
Wednesday, 7 February 2024

Bye bye AirVPN, thanks Piracy Shield

Wednesday's Friday rant:
#fridayrant #quellidelfascicolop #quellascemenzadellasera

I understand the need to block piracy of content legitimately offered by the platforms that purchased it, but sometimes the proposed cure is simply aberrant.

Any reference to our Piracy Shield, created by the indomitable #AGICOM (ica), is intended: yet another example of how to implement a bad idea badly.

I don't even need to write about it; everything has already been written here by #AirVPN, announcing that it is leaving the Italian market.

The so-called “Italian Anti-Piracy Shield” is a legal framework with an implementing regulation by AGCOM (the Italian Telecommunications Authority) that obliges operators offering services in Italy to block access to end services through IP blocking and/or DNS poisoning. The list of IP addresses and domain names to be blocked is drawn up by private bodies authorised by AGCOM (currently, for example, Sky and DAZN). These private bodies enter the blocking lists into a specific platform. The blocks must be enforced within 30 minutes of their first appearance by operators offering any service to residents of Italy.

There is no judicial review and no review by AGCOM. The block must be enforced inaudita altera parte and without any real possibility of refusal, even in the case of manifest error. Any objection by the aggrieved party can only be raised at a later stage, after the block has been imposed.

Posted Last Monday at 6:45 PM

Hello!

We regret to inform you that we will be discontinuing the service to residents of Italy as of February the 19th, 2024.
From the above date, any user registering on the platform must declare that he/she is not a resident of Italy. The purchase page will have IP address-based geolocation and will not be served to IP addresses located in Italy. We will not interrupt the service to current subscribers until the natural expiry date and the refund policy will be granted as usual.
 

REASONS FOR DISCONTINUATION

The so-called “Italian Piracy Shield” is a legal framework with implementing regulation by AGCOM (Italian Telecommunications Authority) that forces operators offering services in Italy to block access to end services through IP blocking and/or DNS poisoning.  The list of IP addresses and domain names to be blocked is drawn up by private bodies authorised by AGCOM (currently, for example, Sky and DAZN). These private bodies enter the blocking lists in a specific platform. The blocks must be enforced within 30 minutes of their first appearance by operators offering any service to residents of Italy.

There is no judicial review and no review by AGCOM. The block must be enforced inaudita altera parte and without the possibility of real time refusal, even in the case of manifest error. Any objection by the aggrieved party can only be made at a later stage, after the block has been imposed. For further details:
https://www-wired-it.translate.goog/article/piracy-shield-agcom-piattaforma-streaming-pirata-calcio-segnalazioni/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp

The above requirements are too burdensome for AirVPN, both economically and technically. They are also incompatible with AirVPN’s mission and would negatively impact service performance. They pave the way for widespread blockages in all areas of human activity and possible interference with fundamental rights (whether accidental or deliberate). Whereas in the past each individual blockade was carefully evaluated either by the judiciary or by the authorities, now any review is completely lost. The power of those private entities authorized to compile the block lists becomes enormous as the blocks are not verified by any third party and the authorized entities are not subject to any specific fine or statutory damage for errors or over-blocking.

By withdrawing service availability from Italy, AirVPN will be able to stay outside the scope of the framework and maintain integrity and efficient operations.

We certainly sympathise with our fellow Italian citizens, and we will be happy to offer advice and alternatives. We would also like to remind them of our more than ten years of support for the Tor network, which is freely accessible even from Italy, and which is becoming increasingly reliable and fast thanks to a myriad of small contributions like ours.

Kind regards and datalove
AirVPN Staff


In short, barely born and our very own Piracy Shield is already racking up successes.

After all, what could go wrong with such genius? We even have a safelist to avoid problems.

  • of course, one could point out that an IP can be used by more than one service, and some of those could be entirely legitimate and therefore “blocked” for no reason
  • one could observe that, without careful monitoring, the risk of having important IPs in the blocklist through an “error” or malicious activity is not zero (imagine blocking 8.8.8.8 or some important BGP node)
  • one could debate the lawfulness of blocks that do not allow a simultaneous and immediate objection
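The first two risks above can be checked mechanically before a block is applied. The following is an added example, not code from the original post or from the Piracy Shield platform: the safelist contents, the co-hosting map and every function name are constructed assumptions.

```python
import ipaddress

# Constructed sample data: assumptions for illustration, not a real safelist.
SAFELIST = ["8.8.8.8/32", "1.1.1.1/32", "192.0.2.0/28"]

# Constructed map of IP -> hostnames it serves (e.g. built from passive DNS).
COHOSTED = {
    "203.0.113.10": ["stream-a.example", "shop.example", "blog.example"],
    "198.51.100.7": ["stream-b.example"],
}


def review_entry(entry, reported_host, safelist=SAFELIST, cohosted=COHOSTED):
    """Return the reasons a blocklist entry would over-block (empty = none found)."""
    try:
        net = ipaddress.ip_network(entry, strict=False)  # accepts an IP or a CIDR
    except ValueError:
        return ["malformed entry"]

    reasons = []
    # 1. Does the entry cover a safelisted address, even partially?
    for safe in safelist:
        safe_net = ipaddress.ip_network(safe)
        if net.version == safe_net.version and net.overlaps(safe_net):
            reasons.append(f"overlaps safelisted {safe}")
    # 2. Does any covered IP also serve hosts other than the reported one?
    for ip, hosts in cohosted.items():
        if ipaddress.ip_address(ip) in net:
            others = [h for h in hosts if h != reported_host]
            if others:
                reasons.append(f"{ip} also serves {len(others)} other host(s)")
    return reasons


def review_batch(entries):
    """Map each entry that needs human review to the reasons found for it."""
    held = {}
    for entry, host in entries:
        reasons = review_entry(entry, host)
        if reasons:
            held[entry] = reasons
    return held


if __name__ == "__main__":
    # Constructed batch of (blocklist entry, reported hostname) pairs.
    batch = [("8.8.8.0/24", "stream-a.example"),
             ("203.0.113.10", "stream-a.example"),
             ("198.51.100.7", "stream-b.example")]
    for entry, reasons in review_batch(batch).items():
        print(entry, "->", "; ".join(reasons))
```

A check like this only catches overlaps with addresses someone thought to safelist or map in advance; anything missing from both lists passes silently.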

But why stop in the face of such trifles? What is certain is that the successes are arriving, and here we have the self-referential, indisputable and undisputed proof:

What it means that they blocked 65 DNS, I'll ask the experts 🙂

For further information:

https://www.wired.it/article/piracy-shield-piattaforma-agcom-pezzotto-streaming-illegale/

https://www.wired.it/article/piracy-shield-agcom-piattaforma-streaming-pirata-calcio-segnalazioni/#due

Friday, 17 July 2020

Oops! Privacy Shield, bye-bye

I was not in the mood to write again on GDPR, there are so many experts here my voice would be useless (and I know my fellow accomplices of the #quellidelfascicoloP would agree) but I could not refrain from this.

Max Schrems did it again and Privacy Shield is gone, like its predecessor (Safe Harbor).

This should not come as a surprise, well, at least not on this side of the pond. I understand the USA does not have a clue what we're talking about; privacy is also a cultural matter and we have a profoundly different approach here, but fellow Europeans should not be surprised at all.

Basically, what happened is that the ECJ agreed with the basic concept that if the processor is in a country where European data will not be treated fairly, then it is neither safe nor sound to send data there.

But this was the main idea behind Privacy Shield: the USA has a privacy and data protection framework that is not aligned with European rights and laws, but in order not to stop business we (Europeans) would accept jeopardizing our rights with a framework that is far less effective and strict than what is imposed in Europe.

Mr. Schrems is no stranger to having a problem with this approach, and he moved from court to court up to the ECJ to force it to rule on the subject, as he did for the infamous Safe Harbor.

So we were all expecting this and it should not come as a surprise. In the end, we should remember that the USA, under several arbitrary conditions (such as an investigation initiated by the NSA), does not need a judge to come and see data stored in the USA (it does not even care if the data are stored outside, but that is another story), does not care whether those data relate to a European citizen, does not feel any need to inform European authorities or European citizens and, under its framework, has no problem performing massive surveillance and data gathering (remember Prism?).

That the “Privacy Shield” was doomed as soon as this matter arrived at the ECJ was something many of us were expecting, but the “Privacy Shield” is not the only way to allow data exchange between us and them.

There is also something called SCC – Standard Contractual Clauses: a ruleset agreed between the parties that determines how to deal with data coming from the old world to the new one.

The European Court of Justice (Case C-311/18) told us those clauses are effective and valid, so only Privacy Shield has been affected. But if we read things a little deeper and closer, we realize that the ECJ gives us an interesting point of view on SCCs.

The European Court says (in paragraphs 134 & 135) that:

“[…] as the Advocate General stated in point 126 of his Opinion, the contractual mechanism provided for in Article 46(2)(c) of the GDPR is based on the responsibility of the controller or his or her subcontractor established in the European Union and, in the alternative, of the competent supervisory authority. It is, therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.

Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned. That is the case, in particular, where the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data.”

The upshot of this is that it is not enough to simply have SCCs in place but that due diligence also has to be undertaken, and possibly additional protections added. That due diligence will need to be done not only on the other party to the agreement but also on the legal regime in the country where it is based.

Data protection authorities across the EU will also be expected to step up their enforcement of the data transfer requirements of GDPR including looking at how organizations are using SCCs. This comes at a time when investigations in most EU countries are on the rise.

In one sense, because the European Court has ruled that SCCs are valid, it’s business as usual concerning SCCs. However, as the European Court has indicated, even where a business relies on SCCs, additional data protection due diligence may still be required. Additionally, it is expected that under GDPR the European Commission will be revising SCCs – so businesses may at some point in the future need to adapt/update their existing SCCs.

It is, therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection

This means that even if the agreement between two subjects is under SCC, this is not a safe pass to heaven, and the data controller is not released from his/her/its duty to verify that the data are processed fairly and correctly. The legislative framework of the country where the data are moved/stored also has to be taken into account.

OK, OK, I'll stop.

ciao 🙂

#quellidelfascicolop #vaccatadellasera #pensieriinlibertà #datasecurity #dataprivacy #deliridelvenerdì
