
 

The 2012 CLSR-LSPI Seminar on Privacy, Data Protection & Cyber-Security

 

Chaired by: Prof Steve Saxby, Editor-in-Chief of Computer Law & Security Review (CLSR)

 

Date: Tuesday October 2, 2012

 

Venue: Coral Hotel

 

Time: 16.30-18.30

 

 

 

This has been a big year for privacy with so much going on within the EU regarding reform of data protection. What are the implications of reform here and what are the issues that concern us about the proposed new data protection regime contained in the proposed Regulation? We hear a lot about the 'right to be forgotten'. How is that possible in the digital age within the online world? And what can be done about the big players who stand charged with the erosion of privacy viz Facebook, Google, Skype & YouTube etc? How can the law keep up with technological change when the latter is moving so fast eg with RFID, Cloud and social networking? To what extent can data breach notification, net neutrality and privacy impact assessment help and how should the law approach issues of liability and criminality in relation to privacy? What is the state of play too in the relationship between privacy policy and state surveillance and, given its implications for privacy, what obligations should governments adopt in response to cybersecurity regulation and data management? Is there a place for privacy self-regulation and if so in what respects and how effective are the Information Commissioners who often complain of being under resourced? In reviewing the way privacy law has emerged do we now need a completely new approach to the whole issue? Has the law crept into its present form simply by default? Do we need some new thinking now that reflects the fact that law is only one dimension in the battle for privacy? If so what are the other factors we need to recognise?

 

Steve Saxby, s.j.saxby@soton.ac.uk

 


I am delighted to introduce the following contributors with a brief outline of their topics:

 


 

Henrik Tjernberg, Chairman of Micro Systemation (MSAB)

 

Henrik Tjernberg was born in 1960 in the north of Sweden and studied Engineering Physics at the Royal Institute of Technology in Stockholm. In 1985 he became development manager at Micro Systemation AB, where a year later he became president and CEO. During the 90s Micro Systemation developed telecommunications software and, in conjunction with its IPO in 1999, launched SoftGSM, the first ever entirely software-based GSM modem. Henrik Tjernberg was elected chairman in 2002 and the company started the development of XRY, which is now the world's leading product for forensic analysis of mobile devices, mainly mobile phones.

 

 

 

My comments will be on privacy: All citizens have the right to be presumed innocent until proven otherwise - This is the foundation on which Western legal tradition is based. It also implies that citizens should be treated as innocent and not be subjected to monitoring and data collection until a clear suspicion of crime exists.


For me, it means that states and governments must actively, by legislation, be prevented from collecting data on all of their citizens. Regardless of motives. It is not until there is a reasonable suspicion of crime that data mining and direct surveillance may begin. Europe has chosen a different path and a very dangerous one. The Data Retention Directive is one example of how pragmatism and supposed rationality lead the EU to compromise on key rule of law.


I believe that the threat does not come from private companies, which, like Facebook, collect data about their users in order to build marketing databases. Users can choose to participate or not. The threat is states and governments, which with legislation will force these companies to provide information whenever they wish. This is dangerous, inefficient and terribly expensive and threatens to destroy the open society as we know it. Did we tear down “that wall” just to import the DDR surveillance society?
Privacy is an absolute value and must not be compromised by the “nothing to hide” argument.


My point here is that instead of collecting irrelevant information on innocent people the authorities should have powerful tools to gather information once a reasonable suspicion can be established.


The new digital world may give the law enforcement authorities new effective tools to gather evidence and prevent crime. But it also presents governments with the possibility of complete monitoring of their citizens. Let’s go the first way and skip the second.
Benjamin Franklin put it something like: People willing to sacrifice freedom for security deserve neither and will lose both.

 

 

 

 

 

 

 

 

Alessandro Mantelero, Politecnico di Torino, Italy.

 

Alessandro Mantelero is Professor of Private Law at Politecnico di Torino (Fourth School of Engineering Management and Industrial Engineering) and Faculty Fellow at Nexa Center for Internet and Society. He graduated cum laude in Law at the University of Turin in 1998 and holds a Ph.D. in Civil Law from the same University.

He is author of numerous publications and is currently focusing his studies on data protection, ISP liability and legal implications of cloud computing and big data. Alessandro Mantelero was admitted to the Italian bar in 2001. He is involved in different national and international research programs and is Project Member at the Network of Excellence in Internet Science and co-director of Cloud Computing Governance Initiative for the Nexa Center. The Cloud Computing Governance Initiative has been launched by the Berkman Center (Harvard University) and involves the following universities and research centers: Harvard University (Berkman Center), Politecnico di Torino (Nexa Center), Keio University and University of St. Gallen. In 2012 he was Visiting Researcher at Berkman Center for Internet & Society at Harvard University.

 

I will provide a general overview of the different approaches towards data protection in the global world, focusing attention on the US and the EU.

 

 

 

 

 

 

Tamar Gidron and Uri Volovelsky, Haim Striks School of Law, Israel.

 

Tamar Gidron is an expert on Torts Law with special interests in: Tortious Interference in Commercial Competition, Wrongful Commercial Acts, Consumer Protection Laws, Economic Damages due to Tort of Negligence, Professional Liabilities, Defamation and Slander and the Protection of Privacy. Dr. Gidron received her LL.B. (cum laude) from the Hebrew University, her LL.M. (cum laude) and her D.Jur from Tel-Aviv University. She is a certified Mediator and heads the Conflict Resolution and Mediation field of specialization which she launched as school Dean.

 

 

Uri Volovelsky, LL.M. Fordham University, New York (Banking, Corporate Law & Finance Law) (cum laude); M.B.A., College of Management Academic Studies, Rishon LeZion (Multinational Business Activities); LL.B., College of Management Academic Studies, Rishon LeZion (cum laude); B.A. Interdisciplinary Center, Herzliya (Government, Diplomacy and Strategy) (cum laude). Uri Volovelsky is a practicing attorney specializing in corporate and commercial law and international commercial agreements. Uri served as Deputy Editor and Academic Staff Member of the Hamisphat Law Review as well as Associate Editor of Fordham University's Journal of Corporate and Finance Law. In addition, Uri is a longstanding judge at the Philip C. Jessup "International Law Moot Court Competition".

 

 

The extraordinary technological developments of recent years have created difficulties and challenges mainly because of the fear that this fast-moving technology will cause harm to rights and interests which the law seeks to protect such as the right to privacy, freedom of information, the right of access to the courts, the right to reputation and copyrights.

 

We wish to emphasize the need for an overall perspective of the current situation and the importance of defining and adopting a comprehensive and systematic arrangement based on the understanding that an ideal solution is one that combines all the relevant "players":

 

1) consumers of technology will be encouraged to be more aware of and protective of their rights;

 

2) providers of technology services and web site owners will be encouraged to conduct themselves ethically and ensure the greatest possible security of the databases containing information about the users of their services, with the result that consumers will be more forthcoming about providing information;

 

3) legislation – conventions, directives, state legislation – will be adjusted to technological developments in a broad manner while also leaving the court judicial discretion to interpret the law, the conventions and the directives in a manner compatible with day to day life as well as in a manner which can contend with the inherent difficulty of foreseeing the full range of situations and questions ensuing from the rapidity of technological developments;

 

4) the courts, which, in our opinion, have so far had the most under-appreciated job and which rarely have been spoken about or had their importance recognized, should, in our view, play a key role in any attempt to protect the fundamental rights entrenched in the law.

 

Legal literature tends to regard technology and the law as enemies or as competitors. Often, the law is perceived as lagging behind technology. And indeed – in factual terms – the law by its nature responds to technological developments. The question, then, is which is the most appropriate institution (in terms of speed of adaptation and flexibility) to draw a balance between "vulnerable" legal rights and technology? Is it the legislature, or the courts which examine the technological developments from one case to another and maintain a constant discourse with the other "players"?

 

Following are some examples of Israeli law which illustrate the importance of the judicial role in protecting privacy and finding the right balance between conflicting interests in the field of technology in the modern era.

 

Two significant examples of legislation which might potentially invade privacy have reached the Israeli Supreme Court for interpretation: The Israeli Biometric Database Act and the Transfer of Communications Data to Public Authorities Act, which was recently expanded. In both instances, the Supreme Court supported the legislature despite the possible impact this might have on privacy; however, the court left an opening for future reconsideration of the two statutes. Courts have also an important role in the interpretation of the concept of "privacy" and "private information". They have a role in determining priorities between the scope of protection of privacy and conflicting interests.

 

Courts have the ability to shape technology through the laws of evidence by virtue of the court's willingness or otherwise to rely on scientific evidence; both scientific evidence in general and technological evidence. Courts can also place conditions on evidence derived from a public computer network – using the "best evidence rule" – and demand that parties wishing to present scientific data prove that it has been derived from a secure system that safeguards the privacy of the information stored within it.

 

The issue of anonymity of publications on the Internet raises another question: what is the best way to deal with the need to protect anonymity on the web – either as an aspect of freedom of speech or as an aspect of the right to privacy – when dealing with a person's application to reveal the IP address of someone infringing his rights by publishing online? The Israeli Supreme Court recently rejected an application to disclose the IP address of someone who had severely defamed the plaintiff. The judgment attracted considerable criticism which focused on the question of whether this issue should really be regulated by legislation, even though that legislation could never catch up with the users who would find ways to conceal their identities, or left to the discretion of the courts which are able to respond quickly and produce an immediate effect on the behaviour of users. The decision as to who decides and in which way, must naturally take into account the injured party's right to access the courts on the one hand, and on the other hand, the freedom of speech and privacy of the person posting on the Internet.

 

 

 

 

 

 

Jochen Moeller, Vice President of the European Association for Data Media Security.

 

Jochen Moeller graduated in Engineering (Dipl. Ing.) in 1985 from the University of Applied Science Moenchengladbach, Germany. Until 1999 he worked in the International Machine Building and Plant engineering industry and regularly delivered lectures on the latest research and development subjects in these industries. Since 1999 Jochen Moeller has been working in the field of high security equipment and thus in close cooperation with different governmental organisations. In 2008 he was one of the Charter members of the EA DMS and now holds the office of Vice-President in this organisation, being responsible for all development and auditing. In this role he has been active as adviser to police, government departments and research institutes in different European countries.

 

Protection of Individuals and Companies – the forgotten Task

The perspective of our association is very much driven by the experiences talking to victims of data theft and data abuse. We think data security and data protection can be structured in 3 different categories: state, business and private.


In the “state category” we are talking about attacks on states or governmental organisations or e.g. asymmetric attacks on infrastructure, called cyber war. The Internet is the essential tool to make most of these actions possible. As long as attacks are fended off, damages will be low. But a successful attack may have the potential to change the world.


In the “business category” we are talking about data abuse committed by well organised professional structures (legal and illegal). This economic espionage is often called cyber crime, although the Internet is only one of the tools in use. Conventional theft and abuse is at least as important. Economic damage is extremely severe but difficult to prove. The number of unreported cases is certainly also very high.


In the “private category” most data abuse (legal and illegal) is committed for marketing and sales purposes. The abuse is associated with strong mass marketing tools and the target is accumulated low profile abuses adding up to the intended e.g. profits or savings. In this category data mining and large data pools are vital for the success. The damage per attack may be low, but supporters of course need to hear about police successes and verdicts from time to time.


Governments seem to fully focus their efforts on the “state category”. Legislation is not considered to be relevant to reduce or control the dimension of these problems and should therefore mainly be used to assure full access to all data from all sources at all times.


In the “business category” responsibility is passed over to associations and companies. The philosophy is “buy yourself the degree of safety you need” and “create standards for easy orientation yourself”. But this philosophy will not provide legislation for a practical protection and chance to find compensation for damage.


In the “private category” governments seem to only feign action. Examples show a focus on temporary media awareness but no real understanding of problems and therefore possible solutions using legislation.


With the present focus of European governments a society comes closer, as described by Yevgeny Zamyatin in his famous book “We”. But if legislation clearly points out who has the ownership of data at a particular time and provides strict rules as to how ownership can be transferred, protection of privacy and protection against economic espionage may still be possible. Governments must be encouraged to develop tools against war and terrorism, which are not dependent on super large data collections. Even huge data pools did not assist the GDR to survive.

 

 

 

 

 

 

 

 

 

 

Janine Hiller, Pamplin College of Business, Virginia Tech, USA.

 

Janine Hiller is Professor of Business Law at the Pamplin College of Business, Virginia Tech, Blacksburg, Virginia, USA. Dr. Hiller's teaching achievements include her designing one of the first Internet Law courses in the country. She currently teaches Internet Law and Policy to graduate students at Virginia Tech, to students at Thunderbird University and INT, France through distance learning. She has also co-authored one of the first textbooks on Internet Law. She has conducted seminars through the Management Development Office and has been a lecturer of Continuing Education Seminars for the Virginia Law Foundation. Dr. Hiller's research focuses on the challenges and policy issues of how traditional law and legal institutions can sufficiently address and accommodate the evolution of the advanced technological environment. Electronic commerce makes her research more complex, since it is international in nature, and therefore, international principles and norms must be considered. Research in electronic commerce and the law has included various aspects of relationships between electronic commerce and privacy, security and trust, and electronic government and privacy. Her research articles have appeared in American Business Law Journal, Banking Law Journal and Real Estate Law Journal.

 

I plan to discuss privacy-by-design, giving a brief definition of what it means, and illustrate by using good and bad examples, including examples from several different countries.  A basic link to identity management will also be made. The underlying message is that both security and privacy are possible, one does not need to choose between the two.

 

 

 

 

 

 

 

 

 

 

 

Wian Erlank, North-West University, Potchefstroom, South Africa.

 

Wian Erlank studied law at the University of Stellenbosch where he obtained his LLB degree in 2002. This was followed with an LLM in international trade law in 2004. He has just completed and submitted his LLD dissertation entitled "Property in Virtual Worlds" and his Doctorate is to be conferred in December. During the course of his studies he also obtained a BA Honours in classical literature from Stellenbosch, as well as a Certificate in Legal Practice from the UNISA College of Law (with distinction). He was admitted as an Advocate of the High Court of South Africa in 2008. After lecturing at Stellenbosch University he was appointed as lecturer at North-West University in 2011 where he has taught and currently teaches land reform, research methodology, legal skills and property law. He spent 3 years as a permanent doctoral candidate and researcher at the South African Research Chair in Property Law and there obtained expert knowledge of national, international and comparative property law as well as the constitutional aspects thereof. His areas of expertise include property law, IT law, virtual property law and space law. He has also published in these areas and regularly presents papers at both national and international conferences. Apart from being an advocate and lecturer he is also a member of the Association for Law, Property and Society (ALPS), Young Property Lawyers Forum (YPL), Academics Promoting the Pedagogy of Effective Advocacy in Law (APPEAL) and an associate of the Centre for Constitutional Rights (CFCR).

 

I will offer a brief introduction about the move of various virtual world operators as well as large social media companies to institute a so-called real/verified user id system. For example, Google has moved in this direction with the usernames and account in YouTube where users have the opportunity to link their YouTube accounts and profiles to their verified Google identities. Although I initially expected a huge public outcry, it would seem as if the voluntary basis of the move has ensured that the adoption of this has been well-received. As part of my other areas of research (Property in Virtual Worlds) I can also discuss the implications of this (the pros and cons) on participation and regulation of virtual worlds. I will be touching on the effect of anonymity on both taxation as well as virtual estates in my full presentation.

 

 

 

 

 

 

 

Susan Corbett, School of Accounting and Commercial Law, Victoria University of Wellington, New Zealand.

 

Susan Corbett (BSc, LLM) is a senior lecturer in commercial law at Victoria University of Wellington, New Zealand. She teaches e-commerce law and marketing law in the Victoria Business School. Her research interests include copyright law and privacy law in the digital environment. Prior to her academic career, she worked as a practising solicitor and a legal editor in London. She has also been admitted as a barrister and solicitor in New Zealand and is an Associate Member of the Arbitrators' and Mediators' Institute of New Zealand.

 

 

I plan to discuss the difficulties of deleting information that has been made available online and the problems of relying solely on domestic privacy regulation. My overall conclusion is that, in the same way as the copyright regime requires international mechanisms for its enforcement, such as the Berne Convention and TRIPs, the most appropriate and practicable solution for online privacy protection must be provided by an international regime.

 

 

 

 

 

 

 

 

Gönenç Gürkaynak, İlay Yılmaz, Derya Durlu of ELIG, Attorneys-at-Law Istanbul, Turkey.

 

Gönenç Gürkaynak holds an L.L.B. degree from Ankara University Law School (1997), and an L.L.M. degree from Harvard Law School (2001). He is a qualified attorney of the Istanbul Bar (1998), the New York Bar (2002), the Brussels Bar (2003), and he is also a Solicitor of the Law Society of England & Wales (2004). Gönenç Gürkaynak has been practicing as an attorney in Istanbul, New York, Brussels and again in Istanbul since 1997. He is one of the founding partners of ELIG, Attorneys-at-Law in Istanbul, which happens to be a leading Turkish law firm with 35 lawyers. In addition to frequently lecturing at three universities in Istanbul, he also holds a permanent teaching position at undergraduate and graduate levels at the Bilkent University Law School in Ankara, where he has been teaching since 2004. Gönenç Gürkaynak heads the Regulatory & Compliance department at ELIG, Attorneys-at-Law. He has had over 80 international and local articles published in English and in Turkish on various fields of law, including competition law, anti-corruption and corporate compliance matters, Internet law and IT law, and employment law and litigation, and two published books, one on competition law, published by the Turkish Competition Authority, and the other on "Fundamental Concepts of Anglo-American Law".

 

The interface between cyber-security and the right to privacy, from the Turkish experience perspective.

I will be addressing the “Cross-over of legal and ethical issues concerning the Internet in protecting privacy of public figures and national security” topic at the LSPI seminar.
I intend to narrow down this topic to address two primary issues: data privacy in relation to the use of mapping services in Turkey and privacy of politicians’ personal lives. As previously requested, please find below a précis of this discussion topic:


A. A look at data privacy in the use of online maps (such as Google Maps)
1. The controversy of keeping military, governmental and police offices from being visible on mapping services: Legal issues on protecting secret locales for national security reasons.
a. Law No. 657 on General Command of Mapping (published in the Official Gazette (May 2, 1925)).
b. Addendum Article 3 to Law No. 657:
“For the purposes of preventing preparation and use of maps that are not in compliance with the interests of the country and that may be exploited in the international arena, public or private entities or real persons are obliged to obtain compatibility approval from the General Command of Mapping”
c. Criminal sanctions: Turkish Criminal Law (Article 52):
Persons, who publish, distribute or broadcast Maps without obtaining compatibility approval from the General Command of Mapping shall be subject to judicial monetary fine.
d. Confidentiality of address-related information: Is it not safe to disclose this information to the public? Can such information publicly accessible via Google Maps breach Google Maps/Earth’s Terms of Service (“[the user] agree[s] that when using the Products or the Content, [the user] will not defame, abuse, harass, stalk, threaten or otherwise violate the legal rights such as rights of privacy and publicity of others”)?
e. Can the same standard for protecting data related to military, governmental and police offices be applicable to companies/individuals? Or should national security related matters take precedence over protecting confidential data of individuals and consequently, the overall interest of the society at large?


2. Requests to remove addresses and coordinates from mapping services.
a. Legitimacy of requesting removal of address information.
b. Handling removal requests pertaining to texts, visuals and borders of military areas.


B. Removal requests of hidden camera footage of a politician's affair
1. April - June 2011 and the political conundrum when privacy takes precedence over law.
2. Criminal and civil liability per Turkish Criminal Code and the Law of Obligations.
3. What is the standard of “confidentiality” when it relates to information regarding politicians?

 

 

 

 

 

 

 

 

Omphemetse S. Sibanda, University of South Africa, South Africa.

 

Omphemetse Sibanda is a Professor at the College of Law of the University of South Africa, and the Chair of the Department of Criminal and Procedural Law. His qualifications are: LLD in International Economic Law (University of North West); LLM (Georgetown University Law Centre); LLB (Hon) & B JURIS (Vista University, now the new University of Johannesburg). His academic and research interests are of an MIT nature, and include focus on e-governance; international white collar crime; international trade law and remedies; dispute resolution; and interface between trade law and human rights issues such as labour conditions and access to essential medicine. He has written and published a number of articles in academic journals, and presented papers at national and international conferences. He is the Unisa College of Law champion tasked with leading a group of subject experts to design a signature module on social dimensions of justice.

 

 

“Striking a balance between State piracy of personal data and protection of individuals’ cyber privacy”.

 

I will focus on the developments in South Africa, with the focus on the data collection and protection laws and regulations, and the ongoing debate about the South African government clothing itself in complete privacy under the guise of State security, and its rejection of the public interest clause in the Information legislation. My contribution anchors around two cardinal acknowledgements, namely:

 

1. There are manifold risks to privacy associated with individuals’ use of and participation in the internet environment


2. That the right to privacy is internationally recognised as a fundamental right, including recognition in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and other regional instruments;


3. The South African Constitution, one of the few most progressive in the world, enshrines the right to privacy


4. Data protection laws are closely linked to privacy laws


5. There is no all-encompassing privacy or data protection legislation in South Africa.


6. The use and disclosure of personal information by governments and corporations is the world’s deadliest threat to civil liberties and fundamental human rights and freedoms.


7. The rapid growth and increasing use of the Internet give rise to many and complex privacy issues, which in turn involve other issues such as cyber threats and cyber security.


8. Public accountability may require outside access to personal information as part of democratic governance, and bureaucratic rationality may demand outside access as part of effective functioning of administrative organs.

 

The key talking point of my contribution will be unravelled with a revisit of Paul Schwartz’s (2000) observations that “debate about Internet privacy has employed a deeply flawed rhetoric”. And most particularly the so-called (a) the “rhetoric that slights the State’s important role in shaping both a privacy market and privacy norms for personal information in cyberspace”; (b) the “flaws in the leading paradigm of information privacy, which conceives of privacy as a personal right to control the use of one’s data”; and (c) the so-called “autonomy trap” of the advocacy of primacy of individual responsibility personal data use to the exclusion of nongovernmental intervention.

 

 

 

 

 

 

Arnaldo Sobrinho de Morais Neto, Brazilian Military Police, Brazil.

 

Arnaldo Sobrinho de Morais Neto is a Lieutenant Colonel of the Brazilian Military Police. He holds a Master of Law from the Federal University of Paraiba. He is a Professor at the IESP College in Joao Pessoa, where he teaches Criminal Law and IT Law. He is an associate researcher and Executive Coordinator for Brazil of the International Association of Cybercrime Prevention (France), and an associate researcher of the International Law Association - ILA (Brazilian branch). He is currently Executive Director of the Penitentiary System of Paraíba and a member of the State Penitentiary Council. He served as Coordinator of Planning and Strategic Projects of the General Staff of the Corporation until March 2011. He is a Human Rights International Instructor (Red Cross International), and was Professor of the Graduate Program in Public Safety and Human Rights at UFPB (2008) and of the Lato Sensu Graduate in Management of Public Security (2009-2012). He is a graduate and post-graduate in Management of Public Security and a post-graduate in Criminal Law and Criminology. He is active in research on cybercrime in Brazil, where he has served in the fight against organized crime gangs.

 

 

Topic to be decided