 Thursday, June 21, 2007
The International Telecommunication Union (ITU) and the European Broadcasting Union (EBU) are jointly holding a meeting of high-level experts to identify key trends and to address the new technological and policy challenges in the digital content delivery environment.

To view the ITU/EBU conference via webcam, click here.

More information about this meeting can be found here.

6/21/2007 5:59:38 PM (W. Europe Daylight Time, UTC+02:00)
 Friday, June 08, 2007

The International Telecommunication Union (ITU) and the European Broadcasting Union (EBU) will jointly organize a Meeting of High-Level Experts on “Competitive Platforms for the Delivery of Digital Content” to identify global trends and to address the new technological and policy challenges in the digital content delivery environment.

ITU Member States, EBU Membership, meeting participants and other interested parties are encouraged to send in their competitive platforms for digital content related contributions to the meeting at digitalcontent@itu.int

Click here to see the meeting agenda.

Online registration is available here.

Information about this meeting can be found here.

6/8/2007 11:30:43 AM (W. Europe Daylight Time, UTC+02:00)
 Tuesday, June 05, 2007

A recent article in ComputerWorld Australia reports that a common e-crime reporting format to electronically report fraudulent activities will be fully operational in Australia by July, 2007.

In an interview with the Anti-Phishing Working Group (APWG) Secretary-General, the need for a structured data model to improve incident reporting, share information and allow forensic searches and investigations was highlighted. Secretary-General Cassidy said that "the first base specification was submitted in June 2005 and the Incident Object Description Exchange Format (IODEF) XML Schema with e-crime relevant extensions will be a recognized IETF standard in about six weeks." Furthermore, reporting can be automated with greater ease using a standard schema. He also gave an example to show how it is planned to work: an Asian country CERT (Computer Emergency Response Team) reporting an incident can send it to a European bank, which can then handle the specific request.

The Anti-Phishing Working Group (APWG) is currently talking to ISPs to increase the amount of phishing data reported from the field. Cassidy continues, "Reporting is improving. The average time live for a phishing site is now four days: we should be able to reduce this to a single day. We want to make it harder for organized crime by frustrating them and pulling down the sites as quickly as possible. We don't want it to be easy for them to make a profit so they have to return to old standbys like extortion and drugs."

Cassidy estimates there are upwards of 50 full-time phishing gangs operating worldwide at any given time. While four days may seem a long time, the average was well over a week when the working group was first established. He said it can depend on reaching the right person within an organization. "We have ISPs that can bring down sites in minutes but there are some organizations that have an approval process that has to be cleared by three levels of management; even after 20 faxes and two weeks later nothing is done." "Some organizations just aren't interested."

Access the full ComputerWorld article here.

6/5/2007 9:25:05 AM (W. Europe Daylight Time, UTC+02:00)

A Wired News article reports on the recent Anti-Phishing Working Group's Counter e-Crime Operations Summit, which took place in San Francisco, United States. The meeting gathered internet-crime fighters from security companies, law enforcement agencies, banks and e-commerce sites to confer on new tactics in the war on cybercrime. "And while nearly everyone agreed the internet has become an infected and dangerous breeding ground for malware and scams, no one could quite agree on what to do."

Proposed solutions included:

  • the online fraud problem had become so bad due to the neglect of ISPs, users and private corporations alike that the only recourse was to build government-funded free clinics for infected computers;
  • the botnet threat requires some top-down authority to fix the problem; the current remediation model, which mostly involves running from one computer to another installing patches, cannot keep up with attackers that are now better organized and better funded than the security community;
  • the increased use of ingress filtering that prevents one computer from successfully spoofing the internet IP address of another (to be widely adopted by ISPs and router manufacturers);
  • and others; see the Anti-Phishing Working Group's Counter e-Crime Operations Summit for further information.

Service providers and everyday users were singled out by meeting panelists and audience members for not taking enough responsibility. Attendees slammed ISPs for not searching for rogue computers on their network or shutting off internet access to compromised PCs reported to them by security companies, charging that ISPs were endangering the internet to avoid support calls from cut off customers.

It was stated that users don't care about security because the rogue zombie software often only uses minimal computing power, making the background spam-spouting code not their problem. A few audience members argued seriously that computer users should have to take a test to get an internet license, maintain botnet insurance and have their machines inspected for information-superhighway worthiness. Others countered that individuals shouldn't have to know how to secure their own computers; the machines should simply be more inherently secure.

In the article, a senior researcher for security company RSA told Wired News that "none of those solutions would work, because new technical specifications for a security score would take years, and the other proposals wouldn't have the international reach needed to make a dent in the global internet infosphere." "The solution? Money. Governments need to provide rewards to ISPs for taking down botnets, the researcher explains." "Governments are the only body with money and the incentive to take down botnets. If you are looking at either a carrot or stick approach, I would go carrot. If you are paying ISPs to get rid of the botnets, then it's international. Everyone wants to make money."

Read the full Wired News article here.

6/5/2007 9:10:59 AM (W. Europe Daylight Time, UTC+02:00)

MSNBC News reports in a recent article that a new mutation of the old phishing scam has surfaced. Like thousands of previous phishing e-mails, this bogus bank notice asks for your personal information. But in a strange and novel twist, it tries to turn your own phone against you.

In an e-mail message from a bank you see text like: "During our regular update and verification we could not verify your current phone number". You are told to confirm your phone number right away or your account will be suspended indefinitely. Then you’re instructed to forward your phone to the number provided. It’s supposedly the phone number for the bank’s security department. "The bank will verify your phone number and will disable call forward within 20 minutes," the e-mail says. However, this e-mail is not from the bank, and the number does not go to their security department. It’s a Skype number that goes straight to the identity thieves who can be anywhere in the world.

If this new approach works, we are likely to see similar messages pretending to be from other financial institutions asking people to forward their phone number. "After an identity thief steals your credit card number, he needs a way to make money with it. He can charge things or sell the number for others to use. In either case, once the charges start piling up on your account, the bank’s computers are likely to flag these abnormal or out of profile transactions and alert the fraud department."

The Anti-Phishing Working Group, a consortium of hundreds of banks, e-tailers, technology companies and government agencies, warns that a growing number of phishing attacks are being designed to steal your personal information by downloading crime-ware onto your computer. They do that when you click the link that’s embedded in the phisher’s e-mail message, the one that’s supposed to take you to the financial institution’s Web site.

For tips on how to protect yourself, and for more information on this new scam, read the full MSNBC article.

6/5/2007 8:53:43 AM (W. Europe Daylight Time, UTC+02:00)
 Monday, June 04, 2007

The European Association for the Co-ordination of Consumer Representation in Standardisation (ANEC) held its General Assembly on 1 June 2007 in Brussels. For the first time, the group considered issues relating to RFID and digital identity, and in particular the impact that these technologies may have on consumer interests. ITU's Lara Srivastava spoke at the assembly, emphasizing the need for a better understanding of the wide-reaching implications of RFID and the development of global solutions to the digital identity problem. Her presentation is available here.

6/4/2007 1:25:17 PM (W. Europe Daylight Time, UTC+02:00)
 Friday, May 25, 2007

The Internet Engineering Task Force (IETF) recently gave its preliminary approval to a powerful technology designed to detect and block fake e-mail messages. It's called DomainKeys Identified Mail (DKIM), and it promises to give Internet users a way to identify and stop the seemingly endless flow of fraudulent junk e-mail by providing a method for validating an identity that is associated with a message while it is transferred over the Internet. That identity can then be held accountable for the message.

The draft standard that the Internet Engineering Task Force adopted is a promising solution because it harnesses the power of cryptographically secure digital signatures to thwart online miscreants.

Read the full article on CNET News.

5/25/2007 11:33:14 AM (W. Europe Daylight Time, UTC+02:00)
 Tuesday, May 22, 2007

The Internet Society of New Zealand (InternetNZ) has recently released the ISP Spam Code of Practice for public consultation. The Code is posted on the InternetNZ website. Four weeks have been allowed for comment to be received, with a deadline of 18 June 2007.

The Code has been prepared by a working group comprising representatives of the Telecommunications Carriers’ Forum, the Marketing Association, and InternetNZ. According to the website, InternetNZ executive director Keith Davidson says the preparation of the Code is an excellent example of how the industry is working together to fight a common enemy. "Spam is clogging up our inboxes, soaking up our bandwidth, and providing vectors for scams and malware." "The ISP Spam Code of Practice recognises that Service Providers can assist in the minimisation of Spam through their technical approach, by being a first port of call for information and complaints from internet users, and by working with law enforcement agencies."

The ISP Spam Code of Practice is complementary to the New Zealand government’s Unsolicited Electronic Messages Act in that it outlines the responsibilities of ISPs under a self-regulatory model. This was anticipated in the passing of the Act. It is planned that the Code will go live on the same date as the Act, 5 September 2007. It is also complementary to the Marketing Association’s Code of Practice for Direct Marketing, the TCF’s SMS Anti-Spam Code and the TCF’s Customer Complaints Code.

See the Internet Society of New Zealand website for further details.

5/22/2007 2:11:20 PM (W. Europe Daylight Time, UTC+02:00)
 Monday, May 21, 2007

Under the aegis of the Shaping Tomorrow’s Networks Initiative and in line with the stated objectives of the WSIS Geneva Declaration of Principles (December 2003), which affirms “…the common desire and commitment to build a people-centred, inclusive and development-oriented Information Society, where everyone can create, access, utilize and share information and knowledge, enabling individuals, communities and peoples to achieve their full potential in promoting their sustainable development and improving their quality of life…” the International Telecommunication Union (ITU) and the European Broadcasting Union (EBU) will jointly organize a Meeting of High-Level Experts on “Competitive Platforms for the Delivery of Digital Content” to identify global trends and to address the new technological and policy challenges in the digital content delivery environment.

ITU Member States, EBU Membership, meeting participants and other interested parties are encouraged to send in their competitive platforms for digital content related contributions to the meeting at digitalcontent@itu.int 

To register for the upcoming ITU/EBU Meeting of High-Level Experts on Competitive Platforms for the Delivery of Digital Content, please click here or contact Ms. Cristina Bueti at digitalcontent@itu.int

More information about this meeting is available here.

5/21/2007 6:45:04 PM (W. Europe Daylight Time, UTC+02:00)
 Thursday, May 17, 2007

As part of its mandate given by the World Summit on the Information Society to build confidence in the use of ICT, ITU announces an ambitious two-year plan to curb cybercrime. The announcement was made by ITU Secretary-General Dr Hamadoun Touré at a ceremony to present the 2007 ITU World Information Society Award.

Cybercrime takes several forms, from breaching network security, financial fraud, invasion of privacy and identity theft to virus attacks, spam or online child pornography. With schools, hospitals, and government organizations increasingly dependent on online services, the vulnerability of the system and everyone connected to it becomes frighteningly apparent. As we are only as secure as the weakest link, a global concerted response is needed to ensure there are no safe havens for cybercriminals.

Against this background, ITU Secretary-General Dr Hamadoun Touré set out a comprehensive Global Cybersecurity Agenda to tackle the issue within a framework of international cooperation. "With more than one billion Internet users in the world today, not only is the number of crimes committed in cyberspace increasing at an alarming rate, but the sophistication in the way these crimes are committed keeps evolving," Dr Touré said.

The goal of the Agenda is to foster a common understanding of the importance of cybersecurity and bring together all relevant stakeholders (governments, intergovernmental organizations, the private sector, and civil society) to work on concrete solutions to deal with cybercrime. This is all the more important as criminals use weaknesses wherever they can be found and leverage them internationally. While there are a number of existing frameworks, they are enforceable only within geographical boundaries, either national or regional, thus leaving room for criminals to use loopholes to their advantage and in almost total impunity as they shift their operations to countries where appropriate and enforceable laws are not yet in place. It is vital to work on bringing together these initiatives within a framework of international cooperation and focus on solutions that leverage the broad range of existing expertise and initiatives in order to avoid duplication and make real progress in building confidence and security in the use of ICT.

"Today, the loss is estimated to run into several billion dollars, both from fraud on the Internet and from costs related to fixing networks that have suffered cyberattacks. But with children, students, and senior citizens communicating by Internet or mobile phone, tomorrow’s losses can be devastating. Just one word change on a patient’s medical file in a hospital could kill that patient, and hackers who can thwart sophisticated banking systems have no trouble breaking into a hospital’s network," said Dr Hamadoun Touré, ITU Secretary-General. This is becoming a major concern for public authorities.

The Global Cybersecurity Agenda, which will have a two-year timetable, rests on five pillars:

  • Finding technical solutions for every environment;
  • Developing interoperable legislative frameworks;
  • Building capacity in all the relevant areas;
  • Establishing appropriate organizational structures;
  • Adopting effective international cooperation mechanisms.

    See the full ITU Press Release here.

    5/17/2007 3:08:00 PM (W. Europe Daylight Time, UTC+02:00)

    The 2nd WSIS Action Line C5 Facilitation Meeting, dedicated to building confidence and security in the use of ICTs, was held 14-15 May 2007 at ITU Headquarters in Geneva, Switzerland. The meeting was open to all stakeholders and held in conjunction with a cluster of events 14-25 May surrounding World Telecommunication and Information Society Day (May 17th).

    Full documentation for the meeting, including the final agenda, all presentations, meeting contributions and audio archives, is available on the event website.

    Enquiries related to the event or generally with regards to ITU cybersecurity activities can be directed to cybersecurity@itu.int.

    5/17/2007 2:40:22 PM (W. Europe Daylight Time, UTC+02:00)
     Sunday, April 15, 2007

    Under the aegis of the Shaping Tomorrow’s Networks Initiative and in line with the stated objectives of the WSIS Geneva Declaration of Principles (December 2003), which affirms “…the common desire and commitment to build a people-centred, inclusive and development-oriented Information Society, where everyone can create, access, utilize and share information and knowledge, enabling individuals, communities and peoples to achieve their full potential in promoting their sustainable development and improving their quality of life…” the International Telecommunication Union (ITU) and the European Broadcasting Union (EBU) will jointly organize a High-Level Experts Meeting on “Competitive Platforms for Digital Content” to identify global trends and to address the new technological and policy challenges in the digital content delivery environment.

    ITU Member States, EBU Membership, meeting participants and other interested parties are encouraged to send in their competitive platforms for digital content related contributions to the meeting at digitalcontent@itu.int

    More information about the Call for Papers is available here.

    More information about the Meeting can be found here or by contacting Cristina Bueti at digitalcontent@itu.int  
    4/15/2007 8:06:56 PM (W. Europe Daylight Time, UTC+02:00)
     Tuesday, April 03, 2007

    The second edition of the World Information Society Report: Beyond WSIS is going to be launched on the occasion of the World Information Society Day on 16 May 2007.

    Published by ITU and UNCTAD, this report looks beyond the World Summit on the Information Society (WSIS, Geneva 2003 - Tunis 2005) to the creation of an inclusive, people-centered and development-oriented Information Society, open to all. Some of the themes covered in the report are: the evolution of the digital divide, trends in the information society, ICT growth strategies, cybersecurity and WSIS implementation. The report tracks progress in digital opportunity for 181 economies over the past few years since the start of the WSIS process and is accompanied by a series of tables providing the latest statistics on the development of Information and Communication Technologies (ICTs) worldwide.

    The report has been created by the “Digital Opportunity Platform”, an open multi-stakeholder platform with contributions from governments, private sector, academics and civil society, as well as inter-governmental organizations.

    More information on the forthcoming publication will be made available on its website in due course.

    4/3/2007 8:01:21 PM (W. Europe Daylight Time, UTC+02:00)
     Friday, March 23, 2007

    The Indian Merchants' Chamber held its 5th international conference on communications convergence on 16-17 March 2007 in Mumbai, focusing on the theme: new technologies, new business horizons (webcast).

    Speakers included, among others, J. Patil (Minister for Finance and Planning), S. Pitroda, V. Bhatkar (Chairman, ETH Research Lab), R.A. Mashelkar (Former Director-General, CSIR), N. Rupani (Chairman, Enkay Technologies), R. Patel (Chairman, Bombay Stock Exchange Ltd), S. Chowdury (CIO, Reliance Communications Ltd), K. Goyal (Chief General Manager, BSNL) and K. Dasgupta (CEO, Sony Entertainment Television Pvt. Ltd).

    ITU's Lara Srivastava delivered a talk in the plenary session entitled "communications convergence and the new global village". Her presentation is available here.

    3/23/2007 2:42:24 PM (W. Europe Standard Time, UTC+01:00)
     Thursday, March 08, 2007

    The first steps towards a globally harmonized approach to identity management (IdM) have been taken during a meeting of the ITU Focus Group on Identity Management (FG IdM) bringing together, for the first time, the world’s key players in the IdM space.

    IdM promises to reduce the need for multiple user names and passwords for each service used, while maintaining privacy of personal information. A global IdM solution will help diminish identity theft and fraud. Further, IdM is one of the key enablers for a simplified and secure interaction between customers and services such as e-commerce. Experts at the meeting concurred that interoperability between existing IdM solutions will provide significant benefits such as increased trust by users of on-line services as well as cybersecurity, reduction of spam and seamless "nomadic" roaming between services worldwide. Abbie Barbir, chairman of the Focus Group on Identity Management: "Our main focus is on how to achieve the common goals of the telecommunication and IdM communities. Nobody can go it alone in this space, an IdM system must have global acceptance. There was a very positive feeling at the meeting that we can achieve this and crucially we saw a great level of participation from all key players."

    The meeting of the FG IdM brought together developers, software vendors, standards forums, manufacturers, telcos, solutions providers and academia from around the world to share their knowledge and coordinate their IdM efforts. Interoperability among solutions so far has been minimal. One conclusion of attendees is that cooperation is crucial and that players cannot exist in isolation.

    The spirit of the meeting was that everyone will gain by providing an open mechanism that will allow different IdM solutions to communicate even as each IdM solution continues to evolve. Such a "trust metric" does not exist today, experts say. Work will continue online and during Focus Group meetings in April, May, and July 2007. An analysis of what IdM is used for will be followed by a gap analysis between existing IdM frameworks now being developed by industry fora and consortiums. These gaps should be addressed before the interworking and interoperability between the various solutions can be achieved. The aim is to provide the basis for a framework which can then be conveyed to the relevant standard bodies including ITU-T Study Groups. The document will include details on the requirements for the additional functionality needed within next generation networks. ITU has a long history of innovation in this field, with key work on trusted, interoperable identity framework standards including Recommendation X.509 that today serves as the primary "public key" technical mechanism for communications security across all telecom and internet infrastructures.

    See more information on the Focus Group on Identity Management (FG IdM) website.

    3/8/2007 10:42:50 AM (W. Europe Standard Time, UTC+01:00)
     Thursday, March 01, 2007

    Kaspersky Lab, a developer of secure content management solutions, recently announced its annual report on malware and spam evolution. The report, authored by Kaspersky Lab analysts, surveys the trends of 2006 and looks at what 2007 may bring.

    Malware Evolution: 2006. The report provides an overview of the most important incidents in the malware world, highlights the main trends, and examines how the situation will evolve. Particular stress is laid on the continuing increase in the number of Trojan programs, particularly those designed to steal online gaming account data; the first viruses and worms for MacOS; and Trojans for J2ME, which are designed to steal funds from mobile user accounts. The number of new malicious programs was up 41% on 2005. As for the future evolution of malicious programs, Kaspersky Lab virus analysts believe that virus writers and spammers will work ever more closely together; the number of Trojans will continue to increase; and that virus writers will be on the lookout for exploitable vulnerabilities in Vista.

    Spam Evolution: 2006. Data provided by the Kaspersky Spam Lab shows that in 2006, between 70% and 80% of mail traffic on the Russian Internet was spam. The majority of spam sent to Russian users originates in Russia, the U.S.A. and China. Spammers actively used graphics in order to evade spam filters. They also continued to send spam masquerading as personal correspondence in order to get the recipient to read the whole message and then act as the spammers intended, whether by calling a designated number or clicking on a link. The report on spam evolution also highlights how mass mailings differ from each other according to language: most Russian language spam offers education and training, and a wide range of goods ranging from busts of the Russian president to a device which will 'translate' a dog's bark. English language spam, on the other hand, tends to focus on advertising for stocks and shares, Viagra and cheap software. The report also notes that spam became increasingly criminalized in 2006, with spammers actively using SMS to spread spam.

    The company's analysts believe that technologies currently in use will continue to evolve in 2007, together with further development of graphical spam, and increased criminalization of mass mailings.

    Read the executive summaries here: Malware Evolution: 2006 and Spam Evolution: 2006.
    The full annual report can be found here.  

    This news item was accessed through Russia Newswire.

    3/1/2007 4:03:34 PM (W. Europe Standard Time, UTC+01:00)
     Wednesday, February 21, 2007

    The New York Times has published an article on the early moves by European governments to implement the European Union Data Retention Directive.  The initial programs proposed by the governments of Germany and the Netherlands are more stringent than the directive requires.  The New York Times has noted that some of the people involved in this issue are concerned that these programs may represent a policy shift within Europe, which has traditionally followed a policy of protecting individuals' privacy rights.

    More information can be found here.

    The New York Times article can be found here.

    2/21/2007 4:56:30 PM (W. Europe Standard Time, UTC+01:00)
     Thursday, February 15, 2007

    This summary provides a general discussion of the amended Information Network and Privacy Protection Act (“INPPA”) of Korea. INPPA sets out the minimum procedural requirements for lawful online transmissions in Korea, under which transmitting advertising materials to recipients who have refused to accept them is strictly prohibited. Although these rules are applicable to unsolicited commercial e-mails via the internet, they were intended to apply to all modes of telecommunication such as cellular phones, facsimiles, etc.

    The Korean government has made continuing efforts since 1999 to curb the increase in spam mail and has since been monitoring the effectiveness of the implementation of additional provisions. The new law targets senders of spam mail that are commercial in nature. Consistent with its effort to protect minors from being exposed to obscene and violent materials online, the Korean government has also included a provision in the INPPA that requires senders to label those materials as such.

    More information can be found here.

    2/15/2007 5:58:13 PM (W. Europe Standard Time, UTC+01:00)
     Thursday, February 08, 2007

    An international conference on the impact of technology on society was held in Geneva, Switzerland, from 7-9 February. LIFT 2007 welcomed more than 40 international speakers, from F. Devouard (Chair, Wikipedia) to Jaewoong Lee (Founder, Daum Communications).

    Sessions included, among others: technological overload, digital divide, the social web, post-industrial worlds, from robots to cyborgs, perspectives on ubiquitous computing, technological opportunities for society. In this latter session, ITU's Lara Srivastava gave a presentation on "communication technologies and new forms of social interaction". 

    Lara Srivastava also participated as a panelist in the session "Digital Divide: Bringing it Home". Her presentation entitled "digital divide, digital disconnect" is available here.

    The conference includes a LIFT + feature, a living and creative platform intended to develop new ideas through the active interaction of participants.

    More information about LIFT can be found here.

    2/8/2007 5:53:24 PM (W. Europe Standard Time, UTC+01:00)
     Tuesday, February 06, 2007

    Almost 40 countries will participate in the fourth edition of Safer Internet Day (SID) which this year takes place on 6 February.

    The event is organised by European Schoolnet, coordinator of Insafe, the European safer internet network. Viviane Reding, EU Commissioner for the Information Society and Media is once again patron of Safer Internet Day, as in the past two years.

    The highlight of the day will once again be a worldwide blogathon, which will reach Australia on 6th February and progress westward through the day to finish up in the USA and Canada. Following the huge success encountered in 2006, this year’s blogathon goes one step further to include the voices of hundreds of youngsters.

    In the framework of a competition launched in October 2006, more than 200 schools in 25 countries across the globe have been working in pairs, using technology to cross geographical borders, to create internet safety awareness material on one of three themes: e-privacy, netiquette, and power of image. On Safer Internet Day, all of the projects they have produced will be uploaded to the blogathon. The 4 prize-winning teams in the competition will be announced on 6 February when the blogathon opens to well over 100 organisations waiting on the starting block to add their postings on this year’s theme, Crossing borders.

    To find out more about young people’s use of the internet and mobile phones, Insafe has been collecting data over the past two months through an online survey. Preliminary results will be made available on Safer Internet Day along with a wealth of other information tailored to the needs of not only media but also parents, teachers and youngsters in an online media room specially set up at www.saferinternet.org to mark the event.

    On Safer Internet Day in the Netherlands, HRH Princess Maxima will be the special guest at an event featuring theatre, music and stories. In Slovenia, young people will showcase art projects and Slovenian national television will broadcast internet safety clips.

    Across the globe, hundreds of other events will highlight the growing importance of internet safety in the lives of us all.
    For further information see the following links:

    Insafe
    National nodes of Insafe
    Safer Internet Day Blogathon
    Safer Internet Programme
    eTwinning (partner in the Safer Internet Day competition for schools)

    2/6/2007 9:43:36 AM (W. Europe Standard Time, UTC+01:00)  #     | 

    In today's interconnected world of networks, threats can now originate anywhere − our collective cybersecurity depends on the security practices of every connected country, business, and citizen. The International Telecommunication Union (ITU), a specialized agency within the United Nations system, would like to draw Safer Internet Day participants' interest to a number of information resources dedicated to cybersecurity and spam.

    The ITU Cybersecurity Gateway is an easy-to-use online information resource on national and international cybersecurity related initiatives worldwide. A vast number of resources and links are available and organizations are invited to join in partnership with the ITU and other stakeholders to build confidence and security in the use of information and communication technologies (ICTs).

    The StopSpamAlliance is a joint initiative to gather information and resources on combating spam. This initiative was undertaken by Asia-Pacific Economic Cooperation (APEC), the EU's Contact Network of Spam Authorities (CNSA), International Telecommunication Union (ITU), the London Action Plan, Organisation for Economic Co-operation and Development (OECD) and the Seoul-Melbourne Anti-Spam group. The StopSpamAlliance.org website contains an overview of each of these organizations' activities in countering spam and related threats.

    The outcome documents from the two phases of the World Summit on the Information Society (WSIS) emphasize that building confidence and security in the use of information and communication technologies (ICTs) is a necessary pillar for building a global information society. ITU has been asked to play the main facilitator role to assist stakeholders in building confidence and security in the use of ICTs. To stress the importance of the multi-stakeholder implementation of this task, ITU has named this the Partnerships for Global Cybersecurity (PGC) initiative.

    In commenting on the Safer Internet initiative, newly elected ITU Secretary-General Hamadoun Toure stressed the need for greater cooperation between regulators, government, security firms, communication service providers, and end users in dealing with the challenges to building a safe and secure information society.

    The International Telecommunication Union wishes you all a very successful Safer Internet Day 2007!

    Enquiries related to ITU activities in the area of cybersecurity can be directed to cybersecurity@itu.int.

     

    About ITU

    The International Telecommunication Union (ITU) is an international organization (specialized agency) within the United Nations System where governments and the private sector coordinate global telecommunication networks and services. Through its standards, development, and policy research activities, ITU has a long-standing track record in security for information and communication systems. There are currently more than seventy ITU recommendations focusing on security.

    2/6/2007 9:24:40 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Friday, February 02, 2007

    According to a recent article in The Register, two young Dutch hackers who built a large botnet were sentenced to prison earlier this week. The main suspect, now 20, was handed a two-year sentence and a €9,000 ($11,800) fine, while his 28-year-old partner was given 18 months and ordered to pay €4,000 ($5,200).

    As stated by the article, the men, part of a larger hacking ring, and one other suspect, were arrested in 2005 for extorting a US company, stealing identities to purchase cameras and games consoles, and distributing spyware. The operation netted an estimated €60,000 over a period of six months.

    Read the full The Register article here.

    2/2/2007 2:52:25 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Monday, January 29, 2007

    The European Parliament held an STOA Workshop on "RFID in the everyday life of Europeans: A citizen's perspective on ambient intelligence" on 24 January 2007. The workshop was organized as part of the project "RFID and identity management: Case Studies from the frontline of the development towards ambient intelligence" commissioned by the Scientific Technology Options Assessment (STOA) Panel of the European Parliament, and carried out by the European Technology Assessment Group.

    ITU's Lara Srivastava delivered a presentation on the topic "Is our environment getting smarter? Are we". Her presentation is available here.

    1/29/2007 9:57:50 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Thursday, December 07, 2006

    The 8th edition of the ITU Internet Reports, entitled "digital.life" was prepared especially for ITU TELECOM World 2006 (December 4-8 2006, Hong Kong). The report examines how innovation in digital technology is radically changing individual and societal lifestyles.

    Chapter four, identity.digital, explores the changing nature of the digital individual and the need for greater emphasis on the creation and management of digital identity. Individuals today spend more and more time using digital means to communicate and transact, be that sending and receiving e-mail, talking on a mobile phone, participating in a social networking site, buying music, booking vacations over the internet, or playing an online game. The complexity of the interaction between technology, personal consumption and the construction of identity in the virtual space is a growing area of research. Users of digital technologies have a wide scope for constructing their virtual identity.

    The mostly nameless and faceless environments of cyberspace create an ideal background for developing alternate identities or digital personae. At the same time, there is an alarming increase in the amount and quality of data generated, collected and stored in the digital world. The sheer amount of this data is alarming, but so too is its nature, which is ever more detailed and personal. The public and private spheres of existence are experiencing a progressive blurring of the boundary separating them. These developments create a new set of concerns relating to human identity, data privacy and protection.

    Information regarding individual identities is becoming an increasingly valuable commodity, and as a consequence, its protection and management are vital to a healthy and inclusive digital world. To learn more about these issues, download identity.digital.

    For more information, please contact lara.srivastava(a)itu.int. All chapters of the digital.life report are available online free of cost.

    12/7/2006 4:23:17 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Saturday, November 18, 2006

    ITU-T Focus Group on Security Baseline for Network Operators has issued a survey which seeks to assess the security preparedness of network operators. The results from the survey will be used in preparation of a new ITU-T Recommendation: "Security Baseline for Network Operators". Participants are asked about their level of preparedness for various security threats.

    Once approved, the ITU-T Recommendation will show the readiness and ability of operators to collaborate and coordinate counteraction against security threats arising from interconnected networks. The Security Baseline will allow network operators to assess their network and information security posture in terms of what security standards are available, which of these standards should be used to meet particular requirements, when they should be used, and how they should be applied. It will also identify security Recommendations and standards to support evaluation of operators’ network security and information security.

    Work on the first draft of the Recommendation will begin towards the end of 2006.
    See the online survey which is aimed at network and service providers.

    A deadline of 24 November 2006 has been set for survey responses.

    11/18/2006 9:07:09 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Friday, November 03, 2006

    Computer World reports on a new kind of spam called "targeted spam" or "spear phishing". This type of spam, currently on the rise, is particularly hard for spam filters to catch because the spammer is able to "spoof" the sending e-mail address to make it look like it's coming from within the organization of the recipient. Unlike with traditional spam, spammers send just a few of these messages at a time, making antispam technology’s job even harder.

    These attacks mainly affect large organizations or very well-known brands. Once the company has been alerted, blocking the attack is pretty easy. But detecting such well-crafted messages is becoming harder as the sophistication level of spam increases.

    For more information, read the full Computer World article.

    11/3/2006 2:04:23 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Wednesday, November 01, 2006

    "In a sweeping set of measures, the German Federal Network Agency has ordered more than 80 network operators and service providers not to bill or collect for any phone numbers used illegally. A large number of consumers had complained to the German Federal Network Agency about so-called ping calls and other forms of telephone spamming."

    "A ping call is where a call is made to a telephone number and broken off after just one ring. The subscriber’s display shows a “missed call” with an expensive premium-rate number or an 0137 number. In addition to these ping calls, another form of telephone spamming promises prizes where the person called hears a prerecorded message saying that they have won a large amount of money that can be collected by calling an expensive premium-rate number."

    "The Federal Network Agency’s stringent measures are a continuation of the intense battle against telephone spam. Since May 2006 alone, the Federal Network Agency has disconnected 237 call numbers on account of ping calls and prize promises. In addition, a ban has been imposed on billing and collecting for 78 call numbers. These bans protect consumers that have called a spam number back, and prevent them from having to pay any charges. The spammer does not receive any payment for the calls initiated."

    See the Federal Network Agency's press release here.

    11/1/2006 7:50:16 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Friday, October 27, 2006

    "Authentication processes can contribute to the protection of privacy by reducing the risk of unauthorized disclosures, but only if they are appropriately designed given the sensitivity of the information and the risks associated with the information. Overly rigorous authentication processes, or requiring individuals to authenticate themselves unnecessarily, can be privacy intrusive."

    The Office of the Privacy Commissioner of Canada recently released new Guidelines for Identification and Authentication. The Guidelines are intended to help organizations develop appropriate identification and authentication processes in ways that respect the fair information practices in the Personal Information Protection and Electronic Documents Act (PIPEDA) and ensure compliance with its security provisions by providing the strongest protection for customers’ personal information. The scope of the document is limited to identification and authentication techniques between organizations and individuals.

    These guidelines, released by the Canadian Privacy Commissioner, are a good document discussing both privacy risks and security threats.

    See also a more detailed document published by Industry Canada in 2004 named "Principles for Electronic Authentication".

    This article was accessed through Schneier's blog: Schneier on Security.

    10/27/2006 5:02:05 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Wednesday, October 25, 2006

    On 16 October 2006, Mauritius officially launched its Anti-Spam Awareness Campaign. On this occasion the Minister of IT and Telecommunications also presented a dedicated Anti-Spam Website with resources aimed at raising awareness and sharing information on spam, malware, etc.

    In Mauritius, the spamming problem is gaining in magnitude and there is a need to have a concerted approach to address this issue. Without remedial action to address the problem of spam in Mauritius, the country runs the risk of being seen as a safe haven for spammers and there is the risk that legitimate email traffic from Mauritius to other countries which have anti-spam legislation could be blocked. In this context, the National Computer Board has set up a National Anti Spam Committee to co-ordinate activities at the national level with regard to combating spam.

    The Anti-Spam Co-ordination Committee consists of representatives from the following national organisations: National Computer Board; IT Security Unit, Ministry of IT and Telecommunications; Ministry of Education and Human Resources; Ministry of Industry, Commerce, Small and Medium Enterprises and Cooperatives; Ministry of Foreign Affairs, International Trade and Cooperation Joint Economic Council; Mauritius Chamber of Commerce and Industry (MCCI); State Law Office; ICT Authority; Mauritius IT Industry Association; Internet Society; University of Mauritius (UOM); University of Technology; Telecom Plus/Mauritius Telecom ACT.

    For further information see the newly launched Anti-Spam Website and Mauritius' Anti-Spam Action Plan.

    10/25/2006 2:12:33 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Monday, October 23, 2006

    The Journal du Net states in a recent article that organized cybercrimes represent a growing risk for internet users. Hackers use new techniques to hide and make their attacks more efficient. Their main goal is not to destroy computers. With the rapid development of e-commerce, hackers want to take over personal data and make as much profit as they can with it.

    To achieve this, they use different forms of worms or trojans sent from servers hosted in countries where the legislation is less strict. To protect their economic interests, businesses need to include employees in their security policies so they do not become the weak link in the security chain.

    See Journal du Net for the full article in French.

    10/23/2006 3:29:08 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Saturday, October 21, 2006

    The first meeting of the Internet Governance Forum (IGF) will be held in Athens, Greece from 30 October - 2 November 2006.

    The current programme is available here.

    A couple of related websites have been unveiled:

    CircleID has a related article asking What Will Be the Outcome of the Internet Governance Forum Meeting in Athens?

    10/21/2006 9:28:51 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Friday, October 20, 2006

    Business Week Online shows in a recent article entitled "Needed: A National Cyber Security Law" that more and more people have their personal information lost, stolen or compromised. Security breaches are eroding their trust in the capability of the Internet to deal with their private personal information. This growing confidence deficit represents a serious threat to the economic growth of each country, according to the article. Therefore, it is time for officials to act by passing strong data-security laws. These national laws must aim to both prevent further data breaches and address leaks once they occur.

    "To accomplish these goals, lawmakers should establish reasonable security measures, create a consistent and recognizable notification standard, encourage best practices such as encryption, and include effective enforcement capabilities".

    See Business Week Online for the full article.

    10/20/2006 1:36:39 PM (W. Europe Daylight Time, UTC+02:00)  #     | 

    Computer World released an article entitled “Ten security trends worth watching”, based on Bruce Schneier’s speech at last month’s Hack in the Box Security Conference in Kuala Lumpur, Malaysia.

    Mr. Schneier identified 10 trends affecting information security today:

    1. Information is more valuable than ever.
    2. Networks are critical infrastructure. "If the Net goes down, or part of the Net goes down, it really affects the economy".
    3. Users do not necessarily control information about themselves. For example, Internet service providers have control over records of the Web sites that users visit and email messages they send and receive.
    4. Hacking is increasingly a criminal profession. More and more, attacks are organized and led by criminals who are driven by a profit motive.
    5. Complexity is your enemy. "As systems get more complex they get less secure". Mr. Schneier mentioned that the Internet is "the most complex machine ever built".
    6. Attacks are faster than patches. New vulnerabilities and exploits are being discovered faster than vendors can patch them.
    7. Worms are more sophisticated than ever. 
    8. The endpoint is the weakest link. "It doesn't matter how good your authentication schemes are if the remote computer isn't trustworthy".
    9. End users are seen as threats.
    10. Regulations will drive security audits.

    See Computer World for the full article.

    10/20/2006 8:41:02 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Thursday, October 19, 2006

    "The existing identity infrastructure of the Internet is no longer sustainable. The level of fraudulent activity online has grown exponentially over the years and is now threatening to cripple e-commerce. Something must be done now before consumer confidence and trust in online activities are so diminished as to lead to its demise." A recently released paper by the Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, tries to address this: 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age. 

    See more information on the 7 Laws in the related news release and brochure.

    10/19/2006 8:39:54 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Tuesday, October 17, 2006

    The European Commission held its final conference on Radio Frequency Identification (RFID) on 16 October 2006 in Brussels, to close the series of consultation initiatives announced by Commissioner Viviane Reding at CeBit in March 2006. The conference (RFID: Heading for the Future) was opened by the Commissioner and featured Commission officials, members of the European Parliament, and relevant stakeholders from industry, government and civil society who have been involved in the ongoing European debate about RFID. ITU's Lara Srivastava spoke at the conference on the topic "RFID: from identification to identity" and her presentation is available here.

    More information about the EU's RFID consultation is available here.

     

     

    10/17/2006 5:06:54 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Thursday, October 12, 2006

    As a result of a British documentary, India is now under pressure to strengthen its laws combating data theft and other electronic crimes in the country. Amendments to India’s IT Act of 2000 have been proposed and should be enacted by the national parliament in its upcoming winter session.

    Read the full Information Week article here.

    See also Department of Information Technology, Ministry of Communication and Information Technologies for more information.

    10/12/2006 9:47:23 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Wednesday, October 11, 2006

    An Open Event on "Security and Identity Management in a Federated World" was held on 2 October 2006, hosted by the Ecole Polytechnique Federale de Lausanne (EPFL) in collaboration with Sun Microsystems. Speakers included Sun Microsystems' John Gage and Liberty Alliance's Hellmuth Broda. ITU's Lara Srivastava participated in the event and spoke on "the problem of identity in networked spaces". Her presentation is available here.

    The subject of digital identity will be examined more closely in the forthcoming 2006 ITU Internet Report entitled "digital.life", to be released at ITU Telecom World 2006, 4-8 December 2006 (Hong Kong, China).

     

    10/11/2006 10:29:16 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Monday, October 09, 2006

    A Wired News article draws attention to the insecurity of some of the new technologies online. “VOIP and Ajax -- are dangerously insecure, and likely to only get worse as they become more prevalent, according to security researchers presenting their findings at the ToorCon security conference.”

    "Voice over internet protocol is going mainstream, available to consumers and increasingly replacing the private phone systems in businesses of all sizes. Like the traditional phone, a VOIP call is broken into two parts, or channels. The first is signaling, which negotiates things like when to start and stop a call, what to do if another call comes in, and what to do if something about the call changes. The second part is media, the bit where we talk. In most VOIP systems neither of these channels is actually encrypted."

    "According to Dustin Trammell, VOIP security researcher at Tipping Point, this leaves most VOIP calls vulnerable. Calls can be hijacked without either party's knowledge anywhere along the route over the net that connects the call, and nearly all VOIP systems can fall victim to signal-channel attacks that can fake caller ID, degrade call quality, end calls suddenly, and crash the end device -- either your VOIP phone or computer. Internet telephony can even fall victim to denial-of-service attacks that flood a phone with fake requests to start a call, rendering it useless."

    Read the full Wired News article on VOIP and AJAX security issues.

    10/9/2006 1:01:54 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Wednesday, October 04, 2006

    The ITU and the EU's Daidalos Project plan a workshop on "Digital Identity for NGN" Dec. 5 in Geneva, officials said Mon. The Daidalos Project and VeriSign are advancing global standardization of digital identity management at the ITU, officials said. Proposals have been floated at ITU on handling the issue, but consensus is still forming. The aim of the workshop is to understand better providers' need to offer digital identity across layers of communication systems, administrative domains and other boundaries, documents said. Key challenges for developing a more consistent approach are to tackle the conflicting requirements of privacy, identification and security, documents said. The NGN-GSI Event will focus on identity management as a key theme during its meeting Oct. 23-Nov. 3, said an official involved in the work. The past year or 2, several research institutes in Japan, S. Korea and Switzerland have been interested in sensor network identifiers, he added. There's supposed to be an identity management piece in the October 23-24 Grid Workshop as well, the official said: "There's a whole burgeoning world of communicating sensor devices, and [they] will need some kind of identity to communicate whatever kind of sensing information they have."

    Source: Warren's Washington Internet Daily

    10/4/2006 9:44:39 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Tuesday, October 03, 2006

    The United States National Cyber Security Alliance (NCSA), a consortium of government agencies and private industry sponsors, aims to educate the public about core security protections this October, during the national cyber security awareness month, with its campaign on 'Cyber Security: Make It A Habit'.

    U.S. National Cyber Security Awareness Month is a national campaign designed to increase the public’s awareness of cyber security and crime issues, so that users can take precautions to avoid these threats on the Internet. The month will feature public relations activities, educational programs, events and initiatives throughout October that target Home Users, Small Businesses, Education audiences (K-12 and higher education), and Child Safety online.

    See the U.S. National Cyber Security Awareness Month 2006 website for further information on this collective effort aimed at protecting the public from internet threats.
    10/3/2006 11:26:36 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Tuesday, September 19, 2006

    In a press release, Gartner, Inc. advises businesses to plan for five increasingly prevalent cyberthreats that have the potential to inflict significant damage on organisations during the next two years. These threats are:

    • Targeted threats (Targeted threats are cyber attacks with a financial motivation that are aimed at one company or one industry);
    • Identity theft (Identity theft refers to the theft of an individual's personal or financial information for the purpose of stealing money or committing other types of crimes);
    • Spyware (Spyware is malicious software that can probe systems, reporting user behaviour to an advertiser or other party without the user’s knowledge);
    • Social engineering (Social engineering is the practice of obtaining confidential information by manipulating legitimate users);
    • Viruses (Viruses are malicious programmes that use a propagation method to enable widespread distribution.)

    According to Amrit Williams, research director at Gartner, "We are seeing an increasingly hostile environment fuelled by financially motivated and targeted cyber attacks. By 2008 we expect that 40 percent of organisations will be targeted by financially motivated cybercrime."

    "Cyber attacks are not new, but what is changing is the motivation behind them. They are no longer just executed by hackers for hobby or cybervandalism, but by professionals with a targeted aim at one person, one company or one industry," said Williams.

    "For example, we have recently seen several companies hiring private investigators to spy on their competitors. Private investigators used Trojans to install targeted spyware on competitors’ computers to gather confidential information about such things as upcoming bids and customers."

    Gartner said that social engineering and viruses will remain an everyday nuisance for chief information security officers through 2009. It warned that in the next two years, at least 50 percent of organisations will experience a social engineering or a virus attack.

    Access the full report and Gartner news release here.

    9/19/2006 3:06:32 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Friday, August 18, 2006

    The Vietnamese Ministry of Trade is drafting a circular governing advertising activities by electronic means, including emails, pop-ups and mobile phone messages.

    "Local Internet users have been bombarded with spam mails but most of them are from overseas. Now such a circular is necessary as local spamming activities are on the rise.

    The circular has basic requirements for users to fight spams such as opt-out options, genuine sender addresses, sender telephone numbers and obvious headings. But it seems that the draft circular is too lenient towards spammers when it provides them five working days before they have to stop their spams in case recipients choose to opt out. It also allows for the collection of personal data including email addresses and telephone numbers. Even though the circular requires collecting parties to ask for permission first and to keep those data confidential, this provision can be abused and can cause disputes later on.

    This is all the more possible because the circular provides two scenarios: A complete ban of sales of email addresses and telephone numbers to advertisers; or allowing such an activity. Unsolicited short mobile messages are now possible because some carriers are selling subscribers’ numbers to various advertising companies. Users are especially frustrated when senders use some automatic message generation device so that they might receive an advertising message in the middle of the night.

    The fines provided in the draft circular are from VND5 million to VND20 million, which many say are not heavy enough to prevent harmful violations of personal information."

    [via APCAUCE and Viet Nam News]

    8/18/2006 11:03:50 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Thursday, August 17, 2006

    The International Herald Tribune has an article about the growing problem of "cyberviolence" in South Korea, which has one of the world's most developed Internet communities:

    'Complaints filed with the government's Korea Internet Safety Commission more than doubled to 42,643 last year from 18,031 in 2003. Women have reported sexual harassment. A 16-year-old schoolgirl accused of informing on an abusive teacher ran away after her photos and insults were splashed on her school Web site. A singer struggled with rumors that she was a man. Twist Kim, a singer and comedian, had a nervous breakdown after pornographic Web sites proliferated under his name, as if he had created them, causing television stations to spurn him.

    In most countries, Internet users oppose government attempts to censor the Internet. In South Korea, however, in both government-funded and private surveys, a majority of people support official intervention to check unbridled freedom of speech on the Internet.

    A poll taken in November showed that nearly one of 10 South Koreans from 13 to 65 said they had experienced cyberviolence.

    The problem in South Korea may presage what will happen in other countries, according to the authorities, who have begun cracking down on the problem.

    "In the past few years, the Internet has grown in South Korea explosively," said Kim Sung Ho, secretary general at Kinternet, a lobby of domestic portals. "The Internet community has developed faster and stronger in South Korea than elsewhere. So we are struggling with its side effects earlier than other nations."

    Since last year, dozens of people have been indicted on charges of criminal contempt or slander for writing or spreading malicious online insults about victims like Kim Myong Jae. They face fines of as much as 2 million won, or $2,067.

    This month, the National Assembly will debate a bill that would require the nation's 30 major Internet portals and newspaper Web sites to confirm the identities of visitors before allowing them to use bulletin boards, the main channel of cyberviolence.

    "The idea is to make people feel more responsible for what they are posting on the Net," said Oh Sang Kyoon, a director at the Ministry of Information and Communications. "Victims cannot live a normal life. They quit jobs and run away from society. They even flee the country. It's like lynching victims in a 'people's court on the Web.'"

    Some critics question whether such a law would solve the problem. Cyberviolence, they say, has been increasing even though most of the country's major Web sites are already applying the policy.

    "This is violating privacy in the name of protecting it," said Oh Byoung Il, director general at jinbo.net, a civic group. "It discourages anonymous whistle-blowers. It impedes the free flow of communication, the soul of the Internet."

    Official interference will also discriminate in favor of foreign portals like Google, said Kim of Kinternet. For instance, when users search for "sex" in a South Korean portal, they must first prove they are adults by supplying personal data - a requirement that does not apply to the Korean-language Google, which operates with an overseas server.

    But Kim Myong Jae condemned the portals as willing accomplices in online mob attacks. While painfully slow to respond to victims' complaints, Kim said, the portals - the largest of which, naver.com, attracts 15 million users a day - highlight real-time lists of the most-clicked-on news, thus helping spread sensational, and often libelous, items.

    Kim said he had filed suit against the nation's top four portals: Naver, Daum, Yahoo! Korea and Nate.

    And portals say they are now screening their contents more vigorously. "Rather than being an arena for sound debate, the Web bulletin boards have to some extent become a place for verbal defecation," said Choi Soo Yeon, a naver.com spokeswoman. "We have 300 monitors who work round the clock to delete abusive and defamatory language." But ultimately, the portals say, the users who post on the Web should be responsible for content.

    South Korea saw an explosion of Internet users as the country emerged from decades of military rule, and citizens jumped on the new technology as a way of expressing long-suppressed views. About 33 million South Koreans - out of a population of 48 million - use the Internet, most of them with broadband connections. And many of them are not shy about their feelings.

    News articles on portals or newspaper Web sites often are accompanied by feedback sections, where readers comment. Some news articles attract thousands of entries, ranging from thoughtful comments to raving obscenities. When suspicions first emerged last year that the cloning expert Hwang Woo Suk had faked his groundbreaking work, few dared to speak in public against the man lionized as a hero. Scientists, who unveiled evidence of fabrication through anonymous postings, brought about Hwang's downfall.

    One of the most famous victims of online mob rule was the so-called "dog-poop girl." A cellphone photograph of a girl who failed to clean up after her dog in a subway car was posted on the Internet. For weeks, people pursued her relentlessly; the girl reportedly dropped out of school as a result.

    To Kim Myong Jae, it was familiar. "Two months after I became the target, I visited a plaza near my old company. I dressed differently. Still a person reported my appearance on the Web, how I looked and how that person felt sick to see me," Kim said. "It's a handicap I may have to carry for a long time."'

    8/17/2006 8:07:11 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Friday, August 11, 2006

    "As cell phones and PDAs become more technologically advanced, attackers are finding new ways to target victims. By using text messaging or email, an attacker could lure you to a malicious site or convince you to install malicious code on your portable device."

    The U.S. CERT (Computer Emergency Readiness Team) recently published a list of tips for users on how they can protect themselves against these increasing threats.

    What unique risks do cell phones and PDAs present?

    Most current cell phones have the ability to send and receive text messages. Some cell phones and PDAs also offer the ability to connect to the internet. Although these are features that you might find useful and convenient, attackers may try to take advantage of them. As a result, an attacker may be able to accomplish the following:

    • Abuse your service;
    • Lure you to a malicious web site;
    • Use your cell phone or PDA in an attack;
    • Gain access to account information.

    What can you do to protect yourself?

    • Follow general guidelines for protecting portable devices;
    • Be careful about posting your cell phone number and email address;
    • Do not follow links sent in email or text messages;
    • Be wary of downloadable software;
    • Evaluate your security settings.

    Read the full article on the U.S. CERT website.

    8/11/2006 12:05:36 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Thursday, August 03, 2006

    The top three antivirus programs -- from Symantec, McAfee, and Trend Micro -- are less likely to detect new viruses and worms than less popular programs, because virus writers specifically test their work against those programs:

    "On Wednesday, the general manager of Australia's Computer Emergency Response Team (AusCERT), Graham Ingram, described how the threat landscape has changed -- along with the skill of malware authors.

    "We are getting code of a quality that is probably worthy of software engineers. Not application developers but software engineers," said Ingram.

    However, the actual reason why the top selling antivirus applications don't work is because malware authors are specifically testing their Trojans and viruses to make sure they can bypass these applications before releasing them in the wild.

    It's interesting to watch the landscape change, as malware becomes less the province of hackers and more the province of criminals. This is one move in a continuous arms race between attacker and defender."

    [via Schneier on Security]

    In separate reporting on the Black Hat USA conference, experts say that the spyware problem has "gotten so bad that it is unlikely it can ever be solved on a technical level. Instead, the solution will have to come from regulators and law enforcement agencies".

    "It's not technically feasible to stop spyware. You will not be able to stop this technically." "This problem lives at the legal-technical boundary. We can't go around arresting people," said Dan Kaminsky, senior security researcher and founder of Seattle-based Doxpara Research, speaking on a spyware panel at the recent Black Hat USA 2006 event. "We need to create standards that clearly delineate legitimate code from illegitimate code where you throw people in jail."

    8/3/2006 11:28:10 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Wednesday, July 26, 2006

    "To protect Internet users from online fraudsters and defend the Internet against scammers commandeering network resources, the two most influential global trade associations combating Internet crime have jointly released an explicit new set of Best Practices to combat “phishing,” a major cause of online identity theft and fraud. The recommendations will help Internet Service Providers (ISPs) and mailbox providers better police their own infrastructures and filter traffic traversing their networks."

    The Anti-Phishing Working Group (APWG) and the Messaging Anti-Abuse Group (MAAWG) jointly developed the recommendations outlined in "Anti-Phishing Best Practices for ISPs and Mailbox Providers." The paper provides technical and business practices to help ISPs and mailbox providers thwart phishing attacks and other malevolent network abuses and also includes practices to respond constructively when these attacks occur. “Phishing” employs deceptive technology such as spoofing and social engineering to steal consumers' personal identity and financial account data, and has become a major concern.

    To download the full recommendations, click here.

    7/26/2006 4:18:22 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Tuesday, July 18, 2006

    The Secretary-General of the United Nations has announced the convening of the Internet Governance Forum, to be held in Athens on 30 October - 2 November 2006.

    The Secretary-General's message is available in all UN languages: [English] [Français] [中文] [عربي] [Русский] [Español]. The message in English reads:

    "The second phase of the World Summit on the Information Society (WSIS), held in Tunis on 13-15 November 2005, invited me to convene a new forum for multi-stakeholder policy dialogue -- called the Internet Governance Forum (IGF). The Summit asked me to convene the Forum by the second quarter of 2006 and to implement this mandate in an open and inclusive process.

    The Government of Greece made the generous offer to host the first meeting of the IGF and proposed that it take place in Athens on 30 October - 2 November 2006.

    I have asked my Special Adviser for Internet Governance, Mr. Nitin Desai, to assist me in the task of convening the IGF and I have also set up a small secretariat in Geneva to support this process. Two rounds of consultations open to all stakeholders held in Geneva on 16-17 February and 19 May have contributed towards a common understanding with regard to the format and content of the first IGF meeting. I have also appointed an Advisory Group with the task of assisting me in preparing the IGF meeting.

    The Advisory Group held a meeting in Geneva on 22 and 23 May 2006 and made recommendations for the agenda and the programme, as well as the structure and format of the first meeting of the IGF in Athens.

    As the IGF is about the Internet, it is appropriate to make use of electronic means of communication to convene its inaugural meeting. The document adopted by WSIS -- the Tunis Agenda for the Information Society -- calls on me "to extend invitations to all stakeholders and relevant parties to participate at the inaugural meeting of the IGF". Therefore, it is my pleasure to make use of the World Wide Web to invite all stakeholders -- governments, the private sector and civil society, including the academic and technical communities, to attend the first meeting of the IGF in Athens. The overall theme of the meeting will be "Internet Governance for Development". The agenda will be structured along the following broad themes.

    • Openness - Freedom of expression, free flow of information, ideas and knowledge
    • Security - Creating trust and confidence through collaboration
    • Diversity - Promoting multilingualism and local content
    • Access - Internet Connectivity: Policy and Cost

    Capacity-building will be a cross-cutting priority.

    The meeting will be open for all WSIS accredited entities. Other institutions and persons with proven expertise and experience in matters related to Internet governance may also apply to attend.

    In its short life, the Internet has become an agent of dramatic, even revolutionary change and maybe one of today's greatest instruments of progress. It is a marvelous tool to promote and defend freedom and to give access to information and knowledge. WSIS saw the beginning of a dialogue between two different cultures: the non-governmental Internet community, with its traditions of informal, bottom-up decision-making; and the more formal, structured world of governments and intergovernmental organizations. It is my hope that the IGF will deepen this dialogue and contribute to a better understanding of how we can make full use of the potential the Internet has to offer for all people in the world.

    (Signed) Kofi A. Annan" 

    [via the Internet Governance Forum]

    7/18/2006 11:46:29 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Tuesday, July 11, 2006

    In a new scam, called vishing, identity thieves use bogus phone numbers instead of Web sites, reports PC World in a recent article featuring phishing scams on VoIP phones.

    "Related to phishing scams, the new scheme uses cheaply obtained VoIP numbers as bogus credit card or financial services telephone numbers", the article continues.  "With Internet users being warned about clicking on hyperlinks in unsolicited e-mail, the new scam includes a phone number instead". "It's a natural elevation of the art to move it to the telephone. People are getting nervous about clicking on links", the article states.

    The article gives examples of how these new scams take place: "In one vishing case, scammers targeted PayPal users by including a telephone number in a spam e-mail. In the other case, the criminals configured an automatic telephone dialer to dial phone numbers, and when the phone was answered, played an automated recording saying their credit card has had fraudulent activity. The recording asked the telephone customer to call a number with a spoofed caller ID related to the credit card issuer. Once users call, they are asked for personal account information."

    VoIP numbers are easy to obtain anonymously, but an industry expert interviewed for the story did not fault VoIP providers for vishing scams. "A larger problem is the ease of obtaining credit online or over the telephone. Consumers are comfortable with obtaining credit online or by dialing automated telephone services to get credit, but if credit-granting businesses required physical contact, phishing and vishing scams would be almost eliminated. In today's environment, it's absurd," the industry expert stated.

    Read the full article on the PC World news website.

     

    7/11/2006 7:48:07 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Tuesday, June 27, 2006

    The ITU held an international workshop under its New Initiatives Programme on the topic "The Regulatory Environment for Future Mobile Multimedia Services" in Mainz (Germany) from 21-23 June 2006. The final report [PDF]  of the chairman has now been published.

    Workshop presentations can be found here. Background documents, including country case studies and thematic papers are also available on the workshop homepage.

     

    6/27/2006 11:08:24 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Wednesday, June 21, 2006

    The United Kingdom's Ofcom is currently working on a publication examining various national and international approaches to protecting consumers on the internet.

    Coinciding with this publication, the regulator will hold a seminar that will allow stakeholders to examine the results of Ofcom's survey, hear the views of Internet industry stakeholders and discuss what can be done in the future to better protect consumers on the Internet. Ofcom organising such an event is a measure of the challenge posed to both regulator and consumer by the growth of net services and the collision of the highly regulated world of broadcasting with the virtually unregulated world of the internet.

    This news item was accessed through Roger Darlington's CommsWatch blog.

    6/21/2006 9:43:26 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Thursday, June 15, 2006

    According to a recently released article by CircleID, the United Kingdom is today one of the main targets worldwide of organized crime groups engaged in phishing. CircleID estimates that phishing damages worldwide will amount to about two billion USD in 2006 -- not counting risk management measures such as preventative measures, counter-measures, incident response and PR damages.

    In most cases, phishing succeeds because of user error: users enter the wrong web page, fail to keep their computers secure or fall for cheap scams. Often this is due to a lack of awareness or ability in the realm of Internet use rather than incompetence by the users.

    For more information, see the CircleID article on Phishing: Competing on Security.

    6/15/2006 9:53:12 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Wednesday, June 07, 2006

    The ITU has just published an Issues Paper on the Regulatory Environment for Future Mobile Multimedia Services, available for download here (.pdf format).

    The paper was prepared by Lara Srivastava, of the Strategy and Policy Unit (ITU), and Ingrid Silver & Rod Kirwan of the law practice of Denton Wilde Sapte.

    Together with case studies (on Germany, China, Hong Kong SAR) and a thematic paper on spectrum flexibility, these background papers will form part of the input material for an international ITU New Initiatives Workshop on The Regulatory Environment for Future Mobile Multimedia Services, to be held in Mainz (Germany) from 21-23 June 2006, and jointly hosted by Germany's Federal Network Agency.

    The Advance Programme for the workshop is now on-line, and will be regularly updated.

    More information about the ITU New Initiatives Programme can be found here.
    More information about the international workshop on the topic can be found here.  

     

    6/7/2006 12:03:59 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Tuesday, June 06, 2006

    The 5th Annual Mobility Roundtable was held in Helsinki from 1-2 June 2006, hosted by the Helsinki School of Economics. Since 2002, mobility roundtables have been held in Tokyo (Japan), Stockholm (Sweden), Austin (United States), and Hong Kong, China. The main objectives of the roundtables are:

    1. to build and support a sustainable international network of research and industry best practices for the mobile communication and computing business, market and industry;
    2. to exchange research and knowledge about best practices for different mobile modes of business; and
    3. to facilitate communication and collaboration among global researchers, practitioners and policy makers.

    The 2006 programme, and all final papers can be found here. There were four keynote speakers at the event: Jarkko Sairanen (Vice President and Head of Corporate Strategy, Nokia), Dr. Elizabeth Keating (University of Texas at Austin), Ari Tolonen (CEO, InfoBuild), and Lara Srivastava (ITU).   Lara Srivastava is a member of the international advisory committee for the mobility roundtables. Her keynote address was entitled "Mobiles for a Smaller World" and is available here.

    The 6th roundtable will be held in Los Angeles (California) in June 2007, hosted by the University of Southern California.

    6/6/2006 11:35:48 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Friday, June 02, 2006

    Do not panic if your data is hidden by virus writers demanding a ransom. A woman from Greater Manchester has become a victim of an internet scam in which hackers hijack computer files and blackmail owners to get them back.

    More information can be found here.

    6/2/2006 12:09:54 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Sunday, May 28, 2006

    The German government is preparing a law that would allow the use of mobile phone jammers during major events and in prisons. The blocking of mobile phone use by criminals is seen as an important measure in the war against crime and terrorism.

    By transmitting on the same radio frequencies as the mobile phone, a phone jammer can effortlessly stifle annoying chatter in movie theatres, at funerals or in hospitals. However, in many countries, including Germany, the technology is officially illegal. Phone jammers not only disrupt licensed services operated by the mobile carriers, but might also disrupt other services operating in adjacent bands.

    Read the full article from The Register here.

    5/28/2006 9:15:29 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Monday, May 22, 2006

    Take Back the Net is an initiative of The Institute for Spam and Internet Public Policy (ISIPP). ISIPP is committed to helping to rid the Internet of spam and other illegal activities, and to helping people to secure their computers. Thanks to Suresh Ramasubramanian for the pointer.

    5/22/2006 12:13:41 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Thursday, May 18, 2006

    Bruce Schneier's Schneier on Security points to an article explaining the steps that someone has taken to deal with identity theft.

    5/18/2006 11:01:54 PM (W. Europe Daylight Time, UTC+02:00)  #     | 

    In a press release today, ITU announced a global opinion survey to assess trust of online transactions and awareness of cybersecurity measures. The survey was conducted by ITU in conjunction with World Telecommunication Day, celebrated on 17 May to commemorate the founding of ITU in 1865. The theme chosen this year — Promoting Global Cybersecurity — aims to highlight the serious challenges of ensuring the safety and security of networked information and communication systems.

    The announcement of the results of the survey coincides with the launch of an ITU Cybersecurity Gateway portal. The portal is a global online reference source of national cybersecurity initiatives and websites around the world and provides an integrated platform for sharing cybersecurity related information and resources. Presenting information tailored to four specific audiences: citizens, businesses, governments, and international organizations, the portal also provides information resources on topical cybersecurity concerns such as spam, spyware, phishing, scams and frauds, worms and viruses, denial of service attacks, etc.

    With thousands of links to relevant materials, ITU intends to constantly update the portal with information on cybersecurity initiatives and resources gathered from contributors around the globe. For example, a number of countries are now ramping up national critical information infrastructure protection (CIIP) programmes and sharing information on these initiatives through the portal can assist both developed and developing economies in promoting global cybersecurity.

    These efforts highlight work being carried out as follow-up to the World Summit on the Information Society (WSIS) Action line C5 dealing with "Building confidence and security in the use of ICT", for which ITU is the facilitator/moderator.

    Update: UN Secretary-General Kofi Annan has made the following statement in conjunction with World Telecommunication Day giving his perspectives on promoting global cybersecurity.

    5/18/2006 10:52:04 PM (W. Europe Daylight Time, UTC+02:00)  #     | 

    The Filipino telecoms watchdog, the National Telecommunications Commission (NTC), says it will revoke the mobile licence of any operator found guilty of breaking its guidelines on unsolicited broadcast messaging via SMS. The amended rules and regulations also require content providers – alleged to have sent out spam promos to subscribers – to register with the NTC.

    This will serve as the basis of an application with the Department of Trade and Industry that grants permits to allow companies to advertise promos. Mobile phone operators and content providers risk being blacklisted if found guilty of violating the agency’s rules.

    More information can be found here.

    The Draft Amendment to the Rules and Regulations on Broadcast Messaging Service is available here.

    5/18/2006 10:20:12 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Wednesday, May 17, 2006

    The European Commission has launched a public consultation on RFID, with a view to developing a coherent RFID Policy for Europe. In order to prepare for the consultation, the Commission is organizing a series of five workshops between March and June 2006, in which experts and stakeholders from all over Europe and the world come together to debate the key issues.

    ITU's Lara Srivastava spoke at the first workshop (6-7 March 2006), and also at the third workshop in the series held 16-17 May 2006 on "RFID Security, Data Protection & Privacy, Health and Safety Issues" (see the presentation here). The Policy Framework Paper written by the Commission in advance of the meeting highlighted the vision of the ITU's 2006 Internet Report on "The Internet of Things" released in November 2005.

    Two more workshops are planned in early June, after which the Commission will open up the debate for a wider on-line public consultation, resulting in a Communication on RFID to be issued later this year.

    For more information, including webcasts, see the European Commission RFID Consultation Website.

     

    5/17/2006 5:53:53 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Thursday, May 11, 2006

    The Security Assertion Markup Language (SAML) and Extensible Access Control Markup Language (XACML) authored by OASIS (Organization for the Advancement of Structured Information Standards) have been consented as internationally recognised ITU-T Recommendations. The announcement is the first result of the formal relationship between the standardization sector of ITU and OASIS.

    The standards (ITU-T Recommendations X.1141 (SAML) and X.1142 (XACML)) address the concern of how to allow safe single sign-on, a system that enables a user to authenticate once and gain access to the resources of multiple software systems. While solutions existed in this space, all were proprietary, and therefore not addressing the problem on a global level.

    SAML and XACML are designed to control access to devices and applications on a network. The need for standards in this area has become more of an issue as business networks increasingly use the public Internet.

    SAML addresses authentication and provides a mechanism for transferring authentication and authorization decisions between cooperating entities; XACML leverages this information to determine access to resources by focusing on the mechanism for arriving at those authorization decisions.

    An additional feature of SAML is that it allows organizations to communicate information without any change to their own internal security architectures.

    [via ITU-T Newslog]
    5/11/2006 12:07:57 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Friday, May 05, 2006

    Singapore’s mobile users – 99.8% of Singapore’s population, according to the Infocomm Development Authority’s (IDA) February 2006 stats – will have more protection against mobile spam in the future. IDA has put its foot down on this issue, warning of “swift enforcement” of penalties should mobile operators continue to fail to resolve mobile spam issues satisfactorily.

    A strong warning letter was sent to SingTel, StarHub and M1, the three mobile operators in Singapore. In addition, IDA decided to make an example of errant content operator mTouche in the highly publicized mTouche spam case. Between 30th January and 5th February this year, 300,000 mobile end users were billed S$1 for unsolicited SMSes sent by mTouche through the three telcos.

    More information can be found here.

    5/5/2006 12:26:40 PM (W. Europe Daylight Time, UTC+02:00)  #     | 

    China has introduced regulations that make it illegal to run an email server without a licence. The new rules, which came into force two weeks ago, mean that most companies running their own email servers in China are now breaking the law. The new email licensing clause is just a small part of a new anti-spam law formulated by China's Ministry of Information Industry (MII).

    The impact on corporate email servers, which are commonly used by companies with more than a handful of employees, appears to have gone unnoticed until now. However, Singapore-based technology consultant, James Seng, who first drew attention to the new email licence requirement, believes the inclusion of the prohibition on mail servers is no accident.

    More information can be found here.

    5/5/2006 12:21:35 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Thursday, May 04, 2006

    The "Survey on Industry Measures taken to comply with National Measures implementing Provisions of the Regulatory Framework for Electronic Communications relating to the Security of Services" conducted by the Technical Department of ENISA, Section Security Policies is available here.

    5/4/2006 2:33:00 PM (W. Europe Daylight Time, UTC+02:00)  #     | 

    The US Federal Communications Commission today adopted a Second Report and Order and Memorandum Opinion and Order (Order) that addresses several issues regarding implementation of the Communications Assistance for Law Enforcement Act (CALEA), enacted in 1994. Among other things, the Order affirms that the CALEA compliance deadline for facilities-based broadband Internet access and interconnected VoIP services will be May 14, 2007, as established by the First Report and Order in this proceeding. The Order concludes that this deadline gives providers of these services sufficient time to develop compliance solutions, and notes that standards developments for these services are already well underway. Further details and background are available in the FCC news release and statement by individual FCC commissioners:

    5/4/2006 1:05:23 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Monday, May 01, 2006

    A new wave of spam could be on the way that tricks recipients by looking like it’s a message sent from their friends' e-mail address. This sort of spam would bypass even those filters that currently weed out 99% of the bad stuff, says John Aycock, an assistant professor of computer science at the University of Calgary.

    Aycock and student Nathan Friess conducted research and wrote a paper dubbed "Spam Zombies from Outer Space" to show that generating such customized spam -- such as in the form of e-mail replies -- would not be as difficult as has been assumed in the past. Spammers have leaned toward bulk e-mail generation that is less customized.

    More information can be found here.

    5/1/2006 11:08:54 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Friday, April 28, 2006

    In a press release, the European Commission has indicated its views on follow-up to the international policy commitments made at WSIS:

    To keep up the momentum of the successful World Summit on Information Society (Tunis, 16-18 November 2005), the European Commission has set out today its priorities for implementing the international policy commitments made at the Summit. These priorities include safeguarding and strengthening human rights, in particular the freedom to receive and access information. Information and communication technologies (ICTs) should be used to contribute to open democratic societies and to economic and social progress worldwide. The Commission calls for continuing international talks to improve Internet governance through the two new processes created by the Summit: the multi-stakeholder Internet Governance Forum and the mechanism of enhanced cooperation that will involve all governments on an equal footing.

    The EC has also issued a FAQ on Internet Governance.

    4/28/2006 12:01:35 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Monday, April 24, 2006

    Looking back, 2005 saw a rise in profit-driven attacks. These were reflected by phishing, which now represents as much as one percent of the global e-mail traffic and is far more effective than spamming.

    Viruses, worms, and malicious software are becoming part and parcel of information and communications technology. According to Trend Micro's report, called Virus and Spam Roundup 2005 and Predictions for 2006, this year will see more spy phishing and spear phishing on the Internet.

    More information can be found here.

    4/24/2006 6:08:02 PM (W. Europe Daylight Time, UTC+02:00)  #     | 

    Though the United States is making progress in the war on unsolicited commercial e-mail, or spam, it still generates more than any other nation in the world, according to recent statistics from Sophos, a provider of anti-malware solutions.

    Sophos ranked spam outputs of the top 12 countries and top six continents based on messages it received in its “global network of spam traps” between January and March, according to the group’s release.

    More information can be found here.

    4/24/2006 6:01:51 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Thursday, April 20, 2006

    The Federal Trade Commission (FTC) joined 29 other countries in calling for increased cooperation between nations in combating spam. The FTC signed off on a set of anti-spam recommendations by the Organization for Economic Cooperation and Development (OECD), a coalition of 30 countries organized to promote economic growth and trade.

    More information about OECD activities on countering spam can be found here.

    Please click here to read the article.

    4/20/2006 5:50:12 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Tuesday, April 18, 2006

    The ITU has released the Results of its 2006-2007 Questionnaire on Future Topics  for workshops under the ITU New Initiatives Programme.

    The top three winners are as follows:

    1. Pushing the Boundaries - Wireless Networking

    2. The Future of Voice

    3. Privacy and Data Protection in Telecommunications

    More information about the ITU New Initiatives Programme can be found here.

    4/18/2006 4:03:56 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Friday, March 31, 2006

    The Federal Trade Commission and members of the International Consumer Protection and Enforcement Network (ICPEN) are meeting in Jeju, Korea, on March 26-28, to discuss the progress of international efforts to combat cross-border fraud and explore new international initiatives to protect consumers around the world.

    The FTC’s participation in ICPEN is one part of the agency’s ongoing effort to combat a rising number of cross-border fraud complaints from American consumers. ICPEN members discussed the results of a recent Internet surf for Web sites that are “hidden traps online.”

    Over 30 countries participated in the international surf. In the United States, the focus was on Web sites with fraudulent claims advertising “miracle cures” for diabetes, with the FTC, FDA, and several state Attorneys General offices participating.

    The FTC and its partners reviewed over 1,000 Web sites and identified over 150 with potentially misleading diabetes claims. The FTC will follow up, sending warning letters to Web sites that appear to have deceptive or false claims.

    More information can be found here.

    3/31/2006 12:29:01 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Tuesday, March 28, 2006

    World Telecommunication Day (WTD) commemorates the founding of ITU on 17 May 1865. This year, WTD could carry added significance as 17 May has been identified by the Tunis phase of the World Summit on the Information Society as “World Information Society Day”.

    While World Information Society Day is yet to be proclaimed, ITU, as the leading ICT agency of the UN system, upholds the idea and looks to its members to raise awareness of the role of ICT in achieving the development goals of all people.

    For WTD 2006, the ITU Council chose the theme of Promoting Global Cybersecurity to highlight the serious challenges we face in ensuring the safety and security of networked information and communication systems.

    In today’s interconnected and increasingly networked world, societies are vulnerable to a wide variety of threats, including deliberate attacks on critical information infrastructures with debilitating effects on our economies and on our societies. In order to safeguard our systems and infrastructure and in order to instill confidence in online trade, commerce, banking, telemedicine, e-government and a host of other applications, we need to strengthen the security practices of each and every networked country, business, and citizen, and develop a global culture of cybersecurity.

    The urgency of promoting cybersecurity has been called for by the ITU Plenipotentiary Conference in 2002, the World Telecommunication Standardization Assembly (WTSA-2004) as well as the United Nations General Assembly (resolutions 58/199, 2004, and 57/239, 2002).

    Invitations to organize national programmes in the context of promoting the theme Promoting Global Cybersecurity for WTD 2006 were sent to all ITU Member States and ITU Sector Members. Sector Members represent over 647 public and private companies and organizations with an interest in telecommunications. Also in conjunction with WTD 2006, the ITU is conducting a survey of cybersecurity trust and awareness. A list of links to the related materials includes:

     

    3/28/2006 2:43:52 PM (W. Europe Daylight Time, UTC+02:00)  #     | 

    Internet service providers could face huge fines if they do not provide spam filtering or impose email sending limits under new rules set down by a communications watchdog. The Australian Communications and Media Authority (ACMA) today registered the world's first legislative code of practice for internet and email service providers.

    More information can be found here.

    3/28/2006 2:16:50 PM (W. Europe Daylight Time, UTC+02:00)  #     | 

    At a technology forum in Brussels hosted by EuroISPA - the European Internet Services Providers Association, and co-sponsored by Interpol, Neil Holloway, president, Microsoft (Europe, Middle East and Africa), inaugurated a global law enforcement campaign targeted at cybercriminals responsible for phishing attacks.

    This is part of Microsoft's larger program, dubbed the Global Phishing Enforcement Initiative (GPEI), which aims to coordinate and expand the company's anti-phishing efforts globally.

    More information can be found here.

    3/28/2006 9:45:25 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Monday, March 27, 2006

    On 23-24 March 2006 at ITU headquarters, the ITU Strategy and Policy Unit hosted a high-level experts workshop entitled What Rules for IP-enabled NGNs? focused on the policy and regulatory challenges related to the deployment of IP-enabled NGNs. The following materials are now available:

    3/27/2006 12:18:15 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
     Wednesday, March 22, 2006

    A public talk was given on 22 March 2006 at Michigan State University's Quello Center for Telecommunication Management and Law on "The Changing Face of Cyberspace" (Lara Srivastava, ITU). 

    3/22/2006 4:10:38 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Thursday, March 16, 2006

    Communications points to an interesting presentation on reverse engineering Skype given by Philippe BIONDI & Fabrice DESCLAUX at the Blackhat Europe conference in Amsterdam, March 2nd & 3rd. Warning: 115 highly technical slides including this conclusion:

    3/16/2006 12:04:50 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Tuesday, March 14, 2006

    The OECD hosted a workshop entitled The Future of the Internet in Paris on 8 March 2006. Presentations given at the event will serve as "food for thought" for future OECD work.


    The Economist has a related article entitled Reinventing the Internet.

    3/14/2006 10:09:00 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Thursday, March 09, 2006

    Including data from some of the world's largest Internet Service Providers, MAAWG (Messaging Anti-Abuse Working Group) has developed its first metrics report outlining the scope of the problem and validating that approximately 85 percent of Internet traffic today is abusive email.

    The report, "MAAWG Email Metrics Program: The Network Operators' Perspective," provides data for the fourth quarter of 2005 and will continue to be updated on a quarterly basis as an objective tool for tracking the industry's efforts at controlling abusive email.

    For more information, please click here.

    3/9/2006 9:45:08 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Wednesday, March 08, 2006

    Efforts by governments to counter internet spam by tracking down and prosecuting spammers have had limited impact and require far more resources than most countries can muster, the United Nations telecoms agency (ITU) warned on Tuesday.

    It says in a report that while all countries need anti-spam legislation so that spammers have nowhere to hide, a more effective approach would be to require the establishment of enforceable codes of conduct by internet service providers (ISPs).

    For more information about the article, please click here.

    For more information about the report "Stemming the International Tide of Spam", please click here.

    3/8/2006 3:20:18 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Saturday, March 04, 2006

    According to a press release from the UN, the UN Secretary-General has decided to establish a small Secretariat in Geneva to assist in the convening of the Internet Governance Forum (IGF).  The Secretary-General was asked by the World Summit on the Information Society, held in Tunis in November, to convene such a Forum for multi-stakeholder policy dialogue.

    Nitin Desai, the Secretary-General’s Special Adviser for the Summit, held open consultations on 16 and 17 February in Geneva aimed at reaching a common understanding on how the Forum should function.  Those discussions produced a consensus that the IGF should have a strong development orientation.  It was also felt that the Forum should be open and inclusive, and allow for the participation of all interested stakeholders with proven expertise and experience in Internet-related matters.

    The Secretariat will be headed by Markus Kummer, who has been the Executive Coordinator of the Secretariat of the Working Group on Internet Governance, which was established by the Secretary-General at the request of the first phase of the Summit, in Geneva in 2003.  The first meeting of the Forum is expected to take place later this year in Athens, Greece from October 30 - November 2 2006.

    On a separate issue, the Secretary-General has also decided to ask Mr. Desai to consult informally on how to start a process aimed at enhancing cooperation on international public policy issues related to the Internet.  The Summit had requested the Secretary-General to start such a process in paragraphs 69-71 of the WSIS Tunis Agenda for the Information Society.

    3/4/2006 9:14:49 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Tuesday, February 28, 2006

    In Japan, the ima doko (where are you now) service allows parents to track the location of their children through a mobile handset or a P-doco?mini device. One can pull up location data using the internet or even with a 3G NTT Docomo handset to see location data on a map (scroll down for sample maps displayed on the i-mode handset).

    This flash animation shows a Japanese mother pulling up a map that locates her daughter's mobile handset.
    2/28/2006 7:07:43 PM (W. Europe Standard Time, UTC+01:00)  #     | 

    This publication, with a foreword by Nitin Desai, provides an overview of the key debates on Internet governance. It presents the work of the Open Regional Dialogue on Internet Governance, an Asia-Pacific Development Information Programme (APDIP) initiative that has collected perspectives from regional experts and end users.

    2/28/2006 11:21:43 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Thursday, February 23, 2006

    In line with paragraph 108 and the Annex of the Tunis Agenda for the Information Society, a consultation is being held on 15-16 May 2006, at ITU Headquarters in Geneva, on WSIS Action Line C5: Building Confidence and Security in the use of ICTs. The purpose of the meeting is to discuss the WSIS multi-stakeholder implementation process for Action Line C5.

    The meeting is open to all WSIS stakeholders that are interested and involved in the implementation process in the field of building confidence and security in the use of ICTs.

    A draft agenda for the consultation on WSIS Action Line C5 Facilitation and the invitation letter to the meeting from ITU Secretary-General Yoshio Utsumi can be viewed on the WSIS C5 Implementation website.

    More information on the activities related to WSIS implementation and follow-up can be viewed here.

    2/23/2006 10:59:16 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Wednesday, February 22, 2006

    China's Ministry of Information Industry launched its anti-spam center, www.anti-spam.cn, today as part of their net safety efforts. There are ongoing efforts to also enhance its email management sometime between March and April 2006.

    Additionally, the Chinese government issued a regulation on the management of emails, which will take effect on 30 March 2006. Sending advertisement emails without the receiver's permission is banned, according to this new regulation.

    For more information, click here.

    2/22/2006 9:42:05 AM (W. Europe Standard Time, UTC+01:00)  #     | 
     Wednesday, February 15, 2006

    Circle ID has an interesting piece entitled Internet Governance: An Antispam Perspective by Meng Wong, who is known for his work on the email authentication mechanism SPF*:

    I believe that we must move to a default-deny model for email to solve phishing; at the same time we must preserve the openness that made email the killer app in the first place. The tension between these poles creates a tremendous opportunity for innovation and social good if we get things right, and for shattering failure if we get things wrong.

    * SPF is derived from original concept work by Paul Vixie which is now also the core of Microsoft's Sender ID.
    2/15/2006 5:44:08 PM (W. Europe Standard Time, UTC+01:00)  #     | 
     Tuesday, February 14, 2006

    FCC Examines Need For Tougher Privacy Rules.

    "In a Notice of Proposed Rulemaking (NPRM) adopted today, the Commission seeks comment on a variety of issues related to customer privacy, including what security measures carriers currently have in place, what inadequacies exist in those measures, and what kind of security measures may be warranted to better protect consumers’ privacy. The Notice grants a petition for rulemaking filed by the Electronic Privacy Information Center (EPIC) expressing concerns about whether carriers are adequately protecting customer call records and other customer proprietary network information, or CPNI. EPIC claims that some data brokers have taken advantage of inadequate security standards to gain access to the information under false pretenses, such as by posing as the customer, and then offering the records for sale on the Internet. The practice is known as "pretexting.""
      2/14/2006 10:05:12 AM (W. Europe Standard Time, UTC+01:00)  #     | 
       Monday, February 13, 2006

      The ITU is hosting a workshop on Radio-Frequency Identification (RFID) from 14-15 February 2006, bringing the spotlight on the emergence of a so-called "Internet of Things", enabling ubiquitous network connectivity, anytime and anywhere. The agenda and an accompanying press release are available.

      Update: The workshop is being audiocast live and archived.

      2/13/2006 11:23:35 AM (W. Europe Standard Time, UTC+01:00)  #     | 
       Friday, February 10, 2006

      The Financial Times has an article entitled Privacy Under Pressure in Europe

      A European directive is in preparation that will require the providers of publicly available communications services to retain details of fixed-line, mobile phone and e-mail communications for at least six months, and possibly up to two years. It is a requirement that even the US has not imposed in its war on terror.

      2/10/2006 11:34:32 AM (W. Europe Standard Time, UTC+01:00)  #     | 
       Monday, February 06, 2006

      Bruce Schneier's blog Schneier on Security points to the final version of a paper by Daniel J. Solove and Chris Hoofnagle titled "A Model Regime of Privacy Protection." 

      Abstract: A series of major security breaches at companies with sensitive personal information has sparked significant attention to the problems with privacy protection in the United States. Currently, the privacy protections in the United States are riddled with gaps and weak spots. Although most industrialized nations have comprehensive data protection laws, the United States has maintained a sectoral approach where certain industries are covered and others are not. In particular, emerging companies known as "commercial data brokers" have frequently slipped through the cracks of U.S. privacy law. In this article, the authors propose a Model Privacy Regime to address the problems in the privacy protection in the United States, with a particular focus on commercial data brokers. Since the United States is unlikely to shift radically from its sectoral approach to a comprehensive data protection regime, the Model Regime aims to patch up the holes in existing privacy regulation and improve and extend it. In other words, the goal of the Model Regime is to build upon the existing foundation of U.S. privacy law, not to propose an alternative foundation. The authors believe that the sectoral approach in the United States can be improved by applying the Fair Information Practices -- principles that require the entities that collect personal data to extend certain rights to data subjects. The Fair Information Practices are very general principles, and they are often spoken about in a rather abstract manner. In contrast, the Model Regime demonstrates specific ways that they can be incorporated into privacy regulation in the United States.
      2/6/2006 8:20:21 PM (W. Europe Standard Time, UTC+01:00)  #     | 
       Thursday, February 02, 2006

      The December 2005 edition of the Internet Protocol Journal has two articles on countering spam:

      2/2/2006 10:10:23 AM (W. Europe Standard Time, UTC+01:00)  #     | 
       Tuesday, January 24, 2006

      The official website of the 1st Meeting of the Internet Governance Forum (IGF), to be convened later this year in Greece, has been launched.

      1/24/2006 11:52:35 AM (W. Europe Standard Time, UTC+01:00)  #     | 
       Tuesday, January 17, 2006

      Another take on marketing the Internet of Things (via IP). The source can be found here.

      1/17/2006 9:55:42 AM (W. Europe Standard Time, UTC+01:00)  #     | 
       Monday, January 16, 2006

      Two recent articles on the growing influence of national governments over the internet.

      1. Legal Affairs has just published Digital Borders By Jack Goldsmith and Timothy Wu. The article is an excerpt from the book Who Controls the Internet?: Illusions of a Borderless World

      In this provocative new book, Jack Goldsmith and Tim Wu tell the fascinating story of the Internet's challenge to governmental rule in the 1990s, and the ensuing battles with governments around the world. It's a book about the fate of one idea--that the Internet might liberate us forever from government, borders, and even our physical selves. We learn of Google's struggles with the French government and Yahoo's capitulation to the Chinese regime; of how the European Union sets privacy standards on the Net for the entire world; and of eBay's struggles with fraud and how it slowly learned to trust the FBI. In a decade of events the original vision is uprooted, as governments time and time again assert their power to direct the future of the Internet. The destiny of the Internet over the next decades, argue Goldsmith and Wu, will reflect the interests of powerful nations and the conflicts within and between them.

      While acknowledging the many attractions of the earliest visions of the Internet, the authors describe the new order, and speak to both its surprising virtues and unavoidable vices. Far from destroying the Internet, the experience of the last decade has led to a quiet rediscovery of some of the oldest functions and justifications for territorial government. While territorial governments have unavoidable problems, it has proven hard to replace what legitimacy governments have, and harder yet to replace the system of rule of law that controls the unchecked evils of anarchy. While the Net will change some of the ways that territorial states govern, it will not diminish the oldest and most fundamental roles of government and challenges of governance.

      2. First Monday has published The filtering matrix: Integrated mechanisms of information control and the demarcation of borders in cyberspace by Nart Villeneuve.

      Increasingly, states are adopting practices aimed at regulating and controlling the Internet as it passes through their borders. Seeking to assert information sovereignty over their cyber–territory, governments are implementing Internet content filtering technology at the national level. The implementation of national filtering is most often conducted in secrecy and lacks openness, transparency, and accountability. Policy–makers are seemingly unaware of significant unintended consequences, such as the blocking of content that was never intended to be blocked. Once a national filtering system is in place, governments may be tempted to use it as a tool of political censorship or as a technological "quick fix" to problems that stem from larger social and political issues. As non–transparent filtering practices meld into forms of censorship the effect on democratic practices and the open character of the Internet are discernible. States are increasingly using Internet filtering to control the environment of political speech in fundamental opposition to civil liberties, freedom of speech, and free expression. The consequences of political filtering directly impact democratic practices and can be considered a violation of human rights.

      1/16/2006 9:19:44 PM (W. Europe Standard Time, UTC+01:00)  #     | 
       Tuesday, December 13, 2005

      The internet as we know it is set to transform radically, according to a new ITU Internet Report entitled The Internet of Things, specially prepared to coincide with the World Summit on the Information Society (WSIS) in Tunis in November 2005. From an academic network for the chosen few created in the late 1960s, the internet is now a mass-market, consumer-oriented network being accessed by over 900 million people worldwide, through personal computers, mobile phones and other wireless devices. But this is only the beginning. According to ITU’s report, we are standing on the brink of a new ubiquitous computing and communication era, one that will radically transform the Internet, and with it, our corporate, community, and personal spheres. The new ITU report looks at key enabling technologies for ubiquity (e.g. RFID, sensors and sensor networks, telematics, robotics, nanotechnology) and how they might impact the future human and technological landscape.

      At WSIS, the report was launched at a Press Conference and Panel Debate moderated by Kenn Cukier of The Economist. The lively debate included the following speakers and panelists: Nicholas Negroponte - MIT Media Lab, Olivier Baujard - CTO of Alcatel, Hitomi Murakami - VP General Manager of KDDI (Japan), Jonathan Murray - VP and CTO, Microsoft EMEA, Walid Moneimne, Senior VP and Head of EMEA Networks - Nokia, John Gage, Chief Researcher and Director of the Science Office - Sun Microsystems, and from the ITU, Lara Srivastava, lead author of the report.

      12/13/2005 4:59:21 PM (W. Europe Standard Time, UTC+01:00)  #     | 
       Monday, December 12, 2005

      "Computer security isn't a technological problem -- it's an economic one." That is the message Bruce Schneier, Counterpane Internet Security, emphasized in his presentation at an infoSecurity Conference according to an article in InternetNews.com.

      "The future of security is getting harder to predict." Industry professionals "must start paying attention to the economics of security if they hoped for technology to keep pace." "To understand the difference it's necessary to understand the basic economic incentives of companies and how businesses are affected by liabilities," Mr. Schneier pointed out in his presentation. "The problem is that most of the costs of insecure software fall on the users." "In economics, this is known as an externality: an effect of a decision not borne by the decision maker," according to Schneier. "When a company leaks data they are not the victim -- you as a user are."

      "Depending on where you put liability, security improves or it doesn't," Mr. Schneier added. "Put the liability on the responsible party then we can do something," he said. That liability usually comes through legislation or lawsuits, according to Schneier. Mr. Schneier also pointed out that "Security is a process, it is not a product."

      Access the full article here.

      12/12/2005 2:06:58 PM (W. Europe Standard Time, UTC+01:00)  #     | 
       Wednesday, November 16, 2005

      The WSIS Stocktaking Report has been officially launched during the World Summit on the Information Society in Tunis. The report has been prepared on the basis of activities entered into the WSIS Stocktaking Database, which by November 2005 contained more than 2500 entries.

      For the launch presentation see Stocktaking.pdf (1.47 MB).

      For the WSIS Stocktaking Database see here.

      11/16/2005 10:50:25 PM (W. Europe Standard Time, UTC+01:00)  #     | 

      The final documents submitted to the second phase of WSIS being held 16-18 November 2005 in Tunis have been posted. They are:

      In The Tunis Agenda for the Information Society, paragraphs 3-28 relate to Financial Mechanisms for Meeting the Challenges of ICTs for Development, paragraphs 29-82 relate to Internet Governance, and paragraphs 83-122 relate to Implementation and Follow-up.

       

      11/16/2005 7:24:03 PM (W. Europe Standard Time, UTC+01:00)  #     | 
       Thursday, November 10, 2005

      The latest edition of ITU News has a commentary from Yoshio Utsumi, ITU Secretary-General on the expectations beyond the upcoming Tunis phase of the World Summit on the Information Society.

      We started on the long journey to Tunis in 1998, when the government of Tunisia proposed to the ITU’s Plenipotentiary Conference in Minneapolis to hold a World Summit on the Information Society (WSIS). We have accomplished much during this journey. At the first phase of WSIS in Geneva in December 2003, we developed a common vision of the information society. In particular, we declared our common desire and commitment to build a people-centred, inclusive and development-oriented society where the potential of information and communication technologies (ICT) is used to promote sustainable development and improve the quality of life. It is a society where everyone, anywhere should have an opportunity to participate and no one should be excluded from the benefits the information society offers.

      At the second phase of the Summit in Tunis on 16-18 November 2005, we will be closing one chapter, but we will be opening a new and much bigger chapter on the implementation of that vision. In this endeavour, we should really recognize the true value of ICT as a central theme in national development policies. ICT is changing our society in ways which are as fundamental as the changes wrought by steam engines in the 19th century or motor cars in the 20th century. As those machines did, ICTs help us to be more productive and efficient than ever before to fulfil our natural desire for a better life....

      Nowhere are the challenges to the conventional sovereign State greater than in the realm of cyberspace. And Internet governance has dominated our discussions since the conclusion of the Geneva phase.

      The traditional principles of “national sovereignty” that have been applied to telecommunications — namely that each State regulates its telecommunication sector as it sees fit — are not working for the Internet. The Internet, which started in one country, has rapidly penetrated everywhere. Now that the Internet has become a basic element of infrastructure for every nation, it is natural that nations wish to claim sovereignty over the Internet as they do over traditional telecommunication infrastructure.

      However, the value of the Internet lies in the value of information created and consumed by users rather than in the infrastructure itself. So, Internet governance requires a multi-stakeholder approach in which users and consumers of information alike agree, at a global level, to cooperate on a basic set of guidelines on such issues as security, privacy protection and efficient operation.

      That is why our discussion of Internet governance has been so difficult: because the existing models do not work well. We need to embrace a new model, which I will call “new communication sovereignty.” In this model, we must fight to defend the “right to communicate” rather than the “right to govern.”

      Communication is a basic human need and the foundation of all social organization. What matters is whether you have guaranteed access to information or the means to communicate with others, rather than the ability to control the means of communication. The “right to communicate” is a fundamental human right in the information society.

      As the Secretary-General for the World Summit on the Information Society, I feel truly honoured to have been given the opportunity to serve the international community at this key moment of change in its history. As the wheel of change continues to turn, we must work together to create a more just and equitable information society.

      11/10/2005 2:50:47 PM (W. Europe Standard Time, UTC+01:00)  #     | 
       Wednesday, November 09, 2005

      Schneier on Security is reporting that Microsoft has released a document outlining a series of steps it would like to see the US Congress take to preempt a growing number of state laws that impose varying requirements on the collection, use, storage and disclosure of personal information. According to their press release:

      [Microsoft's senior vice president and general counsel Brad] Smith described four core principles that Microsoft believes should be the foundation of any federal legislation on data privacy:

      • Create a baseline standard across all organizations and industries for offline and online data collection and storage. This federal standard should pre-empt state laws and, as much as possible, be consistent with privacy laws around the world.
      • Increase transparency regarding the collection, use and disclosure of personal information. This would include a range of notification and access functions, such as simplified, consumer-friendly privacy notices and features that permit individuals to access and manage their personal information collected online.
      • Provide meaningful levels of control over the use and disclosure of personal information. This approach should balance a requirement for organizations to obtain individuals' consent before using and disclosing information with the need to make the requirements flexible for businesses, while avoiding bombarding consumers with excessive and unnecessary levels of choice.
      • Ensure a minimum level of security for personal information in storage and transit. A federal standard should require organizations to take reasonable steps to secure and protect critical data against unauthorized access, use, disclosure, modification and loss of personal information.
      11/9/2005 10:47:28 AM (W. Europe Standard Time, UTC+01:00)  #     | 
       Monday, November 07, 2005

      For the upcoming Global Symposium for Regulators (GSR) to be held in Hammamet, Tunisia, 14-15 November 2005, just before the second phase of the World Summit on the Information Society (WSIS), the ITU has released a paper by Tracy Cohen, Olli Mattila and Russel Southwood, entitled VoIP and Regulation, which will be presented at the GSR:

      Voice over Internet Protocol (VoIP) is generally viewed as a “disruptive technology”. All the current market indications show that IP networks and services like Voice over Internet Protocol (VoIP) will replace traditional PSTN networks and services. ITU estimates that by 2008, at least 50 percent of international minutes will be carried on IP networks and that many carriers will have all-IP networks. Recent trends are certainly headed in this direction. For example, in the United States, residential VoIP subscriber numbers have increased from 150,000 at the end of 2003 to over 2 million in March 2005. It is predicted that subscribers in the US will exceed 4.1 million by 2006, generating over USD 1 billion in gross revenues for the year. In March 2005, the Chilean broadband operator VTR launched the first telecommunication network for residential services based on IP technology. The operator expects to expand its platform and reach 2 million customers in five years. There are approximately 35,000 residential telephones that use IP technology in Chile, either through Chilean operators or through Vonage...

      This paper examines how VoIP services will affect future regulation. Due to the starkly contrasting global perceptions of VoIP however, it is difficult to present a unified approach to regulatory treatment of VoIP and this paper aims to reflect regulatory experiences from a wide range of countries that are grappling with the transition to VoIP. The three sections of this paper are structured to answer both the broad and specific questions raised by VoIP services, including the overall approach to regulating VoIP as a mainstream service; how VoIP has changed voice business models and the various ways of classifying the services it has created; and finally, other related issues frequently raised in connection with VoIP, such as quality of service; network integrity; emergency calling, numbering, communication security and lawful interception.

      11/7/2005 11:23:53 AM (W. Europe Standard Time, UTC+01:00)  #     | 
       Sunday, November 06, 2005

      For the upcoming Global Symposium for Regulators (GSR) to be held in Hammamet, Tunisia, 14-15 November 2005, just before the second phase of the World Summit on the Information Society (WSIS), the ITU has released a paper by John Palfrey entitled Stemming the International Tide of Spam: a Draft Model Law, which will be presented at the GSR:

      This discussion paper primarily takes up the question of what – beyond coordinating with technologists and other countries’ enforcement teams and educating consumers – legislators and regulators might consider by way of legal mechanisms. First, the paper takes up the elements that might be included in an anti-spam law. Second, the paper explores one alternative legal mechanism which might be built into an anti-spam strategy, the establishment of enforceable codes of conduct for Internet Service Providers (ISPs). Third, this paper also examines a variant of the legal approach where ISPs are formally encouraged by regulators to develop their own code of conduct. ISPs should be encouraged to establish and enforce narrowly-drawn codes of conduct that prohibit their users from using that ISP as a source for spamming and related bad acts, such as spoofing and phishing, and not to enter into peering arrangements with ISPs that do not uphold similar codes of conduct. Rather than continue to rely upon chasing individual spammers, regulators in the most resource-constrained countries in particular would be more likely to succeed by working with and through the ISPs that are closer to the source of the problem, to their customers, and to the technology in question. The regulator’s job would be to ensure that ISPs within their jurisdiction adopt adequate codes of conduct as a condition of their operating license and then to enforce adherence to those codes of conduct. The regulator can also play a role in sharing best practices among ISPs and making consumers aware of the good works of the best ISPs. While effectively just shifting the burden of some of the anti-spam enforcement to ISPs is not without clear drawbacks, and cannot alone succeed in stemming the tide of spam, such a policy has a far higher likelihood of success in the developing countries context than the anti-spam enforcement tactics employed to date.

      11/6/2005 3:19:47 PM (W. Europe Standard Time, UTC+01:00)  #     | 
       Thursday, October 13, 2005

      The ITU Strategy and Policy Unit, in collaboration with the Italian Ministry of Communications, the Ugo Bordoni Foundation and the Aosta Valley regional authority, organized a Workshop on “Tomorrow’s Network Today” on 7-8 October 2005.

      The workshop considered five broad themes:

      • International Visions of Ubiquitous Networks and Next Generation Networks
      • National Visions of Ubiquitous Networks and Next Generation Networks
      • Creating an Enabling Environment
      • The Italian Path Towards Ubiquitous Networks
      • An example of Italian best practice: "Being Digital in the Aosta Valley"

      Now available on the workshop website are the agenda, with links to presentations as they were delivered, and the two Case Studies on Italy – “Bridging the Gap: Taking Tomorrow’s Network Today” presented by Marco Obiso and “Ubiquitous Networks Societies: The Case of Italy” presented by Cristina Bueti – as well as background papers and voluntary contributions produced for the workshop.

      During the event, Tim Kelly, Head of the Strategy and Policy Unit (ITU), presented “Tomorrow’s Network and the Internet of Things”, showing some of the outcomes of the forthcoming ITU Internet Reports publication that this year will be dedicated to the theme of the “Internet of Things”.

      A final report of the workshop will be available in the next few weeks at the workshop website.

      10/13/2005 4:46:42 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Thursday, October 06, 2005

      Links to documents from WSIS Prepcom-3 (19-30 September 2005) Sub-Committee A, which dealt with the topic of Internet Governance, can be found on the WSIS website. The key documents from Prepcom-3 include:

      According to the Report of the Work of Sub-Committee A, in order to complete the work in time for the Summit, document DT/10 Rev. 4 is offered as basis for further negotiations. The following documents elaborated during PrepCom-3 are offered as a further input to future negotiations:

      10/6/2005 6:02:10 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Friday, September 23, 2005

      Highlights from the discussions at WSIS Prepcom-3 19-21 September 2005 can be found here.

      9/23/2005 9:42:05 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Thursday, September 22, 2005

      From TPRC 2005: DNSSEC and Hardening Security in the Internet Infrastructure: The Public Policy Questions by Amy Friedlander, Stephen Crocker, Allison Mankin, W. Douglas Maughan, Douglas Montgomery, Shinkuro Inc.

      This is a paper from the practitioner community. We are engaged in an effort to strengthen security in the Internet infrastructure. Our immediate task is to deploy a new Internet protocol, DNS Security Extensions (DNSSEC), which promises to harden features of the Domain Name System (DNS), a key element in the infrastructure of the Internet. In our work, we find ourselves at the intersection of the following questions:

      1. How do we stimulate innovation in infrastructure services when those services are provided in a competitive, largely private commercial environment and the returns are likely to occur in the long term and will also be shared?
      2. What is the appropriate role of government in fostering infrastructure development when we are committed to largely privately-owned and operated infrastructure facilities and services?
      3. What is the balance among national and homeland security interests and global Internet management - or governance?
      9/22/2005 3:55:12 PM (W. Europe Daylight Time, UTC+02:00)  #     | 

      EC Press Release: The European Commission has adopted today a proposal for a Directive on the retention of communications traffic data. The proposal provides for an EU-wide harmonisation of the obligations on providers of publicly available electronic communications, or a public telecommunications network, to retain data related to mobile and fixed telephony for a period of one year, and internet communication data, for six months. The proposed Directive would not be applicable to the actual content of the communications. It also includes a provision ensuring that the service or network providers will be reimbursed for the demonstrated additional costs they will have. For its adoption, the proposal requires the approval both of the European Parliament and the Council. The Council is currently discussing an alternative text, a Framework Decision which would allow for data retention of up to 3 years and could be adopted by the Council alone. A related memo with additional information is available.

      9/22/2005 11:36:23 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Tuesday, September 20, 2005
       Monday, September 19, 2005

      SwissInfo is reporting that data-protection commissioners from 40 countries have called on the United Nations to prepare a binding legal instrument to enhance data protection.

      A related press release and the final Montreux Declaration are available.

      9/19/2005 4:26:14 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Tuesday, September 13, 2005

      "I spent yesterday at a conference with the title eConfidence - Spam, Scams And Security and posted a short report. I mentioned that a major awareness campaign is due to be launched at the end of next month. It has been nine months in conception and creation and was planned under the name "Project Endurance", but it is being launched under the banner Get Safe Online. At yesterday's event, Tony Neate of the National Hi-Tech Crime Unit described the content as "outstanding", but so far the only public presence is one page on the web. As you can see from this page, eight companies have joined the Home Office and the National Hi-Tech Crime Unit to sponsor the campaign, but more sponsors are sought. I understand that the Netherlands and Norway have run similar campaigns against spam, scams and viruses. Anyone out there got any relevant information? I welcome this initiative. My concern is that there are now a variety of web sites and organisations providing advice on different forms of Internet content and activity - with some major gaps, such as harmful and offensive content - and what the consumer needs is a 'one stop shop' linking all these resources in a high-profile, user-friendly manner."

      9/13/2005 5:13:40 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Friday, August 05, 2005

      The Chairman's report (PDF) from the ITU WSIS Thematic Meeting on Cybersecurity held June 28 - July 1 2005 has been released.

      The event was organized in the framework of the implementation of the Declaration of Principles and Plan of Action adopted on 12 December 2003, at the first phase of the World Summit on the Information Society (WSIS) and in preparation for the Tunis phase of WSIS, to be held from 16 to 18 November, 2005. The event website provides links to the final agenda, all background papers, presentations, electronic contributions, the Chairman’s Report and audio archives.

      The four-day meeting was structured to consider and debate six broad themes in promoting international dialogue and cooperative measures among governments, the private sector and other stakeholders as well as promotion of a global culture of cybersecurity. These include information sharing of national and regional approaches, good practices and guidelines; developing watch, warning and incident response capabilities; technical standards and industry solutions; harmonizing national legal approaches and international legal coordination; privacy, data and consumer protection; and developing countries and cybersecurity.

      The first day of the meeting focused on countering spam as follow-up to the ITU WSIS Thematic Meeting on Countering Spam, held in July 2004.

      8/5/2005 1:38:36 PM (W. Europe Daylight Time, UTC+02:00)  #     | 

      At the recent ITU WSIS Thematic Meeting on Cybersecurity, Maria Cristina Bueti, Policy Analyst, Strategy and Policy Unit, ITU, presented a background paper entitled ITU Survey of Anti-Spam Laws and Authorities Worldwide. The survey was conducted in April 2005 and sent to ITU’s 189 Member States. The survey results, based on 58 responses received, showed that there are a number of countries that have already implemented anti-spam legislation. In some cases, countries use data protection laws or consumer protection laws to cope with spam issues. A number of countries do not have anti-spam legislation or any laws applicable to spam. A slide from her presentation is shown below.

      8/5/2005 11:58:37 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Wednesday, August 03, 2005

      Phishing emails go formal - New method hides the true web address: Researchers have discovered a new method used by criminals to hide the location of phishing websites in email messages. The technique uses a form that sends the users to phishing websites after they have pushed a button. Traditionally phishers employ a link in the body of the email message, security watchdog, the SANS Internet Storm Centre has warned. Forms are commonly used by websites to allow users to send information back to the sites, for instance to enter user names and passwords for log ins. A phishing email tries to lure the recipient to a website that the message claims is from a trusted organisation like a bank or credit card company. The aim of the message is to steal confidential information such as login names and passwords.

      From VNUnet, SANS Internet Storm Center - diary via Ewan Sutherland's weblog.
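
      A mail filter can look for the pattern described above by parsing the HTML body for form elements and comparing where each form submits with the domain in the From header. The following is an added example, not code from the SANS diary or the article; the sample messages, addresses and the two-label domain comparison are constructed assumptions.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML mail whose button submits a form to a bare IP address.
SAMPLE = """\
From: "Example Bank" <service@bank.example>
To: user@mail.example
Subject: Confirm your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your details.</p>
<form action="http://192.0.2.10/confirm" method="post">
<input type="text" name="user"><input type="password" name="pass">
<input type="submit" value="Continue">
</form></body></html>
"""

# Constructed sample: an ordinary newsletter with a link and no form.
LINK_ONLY = """\
From: news@shop.example
To: user@mail.example
Subject: Newsletter
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Read more at <a href="https://www.shop.example/news">our site</a>.</p></body></html>
"""


class FormFinder(HTMLParser):
    """Collect the action URL and input types of every <form> in a body."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((attrs.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def base_domain(host):
    # Assumption: compare the last two labels only. A production filter
    # would use the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_message(raw):
    """Return one finding per HTML form found in the message body."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, errors="replace")
        finder = FormFinder()
        finder.feed(html)
        for form in finder.forms:
            host = urlparse(form["action"]).hostname or ""
            reasons = ["html form in email body"]
            if host and base_domain(host) != base_domain(sender_domain):
                reasons.append("form posts to host unrelated to From domain")
            if host and is_ip_literal(host):
                reasons.append("form action is a raw IP address")
            if "password" in form["fields"]:
                reasons.append("form collects a password")
            findings.append({"action": form["action"], "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE):
        print(finding["action"], "->", "; ".join(finding["reasons"]))
```

      Because the destination sits in the form's action attribute rather than in an anchor's href, a filter that only extracts links from the body never sees it.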

      8/3/2005 11:11:16 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Friday, July 29, 2005

      The final version of a paper commissioned by the ITU entitled A Comparative Analysis of Spam Laws: The Quest for a Model Law (PDF) has been released. The paper was authored by Derek E. Bambauer, John G. Palfrey, Jr., and David E. Abrams, Berkman Center for Internet & Society, Harvard Law School, for the ITU WSIS Thematic Meeting on Cybersecurity held in Geneva, 28 June - 1 July 2005.

      Executive Summary

      Spam presents a significant challenge to users, Internet service providers, states, and legal systems worldwide. The costs of spam are significant and growing, and the increasing volume of spam threatens to destroy the utility of electronic mail communications.

      The Chairman’s Report from the ITU WSIS Thematic Meeting on Countering Spam in July 2004 emphasized the importance of a multi-faceted approach to solving the problem of spam and named legal governance as one of the necessary means. Our paper focuses on the potential nature of the legal regulation of spam, specifically the importance of harmonizing regulations in the form of a model spam law. We agree with the Chairman that the law is only one means towards this end and we urge regulators to incorporate other modes of control into their efforts, including technical methods, market-based means, and norm-based modalities.

      Spam uniquely challenges regulation because it easily transverses borders. The sender of a message, the server that transmits it, and the recipient who reads it may be located in three different states, all of which are under unique legal governance. If spam laws are not aligned in these states, enforcement will suffer because the very differences between spam laws may mean that a violation in one state is a permissible action in another. Moreover, spammers have an incentive to locate operations in places with less regulation, and the opportunity to states to create a domestic spam hosting market may engage them in a race to the bottom.

      Harmonizing laws that regulate spam offers considerable benefits, insofar as a model law could assist in establishing a framework for cross-border enforcement collaboration. To those enforcing the regulation of spam, harmonization as a model law effort offers: clear guidelines, easy adoption, enhanced enforcement, stronger norms, fewer havens for spammers, and the increased sharing of best practices. If such regulators then agree that harmonization can aid legal regimes intent on curbing spam, they must initially address four critical tasks: defining prohibited content, setting default rules for contacting recipients, harmonizing existing laws, and enforcing such rules effectively. This legal approach must be concurrently matched by efforts that employ other modes of regulation, such as technical measures, user education, and market-based approaches.

      Our analysis of existing spam legislation gathered by the ITU Strategy and Policy Unit evaluated these laws’ elements to determine whether they were commonly included or not, and whether provisions were uniformly implemented or varying when present. Our research documents seven instances in which extant laws strongly converge: a focus on commercial content, the mandatory disclosure of sender/advertiser/routing, bans on fraudulent or misleading content, bans on automated collection or generation of recipient addresses, the permission to contact recipients where there is an existing relationship, the requirement to allow recipients to refuse future messages, and a mix of graduated civil and criminal liability. Also documented are five key areas of disagreement which are vital to a harmonized spam law but which have evaded consensus thus far: a prior consent requirement for contacting recipients, a designated enforcer, label requirements for spam messages, the definition of spam (whether it is limited to e-mail communication, or includes other applications, such as SMS), and the jurisdictional reach of the system’s spam laws. Naturally, a harmonization effort must tackle and narrow these zones of divergence in order to succeed.

      Spam laws, whether harmonized or not, are at best only part of the solution to the spam problem and must be developed in concert with technical, market, and norms-based tools if the scourge of spam is to be substantially reduced. Efforts to harmonize the legal regulation of spam can serve as one effective means to solving the unique challenges spam presents. A model spam law is possible to develop, despite the many differences among the world’s spam laws.

      7/29/2005 11:00:40 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Tuesday, July 26, 2005

      The ITU Council has approved that the theme for World Telecommunication Day 2006 (May 17) be Promoting Global Cybersecurity.

      Here is the background of this decision as contained in the proposal to ITU Council:

      The United Nations General Assembly adopted, in 2002, a resolution entitled UNGA Resolution 57/239: Creation of a global culture of cybersecurity, calling for international organizations to consider measures to foster a global culture of cybersecurity and invited Member States to develop throughout their societies a culture of cybersecurity in the application and use of information technologies. The General Assembly also stressed the necessity to facilitate the transfer of information technology and capacity-building to developing countries, in order to help them to take measures in cybersecurity.

      The ITU Plenipotentiary in 2002 adopted Resolution 130: Strengthening the role of ITU in information and communication network security, instructing the Secretary General and the Directors of the Bureaux to intensify work within existing ITU study groups and inviting ITU Member States and Sector Members to participate actively in the ongoing work of the relevant ITU study groups.

      In 2004, a second resolution, UNGA Resolution 58/199: Creation of a global culture of cybersecurity and the protection of critical information infrastructure, was adopted by the United Nations on the global culture of cybersecurity and the protection of critical information infrastructure. The General Assembly, through this Resolution, encouraged Member States, regional and international organizations that have developed strategies to deal with cybersecurity and the protection of critical information infrastructures to share their best practices and measures that could assist other Member States in their efforts to facilitate the achievement of cybersecurity; it also stressed the necessity for enhanced efforts to close the digital divide, to achieve universal access to information and communication technologies and to protect critical information infrastructures by facilitating the transfer of information technology and capacity-building, in particular to developing countries so that all States may benefit fully from information and communication technologies for their socio-economic development.

      In 2004, the World Telecommunication Standardization Assembly (WTSA) adopted Resolution 50 on Cybersecurity, requesting the ITU-T to continue to raise awareness of the need to defend information and communication systems against the threat of cyberattack, and continue to promote cooperation among appropriate entities in order to enhance exchange of technical information in the field of information and communication network security.

      In accordance with PP Resolution 130 and WTSA Resolution 50, it was proposed that ITU should take a lead role in promoting a global cybersecurity campaign. The vehicle of World Telecommunication Day can be used to build an awareness campaign in support of this objective. In implementing this campaign, ITU would work in close cooperation with organizations involved in global cybersecurity issues, including the European Network and Information Security Agency, the Organization for Economic Cooperation and Development as well as other national, regional and international interested entities.

      7/26/2005 10:48:46 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Monday, July 25, 2005

      The International Privacy Regime by Tim WU

      "Privacy has joined one of many areas of law understandable only by reference to the results of overlapping and conflicting national agendas. What has emerged as the de facto international regime is complex. Yet based on a few simplifying principles, we can nonetheless do much to understand it and predict its operation. First, the idea that self-regulation by the internet community will be the driving force in privacy protection must be laid to rest. The experience of the last decade shows that nation-states, powerful nation-states in particular, drive the system of international privacy. The final mix of privacy protection that the world's citizens receive is disproportionately dictated by the choices and preferences of powerful nation-states and their respective effects on giant and small targets. Second, traditional conflicts analysis can help explain and predict the future course of privacy analysis. Privacy regulation can be understood as a species of information regulation to which companies and individuals will respond in predictable ways. The analysis here shows an international privacy system that has fractured into three distinct regulatory patterns. Mainstream privacy, or transactional privacy, has become dominated by the rule of the most restrictive state, a pattern familiar to other areas like the world's regulation of competition (antitrust). Conversely, the problem of information theft has been pushed by the international system toward a kind of a race to the bottom, or to the least restrictive rule. Most akin to international piracy (the kind on boats), it is a familiar problem to international law that will nonetheless take considerable political will to reverse. And finally, while there is a potential for the international system to influence how governments handle the privacy information of their own citizens, the direct collision of interests have limited the extent to which governments police one another."

      From SSRN via weblog of Ewan Sutherland.

      7/25/2005 11:35:33 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Thursday, July 21, 2005

      Finnish citizens are to be offered the opportunity to use mobile telephones equipped with digital certificates to identify themselves when conducting business online.

      The first SIM cards equipped with the security certificate are now being offered by Elisa, Finland's second-largest mobile network operator, for official transactions with the Finnish Population Register Centre.

      If, for example, a citizen wants to register a move to a new home online, he opens the corresponding page on the Internet, fills out the form, and receives a message from the registration office on his mobile telephone requesting him to enter his mobile signature for the online request. The citizen enters a personal PIN to permit the generation of the digital signature. This is generated by the SIM card and returned to the registration office as a special encrypted message.

      Citizens who want to use the mobile signature can register at a local police station and sign up for the service. The 128KB, Java-based SIM cards have been supplied by Giesecke & Devrient and are currently available at selected Elisa outlets.

      By the end of 2005, the Finnish OKO Bank, the social insurance agency, the Tax Administration, as well as the Ministry of Labour want to offer the mobile citizen certificate as a new form of authentication for their services.

      The article above was published on the Finextra.com website.

      7/21/2005 12:11:41 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Tuesday, July 19, 2005

      A study titled "Open to Exploitation: American Shoppers Online and Offline" finds that "Internet users in the United States are dangerously ignorant about the type of data that Website owners collect from them and how that data is used, making them vulnerable to fraud and misuse of their personal information".

      For the full story click here.

      Article published in InfoWorld, accessed through fergie's blog.

      7/19/2005 7:43:51 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Tuesday, June 28, 2005

      Steve Linford of the Spamhaus Project is speaking at the ITU WSIS Thematic Meeting on Cybersecurity on the first day which is concentrating on countering spam. Some of his remarks:

      • Spamhaus blocks approximately 8 billion spam messages per day
      • They estimate there are 4 million infected zombie machines which have been compromised with 60-100,000 newly infected per week
      • These are used to launch Distributed Denial of Service (DDOS) Attacks
      • This is increasingly a criminal activity with "spam supermarkets"
      • Mostly American and Russian spammers using Chinese hosting. These are technically smart users who firewall their sites from their hosting companies.
      • Spammers in Russia are more criminal than US counterparts. They are involved in
      • The largest Russian ISP, Rostelecom says they cannot terminate accounts as Russian law does not permit it.
      • Australian spam laws are best in the world, penalties are high enough to make a dent in spam
      • Consumer confidence in the Internet is dropping every day
      • Spam is a cancer and it is fast killing the Internet

      Some of Steve's conclusions include:

      • You must ban and not regulate spam
      • Governments must give resources to law enforcement agencies
      • Make it criminal for ISPs to host spammers
      • Require a 24 hour point of contact for all ISPs to terminate problems
      • Educate users to not reply to spam

      The meeting is also being audiocast live over the Internet. Mr. Linford's talk is the beginning of Session 2.

      6/28/2005 10:06:59 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Thursday, June 02, 2005

      In an article from Reuters: A bill for mandatory logging of emails, phone calls and other electronic communications to combat terrorism and fraud will limit data storage to a year at most, the European Commission said on Wednesday.

      Viviane Reding, Commissioner for Information Society and Media, said a similar proposal put forward by four member states in 2004 wanted data to be stored for three to four years, which she said would impose a costly burden on phone and internet companies.

      [Via Fergie's Tech Blog and Reuters]

      6/2/2005 2:39:30 PM (W. Europe Daylight Time, UTC+02:00)  #     | 

      In the framework of its Technology Watch activities, ITU-T has recently published a technical paper on radio frequency identification (RFID) and opportunities for its use in mobile telecommunication services. RFID enables data to be transmitted by a tiny portable device, called a tag, which is read by an RFID reader and processed according to the needs of a particular application. It is only recently that the technology has begun to take off in the mass market. Analysts predict that RFID will revolutionize areas of industry, such as supply chain management and the retail business, for example by reducing costs with better stock management. The technical paper presents several ideas for applications of RFID technology in mobile telecommunication services as well as possible areas for standardization efforts. Apart from purely technical concepts, the challenging aspects of security and privacy are discussed. A PowerPoint presentation of the paper is also available.

      ITU-T recently set up a correspondence group on RFID in the framework of its Technology Watch and a dedicated e-mail reflector on the matter for initiating studies on the technology. Additionally, ITU-T is to hold a workshop on RFID standardization issues in the first quarter of 2006. [via ITU-T Newslog]

      6/2/2005 1:15:07 PM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Friday, May 27, 2005

      The OECD has just published an excellent paper by Suresh RAMASUBRAMANIAN on Spam Issues in Developing Countries (PDF), which is linked to from the OECD antispam toolkit.

      5/27/2005 3:35:09 PM (W. Europe Daylight Time, UTC+02:00)  #     | 

      Via iwar: GAO: Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, May 26, 2005

      While DHS has initiated multiple efforts to fulfill its responsibilities, it has not fully addressed any of the 13 responsibilities, and much work remains ahead. For example, the department established the United States Computer Emergency Readiness Team as a public/private partnership to make cybersecurity a coordinated national effort, and it established forums to build greater trust and information sharing among federal officials with information security responsibilities and law enforcement entities. However, DHS has not yet developed national cyber threat and vulnerability assessments or government/industry contingency recovery plans for cybersecurity, including a plan for recovering key Internet functions. DHS faces a number of challenges that have impeded its ability to fulfill its cyber CIP responsibilities. These key challenges include achieving organizational stability, gaining organizational authority, overcoming hiring and contracting issues, increasing awareness about cybersecurity roles and capabilities, establishing effective partnerships with stakeholders, achieving two-way information sharing with these stakeholders, and demonstrating the value DHS can provide. In its strategic plan for cybersecurity, DHS identifies steps that can begin to address the challenges. However, until it confronts and resolves these underlying challenges and implements its plans, DHS will have difficulty achieving significant results in strengthening the cybersecurity of our critical infrastructures.

      Complete Report...

      5/27/2005 9:50:47 AM (W. Europe Daylight Time, UTC+02:00)  #     | 
       Wednesday, May 25, 2005

      From the FTC's Operation Spam Zombies page:

      Spammers use home computers to send bulk emails by the millions. They take advantage of security weaknesses to install hidden software that turns consumer computers into mail or proxy servers. They route bulk email through these "spam zombies," obscuring its true origin.

      As part of a worldwide effort to prevent these abuses, the FTC announces "Operation Spam Zombies." In partnership with 20 members of the London Action Plan and 16 additional government agencies from around the world, the Commission is sending letters to more than 3000 Internet service providers (ISPs) internationally, encouraging them to take the following zombie-prevention measures:

      • block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers.
      • apply rate-limiting controls for email relays.
      • identify computers that are sending atypical amounts of email, and take steps to determine if the computer is acting as a spam zombie. When necessary, quarantine the affected computer until the source of the problem is removed.
      • give your customers plain-language advice on how to prevent their computers from being infected by worms, trojans, or other malware that turn PCs into spam zombies, and provide the appropriate tools and assistance.
      • provide, or point your customers to, easy-to-use tools to remove zombie code if their computers have been infected, and provide the appropriate assistance.

      In a later phase, the Operation plans to notify Internet providers worldwide that apparent spam zombies were identified on their systems, and urge them to implement measures to prevent that problem.

      Business Guidance

      Letter text translations (provided by participating agencies):

      5/25/2005 9:32:41 AM (W. Europe Daylight Time, UTC+02:00)
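The first and third measures in the FTC list above (restrict port 25, and identify hosts sending atypical amounts of email) can be sketched as follows. This is an added example, not part of the FTC text or the original post; the address ranges, relay address, thresholds and flow records are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Every value below is constructed for illustration (documentation address ranges).
CUSTOMER_NET = ip_network("198.51.100.0/24")  # hypothetical subscriber range
ISP_RELAYS = {ip_address("192.0.2.25")}       # hypothetical ISP mail relay for clients
WINDOW = 600        # seconds per counting window (assumed)
MAX_DIRECT_MX = 5   # distinct direct port-25 destinations tolerated per window (assumed)

# Constructed flow records: (epoch seconds, source IP, destination IP, destination port)
FLOWS = (
    # one subscriber contacting 8 different external mail servers on port 25
    [(1000 + i, "198.51.100.7", f"203.0.113.{i}", 25) for i in range(1, 9)]
    # a busy but well-behaved client using submission (587) on the ISP relay
    + [(1000 + i, "198.51.100.9", "192.0.2.25", 587) for i in range(40)]
    # a subscriber with a little direct SMTP, below the threshold
    + [(1100, "198.51.100.12", "203.0.113.50", 25),
       (1200, "198.51.100.12", "203.0.113.51", 25)]
)

def port25_policy(src, dst, dport):
    """Decide 'allow' or 'block': subscribers may reach port 25 only on ISP relays."""
    if dport != 25:
        return "allow"
    if ip_address(src) in CUSTOMER_NET and ip_address(dst) not in ISP_RELAYS:
        return "block"
    return "allow"

def suspected_zombies(flows, window=WINDOW, limit=MAX_DIRECT_MX):
    """Map each source to its peak count of distinct direct port-25 destinations
    in any single window, keeping only sources that exceed the limit."""
    seen = defaultdict(set)  # (source, window index) -> destinations contacted
    for ts, src, dst, dport in flows:
        if port25_policy(src, dst, dport) == "block":
            seen[(src, ts // window)].add(dst)
    peak = defaultdict(int)
    for (src, _), dsts in seen.items():
        peak[src] = max(peak[src], len(dsts))
    return {src: n for src, n in peak.items() if n > limit}

if __name__ == "__main__":
    for host, n in suspected_zombies(FLOWS).items():
        print(f"{host}: {n} distinct direct SMTP destinations in one window; review or quarantine")
```

Counting distinct destinations rather than raw connections keeps a client that sends many messages through the ISP relay from being flagged, while a host fanning out to many mail servers directly stands out.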
       Monday, May 23, 2005

      CNN/Money is reporting that US Bank of America Corp. and Wachovia Corp. are among the big banks notifying more than 670,000 customers that account information was stolen in what may be the biggest security breach to hit the banking industry.

      Account information on the customers was illegally sold by bank employees to a man identified as Orazio Lembo, whom police said was doing business by illegally posing as a collection agency.

      [via Slashdot]

      5/23/2005 10:13:54 PM (W. Europe Daylight Time, UTC+02:00)

      Gregg Keizer writes on TechWeb: Spammers and phishers are using new kinds of attacks to build wide-ranging profiles of online users -- everything from their political views to their sexual preference -- a security firm said Monday.

      [via Fergie's Tech Blog]

      5/23/2005 10:13:42 PM (W. Europe Daylight Time, UTC+02:00)
       Thursday, May 19, 2005

      From Slashdot: Canada's National Task Force on Spam released its final report today. Despite prior spam actions on privacy grounds in Canada, the task force is calling for a tough new anti-spam law including penalties for failure to obtain appropriate opt-in consents before sending commercial email as well as private right of action to encourage Canadian lawsuits against spammers. Professor Michael Geist, who headed up the legal aspects of the task force, provides a good summary of the recommendations.

      5/19/2005 8:57:03 AM (W. Europe Daylight Time, UTC+02:00)
       Tuesday, May 17, 2005
       Friday, April 29, 2005

      Business Inaction Could Lead to Cybersecurity Law

      U.S. businesses for years have urged the government to let them set computer-security standards of their own, but their inability to do so could now prompt Congress to step in, experts say.

      Those who worry that regulation may stifle innovation say the business community may have already missed an opportunity to prove the government's help is not needed. "The market is in a much better position to respond to this challenge ... but corporate America has not provided evidence across the board that they've taken this issue seriously enough to protect consumers," said Bob Dix, a lobbyist for Citadel Security Software Inc., who until last year handled cybersecurity for a congressional subcommittee. The private sector is under scrutiny after a string of incidents at data brokers, retailers and other businesses exposed at least half a million U.S. citizens to identity theft.

      The business community for years has argued that any government regulations would quickly become outdated in a rapidly changing field, and a 2003 Bush administration plan called on the private sector to set its own standards.

      Working with the Homeland Security Department, an industry-led task force issued a set of guidelines in April 2004 that called for company chief executives to take direct responsibility for their computer systems. One year later, only two companies have adopted the guidelines: Entrust Inc. and RSA Security Inc., whose chief executives co-chaired the task force.

      Corporate lawyers warned that any public security promises could open the door for lawsuits in the wake of a security breach, said Entrust CEO Bill Connor.

      From Reuters [via my weblog]

      4/29/2005 11:50:28 PM (W. Europe Daylight Time, UTC+02:00)
       Thursday, February 13, 2003
      2/13/2003 12:47:05 PM (W. Europe Standard Time, UTC+01:00)
       Thursday, January 16, 2003

      In July 2002, the OECD updated its Guidelines for the Security of Information Systems and Networks. Last week they made available a related suggested Implementation Plan (PDF), which, most significantly, makes specific suggestions on the exact role of government in fostering and promoting security.

      1/16/2003 6:54:59 PM (W. Europe Standard Time, UTC+01:00)