Τρίτη, 20 Δεκεμβρίου 2016

Legal Issues with Regard to Dynamic IP Addresses

by Ezekiel Aborishade, LL.M Candidate, Leibniz University Hannover, Germany

Despite the fact that a dynamic internet protocol address ('IP address') is inherently an identification number, its qualification as personal data or non-personal data under Article 2 (a) of Directive 95/46/EC[1] had generated quite many controversies.[2] But in the cyberage[3], where the very existence of persons seem to be invariably connected to the internet, there is a need for certainty regarding the legal status of a dynamic IP address. To say the least, legal certainty in the context of a dynamic IP address is 'important for many business models in a data-driven economy and for preserving data subjects’ privacy with regard to today’s monitoring and profiling possibilities – both of government institutions and of high-tech companies.'[4]
Certainly, data controllers[5] such as providers of services on the internet have a stake in the dynamic IP addresses of the devices used by visitors to access their websites. If such addresses were classified as personal data, subject to relevant exceptions,[6] a controller has always to obtain the informed consent of data subjects prior to processing.[7] This represents a practical problem for website owners as data subjects might maliciously withhold or withdraw consent.[8] Such state of affairs would have a negative impact on one of the objectives of the Data Protection Directive (DPD) - which is to ensure free data flows.[9] Thus, 'consent' lies at the heart of the debate about the scope of Article 2(a) DPD, vis a vis dynamic IP addresses.
In that connection, Article 7(f) DPD provides a respite for website owners. It legitimizes processing operations carried out without the consent of data subjects. The only condition attached to enjoying that exception is that "processing is necessary for the purposes of the legitimate interests pursued by the controller".[10] Howbeit, the question needs to be asked as to the circumstances in which processing a dynamic IP address (assuming it were personal data) would be deemed necessary for the purposes of the legitimate interests of website owners.
 On 19 October, 2016 the Court of Justice of the European Union (CJEU) answered that question when (within the framework of Articles 2(a) and 7(f) DPD) it tackled some of the vexing issues concerning dynamic IP addresses. Before discussing the decision[11] of the CJEU, a brief description of the subject matter (dynamic IP addresses) will first be undertaken in order to lay a technical foundation which served as a springboard for the ruling.[12]

Technical Nature of a Dynamic IP Address
A dynamic IP address is a sequence of numbers[13] assigned to a device for identification and communication purposes.[14] Generally, when a device connects to an electronic communications network (the internet), a permanent or temporary identification number is assigned to it by an internet service provider ('ISP'). The temporary identification number is known as a dynamic IP address, because it changes with each new connection to the internet. This is in contrast with the permanent identification number which remains the same, hence the name static IP address. In more elementary terms,
[w]hen you sign up with your ISP, your ISP either assigns you a static IP address or a dynamic IP address depending on the contract. If you need to setup a web server or an email service, you'll need a static IP address. If you are just browsing an Internet (sic), you may just get by with a dynamic IP address.[15]
In the same vein,
internet service providers allocate to the computers of internet users either a ‘static’ IP address or a ‘dynamic’ IP address, that is to say an IP address which changes each time there is a new connection to the internet. Unlike static IP addresses, dynamic IP addresses do not enable a link to be established, through files accessible to the public, between a given computer and the physical connection to the network used by the internet service provider.[16]
For purposes of clarity and emphasis, a dynamic IP address is not an identification number in the sense that the owner of a given device could be identified by a mere look at the number. Rather, it must be combined with additional data (such as those kept by an ISP) in order to identify the owner of said device.[17]

Build up to CJEU Decision in Patrick Breyer v Bundesrepublik Deutschland (Germany)
There has been much discussion of whether IP addresses are personal data, and the majority opinion considers them to be always personal data when they are fixed [static] IP addresses that identify a specific computer. If they are movable [dynamic] IP addresses that are assigned by the access provider every time the user logs in, then they are personal data only if the service provider has enough information to actually identify the user, which will usually be the case.[18]
Whether dynamic IP addresses fall under the definition of personal data under Article 2(a) DPD is the baseline test for their eligibility for protection as such. The CJEU in the case of Scarlet Extended v SABAM had referred to this question in passing when it stated that IP addresses are personal data 'because they allow those users to be precisely identified.'[19]
However, it is clear that the CJEU made that statement in the context of an ISP which had in its possession, the IP addresses and other personal data of its clients (making precise identification both possible and effortless). As a result, the above judicial opinion has been put into context by the relativists who argue, that IP addresses are not to be treated as personal data in every given scenario. They posit that the character of an entity (data controller), together with the (dis)proportionate effort with which it could obtain additional data necessary for the identification of a data subject, must be taken into account for purposes of bringing a particular IP address within the meaning of Article 2(a).[20] 'Therefore, only realistic chances of combining data in order to identify an individual are taken into account – and not highly theoretical identification risks.'[21] This line of thinking, which favours a case by case treatment of dynamic IP addresses, is thus summarized by the CJEU:
According to a ‘relative’ criterion, such data [IP address] may be regarded as personal data in relation to an entity such as Mr. Breyer’s internet service provider because they allow the user to be precisely identified . . . , but not being regarded as such with respect to another entity [website owner], since that operator does not have, if Mr. Breyer has not disclosed his identity during the consultation of those websites, the information necessary to identify him without disproportionate effort.[22]
A counter argument is put forth by the proponents of an objective or absolute test. These insist that the mere existence of a legal channel for identifying a data subject is sufficient. They maintain that all that is required for a dynamic IP address to be treated as personal data is for a data subject to be identifiable, whether directly or indirectly, as foreseen by the drafters of Article 2(a) and Recital 26[23] DPD. Therefore, they insist, it is of no relevance if the additional data needed to identify a data subject is in the possession of a third party, as against a controller.[24] In a nutshell:
a user is identifiable — and, therefore, the IP address is personal data capable of protection — when, regardless of the abilities and means of the provider of a service on the Internet, it is feasible to identify him, solely by combining that dynamic IP address with data provided by a third party [for example, the Internet service provider].[25]
These conflicting views came to a head in the case of Patrick Breyer v. Bundesrepublik Deutschland[26] and constituted one of the questions which arose from there to the CJEU. There, the CJEU was ultimately requested to decide between the relative and absolute criterion in the interpretation of Article 2(a) and Recital 26 of the Directive. The reference for a preliminary ruling was made by the Bundesgerichtshof (Federal Court of Justice, Germany), the national court seised of the matter.
Included in the reference was an ancillary[27] question concerning the construction of the sixth principle under Article 7 DPD (which 'sets out an exhaustive and restrictive list of cases in which the processing of personal data can be regarded as being lawful'[28]). In particular, Article 7(f) DPD mandates member states to enact in their national data protection laws, a principle of 'legitimate interests'.[29] This is to guarantee processing of personal data without the consent of the data subject where:
processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject".[30]
Transposing the above provision into national law,[31] the German federal legislature enacted Article 15 of the Telemedia Act (TMG).[32] However, the provision in the TMG was not as robust as Article 7(f) of the DPD.[33] It granted an exemption from the consent of the data subject only in two strictly defined cases, namely, "to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned".[34]
Consequently, in the context of 'non-consensual' processing of personal data, the notion of the legitimate interests pursued by the controller was radically narrowed. What this meant was that controllers such as website owners could not, without the consent of users, process dynamic IP addresses (if they were personal data), save for purposes of facilitating and charging for the specific use of  the telemedium by the user concerned. It would not matter even where such processing was for the legitimate purpose of ensuring the continued functionality of the controller's system, after the specific use by a data subject.
Following are the facts of the case, the decision of the CJEU therein, as well as the author's appraisal of that decision.

The facts of the case
German Federal Institutions (the Institutions) operated websites through which services were provided to the public. Details of visitors' access to those websites were registered and stored in logfiles. The contents of those logfiles ranged from the: dynamic IP address of the device used in gaining access, time of access, search terms, requested webpage or file name, the quantity of data transferred, failure or success of access.[35] This was done in order to prevent attacks against those websites. And if there was an attack, those institutions wanted to be able to identify the hypothetical culprit(s) and also bring criminal action.[36]
Mr. Patrick Breyer was one of the visitors to those websites. Dispute arose after he requested the Institutions to discontinue the storage of his dynamic IP Address. Referring to Article 2(a) and Recital 26 DPD, Mr. Breyer insisted that his dynamic IP address was his personal data because it made him identifiable.[37] For this reason, he claimed, it should not be processed without his consent, unless processing was 'required in order to restore the availability of the telemedium in the event of a fault occurring'.[38] Of course such an exception was not provided for under Article 15 TMG (the supposed national equivalent of Article 7{f} DPD).
That suggestion was sharply opposed by the Institutions. They argued that Mr. Breyer's dynamic IP address did not qualify as personal data. That was the case because the dynamic IP address did not make him identifiable. The logic behind their argument was that the Institutions were not in possession of the additional data which must be combined with Mr. Breyer's dynamic IP address in order to identify him. In essence, the Institutions were saying that the CJEU opinion in Scarlet[39] applied only to ISPs, and not to website owners; ISPs were in possession of the additional data needed in order to identify a data subject, website owners were not.[40]
Moreover, the Institutions argued further, Article 7(f) DPD allowed them to process a website user's dynamic IP address without his consent- if at all this could be deemed as personal data. The import of this second leg of the Institutions' argument was to call into question, the validity of the aforementioned national provision (Article 15 TMG) which put a cap on Article 7(f) of the DPD.
Due to the irreconcilable differences in opinion, Mr. Breyer brought an action before the German administrative courts. He sought an injunction restraining the institutions:
from storing or arranging for third parties to store, after consultation of the websites accessible to the public run by the German Federal institutions’ online media services, the IP address of the applicant’s host system except in so far as its storage is unnecessary (sic) in order to restore the availability of those media in the event of a fault occurring.[41]
That action was thrown out by the court of first instance. Upon appeal, the court of appeal held that the dynamic IP addresses in question were personal data only if Mr. Breyer had revealed his identity (by supplying additional data such as his name or email address) while consulting the websites.[42] Dissatisfied with this result, both parties made an appeal to the Bundesgerichtshof, which itself turned to the CJEU for answers to the following questions:
"(1) Must Article 2(a) of Directive 95/46 … be interpreted as meaning that an internet protocol address (IP address) which an [online media] service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?[43]
(2) Does Article 7(f) of [that directive] preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?"[44]

CJEU Answer to the First Question
Responding to the first question, the CJEU stated that information relating to both identified and identifiable natural persons are captured by the definition of personal data under Article 2(a) DPD.[45] This means that for information to qualify as personal data, it has to relate to either an identified or identifiable natural person. In the context of a dynamic IP address, the CJEU made it abundantly clear that 'such an address does not directly reveal the identity of the natural person who owns the computer from which a website was accessed, or that of another person who might use that computer.'[46] In other words, a dynamic IP address 'does not constitute information relating to an "identified natural person"'.[47]
Having made that exclusion, the place of a dynamic IP address was sought within the notion of an identifiable natural person:
[I]n order to determine whether … a dynamic IP address constitutes personal data within the meaning of Article 2(a) of Directive 96/45 in relation to an online media services provider, it must be ascertained whether such an IP address, registered by such a provider, may be treated as data relating to an "identifiable natural person".[48]
Upon a joint reading[49] of Article 2(a) and Recital 26 DPD, the CJEU was satisfied that a dynamic IP address (without other data) in the hands of website owners constituted information relating to an identifiable natural person, and therefore was personal data:
Having regard to all the foregoing considerations, the answer to the first question is that Article 2(a) of Directive 95/46 must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.[50]

CJEU Answer to the Second Question
With regard to the second question, the CJEU began by considering the exclusionary provision under the first indent of Article 3(2)[51] DPD. The purpose of this inquiry was to ascertain the applicability (or otherwise) of the DPD to the processing of personal data by the Institutions. Under the said provision, the DPD does not extend to the processing of personal data:
in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law.[52]
However, the CJEU was persuaded[53] that the Institutions each operated their websites in an individual capacity, irrespective of their legal status as public authorities. By so doing, the Institutions were brought within the remit of the DPD. Therefore, the above exclusionary provision was held not to apply to the instant case.
The applicability of the DPD having been established, the CJEU proceeded to examine more closely, the compatibility of the national provision (Paragraph 15 TMG) to Article 7(f) of the DPD. It held that Paragraph 15 TMG overly circumscribes the notion of the legitimate interests of a controller enshrined under Article 7(f) DPD. While Paragraph 15 TMG recognized only two conditions for processing of personal data without the consent of the data subject, Article 7(f) DPD contemplates a broader allowance:
In the present case, it appears that Paragraph 15 of the TMG, if it were interpreted in the strict manner mentioned in paragraph 55 of the present judgment, has a more restrictive scope than that of the principle laid down in Article 7(f) of Directive 95/46.[54]
Therefore Paragraph 15 TMG was declared to be inconsistent with Article 7(f) of the DPD as it failed to embrace a core principle in the field of EU data protection law, which is, striking a fair balance between the personal data privacy rights of natural persons and the need to ensure free flow of such data. Specifically, 'by excluding the possibility to balance the objective of ensuring the general operability of the online media against the interests or fundamental rights and freedoms of those users',[55] Paragraph 15 TMG came close only in its attempt to transpose the letters of Article 7(f) DPD, but not its spirit.
One of the considerations which lead to the above conclusion was that Article 5 DPD is not a stand-alone provision. It must be read in conjunction with Articles 1[56] and 7 thereof. So, in transposing the principles set forth in Article 7 DPD, the national legislature has to keep in mind that the liberty given to Member States under Article 5 DPD (to 'determine more precisely the conditions under which the processing of personal data is lawful'[57]) is not a carte blanche.[58] Rather, member states are to be guided by the principles set out in Chapter II of the DPD as well as "the objective pursued by that directive of maintaining a balance between the free movement of personal data and the protection of private life."[59]
Summing up, the CJEU declared that:
the answer to the second question is that Article 7(f) of Directive 95/46 must be interpreted as meaning that it precludes the legislation of a Member State under which an online media services provider may collect and use personal data relating to a user of those service, without his consent, only in so far as the collection and use of that information are necessary to facilitate and charge for the specific use of those services by that user, even though the objective aiming to ensure the general operability of those services may justify the use of those data after consultation of those websites.[60]

As far as the answer to the first question is concerned, the reasoning and conclusion of the CJEU is logical. A dynamic IP address might prima facie be an unintelligible sequence of numbers, but when combined with other data, it makes a website user to be identifiable. In so far as the Institutions could legally[61] have approached Mr. Breyer's ISP in order to collect his additional data, the risk of identification was not more apparent than real. And the fact that those additional data were in the possession of a third party (the ISP) should not matter, seeing this presented a prospect for an indirect identification for which Article 2(a) DPD provides. Recital 26 DPD lends credence to this reasoning since it expects a consideration of 'all the means likely reasonably to be used either by the controller [such as a website operator] or by any other person to identify the said person'.[62]
It must be conceded that the foregoing submission does not in any way discountenance the apprehension of those who argue, that such a wide interpretation of identifiability 'could turn out to be a pyrrhic victory',[63] due to its extensive ramifications for data protection law. Indeed it would be counterproductive to give a literal interpretation to Recital 26 DPD- so that every conceivable means (legal or illegal) of obtaining additional data is not ruled out. As such, that provision ought to be read and applied contextually. And as exemplified by the CJEU in this case, the 'means likely reasonably to be used' was pinned down to approaching a specified ISP through existing legal channels.[64]
The answer to the second question simply follows the same line of reasoning in the joined CJEU cases of ASNEF and FECEMD,[65] with the result that Member states still have to rely on guess work in the exercise of the discretion afforded them under Article 5 DPD. This is because the difference which the CJEU sought to draw between ‘mere clarification’ and ‘amending the scope’ of a principle under Article 7 DPD is nothing more than an exercise in semantics. For it is highly unlikely, that an acceptable clarification could be attained, without ‘amending the scope’ of a notion (of legitimate interests) which is lacking in scope. But this approach is understandable in the light of the need for a uniform interpretation of EU law in all member states.
As there can be no definite answer from the CJEU on the actual scope of the notion of legitimate interests, it would seem that its boundaries are without limits. If that were the case, then national courts might have to turn to Luxembourg whenever a question touching on Article 7(f) resurfaces in proceedings before them. Another implication is that controllers could exploit the decision as a license to unilaterally process dynamic IP addresses, without the consent of website users. For sure, it does not require rocket science to put the tag of legitimate interests on such processing operation. Informed consent could therefore be easily discarded under the cloak of an open ended principle known as legitimate interests.
That being said, it is important to look at the decision with the lens of public policy. In the wake of the recent surge in cyber attacks,[66] the CJEU answer to the second question could not have been timelier. It provides a guarantee that so called hactivists and their ilk could be identified and, where feasible, brought to book. If nothing, this represents a legitimate interest for website owners. It is also in the interest of society as a whole because some critical infrastructures rely in part on the proper functioning of electronic communication systems.
In all, legal persons (both in the private and public sectors) operating a website in their individual capacity within the EU are bound to comply with the judgment. Prior to performing ‘post-consultation period’ processing operation on the dynamic IP addresses of the devices used by visitors to access their websites, they must obtain the consent of such visitors. That will not be the case if they could show that such processing is for purposes of the legitimate interests pursued by them.

[1] Personal data shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
[2] See for example a summary on the conflicting decisions by two French Courts of Appeal in: European Commission, Directorate-General for Communication Networks, Content and Technology, "Study of case law on circumstances in which IP addresses are considered personal data" (Final report, 2011) 101-105  available at <http://www.timelex.eu/frontend/files/userfiles/files/publications/2011/IP_addresses_report_-_Final.pdf> accessed 7 November 2016.
[3] Your Dictionary, <www.yourdictionary.com/cyberage> accessed 7 November 2016.
[4] Spindler G, Schmechel P, ‘Personal Data and Encryption in the European General Data Protection Regulation’, 7 (2016) JIPITEC 163 para 2.  Available at <http://www.jipitec.eu/issues/jipitec-7-2-2016/4440/spindler_schmechel_gdpr_encryption_jipitec_7_2_2016_163.pdf>  (Spindler, Schmechel)  accessed 8 November 2016.
[5] 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law. DPD, Art 2(d).
[6] DPD, Art 7(b) - (f).
[7] 'Processing' is "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." DPD, Art 2(b).
[8] Keppeler L, Computer und Recht ( 2016), p 360 (364).
[9] DPD, Art 1(2).
[10] DPD, Art 7(f).
[11] Case C-582/14 – Patrick Breyer v Bundesrepublik Deutschland (Judgment of 19 October 2016. ECLI:EU:C:2016:779) (Breyer).
[12] ibid paras 14-16; Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland, Opinion of Advocate General Campos Sánchez-Bordona (Delivered 12 May 2016), points 1-4. Both the CJEU and the Advocate General began with the technical details surrounding a dynamic IP address. 
[13] Such as  the random number here used only for illustration:
[14] Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland, Opinion of Advocate General Campos Sánchez-Bordona (Delivered 12 May 2016. ECLI:EU:C:2016:339) (AG Opinion), point 2.
[15] IP Location, 'What is the difference between a static and dynamic IP address?' <https://www.iplocation.net/static-vs-dynamic-ip-address> accessed 14 November 2016.
[16] Breyer (n 12) para 16.                                                                                                                                                                                                   
[17] AG Opinion (n 15) point 4.
[18] Library of Congress, 'Online Privacy Law: Germany', para 23, available at <https://www.loc.gov/law/help/online-privacy-law/germany.php#_ftn52> (Library of Congress) accessed 17 November 2016 (footnote omitted).
[19] Case C-70/10 (ECJ, 24 November 2011), (Scarlet) para 51.
[20] AG Opinion (n 15) point 53.
[21] Spindler, Schmechel (n 5) para 14 (footnote omitted).
[22] Breyer (n 12) para 25.                                                                                                    
[23] DPD (Preamble), Recital 26.
[24] Spindler, Schmechel (n 5), para 12 (footnote omitted).
[25] AG Opinion (n 15) point 52.
[26] Breyer (n 12).
[27]  'The German Government argues that it is not necessary to address the second question, raised only in the event that the first question should be answered in the affirmative, which is not the case in its view, for the above reasons.' AG Opinion (n 15), point 40.
[28] Breyer (n 12) para 57.
[29] Supra (n 11).
[30] DPD, Art 7(f)
[31] 'The German Federal Data Protection Act has separate provisions for data processing in the public and private sectors. In addition, Germany has special privacy provisions for electronic information and communication services (telemedia) and yet another set of privacy rules for the providers of services that transmit electronic signals. All these laws apply to some extent to the providers of online services. Through these laws Germany transposed European Union (EU) Directives 95/46 and 2002/58, albeit in a very complex and differentiated manner. Some German experts find that this complexity interferes with the requirement of transparency in that it keeps consumers from being aware of their rights and from exercising them.' Library of Congress (n 19) para 1.
[32] Telemediengesetz (TMG), Feb. 26, 2007, BUNDESGESETZBLATT [BGBL.] I at 179, available at <http://www.gesetze-im-internet.de/tmg/index.html> accessed 17 November 2016.
[33] AG Opinion (n 15), point 95.
[34] TMG, Art 15 (emphasis added).
[35] Breyer (n 12) para 14.
[36] ibid.
[37] AG Opinion (n 15), point 54.
[38] AG Opinion (n 15), point 24.
[39] Scarlet (n 20).
[40] AG Opinion (n 15), points 33-35.
[41] Breyer (n 12), para 17.
[42] Breyer (n 12) para 19-20.
[43]  Breyer (12), para 29.
[44] Breyer (12), para 30.
[45] Breyer (n 12), para 32.
[46] Breyer (n 12), para 38.
[47] ibid.
[48] Breyer (n 12), para 39.
[49] Breyer (12), para 40, 42.
[50]  Breyer (12), para 49.
[51] DPD, Art 3(2) First Indent.
[52] ibid.
[53] 'Subject to verifications to be made by the referring court': Breyer (n 12), para 53.
[54] Breyer (n 12), para 59.
[55] Breyer (n 12), para 63.
[56] See DPD, Art 1 on the Objectives of the DPD.
[57] DPD, Art 5.
[58] Breyer (n 12), para 58.
[59] ibid.
[60]   Breyer (12), para .
[61] Through the competent public authority. See Breyer (n 12), para 47.
[62] DPD, Art 26.
[63] Spindler, Schmechel (n 5), para 31.
[64]  Breyer (n 12), para 48.
[65] Joined cases C‑468/10 and C‑469/10 (Judgment of 24 November 2011. EU:C:2011:777) paras 30-40, 47-48. cf Breyer (n 12), paras 57, 58, 62.
[66]In December three Ukrainian regional power firms experienced short-term blackouts as a result of malicious software in their networks. Experts have described the incident as the first known power outage caused by a cyber attack.’ Available at <http://euractiv.com/section/Europe-s-east/news/Ukraine-says-russian-cyber-attacks-targeted-its-main-airport/> accessed 24 November 2016; 'Last month, German Chancellor Angela Merkel said she could not rule out Russia interfering in Germany’s 2017 election through internet attacks and misinformation campaigns.'
Available at <https://www.euractiv.com/section/global-europe/news/german-spy-agency-warns-of-rise-in-russian-propaganda-and-cyber-attacks/> accessed 24 November 2016;  'Estonia has acted to shore up its cyber security after attacks that shut down private and government websites in 2007, which Estonia blamed on Russia.'

Δεν υπάρχουν σχόλια:

Δημοσίευση σχολίου