Posts by post-truth

27 publicly visible posts • joined 22 Jun 2017

Careful now, UK court ruling says email signature blocks can sign binding contracts


Don't Panic! folks - it's not about sale of land

The instant case Neocleous v Rees https://www.bailii.org/ew/cases/EWHC/Ch/2019/2462.html is about "authenticating intention". Discussion at Law Commission's (current) report: https://s3-eu-west-2.amazonaws.com/lawcom-prod-storage-11jsxou24uy7q/uploads/2019/09/Electronic-Execution-Report.pdf. (Whether the case applies only to contracts of settlement in litigation, rather than contract generally as it is framed, might be open to argument - but it certainly ain't about sale of land.)

The article doesn't explain the history, which lawyers can infer, but without that it makes no sense to a layperson. Ultimately *this* litigation is not about sale of land, but about the validity of a contract to settle *other* litigation about rights of access. Thus... the seller instructs their solicitor to compromise on the basis of the stated terms, the solicitor duly makes the offer, the buyer's solicitor accepts it. Then the seller turns around and wants more money. Too late, but hey, why don't we burn our solicitor for doing what we instructed...?... Again, the issue was NOT about the formal contract of sale, which was still in the future, but the contract to settle on the basis of drawing up a contract of sale. So it's a fine point about ordinary contract law and (possibly) dispute resolution and public policy, not sale of land, and the Court is left to clean up a case of "seller's remorse by proxy" by ruling on the fine point, with the seller's hapless ex-adviser caught in the middle. The Court makes the seller's behaviour clear, more brutally than I expected, in two paragraphs:

"...46. It must immediately be identified that there is an unattractive aspect to the position taken by the Defendant. As Mr Tear readily accepted in cross-examination, his client had given him instructions to accept the offer. On the face of it, the Defendant's position appears to involve using a serendipitous technical defect in formality to renege upon a deal reached during the course of litigation where the apparent agreement led to a court hearing being vacated on the assumption that the case had been settled.

47. However, as the Defendant rightly points out, the issue before the court is one of principle and cannot be decided simply on the basis of the court's attitude to the stance taken by the parties...."

No doubt the seller's next move will try to airbrush the history and sue their ex-solicitor for failing to follow their instructions... I hope they get everything they deserve. Meanwhile Mr Tear also deserves our sympathy. We've all had clients like his.

Facebook spooked after MPs seize documents for privacy breach probe


Re: Missing Information

Win-win. Well played by both sides.


Re: An early Christmas?

He merely has to resist. Then he's not in contempt. Win-win.


Re: Why?

"> A US court in California has no jurisdiction over the UK [ ... ]

It's a Silicon Valley lawyer. They all believe that Santa Clara Superior Court has jurisdiction over the entire Universe."

Actually... and this may surprise those of a boolean persuasion... but technically BOTH the UK and California have unlimited jurisdiction over the other.

This is one reason why private international law - comity, recognition, and enforcement - has developed over the last eight centuries. To develop "customary" rules by which one or the other will decide, unilaterally, to back off.

If neither backs off, then wham, instant trade war or shutdown of enforcement until one side or the other quietly changes its approach. It happens.

Surprise UK raid of Cambridge Analytica delayed: Nobody expects the British information commissioner!


Re: Powers of entry without warrant

Good points, but they miss the "key points"

- Criminal search warrants can be tricky, and the ICO if they're contemplating criminal charges should simply turn the matter over to the CPS, as happened in respect of all the data protection criminal convictions associated with a certain naval-sounding insurance group a few years back.

- civil Search Orders ought to be relatively straightforward, plus the RCJ has a dedicated Applications court plus a 24/7 duty judge for genuine emergency applications, plus civil judges (paradoxically) have occasionally useful powers instantly to jail people for contempt for up to two years (without charge or trial or appeal). As with a certain notorious cellphone-not-being-switched-off-in-court episode a few years back...

- Here's the amusing "killer" - obviously the publicity has eliminated any chance of any judge considering this an emergency or something that must be done without notice (aka ex parte aka without the other party represented at first hearing). Because if they had factual grounds to need such an order, they wouldn't have blabbed. Which in turn undermines the ICO's opportunities ever to secure the Order it seeks!


Fortunately under the GDPR the ICO is no longer central to the process. Not irrelevant of course, because the ICO can still impose additional orders and punishments.

Also, any of the other 45 Supervisory Authorities can step in and fine malefactors if they think the ICO is dragging its feet.

What the @#$%&!? Microsoft bans nudity, swearing in Skype, emails, Office 365 docs


This could be fun. All justice and law enforcement systems had better get rid of all their Microsoft products then. How would courts or police be able to process:

- accurate testimony, anything being routinely acceptable (except the five-letter F-word - "fraud")?

- photographic evidence?

- much film evidence?

- audio evidence?

- case theories?

- indictments?

- pleadings?

- depositions?

- Court transcripts?

- Court judgments?

- police body cameras? (maybe that's the explanation of why body cams so unaccountably switch themselves off so much, microshaft has been field-trialing their algorithms to avoid recording events that might be crimes and therefore offensive to somebody somewhere...)

Brit retailer Currys PC World says sorry for Know How scam


In emergencies I buy kit from such stores - they're all at it.

My tactics are simple and practical. Once I've chosen the kit and physically verified they do have it in their store, I cut off the next hour of "paperwork" sales BS and exasperation on all sides by giving them a simple ultimatum, goes something like:

"I have to go. You have five minutes to do your paperwork and get this box to the cash registers. If this is too difficult, I can help you out by carrying it there myself. If it's not there in five minutes, I'm gone."

The fact that I mean it, and that they can see that, results in a happy outcome every time.

Ex-Google recruiter: I was fired for opposing hiring caps on white, Asian male nerds


Re: Reverse discrimination is now political correctness.

"Anon because I am genuinely concerned we now live in a society where having a minority opinion will lead to punishment."

Concur. Not only statutes but even common law is heading in the same direction: in the UK, harassment, ASBOs [anti-social behaviour orders] and now the demise of the dual Ghosh tests for dishonesty are perfect examples. Now, if we honestly disagree with someone in the majority or in Authority (whether because we're seen as a kook, or anti-social, or have Aspergers/ADD/whatever, or someone simply takes a dislike to us and can't think of anything specific), we can acquire a criminal record just for being viewed as, quite literally, potentially anti-social for any or no reason at all - without there ever having been a subject-matter-specific offense committed.

(I am not commenting on reverse discrimination or any laws engaging a self-contained actus reus).

MY GOD, IT'S FULL OF CARS: SpaceX parks a Tesla in orbit (just don't mention the barge)


I'm no petrol-head. But you gotta admire the man's style.

Besides, a toast: Confusion to the aliens!

Lauri Love judgment: Extradition would be 'oppressive' and breach forum bar


Re: The argument makes me sick

These jurisdictional arguments are all about angels on the heads of pins.

In the reality that is international law, all nations can ask for extradition of anyone in any other nation to face trial, provided the metalaws associated with extradition treaties etc are satisfied.

Sometimes this becomes absurd - such as when a foreign nation of which I am a citizen criminalized my work teaching encryption and building encryption into software to protect US/European companies from data breach. An extraditable offence for which any citizen of that nation could face ten years imprisonment regardless of where they plied their trade. Happily, they recently updated that particular law to change the citizenship element, but the point is a general one and the UK is no stranger to such calamities in its own laws.

What a Hancock-up: MP's social network app is a privacy disaster


Re: Like the privacy policy on my new LG TV

In reverse order:

"Question is, is there anyone to complain to (that may care?)"

Yes (if they don't tell you about that in advance of 25 May, they're in breach anyway). Any or all of the relevant Supervisory Authorities, for a start. Choose from the 46-odd regulators, for a start (28 Member State data protection agencies, see http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm, plus the EDPS, plus the German Länder authorities).

Then there's the Article 80-promoted non-profit class action companies, such as Max Schrems' http://noyb.eu.

Then there's the Member State Courts. If you can't work out which of your rights have been breached, just plead in respect of the "washup" Article 79. A small claim is sufficient (if your jurisdiction supports that) and is recommended as they are likely to eliminate all legal costs beyond the (usually recoverable if you win) dozen-beers money the Court charges you to file the claim. Post-GDPR the legal burden of proof is now on the defendant, so you arguably don't have to prove a thing beyond providing factual context, it's for them to prove their own compliance. (In England the standard thing is to add a claim, alongside the basic DPA 1998 or now the GDPR/DP Bill, in the new worldwide English tort of misuse of private information, but that uses tort rules so you'd have to prove stuff to Court standards of proof so don't try that in DIY litigation).

"I am not a lawyer/solicitor but the policy wording is so vague as to make it not worth writing all the words they wasted below with details."

If that is right, then it might be inferred that their "privacy policies" already clearly breach Article 12 GDPR, despite it being enacted into all Member States' laws since 2016. To detect breach you're not required to be a lawyer any more, that's the whole point.

Article 12(1) of the GDPR (see p39 http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN), specifying the modalities of information to be provided to data subjects, requires that information be provided in, inter alia, "... concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child...". Ambiguity, or failure to address any material point of the Articles 13/14 Notification requirements, arguably equals non-compliance. In turn non-compliance might equal fines (from any of the 46 empowered regulators in the EU) plus criminal prosecution of directors (conceivably including overseas following extradition). Even the CPS in England has prosecuted data protection offences using anti-racketeering law (POCA) to confiscate profits. Plus private injunctive relief (money for old rope), and compensation/class actions, including tort in or from common law jurisdictions.

Some other fun stuff controllers must get right in advance: see for example https://www.gdpr360.com/gdpr-what-are-the-lawful-bases-under-which-data-can-be-processed

Pro tip: avoid complaining until 1st July 2018 if you can resist. For technical reasons, waiting five weeks may "improve" evidence against defendants, both qualitatively and quantitatively.


Nothing communicated or referenced above is legal advice.

What's GDPR? Survey suggests smaller firms living under rocks as EU privacy regs loom


"I had the misfortune to spend 20 minutes or so with a webcast about GDPR until it became very clear it was about a vendor's product and not best practice for an SME like ours.

At least we've been aware of the term since last year, but so far all we've done is make our email list double-opt-in. We all know there is more to be done, it just doesn't seem to be very apparent what needs to be done."

@Anon. In response to your two paras (and assuming hypothetically you're in the UK):

(1) there is no such thing as GDPR "best practice", and *never can be*. This is because all GDPR compliance is unique to the enterprise. Because in practice it's all centred around your Article 30 artefact which is unique to your enterprise. So the best you can do is adopt a methodology that will enable you to comply.

(2) What to do?

(a) build yourself an Article 30 artefact - like a dynamic "information-architecture-lite" populated by systems, datasets (meaning whatever you want it to mean in your own context, even recursively, don't go all IT-precise on me), and processes. Including shadow IT (yes I know, but there are products out there that can identify that for you). Then add to the process repository everything you need for Article 13/14 Notifications, starting with jurisdictions, data-protection-law attributes of the data, legal bases, and purposes, the results will tell you what else you need to add. None of these additions can be done by distinct IT people. Can all be done in spreadsheets and until you know what you're doing (most vendors and consultants have no clue) ought to be.

(b) then urgently create your Notifications, which safely can be done only at this point.

(c) perform any necessary DPIAs per Article 35. Guidance as to when and how in WP29's WP248 document. Remember to document *in advance* when and why you *don't* perform DPIAs for any given process.

(d) do/plan the rest of your data subject rights processing per Articles 12, 15-21.

(e) all other obligations, including security and data breach stuff, are relatively minor pieces of work and can be done in parallel.

As Lord de Ramsey said not so long ago in the House of Lords, "semper in excretia sumus solum profundum variat": we're always in the poo, only the depth varies. Different context, same message, and that's the right attitude (I've even screwed up myself on some past Notifications). Don't be low-hanging fruit!


Oops. I think I feel another blog coming on...

[disclaimer: Yes, I've co-founded a GDPR consultancy and product vendor so I'm conflicted. Yes, I'm a data protection litigator and IT architect and teach this stuff so I'm conflicted. No, I am not here offering legal services and you may not treat any part of this communication as legal advice]

Serverless: Should we be scared? Maybe. Is it a silly name? Possibly


Re: Don't care about how their applications do what they do?

Excellent point on GDPR, @Warm Braw. Just as any jurisdictionally non-deterministic cloud application processing personal data necessarily breaches the GDPR even if the data never actually leaves the EU (if only because ignorance plus mandated advance notification plus reversal of legal burden of proof ipso facto equals breach), the same applies to anything that replicates the same effect.

That said, actually I'm exploring the feasibility of deploying what used to be called "middleware" as BDCAs, even in the context of GDPR control software - so long as you never ever send anything but non-personal metadata into the black box! Then the only issue becomes performance...

US senators vow to filibuster FBI, er, NSA's domestic, errr, foreign mass spying program


Re: Good

Indeed. This "Democracy in America" discussion recalls two comic events to mind.

The first is from 1964 when, on-stage in New York, Peter Cook (or perhaps Alan Bennett?) was carefully explaining to Dudley Moore, deadpan, the differences between the two political systems:

"On the one hand they have the Republican Party... which is the equivalent of our Conservative Party. On the other, they have the Democratic Party... which is the equivalent of our Conservative Party".

The second is from when Mahatma Gandhi, that notorious Inner Temple barrister, was asked his opinion of Western civilization. He purportedly answered: "I think it's a very good idea."

[Caution: I have neither attribution to hand, so my memory may well be at fault]

So America is a shining light on the hill. Or is it a will o' the wisp? Or a siren calling to drag us to our doom and feast on our remains?

(post-2015 events may be seen as a logical outcome, a mere historical footnote. Many other Western systems are no better equipped to deal with web-based demagogy cloaked in the same democratic principles adopted, ironically less plausibly, by parliamentary systems centuries ago)

Australia reviews defence export controls, perhaps easing cryptography research


Re: Is this an outbreak of common sense?

What a fabulous method permanently to destabilize the West Island! (Speaking as a West and Far Northwest Islander...)

On the other hand, they'd all migrate northwest to my refugee camp aka Ukmanus Island, and re-enter politics here. So you're a very mean and nasty person. I'd have to go even further - I think only Iceland qualifies. But after they're kicked out of Ukmanus Island they'll just go to Iceland and take over the Pirate Party, leaving me screwed again...

Facebook notifications to reveal who saw dodgy Russian election ads


"Zuckerberg knows how to do something, and other people don’t, so he does it."

You're right, of course, but it needs some nuance.

What you've done is describe not just Zuck, but also myself, pretty much all hackers, and maybe half the creative IT geeks and politicians across the entire world (paradigmatically including the president of the United States).

We're all sociopaths and narcissists. Most of us are in denial (this is not an excuse, just an observation). Some of us try to face it later on in their career and try for redemption (in my case I became a plaintiff lawyer in, coincidentally, the same field trodden by Zuck - though I'm still addicted to doing stuff just because I can).

My point is: when you say the [perceived] problem is down to Zuck's personality you're in danger of trivializing the problem. Witch-burning won't help if we're just swapping out witches... [and now I'm in danger of talking politics so I'll stop there]

Munich council: To hell with Linux, we're going full Windows in 2020


Re: Not sure about Office?

"our company said screw this and went ahead and developed its own Windows 10-like OS shell and remade the command line interface of Linux to PROPER ENGLISH! We remade LAMP into custom Windows 2016 server-like environment with a decent Active Directory WAN/ALN management system analogue!"

You may be onto something there. Use Linux o/s with Windows-like UI. Just make sure you avoid exactly the same names (to avoid MS legal stupidity). A perfect solution?

When I was young, and dinosaurs roamed the earth, I used to do something similar when teaching my youthful underlings hard lessons about computer security. Basically I'd quietly shoehorn my own pseudo-Unix shell into theirs at login. This mimicked their own. Their commands would act exactly as they expected (simply by passing them through to the real UNIX)... except when they simply failed harmlessly for peculiar reasons. Over time the frequency of failure slowly would increase, and increasingly silly random explanation messages would emerge, referring to say "logic overflow at segment xxx, booleans restored from swap", progressing ultimately to things like "Memory hole detected in BitBucket 3.0, install patch 3.0912". Etc. Cruel? Not entirely. The point was to eliminate a dangerous level of arrogance and replace it with the deliberately paranoid assumption that we're always being played. And the ultimate objective was to motivate them to bring themselves up to the level at which they could do the same to me...

Take off, ya hosers! Silicon Valley court says Google can safely ignore Canadian search ban


"Judging" by the last 13 years of US case law, the lower court judgment routinely will be appealed to the 9th Circuit. The 9th Circuit is generally very good on private international law, and routinely reverses any decisions undermining comity in almost any context. Then the Supreme Court will either find a way to refuse to hear the appeal by technicality-farming (cf Yahoo), or hear it very solemnly and duck the issues with filibuster-like waffling of unsurpassed elegance (cf Aerospatiale), very loosely boiled down to "sod off, yeah sure we can't think of any way to avoid hearing this case but we refuse to disturb the court of appeal finding however silly it might seem to us and everyone else because for the Supreme Court to endorse our own Courts' refusals to follow others' rulings would end the rule of law in international transactions and make us an obvious rogue state and thus defeat public policy".

Simple enough. But who knows what happens this time? Make no mistake, it's important. Not because of the issues here, which are not existential for Google. But because next year we have the GDPR, which is. No doubt that's what Google is thinking, too...

Australia Bureau of Statistics may wind back internet usage data collection


Re: Sack the data scientists & feed global big-data; abuse has no political consequence

WOW! You're dead right. I didn't work for the ABS even in consulting gigs, but I have strong circumstantial evidence supporting your position that they're the most focused on their (albeit informal?) Constitutional duties.

To me the rot set in 1980-ish, when the government ordered the ABS to start focusing collection of its unemployment statistics in obviously deprived areas like South Yarra and Toorak. The ABS, to its eternal credit, went on strike. I have never, before or since, seen such selfless behaviour by any government department in any nation. Didn't work of course, only slowed down the remorseless march of policy mediocrity, but undying kudos. Te morituri salutant!

The reason I remember this is that just beforehand, as a new grad I made my first and only employment application to the APS. The ABS was not one of my options and my chosen departments turned me down after interview (I stupidly revealed my obviously insane ideas about using data to build predictive algorithms in order to support policy). But 4-5 months later, after the strike and after I'd taken a different career path, out of the blue I received an unconditional job offer letter from the ABS piggy-backing on my application. I was no statistician, though my science degree (maths/computer science/physics) included kibitzing a final-year statistics subject: forecasting, which fascinated me enough to start modelling. Perhaps more importantly, my strongest fields were methodology and the philosophy of science, studied repeatedly within my four-year philosophy degree. So perhaps someone realized I might be handy to build internal defences? Nothing else made sense to me. I've always wondered what might-have-been if the timing had been different...


Re: Sack the data scientists & feed global big-data; abuse has no political consequence

Damn, you ninja'd me, I should have read further before posting!


The very best thing about this news is that evidence-based policy is now officially a thing of the past.

Instead, we can get up on our hind legs in the parliament and say, truthfully hand on heart, "our new Space Agency's policy of subsidizing coal-powered rockets is undeniably the best thing since sliced coal, and there is absolutely no evidence suggesting otherwise, and there never will be".

Next move: roll on the dismemberment of the CSIRO (or whatever they call it this week). Scientists are almost as dangerous and un-Australian as statisticians. Some of them are even climate-asserters, and we know climate is a fiction. Stick 'em on the dole queue: it's the only language they understand.

HMRC's switch to AWS killed a small UK cloud business


Do I hear an echo? In the courses I teach, my primary examples of super-vulnerable government departments, even under the old data protection law, are HMRC and the DoH. Especially as they reportedly are insane enough to see the GDPR primarily as an opportunity to screw over their subcontractors...

Oh well. More course material, more evidence for class actions, and more motivation for intervention, Orders, and fines by any of the 45 foreign supervisory authorities that lawfully can ignore the Commission and Member State governments alike. Not all of them adore HMG or HMRC. And even the ICO is being granted financial independence and (limited) Henry VIII powers to make law immune to government veto. Roll on the GDPR!

Equifax mega-leak: Security wonks smack firm over breach notification plan


Re: Right now on the Equifax site

That's another thing the execs have to fear - derivative claims from shareholders. And you don't even need fraud to jail them. With the data protection laws changing, this will have peculiar effects on the "business record" admissibility rules of criminal evidence in each jurisdiction. Interestingly, as Google execs found out the hard way a few years ago, most EU nations award custodial sentences (generally five years or less, though Greece has up to 10) for criminal data protection offenders (i.e. controllers), and breaches undoubtedly will engage those criminal laws.


Re: Go to the organ grinder..

Interestingly, none of the responses in this otherwise rather good geeky brainstorming thread have addressed any of the three biggest GDPR vulnerabilities of the data brokers. Keep working on it, folks. It's going to be fun.


Re: Go to the organ grinder..

Under GDPR Legitimate Interests will become the refuge of the terminally desperate.

Banking websites are 'littered with trackers' ogling your credit risk


The third-party trackers, and credit providers that purchase their services, now have until July 2018 to get their act together or be destroyed. The credit providers, with deep pockets and thus insurers of last resort, will end up paying for the misdeeds of their suppliers.