Slashdot Mirror

For example, let's say you set up a gambling operation there. You're running along happily, until one day the British Gov't comes calling because you've violated the Regulation of Investigatory Powers Act of 2000, which was enacted so that MI5 can listen for bad guys by reading your email. Then some bigwig public official in Norwich happens to be gambling on a game of canasta with the Crown's money, and the Brits get all upset because they can't find out who he is, what he bet, when he plays, etc. So they sue, he sues, everyone sues everyone else. It becomes a big mess, and the anonymous email operation you set up six months prior is caught in the middle of it. How do you repel a DoS attack from the Home Office?

Later on, the providers of HavenCo's bandwidth get pressured from all sorts of people. See, Sealand might be independant, but the companies that give HavanCo their pipe are based in countries which most certainly are not. They can (and will) be pressured. They get leaned on, and then HavenCo gets leaned on. Shit runs downhill. (And don't give me that satellite rap; you know that's only an expensive worst-case backup of dubious technical merit.) The upshot here is that everyone who gave money to HavenCo is now officially S.O.L.

Which is why we need something "friviolous" like a Napster server to take up residence on Sealand. If it goes down because of the Strong Arm of the Law(TM), then it really isn't that big of a deal. It gets sorted out in court and we all wait to see what happens. In the meantime, we run our gambling and pr0n operations off some island like everyone else has been doing. We're listenign to stuff off FreeNet, and grabbign MP3s from OpenNap servers.

But the court will have to decide one way or the other. The RIAA -- for one -- will surely force the issue (like through the U.N., maybe?). And the decision will likely be binding; what's good for Mr. Napster Server Clone is good for you and me (please note: IANAL and I don't want to be one, either). If the verdict is for the Napsterites, then we can all put our servers on Sealand. If the verdict favors whatever government happened to bitch, then we lost no money setting precedent ourselves.

It's a good thing. I want to see it happen.

-B

We do have some form of self-incrimination protection - firstly we have a right not to answer questions put to us (and silence, as I recall, can't be taken to infer guilt) while the Human Rights Act gives us some protection, too. Sorry, not a lawyer so I don't know the details.

I can actually see why they want to do this - there have been cases in Britain of convictions getting thrown out as, even though there was good evidence, part of the evidence was a DNA sample which was taken in a previous investigation but didn't result in a conviction and it wasn't thrown away (whew!). Still not sure it's a good idea, mind you, but it's not as bad as it might look.

Amusing as toilet humour is, the initiative under discussion here is in reality very welcome, and a further example of best practise. Albeit government tends to be a distributed hierarchical kind of an animal, it should be capable of arranging its information asset to that they can be joined together and turned into a resource useful to its citizens. This application achieves that aim. Other governments are doing similar things - such as UK Government's proposed Inforoute system, which will draw together sources of published government information. My view is that Australia steals a march on the rest of us by providing something of immediate practical use to all of its citizens, where the UK application will be appreciated by a small minority os citizens.

A final point. The toilet application verges on a mindset which thinks in terms of publishing everything by default, and restricting on a case by case basis. Certainly in the UK, the mindset still seems fixed on restricting by default, and publishing only on a case by case basis.

Oz may not suck quite as much as you think.

Yes. Now that RIP has been passed we have the Human Rights Act, which incorporates the European Convention on Human Rights into UK law.

Anyone thinking of using this service in the UK (or anywhere in the EU for that matter) should think again. It's (potentially) a criminal offence to collect any data on a person without telling them you're doing it (Data Protection Act 1998, generally and Schedule 1 part I in particular). The fact that you're using a third party based abroad to dig the dirt on your site visitors will avail you nothing with the Data Protection Commissioner if she decides to land on you with both hobnailed boots.

Those privacy statements, whose status in the US I cannot comment on (IAAL but NAUSQL) are binding in the UK and breach of them potentially sounds in damages (section 13 of the Act isn't in force yet, but soon, soon) as well as criminal liability and all manner of interesting and exciting regulatory action.

For the rights of data subjects generally, see Part II of the Act generally and the register of Data Controllers is maintaned at the Data Protection Commissioner's site and is fully searchable. Go on, look up your favourite corporation and dob them in if they aren't playing by the rules. (Non-UK readers may be amused to know that an assortment of pranksters make a point of doing this with political party membership lists when they use them for mailshotting purposes.)

Anyone thinking of using this service in the UK (or anywhere in the EU for that matter) should think again. It's (potentially) a criminal offence to collect any data on a person without telling them you're doing it (Data Protection Act 1998, generally and Schedule 1 part I in particular). The fact that you're using a third party based abroad to dig the dirt on your site visitors will avail you nothing with the Data Protection Commissioner if she decides to land on you with both hobnailed boots.

Those privacy statements, whose status in the US I cannot comment on (IAAL but NAUSQL) are binding in the UK and breach of them potentially sounds in damages (section 13 of the Act isn't in force yet, but soon, soon) as well as criminal liability and all manner of interesting and exciting regulatory action.

For the rights of data subjects generally, see Part II of the Act generally and the register of Data Controllers is maintaned at the Data Protection Commissioner's site and is fully searchable. Go on, look up your favourite corporation and dob them in if they aren't playing by the rules. (Non-UK readers may be amused to know that an assortment of pranksters make a point of doing this with political party membership lists when they use them for mailshotting purposes.)

Anyone thinking of using this service in the UK (or anywhere in the EU for that matter) should think again. It's (potentially) a criminal offence to collect any data on a person without telling them you're doing it (Data Protection Act 1998, generally and Schedule 1 part I in particular). The fact that you're using a third party based abroad to dig the dirt on your site visitors will avail you nothing with the Data Protection Commissioner if she decides to land on you with both hobnailed boots.

Those privacy statements, whose status in the US I cannot comment on (IAAL but NAUSQL) are binding in the UK and breach of them potentially sounds in damages (section 13 of the Act isn't in force yet, but soon, soon) as well as criminal liability and all manner of interesting and exciting regulatory action.

For the rights of data subjects generally, see Part II of the Act generally and the register of Data Controllers is maintaned at the Data Protection Commissioner's site and is fully searchable. Go on, look up your favourite corporation and dob them in if they aren't playing by the rules. (Non-UK readers may be amused to know that an assortment of pranksters make a point of doing this with political party membership lists when they use them for mailshotting purposes.)

Anyone thinking of using this service in the UK (or anywhere in the EU for that matter) should think again. It's (potentially) a criminal offence to collect any data on a person without telling them you're doing it (Data Protection Act 1998, generally and Schedule 1 part I in particular). The fact that you're using a third party based abroad to dig the dirt on your site visitors will avail you nothing with the Data Protection Commissioner if she decides to land on you with both hobnailed boots.

Those privacy statements, whose status in the US I cannot comment on (IAAL but NAUSQL) are binding in the UK and breach of them potentially sounds in damages (section 13 of the Act isn't in force yet, but soon, soon) as well as criminal liability and all manner of interesting and exciting regulatory action.

For the rights of data subjects generally, see Part II of the Act generally and the register of Data Controllers is maintaned at the Data Protection Commissioner's site and is fully searchable. Go on, look up your favourite corporation and dob them in if they aren't playing by the rules. (Non-UK readers may be amused to know that an assortment of pranksters make a point of doing this with political party membership lists when they use them for mailshotting purposes.)

OK, here's the basics:

Here, we have the Bill itself as it emerged from its report to face it's third reading (last stage in parliament before Royal Assent and passage onto the statute book: it comes into force on a date to be fixed thereafter)

Thi s is the complete list of amendments, and you'll notice that Lord Bassam and chums seem to be out with their castrating knives and good on 'em, ain't it handy to have legislators who aren't going to have to face re-election.

This schweinerei is the really offensive part.

Things you ought to know about this Bill:

1. It's already been beaten back once. The really offensive stuff started out in the Electronic Communications Bill (now the Act, minus all the nasty parts and as such totally useless and unlikely ever to be brought into force)
2. On and from 2nd October 2000, when the Human Rights Act 1998 comes into force, it will be more or less impossible to get convictions under clause 53 (it may not retain that section number in the Act-as-it-passes) since the threat of a penalty for non-disclosure amounts to a violation of the privilege against self-incrimination. This particular legal device - questioning under compulsion, a rather genteel and bloodless form of torture - resulted in the defendants in l'affaire Guinness getting judgments in their favour in the EHCR. Because compelled answers to a (non-criminal) DTI inquiry were used as evidence in their eventual (criminal) trial, they were found to have had their human rights violated.
3. The Encryption stuff isn't the big deal. It's the government's automatic right to install whatever variant of the carnivore system they want into any ISP, telecom provider, whatever so that they can monitor whenever they like without prior judicial restraint. The warrants are to be signed by the Secretary of State. And how much scrutiny is he going to give them?
4. There's a Commission going to be appointed to hear complaints. Sure, right. Fact fans, listen carefully: this is what they did last time around, when they passed the old Interception of Telecommunications Act fifteen years ago. In those fifteen years, the Commissioner has heard four (4) complaints. And rejected all of them. Can you say "dead letter?"

I could, and at very small provocation will, go on.

OK, here's the basics:

Here, we have the Bill itself as it emerged from its report to face it's third reading (last stage in parliament before Royal Assent and passage onto the statute book: it comes into force on a date to be fixed thereafter)

Thi s is the complete list of amendments, and you'll notice that Lord Bassam and chums seem to be out with their castrating knives and good on 'em, ain't it handy to have legislators who aren't going to have to face re-election.

This schweinerei is the really offensive part.

Things you ought to know about this Bill:

1. It's already been beaten back once. The really offensive stuff started out in the Electronic Communications Bill (now the Act, minus all the nasty parts and as such totally useless and unlikely ever to be brought into force)
2. On and from 2nd October 2000, when the Human Rights Act 1998 comes into force, it will be more or less impossible to get convictions under clause 53 (it may not retain that section number in the Act-as-it-passes) since the threat of a penalty for non-disclosure amounts to a violation of the privilege against self-incrimination. This particular legal device - questioning under compulsion, a rather genteel and bloodless form of torture - resulted in the defendants in l'affaire Guinness getting judgments in their favour in the EHCR. Because compelled answers to a (non-criminal) DTI inquiry were used as evidence in their eventual (criminal) trial, they were found to have had their human rights violated.
3. The Encryption stuff isn't the big deal. It's the government's automatic right to install whatever variant of the carnivore system they want into any ISP, telecom provider, whatever so that they can monitor whenever they like without prior judicial restraint. The warrants are to be signed by the Secretary of State. And how much scrutiny is he going to give them?
4. There's a Commission going to be appointed to hear complaints. Sure, right. Fact fans, listen carefully: this is what they did last time around, when they passed the old Interception of Telecommunications Act fifteen years ago. In those fifteen years, the Commissioner has heard four (4) complaints. And rejected all of them. Can you say "dead letter?"

I could, and at very small provocation will, go on, but it's 0025 here and frankly I want to go to bed.

Just to pick up a few points, working from the UK implementation of the EU directive, the Data Protection Act 1998:

1. The Data Protection legislation covers paper records as well as computer records.
2. It doesn't extend to anything done other than in the course of a business, so your phone numbers stored in your mobile aren't covered. Incidentally, some of mine are, since they're client's numbers.
3. The data has to be personal data - data from which a person could be identified, however tangentially.
4. The data has to relate to a "data subject", a term which is defined in the legislation to mean more or less anything capable of passing as human. (Yes, that is flippant. No, it's not inaccurate.)
5. Sensitive personal data is a subset of personal data, and it's defined by reference to a list of subject matters: race, religion, political afdfiliation, membership of trade union, mental and physical health and sexual orientation being the ones I can remember without making the thirty-yard trek to the shelf where my copy of the Act is.
6. Sensitive Personal data cannot be collected without the explicit consent of the subject without committing an offence, subject to some tightly-drawn exceptions.
7. The restrictions on processing personal and sensitive personal data when you get it are governed by the Data Protection Principles. See Schedule 1 to the Act for details. Interpretation of the Principles is in Part II to Schedule 1 and further supporting material appears in Schedules 2 and onward.
8. The Data Protection Registrar has already indicated that "opt-outs" for mailing lists do not amount to fair data processing. That's right, spam just became a criminal offence again. Enforcement is another matter, I shouldn't wonder.
9. This item deliberately left blank.
10. Data Controllers (the people who actually carry the can for data processing) have to register as such, disclosing publicly on this register what sort of data they collect, from what kind of people and what they do with it.
11. Part of the registration, which must be renewed annually, is a statement of the security precautions the data controller has taken. They aren't onerous - indeed, I'd regard them as the minimum necessary. However, the actual implementation in practice among my clients - honourable exceptions apart - is woeful at best.

Essentially, the standards may be set higher over this side of the Atlantic, but the actual performance means that the practical difference for the time being is nil.

Anyone in the UK with an expertise in basic computer security has a prime opportunity to make some money selling advice to just about every commercial concern on mainland Britain. And, no doubt, the same goes for the rest of the EU.

AndrewD

Slight disclaimer: don't rely on the above as legal advice for your particular circumstances. I'm only qualified to advise in the UK on English law, and what appears here is only a broad outline statement of that law. In short, relying on comment postings on /. to take business decisions that might cost you money is your own affair and don't come crying to me if it all goes horribly wrong.

At least, in the UK.

Re: Everyone is entitled to monitor any record about themselves.

The Data Protection Act means that any firm must tell you what data they hold about you (I think a small fee may be charged). Isn't it the same in the US? You can also make them change the data if it's inaccurate and sue them if they're holding inappropriate data about you.

Unfortunately this only applies to computer records, so some companies circumvent the law. For example, to get into university you must apply through UCAS and your school gives them a reference about you. But apparently you can't get that info, because they print it out and don't store it on computer. Bastards.

I like the idea about companies being forced to reveal the source of their data though.

Under the UK's Computer Misuse Act 1990, timebombing software and similar methods of disablement are considered unauthorised access and tampering and are punishable by the courts. There's a lot of case history and precedent, from firms whose software needed keys after pre-specified timeout periods and so on.

Here in the UK the 1995 Disability Discrimination
Act makes very similar provisions, the accepted
implication being that an unusable *intranet* site which (say) presented a tool which was
an essential part of your job would be discriminatory, if there was a reasonable
alternative which was not used.

Under the terms of section 19 of the Act,
its very likely that internet sites for web-only
banks (for instance) fall foul of this too.

No test cases launched on this front yet,
but its only a matter of time.

-Baz

It's all explained at: Here I've I got it right, you could request a copy of the information but they are entitled to ask for a small "admin" fee.

and, as you said, not all the laws are true. (The archery one is false).

It is illegal to leave baggage unattended.

Airports like Heathrow have constant reminders that unattended baggage may be removed and destroyed, but I've never seen a suggestion it was a criminal offense to leave it. (Under some circumstances I guess it could be wasting police time or behaviour likely to cause a breach of the peace).

The Prevention of Terrorism (Additional Powers) Act 1996 and Prevention of Terrorism (Temporary Provisions) Act 1989 don't seem to mention it, though the latter is only a summary. There is a section about searches of unaccompanied goods.

Sorry if this feels a little curt - I'd got a lovely reply written when I stopped concentrating for a moment and closed that window instead on another...

This sounds suspiciously similar to the Cookie Problem and so suffers from the same potential problem* as that for us lucky Europeans :) in that you can't collect personal data in the EU and then export it to a less severe jurisdiction to try and bypass data protection legislation.

If this is the case, which ZDNet UK News think it is - I promise I first hit reply to this article without having read their take on it, honest! - then this could get quite interesting. If the EU take this one to trial we could end up with this sort of practise made impractical for the whole net as it couldn't be legally used on a pretty large chunk of the users - I'm told we're currently predicted to be bigger than the USA on the net within 5 years, or something like that anyway. I haven't got the figures to hand, but that was the gist of it, OK? :)

And yes, I know that this article's talking about them releasing the patch and upgrading the privacy statement - but if the software isn't legal without the patch then it gets even nicer as they have to make that the default!

For those who are interested in the details, the UK law is here - as I understand it, other EU countries have roughly the same rules by agreement.


Greg

* Sorry to quote myself. It's just that I know I explained it and I can remember that quicker than I can find if anyone else gave a better explanation...