Talk about the Information Age has filled many seminars, newspapers, books, web-pages, blogs, etc. But has it invited law students and law academia too? Have our students be adequately equipped by the understanding (conceptually, technically and so on) of what Information Age is, and how it challenges the notion of law taught in law schools? These are the questions that preoccupy many legal minds concerned of legal education.

Information Age is about the change, not only on gadgets, but also on the way we live as well as change of perspectives. For legal fraternities (i.e. lawyers, attorneys, judges and legal academia), it is critical to acknowledge this change, and not leaving it only to the hands of computer scientists. This is because the Information Age is a discourse of a cross-disciplinary realm. No less than information scientists, engineers, lawyers, accountants, sociologists, political scientists and business people are all concerned. They could even find themselves incapacitated if they choose to work separately. In the word of Boyle, this is called the collapse of disciplinary boundaries.

The above forms the background of my paper in the international seminar on Cyberlaw soon to be organised by the Faculty of Law, Islamic University of Sultan Agung (UNISSULA), Semarang, Indonesia on Wednesday, 26th October 2011.  Hopefully this can invite a fruitful discussion among the faculty members and the seminar attendees.

The paper basically hypothesizes that in order to capably address legal issues and challenges in future, our legal education should be re-looked at and reformed. The Information Age environment should become an integral consideration in learning law (regardless the area; commercial, civil, criminal, constitutional, administrative, etc.). It argues not only for the introduction of cyber law in the law syllabus, but also the integration of the issues and discussion with other major and disciplines. On top of that, we can borrow Prof Palfrey’s thesis on ‘digital native‘ and ‘digital migrant’ so as to allow law to improve and deliver in the future.

In my last post I made note about why banks should or must care to protect the personal data with them. In this post I just want to put that note in real perspective, learning from real cases and incidents involving major banks in the world.

First, it was reported that Citigroup breach exposed data on 210,000 customers (here for the full report)

Citigroup admitted Wednesday (June 8^th, 2011) that an attack on its website allo

wed hackers to view customers’ names, account numbers and contact information such as email addresses for about 210,000 of its cardholders in North America. Although hackers may have not gained complete information on cardholders, the contact information is enough for scammers to try and elicit more information through targeted attacks. The email addresses, for example, could be used to send “phishing” messages asking for other sensitive information which could potentially give identity thieves enough to start committing fraud.

Second,  you’ll see how Data breaches lead to massive fines for three HSBC firms (here for the report)

Three HSBC firms have been fined more than £3 million by the Financial Services Authority (FSA) for failing to secure customer data. The FSA claimed the three firms sent large amounts of unencrypted data – often on discs sent via the post – and staff were untrained on the issue of identity theft. The FSA said that, in April 2007, HSBC Acutaries lost a floppy disk in the post that contained 1,917 pension numbers and addresses. And, in February 2008, HSBC Life lost an unencrypted disk holding data on 180,000 policy holders – also in the post.

Next, the big boys in British bank industry were forced to probe for possible data theft in their outsourcing centres (read it here)

Bloomberg reported that HSBC Holdings Plc, Barclays Plc, and Lloyds TSB Group Plc are investigating claims that customer account details may have been sold by a former call center worker in India to an undercover reporter amid a probe by London police. The breach highlights risks to data as Internet commerce and computer processing increase the amount of customer information exchanged between companies and countries. Visa International Inc. and MasterCard International Inc., the biggest credit-card brands, last week said the FBI was probing a breach that exposed 40 million cards to fraud in what may be the largest such case on record. Working undercover, the Sun reporter was able to buy account details of 1,000 Britons from a former call center worker for $5,000, the newspaper said. The former employee also offered to sell details of mortgages and medical bills.

Last, but not least, the Malaysian story too (get the report here) 

Malaysian bank customers have lost RM4mil through phishing (identity fraud) within the first three months of the year alone. There were 457 cases recorded in the first quarter of the year, exceeding the 353 reported for the whole of last year where the victims lost a total of RM1.2mil. In 2009, only 75 cases were reported with total losses of around RM215,000. Federal Commercial Crime Investigations Department director Commissioner Datuk Syed Ismail Syed Azizan said the number of cases reported this year had reached a record high with authorities and the banking industry being almost powerless to curb it.

pic from: mortgagechiliblog.com

Contrary to the traditional belief, information is no longer a mere business processing tools. It is now the very asset that turns to become the commodity of the business itself – becoming more powerful and valuable than any other physical assets. And this is particularly obvious in financial and banking industries where the acquisition of personal data and the adoption of information technology (IT) have both transformed the banking industry as well as the associated operational risk management.

The demand to protect personal data in banking industry comes mainly from two factors. Firstly, the consumers are getting increasingly aware of their right to data privacy. The bulk of their data such as personal and family data, financial information, credit history, employment records, or legal matters are now the target of many predators who wish to acquire them for their benefit, ranging from unsolicited direct marketing, loyalty program recruitment, credit card applications, and even for malicious intent such as identity theft and fraud (or “phishing”).

Therefore, banks can no longer take it easy in their handling of customers’ personal data. A poor data management would result in the loss of credibility, reputation and consumers. At the end of the day, consumers would prefer those who are best in handling their data.

Another pressure for data protection comes from the perspective of laws and regulations. Banking regulations had firmly upheld the need to protect customers’ privacy and confidentiality. In addition, the international community has now adopted a new legal regime on personal data protection (PDP). Regional community such as European Union is particularly very firm in ensuring industrial compliance, to the extent that they make it as another trade barrier for any non-EU countries who do not have adequate PDP law. The Asia Pacific Economic Cooperation (APEC) has also pledged that the member countries should adhere to certain regulation on data protection.

In ASEAN region, Malaysia and the Philippines had led the initiatives, while it is learned that Singapore, Thailand and Indonesia are following the suit albeit in different speed and urgency. In short, it is believed that laws on personal data protection will soon reshape the business processes and will rewrite the requirements of risk management and corporate governance in the banking industry.

See: Latest incidents on personal data abuse implicating banking sector

“The Starfish and the Spider”, or so we were told about ICANN‘s uniqueness by Rod Beckstorm. This is also the title of the book by Rod, the CEO of ICANN, and his co-author that was generously given out to all the Fellows in one of the ICANN’s Fellowship meetings. I did not have chance to grab him after the forum and to get him sign on the book. But here I want to say a big THANKS for the beautiful gift!

The ICANN’s CEO deliberated about how ICANN works as a ‘bottom-up’, decentralized and multi-stakeholders organization. Even though this has been repeatedly mentioned by many previous speakers, to me his presentation wraps up the whole idea of how ICANN has been working.

My note here is not going to repeat that. What I can appreciate here is that ICANN is truly a unique experiment that is undertaken in the world where it is needed most: the Internet world! At many times, I was amazed by how sustainable it has been in the face of many challenges and criticism. The development of protocols, names, numbers and its processes had been more or less the result of careful bottom-up consultancies. The way I was amazed, I can say, is like love at the first sight!

But having said that, a love at first sight is not totally unassailable especially once you go and know further what it takes to preserve that love. In ICANN world, I believe my journey has just started. It has drastically grown (positively) from my first encounter which was mainly restricted to the issues of Domain Names abuse and its UDRP. That’s it. Now, my understanding is even better. The fact of how UDRP came to existence and how it has been put under potential review alone has shown me the ICANN is much more fun than that. It is a world of its own worthy of investigation, observation, research and elaboration.

My querying mind wishes to know what ICANN should or should not do DESPITE what it has been saying what it should or should not do. This querying mind also wishes to know how much ICANN would sustain and further help develop the future of the Internet, where human being benefits at its most. Ultimately this querying mind wishes to know what role I can play to achieve that goal.

And this book, Rod’s Starfish and Spider, would hopefully guide me to that. Thank You again Rod Beckstrom!

Twenty-three fellows, from twenty countries, of five continents, of diverse background and affiliations, met and gathered in one room called Morrison in Raffles City Convention Centre, Singapore every 7-9 morning from 19th to 24th June 2011.

Under the mentoring of one passionate soul Janice, they intensively learned about a new world famously known for its administration and management of the world’s Internet, and infamously known for its excessive use of acronyms and abbreviations (wink) — ICANN (well.. the Internet Corporation for Assigned Names and Numbers, that’s it). Uuh.. about the excessive acronyms, thank God they created the portal, see it here. ^_^

The ICANN Fellowship is indeed more than just the dawn meeting routine. In fact, in every day in the whole week, there were approximately not less than a dozen meetings, briefings or discussions that may go parallel to ensure the fellows are kept busy. At few occasions some fellows (like me) tried to make use of the Remote Participation facility to grab two or more discussions at once — which ended un-impressively mainly due to our incapability to basically follows two things at one time.

But we are all certain that this Remote Participation facility is there not without a reason. There are times where one could not be there but is willing to follow the discussion, retrieve the materials or even ask questions. And that is what has happened, efficiently! Isn’t that awesome?

At the end of the Fellowship, I figured out few things why we all the 23 Fellows are entitled to feel lucky, here are some:

• The network in the making was strategically great. We never know what each of us will end up being or making; this fellowship has built up the sense of togetherness that hopefully can be capitalized for the future of the Internet and the World;
• The fellows were able to meet in person with those who’s who of ICANN who took turn to speak and take questions in the Fellow morning meetings. This is great because unless there is this occasion, we can only hear those people speak from distance on stage on any given forum — and most likely without similar chance for dialogue, questions or even post-talk chatting.
• The timing of the Fellow meeting is just GRREAAT… Meeting at seven a.m. is unmatched in any professional programmes. And we just did it, attentively and passionately. Well the good news is that they provide good breakfast right before we start.
• The fact that the Fellows are usually the Newcomers are another great factor why we felt lucky. We could have spent hundreds or thousand of hours trying to understand what ICANN is.. and this has been efficiently cut short by the Fellowship programmes. Well, I am not assuming that all the Fellows are now readily capable to explain what ICANN is……. (are you folks?). But at least, we felt that the light and guidance is there as to how to understand ICANN better and easier.
• Among the last thing I could figure out here is that the Fellowship is full not only with professional and intellectual discourse, but ALSO with emotional encounters. As we had laughter and cries all along, especially at the last day of the program. Oops.. I’m not going to write here who cried, who sobbed or who wept (wink), but all of us really had an emotional day. And we will certainly take this emotion together with our passion to for the future’s Internet.

Group Photo (credit: Jorge Etges)

Before I finish my note, I wish to thank to everyone who had shared with me during the one-week Fellowship (and even the pre-fellowship days). I am proud that my friend Waqar is not the only one who can name everyone in the room (he forgot Chris actually;)). I could do it too!

With that, I wish to thank you: Sira, Waqar, Kasyif, Sang, Anandan, Terry, Andrew, Alejandra, Joy, Amrita, Natali, Fatima, Sorina, Wafa, Yousuf, Siva, Valery, Gustavo, Burma, Chris, Saso, Khoudia and Siva! (Phew..!). Let’s keep connecting; and let it be a good, broad, ubiquitous, wireless, secure, bottom up and virtually continuous networking!

BTW: those of you (fellows and others) interested in the next ICANN Global Meeting in Dakar, you can check it out here.

Last but not least, Thank You Janice! Thank you for your guidance, your sharing and caring, your spirit and passion, your smile and hug, your understanding and encouragement. Thank You! They called you teacher, guru, mentor, inspiration, instructor, manager.. but the best I like is… you ARE our Mama Bear! —–>

Thank You for all the speakers and organizers, thank you ICANN!

More News on ICANN 41 Meeting:

• The Straits Times, Singapore: “Internet body approves new web suffixes” (link).
• The Guardian, UK: “Icann announces huge expansion of web domain names from 2012″ (link).
• The New York Times, USA: “An Explosion in Universe of Web Names” (link).
• ZDNet: “ICANN to ramp domain name variations dramatically: Business headaches likely” (link).
• The Associated PRess: “Coming soon to the Internet: The .whatever address” (link).

Nope, this is not (yet) a ready paper. It’s an ongoing research that I am now conducting, funded by an internal research grant. It takes as the background the revolutionary growth of the information and communications technology and its use in the storing, processing and disseminating personal information.

We all know that such phenomenon (ICT+data processing) has unveiled one huge challenge in the form of identity theft. Described as unlawful acquisitions of personal data that belongs to others, identity theft incidents are reported in Malaysian media on regular basis. The lost, stolen or compromised personal data has not become an incident of its own. Rather, it provides “ammunitions” for further action such as credit cards forgery or impersonated bank accounts that are used as a platform for further crimes.

Recently local newspapers had flooded us with news on these, such as these:

“RM4mil (Rp11.2bil) stolen within first three months”

Malaysians have lost RM4mil through phishing (identity fraud) within the first three months of the year alone. There were 457 cases recorded in the first quarter of the year, exceeding the 353 reported for the whole of last year where the victims lost a total of RM1.2mil. In 2009, only 75 cases were reported with total losses of around RM215,000. Federal Commercial Crime Investigations Department director Commissioner Datuk Syed Ismail Syed Azizan said the number of cases reported this year had reached a record high with authorities and the banking industry being almost powerless to curb it. (Click here for the report)

“Bank Negara warns of phishing email”

Bank Negara Malaysia (BNM) has warned of an email aimed at deceiving members of the public into disclosing their personal banking details. A statement issued by the central bank Thursday said the email, which claims to be from Bank Negara, urges people to update their account details through a provided hyperlink. “Intended victims receive emails purportedly from BNM, informing them that BNM is collecting personal banking information to update its database. They will be prompted to either click on a link or reply to the email directly. Once the victim clicks on the link provided in the email, they are directed to a fake website requesting disclosure of personal financial details such as credit or debit cards details including card code verification or other personal identification numbers (PIN),” the statement said. (Click here for the report)

Well well… is law of any help? I could see many shaking heads or raised eyebrows there   Though the trend of the statistics (*yawn*) on identity theft is going up from time to time, it hardly ends up in the hands of prosecution. This incapability of the law has been largely credited to the absence of the specific law on identity theft.

Be that as it may, this situation is expected to improve. The recent enactment of Personal Data Protection Act 2010 (Act 709) seems to trigger a new hope to end the problems of identity theft in Malaysia. Or does it? This proposed research attempts to investigate and find the answers by analyzing the provisions of the new Act in the light of the identity theft problems…

That’s so far what I can share… the work is in progress, insyaAllah..

This is my latest paper that I recently presented in the 1st International Conference on International Relations and Development (ICIRD) organised by a consortium of Thai top universities, and held in the beautiful campus of Thammasat University, Bangkok, Thailand.

This paper investigates the need for global government and especially Malaysia to relook at and redefine the concept of national security amid the changing circumstances especially in relation to the country’s increased reliance on the information and communications technology (ICT).

The challenge is, the more a governance system is exposed to the Internet and ICT, the bigger the risks it would face. When the security of the system is not reliable enough to secure the system, information assets are at stake and the country’s critical information infrastructure (such as defence, communications, energy and medical systems) would become loophole that undermines national security.

At the end of the paper, it examines Malaysia’s readiness by looking at the policy and legal initiatives it has set to adopt. While steps have been taken to provide necessary policies and strategies, this paper argues that the law on national security requires a fresh look and interpretation in order to support the protection of national critical information infrastructure.

(Keywords: national security, digital economy, critical information infrastructure, law and regulation)

Note: Not less than 30 people attended my session (there are three other sessions running concurrently in other halls). Questions were posed that made the session more lively and interesting. One of the questions was about the legal position of ethical hacker. Another asked about the ‘feasibility’ of the courts joining the reform that I instigated in my presentation.

There were some other questions that I received. Overall, it was a nice experience presenting in a multi-disciplinary environment. The conference is now over, but the network built up during that event is just beginning!

Kop kun kaap!

Among the first question people would ask about Personal Data Protection Act (PDPA) 2010 is “whether or not this Act applies to me?” or, if one could answer it in affirmative, “in what why the Act implicates me?”

The PDPA 2010 provides for definition of certain entities that would be in one way or another “implicated.” They are (1) Data User; (2) Data Processore and (3) Data Subject. Thus, the PDPA 2010 operates on these classes of person. It is in this frame you can have your answer whether the Act applies to you, or, in what why it implicates you.

Data User

The first cast under the Act is called “Data User”. Data User is a person who processes any personal data or has control over or authorizes the processing of any personal data, either alone or jointly or in common with other persons. These are the people (including legal persons, i.e. companies) who basically use people data for heir business process, or even as their business commodities. They collect personal data from people, store the data, rearrange the data, disclose it to others or use it for their own purposes.

These are the class of people in the society that is the target of the law. The PDPA 2010 has in its preamble an objective “to regulate the processing of personal data in commercial transactions and to provide for matters connected therewith and incidental thereto.” The data user, I would say, is the main cast in this legislation.

This however does not include those who processes the data not for his own purposes, i.e. only on behalf of another. This category leads us to the second cast, i.e. “Data Processor”.

Data Processor

The Act defines Data Processor, in relation to personal data, as any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes. This includes those to whom data users outsource their data processing or data storing processes.

A good example for this would be those who provides e-payment services to facilitate online banking. The personal data used to verify, process and authorise e-payment may not belong to the service provider, but rather to a particular bank. The fact that those service providers had never collected or controlled the data, but only processed them on their servers for the purpose authorised by data users.

Data Subject

The third category is supposedly the widest of all, i.e. “Data Subject”. It is defined in PDPA 2010 as an individual who is the subject of the personal data. Does this include ‘non-natural person’? No it doesn’t. Because it is only concerned about living individual who is identified or identifiable from the personal data. It is not companies or other non-natural person we are talking about. It does not even include personal data of dead people.

In an organization, the Data Subject covers those people inside the entity such as employees, outsourced providers, vendors as well as business partners and investors. From outside the organisation, it includes customers, both actual and prospective.

This means me, you and everyone whose data are collected, stored and processed elsewhere at various places: at your bank, your employer’s desktop, your insurance company, your hospitals computers, your school, your lawyers or your developer’s customer record. It can be everywhere, and yes, it had been everywhere! We are all Data Subject.

Now everyone can “fly”! Yes we know that. But when you fly, will your personal information fly away in the sky? That, not everyone knows.  This is the simple question that makes the backdrop of my recent paper, to be presented in Singapore’s International Conference of Social Science and Humanities (ICSSH2011) at the end of this month.

The paper is entitled: “Personal Data “Up in the Air” – A Tale of Two Malaysian Airlines in Dealing with Consumers Online Privacy.” It is a joint effort with one of my former students Ms. Maryam Delpisheh.

We know that uncertainties and concerns surrounding the privacy of personal information in Malaysia in the wake of many data abuse incidents had led to the passing of Personal Data Protection Act (PDPA) 2010. In a market where personal data has long been widely traded and unjustifiably exploited, the coming of this law could resemble the arrival of a long-awaited messiah expected to correct the evils and rectify people’s problem in a very immediate manner.

Once the law is in force, a wide range of industries that process personal data of individuals would have to reformulate their entire business processes to comply with the new legal requirements. In order to do that, they will need to perform critical self-assessment to ensure their business practice does not contravene the law and not trigger criminal liabilities.

Against this background, the current paper seeks to analyze how the Malaysian airlines industries – represented by the two biggest players Malaysian Airlines (MAS) and AirAsia – treats consumers’ personal data based on their existing online policies.

The research on this particular sector is very significant for two reasons: firstly, because airlines industry is relatively massive personal data users (especially on their passengers’ data). Secondly, the two companies have now aggressively embarked into online environment which sees them collecting and processing more personal data through their websites and online processing mechanism.

The ultimate goal of this assessment is to see to what extent their existing online privacy policies and practices are in line with the personal data protection principles provided in the PDP Act 2010. Using critical methods of discussion, this paper aims at producing gap analysis and recommendations as to how the industry should improve their privacy policy and make it closer to the legal requirements in protecting consumers’ personal data.

Keywords: E-business; business information management; airline industry; personal data protection; compliance.