Hotels to log internet use to stop child porn access

Ali Bracken, Crime Correspondent

Internet porn: hotel loophole

Paedophiles who download child pornography are using 'open networks' in Irish hotels to avoid detection, it has emerged.

The Sunday Tribune recently revealed there have been almost 5,000 detections of individuals in Ireland downloading or trading in child pornography over the past six months, with several people accessing illegal images hundreds of times a month.

About 800 computers are used every month to download or trade images of children being abused.

To avoid garda detection, paedophiles often use open internet networks so they cannot be traced. A garda source said open internet networks in hotels, and to a lesser extent B&Bs and pubs, all over the country are frequently being used to download child porn.

But the new Communication (Retention of Data) Bill, which comes into effect in November, will introduce strict rules relating to public Wi-Fi/internet access.

All users in public places, such as hotels, must be identified by a log-in process, and businesses must keep data on all of its internet users for two years.

Hotels that fail to store this data will be fully liable for any illegal browsing activity, and reprimanded for non-compliance.

Criminals who download child porn are currently doing so with relative ease on open networks, a source said. Gardaí are anxiously awaiting the introduction of the new law and say privately that the hotel sector has been "particularly slow" in implementing internet security measures to protect themselves.

"Only a handful of hotels around the country are already compliant with the directive. We are disappointed at how unwilling they have been to tackle this problem. It is a straightforward process to change internet access from an open to a secure network. Many of them may get caught out in November if they do not update their systems. At the moment, hotels are a soft touch," the source added.

Last month, software company TLO, which is based in Florida, provided the Sunday Tribune with detailed information on the number of people trading illegal child pornography, along with their locations. One individual in Dublin was detected 315 times in January downloading or sharing images of the sexual abuse of children. In the same month in Cork, a computer was identified as being involved in the same activity 197 times.

Gardaí are deeply concerned about the levels of trading in Ireland and a detective from the Domestic Violence and Sexual Assault Investigation Unit recently completed a training seminar run by TLO in Denmark which explained how to use its technology.

August 1, 2010

Comments

#1 Evert Bopp commented, on August 2, 2010 at 1:39 p.m.:

This is nothing new. People wanting to access illegal content have been using open/unsecured/public wifi networks for ages. This is not just limited to public wifi access in hotels. It also goes for other public venues and even more for unsecured private wifi networks with a range extending beyond the walls of peoples houses. The insecurity of wifi routers shipped by the major ISP is an ongoing and well documented problem (http://bit.ly/1YYnOR).

As for public wifi access offered by hotels, cafes and other public venues; there is a completely different issue at play. Under current EU Data retention laws public wifi providers have to retain a certain amount of user data. The only way to do so is by implementing a so-called "one time registration and session authentication system". This means that every user has to register their details with the provider once after which they will be issued with a user name and password. These credentials will then be required every single time that this user wants to access the service. Note: this does not require charging for the service!
One of the main setbacks of this required security is that in quite a few cases it is being implemented in such a ham-fisted way that it makes accessing the services such a chore than people just give up. Only a few wifi service providers have so far managed to implement a user friendly login procedure.

However in the end all this is not foolproof. As there is no requirement to provide authenticated proof of ID when registering for these services all this can be circumvented. It is no more foolproof than requiring people to register prepaid mobile phones. Last but not least even when the user would be required to provide verifyable proof of ID there are lots of ways "mask" your access websites or services. Anonymous proxies are only one. In a non-totalitarian society there is no way to stop a determined offender...

#2 Warren Edwards commented, on August 3, 2010 at 11:11 a.m.:

Across Europe and in Ireland we have been aware of this since the middle of 2008 and hotels have been notified but the cost of setting up this system was an issue but now the hotel will have to comply see the government link http://www.oireachtas.ie/viewdoc.asp?...)

VDA have a system to help the hotels keep a log of who and where downloads are taking place and can store the logs for 2 years.

Warren Edwards
VDA Ireland
093 36691

#3 Shane Hartigan commented, on August 3, 2010 at 11:33 a.m.:

I agree with the last post but would like to add that in addition to "one time registration and session authentication system" for public Internet access points there should also be an implementation of CALEA

http://en.wikipedia.org/wiki/Communic...

This CALEA law is in force in the US for many years now and is designed to record the minimum amount of data as not to impact a persons privacy but to ensure "Who, When & Where" information is available and stored in the event of a Legal issue arising.

To be CALEA-compliant, telecommunications providers must install new hardware and software, as well as modify old equipment so it doesn't interfere with any law enforcement agency's ability to perform real-time surveillance of any telephone or Internet traffic.

This is going to be a huge cost for many ISP and public internet providers and it will take time to implement this throughout the country.

#4 Evert Bopp commented, on August 3, 2010 at 2:35 p.m.:

@Shane Two comments about CALEA;

1) it's US legislation and does not apply in Ireland (or Europe).

2) CALEA requires communications equipment manufacturers to build a functionality into *all* their equipment to allow law enforcement and other government agencies to monitor traffic to and from individual devices. This means that (theoretically) any devices can be monitored in real-time without any third party involvement or oversight. It basically enables wholesale wiretapping. The current data retention legislation in the EU is retro-spective and allows access to communications data for producing evidence in case of a criminal offense. CALEA's reasoning is that everybody is guilty until proven innocent and constitutes a serious infringement on a persons right to privacy.
I for one would strongly oppose it.

#5 Shane Hartigan commented, on August 4, 2010 at 1:09 a.m.:

Response to @Evert Bopp comments:

In the European Union, the European Council Resolution of 17 January 1995 on the Lawful Interception of Telecommunications mandated similar measures to CALEA on a pan-European basis.

Although some EU member countries reluctantly accepted this resolution out of privacy concerns (which are more pronounced in Europe than the US), there appears now to be general agreement within Europe.

Lawful Inspection (LI) in Europe / Ireland is therefore modeled on CALEA in the US.

It is incorrect to state "communications equipment manufacturers build a functionality into *all* their equipment to allow law enforcement and other government agencies to monitor traffic to and from individual devices."

It will be a legal requirement of the ISP to provide this information. The Law enforcement agency will not be carrying out any monitoring.

CALEA (Lawfull Inspection) is simply implemented by a firewall rule on the Internet Gateway and it is stored on a "Data Retention Server". CALEA must be implemented by the owning ISP and under EU directive Irish ISP's must comply.

Quote DIRECTIVE 2006/24/EC

"Member States shall adopt measures to ensure that data retained in accordance with this Directive are provided "only" to the competent national authorities in specific cases and in accordance with "national" law. The procedures to be followed and the conditions to be fulfilled in order to gain access to retained data in accordance with necessity and proportionality requirements shall be defined by each Member State in its national law, subject to the relevant provisions of European Union law or public international law, and in particular the ECHR as interpreted by the European Court of Human Rights."

It is also incorrect to state that this enables "wholesale wiretapping"

"Member States shall ensure that the data specified in Article 5 are retained in accordance with this Directive in such a way that the data retained and any other necessary information relating to such data "can be" transmitted upon request to the competent authorities without undue delay."

Also it is important to note:

The retained data shall be of the same quality and subject to the same security and protection as those data on the network;

The data shall be subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure;

The data shall be subject to appropriate technical and organisational measures to ensure that they can be accessed by specially authorised personnel only;

It is also incorrect to state "CALEA's reasoning is that everybody is guilty until proven innocent and constitutes a serious infringement on a persons right to privacy."

CALEA is simply tool to carry out Lawfull Inspection by a competent authority and is subject to Irish National Law in all cases.

#6 Evert Bopp commented, on August 5, 2010 at 6:06 p.m.:

In reply to Shane Hegarty:
You only referred to CALEA in your post and not any EU legislation "similar to CALEA".
As for the actual impacts and extent of CALEA I beg to differ, you seem to go by the letter of the actual law while I prefer to go by it's actual implementation and apparent mission creep.

DIRECTIVE 2006/24/EC is full of vague, subjective language. Terms such as "competent", "specific cases" and "necessity and proportionality requirements" are extremely subjective and allow a substantial amount if flexibility in the implementation of this legislation.

Your comment that "CALEA is simply tool to carry out Lawfull Inspection by a competent authority and is subject to Irish National Law in all cases." Does nothing to disproof my calling it an infringement on a persons right to privacy. The simple fact that it is law does not mean that is is or should be acceptable. As for a "competent authority" I have still to see a state run organisation that has proven competence in the area of data retention and storage.

Name	(Required, published)
Email address	(Required, not published)
URL	(Optional)
Comment
If you enter anything in this field your comment will be treated as spam

Comments

Post a comment

Also in Home News

Share this article

Search

This issue 5 years ago

RSS Feeds