As long ago as January 2018, Dick Smith was on record, warning the investigation industry in the UK that the introduction of the imminent GDPR laws would benefit two schools . . . the Treasury and the scammers. Information Commissioners’ Offices throughout Europe were employing extra staff to help enforce massive fines for breaches, whilst the withdrawal of sections of the public database of domain names, such as WHOIS for example, would be a godsend to crooks who produce false websites.
With a long and distinguished background in law-enforcement, Dick has been partnered by his son, Greg; their UK-based firm, IP Forensics [GB], has built up a 20-year reputation for integrity and success in carrying out complex investigations for a raft of multi-national rights holders. They specialize in obtaining incriminating evidence through robust test-purchasing programs, investigating those responsible for distribution and producing the evidence to take them down; increasingly through civil courts. Dick is also the Immediate Past President of the Association of British Investigators [ABI].
“In our day-to-day work, we need to establish who the individuals are who distribute the counterfeit goods we test-buy online. It does appear to us that the latest legislation has gone too far . . . protecting the identity of a crook has become more important than helping the people he is stealing from!
Rights and responsibilities
“The individual’s right to privacy has long been a principle which we would be foolish not to support,” commented Dick, “but would those individuals, who are so often the victims of fraud, really want their legislators to make life so much easier for fraudsters? Along with rights comes responsibility, and our legislators owe it to us to be responsible.
“I will give you an example of how things have gone wrong,” he continued. “Around the time I was issuing that warning, I received a personal text advising me that there was suspicious activity on my bank account and would I respond immediately. My smart-phone was not that ‘smart’ as it recognized the text as being from my bank. Would you really trust your phone’s algorithms? Not likely! I quickly checked the URL on WHOIS, unsurprisingly discovering the ‘bank’ domain had been set up just a few weeks beforehand by one ‘Jim Clean’, using a provincial address which I immediately established was false. The probability was the ‘Jim Clean’ was actually located a few thousand miles east of the UK, but at least I, and any member of the public, had the ability at that time to immediately check if this was potentially a scam.
“A few weeks later, on 25th May 2018, the General Data Protection Regulations [GDPR] were enforced across Europe and each country necessarily introduced the appropriate legislation. Fiscal departments within governments were undoubtedly exhilarated by the prospect of levying astronomical fines on corporations which might fall foul of these new rules. At a stroke, however, the new laws imposed fresh barriers for the ‘good guys’; investigators both within law enforcement in addition to those employed in private industry, partly due to an ineffectual response to crime by the very agencies set up for our protection! What it also sadly achieved was an increased inability for commerce, as well as the public at large, to effectively conduct proper due diligence on those with whom they might be entrusting their finances. Countless overnight changes were made to the way that information was lawfully recorded and exchanged, amongst which was the predicted realization that it was now illegal for something as simple and protective as the domain tool, WHOIS, to provide the identity of the registrant behind that authentic-looking website. Those crooks and spies in Beijing and Moscow must have been laughing all the way to their cryptocurrency banks! “
Ability to protect . . . severely hampered
“Within six weeks of the introduction of GDPR, the National Crime Agency in England & Wales was publicly admitting that being denied ready access to domain registrant data, other than by costly and time-delaying application to courts, was causing them to be even more selective about investigating which crimes came to their attention. A statement read, ‘Without access to it [WHOIS], our ability to protect the UK from serious organized crime via investigations into data breaches, malware and DDoS [denial of service cyber] attacks, as well as into child sexual exploitation and abuse, will be significantly hampered.’ [Source: Daily Telegraph]
“It doesn’t just stop at commonplace crime,” continued Dick. “No one should be surprised that an additional benefactor has been terrorism. Gregory Mounier, head of Outreach and Internet Governance at Europol’s Cybercrime Centre, was quoted as saying, ‘The internet has become less safe because of an overly conservative interpretation of the GDPR by the ICANN community,’ [source Bloomberg]
“In recent years, US, European and Canadian law enforcement officials claimed success in eradicating the militant group Islamic State’s online propaganda network, partly by the use of public domain names databases; cracking down on websites, blogs, and Twitter accounts relaying IS propaganda whenever there was an attack. 400 such IS supporting domains were identified and arrests made. Because both technical and personal data of registrants have been redacted, this type of work is now much more difficult. Mounier admitted that ‘More and more investigations are just dropped or severely delayed because we can’t have direct access to WHOIS registration data information.’ “
Ground-breaking incentive for British investigators
“Investigators nevertheless have no option but to take GDPR seriously. Here in the UK, the ABI has been running workshops for our members since 2018, providing training in understanding the complex legislation and developing systems for use by each member to ensure that they process personal data lawfully in each case they take on. That has now gone a step further by the drawing up of a Code of Conduct which the Association hopes will receive official certification.
“Were this ABI Code of Conduct to succeed in being certified by the UK Information Commissioner’s Office, it is likely to be the first from any sector in the UK, possibly even the EU. Media interest is anticipated. Who, after all, would have guessed it would be the investigative sector that leads in protecting peoples’ privacy?
According to Dick, the proposed Code, [latest draft HERE], has been circulated for consultation to ABI members and relevant stakeholders throughout the UK, who have until the end of this month to provide feedback. For the Code of Conduct to work in practical terms, it will require the full support of those who engage investigative and litigation support services. That is, first and foremost, the legal profession.
Tony Imossi, who heads up the ABI Secretariat, is the main architect behind the Code. “If accepted, lawyers will be wise to ensure their chosen service providers are verified Code Members,” he said. “Why would they not? Failing to engage with certificated investigators would be an unnecessary reputational risk. It could even be perceived as a negligent disregard of the Code’s safety measures, which are in place for the protection of personal data. Moreover, it safeguards the public’s right to privacy, which is at the very core of the Code. Code Member status is easily within the reach of every law-abiding, honest, and compliant practitioner. So it is down to the legal profession to lead by example!”
“At least there may be some hope on the horizon,” concluded Dick. “As the UK moves away from the liberal-leaning EU, and in a welcome move to counter the problem of online anonymity, the UK’s security intelligence agency, GCHQ, is exploring a solution. [Source Demos.] Earlier this year, a UK think-tank proposed introducing a British Identity Corporation [BIDC] as a body to verify identities for tackling serious online abuse, allowing people more control and opening up to public scrutiny.”
Disclaimer: IPPIBlog.com is offered as a service to the professional IP community. While every effort has been made to check information in this blog, we provide no guarantees or warranties, express or implied, with regard to content provided in IPPIBlog.com. We disclaim any and all liability and responsibility for the qualification or accuracy of representations made by the contributors or for any disputes that may arise. It is the responsibility of the readers to independently investigate and verify the credentials of such person and the accuracy and validity of the information provided by them. This blog is provided for general information purposes only and is not intended to provide legal or other professional advice.