CONFERENCE ON THE "DIGITAL COMPANY" IN LIGHT OF THE PROVISIONS OF THE NEW TURKISH COMMERCIAL CODE

Date: 11 October 2011
Venue: İstanbul Bilgi University, Dolapdere Campus, Courtroom

PROGRAM

09:00-10:00 Registration

10:00-10:30 Opening Speeches
Prof. Dr. Turgut TARHANLI, Dean of the Faculty of Law, İstanbul Bilgi University
Prof. Dr. Remzi SANVER, Rector of İstanbul Bilgi University
Prof. Dr. Ünal TEKİNALP, Chair of the Turkish Commercial Code Commission
Hayati YAZICI, Minister of Customs and Trade

10:30-13:30 DIGITAL COMPANY PANEL
Session Chair: Prof. Dr. Ünal TEKİNALP, Chair of the Turkish Commercial Code Commission
İsmail YÜCEL, Director General for Domestic Trade, Ministry of Customs and Trade: "Electronic Trade Registry"
Prof. Dr. Vedat AKGİRAY, Chairman of the Capital Markets Board
Prof. Dr. Tayfun ACARER, Chairman of the Information and Communication Technologies Authority: "The Turkish Commercial Code and the Registered E-Mail Application"
Assoc. Prof. Dr. Yakup ERGİNCAN, General Manager of the Central Registry Agency: "Corporate Governance, Investor Relations and the Companies Information Portal"
Ümit YAYLA, Deputy General Manager of the Central Registry Agency: "Participation in the General Assembly Meetings of Publicly Held Companies under the New Turkish Commercial Code"
Asst. Prof. Dr. Leyla KESER BERBER, Director of the Institute of Information and Technology Law, İstanbul Bilgi University, and Chair of the Sub-Commission on Secondary Legislation for the IT-Related Provisions of the Turkish Commercial Code: "The Legal Framework for the Digital Company"

13:30-13:45 Questions/Discussion
13:45- Closing
14:00- Lunch

Principles and Procedures Concerning the Safe Internet Service

INFORMATION AND COMMUNICATION TECHNOLOGIES BOARD DECISION
Decision Date: 24.08.2011
Decision No: 2011/DK-14/461
Agenda Item: Principles and Procedures Concerning the Safe Internet Service.

DECISION: Within the scope of Articles 4, 6 and 50 of Law No. 5809, Article 10 of the Ordinance on Consumer Rights in the Electronic Communications Sector, which entered into force upon publication in the Official Gazette dated 28.07.2010 and numbered 27655, and the other relevant legislation, it has been decided:
• to repeal the "Draft Principles and Procedures Concerning the Safe Use of the Internet", which was approved and entered into force by Board Decision No. 2011/DK-10/91 dated 22.02.2011,
• to approve the "Principles and Procedures Concerning the Safe Internet Service" set out in the Annex,
• that this Board Decision enters into force as of 22.08.2011.

Annex
PRINCIPLES AND PROCEDURES CONCERNING THE SAFE INTERNET SERVICE

Purpose
ARTICLE 1 - (1) The purpose of these Principles and Procedures is to regulate the principles and procedures concerning the preference-based Safe Internet Service.

Scope
ARTICLE 2 - (1) These Principles and Procedures cover Operators providing Internet service and subscribers who request the Safe Internet Service.

Legal basis
ARTICLE 3 - (1) These Principles and Procedures have been prepared on the basis of Article 10 of the Ordinance on Consumer Rights in the Electronic Communications Sector, published in the Official Gazette dated 28/07/2010 and numbered 27655.
Definitions and abbreviations
ARTICLE 4 - (1) In these Principles and Procedures, the following terms have the meanings given below:
a) Subscriber: the natural person who is party to a contract concluded with an Operator for the provision of Internet service, including mobile Internet service,
b) Family profile: the profile in which the subscriber is not given access to the domain names, sub-domain names, IP addresses and ports in the family profile list sent to Operators by the Authority,
c) Child profile: the profile in which the subscriber is given access to the domain names, sub-domain names, IP addresses and ports in the child profile list sent to Operators by the Authority,
ç) File integrity value (hash code): the value, representing the digest of a file, that is obtained by passing the data in a computer file through a mathematical operation and that is used to check whether the data in the file has been changed,
d) Safe Internet Service: the service, consisting of the child and family profiles, that is provided free of charge at the request of subscribers,
e) Safe Internet Service profile: either of the child and family profiles, which subscribers wishing to receive the Safe Internet Service may choose according to their needs,
f) Operator: Operators providing Internet access service, including Operators providing mobile telephone service, and Türk Telekomünikasyon A.Ş.,
g) Board: the Information and Communication Technologies Board,
ğ) Authority: the Information and Communication Technologies Authority,
h) Profile Editing Web Page: the web page, designed by Operators, on which individual subscribers can carry out their requests if they wish to change their profile or to stop receiving the Safe Internet Service,
ı) Cautionary and Informative Web Page: the web page, designed by Operators, to which users are redirected when they cannot access Internet sites because of their profile.
(2) For concepts that are used in these Principles and Procedures but are not defined in the first paragraph of this article, the definitions in the relevant legislation apply.
Status of existing subscribers
ARTICLE 5 - (1) The existing Internet access service of subscribers who do not request the Safe Internet Service continues to be provided without any change.

Safe Internet Service profiles
ARTICLE 6 - (1) Operators offer the Safe Internet Service to subscribers who request it in two different profiles, the child profile and the family profile.

Selection of the Safe Internet Service profiles
ARTICLE 7 - (1) Subscribers may submit their Safe Internet Service request to the Operator from which they receive service when the subscription contract is signed. They may also notify this request through the call centre, the dealer channel or the Internet site.
(2) Operators offer the Safe Internet Service to subscribers free of charge.
(3) In subscription contracts, or in forms prepared as annexes to subscription contracts, and on the profile editing page, Operators include the two Safe Internet Service profiles, from which the subscriber can easily choose, in the manner set out below. If subscribers choose the family profile, they are enabled to select one or more of the sub-options set out below, or to make no sub-selection at all. "If you request the Safe Internet Service, please choose one of the profiles below."
(4) Operators continue to provide Internet access service according to the subscriber's most recent preference.
(5) Operators provide subscribers receiving the Safe Internet Service with a username and password so that they can carry out transactions on the Profile Editing Web Page.
(6) Operators give their subscribers the ability to switch between profiles and/or to stop receiving the Safe Internet Service at any time they wish, securely, easily and free of charge.
Profile editing web page
ARTICLE 8 - (1) If subscribers wish to change their profile or to stop receiving the Safe Internet Service, they can carry out these requests through the Profile Editing Web Page designed by Operators.
(2) For use on the Profile Editing Web Page, Operators may let their subscribers use their existing username and password free of charge, or may allocate a new username and password.
(3) The Profile Editing Web Page contains at least the following information:
a) Items on the main page:
i. Current profile,
ii. Profile Selection Menu,
b) An application through which the user can change his or her username and password, and
c) The cautionary and awareness-raising informative texts sent by the Authority.

Cautionary and informative web page
ARTICLE 9 - (1) When subscribers cannot access Internet sites because of their profile, they are redirected to the Cautionary and Informative Web Page designed by Operators.
(2) Operators present at least the following information on the Cautionary and Informative Web Page:
a) Current profile, and
b) The cautionary and awareness-raising informative texts sent by the Authority.

Structure and duties of the Child and Family Profile Criteria Working Board
ARTICLE 10 - (1) The criteria for compiling the child and family profile lists are determined by the Child and Family Profile Criteria Working Board.
(2) The Child and Family Profile Criteria Working Board consists of 11 members under the coordination of the Authority.
(3) The Child and Family Profile Criteria Working Board consists of 3 members from the Authority, one of whom is the chair, 2 from the Ministry of Family and Social Policies, 2 from among the civil society representative members of the Internet Board, 1 from the Turkish Digital Games Federation, and 3 members selected by the Authority from among persons with expertise in related fields such as psychology, pedagogy, sociology and law.
(4) The child and family profile lists are determined by the Authority within the framework of the principles established by the Child and Family Profile Criteria Working Board.

Assessment of applications and objections
ARTICLE 11 - (1) Users and owners of Internet sites may apply and object, through the web page prepared by the Authority, for the assessment of Internet sites.
(2) Users make their applications through the link on the Profile Editing Web Page and their objections through the link on the Cautionary and Informative Web Page. The Operator name, the user profile, and the domain name/IP address and port information relating to the application or objection are sent to the Authority by Operators so that applications and objections can be assessed correctly.
(3) The Authority may seek the opinion of the Child and Family Profile Criteria Working Board for the assessment of applications and objections.

Provision of the Safe Internet Service and establishment of the infrastructure
ARTICLE 12 - (1) Operators establish and operate the infrastructure required to provide the Safe Internet Service. The Authority sends only the lists to Operators.
(2) Operators may not make changes to the Safe Internet Service profiles determined by the Authority or to the lists sent to Operators by the Authority.
(3) In addition to the Safe Internet Service, Operators may offer different services under different names.
(4) Operators that offer Internet service at wholesale level by way of resale offer the Safe Internet Service to alternative Operators free of charge.

Access to the list database
ARTICLE 13 - (1) The lists belonging to the Safe Internet Service profiles are shared over the point-to-point secure data lines established between Operators and the Authority.
(2) The data held in the Authority's database are sent to Operators over the secure line. Operators transfer the data and updates sent by the Authority to their systems and apply them within 24 hours at the latest.
(3) The file integrity value (hash code) of each domain name and sub-domain name held in the database is computed separately by the Authority, and the file integrity values are shared with Operators. Operators compute the file integrity value of the domain names and sub-domain names that users want to access, query it against the database sent to them, and establish the control mechanisms necessary for the use of this method.
(4) The list of IP addresses and ports held in the Authority's database is shared with Operators without computing file integrity values. Operators carry out the queries relating to these IP addresses or ports.
(5) Operators install the software and hardware solutions they develop for the provision of the Safe Internet Service with redundancy.

Informative text
ARTICLE 14 - (1) To introduce the Safe Internet Service, Operators send their subscribers awareness-raising informative texts whose content has been approved by the Authority. Operators introduce the Principles and Procedures to subscribers, before the service actually begins to be provided, through at least one of the following methods: short message, call centre, one-time redirected information page (captive portal), pop-up window and/or invoice.

Test process and actual start of service provision
ARTICLE 15 - (1) Operators complete all infrastructure and application work required for the provision of the Safe Internet Service before the test process begins.
(2) The test process for the provision of the Safe Internet Service is carried out between Operators and the Authority from 22.08.2011 to 22.11.2011.
(3) If the Operator considers it appropriate, subscribers may be accepted for test purposes during this period.
(4) Operators end the test process and actually begin providing the service to subscribers with effect from 22.11.2011.

Entry into force
ARTICLE 16 - (1) These Principles and Procedures enter into force on 22.08.2011.
Execution
ARTICLE 17 - (1) The provisions of these Principles and Procedures are executed by the Chairman of the Information and Communication Technologies Board.

Unofficial translation prepared by ICTA.

By-Law on the Principles and Procedures Concerning to the Safe Internet Service

Purpose
Article 1- (1) The purpose of this By-Law is to define the procedures and principles concerning to the Safe Internet Service requested by subscribers.

Scope
Article 2- (1) This By-Law covers internet service providers and individual subscribers demanding Safe Internet Service.

Legal Basis
Article 3- (1) This By-Law is prepared on the basis of Article 10 of “Ordinance on the Consumer Rights In The Telecommunications Sector” published in the Official Gazette dated 28/07/2010 and numbered 27655.

Definitions
Article 4- (1) The terms used in this By-Law shall have the following meanings:
a. Subscriber: Any natural person who is party to a contract with an operator for the provision of internet service, including mobile internet services.
b. Family profile: The profile in that the users are not able to access the domain names, sub-domain names, IP addresses, and ports in the list which is sent to the operators by the Authority.
c. Child profile: The profile in that the users are only able to access the domain names, sub-domain names, IP addresses and ports in the list related to child profile which is sent to the operators by the Authority.
d. Hash code: A hash code is a value obtained by a mathematical function that determines the integrity of a file data.
e. Safe Internet Service: The service provided free of charge upon the request of the subscriber and which consists of family and child profiles.
f. Safe Internet Service profile: Either child profile or family profile which can be chosen by subscribers who request Safe Internet Service.
g. Operator: Any company, which provides internet services including mobile operators and the Turk Telekomunikasyon Inc.
h. Board: Information and Communication Technologies Board.
i. Authority: Information and Communication Technologies Authority.
j. Edit Profile Web Page: The web page, on which individual subscriber can change his/her profile or opt out from Safe Internet Service when he/she wants, designed by the operators.
k. Cautionary and informative web page: The web page that is designed by the operators and to which users will be redirected when they try to access a web site being inaccessible according to his/her Safe Internet Service profile.
(2) For the terms that have not been defined in the first sub-clause of this article, the definitions set out in other relevant legislations are applicable.

Status of existing subscribers
Article 5- (1) Existing internet access service of the subscribers, who do not request Safe Internet Service, will continue to be provided in its present form without any change.

Safe Internet Service profiles
Article 6 – (1) The operators shall provide Safe Internet Service to subscribers, who demand this service, as two separate profiles which are child profile and family profile.

Selection of the Safe Internet Service profiles
Article 7 – (1) Subscribers can inform the operator about their Safe Internet usage request by means of subscription agreement. Additionally they can inform the operator via dealer, call centre or website.
(2) The operators shall provide Safe Internet Service to subscribers free of charge.
(3) The operators shall provide Safe Internet Service profile options, which could be easily selected by the subscriber in the subscription agreements or additional subscription forms and in the edit profile web page, as shown below. In case subscribers choose the family profile, selecting one or more of the sub-options mentioned below or selecting none of these sub-options should be made possible for them. “If you want to opt in “Safe Internet Service” please select one of the profiles below.”
(4) The operators shall provide internet access services according to the last preference of the subscriber.
(5) A username and a password is provided to the subscribers using Safe Internet Service by the operators in order to enable them to use Edit Profile Web Page.
(6) Providing the safety of the system, the operators shall provide opportunity of switching between the profiles and/or of opting out from the Safe Internet Service to the subscribers using Safe Internet Service when they want, in an easy way and free of charge, via call centre or edit profile web page.

Edit profile web page
ARTICLE 8 – (1) The subscribers can change their profiles or opt out from the Safe Internet Service, when they want, through the Edit Profile Web Page that shall be designed by the operators.
(2) The operators can either provide a new username and password to their subscribers or make it possible for subscribers to use their current username and password in the Edit Profile Web Page free of charge.
(3) At least the information mentioned below should be provided in the Edit Profile Web Page:
a) Information that must take place in the main page;
i. Current profile,
ii. 'Edit Profile Module' at which username and password will be used,
b) An application through which the user can change his/her password and
c) Cautionary and informative text sent by the Authority.

Cautionary and informative web page
ARTICLE 9 – (1) Users are redirected to the Cautionary and Informative Web Page built by the operators, when they try to access to the web pages that are inaccessible according to their profiles.
(2) The operators shall provide at least the information listed below in the “Cautionary and Informative Web Page”:
a) Current user profile and
b) Cautionary and informative texts sent by the Authority.
Child and family profiles criteria working board’s structure and tasks
ARTICLE 10 – (1) The criteria of the lists that will be used within the concept of the Safe Internet Service is determined by the Child and Family Profiles Criteria Working Board.
(2) Child and Family Profiles Criteria Working Board consists of 11 members coordinated by the Authority.
(3) Child and Family Profiles Criteria Working Board is made up of 3 members, one of which is the President, from the Authority, 2 members from Ministry of Family and Social Policies, 2 members among non-governmental organization members of the Internet Committee, 1 member from the Digital Games Federation of Turkey, 3 members, who are experts in related branches such as psychology, pedagogy, sociology and law, selected by the Authority.
(4) The lists of child and family profiles are determined by the Authority, according to the principles constituted by the Child and Family Profiles Criteria Working Board.

Assessment of appeals and objections
ARTICLE 11 - (1) The users and owners of the internet sites can appeal and object, via the website provided by the Authority, to the Authority for the assessment of the internet sites.
(2) The users can make the appeals via the link on the Edit Profile Web Page and the objections via the link on the Cautionary and Informative Web Page. Operator name, user profile, domain name/IP address and port information, associated with the appeal and objection, are sent to the Authority by the operators for proper assessment of appeals and objections.
(3) The Authority can appeal to the opinion of Child and Family Profiles Criteria Working Board regarding the assessment of the objections and appeals.

Safe internet service provision and infrastructure building
ARTICLE 12 – (1) The operators shall build the infrastructure required for the Safe Internet Service and operate it. Role of the Authority is only to send the lists to the operators.
(2) The operators cannot make any change on the Safe Internet Service profiles determined by the Authority and the lists which will be sent by the Authority.
(3) In addition to the Safe Internet Service, operators can offer different service packages with different launch names.
(4) The operators, which offer internet service via resale, shall offer the Safe Internet Service to alternative operators free of charge.

Access to the list database
ARTICLE 13 – (1) The lists of Safe Internet Service profiles are shared with operators through point-to-point secure data lines established between the Authority and operators.
(2) The data stored in the Authority database will be sent through the secure data line to the operators. The operators shall apply the updates and data sent by the Authority to working systems used for provision of Safe Internet Service in 24 hours.
(3) The hash codes of domain and sub-domain names in the database are separately determined by the Authority and these hash codes are shared with the operators. Operators shall search the hash codes of the domain and sub-domain names, which the users want to access, through the database sent to them, and build necessary control mechanisms for the use of this method.
(4) The lists of IP addresses and ports in the database of the Authority are shared with the operators without taking the hash codes. The operators shall inquire the said IP addresses or ports.
(5) The operators shall set up the systems developed in accordance with the provision of the Safe Internet Service with backups.

Informative text
ARTICLE 14 – (1) The operators shall send an informative text, the content of which will be determined by the Authority, to the subscribers. Before the service is provided to the users, the operators shall inform the subscribers about introduction of this By-Law using at least one of the methods which are SMS, call centre, captive portal, pop-up and/or billing.
Test process and provision of the service
ARTICLE 15 – (1) The operators shall build the required infrastructure and applications for the provision of Safe Internet Service before the test process starts.
(2) The test process for the Safe Internet Service shall be carried out between the Authority and the operators from 22.08.2011 to 22.11.2011.
(3) If it is considered proper by the operators, the operators can allow subscriptions to the Safe Internet Service during the test process.
(4) The test process shall be terminated on 22.11.2011 and the Service shall be provided to the users by this date.

Entry into force
ARTICLE 16 – (1) This By-Law enters into force in 22.08.2011.

Enforcement
Article 17 – (1) The provisions of this By-Law shall be enforced by the President of the Information and Communication Technologies Board.

Important Notice: In case of divergent interpretation, the original Turkish text shall prevail.

Source: http://www.btk.gov.tr/mevzuat/kurul_kararlari/dosyalar/2011%20DK-14-461.pdf
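Added example (not part of the By-Law, the ICTA translation or any operator's system): a sketch of the operator-side lookup that Article 13(3)-(4) and the profile definitions in Article 4 describe, with hashed domain names, plaintext IP/port entries, deny-list semantics for the family profile and allow-list semantics for the child profile. It goes a little beyond the text by normalizing names before hashing, because an exact-match hash lookup misses on case, trailing-dot or IDN spelling differences. SHA-256, the normalization rules, parent-domain matching, the (network, port) entry shape and all names and addresses below are assumptions or constructed sample values.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

HASH_ALGORITHM = "sha256"  # assumption: the By-Law does not name a hash function


def normalize_host(host):
    """Canonical form hashed by both sides: trimmed, lowercase, no trailing dot, IDNA ASCII."""
    host = host.strip().rstrip(".").lower()
    return host.encode("idna").decode("ascii")


def domain_hash(host):
    """Hash code of one domain or sub-domain name (Article 13(3))."""
    return hashlib.new(HASH_ALGORITHM, normalize_host(host).encode("ascii")).hexdigest()


def candidate_names(host):
    """The requested name followed by its parent domains, stopping at two labels.

    Assumption: a listed domain also covers its sub-domains. An exact-match-only
    deployment would hash just the first element.
    """
    labels = normalize_host(host).split(".")
    return [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]


@dataclass
class ProfileList:
    domain_hashes: set = field(default_factory=set)  # hashed names, Article 13(3)
    endpoints: list = field(default_factory=list)    # plaintext (network, port or None), Article 13(4)

    def lists_host(self, host):
        return any(domain_hash(n) in self.domain_hashes for n in candidate_names(host))

    def lists_endpoint(self, ip, port):
        addr = ipaddress.ip_address(ip)
        return any(addr in net and (p is None or p == port) for net, p in self.endpoints)


def decide(profile, lists, host, ip, port):
    """Return "allow" or "redirect" (to the Cautionary and Informative Web Page, Article 9)."""
    if profile is None:
        return "allow"  # Article 5: subscribers without the service are unaffected
    plist = lists[profile]
    listed = (host is not None and plist.lists_host(host)) or plist.lists_endpoint(ip, port)
    if profile == "family":   # listed entries are not accessible
        return "redirect" if listed else "allow"
    if profile == "child":    # only listed entries are accessible
        return "allow" if listed else "redirect"
    raise ValueError("unknown profile: %r" % (profile,))


def build_sample_lists():
    """Constructed sample lists using reserved .example names and documentation IP ranges."""
    family = ProfileList(
        domain_hashes={domain_hash("blocked.example"), domain_hash("bücher.example")},
        endpoints=[(ipaddress.ip_network("192.0.2.0/24"), None)],
    )
    child = ProfileList(
        domain_hashes={domain_hash("kids.example")},
        endpoints=[(ipaddress.ip_network("198.51.100.10/32"), 443)],
    )
    return {"family": family, "child": child}


if __name__ == "__main__":
    lists = build_sample_lists()
    for profile, host, ip, port in [
        ("family", "Blocked.EXAMPLE.", "203.0.113.5", 443),
        ("family", "news.example", "203.0.113.5", 443),
        ("child", "kids.example", "203.0.113.9", 443),
        ("child", "news.example", "203.0.113.9", 443),
        (None, "blocked.example", "203.0.113.5", 443),
    ]:
        print(profile, host, ip, port, "->", decide(profile, lists, host, ip, port))
```

Both sides have to agree on the normalization and the hash function before the first list is exchanged, otherwise every lookup misses silently: the family profile then fails open and the child profile fails closed.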

Principles and Procedures Concerning the Safe Internet Service

The Board decision on the Draft Principles and Procedures Concerning the Safe Internet Service, as revised by the Information and Communication Technologies Authority, has been published. http://btk.gov.tr/mevzuat/kurul_kararlari/kurul_kararlari_list.php

Deutsche Telekom Wants ’German Cloud’ to Shield Data From U.S.

Deutsche Telekom AG’s T-Systems information technology unit is pushing regulators to introduce a certificate for German or European cloud operators to help companies guard data from the U.S. government.

T-Systems plans to lure customers by emphasizing the security of its servers, over which it delivers its Internet-accessed computing services, Reinhard Clemens, the division’s chief executive officer, told reporters in Bonn on Sept. 12. This includes shielding clients from government access such as that allowed by the U.S. Patriot Act, he said.

“The Americans say that ‘no matter what happens I’ll release the data to the government if I’m forced to do so, from anywhere in the world,’” Clemens said. “Certain German companies don’t want others to access their systems. That’s why we’re well-positioned if we can say we’re a European provider in a European legal sphere and no American can get to them.”

Deutsche Telekom and other telecommunications companies are promoting cloud-computing offerings as a safe way for businesses to outsource their data centers. A government seal may fence off the cloud offerings of T-Systems and European competitors such as Atos SA and Cap Gemini SA and give them an advantage over U.S. rivals such as Hewlett-Packard Co., Microsoft Corp. and International Business Machines Corp.

Some of the surveillance powers of the U.S. Patriot Act, passed after the Sept. 11 attacks, have been opposed by some lawmakers and outside groups, including civil liberties activists.

“A German cloud” would be a “safe cloud,” Clemens said.

U.S. Exit

Deutsche Telekom in March agreed to sell its T-Mobile USA unit for $39 billion to AT&T Inc. The German company is currently trying to salvage the deal after the Justice Department sued Dallas-based AT&T and T-Mobile on Aug. 31, saying a combination of the two companies would substantially reduce competition.
The global market for cloud services may surge to $148.8 billion in 2014 from $68.3 billion in 2010, according to researcher Gartner Inc. T-Systems predicts it will generate 2 billion euros ($2.74 billion) more in revenue between 2009 and 2015, mostly from delivering software and data storage to customers via the Internet.

A German certificate could be issued by the country’s Technical Inspection Association, based on guidelines developed by the Federal Office for Information Security, Clemens said. The office is in talks with European Union officials to develop common standards across the region, which may result in a European certificate, he said.

Reliability Issues

Telecommunications companies also need to convince clients about the reliability of cloud services. In May, SAP AG’s head of global solutions, Sanjay Poonen, said an outage on Amazon.com Inc.’s cloud-computing services earlier this year, and a controversy around Google Inc.’s delays in providing e-mail services to 30,000 city employees in Los Angeles could make it harder for the software industry to convince clients to use cloud computing services.

In the U.S., a group led by Salesforce.com and VCE, a cloud services provider founded by Cisco Systems Inc. and EMC Corp., sent a report to the government on July 26, urging it to accelerate government and commercial uptake of cloud technologies.

Apple Inc., aiming to capitalize on a shift away from personal computers, this year introduced the iCloud service that stores music and other files online and keeps devices synchronized wirelessly. The product will let users move their “digital life” from PC hard drives to remote data centers in the “cloud,” the company said at the time.

Talks About Standards

In the European Union, Commissioner Neelie Kroes, responsible for the region’s Digital Agenda, has asked providers and users of cloud computing to participate in talks about data protection and privacy as well as technical and commercial standards.
“The cloud is critical to Europe’s growth,” Kroes said in March. She said the European Union needs to develop the right legal framework, encourage more technology research and push the public sector to use cloud computing.

T-Systems’ sales from cloud products are increasing by 49 percent a year, Clemens said, without giving a total sales figure. Companies that operate their own servers tend to run their systems at only as much as 68 percent of capacity because they need to provision for spikes in use, Clemens said. Capacity use in T-Systems’ cloud is higher, he said, declining to provide a figure.

Source: http://www.businessweek.com/news/2011-09-14/deutsche-telekom-wants-german-cloud-to-shield-data-from-u-s-.html

FTC Seeks Comment on Proposed Revisions to Children’s Online Privacy Protection Rule

The Federal Trade Commission is seeking public comment on proposed amendments to the Children’s Online Privacy Protection Rule, which gives parents control over what personal information websites may collect from children under 13. The FTC proposes these amendments to ensure that the Rule continues to protect children’s privacy, as mandated by Congress, as online technologies evolve. The Commission proposes modifications to the Rule in five areas: definitions, including the definitions of “personal information” and “collection,” parental notice, parental consent mechanisms, confidentiality and security of children’s personal information, and the role of self-regulatory “safe harbor” programs.

“In this era of rapid technological change, kids are often tech savvy but judgment poor. We want to ensure that the COPPA Rule is effective in helping parents protect their children online, without unnecessarily burdening online businesses,” said FTC Chairman Jon Leibowitz. “We look forward to the continuing thoughtful input from industry, children’s advocates, and other stakeholders as we work to update the Rule.”

The Children’s Online Privacy Protection Act (COPPA) requires that operators of websites or online services directed to children under 13, or those that have actual knowledge that they are collecting personal information from children under 13, obtain verifiable consent from parents before collecting, using, or disclosing such information from children. The FTC’s Rule implementing the COPPA statute became effective in 2000.

The FTC previously reviewed the COPPA Rule in 2005 and retained it without change. In light of rapidly evolving technology and changes in the way children use and access the Internet, in 2010 the FTC initiated another review of the Rule on an accelerated schedule. On April 5, 2010, the FTC sought public comment on every aspect of the COPPA Rule, posing numerous questions for the public’s consideration.
In addition, the FTC held a public roundtable and reviewed 70 comments received from industry representatives, advocacy groups, academics, technologists, and individual members of the public. A brief summary of some of the major changes is below.

Definitions

The COPPA Rule requires covered operators to obtain parental consent before collecting personal information from children. The FTC proposes updating the definition of “personal information” to include geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising. In addition, the Commission proposes modifying the definition of “collection” so operators may allow children to participate in interactive communities, without parental consent, so long as the operators take reasonable measures to delete all or virtually all children’s personal information before it is made public.

Parental Notice

The proposed amendments also seek to streamline and clarify the direct notice that operators must give parents prior to collecting children’s personal information. The proposed revisions are intended to ensure that key information will be presented to parents in a succinct “just-in-time” notice, and not just in a privacy policy.

Parental Consent Mechanisms

The FTC also proposes adding new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s ID is deleted promptly after verification is done. These supplement the nonexclusive list of methods already set forth in the Rule.

The FTC proposes eliminating the less-reliable method of parental consent, known as “e-mail plus,” which is available to operators that collect personal information only for internal use.
This method currently allows operators to obtain consent through an email to the parent, coupled with another step, such as sending a delayed email confirmation to the parent after receiving consent.

To encourage the development of new consent methods, the Commission proposes establishing a voluntary 180-day notice and comment process whereby parties may seek Commission approval of a particular consent mechanism. In addition, the Commission proposes permitting operators participating in a Commission approved safe-harbor program to use a method permitted by that program.

Confidentiality and Security Requirements

To better protect children’s personal information, the Commission proposes strengthening the Rule’s current confidentiality and security requirements. Specifically, the Commission proposes adding a requirement that operators ensure that any service providers or third-parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it, that operators retain the information for only as long as is reasonably necessary, and that they properly delete that information by taking reasonable measures to protect against unauthorized access to, or use in connection with, its disposal.

Safe Harbor

Finally, the FTC proposes to strengthen its oversight of self-regulatory “safe harbor programs” by requiring them to audit their members at least annually and report periodically to the Commission the results of those audits.

The Commission vote to issue the Federal Register notice was 5-0. Written comments must be received on or before November 28, 2011. Write “COPPA Rule Review, 16 CFR Part 312, Project No. P-104503” on comments, and file your comment online at https://ftcpublic.commentworks.com/ftc/2011copparulereview by following the instructions on the web-based form.
To file comments on paper, mail or deliver comments to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex E) 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook and follow us on Twitter. Source: http://www.ftc.gov/opa/2011/09/coppa.shtm

German Minister Urges Government to Quit Facebook

German Consumer Protection Minister Ilse Aigner has called on her cabinet colleagues to stop using Facebook, reflecting ongoing German concern that the social networking site threatens data privacy. "Following an extensive legal probe I think it is essential that we should no longer use the Facebook button on all official government Internet sites under our control," she wrote in a letter seen by SPIEGEL. She sent her request to all government ministries at the end of last week. She added that the ministries should avoid using fan pages, a tool which allows users to access information on an organization. She argued there were "justified legal doubts" about fan pages. She wrote that, "logically enough" her ministry did not have a fan page and did not use the social networking site's "Like" button. Aigner herself quit her Facebook account last year in a high-profile move sparked by her concerns for data privacy.

'Like' Button Complaints

She wrote that government departments and parliamentarians should "set a good example and show that they give a high priority to the protection of personal data." She added that Facebook had to respect German and European laws. Her comments follow moves by the state of Schleswig-Holstein, which last month said it aims to ban the site's "Like" button. Critics argue that the "Like" button could allow advertisers to track users' tastes and consumer choices. Web advocates and bloggers were outraged at the plan, calling it "data protection hysterical." Germany is notably vigilant regarding the Internet's threat to personal privacy. Global giants like Facebook and Google have repeatedly been in the firing line and the northern state of Schleswig-Holstein even managed to ban Google Street View from its region in 2008. Source: http://www.spiegel.de/international/germany/0,1518,785712,00.html

New EU Agency to Manage Large IT Systems With Citizen Data

The European Union's General Affairs Council on Monday approved plans to establish a pan-European agency to manage its large-scale IT systems. The new agency will be responsible for the operational management of a vast amount of sensitive data including the second-generation Schengen Information System (a common database which facilitates the exchange of information on individuals between national law enforcement authorities), the Visa Information System (a database that will allow member states to enter, update and consult visa data, including biometric data, electronically) and EURODAC (an IT system for comparing the fingerprints of asylum seekers and illegal immigrants). Given the sensitivity of this information, experts have warned that effective security is essential immediately as large amounts of aggregated data can create a target for cybercriminals. Earlier this year, an attack on the European Commission disrupted email systems, while an attack on the E.U.'s Emissions Trading Scheme saw at least €30 million (US$41 million) of emissions allowances stolen from national registries. The new agency will also be responsible for the management of other IT systems that might be developed in the future. However, any integration of further systems will require a specific decision by the European Council and the European Parliament. The plan is for the agency to start working in summer 2012. The head office will be in Tallinn, Estonia, with development and operational management carried out in Strasbourg, France and a back-up site in Sankt Johann im Pongau, Austria. Source: http://www.pcworld.com/businesscenter/article/239852/new_eu_agency_to_manage_large_it_systems_with_citizen_data.html

DigiNotar SSL certificate hack amounts to cyberwar, says expert

"Dutch government revokes certificates used for all its secure online transactions, while CIA, Google, Microsoft and others affected by hack called 'worse than Stuxnet'" The Dutch government says hackers who broke into a web security firm in the Netherlands last month issued hundreds of bogus security certificates that could be used on websites including the CIA and Israel's Mossad, as well as internet giants such as Google, Microsoft and Twitter. More than 500 fake certificates, including some which could be used to send fake Windows updates to computers, and others which could be used when connecting to the CIA's site, were fraudulently issued in the hack, which occurred in July. The Dutch government took the exceptional step of calling a press conference at 1.15am on Saturday morning to announce that it was revoking all trust in digital certificates issued by DigiNotar, which until then had been used for all online tax returns filed in the Netherlands. The government said that browser companies are now rejecting all security certificates issued by the hacked firm. Microsoft's Internet Explorer, Mozilla Firefox and Google's Chrome will all reject certificates from the company. Apple systems require a manual update. Apple has not made any statement on whether it will revoke DigiNotar certificates. The fake certificates could in theory be used to monitor users' communications with those sites without them noticing, but only by an organisation that also has the ability to reroute internet traffic to servers they control – most likely a government. Iran's government has been suspected of involvement in the hack, which led to the creation of hundreds of fake security certificates used to create cryptographically secure links between users and sites. 
A handful of Iranian users of Google's popular email service are known to have been affected by the faked certificates, which would allow a "man in the middle" attack, where an apparently secure link could in fact be tapped by an intermediary. Security experts noted that earlier this year, Iran announced that it was changing the setup for its domain name servers (DNS) used to make connections to sites – which would give it the ideal opportunity to insert faked certificates into the system. Roel Schouwenberg of the security company Kaspersky warned that the long-term effects of the DigiNotar hack could be more serious than Stuxnet, a computer "worm" that is believed to have been written by US and Israeli computer experts to attack Iran's nuclear facilities by destabilising computer-controlled systems in its uranium centrifuges. "The attack on DigiNotar will put cyberwar on or near the top of the political agenda of western governments," he noted on the Securelist blog. "I remain with my stance that a government operation is the most plausible scenario." He added: "The damage sustained to the Dutch (government) IT infrastructure is quite significant. A lot of services are no longer available. Effectively, communications have been disrupted. Because of this one could make an argument the attack is an act of cyberwar." Source: http://www.guardian.co.uk/technology/2011/sep/05/diginotar-certificate-hack-cyberwar

Information and Technology Law Certificate Program

The Institute of Information and Technology Law has made it possible for interested individuals to select courses from the Information and Technology Law Master's Program in order to earn a "certificate". To obtain the Information and Technology Law Certificate, candidates choose, from the Fall and/or Spring semester courses of the master's program, the branches and topics on which they wish to concentrate, and attend only those courses. Each course runs for 14 weeks. The fee for the Certificate Program is determined by the number of courses the candidate selects. The program will begin on 26 September; interested candidates should send an e-mail to meldao@bilgi.edu.tr or call 0212 311 5101 for information.

Sweden argues that transposing data retention directive is unnecessary

On 5 September 2011, the Swedish government responded to the European Court of Justice after the Commission referred Sweden to the Court for failing to transpose the Directive on Data Retention (2006/24/EC). Sweden's main argument is that it is unnecessary to transpose the Data Retention Directive, considering the practical effects of existing Swedish legislation. This implicitly means that transposition would be contrary to the European Convention on Human Rights and the Charter of Fundamental Rights, both of which require restrictions on fundamental rights to be necessary and proportional. The Directive on Data Retention 2006/24/EC was adopted in 2006 and the Member States had until 15 September 2007 to transpose it into the national law, and until 15 March 2009 to implement the retention of communications data relating to Internet services. The Directive concerns the storage of traffic and location data resulting from electronic communications. Traffic and location data retained by Internet service providers and phone companies will be made available only to national law enforcement authorities in specific cases and in accordance with the national law. However, retention periods, purpose limitation and access requirements vary vastly across the EU. The European Court of Justice found that Sweden failed to fulfil its obligations to implement the Data Retention Directive in its national legislation on 4 February 2010. Despite this first ruling, Sweden still has not transposed the Directive 2006/24/EC. In the absence of a precise timetable for the transposition of the Directive, the Commission decided to send a letter of formal notice to Sweden in June last year. The Commission asked Sweden for details on the measures Sweden planned to implement the Directive and comply with the Court's decision. Sweden informed the Commission on 21 January 2011 that draft legislation had been submitted to its Parliament in order to transpose the Directive. 
The legislation was to be adopted in mid-March. However, the Parliament deferred the vote on the draft legislation implementing the Directive on Data Retention for a year, due to the opposition from a minority of parliamentarians. They used a constitutional rule allowing one-sixth of the MPs to suspend the adoption of a proposed legislation. Following this suspension of the legislative process, the European Commission swiftly referred Sweden for a second time to the European Court of Justice, requesting it to impose financial penalties (Case C-270/11). The Commission asked the Court to impose a daily penalty of 40 947 Euros/day after the second ruling and a lump sum of 9 597 Euros/day for each day between the first and the second ruling. The ECJ will have to determine the level of sanctions and if it will take the form of a penalty and/or a lump sum. In its response to the ECJ, Sweden argues that the penalties are disproportionate considering firstly the fact that Sweden does not often fail to fulfil its implementation obligations regarding European directives and secondly that some other Member States likewise fail to implement the Directive without being penalised by any financial penalties. The Swedish government also indicated that since the first ruling, it has taken all procedurally possible measures to implement the Directive. The delay is due to political and legal matters with regards to the sensitive subjects the Directive is dealing with, such as the right to privacy and those debates are delaying the legislative process. It further points out that this controversy is not limited to Sweden. Moreover, according to Sweden, the failure to implement the Directive does not create any barriers for the Single Market. Bearing in mind the Commission's own assertion of the low costs of implementing the Directive (as described in the implementation report), this seems to be difficult for the Commission to deny. 
According to Sweden, the harmonisation realised by the Directive on Data Retention is only minimal and does not appear to be crucial in achieving competition on the Single Market. In addition, the Directive does not say who finances data retention. It finally appears that the Swedish Government believes that Directive 2002/58/EC on Privacy and Electronic Communications gives the Member States the ability to adopt legislation covering the field of the Data Retention Directive when necessary and that the 2006 Directive's implementation in Sweden is therefore meaningless. The Swedish government especially underlines that the Swedish crime prevention authorities already have sufficient access to data even without the full implementation of the Directive. Furthermore, the differences in the implementations across the EU show the limits of the Data Retention directive and create a lack of harmonisation. According to Sweden, further implementation of the Data Retention Directive is superfluous and unnecessary. The question remaining now is whether the European Court of Justice will follow the Swedish defence on the "necessity" of implementing the Data Retention Directive and the Directive's failure to achieve the task on which its legal base is built - harmonisation. The Commission now faces an unenviable task - it either forces a sovereign Member State to impose unnecessary (and therefore illegal) restrictions on fundamental rights or it accepts the challenge of finally acknowledging the failure of the Directive and the inevitable battle with the Council that will result from any serious effort to fix the broken legislation. Data Retention Directive 2006/24/EC (15.03.2006) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:00... Judgement of the Court Case C-185/09 (4.02.2010) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:080:00... 
Commission refers Sweden back to Court to transpose EU legislation (6.04.2011) http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/409&... European Commission Application (31.05.2011) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2011:226:00... Sweden's response to the ECJ - Case C-270/11 - (5.09.2011) (available only in Swedish) http://www.edri.org/files/sw_C-270-11_slutligt.pdf Source: http://www.edri.org/edrigram/number9.17/sweden-contests-data-retention-unnecessary

Ad industry's do-not-track plan blasted by consumer groups

Top consumer advocacy groups in the U.S. and Europe have just sent this letter to top regulators on both sides of the Atlantic urging them not to be wooed by the online advertising industry's call for law makers to keep their hands off online tracking. The letter was drafted by Trans Atlantic Consumer Dialogue, or TACD, a consortium of advocacy groups that champions consumer protection policies. It was sent to David Vladeck, Director of the Bureau of Consumer Protection at the FTC and Jacob Kohnstamm, Chairman of the Article 29 Working Party. The TACD's letter outlines concerns about a version of a do-not-track mechanism recently rolled out by the Interactive Advertising Bureau, a trade group whose top members include giant data aggregators and online trackers Google, Microsoft and Facebook. The IAB on Aug. 29 required its 500 members to embrace a brand new code of conduct that requires use of a turquoise-colored triangle icon with a lowercase letter 'i' at center; this is the IAB's preferred mechanism for enabling consumers to choose not to be tracked online. "The icon system was designed to quell the growing public uproar over behavioral targeting -- known as online behavioral advertising, or OBA," says Jeffrey Chester, executive director of the Center for Digital Democracy. TACD is asking "both governments to reject the current OBA self-regulatory regime as inadequate, and work with industry and consumer and privacy groups to ensure that significant revisions are made to protect consumer privacy." Chester says consumer advocates are particularly worried that the Obama administration is preparing a new privacy white paper that "likely will rely on this flimsy self-regulatory system as a way to protect consumer privacy." Mike Zaneis, IAB senior vice president and general counsel, counters that he's confident U.S. 
regulators and law makers are fully versed on industry's arguments as to why it is vital to continue to let data aggregators and online trackers self-regulate themselves. "We are fortunate enough in the U.S. to have thoughtful regulators that take the time to understand our program and let it fully develop before preemptively deeming it inadequate," says Zaneis. "The FTC wants to read the whole book, whereas others read the first chapter and then write their own ending." Source: http://content.usatoday.com/communities/technologylive/post/2011/09/Ad-industrys-do-not-track-plan-blasted-by-consumer-groups--546423/1

The State of the e-Invoicing Sector in Europe as of 2011

Information on the e-invoice application, which in Turkey is run under the monopoly of the Revenue Administration (Gelir İdaresi Başkanlığı), is available at "www.efatura.gov.tr". Our e-invoice application, which does not allow an e-invoicing sector, a market, e-invoice service providers or companies producing e-invoice software to form, is, so to speak, one of the best examples of a sector being killed before it is born. How far it is compatible with the principles of competition law for a public institution, whose only duty with regard to e-invoicing is regulation, both to regulate and to take on the operation of that business is a separate matter for debate. Another problematic point of our e-invoice application lies in the Turkish law of evidence. Under both the Turkish Commercial Code and the Tax Procedure Law, an invoice must bear the signature of its issuer. This signature must be either a handwritten signature or a secure electronic signature within the meaning of the Electronic Signature Law No. 5070 and the Turkish Code of Obligations to which it refers. Under our Code of Civil Procedure, in force as of 1 September 2011, documents bearing a secure electronic signature are also conclusive evidence before the courts, that is, they have the force of a deed. In the Revenue Administration's e-invoice application, however, the signature that companies wishing to benefit from the application are obliged to use is not a secure electronic signature but the "financial seal" (mali mühür), which has the nature of an ordinary SSL certificate. The Financial Seal is an application developed, at the request of the Revenue Administration, by the Tübitak Public Certification Center (Kamu Sertifikasyon Merkezi), whose actual duty is to provide secure electronic signatures to the entire public sector (http://mm.kamusm.gov.tr/). Tübitak operates as an Electronic Certificate Service Provider (ESHS) in the electronic signature sector, which is regulated by BTK under Law No. 5070 and the related legislation; its role as Financial Seal Certificate Service Provider, which is incompatible with its duties of spreading and developing the electronic signature and with its ESHS status, needs to be questioned. 
Under the Turkish law of evidence, the evidentiary value of e-invoices signed with a financial seal certificate is that of "discretionary evidence" (takdiri delil). That is, it falls into the category of weak evidence that does not on its own bind the court or the judge. The Revenue Administration needs to explain why, for e-invoicing, one of the important applications that would spread the secure electronic signature, which entered our lives through a law and related legislation and under the supervision of a regulatory authority, it preferred the financial seal to the secure electronic signature. The Electronic Certificate Service Providers operating in the sector should also pursue the issue through their regulator, the Information and Communication Technologies Authority (Bilgi Teknolojileri ve İletişim Kurumu). While this is the situation regarding e-invoicing in our country, in Europe there is a market that grows and develops with each passing year. You can learn the latest point this market has reached as of 2011, and its future, from the Report prepared by my dear friend Bruno Koch: http://www.epunet.com/blog/wp-content/uploads/2011/08/Report2011.pdf

Europe Taking Much Stricter Stance on do-not-Track Rules

Europe's privacy regulators are advancing toward adopting much stricter do-not-track rules than what the U.S. online advertising industry prefers. A group called the European Union's Article 29 Data Protection Working Party wants to require data aggregators and advertising networks to obtain specific permission from each European consumer to use each and every tracking cookie -- stealthy programs that track where you go and with whom you associate on the Web. The Working Party has been circulating this document prior to a workshop scheduled later this month with advertising industry representatives. The group is insisting on the use of a form containing a detailed explanation about each tracking cookie, along with an acceptance box consumers must check. The check box must be provided by every entity proposing to place each tracking cookie. "Simply put, the Working Party has rejected every (self-regulation) proposal put forward by industry to avoid the necessity of consumers affirmatively consenting to every placement of cookies by every party proposing to place such cookies," says Chris Wolf, privacy expert at Washington D.C. law firm Hogan Lovells. Why tech giants are worried Europe's insistence on empowering consumers is worrisome for Google, Microsoft, Yahoo, Adobe, AOL, Coremetrics and Quantserve, the giant data aggregators that conduct the ecosystem of tracking cookies, web beacons and other Web tracking mechanisms. It's all part of interlaced tracking networks comprised of dozens more smaller, independent ad networks, data analytics firms and tracking services. "The Article 29 Working Party seemed to convey the message that it's our way or the highway," says Wolf. "That does not send a message to industry that genuine efforts at self-regulation will be recognized and rewarded. That approach could in fact impede business initiatives to advance privacy." It could also impede the tech giants' direct path to online advertising lucre. 
Research firm eMarketer this week issued fresh projections that the U.S. online advertising market will grow 20.2% to $31.3 billion in 2011, up from $26 billion in 2010. A primary driver: improved targeting technology. The more intensely data aggregators can track you, the more they will be able to triangulate your online haunts and preferences. That intelligence, in turn, is expected to boost sales of pricey display advertising. The display ad market is expected to grow 24.5% to $12.3 billion in the U.S. this year, up from $9.9 billion in 2010, according to eMarketer. That assumes, of course, that the current set up of self-regulation of the data aggregation industry prevails. However, consensus appears to be gelling in the U.S. and Europe, among consumer and privacy advocates, as well as regulators and politicians, that self-regulation won't cut it. The concerns raised by the EU are being echoed by the Federal Trade Commission, the Federal Communication Commission, the research community, non-governmental organizations, and certain federal lawmakers, led by Sen. Jay Rockefeller, D-WV. "The online advertising industry has been attempting to persuade the FTC and EU regulators that its self-regulatory program is adequate," says Jonathan Mayer, a researcher at the Stanford University Center for Internet and Society. "It's now clear that EU regulators aren't buying it." Here in the U.S., privacy and consumer advocacy groups are rallying behind Sen. Rockefeller's proposed Do Not Track legislation. It would require use of a simple mechanism that empowers consumers to make a universal request not to be tailed around the Web. The ad networks and data aggregators would be required by federal law to honor such requests. 
Co-mingled tracking data

Concern is rising about the advertising industry's widespread practice of co-mingling tracking data from Internet searches and surfing with the information Internet users disclose at websites for shopping, travel, health or jobs. And personal disclosures made on popular social networks, along with the preferences expressed via Web applications on smartphones and tablet PCs, are getting tossed into the mix. Privacy advocates worry that health companies, insurers, lenders, employers, lawyers, regulators and law enforcement could begin to acquire detailed profiles derived from tracking data to use unfairly against people. Rockefeller's proposed Do Not Track law would give the FTC and state attorneys general power to enforce the law and impose penalties for violations. But Google, Facebook and data aggregators have been lobbying hard to maintain the self-regulated industry. Craig Spiezle, executive director of the Online Trust Alliance, says the tack Europe is taking "underscores the chasm between the EU's privacy perspectives versus that of the U.S." Earlier this week, the Interactive Advertising Bureau -- whose 500 members include Google, Facebook and Microsoft -- made it mandatory for all of its members to begin using a turquoise triangular icon to alert users to tracking cookies and give them a way to request a halt to tracking. While the turquoise icon alert is "a significant first step," Spiezle says what's lacking is a "road map" addressing the entire spectrum of privacy concerns. "We need to move beyond this discussion of interest-based advertising, which I believe is a good thing and provides consumer value, to the broader issues on how else is the data being used and who has access to it," says Spiezle. John Simpson, spokesman for the non-profit Consumer Watchdog advocacy group says "the Europeans have exactly the right approach. 
They are asking that a consumer must be given the right to opt in before a cookie is placed." Simpson says the IAB's icon alert mechanism is "mostly window dressing." He says if European regulators do end up imposing a strict opt-in rule across Europe, Google, Facebook and the other data aggregators and ad networks will be forced to comply to do business in Europe. At that point, "there is no reason they cannot do the same thing in the United States," says Simpson. "Strict rules in Europe would show the U.S. self-regulatory program to be the sham that it is." Source: http://content.usatoday.com/communities/technologylive/post/2011/09/europe-taking-much-stricter-stance-on-do-not-track-rules/1

Children Should be Taught Importance of Privacy in Mainstream Education, ICO Says

The Information Commissioner's Office (ICO) said that it was important for children to learn about data privacy and freedom of information (FOI) rights, and that both "should be embedded in the formal education process".

The ICO is responsible for ensuring organisations comply with UK data protection laws, FOI laws and regulations on privacy and electronic communications. It said that it was imperative that children learned about privacy after revealing the details of research into the use of social networks by students.

A survey of more than 4,000 young people showed that 88% of secondary school students and 39% of primary school pupils have a social networking site profile, the ICO said. Most respondents had not read the sites' privacy policies, almost a third did not know what one was, and nearly a quarter said they did not know where to find the information, it said.

"Young people today are growing up in an age where an ever increasing amount of information is held about them," Jonathan Bamford, head of strategic liaison at the ICO, said in a statement. "It is vital that they understand their privacy rights and how to exercise them."

The ICO also said children should be encouraged to "exploit" the growing availability of public data.

The Freedom of Information Act (FOIA) and the Freedom of Information (Scotland) Act came into full force on 1 January 2005, giving individuals the right for the first time to see information held by Government departments and public bodies.

Under the FOI laws anyone of any nationality living anywhere in the world can make a written request for information and expect a response within 20 working days. The public authority will be obliged to meet that request unless exemptions apply or unless meeting it will be too costly or difficult.

"By being aware of their rights to access information, young people will feel more empowered to ask important questions about the things that matter to them – be it about their local leisure centre, or what the government is doing on university tuition fees or the environment," Bamford said in the ICO statement.

The ICO said it was aware of existing projects and subjects that teach some information rights, but said schools should adopt the teaching of "information rights issues as part of the mainstream education process – giving young people skills that will serve them well throughout their adult lives".

The ICO said it was looking for a "research partner" to help develop a new project it hopes will eventually make recommendations on how privacy and information rights can be formally introduced to the education system.

Source: http://www.out-law.com/en/articles/2011/august/children-should-be-taught-importance-of-privacy-in-mainstream-education-ico-says/

US Government's First Chief Information Officer Slams Cloud Computing Reticence

SECURITY and privacy concerns are "unfounded and ridiculous" excuses used by federal agencies to avoid adopting cloud computing, says the US government's first chief information officer.
Vivek Kundra said the reasoning didn't gel because Washington was a large IT outsourcing customer, using a variety of external suppliers.

"Security and privacy ... in some ways are very unfounded and ridiculous (reasons) because the US government has outsourced over 4700 systems," Mr Kundra, who left his post earlier this month after more than two years in the role, said.

"This is in the hands of Lockheed, Raytheon, Boeing, Northrop Grumman and yet when it comes to cloud for some reason these fears are raised," he said during a panel discussion at Salesforce.com's Dreamforce event in San Francisco.

"Government contracts are designed to ensure those provisions are taken care of."

He railed against the billions of dollars lost to "IT cartels", who he said had no innovative bones but were experts in navigating government procurement.

"In federal government alone we spent $US80 billion a year (on IT) and one of the most frustrating issues was to actually see project after project fail because it was based on the old IT model.

"That model was essentially vendors would bid for government contracts and their expertise wasn't superior technology or innovation; it was the fact that they had a PhD in understanding how to navigate the complicated procurement process," Mr Kundra said.

"We cannot continue on that path in this tough fiscal environment that we're in. That is why as part of the administration we instituted a "cloud first" policy, recognising that some of the most major innovation is not happening within the old model of what I call the 'IT cartel' where people continue to win this contract and their objective is essentially to put in as many people as possible and bill at exorbitant rates."

He advised governments, including foreign administrations, that current tough economic times meant they had to find innovative ways to serve citizens more effectively.

He admitted poor return-on-investment decisions were made at federal level.

"The government would award multi-million or billion dollar contracts and you fast forward and ask what value did you get two, three, five, 10 years (later) in some cases and there's negative value."

He cited the example of a US Department which spent 10 years and $US850 million trying to implement a personnel system and "there was nothing to show for it a decade later".

Mr Kundra predicts a major shift to cloud services in the public sector over the coming years as agencies grapple with tighter IT budgets.

"You're seeing across the board agencies, whether they are federal, state or local, having to zero out their capital expenditure.

"When you move away and take away all your capex, you're left with opex. How do you innovate in that space?

"What I would encourage is every government, internationally and domestically, better start thinking about how do you not just look at a model where you do more with more or less with less (but) how do we do much more with less," he said.

In 1998 the government had 432 data centres. Today the figure stands at 2094 facilities.

The US manages more than 12,000 major applications across the federal government, he said. It spends $US24bn on IT infrastructure per annum.

"Think about where all the money is going and think about how we actually serve our constituents because all that money's being spent on redundant infrastructure, redundant application that we're not able to optimize," he told conference delegates.

The cloud first policy that he championed had a few wins. The General Services Administration had shaved IT costs by 50 per cent moving to a cloud model.

"In a cloud first policy we're already seeing agencies such as GSA, the Recovery Board and USDA actually adopt the cloud first policy."

Mr Kundra said if $US20bn worth of IT projects were transitioned to the cloud, it would deliver savings of $US5bn.

His views on the benefits of cloud were also echoed in an opinion piece published in The New York Times.

Source: http://www.theaustralian.com.au/australian-it/us-governments-first-chief-information-officer-slams-a-retience-to-adopt-cloud-computing/story-e6frgakx-1226127551327