Protecting the communication: Data protection and security measures under telecommunications regulations in the digital age

This paper aims to provide a comparative overview and evaluation of various legal frameworks for electronic communications security in light of the recent developments in the electronic communications sector. The article also includes an insight on European Union and Turkish legal environment for data protection security in electronic communications sector.     

International mutual legal assistance in criminal law made redundant: A comment on the Belgian Yahoo! case

This article offers a critical examination of the court judgements in a recent Belgian case against Yahoo!. It examines the challenges related to the establishment of jurisdiction for Internet-based services and the role that procedures of mutual legal assistance should play. Belgian law obliges providers of “electronic communications services/electronic communications networks” to cooperate with Belgian law-enforcement authorities and to handle over communication and personal data. Although the terms are derived from the EU Electronic Communications Regulatory Framework, a much broader interpretation to them was finally given by the Belgian Supreme Court. Seemingly this implies that, from now on, a US-based company such as Yahoo! is, at least under Belgian law, under a legal obligation to directly comply with an order issued by Belgian law-enforcement authorities.     

Balancing data protection and privacy – The case of information security sensor systems

This article analyses government deployment of information security sensor systems from primarily a European human rights perspective. Sensor systems are designed to detect attacks against information networks by analysing network traffic and comparing this traffic to known attack-vectors, suspicious traffic profiles or content, while also recording attacks and providing information for the prevention of future attacks. The article examines how these sensor systems may be one way of ensuring the necessary protection of personal data stored in government IT-systems, helping governments fulfil positive obligations with regards to data protection under the European Convention on Human Rights (ECHR), the EU Charter of Fundamental Rights (The Charter), as well as data protection and IT-security requirements established in EU-secondary law. It concludes that the implementation of sensor systems illustrates the need to balance data protection against the negative privacy obligations of the state under the ECHR and the Charter and the accompanying need to ensure that surveillance of communications and associated metadata reach established principles of legality and proportionality. The article highlights the difficulty in balancing these positive and negative obligations, makes recommendations on the scope of such sensor systems and the legal safeguards surrounding them to ensure compliance with European human rights law and concludes that there is a risk of privatised policymaking in this field barring further guidance in EU-secondary law or case law.     

The most ambitious plan in 26 years of telecoms market reform? No way!

The European Commission's claim that their proposed new telecoms regulation² constitutes “the most ambitious plan in 26 years of telecoms market reform” is preposterous. That honour must belong to the set of new European directives in 2002 which transformed the structure of telecoms regulation and facilitated competition throughout Europe. Instead the plans make great play of a number of actually pretty minor changes and, the Body for European Regulators for Electronic Communications (“BEREC”) has been particularly critical that the proposals will create unnecessary complexity and uncertainty and limit innovation and competition.     

Going for the throat: Carnivore in an Echelon World — Part I

Carnivore is a surveillance technology, a software program housed in a computer unit, which is installed by properly authorized FBI agents on a particular Internet Service Provider’s (ISP) network. The Carnivore software system is used together with a tap on the ISP’s network to “intercept, filter, seize and decipher digital communications on the Internet”. The system is described as a “specialized network analyzer” that works by “sniffing” a network and copying and storing a warranted subset of its traffic. In the FBI’s own words “Carnivore chews on all data on the network, but it only actually eats the information authorized by a court order”. This article, in two parts, will provide an overview of the FBI’s Carnivore electronic surveillance system. The Carnivore software’s evolution, its ‘prey’ and the system’s relationship with Internet Service Providers will be the focus of the study. (Although the FBI’s Carnivore surveillance system is now officially called DCS1000, as the surveillance system is more commonly referred to as “Carnivore”, that term will be used throughout). Also addressed in the article are misconceptions about Carnivore, publicly available sniffer programs, Carnivore’s functionality, methods to counter Carnivore as well as the software’s limitations. In addition, the pertinent American law allowing for wiretapping and electronic surveillance as well as programs and policies outside the United States regarding electronic surveillance are surveyed, and an overview of ECHELON, the global interception and relay system, is provided. The aim is to provide the paper’s readers with a better understanding of these surveillance systems: naturally, only through an in-depth knowledge can the benefits and dangers they present for the public (government), private (individual communications users) and technical industry (ISPs) be understood.     

Russian data retention requirements: Obligation to store the content of communications

This paper presents an analysis of Russian data retention regulations. The most controversial point of the Russian data retention requirements is an obligation to keep the content of communications that is untypical for legislation of European and other countries. These regulations that oblige telecom operators and Internet communication services to store the content of communications should come into force on July 1, 2018.The article describes in detail the main components of the data retention mechanism: the triggers for its application, its scope, exemptions and barriers to its enforcement. Attention is paid to specific principles for implementation of content retention requirements based on the concepts of proportionality, reasonableness and effectiveness.Particular consideration is given to the comparative aspects of the Russian data retention legislation and those applying in different countries (mainly EU member states). The article focuses on the differences between the Russian and EU approaches to the question of how to strike a balance between public security interests and privacy. While the EU model of data retention is developing in the context of profound disputes on human rights protection, the Russian model is mostly concentrated on security interests and addresses mainly economic, technological aspects of its implementation.The paper stresses that a range of factors (legal, economic and technological) needs to be taken into account for developing an optimal data retention system. Human rights guarantees play the key role in legitimization of such intrusive measures as data retention. Great attention should be paid to the procedures, precise definitions, specification of entitled authorities and the grounds for access to data, providing legal immunities and privileges, etc. Only this extensive range of legal guarantees can balance intervention effect of state surveillance and justify data retention practices.     

The inadequate legislative response to e-signatures

This article examines the two most influential international initiatives on electronic signatures (UNCITRAL’s 1996 Model Law on Electronic Commerce and the 1999 EU Electronic Signature Directive). It considers whether the legislative approaches in Australia and the United Kingdom based on these initiatives are helpful in deciding whether lower level signature methods such as simple email messages are likely to satisfy a legal requirement for a signature. The conclusion reached is that they are unhelpful. The article goes on to consider whether legislative amendments based on UNCITRAL’s 2001 Model Law on Electronic Signatures or the 2005 UN Convention on the Use of Electronic Communications in International Contracts would improve the identified weaknesses. It concludes that such an update would clarify some issues, but that overall it will not solve the difficulties. The article ends with a brief speculation on the likely attributes of a more helpful approach.     

OTT regulation framework in the context of CJEU Skype case and European Electronic Communications Code

The telecommunications services sector is one of the most dynamically developing segments of the contemporary economy. At the same time, it is undergoing constant change, the result of its adaptation to the needs of modern digital services and the expectations of users. In practice, traditional telecommunications services are being increasingly replaced by those that offer equivalent functionality but are provided via the Internet. Examples of this type of service are VoIP telephony, instant messengers and online chat. This group of services is collectively referred to as OTT.The growing popularity of OTT services not only affects the shape of the telecommunications market, but, from the point of view of legislatures and market regulators, has also led to a number of practical problems. One of them is how to apply a EU regulatory framework established for the electronic communications sector to modern OTT services. Recently, this problem has become an object of interest to both the CJEU and the EU legislature.The purpose of this article is to discuss the effects of the recent Skype adjudication on the regulation of the OTT sector, including the pending entry into force of the European Electronic Communications Code. The analysis considers the technical and regulatory background of issues relating to the judgment, the ongoing legislative work and the importance of the judgment in practice. Ambiguities in interpretation are also identified and discussed, in particular those relating to the attempt to apply the Skype judgment and the entire regulatory framework to OTT services.These aspects will be discussed from the perspective of the protection of users' privacy, an important part of the provision of electronic communications services. The choice of this aspect of OTT services regulation would seem to be particularly apt in light of the ongoing reform of the EU data protection model, which will include the new e-privacy regulation currently being drafted.     

Negotiated Third Party Access—An Industrial Organisation Perspective

In the course of the liberalization of European energy markets, the German government opted—diverging from all other European countries—for Negotiated Third-Party Access. In this article we analyze if, theoretically, this institutional regime can be superior to regulation. We review empirically whether certain aspects of the actual implementation, in particular publication of the network access charges for each network supplier, facilitated or inhibited competition. In the first place we reconsider previous research, showing that NTPA can—under certain conditions—be economically effective. Our empirical analysis shows that the duty of publishing access charges supported market transparency and imposed a regulatory threat, particularly to suppliers with significantly above-average charges. On the other hand observable price adjustments over time serve as an indicator of tacit collusion. Although the expensive suppliers cut their prices, the cheaper ones raised theirs.We thank Maik Heinemann, Joachim Wagner and two anonymous referees for helpful comments and the Lower Saxonian Ministry of Science and Culture for financial support.JEL Classification: D42, L43, L94     

The network structure of malware development,deployment and distribution

The Internet is a global infrastructure, connecting individuals, regardless of their proximity to one another. But, the ability to connect on such a large scale has also been leveraged to coordinate illicit activities. This has led to the emergence of online illicit networks that have enabled broader participation in cybercrime. Online stolen data markets have been of particular interest to researchers, though the networks involved in the development, deployment and distribution of malicious software are far less explored, despite being intricately tied to the growing issue of cyber security. The current study identifies community structures within a larger network of hackers, malware writers and market actors and examines the underlying characteristics of these networks. Results suggest that the network is composed of modular communities formed largely of weak, non-redundant ties that follow the ubiquitous structure of complex networks. Implications, limitations and directions for future research conclude this paper.     

Cross-border certified electronic mailing: A European perspective

Certified mail is the tool of choice in business processes and proceedings to deliver mail items in a secure and susbstantiated way. By returning a receipt, the sender has proof that a document has been delivered to the designated recipient at a certain point in time. Standard electronic communication systems like e-mail do not have the same evidential value as certified mail for traditional postal mail delivery. To benefit from the security advantages of certified mail delivery in the electronic world, in recent years governments have made several certified mail systems available on the Internet. Like postal certified mail delivery of documents in administrative or judicial matters, the certified electronic mail delivery in these systems is regulated by law. With ongoing (digital) globalization and the continuously increasing Digital Single Market in the European Union, there is a strong need for cross-border certified electronic mail. In the past the European Community has started several interoperability initiatives to couple existing certified electronic mail systems. Even if these systems can be made interoperable on a technical level, a harmonized legal basis is still missing. Therefore, the European community is currently working towards a new regulatory framework for trusted services including certified electronic mail. This article sheds light on both aspects and discusses the current state of affairs of cross-border certified electronic mail from both a technical (security) and legal perspective and explains the proposed new regulatory framework.     

How to control interception-does the UK strike the right balance?

This Article critically analyses the regime for intercepting the content of communications under the Regulation of Investigatory Powers Act 2000 in the light of the recent ruling by the European Court of Human Rights in Kennedy v the UK. It looks at the safeguards for privacy protection provided such as the requirement for a warrant and the roles of the Investigatory Powers Tribunal and the Interception of Communications Commissioner and whether these safeguards are compliant with Article 8 of the European Convention of Human Rights.     

From Rai stones to Blockchains: The transformation of payments

Computer technology has dramatically changed the marketplace, including the way we make payments. Electronic access to funds expands liquidity and the relationships within payment networks allow strangers to build bridges of trust, increasing trade and human interaction. But electronic payment channels have also presented new challenges in security and privacy, including new forms of criminal behavior and tax avoidance for governments to address. This essay outlines some of the legal, social, and technological implications from this transformation of payments and assesses future challenges in the electronic payments frontier.     

The economic costs and consequences of mass communications data retention: is the data retention directive a proportionate measure?

This article seeks to determine the economic costs and consequences of implementing the Data Retention Directive (Directive 2006/24/EC), an extraordinary counter terrorism measure that mandates the a priori retention of communications data on every European citizen, by drawing on the insights of economic analysis. It also explores the monetary costs of the Directive on subscribers and communications service providers of Member States within the EU. Furthermore, it examines the implications of the Directive on the economic sector of the European Union, by focusing on the Directive’s impact on EU competitiveness and other EU policies such as the Lisbon Strategy. This analysis is motivated by the following questions: what are the monetary costs of creating and maintaining the proposed database for data retention? What are the effects of these measures on individuals? What obstacles arise for the global competitiveness of EU telecommunications and electronic communications service providers as a result of these measures? Are other policies in the European Union affected by this measure? If so, which ones?     

E-confidence: Offer and acceptance in online contracting

Online contracting, as a focal point of electronic commercial transactions, has been developing since the 1990s. Recent international legislation, namely the 2005 United Nations Convention on the Use of Electronic Communications in International Contracts (the UN Convention) is a significant legal achievement. However, the validity and effectiveness of electronic offer and acceptance is still an issue for debate. This paper aims to seek answers to how law makers may meet the challenge of regulating electronic contracting, and what future improvements that the UN Convention may need to make to boost confidence of contracting online. The paper will introduce the concept and formation of electronic contracts; analyse the current legislative environment of electronic contacting in the international organisations, EU, US and China; discuss the obstacles that electronic contracting has faced; and propose a solution to remove its legal uncertainty.     

公安机关电子数据司法鉴定的现状与挑战

电子数据取证是信息时代公安机关重要的基础工作,是打击涉及互联网各类违法犯罪的“杀手锏”。电子数据鉴定是公安机关电子数据取证工作的重要组成部分,起到最终判定案(事)件性质,为侦查与诉讼提供依据的重要作用。公安机关电子数据鉴定与信息技术共同飞速发展,其领域不断延伸扩展、技术要求越来越高,面对的挑战也越来越多。概要介绍了公安机关电子数据鉴定的法律要求、鉴定资质、鉴定流程等内容,阐述了其面临的挑战。     

Electronic databases: Protecting your investment – An analysis of the legal rights in electronic databases under UK law

Electronic databases are an important part of the information economy. They are now one of the key platforms for the distribution of information and other contents. The European Court of Justice, in November 2004, gave its first rulings on the scope of database right, introduced by Directive 96/9/EC on the legal protection of databases. These rulings significantly curtail the scope of that right, and limit the protection afforded to database producers under that Directive. The UK courts, in January of last year, handed down a judgment which has important implications for the copyright protection afforded database structures and to “look and feel” elements of database application software, and the scope of Section 50D of the Copyright, Designs and Patents Act 1988 (which sets out certain statutory permitted acts in relation to database use). This article looks at the implications of these judgments, it analyses some of the key legal rights that can apply to electronic databases, and the increased importance that rights of confidentiality and contract are likely to have on the commercialisation of electronic databases in light of these rulings.     

Controlling the flow: Security, exclusivity, and criminal intelligence in Ontario

This paper examines security networks in a context where security is increasingly regarded as a problem of intelligence. Data are derived from interviews with officers in criminal intelligence units in Ontario, Canada. A conceptual framework is developed to understand the limits of security intelligence within an emerging security network paradigm, focussing on the normative dimensions governing security networking, and the mechanisms and technologies limiting information deployment among public security agencies. Despite efforts to address security through the sharing of actionable information, security intelligence maintains an exclusive value. Technologies of control promoting this exclusivity also function to prevent intelligence from becoming common knowledge. Because of its limited value, intelligence is ill-suited for export into security governance writ large.     

互联网电子身份管理模式及法律保障

在分析电子身份管理制度构建需应对挑战的基础上,剖析我国网络实名制的发展瓶颈,构建基于我国国情的互联网电子身份管理模式,探讨该模式可能引起的运作机制、信息安全保障、个人隐私权保护和法源依据等问题,并提出相应的法律保障建议。     

The two judgments of the European Court of Justice in the four cases of Privacy International,La Quadrature du Net and Others,French Data Network and Others and Ordre des Barreaux francophones et germanophone and Others: The Grand Chamber is trying hard to square the circle of data retention

On 6 October 2020, the Grand Chamber of the European Court of Justice rendered two landmark judgments in Privacy International, La Quadrature du Net and Others, French Data Network and Others as well as Ordre des barreaux francophones et germanophone and Others. The Grand Chamber confirmed that EU law precludes national legislation which requires a provider of electronic communications services to carry out the general and indiscriminate transmission or retention of traffic data and location data for the purpose of combating crime in general or of safeguarding national security.In situations where a Member State is facing a serious threat to national security which proves to be genuine and present or foreseeable, such State may however derogate from the obligation to ensure the confidentiality of data relating to electronic communications by requiring, by way of legislative measures, the general and indiscriminate retention of this data for a period which is limited in time to what is strictly necessary but which may be extended if the threat persists.¹ In respect of combating serious crime and preventing serious threats to public security, a Member State may also provide for the targeted retention of this data and its expedited retention. Such an interference with fundamental rights must be accompanied by effective safeguards and be reviewed by a court or by an independent administrative authority. It is likewise open to a Member State to carry out a general and indiscriminate retention of IP addresses assigned to the source of a communication where the retention period is limited to what is strictly necessary or even to carry out a general and indiscriminate retention of data relating to the civil identity of users of means of electronic communication. In the latter case, the retention is not subject to a specific time limit.