Data Protection & Privacy gaffes in Greece: Is it the heat?

Forensics News

Preamble: In case any of you were wondering about the lack of further postings for some time now…No, I did not cancel the blog. I was merely on a 3-week holiday in Greece, after a rough couple of weeks of PhD-related work.

So, summer holidays: Sun, Sea, other-things-beginning-with-the-S-letter and some interesting bits of news from Greece.

For the interesting bit of news now: According to information published in the Eleftherotypia newspaper, data contained on hard drives NOT connected to the internet are now NOT considered to be personal information and therefore are NOT protected by the Greek equivalent of the Data Protection Act.

Mr Karoutsos, assistant judge of the high court of Greece, and responsible for the introduction of the above law, further states that (translated) “the hard drive of a computer, components and parts [of a computer] as well as electronic sound evidence found on a computer are not considered to be communication mediums”. (Article in the Greek language: http://www.enet.gr/online/online_text/c=112,id=90609728)

So, what can one make of this law, then? A deliberate violation of the constitutional free speech rights, or someone’s stupid idea based on lack of proper advice on technology issues? Or both?

First of all, exactly HOW can one ascertain without the shadow of doubt (Greece has a non-adversarial justice system), or even with an error margin lower than 50%, that a storage medium has not been at any point in its lifetime connected to the internet or to a Local Area Network that is itself connected to the Internet?

Given that all motherboards nowadays contain either a network card or a modem+network card (laptops) by default, how do we determine it has not been used, automatically placing the hard-drive within the bounds of the DPA?

And what of USB drives and memory cards? If the digital camera (with the memory card inside) is connected at any point in time to a computer (thereby automatically mounting itself as a seperate DISK DRIVE) that has been at any point in time connected to the Internet itself, the memory card is itself “tainted” and thereby it too falls within the bounds of the DPA. USB drives are even worse as there can be NO conclusive proof that they have not been used on an Internet-connected computer.

And, of course, there is that further statement of Mr. Karoutsos….the one I quoted… Ummm, as I recall, every standard high-school textbook on Computing clearly explains how the different components of a computer “communicate”, not to mention the definition of a hard-drive, its relationship to the software called an Operating System and its role as both a transient and non-transient storage of information as a result of the act of communication.

Thus, exactly HOW does one PROVE a storage medium has NEVER been connected to the Internet?

To some degree I understand a bit of what they are trying to achieve, here, and I commend them on wanting to achieve it, given the CP cases that have cropped up and all.

What I do NOT understand and therefore DO NOT commend or condone is their use of such twisted logic resulting from their lack of knowledge of technology!

DarkSYN @ August 29, 2008