The recent deep fake by the mayor of Kiev – the unforgettable world heavyweight champion Vitali Klitschko – has had a great deal of coverage in the media and deserves to be analyzed from the perspective of the victims. The justification for having fallen into the deception is all in the words of the mayor of Berlin: “There were no elements to realize that the videoconference was not with a real person”. This sentence, almost dropped by chance, is actually the heart of a problem that has been known for over twenty years and rigorously neglected by the institutions: that of the reliability of the information stored in and conveyed through a computer. To this is added another, more or less contemporary: the substantial loss of centrality of the concept of legal identity due to the way in which the digital signature was conceived first and then the SPID to which the role of pillars is also attributed of the Italian “digitization”.
Illegal content and respect for rights, too many problems to solve
by Andrea Monti
Computer forensics, this unknown
I was probably the first – readers will forgive the autobiographical note – to pose in criminal trials the theme of the way in which the police and the judiciary related to computer evidence. It was the early 90s and, as I told together with Stefano Chiccarelli in Spaghetti Hacker, things never seen happened during the Italian Crackdown: mouse and keyboard hijackings justified by the sentences as “appurtenances”, that is “things related” to computers, hard drives simply disassembled and taken away, without any caution and many other “horrors”. Then, in 2002, I had to face a case that ended with the “historic” ruling on “attempted online defamation” against a bank. The author was definitively condemned by the Criminal Cassation, but considered not defamatory by the civil one. The judge of first instance gave proof of the printing of the pages of a website carried out by a technician under the control of a judicial police officer, who however had no idea what was happening. But that’s okay. In 2005 I was faced with the Vjierika case, the first Italian trial for the spread of viruses, and the criminal court of Bologna established, in summary, that it is not up to the prosecution to guarantee that digital data seized without any caution to make them unalterable are “proof “. Instead, it is up to the defense, the judge believed, to prove that there has been some change after the moment in which the data left the suspect’s availability.
Social
Facebook, Twitter and TikTok adhere to the new EU rules against fake news
In reality, over the years, there have also been some sentences more attentive to the importance of the technological components of an investigation. In three cases I found interlocutors more sensitive to these issues. In 2004 the Civitavecchia Criminal Court decided that when sending material by undercover agents it was necessary to take adequate precautions to be sure that what was sent corresponded to what was actually received. In 2005 the court of Chieti decided that the access logs had to be acquired by the investigators and not simply “requested” from the internet provider, while in 2006 the criminal court of breaking latest news did not consider the simple printing of a site performed by the judicial police to be “proof”. Few swallows, however, do not make a spring and to date there have been many more sentences based on a “substantive” approach that overcomes the questions on the technical aspects related to the way in which a file was found, acquired and analyzed. It has come to the point of not even deeming it necessary to ascertain the actual identity of those who connected to a social profile to publish illegal content or, as the first section of the Criminal Cassation held with sentence 3591/22, to attribute value to a simple screen-shot.
Misinformation monitor
From Covid to Ukraine, the important thing is to disinform: fake news sites on the pandemic now talk about war
curated by Alex Cadier
The reasons for this “orientation” of jurisprudence are quite evident: “compensate” for the scarcity of personnel, skills and resources, prevent investigations and processes from ending in nothing due to IT “technicalities” and, at times, not embark on the study of topics objectively complex for those who do not belong to the sector. Yet the alarms were useless not so much by criminal lawyers – always suspected of “private interest” when they talk about the right of defense – but by digital forensics experts who have always warned against over-trusting what is on a computer or which is presented as “computer evidence”.
Reality, Perception, Identity
Having ignored for decades the importance of data security in terms of their integrity and reliability and having legitimized the irrelevance of the issue through the courts has led to the widespread and wrong belief that everything circulating online can be considered good. Therefore, on the basis of the unspoken but ubiquitous principle according to which “if it seems, then it is”, the equivalence between “physical contact” reality and – as Neal Stephenson wrote in 1999 – reality experienced through an interface is no longer in discussion. So much so that “cybersecurity” – the conference-academic-journalistic fashion of the moment – is essentially perceived as “protection from hackers and ransomware” and much less as anything else.
Of course, at least on paper there is talk everywhere about the importance of guaranteeing certainty to the data and identity of those involved in the exchanges that concern them. The useless and bureaucratic regulation for the protection of personal data imposes obligations as stringent as they are inapplicable in this sense, the equally confused legislation on digital signature serves to prevent the author of a file from disregarding its content and the Pec attributes presumed value to the identity of the sender (but, among other things, only if the address is published in certain registers).
In fact, however, the needs of the “information society” cannot be subjected to the “slowdowns” of old-fashioned legal quirks. Everything has to go fast, so fast that the sprinters don’t even realize where they are going. Like the digital signature and the PEC, SPID also works substantially by delegating the “certification” of individual identity to private subjects. However, SPID is not only used to identify a person but also allows you to “sign” contracts with full legal value. It will also be convenient, but we must always consider that the attribution of legal value to this “private certification” “reverses the burden of proof”. It puts on the user’s shoulders the obligation to prove that it was not he who made a specific transaction. Faced with such serious consequences, one would expect the state to maintain absolute and exclusive control over the remote identification of citizens, but this is not the case.
Who needs an identity card?
Thus, Amazon revolutionizes the world of remote contracts using (brilliantly) the credit card as a substitute for the identity card. I don’t need a “copy of the document”: if you have a credit card it means that whoever gave it to you has already struggled to know who you are. You exist if – or why – you can spend.
The process of identity privatization accelerates with the spread of mobile telephony. A number should only be given after the holder has been identified. In fact, however, this happens simply by presenting a document of which the phone shop clerk cannot verify the originality. SIM Swap attacks multiplied until at the end of 2021 – better late than never – Agcom decided to intervene.
During the pandemic, the green pass replaced the identity document because personal identification had assumed a secondary importance: I don’t want to know who you are, but if you are in a certain condition. The rest is not relevant (and, so as not to neglect anything, the digital signatures of customers have been lost, which, in reality, are in the hands of the professionals who assist them and who “sign” in their stead).
This process, which began a long time ago, has changed the function of identification from a legal tool to verify the identity of an individual to a tool to understand if the credential holder can or cannot do certain things (buy, access a public service, exercise a right) regardless who he actually is.
Conclusions
It may also be considered unhistorical to ask such questions when the world has now gone somewhere else. However, the issue of identity and its legal attribution has been too hastily put aside, even in the name of a misunderstood right to “absolute” anonymity. Even Stefano Rodotà spoke of “protected anonymity” demonstrating that some form of guarantee is needed on the relationship between oline appearance and physical substance: the problem is to understand who has to provide it. The choice was to move towards an overall privatization of the system, in which the state will also maintain formal sovereignty, but does not exercise any substantive role.
And therefore, to close the circle, if for decades we have been told that what appears on a computer screen is intrinsically true, that we don’t have to worry too much about “technical stuff” and that we can be or not be whoever we want. , as long as there is someone else who says it, how can we be surprised that a politician or a public administrator is misled by a deep fake?
It could be answered that in the Klitschko case all this reasoning does not work because we are faced with a hostile act committed by foreign subjects in the context of a wider conflict and which does not concern the Italian jurisdiction. It could also be said that someone who works in another profession cannot be expected to possess the technical skills to recognize this type of action.
Apart from the fact that next time the target could be an Italian politician (able to speak English, of course), the theme is that of superficiality in the use of interactive electronic communication. If the real “fake Klitschko” had presented himself in person at the gates of the Rotes Rathaus, he would have had several obstacles to overcome, not least those of the ceremonial, even before those relating to safety. The induction to think of online communication as something “smart”, on the other hand, lets our guard down because everything is as it appears. And that the “security experts” stop with all this emphasis on training and the importance of having people capable of preventing, detecting and blocking attacks of various kinds. On the other hand, we are only in front of a computer screen, right?