuously tweeting to his 115,000 followers in the hope of getting a response from Zuckerberg’s crew.

He argued that Facebook “forcing” him to change his name was akin to “forcing” F Scott Fitzgerald to have a Facebook profile with the name Francis Fitzgerald instead. He went on to list other people in the public eye who had commonly used their middle names, including James Paul McCartney, George Orson Welles and William Bradley Pitt.

Eventually, Facebook gave in.

“Victory! #Facebook has buckled! I’m Salman Rushdie again. I feel SO much better. An identity crisis at my age is no fun,” said the author.

He later added that the social network had sent him an apology.

“All is sweetness and light,” was Rushdie’s verdict. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/salman_rushdie_facebook_row/

Irish woman doesn’t go down after scrotum ripping assault

A Dublin woman who ripped her boyfriend’s scrotum, leaving him with an extruded left testicle, has been spared jail.

There was a gasp in the public gallery on Monday as the prosecution read out the injuries sustained by Eamon Desmond at the hands of Lisa Moran, 42, of Devaney Gardens, Dublin, in the assault, The Irish Independent reports.

Moran had burst into Desmond’s home after taking umbrage at rumours he had made disparaging remarks about her daughter.

After some preliminaries, during which Desmond admitted Moran to the house, she launched an attack on him that included scratching, kicking and slapping.

When Desmond restrained Moran she appeared to calm down, the court was told. But when he released the by-then “frothing at the mouth” Moran, she resumed her assault.

While Desmond was calling the police, he felt “a sharp pain in his scrotum area”, a police officer told the court.

When police arrived they found him with injuries including a lacerated scrotum which left his left testicle extruding, apparently caused by his belt buckle.

Four years on after the attack in 2007, Desmond had made a good recovery but still bore a small scar, the court was told this week, and simply wanted to put the issue behind him.

Judge Nolan accepted the scrotum injury was not intentional, but said Moran was guilty of reckless assault. He sentenced her to 18 months suspended.

Moran is the second woman to have escaped a jail term for scrotal-related violence in the last week. Last Friday a Gateshead woman was given a suspended sentence and 150 hours community service for an assault which left her boyfriend with a ripped and bloodied sac. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/assault_judgement/

Google will ignore your Wi-Fi router … if you rename it

Google has magnanimously offered to ignore Wi-Fi hotspots that have been renamed with a trailing “_nomap” to let the snoops know what you don’t want them to know.

Google logs the location of Wi-Fi routers to aid its location pinpointing services, as knowing the nearest router can provide a coarse location as well as making it easier to get a GPS fix, but even Google accepts that not everyone wants to share.

In the explanatory blog posting, the Chocolate Factory’s “Global Privacy Council” explains that Google considered providing an online tool allowing people to opt out, but rejected that idea as it couldn’t prevent malicious individuals from forcibly opting out those who didn’t want to opt out. We read that to mean Google couldn’t prevent hackers opting everyone out automatically, but either way Google has decided name changes are what’s needed.

Google’s Streetview camera-cars logged the location of every Wi-Fi hotspot they passed, occasionally (and accidentally) grabbing a chunk of data too. Those records remain intact, but are constantly updated when someone uses Google Maps and takes the time to get a GPS fix.

Android phones regularly send back updates to the Googleplex, keeping the locations of every Wi-Fi router (with a publicly broadcast SSID) constantly updated and making it easier for everyone else to work out where they are.

GPS works well, but has a hard time getting a signal indoors as well as taking a while to get a fix. If you know roughly where you are then the GPS calculations get a lot easier, so an Android handset first scans for local Wi-Fi routers and asks Google for a rough location based on those (and the cellular base stations, which are kept updated the same way). That rough location is then used to simplify the GPS calculations.

Unless of course the local Wi-Fi router is tagged “_nomap”, in which case Google promises to ignore the information. Local users of Google Maps will just have to step outside and learn to be patient. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/wi_fi_privacy_google/

US anti-hacking law turns computer users into criminals

A commonly invoked anti-hacking law is so overbroad that it criminalizes conduct as innocuous as using a fake user name on Facebook or fibbing about your weight in a Match.com profile, one of the nation’s most respected legal authorities has said.

George Washington University Law School Professor Orin S. Kerr said he hopes the critique will spur changes to the Computer Fraud and Abuse Act, a law that’s frequently invoked against people who exceed authorized access of websites and computers. He released written testimony (PDF) on Monday, one day before he’s scheduled to appear before a US House of Representatives subcommittee on Crime, Terrorism, and Homeland Security.

“The current version of the Computer Fraud and Abuse Act (CFAA) poses a threat to the civil liberties of the millions of Americans who use computers and the internet,” said Kerr, who is a former prosecutor who handled hacking cases. “As interpreted by the Justice Department, many if not most computer users violate the CFAA on a regular basis. Any of them could face arrest and criminal prosecution.”

The CFAA punishes people who intentionally exceed authorized access to obtain information from a protected computer. Kerr said exceeding authorization is as simple as violating a single term of service, such as one imposed by Match.com that forbids users from providing “inaccurate, misleading or false information” to any other member. A user who fibs about her weight or his height and gets access to another member’s profile could well run afoul of the provision, Kerr said.

“The statute does not require that the information be valuable or private,” he wrote. “Any information of any kind is enough. Routine and entirely innocent conduct such as visiting a website, clicking on a hyperlink, or opening an email generally will suffice.”

The critique comes three years after federal prosecutors charged a Missouri mother for using a fraudulent MySpace profile to taunt a teenage girl who later committed suicide. Lori Drew was eventually found guilty, but the conviction was later overturned after the judge criticized the CFAA for criminalizing what would otherwise be a simple breach-of-contract claim in a civil case.

Kerr recommended that the CFAA be amended to clarify that exceeding authorized access doesn’t include terms of service. An alternative statutory fix includes narrowing the law to cover only information that, when obtained in excess of authorization, is “associated with significant harms.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/computer_hacking_law_goes_too_far/

TCP/IP daddy Cerf: ‘Don’t rewrite the internet for security’

Google Atmosphere: There is no need to rewrite the basic internet protocols to beef up security, Vint Cerf has said. He also warned that governments are making increasingly heavy-handed attempts to take control of the interwebs.

Cerf, co-creator of TCP/IP and currently chief internet evangelist at Google, told delegates at the Atmosphere conference in Mountain View, California, that it was perfectly possible to add security features to the basic internet protocols without requiring a ground-up rewrite, simply by using currently available technology.

“The technology is available to do the job, it can be adapted,” he explained. “Don’t listen to those who tell you it can’t be adapted.”

He said that he’d built a secure version of the internet back in 1975 for the American military, but because the work was classified he couldn’t share the technology. However, as moves like DNSSec showed, the basic open internet structure could be adapted.

It is important that we don’t throw the baby out with the bathwater, Cerf warned, particularly on the identity front. There should always be a place for anonymous use of the internet, although tougher security protocols should be available for situations that warranted them – with Cerf highlighting two-factor authentication as a useful example.

However, the role of certification authorities has shown that there is significant room for improvement. Today’s internet is a “hostile environment,” he warned, and the hacking of certification authorities has shown that the model needs serious revision.

Some of the voices calling for change have come from governments that are seeking a greater level of control over the internet, a development of great concern to Cerf. He described the seizure of domains by the US Department of Homeland Security as an example of heavy-handed control, and said that some of the measures being introduced to protect intellectual property were similarly over the top.

“Historically, governments have felt in control on communications mediums,” he explained. “But internet packets don’t recognize borders, and this generates a lot of tension. Governments that feel fragile are concerned, and this is emerging in form of countries seeking control over internet.”

Looking ahead, Cerf acknowledged that there may be a replacement for the internet, which could do a similar job in a more efficient way. But any solution should be open, he said. When asked if the inventor of a better internet would be advised to open source their code, or hire a patent attorney and get copyright, Cerf’s answer was simplicity itself.

“Shoot the patent lawyer,” he joked. “Bob [Kahn] and I knew we would not succeed if we tried to protect our internet design and we published openly to remove any barrier, or excuse for adoption. It worked out pretty well.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/14/no_need_to_rewrite_internet_cerf/

World’s stealthiest rootkit pushes DNS hijacking trojan

One of the world’s most advanced pieces of malware is being used to spread DNS Changer, a trojan at the heart of a massive click fraud scheme that has already hijacked 4 million PCs, security researchers said.

Just a few days after federal prosecutors in the US shuttered the international conspiracy, researchers from Dell SecureWorks said they discovered DNS Changer is being spread by TDSS. The rootkit, as previously reported, is among the hardest to detect and remove and is often used as a means to install keyloggers, tools for attacking websites, and other malware.

Once installed, DNS Changer is able to alter the DNS, or domain name system, settings that computers and routers use to find the IP numbers that correspond to domain names such as theregister.co.uk and google.com. By replacing legitimate DNS servers with servers under the control of the attackers, they are able to send victims to fraudulent websites instead of the destinations the victims intended to visit.

Last week, seven people from Estonia and Russia were criminally charged in a scam that for more than five years used DNS Changer to generate more than $14 million in profit. They racked up the windfall by redirecting victims to imposter websites that paid advertising fees to the attackers each time they were clicked on. The scheme preyed on users of computers running Microsoft Windows and Apple OS X operating systems. DNS Changer is also able to change DNS configuration settings in certain routers, particularly when they use default usernames and passwords.

The ability of TDSS to evade antivirus protection and other security software is well documented. The rootkit, which is also known as TDL4 and Alureon, is among the world’s most advanced, with the ability to infect 64-bit versions of Windows, infect a computer’s master boot record, and communicate over the Kad peer-to-peer network. Its newest payload means that victims now have an easy way to tell if they are infected.

“The real danger of a DNS Changer infection is that it is an indicator that your system is infected with a larger malware cocktail with malware such as Rogue AV, Zeus Banking Trojan, Spam Bot, etc.” an emailed report from Dell SecureWorks stated. “Controlling DNS literally gives an attacker complete access to a system.”

End users who want to know if their systems are infected should check the DNS server settings of their operating system and routers. Compromised systems will show server IP addresses within the following ranges:

85.255.112.0 through 85.255.127.255

67.210.0.0 through 67.210.15.255

93.188.160.0 through 93.188.167.255

77.67.83.0 through 77.67.83.255

213.109.64.0 through 213.109.79.255

64.28.176.0 through 64.28.191.255

To check DNS settings on Windows open a command prompt and type “ipconfig /all” and then check the DNS Server field. On a Mac, choose System Preferences and then select Network. Then click on the Advanced button of the active connection. Users may also want to check the DNS servers used by their router.
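
The check described above can be automated. The following is an added example, not code from the article or from Dell SecureWorks: it pulls the DNS server addresses out of English-language “ipconfig /all” output and, going slightly beyond the article, out of resolv.conf-style “nameserver” lines, then tests them against the six ranges listed above. The function names and the sample output are constructed for illustration.

```python
import ipaddress
import re

# The six ranges listed in the article, as (first, last) pairs.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def build_networks(ranges):
    """Convert 'first through last' ranges into CIDR network objects."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


ROGUE_NETWORKS = build_networks(ROGUE_RANGES)

# "DNS Servers . . . . : 1.2.3.4" (assumes the English field label).
_LABEL = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
# Additional servers appear on indented lines holding only an address.
_CONT = re.compile(r"^\s+(\S+)\s*$")
# resolv.conf style: "nameserver 1.2.3.4".
_RESOLV = re.compile(r"^\s*nameserver\s+(\S+)")


def _parse_ip(token):
    """Return an address object, or None if the token is not an IP."""
    try:
        # Drop an IPv6 zone id such as "%12" before parsing.
        return ipaddress.ip_address(token.split("%", 1)[0])
    except ValueError:
        return None


def extract_dns_servers(text):
    """Collect every DNS server address found in the given output."""
    servers = []
    in_dns_field = False
    for line in text.splitlines():
        label = _LABEL.match(line)
        match = label or _RESOLV.match(line)
        if match:
            ip = _parse_ip(match.group(1))
            if ip is not None:
                servers.append(ip)
            in_dns_field = label is not None
            continue
        cont = _CONT.match(line) if in_dns_field else None
        ip = _parse_ip(cont.group(1)) if cont else None
        if ip is not None:
            servers.append(ip)
        else:
            in_dns_field = False  # next field or blank line ends the list
    return servers


def find_rogue_dns(text):
    """Return (address, matching range) for each server in a listed range."""
    hits = []
    for ip in extract_dns_servers(text):
        for net in ROGUE_NETWORKS:
            if ip.version == net.version and ip in net:
                hits.append((str(ip), str(net)))
                break
    return hits


# Constructed sample, shaped like "ipconfig /all" output on a host whose
# first DNS server has been replaced; the addresses are made up.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.test
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for address, network in find_rogue_dns(SAMPLE_IPCONFIG):
        print(f"{address} falls inside listed range {network}")
```

A clean result only covers the host the output came from; the router’s own DNS settings still need checking separately, as the article notes.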

FBI officials said 4 million PCs were infected by the DNS Changer used in the operation that was shut down last week. The Dell SecureWorks report said researchers aren’t sure if that number is accurate. Researchers monitoring the command and control servers used in the attack are seeing about 600,000 unique IP addresses connect per day. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/14/tdss_drops_dns_changer/