Mistaken identity,identity theft and problems of remote authentication in e-commerce

The problem of mistaken identity in e-commerce transactions brings together seemingly unrelated issues: privacy, network security, digital signatures – and classic contract law. Combining an academic exercise with the practical implications of the insecurity of the Internet, this paper draws some unexpected conclusions regarding cases of mistaken identity and exposes flaws in popular legal arguments on the subject. Problems of mistaken identity must be analysed afresh with a number of factors in mind: the more widespread use of fictitious identities in on-line transactions, the higher incidence of identity theft and the greater difficulty of authenticating the other transacting party. The trend to preserve the privacy of Internet users indirectly clashes with efforts to ensure transactional security in e-commerce. An indispensable prerequisite of the latter is the ability to identify the other party to the contract. The problem of mistaken identity is not new – but it assumes a different scale in e-commerce transactions.     

Normative challenges of identification in the Internet of Things: Privacy,profiling, discrimination,and the GDPR

In the Internet of Things (IoT), identification and access control technologies provide essential infrastructure to link data between a user's devices with unique identities, and provide seamless and linked up services. At the same time, profiling methods based on linked records can reveal unexpected details about users' identity and private life, which can conflict with privacy rights and lead to economic, social, and other forms of discriminatory treatment. A balance must be struck between identification and access control required for the IoT to function and user rights to privacy and identity. Striking this balance is not an easy task because of weaknesses in cybersecurity and anonymisation techniques. The EU General Data Protection Regulation (GDPR), set to come into force in May 2018, may provide essential guidance to achieve a fair balance between the interests of IoT providers and users. Through a review of academic and policy literature, this paper maps the inherent tension between privacy and identifiability in the IoT. It focuses on four challenges: (1) profiling, inference, and discrimination; (2) control and context-sensitive sharing of identity; (3) consent and uncertainty; and (4) honesty, trust, and transparency. The paper will then examine the extent to which several standards defined in the GDPR will provide meaningful protection for privacy and control over identity for users of IoT. The paper concludes that in order to minimise the privacy impact of the conflicts between data protection principles and identification in the IoT, GDPR standards urgently require further specification and implementation into the design and deployment of IoT technologies.     

It wasn't all white light before Prism: Law enforcement practices in gathering data abroad,and proposals for further transnational access at the Council of Europe

This is a brief comment on a meeting held at the Council of Europe in Strasbourg, which discussed ways of improving transnational access to data by law enforcement through the Cybercrime Convention. In particular, the possible introduction of a new protocol, and a guidance note on art. 32(b), were considered. It is argued that there are serious concerns with both proposals. Moreover, the meeting revealed a surprising lack of knowledge as to current levels of cooperation between law enforcement and foreign service providers.