
Norwegian Police, Seeking Info On 2 Bloggers, Take Data From 7,000 Accounts

Posted by Soulskill
from the orders-of-magnitude dept.
xiando writes "Norwegian police were asked by officials in Italy to get personal information about two bloggers who were using a server in Oslo. The police decided the best thing to do would be to take the server's hard drive, along with personal information from about 7,000 other users (Google translation of Norwegian original). Other ISPs say this is standard operating procedure in Norway these days."
  •     Damn, I knew I shouldn't have Google'd Autistici to see what the hell they were about. Click one link, get a terrorist charge in Italy.

    • by Elbereth (58257)

      Being autistic is a crime in Italy?

      Bad news for Slashdotters.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        autistici.org has NOTHING to do with Autism...

        • What's so bad about this website? I'm looking at it through Tor from a highly secured browser using HTTPS. I was expecting child porn or the homepage of a terrorist organization.

          • by vegiVamp (518171)

            Maybe it has pictures of Mussol- err, Berlusconi on a bad hair day or something similarly incriminating.

    • yo dawg, I herd you like being under terror...
      so I suspect you of terrorism whenever you hit a non conforming site.

  • And in the USA (Score:5, Interesting)

    by whoever57 (658626) on Sunday January 23, 2011 @03:25AM (#34971142) Journal

    Some time back, there was a judgment that allowed police to trawl through the entire contents of a hard drive if they had a subpoena for one person's data from the drive, so I was wondering if the following scenario would work:

    Police get a subpoena for electronic bank records of an individual. They go to the bank and the bank offers to provide the relevant data. However, the police say: "No, this subpoena is not limited like that. Give us all the hard drives that might contain data on the subject". The bank is compelled to hand over thousands of hard drives. Now the police can trawl through bank records of millions of people unrelated to the original subpoena.

    Could this happen? Will it happen?

    • Re:And in the USA (Score:5, Insightful)

      by Daniel Dvorkin (106857) * on Sunday January 23, 2011 @03:51AM (#34971236) Homepage Journal

      Could this happen? Will it happen?

      Yes and yes, of course. In particular, invoke any of the magic words "terrorism," "national security," "child pornography," "drug dealing," or "intellectual property," and the Constitution no longer applies. The kind of large-scale fishing expedition you describe is entirely in keeping with this policy.

    • Given the state of regulations that currently govern bank disclosures to the feds (i.e. your banking records aren't much, if any, less transparent than your phone records, gotta catch them terrorists...), that scenario would almost certainly be counterproductive...

      With a "national security letter" and some TLA dudes with guns, they probably could; but given the sort of IT systems banks use, that would probably net them a container trailer full of hard drives, in no particular order, each one containing fra
    • by Raumkraut (518382)

      Could this happen? Will it happen?

      You forgot two questions:
      Has it happened already? Will we ever find out?

      The banks got a huge bailout, I'm sure they'd not complain too bitterly if they had to sign a "National Security" gag order.

    • Some time back, there was a judgment that allowed police to trawl through the entire contents of a hard drive if they had a subpoena for one person's data from the drive, so I was wondering if ....snip...

      And what if the drive was a massive distributed file system like Google or Yahoo?
      Not even a file system but a distributed data base. Perhaps an Oracle RAC resource.
      And in EU there are data replication issues so the services may be forced off line because no live replicated data exists.
      Might take the Lustre of it when the electric bill arrives.

  • by dcollins (135727) on Sunday January 23, 2011 @03:29AM (#34971156) Homepage

    "Not something that only happens in the U.S."

    Wonderful sub-headline in the linked article. Great example of our worldwide reputation nowadays.

    • by Anonymous Coward on Sunday January 23, 2011 @09:03AM (#34972150)

      "Not something that only happens in the U.S."

      Wonderful sub-headline in the linked article. Great example of our worldwide reputation nowadays.

      It is something that also happens in EU. The root of this is a directive [wikipedia.org] from EU, transformed to Norse law. Norway is in a position where it can oppose directives from EU, but as of yet and as a principle, it has made all EU directives into Norse law.

      The Scandinavian countries have a tradition of keeping the laws on the level of an easy to understand ethical foundation and as many details as possible outside the laws in regulatory frameworks. Most of the laws are written in an easy to understand, hard to twist, plain language (those parts that aren't, are hundreds of years old "fossils", the laws get rewritten in simpler (more modern) language as they evolve, of course, to sanitise an EU directive into something simple and easy to understand is very challenging). This makes the regulatory frameworks easy to revise when parts of them lead to unfortunate, unexpected, side effects, and to modernize when necessary, without losing sight of the ethical principles on which they are founded. The principle of simplicity in laws and regulations and the sharp separation of what belongs where, is also the reason Scandinavian citizens take laws and regulations, both the creation of them and the duty to follow them, more seriously than other Europeans. EU has a tradition of keeping as many details as possible in its directives (a.k.a. the laws of EU) and they are written in a very bureaucratic language (in Swenglish and Denglish, not real Swedish or Danish, English is mostly a sub-language of the Nordic languages and it just takes a few simple changes (mostly spelling and prepositions) to transform it into formally correct translations, but it gets very ugly and simplistic, on a level of grunts and groans, most Scandinavian EU politicians stick to reading the French and German language versions of proposed EU directives), with lots of special cases, that aim to please the opposing wills of, and within, the EU countries. Proposed EU directives can also be changed the last minute before they are accepted (I think a proposal should be in a stable state at least a couple of weeks before they are accepted, so that people have a chance to understand them).
      The EU directives are too abundant and too much of a mess for anybody, except experts in the field in which they apply, to understand. The politicians that approve them rarely understand what they approve. In the Scandinavian countries, this means that the full effect of what an EU directive will implicate is not understood before it is rewritten into a national law proposal and then it is already too late to stop it without leaving EU (in Sweden, Finland and Denmark, Norwegians could theoretically still refuse to adopt it), most other European countries just dump the EU directives word-by-word into their own messy laws and then mostly ignore them (as they already do with laws that come from within the country).

      At least Norway isn't in the position of its neighbours Sweden, Finland and Denmark, that are more closely tied to EU and are obliged to incorporate all EU directives into their own national law.

  • Cloud computing (Score:4, Interesting)

    by flyingfsck (986395) on Sunday January 23, 2011 @03:38AM (#34971190)
    If your data is stored in a cloud, then it is bound to get trawled through multiple times per year due to subpoenas for other people.
    • Re:Cloud computing (Score:4, Interesting)

      by VortexCortex (1117377) <VortexCortex AT ... trograde DOT com> on Sunday January 23, 2011 @01:25PM (#34974094)

      If your data is stored in a cloud, then it is bound to get trawled through multiple times per year due to subpoenas for other people.

      I'm comfortable with that. I'll let as many policing forces trawl through my Gmail as the government agencies desire, provided that I'm allowed to use (PGP) end to end encryption to my heart's content.

      The FBI has been looking into requiring online services to be able to comply with a wire-tap order (and decrypt any encrypted data) -- Google can't comply with a demand to decrypt my data as long as Gmail lets me send arbitrary textual data and/or attachments -- The next step will be outlawing end to end encryption; Mark my words.

      My cloud has a silver lining -- an envelope of end to end encryption.

  • ...without the government getting in your way.

    Anywhere.

    Anymore.

    --
    The principles of Free Software are built atop the principles of intellectual property.

    • That's what my sig means. It's a nice little garden. But do NOT touch the link of knowledge of good and evil! If you do that you will be TOS'ed out of the cozy little garden.

  • by Geminii (954348) on Sunday January 23, 2011 @11:54AM (#34973298)

    How hard would it be to rig the systems so that pulling the drives physically out of the servers rendered them unreadable? I'm thinking some kind of encrypted striping on the individual drives, and the whole array running through a second hardware encryptor hooked up to GPS and a passphrase... maybe also an internal sensor linked to something inside the wall of the server room. Move the encryptor box out of the room and it scrambles the key, rendering the array useless even if the correct passphrase is given. Restore it to the room, and re-enter the passphrase, and it can be used to read the array again.

    Anyone wanting to access the data on the array would have to either do so with the hardware in situ, or demand a copy be run off for them. Confiscating the hardware would net them nothing. And unless they demanded that the keys to the kingdom be handed over, they couldn't trust the information they were getting.

    There could also be a system set up so that if an organisation's access to its own data was compromised in this way, one of the required decryption keys could be remotely scrambled and the original only known by someone overseas and outside of the local authorities' jurisdiction. Run that link through sufficient obscuration methods and it might become impossible to find out precisely who has that key and where they're located, or at least extremely difficult and time-consuming.

    • Well, they could be rigged in such a way that NOBODY, not even the rightful owner, could decrypt the data garbage on them anymore.

      The question is, what ISP would do that? After all, they'd pretty much kill their own business model that way. So, they will buy new HDs, restore from backups and go on with their lives.

    • by ciabs (1972918)
      I could do it with a DRILL and a large rubber band, the DRILL(s) plural? would be aimed at the DRIVE with a large rubber band holding the pressure, then if the cover is removed without disabling the security switch, the drill(s) plural? would start drilling (The drills would be on battery not on mains). Afterwards only an electron microscope would be useful.
    • Obligatory:

      http://xkcd.com/538/ [xkcd.com]

    • a) You can feed fake data to a GPS receiver, or fake receiver data to the running computer.
      b) Moving a running machine from a wall outlet to a portable power supply is not hard. Think about the problem for more than two minutes and let me know what you come up with. :)

    • by cronius (813431)

      A fairly simple solution would be to use a large encryption key that only existed offsite (and offline), so that whenever the power goes, you have no way of decrypting without the key.

      That means you have to physically show up at the data center whenever the power goes (cumbersome), but with uptimes these days that shouldn't be a problem.

      If the police get a warrant and come home to your house by surprise, you better have a plan for that though. If you're really paranoid you probably could get a hold of "pa

      • by Geminii (954348)
        Depending on the paranoia level, it shouldn't be too hard to rig up what looks like a standard home PC or server room (depending on requirements) tricked out so that several standard confiscation or takeover actions result in a silent, invisible datapocalypse or disks full of slightly encrypted junk data.
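
The split-key custody idea raised in the comments above (a passphrase on site plus a key share held off-site that can be scrambled), as an added example that is not part of the original thread. The function names, the header layout and the PBKDF2 parameters are assumptions made for illustration; the volume key would only ever exist in RAM.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit volume key


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def local_share(passphrase: str, salt: bytes) -> bytes:
    # On-site share: derived from the passphrase; the salt is public and lives on disk.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=KEY_LEN)


def provision(passphrase: str):
    """Create a volume key. Returns (on_disk_header, offsite_share, volume_key)."""
    salt = secrets.token_bytes(16)
    volume_key = secrets.token_bytes(KEY_LEN)
    # volume_key = local_share XOR offsite_share, so neither share alone reveals it.
    offsite = _xor(volume_key, local_share(passphrase, salt))
    check = hmac.new(volume_key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "check": check}, offsite, volume_key


def scramble() -> bytes:
    # What the off-site custodian does to revoke access: replace the share with noise.
    return secrets.token_bytes(KEY_LEN)


def unlock(header: dict, passphrase: str, offsite):
    """Rebuild the volume key from both shares; None if either one is missing or wrong."""
    if offsite is None:  # drives removed from the site: no off-site share available
        return None
    candidate = _xor(offsite, local_share(passphrase, header["salt"]))
    tag = hmac.new(candidate, b"key-check", hashlib.sha256).digest()
    return candidate if hmac.compare_digest(tag, header["check"]) else None


if __name__ == "__main__":
    hdr, share, key = provision("constructed passphrase")  # constructed sample input
    print("both shares:      ", unlock(hdr, "constructed passphrase", share) == key)
    print("disk + passphrase:", unlock(hdr, "constructed passphrase", None))
    print("share scrambled:  ", unlock(hdr, "constructed passphrase", scramble()))
```

Because the off-site share is 256 bits of random data, holding the disk header and the correct passphrase still leaves the volume key undetermined, which is the property the thread is asking for.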
  • From TFA:

    Kopierte hele harddisken i jakten på to brukere
    Copied the entire hard disk in the hunt for two users

    Apparently, the Norwegian politi doesn't know regular expressions. See http://xkcd.com/208/ [xkcd.com]

  • It's nice to see that our police force already wants to protect law-abiding citizens' rights in the search for criminals, now that the data retention directive will most likely be implemented in Norway as well.
  • The Norwegian police were asked by the Italian police to retrieve this data. The Norwegian police are eager to comply with requests from foreign police, as they themselves may need that kind of help abroad later. The loophole is that apparently no Norwegian court is involved in the decision and Norwegian laws are not consulted.

    The bottom line is that you are not protected by your own country's laws when it comes to confiscating data. It's enough that someone in one of a hundred countries can get a police offi

  • Disclaimer: Can't read Norwegian and the translation is blocked at work for some reason.

    So if the disk was part of a RAID 5 system the cops would have been screwed? If they only took 1 hard disk...
