Thursday, October 27, 2005

SPLOGS - Are "spam blogs" illegal?

SPLOGS or fake blogs are created by spammers to increase the search engine rankings of their web sites used to sell their wares. Technorati reported that over recent weeks there were 805,000 new weblogs created out of which 39,000 are new fake and/or spam weblogs.

Splogs have apparently caused losses for the blog service providers as well as search engines. With search engines registering useless results providing links to spam sites - causing a general perception of unreliability. But while spam regulation is being developed globally, this new direction taken by spammers appear to be a clever way of getting the attention of the public without being liable to any known law. However, as with spam, splogs are costing innocent businesses a fair amount of resource.

Will splogs ever be featured in the regulation against spam? Or should the solution be a technical one - to prevent the automatic creation of new blogs mechanically by software. All this somehow sounds very familiar.

WSJ.com - 'Splogs' Roil Web, and Some Blame Google

Wednesday, October 19, 2005

What are the Legal & Policy Challenges in the use of Biometrics?

CNET reported that UK's National Identity Card system that incorporates Biometric technology will in fact turn out to be a probably security risk did not come as a surprise to many in the tech security industry. The UK system works on centralised database system and the dangers are well spelt out in the CNET Report found here. [print version] Microsoft exec: ID cards pose security risk | CNET News.com

However, its worthwhile considering the question posed in the header here. The answer, in my opinion is in two basic parts. The first relates to the regulation of the collection and protection of biometrics data. Second, the interaction of evidence law and biometrics.

Securing Biometric Data:
Biometric data is usually stored either on the token smart card or on centralized database systems. Unfortunately, a critical risk of centralized biometrics database system is the opportunity it provides to hackers and errant employees to exploit it.

Further, there is a real risk that once the biometric data of a subject is compromised (whether distributed or centralized), he or she will be permanently excluded from using the system unless new biometric data is scanned and stored – presuming those data have not already been compromised. It is critical to remember that each individual has a limited amount of biometric information. Hence, once the security of the biometric database has been breached, it cannot be cured by changing the authentication parameters (i.e. it is not possible to change the ‘password’) because the biometric identifiers by their nature are unique to the individual.

Further it is also important to realize that the compromise of one biometrics database security system will impact other third party biometric systems because all biometrics based systems essentially share a common biometric data (i.e. the same fingerprint or iris scan).

Accordingly, there is a need for some form of regulation to protect the manner of collection, storage and use of biometric data – possibly similar to the European Union Data Protection Directive - if biometrics is to take root in Singapore as a commonly utilized form of authentication. What
exactly then is envisioned by such regulation? Hopefully it would be able to mirror the provisions of the European directive and have the force of law as well as forceful sanctions for breach to prevent private organizations and private individuals from misusing the biometric data.

Biometrics use under the Law
As for the second issue, a central concern of biometrics is that of reliability. It must be understood that biometrics is not a panacea to problems of identification and verification as its reliability varies depending on the technologies used and the chosen calibration of the false rejection rate. The calibration allows for the statistical rate for scans to be accepted or rejected. Hence the process is clearly one determined by probability and not certainty.

It must also be noted that biometric information carries with it the risk of being tampered with or falsified. As such, everyone in the legal profession as well as in law enforcement must understand that biometrics does not create a fail safe environment vis-à-vis proof and that like all authentication system, its security and accuracy is only as good as its weakest link (whether systemic or user).

In conclusion, contrary to popular belief, biometrics should not be used as a replacement for passwords and that it is ideally used as an enhancement only (i.e. as the second of a two factor authentication process) or as the username function.

Sunday, October 09, 2005

Will jail time end racist blogging?

Associated Press reported that on Friday Oct 7th the Singapore courts sentenced the two Singapore bloggers for their racist remarks on their blogs as well as their posts on forums. Mr Koh was sentenced to a month jail time while Mr Lim was to spend a day's jail and fined $5000.

It’s important to note that both of them could have been sentenced to a maximum of 3 years. The AP reported the comments made by the Senior District Judge which lays the grounds why he sentenced both bloggers as he did.

To many observers round the world, the sentence may appear harsh especially from the view of liberal societies. This is especially so when the technology that allows users to universally blog freely appear now to be hampened by national laws.

Unfortunately for many users of the technology, it is easy to be deluded into the belief that cyberspace is the place to simply rant and vent all of one's personal irritations frustrations and bias - without any likelihood of recriminations. After all, they see it easily done by other users in blogsphere. The problem is while the blogsphere is one universal space where most believe that the free speech there is unregulated, the reality is that each individual is regulated and conversely protected by the laws of his or her domicile.

We may be the free citizens of the internet in theory but in reality, we are still very much the citizens of the country that issued our passports. And in the context of Singapore, while we are still undergoing the slow process of development and integration of social freedoms, we have to remember that we are located physically in a region where religious tolerance is absolutely key - something that the blogsphere does not concern itself about, the boundaries of national countries.

I suspect that very soon the educational institutions in Singapore will review their curriculum on the basis of our national harmony – racial tolerance by understanding the differences of our races and religion. Also, to learn that free speech while universally desired, it is not without any regulations or limitation when it harms individuals or classes of people. While this case may result in a reality check for many bloggers, I am not optimistic that it will stop completely how Singaporeans will blog with regards to sensitive issues.

Nevertheless, I hope to see a national effort put into place to educate children about the dangers of racist or defamatory speech. I think only then there may be real possibility of having the Singapore netizens use their combined energy to stop racist speech or other similar misconduct online.

Singapore Jails Bloggers for Racist Speech on Yahoo! News
Site Meter