cypherpunks-legacy
July 2018
http://www.technologyreview.com/Infotech/18796/
Technology Review - Published by MIT
Wednesday, May 30, 2007
Better Face-Recognition Software
Computers outperform humans at recognizing faces in recent tests.
By Mark Williams
For scientists and engineers involved with face-recognition
technology, the recently released results of the Face Recognition Grand
Challenge--more fully, the Face Recognition Vendor Test (FRVT) 2006 and
the Iris Challenge Evaluation (ICE) 2006--have been a quiet triumph.
Sponsored by the National Institute of Standards and Technology (NIST),
the match up of face-recognition algorithms showed that machine
recognition of human individuals has improved tenfold since 2002 and a
hundredfold since 1995. Indeed, the best face-recognition algorithms now
perform more accurately than most humans can manage. Overall,
facial-recognition technology is advancing rapidly.
Jonathon Phillips, program manager for the NIST tests and lead author of
the agency's report, says that the intended goal of the Face Recognition
Grand Challenge was always an order-of-magnitude improvement in
recognition performance over the results from 2002. Phillips believes
that the necessary decrease in error rate to achieve that goal was due
in large measure to the development of high-resolution still-images and
3-D face-recognition algorithms. "For the FRVT 2006 and the ICE 2006,
sets of high-resolution face images, 3-D face scans, and iris images
were collected of the same people," Phillips says. "The FRVT 2006 for
the first time measured the performance of six 3-D algorithms on a set
of 3-D face scans. The ICE 2006 measured the performance of ten
algorithms on a set of iris images. 3-D face recognition has come into
its own in the last few years because 3-D sensors for face recognition
have become available only recently. What 3-D face recognition
contributes is that it directly captures information about the shapes of
faces."
Among other advantages, 3-D facial recognition identifies individuals by
exploiting distinctive features of a human face's surface--for instance,
the curves of the eye sockets, nose, and chin, which are where tissue
and bone are most apparent and which don't change over time.
Furthermore, Phillips says, "changes in illumination have adversely
affected face-recognition performance from still images. But the shape
of a face isn't affected by changes in illumination." Hence, 3-D face
recognition might even be used in near-dark conditions.
According to Ralph Gross, a researcher at the Carnegie Mellon Robotics
Institute, in Pittsburgh, 3-D facial recognition can also recognize
subjects at different view angles up to 90 degrees--in other words,
faces in profile. "Face recognition has been getting pretty good at full
frontal faces and 20 degrees off, but as soon as you go towards profile,
there've been problems." Gross says that the explanation for
face-recognition software's difficulties with profiles may be no more
complicated than the fact that no one was focusing on the problem. The
main applications of face recognition have been in contexts like ID
cards and face scanners, for which the aim has been recognition of the
full frontal faces of cooperative subjects under controlled lighting.
High-resolution still images have been another factor in the improvement
of face-recognition technology, in part because highly detailed
skin-texture analysis has also become possible. With such analysis, any
patch of skin--called a skin print--can be captured as an image, then
broken up into smaller blocks that algorithms turn into mathematical,
measurable spaces in which lines, pores, and the actual skin texture are
recorded. "It can identify differences between identical twins, which
isn't yet possible using facial-recognition software alone," Gross
explains. "By combining facial recognition with surface-texture
analysis, accurate identification can increase by 20 to 25 percent."
What about the FRVT report's claim that some face-recognition algorithms
equal or exceed humans' recognition capabilities? Phillips explains:
"Humans are very good at recognizing faces of familiar people. However,
they aren't so good at recognizing unfamiliar people." Since many
proposed face-recognition systems would complement or replace humans,
the FRVT's comparative tests of the face-recognition capabilities of
humans and software--the first such testing--were important for
measuring the potential effectiveness of applications. Phillips says
that at low false accept rates (a false accept rate is the measure of
the likelihood that a biometric security system will incorrectly accept
an access attempt by an unauthorized individual), six out of seven
automatic face-recognition algorithms were comparable to or better than
human recognition. These were algorithms from Neven Vision, Viisage,
Cognitec, Identix, Samsung Advanced Institute for Technology, and
Tsinghua University. Unfortunately, Phillips adds, "because the majority
of FRVT 2006 participants haven't disclosed the details of their
methods, it's not possible yet to assess what's distinctive about these
algorithms."
How does the commercial payoff for face recognition look? Quite
promising, because dozens of companies aim to cash in on face
recognition's potential as a biometric for credentialing and
verification purposes. For the FRVT, venerable corporations like Toshiba
and Samsung competed alongside companies like Neven Vision--just
acquired by Google--and Viisage and Identix (which have just merged into
L1 Identity Solutions), as well as alongside researchers from
universities as diverse as Beijing, Cambridge, and Carnegie Mellon. What
applications does a company like Google foresee for the technology
developed by its recent acquisition, Neven Vision? According to a Google
PR person, "We believe it offers promising integration possibilities
with Google's services, such as Picasa and Picasa Web Albums,
particularly in terms of helping users organize and search their own
photos."
At Carnegie Mellon, Ralph Gross says that among other efforts, he and
his colleagues have been "involved with local DMVs in order to scan
images for driver's licenses. I've gotten reports from the state level
to say that, using face-recognition technology, they caught quite a
number of people who applied for licenses in either different states or
in the same state under a different name because their previous license
got suspended." It's a growing trend. States using such technology
include Massachusetts, Illinois, West Virginia, Wisconsin, Colorado,
North and Southern Carolina, Oklahoma, North Dakota, Arkansas, and
Mississippi. Nevertheless, Gross stresses, applying face-recognition
technology to ID photos is a long way from having the capability that
would let law enforcement search a city's webcam networks for specific
individuals. "With driver's license photos, you have a controlled
background, an operator telling you exactly how to position your face;
the images are collected under comparable conditions. It's much more
restricted than the random-face-in-the-crowd problem, where you're
sticking a camera on a building."
Still, Gross says, "you can already see the path building." Until
recently, the video-surveillance industry still mostly relied on analog
cameras, requiring cable to be set up for long distances to connect
those cameras to monitoring equipment. Now, "the industry is switching
to IP-based cameras, with which you can pretty easily tap into already
existing Ethernet networks," Gross says. "So you have wireless cameras
and cameras using POE [Power over Ethernet technology allows IP
telephones, wireless LAN Access Points, and other appliances to receive
power as well as data over existing LAN cabling] where you don't need a
separate power plug. You can buy commercial solutions that are
essentially a TiVo for these cameras, with motion sensors built in so
they only record when there's motion happening. With digital storage,
you can keep the data indefinitely and enhance it in ways that you can't
with analog images. So all these things are coming together."
In principle, therefore, as face-recognition software continues its
rapid advance, it will likely be possible to search for specific faces
across a network of webcams. Accordingly, Gross's recent work at
Carnegie Mellon, in conjunction with colleagues at the Data Privacy Lab
there, has been the development of algorithms to protect individuals'
privacy while under video surveillance. The usual methods that thwart
human recognition of an individual's features on video--for example,
those pixelated fields sometimes covering faces and body parts on
reality-TV shows--already won't fool much face-recognition software.
Completely blacking out each face in a video clip would do the job, but
this would be of limited use if law-enforcement agencies wanted to
follow up evidence of suspicious behavior once they had a court warrant.
The function of the privacy-preserving algorithms that Gross is helping
to create, he explains, is to automatically take the average values of
individuals' faces and, from those, synthesize new facial images, then
superimpose those new images over the originals. "It may seem like the
opposite technology," Gross says, "but actually, it's just the other
side of face recognition."
Copyright Technology Review 2007.
_______________________________________________
tt mailing list
tt(a)postbiota.org
http://postbiota.org/mailman/listinfo/tt
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
(SEMAS-2001)
Date: Fri, 2 Feb 2001 20:04:09 -0800
Sender: bounce-dcsb(a)reservoir.com
Reply-To: "Frank Sudia" <fsudia(a)home.com>
[Other branches of computer science discovering security.]
----- Original Message -----
From: "Dieter Hutter" <hutter(a)dfki.de>
To: <undisclosed-recipients:;>
Sent: Thursday, February 01, 2001 11:30 PM
Subject: CfP - Workshop on Security of Mobile Multiagent Systems
(SEMAS-2001)
This message was sent to several mailing lists.
We apologise if you receive multiple copies of it.
CALL FOR PAPERS
First International Workshop on
SECURITY OF MOBILE MULTIAGENT SYSTEMS (SEMAS-2001)
To be held at the
Fifth International Conference on Autonomous Agents (Agents 2001)
Montreal, Canada
May 29th 2001
http://www.dfki.de/~kuf/semas/
The far reaching influence of the Internet has resulted in an
increased interest in agent technologies, which are poised to play a
key role in the implementation of successful Internet and WWW-based
applications in the future. While there is still considerable hype
concerning agent technologies, there is also an increasing awareness
of the problems involved. In particular, that these applications will
not be successful unless security issues can be adequately
handled. Although there is a large body of work on cryptographic
techniques that provide basic building-blocks to solve specific
security problems, relatively little work has been done in
investigating security in the multiagent system context. The
introduction of mobile software agents significantly increases the
risks involved in Internet and WWW-based applications. For example,
if we allow agents to enter our hosts or private networks, we must
offer the agents a platform so that they can execute correctly but at
the same time ensure that they will not have deleterious effects on
our hosts or any other agents / processes in our network. If we send
out mobile agents, we should also be able to provide guarantees about
specific aspects of their behaviour, i.e., we are not only interested
in whether the agents carry-out their intended task correctly. They
must defend themselves against attacks initiated by other agents, and
survive in potentially malicious environments.
Agent technology can also be used to support network security. For
example in the context of intrusion detection, intelligent guardian
agents may be used to implement active protection strategies on a
firewall or intelligent monitoring agents can be used to analyse the
behaviour of agents migrating through a network. Part of the
inspiration for such multi-agent systems comes from primitive animal
behaviour, such as that of guardian ants protecting their hill or from
biological immune systems.
Topics of Interest
------------------
We welcome the submission of papers from the full spectrum of issues
associated with security in mobile multiagent systems, both in the
public Internet and in private networks. We particularly encourage
the discussion of the following topics:
- security policies for agent environments
- security mechanisms that can be implemented by using
  (mobile) multiple agents
- reasoning about security in an agent architecture
- security for agents (against other agents, malicious hosts, and
  software failures)
- security for agent hosts (against agent attacks and agent
  deficiency)
- security through agents (for any form of malfunctioning in the
  network)
- application of security mechanism in a (mobile) multiagent context
- integration of traditional security mechanisms to the agent realm
- design methodologies for secure (mobile) multiagent systems
The workshop aims at bringing together people from the two relevant
research fields, information security and agent-oriented programming.
Consequently we would like to encourage discussion papers, conceptual
papers, system papers, and application papers. It is planned to
publish the workshop papers with a scientific publisher after the
workshop.
Submission Details
------------------
To participate in the workshop you should submit an original research
paper of up to 5000 words (approximately 8 pages maximum) or a
position paper (up to 2000 words, approximately 3 pages) to the
workshop chair, to arrive no later than 19 March 2001. It is planned
to structure the workshops into invited talks, technical presentations
and panel discussions. The technical presentations will be selected
from the research papers. Formatting instructions can be found at
http://www.acm.org/sigs/pubs/proceed/template.html and should be
strictly followed. The first page should include the full name and
contact details of at least one author (email and full postal
address). Electronic submissions are mandatory. Acceptable formats
are PDF and PostScript.
Important Dates:
----------------
Submissions due Monday 19th March 2001
Notifications sent Friday 30th March 2001
Camera ready version due Monday 16th April 2001
Workshop Tuesday 29th May 2001
Organisation:
-------------
Klaus Fischer and Dieter Hutter, DFKI Saarbrücken, Germany
Program Committee:
------------------
Sahin Albayrak, TU Berlin, Germany
David Basin, University of Freiburg, Germany
Ciaran Bryce, University of Geneve, Switzerland
Hans-Jürgen Bürckert, DFKI GmbH Saarbrücken, Germany
Günter Karjoth, IBM Research Zürich, Switzerland
Luc Moreau, University of Southampton, UK
Volker Roth, Fraunhofer IGD, Germany
Helmut Schwigon, BSI Bonn, Germany
Vipin Swarup, The MITRE Corp, USA
Christian Tschudin, Uppsala University, Sweden
Jan Vitek, Purdue University, USA
Contact Person:
---------------
Dr. Klaus Fischer
DFKI GmbH
Stuhlsatzenhausweg 3
D-66123 Saarbrücken
Germany
Tel/Fax +49 681 302-3917/-2235
Email: Klaus.Fischer(a)dfki.de
URL: http://www.dfki.de/~kuf/
__________________________________________________________________________
To be removed from this list, send a message with "unsubscribe info-hol"
as its sole content to majordomo(a)lal.cs.byu.edu
For more information see http://lal.cs.byu.edu/lal/hol-documentation.html
For help on using this list (especially unsubscribing), send a message to
"dcsb-request(a)reservoir.com" with one line of text: "help".
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Hello Prof. Faber,
As always, I appreciate your useful list.
Without diminishing whatsoever the probable reality of a determined
threat,
it is worthwhile, I think to note the following sequence, which suggests
whilst applauding the efforts of the police in the UK, the attached
political agenda is also worthy of tracking:
August 9, 2006
Britain facing a new breed of fascist, warns Reid
http://www.timesonline.co.uk/article/0,,2-2305628.html
The British Home Secretary makes a speech on Aug 9 saying '"Sometimes
we may have to modify some of our own freedoms in the short term, in
order to prevent their misuse and abuse by those who oppose our
fundamental values and would destroy all of our freedoms in the long
term." ... He argued that Britain's security apparatus was created
during the Cold War in response to the threat from fascism, but that
the threat was now from "fascist individuals".'
August 10, 2006
Airport chaos after police foil plot to blow up aircraft
http://www.timesonline.co.uk/article/0,,2-2306721,00.html
On Aug 10 (Bush is informed by Blair in the evening of Aug 9), the
Home Secretary says 'a major terrorist plot to allegedly blow up
aircraft in mid-flight has been thwarted. In a pre-recorded statement,
broadcast early this morning, Mr. Reid said that police believed the
alleged plot was "very significant indeed". He said: "Overnight the
police, with the full knowledge of ministers, have carried out a major
counter-terrorism operation to disrupt what we believe to be a major
threat to the UK and international partners. ... At 2am this morning
the Joint Terrorism Analysis Centre raised the UK threat state to its
highest level - critical. .. But as far as is possible we want people
to go about their business as normal."
This forms part of an ongoing political battle:
August 1, 2006
New blow to Reid as he loses control order appeal
http://www.timesonline.co.uk/article/0,,200-2294110.html
"The Court of Appeal today delivered a further blow to the
Government's controversial policy of placing terror suspects under
house arrest using control orders. Three senior judges rejected a
challenge by John Reid, the Home Secretary, against an earlier High
Court ruling that the orders contravened the Human Rights Act. In a
move which marks the latest clash between ministers and judges over
civil rights, Mr. Reid responded furiously to the judgment and vowed to
petition the House of Lords to get it overturned, claiming that
control orders made up an "essential" part in the War on Terror. ...
Dismissing the Home Secretary's appeal, the panel, headed by the Lord
Chief Justice, Lord Phillips, said: "We agree that the facts of this
case fall clearly on the wrong side of the dividing line. The orders
amounted to a deprivation of liberty contrary to Article 5."
Why the need to "modify some of our own freedoms"?
Or am I getting paranoid?
Peter Morgan
peter(a)riversystems.com
>-----Original Message-----
>From: David Farber [mailto:dave@farber.net]
>Sent: August 10, 2006 2:02 PM
>To: ip(a)v2.listbox.com
>Subject: [IP] more on news from the UK
>
>
>
>Begin forwarded message:
>
>From: Twister <twister(a)stop1984.com> (Bettina Winsemann)
>Date: August 10, 2006 9:02:58 AM EDT
>To: dave(a)farber.net
>Subject: Re: [IP] news from the UK
>
>Hi, Dave
>
>regarding the planned attack.
>...
>
>>One feature, if you read the articles, that might be of interest to
>>IP.
>>In the UK, they've banned people from taking electronic equipment on
>>planes: that means laptop computers, mobile phones, and iPods among
>>other items. See for instance:
>>
>> www.nytimes.com/aponline/us/AP-US-Terror-Plot-Glance.html
>>
>>I have no idea what the security basis is for this decision.
>
>The plan was to bomb the planes via liquid explosives which
>is the reason to forbid taking liquid with you into the
>plane. Mother's milk has to be tested by the mother to be
>taken within the plane. The security fears that any mobile
>etc. could contain a detonator or used as one.
>
>
>-------------------------------------
>You are subscribed as lists(a)riversystems.com To manage your
>subscription, go to
> http://v2.listbox.com/member/?listname=ip
>
>Archives at:
>http://www.interesting-people.org/archives/interesting-people/
>
>
-------------------------------------
You are subscribed as eugen(a)leitl.org
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
human recognition of an individual's features on video--for example,
those pixelated fields sometimes covering faces and body parts on
reality-TV shows--already won't fool much face-recognition software.
Completely blacking out each face in a video clip would do the job, but
this would be of limited use if law-enforcement agencies wanted to
follow up evidence of suspicious behavior once they had a court warrant.
The function of the privacy-preserving algorithms that Gross is helping
to create, he explains, is to automatically take the average values of
individuals' faces and, from those, synthesize new facial images, then
superimpose those new images over the originals. "It may seem like the
opposite technology," Gross says, "but actually, it's just the other
side of face recognition."
Copyright Technology Review 2007.
_______________________________________________
tt mailing list
tt(a)postbiota.org
http://postbiota.org/mailman/listinfo/tt
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 7.2, 28 January 2009
Special issue - Data protection day
============================================================
Contents
============================================================
Data Protection Day
1. EU proposal puts confidential communications data at risk
2. Privacy and data protection in the Netherlands in 2008
3. Data protection in Italy: Loudly more of the same
4. Romania: Is really privacy a topic in the public debate?
5. UK: Phorm threat
6. Macedonia: Privacy Developments in 2008
7. Austria: Some EU data protection policy developments in 2008
8. France: Who have they forgotten to control today?
9. Germany: A new fundamental right, a privacy mass movement + surveillance
10. Some EU data protection policy developments in 2008
11. Towards International Data Protection Standards
12. Recommended Action
13. Recommended Reading
14. Agenda
15. About
============================================================
Data Protection Day
============================================================
28 January is the European Data Protection Day. For the third time, in 2009,
this date marks the anniversary of the Council of Europe's Convention 108,
the first legally binding international instrument related to data
protection.
This issue of the EDRi-gram is dedicated to the European Data Protection Day
and marks the privacy developments in some European countries in the
past year, as reported by EDRi members. It also includes a warning from
major civil society groups and the EDPS on the adoption of the "voluntary
data retention" in the telecom package.
European data protection day activities - 28.01.2009
http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/Def…
============================================================
1. EU proposal puts confidential communications data at risk
============================================================
Civil liberties groups La Quadrature du Net, European Digital Rights (EDRi),
AK Vorrat, and Netzpolitik.org are urging the European Parliament to heed
advice given by the European Data Protection Supervisor Peter Hustinx and
scrap plans dubbed "voluntary data retention".
"A proposal currently discussed in the European Parliament as part of the
'telecom package' would allow providers to collect a potentially unlimited
amount of sensitive, confidential communications data including our
telephone and e-mail contacts, the geographic position of our mobile phones
and the websites we visit on the Internet", warns Patrick Breyer of German
privacy watchdog AK Vorrat. "Apart from the creation of vast data pools that
could go far beyond what is being collected under the directive on data
retention, the proposal would also permit the passing on of traffic data to
other companies for 'security purposes'. We must not let a potentially
unlimited amount of confidential data be exposed to risks of disclosure or
abuse in this way", he also said.
"This proposal is lobbied for under the guise of 'security', but what it
really means is that users and citizens would have no expectation of privacy
on the Internet anymore," adds Ralf Bendrath from EDRi. "This is a clear
breach of the European tradition of considering privacy a fundamental human
right."
In a paper published earlier this month, European Data Protection Supervisor
Peter Hustinx joined the critics, warning the proposal would constitute a
"risk of abuse" and "may be interpreted as enabling the collection and
processing of traffic data for security purposes for an unspecified period
of time." Hustinx reached "the conclusion that the best outcome would be for
the proposed Article 6.6(a) to be deleted altogether" - a view firmly shared
by La Quadrature du Net, EDRi, netzpolitik.org and AK Vorrat.
"A few months before the elections, citizens will have the opportunity to
see if the Members of European Parliament are willing to protect their
privacy", declares Jérémie Zimmermann, co-founder of the citizen's
initiative La Quadrature du Net. "Every citizen should inform their MEPs and
ask them to massively reject this article 6 (6a) of the ePrivacy directive.
Other crucial issues about content and network neutrality are at stake as
well. We must remind MEPs that they were elected to protect Europeans'
fundamental rights and freedom rather than abolishing them in favour of
particular interests."
In a letter of September last year, 11 German civil liberties, journalists,
lawyers and consumer protection organisations "urgently" asked the
Commission, the Council and Parliament to scrap the proposed article 6 (6a)
and "maintain the successful regulation of traffic data" which they say has
"proven to constitute the best guarantee for our safety in information
society."
Second opinion of the European Data Protection Supervisor on the review of
Directive 2002/58/EC concerning the processing of personal data and the
protection of privacy in the electronic communications sector (Directive on
privacy and electronic communications) (9.01.2009)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consu…
Open letter to MEP rapporteurs (8.12.2008)
http://www.laquadrature.net/files/20081208_LaQuadrature_letter-rapporteurs-…
Resistance against watering down of traffic data protection (29.10.08)
http://www.vorratsdatenspeicherung.de/content/view/271/79/lang,en/
Position on the processing of traffic data for "security purposes"
(27.01.2009)
http://www.vorratsdatenspeicherung.de/images/wg_esecurity_position.pdf
============================================================
2. Privacy and data protection in the Netherlands in 2008
============================================================
The year 2008 did not improve the course of privacy and data protection in
the Netherlands. The public debate focused on data collection systems
related to fundamental aspects of Dutch citizens' lives, such as
communications, health and movement. Unfortunately, there are no signs that
concerns or incidental public outcry over privacy will lead to significant
improvements to the design of the systems or reconsideration of their goals,
merit and impact on society.
After years of negotiations, the Dutch Data Protection Authority (DPA)
approved the data protection guarantees in the smart card system for the
public transport sector. Besides other major implementation problems, the
smart card system introduces a major privacy concern due to the planned
registration of all travel movements of users of the Dutch public transport
system in a central database. At the end of 2008, the DPA approved the
system after receiving guarantees that only derived data would be used for
marketing purposes with an opt-out and that for any processing of personal
travel movements opt-in will be sought. As there are no hard guarantees
that all personal travel data will be deleted or that the system will not
make it possible to access travel movements in identifiable form, many have
expressed their disappointment with the approval. Another transport related
privacy problem that re-entered the public debate in 2008 was the planned
system for road charging. The current design for the system entails the
collection of details about personal travel movements.
The Dutch Parliament considered the data retention implementation law in the
first half of 2008. In this context, a group of prominent academics voiced
their concern that Dutch society is turning into a control society and a
police state. After the Parliament adopted the law, lowering the data
retention term from 18 to 12 months, the Senate has been critically looking
at the proposal ever since. The Senate also has another law under
consideration that would streamline access for the national security agency
to datasets in the public, communications, transport and financial sector.
Probably the most prominent discussion about privacy took place in the
health sector. The Electronic Patient File (EPD), a centralized system for
the collection and exchange of medical data for use by medical
professionals, caused widespread privacy concerns and generated 170 000
objections. Like the public transport smart card, the EPD has major
implementation problems and has recently been postponed. A similar national
dossier system for children, proposed to improve child care by building an
extensive digital dossier of each young individual, is still on the
political agenda. The broadly defined dataset, including medical data,
psychosocial data and subjective opinions about children and their parents,
will be updated for all children until they reach the age of nineteen, after
which it will be kept for another 15 years.
Finally, a government commissioned report on the balance between privacy and
security in the public sector was published. The report, titled "Do it
simply, Simply do it", concludes that government and public agencies should
be pragmatic, but do much more to protect privacy and deal with the possible
tension between privacy and security while doing their work. The report
gives a number of recommendations and a reference framework for dealing with
privacy and security issues. It advises to "keep it simple, facilitate and
ensure that security and privacy are mutually reinforcing as far as
possible." The report has been widely interpreted in the media as a call to
stop addressing fundamental questions related to the widespread processing
of personal data in the public sector.
EDRi-gram: Dutch Parliament lowers data retention term to 12 months
(4.06.2008)
http://www.edri.org/edrigram/number6.11/nl-data-retention-12-months
Report, 'DO IT SIMPLY - SIMPLY DO IT, to protect security and privacy', (in
Dutch, Bijlage 4 = English Summary, 22.01.2009)
http://www.minbzk.nl/aspx/download.aspx?file=/contents/pages/96602/rapportg…
OV-Chipkaart roll-out creeps forward (16.01.2009)
http://www.railwaygazette.com/news_view/article/2009/01/9219/ov_chipkaart_r…
(Contribution by Joris van Hoboken)
============================================================
3. Data protection in Italy: Loudly more of the same
============================================================
I am sorry to say that I am skeptical about "days" dedicated to this or that
cause or problem. They are often ignored, sometimes briefly celebrated,
rarely leave any relevant trace over time. There are so many that we shall
soon have one a week - and it won't be more relevant than brunch on Sunday.
On the loud and confusing current debate in Italy about data protection, the
situation could be summarised in four words. More of the same. There has
been a lot of wiretapping (sometimes real, sometimes imaginary or
overstated) for over sixty years (actually also long before that, but it's
reasonable to start from when Italy returned to democracy and freedom after
World War Two). And of course it extended to electronic
networks since the very beginning. It's a notorious, though rarely
published, fact that there were legitimate police forces, as well as
"undercover" spies by secret services or private interests, including
scamsters and organised crime, lurking since the days when networking was
based on BBSs or newsgroups and the extended use of the internet was not yet
developed.
Privacy and data protection were practically ignored until a poorly
conceived law was instated in 1996, creating a bureaucratic body called
"Ufficio del Garante" that was supposed to be an "ombudsman" but, de facto,
has rarely done anything in that role, being much more concerned with
complicated and inefficient formalistic ruling and with occasional attention
to the specific cases of politicians or "famous people" being
embarrassed in their "privacy" or spied on in legal or illegal ways.
The currently loud debate is more confusing than it is meaningful. While
everybody is saying that it's about the rights of citizens, the truth is
that it relates to the conflicting interests of politicians and mass media.
There have been, over the years, many episodes (and discussions) about
intercepting private telephone conversations, or online communication -
sometimes legally, sometimes not - including some invasive spying done
secretly by individuals or departments in telecoms - in addition to ISPs
being forced by authorities or police to spy on their customers. Another
source of aggressive debate is the "leaking" to the press of recorded
conversations, including private dialogues unrelated to any criminal
investigation.
At this stage, it's hard to understand what is actually happening and what
may happen in the next few days or weeks - or maybe never. Italy's Prime
Minister has publicly announced that he will make "shattering revelations",
but we don't know if and when he, or some government spokesman, will
actually do so - and what the "scandal" might imply. There is threatening
talk about new legislation, but so far no indication of what, when and how.
Also the issue of data retention is discussed in contradictory and confusing
statements, some proclaiming the need to extend it in size and time and some
saying the opposite (more for the cost and organisation problems of
generating and maintaining vast databases than for the protection of
citizens' privacy).
Is this just more inconclusive noise, as has happened many times, or will it
lead to some action on a national scale or (as has been suggested) as
recommendations to the European Union and/or on a wider international scale,
maybe including the G8 meeting to be hosted in Italy in July 2009?
Quite simply, we don't know. And, as far as we can tell, nobody (so far) has
a clear idea of what those rulings or suggestions might imply. There may be
some news in the next few days, or it could take much longer, or it could
vanish (if only for a while) from the political and media scene as other
priorities prevail. Right now, we can only wait and see.
EDRi-gram: ENDitorial- Seizures and other abuses - from bad to worse
(22.10.2008)
http://www.edri.org/edri-gram/number6.20/seizures-and-other-abuses
ALCEI - Data Retention
http://www.alcei.org/?cat=4
Data retention - not only a privacy issue - Civil rights and ambiguity of
crime "prevention" (24.01.2004)
http://gandalf.it/free/datret.htm
Internet freedom, privacy and culture in Italy (and the activity of NGOs)
(02.2000)
http://gandalf.it/free/ifp.htm
(contribution by Giancarlo Livraghi - EDRi-member ALCEI - Italy)
============================================================
4. Romania: Is really privacy a topic in the public debate?
============================================================
Privacy is a sporadic keyword in the Romanian mass-media. And even less used
in public speech. Becoming an ideal motivation only when talking about some
local stars' private life and their juicy intricacies, the real debate on
the most important issues is completely lacking. The Human Rights Committees in
the Parliament seem unfamiliar with the topic and the Data Protection
Authority prefers to keep its quiet status. What to discuss anyway?
A law on the Police DNA database was approved by the Parliament in 2008.
The subject did not seem to be appealing for any public debate and the
Chamber of Deputies Human Rights Committee did not see even a minor problem
with that version, so they adopted it unanimously with no amendments. No
reference or report from the data protection authority was considered
useful, but a "simple reference" to law 677/2001 was indicated. The deletion
of the stored data is possible only by decision of the court or prosecutors
that are investigating the case. Therefore, if they forget about that, you
need to start your own case on this. The law foresees a number of 30 crimes
for which collecting DNA is possible.
The April Eurobarometer that investigated perceptions on data protection
among EU citizens shows that 79% of the Romanians have no idea that there is
a law in the field of personal data. I might add to that: if the other 21%
were asked to name it, probably at least 19% would have found that they were
wrong.
The same study reveals that Romania is number one in EU countries with the
percentage of the people (47%) not knowing that there are laws allowing
you to have access to your personal data kept by others. Not surprising with
a Data Protection Authority which is understaffed and has insignificant
powers or will to be an active voice in the public sphere.
But let's be more positive. How can you not be happy when you might find,
after you finish your master courses at the prestigious Academy of Economic
Sciences (ASE) in Bucharest, that you have an account at a Romanian Bank
without signing any act or being informed about it. Isn't it funny to get a
bank statement home from a bank account you had no idea about? The bad part
is that there is no money in it, only the traditional bank commission. The
Representative of ASE must be right: the students are to blame, because they
did not check the ASE web page.
And let's be smart. We may find already a few websites presenting now real
databases of Personal Numerical Code (CNP) or just simulated CNP that seem
real. CNP is a piece of 13-figure data on everyone's ID, which should be the
"master identifier". One of the reasons for these databases is that some
telecom operators are asking for the CNP data to activate some extra-options
on the pre-paid cards. Should we care?
The Romanian Government decided to start issuing biometric passports
starting with 1 January 2009, after postponing it a couple of times.
Although most of the public comments against the law involved arguments
related to the "corporate conspiracy", "devil's hand" or "666 dangerous
number", a court case has been initiated by a lawyer in order to stop its
application on privacy grounds. It remains to be seen what the judge will
decide.
The data retention law was approved by the Parliament, even though all the
major key-actors involved in the discussion have agreed that it is useless
and it will not work. But they have supported it, because Romania can't make
a stand in front of the EU. Not yet, at least. Funny enough, the law
includes the first crime related to the misuse of personal data (the
intentional access to the data without a proper authorization is a crime
punished with prison from 6 months to 2 years.)
Even funnier, after the draft law has received almost no comments and little
interest from the media and general public, the day it entered into force
someone discovered it in the Official Journal and a public outcry started
with tons of newspaper articles on the new law, stating that the law "will
keep all the content of communications, including phone calls, SMSs and
emails."
Politicians started to appear on TV claiming privacy breach, when only 3
months before they raised their hands to support the same law. Another
brave action - an online petition - gathered a lot of signatures claiming
that the Romanian Government will create an "archive of all emails sent
by Romanians." All this when the new law says - in black and white - that
the content is not kept. But saying that, you are already a protector of the
government intrusion into the private life.
So, I am wrong - privacy is in the public debate. With the totally wrong
subject and no legal arguments, but it is somewhere there. Shouldn't we be
happy?
EDRi-gram: Romanian Govt adopts Data retention law, but calls it inefficient
(27.02.2008)
http://www.edri.org/edrigram/number6.4/romania-data-retention
EDRi-gram: Eurobarometers on data protection in EU (23.04.2008)
http://www.edri.org/edrigram/number6.8/eurobarometer-data-protection
Over 300 master students from ASE accuse the institution of opening bank
accounts without their knowledge (only in Romanian, 24.04.2008)
http://economie.hotnews.ro/stiri-finante_banci-2866018-peste-300-fosti-mast…
Law 76/2008 - Police DNA Database (only in Romanian)
http://www.cdep.ro/proiecte/2008/000/10/8/leg_pl018_08.pdf
Some things about biometric passports (only in Romanian, 27.01.2009)
http://legi-internet.ro/blogs/index.php/2009/01/27/citeva-chestii-pasapoart…
(contribution by Bogdan Manolea, EDRi-member APTI - Romania)
============================================================
5. UK: Phorm threat
============================================================
One particular commercial threat to internet privacy should be looked at
very closely by our fellow European Digital Rights campaigners.
That threat is Phorm: an invasive and probably illegal web advertising
technology that could soon be coming to you.
Phorm works by looking at the web traffic between you (an ISP client) and
the sites you visit. Phorm examines the content of the web pages you visit,
and logs keyword information derived from it. Phorm can then deliver adverts
to you based on keyword information.
For instance, if you visit car related sites, and make searches for new car
models, you would start seeing car adverts when you visit Phorm's partner's
websites.
UK EDRi-member Open Rights Group (ORG) was alerted last March to the serious
privacy concerns Phorm poses, and has been working hard to establish what is
really being advocated.
We believe the technology is fundamentally invasive and illegal. Permission
to examine data moving from website visitor and owner must be approved in
advance by both parties. Not obtaining permission from both parties is
illegal.
Yet UK ISPs such as BT and Virgin are not seeking to gain permission from
website owners.
Seeing web traffic as belonging to sender and receiver is the right way to
view privacy on the net. The data on websites belongs to many people, and
the data exchanged and the relationship between a client and a website owner
should remain private.
Despite these obvious privacy and legal worries, Phorm could soon be on the
agenda in your country too.
ISPs are interested because it gives them the potential to dominate the
internet advertising sector.
Many 'content creators' and EU governments could be interested in Phorm,
because they perceive ad revenues to be slipping from traditional domestic
outlets.
This is why you need to be interested, as Phorm's invasive technology could
easily be seen to be a panacea for Europe's advertising market troubles.
Foundation for information policy research - Open Letter to the Information
Commissioner (17.03.2008)
http://www.fipr.org/080317icoletter.html
The Phorm storm (12.03.2008)
http://www.openrightsgroup.org/2008/03/12/the-phorm-storm/
4 good reasons not to take part in the BT Webwise trial (30.09.2008)
http://www.openrightsgroup.org/2008/09/30/4-good-reasons-not-to-take-part-i…
What BERR want from Phorm - and what we think they're missing (19.09.2008)
http://www.openrightsgroup.org/2008/09/19/what-berr-want-from-phorm-and-wha…
The Phorm "Webwise" System (18.05.2008)
http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf
(contribution by Jim Killock, EDRi-member Open Rights Group - UK)
============================================================
6. Macedonia: Privacy Developments in 2008
============================================================
Even though the Constitution of the Republic of Macedonia and the Law on
Personal Data Protection (LPDP), the Criminal Code, Law on Organization and
Operation of State Administrative Bodies and other laws recognize and
protect the rights of privacy, data protection and secrecy of
communications, the implementation of these protections has met with major
difficulties during 2008.
A small number of Macedonian NGOs cover the issue of privacy, and during
2008 their main concerns involved the protection of human rights of children
on the Internet - including the privacy of children - and the protection of
privacy by the police and law enforcement agencies.
In July 2008, the Parliament ratified the Additional Protocol of the
Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data regarding supervisory authorities and
trans-border data flow. This document was signed on 4 January 2008. In July
2008, the Parliament also enacted the Law that amends the LPDP and increased
the fines for spamming. Both pieces of legislation (the Additional Protocol
and the amendments) came into force on August 19, 2008.
The main amendments and modifications were made for the harmonization with
the EU acquis and CoE Convention, adding specific provisions regarding video
surveillance, the independence of the Directorate for Personal Data
Protection and the simplification of the notification and complaint handling
procedures.
For the period of 2007-2008, the Directorate gave priority to public
awareness on the right of personal data protection. In cooperation with the
EDRI-member Metamorphosis Foundation it implemented the Norwegian model on
raising public awareness for youngsters, through creation of educational
content and conducting public events in three secondary schools.
During 2008, Metamorphosis Foundation implemented the Children's Rights on
the Internet - Safe and Protected (CRISP) project, co-funded by the European
Initiative for Democracy and Human Rights (EIDHR) and Metamorphosis. It
included establishment of a network of 12 NGOs working on the promotion and
safeguarding of children's rights online in cooperation with the Directorate
for Personal Data Protection. Project activities included developing a
curriculum and educational resources in Macedonian and Albanian, available
both offline and online, and conducting trainings. The trainings covered 50
primary and 20 secondary schools with participation of 8,482 children, 1,138
parents and 1,170 teachers from 12 cities and 7 villages from all parts of
Macedonia.
A public panel on privacy in Macedonia held on 26 August 2008, as part of a
public consultation to elaborate the Macedonia Report for Privacy and Human
Rights Report 2008, reiterated the assertions from the previous year that
there has been no public knowledge about cases of implementation of privacy
protection provisions of the Law on Electronic Communications, and spamming
remains widespread practice in the Macedonian business sector. Moreover, at
least one company continues to provide spamming services for other
companies, and the number of Macedonian legal entities who have a privacy
policy remains insignificant.
Even though wiretapping is regulated and unauthorized wiretapping is
prohibited, the wiretapping cases initiated in the past have not reached
closure in court. The most notable example is the process against the state
initiated by 17 journalists who have been subject to surveillance in the
"Big Ear" affair of 2001. Over seven years, four different judges have
unsuccessfully presided over this trial, and it was finally resolved at a
retrial in June 2007. The state was found guilty, but the 17 plaintiffs
stated that they remain dissatisfied with the compensation and the whole
process. Their representatives stated that they won't discontinue the trial
already underway at the European Court of Human Rights in Strasbourg, based
on their complaint. In September 2008, the Appellate court confirmed the
verdict of the basic court, but lowered the damages from the initial 6.000
Euros to approximately 4.000 Euros per journalist. The journalists have
stated that "they are not satisfied with the compensation, and the precedent
sets a signal that the violation of human rights is cheap in Macedonia."
After the Parliamentary elections of June 2008, the Government and the
Parliament used an unjustified fast-track procedure, to adopt changes and
amendments to over 164 laws in July and 17 laws in the following month
without any public debate. These changes included amendments of the Criminal
Procedure Code and the Law on Communication Interception that widened the
powers of surveillance for the law enforcement agencies.
Prominent NGOs such as Foundation Open Society Institute - Macedonia,
Association for Criminal Justice and Criminology of Macedonia and Helsinki
Committee for Human Rights of the Republic of Macedonia condemned the
legalization of preventive surveillance and removal of need to justify
special investigative measures with evidence of reasonable doubt before the
judiciary. The NGOs warned that these changes can turn Macedonia from a
state based on a rule of law into a "police state unconcerned with respect
of basic human rights and freedoms."
In practice, even the older, stricter legislation was not enforced. The
Parliamentary Committee for the supervision of the application of
communication interception techniques by the Ministry of the Interior and
the Ministry of Defense was denied access to data and did not issue any
reports during 2008.
Metamorphosis Foundation also provided opportunities for raising awareness
among opinion and decision makers, for instance, by including data protection
sessions within the 2008 agenda of the Fourth International Conference
e-Society.mk focused on ICT in Education.
In order to raise public awareness as well, Metamorphosis formed an
ad-hoc coalition of NGOs and other institutions to celebrate the Freedom Not
Fear Day in Macedonia. FNF coincided with the public holiday of 11 October -
the Day of uprising against fascism in World War II, and involved organizing
public debate at the faculty of law and distribution of information on video
surveillance on university campuses and the centre of Skopje, including an
infostand and public survey. Several thousand people were reached by
these activities, and most citizens expressed concerns about various ways of
"spying" conducted by the Government, corporations and individuals which
threaten their privacy.
During 2008, legal experts and human rights activists raised concerns about
the extensive use of detention and violation of privacy and the presumption
of innocence. The Macedonian Helsinki Committee and the Human Rights Project
continuously condemned spectacular arrests by the police, which included
inviting the media to film the handcuffed suspects escorted by law
enforcement officers. Only one TV station with a license for national
coverage, TV Telma, adopted a policy to no longer broadcast such arrests and
police-escorted transports.
Reacting to changes in the legislation, the Helsinki Committee also organized
public debate on the reasonable expectations in regard to privacy protection
versus efficiency in the fight against crime and corruption in a state of
laws on 25 November 2005. However, state representatives failed to appear at
the debate and provide arguments that would alleviate the concerns raised by
the representatives of the civil and academic sector.
Metamorphosis Foundation
http://www.metamorphosis.org.mk
International Conference e-Society.mk
http://www.e-society.mk
Macedonia: Public outcry over new legislation for preventive surveillance
http://www.metamorphosis.org.mk/content/view/1198/4/lang,en/
Freedom Not Fear in Macedonia (10-11.10.2008)
http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2008/Skopje
Debate on Privacy in Macedonia (26.08.2008)
http://www.metamorphosis.org.mk/content/view/1250/3/lang,en/
Appellate court confirms: The Big Ear Journalists were
wiretapped (only in Macedonian, 2.09.2008)
http://www.vecer.com.mk/?ItemID=C50F895AE5A071478301A8CF24F47A51
Decree for enacting the Law for changing and amending the Law on Personal
Data Protection (only in Macedonian, 19.08.2008)
http://dzlp.mk:8500/FILES/1164/PUBLIC/CONTENT/57980790416419030709141_FILES…
Fees ranging from 500 to 2000 Euros for unwanted spam-messages (only in
Macedonian, 29.08.2008)
http://www.dnevnik.com.mk/?itemID=1FD6BF9F94C51940AA425A047194D9B5&arc=1
Debate on Privacy in Macedonia, Metamorphosis Foundation (29.09.2008)
http://www.metamorphosis.org.mk/content/view/1250/3/lang,en/
Directorate of Data Protection in Macedonia - Legal grounds for the
protection of personal data in the national legislation
http://www.ceecprivacy.org/main.php?s=2&k=macedonia
Helsinki Committee for Human Rights of the Republic of Macedonia
http://www.mhc.org.mk
Human Rights Support Project
http://www.hrsp.org.mk
(contribution by EDRi-member Metamorphosis Foundation - Macedonia)
============================================================
7. Austria: Some EU data protection policy developments in 2008
============================================================
In Austria the international data protection day on 28 January will pass by
widely unrecognised. This year, as already in 2008, the Data Protection
Commission (DSK; the Austrian Data Protection Authority) and the Data
Protection Council (DSR; a political advisory board) will together organise
a meeting for a strictly limited number of interested persons (max. 100
participants) where they will present European and international
developments in data protection. In contrast to 2008, when they were
confronted with far more than 100 registrations, the event was promoted
very poorly. On the homepage of the DSK and on the 'Data Protection Day'
website on the Council of Europe website it is not even mentioned!
This situation is somewhat symptomatic for Austrian data protection. Data
protection here usually is not for the masses, it is an administrative task
that rather involves formalised decisions than public debate and open
discussions. It's a pity that the organisers of this year's event chose to
maintain the access restrictions. Opening the event for a broader audience
would have given the option for further development towards an annual
Austrian Data Protection Conference. For this year the chance is gone but
there is another chance next year. We'll keep you informed.
The following paragraphs provide a summary of major developments in the past
year with regard to legislative initiatives, surveillance trends and
important data breaches. Finally an outlook to the coming years will be
presented.
Legislative Initiatives
On 6 December 2007 the Austrian Parliament adopted a reform of the law on
security police. Ten minutes before midnight of that day (the last
parliamentary session of the year) members of the governing parties (Social
Democrats and Conservatives) tabled an amendment that significantly
increased the surveillance possibilities for security police, while ignoring
the usual parliamentarian workflow of discussing amendments in the relevant
committee before voting. The result of this initiative is that mobile
telecommunication and Internet providers have to provide location
information of mobile phones and IP addresses on request of security police.
A court permission is not required! In the first five weeks of 2008 location
data of 82 mobile phone users and the identity of 2.766 subscribers were
requested. According to an article published in the Austrian newspaper "Die
Presse" there are 32 such requests per day. The members of the Parliament
who tabled the mentioned amendment received the Austrian Big Brother Award
2008. Several complaints against the law were filed with the Austrian
Constitutional Court.
In April 2008 an amendment to the Data Protection Act 2000 was published for
comments. Key elements are legal requirements for video surveillance by
private operators, new requirements for private businesses with at least 20
employees to create the position of a data protection supervisor and
harmonisation of responsibilities (the federal government gets all data
protection competences). Currently the Data Protection Commission has to
approve video surveillance installations of private operators. According to
the proposed amendment video surveillance will be allowed in future if
dangerous attacks or criminal offences were committed in that area within
the last 10 years, or if expensive objects worth more than 100.000 EUR or of
exceptional artistic value need to be protected. Video surveillance needs to
be properly announced and will remain prohibited in toilets and changing
rooms. Furthermore the amendment proposes a centralised database of all
private video surveillance installations. If needed the police will be
allowed to access the data of these cameras. In general the retention of
video data will be limited to 48 hours, which can be extended on request to
the DSK. In future it will not be required to file realtime
video-surveillance with the DSK. Police access to highway video surveillance
is envisaged and fortunate discoveries may be used for penal action. Due to
the premature reelections of the Austrian Parliament in 2008 the amendment
to the Data Protection Act 2000 finally did not make its way through the
legislative process. It is expected to re-appear in 2009.
On the proposal of the European Commission on the use of Passenger Name
Record data, Social Democrat MPs tabled a motion for resolution with the
Austrian Parliament. They proposed to wait for the decision of the European
Court on the structurally similar data retention directive and for the entry
into force of the Lisbon treaty. Furthermore they ask to consider the
opinion of Article 29 working group on the Commission proposal, since there
are severe data protection concerns.
Data retention - The data retention directive is still not implemented in
Austria. There are no known plans to do so in the near future.
On biometric passports the Council of Ministers decided in June 2008, that
fingerprints of the two index fingers (if existing) will be stored on an
RFID chip on the passport. The data additionally will be stored for up to
four months at the Staatsdruckerei, which produces the passports. Currently
the parliamentarian decision making process is ongoing: On 21.01.2009 the
National Council adopted the respective law with votes of all represented
parties except the Greens. The Federal Council will vote on it on
27.01.2009, one day before the International Data Protection Day. It is
expected that the law will not be rejected there.
In 2007 the Federal Minister of the Interior and the Federal Minister of
Justice agreed on the implementation of hidden uses of remote forensic
software (so called federal trojan horses) and established a working group
to work on the details of the legal and technical issues. In April 2008 the
working group published its final report. The experts claimed that from a
constitutional point of view a number of fundamental rights are affected
which limit the implementation of such online-searches and constitute
warranty deeds for the state.
Surveillance Trends
The major surveillance trends of 2008 all focus on uses of video
surveillance. In traffic control we saw the introduction of systems for
automated checking of road tax vignettes, automated scanning of vehicle
number plates where the collected data is checked against a wanted vehicles
list, and the use of video surveillance for the enforcement of speed limits
(section control). In the case of section control Austria's highest courts
decided that it may only be used on a case-by-case order of the competent
Minister, including a detailed description of the special setup.
Other examples of increased video surveillance are the pilot-use of
video-surveillance in trains of Vienna's underground, where data are stored
for 48 hours, video surveillance in trains from the Austrian Railway and
video surveillance in residential buildings owned by the City of Vienna
where garages, elevators and rooms for dust bin storage will be monitored.
The pilot phase of the so called dust bin monitoring was approved by the DSK
and will last until the end of 2009. The aim is protection against vandalism.
Important data breaches
In 2008 the case of a teenage asylum seeker and her family received lots of
media coverage in Austria. When the pressure on the Ministry of the Interior
was too intense, personal data on a family member from the police
information system EKIS and from the police file index leaked to the public.
Pictures from these files together with a corresponding press release were
published on the Internet by a senior official of the Ministry. Police
investigations on this data leakage are ongoing.
The administration of the residential buildings of the City of Vienna,
Wiener Wohnen, sent a questionnaire to all 220 000 renters of their flats
asking for their opinion on their flat, their neighbours, the surrounding of
the building, the security situation, their administration and the City of
Vienna. Wiener Wohnen offered that the questionnaire could be returned
anonymously by blacking out the name printed on the form. The responsible City
Council said that the barcode on the second page of the form would only be
used as a reference to the administrative district the answer came from.
This was in the best case misleading, since the barcode contained the
renter's complete customer number, which allowed for a personalisation of the
answers given on the questionnaire. The director of Wiener Wohnen received
the Austrian Big Brother Award 2008.
Outlook
After the premature reelections in 2008 a new government took office last
year. Their government programme includes the following topics relevant to
data protection: The use of remote forensic software (so called federal
trojan horses) by police will be allowed. It will be clarified that the DSK
is not competent in cases where the Criminal Investigation Department is
active in cases of criminal law. The cooperation with Schengen partners will
be intensified, common Visa- and Biometric-Centers will be established,
possible cooperation with external service providers (outsourcing) will be
analysed. A DNA-Offensive aims for a nationwide collection and analysis of
DNA samples and will serve as a basis for new application areas. Electronic
health records will gain increased importance.
The implementation of the data retention directive is not mentioned in the
government programme. A decision of the Constitutional Court on the
complaints against the law on Security Police is expected in 2009.
At this year's election of the Austrian Students Union in May 2009 the
Federal Government wants to run an e-voting pilot. The Austrian Students
Union strongly opposes these plans due to unresolved legal and technical
questions. The Data Protection Council also advised to refrain from these
plans. This pilot election is commonly considered to be a test-case for the
use of e-voting in elections to the Austrian Parliament.
Data Protection Commission
http://www.dsk.gv.at/
Law on Security Police (only in German)
http://www.parlament.gv.at/PG/DE/XXIII/BNR/BNR_00181/pmh.shtml
Die Presse on access to location information and IP addresses by Security
Police (only in German)
http://diepresse.com/home/panorama/oesterreich/370803/index.do
Austrian Big Brother Awards (only in German)
http://www.bigbrotherawards.at/2008
Proposed amendment to the Data Protection Act 2000 (only in German)
http://www.parlament.gv.at/PG/DE/XXIII/ME/ME_00182/pmh.shtml
Motion for a resolution on PNR-data (only in German)
http://www.parlament.gv.at/PG/DE/XXIII/A/A_00651/pmh.shtml
Parliamentary decision on biometric passports (only in German)
http://www.parlament.gv.at/PG/PR/JAHR_2009/PK0023/PK0023.shtml
Final report of the working group on remote forensic software (so called
federal trojan horses)(only in German)
http://www.justiz.gv.at/_cms_upload/_docs/AG_OnlineDurchsuchung_Endbericht.…
Government programme of the Austrian Federal Government (only in German)
http://www.oevp.at/Common/Downloads/Regierungsprogramm2008-2013.pdf
Opinion of the Data Protection Council on E-Voting at the elections to the
Austrian Students Union (only in German)
http://www.bundeskanzleramt.at/DocView.axd?CobId=31084
(contribution by Michael Hofer and Andreas Krisch - EDRi member VIBE!AT)
============================================================
8. France: Who have they forgotten to control today?
============================================================
The CNIL, the French Data Protection Authority, has published on 20 January
2009 a report on a massive control operation it conducted on the STIC
("Système de traitement des infractions constatées" or "Recorded offences
treatment system"), a huge police database. The report reveals that the STIC
is consulted by each one of the 100.000 authorised policemen 200 times a
year on average. This immediately reminded me of the old British Telecom
slogan: "who have you forgotten to call today?"
Police files have been the main concern in France in 2008, especially after
the creation, by decrees published on 1st July 2008, of two new intelligence
databases, EDVIGE and CRISTINA. CRISTINA aims at "Centralising inland
intelligence for homeland security and national interests", and is covered
by the defence secret, which means that no one knows any detail on this
file. This is not the case with EDVIGE, which has generated such a massive
mobilization in society that the government finally had to withdraw the
EDVIGE decree in November 2008.
EDVIGE would have systematically gathered information on any person having
applied for or exercised a political, union or economical mandate or playing
a significant institutional, economical, social or religious part as well as
information on any person, starting from the age of 13, considered by the
police as a "suspect" potentially capable of disrupting the public order.
After the strong opposition of a large number of associations, political
parties, unions and individuals, with a petition signed by almost 220.000
individuals and 1200 associations, a complaint filed by 12 labour unions and
rights organizations, among them EDRI-member IRIS, before the French highest
administrative court, and a huge national day against EDVIGE on 16 October
where 10.000 persons took part in demonstrations in 60 French cities, the
government finally had to react. It announced a modified project, called
EDVIRSP, not yet published. While the new file would explicitly exclude
information related to people's health or sexual orientation, it would keep
other sensitive personal data such as ethnical origin, as well as political,
philosophical, religious opinions or union affiliation, and would still
allow the police to store data on minors starting at the age of 13 if they
are considered a threat to public safety.
CNIL's President said that "the STIC is more dangerous than EDVIGE", because
of the huge number of errors the CNIL has found in the STIC. But the main
difference is that the CNIL will never be able to establish errors in
EDVIGE, unlike in the STIC, because EDVIGE will never contain any fact,
but simply presumptions of facts that could be committed.
The STIC is dangerous enough, however. The file has existed since 1995, but was
officially created only in 2001. The CNIL report established that the STIC
now concerns half of the French population, without any age limitation. An
individual is registered in the STIC by the police after an offence has been
committed. The point is that one can be registered either as a victim, or as
the suspected author of the offence. Then the file is supposed to be updated
after a court decision, which might find that the suspected author is not
guilty. But the CNIL report findings are that this update very seldom
occurs, and that sometimes a victim is mistakenly registered as a suspect.
All in all, the STIC error rate found by the CNIL is 83%. Not only is this
error rate 'staggering', as CNIL's President commented, but it also has
major social consequences, since in 2003 a law extended the STIC's purposes
to the records checking of people applying to a large range of jobs,
especially in the security field. The report estimates at 1 million the
number of persons who weren't hired, or were fired from their jobs, simply
because they were wrongly recorded in the STIC, sometimes because they
actually were a victim, sometimes because their situation wasn't updated
after a court decision. STIC opponents warned against these dangers as early
as 10 years ago. Here we are now.
In December 2008, another report commissioned by the French Ministry of
Interior has inventoried some 45 police files, whereas 34 were already in
place in 2006. Some of them contain biometric and genetic data.
Among the biometric files, a centralized population database is currently
being established, with the decree on French biometric passport having been
published on 30 April 2008. A complaint filed against the French government
by EDRI-member IRIS and the French Human Rights League is still pending.
Main arguments of the complaint are: the collection of 8 digital
fingerprints of the passport holder (whereas the European Council regulation
requires only 2), the fact that this also applies to children starting from
age 6, and the creation of a centralized database containing all information
on the passport holder, including biometric data.
Another pending complaint against the French government concerns the ELOI
database, created to manage the expulsion of illegal migrants. The complaint
has been filed by EDRI-member IRIS, with the French Human Rights League and
two other French organizations for the support of migrants. This database
has been created by decree on 26 December 2007, after the same organizations
won a previous complaint against a first version of ELOI. For the
plaintiffs, a data retention period of 3 years, as well as the collection of
migrants' children's data, still violate the French and European
legislation on data protection.
These files are only examples of a strong and enduring trend in France,
which consists of huge centralized population databases, increased use of
biometric and genetic data, considering migrants as a target, and, last but
not least, specifically targeting children.
Year 2008 has shown however that the concern is growing in the general
public, and this is a good sign. While the French have not really reacted to
data retention issues, they seem to start considering that police databases
and other files created by other administrations, especially when they
concern children, are now going too far. When the government is facing
massive citizen mobilisation, it has to go backwards. This is the lesson
learnt with EDVIGE in 2008.
The year 2009 needs to be watched carefully, though. The law implementing
the "graduated response" or the "three strikes approach" against filesharers
is expected to pass this year. New measures to fight cybercrime have also
been announced. EDVIRSP, the new version of EDVIGE, is expected soon. And
the draft law on biometric ID cards has been ready for months, and will probably
be submitted to the Parliament as soon as things calm down on the
privacy front.
CNIL Report: Conclusions on the control of the STIC (only in
French, 20.01.2009)
http://www.cnil.fr/fileadmin/documents/approfondir/dossier/Controles_Sancti…
IRIS Press Release: 'CNIL's control of the STIC: a healthy exercise, but
timorous conclusions' (only in French, 23.01.2009)
http://www.iris.sgdg.org/info-debat/comm-stic0109.html
EDRI-gram: French EDVIGE decree withdrawn (3.12.2008)
http://www.edri.org/edri-gram/number6.23/edvige-retired
French Interior Ministry Report: 'Better controlling mechanisms
implementation to better protect freedoms' (11.12.2008, only in French)
http://lesrapports.ladocumentationfrancaise.fr/BRP/084000748/0000.pdf
EDRI-gram: Complaint Against The French Govt To Annul The Biometric Passport
Decree (16.07.2008)
http://www.edri.org/edrigram/number6.14/complaint-french-biometric-passport
EDRI-gram: Eloi - A French Database To Manage The Expulsion Of Illegal
Migrants (16.01.2008)
http://www.edri.org/edrigram/number6.1/eloi-french-database
(Contribution by Meryem Marzouki, EDRI member IRIS - France)
============================================================
9. Privacy in Germany 2008: A new fundamental right, a privacy mass
movement, and the usual surveillance suspects
============================================================
The year of 2008 can be marked as the year where privacy moved high on the
public agenda in Germany. On 1st of January, the law on data retention went
into effect, which made Germany drop from number one to seven in the country
ranking published by Privacy International. On the same day, a
constitutional challenge was submitted at the supreme court. The German
working group on data retention and its allies managed to have more than
34,000 people participate in this case - the largest constitutional
complaint ever seen in German history. The paperwork had to be brought to
the constitutional court in huge moving boxes, which also offered a nice
photo opportunity for everyone wanting to demonstrate how many people oppose
data retention.
In February we saw the constitutional court decision on secret online
searches of people's hard drives (the "federal trojan"). The court limited
the use of this tool to cases where there are "factual indications of a
concrete danger" in a specific case for the life, body and freedom of
persons or for the foundations of the state or the existence of humans; in
such cases, government agencies may use these measures after approval by a judge. The
decision was widely considered a landmark ruling, because it also
constituted a new "basic right to the confidentiality and integrity of
information-technological systems" as part of the general personality rights
in the German constitution.
In March, the Chaos Computer Club published the fingerprint of the federal
minister for the interior, Wolfgang Schäuble. This sparked high public
attention and made frontpage news, and proved that biometric authentication
as introduced in the German passport and identity card is not safe at all.
Inspired by the recent successes, the growing number of privacy activists
held a decentralised action day in May. Different kinds of activities, like
demonstrations, flash mobs, information booths, privacy parties, workshops,
and cultural activities took place all over Germany.
Over the summer, some of the biggest German companies helped in raising
public awareness of the risks of large data collections. Almost every week,
there were reports on a big supermarket chain spying on its employees, on
cd-roms with tens of thousands of customer data sets from call centers -
including bank account numbers - being sold on the grey market, on the
largest German telecommunications provider using retained traffic data for
spying on its supervisory board and on high-ranking union members, on an
airline using its booking system to spy on critical journalists, on two
large universities accidentally making all student data available online,
or on a big mobile phone provider "losing" 17 million customer data sets.
The Federal Government, under building public pressure, introduced some
small changes for the federal data protection law, but at the same time
continued its push for more surveillance measures in the hands of the
federal criminal agency (Bundeskriminalamt, BKA). These included the secret
online searches the constitutional court had just cut down to very
exceptional circumstances a few months earlier. The German public discussed
these moves very critically, especially since journalists are exempted from
special protections that are given to priests, criminal defense lawyers, and
doctors.
Because of the public concern and debate about privacy risks, the call to
another mass street protest was even more successful than ever before. The
"Freedom not Fear" action day on 11th October was the biggest privacy event
of the year. In Berlin, between 50,000 and 70,000 persons protested
peacefully against data retention and other forms of "surveillance mania",
making it the biggest privacy demonstration in German history. Privacy
activists in many cities all over the world participated with very diverse
and creative kinds of activities and turned this day into the first
international action day "Freedom not Fear".
The anti-surveillance protests finally kicked off some serious discussion
within the Social Democratic Party in a number of the German Länder
(states). This resulted in a loss of the majority for the law on the federal
criminal agency (BKA) in the second chamber (Bundesrat) in the first vote.
It only was passed weeks later, after some changes were introduced, and with
heavy pressure from leading federal Social Democrats. The new law is still
seen as unconstitutional by many legal and privacy experts and in January
2009 a case was submitted to the constitutional court.
Privacy activists in the fall of 2008 also campaigned against the retention
of flight passenger name records, forcing Brigitte Zypries, the German
minister of justice, to freeze her plans on the matter until after the
federal elections in the fall of 2009. More recently, the working group on
data retention attacked the "voluntary data retention" proposed in the EU
telecom package, as well as the renewed data exchange agreements between the
EU and the USA.
EDRi-gram: Germany: New basic right to privacy of computer systems
(27.02.2008)
http://www.edri.org/edrigram/number6.4/germany-constitutional-searches
EDRi-gram: German constitutional challenge on Data Retention (12.03.2008)
http://www.edri.org/edrigram/number6.5/germany-data-retention
EDRi-gram: Fingerprinting the fingerprint proponent (9.04.2008)
http://www.edri.org/edrigram/number6.7/fingerprint-schauble
EDRi-gram: German Protests in over 30 cities against surveillance (2.07.2008)
http://www.edri.org/edrigram/number6.13/german-protests-surveillance
EDRi-gram: International Action Day "Freedom not Fear" (22.10.2008)
http://www.edri.org/edri-gram/number6.20/freedom-not-fear-international-day
(contribution by Annika Kremer, Working Group on Data Retention, and Ralf
Bendrath, EDRi member Netzwerk Neue Medien - Germany)
============================================================
10. Some EU data protection policy developments in 2008
============================================================
Will 2008 be remembered as the Data Retention implementation year or the
first Freedom not Fear day? As always with conclusions, we might answer
this question better in 2009 or 2018. But let's look at some facts from the
last year now.
One of the main hot privacy topics during 2008 was related to the
implementation of the EU data retention Directive 2006/24/EC in several
European countries. Despite the fact that data retention has been resisted
in some countries in Europe, with 15 March 2009 as the final day for
starting to retain Internet-related data, most of the EU member states
adopted data retention laws only in 2008. The reactions have been strong,
but in just a few cases led to the review of the respective laws.
Germany has seen large debates and protests after the adoption of the data
retention law at the end of 2007. In February 2008, the German Working Group
on Data Retention submitted to the German Federal Constitutional Court the
mandates of over 34 000 citizens willing to fight against the storage of
their telecommunications. A preliminary decision taken by the Court on 19
March 2008 supported the case, considering that parts of the German act are
unconstitutional pending review.
In Bulgaria, on 11 December 2008, the Bulgarian Supreme Administrative Court
(SAC) annulled article 5 of the national legislation that implements the
Data retention Directive, following a lawsuit initiated by Access to
Information Program (AIP). Article 5 of the Bulgarian Regulation # 40 that
was issued by the State Agency on Information Technologies and Communication
and the Ministry of Interior provided for a "passive access through a
computer terminal" by the Ministry of Interior, as well as access without
court permission by security services and other law enforcement bodies, to
all retained data by Internet and mobile communication providers.
The European Court of Justice (ECJ) is still considering the action started
on 6 July 2006 by Ireland against the Council of the European Union and
European Parliament on the formal grounds for adopting the Data Retention
Directive.
A first hearing of the action by ECJ took place on 1 June 2008 in
Luxembourg. The legal basis of the data retention directive was supported by
the European Parliament and Council, but also by the Commission, Spain,
Netherlands and EDPS, Peter Hustinx. On 14 October 2008, the ECJ Advocate
General gave his opinion on the case considering the data retention
directive was founded on an appropriate legal basis, therefore recommending
the dismissal of the action. The decision of the Court will be made public
on 10 February 2009.
The German Working Group on Data Retention drafted an amicus curiae brief in
this case claiming that the data retention directive was also illegal on
human rights grounds, breaching the right to respect for private life and
correspondence, the freedom of expression and the protection of property.
The German Group was joined by several civil liberties NGOs and professional
associations, including EDRi.
It appears that the ECJ will not look into those aspects, but a future
action is possible in asking the European Court to consider the
compatibility with human rights. This could be initiated by the German
Federal Constitutional Court as an issue related to the action from the
German Working Group of Data Retention and/or by the Irish courts, following
the action initiated by EDRi-member Digital Rights Ireland.
An international day of action against data retention took place on 11
October under the name "Freedom not Fear". During that day, protests took
place in more than 15 countries worldwide against surveillance measures such
as the collection and retention of all telecommunications data. The
surveillance of air travellers and the biometric registration of citizens
was another subject of the "Freedom not Fear" day, as 2008 has seen
developments on the issue.
The PNR US-EU agreement continued to raise questions and worries with many
negotiations between the US government and the European Commission. In
March, the German Working Group on Data Retention published two applications
to the European Court of Justice contesting the transfer of PNR data to the
US arguing that the collection of all PNR data violated the basic right to
privacy and protection of our personal data, authorities were given an
unforeseeable use of the data for other purposes, and that passengers'
sensitive data were not effectively protected against access. A recent
report from US Department of Homeland Security (DHS) regarding the Passenger
Name Record (PNR) information from the EU-US flights confirms a number of
major dysfunctionalities, that proves the DHS did not comply with the EU
agreement or with the US legislation in its use of PNR.
At the European level, despite the large opposition, the European Council
decided to extend the PNR scheme to the EU space, following the position of
some governments which expressed their intention to even extend the PNR
scheme to all types of travel and even among EU countries.
The text proposed in October 2008 included the choice of individual states
to take the measure at the national level meaning that PNR would be
collected by all Member States on all flights in and out of the EU and the
choice of surveying intra-community flights belonged to the Member States.
The attempt to pile up DNA databases was continued in 2008 with the UK as
leader. However the European Court of Human Rights (ECHR) decision taken on
4 December in the Marper case could change the way things are working today.
ECHR confirmed that, in agreement with Article 8 of the European Convention
on Human Rights, the retention of cellular samples, fingerprints and DNA
profiles constituted an infringement of the right for private life.
On 24 September 2008, the Telecom Package of rules governing the Internet
and telecoms sectors proposed by the European Commission was approved by the
European Parliament in the first reading. Despite the amendments brought by
the EP, the package is still worrying the civil rights groups, both on data
retention and IP issues. The voluntary data retention issue is one of the
major hot topics contested by the civil society (see also the first article
in this EDRi-gram).
A promising amendment was proposed by the European Parliament to the
ePrivacy Directive that included the obligation of the information society
services providers to notify personal data related security breaches to the
national authorities which was suggested by the European Data Protection
Supervisor's opinion in April. But the new texts suggested by the Commission
and the Council seem to contradict the Parliament and the final decision
will probably be taken in the second reading, estimated for April 2009.
We cannot wish to have a conclusion that may clear the waters. The
optimists will look at the full part of the glass where we might see the
ECHR Marper case. The pessimists might see the EU PNR scheme or some strange
provisions of the Telecom Package.
EDRI page on data retention
http://www.edri.org/issues/privacy/dataretention
EDRI page on PNR
http://www.edri.org/issues/privacy/pnr
EDRI page on biometrics
http://www.edri.org/issues/technology/biometrics
EDRi page on privacy
http://www.edri.org/issues/privacy
National data retention policies
https://wiki.vorratsdatenspeicherung.de/Transposition
============================================================
11. Towards International Data Protection Standards
============================================================
In October 2008, the 30th International Conference of Privacy and Data
Protection Commissioners in Strasbourg adopted a resolution on the urgent
need for protecting privacy in a borderless world, and for reaching a Joint
Proposal for setting International Standards on Privacy and Personal Data
Protection.
Following this resolution, the Spanish Data Protection Authority (DPA) - as
the organiser of the 31st international DPA Conference to be held in
November 2009 - has set up a working group on drafting this Joint Proposal.
The first meeting of this working group was held on invitation of the
Spanish DPA and the DPA of Catalonia on 12 January in Barcelona.
Participants in this meeting were not only the interested international Data
Protection Authorities but also data protection experts from academia,
businesses and civil society, amongst which EDRi.
EDRi very much welcomes this standardisation initiative of the International
Conference of Privacy and Data Protection Commissioners. Provided that the
defined standards are not set below the requirements of the current European
data protection legislation - which is very unlikely to happen - an
international standard on data protection will not only serve as an
important tool for international data exchange but also as a worldwide
benchmark for data protection legislation. Besides that, it provides the
opportunity to work on issues that are likely to cause difficulties with
emerging technologies (like for example the concept of the data controller
in RFID environments or cloud computing).
As this one day meeting clearly showed, the creation of an international
standard on Privacy and Personal Data Protection is not an easy task and it
is by far unclear whether this task can possibly be completed by the next
International Conference of Privacy and Data Protection Commissioners in
November 2009 in Madrid. But with the draft document provided by the
organisers of the meeting and the inputs provided by the participants in the
meeting a first step is already taken. In the following months the working
group will go into the details and present the outcomes at the Madrid
conference.
Resolution on the urgent need for protecting privacy in a borderless world,
and for reaching a Joint Proposal for setting International Standards on
Privacy and Personal Data Protection adopted by the 30th International
Conference of Privacy and Data Protection Commissioners (17.10.2008)
http://www.privacyconference2008.org/adopted_resolutions/STRASBOURG2008/res…
Announcement of the Barcelona Meeting by the DPA of Catalonia (only in
Spanish, 8.01.2009)
http://www.apdcat.net/noticia.php?not_id=93
Intervention of the director of the DPA of Catalonia (only in Spanish,
14.01.2009)
http://www.apdcat.net/noticia.php?not_id=97
Press statement of the Spanish DPA (only in Spanish, 13.01.2009)
https://www.agpd.es/portalweb/revista_prensa/revista_prensa/2009/notas_pren…
(contribution by Andreas Krisch - EDRi)
============================================================
12. Recommended Action
============================================================
Declaration to Reject the Copyright Term Extension Directive with
signatories (01.2009)
http://www.edri.org/files/Joint_Statement_Final.pdf
Reject term extension directive (21.01.2009)
http://www.edri.org/reject-term-extention-directive
============================================================
13. Recommended Reading
============================================================
Article 29 Working Party - The 2007 Annual Report
English
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/annual_reports_en…
German
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/annual_reports_de…
French
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/annual_reports_fr…
============================================================
14. Agenda
============================================================
3-4 February 2009, Victoria, British Columbia, Canada
10th Annual Privacy and Security Conference "Life in a Digital Fishbowl: A
Struggle for Survival or a Sea of Opportunity?"
http://www.rebootconference.com/privacy2009/
7-8 February 2009, Brussels, Belgium
Free and Open source Software Developers' European Meeting (FOSDEM)
http://www.fosdem.org/2009/
18-20 March 2009, Athens, Greece
WebSci'09: Society On-Line
http://www.websci09.org/
27-29 March 2009, Manchester, UK
Oekonux Conference: Free Software and Beyond The World of Peer Production
http://www.oekonux-conference.org/
29-31 March 2009, Edinburgh, UK
"Governance Of New Technologies: The Transformation Of Medicine, Information
Technology And Intellectual Property" An International Interdisciplinary
Conference
http://www.law.ed.ac.uk/ahrc/conference09/
1-3 April 2009, Berlin, Germany
re:publica 2009 "Shift happens"
http://www.re-publica.de/09/
Subconference: 2nd European Privacy Open Space
http://www.privacyos.eu/
13-14 May 2009 Uppsala, Sweden
Mashing-up Culture: The Rise of User-generated Content
http://www.counter2010.org/workshop_call
24-28 May 2009, Venice, Italy
ICIMP 2009, The Fourth International Conference on Internet Monitoring
and Protection
http://www.iaria.org/conferences2009/ICIMP09.html
1-4 June 2009, Washington, DC, USA
Computers Freedom and Privacy 2009
http://www.cfp2009.org/
5 June 2009, London, UK
The Second Multidisciplinary Workshop on Identity in the Information
Society (IDIS 09): "Identity and the Impact of Technology"
Call for papers, deadline 13 March 2009
http://is2.lse.ac.uk/idis/2009/
2-3 July 2009, Padova, Italy
3rd FLOSS International Workshop on Free/Libre Open Source Software
Paper submission by 31 March 2009
http://www.decon.unipd.it/personale/curri/manenti/floss/floss09.html
13-16 August 2009, Vierhouten, The Netherlands
Hacking at Random
http://www.har2009.org/
23-27 August 2009, Milan, Italy
World Library and Information Congress: 75th IFLA General Conference and
Council: "Libraries create futures: Building on cultural heritage"
http://www.ifla.org/IV/ifla75/index.htm
10-12 September 2009, Potsdam, Germany
5th ECPR General Conference, Potsdam
Section: Protest Politics
Panel: The Contentious Politics of Intellectual Property
First proposals to be submitted by 1 February 2009
http://www.ecpr.org.uk/potsdam/default.asp
16-18 September 2009, Crete, Greece
World Summit on the Knowledge Society WSKS 2009
http://www.open-knowledge-society.org/
October 2009, Istanbul, Turkey
eChallenges 2009
Call for papers by 27 February 2009
http://www.echallenges.org/e2009/default.asp?page=c4p
15-18 November 2009, Sharm El Sheikh, Egypt
UN Internet Governance Forum
http://www.intgovforum.org/
============================================================
15. About
============================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 29 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Hi all,
As one of those lucky souls with access to almost limitless
bandwidth and the skills (or stupidity) to use it, I suppose an apology
is in order:
I'm sorry- after reviewing what *could* be the consequences, I have
to wimp out based on professional risk factors... I can't run an exit
node. So I have to leave it to other folks who have a different
situation to do the heavy lifting.
What I *am* doing is deploying a couple of heavy iron closed relays
on OC3 or better bandwidth. The first is now deployed after a lot of up
and down testing, and I'll get to the second in due time.
I've been watching Tor for a long time and just recently decided to
get involved. The Iran situation cemented that decision.
Anyhow, here are some random thoughts:
On the "Who uses Tor?" section of the website, I see no mention of
IT people. I've used the Tor network for many practical uses as an IT
Director. These range from bypassing my own firewall to test incoming
connections, to helping my legal department do research on a pending
lawsuit without the opposition *knowing* we even looked at their
website. Having a random and easily accessible IP to initiate
connections from is a priceless testing tool. Especially when dealing
with niggling routing problems.
On one occasion my ISP was having routing/DNS problems, and Tor was
able to find an entrance node and allow me to work even though I
couldn't get to my remote servers directly. This saved my client a lot
of downtime, and might have saved me the account. Also, my employer's
R&D department sometimes needs to look at things they don't want anyone
to know they looked at (All quite legal mind you).
Quite frankly Tor is an undervalued IT tool and its capabilities
should be trumpeted loudly on the web page. You might also find IT guys
like me throwing up some relays in exchange. After all- who has the
bandwidth anyway?
And before anyone accuses me of it, I'm not nearly stupid enough to
do a port scan over Tor. Phew.
One of the issues I ran into when looking into running an exit relay
had to do with not only the legalities, but identifying a server vendor
that was offshore from my home country and friendly to a Tor exit. In
order for me to run an exit node, I have to be completely shielded.
As it stands now, I can probably run an exit for instant messaging-
and that's it. However, if Tor itself had a relationship with someone
who rents hardware, perhaps a partnership, Tor could get the exit nodes
it needs, and the server vendor could get lots of cash. From my
standpoint, it doesn't matter whether I rent or colocate my hardware. So
if Tor as an organization had a partnership with a few server rental
whores (in multiple countries), it would simplify getting more exits. I
need servers, Tor runs with little impact on my server, I could care
less where my remote hardware is provisioned from. Bingo- more exits.
I read back about 6 months in the or-talk list and there were a
couple of suggestions inferring that *everyone* should be forced to be
an exit node. I think this is a very bad idea, and hurts the security of
the person trying to remain anonymous by causing an identifiable change
in bandwidth usage that could infer Tor usage (Information leakage).
Simply speaking, on a default Windows/Vidalia installation, outgoing
Tor traffic usually looks like https traffic, but on a forced exit, now
Tor is identified by relatively matched traffic on port 443 both in and
out of the client's connection (Unless its entrance node is a *nix
variant). This could mean death (literal) for a political dissident who
is now identified as having an in/out matching traffic pattern assuming
his entrance node is on Windows. It is more likely that a country
monitoring its citizens would miss simple https traffic. But even
myself as a lowly IT director, would have alarm bells going off if https
was initiating in two directions from the same machine. Alternative
ports can also set off alarm bells. But given the nature of Onion
Routing, two way traffic needs to be avoided in the most sensitive
situations. Forcing exit nodes is a bad idea for users. It
will also drive away anyone who cannot provide an exit node.... that's
chasing away bandwidth as non exit relays run for the hills.
Long post. Too much coffee and too much time staring at routing tables.
Michael
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 7.2, 28 January 2009
Special issue - Data protection day
============================================================
Contents
============================================================
Data Protection Day
1. EU proposal puts confidential communications data at risk
2. Privacy and data protection in the Netherlands in 2008
3. Data protection in Italy: Loudly more of the same
4. Romania: Is really privacy a topic in the public debate?
5. UK: Phorm threat
6. Macedonia: Privacy Developments in 2008
7. Austria: Some EU data protection policy developments in 2008
8. France: Who have they forgotten to control today?
9. Germany: A new fundamental right, a privacy mass movement + surveillance
10. Some EU data protection policy developments in 2008
11. Towards International Data Protection Standards
12. Recommended Action
13. Recommended Reading
14. Agenda
15. About
============================================================
Data Protection Day
============================================================
28 January is the European Data Protection Day. For the third time, in 2009,
this date marks the anniversary of the Council of Europe's Convention 108,
the first legally binding international instrument related to data
protection.
This issue of the EDRi-gram is dedicated to the European Data Protection Day
and marks the privacy developments in some European countries in the
past year, as reported by EDRi members. It also includes a warning from
major civil society groups and the EDPS on the adoption of the "voluntary
data retention" in the telecom package.
European data protection day activities - 28.01.2009
http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/Def…
============================================================
1. EU proposal puts confidential communications data at risk
============================================================
Civil liberties groups La Quadrature du Net, European Digital Rights (EDRi),
AK Vorrat, and Netzpolitik.org are urging the European Parliament to heed
advice given by the European Data Protection Supervisor Peter Hustinx and
scrap plans dubbed "voluntary data retention".
"A proposal currently discussed in the European Parliament as part of the
'telecom package' would allow providers to collect a potentially unlimited
amount of sensitive, confidential communications data including our
telephone and e-mail contacts, the geographic position of our mobile phones
and the websites we visit on the Internet", warns Patrick Breyer of German
privacy watchdog AK Vorrat. "Apart from the creation of vast data pools that
could go far beyond what is being collected under the directive on data
retention, the proposal would also permit the passing on of traffic data to
other companies for 'security purposes'. We must not let a potentially
unlimited amount of confidential data be exposed to risks of disclosure or
abuse in this way", he also said.
"This proposal is lobbied for under the guise of 'security', but what it
really means is that users and citizens would have no expectation of privacy
on the Internet anymore," adds Ralf Bendrath from EDRi. "This is a clear
breach of the European tradition of considering privacy a fundamental human
right."
In a paper published earlier this month, European Data Protection Supervisor
Peter Hustinx joined the critics, warning the proposal would constitute a
"risk of abuse" and "may be interpreted as enabling the collection and
processing of traffic data for security purposes for an unspecified period
of time." Hustinx reached "the conclusion that the best outcome would be for
the proposed Article 6.6(a) to be deleted altogether" - a view firmly shared
by La Quadrature du Net, EDRi, netzpolitik.org and AK Vorrat.
"A few months before the elections, citizens will have the opportunity to
see if the Members of European Parliament are willing to protect their
privacy", declares Jérémie Zimmermann, co-founder of the citizen's
initiative La Quadrature du Net. "Every citizen should inform their MEPs and
ask them to massively reject this article 6 (6a) of the ePrivacy directive.
Other crucial issues about content and network neutrality are at stake as
well. We must remind MEPs that they were elected to protect Europeans'
fundamental rights and freedom rather than abolishing them in favour of
particular interests."
In a letter of September last year, 11 German civil liberties, journalists,
lawyers and consumer protection organisations "urgently" asked the
Commission, the Council and Parliament to scrap the proposed article 6 (6a)
and "maintain the successful regulation of traffic data" which they say has
"proven to constitute the best guarantee for our safety in information
society."
Second opinion of the European Data Protection Supervisor on the review of
Directive 2002/58/EC concerning the processing of personal data and the
protection of privacy in the electronic communications sector (Directive on
privacy and electronic communications) (9.01.2009)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consu…
Open letter to MEP rapporteurs (8.12.2008)
http://www.laquadrature.net/files/20081208_LaQuadrature_letter-rapporteurs-…
Resistance against watering down of traffic data protection (29.10.08)
http://www.vorratsdatenspeicherung.de/content/view/271/79/lang,en/
Position on the processing of traffic data for "security purposes"
(27.01.2009)
http://www.vorratsdatenspeicherung.de/images/wg_esecurity_position.pdf
============================================================
2. Privacy and data protection in the Netherlands in 2008
============================================================
The year 2008 did not improve the course of privacy and data protection in
the Netherlands. The public debate focused on data collection systems
related to fundamental aspects of Dutch citizens' lives, such as
communications, health and movement. Unfortunately, there are no signs that
concerns or incidental public outcry over privacy will lead to significant
improvements to the design of the systems or reconsideration of their goals,
merit and impact on society.
After years of negotiations, the Dutch Data Protection Authority (DPA)
approved the data protection guarantees in the smart card system for the
public transport sector. Besides other major implementation problems, the
smart card system introduces a major privacy concern due to the planned
registration of all travel movements of users of the Dutch public transport
system in a central database. At the end of 2008, the DPA approved the
system after receiving guarantees that only derived data would be used for
marketing purposes with an opt-out and that for any processing of personal
travel movements opt-in will be sought. As there are no hard guarantees
that all personal travel data will be deleted or that the system will not
make it possible to access travel movements in identifiable form, many have
expressed their disappointment with the approval. Another transport related
privacy problem that re-entered the public debate in 2008 was the planned
system for road charging. The current design for the system entails the
collection of details about personal travel movements.
The Dutch Parliament considered the data retention implementation law in the
first half of 2008. In this context, a group of prominent academics voiced
their concern that Dutch society is turning into a control society and a
police state. After the Parliament adopted the law, lowering the data
retention term from 18 to 12 months, the Senate has been critically looking
at the proposal ever since. The Senate has also another law under
consideration that would streamline access for the national security agency
to datasets in the public, communications, transport and financial sector.
Probably the most prominent discussion about privacy took place in the
health sector. The Electronic Patient File (EPD), a centralized system for
the collection and exchange of medical data for use by medical
professionals, caused widespread privacy concerns and generated 170 000
objections. Like the public transport smart card, the EPD has major
implementation problems and has recently been postponed. A similar national
dossier system for children, proposed to improve child care by building an
extensive digital dossier of each young individual, is still on the
political agenda. The broadly defined dataset, including medical data,
psychosocial data and subjective opinions about children and their parents,
will be updated for all children until they reach the age of nineteen, after
which it will be kept for another 15 years.
Finally, a government commissioned report on the balance between privacy and
security in the public sector was published. The report, titled "Do it
simply, Simply do it", concludes that government and public agencies should
be pragmatic, but do much more to protect privacy and deal with the possible
tension between privacy and security while doing their work. The report
gives a number of recommendations and a reference framework for dealing with
privacy and security issues. It advises to "keep it simple, facilitate and
ensure that security and privacy are mutually reinforcing as far as
possible." The report has been widely interpreted in the media as a call to
stop addressing fundamental questions related to the widespread processing
of personal data in the public sector.
EDRi-gram: Dutch Parliament lowers data retention term to 12 months
(4.06.2008)
http://www.edri.org/edrigram/number6.11/nl-data-retention-12-months
Report, 'DO IT SIMPLY - SIMPLY DO IT, to protect security and privacy', (in
Dutch, Bijlage 4 = English Summary, 22.01.2009)
http://www.minbzk.nl/aspx/download.aspx?file=/contents/pages/96602/rapportg…
OV-Chipkaart roll-out creeps forward (16.01.2009)
http://www.railwaygazette.com/news_view/article/2009/01/9219/ov_chipkaart_r…
(Contribution by Joris van Hoboken)
============================================================
3. Data protection in Italy: Loudly more of the same
============================================================
I am sorry to say that I am skeptical about "days" dedicated to this or that
cause or problem. They are often ignored, sometimes briefly celebrated,
rarely leave any relevant trace over time. There are so many that we shall
soon have one a week - and it won't be more relevant than brunch on Sunday.
On the loud and confusing current debate in Italy about data protection, the
situation could be summarised in four words. More of the same. There has
been a lot of wiretapping (sometimes real, sometimes imaginary or
overstated) for over sixty years (actually also long before that, but it's
reasonable to start from when Italy returned to democracy and freedom after
World War Two). And of course it extended to electronic
networks since the very beginning. It's a notorious, though rarely
published, fact that there were legitimate police forces, as well as
"undercover" spies by secret services or private interests, including
scamsters and organised crime, lurking since the days when networking was
based on BBSs or newsgroups and the extended use of the internet was not yet
developed.
Privacy and data protection were practically ignored until a poorly
conceived law was instated in 1996, creating a bureaucratic body called
"Ufficio del Garante" that was supposed to be an "ombudsman" but, de facto,
has rarely done anything in that role, being much more concerned with
complicated and inefficient formalistic ruling and with occasional attention
to the specific cases of politicians or "famous people" being
embarrassed in their "privacy" or spied in legal or illegal ways.
The currently loud debate is more confusing than it is meaningful. While
everybody is saying that it's about the rights of citizens, the truth is
that it relates to the conflicting interests of politicians and mass media.
There have been, over the years, many episodes (and discussions) about
intercepting private telephone conversations, or online communication -
sometimes legally, sometimes not - including some invasive spying done
secretly by individuals or departments in telecoms - in addition to ISPs
being forced by authorities or police to spy on their customers. Another
source of aggressive debate is the "leaking" to the press of recorded
conversations, including private dialogues unrelated to any criminal
investigation.
At this stage, it's hard to understand what is actually happening and what
may happen in the next few days or weeks - or maybe never. Italy's Prime
Minister has publicly announced that he will make "shattering revelations",
but we don't know if and when he, or some government spokesman, will
actually do so - and what the "scandal" might imply. There is threatening
talk about new legislation, but so far no indication of what, when and how.
Also the issue of data retention is discussed in contradictory and confusing
statements, some proclaiming the need to extend it in size and time and some
saying the opposite (more for the cost and organisation problems of
generating and maintaining vast databases than for the protection of
citizens' privacy).
Is this just more inconclusive noise, as has happened many times, or will it
lead to some action on a national scale or (as has been suggested) as
recommendations to the European Union and/or on a wider international scale,
maybe including the G8 meeting to be hosted in Italy in July 2009?
Quite simply, we don't know. And, as far as we can tell, nobody (so far) has
a clear idea of what those rulings or suggestions might imply. There may be
some news in the next few days, or it could take much longer, or it could
vanish (if only for a while) from the political and media scene as other
priorities prevail. Right now, we can only wait and see.
EDRi-gram: ENDitorial- Seizures and other abuses - from bad to worse
(22.10.2008)
http://www.edri.org/edri-gram/number6.20/seizures-and-other-abuses
ALCEI - Data Retention
http://www.alcei.org/?cat=4
Data retention - not only a privacy issue - Civil rights and ambiguity of
crime "prevention" (24.01.2004)
http://gandalf.it/free/datret.htm
Internet freedom, privacy and culture in Italy (and the activity of NGOs)
(02.2000)
http://gandalf.it/free/ifp.htm
(contribution by Giancarlo Livraghi - EDRi-member ALCEI - Italy)
============================================================
4. Romania: Is really privacy a topic in the public debate?
============================================================
Privacy is a sporadic keyword in the Romanian mass-media, and even less used
in public speech. It becomes an ideal motivation only when talking about some
local stars' private lives and their juicy intricacies, while the real debate on
the most important issues is completely lacking. The Human Rights Committees in
the Parliament seem unfamiliar with the topic and the Data Protection
Authority prefers to keep its quiet status. What to discuss anyway?
A law on the Police DNA database was approved by the Parliament in 2008.
The subject did not seem to be appealing for any public debate and the
Chamber of Deputies Human Rights Committee did not see even a minor problem
with that version, so they adopted it unanimously with no amendments. No
reference or report from the data protection authority was considered
useful, but a "simple reference" to law 677/2001 was indicated. The deletion
of the stored data is possible only by decision of the court or prosecutors
that are investigating the case. Therefore, if they forget about that, you
need to start your own case on this. The law provides for 30 crimes for which
collecting DNA is possible.
The April Eurobarometer that investigated perceptions on data protection
among EU citizens shows that 79% of the Romanians have no idea that there is
a law in the field of personal data. I might add to that: if the other 21%
were asked to name it, probably at least 19% would have found that they were
wrong.
The same study reveals that Romania ranks first among EU countries in the
percentage of people (47%) who do not know that there are laws allowing
you to have access to your personal data kept by others. Not surprising with
a Data Protection Authority which is understaffed and has insignificant
powers or will to be an active voice in the public sphere.
But let's be more positive. How can you not be happy when you might find,
after you finish your master courses at the prestigious Academy of Economic
Sciences (ASE) in Bucharest, that you have an account at a Romanian Bank
without signing any act or being informed about it. Isn't it funny to get a
bank statement home from a bank account you had no idea about? The bad part
is that there is no money in it, only the traditional bank commission. The
Representative of ASE must be right: the students are to blame, because they
did not check the ASE web page.
And let's be smart. We can already find a few websites presenting real
databases of Personal Numerical Codes (CNP), or just simulated CNPs that seem
real. The CNP is a 13-digit number on everyone's ID, which should be the
"master identifier". One of the reasons for these databases is that some
telecom operators are asking for the CNP data to activate some extra-options
on the pre-paid cards. Should we care?
The Romanian Government decided to start issuing biometric passports
starting with 1 January 2009, after postponing it a couple of times.
Although most of the public comments against the law involved arguments
related with the "corporate conspiracy", "devil's hand" or "666 dangerous
number", a court case has been initiated by a lawyer in order to stop its
application on privacy grounds. It remains to be seen what the judge will
decide.
The data retention law was approved by the Parliament, even though all the
major key-actors involved in the discussion have agreed that it is useless
and it will not work. But they have supported it, because Romania can't make
a stand in front of the EU. Not yet, at least. Funny enough, the law
includes the first crime related to the misuse of personal data (the
intentional access to the data without a proper authorization is a crime
punished with prison from 6 months to 2 years.)
Even funnier, after the draft law had received almost no comments and little
interest from the media and general public, the day it entered into force
someone discovered it in the Official Journal and a public outcry started
with tons of newspaper articles on the new law, stating that the law "will
keep all the content of communications, including phone calls, SMSs and
emails."
Politicians started to appear on TV claiming privacy breach, when only 3
months before they raised their hands to support the same law. Another
brave action - an online petition - gathered a lot of signatures claiming
that the Romanian Government will create an "archive of all emails sent
by Romanians." All this when the new law says - in black and white - that
the content is not kept. But by saying that, you are already a defender of
government intrusion into private life.
So, I am wrong - privacy is in the public debate. With the totally wrong
subject and no legal arguments, but it is somewhere there. Shouldn't we be
happy?
EDRi-gram: Romanian Govt adopts Data retention law, but calls it inefficient
(27.02.2008)
http://www.edri.org/edrigram/number6.4/romania-data-retention
EDRi-gram: Eurobarometers on data protection in EU (23.04.2008)
http://www.edri.org/edrigram/number6.8/eurobarometer-data-protection
Over 300 master students from ASE accuse the institution of opening bank
accounts without their knowledge (only in Romanian, 24.04.2008)
http://economie.hotnews.ro/stiri-finante_banci-2866018-peste-300-fosti-mast…
Law 76/2008 - Police DNA Database (only in Romanian)
http://www.cdep.ro/proiecte/2008/000/10/8/leg_pl018_08.pdf
Some things about biometric passports (only in Romanian, 27.01.2009)
http://legi-internet.ro/blogs/index.php/2009/01/27/citeva-chestii-pasapoart…
(contribution by Bogdan Manolea, EDRi-member APTI - Romania)
============================================================
5. UK: Phorm threat
============================================================
One particular commercial threat to internet privacy should be looked at
very closely by our fellow European Digital Rights campaigners.
That threat is Phorm: an invasive and probably illegal web advertising
technology that could soon be coming to you.
Phorm works by looking at the web traffic between you (an ISP client) and
the sites you visit. Phorm examines the content of the web pages you visit,
and logs keyword information derived from it. Phorm can then deliver adverts
to you based on keyword information.
For instance, if you visit car related sites, and make searches for new car
models, you would start seeing car adverts when you visit Phorm's partner's
websites.
UK EDRi-member Open Rights Group (ORG) was alerted last March to the serious
privacy concerns Phorm poses, and has been working hard to establish what is
really being advocated.
We believe the technology is fundamentally invasive and illegal. Permission
to examine data moving between website visitor and owner must be approved in
advance by both parties. Not obtaining permission from both parties is
illegal.
Yet UK ISPs such as BT and Virgin are not seeking to gain permission from
website owners.
Seeing web traffic as belonging to sender and receiver is the right way to
view privacy on the net. The data on websites belongs to many people, and
the data exchanged and the relationship between a client and a website owner
should remain private.
Despite these obvious privacy and legal worries, Phorm could soon be on the
agenda in your country too.
ISPs are interested because it gives them the potential to dominate the
internet advertising sector.
Many 'content creators' and EU governments could be interested in Phorm,
because they perceive ad revenues to be slipping from traditional domestic
outlets.
This is why you need to be interested, as Phorm's invasive technology could
easily be seen to be a panacea for Europe's advertising market troubles.
Foundation for information policy research - Open Letter to the Information
Commissioner (17.03.2008)
http://www.fipr.org/080317icoletter.html
The Phorm storm (12.03.2008)
http://www.openrightsgroup.org/2008/03/12/the-phorm-storm/
4 good reasons not to take part in the BT Webwise trial (30.09.2008)
http://www.openrightsgroup.org/2008/09/30/4-good-reasons-not-to-take-part-i…
What BERR want from Phorm - and what we think they're missing (19.09.2008)
http://www.openrightsgroup.org/2008/09/19/what-berr-want-from-phorm-and-wha…
The Phorm "Webwise" System (18.05.2008)
http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf
(contribution by Jim Killock, EDRi-member Open Rights Group - UK)
============================================================
6. Macedonia: Privacy Developments in 2008
============================================================
Even though the Constitution of the Republic of Macedonia and the Law on
Personal Data Protection (LPDP), the Criminal Code, Law on Organization and
Operation of State Administrative Bodies and other laws recognize and
protect the rights of privacy, data protection and secrecy of
communications, the implementation of these protections has met with major
difficulties during 2008.
A small number of Macedonian NGOs cover the issue of privacy, and during
2008 their main concerns involved the protection of human rights of children
on the Internet - including the privacy of children - and the protection of
privacy by the police and law enforcement agencies.
In July 2008, the Parliament ratified the Additional Protocol of the
Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data regarding supervisory authorities and
trans-border data flow. This document was signed on 4 January 2008. In July
2008, the Parliament also enacted the Law that amends the LPDP and increased
the fines for spamming. Both pieces of legislation (the Additional Protocol
and the amendments) came into force on August 19, 2008.
The main amendments and modifications were made for the harmonization with
the EU acquis and CoE Convention, adding specific provisions regarding video
surveillance, the independence of the Directorate for Personal Data
Protection and the simplification of the notification and complaint handling
procedures.
For the period of 2007-2008, the Directorate gave priority to public
awareness on the right of personal data protection. In cooperation with the
EDRI-member Metamorphosis Foundation it implemented the Norwegian model on
raising public awareness for youngsters, through creation of educational
content and conducting public events in three secondary schools.
During 2008, Metamorphosis Foundation implemented the Children's Rights on
the Internet - Safe and Protected (CRISP) project, co-funded by the European
Initiative for Democracy and Human Rights (EIDHR) and Metamorphosis. It
included establishment of a network of 12 NGOs working on the promotion and
safeguarding of children's rights online in cooperation with the Directorate
for Personal Data Protection. Project activities included developing a
curriculum and educational resources in Macedonian and Albanian, available
both offline and online, and conducting trainings. The trainings covered 50
primary and 20 secondary schools with participation of 8,482 children, 1,138
parents and 1,170 teachers from 12 cities and 7 villages from all parts of
Macedonia.
A public panel on privacy in Macedonia held on 26 August 2008, as part of a
public consultation to elaborate the Macedonia Report for Privacy and Human
Rights Report 2008, reiterated the assertions from the previous year that
there has been no public knowledge about cases of implementation of privacy
protection provisions of the Law on Electronic Communications, and spamming
remains widespread practice in the Macedonian business sector. Moreover, at
least one company continues to provide spamming services for other
companies, and the number of Macedonian legal entities who have a privacy
policy remains insignificant.
Even though wiretapping is regulated and unauthorized wiretapping is
prohibited, the wiretapping cases initiated in the past have not reached
closure in court. The most notable example is the process against the state
initiated by 17 journalists who have been subject to surveillance in the
"Big Ear" affair of 2001. Over seven years, four different judges have
unsuccessfully presided over this trial, and it was finally resolved at a
retrial in June 2007. The state was found guilty, but the 17 plaintiffs
stated that they remain dissatisfied with the compensation and the whole
process. Their representatives stated that they won't discontinue the trial
already underway at the European Court of Human Rights in Strasbourg, based
on their complaint. In September 2008, the Appellate court confirmed the
verdict of the basic court, but lowered the damages from the initial 6.000
Euros to approximately 4.000 Euros per journalist. The journalists have
stated that "they are not satisfied with the compensation, and the precedent
sets a signal that the violation of human rights is cheap in Macedonia."
After the Parliamentary elections of June 2008, the Government and the
Parliament used an unjustified fast-track procedure, to adopt changes and
amendments to over 164 laws in July and 17 laws in the following month
without any public debate. These changes included amendments of the Criminal
Procedure Code and the Law on Communication Interception that widened the
powers of surveillance for the law enforcement agencies.
Prominent NGOs such as Foundation Open Society Institute - Macedonia,
Association for Criminal Justice and Criminology of Macedonia and Helsinki
Committee for Human Rights of the Republic of Macedonia condemned the
legalization of preventive surveillance and removal of need to justify
special investigative measures with evidence of reasonable doubt before the
judiciary. The NGOs warned that these changes can turn Macedonia from a
state based on a rule of law into a "police state unconcerned with respect
of basic human rights and freedoms."
In practice, even the older, stricter legislation was not enforced. The
Parliamentary Committee for the supervision of the application of
communication interception techniques by the Ministry of the Interior and
the Ministry of Defense was denied access to data and did not issue any
reports during 2008.
Metamorphosis Foundation also provided opportunities for raising awareness
of opinion and decision makers, for instance, by including data protection
sessions within the 2008 agenda of the Fourth International Conference
e-Society.mk focused on ICT in Education.
In order to raise public awareness, Metamorphosis also formed an
ad-hoc coalition of NGOs and other institutions to celebrate the Freedom Not
Fear Day in Macedonia. FNF coincided with the public holiday of 11 October -
the Day of uprising against fascism in World War II, and involved organizing
public debate at the faculty of law and distribution of information on video
surveillance on university campuses and the centre of Skopje, including an
infostand and public survey. Several thousands of people were reached by
these activities, and most citizens expressed concerns about various ways of
"spying" conducted by the Government, corporations and individuals which
threaten their privacy.
During 2008, legal experts and human rights activists raised concerns about
the extensive use of detention and violation of privacy and the presumption
of innocence. The Macedonian Helsinki Committee and the Human Rights Project
continuously condemned spectacular arrests by the police, which included
inviting the media to film the handcuffed suspects escorted by law
enforcement officers. Only one TV station with license for national
coverage, TV Telma, adopted a policy to no longer broadcast such arrests and
police-escorted transports.
Reacting to changes in the legislation, the Helsinki Committee also organized
a public debate on the reasonable expectations in regard to privacy protection
versus efficiency in the fight against crime and corruption in a state of
laws on 25 November 2005. However, state representatives failed to appear at
the debate and provide arguments that would alleviate the concerns raised by
the representatives of the civil and academic sector.
Metamorphosis Foundation
http://www.metamorphosis.org.mk
International Conference e-Society.mk
http://www.e-society.mk
Macedonia: Public outcry over new legislation for preventive surveillance
http://www.metamorphosis.org.mk/content/view/1198/4/lang,en/
Freedom Not Fear in Macedonia (10-11.10.2008)
http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2008/Skopje
Debate on Privacy in Macedonia (26.08.2008)
http://www.metamorphosis.org.mk/content/view/1250/3/lang,en/
Appellate court confirms: The Big Ear Journalists were
wiretapped (only in Macedonian, 2.09.2008)
http://www.vecer.com.mk/?ItemID=C50F895AE5A071478301A8CF24F47A51
Decree for enacting the Law for changing and amending the Law on Personal
Data Protection (only in Macedonian, 19.08.2008)
http://dzlp.mk:8500/FILES/1164/PUBLIC/CONTENT/57980790416419030709141_FILES…
Fees ranging from 500 to 2000 Euros for unwanted spam-messages (only in
Macedonian, 29.08.2008)
http://www.dnevnik.com.mk/?itemID=1FD6BF9F94C51940AA425A047194D9B5&arc=1
Debate on Privacy in Macedonia, Metamorphosis Foundation (29.09.2008)
http://www.metamorphosis.org.mk/content/view/1250/3/lang,en/
Directorate of Data Protection in Macedonia - Legal grounds for the
protection of personal data in the national legislation
http://www.ceecprivacy.org/main.php?s=2&k=macedonia
Helsinki Committee for Human Rights of the Republic of Macedonia
http://www.mhc.org.mk
Human Rights Support Project
http://www.hrsp.org.mk
(contribution by EDRi-member Metamorphosis Foundation - Macedonia)
============================================================
7. Austria: Some EU data protection policy developments in 2008
============================================================
In Austria the international data protection day on 28 January will pass by
widely unrecognised. This year, as already in 2008, the Data Protection
Commission (DSK; the Austrian Data Protection Authority) and the Data
Protection Council (DSR; a political advisory board) will together organise
a meeting for a strictly limited number of interested persons (max. 100
participants) where they will present European and international
developments in data protection. In contrast to 2008, when they were
confronted with far more than 100 registrations, the event was promoted
very poorly. On the homepage of the DSK and on the 'Data Protection Day'
website on the Council of Europe website it is not even mentioned!
This situation is somewhat symptomatic of Austrian data protection. Data
protection here usually is not for the masses, it is an administrative task
that involves formalised decisions rather than public debate and open
discussions. It's a pity that the organisers of this year's event chose to
maintain the access restrictions. Opening the event for a broader audience
would have given the option for further development towards an annual
Austrian Data Protection Conference. For this year the chance is gone but
there is another chance next year. We'll keep you informed.
The following paragraphs provide a summary of major developments in the past
year with regard to legislative initiatives, surveillance trends and
important data breaches. Finally an outlook to the coming years will be
presented.
Legislative Initiatives
On 6 December 2007 the Austrian Parliament adopted a reform of the law on
security police. Ten minutes before midnight of that day (the last
parliamentary session of the year) members of the governing parties (Social
Democrats and Conservatives) tabled an amendment that significantly
increased the surveillance possibilities for security police, while ignoring
the usual parliamentarian workflow of discussing amendments in the relevant
committee before voting. The result of this initiative is that mobile
telecommunication and Internet providers have to provide location
information of mobile phones and IP addresses on request of security police.
Court permission is not required! In the first five weeks of 2008 location
data of 82 mobile phone users and the identity of 2.766 subscribers were
requested. According to an article published in the Austrian newspaper "Die
Presse" there are 32 such requests per day. The members of the Parliament
who tabled the mentioned amendment received the Austrian Big Brother Award
2008. Several complaints against the law were filed with the Austrian
Constitutional Court.
In April 2008 an amendment to the Data Protection Act 2000 was published for
comments. Key elements are legal requirements for video surveillance by
private operators, new requirements for private businesses with at least 20
employees to create the position of a data protection supervisor and
harmonisation of responsibilities (the federal government gets all data
protection competences). Currently the Data Protection Commission has to
approve video surveillance installations of private operators. According to
the proposed amendment video surveillance will be allowed in future if
dangerous attacks or criminal offences were committed in that area within
the last 10 years, or if expensive objects worth more than 100.000 EUR or of
exceptional artistic value need to be protected. Video surveillance needs to
be properly announced and will remain prohibited in toilets and changing
rooms. Furthermore the amendment proposes a centralised database of all
private video surveillance installations. If needed the police will be
allowed to access the data of these cameras. In general the retention of
video data will be limited to 48 hours, which can be extended on request to
the DSK. In future it will not be required to file realtime
video-surveillance with the DSK. Police access to highway video surveillance
is envisaged and fortunate discoveries may be used for penal action. Due to
the premature reelections of the Austrian Parliament in 2008 the amendment
to the Data Protection Act 2000 finally did not make its way through the
legislative process. It is expected to re-appear in 2009.
On the proposal of the European Commission on the use of Passenger Name
Record data, Social Democrat MPs tabled a motion for resolution with the
Austrian Parliament. They proposed to wait for the decision of the European
Court on the structurally similar data retention directive and on the entering
into force of the Lisbon treaty. Furthermore they ask to consider the
opinion of Article 29 working group on the Commission proposal, since there
are severe data protection concerns.
Data retention - The data retention directive is still not implemented in
Austria. There are no known plans to do so in the near future.
On biometric passports the Council of Ministers decided in June 2008, that
fingerprints of the two index fingers (if existing) will be stored on an
RFID chip on the passport. The data additionally will be stored for up to
four months at the Staatsdruckerei, which produces the passports. Currently
the parliamentarian decision making process is ongoing: On 21.01.2009 the
National Council adopted the respective law with votes of all represented
parties except the Greens. The Federal Council will vote on it on
27.01.2009, one day before the International Data Protection Day. It is
expected that the law will not be rejected there.
In 2007 the Federal Minister of the Interior and the Federal Minister of
Justice agreed on the implementation of hidden uses of remote forensic
software (so called federal trojan horses) and established a working group
to work on the details of the legal and technical issues. In April 2008 the
working group published its final report. The experts claimed that from a
constitutional point of view a number of fundamental rights are affected
which limit the implementation of such online-searches and constitute
warranty deeds for the state.
Surveillance Trends
The major surveillance trends of 2008 all focus on uses of video
surveillance. In traffic control we saw the introduction of systems for
automated checking of road tax vignettes, automated scanning of vehicle
number plates where the collected data is checked against a wanted vehicles
list, and the use of video surveillance for the execution of speed limits
(section control). In the case of section control Austrian highest courts
decided that it only may be used on a case by case order of the competent
Minister, including a detailed description of the special setup.
Other examples of increased video surveillance are the pilot-use of
video-surveillance in trains of Vienna's underground, where data are stored
for 48 hours, video surveillance in trains from the Austrian Railway and
video surveillance in residential buildings owned by the City of Vienna
where garages, elevators and rooms for dust bin storage will be monitored.
The pilot phase of the so called dust bin monitoring was approved by the DSK
and will last until the end of 2009. The aim is protection against vandalism.
Important data breaches
In 2008 the case of a teenage asylum seeker and her family received lots of
media coverage in Austria. When the pressure on the Ministry of the Interior
was too intense, personal data on a family member from the police
information system EKIS and from the police file index leaked to the public.
Pictures from these files together with a corresponding press release were
published on the Internet by a senior official of the Ministry. Police
investigations on this data leakage are ongoing.
The administration of the residential buildings of the City of Vienna,
Wiener Wohnen, sent a questionnaire to all 220 000 renters of their flats
asking for their opinion on their flat, their neighbours, the surrounding of
the building, the security situation, their administration and the City of
Vienna. Wiener Wohnen offered that the questionnaire could be returned
anonymously by blacking out the name printed on the form. The responsible City
Council said that the barcode on the second page of the form only would be
used as a reference to the administrative district the answer came from.
This was at best misleading, since the barcode contained the
renter's complete customer number, which allowed for a personalisation of the
answers given on the questionnaire. The director of Wiener Wohnen received
the Austrian Big Brother Award 2008.
Outlook
After the premature reelections in 2008 a new government took office last
year. Their government programme includes the following topics relevant to
data protection: The use of remote forensic software (so called federal
trojan horses) by police will be allowed. It will be clarified that the DSK
is not competent in cases where the Criminal Investigation Department is
active in cases of criminal law. The cooperation with Schengen partners will
be intensified, common Visa- and Biometric-Centers will be established,
possible cooperation with external service providers (outsourcing) will be
analysed. A DNA-Offensive aims for a nationwide collection and analysis of
DNA samples and will serve as a basis for new application areas. Electronic
health records will gain increased importance.
The implementation of the data retention directive is not mentioned in the
government programme. A decision of the Constitutional Court on the
complaints against the law on Security Police is expected in 2009.
At this year's election of the Austrian Students Union in May 2009 the
Federal Government wants to run an e-voting pilot. The Austrian Students
Union strongly opposes these plans due to unresolved legal and technical
questions. Also the Data Protection Council advised to refrain from these
plans. This pilot election is commonly considered to be a test-case for the
use of e-voting in elections to the Austrian Parliament.
Data Protection Commission
http://www.dsk.gv.at/
Law on Security Police (only in German)
http://www.parlament.gv.at/PG/DE/XXIII/BNR/BNR_00181/pmh.shtml
Die Presse on access to location information and IP addresses by Security
Police (only in German)
http://diepresse.com/home/panorama/oesterreich/370803/index.do
Austrian Big Brother Awards (only in German)
http://www.bigbrotherawards.at/2008
Proposed amendment to the Data Protection Act 2000 (only in German)
http://www.parlament.gv.at/PG/DE/XXIII/ME/ME_00182/pmh.shtml
Motion for a resolution on PNR-data (only in German)
http://www.parlament.gv.at/PG/DE/XXIII/A/A_00651/pmh.shtml
Parliamentary decision on biometric passports (only in German)
http://www.parlament.gv.at/PG/PR/JAHR_2009/PK0023/PK0023.shtml
Final report of the working group on remote forensic software (so called
federal trojan horses)(only in German)
http://www.justiz.gv.at/_cms_upload/_docs/AG_OnlineDurchsuchung_Endbericht.…
Government programme of the Austrian Federal Government (only in German)
http://www.oevp.at/Common/Downloads/Regierungsprogramm2008-2013.pdf
Opinion of the Data Protection Council on E-Voting at the elections to the
Austrian Students Union (only in German)
http://www.bundeskanzleramt.at/DocView.axd?CobId=31084
(contribution by Michael Hofer and Andreas Krisch - EDRi member VIBE!AT)
============================================================
8. France: Who have they forgotten to control today?
============================================================
The CNIL, the French Data Protection Authority, published on 20 January
2009 a report on a massive control operation it conducted on the STIC
("Système de traitement des infractions constatées" or "Recorded offences
treatment system"), a huge police database. The report reveals that the STIC
is consulted by each one of the 100.000 authorised policemen 200 times a
year on average. This immediately reminded me of the old British Telecom's
slogan: "who have you forgotten to call today?"
Police files have been the main concern in France in 2008, especially after
the creation, by decrees published on 1st July 2008, of two new intelligence
databases, EDVIGE and CRISTINA. CRISTINA aims at "Centralising inland
intelligence for homeland security and national interests", and is covered
by the defence secret, which means that no one knows any detail on this
file. This is not the case for EDVIGE, which generated such a massive
mobilization in society that the government finally had to withdraw the
EDVIGE decree in November 2008.
EDVIGE would have systematically gathered information on any person having
applied for or exercised a political, union or economical mandate or playing
a significant institutional, economical, social or religious part as well as
information on any person, starting from the age of 13, considered by the
police as a "suspect" potentially capable of disrupting the public order.
After the strong opposition of a large number of associations, political
parties, unions and individuals, with a petition signed by almost 220.000
individuals and 1200 associations, a complaint filed by 12 labour unions and
rights organizations, among them EDRI-member IRIS, before the French highest
administrative court, and a huge national day against EDVIGE on 16 October
where 10.000 persons took part in demonstrations in 60 French cities, the
government finally had to react. It announced a modified project, called
EDVIRSP, not yet published. While the new file would explicitly exclude
information related to people's health or sexual orientation, it would keep
other sensitive personal data such as ethnical origin, as well as political,
philosophical, religious opinions or union affiliation, and would still
allow the police to store data on minors starting at the age of 13 if they
are considered a threat to public safety.
CNIL's President said that "the STIC is more dangerous than EDVIGE", because
of the huge number of errors the CNIL has found in the STIC. But the main
difference is that the CNIL will never be able to establish errors in
EDVIGE, contrarily to the STIC, because EDVIGE will never contain any fact,
but simply presumption of facts that could be committed.
The STIC is dangerous enough, however. The file exists since 1995, but was
officially created only in 2001. The CNIL report established that the STIC
now concerns half of the French population, without any age limitation. An
individual is registered in the STIC by the police after an offence has been
committed. The point is that one can be registered either as a victim, or as
the suspected author of the offence. Then the file is supposed to be updated
after a court decision, which might find that the suspected author is not
guilty. But the CNIL report findings are that this update very seldom
occurs, and that sometimes a victim is mistakenly registered as a suspect.
All in all, the STIC error rate found by the CNIL is 83%. Not only is this
error rate 'staggering' as CNIL's President commented, but it also has
major social consequences, since in 2003 a law extended the STIC's purposes
to the records checking of people applying to a large range of jobs,
especially in the security field. The report evaluates to 1 million the
number of persons who weren't hired, or were fired from their jobs, simply
because they were wrongly recorded in the STIC, sometimes because they
actually were a victim, sometimes because their situation wasn't updated
after a court decision. STIC opponents warned against these dangers as early
as 10 years ago. Here we are now.
In December 2008, another report commissioned by the French Ministry of
Interior has inventoried some 45 police files, whereas 34 were already in
place in 2006. Some of them contain biometric and genetic data.
Among the biometric files, a centralized population database is currently
being established, with the decree on French biometric passport having been
published on 30 April 2008. A complaint filed against the French government
by EDRI-member IRIS and the French Human Rights League is still pending.
Main arguments of the complaint are: the collection of 8 digital
fingerprints of the passport holder (whereas the European Council regulation
requires only 2), the fact that this also applies to children starting from
age 6, and the creation of a centralized database containing all information
on the passport holder, including biometric data.
Another pending complaint against the French government concerns the ELOI
database, created to manage the expulsion of illegal migrants. The complaint
has been filed by EDRI-member IRIS, with the French Human Rights League and
two other French organizations for the support of migrants. This database
has been created by decree on 26 December 2007, after the same organizations
won a previous complaint against a first version of ELOI. For the
plaintiffs, a data retention period of 3 years, as well as the collection of
migrants' children data, remain violating the French and European
legislation on data protection.
These files are only examples of a strong and enduring trend in France,
which consists of huge centralized population databases, increased use of
biometric and genetic data, considering migrants as a target, and, last but
not least, specifically targeting children.
Year 2008 has shown however that the concern is growing in the general
public, and this is a good sign. While the French have not really reacted to
data retention issues, they seem to start considering that police databases
and other files created by other administrations, especially when they
concern children, are now going too far. When the government is facing
massive citizen mobilisation, it has to go backwards. This is the lesson
learnt with EDVIGE in 2008.
Year 2009 needs to be carefully watched out, though. The law implementing
the "graduated response" or the "three strikes approach" against filesharers
is expected to pass this year. New measures to fight cybercrime have also
been announced. EDVIRSP, the new version of EDVIGE, is expected soon. And
the draft law on biometric ID cards has been ready for months, and will probably
be submitted to the Parliament as soon as things calm down on the
privacy front.
CNIL Report: Conclusions on the control of the STIC (only in
French, 20.01.2009)
http://www.cnil.fr/fileadmin/documents/approfondir/dossier/Controles_Sancti…
IRIS Press Release: ' CNIL's control of the STIC: a healthy exercise, but
timorous conclusions' (only in French, 23.01.2009)
http://www.iris.sgdg.org/info-debat/comm-stic0109.html
EDRI-gram: French EDVIGE decree withdrawn (3.12.2008)
http://www.edri.org/edri-gram/number6.23/edvige-retired
French Interior Ministry Report: 'Better controlling mechanisms
implementation to better protect freedoms' (11.12.2008, only in French)
http://lesrapports.ladocumentationfrancaise.fr/BRP/084000748/0000.pdf
EDRI-gram: Complaint Against The French Govt To Annul The Biometric Passport
Decree (16.07.2008)
http://www.edri.org/edrigram/number6.14/complaint-french-biometric-passport
EDRI-gram: Eloi - A French Database To Manage The Expulsion Of Illegal
Migrants (16.01.2008)
http://www.edri.org/edrigram/number6.1/eloi-french-database
(Contribution by Meryem Marzouki, EDRI member IRIS - France)
============================================================
9. Privacy in Germany 2008: A new fundamental right, a privacy mass
movement, and the usual surveillance suspects
============================================================
The year of 2008 can be marked as the year where privacy moved high on the
public agenda in Germany. On 1st of January, the law on data retention went
into effect, which made Germany drop from number one to seven in the country
ranking published by Privacy International. On the same day, a
constitutional challenge was submitted at the supreme court. The German
working group on data retention and its allies managed to have more than
34,000 people participate in this case - the largest constitutional
complaint ever seen in German history. The paperwork had to be brought to
the constitutional court in huge moving boxes, which also offered a nice
photo opportunity for everyone wanting to demonstrate how many people oppose
data retention.
In February we saw the constitutional court decision on secret online
searches of peoples' hard drives (the "federal trojan"). The court limited
the use of this tool for cases where there are "factual indications of a
concrete danger" in a specific case for the life, body and freedom of
persons or for the foundations of the state or the existence of humans,
government agencies may use these measures after approval by a judge. The
decision was widely considered a landmark ruling, because it also
constituted a new "basic right to the confidentiality and integrity of
information-technological systems" as part of the general personality rights
in the German constitution.
In March, the Chaos Computer Club published the fingerprint of the federal
minister for the interior, Wolfgang Schäuble. This sparked high public
attention and made frontpage news, and proved that biometric authentication
as introduced in the German passport and identity card is not safe at all.
Inspired by the recent successes, the growing number of privacy activists
held a de-central action day in May. Different kinds of activities, like
demonstrations, flash mobs, information booths, privacy parties, workshops,
and cultural activities took place all over Germany.
Over the summer, some of the biggest German companies helped in raising
public awareness of the risks of large data collections. Almost every week,
there were reports on a big supermarket chain spying on its employees, on
cd-roms with tens of thousands of customer data sets from call centers -
including bank account numbers - being sold on the grey market, on the
largest German telecommunications provider using retained traffic data for
spying on its supervisory board and on high-ranking union members, on an
airline using its booking system to spy on critical journalists, on two
large universities accidentally making all student data available online,
or on a big mobile phone provider "losing" 17 million customer data sets.
The Federal Government, under building public pressure, introduced some
small changes for the federal data protection law, but at the same time
continued its push for more surveillance measures in the hands of the
federal criminal agency (Bundeskriminalamt, BKA). These included the secret
online searches the constitutional court had just cut down to very
exceptional circumstances a few months earlier. The German public discussed
these moves very critically, especially since journalists are exempted from
special protections that are given to priests, criminal defense lawyers, and
doctors.
Because of the public concern and debate about privacy risks, the call to
another mass street protest was even more successful than ever before. The
"Freedom not Fear" action day on 11th October was the biggest privacy event
of the year. In Berlin, between 50,000 and 70,000 persons protested
peacefully against data retention and other forms of "surveillance mania",
making it the biggest privacy demonstration in German history. Privacy
activists in many cities all over the world participated with very diverse
and creative kinds of activities and turned this day into the first
international action day "Freedom not Fear".
The anti-surveillance protests finally kicked off some serious discussion
within the Social Democratic Party in a number of the German Länder
(states). This resulted in a loss of the majority for the law on the federal
criminal agency (BKA) in the second chamber (Bundesrat) in the first vote.
It only was passed weeks later, after some changes were introduced, and with
heavy pressure from leading federal Social Democrats. The new law is still
seen as unconstitutional by many legal and privacy experts and in January
2009 a case was submitted to the constitutional court.
Privacy activists in the fall of 2008 also campaigned against the retention
on flight passenger name records, forcing Brigitte Zypries, the German
minister of justice, to freeze her plans on the matter until after the
federal elections in the fall of 2009. More recently, the working group on
data retention attacked the "voluntary data retention" proposed in the EU
telecom package, as well as the renewed data exchange agreements between the
EU and the USA.
EDRi-gram: Germany: New basic right to privacy of computer systems
(27.02.2008)
http://www.edri.org/edrigram/number6.4/germany-constitutional-searches
EDRi-gram: German constitutional challenge on Data Retention (12.03.2008)
http://www.edri.org/edrigram/number6.5/germany-data-retention
EDRi-gram: Fingerprinting the fingerprint proponent (9.04.2008)
http://www.edri.org/edrigram/number6.7/fingerprint-schauble
EDRi-gram: German Protests in over 30 cities against surveillance (2.07.2008)
http://www.edri.org/edrigram/number6.13/german-protests-surveillance
EDRi-gram: International Action Day "Freedom not Fear" (22.10.2008)
http://www.edri.org/edri-gram/number6.20/freedom-not-fear-international-day
(contribution by Annika Kremer, Working Group on Data Retention, and Ralf
Bendrath, EDRi member Netzwerk Neue Medien - Germany)
============================================================
10. Some EU data protection policy developments in 2008
============================================================
Will 2008 be remembered as the Data Retention implementation year or the
first Freedom not Fear day? As always with the conclusions, we might answer
better this question in 2009 or 2018. But let's look at some facts from the
last year now.
One of the main hot privacy topics during 2008 was related to the
implementation of the EU data retention Directive 2006/24/EC in several
European countries. Despite the fact that data retention has been resisted
in some countries in Europe, with 15 March 2009 as the final day for
starting to retain Internet-related data, most of the EU member states
adopted data retention laws only in 2008. The reactions have been strong,
but in just a few cases led to the review of the respective laws.
Germany has seen large debates and protests after the adoption of the data
retention law at the end of 2007. In February 2008, the German Working Group
on Data Retention submitted to the German Federal Constitutional Court the
mandates of over 34 000 citizens willing to fight against the storage of
their telecommunications. A preliminary decision taken by the Court on 19
March 2008 supported the case, considering that parts of the German act are
unconstitutional pending review.
In Bulgaria, on 11 December 2008, the Bulgarian Supreme Administrative Court
(SAC) annulled article 5 of the national legislation that implements the
Data retention Directive, following a lawsuit initiated by Access to
Information Program (AIP). Article 5 of the Bulgarian Regulation # 40 that
was issued by the State Agency on Information Technologies and Communication
and the Ministry of Interior provided for a "passive access through a
computer terminal" by the Ministry of Interior, as well as access without
court permission by security services and other law enforcement bodies, to
all retained data by Internet and mobile communication providers.
The European Court of Justice (ECJ) is still considering the action started
on 6 July 2006 by Ireland against the Council of the European Union and
European Parliament on the formal grounds for adopting the Data Retention
Directive.
A first hearing of the action by ECJ took place on 1 June 2008 in
Luxembourg. The legal basis of the data retention directive was supported by
the European Parliament and Council, but also by the Commission, Spain,
Netherlands and EDPS, Peter Hustinx. On 14 October 2008, the ECJ Advocate
General gave his opinion on the case considering the data retention
directive was founded on an appropriate legal basis, therefore recommending
the dismissal of the action. The decision of the Court will be made public
on 10 February 2009.
The German Working Group on Data Retention drafted an amicus curiae brief in
this case claiming that the data retention directive was also illegal on
human rights grounds, breaching the right to respect for private life and
correspondence, the freedom of expression and the protection of property.
The German Group was joined by several civil liberties NGOs and professional
associations, including EDRi.
It appears that the ECJ will not look into those aspects, but a future
action is possible in asking the European Court to consider the
compatibility with human rights. This could be initiated by the German
Federal Constitutional Court as an issue related with the action from the
German Working Group of Data Retention and/or by the Irish courts, following
the action initiated by EDRi-member Digital Rights Ireland.
An international day of action against data retention took place on 11
October under the name "Freedom not Fear". During that day, protests took
place in more than 15 countries worldwide against surveillance measures such
as the collection and retention of all telecommunications data. The
surveillance of air travellers and the biometric registration of citizens
was another subject of the "Freedom not Fear" day, as 2008 has seen
developments on the issue.
The PNR US-EU agreement continued to raise questions and worries with many
negotiations between the US government and the European Commission. In
March, the German Working Group on Data Retention published two applications
to the European Court of Justice contesting the transfer of PNR data to the
US arguing that the collection of all PNR data violated the basic right to
privacy and protection of our personal data, authorities were given an
unforeseeable use of the data for other purposes, and that passengers'
sensitive data were not effectively protected against access. A recent
report from US Department of Homeland Security (DHS) regarding the Passenger
Name Record (PNR) information from the EU-US flights confirms a number of
major dysfunctionalities, that proves the DHS did not comply with the EU
agreement or with the US legislation in its use of PNR.
At the European level, despite the large opposition, the European Council
decided to extend the PNR scheme to the EU space, following the position of
some governments which expressed their intention to even extend the PNR
scheme to all types of travel and even among EU countries.
The text proposed in October 2008 included the choice of individual states
to take the measure at the national level meaning that PNR would be
collected by all Member States on all flights in and out of the EU and the
choice of surveying intra-community flights belonged to the Member States.
The attempt to pile up DNA databases was continued in 2008 with the UK as
leader. However the European Court of Human Rights (ECHR) decision taken on
4 December in the Marper case could change the way things are working today.
ECHR confirmed that, in agreement with Article 8 of the European Convention
on Human Rights, the retention of cellular samples, fingerprints and DNA
profiles constituted an infringement of the right for private life.
On 24 September 2008, the Telecom Package of rules governing the Internet
and telecoms sectors proposed by the European Commission was approved by the
European Parliament in the first reading. Despite the amendments brought by
the EP, the package is still worrying the civil rights groups, both on data
retention and IP issues. The voluntary data retention issue is one of the
major hot topics contested by the civil society (see also the first article
in this EDRi-gram).
A promising amendment was proposed by the European Parliament to the
ePrivacy Directive that included the obligation of the information society
services providers to notify personal data related security breaches to the
national authorities which was suggested by the European Data Protection
Supervisor's opinion in April. But the new texts suggested by the Commission
and the Council seem to contradict the Parliament and the final decision
will probably be taken in the second reading, estimated for April 2009.
We can not wish to have a conclusion that may clear the waters. The
optimists will look at the full part of the glass where we might see the
ECHR Marper case. The pessimists might see the EU PNR scheme or some strange
provisions of the Telecom Package.
EDRI page on data retention
http://www.edri.org/issues/privacy/dataretention
EDRI page on PNR
http://www.edri.org/issues/privacy/pnr
EDRI page on biometrics
http://www.edri.org/issues/technology/biometrics
EDRi page on privacy
http://www.edri.org/issues/privacy
National data retention policies
https://wiki.vorratsdatenspeicherung.de/Transposition
============================================================
11. Towards International Data Protection Standards
============================================================
In October 2008, the 30th International Conference of Privacy and Data
Protection Commissioners in Strasbourg adopted a resolution on the urgent
need for protecting privacy in a borderless world, and for reaching a Joint
Proposal for setting International Standards on Privacy and Personal Data
Protection.
Following this resolution, the Spanish Data Protection Authority (DPA) - as
the organiser of the 31st international DPA Conference to be held in
November 2009 - has set up a working group on drafting this Joint Proposal.
The first meeting of this working group was held on invitation of the
Spanish DPA and the DPA of Catalonia on 12 January in Barcelona.
Participants in this meeting were not only the interested international Data
Protection Authorities but also data protection experts from academia,
businesses and civil society, amongst which EDRi.
EDRi very much welcomes this standardisation initiative of the International
Conference of Privacy and Data Protection Commissioners. Provided that the
defined standards are not set below the requirements of the current European
data protection legislation - which is very unlikely to happen - an
international standard on data protection will not only serve as an
important tool for international data exchange but also as a worldwide
benchmark for data protection legislation. Besides that, it provides the
opportunity to work on issues that are likely to cause difficulties with
emerging technologies (like for example the concept of the data controller
in RFID environments or cloud computing).
As this one day meeting clearly showed, the creation of an international
standard on Privacy and Personal Data Protection is not an easy task and it
is by far unclear whether this task can possibly be completed by the next
International Conference of Privacy and Data Protection Commissioners in
November 2009 in Madrid. But with the draft document provided by the
organisers of the meeting and the inputs provided by the participants in the
meeting a first step is already taken. In the following months the working
group will go into the details and present the outcomes at the Madrid
conference.
Resolution on the urgent need for protecting privacy in a borderless world,
and for reaching a Joint Proposal for setting International Standards on
Privacy and Personal Data Protection adopted by the 30th International
Conference of Privacy and Data Protection Commissioners (17.10.2008)
http://www.privacyconference2008.org/adopted_resolutions/STRASBOURG2008/res…
Announcement of the Barcelona Meeting by the DPA of Catalonia (only in
Spanish, 8.01.2009)
http://www.apdcat.net/noticia.php?not_id=93
Intervention of the director of the DPA of Catalonia (only in Spanish,
14.01.2009)
http://www.apdcat.net/noticia.php?not_id=97
Press statement of the Spanish DPA (only in Spanish, 13.01.2009)
https://www.agpd.es/portalweb/revista_prensa/revista_prensa/2009/notas_pren…
(contribution by Andreas Krisch - EDRi)
============================================================
12. Recommended Action
============================================================
Declaration to Reject the Copyright Term Extension Directive with
signatories (01.2009)
http://www.edri.org/files/Joint_Statement_Final.pdf
Reject term extension directive (21.01.2009)
http://www.edri.org/reject-term-extention-directive
============================================================
13. Recommended Reading
============================================================
Article 29 Working Party - The 2007 Annual Report
English
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/annual_reports_en…
German
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/annual_reports_de…
French
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/annual_reports_fr…
============================================================
14. Agenda
============================================================
3-4 February 2009, Victoria, British Columbia, Canada
10th Annual Privacy and Security Conference "Life in a Digital Fishbowl: A
Struggle for Survival or a Sea of Opportunity?"
http://www.rebootconference.com/privacy2009/
7-8 February 2009, Brussels, Belgium
Free and Open source Software Developers' European Meeting (FOSDEM)
http://www.fosdem.org/2009/
18-20 March 2009, Athens, Greece
WebSci'09: Society On-Line
http://www.websci09.org/
27-29 March 2009, Manchester, UK
Oekonux Conference: Free Software and Beyond The World of Peer Production
http://www.oekonux-conference.org/
29-31 March 2009, Edinburgh, UK
"Governance Of New Technologies: The Transformation Of Medicine, Information
Technology And Intellectual Property" An International Interdisciplinary
Conference
http://www.law.ed.ac.uk/ahrc/conference09/
1-3 April 2009, Berlin, Germany
re:publica 2009 "Shift happens"
http://www.re-publica.de/09/
Subconference: 2nd European Privacy Open Space
http://www.privacyos.eu/
13-14 May 2009 Uppsala, Sweden
Mashing-up Culture: The Rise of User-generated Content
http://www.counter2010.org/workshop_call
24-28 May 2009, Venice, Italy
ICIMP 2009, The Fourth International Conference on Internet Monitoring
and Protection
http://www.iaria.org/conferences2009/ICIMP09.html
1-4 June 2009, Washington, DC, USA
Computers Freedom and Privacy 2009
http://www.cfp2009.org/
5 June 2009, London, UK
The Second Multidisciplinary Workshop on Identity in the Information
Society (IDIS 09): "Identity and the Impact of Technology"
Call for papers, deadline 13 March 2009
http://is2.lse.ac.uk/idis/2009/
2-3 July 2009, Padova, Italy
3rd FLOSS International Workshop on Free/Libre Open Source Software
Paper submission by 31 March 2009
http://www.decon.unipd.it/personale/curri/manenti/floss/floss09.html
13-16 August 2009, Vierhouten, The Netherlands
Hacking at Random
http://www.har2009.org/
23-27 August 2009, Milan, Italy
World Library and Information Congress: 75th IFLA General Conference and
Council: "Libraries create futures: Building on cultural heritage"
http://www.ifla.org/IV/ifla75/index.htm
10-12 September 2009, Potsdam, Germany
5th ECPR General Conference, Potsdam
Section: Protest Politics
Panel: The Contentious Politics of Intellectual Property
First proposals to be submitted by 1 February 2009
http://www.ecpr.org.uk/potsdam/default.asp
16-18 September 2009, Crete, Greece
World Summit on the Knowledge Society WSKS 2009
http://www.open-knowledge-society.org/
October 2009, Istanbul, Turkey
eChallenges 2009
Call for papers by 27 February 2009
http://www.echallenges.org/e2009/default.asp?page=c4p
15-18 November 2009, Sharm El Sheikh, Egypt
UN Internet Governance Forum
http://www.intgovforum.org/
============================================================
15. About
============================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 29 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Hi all,
As one of those lucky souls with access to almost limitless
bandwidth and the skills (or stupidity) to use it, I suppose an apology
is in order:
I'm sorry- after reviewing what *could* be the consequences, I have
to wimp out based on professional risk factors... I can't run an exit
node. So I have to leave it to other folks who have a different
situation to do the heavy lifting.
What I *am* doing is deploying a couple of heavy iron closed relays
on OC3 or better bandwidth. The first is now deployed after a lot of up
and down testing, and I'll get to the second in due time.
I've been watching Tor for a long time and just recently decided to
get involved. The Iran situation cemented that decision.
Anyhow, here are some random thoughts:
On the "Who uses Tor?" section of the website, I see no mention of
IT people. I've used the Tor network for many practical uses as an IT
Director. These range from bypassing my own firewall to test incoming
connections, to helping my legal department do research on a pending
lawsuit without the opposition *knowing* we even looked at their
website. Having a random and easily accessible IP to initiate
connections from is a priceless testing tool. Especially when dealing
with niggling routing problems.
On one occasion my ISP was having routing/DNS problems, and Tor was
able to find an entrance node and allow me to work even though I
couldn't get to my remote servers directly. This saved my client a lot
of downtime, and might have saved me the account. Also, my employer's
R&D department sometimes needs to look at things they don't want anyone
to know they looked at (All quite legal mind you).
Quite frankly Tor is an undervalued IT tool and its capabilities
should be trumpeted loudly on the web page. You might also find IT guys
like me throwing up some relays in exchange. After all- who has the
bandwidth anyway?
And before anyone accuses me of it, I'm not nearly stupid enough to
do a port scan over Tor. Phew.
One of the issues I ran into when looking into running an exit relay
had to do with not only the legalities, but identifying a server vendor
that was offshore from my home country and friendly to a Tor exit. In
order for me to run an exit node, I have to be completely shielded.
As it stands now, I can probably run an exit for instant messaging-
and that's it. However, if Tor itself had a relationship with someone
who rents hardware, perhaps a partnership, Tor could get the exit nodes
it needs, and the server vendor could get lots of cash. From my
standpoint, it doesn't matter whether I rent or colocate my hardware. So
if Tor as an organization had a partnership with a few server rental
whores (in multiple countries), it would simplify getting more exits. I
need servers, Tor runs with little impact on my server, I could care
less where my remote hardware is provisioned from. Bingo- more exits.
I read back about 6 months in the or-talk list and there were a
couple of suggestions inferring that *everyone* should be forced to be
an exit node. I think this is a very bad idea, and hurts the security of
the person trying to remain anonymous by causing an identifiable change
in bandwidth usage that could infer Tor usage (Information leakage).
Simply speaking, on a default Windows/Vidalia installation, outgoing
Tor traffic usually looks like https traffic, but on a forced exit, now
Tor is identified by relatively matched traffic on port 443 both in and
out of the client's connection (Unless its entrance node is a *nix
variant). This could mean death (literal) for a political dissident who
is now identified as having an in/out matching traffic pattern assuming
his entrance node is on Windows. It is more likely that a country
monitoring its citizens would miss simple https traffic. But even
myself as a lowly IT director, would have alarm bells going off if https
was initiating in two directions from the same machine. Alternative
ports can also set off alarm bells. But given the nature of Onion
Routing, two way traffic needs to be avoided in the most sensitive
situations. Forcing exit nodes is a bad idea for users. It
will also drive away anyone who cannot provide an exit node.... that's
chasing away bandwidth as non exit relays run for the hills.
Long post. Too much coffee and too much time staring at routing tables.
Michael
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[IP] US drafting plan to allow government access to any email or Web search
by David Farber 06 Jul '18
________________________________________
From: jsq(a)internetperils.com [jsq(a)internetperils.com] On Behalf Of John S. Quarterman [jsq(a)quarterman.org]
Sent: Thursday, January 31, 2008 11:17 AM
To: David Farber
Cc: John S. Quarterman; ip
Subject: Re: [IP] US drafting plan to allow government access to any email or Web search
Dave, for IP:
The New Yorker article is available in HTML now:
http://www.newyorker.com/reporting/2008/01/21/080121fa_fact_wright
Bruce Schneier has nailed the "security vs. privacy" canard that
McConnell promotes:
"The debate isn't security versus privacy. It's liberty versus control."
http://www.wired.com/politics/security/commentary/securitymatters/2008/01/s…
And while people may think that AT&T should worry about losing liability
protection if it filters all traffic, if McConnell's plan goes through
AT&T and other telcos and cablecos will be able to wrap themselves in
the flag while they're doing it:
http://riskman.typepad.com/peerflow/2008/01/policing-cybers.html
-jsq
> From: Rich Kulawiec [rsk(a)gsp.org]
> Sent: Monday, January 14, 2008 6:41 PM
> To: Fergie; David Farber; Richard Forno; Lauren Weinstein
> Subject: US drafting plan to allow government access to any email or Web search
>
> Quoting from:
>
> http://rawstory.com/news/2007/US_drafting_plan_to_allow_government_0114.html
>
> National Intelligence Director Mike McConnell is drawing up
> plans for cyberspace spying that would make the current debate
> on warrantless wiretaps look like a "walk in the park," according
> to an interview published in the New Yorker's print edition today.
>
> Debate on the Foreign Intelligence Surveillance Act "will be a
> walk in the park compared to this," McConnell said. "this is going
> to be a goat rope on the Hill. My prediction is that we're going
> to screw around with this until something horrendous happens."
>
> The article, which profiles the 65-year-old former admiral
> appointed by President George W. Bush in January 2007 to oversee
> all of America's intelligence agencies, was not published on
> the New Yorker's Web site. (It can be read here in pdf).
>
> [...]
>
> The PDF link points to:
>
> http://online.wsj.com/public/resources/documents/WashWire.pdf
>
> which I'm unable to access at the moment.
>
> ---Rsk
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE