The Screen Bubble - Jordan Brown interviews Katina Michael

So what do I see? I see little tiny cameras in everyday objects, we’ve already been speaking about the Internet of Things—the web of things and people—and these individual objects will come alive once they have a place via IP on the Internet. So you will be able to speak to your fridge; know when there is energy being used in your home; your TV will automatically shut off when you leave the room. So all of these appliances will not only be talking with you, but also with the suppliers, the organisations that you bought these devices from. So you won’t have to worry about warranty cards; the physical lifetime of your device will alert you to the fact that you’ve had this washing machine for two years, it requires service. So our everyday objects will become smart and alive, and we will be interacting with them. So it’s no longer people-to-people communications or people-to-machine, but actually the juxtaposition of this where machines start to talk to people.

Read More

Big Data's Big Unintended Consequences


marcus wigan.jpg

Businesses and governments exploit big data without regard for issues of legality, data quality, disparate data meanings, and process quality. This often results in poor decisions, with individuals bearing the greatest risk. The threats harbored by big data extend far beyond the individual, however, and call for new legal structures, business processes, and concepts such as a Private Data Commons. The Web extra at is a video in which author Marcus Wigan expands on his article "Big Data's Big Unintended Consequences" and discusses how businesses and governments exploit big data without regard for issues of legality, data quality, disparate data meanings, and process quality. This often results in poor decisions, with individuals bearing the greatest risk. The threats harbored by big data extend far beyond the individual, however, and call for new legal structures, business processes, and concepts such as a Private Data Commons.

Citation: "Big Data's Big Unintended Consequences", Computer (Volume: 46, Issue: 6, June 2013), pp. 46 - 53, 07 June 2013, DOI: 10.1109/MC.2013.195

Corporate Governance of Big Data: Perspectives on Value, Risk, and Cost


Prof Paul Tallon

Prof Paul Tallon

Finding data governance practices that maintain a balance between value creation and risk exposure is the new organizational imperative for unlocking competitive advantage and maximizing value from the application of big data. The first Web extra at is a video in which author Paul Tallon expands on his article "Corporate Governance of Big Data: Perspectives on Value, Risk, and Cost" and discusses how finding data governance practices that maintain a balance between value creation and risk exposure is the new organizational imperative for unlocking competitive advantage and maximizing value from the application of big data. The second Web extra at is a video in which author Paul Tallon discusses the supplementary material to his article "Corporate Governance of Big Data: Perspectives on Value, Risk, and Cost" and how projection models can help individuals responsible for data handling plan for and understand big data storage issues.

Citation: Paul Tallon, Computer (Volume: 46, Issue: 6, June 2013), pp. 32 - 38, Date of Publication: 23 May 2013, DOI: 10.1109/MC.2013.155.

Public Policy Considerations for Data-Driven Innovation


Jess Hemerly from Google, Inc.

Jess Hemerly from Google, Inc.

To achieve the maximum benefits from data-driven innovation, policymakers must take into account the possibility that regulation could preclude economic and societal benefits. The proposed framework for policy discussions examines three main areas of policy interest: privacy and security, ownership and transfer, and infrastructure and data civics. The Web extra at is a video in which author Jess Hemerly expands on her article "Public Policy Considerations for Data-Driven Innovation," in which she discusses how regulation could preclude some of the economic and societal benefits of data-driven innovation.

Citation: Jess Hemerly, "Public Policy Considerations for Data-Driven Innovation", Computer (Volume: 46, Issue: 6, June 2013), pp. 25 - 31, Date of Publication: 13 May 2013, DOI: 10.1109/MC.2013.186

Roger Clarke - the Privacy Expert

In 1971, I was working in the (then) computer industry, and undertaking a 'social issues' unit towards my degree.  A couple of chemical engineering students made wild claims about the harm that computers would do to society.  After spending time debunking most of what they said, I was left with a couple of points that they'd made about the impact of computers on privacy that were both realistic and serious.  I've been involved throughout the four decades since then, as consultant, as researcher and as advocate.

Read More

Big Data in Neonatal Intensive Care

Carolyn McGregor discussing neonatal issues with a doctor at UOIT.

Carolyn McGregor discussing neonatal issues with a doctor at UOIT.

The effective use of big data within neonatal intensive care units has great potential to support a new wave of clinical discovery, leading to earlier detection and prevention of a wide range of deadly medical conditions. The Web extra at is a video in which author Carolyn McGregor expands on her article "Big Data in Neonatal Intensive Care" and discusses how the effective use of big data within neonatal intensive care units has great potential to support a new wave of clinical discovery, leading to earlier detection and prevention of a wide range of deadly medical conditions.

Citation: Carolyn McGregor, Computer (Volume: 46, Issue: 6, June 2013), pp. 54 - 59, Date of Publication: 03 May 2013, Print ISSN: 0018-9162, DOI: 10.1109/MC.2013.157


Transforming Big Data into Collective Awareness


Professor Jeremy Pitt

Professor Jeremy Pitt

Integrating social and sensor networks can transform big data, if treated as a knowledge commons, into a higher form of collective awareness that can motivate users to self-organize and create innovative solutions to various socioeconomic problems. The Web extra at is a video in which author Jeremy Pitt expands on his article "Transforming Big Data into Collective Awareness" and discusses how integrating social and sensor networks can transform big data, if it's treated as a knowledge commons, into a higher form of collective awareness that can motivate users to self-organize and create innovative solutions to various socioeconomic problems.

Citation: Jeremy Pitt, "Transforming Big Data into Collective Awareness", Computer (Volume: 46, Issue: 6, June 2013), pp. 40 - 45, 29 April 2013, DOI: 10.1109/MC.2013.153

Wendy Syfret of VICE Australia interviews Katina Michael

Wendy Syfret now Head of Verticals at VICE Media

Wendy Syfret now Head of Verticals at VICE Media

WS: The upsides of these technologies are clear, and shown to us everyday, what are some of the downsides that people may not be considering fully?

  • Cybercrime, illegal material gathering
  • Trust, relationships
  • Privacy, secrecy
  • Covert surveillance, human rights
  • Uberveillance, information manipulation- misrepresentation of data- misinterpretation; context is missing
  • Much more...

WS: Why is it important for people to be aware of their relationship and dependence of technology?

KM: There comes a point where one needs to question whether they are being enslaved by technology or liberated by it. Human autonomy is a quality that makes our life free and grants us the ability to make decisions for ourselves. Some people take breaks away from technology to "live off the grid" by consciously turning off their mobile phones or not taking their laptop with them when they travel for leisure. There are unforeseen consequences when we strap technology to our bodies- and here I am not simply referring to belt buckle smart phone clips on, but full blown wearable technologies, some of these even head-mounted. What happens when we forget technology is even "there" and actively recording the space around us? We may not be impacting our own self, but the camera may be encroaching on the human rights of others. We can argue that this is how CCTV works- that most of us forget it is even on and present- but then wearables are overseen by their wearer, by individuals who may choose to do what they wish with the captured footage and are not regulated by acceptable use policies or procedures.

WS: What are some of the fears that surround physically embracing new technologies and allowing them to join with us?

KM: I wouldn't so much call them fears but unintended consequences. When we put on these technologies do we become a piece of technology ourselves? What does that mean for life-long dependencies? Do we lose our freedom? Are we subjugating ourselves to a life of upgrades? What happens when we wish to take off the camera but feel we cannot because of health repercussions like the focus of our eyes (or even mind) with respect to digital glass. Do we become so enthralled in the online world that we forget about offline functions, like eating and going to the toilet? What kinds of addictions might this new technology ignite? We won't know the answers to some of these questions for some time but we can definitely anticipate some of the major concerns that might eventuate through scenario-based planning.

WS: What are some of the risks if these technologies are misused?

KM: All technologies can be misused. Some technologies however come endowed with intrinsic inherent functionality that lend themselves to greater human risks than others. A table is a piece of technology I use to write letters on, it can be hurled at someone to cause physical harm but that is perhaps the limits of its utility. New technologies that are more complex pieces of innovation are not just products but embedded in processes. The more advanced the technologies the more the harm might be psychological and not just physical. We can learn a great deal from case law- just last month there was an Australian case of how a GPS device was strapped onto a vehicle of a victim by a stranger to stalk them in order to learn about their precise movements. The heinous crime is described here: Now I do not wish to extend the analogy here at all- but crimes against the person proliferate, and these technologies might be misused in any number of ways. I have gone on record previously as stating the issues as follows:-- "one can quickly imagine this new technology being misused by cybercriminals- namely for crimes against the person. In effect, we are providing a potential capability to share visual surveillance in real-time with people in underground networks of all sorts- for the distribution of child pornography, for grooming, cyberstalking, voyeurism and even for corporate fraud where "the computer" is the ultimate target." Before too long, direct visual evidence captured might even be used to render an insurance policy void- whether it has to do with rehabilitation, life insurance or any other aspect of life.

WS: Is there any work or proposed work at the moment in these fiels that worry you?

KM: At the moment my primary concern has to do with how people might react to wearers of this technology after the novelty effect wears off.

See "veillance"  community G+ group.

“I am getting not so excited (uncomfortable) looks in public toilets when I pony up to the urinal wearing Google Glass.”
— Brandon Allgood

KM: This reminds me of the alleged repercussions of Mann wearing his camera at a McDonalds store in France.

Please also read the issue with people accepting the "video evidence" in place of eyewitness accounts or otherwise. Supposedly direct evidence cannot lie- but in my opinion the wearer is in control of their point of eye and what they choose to record or not to record. See this blogpost:

I also hold grave concerns for how Google Glass will affect minors, especially children in general:

The abuses of Digital Glass, at least in the first few months by trial participants won't show the ugly side of wearable recording. No one exploring the ugly side of Glass is going to post up their video of a heinous application-- they will for the present go undetected.

Aside: Simply the difference between a handheld recording device and a body worn recording device is that you have two hands free in the latter case.

WS: If you allow me to be dramatic, what's the worst thing that could happen if people totally embrace the melding between humans as we know it and these technologies?

KM: We become something other than human and we lose our ability to differentiate between reality and augmediated reality. In essence we lose control over our decision making processes either because we cannot distinguish what is real and what is not or because we cannot transition between the online and offline world. We become like a vinyl record which has been scratched with an inability to move on.

It is cute when people paint a picture of Digital Glass as being able to help us recollect memories and the like- but actually in the real world why would people wish to make records of ultra painful moments in their life? Is it healthy to replay moments of suffering, wrong doings and the like? Does this propel positively the development of an individual human being (either the offender or the sufferer)?

Perhaps there is a potentially ugly side to POV and the glamour of capturing “every moment of your life”... While going through a bitter divorce most people would be inclined to naturally try to move on by deleting or removing images and video footage from sight when for a variety of reasons things just don’t work out. What then to POV if taken in the same way as a reality TV show?

This is true of any relationship- not just marriages... the same can pertain to partnerships, friendships and the like.

There are some who would discount that there is an ugly side to real-time POV... but what next? A break-up video? How I caught you on camera with someone else? The swearing and the shouting captured while the children are crying? The tears that follow and the anguish?

The point I am trying to make is that there is an occasion for all things. A video invitation is a great idea for the happy couple who want a “time capsule” to remember perhaps the most carefree time of their life... something that can be handed down to children as a long-lasting representation of love in the immediate family. But those who tout real-time POV, all the time for every occasion, have to rethink what “always on” REALLY means and the consequences of such an existence.
— Katina Michael

WS: In your opinion, what should people be worried about? Or maybe, looking out for?

KM: People need to think about what it means to record others without their permission whether in a public or private space. Checking in at a location might mean revealing someone's personal information for instance without their permission. We also need to think about the convergence of Digital Glass with social media and other apps out there. We must not be naive about the uses- history has proven time and time again- early adopters of new technologies will exploit them in ways that were never intended and not beneficial to society. The problem with unleashing a technology that has no real obvious utility is that we are letting the imagination stretch- that might be great for app building and creative industries- but also might be ugly with respect to negative uses. We like to read about novel applications and "benefits to humanity" stories but don't like to venture into stories of abuse.

We often forget about the asymmetry that comes with new innovations, or belittle the side effects as being applicable to the unlucky few and teething problems of a prototype. Tell that to the mother of a teenager who has committed suicide after her partner has uploaded comprising video/images to the Internet that have subsequently gone viral.  Just one of many cases which are tragic- The point here is not that the attackers would not have done what they did without a smartphone to take pictures of the attack but that in the future we will simply see more explicit evidence. Our acts might be seen as a part of a reality tv show, but wearers might not realise the repercussions of their actions in the physical world.

We need to introduce adequate policies within for instance the educational use of digital glass, the workplace use of digital glass, and need to educate consumers using scenarios about when it might or might not be appropriate to turn on glass. The other issue has to do with legislation. Wearers might find themselves in conflict with the law and they need to know their rights but also when they are breaking the law by their actions. In this case, one size does NOT fit all.

WS: You mentioned Francis Fukuyama calling these some of the worlds most dangerous ideas, what does that mean?

KM: It has to do with the nature of control and surveillance. Fukuyama looks at the impact of drones and their consequences. You will find his work quoted in many places- he is a political scientist at Stanford University.

WS: Could these technologies fall into the "wrong hands"?

KM: Sure they can. Imagine a crowd full of people wearing Glass and recording- now imagine trying to capture someone who is conducting covert surveillance? A bit of an oxymoron. This leads to the privatisation of intelligence gathering (spy agencies not of that given State). I have written a blogpost talking about human drones-- wearers of cameras that act like drones, being paid potentially to gather first-person video up and down public streets- for applications in retail among many others.

WS: What could the consequences of those be?

KM: We lose our trust in social structures where we have previously felt safe. This breaks down the very fibres that make society work. There is an immediate chilling effect- people, especially those suffering from mental illness will find it difficult to venture out into "safe" zones for fear of being recorded or otherwise.

WS: Are people ignorant to the changing world around them?

KM: I think for the greater part people are aware of the rapid changes happening via new technologies but feel powerless as to what to do about it. They also do not have time to sit and think about the implications of policies they have agreed to because things move at webspeed and no sooner have they adopted one technology than they are barraged with even newer technologies to "try and buy". It is an endless spiral- we have to have the latest gadget these days, or be on board the latest social media app making waves or we simple aren't with it etc. Ask most technology developers/providers these days and they will sell you the story that new technologies will enable you to be empowered. Yes, I agree, if used the right way you can certainly apply new technology for good, to help in time management, for reflection, for knowledge discovery and knowledge sharing. But these new technologies are also changing the dynamics between how people communicate, engage one another, and belong to a group or community, at times detrimentally, lending themselves to anti-social behaviours either deliberately or through negligence.

Where will all this data be stored? Who will have access to it? What are individual privacy rights? Intellectual property rights? Do we "YouTubify" our life? How does that profit us? What are the risks of the new PersonView world? What next? Implantable cameras? * here is a patent by Steve Mann in 2000 on the implantable camera--

Are we thus beckoning forth an uberveillance society? Always on implantables? Big brother on the inside looking out?

Dan DeFilippi - Credit Card Fraud: Behind the Scenes

Katina Michael: Dan, let’s start at the end of your story which was the beginning of your reformation. What happened the day you got caught for credit card fraud?

Dan DeFilippi: It was December 2004 in Rochester, New York. I was sitting in my windowless office getting work done, and all of a sudden the door burst open, and this rush of people came flying in. “Get down under your desks. Show your hands. Hands where I can see them.” And before I could tell what was going on, my hands were cuffed behind my back and it was over. That was the end of that chapter of my life.

Katina Michael: Can you tell us what cybercrimes you committed and for how long?

Dan DeFilippi: I had been running credit card fraud, identity theft, document forgery pretty much as my fulltime job for about three years, and before that I had been a hacker.

Katina Michael: Why fraud? What led you into that life?

Dan DeFilippi: Everybody has failures. Not everybody makes great decisions in life. So why fraud? What led me to this? I mean, I had great parents, a great upbringing, a great family life. I did okay in school, and you know, not to stroke my ego too much, but I know I am intelligent and I could succeed at whatever I chose to do. But when I was growing up, one of the things that I’m really thankful for is my parents taught me to think for myself. They didn’t just focus on remembering knowledge. They taught me to learn, to think, to understand. And this is really what the hacker mentality is all about. And when I say hacker, I mean it in the traditional sense. I don’t mean it as somebody in there stealing from your company. I mean it as somebody out there seeking knowledge, testing the edges, testing the boundaries, pushing the limits, and seeing how things work. So growing up, I disassembled little broken electron­ics and things like that, and as time went on this slowly progressed into, you know, a so-called hacker.

Katina Michael: Do you remember when you actually earned your first dollar by conducting cybercrime?

Dan DeFilippi: My first experience with money in this field was towards the end of my high school. And I realized that my electronics skills could be put to use to do something beyond work. I got involved with a small group of hackers that were trying to cheat advertising systems out of money, and I didn’t even make that much. I made a couple of hundred dollars over, like, a year or something. It was pretty much insignificant. But it was that experience, that first step, that kind of showed me that there was something else out there. And at that time I knew theft and fraud was wrong. I mean, I thought it was stealing. I knew it was stealing. But it spiraled downwards after that point.

Katina Michael: Can you elaborate on how your thinking developed towards earn­ing money through cybercrime?

Dan DeFilippi: I started out with these little things and they slowly, slowly built up and built up and built up, and it was this easy money. So this initial taste of being able to make small amounts, and eventually large amounts of money with almost no work, and doing things that I really enjoyed doing was what did it for me. So from there, I went to college and I didn’t get involved with credit card fraud right away. What I did was, I tried to find a market. And I’ve always been an entrepreneur and very business-minded, and I was at school and I said, “What do people here need? ... I need money, I don’t really want to work for somebody else, I don’t like that.” I realized people needed fake IDs. So I started selling fake IDs to college students. And that again was a taste of easy money. It was work but it wasn’t hard work. And from there, there’s a cross-over here between forged documents and fraud. So that cross-over is what drew me in. I saw these other people doing credit card fraud and mak­ing money. I mean, we’re talking about serious money. We’re talking about thousands of dollars a day with only a few hours of work and up.

Katina Michael: You strike me as someone who is very ethical. I almost cannot imagine you committing fraud. I’m trying to understand what went wrong?

Dan DeFilippi: And where were my ethics and morals? Well, the problem is when you do something like this, you need to rationalize it, okay? You can’t worry about it. You have to rationalize it to yourself. So everybody out there commit­ting fraud rationalizes what they’re doing. They justify it. And that’s just how our brains work. Okay? And this is something that comes up a lot on these online fraud forums where people discuss this stuff openly. And the question is posed: “Well, why do you do this? What motivates you? Why, why is this fine with you? Why are you not, you know, opposed to this?” And often, and the biggest thing I see, is like, you know, the Robin Hood scenario- “I’m just stealing from a faceless corporation. It’s victimless.” Of course, all of us know that’s just not true. It impacts the consumers. But everybody comes up with their own reason. Everybody comes up with an explanation for why they’re doing it, and how it’s okay with them, and how they can actually get away with doing it.

Katina Michael: But how does a sensitive young man like you just not realize the impact they were having on others during the time of committing the crimes?

Dan DeFilippi: I’ve never really talked about that too much before... Look the aver­age person when they know they’ve acted against their morals feels they have done wrong; it’s an emotional connection with their failure and emotionally it feels negative. You feel that you did something wrong no one has to tell you the crime type, you just know it is bad. Well, when you start doing these kinds of crimes, you lose that discerning voice in your head. I was completely dis­connected from my emotions when it came to these types of fraud. I knew that they were ethically wrong, morally wrong, and you know, I have no interest in committing them ever again, but I did not have that visceral reaction to this type of crime. I did not have that guilty feeling of actually stealing something. I would just rationalize it.

Katina Michael: Ok. Could I ask you whether the process of rationalization has much to do with making money? And perhaps, how much money did you actu­ally make in conducting these crimes?

Dan DeFilippi: This is a pretty common question and honestly I don’t have an answer. I can tell you how much I owe the government and that’s ... well, I suppose I owe Discover Card ... I owed $209,000 to Discover Card Credit Card Company in the US. Beyond that, I mean, I didn’t keep track. One of the things I did was, and this is kind of why I got away with it for so long, is I didn’t go crazy. I wasn’t out there every day buying ten laptops. I could have but chose not to. I could’ve worked myself to the bone and made millions of dollars, but I knew if I did that the risk would be significantly higher. So I took it easy. I was going out and doing this stuff one or two days a week, and just living comfortably but not really in major luxury. So honestly, I don’t have a real figure for that. I can just tell you what the government said.

Katina Michael: There is a perception among the community that credit card fraud is sort of a non-violent crime because the “actor” being defrauded is not a person but an organization. Is this why so many people lie to the tax office, for instance?

Dan DeFilippi: Yeah, I do think that’s absolutely true. If we are honest about it, everyone has lied about something in their lifetime. And people... you’re right, you’re absolutely right, that people observe this, and they don’t see it in the big picture. They think of it on the individual level, like I said, and people see this as a faceless corporation, “Oh, they can afford it.” You know, “no big deal”. You know, “Whatever, they’re ripping off the little guy.” You know. People see it that way, and they explain it away much easier than, you know, somebody going off and punching someone in the face and then proceeding to steal their wallet. Even if the dollar figure of the financial fraud is much higher, people are generally less concerned. And I think that’s a real problem because it might entice some people into committing these crimes because they are considered “soft”. And if you’re willing to do small things, it’s going to, as in my case, eventually spiral you downwards. I started with very small fraud, and then got larger. Not that everybody would do that. Not that the police officer taking the burger for free from Burger King is going to step up to, you know, to extortion or something, but certainly it could, could definitely snowball and lead to something.

Katina Michael: It has been about 6 years since you were arrested. Has much has changed in the banking sector regarding triggers or detection of cybercriminal acts?

Dan DeFilippi: Yeah. What credit card companies are doing now is pattern match­ing and using software to find and root out these kind of things. I think that’s really key. You know, they recognize patterns of fraud and they flag it and they bring it out. I think using technology to your advantage to identify these patterns of fraud and investigate, report and root them out is probably, you know, one of the best techniques for dollar returns.

Katina Michael: How long were you actually working for the US Secret Service, as a matter of interest? Was it the length of your alleged, or so-called prison term, or how did that work?

Dan DeFilippi: No. So I was arrested early December 2004. I started working with the Secret Service in April 2005, so about six months later. And I worked with them fulltime almost for two years. I cut back on the hours a little bit towards the end, because I went back to university. But it was, it was almost exactly two years, and most of it was fulltime.

Katina Michael: I’ve heard that the US is tougher on cybercrime relative to other crimes. Is this true?

Dan DeFilippi: The punishment for credit card fraud is eight-and-a-half years in the US.

Katina Michael: Do these sentences reduce the likelihood that someone might get caught up in this kind of fraud?

Dan DeFilippi: It’s a contested topic that’s been hotly debated for a long time. And also in ethics, you know, it’s certainly an interesting topic as well. But I think it depends on the type of person. I wasn’t a hardened criminal, I wasn’t the fella down on the street, I was just a kid playing around at first that just got more serious and serious as time went on. You know, I had a great upbring­ing, I had good morals. And I think to that type of person, it does have an impact. I think that somebody who has a bright future, or could have a bright future, and could throw it all away for a couple of hundred thousand dollars, or whatever, they recognize that, I think. At least the more intelligent people recognize it in that ... you know, “This is going to ruin my life or potentially ruin a large portion of my life.” So, I think it’s obviously not the only deterrent but it can certainly be useful.

Katina Michael: You note that you worked alone. Was this always the case? Did you recruit people to assist you with the fraud and where did you go to find these people?

Dan DeFilippi: Okay. So I mainly worked alone but I did also work with other people, like I said. I was very careful to protect myself. I knew that if I had partners that I worked with regularly it was high risk. So what I did was on these discussion forums, I often chatted with people beyond just doing the credit card fraud, I did other things as well. I sold fake IDs online. I sold the printed cards online. And because I was doing this, I networked with people, and there were a few cases where I worked with other people. For example, I met somebody online. Could have been law enforcement, I don’t know. I would print them a card, send it to them, they would buy something in the store, they would mail back the item, the thing they bought, and then I would sell them online and we would split the money 50/50.

Katina Michael: Was this the manner you engaged others? An equal split?

Dan DeFilippi: Yes, actually, exactly the same deal for instance, with the person I was working with in person, and that person I met through my fake IDs. When I had been selling the fake IDs, I had a network of people that resold for me at the schools. He was one of the people that had been doing that. And then when he found out that I was going to stop selling IDs, I sort of sold him my equipment and he kind of took over. And then he realized I must have something else going on, because why would I stop doing it, it must be pretty lucrative. So when he knew that, you know, he kept pushing me. “What are you doing? Hey, I want to get involved.” And this and that. So it was that person that I happened to meet in person that in the end was my downfall, so to speak.

Katina Michael: Did anyone, say a close family or friend, know what you were doing?

Dan DeFilippi: Absolutely not. No. And I, I made it a point to not let anyone know what I was doing. I almost made it a game, because I just didn’t tell anybody anything. Well, my family I told I had a job, you know, they didn’t know... but all my friends, I just told them nothing. They would always ask me, you know, “Where do you get your money? Where do you get all this stuff?” and I would just say, “Well, you know, doing stuff.” So it was a mystery. And I kind of enjoyed having this mysterious aura about me. You know. What does this guy do? And nobody ever thought it would be anything illegitimate. Everybody thought I was doing something, you know, my own webs ites, or maybe thought I was doing something like pornography or something. I don’t know. But yeah, I definitely did not tell anybody else. I didn’t want anybody to know.

Katina Michael: What was the most outrageous thing you bought with the money you earned from stolen credit cards?

Dan DeFilippi: More than the money, the outrageous things that I did with the cards is probably the matter. In my case the main motivation was not the money alone, the money was almost valueless to a degree. Anything that anyone could buy with a card in a store, I could get for free. So, this is a mind-set change a fraudster goes through that I didn’t really highlight yet. But money had very little value to me, directly, just because there was so much I could just go out and get for free. So I would just buy stupid random things with these stolen cards. You know, for example, the case where I actually ended up leading to my arrest, we had gone out and we had purchased a laptop before that one that failed, and we bought pizza. You know? So you know, a $10 charge on a stolen credit card for pizza, risking arrest, you know, for, for a pizza. And I would buy stupid stuff like that all the time. And just because I knew it, I had that experience, I could just get away with it mostly.

Katina Michael: You’ve been pretty open with interviews you’ve given. Why?

Dan DeFilippi: It helped me move on and not to keep secrets.

Katina Michael: And on that line of thinking, had you ever met one of your victims? And I don’t mean the credit card company. I actually mean the individual whose credit card you defrauded?

Dan DeFilippi: So I haven’t personally met anyone but I have read statements. So as part of sentencing, the prosecutor solicited statements from victims. And the mind-set is always, “Big faceless corporation, you know, you just call your bank and they just, you know, reverse the charges and no big deal. It takes a little bit of time, but you know, whatever.” And the prosecutor ended up get­ting three or four statements from individuals who actually were impacted by this, and honestly, you know, I felt very upset after reading them. And I do, I still go back and I read them every once in a while. I get this great sinking feeling, that these people were affected by it. So I haven’t actually personally met anyone but just those statements.

Katina Michael: How much of hacking do you think is acting? To me traditional hacking is someone sort of hacking into a website and perhaps downloading some data. However, in your case, there was a physical presence, you walked into the store and confronted real people. It wasn’t all card-not-present fraud where you could be completely anonymous in appearance.

Dan DeFilippi: It was absolutely acting. You know, I haven’t gone into great detail in this interview, but I did hack credit card information and stuff, that’s where I got some of my info. And I did online fraud too. I mean, I would order stuff off websites and things like that. But yeah, the being in the store and playing that role, it was totally acting. It was, like I mentioned, you are playing the part of a normal person. And that normal person can be anybody. You know. You could be a high-roller, or you could just be some college student going to buy a laptop. So it was pure acting. And I like to think that I got reasonably good at it. And I would come up with scenarios. You know, ahead of time. I would think of scenarios. And answers to situations. I came up with techniques that I thought worked pretty well to talk my way out of bad situations. For example, if I was going to go up and purchase something, I might say to the cashier, before they swiped the card, I’d say, “Oh, that came to a lot more than I thought it would be. I hope my card works.” So that way, if something happened where the card was declined or it came up call for authorization, I could say, “Oh yeah, I must not have gotten my payment” or something like that. So, yeah, it was definitely acting.

Katina Michael: You’ve mentioned this idea of downward spiraling. Could you elaborate?

Dan DeFilippi: I think this is partially something that happens and it happens if you’re in this and do this too much. So catching people early on, before this takes effect is important. Now, when you’re trying to catch people involved in this, you have to really think about these kinds of things. Like, why are they doing this? Why are they motivated? And the thought process, like I was saying, is definitely very different. In my case, because I had this hacker background, and I wasn’t, you know, like some street thug who just found a computer. I did it for more than just the money. I mean, it was certainly because of the chal­lenge. It was because I was doing things I knew other people weren’t doing. I was kind of this rogue figure, this rebel. And I was learning at the edge. And especially, if I could learn something, or discover something, some technique, that I thought nobody else was using or very few people were using it, to me that was a rush. I mean, it’s almost like a drug. Except with a drug, with an addict, you’re chasing that “first high” but can’t get back to it, and with credit card fraud, your “high” is always going up. The more money you make, the better it feels. The more challenges you complete, the better you feel.

Katina Michael: You make it sound so easy. That anyone could get into cybercrime. What makes it so easy?

Dan DeFilippi: So really, you’ve got to fill the holes in the systems so they can’t be exploited. What happens is crackers, i.e. criminal hackers, and fraudsters, look for easy access. If there are ten companies that they can target, and your company has weak security, and the other nine have strong security, they’re going after you. Okay? Also, in the reverse. So if your company has strong security and nine others have weak security, well, they’re going to have a field-day with the others and they’re just going to walk past you. You know, they’re just going to skip you and move on to the next target. So you need to patch the holes in your technology and in your organization. I don’t know if you’ve noticed recently, but there’s been all kinds of hacking in the news. The PlayStation network was hacked and a lot of US targets. These are basic things that would have been discovered had they had proper controls in place, or proper security auditing happening.

Katina Michael: Okay, so there is the systems focus of weaknesses. But what about human factor issues?

Dan DeFilippi: So another step to the personnel is training. Training really is key. And I’m going to give you two stories, very similar but with totally different outcomes, that happened to me. So a little bit more about what I used to do frequently. I would mainly print fake credit cards, put stolen data on those cards and use them in store to go and purchase items. Electronics, and things like that, to go and re-sell them. So ... and in these two stories, I was at a big- box well-known electronics retailer, with a card with a matching fake ID. I also made the driver’s licenses to go along with the credit cards. And I was at this first location to purchase a laptop. So pick up your laptop and then go through the standard process. And when committing this type of crime you have to have a certain mindset. So you have to think, “I am not committing a crime. I am not stealing here. I am just a normal consumer purchasing things. So I am just buying a laptop, just like any other person would go into the store and buy a laptop.” So in this first story, I’m in the store, purchasing a laptop. Picked it out, you know, went through the standard process, they went and swiped my card. And it came up with a ‘CFA’ – call for authorization. Now, a call for authorization is a case where it’s flagged on the computer and you actually have to call in and talk to an operator that will then verify additional information to make sure it’s not fraud. If you’re trying to commit fraud, it’s a bad thing. You can’t verify this, right? Right? So this is a case where it’s very possible that you could get caught, so you try to talk your way out of the situation. You try to walk away, you try to get out of it. Well, in this case, I was unable to escape. I was unable to talk my way out of it, and they did the call for authorization. They called in. We had to go up to the front of the store, there was a customer service desk, and they had somebody up there call it in and discuss this with them. And I didn’t overhear what they were saying. I had to stand to the side. About five or ten minutes later, I don’t know, I pretty much lost track of time at that point, they come back to me and they said, “I’m sorry, we can’t complete this transaction because your information doesn’t match the information on the credit card account.” That should have raised red flags. That should have meant the worse alarm bells possible.

Katina Michael: Indeed.

Dan DeFilippi: There should have been security coming up to me immediately. They should have notified higher people in the organization to look into the matter. But rather than doing that, they just came up to me, handed me back my cards and apologized. Poor training. So just like a normal consumer, I act surprised and alarmed and amused. You know, and I kind of talked my way out of this too, “You know, what are you talking about? I have my ID and here’s my card. Obviously this is the real information.” Whatever. They just let me walk out of the store. And I got out of there as quickly as possible. And you know, basically walked away and drove away. Poor training. Had that person had the proper training to understand what was going on and what the situation was, I probably would have been arrested that day. At the very least, there would have been a foot-chase.

Katina Michael: Unbelievable. That was very poor on the side of the cashier. And the other story you were going to share?

Dan DeFilippi: The second story was the opposite experience. The personnel had proper training. Same situation. Different store. Same big-box electronic store at a different place. Go in. And this time I was actually with somebody else, who was working with me at the time. We go in together. I was posing as his friend and he was just purchasing a computer. And this time we, we didn’t really approach it like we normally did. We kind of rushed because we’d been out for a while and we just wanted to leave, so we kind of rushed it faster than a normal person would purchase a computer. Which was unusual, but not a big deal. The person handling the transaction tried to upsell, upsell some things, warranties, accessories, software, and all that stuff, and we just, “No, no, no, we don’t ... we just want to, you know, kind of rush it through.” Which is kind of weird, but okay, it happens.

Katina Michael: I’m sure this would have raised even a little suspicion however.

Dan DeFilippi: So when he went to process the transaction, he asked for the ID with the credit card, which happens at times. But at this point the person I was with started getting a little nervous. He wasn’t as used to it as I was. My biggest thing was I never panicked, no matter what the situation. I always tried to not show nervousness. And so he’s getting nervous. The guy’s checking his ID, swipes the card, okay, finally going to go through this, and call for authorization. Same situation. Except for this time, you have somebody here who’s trying to
do the transaction and he is really, really getting nervous. He’s shifting back and forth. He’s in a cold sweat. He’s fidgeting. Something’s clearly wrong with this transaction. Now, the person who was handling this transaction, the person who was trying to take the card payment and everything, it happened to be the manager of this department store. He happened to be well-trained. He happened to know and realize that something was very wrong here. Something
was not right with this transaction. So the call for authorization came up. Now, again, he had to go to the front of the store. He, he never let that credit card and fake ID out of his hands. He held on to them tight the whole time. There was no way we could have gotten them back. So he goes up to the front and he says, “All right, well, we’re going to do this.” And we said, “Okay, well, we’ll go and look at the stock while you’re doing it.” You know. I just sort of tried to play off, and as soon as he walked away, I said, “We need to get out of here.” And we left; leaving behind the ID and card. Some may not realize it as I am retelling the story, but this is what ended up leading to my arrest. They ran his photo off his ID on the local news network, somebody recognized him, turned him in, and he turned me in. So this was an obvious case of good, proper training. This guy knew how to handle the situation, and he not only prevented that fraud from happening, he prevented that laptop from leaving the store. But he also helped to catch me, and somebody else, and shot down what I was doing. So clearly, you know, failing to train people leads to failure. Okay? You need to have proper training. And you need to be able to handle the situation.

Katina Michael: What did you learn from your time at the Secret Service?

Dan DeFilippi: So a little bit more in-depth on what I observed of cybercriminals when I was working with the Secret Service. Now, this is going to be a little aside here, but it’s relevant. So people are arrogant. You have to be arrogant to commit a crime, at some level. You have to think you can get away with it. You’re not going to do it if you can’t, you know, if you think you’re going to get caught. So there’s arrogance there. And this same arrogance can be used against them. Up until the point where I got caught in the story I just told you that led to my arrest, I was arrogant. I actually wasn’t protecting myself as well as I had been, should have been. Had I been investigated closer, had law enforcement being monitoring me, they could have caught me a lot earlier. I left traces back to my office. I wasn’t very careful with protecting my office, and they could have come back and found me. So you can play off arrogance but also ignorance, obviously. They go hand-in-hand. So the more arrogant somebody is, the more risk they’re willing to take. One of the things we found frequently works to catch people was email. Most people don’t realize that email actually contains the IP address of your computer. This is the identifier on the Internet to distinguish who you are. Even a lot of criminals who are very intelligent, who are involved in this stuff, do not realize that email shows this. And it’s very easy. You just look at the source of the email and boom, there you go. You’ve got somebody’s location. This was used countless times, over and over, to catch people. Now, obviously the real big fish, the people who are really intelligent and really in this, take steps to protect themselves with that, but then those are the people who are supremely arrogant.

Katina Michael: Can you give us a specific example?

Dan DeFilippi: One case that happened a few years ago, let’s call the individual “Ted”. He actually ran a number of these online forums. These are “carding” forums, online discussion boards, where people commit these crimes. And he was extremely arrogant. He was extremely, let’s say, egotistical as well. He was very good at what he did. He was a good cracker, though he got caught multiple times. So he actually ran one of these sites, and it was a large site, and in the process, he even hacked law enforcement computers and found out information about some of these other operations that were going on. Actu­ally outed some, some informants, but the people didn’t believe him. A lot of people didn’t believe him. And his arrogance is really what led to his downfall. Because he was so arrogant he thought that he could get away with everything. He thought that he was protecting himself. And the fact of the matter was, law enforcement knew who he was almost the whole time. They tracked him back using basic techniques just like using email. Actually email was used as part of the evidence, but they actually found him before that. And it was his arrogance that really led to his getting arrested again, because he just didn’t protect himself well enough. And this really I cannot emphasize it enough, but this can really be used against people.

Katina Michael: Do you think that cybercrimes will increase in size and number and impact?

Dan DeFilippi: Financial crime is going up and up. And everybody knows this. The reality is that technology works for criminals as much as it works for businesses. Large organizations just can’t evolve fast enough. They’re slow in comparison to cybercriminals.

Katina Michael: How so?

Dan DeFilippi: A criminal’s going to use any tools they can to commit their crimes. They’re going to stay on top of their game. They’re going to be at the forefront of technology. They’re going to be the ones out there pioneering new tech­niques, finding the holes before anybody else, in new systems to get access to your data. They’re going to be the ones out there, and combining that with the availability of information. When I started hacking back in the ‘90s, it was not easy to learn. You really pretty much had to go into these chat-rooms and become kind of like an apprentice. You had to have people teach you.

Katina Michael: And today?

Dan DeFilippi: Well after the 2000s, when I started doing the identification stuff, there was easier access to data. There were more discussion boards, places where you could learn about these things, and then today it’s super easy to find any of this information. Myself, I actually wrote some tutorials on how to conduct credit card fraud. I wrote, like, a guide to in-store carding. I included how to go about it, what equipment to use, what to purchase, and it’s all out there in the public domain. You don’t even have to understand any of this. You know, you could know nothing about technology, spend a few hours online searching for this stuff, learn how to do it, and order the stuff overnight and the next day you could be out there going and doing this stuff. That’s how easy it is. And that’s why it’s really going up, in my opinion.

Katina Michael: Do you think credit card fraudsters realize the negative conse­quences of their actions?

Dan DeFilippi: People don’t realize that there is a real negative consequence to this nowadays. I’m not sure what the laws are in Australia about identity theft and credit card fraud, but in the United States, it used to be very, very easy to get away with. If you were caught, it would be a slap on the wrist. You would get almost nothing happening to you. It was more like give the money back, and possibly serve jail time if it was a repeat offence, but really that was no deterrent. Then it exploded post dot com crash, then a few years ago, we passed a new law that it’s a mandatory two years in prison if you commit identity theft. And credit card fraud is considered identity theft in the United States. So you’re guaranteed of some time in jail if caught.

Katina Michael: Do you think people are aware of the penalties?

Dan DeFilippi: People don’t realize it. And they think, “Oh, it’s nothing, you know, a slap on the wrist.” There is a need for more awareness, and campaigning on this matter. People need to be aware of the consequences of their actions. Had I realized how much time I could serve for this kind of crime, I probably would have stopped sooner. Long story short, because I worked with the Se­cret Service and trained them for a few years, I managed to keep myself out of prison. Had I not done that, I would have actually been facing eight-and-a-half years. That’s serious, especially for somebody who’s in their early 20s. And really had that happened, my future would have been ruined, I think. I probably would have become a lifelong criminal because prisons are basically teaching institutions for crime. So really I, had I known, had I realized it, I wouldn’t have done it. And I think especially younger people, if they realize that the major consequences to these actions, that they can be caught nowadays, that there are people out there looking to catch them, that really would help cut back on this. Also catching people earlier of course is more ideal. Had I been caught early on, before my mind-set had changed and the emotional ties had been broken, I think I would have definitely stopped before it got this far. It would have made a much bigger impact on me. And that’s it.

The Social Implications of Radio-Frequency IDentification

Good afternoon everyone. My name is William Herbert, and for identification purposes only I am the Deputy Chair of the New York State Public Employment Relations Board. You may be wondering why am I here.  In fact, my scholarship has been involved with issues involving RFID, GPS and other forms of technology, as a legal perspective.  I was asked to moderate, I think partially, this panel because of my background in labour relations, in which we have conflicting views frequently in labour, and my agency’s role is frequently brought in to try to bring some kind of bridges between varying positions on issues, at least in the workplace.  We have over the past two days been very fortunate to hear very diverse viewpoints on the issue of RFID.  And I thought it was appropriate that we try to bring those diverging voices together in seeking to bring some degree of bridging of these different ideas to try to aim towards bringing some degree of harmony about a perspective, or at least the first steps towards that perspective.  As Roger Clarke mentioned earlier in his talk, there is a need for this kind of dialogue and I think this panel will be a very good first step or second step in that process.

So the question I'm going to be asking for the panellists today is: can societies develop a balanced response to radio-frequency identification (RFID)?  And when I use the word RFID, I'm discussing both the technology, not limited to implants, but just the technology itself.  So with that question, I'm going to first ask Roger to discuss whether societies can develop a balanced response to RFID technology.

Read More

DangerousThings - Amal Graafstra Presents at ISTAS10

Public reaction – angry. I get a lot of angry emails, calls, and things like that. There are some people that wish I’d just go away, and there are others claiming that I am somehow helping “the conspiracy”. This is just kind of a little thing that I thought up, about the cycle of fear that I’ve noticed when talking to people. So when people come to me and they’re angry about things, I try to engage them in conversation but usually they’re afraid of misconceptions about the technology. They think that somehow the GPS satellites are communicating with this tag – which really only has a three-inch read range – and somehow reporting my location, “Can’t they track you?” … the elusive “they”.

So you know, they’re afraid of something they’re not sure of and they take action because they’re afraid. Then people that know about it respond, usually poorly. This interaction reveals to the angry people that they really don’t know what it is they’re talking about. And what’s interesting is that they have a new fear then, and that fear causes them not to want to learn about the technology. They don’t want to engage, because they somehow feel that if they learn about it, maybe their fears are unfounded or whatever. But it’s a cycle that repeats quite often. So the concept is that, you know, somehow now your body is up for sale, and companies and governments are vying for it.

Read More

Peter Mahy on S and Marper at ECtHR

Katina Michael interviewed Mr Peter Mahy of Howells LLP who represented S and Marper at the European Court of Human Rights


Abstract: Mr Peter Mahy, Partner at Howells LLP and the lawyer who represented S & Marper in front of the Grand Chamber at the European Court of Human Rights was interviewed by Katina Michael on the 10th of October 2009 while she was studying towards a Masters of Transnational Crime Prevention in the Faculty of Law at the University of Wollongong. In 2010 Peter Mahy received the Legal Aid Lawyer of the Year award for his contribution to the field. Mahy received his honours law degree from Sheffield University and a Masters in Criminology from the University of Cambridge. He did his Legal Practice Course at the University of Northumbria, Newcastle and joined Howells in 1996, qualifying in 1998.

Keywords: S & Marper v United Kingdom, European Court of Human Rights, DNA, national database, proportionality, government, police, citizens

Katina Michael: Peter, thank you for the opportunity to conduct this interview with you. I will begin by asking you to distinguish between the collection and storage of DNA samples as opposed to DNA profiles? Or do you see both collection types are ‘equal’ in value?

Peter Mahy: I do distinguish between DNA sampling and DNA profiling. And in fact, the UK government is now also distinguishing between DNA samples and profiling, stating in their consultation paper, Keeping the right people on the DNA database, that samples will be destroyed. I think there is a particular distinction in that there is a fear with how samples may be used in the future, and how they might be analysed into the future. However to me personally, I think the collection and storage of DNA profiles as opposed to DNA samples is marginal and that both are of a huge concern.

Katina Michael: So the UK government has now publicly stated that they will destroy all samples on their national database?

Peter Mahy: Yes. So what they are saying now is that the DNA sample will be destroyed once it has been uploaded to a profile.

Katina Michael: Could you make a general comment about the British Police and Criminal Evidence (PACE) Act 1984 and how it has changed since its introduction?

Peter Mahy: So prior to 2001, the UK took the position that if you had your DNA taken on charge then it could be kept but if you were acquitted or the charge was not continued then it had to be destroyed. That was changed in 2001, so that DNA could be retained even after acquittal or if charges were dropped. And then the law again changed so that a DNA sample could be taken just on arrest, not charge. So the PACE in terms of the collection of DNA was significantly watered down.

Katina Michael: Is it true that PACE has been watered down so much that it has been applied to the collection of DNA samples for what society generally considers petty misdeeds? Was DNA collected first for violent crimes alone, and then later due to changes in PACE for minor misdemeanors?

Peter Mahy: So what has happened now, is about police powers with respect to recordable offences. And so every 6-12 months, the notion of what constitutes a recordable offence is redefined, and each time it gets redefined more offences are introduced into PACE, including more lower level crimes. So there has been a widening of the definition on what constitutes a recordable offence, to include more minor offences.

Katina Michael: Some analysts, early on (e.g. Ireland 1989) have argued that PACE did a good job of balancing the right of an accused person against the need for police to have adequate powers for law enforcement. Do you agree? Peter Mahy: I think the problem in the UK is that you see an increasing amount of criminal legislation. There has been 3000 changes to acts of parliament related to criminal legislation since the Labour government has been in, so there has been a creep to the erosion of civil liberties, a hemming in if you like, and so it seems to be a constant battle to keep the rights that were enshrined in PACE and the Human Rights Act.

Katina Michael: Do you see then, that the increase in police authority and powers represents a commensurate loss in the individual rights of UK citizens? Peter Mahy: So I think there is sort of a constant creep against civil liberties, and a constant battle to preserve them. And it is not clear cut. The UK enacted the Human Rights Act which was a massive step forward but that is under threat at the moment. There is a conservative party here that is saying they are going to take away the Human Rights Act. This could be seen a battle between the left and right all the time, trying to keep the rights that have been hard fought for. Katina Michael: As a solicitor representing persons in cases to do with civil liberties, how do you feel about the collection of DNA samples for crimes such as: petty misdeeds such as begging, or being under the influence of alcohol, and acting in a disorderly fashion?

Peter Mahy: I think an interesting issue in this whole case and this whole debate is that no one has really grappled with why DNA has been taken from a person at all. If a person is presumed innocent, I mean, why should you take their DNA on arrest or on charge? That lead into the question really. Is it right to take the DNA of a person for very low level offences? I think that no one has really grappled with this, of when do you draw the line and when should it be taken?

Katina Michael: I agree. I am actually interested in this very question. And perhaps more specifically I am interested in why more citizens do not speak up about the collection and long term storage of their DNA samples and profiles. Is it that citizens feel powerless? Or that they do not know how to fully participate in such a process of questioning?

Peter Mahy: I think that what has been absolutely amazing in this case is that when this case started out it was pretty much just me challenging the law. There was so little interest in the divisional courts, little interest in the Court of Appeal. Even at the House of Lords, the media was not really interested, not at all, so there was really no profile. When we got called from the European Court of Human Rights things began to get a little bit more exciting. And then there was the Nuffield report that was big publicity. And after the European Court there seems to be something on DNA in the press every day, and I think now it has a high profile. When you listen to documentaries on television here, or question time which is very popular, there is just about something on this every week because this really is a big issue now and it has come as a result of the stand that we took. And it seems that this is a major issue. In terms of people challenging government and taking it forward- I understand that Chief Constables are virtually inundated with daily requests at the moment and citizens voicing and demanding their rights.

Katina Michael: That is great to hear. And I do hope it sets an example for others to follow, causing a ripple effect through the Europe, and the rest of the world. Does the UK government actually have about 9% of all UK citizen DNA samples?

Peter Mahy: Yes it does. The figures that we have over here are that there are just over 5 million samples on the DNA database with about a 60 million population in the UK, so it is roughly between 8%-9%. I mean it is a particular problem here because these are the statistics that we have been given over the years by the Government, but they seem to change a lot and are quite unreliable, and that is one of the key problems. So I am rather skeptical about the UK figures that they are putting forward but it seems to be around the 5 million mark. Katina Michael: So when you compare the percentage of the UK population that has had their DNA sample stored (about 9%) on the national DNA database with other countries in the world (about 2%) do you believe that the collection is ‘grossly disproportionate’? Are we to believe that crime rates are so high in the UK, or there are other historical reasons to describe this kind of sampling?

Peter Mahy: I think the UK in the last few years has become fairly obsessed with crime and it has been a policy of the government to focus on this. And the government was particularly proud in this case to say that they were the vanguard of DNA and of the biggest database and therefore they would be able to conduct crime detection but without really thinking about the implications. So it was actually the Government who wanted to have the biggest database. I think the government also saw it as a cheap way of fighting crime, and cutting costs and trying to keep the public happy.

Katina Michael: And are the retention laws in the UK, post S & Marper bound to change?

Peter Mahy: This is quite a difficult question. The government has been doing as little as possible to comply with the judgment but the Council of Ministers is ensuring that they do comply with the judgment. So although to date, they have been doing as little as they can, in the end they are going to have to comply.

Katina Michael: Could you elaborate on the main issue the ECtHR case identified which was to do with the principle of “proportionality” and an individual’s right to respect for private life? Was this the key finding? What were some of the other findings from your viewpoint?

Peter Mahy: I think one of the important things to realise is that in the UK courts, we traveled from the Divisional Court, the Court of Appeal, and the House of Lords, and while in the UK it was stated that Article 8(1) the ‘right to private life’ was probably not even engaged. The feeling in the UK was very much that this was not a very important issue and why are you here for. And we had a fairly rough ride in the UK courts, some even commented that they could not see any basis for the case at all. In the ECtHR, they said clearly that article 8(1) was engaged and that was an important finding, from the UK point of view certainly that these rights have to be taken seriously. I think the other major finding was identification from the court that there was no independent system in the UK for review, and so you have to ask the Chief Constable to remove your DNA and simply that is not fair. That is something that the UK Government has tried to whitewash a bit, saying that well, we are going to keep that, and the Council of Ministers are saying well that is not good enough. So the finding that you should have the opportunity to have somebody else make the decision was important. But the main findings from the European Court were what is called the Article 8(2) right, which is the proportionality argument. They said that they were struck that in the UK there was a blanket policy so that everybody’s DNA was retained until they were 100 or until they died, no matter who they are or what offence they committed. And they found that the UK had overstepped what is called the margin of appreciation, that is the right for each country to determine its own laws and try to strike a fair balance. So all in all, they found that not only was Article 8 (1) engaged but that Article 8(2) on proportionality where states have a lot of lee­way that the UK had just gone too far and were adopting a blanket one-for-all policy.

Katina Michael: How do you think the United Kingdom have reacted to the ECtHR ruling? And have they reacted enough and at the required speed?

Peter Mahy: What happened in December 2008 the Home Secretary, who has of course now been chucked out, said there was going to be a white paper and that the matter was going to be fully debated with common sense standards. Not soon after that, around about February 2009 time, the Government said they were going to make regulations and secondary legislation so the matter would not be debated. And that is now in jeopardy because the House of Lords Committee said that would be an unlawful. The Government then introduced the consultation paper, Keeping the right people on the DNA database, in May of this year, and importantly, based their statistics from the Jill Dando Institute. The Jill Dando Institute recently said that the statistics that the consultation is based on were not finished. So that puts the whole consultation up in the air. And most importantly the Council of Ministers debated this on the 15th and 16th of September this year, and looked at the UK proposals and they basically said that for most of them that if they were enacted, then they would be unlawful. So I think the UK is in a very difficult position because 10 months on they have not complied with the judgment. And that they have put proposals forward that are based on flawed statistics and which the Council of Ministers have said would probably be unlawful.

Katina Michael: And you have mentioned the citizen response has been to inundate the Chief Constables with requests to remove DNA samples. How have you felt about the consultative process as of May 2009?

Peter Mahy: Part of the problem with the consultation process from my point of view, is that for a public consultation the Government provided a very long and a very complex document. It is not the sort of document that most members of the public can easily read. It was not in an easy format. There was no sort of response leaflet that had five or six questions that you could answer and send in. There was none of that, no guidance of how to respond. I think for many members of the public that would have been difficult to respond to. We were told that there were however about 500 people that responded. And of course, it was only people who knew about the consultation and could access and understand the document and then just send their response to it.

Katina Michael: So S & Marper’s DNA samples were removed after the ECtHR ruling? And what about the samples of other innocents? Were they destroyed or are they still on the database?

Peter Mahy: Our clients’ samples were destroyed in December 2008, almost immediately after we requested destruction, after the ECtHR ruling. What has been happening in the UK is that the Government, the Home Office, have been telling forces to send a standard letter out to people who have requested destruction of their samples, saying that the law and policy in the UK has not changed and therefore they would have to wait for a change in the law or policy. And that is what the majority of the people get. And I guess for people who cannot afford to pay privately or eligible for legal aid, they think that that is it, and they do not know any different. We have had quite a lot of clients who have come to us about their situation and we have been challenging it and to date all of our clients DNA samples have been destroyed and taken off but I think the problem is that the majority of people are not fully aware of their rights and are accepting what is said. They do not know how to challenge the government in what they are saying.

Katina Michael: What is the next step in this process? What will it take for the UK Government to destroy the samples?

Peter Mahy: The Labour Government here is very reluctant and I think in truth that they are hoping that this issue is just going to go away before the general election which is scheduled for the next six months or so. I am skeptical that they are going to do anything before then but they have Europe on their back and the Conservative Government which is interestingly seen as more right wing has said that they will comply with the ECtHR judgment, and will destroy the DNA samples of all innocents as will the Liberal Democrat Party. So it all depends on who is in power. But I think either way eventually the UK is going to have to comply with the judgment and destroy DNA samples of innocents or at least have a fairly limited retention period as they do in Scotland.

Katina Michael: Do you wish to comment about reports in the media that Mr S has somehow found his way back onto the DNA ‘archive’? Authorities would have us believe that Mr S’s details should never have been removed from the National DNA Database (NDNA) in the first place, but is the real story more about the ‘ease’ with which one’s DNA sample can end up on the N DNA?

Peter Mahy: I think in a way it is the Government trying to make the most of it, but it is a false premise really, because the point is that Mr S was arrested again, and his DNA was put back on the NDNA. But they did not need his DNA to get there, i.e., it made no difference that his DNA was taken off in the first place. As I understand it, DNA was not involved in either of the cases at all. In fact, DNA was not a feature of either case, so it would not have made any difference at all.

Katina Michael: So your response is basically, what is the point of collecting and storing DNA when it cannot add any value to the actual case in question?

Peter Mahy: Yes, in the case of our client, what did it matter, DNA played no part at all.

Katina Michael: So why have the UK adopted such a stance? Are they attempting to make their statistical inferences more robust when DNA is being analysed in criminal proceedings?

Peter Mahy: Certainly the UK’s policy has always been that they have wanted the largest database possible. I think if it was not for the ECtHR ruling, they would have gone for a fully fledged national DNA database.

Katina Michael: So I gather from my reading that the motivation for such a national DNA database has to do with providing a greater probability and confidence level between the DNA evidence found at the scene of a crime and a match with the DNA sample of a suspect and to eliminate such problems linked to the need to conduct sub-group sampling?

Peter Mahy: Many of the commentators now- and this is where we are getting into more scientific discussion and more areas of argument- are saying that they consider four to five million samples to be the largest for an accurate DNA database. And that if your database size goes over five million that your chances of getting false hits and false readings increase. I was reading one article that was discussing how the chances of false hits is now increasing as a result of increasing records on the NDNA.

Katina Michael: What do you think the ‘Father of DNA’ thinks about all this?

Peter Mahy: Well in fact, Alec Jeffreys has gone on record over the last few years saying that the DNA samples of innocents should not be kept and should be destroyed.

Katina Michael: Could you make a comment about the collection of DNA samples from:

a) Children?

b) Persons under the age of 18?

c) Or of particular ethnic/racial/familial backgrounds and what impact this might have in a court of law?

Peter Mahy: This was something we relied on the UN Convention on the Rights of the Child and the European Court certainly saw that as a big issue, and that children are entitled to special consideration. And we also made the discrimination argument that there are so many more people of ethnic backgrounds than Caucasians as well. But in the end the ECtHR did not need to rule on that matter at all, as they ruled on the importance of a right to private life. Personally, I am not sure that there is a huge difference, and personally I think that the same rules should apply to everybody. If you are innocent, then it should not really matter what age you are, or what background you are from.

Katina Michael: So how is the Government proposing to change DNA retention laws by age and type of offence?

Peter Mahy: So there are proposals from the Government to that end. For a serious violent, sexual or terrorism-related offence, the DNA of a child would be retained for 12 years. For children between the ages of 10 and 18 years who are arrested but not convicted on one occasion, DNA is retained for 6 years then deleted on the 18th birthday, whichever happens first. And if a child is arrested on 2 occasions, their DNA is retained for the full 6 year term. So yes, a different regime for the retention of DNA for children.

Katina Michael: What would it take to raise the profile of the importance of removing DNA samples from public databases, especially in the European Union or Council of Europe states? Will it take more cases like S & Marper to front up to the ECtHR or various EU states to remove samples from databases? What strategy would you adopt?

Peter Mahy: I think we now have the judgment and it is now in the political debate and the Government will have to respond to the consultation submissions shortly. And after the ECtHR judgment the Government has been under constant pressure. There will be more test cases from people like me. I see the next test case could be somebody who tries to have their DNA destroyed only to be told by the Chief Constable that it cannot. At the moment the Chief Constable is relying on guidelines from 2006 which says the House of Lords ruling is the law. And I think that that is just crazy. The Government is not even taking into account the ECtHR judgment really. I think there would also be an interesting test case on whether it is lawful to take DNA on arrest given that there is no evidential threshold at that stage and I think there is going to be another test case on the issue of keeping DNA for ever and for minor crimes. I think there is going to be lots of test cases as well as the Council of Ministers driving the political debate, so altogether really.

Katina Michael: Could you make a comment on the collection and exchange of DNA data as a result of the Prüm Treaty? Do you see this as magnifying the problem of collecting DNA samples of innocents and those acquitted?

Peter Mahy: To be honest, we never got to the bottom of how this works in practice. For instance, if someone has there DNA sample taken in the UK and a DNA profile is exchanged between EU states and then a request for deletion is made and granted in the UK, who knows where your information has been saved? Has it been saved in different places all around the world? I am not sure even the Government has a handle on what they have been doing with this information. Katina Michael: Yes the loss of information is a critical issue for such sensitive databases.

Peter Mahy: I do not know if you heard but in the UK last year, there was a database of DNA profiles with known sex offenders sent from the Dutch police to the UK). Somehow the disc was misplaced and found over a year later. There has been a whole history here in the UK of data going missing, including prison inmate details, bank account details etc. The point is that mishandling of such information is possible. The matter seems to have gone quiet now but this seems to be a huge issue. It seems to me however that there are even more fundamental issues. Say for instance we are sharing DNA profiles with country X who is currently considered our ‘friend’ and then 10-20 years down the track they become our ‘enemy’. This then becomes a serious terrorist threat. These DNA samples and profiles can then be used against us and to cause huge threat against us.

Katina Michael: Given my background is in information technology, I do read so many articles on the losses of data such as disks left behind at train stations and airports, unencrypted data being intercepted, and the theft of laptops of very important persons. But I really had not gone to that next step to consider the way in which DNA profile data in particular, could be used to attack and to make the most of a potential terrorist act. That is fascinating-

Peter Mahy: Yes, it is pretty scary... You could just imagine that even on 5 million samples in the UK getting into the wrong hands and from those records you could determine which type of chemical or biological warfare could wipe out 90% of the UK population but would allow other states to be somewhat unaffected. There would be a significant danger.

Katina Michael: When government authorities quote statistics related to the number of cold cases solved using DNA evidence/samples, or the number of successful convictions based on the process of matching DNA profiles, are we really to believe them?

Peter Mahy: Well, again, the government statistics are extremely unreliable. I think an important thing to note is that from the Council of Ministers discussion a couple of weeks ago, the information they have actually been given from the Government themselves is that of the 850000 or so samples that are potentially from innocent people that 350000 are from people who have been convicted or acquitted. And from those 500000 samples that are left they do not know what happened to those individuals. So when you have a database with 10% of samples of which the Government has no idea of whether those people were convicted or innocent then I think that just shows how very statistically unreliable the data sources are.

Katina Michael: I would like you to comment on the use of force in obtaining intimate and non-intimate DNA samples without the suspect’s consent? What does ‘refusal without good cause’ actually mean in the United Kingdom with respect to PACE? Do you know of any cases where this has occurred and innocent person has not been incriminated? The exact phrase that is used in s. 62(10) is: “Where the consent by the detained person is refused without ‘good cause’, the court, and the court and jury, may draw inferences that may amount to corroboration of any evidence against the person in relation to the refusal s. 62(10).”

Peter Mahy: I can answer that in a slightly different way using an example of a case that I recently dealt with where I had a very well respected client in the community, who with his wife was arrested for stealing their own car. At the police station they were asked for their DNA sample and they refused and it was taken by force. We have been battling to get that DNA destroyed for 2 years or so, and only post Marper and only recently, in fact only in the last month or two, we finally got it destroyed. And to those people I think that the whole way it was approached by the police initially in taking the DNA sample by force from somebody who clearly had not committed an offense and who were not charged at the police station and were let go after that, simply to boost the number of people in the database, is horrific and unnecessary. And the battle for 2 years after, alienates people and I think that is why the Government has gone wrong on this issue because you should be policing by consent rather than by coercion. Those two clients before this ordeal were engaged helping the police and very appropriately will now be very reluctant to help the police and there are hundreds of thousands of other people who feel the same way.

Katina Michael: Perhaps it is a good time now to ask you about initiatives such as the Innocence Project in the United States (1992) and the Innocence Network in the United Kingdom (2004). Do you believe that increasingly DNA evidence is rightly being used as a critical component of many judicial proceedings? Or do you think it is being overused? That is, DNA evidence can be used to both inculpate and exculpate a suspect; that DNA evidence has the power to convict the guilty or exonerate the innocent in criminal litigation. Do you have any thoughts on this process?

Peter Mahy: Well, I can see that DNA is very useful in a criminal case and it may solve a crime or prove that somebody is innocent. In the UK now, DNA is routinely used in family cases related to issues of paternity. In fact, DNA is used routinely in immigration cases. But it seems to me though that the essential issue to grapple with is when DNA should be taken without consent because that is an interference of people’s rights, and so should it be taken on arrest or should it be taken when you are charged, or only voluntarily? And that is just the dividing line. I think there is a big mix up and a lot of false prophecy in the UK in how DNA should be used. The UK Government has always proclaimed the importance of DNA, but this question was also answered in the European case. Well that is not disputed. The question is, when you should take DNA from people who do not wish to give it?

Katina Michael: I have just finished reading Ron C. Michaelis, Robert G. Flanders and Paula H. Wulff, A Litigator’s Guide to DNA: from the Laboratory to the Courtroom (2008) who state on p. 99 that the “ideal DNA database would contain the profiles of every person in the country” [United States]. But they go on to claim that “[a] database such as this will obviously never be compiled, so forensic analysts must use the data that have been collected, from a tiny portion of the population, to estimate the frequency of an allele in the larger population.” Do you believe as Michaelis et al. do that the UK will never seek to implement a national DNA database? Is the idea as far-fetched as it might seemingly initially appear?

Peter Mahy: I think if we had not won the S & Marper case that this would have happened in the UK. There was mention in the UK courts that the Government was mostly relying on the principle that DNA was taken at the police station, that it was a historical fact and that it was not a big deal. And there were some reports that suggested that DNA samples should be taken from babies at hospitals when they were born because at that point the procedure could be done fairly easily. And of course, you would not need to do it for everybody because of the capability to conduct familial searching with DNA. For instance, 15 to 20 million samples would probably be enough to identify almost anybody in the UK. It might not be that person but it might be their brother. And that clearly was attractive to the UK and I think that that might have come. But now because of the ECtHR judgment that is clearly in retreat now. I mean the Government here is proposing IDentification cards with biometric data on them. I think that is on very shaky ground now. My best guess now is that the Government is not going to go ahead with that, apart from the fact that they are fairly bankrupt. So initially yes, I think the idea was of a blanket coverage DNA database and that probably would have happened but I think now it is unlikely.

Katina Michael: Do you see the collection and storage of biometric data like fingerprints to be equally harmful as the collection and storage of DNA samples or profiles?

Peter Mahy: I do not see fingerprints as being as big an issue as DNA. I think with DNA it is the fear of future uses that worries people and people do not understand exactly what DNA is and what it could be used for. Whereas fingerprints are seen more as a signature and that less pieces could be extracted from it. But I think generally, especially with my clients, they are less concerned about fingerprints or a photograph than they are about DNA.

Katina Michael: I have a PhD student that is co-supervised by me and someone from the medical school that is working on the secondary uses of patient medical data including for instance the use of blood samples to aid in the discovery of cures. Her main aim is to develop a patient consent matrix. What I can say I am witnessing is a major push by the medical field, including medical practitioners and associated suppliers of medicines such as pharmaceutical companies to gain access to large amounts of what was once considered confidential databases in the hope that they can create medical breakthroughs. And there are also now quite a few health databases that contain hundreds of thousands of records and have been created voluntarily by the community adding their personal details to registers. Is it possible that we get to the point that the medical field almost overtakes the criminal/civil proceedings collection of DNA samples?

Peter Mahy: I was talking to some doctors in Leeds about this very topic earlier in the week. Doctors in hospitals are collecting blood samples every day for one thing or another. And I think there is a very important distinction they mentioned to me is that they have to ask the person if they consent at the start. And they also have the right to withdraw their consent and their details and samples taken off entirely in the future. And of course what we are talking about here is taking the DNA without consent and keeping them forever never bothering to take them off. But to me it seems that the big difference is consent.

Katina Michael: And how we would achieve true consent? Would you ask the individual periodically whether they consent to their DNA data being stored on a medical database for medical discovery? Do you ask them every three months? This is a question we are finding hard to answer.

Peter Mahy: In the medical field of course, it may be, I do not know, say in three or four years time that they decide that DNA samples are going to be sold to insurance companies who are very interested in this data especially if you are going to be ill down the track. But at that stage a person might think, I do not want to be on that medical database anymore and I want to be taken off. I think those are the sort of scenarios that will cause the major development because then they could withdraw their consent. For instance, imagine a company who obtains this data and later turns out to be engaged in unethical practices, how would you then withdraw your consent. Again, to me, a major issue here is that you may give your DNA to a limited company who then sends it abroad. I do not really see how you can really control it and to ensure that if you withdraw consent at a later date; that you can indeed really get your DNA back or get it destroyed from the database?

Katina Michael: I am really interested in the role that self-interest groups have had in the S & Marper case from the very beginning to the present time. I have come up with the following groups, and I would like you to let me know if any are missing to your recollection. In no order of importance I have come up with the Nuffield Council on Bioethics, Liberty, GeneWatch, StateWatch, the Genetic Interest Group, and the NDNA Ethics Group, Amberhawk, and Where is Your Data.

Peter Mahy: There is a letter that was written by the interest groups to the Council of Ministers about a fortnight ago. And I think that all of these groups are important because they will influence particular decisions. You should add to your list Privacy International UK, Black Mental Health UK, Action on Rights for Children, and No2ID.

Katina Michael: One thing I am trying to do is to look at the S & Marper case from the view of different stakeholders- the government and policymakers, the citizens, the media, the academic papers that have been written on the S & Marper case such as case comments and notes, and of course, the self-interest groups that are lobbying on behalf of the rights of citizens.

Peter Mahy: To be perfectly honest what happened, is that while we were taking the case through the courts in the UK, we were on our own. In the Divisional Court there was little media interest, and nobody was interested. In the Court of Appeal, Liberty tried to intervene but they could not come to the hearing. In the House of Lords, again, Liberty intervened and they were threatened by the Government that if they did and they came to the hearing there would be costs against them and Liberty was fearful of that. So in fact, Liberty did not come to the House of Lords. So we were really the only ones against the Police and the Government and we were hugely outgunned. It was not until we got to the European Court that Liberty put some submissions in, and importantly Privacy International UK put in some really good work but for the actual ECtHR hearing we were on our own again. There was seriously little back up then, but now that the judgment has come to pass there is a lot of interest from interest groups who are doing good work. Non-government organizations have a right to participate in the Council of Ministers debate, and that is why now they actually have some power.

Katina Michael: Peter, could you tell me how to describe your exact role on the S & Marper case?

Peter Mahy: The solicitor, who acted for the claimant in the S & Marper v United Kingdom case.

Katina Michael: And can I ask, why Mr S and Mr Marper? How did it come to pass that you chose these two individuals? Had they approached Howells LLP? Peter Mahy: So the reality was that South Yorkshire Police had written a letter to all solicitors saying that because the law had changed they were going to keep all DNA samples of people. In other words they were saying- “[s]top asking for the DNA samples to be destroyed.” And then when the email came around and I read this letter, I immediately thought, well that does not really sound right and we should challenge it. And very quickly I had Mr S and Mr Marper in the office who had written to the police asking for destruction of their DNA samples. I think till that point, I do not really think anyone else had really thought about it as the legislation in the UK was just out, and few perhaps saw it as an issue and worth challenging.

Katina Michael: Just as a final summary Peter, what were the tangible/intangible or explicit/implicit impact(s) of the ECtHR ruling on the United Kingdom?

Peter Mahy: Tangible is that the ECtHR ruling has created change and at the moment there is a lot of debate, a lot of talking between parties here. I think in a way it has drawn a line in the sand, and hopefully in the next 10-20 years we will look back and say that was an important case. That that was a case, where we took a good look at what was going on in the UK and put a stop to the erosion of rights.

Katina Michael: Any final comments that you might have on this S & Marper case? 

Peter Mahy: I think one thing that is important to mention is how poorly funded we were. We were granted some legal aid from the European Court which was 2,613 euros. That was for myself and the barrister and included traveling expenses. So we were probably looking at something like 600-1 ,000 euro for the both of us, some 200-300 pounds each. It was an immense amount of work- boxes and boxes of documents. But at the same time, the Government lawyers were probably getting paid about 200-300 pounds per hour for the case. And we expect that the UK Government spent hundreds of thousands of pounds, if not millions of pounds just on the hearing. We made a request to freedom of information from the UK Government and they refused them, on the basis that this information was commercially sensitive. I think this just highlights the inequality of people trying to win a case versus the Government and the State. And now that we won the case we got paid fairly reasonably but we are sure, nothing like what the Government got paid. I think it shows the importance of people taking a stand but it is very difficult to communicate that lesson.

Katina Michael: Well, I for one, having researched this case over the last 12 months, am quite in awe of what you have achieved. And I am unsure if you perceive the great importance of S & Marper for other nation states, but this case ruling will set a precedent for others to follow. Thank you for conducting this interview with me.

Serafin Vilaplana - The Baja Beach Club IT Manager

Well, the owner-manager of the Baja Beach Club visited the United States, and he got the idea while traveling over there and hearing about the trial of the chip implant that was linked to electronic health records. These implants were first being used for the elderly and the sick.

Read More