cypherpunks-legacy
Threads by month
- ----- 2025 -----
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2003 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2002 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2001 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2000 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1999 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1998 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1997 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1996 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1995 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1994 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1993 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1992 -----
- December
- November
- October
- September
July 2018
- 1371 participants
- 9656 discussions
My guess is that HMAC is not vulnerable. The basic structure of HMAC is
Hash (key1 || Hash(key2 || Msg))
The attacker does not know the key(s) and is allowed to request MACs
on chosen messages; then he must produce a valid MAC on a new message.
The initial paper from Wang eg al announcing the results is unusual in
that it merely exhibits the collisions, while providing no information
whatsoever about how they were obtained. They are simply presented as
a fait accompli, astonishing in their very existence. It reminds me
of the story of how Cole demonstrated that the 67th Mersenne number was
nonprime, by silently walking to the backboard and patiently working out
the value of 2^67 - 1, and then the product of its two factors, by hand.
The nature of the exhibited hash collisions is that they are values which
differ in only a very few bits: 6 bits out of 1024 for the MD5 collisions;
4 bits out of 512 for the MD4. Obviously it's not the case that for
most strings, you can toggle these 4 or 6 bits and produce a collision!
Instead, the authors must have some technique to create very special
strings which allow the changes made by these few bits to cancel each
other out.
If the attacker could find two messages such that there was an inner hash
collision, Hash(key2 || Msg1) == Hash(key2 || Msg2), he could break
HMAC. He'd get a MAC on Msg1 and then he could use that same MAC on Msg2.
But it seems impossible to find a collision like this without knowing
key2. These hash functions are highly nonlinear and the choice of Msg1
and Msg2 would be completely dependent on key2. Change 1 bit of key2
and half the bits of Msg1 and Msg2 would very probably have to change.
If the attacker knew key2, it sounds like the new attacks would likely
work to find an inner collision. But without knowing that, there would
be no way to choose Msg1 and Msg2.
Given the special form of the colliding values, it appears that the
new technique does not solve hash inversion, or finding collisions
with arbitrary bit differentials. The one possibility that I could
imagine for a threat to HMAC is their comment that the attack on MD4
(for which collisions were already known) is so easy that it can be done
by hand calculation. Maybe that would suggest that given the proper
differentials, a non-negligible fraction of randomly chosen values would
collide. Then conceivably you could get lucky and find a collision
without even knowing key2. But that seems like a very remote possibility.
Hal Finney
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo(a)metzdowd.com
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
1
0
[p2p-hackers] good-bye, Mnet, and good luck. I'm going commercial! plus my last design doc
by Zooko O'Whielacronx 06 Jul '18
by Zooko O'Whielacronx 06 Jul '18
06 Jul '18
contents of this message: "good-bye, Mnet", "The Fully Connected
Topology", "Rate-Limited Structured Flood", "A Nice Slow Network", "Did
you say 'BROADCAST SEARCH'?" "Persistent Tit-for-Tat == Bilateral
Accounting"
Dear mnet-devel and p2p-hackers:
I am about to accept an exciting job that will preclude me from
contributing to open source projects in the distributed file-system
space.
I will miss the Mnet project! Good luck without me!
I'm writing the following as a record of the most advanced design that
I have thought of for Mnet. (See Acknowledgements section below.)
Most or all of the design written below has previously been published
in different web pages, e-mail messages, and IRC transcripts, and a
brief presentation I made at Privacy Enhancing Technologies Workshop
2004.
The design described below is almost but not quite what is currently
implemented, by myself and others, in Mnet v0.7, available at [1].
*** Design of Mnet v0.7+:
I. Network connectivity -- the Fully Connected Topology
I.A. Local peer database. Each node remembers the nodeId of for each
node that it has ever heard of or received a message from. There is a
maximum number of nodeIds, in deference to memory and computation costs
(your local memory and your local computation). I don't know what that
maximum number should be. If you have more than the maximum number of
nodeIds in your database, you can flush some of the
least-recently-alive ones.
I.B. Exponential Backoff. With every peer in your db is stored a
"deadness level". When the deadness level is equal to 0, that means
that the most recent thing that happened is that you receive a message
from that peer -- whether it was a reponse to a request of yours or if
it were a request from him to you. We say that the peers with deadness
level 0 are "the live peers". If a peer has deadness level 1, then
that means that the most recent time that you sent a request to that
peer, he didn't write back. Now, whenever you want to choose from a
set of peers in order to send a request to one of them, the set you
choose from is all of the deadness level 0 peers, plus with 50%
probability all of the deadness level 1 peers, plus with 25%
probability all of the deadness level 2 peers, and so on. Deadness
level 2 means that the peer was in deadness level 1, and you chose to
query him (with 50% probability), and he didn't write back again.
I.C. Lookup of Peer Contact Info. When you want to find the current
contact info (i.e. current IP address+port number, or current Relay
Server) for a peer, you send a query to a certain number of other peers
(called "MetaTrackers" when they are serving this purpose) -- a "lookup
contact info" query. How many peers? Approximately log(N) where N is
the number of peers in your local peer database. Which peers? You use
the Chord distribution -- you query the peer closest to your target,
the one closest to the point halfway around the circle from your
target, the one closest to the point a quarter of the way around the
circle, and cetera.
Obviously, you need to publish your current contact info to *your*
MetaTrackers whenever you join the network or whenever your contact
info changes. Your MetaTrackers are the peer in your db which is
closest to you, the peer in your db which is closest to the point
halfway around the circle, etc.
I.D. Discovery of New Peers. Rate-Limited Structured Flood. Every 60
minutes, you send an update to each of your MetaTrackers. That update
contains the list of the peerIds of every new peer. A "new peer" for
this purpose is defined as follows: you've never before announced this
peer to MetaTrackers, and this peer currently has deadness level 0 in
your local db. If the complete (compressed) message containing the
information about the new peers would exceed 256 KB, then select a
random subset of the new peers to announce in this announcement so that
the message doesn't exceed 256 KB. This is a rate-limited structured
flood. The flooding nature of it means that eventually you will find
out about the arrival of every new peer. The structured nature of it
means that it will take only log(N) time intervals before you find out,
and you will receive only (;-)) log(N) separate notifications of the
arrival of a new peer. (And you will send log(N) separate
announcements of new peers -- one announcement to each of your
MetaTrackers.) The rate-limited nature of it means that if new peers
are arriving so fast that these notifications would take more than
log(N)*256 KB per hour bandwidth, that instead they take up only
log(N)*256 KB per hour and it takes longer for you to find out about
the arrival of every new peer.
I.E. Relay. You choose some peer which you can make a TCP connection
to and appoint it to be your RelayServer. How you choose it, and
dynamically update your choice, is complicated -- see the
implementation in RelayClient.py. Whenever someone wants to send a
message to you and they find it impossible to open a TCP connection to
you (which is all the time when you are behind a NAT or firewall that
prevents incoming TCP connections) then they send the message to your
RelayServer instead. See also [2, 3, 4].
II. Filesystem.
II.A. Encoding of a file. This is already described fully and
succinctly in [5]. Here is a capsule summary: 1. Erasure code the
file, 2. Encrypt the blocks, 3. Put the list of the Ids of the
encrypted blocks into a new file named the inode, 4. Encrypt the
inode, 5. The Id of the inode, combined with the secret key used for
encryption are the mnetURI of the file.
II.B. Push each block to the BlockServer which has an nodeId closest
to the blockId (in the Chord metric).
II.C. In order to download a file, given its mnetURI, you first have
to download the inode, and then you have to download a sufficient
number of the erasure coded blocks. For each block that you want to
download, you query the BlockServer whose Id is closest to that block's
Id. If he doesn't have it, then you ask the BlockServer whose Id is
the next-closest. Etc. If the file is not actually reconstructable at
all because there are not enough blocks present at all on the network,
then this search algorithm devolves to a broadcast search.
This concludes the basic description of the design of Mnet v0.7+.
There are other aspects of the design that are not included here,
including a metadata search facility invented by Myers Carpenter. In
addition, there are many specifics or added features in the core
network+filestore that are excluded from this description for brevity.
*** Discussion:
III. A Nice Slow Network. The deliberate pace of announcement of new
peers is a feature, not a bug. For starters it is convenient to
implement, because for various reasons it is easier to efficiently
manage 256 KB every hour than 72 bytes every second even though they
amount to the same bandwidth over the long term.
However, beyond it being convenient, it is also useful for
discriminating among our peers, because we don't want to start using
new peers until they've been around for a while anyway. Fresh peers
are more likely to disappear than older ones. In earlier versions of
this system, we heard about new peers more quickly, and then we had to
add logic to avoid using them until time had passed.
However, beyond it being convenient and useful, it is also desirable to
me, because I wanted Mnet to be more amenable to deliberate and
long-term use than to urgent and impulsive use. Brad Templeton argued
to me in the year 2002 that if a distributed filesystem were primarily
for acquiring novelty videos, pop songs, and porn, then instant
gratification would be important, but if it were primarily for
acquiring classic works of literature, political and historical
documents, or backup copies of your own data, then instant
gratification isn't so important. His argument made an impression on
me.
IV. Scalability Issues and other problems.
IV.A. Size of the local Peer DB. One limitation on scale is the size
of the local peer db. For a modernish desktop machine, the local peer
db could probably be on the order of 2^20 entries with no noticeable
problem. The limit could probably be made much higher by optimizing
the db. The current db is trivial -- it consists of a Python dict in
memory which gets serialized by Python pickle and then written to a
file every hour or so.
IV.A.i. In practice, almost all peers which fall into high deadness
levels will never revive. If you purge a peer from your local db and
then that peer does revive and reconnect to the network, and if he
sends you a request, then you will re-add him to your db just as if he
were a brand new peer. So if your local peer db is too big, you could
purge peers, starting with the most dead ones.
IV.B. Announcement of New Peers. Each newly arrived peer will be
announced to each current peer. If the rate of arrivals of new peers
is sufficiently small, then it will take log(N) time intervals for all
peers to learn about the new peer. My estimate is that "sufficiently
small" is about 2000 new peers per hour, with the current
implementation. It could doubled or quadrupled by better compression
of the announcement messages. If the rate of arrival of new peers
exceeds this, then the time before all peers have heard about the new
peer increases proportionally to the rate.
IV.C. Block store churn. There is currently no way for a block server
to indicate that its store of blocks is full and that it refuses to
accept new blocks being pushed into it, so you should give them to
someone else. Absent this "back pressure", the stores of nodes with
small storage capacity are likely to get flushed out by new
publications even while the stores of nodes with large capacity are
underutilized. This inefficient distribution reduces the half-life of
files by some unknown constant.
IV.D. Did you say "BROADCAST SEARCH"? Well, consider what would
happen if you stopped searching for a block after your first query.
Then we would similar likelihood of finding a block as in e.g. the
Chord File System, with minimal message complexity -- a single query.
The problem is that maybe the block isn't on that node but is on a
nearby node (either because that node joined the network after the
block was published, or because the publisher of the block wasn't yet
aware of that node when he published the block). This problem can be
solved in one of three ways:
1. When a new node arrives, it requests copies of all of the relevant
blocks from the node(s) that it shadows. This is a bad idea for this
system.
2. As nodes arrive and leave, they keep track of which other nodes
they shadow, then they forward requests which might be satisfied by
other nodes. Interesting possibility, but I couldn't figure out how to
do it in a way that wouldn't be very complicated and still end up
falling in the worst case to the third approach:
3. When a downloader doesn't find the desired block on the server
closest to the blockId, it chooses whether to broaden the search and
query other servers that are further from the blockId.
The interesting thing about 3 is that the decision about how broad to
make the search is made by the agent who has the most information about
its importance (such as whether other erasure coded blocks have been
found that can replace the missing block, or whether the user considers
downloading this file important enough to impose additional burden on
the network). This same agent that has the most information is also
the one that has the incentive to want the download to succeed, so it
is this agent who should choose whether or not to impose the additional
burden on the network of a broader search. See also section V --
"Persistent Tit-for-Tat == Bilateral Accounting".
V. Persistent Tit-for-Tat == Bilateral Accounting. Mnet v0.7+ lacks
something -- an incentive mechanism to limit excessive costs imposed on
the network and simultaneously to motivate users to contribute
resources to the network. I was always deeply impressed with the
simplicity and robustness of Bram Cohen's "Tit-for-tat" incentive
mechanism for BitTorrent. Suppose we wanted a similar "tit-for-tat"
mechanism for Mnet v0.7++, but we wanted the peer relationships to
extend through time and across multiple files and multiple user
operations. Then we would probably invent a bilateral accounting
scheme for each node to keep track of how much goodness each of its
peers has done for it, and to reward helpful peers. This would then
turn out to be more or less identical to the "bilateral accounting"
scheme that was originally invented by Jim McCoy and Doug Barnes in
Mojo Nation [footnote *].
*** Acknowledgements
I know that I am doomed before I start to accidentally exclude
important and deserving people from this section. Sorry. This is in
roughly chronological order of their earliest contributions to this
design, as far as I can remember.
Obviously this design owes a great debt to the original designers of
its direct ancestor Mojo Nation: Jim McCoy and Doug Barnes, as well as
to the Evil Geniuses -- especially Greg Smith, Bram Cohen, and Drue
Lowenstern. Also: Raph Levien, Sergei Osokine, the Freenet folks --
Ian Clarke, Oskar Sandberg, and Adam Langley among others -- Justin
Chapweske of Swarmcast, Brandon Wiley, Martin Peck, the Chord folks,
the Pastry folks, the CAN ("Content-Addressable Network") folks, the
OceanStore folks, The Mnet Hackers [7] -- Hauke Johannknecht, Jukka
Santala, Myers Carpenter, Oscar Haegar, Arno Waschk, Luke Nelson --
Mark S. Miller, Bram Cohen again (and Drue Lowenstern again) with
BitTorrent, the Kademlia folks, numerous contributors to the
p2p-hackers mailing list and the #p2p-hackers IRC channel. Like I said
-- sorry about those omissions.
[footnote *] Once upon a time there was digital cash, as pioneered by
David Chaum. When Jim McCoy and Doug Barnes invented Mojo Nation, they
used digital cash, and added bilateral accounting so that a pair of
peers wouldn't require a transaction with a central token server in
order to incentivize each other. The first three employees they hired
to implement Mojo Nation in 1999 were Greg Smith, Bram Cohen, and
myself. (Greg might have started in 1998 -- I'm not sure.) Several of
the ideas in BitTorrent -- which Bram started writing in 2001 -- can be
understood as radical simplifications of ideas in Mojo Nation. One
such perspective is to think of BitTorrent's tit-for-tat incentives as
being time-limited, file-specific, and non-transferrable bilateral
accounting. This is not condemnation of BitTorrent's ideas, but praise
of them -- they demonstrate the virtue of radical simplification.
[1] http://mnetproject.org/
[2] http://mnetproject.org/repos/mnet/doc/network_overview.html
[3] http://mnetproject.org/repos/mnet/doc/EGTPv1_Architecture.txt
[4] http://mnetproject.org/repos/mnet/doc/messages_overview.html
[5] http://mnetproject.org/repos/mnet/doc/new_filesystem.html
[6] http://mnetproject.org/repos/mnet/CREDITS
_______________________________________________
p2p-hackers mailing list
p2p-hackers(a)zgp.org
http://zgp.org/mailman/listinfo/p2p-hackers
_______________________________________________
Here is a web page listing P2P Conferences:
http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
[demime 1.01d removed an attachment of type application/pgp-signature]
1
0
Hello all,
I wanted to let the Tor community know about a little side project of
mine, a .onion address generator.
Basically, all that it does is generate RSA key-pairs, determine the
associated onion address (as for a hidden service) and attempts to
match it to a provided regular expression. If there is a match, the
program exports the key to a directory in a ready-made format for use
as a hidden service directory. If there is not a match, the entropy
doesn't have to be wasted; the generated keys can be logged to a file
(933 bytes per onion). This file can then be read back in by the
program to test against other regular expressions.
The program is also setup to take advantage of multi-core machines for
the creation of RSA keys, though a there is a synchronous bottleneck
that I'm looking at removing in the near future to get a much better
speedup. Also, as I'll note later, this implementation is on top of
Mono. Thus, implementations with managed crypto stacks are slower than
those with native crypto stacks (.NET on Windows).
There are no shortcuts taken here in the address generation; if there
were any, then the security of hidden services in general would be
suspect. Only pure brute-force is used. Hence its utility is limited,
but if you wanted a hidden service that had, say "wiki" in the onion
address, this would help you get there (eventually). It does have
another application; if your entropy sink is just too darn random, the
onion generator will help you burn that excess digital entropy into
heat energy.
The onion generator is one part (and currently the only part) of a
greater project I'm calling PurpleOnion, short for Purple Onion
Router, mainly as I'm partial to the color. I started off by writing
the onion generator and found that I'd written a couple of reusable
components that, with some work, could be used in a greater exercise
to write another implementation of the Tor Onion Router.
PurpleOnion is written on the Mono framework in C# using MonoDevelop,
requires Mono 2.0 to compile, and is licensed under the MIT/X11
license. I've also tested the compiled binary copied into a Windows
environment (with Mono.Security available). The program runs great on
Windows, and I added some exception handling to allow the compiled
binary to JIT properly even without OS Posix support.
The project is being hosted on github at:
http://github.com/neoeinstein/purpleonion
The repository is still a little bit dirty as I work on figuring out
namespacing, so the Makefile is out of service. You can compile using
MonoDevelop, but if you have gmcs, the following command in the
repository root should get you a properly built generator:
# gmcs -t:exe -o:build/Por.OnionGenerator.exe \
-r:System -r:System.Core -r:Mono.Security \
-r:Mono.Posix src/Por.OnionGenerator/*.cs
# mono Por.OnionGenerator.exe --help
I'd love to hear comments, both on the .onion address generator in
specific and the possibility of a compliant onion router on a managed
runtime,
--
Marcus Griep
bb
NN:N1N:N9N1 WW*.ON?B4, 3B0
(Excuse the double post if it occurred; I first sent this from an
un-subscribed address)
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
1
0
Re: <nettime> FW: [IP] WikiLeaks sold classified intel, claims website's co-founder
by John Young 06 Jul '18
by John Young 06 Jul '18
06 Jul '18
At 10:49 AM 12/7/2010 +1100, you wrote:
>> Do you have a pointer to this stuff?
The early private Wikileaks email messages, leaked:
http://cryptome.org/wikileaks/wikileaks-leak.htm
http://cryptome.org/wikileaks/wikileaks-leak2.htm
The goal to raise $5M in a half-year is in the first URL,
near the bottom, 7 Jan 2007.
Lately, that goal appears realistic -- Julian claims over
$1m donated in the few months after the gun ship video
and war logs release -- and thanks to inducing the MSM
to launder WL's rising profits through its approved channels
for selling leaked classified information after checking
with officials about what will keep the mutually beneficial
leaks flowing.
Nobody comes close to profiting as much by selling
leaks like governments and other authoritatives. Leaks
were invented for that purpose, insider spin, press
offices obligatory, research grants, conferences,
tete a tetes, hot sheets, lost laptops, Lady Gaga CD
burnings.
There will be stings to entrap extortionists. Bank of
America hard disks. Swedish honeys. Rats inside
and outside WL.
On Ted's point about Cryptome: it is a library of sorts
not a hot sheet. 90 per cent of its traffic is for archived
material. Totally untrustworthy. Damaging to seekers
of authoritativeness. Not worth a centavo. Don't go
there. Fuck off. Fuck yourself. Fuck me. Fuck WL.
Fuck this.
# distributed via <nettime>: no commercial use without permission
# <nettime> is a moderated mailing list for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: http://mail.kein.org/mailman/listinfo/nettime-l
# archive: http://www.nettime.org contact: nettime(a)kein.org
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
1
0
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 9.7, 7 April 2011
============================================================
Contents
============================================================
1. Czech Constitutional Court rejects data retention legislation
2. EDRi responds to IPR Enforcement consultation
3. EDPS criticizes the EU PNR scheme
4. Ten Internet Rights & Principles for Human Rights and Social Justice
5. Judicial Review of the Digital Economy Act
6. German Internet blocking law to be withdrawn
7. 80 NGOs ask CoE to investigate government collection of biometrics
8. RFID Privacy Impact Assessment Framework formally adopted
9. Website blocking and suspension discussions in the UK
10. Big Brother Awards Germany 2011
11. Privatised online enforcement series: B. Is "self-regulation" worse than
useless?
12. ENDitorial Data Retention: Is the EC trying to dig itself out of a hole?
13. Recommended Action
14. Recommended Reading
15. Agenda
16. About
============================================================
1. Czech Constitutional Court rejects data retention legislation
============================================================
The Czech Constitutional Court declared national data retention legislation
unconstitutional on 31 March 2011. This is part of the Electronic
Communications Act and its implementing legislation according to which
records of e-mails, phone calls, and SMS as well as websites accesses of
every citizen should be retained by telecommunications companies for a time
period of six months, as an implementation of the Data Retention Directive.
This court decision followed previous decisions of the constitutional courts
of Germany and Romania.
The complaint filed with the Constitutional Court was prepared by activists
from EDRi-member Czech civic rights organisation Iuridicum Remedium and 51
MPs from the Civic Democratic Party (ODS) and the Green Party (SZ) who
signed it in March 2010.
The Constitutional Court decision criticizes the Czech transposition of the
Data Retention Directive. The Czech legislation requires the retaining of a
larger number of data than the directive demands, where the use of data is
not limited to investigating terrorism and serious organised crime. There
was a lack of the principle of subsidiarity in the legislation related to
eavesdropping, although these data are equally sensitive. This has led to a
large number of requests for such data by the police. The national
legislation lacked, according to the constitutional court, clear and
detailed rules for the protection of personal data as well as the obligation
to inform the person whose data has been requested.
The court said that EU law was not part of the constitution of the Czech
Republic and that the directive could therefore not be reviewed by the
Constitutional Court. According to the court decision, the content of the
Data Retention Directive gives the Czech Republic sufficient space for
its constitutionally conformal transposition. However, the Constitutional
Court has doubts about the necessity and proportionality of the data
retention principle in the obiter dictum paragraphs (p. 55-57). The court
doubted whether the blanket monitoring of the communications of all citizens
in terms of intensity of intervention into the private sphere is necessary
and appropriate. The court also doubted the effectiveness of the use of the
retained data in combating crime, particularly with reference to the
possibility of anonymising communications. The police statistics show that
despite a significant increase in the number of requests for traffic and
location data, this did not translate into a proportional number of
committed and solved crimes.
The Constitutional Court also regards certain provisions of the
Criminal Act concerning the use of such data by authorities engaged in
criminal proceeding as highly questionable and it called on MPs to consider
its modification. According to the Court, it will be necessary to consider
each individual case in which data have already been requested in order to
be used in criminal proceedings, with respect to the principle of
proportionality regarding privacy rights infringement.
Text of the complaint (only in Czech)
http://www.slidilove.cz/content/plne-zneni-stiznosti-us-kvuli-ceskemu-data-…
Text of the court decision (only in Czech) - to be translated in English in
the next 2 weeks
http://www.concourt.cz/clanek/GetFile?id=5075
Constitutional Court: Spying on Communication Declared Unconstitutional
(31.03.2011)
http://www.slidilove.cz/en/english/constitutional-court-spying-communicatio…
Constitutional Court invalidates telecommunications data retention
law (1.04.2011)
http://www.radio.cz/en/section/curraffrs/constitutional-court-invalidates-t…
Czech Republic: Constitutional Court Overturns Parts of Data Retention Law
(01.04.2011)
http://www.loc.gov/lawweb/servlet/lloc_news?disp3_2601_text
(Contribution by Jan Voboril - EDRi-member IuRe - Czech Republic)
============================================================
2. EDRi responds to IPR Enforcement consultation
============================================================
European Digital Rights has submitted on 31 March 2011 its response to the
European Commission's consultation on the implementation of the IPR
Enforcement Directive.
The response examines the claims made by the Commission, the evidence (or
lack thereof) for its assumptions and the lessons that it draws and fails to
draw from the experience of European citizens with the implementation of the
Directive. The first section of the response deals with the overall approach
of the Commission and its reaction to what it calls "ubiquitous"
unauthorised filesharing online. EDRi questions whether many of the
assumptions regarding the "cost" of such filesharing are correct,
particularly with a growing body of research indicating that the impact is
either zero or close to zero.
This leads on to a more fundamental question of the legitimacy of current
copyright legislation. If breaches really are "ubiquitous," is a response
which is mainly or wholly based on repression either proportionate or
effective? With equally ubiquitous problems concerning the cost, the format
and the availability of audiovisual material, would it not be better to
properly service the market rather enforce respect for a broken market?
With regard to criminal law and unauthorised access to audiovisual content,
EDRi argues that the Commission's current approach of treating
"counterfeiting and piracy" as one phenomenon, as if the causes and
solutions for counterfeit medication are the same as for private music
downloading, is simply wrong. Indeed, worst than that, treating both as the
same can only result in either counterfeit drugs being subject to unduly
weak countermeasures or unauthorised access to audiovisual material being
treated disproportionally harshly.
The response pays particular attention to the vague and dangerous assertion
that the fundamental right to privacy can somehow be re-balanced against the
right, included in the Charter of Fundamental Rights, to property. The
response points out that a balance between rights can never be done in the
abstract, rendering the whole approach by the Commission meaningless. It
goes on to point to the UNESCO Convention on Protection and Promotion of the
Diversity of Cultural Expressions (which the EU collectively and almost all
Member States individually have signed up to), which, in article 2, explains
that cultural diversity can be protected and promoted only if human rights
and fundamental freedoms, such as freedom of expression, information and
communication, as well as the ability of individuals to choose cultural
expressions, are guaranteed."
In its report, the Commission also subtly mentions that "it could be useful
to clarify that injunctions should not depend on the liability of the
intermediary". What this means in practice is that courts could ignore the
provisions of the E-Commerce Directive on "mere conduit" (regarding access
to illegal material) and on the imposition of a "general obligation to
monitor". The Commission's view - and the view that it has given to the
European Court of Justice in the Scarlet/Sabam case - is that national
courts may (and should) impose monitoring, blocking and filtering
obligations on Internet service providers and that the E-Commerce Directive
should not prevent them from doing this. The Commission's analysis fails to
acknowledge, let alone address, how this would be compatible with the
European Charter of Fundamental Rights - the same Charter that it so eagerly
uses to defend the weakening of the fundamental right to privacy.
The EDRi response concludes by listing a set of issues to be addressed in
any impact assessment used to justify a re-opening and extension of the IPR
Enforcement Directive.
EDRi response to IPRED Consultation (31.03.2011)
http://www.edri.org/files/edri_ipred_110331.pdf
Report on the enforcement of intellectual property rights (COM(2010) 779)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52010DC0779:EN:…
Analysis of the application of Directive 2004/48/EC on the enforcement of
intellectual property rights in the Member States (SEC(2010) 1589)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=SEC:2010:1589:FIN:EN:…
(Contribution by Joe McNamee - EDRi)
============================================================
3. EDPS criticizes the EU PNR scheme
============================================================
Peter Hustinx, the European Data Protection Supervisor (EDPS) issued on 25
March 2011 his opinion on the European Commission's proposal to oblige
airline carriers to provide EU Member States with personal data (PNR) on
passengers entering or leaving the EU space, with the declared purpose to
fight serious crime and terrorism.
On 2 February 2011, the European Commission made a new proposal for a PNR
Directive, to extend the passenger-tracking systems already in use in the UK
and US to all flights to and from the EU. PNR data may include personal
information such as home addresses, email addresses, mobile phone numbers,
frequent flyer information, and even credit card information.
In the EDPS' opinion, although the new proposal is an improved version as
compared to the previous document released in 2007, particularly due to the
addition of data protection safeguards, the restriction of the proposal's
scope and the conditions for PNR data processing under EU data protection
law, it is still unjustified.
The EDPS draws attention to the fact that the Proposal does not meet
"the essential prerequisite to any development of a PNR scheme - i.e.
compliance with necessity and proportionality principles".
The EDPS emphasizes that the need to collect or store massive amounts of
personal data must be substantiated by a clear demonstration of the
relationship between use and result (necessity principle). Hustinx believes
the proposal and the accompanying Impact Assessment fail to demonstrate the
necessity and the proportionality of a large collection of PNR data for the
purpose of the systematic assessment of all passengers.
The EDPS raises concerns related to the use of PNR data "in a systematic
and indiscriminate way" and believes that the only measure compliant with
data protection requirements would be the use of PNR data on cases when
there is a serious threat established by concrete indicators on a
case-by-case basis.
Hustinx makes a series of recommendations, among which a further limitation
of the proposal's scope that would exclude minor crimes and the possibility
for Member States to extend its reach. He also questions the
inclusion of serious crimes which have no relation to terrorism.
One recommendation is the limitation of the data retention period to 30
days, except for cases which require further investigation. The data
should be retained in an identifiable form.
The EDPS recommends a higher standard of safeguards, especially in relation
to the data subjects' rights and transfers to third countries.
While welcoming the fact that sensitive data were not included in the list
of data to be collected, the EDPS still considers the list to be too
extensive and recommends its further reduction in agreement with
the recommendations of the Article 29 Working Party and the EDPS.
Hustinx says that an assessment of the EU PNR system "should be based on
comprehensive data, including the number of persons effectively convicted -
and not only prosecuted - on the basis of the processing of their data." He
also recommends the assessment of the system "in a broader perspective
including the ongoing general evaluation of all EU instruments in the field
of information exchange management launched by the Commission in January
2010. In particular, the results of the current work on the European
Information Exchange Model expected for 2012 should be taken into
consideration in the assessment of the need for an EU PNR scheme."
Meanwhile, the UK Home Office has expressed concern over the delay of the
draft PNR Directive and has shown its support for the extension of any
passenger-tracking system to flights between EU countries as well as those
outside EU territory. The House of Lords has recently urged the
Government to opt in to the proposal, ensuring its change to include all
international flights.
EU Passenger Name Record: proposed system fails to meet necessity
requirement, says EDPS (28.03.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/…
Opinion of the European Data Protection Supervisor on the Proposal for a
Directive of the European Parliament and of the Council on the use of
Passenger Name Record data for the prevention, detection, investigation and
prosecution of terrorist offences and serious crime (25.03.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consu…
PNR should be deleted after 30 days, says EU privacy watchdog (1.04.2011)
http://www.out-law.com//default.aspx?page=11847
EDRi-gram: Commission's proposal for PNR Directive fails to impress MEPs
(9.02.2011)
http://www.edri.org/edrigram/number9.3/commission-pnr-directive
============================================================
4. Ten Internet Rights & Principles for Human Rights and Social Justice
============================================================
The Internet Rights and Principles Dynamic Coalition (DC-IRP) launched on 31
March 2011 its "10 Internet Rights and Principles" for an Internet
governance rooted in human rights and social justice.
These 10 Internet Rights and Principles are part of a global initiative
undertaken in the framework of the UN Internet Governance Forum (IGF), by
the DC-IRP to develop a comprehensive Charter of Human Rights and Principles
for the Internet. In addition to the 10 Internet Rights and Principles, the
Charter is built into two sections. The first interprets human rights and
defines principles that stem from these rights for the purposes and concerns
of the information society. The second section addresses the roles that
different actors and stakeholders should play in order to uphold these
rights and principles.
This Charter is not an attempt to create new rights, but to reinterpret and
explain universal human rights standards in a new context - the Internet.
The Charter re-emphasizes that human rights apply online as they do offline:
human rights standards, as defined in international law, are non-negotiable.
The Charter also identifies principles, deriving from human rights, which
are necessary to preserve the Internet as a medium for civil, political,
economic, social and cultural development. It describes the responsibilities
that states have in relation to the Internet as well as the part that all
individuals and society organs have to play, considering that the Internet
is, through its design, a trans-boundary multi-stakeholder environment where
no single entity has control.
In this context, the 10 Internet Rights and Principles outline the core
demands in order to defend and expand the Internet as a space which is
empowering, open and accessible to all. To this end, they identify the main
requirements that should be met in the online environment, with regards to:
universality and equality; rights and social justice; accessibility;
expression and association; privacy and data protection; life, liberty and
security; diversity; network equality; standards and regulation; and
Governance. Such guidelines for policy and practice are much needed at a
time where human rights and social justice are under a double threat on the
Internet, from governments (both authoritarian and democratic) who seek to
control it, and from businesses who seek to monetise it.
The 10 Internet Rights and Principles were launched at the second expert
meeting on "Freedom of Expression and the Internet" in Stockholm, convened
on 30-31 March 2011 by the Swedish Ministry for Foreign Affairs. The UN
Special Rapporteur for Freedom of Opinion and Expression and the OSCE
Representative on Freedom of the Media, who attended this launching event,
welcomed this initiative.
The DC-IRP is an international multi-stakeholder network of people and
organisations - among them a number of EDRi members and observers - who are
working to uphold human rights on and through the Internet. Its Charter is
currently released as a beta version, and the Coalition welcomes comments
and contributions on its website. The 10 Internet Rights and Principles
derive from the Charter, distilling it down into 10 core demands. They are
already available in more than 15 languages, with further translations still
expected.
DC-IRP main website with the 10 Internet Rights and Principles
http://internetrightsandprinciples.org/
DC-IRP website dedicated to its Charter
http://www.irpcharter.org
Second Expert Meeting on Human Rights and the Internet Stockholm
(30-31.03.2011)
http://www.regeringen.se/sb/d/14187/a/165534
(Contribution by Meryem Marzouki, EDRi-member IRIS - France)
============================================================
5. Judicial Review of the Digital Economy Act
============================================================
In July 2010 UK ISPs TalkTalk and BT filed papers seeking a Judicial Review
(JR) of the Digital Economy Act, and were then granted a hearing. In the UK,
JRs are rare. They can be brought when there is concern that a UK law
contradicts over-riding legislation (e.g. European law). They sought the
Review on four grounds: that the UK government didn't notify the EU as
required under the Technical Standards Directive; that the Act does not
comply with e-privacy laws; that the Act does not comply with e-commerce
legislation; and that the Act has a "disproportionate" effect on ISPs,
businesses and the public. More recently a fifth ground was added, related
to the Costs Sharing Order and its consistency with the "Authorisation
Directive."
The hearing began on 23 March and finished on 28 March 2011.
The Claimants BT and TalkTalk were joined by Consumer Focus
and Article 19, who submitted evidence of the "chilling effect" of the
DEAct. EDRi-member Open Rights Group submitted evidence as a "friend of the
court", covering primarily the effect on public Wi-Fi provision, the privacy
questions, and the weaknesses of IP evidence. As well as legal submissions
from Francis Davey, we submitted a witness statement from Jim Killock and an
expert report on the technical questions behind a reliance on IP address
evidence from Richard Clayton.
The primary Defendant is the Secretary of State for Business, Skills and
Industry (ie the Minister in charge of the department that was responsible
for the Bill / Act the time of passing). They were joined by the BPI, the
British Video Association Limited, Broadcasting Entertainment Cinematograph
and Theatre Union, Equity, Film Distributors' Association, the Premier
League, the MPA, The Musicians Union, Producers Alliance for Cinema and
Television, and Unit.
A full daily summary of the JR hearing is up on our blog. There seemed (to
this not-legally-trained observer) to be two key points and one interesting
observation. First, that the Defence spent a long time arguing that the
substantive powers to which the grounds of the JR should apply are not
contained in the Act and will be in the yet-to-be-published final 'Initial
Obligations Code'. A key question for the Judge is the extent to which
the Act determines the important substantive details concerning the
obligations on ISPs and consumers, which would make it possible for the
Judge to decide on whether the Act as it stands with or without the IOC is
in breach of EU law - or whether in fact it is the IOC that will in effect
enact substantive powers.
Second, the judge was very careful in his assessment of the nature of the
"proportionality" test he was being asked to consider, and the extent to
which he was being asked to make a judgement on the policy judgements that
Parliament have made. He seemed to be reluctant to be drawn into a judgement
on the accuracy or wisdom of a public policy assessment.
One interesting point is that many of the arguments that policy wonks
might think are most important, for example concerning how robust the
evidence used to justify the Act is, or the likely benefits of the Act, were
seemingly some of the least important in legal terms.
It is very hard indeed to guess which way the Judge will fall. He listened
carefully to all arguments. The Judge said that he'll take his time to
consider the submissions; we expect (speculation) that this means 6 to 8
weeks from the end of the hearing.
Judicial review of the Digital Economy Act (8.07.2010)
http://www.talktalkblog.co.uk/2010/07/08/judicial-review-of-the-digital-eco…
Digital Economy Act 2010 to Face Judicial Review (9.12.2010)
http://www.olswang.com/newsarticle.asp?sid=558&aid=3224
Submission to the Judicial Review of the Digital Economy Act (1.02.2011)
http://www.openrightsgroup.org/ourwork/reports/submission-to-the-judicial-r…
DEA Judicial Review - Day 1 (23.03.2011)
http://www.openrightsgroup.org/blog/2011/dea-judicial-review-day-1
(Contribution by Peter Bradwell - EDRi-member Open Rights Group - UK)
============================================================
6. German Internet blocking law to be withdrawn
============================================================
On 5 April 2011, Germany's governing conservative and liberal
parties agreed in a coalition committee meeting that the disputed law on
Internet blocking of child abuse material (Zugangserschwerungsgesetz,
ZugErschwG, "Access Impediment Act") will be dropped.
The law had been enacted by the previous parliament in June 2009, but it had
never been fully implemented after the newly elected coalition decided to
only use the law's provisions for take-down, not those for blocking. After a
one-year "trial period", the new consensus seems to be that the law will be
withdrawn through a new act of the Parliament.
There is speculation that the decision could be part of a wider "package
deal" that might see Germany's data retention revived after the German
Constitutional Court had declared the previous data retention law partly
unconstitutional, but this was denied by speakers for Germany's liberal
party, FDP. German digital rights groups welcomed the decision on the
blocking law, but they will be watching how it is implemented in detail.
Last EDRi-gram article on Germany's Internet blocking law, reporting on
the law's history and a pending constitutional challenge that would be
rendered obsolete if the law is now withdrawn (23.02.2011)
http://www.edri.org/edrigram/number9.4/germany-constitutional-case-web-bloc…
EDRi-gram on the ruling against Germany's data retention law (10.03.2010)
http://www.edri.org/edrigram/number8.5/german-decision-data-retention-uncon…
(Contribution by Sebastian Lisken, EDRI member FoeBuD)
============================================================
7. 80 NGOs ask CoE to investigate government collection of biometrics
============================================================
An international alliance of organisations, including EDRi and several
EDRi-members, and individuals from 27 countries has lodged a petition
calling on the Council of Europe to start an in-depth survey on the
collection and storage of biometric data by member states.
European governments are increasingly demanding the storage of biometric
data (fingerprints and facial scans) from individuals. These include storage
on contactless "RFID" chips in passports and/or ID cards. Some are going
even further by implementing database storage e.g. France, Lithuania and the
Netherlands.
The alliance of more than 80 signatories has asked Secretary General
Thorbjxrn Jagland of the Council of Europe to urgently request the countries
involved to explain under Article 52 ECHR whether their national law on this
subject is in line with the European Convention on Human Rights (ECHR) and
rulings of the European Court of Human Rights.
In the petition to Strasbourg the alliance states: "It is vital to obtain an
overview of the current 'patchwork' of different national laws that regulate
this sensitive and important subject. An in-depth survey has to be conducted
on whether the human rights guarantees and conditions of necessity
(proportionality, subsidiarity and safety guarantees) set by the Convention
are indeed upheld."
These rights include the protection of human treatment (Article 3 ECHR),
safety (Article 5), a fair trial (the privilege against self-incrimination
and presumption of innocence) (Article 6), physical integrity and family and
private life (Article 8), effective national legal remedies (Article 13),
non-discrimination (Article 14) and the right to leave your country (Article
2 Protocol 4).
"Article 52 clearly designates the Secretary General of the Council of
Europe as the guardian of the fundamental rights placed at risk by this
practice. We would like to emphasize that national biometric registration
legislation (often in combination with other laws) should not 'lead to
destroying democracy on the ground of defending it'", the alliance warns.
"In a democratic society the collection of the biometrics of an entire
population is a disproportionate and for other reasons unnecessary
interference with the right to privacy and other rights like the presumption
of innocence, protected by the Convention. Because of these concerns the
United Kingdom Government recently abandoned the policy of collecting
fingerprints of citizens. Yet most countries are keen to fingerprint groups
and populations of people who have committed no crime, thus increasing the
chances of identity fraud", says Simon Davies of Privacy International,
which co-ordinated the online petition initiative.
The signatories include, amongst others, digital, civil and human rights
defenders, media, legal and medical organisations, academia, politicians and
personal victims without a passport because of objections involving the
biometric storage.
The press release in other languages: Dutch, French, German, Spanish,
Lithuanian and Slovak - for immediate publication (see bottom of the page)
https://www.privacyinternational.org/article/alliance-raises-concerns-about…
Text of petition (with the list of signatories) (31.03.2011)
https://www.privacyinternational.org/article/petition-council-europe-govern…
EDRi-gram: Final call for petition on government use of citizens' biometrics
(9.03.2011)
http://www.edri.org/edrigram/number9.5/petition-coe-privacy-biometrics
Highlights of the petition (6.03.2011)
http://www.pogowasright.org/?p=22180&cpage=1#comment-334
(Thanks to Robin Caron from the Alliance)
============================================================
8. RFID Privacy Impact Assessment Framework formally adopted
============================================================
The Privacy Impact Assessment Framework for RFID applications (RFID PIA) was
officially signed by European Commission Vice President Neelie Kroes,
representatives of the RFID industry, the chairman of the Article 29 Working
Party, Jacob Kohnstamm, and the Executive Director of the European Network
and Information Security Agency (ENISA), Udo Helmbrecht. The ceremony took
place today, 6 April 2011, in the European Commission's Berlaymont building
in Brussels.
In its 2009 recommendation on the implementation of privacy and data
protection principles in RFID applications, the European Commission
suggested that the RFID industry should develop a framework for RFID privacy
and data protection impact assessments. In the months following this
recommendation a first draft PIA framework was developed by an informal
working group of industry representatives to which EDRi and other
stakeholders were also invited to contribute their views.
This first draft RFID PIA framework was submitted for endorsement to the
Article 29 Working Party, which did not endorse the framework but published
on 13 July 2010 in its working paper no. 175 a request for improvements.
Further improvements were suggested by ENISA in July 2010.
In January 2011 a revised PIA Framework was submitted to the Article 29
Working Party, which formally endorsed it by publishing the framework as
an annex to its working paper no.180 on 11.02.2011.
In EDRi's opinion the RFID PIA Framework, that was formally signed today,
properly follows a risk assessment methodology, which addresses the data
protection targets defined in the European data protection legal framework
and provides therefore a sound basis for a meaningful assessment of data
protection risks for RFID applications.
The RFID PIA Framework is an important milestone on the way to the
implementation of privacy friendly RFID applications. Now it is important
that industry quickly but thoroughly implements the PIA in practice.
Today's formal signing ceremony took place before the background of the
German Big Brother Awards, which were presented in Bielefeld only a few days
earlier. One of the unpopular awards was given to the European Fashion Label
Peuterey for violating the data protection rights of their customers by
secretly tagging their fashion products with RFID chips.
The next twelve months will show how the new RFID PIA Framework is
received by industry, as the European Commission is expected to present its
report on the implementation of the RFID recommendation, its effectiveness
and its impact on operators and consumers in May 2012.
EDRi sincerely hopes that today's important milestone will be followed by a
number of serious implementation efforts and that last week's German Big
Brother Award was the last one in Europe that will be awarded to a RFID
operator.
Commission Recommendation on the implementation of privacy and
data protection principles in applications supported by radio-frequency
identification (12.05.2009)
http://ec.europa.eu/information_society/policy/rfid/documents/recommendatio…
EDRi-gram 7.10: EU supports RFID with proper protection of consumers'
privacy (20.05.2009)
http://www.edri.org/edri-gram/number7.10/rfid-european-commission-recommand…
Article 29 Working Party: Opinion 5/2010 on the Industry Proposal for a
Privacy and Data Protection Impact Assessment Framework for RFID
Applications
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp175_en.pdf
ENISA Opinion on the Industry Proposal for a Privacy and Data Protection
Impact Assessment Framework for RFID Applications (31.03.2010)
http://www.enisa.europa.eu/media/news-items/enisa-opinion-on-pia
EDRi-gram 8.15: ENDitorial: Industry RFID PIA: not endorsed in its current
form (28.07.2010)
http://www.edri.org/edrigram/number8.15/article-29-no-to-rfid-pia
Article 29 Working Party: Opinion 9/2011 on the revised Industry Proposal
for a Privacy and Data Protection Impact Assessment Framework for RFID
Applications
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_en.pdf
Annex: Privacy and Data Protection Impact Assessment Framework for RFID
Applications
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_annex_e…
(contribution by Andreas Krisch - EDRi)
============================================================
9. Website blocking and suspension discussions in the UK
============================================================
UK Minister Ed Vaizey is involved in discussions for private blocking
schemes to prevent access to copyright infringing websites. This follows the
delays in implementing the Digital Economy Act. It is believed by the
EDRi-member Open Rights Group and others that music and film lobby groups
are pushing for private measures that would avoid the need for legaislation
and potentially human rights considerations such as due process and freedom
of expression.
Nominet, the .uk registry is also engaging a wide range of bodies to create
procedures for suspension of domains believed to be involved in criminal
activity. Over the last two years, they have been suspending domains on
request from the police, with appeals procedure but no examination of the
legal and human rights implications. The consultation therefore presents a
step forward in creating transparency but also a longer term danger, as
registry suspensions could be abused as a short cut for law enforcement
agencies.
Silence from the website blocking Working Group (5.04.2011)
http://www.openrightsgroup.org/blog/2011/silence-from-the-website-blocking-…
Nominet talks about domain suspensions (5.04.2011)
http://www.openrightsgroup.org/blog/2011/nominet-talks-about-domain-suspens…
(Contribution by Jim Killock - EDRi-member Open Rights Group - UK)
============================================================
10. Big Brother Awards Germany 2011
============================================================
The eleventh German Big Brother Awards were bestowed on Friday 1 April
2011 in Bielefeld, Germany. Organized by EDRi member FoeBuD, the
ceremony featured eight negative awards in various categories.
In the "Communication" category, Facebook was one winner for
"systematically poking its nose into people and their relationships,
behind the friendly fagade of an ostensibly free service". In the awards
speech, Facebook was described as a "gated community" on the Internet,
comparing it, in several aspects, to the closed housing estates found in
an increasing number of places across the world.
Another "Communication" award went to Apple for virtually "blackmailing"
its customers into accepting a dubious privacy policy as part of a terms
and conditions document that, when displayed on the iPhone, takes up 117
pages. Consent to the privacy conditions should be voluntary, according
to Germany's data protection law, but without consent, the iPhone's
functions are reduced to telephony. With consent, Apple and partners
receive excessive amounts of data, including the device's location.
One winner in the "Workplace" category was German car maker Daimler, one
of several employers that demand blood tests from their employees, which,
in most cases, was not required by industrial law - in the words of the
award speech, a form of modern-day vampirism.
Another "Workplace" award went to the German Customs authority, for
promoting a certification named "Authorized Economic Operator" (AEO) to
companies with international business relationships. The certification
involves checking each employee against EU or US anti-terror lists. This
use of personal data has no legal foundation, meaning that German
Customs encourage companies to use their employees' personal data in an
illegal way.
In the "Technology" category, the fashion brand Peuterey was cited for
introducing RFID in clothing, not as theft-prevention attachments but
sewn into jackets under a label saying "do not remove this label".
The "Consumer Protection" award went to a publishing house called
"Knowledge and Information" (Verlag f|r Wissen und Information) that
doesn't actually produce and trade its own books but asks schools to
distribute book coupons which can only be redeemed if names and
addresses of the pupil and at least one parent are supplied. A blogger's
investigation uncovered that the "publisher's"s business model was mainly
a partnership with financial investment advisers and with a manufacturer
of vitamin pills. Those that accepted and used the coupons were offered a
telephone "interview" on the subject of "learning, health, and future".
One award was actually collected by its winner (only the third time that
this has happened in eleven years): Gert Wagner, head of the "census
commission" that promotes this year's German census, defended the
project against the accusation that it collects excessive and dangerous
amounts of data, with too little information and without legal recourse.
Mr Wagner's courage was appreciated, but when he attempted to put down
his critics as "living in a parallel universe" and stressed that the
census was justified by the mere fact that it had proper legal
foundation, it did not win him many friends in the audience.
The winner in the "Politics" category was the Interior Minister in the
state of Lower Saxony, Uwe Sch|nemann, for the first known use of a
police drone for clandestine monitoring of a public gathering during
protests against a nuclear waste transport to Germany's main storage
facility at Gorleben in the Wendland region.
The audience award for the most "impressive, surprising, shocking, or
outrageous" winner went to Facebook, on just over a third of the votes.
Nominations for the next Big Brother Awards are open until the end of
this year.
BigBrotherAwards Germany 2011 (1.04.2011)
http://www.bigbrotherawards.de/2011-en?set_language=en
(Contribution by Sebastian Lisken - EDRi-member FoeBuD)
============================================================
11. Privatised online enforcement series:
B. Is "self-regulation" worse than useless?
============================================================
Much of the policy with regard to "self-regulation" in the context of
illegal online content is developed on the basis that anything that industry
can do to help fight crime is automatically a good thing. The assumption is
that, however distasteful it is that private companies should be regulating
and enforcing the law in the online world, it is better that "somebody" is
doing "something". The reality is, however, very different.
The first area where Internet intermediaries started enforcing the law is in
relation to child abuse images. The European Commission funds "hotlines" to
receive reports of child abuse images and these send reports to law
enforcement authorities and Internet hosting providers and, sometimes,
Internet access providers. Law enforcement authorities are supposed to play
their role in investigation and prosecution, while Internet providers are
supposed to play their role, in diligently and within the rule of law,
removing content that has been shown to be illegal and supporting collection
of evidence by law enforcement authorities.
At a recent meeting of the European Commission "dialogue" on dissemination
of illegal content within the European Union", the Safer Internet Unit of
the Commission gave a different and more worrying analysis. A representative
explained that many EU police forces did not prioritise online child abuse
and even if it was on the priority list in some countries, it was at the
bottom. The proposal was made, therefore, that hotlines should send reports
directly to Internet hosting providers to delete the websites. The fact that
this would facilitate and propagate the alleged inaction of the police
appears not to be a consideration.
This approach is confirmed by the European Commission's guidelines for
co-funded hotlines on notice and takedown (that are, unsurprisingly, not
publicly available), which suggest that agreements should be signed between
the hotlines and the police. These guidelines suggest that "the agreement
should preferably stipulate a deadline for the police to react after which
the hotline would proceed with giving notice". In other words, law
enforcement authorities would be assured that, if they remained wholly
inactive for an agreed period, the evidence of their failure to address
serious crimes would be diligently hidden by the hotlines, in cooperation
with well-meaning "industry self-regulation".
This is, unfortunately, far from the only example. As mentioned above,
hotlines also contact Internet access providers. In some countries, these
take it upon themselves to undertake technically limited "blocking" against
sites identified as being illegal. In Sweden, for example, ISPs "block"
sites and receive an updated list from the police every two weeks. The
pointlessness of this whole process is shown by the fact that, while the
lists are updated every 14 days, the British hotline, the IWF, has produced
statistics showing that the average length of time the sites remain online
is only twelve days. In other words, on average, there are no functioning
sites at all on the "blocking" list one day out of every seven.
Unfortunately, this activity is not just useless, it is worse than useless.
In a speech given to the German Parliament, a Danish police official
explained that, having "blocked" the websites domestically, the police in
that country do not see any point in communicating evidence of serious
crimes against children to the police forces in the United States and
Russia, because they probably wouldn't be interested. It is difficult to
imagine another crime which would be treated in such a trivial way.
Reports from the European Commission are that there will be a major push to
increase the "safer internet" budget, which is currently being reviewed. As
yet, there are no signs that any lessons are being learned regarding the
failures of "self-regulation" under the current programme.
Internet Watch Foundation Annual Report 2010
http://www.iwf.org.uk/assets/media/annual-reports/Internet%20Watch%20Founda…
EDRi-gram: Dialogue on illegal online content (28.06.2010)
http://www.edri.org/edrigram/number8.15/edri-euroispa-notice-takedown-comis…
Child abuse is difficult to stop on the web (only in Swedish, 29.09.2010)
http://www.dn.se/nyheter/sverige/overgrepp-pa-barn-svart-stoppa-pa-natet
Danish police statement
http://www.edri.org/files/Written_Statement_Underbjerg.pdf
Privatised Online Enforcement Series
A. Abandonment of the rule of law (23.03.2011)
http://www.edri.org/edrigram/number9.6/abandonment-rule-of-law
(Contribution by Joe McNamee - EDRi)
============================================================
12.ENDitorial: Data retention: Is the EC trying to dig itself out of a hole?
============================================================
The Data Retention Directive was adopted in 2006 in very controversial
circumstances. Article 15 of the Directive placed a clear obligation on the
European Commission (EC), to submit "no later than 15 September 2010" a
report on the evaluation of the Directive and its impact on economic
operators and consumers". Today is the 203rd day since that evaluation
report was due to be published. This raises the obvious question - why has
the Commission, as "guardian of the treaties" failed to respect its legal
obligation and when will it finally comply?
The main reason for the delay is that some crucial mistakes were made at the
beginning of the review process. Firstly, the Commission failed to recognise
that, under the Charter on Fundamental Rights, the Directive is only legal
if it is both "necessary and genuinely meet(s) objectives of general
interest." Its second mistake was to reach its conclusion ("data retention
is here to stay") before starting the research, thereby limiting its scope
and assuming that the Member States would have answers to its questions
about the assumed value of data retention. The Commission then limited
itself further by not seeking any information from Member States that had
not implemented the Directive. This definitively prevented the Commission
from being able to compare how much essential extra data is stored as a
result of the Directive, thereby making the legislation "necessary".
As a result, when the Commission asked for data in the second quarter of
2010, it received little useable information from the Member States. As a
result, Commissioner Malmstrvm made a personal plea to Member States during
the July 15 Justice and Home Affairs Council, followed by a letter (linked
below) from the Commission to Member States. The letter betrays the
Commission's disregard for the Charter (which each Commissioner swore a
legally binding oath to support) by showing that it is not seeking to
demonstrate "necessity" - "without this information it will be difficult for
the Commission to adequately demonstrate that the Directive is useful". It
further lowered the level of evidence it was requesting by asking for
examples of where data retained under the Directive "played a determining
role", rather than asking for examples of where data that would not
otherwise have been retained played a determining role.
Having created this untenable situation, the Commission managed to dig
itself even deeper during the "Taking on the Data Retention Directive"
conference in December 2010. For reasons that are far from obvious,
Commissioner Malmstrvm made a speech arguing that "data retention is here to
stay", despite the fact that inadequate information had been received from
the Member States (who mostly ignored her personal plea at the July Council
meeting) and despite the fact that her services were still months away from
being able to provide a useable summary of the paltry information that was
provided by the Member States.
So, where are we now? The Home Affairs Directorate General (DG HOME) of the
European Commission submitted a draft evaluation report at the end of
February, resplendent in blank spaces where the Member State information
should have been put, for review by colleagues from the rest of the
Commission. These have now provided their feedback which, by all accounts,
did not lavish praise on the work done so far. When and how the DG HOME will
update the document based on this feedback is not yet clear - what is clear
is the disastrous position their prejudging of the outcome of this process
has created.
The Commission has simply no basis, on the weak evidence presented by the
Member States, to argue that the value added to law enforcement by the
Directive shows that it is "necessary" (and therefore legal). It therefore
cannot move forward with a revision of the Directive. For the same reason,
it cannot opt simply to do nothing. It also cannot refine the Directive by
learning from the experience of Member States, like Germany and Romania,
that have not implemented the Directive, for the simple reason that it did
not request any information from those countries. And, having pandered to
the wishes of certain large Member States by proclaiming that "data
retention is here to stay," even a tactical retreat seems politically
difficult, even if it is legally and practically the only reasonable step
left.
Perhaps the Commission should stop digging and start listening, learning
from the insightful words of a Swedish Liberal MEP on the day that the
Directive was adopted in the European Parliament. "This is a difficult issue
on which to adopt a position. Reflection is required, together with a solid
factual basis in relation to the privacy aspect, the technical consequences
and the actual costs for telecommunications operators and thus consumers."
Data retention Directive
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:00…
Letter from the Commission to Member States (27.06.2011)
http://www.edri.org/files/drd_letter.pdf
Czech Constitutional Court rejects Data Retention Law (31.03.2011)
http://www.edri.org/czech-decision-data-retention
EDRi-gram: Romanian Constitutional Court Decision against Data Retention
(2.12.2009)
http://www.edri.org/edrigram/number7.23/romania-decision-data-retention
EDRi-gram: German Federal Constitutional Court Rejects Data Retention Law
(10.03.2010)
http://www.edri.org/edrigram/number8.5/german-decision-data-retention-uncon…
Commissioner Malmstrvm's "data retention is here to stay" speech (3.12.2010)
http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/10/723
Explanations of vote in the Euopean Parliament on the Data Retention
Directive
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+CRE+200512…
(Contribution by Joe McNamee - EDRi)
============================================================
13. Recommended Action
============================================================
Public consultation on on-line gambling in the Single Market. The final
questions in the Green Paper asks about the value of, and options for,
blocking of gambling websites.
Deadline: 31 July 2011
http://ec.europa.eu/internal_market/services/gambling_en.htm
============================================================
14. Recommended Reading
============================================================
Paul de Hert / Rocco Bellanova: Transatlantic Cooperation on Travelers'
Data Processing: From Sorting Countries to Sorting Individuals
(Migration Policy Institute, 2011)
http://www.migrationpolicy.org/pubs/dataprocessing-2011.pdf
European Data Protection Commissioners insist on the need for a
comprehensive EU approach to data protection (6.04.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/…
EU survey: 72% of Europeans not informed about their fundamental rights
(18.03.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=EO/11/6&format=HTML…
============================================================
15. Agenda
============================================================
7-8 April 2011, Amsterdam, Netherlands
European Legal Network Conference "Free Software law for the next ten years"
http://fsfe.org/projects/ftf/legal-conference.en.html
13-15 April 2011, Berlin, Germany
Re:publica XI: Conference about blogs, social media and the digital society
http://re-publica.de/11/en/
5-6 May 2011, Milano, Italy
The European Thematic Network on Legal Aspects of Public Sector
Information - public conference
http://www.lapsi-project.eu/milan
17-18 May 2011, Berlin Germany
European Data Protection Reform & International Data Protection Compliance
http://www.edpd-conference.com
30-31 May 2011, Belgrade, Serbia
Pan-European dialogue on Internet governance (EuroDIG)
http://www.eurodig.org/
2-3 June 2011, Krakow, Poland
4th International Conference on Multimedia, Communication, Services and
Security organized by AGH in the scope of and under the auspices of INDECT
project
http://mcss2011.indect-project.eu/
12-15 June 2011, Bled, Slovenia
24th Bled eConference, eFuture: Creating Solutions for the Individual,
Organisations and Society
http://www.bledconference.org/index.php/eConference/2011
14-16 June 2011, Washington DC, USA
CFP 2011 - Computers, Freedom & Privacy
"The Future is Now"
http://www.cfp.org/2011/wiki/index.php/Main_Page
11-12 July 2011, Barcelona, Spain
7th International Conference on Internet, Law & Politics (IDP 2011): Net
Neutrality and other challenges for the future of the Internet
http://edcp.uoc.edu/symposia/lang/en/idp2011/?lang=en
============================================================
16. About
============================================================
EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 29 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRi-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and are visible on
the EDRi website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
1
0
Re: <nettime> FW: [IP] WikiLeaks sold classified intel, claims website's co-founder
by John Young 06 Jul '18
by John Young 06 Jul '18
06 Jul '18
At 10:49 AM 12/7/2010 +1100, you wrote:
>> Do you have a pointer to this stuff?
The early private Wikileaks email messages, leaked:
http://cryptome.org/wikileaks/wikileaks-leak.htm
http://cryptome.org/wikileaks/wikileaks-leak2.htm
The goal to raise $5M in a half-year is in the first URL,
near the bottom, 7 Jan 2007.
Lately, that goal appears realistic -- Julian claims over
$1m donated in the few months after the gun ship video
and war logs release -- and thanks to inducing the MSM
to launder WL's rising profits through its approved channels
for selling leaked classified information after checking
with officials about what will keep the mutually beneficial
leaks flowing.
Nobody comes close to profiting as much by selling
leaks like governments and other authoritatives. Leaks
were invented for that purpose, insider spin, press
offices obligatory, research grants, conferences,
tete a tetes, hot sheets, lost laptops, Lady Gaga CD
burnings.
There will be stings to entrap extortionists. Bank of
America hard disks. Swedish honeys. Rats inside
and outside WL.
On Ted's point about Cryptome: it is a library of sorts
not a hot sheet. 90 per cent of its traffic is for archived
material. Totally untrustworthy. Damaging to seekers
of authoritativeness. Not worth a centavo. Don't go
there. Fuck off. Fuck yourself. Fuck me. Fuck WL.
Fuck this.
# distributed via <nettime>: no commercial use without permission
# <nettime> is a moderated mailing list for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: http://mail.kein.org/mailman/listinfo/nettime-l
# archive: http://www.nettime.org contact: nettime(a)kein.org
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
1
0
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 9.7, 7 April 2011
============================================================
Contents
============================================================
1. Czech Constitutional Court rejects data retention legislation
2. EDRi responds to IPR Enforcement consultation
3. EDPS criticizes the EU PNR scheme
4. Ten Internet Rights & Principles for Human Rights and Social Justice
5. Judicial Review of the Digital Economy Act
6. German Internet blocking law to be withdrawn
7. 80 NGOs ask CoE to investigate government collection of biometrics
8. RFID Privacy Impact Assessment Framework formally adopted
9. Website blocking and suspension discussions in the UK
10. Big Brother Awards Germany 2011
11. Privatised online enforcement series: B. Is "self-regulation" worse than
useless?
12. ENDitorial Data Retention: Is the EC trying to dig itself out of a hole?
13. Recommended Action
14. Recommended Reading
15. Agenda
16. About
============================================================
1. Czech Constitutional Court rejects data retention legislation
============================================================
The Czech Constitutional Court declared national data retention legislation
unconstitutional on 31 March 2011. This is part of the Electronic
Communications Act and its implementing legislation according to which
records of e-mails, phone calls, and SMS as well as websites accesses of
every citizen should be retained by telecommunications companies for a time
period of six months, as an implementation of the Data Retention Directive.
This court decision followed previous decisions of the constitutional courts
of Germany and Romania.
The complaint filed with the Constitutional Court was prepared by activists
from EDRi-member Czech civic rights organisation Iuridicum Remedium and 51
MPs from the Civic Democratic Party (ODS) and the Green Party (SZ) who
signed it in March 2010.
The Constitutional Court decision criticizes the Czech transposition of the
Data Retention Directive. The Czech legislation requires the retaining of a
larger number of data than the directive demands, where the use of data is
not limited to investigating terrorism and serious organised crime. There
was a lack of the principle of subsidiarity in the legislation related to
eavesdropping, although these data are equally sensitive. This has led to a
large number of requests for such data by the police. The national
legislation lacked, according to the constitutional court, clear and
detailed rules for the protection of personal data as well as the obligation
to inform the person whose data has been requested.
The court said that EU law was not part of the constitution of the Czech
Republic and that the directive could therefore not be reviewed by the
Constitutional Court. According to the court decision, the content of the
Data Retention Directive gives the Czech Republic sufficient space for
its constitutionally conformal transposition. However, the Constitutional
Court has doubts about the necessity and proportionality of the data
retention principle in the obiter dictum paragraphs (p. 55-57). The court
doubted whether the blanket monitoring of the communications of all citizens
in terms of intensity of intervention into the private sphere is necessary
and appropriate. The court also doubted the effectiveness of the use of the
retained data in combating crime, particularly with reference to the
possibility of anonymising communications. The police statistics show that
despite a significant increase in the number of requests for traffic and
location data, this did not translate into a proportional number of
committed and solved crimes.
The Constitutional Court also regards certain provisions of the
Criminal Act concerning the use of such data by authorities engaged in
criminal proceeding as highly questionable and it called on MPs to consider
its modification. According to the Court, it will be necessary to consider
each individual case in which data have already been requested in order to
be used in criminal proceedings, with respect to the principle of
proportionality regarding privacy rights infringement.
Text of the complaint (only in Czech)
http://www.slidilove.cz/content/plne-zneni-stiznosti-us-kvuli-ceskemu-data-…
Text of the court decision (only in Czech) - to be translated in English in
the next 2 weeks
http://www.concourt.cz/clanek/GetFile?id=5075
Constitutional Court: Spying on Communication Declared Unconstitutional
(31.03.2011)
http://www.slidilove.cz/en/english/constitutional-court-spying-communicatio…
Constitutional Court invalidates telecommunications data retention
law (1.04.2011)
http://www.radio.cz/en/section/curraffrs/constitutional-court-invalidates-t…
Czech Republic: Constitutional Court Overturns Parts of Data Retention Law
(01.04.2011)
http://www.loc.gov/lawweb/servlet/lloc_news?disp3_2601_text
(Contribution by Jan Voboril - EDRi-member IuRe - Czech Republic)
============================================================
2. EDRi responds to IPR Enforcement consultation
============================================================
European Digital Rights has submitted on 31 March 2011 its response to the
European Commission's consultation on the implementation of the IPR
Enforcement Directive.
The response examines the claims made by the Commission, the evidence (or
lack thereof) for its assumptions and the lessons that it draws and fails to
draw from the experience of European citizens with the implementation of the
Directive. The first section of the response deals with the overall approach
of the Commission and its reaction to what it calls "ubiquitous"
unauthorised filesharing online. EDRi questions whether many of the
assumptions regarding the "cost" of such filesharing are correct,
particularly with a growing body of research indicating that the impact is
either zero or close to zero.
This leads on to a more fundamental question of the legitimacy of current
copyright legislation. If breaches really are "ubiquitous," is a response
which is mainly or wholly based on repression either proportionate or
effective? With equally ubiquitous problems concerning the cost, the format
and the availability of audiovisual material, would it not be better to
properly service the market rather enforce respect for a broken market?
With regard to criminal law and unauthorised access to audiovisual content,
EDRi argues that the Commission's current approach of treating
"counterfeiting and piracy" as one phenomenon, as if the causes and
solutions for counterfeit medication are the same as for private music
downloading, is simply wrong. Indeed, worst than that, treating both as the
same can only result in either counterfeit drugs being subject to unduly
weak countermeasures or unauthorised access to audiovisual material being
treated disproportionally harshly.
The response pays particular attention to the vague and dangerous assertion
that the fundamental right to privacy can somehow be re-balanced against the
right, included in the Charter of Fundamental Rights, to property. The
response points out that a balance between rights can never be done in the
abstract, rendering the whole approach by the Commission meaningless. It
goes on to point to the UNESCO Convention on Protection and Promotion of the
Diversity of Cultural Expressions (which the EU collectively and almost all
Member States individually have signed up to), which, in article 2, explains
that cultural diversity can be protected and promoted only if human rights
and fundamental freedoms, such as freedom of expression, information and
communication, as well as the ability of individuals to choose cultural
expressions, are guaranteed."
In its report, the Commission also subtly mentions that "it could be useful
to clarify that injunctions should not depend on the liability of the
intermediary". What this means in practice is that courts could ignore the
provisions of the E-Commerce Directive on "mere conduit" (regarding access
to illegal material) and on the imposition of a "general obligation to
monitor". The Commission's view - and the view that it has given to the
European Court of Justice in the Scarlet/Sabam case - is that national
courts may (and should) impose monitoring, blocking and filtering
obligations on Internet service providers and that the E-Commerce Directive
should not prevent them from doing this. The Commission's analysis fails to
acknowledge, let alone address, how this would be compatible with the
European Charter of Fundamental Rights - the same Charter that it so eagerly
uses to defend the weakening of the fundamental right to privacy.
The EDRi response concludes by listing a set of issues to be addressed in
any impact assessment used to justify a re-opening and extension of the IPR
Enforcement Directive.
EDRi response to IPRED Consultation (31.03.2011)
http://www.edri.org/files/edri_ipred_110331.pdf
Report on the enforcement of intellectual property rights (COM(2010) 779)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52010DC0779:EN:…
Analysis of the application of Directive 2004/48/EC on the enforcement of
intellectual property rights in the Member States (SEC(2010) 1589)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=SEC:2010:1589:FIN:EN:…
(Contribution by Joe McNamee - EDRi)
============================================================
3. EDPS criticizes the EU PNR scheme
============================================================
Peter Hustinx, the European Data Protection Supervisor (EDPS) issued on 25
March 2011 his opinion on the European Commission's proposal to oblige
airline carriers to provide EU Member States with personal data (PNR) on
passengers entering or leaving the EU space, with the declared purpose to
fight serious crime and terrorism.
On 2 February 2011, the European Commission made a new proposal for a PNR
Directive, to extend the passenger-tracking systems already in use in the UK
and US to all flights to and from the EU. PNR data may include personal
information such as home addresses, email addresses, mobile phone numbers,
frequent flyer information, and even credit card information.
In the EDPS' opinion, although the new proposal is an improved version as
compared to the previous document released in 2007, particularly due to the
addition of data protection safeguards, the restriction of the proposal's
scope and the conditions for PNR data processing under EU data protection
law, it is still unjustified.
The EDPS draws attention to the fact that the Proposal does not meet
"the essential prerequisite to any development of a PNR scheme - i.e.
compliance with necessity and proportionality principles".
The EDPS emphasizes that the need to collect or store massive amounts of
personal data must be substantiated by a clear demonstration of the
relationship between use and result (necessity principle). Hustinx believes
the proposal and the accompanying Impact Assessment fail to demonstrate the
necessity and the proportionality of a large collection of PNR data for the
purpose of the systematic assessment of all passengers.
The EDPS raises concerns related to the use of PNR data "in a systematic
and indiscriminate way" and believes that the only measure compliant with
data protection requirements would be the use of PNR data on cases when
there is a serious threat established by concrete indicators on a
case-by-case basis.
Hustinx makes a series of recommendations, among which a further limitation
of the proposal's scope that would exclude minor crimes and the possibility
for Member States to extend its reach. He also questions the
inclusion of serious crimes which have no relation to terrorism.
One recommendation is the limitation of the data retention period to 30
days, except for cases which require further investigation. The data
should be retained in an identifiable form.
The EDPS recommends a higher standard of safeguards, especially in relation
to the data subjects' rights and transfers to third countries.
While welcoming the fact that sensitive data were not included in the list
of data to be collected, the EDPS still considers the list to be too
extensive and recommends its further reduction in agreement with
the recommendations of the Article 29 Working Party and the EDPS.
Hustinx says that an assessment of the EU PNR system "should be based on
comprehensive data, including the number of persons effectively convicted -
and not only prosecuted - on the basis of the processing of their data." He
also recommends the assessment of the system "in a broader perspective
including the ongoing general evaluation of all EU instruments in the field
of information exchange management launched by the Commission in January
2010. In particular, the results of the current work on the European
Information Exchange Model expected for 2012 should be taken into
consideration in the assessment of the need for an EU PNR scheme."
Meanwhile, the UK Home Office has expressed concern over the delay of the
draft PNR Directive and has shown its support for the extension of any
passenger-tracking system to flights between EU countries as well as those
outside EU territory. The House of Lords has recently urged the
Government to opt in to the proposal, ensuring its change to include all
international flights.
EU Passenger Name Record: proposed system fails to meet necessity
requirement, says EDPS (28.03.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/…
Opinion of the European Data Protection Supervisor on the Proposal for a
Directive of the European Parliament and of the Council on the use of
Passenger Name Record data for the prevention, detection, investigation and
prosecution of terrorist offences and serious crime (25.03.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consu…
PNR should be deleted after 30 days, says EU privacy watchdog (1.04.2011)
http://www.out-law.com//default.aspx?page=11847
EDRi-gram: Commission's proposal for PNR Directive fails to impress MEPs
(9.02.2011)
http://www.edri.org/edrigram/number9.3/commission-pnr-directive
============================================================
4. Ten Internet Rights & Principles for Human Rights and Social Justice
============================================================
The Internet Rights and Principles Dynamic Coalition (DC-IRP) launched on 31
March 2011 its "10 Internet Rights and Principles" for an Internet
governance rooted in human rights and social justice.
These 10 Internet Rights and Principles are part of a global initiative
undertaken in the framework of the UN Internet Governance Forum (IGF), by
the DC-IRP to develop a comprehensive Charter of Human Rights and Principles
for the Internet. In addition to the 10 Internet Rights and Principles, the
Charter is built into two sections. The first interprets human rights and
defines principles that stem from these rights for the purposes and concerns
of the information society. The second section addresses the roles that
different actors and stakeholders should play in order to uphold these
rights and principles.
This Charter is not an attempt to create new rights, but to reinterpret and
explain universal human rights standards in a new context - the Internet.
The Charter re-emphasizes that human rights apply online as they do offline:
human rights standards, as defined in international law, are non-negotiable.
The Charter also identifies principles, deriving from human rights, which
are necessary to preserve the Internet as a medium for civil, political,
economic, social and cultural development. It describes the responsibilities
that states have in relation to the Internet as well as the part that all
individuals and society organs have to play, considering that the Internet
is, through its design, a trans-boundary multi-stakeholder environment where
no single entity has control.
In this context, the 10 Internet Rights and Principles outline the core
demands in order to defend and expand the Internet as a space which is
empowering, open and accessible to all. To this end, they identify the main
requirements that should be met in the online environment, with regards to:
universality and equality; rights and social justice; accessibility;
expression and association; privacy and data protection; life, liberty and
security; diversity; network equality; standards and regulation; and
Governance. Such guidelines for policy and practice are much needed at a
time where human rights and social justice are under a double threat on the
Internet, from governments (both authoritarian and democratic) who seek to
control it, and from businesses who seek to monetise it.
The 10 Internet Rights and Principles were launched at the second expert
meeting on "Freedom of Expression and the Internet" in Stockholm, convened
on 30-31 March 2011 by the Swedish Ministry for Foreign Affairs. The UN
Special Rapporteur for Freedom of Opinion and Expression and the OSCE
Representative on Freedom of the Media, who attended this launching event,
welcomed this initiative.
The DC-IRP is an international multi-stakeholder network of people and
organisations - among them a number of EDRi members and observers - who are
working to uphold human rights on and through the Internet. Its Charter is
currently released as a beta version, and the Coalition welcomes comments
and contributions on its website. The 10 Internet Rights and Principles
derive from the Charter, distilling it down into 10 core demands. They are
already available in more than 15 languages, with further translations still
expected.
DC-IRP main website with the 10 Internet Rights and Principles
http://internetrightsandprinciples.org/
DC-IRP website dedicated to its Charter
http://www.irpcharter.org
Second Expert Meeting on Human Rights and the Internet Stockholm
(30-31.03.2011)
http://www.regeringen.se/sb/d/14187/a/165534
(Contribution by Meryem Marzouki, EDRi-member IRIS - France)
============================================================
5. Judicial Review of the Digital Economy Act
============================================================
In July 2010 UK ISPs TalkTalk and BT filed papers seeking a Judicial Review
(JR) of the Digital Economy Act, and were then granted a hearing. In the UK,
JRs are rare. They can be brought when there is concern that a UK law
contradicts over-riding legislation (e.g. European law). They sought the
Review on four grounds: that the UK government didn't notify the EU as
required under the Technical Standards Directive; that the Act does not
comply with e-privacy laws; that the Act does not comply with e-commerce
legislation; and that the Act has a "disproportionate" effect on ISPs,
businesses and the public. More recently a fifth ground was added, related
to the Costs Sharing Order and its consistency with the "Authorisation
Directive."
The hearing began on 23 March and finished on 28 March 2011.
The Claimants BT and TalkTalk were joined by Consumer Focus
and Article 19, who submitted evidence of the "chilling effect" of the
DEAct. EDRi-member Open Rights Group submitted evidence as a "friend of the
court", covering primarily the effect on public Wi-Fi provision, the privacy
questions, and the weaknesses of IP evidence. As well as legal submissions
from Francis Davey, we submitted a witness statement from Jim Killock and an
expert report on the technical questions behind a reliance on IP address
evidence from Richard Clayton.
The primary Defendant is the Secretary of State for Business, Skills and
Industry (ie the Minister in charge of the department that was responsible
for the Bill / Act the time of passing). They were joined by the BPI, the
British Video Association Limited, Broadcasting Entertainment Cinematograph
and Theatre Union, Equity, Film Distributors' Association, the Premier
League, the MPA, The Musicians Union, Producers Alliance for Cinema and
Television, and Unit.
A full daily summary of the JR hearing is up on our blog. There seemed (to
this not-legally-trained observer) to be two key points and one interesting
observation. First, that the Defence spent a long time arguing that the
substantive powers to which the grounds of the JR should apply are not
contained in the Act and will be in the yet-to-be-published final 'Initial
Obligations Code'. A key question for the Judge is the extent to which
the Act determines the important substantive details concerning the
obligations on ISPs and consumers, which would make it possible for the
Judge to decide on whether the Act as it stands with or without the IOC is
in breach of EU law - or whether in fact it is the IOC that will in effect
enact substantive powers.
Second, the judge was very careful in his assessment of the nature of the
"proportionality" test he was being asked to consider, and the extent to
which he was being asked to make a judgement on the policy judgements that
Parliament have made. He seemed to be reluctant to be drawn into a judgement
on the accuracy or wisdom of a public policy assessment.
One interesting point is that many of the arguments that policy wonks
might think are most important, for example concerning how robust the
evidence used to justify the Act is, or the likely benefits of the Act, were
seemingly some of the least important in legal terms.
It is very hard indeed to guess which way the Judge will fall. He listened
carefully to all arguments. The Judge said that he'll take his time to
consider the submissions; we expect (speculation) that this means 6 to 8
weeks from the end of the hearing.
Judicial review of the Digital Economy Act (8.07.2010)
http://www.talktalkblog.co.uk/2010/07/08/judicial-review-of-the-digital-eco…
Digital Economy Act 2010 to Face Judicial Review (9.12.2010)
http://www.olswang.com/newsarticle.asp?sid=558&aid=3224
Submission to the Judicial Review of the Digital Economy Act (1.02.2011)
http://www.openrightsgroup.org/ourwork/reports/submission-to-the-judicial-r…
DEA Judicial Review - Day 1 (23.03.2011)
http://www.openrightsgroup.org/blog/2011/dea-judicial-review-day-1
(Contribution by Peter Bradwell - EDRi-member Open Rights Group - UK)
============================================================
6. German Internet blocking law to be withdrawn
============================================================
On 5 April 2011, Germany's governing conservative and liberal
parties agreed in a coalition committee meeting that the disputed law on
Internet blocking of child abuse material (Zugangserschwerungsgesetz,
ZugErschwG, "Access Impediment Act") will be dropped.
The law had been enacted by the previous parliament in June 2009, but it had
never been fully implemented after the newly elected coalition decided to
only use the law's provisions for take-down, not those for blocking. After a
one-year "trial period", the new consensus seems to be that the law will be
withdrawn through a new act of the Parliament.
There is speculation that the decision could be part of a wider "package
deal" that might see Germany's data retention revived after the German
Constitutional Court had declared the previous data retention law partly
unconstitutional, but this was denied by speakers for Germany's liberal
party, FDP. German digital rights groups welcomed the decision on the
blocking law, but they will be watching how it is implemented in detail.
Last EDRi-gram article on Germany's Internet blocking law, reporting on
the law's history and a pending constitutional challenge that would be
rendered obsolete if the law is now withdrawn (23.02.2011)
http://www.edri.org/edrigram/number9.4/germany-constitutional-case-web-bloc…
EDRi-gram on the ruling against Germany's data retention law (10.03.2010)
http://www.edri.org/edrigram/number8.5/german-decision-data-retention-uncon…
(Contribution by Sebastian Lisken, EDRI member FoeBuD)
============================================================
7. 80 NGOs ask CoE to investigate government collection of biometrics
============================================================
An international alliance of organisations, including EDRi and several
EDRi-members, and individuals from 27 countries has lodged a petition
calling on the Council of Europe to start an in-depth survey on the
collection and storage of biometric data by member states.
European governments are increasingly demanding the storage of biometric
data (fingerprints and facial scans) from individuals. These include storage
on contactless "RFID" chips in passports and/or ID cards. Some are going
even further by implementing database storage e.g. France, Lithuania and the
Netherlands.
The alliance of more than 80 signatories has asked Secretary General
Thorbjxrn Jagland of the Council of Europe to urgently request the countries
involved to explain under Article 52 ECHR whether their national law on this
subject is in line with the European Convention on Human Rights (ECHR) and
rulings of the European Court of Human Rights.
In the petition to Strasbourg the alliance states: "It is vital to obtain an
overview of the current 'patchwork' of different national laws that regulate
this sensitive and important subject. An in-depth survey has to be conducted
on whether the human rights guarantees and conditions of necessity
(proportionality, subsidiarity and safety guarantees) set by the Convention
are indeed upheld."
These rights include the protection of human treatment (Article 3 ECHR),
safety (Article 5), a fair trial (the privilege against self-incrimination
and presumption of innocence) (Article 6), physical integrity and family and
private life (Article 8), effective national legal remedies (Article 13),
non-discrimination (Article 14) and the right to leave your country (Article
2 Protocol 4).
"Article 52 clearly designates the Secretary General of the Council of
Europe as the guardian of the fundamental rights placed at risk by this
practice. We would like to emphasize that national biometric registration
legislation (often in combination with other laws) should not 'lead to
destroying democracy on the ground of defending it'", the alliance warns.
"In a democratic society the collection of the biometrics of an entire
population is a disproportionate and for other reasons unnecessary
interference with the right to privacy and other rights like the presumption
of innocence, protected by the Convention. Because of these concerns the
United Kingdom Government recently abandoned the policy of collecting
fingerprints of citizens. Yet most countries are keen to fingerprint groups
and populations of people who have committed no crime, thus increasing the
chances of identity fraud", says Simon Davies of Privacy International,
which co-ordinated the online petition initiative.
The signatories include, amongst others, digital, civil and human rights
defenders, media, legal and medical organisations, academia, politicians and
personal victims without a passport because of objections involving the
biometric storage.
The press release in other languages: Dutch, French, German, Spanish,
Lithuanian and Slovak - for immediate publication (see bottom of the page)
https://www.privacyinternational.org/article/alliance-raises-concerns-about…
Text of petition (with the list of signatories) (31.03.2011)
https://www.privacyinternational.org/article/petition-council-europe-govern…
EDRi-gram: Final call for petition on government use of citizens' biometrics
(9.03.2011)
http://www.edri.org/edrigram/number9.5/petition-coe-privacy-biometrics
Highlights of the petition (6.03.2011)
http://www.pogowasright.org/?p=22180&cpage=1#comment-334
(Thanks to Robin Caron from the Alliance)
============================================================
8. RFID Privacy Impact Assessment Framework formally adopted
============================================================
The Privacy Impact Assessment Framework for RFID applications (RFID PIA) was
officially signed by European Commission Vice President Neelie Kroes,
representatives of the RFID industry, the chairman of the Article 29 Working
Party, Jacob Kohnstamm, and the Executive Director of the European Network
and Information Security Agency (ENISA), Udo Helmbrecht. The ceremony took
place today, 6 April 2011, in the European Commission's Berlaymont building
in Brussels.
In its 2009 recommendation on the implementation of privacy and data
protection principles in RFID applications, the European Commission
suggested that the RFID industry should develop a framework for RFID privacy
and data protection impact assessments. In the months following this
recommendation a first draft PIA framework was developed by an informal
working group of industry representatives to which EDRi and other
stakeholders were also invited to contribute their views.
This first draft RFID PIA framework was submitted for endorsement to the
Article 29 Working Party, which did not endorse the framework but published
on 13 July 2010 in its working paper no. 175 a request for improvements.
Further improvements were suggested by ENISA in July 2010.
In January 2011 a revised PIA Framework was submitted to the Article 29
Working Party, which formally endorsed it by publishing the framework as
an annex to its working paper no.180 on 11.02.2011.
In EDRi's opinion the RFID PIA Framework, that was formally signed today,
properly follows a risk assessment methodology, which addresses the data
protection targets defined in the European data protection legal framework
and provides therefore a sound basis for a meaningful assessment of data
protection risks for RFID applications.
The RFID PIA Framework is an important milestone on the way to the
implementation of privacy friendly RFID applications. Now it is important
that industry quickly but thoroughly implements the PIA in practice.
Today's formal signing ceremony took place before the background of the
German Big Brother Awards, which were presented in Bielefeld only a few days
earlier. One of the unpopular awards was given to the European Fashion Label
Peuterey for violating the data protection rights of their customers by
secretly tagging their fashion products with RFID chips.
The next twelve months will show how the new RFID PIA Framework is
received by industry, as the European Commission is expected to present its
report on the implementation of the RFID recommendation, its effectiveness
and its impact on operators and consumers in May 2012.
EDRi sincerely hopes that today's important milestone will be followed by a
number of serious implementation efforts and that last week's German Big
Brother Award was the last one in Europe that will be awarded to a RFID
operator.
Commission Recommendation on the implementation of privacy and
data protection principles in applications supported by radio-frequency
identification (12.05.2009)
http://ec.europa.eu/information_society/policy/rfid/documents/recommendatio…
EDRi-gram 7.10: EU supports RFID with proper protection of consumers'
privacy (20.05.2009)
http://www.edri.org/edri-gram/number7.10/rfid-european-commission-recommand…
Article 29 Working Party: Opinion 5/2010 on the Industry Proposal for a
Privacy and Data Protection Impact Assessment Framework for RFID
Applications
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp175_en.pdf
ENISA Opinion on the Industry Proposal for a Privacy and Data Protection
Impact Assessment Framework for RFID Applications (31.03.2010)
http://www.enisa.europa.eu/media/news-items/enisa-opinion-on-pia
EDRi-gram 8.15: ENDitorial: Industry RFID PIA: not endorsed in its current
form (28.07.2010)
http://www.edri.org/edrigram/number8.15/article-29-no-to-rfid-pia
Article 29 Working Party: Opinion 9/2011 on the revised Industry Proposal
for a Privacy and Data Protection Impact Assessment Framework for RFID
Applications
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_en.pdf
Annex: Privacy and Data Protection Impact Assessment Framework for RFID
Applications
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_annex_e…
(contribution by Andreas Krisch - EDRi)
============================================================
9. Website blocking and suspension discussions in the UK
============================================================
UK Minister Ed Vaizey is involved in discussions for private blocking
schemes to prevent access to copyright infringing websites. This follows the
delays in implementing the Digital Economy Act. It is believed by the
EDRi-member Open Rights Group and others that music and film lobby groups
are pushing for private measures that would avoid the need for legaislation
and potentially human rights considerations such as due process and freedom
of expression.
Nominet, the .uk registry is also engaging a wide range of bodies to create
procedures for suspension of domains believed to be involved in criminal
activity. Over the last two years, they have been suspending domains on
request from the police, with appeals procedure but no examination of the
legal and human rights implications. The consultation therefore presents a
step forward in creating transparency but also a longer term danger, as
registry suspensions could be abused as a short cut for law enforcement
agencies.
Silence from the website blocking Working Group (5.04.2011)
http://www.openrightsgroup.org/blog/2011/silence-from-the-website-blocking-…
Nominet talks about domain suspensions (5.04.2011)
http://www.openrightsgroup.org/blog/2011/nominet-talks-about-domain-suspens…
(Contribution by Jim Killock - EDRi-member Open Rights Group - UK)
============================================================
10. Big Brother Awards Germany 2011
============================================================
The eleventh German Big Brother Awards were bestowed on Friday 1 April
2011 in Bielefeld, Germany. Organized by EDRi member FoeBuD, the
ceremony featured eight negative awards in various categories.
In the "Communication" category, Facebook was one winner for
"systematically poking its nose into people and their relationships,
behind the friendly fagade of an ostensibly free service". In the awards
speech, Facebook was described as a "gated community" on the Internet,
comparing it, in several aspects, to the closed housing estates found in
an increasing number of places across the world.
Another "Communication" award went to Apple for virtually "blackmailing"
its customers into accepting a dubious privacy policy as part of a terms
and conditions document that, when displayed on the iPhone, takes up 117
pages. Consent to the privacy conditions should be voluntary, according
to Germany's data protection law, but without consent, the iPhone's
functions are reduced to telephony. With consent, Apple and partners
receive excessive amounts of data, including the device's location.
One winner in the "Workplace" category was German car maker Daimler, one
of several employers that demand blood tests from their employees, which,
in most cases, was not required by industrial law - in the words of the
award speech, a form of modern-day vampirism.
Another "Workplace" award went to the German Customs authority, for
promoting a certification named "Authorized Economic Operator" (AEO) to
companies with international business relationships. The certification
involves checking each employee against EU or US anti-terror lists. This
use of personal data has no legal foundation, meaning that German
Customs encourage companies to use their employees' personal data in an
illegal way.
In the "Technology" category, the fashion brand Peuterey was cited for
introducing RFID in clothing, not as theft-prevention attachments but
sewn into jackets under a label saying "do not remove this label".
The "Consumer Protection" award went to a publishing house called
"Knowledge and Information" (Verlag f|r Wissen und Information) that
doesn't actually produce and trade its own books but asks schools to
distribute book coupons which can only be redeemed if names and
addresses of the pupil and at least one parent are supplied. A blogger's
investigation uncovered that the "publisher's"s business model was mainly
a partnership with financial investment advisers and with a manufacturer
of vitamin pills. Those that accepted and used the coupons were offered a
telephone "interview" on the subject of "learning, health, and future".
One award was actually collected by its winner (only the third time that
this has happened in eleven years): Gert Wagner, head of the "census
commission" that promotes this year's German census, defended the
project against the accusation that it collects excessive and dangerous
amounts of data, with too little information and without legal recourse.
Mr Wagner's courage was appreciated, but when he attempted to put down
his critics as "living in a parallel universe" and stressed that the
census was justified by the mere fact that it had proper legal
foundation, it did not win him many friends in the audience.
The winner in the "Politics" category was the Interior Minister in the
state of Lower Saxony, Uwe Sch|nemann, for the first known use of a
police drone for clandestine monitoring of a public gathering during
protests against a nuclear waste transport to Germany's main storage
facility at Gorleben in the Wendland region.
The audience award for the most "impressive, surprising, shocking, or
outrageous" winner went to Facebook, on just over a third of the votes.
Nominations for the next Big Brother Awards are open until the end of
this year.
BigBrotherAwards Germany 2011 (1.04.2011)
http://www.bigbrotherawards.de/2011-en?set_language=en
(Contribution by Sebastian Lisken - EDRi-member FoeBuD)
============================================================
11. Privatised online enforcement series:
B. Is "self-regulation" worse than useless?
============================================================
Much of the policy with regard to "self-regulation" in the context of
illegal online content is developed on the basis that anything that industry
can do to help fight crime is automatically a good thing. The assumption is
that, however distasteful it is that private companies should be regulating
and enforcing the law in the online world, it is better that "somebody" is
doing "something". The reality is, however, very different.
The first area where Internet intermediaries started enforcing the law is in
relation to child abuse images. The European Commission funds "hotlines" to
receive reports of child abuse images and these send reports to law
enforcement authorities and Internet hosting providers and, sometimes,
Internet access providers. Law enforcement authorities are supposed to play
their role in investigation and prosecution, while Internet providers are
supposed to play their role, in diligently and within the rule of law,
removing content that has been shown to be illegal and supporting collection
of evidence by law enforcement authorities.
At a recent meeting of the European Commission "dialogue" on dissemination
of illegal content within the European Union", the Safer Internet Unit of
the Commission gave a different and more worrying analysis. A representative
explained that many EU police forces did not prioritise online child abuse
and even if it was on the priority list in some countries, it was at the
bottom. The proposal was made, therefore, that hotlines should send reports
directly to Internet hosting providers to delete the websites. The fact that
this would facilitate and propagate the alleged inaction of the police
appears not to be a consideration.
This approach is confirmed by the European Commission's guidelines for
co-funded hotlines on notice and takedown (that are, unsurprisingly, not
publicly available), which suggest that agreements should be signed between
the hotlines and the police. These guidelines suggest that "the agreement
should preferably stipulate a deadline for the police to react after which
the hotline would proceed with giving notice". In other words, law
enforcement authorities would be assured that, if they remained wholly
inactive for an agreed period, the evidence of their failure to address
serious crimes would be diligently hidden by the hotlines, in cooperation
with well-meaning "industry self-regulation".
This is, unfortunately, far from the only example. As mentioned above,
hotlines also contact Internet access providers. In some countries, these
take it upon themselves to undertake technically limited "blocking" against
sites identified as being illegal. In Sweden, for example, ISPs "block"
sites and receive an updated list from the police every two weeks. The
pointlessness of this whole process is shown by the fact that, while the
lists are updated every 14 days, the British hotline, the IWF, has produced
statistics showing that the average length of time the sites remain online
is only twelve days. In other words, on average, there are no functioning
sites at all on the "blocking" list one day out of every seven.
Unfortunately, this activity is not just useless, it is worse than useless.
In a speech given to the German Parliament, a Danish police official
explained that, having "blocked" the websites domestically, the police in
that country do not see any point in communicating evidence of serious
crimes against children to the police forces in the United States and
Russia, because they probably wouldn't be interested. It is difficult to
imagine another crime which would be treated in such a trivial way.
Reports from the European Commission are that there will be a major push to
increase the "safer internet" budget, which is currently being reviewed. As
yet, there are no signs that any lessons are being learned regarding the
failures of "self-regulation" under the current programme.
Internet Watch Foundation Annual Report 2010
http://www.iwf.org.uk/assets/media/annual-reports/Internet%20Watch%20Founda…
EDRi-gram: Dialogue on illegal online content (28.06.2010)
http://www.edri.org/edrigram/number8.15/edri-euroispa-notice-takedown-comis…
Child abuse is difficult to stop on the web (only in Swedish, 29.09.2010)
http://www.dn.se/nyheter/sverige/overgrepp-pa-barn-svart-stoppa-pa-natet
Danish police statement
http://www.edri.org/files/Written_Statement_Underbjerg.pdf
Privatised Online Enforcement Series
A. Abandonment of the rule of law (23.03.2011)
http://www.edri.org/edrigram/number9.6/abandonment-rule-of-law
(Contribution by Joe McNamee - EDRi)
============================================================
12.ENDitorial: Data retention: Is the EC trying to dig itself out of a hole?
============================================================
The Data Retention Directive was adopted in 2006 in very controversial
circumstances. Article 15 of the Directive placed a clear obligation on the
European Commission (EC), to submit "no later than 15 September 2010" a
report on the evaluation of the Directive and its impact on economic
operators and consumers". Today is the 203rd day since that evaluation
report was due to be published. This raises the obvious question - why has
the Commission, as "guardian of the treaties" failed to respect its legal
obligation and when will it finally comply?
The main reason for the delay is that some crucial mistakes were made at the
beginning of the review process. Firstly, the Commission failed to recognise
that, under the Charter on Fundamental Rights, the Directive is only legal
if it is both "necessary and genuinely meet(s) objectives of general
interest." Its second mistake was to reach its conclusion ("data retention
is here to stay") before starting the research, thereby limiting its scope
and assuming that the Member States would have answers to its questions
about the assumed value of data retention. The Commission then limited
itself further by not seeking any information from Member States that had
not implemented the Directive. This definitively prevented the Commission
from being able to compare how much essential extra data is stored as a
result of the Directive, thereby making the legislation "necessary".
As a result, when the Commission asked for data in the second quarter of
2010, it received little useable information from the Member States. As a
result, Commissioner Malmstrvm made a personal plea to Member States during
the July 15 Justice and Home Affairs Council, followed by a letter (linked
below) from the Commission to Member States. The letter betrays the
Commission's disregard for the Charter (which each Commissioner swore a
legally binding oath to support) by showing that it is not seeking to
demonstrate "necessity" - "without this information it will be difficult for
the Commission to adequately demonstrate that the Directive is useful". It
further lowered the level of evidence it was requesting by asking for
examples of where data retained under the Directive "played a determining
role", rather than asking for examples of where data that would not
otherwise have been retained played a determining role.
Having created this untenable situation, the Commission managed to dig
itself even deeper during the "Taking on the Data Retention Directive"
conference in December 2010. For reasons that are far from obvious,
Commissioner Malmstrvm made a speech arguing that "data retention is here to
stay", despite the fact that inadequate information had been received from
the Member States (who mostly ignored her personal plea at the July Council
meeting) and despite the fact that her services were still months away from
being able to provide a useable summary of the paltry information that was
provided by the Member States.
So, where are we now? The Home Affairs Directorate General (DG HOME) of the
European Commission submitted a draft evaluation report at the end of
February, resplendent in blank spaces where the Member State information
should have been put, for review by colleagues from the rest of the
Commission. These have now provided their feedback which, by all accounts,
did not lavish praise on the work done so far. When and how the DG HOME will
update the document based on this feedback is not yet clear - what is clear
is the disastrous position their prejudging of the outcome of this process
has created.
The Commission has simply no basis, on the weak evidence presented by the
Member States, to argue that the value added to law enforcement by the
Directive shows that it is "necessary" (and therefore legal). It therefore
cannot move forward with a revision of the Directive. For the same reason,
it cannot opt simply to do nothing. It also cannot refine the Directive by
learning from the experience of Member States, like Germany and Romania,
that have not implemented the Directive, for the simple reason that it did
not request any information from those countries. And, having pandered to
the wishes of certain large Member States by proclaiming that "data
retention is here to stay," even a tactical retreat seems politically
difficult, even if it is legally and practically the only reasonable step
left.
Perhaps the Commission should stop digging and start listening, learning
from the insightful words of a Swedish Liberal MEP on the day that the
Directive was adopted in the European Parliament. "This is a difficult issue
on which to adopt a position. Reflection is required, together with a solid
factual basis in relation to the privacy aspect, the technical consequences
and the actual costs for telecommunications operators and thus consumers."
Data retention Directive
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:00…
Letter from the Commission to Member States (27.06.2011)
http://www.edri.org/files/drd_letter.pdf
Czech Constitutional Court rejects Data Retention Law (31.03.2011)
http://www.edri.org/czech-decision-data-retention
EDRi-gram: Romanian Constitutional Court Decision against Data Retention
(2.12.2009)
http://www.edri.org/edrigram/number7.23/romania-decision-data-retention
EDRi-gram: German Federal Constitutional Court Rejects Data Retention Law
(10.03.2010)
http://www.edri.org/edrigram/number8.5/german-decision-data-retention-uncon…
Commissioner Malmstrvm's "data retention is here to stay" speech (3.12.2010)
http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/10/723
Explanations of vote in the Euopean Parliament on the Data Retention
Directive
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+CRE+200512…
(Contribution by Joe McNamee - EDRi)
============================================================
13. Recommended Action
============================================================
Public consultation on on-line gambling in the Single Market. The final
questions in the Green Paper asks about the value of, and options for,
blocking of gambling websites.
Deadline: 31 July 2011
http://ec.europa.eu/internal_market/services/gambling_en.htm
============================================================
14. Recommended Reading
============================================================
Paul de Hert / Rocco Bellanova: Transatlantic Cooperation on Travelers'
Data Processing: From Sorting Countries to Sorting Individuals
(Migration Policy Institute, 2011)
http://www.migrationpolicy.org/pubs/dataprocessing-2011.pdf
European Data Protection Commissioners insist on the need for a
comprehensive EU approach to data protection (6.04.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/…
EU survey: 72% of Europeans not informed about their fundamental rights
(18.03.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=EO/11/6&format=HTML…
============================================================
15. Agenda
============================================================
7-8 April 2011, Amsterdam, Netherlands
European Legal Network Conference "Free Software law for the next ten years"
http://fsfe.org/projects/ftf/legal-conference.en.html
13-15 April 2011, Berlin, Germany
Re:publica XI: Conference about blogs, social media and the digital society
http://re-publica.de/11/en/
5-6 May 2011, Milano, Italy
The European Thematic Network on Legal Aspects of Public Sector
Information - public conference
http://www.lapsi-project.eu/milan
17-18 May 2011, Berlin Germany
European Data Protection Reform & International Data Protection Compliance
http://www.edpd-conference.com
30-31 May 2011, Belgrade, Serbia
Pan-European dialogue on Internet governance (EuroDIG)
http://www.eurodig.org/
2-3 June 2011, Krakow, Poland
4th International Conference on Multimedia, Communication, Services and
Security organized by AGH in the scope of and under the auspices of INDECT
project
http://mcss2011.indect-project.eu/
12-15 June 2011, Bled, Slovenia
24th Bled eConference, eFuture: Creating Solutions for the Individual,
Organisations and Society
http://www.bledconference.org/index.php/eConference/2011
14-16 June 2011, Washington DC, USA
CFP 2011 - Computers, Freedom & Privacy
"The Future is Now"
http://www.cfp.org/2011/wiki/index.php/Main_Page
11-12 July 2011, Barcelona, Spain
7th International Conference on Internet, Law & Politics (IDP 2011): Net
Neutrality and other challenges for the future of the Internet
http://edcp.uoc.edu/symposia/lang/en/idp2011/?lang=en
============================================================
16. About
============================================================
EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 29 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRi-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and are visible on
the EDRi website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
1
0
[serval-project-dev] Re: We have store-and-forward SMS working on the mesh
by Paul Gardner-Stephen 06 Jul '18
by Paul Gardner-Stephen 06 Jul '18
06 Jul '18
Hello,
On Nov 22, 11:23 pm, Outback Dingo <outbackdi...(a)gmail.com> wrote:
> On Tue, Nov 22, 2011 at 8:00 AM, Paul Gardner-Stephen
>
> <p...(a)servalproject.org> wrote:
> > Seehttp://servalpaul.blogspot.com/2011/11/demonstrating-serval-rhizome-s...
> > for some details, video and cartoon to explain a little of how it
> > works. I am also working on a white paper that describes it in much
> > more detail.
>
> Sounds nice in theory, but what about message security....... if
> someone elses phone contains the message as a courier device
> could it not be intercepted and read by a devious user?
I am writing a paper at the moment that describes the solution in more
detail, but what we intend to do is use the public key in a Curve25519
auth-crypt cryptosystem that is a recipient's network address on a
Serval network to encrypt the message so that only the rightful
recipient can decrypt it.
Thus we are already planning to do what Breno suggested. Curve25519 is
a nice crypto system for this, because it is quite fast, which is good
for phones, and it is also very strong with relatively short keys (256
bits), offering something close to RSA2048 in terms of resistance to
known attacks. On the down side, it has not been out very long, so we
might get exposed by some future vulnerability.
If the public key is not known, a fallback that offers deterrent value
only is to use the recipient's phone number to generate a hash that is
used as the basis of the encryption for the message, so that you need
to know the phone number the message is addressed to to receive it.
This isn't amazing protection, but it is better than nothing if the
public key is not known ahead of time. We will warn users before
applying this fall-back scheme that there is basically no security.
Paul.
>
> > --
> > You received this message because you are subscribed to the Google Groups "village-telco-dev" group.
> > To post to this group, send email to village-telco-dev(a)googlegroups.com.
> > To unsubscribe from this group, send email to village-telco-dev+unsubscribe(a)googlegroups.com.
> > For more options, visit this group athttp://groups.google.com/group/village-telco-dev?hl=en.
--
You received this message because you are subscribed to the Google Groups "Serval Project Developers" group.
To post to this group, send email to serval-project-developers(a)googlegroups.com.
To unsubscribe from this group, send email to serval-project-developers+unsubscribe(a)googlegroups.com.
For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
1
0
My guess is that HMAC is not vulnerable. The basic structure of HMAC is
Hash (key1 || Hash(key2 || Msg))
The attacker does not know the key(s) and is allowed to request MACs
on chosen messages; then he must produce a valid MAC on a new message.
The initial paper from Wang eg al announcing the results is unusual in
that it merely exhibits the collisions, while providing no information
whatsoever about how they were obtained. They are simply presented as
a fait accompli, astonishing in their very existence. It reminds me
of the story of how Cole demonstrated that the 67th Mersenne number was
nonprime, by silently walking to the backboard and patiently working out
the value of 2^67 - 1, and then the product of its two factors, by hand.
The nature of the exhibited hash collisions is that they are values which
differ in only a very few bits: 6 bits out of 1024 for the MD5 collisions;
4 bits out of 512 for the MD4. Obviously it's not the case that for
most strings, you can toggle these 4 or 6 bits and produce a collision!
Instead, the authors must have some technique to create very special
strings which allow the changes made by these few bits to cancel each
other out.
If the attacker could find two messages such that there was an inner hash
collision, Hash(key2 || Msg1) == Hash(key2 || Msg2), he could break
HMAC. He'd get a MAC on Msg1 and then he could use that same MAC on Msg2.
But it seems impossible to find a collision like this without knowing
key2. These hash functions are highly nonlinear and the choice of Msg1
and Msg2 would be completely dependent on key2. Change 1 bit of key2
and half the bits of Msg1 and Msg2 would very probably have to change.
If the attacker knew key2, it sounds like the new attacks would likely
work to find an inner collision. But without knowing that, there would
be no way to choose Msg1 and Msg2.
Given the special form of the colliding values, it appears that the
new technique does not solve hash inversion, or finding collisions
with arbitrary bit differentials. The one possibility that I could
imagine for a threat to HMAC is their comment that the attack on MD4
(for which collisions were already known) is so easy that it can be done
by hand calculation. Maybe that would suggest that given the proper
differentials, a non-negligible fraction of randomly chosen values would
collide. Then conceivably you could get lucky and find a collision
without even knowing key2. But that seems like a very remote possibility.
Hal Finney
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo(a)metzdowd.com
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
1
0
[p2p-hackers] good-bye, Mnet, and good luck. I'm going commercial! plus my last design doc
by Zooko O'Whielacronx 06 Jul '18
by Zooko O'Whielacronx 06 Jul '18
06 Jul '18
contents of this message: "good-bye, Mnet", "The Fully Connected
Topology", "Rate-Limited Structured Flood", "A Nice Slow Network", "Did
you say 'BROADCAST SEARCH'?" "Persistent Tit-for-Tat == Bilateral
Accounting"
Dear mnet-devel and p2p-hackers:
I am about to accept an exciting job that will preclude me from
contributing to open source projects in the distributed file-system
space.
I will miss the Mnet project! Good luck without me!
I'm writing the following as a record of the most advanced design that
I have thought of for Mnet. (See Acknowledgements section below.)
Most or all of the design written below has previously been published
in different web pages, e-mail messages, and IRC transcripts, and a
brief presentation I made at Privacy Enhancing Technologies Workshop
2004.
The design described below is almost but not quite what is currently
implemented, by myself and others, in Mnet v0.7, available at [1].
*** Design of Mnet v0.7+:
I. Network connectivity -- the Fully Connected Topology
I.A. Local peer database. Each node remembers the nodeId of for each
node that it has ever heard of or received a message from. There is a
maximum number of nodeIds, in deference to memory and computation costs
(your local memory and your local computation). I don't know what that
maximum number should be. If you have more than the maximum number of
nodeIds in your database, you can flush some of the
least-recently-alive ones.
I.B. Exponential Backoff. With every peer in your db is stored a
"deadness level". When the deadness level is equal to 0, that means
that the most recent thing that happened is that you receive a message
from that peer -- whether it was a reponse to a request of yours or if
it were a request from him to you. We say that the peers with deadness
level 0 are "the live peers". If a peer has deadness level 1, then
that means that the most recent time that you sent a request to that
peer, he didn't write back. Now, whenever you want to choose from a
set of peers in order to send a request to one of them, the set you
choose from is all of the deadness level 0 peers, plus with 50%
probability all of the deadness level 1 peers, plus with 25%
probability all of the deadness level 2 peers, and so on. Deadness
level 2 means that the peer was in deadness level 1, and you chose to
query him (with 50% probability), and he didn't write back again.
I.C. Lookup of Peer Contact Info. When you want to find the current
contact info (i.e. current IP address+port number, or current Relay
Server) for a peer, you send a query to a certain number of other peers
(called "MetaTrackers" when they are serving this purpose) -- a "lookup
contact info" query. How many peers? Approximately log(N) where N is
the number of peers in your local peer database. Which peers? You use
the Chord distribution -- you query the peer closest to your target,
the one closest to the point halfway around the circle from your
target, the one closest to the point a quarter of the way around the
circle, and cetera.
Obviously, you need to publish your current contact info to *your*
MetaTrackers whenever you join the network or whenever your contact
info changes. Your MetaTrackers are the peer in your db which is
closest to you, the peer in your db which is closest to the point
halfway around the circle, etc.
I.D. Discovery of New Peers. Rate-Limited Structured Flood. Every 60
minutes, you send an update to each of your MetaTrackers. That update
contains the list of the peerIds of every new peer. A "new peer" for
this purpose is defined as follows: you've never before announced this
peer to MetaTrackers, and this peer currently has deadness level 0 in
your local db. If the complete (compressed) message containing the
information about the new peers would exceed 256 KB, then select a
random subset of the new peers to announce in this announcement so that
the message doesn't exceed 256 KB. This is a rate-limited structured
flood. The flooding nature of it means that eventually you will find
out about the arrival of every new peer. The structured nature of it
means that it will take only log(N) time intervals before you find out,
and you will receive only (;-)) log(N) separate notifications of the
arrival of a new peer. (And you will send log(N) separate
announcements of new peers -- one announcement to each of your
MetaTrackers.) The rate-limited nature of it means that if new peers
are arriving so fast that these notifications would take more than
log(N)*256 KB per hour bandwidth, that instead they take up only
log(N)*256 KB per hour and it takes longer for you to find out about
the arrival of every new peer.
I.E. Relay. You choose some peer which you can make a TCP connection
to and appoint it to be your RelayServer. How you choose it, and
dynamically update your choice, is complicated -- see the
implementation in RelayClient.py. Whenever someone wants to send a
message to you and they find it impossible to open a TCP connection to
you (which is all the time when you are behind a NAT or firewall that
prevents incoming TCP connections) then they send the message to your
RelayServer instead. See also [2, 3, 4].
II. Filesystem.
II.A. Encoding of a file. This is already described fully and
succinctly in [5]. Here is a capsule summary: 1. Erasure code the
file, 2. Encrypt the blocks, 3. Put the list of the Ids of the
encrypted blocks into a new file named the inode, 4. Encrypt the
inode, 5. The Id of the inode, combined with the secret key used for
encryption are the mnetURI of the file.
II.B. Push each block to the BlockServer which has an nodeId closest
to the blockId (in the Chord metric).
II.C. In order to download a file, given its mnetURI, you first have
to download the inode, and then you have to download a sufficient
number of the erasure coded blocks. For each block that you want to
download, you query the BlockServer whose Id is closest to that block's
Id. If he doesn't have it, then you ask the BlockServer whose Id is
the next-closest. Etc. If the file is not actually reconstructable at
all because there are not enough blocks present at all on the network,
then this search algorithm devolves to a broadcast search.
This concludes the basic description of the design of Mnet v0.7+.
There are other aspects of the design that are not included here,
including a metadata search facility invented by Myers Carpenter. In
addition, there are many specifics or added features in the core
network+filestore that are excluded from this description for brevity.
*** Discussion:
III. A Nice Slow Network. The deliberate pace of announcement of new
peers is a feature, not a bug. For starters it is convenient to
implement, because for various reasons it is easier to efficiently
manage 256 KB every hour than 72 bytes every second even though they
amount to the same bandwidth over the long term.
However, beyond it being convenient, it is also useful for
discriminating among our peers, because we don't want to start using
new peers until they've been around for a while anyway. Fresh peers
are more likely to disappear than older ones. In earlier versions of
this system, we heard about new peers more quickly, and then we had to
add logic to avoid using them until time had passed.
However, beyond it being convenient and useful, it is also desirable to
me, because I wanted Mnet to be more amenable to deliberate and
long-term use than to urgent and impulsive use. Brad Templeton argued
to me in the year 2002 that if a distributed filesystem were primarily
for acquiring novelty videos, pop songs, and porn, then instant
gratification would be important, but if it were primarily for
acquiring classic works of literature, political and historical
documents, or backup copies of your own data, then instant
gratification isn't so important. His argument made an impression on
me.
IV. Scalability Issues and other problems.
IV.A. Size of the local Peer DB. One limitation on scale is the size
of the local peer db. For a modernish desktop machine, the local peer
db could probably be on the order of 2^20 entries with no noticeable
problem. The limit could probably be made much higher by optimizing
the db. The current db is trivial -- it consists of a Python dict in
memory which gets serialized by Python pickle and then written to a
file every hour or so.
IV.A.i. In practice, almost all peers which fall into high deadness
levels will never revive. If you purge a peer from your local db and
then that peer does revive and reconnect to the network, and if he
sends you a request, then you will re-add him to your db just as if he
were a brand new peer. So if your local peer db is too big, you could
purge peers, starting with the most dead ones.
IV.B. Announcement of New Peers. Each newly arrived peer will be
announced to each current peer. If the rate of arrivals of new peers
is sufficiently small, then it will take log(N) time intervals for all
peers to learn about the new peer. My estimate is that "sufficiently
small" is about 2000 new peers per hour, with the current
implementation. It could doubled or quadrupled by better compression
of the announcement messages. If the rate of arrival of new peers
exceeds this, then the time before all peers have heard about the new
peer increases proportionally to the rate.
IV.C. Block store churn. There is currently no way for a block server
to indicate that its store of blocks is full and that it refuses to
accept new blocks being pushed into it, so you should give them to
someone else. Absent this "back pressure", the stores of nodes with
small storage capacity are likely to get flushed out by new
publications even while the stores of nodes with large capacity are
underutilized. This inefficient distribution reduces the half-life of
files by some unknown constant.
IV.D. Did you say "BROADCAST SEARCH"? Well, consider what would
happen if you stopped searching for a block after your first query.
Then we would similar likelihood of finding a block as in e.g. the
Chord File System, with minimal message complexity -- a single query.
The problem is that maybe the block isn't on that node but is on a
nearby node (either because that node joined the network after the
block was published, or because the publisher of the block wasn't yet
aware of that node when he published the block). This problem can be
solved in one of three ways:
1. When a new node arrives, it requests copies of all of the relevant
blocks from the node(s) that it shadows. This is a bad idea for this
system.
2. As nodes arrive and leave, they keep track of which other nodes
they shadow, then they forward requests which might be satisfied by
other nodes. Interesting possibility, but I couldn't figure out how to
do it in a way that wouldn't be very complicated and still end up
falling in the worst case to the third approach:
3. When a downloader doesn't find the desired block on the server
closest to the blockId, it chooses whether to broaden the search and
query other servers that are further from the blockId.
The interesting thing about 3 is that the decision about how broad to
make the search is made by the agent who has the most information about
its importance (such as whether other erasure coded blocks have been
found that can replace the missing block, or whether the user considers
downloading this file important enough to impose additional burden on
the network). This same agent that has the most information is also
the one that has the incentive to want the download to succeed, so it
is this agent who should choose whether or not to impose the additional
burden on the network of a broader search. See also section V --
"Persistent Tit-for-Tat == Bilateral Accounting".
V. Persistent Tit-for-Tat == Bilateral Accounting. Mnet v0.7+ lacks
something -- an incentive mechanism to limit excessive costs imposed on
the network and simultaneously to motivate users to contribute
resources to the network. I was always deeply impressed with the
simplicity and robustness of Bram Cohen's "Tit-for-tat" incentive
mechanism for BitTorrent. Suppose we wanted a similar "tit-for-tat"
mechanism for Mnet v0.7++, but we wanted the peer relationships to
extend through time and across multiple files and multiple user
operations. Then we would probably invent a bilateral accounting
scheme for each node to keep track of how much goodness each of its
peers has done for it, and to reward helpful peers. This would then
turn out to be more or less identical to the "bilateral accounting"
scheme that was originally invented by Jim McCoy and Doug Barnes in
Mojo Nation [footnote *].
*** Acknowledgements
I know that I am doomed before I start to accidentally exclude
important and deserving people from this section. Sorry. This is in
roughly chronological order of their earliest contributions to this
design, as far as I can remember.
Obviously this design owes a great debt to the original designers of
its direct ancestor Mojo Nation: Jim McCoy and Doug Barnes, as well as
to the Evil Geniuses -- especially Greg Smith, Bram Cohen, and Drue
Lowenstern. Also: Raph Levien, Sergei Osokine, the Freenet folks --
Ian Clarke, Oskar Sandberg, and Adam Langley among others -- Justin
Chapweske of Swarmcast, Brandon Wiley, Martin Peck, the Chord folks,
the Pastry folks, the CAN ("Content-Addressable Network") folks, the
OceanStore folks, The Mnet Hackers [7] -- Hauke Johannknecht, Jukka
Santala, Myers Carpenter, Oscar Haegar, Arno Waschk, Luke Nelson --
Mark S. Miller, Bram Cohen again (and Drue Lowenstern again) with
BitTorrent, the Kademlia folks, numerous contributors to the
p2p-hackers mailing list and the #p2p-hackers IRC channel. Like I said
-- sorry about those omissions.
[footnote *] Once upon a time there was digital cash, as pioneered by
David Chaum. When Jim McCoy and Doug Barnes invented Mojo Nation, they
used digital cash, and added bilateral accounting so that a pair of
peers wouldn't require a transaction with a central token server in
order to incentivize each other. The first three employees they hired
to implement Mojo Nation in 1999 were Greg Smith, Bram Cohen, and
myself. (Greg might have started in 1998 -- I'm not sure.) Several of
the ideas in BitTorrent -- which Bram started writing in 2001 -- can be
understood as radical simplifications of ideas in Mojo Nation. One
such perspective is to think of BitTorrent's tit-for-tat incentives as
being time-limited, file-specific, and non-transferrable bilateral
accounting. This is not condemnation of BitTorrent's ideas, but praise
of them -- they demonstrate the virtue of radical simplification.
[1] http://mnetproject.org/
[2] http://mnetproject.org/repos/mnet/doc/network_overview.html
[3] http://mnetproject.org/repos/mnet/doc/EGTPv1_Architecture.txt
[4] http://mnetproject.org/repos/mnet/doc/messages_overview.html
[5] http://mnetproject.org/repos/mnet/doc/new_filesystem.html
[6] http://mnetproject.org/repos/mnet/CREDITS
_______________________________________________
p2p-hackers mailing list
p2p-hackers(a)zgp.org
http://zgp.org/mailman/listinfo/p2p-hackers
_______________________________________________
Here is a web page listing P2P Conferences:
http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
[demime 1.01d removed an attachment of type application/pgp-signature]
1
0