CRYPTO-GRAM
May 15, 2006
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier(a)counterpane.com
http://www.schneier.com
http://www.counterpane.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0604.html>. These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Movie Plot Threat Contest: Status Report
Who Owns Your Computer?
Crypto-Gram Reprints
Identity-Theft Disclosure Laws
When "Off" Doesn't Mean Off
News
RFID Cards and Man-in-the-Middle Attacks
Software Failure Causes Airport Evacuation
Counterpane News
Microsoft's BitLocker
The Security Risk of Special Cases
Comments from Readers
** *** ***** ******* *********** *************
Movie Plot Threat Contest: Status Report
On the first of last month, I announced my (possibly First) Movie-Plot
Threat Contest.
"Entrants are invited to submit the most unlikely, yet still plausible,
terrorist attack scenarios they can come up with.
"Your goal: cause terror. Make the American people notice. Inflict
lasting damage on the U.S. economy. Change the political landscape, or
the culture. The more grandiose the goal, the better.
"Assume an attacker profile on the order of 9/11: 20 to 30 unskilled
people, and about $500,000 with which to buy skills, equipment, etc."
As of the end of the month, the blog post has 782 comments. I expected
a lot of submissions, but the response has blown me away.
Looking over the different terrorist plots, they seem to fall into
several broad categories. The first category consists of attacks
against our infrastructure: the food supply, the water supply, the
power infrastructure, the telephone system, etc. The idea is to
cripple the country by targeting one of the basic systems that make it
work.
The second category consists of big-ticket plots. Either they have
very public targets -- blowing up the Super Bowl, the Oscars, etc. --
or they have high-tech components: nuclear waste, anthrax, chlorine
gas, a full oil tanker, etc. And they are often complex and hard to
pull off. This is the 9/11 idea: a single huge event that affects the
entire nation.
The third category consists of low-tech attacks that go on and
on. Several people imagined a version of the DC sniper scenario, but
with multiple teams. The teams would slowly move around the country,
perhaps each team starting up after the previous one was captured or
killed. Other people suggested a variant of this with small bombs in
random public locations around the country.
(There's a fourth category: actual movie plots. Some entries are
comical, unrealistic, have science fiction premises, etc. I'm not even
considering those.)
The better ideas tap directly into public fears. In my book, Beyond
Fear, I discussed five different tendencies people have to exaggerate
risks: to believe that something is more risky than it actually is.
1. People exaggerate spectacular but rare risks and downplay common risks.
2. People have trouble estimating risks for anything not exactly like
their normal situation.
3. Personified risks are perceived to be greater than anonymous risks.
4. People underestimate risks they willingly take and overestimate
risks in situations they can't control.
5. People overestimate risks that are being talked about and remain an
object of public scrutiny.
The best plot ideas leverage one or more of those
tendencies. Big-ticket attacks leverage the first. Infrastructure and
low-tech attacks leverage the fourth. And every attack tries to
leverage the fifth, especially those attacks that go on and on. I'm
willing to bet that when I find a winner, it will be the plot that
leverages the greatest number of those tendencies to the best possible
advantage.
I also got a bunch of e-mails from people with ideas they thought too
terrifying to post publicly. Some of them wouldn't even tell them to
me. I also received e-mails from people accusing me of helping the
terrorists by giving them ideas.
But if there's one thing this contest demonstrates, it's that good
terrorist ideas are a dime a dozen. Anyone can figure out how to cause
terror. The hard part is execution.
Some of the submitted plots require minimal skill and
equipment. Twenty guys with cars and guns -- that sort of
thing. Reading through them, you have to wonder why there have been no
terrorist attacks in the U.S. since 9/11. I don't believe the
"flypaper theory" that the terrorists are all in Iraq instead of in the
U.S. And despite all the ineffectual security we've put in place since
9/11, I'm sure we have had some successes in intelligence and
investigation -- and have made it harder for terrorists to operate both
in the U.S. and abroad.
But mostly, I think terrorist attacks are much harder than most of us
think. It's harder to find willing recruits than we think. It's
harder to coordinate plans. It's harder to execute those
plans. Terrorism is rare, and for all we've heard about 9/11 changing
the world, it's still rare.
The submission deadline was the end of April, but please keep posting
plots if you think of them. And please read through some of the others
and comment on them; I'm curious as to what other people think are the
most interesting, compelling, realistic, or effective scenarios.
I'm reading through them, and will have a winner by the next Crypto-Gram.
Contest:
http://www.schneier.com/blog/archives/2006/04/announcing_movi.html
Flypaper theory:
http://en.wikipedia.org/wiki/Flypaper_theory_%28strategy%29
The contest made The New York Times:
http://www.nytimes.com/2006/04/23/movies/23peterson.html?ex=1303444800&en=c7ccc8d756fc98e7&ei=5090&partner=rssuserland&emc=rss
or http://tinyurl.com/qyh3b
** *** ***** ******* *********** *************
Who Owns Your Computer?
When technology serves its owners, it is liberating. When it is
designed to serve others, over the owner's objection, it is oppressive.
There's a battle raging on your computer right now -- one that pits you
against worms and viruses, Trojans, spyware, automatic update features
and digital rights management technologies. It's the battle to
determine who owns your computer.
You own your computer, of course. You bought it. You paid for it. But
how much control do you really have over what happens on your machine?
Technically you might have bought the hardware and software, but you
have less control over what it's doing behind the scenes.
Using the hacker sense of the term, your computer is "owned" by other
people.
It used to be that only malicious hackers were trying to own your
computers. Whether through worms, viruses, Trojans or other means, they
would try to install some kind of remote-control program onto your
system. Then they'd use your computers to sniff passwords, make
fraudulent bank transactions, send spam, initiate phishing attacks and
so on. Estimates are that somewhere between hundreds of thousands and
millions of computers are members of remotely controlled "bot"
networks. Owned.
Now, things are not so simple. There are all sorts of interests vying
for control of your computer. There are media companies that want to
control what you can do with the music and videos they sell you. There
are companies that use software as a conduit to collect marketing
information, deliver advertising or do whatever it is their real owners
require. And there are software companies that are trying to make money
by pleasing not only their customers, but other companies they ally
themselves with. All these companies want to own your computer.
Some examples:
1. Entertainment software: In October 2005, it emerged that Sony had
distributed a rootkit with several music CDs -- the same kind of
software that crackers use to own people's computers. This rootkit
secretly installed itself when the music CD was played on a computer.
Its purpose was to prevent people from doing things with the music that
Sony didn't approve of: It was a DRM system. If the exact same piece of
software had been installed secretly by a hacker, this would have been
an illegal act. But Sony believed that it had legitimate reasons for
wanting to own its customers' machines.
2. Antivirus: You might have expected your antivirus software to detect
Sony's rootkit. After all, that's why you bought it. But initially, the
security programs sold by Symantec and others did not detect it,
because Sony had asked them not to. You might have thought that the
software you bought was working for you, but you would have been wrong.
3. Internet services: Hotmail allows you to blacklist certain e-mail
addresses, so that mail from them automatically goes into your spam
trap. Have you ever tried blocking all that incessant marketing e-mail
from Microsoft? You can't.
4. Application software: Internet Explorer users might have expected
the program to incorporate easy-to-use cookie handling and pop-up
blockers. After all, other browsers do, and users have found them
useful in defending against Internet annoyances. But Microsoft isn't
just selling software to you; it sells Internet advertising as well. It
isn't in the company's best interest to offer users features that would
adversely affect its business partners.
5. Spyware: Spyware is nothing but someone else trying to own your
computer. These programs eavesdrop on your behavior and report back to
their real owners -- sometimes without your knowledge or consent --
about your behavior.
6. Update: Automatic update features are another way software companies
try to own your computer. While they can be useful for improving
security, they also require you to trust your software vendor not to
disable your computer for nonpayment, breach of contract or other
presumed infractions.
Adware, software-as-a-service and Google Desktop search are all
examples of some other company trying to own your computer. And Trusted
Computing will only make the problem worse.
There is an inherent insecurity to technologies that try to own
people's computers: They allow individuals other than the computers'
legitimate owners to enforce policy on those machines. These systems
invite attackers to assume the role of the third party and turn a
user's device against him.
Remember the Sony story: The most insecure feature in that DRM system
was a cloaking mechanism that gave the rootkit control over whether you
could see it executing or spot its files on your hard disk. By taking
ownership away from you, it reduced your security.
If left to grow, these external control systems will fundamentally
change your relationship with your computer. They will make your
computer much less useful by letting corporations limit what you can do
with it. They will make your computer much less reliable because you
will no longer have control of what is running on your machine, what it
does, and how the various software components interact. At the extreme,
they will transform your computer into a glorified boob tube.
You can fight back against this trend by only using software that
respects your boundaries. Boycott companies that don't honestly serve
their customers, that don't disclose their alliances, that treat users
like marketing assets. Use open-source software -- software created and
owned by users, with no hidden agendas, no secret alliances and no
back-room marketing deals.
Just because computers were a liberating force in the past doesn't mean
they will be in the future. There is enormous political and economic
power behind the idea that you shouldn't truly own your computer or
your software, despite having paid for it.
This essay originally appeared on Wired.com.
http://www.wired.com/news/columns/1,70802-0.html
Trusted computing:
http://www.schneier.com/crypto-gram-0208.html#1
** *** ***** ******* *********** *************
Crypto-Gram Reprints
Crypto-Gram is currently in its ninth year of publication. Back issues
cover a variety of security-related topics, and can all be found on
<http://www.schneier.com/crypto-gram-back.html>. These are a selection
of articles that appeared in this calendar month in other years.
REAL-ID
http://www.schneier.com/crypto-gram-0505.html#2
Should Terrorism be Reported in the News?
http://www.schneier.com/crypto-gram-0505.html#3
Combating Spam
http://www.schneier.com/crypto-gram-0505.html#15
Warrants as a Security Countermeasure
http://www.schneier.com/crypto-gram-0405.html#1
National Security Consumers
http://www.schneier.com/crypto-gram-0405.html#9
Encryption and Wiretapping
http://www.schneier.com/crypto-gram-0305.html#1
Unique E-Mail Addresses and Spam
http://www.schneier.com/crypto-gram-0305.html#6
Secrecy, Security, and Obscurity
http://www.schneier.com./crypto-gram-0205.html#1
Fun with Fingerprint Readers
http://www.schneier.com./crypto-gram-0205.html#5
What Military History Can Teach Network Security, Part 2
http://www.schneier.com/crypto-gram-0105.html#1
The Futility of Digital Copy Protection
http://www.schneier.com/crypto-gram-0105.html#3
Security Standards
http://www.schneier.com/crypto-gram-0105.html#7
Safe Personal Computing
http://www.schneier.com/crypto-gram-0105.html#8
Computer Security: Will we Ever Learn?
http://www.schneier.com/crypto-gram-0005.html#1
Trusted Client Software
http://www.schneier.com/crypto-gram-0005.html#6
The IL*VEYOU Virus (Title bowdlerized to foil automatic e-mail filters.)
http://www.schneier.com/crypto-gram-0005.html#ilyvirus
The Internationalization of Cryptography
http://www.schneier.com/crypto-gram-9905.html#international
The British discovery of public-key cryptography
http://www.schneier.com/crypto-gram-9805.html#nonsecret
** *** ***** ******* *********** *************
Identity-Theft Disclosure Laws
California was the first state to pass a law requiring companies that
keep personal data to disclose when that data is lost or stolen. Since
then, many states have followed suit. Now Congress is debating federal
legislation that would do the same thing nationwide.
Except that it won't do the same thing: The federal bill has become so
watered down that it won't be very effective. I would still be in favor
of it -- a poor federal law is better than none -- if it didn't also
pre-empt more-effective state laws, which makes it a net loss.
Identity theft is the fastest-growing area of crime. It's badly named
-- your identity is the one thing that cannot be stolen -- and is
better thought of as fraud by impersonation. A criminal collects enough
personal information about you to be able to impersonate you to banks,
credit card companies, brokerage houses, etc. Posing as you, he steals
your money, or takes a destructive joyride on your good credit.
Many companies keep large databases of personal data that is useful to
these fraudsters. But because the companies don't shoulder the cost of
the fraud, they're not economically motivated to secure those databases
very well. In fact, if your personal data is stolen from their
databases, they would much rather not even tell you: Why deal with the
bad publicity?
Disclosure laws force companies to make these security breaches public.
This is a good idea for three reasons. One, it is good security
practice to notify potential identity theft victims that their personal
information has been lost or stolen. Two, statistics on actual data
thefts are valuable for research purposes. And three, the potential
cost of the notification and the associated bad publicity naturally
leads companies to spend more money on protecting personal information
-- or to refrain from collecting it in the first place.
Think of it as public shaming. Companies will spend money to avoid the
PR costs of this shaming, and security will improve. In economic terms,
the law reduces the externalities and forces companies to deal with the
true costs of these data breaches.
This public shaming needs the cooperation of the press and,
unfortunately, there's an attenuation effect going on. The first major
breach after California passed its disclosure law -- SB1386 -- was in
February 2005, when ChoicePoint sold personal data on 145,000 people to
criminals. The event was all over the news, and ChoicePoint was shamed
into improving its security.
Then LexisNexis exposed personal data on 300,000 individuals. And
Citigroup lost data on 3.9 million individuals. SB1386 worked; the only
reason we knew about these security breaches was because of the law.
But the breaches came in increasing numbers, and in larger quantities.
After a while, it was no longer news. And when the press stopped
reporting, the "cost" of these breaches to the companies declined.
Today, the only real cost that remains is the cost of notifying
customers and issuing replacement cards. It costs banks about $10 to
issue a new card, and that's money they would much rather not have to
spend. This is the agenda they brought to the federal bill, cleverly
titled the Data Accountability and Trust Act, or DATA.
Lobbyists attacked the legislation in two ways. First, they went after
the definition of personal information. Only the exposure of very
specific information requires disclosure. For example, the theft of a
database that contained people's first *initial*, middle name, last
name, Social Security number, bank account number, address, phone
number, date of birth, mother's maiden name and password would not have
to be disclosed, because "personal information" is defined as "an
individual's first and last name in combination with ..." certain other
personal data.
Second, lobbyists went after the definition of "breach of security."
The latest version of the bill reads: "The term 'breach of security'
means the unauthorized acquisition of data in electronic form
containing personal information that establishes a reasonable basis to
conclude that there is a significant risk of identity theft to the
individuals to whom the personal information relates."
Get that? If a company loses a backup tape containing millions of
individuals' personal information, it doesn't have to disclose if it
believes there is no "significant risk of identity theft." If it leaves
a database exposed, and has absolutely no audit logs of who accessed
that database, it could claim it has no "reasonable basis" to conclude
there is a significant risk. Actually, the company could point to an ID
Analytics study that showed the probability of fraud to someone who has
been the victim of this kind of data loss to be less than 1 in 1,000 --
which is not a "significant risk" -- and then not disclose the data
breach at all.
Even worse, this federal law pre-empts the 23 existing state laws --
and others being considered -- many of which contain stronger
individual protections. So while DATA might look like a law protecting
consumers nationwide, it is actually a law protecting companies with
large databases *from* state laws protecting consumers.
So in its current form, this legislation would make things worse, not
better.
Of course, things are in flux. They're *always* in flux. The language
of the bill has changed regularly over the past year, as various
committees got their hands on it. There's also another bill, HR3997,
which is even worse. And even if something passes, it has to be
reconciled with whatever the Senate passes, and then voted on again. So
no one really knows what the final language will look like.
But the devil is in the details, and the only way to protect us from
lobbyists tinkering with the details is to ensure that the federal bill
does not pre-empt any state bills: that the federal law is a minimum,
but that states can require more.
That said, disclosure is important, but it's not going to solve
identity theft. As I've written previously, the reason theft of
personal information is so common is that the data is so valuable. The
way to mitigate the risk of fraud due to impersonation is not to make
personal information harder to steal, it's to make it harder to use.
Disclosure laws only deal with the economic externality of data brokers
protecting your personal information. What we really need are laws
prohibiting credit card companies and other financial institutions from
granting credit to someone using your name with only a minimum of
authentication.
But until that happens, we can at least hope that Congress will refrain
from passing bad bills that override good state laws -- and helping
criminals in the process.
California's SB 1386:
http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
or http://tinyurl.com/dgh0
Existing state disclosure laws:
http://www.pirg.org/consumer/credit/statelaws.htm
http://www.cwalsh.org/cgi-bin/blosxom.cgi/2006/04/20#breachlaws
HR 4127 - Data Accountability and Trust Act:
http://thomas.loc.gov/cgi-bin/query/C?c109:./temp/~c109XvxF76
HR 3997:
http://thomas.loc.gov/cgi-bin/query/C?c109:./temp/~c109gnLQGA
ID Analytics study:
http://www.idanalytics.com/news_and_events/20051208.htm
My essay on identity theft:
http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html
A version of this essay originally appeared on Wired.com:
http://www.wired.com/news/columns/0,70690-0.html
** *** ***** ******* *********** *************
When "Off" Doesn't Mean Off
According to the specs of the Nintendo Wii (Nintendo's new game machine),
"Wii can communicate with the Internet even when the power is turned
off." Nintendo accentuates the positive: "This WiiConnect24 service
delivers a new surprise or game update, even if users do not play with
Wii," while ignoring the possibility that Nintendo can deactivate a
game if it chooses to do so, or that someone else can deliver a
different -- not so wanted -- surprise.
We all know that, but what's interesting here is that Nintendo is
changing the meaning of the word "off." We are all conditioned to
believe that "off" means off, and therefore safe. But in Nintendo's
case, "off" really means something like "on standby." If users expect
the Nintendo Wii to be truly off, they need to pull the power plug --
assuming there isn't a battery foiling that tactic. There seems to be
no way to disconnect the Internet, as the Nintendo Wii is wireless only.
Maybe there is no way to turn the Nintendo Wii off.
There's a serious security problem here, made worse by a bad user
interface. "Off" should mean off.
http://wii.nintendo.com/hardware.html
** *** ***** ******* *********** *************
News
It's a provocative headline: "Triple DES Upgrades May Introduce New ATM
Vulnerabilities." Basically, at the same time that ATM owners are
upgrading their encryption to triple-DES, they're also moving the
communications links from dedicated lines to the Internet. And while
the protocol encrypts PINs, it doesn't encrypt any of the other
information, such as card numbers and expiration dates. So it's the
move from dedicated lines to the Internet that's adding the
insecurities, not the triple-DES upgrades.
http://www.paymentsnews.com/2006/04/redspin_triple_.html
Someone filed change-of-address forms with the post office to divert
other people's mail to himself. 170 times. "Postal Service
spokeswoman Patricia Licata said a credit card is required for security
reasons. 'We have systems in place to prevent this type of occurrence,'
she said, but declined further comment on the specific case until
officials have time to analyze what happened." Sounds like those
systems don't work very well.
http://www.wvec.com/news/local/stories/wvec_local_041306_mail_scam.312100f4.html
A deniable file system:
http://www.schneier.com/blog/archives/2006/04/deniable_file_s.html
Great hoax video: graffiti on Air Force One:
http://www.stillfree.com/
http://abcnews.go.com/Technology/wireStory?id=1875386
The Department of Homeland Security has released a Request for Proposal
-- that's the document asking industry if anyone can do what it wants
-- for the Secure Border Initiative.
http://www.washingtontechnology.com/news/1_1/daily_news/28381-1.html
Stuntz and Solove Debate Privacy and Transparency
http://www.tnr.com/user/nregi.mhtml?i=20060417&s=stuntz041706
http://www.concurringopinions.com/archives/2006/04/william_stuntzs.html#more
or http://tinyurl.com/o4jte
http://www.tnr.com/user/nregi.mhtml?i=20060417&s=stuntz041706
http://www.concurringopinions.com/archives/2006/04/stuntz_responds.html
or http://tinyurl.com/mqrzt
Terrorist travel advisory: "My son and I woke up Sunday morning and
drove a rented truck to New York City to move his worldly goods into an
apartment there. As we made it to the Holland Tunnel, after traveling
the Tony Soprano portion of the Jersey Turnpike with a blue moon in our
eyes, the woman in the tollbooth informed us that, since 9/11, trucks
were not allowed in the tunnel; we'd have to use the Lincoln Tunnel,
she said. So if you are a terrorist trying to get into New York from
Jersey, be advised that you're going to have to use the Lincoln Tunnel."
http://www.post-gazette.com/pg/06110/683563-294.stm
The Kryptos Sculpture is located in the center of the CIA Headquarters
in Langley, VA. It was designed in 1990, and contains a four-part
encrypted puzzle. The first three parts have been solved, but now
we've learned that the second-part solution was wrong and has been
re-solved:
http://www.elonka.com/kryptos/CorrectedK2Announcement.html
http://www.wired.com/news/technology/0,70701-0.html
More on the sculpture:
http://en.wikipedia.org/wiki/Kryptos
http://www.elonka.com/kryptos/
Blog entry URL:
http://www.schneier.com/blog/archives/2006/04/the_kryptos_scu.html
Mafia boss secures his data with Caesar cipher.
http://dsc.discovery.com/news/briefs/20060417/mafiaboss_tec.html
Microsoft Vista's endless security warnings:
http://www.winsupersite.com/reviews/winvista_5308_05.asp
The problem with lots of warning dialog boxes is that they don't
provide security. Users stop reading them. They think of them as
annoyances, as an extra click required to get a feature to
work. Clicking through gets embedded into muscle memory, and when it
actually matters the user won't even realize it.
http://www.codinghorror.com/blog/archives/000571.html
http://west-wind.com/weblog/posts/4678.aspx
These dialog boxes are not security for the user, they're CYA security
*from* the user. When some piece of malware trashes your system,
Microsoft can say: "You gave the program permission to do that; it's
not our fault." Warning dialog boxes are only effective if the user
has the ability to make intelligent decisions about the warnings. If
the user cannot do that, they're just annoyances. And they're
annoyances that don't improve security.
http://blogs.zdnet.com/Ou/?p=209
Digital cameras have unique fingerprints:
http://www.eurekalert.org/pub_releases/2006-04/bu-bur041806.php
Interesting research, but there's one important aspect of this
fingerprint that the article did not talk about: how easy is it to
forge? Can someone analyze 100 images from a given camera, and then
doctor a pre-existing picture so that it appeared to come from that
camera? My guess is that it can be done relatively easily.
Kaspersky Labs reports on extortion scams using malware:
http://www.viruslist.com/en/analysis?pubid=184012401#crypto
Among other worms, the article discusses the GpCode.ac worm, which
encrypts data using 56-bit RSA (no, that's not a typo). The whole
article is interesting reading.
Larry Beinhart makes an interesting case for the elimination of most
government secrecy.
http://www.buzzflash.com/contributors/06/04/con06131.html
He has a good argument, although I think the issue is a bit more
complicated.
http://www.schneier.com/crypto-gram-0205.html#1
"Security Myths and Passwords," by Gene Spafford:
http://www.cerias.purdue.edu/weblogs/spaf/general/post-30
There was a code in the judge's ruling on the Da Vinci Code plagiarism
case. It was solved way too quickly after it was discovered, because
the judge gave out some really obvious hints. But you can read about
it here:
http://www.schneier.com/blog/archives/2006/04/da_vinci_code_r.html
As an aside, I am mentioned in Da Vinci Code. No, really. Page 199 of
the American hardcover edition. "Da Vinci had been a cryptography
pioneer, Sophie knew, although he was seldom given credit. Sophie's
university instructors, while presenting computer encryption methods
for securing data, praised modern cryptologists like Zimmermann and
Schneier but failed to mention that it was Leonardo who had invented
one of the first rudimentary forms of public key encryption centuries
ago." That's right. I am a realistic background detail.
http://fishbowl.pastiche.org/2004/07/06/house_of_cards
Technology Review has an interesting article discussing some of the
technologies used by the NSA in its warrantless wiretapping program,
some of them from the killed Total Information Awareness (TIA) program.
http://www.technologyreview.com/read_article.aspx?ch=infotech&sc=&id=16741&pg=1 or http://tinyurl.com/ruafx
John Dvorak argues that Internet Explorer was Microsoft's greatest
mistake ever. Certainly its decision to tightly integrate IE with the
operating system -- done as an anti-competitive maneuver against
Netscape during the Browser Wars -- has resulted in some enormous
security problems that Microsoft has still not recovered from. Not
even with the introduction of IE7.
http://www.pcmag.com/print_article2/0,1217,a=176507,00.asp
Security in comics: attackers are adaptable:
http://www.comics.com/comics/hedge/archive/hedge-20060423.html
We've talked about counterfeit money, counterfeit concert tickets,
counterfeit police credentials, and counterfeit police
departments. Here's a story about a counterfeit company.
http://www.iht.com/articles/2006/04/27/business/nec.php
Verizon has announced that it has activated the Access Overload Control
(ACCOLC) system, allowing some cell phones to have priority access to
the network, even when the network is overloaded. Sounds like you're
going to have to enter some sort of code into your handset. I wonder
how long before someone hacks that system.
http://www.pcsintel.com/content/view/1293/0/
An arson squad blows up a news rack, mistaking a promotion for Tom
Cruise's new movie for a bomb. Really; you can't make this kind of
stuff up.
http://www.editorandpublisher.com/eandp/news/article_display.jsp?vnu_content_id=1002425411 or http://tinyurl.com/n3286
Assault weapon that passes through X-ray machines.
http://www.promoinnovations.com/xray.htm
A man sues Compaq for false advertising. He bought the computer
because it was advertised as totally secure. But after he committed
some crimes and the FBI got his computer, they were able to recover his
data. This is what I said in the article: "Unfortunately, this
probably isn't a great case. Here's a man who's not going to get much
sympathy. You want a defendant who bought the Compaq computer, and
then, you know, his competitor, or a rogue employee, or someone who
broke into his office, got the data. That's a much more sympathetic
defendant."
http://hartfordadvocate.com/gbase/News/content?oid=oid:153106
Infant identity theft victim:
http://www.abcnews.go.com/US/story?id=155878&page=1
An improv group in New York dressed up like Best Buy employees and went
into a store, secretly videotaping the results. My favorite
part: "Security guards and managers started talking to each other
frantically on their walkie-talkies and headsets. 'Thomas Crown Affair!
Thomas Crown Affair!,' one employee shouted. They were worried that we
were using our fake uniforms to stage some type of elaborate heist. 'I
want every available employee out on the floor RIGHT NOW!'"
http://www.improveverywhere.com/mission_view.php?mission_id=57
Stealing cars with laptops:
http://www.leftlanenews.com/2006/05/03/gone-in-20-minutes-using-laptops-to-steal-cars/ or http://tinyurl.com/mkr9s
http://slashdot.org/articles/06/05/03/1928256.shtml
The rapper MC Plus+ has written a song about cryptography, "Alice and
Bob." It mentions DES, AES, Blowfish, RSA, SHA-1, and more. And me!
http://www.cs.purdue.edu/homes/anavabi/mp3/MC%20Plus+%20-%20Algorhythms%20-%20Alice%20and%20Bob.mp3 or http://tinyurl.com/8jov2
Here's an article about "geeksta rap."
http://www.wired.com/news/culture/0,1284,67970,00.html
The DHS secretly shares European air passenger data in violation of
agreement:
http://www.aclu.org/privacy/spying/25335prs20060425.html
Shell has suspended its chip-and-pin payment system in the UK, after
fraudsters stole over one million pounds. Lots of details on my blog:
http://www.schneier.com/blog/archives/2006/05/shell_suspends.html
According to this article, the ultimate terrorist threat is flying
robot drones. The article really pegs the movie-plot threat hype-meter.
http://www.physorg.com/news66197469.html
A reporter finds an old British Airways boarding pass, and proceeds to
use it to find everything else about the person.
http://www.guardian.co.uk/g2/story/0,,1766138,00.html
Notice the economic pressures: "'The problem here is that a commercial
organisation is being given the task of collecting data on behalf of a
foreign government, for which it gets no financial reward, and which
offers no business benefit in return,' says Laurie. 'Naturally, in such
a case, they will seek to minimise their costs, which they do by
handing the problem off to the passengers themselves. This has the neat
side-effect of also handing off liability for data errors.'"
Five stories of RFID hacking:
http://www.wired.com/wired/archive/14.05/rfid.html
And IBM thinks it has a solution: a removable tag that reduces the
range of the RFID chip:
http://wired.com/news/technology/0,70793-0.html
Why not disable it entirely?
Serious computer problems inside the NSA:
http://www.baltimoresun.com/news/custom/attack/bal-te.nsa26feb26,0,6311175.story or http://tinyurl.com/rgrso
Meanwhile, the NSA is building a massive traffic-analysis database on
Americans' calling patterns:
http://www.usatoday.com/news/washington/2006-05-10-nsa_x.htm
http://www.prospect.org/weblog/2006/05/post_336.html#002317
http://glenngreenwald.blogspot.com/2006/05/no-need-for-congress-no-need-for.html
http://www.orinkerr.com/2006/05/11/thoughts-on-the-legality-of-the-latest-nsa-surveillance-program/
http://www.orinkerr.com/2006/05/12/more-thoughts-on-the-legality-of-the-nsa-call-records-program/
Major vulnerability found in Diebold election machines. This one is a
big deal.
http://www.insidebayarea.com/ci_3805089
http://www.blackboxvoting.org/BBVtsxstudy.pdf
Comparing the security of election machines with the security of slot
machines:
http://www.washingtonpost.com/wp-dyn/content/graphic/2006/03/16/GR2006031600213.html or http://tinyurl.com/gda98
Thief disguises himself as a museum guard and tricks employees into
giving him 200,000 euros:
http://today.reuters.com/news/articlenews.aspx?type=oddlyEnoughNews&storyid=2006-05-03T204308Z_01_L02306327_RTRUKOC_0_US-ITALY-THIEF.xml or http://tinyurl.com/j3q6k
Fascinating first-person account of being on the TSA's watch list:
http://arstechnica.com/news.ars/post/20060506-6767.html
Reconceptualizing national intelligence:
http://www.fas.org/blog/secrecy/2006/05/curing_analytic_pathologies.html or http://tinyurl.com/lc2of
Public-key cryptography for digital notarization in Pennsylvania.
http://www.nationalnotary.org/news/index.cfm?Text=newsNotary&newsID=851 or http://tinyurl.com/r9z4w
http://www.eweek.com/article2/0,1895,1955701,00.asp
** *** ***** ******* *********** *************
RFID Cards and Man-in-the-Middle Attacks
Recent articles about a proposed US-Canada and US-Mexico travel
document (kind of like a passport, but less useful), with an embedded
RFID chip that can be read up to 25 feet away, have once again made
RFID security newsworthy.
My views have not changed. The most secure solution is a smart card
that only works in contact with a reader; RFID is much more risky. But
if we're stuck with RFID, the combination of shielding for the chip,
basic access control security measures, and some positive action by the
user to get the chip to operate is a good one. The devil is in the
details, of course, but those are good starting points.
And when you start proposing chips with a 25-foot read range, you need
to worry about man-in-the-middle attacks. An attacker could
potentially impersonate the card of a nearby person to an official
reader, just by relaying messages to and from that nearby person's card.
Here's how the attack would work. In this scenario, customs Agent
Alice has the official card reader. Bob is the innocent traveler, in
line at some border crossing. Mallory is the malicious attacker, ahead
of Bob in line at the same border crossing, who is going to impersonate
Bob to Alice. Mallory's equipment includes an RFID reader and transmitter.
Assume that the card has to be activated in some way. Maybe the cover
has to be opened, or the card taken out of a sleeve. Maybe the card
has a button to push in order to activate it. Also assume the card has
some challenge-reply security protocol and an encrypted key exchange
protocol of some sort.
1. Alice's reader sends a message to Mallory's RFID chip.
2. Mallory's reader/transmitter receives the message, and rebroadcasts
it to Bob's chip. (Bob is somewhere else, out of Alice's range.)
3. Bob's chip responds normally to a valid message from Alice's
reader. He has no way of knowing that Mallory relayed the message.
4. Mallory's reader transmitter receives Bob's message and rebroadcasts
it to Alice. Alice has no way of knowing that the message was relayed.
5. Mallory continues to relay messages back and forth between Alice and
Bob.
Defending against this attack is hard. (I talk more about the attack
in Applied Cryptography, Second Edition, page 109.) Time stamps don't
help. Encryption doesn't help. It works because Mallory is simply
acting as an amplifier. Mallory might not be able to read the
messages. He might not even know who Bob is. But he doesn't
care. All he knows is that Alice thinks he's Bob.
Precise timing can catch this attack, because of the extra delay that
Mallory's relay introduces. But I don't think this is part of the spec.
The attack can be easily countered if Alice looks at Mallory's card and
compares the information printed on it with what she's receiving over
the RFID link. But near as I can tell, the point of the 25-foot read
distance is so cards can be authenticated in bulk, from a distance.
According to the news.com article: "Homeland Security has said, in a
government procurement notice posted in September, that "read ranges
shall extend to a minimum of 25 feet" in RFID-equipped identification
cards used for border crossings. For people crossing on a bus, the
proposal says, 'the solution must sense up to 55 tokens.'"
If Mallory is on that bus, he can impersonate any nearby Bob who
activates his RFID card early. And at a crowded border crossing, the
odds of some Bob doing that are pretty good.
From the Federal Computer Week article: "If that were done, the PASS
system would automatically screen the cardbearers against criminal
watch lists and put the information on the border guard's screen by the
time the vehicle got to the station, Williams said."
And would predispose the guard to think that everything's okay, even if
it isn't.
I don't think people are thinking this one through.
http://news.com.com/New+RFID+travel+cards+could+pose+privacy+threat/2100-1028_3-6062574.html or http://tinyurl.com/le82d
http://www.fcw.com/article94113-04-18-06-Web
My views on RFID identity cards:
http://www.schneier.com/blog/archives/2005/08/rfid_passport_s_1.html
** *** ***** ******* *********** *************
Software Failure Causes Airport Evacuation
Last month I wrote about airport passenger screening, and mentioned
that the X-ray equipment inserts "test" bags into the stream in order
to keep screeners more alert. That system failed pretty badly earlier
this week at Atlanta's Hartsfield-Jackson Airport, when a false alarm
resulted in a two-hour evacuation of the entire airport.
The screening system injects test images onto the screen. Normally the
software flashes the words "This is a test" on the screen after a brief
delay, but this time the software failed to indicate that. The
screener noticed the image (of a "suspicious device," according to CNN)
and, per procedure, screeners manually checked the bags on the conveyor
belt for it. They couldn't find it, of course, but they evacuated the
airport and spent two hours vainly searching for it.
Hartsfield-Jackson is the country's busiest passenger airport. It's
Delta's hub city. The delays were felt across the country for the rest
of the day.
Okay, so what went wrong here? Clearly the software failed. Just as
clearly the screener procedures didn't fail -- everyone did what they
were supposed to do.
What is less obvious is that the system failed. It failed, because it
was not designed to fail well. A small failure -- in this case, a
software glitch in a single X-ray machine -- cascaded in such a way as
to shut down the entire airport. This kind of failure magnification is
common in poorly designed security systems. Better would be for there
to be individual X-ray machines at the gates -- I've seen this design
at several European airports -- so that when there's a problem the
effects are restricted to that gate.
Of course, this distributed security solution would be more
expensive. But I'm willing to bet it would be cheaper overall, taking
into account the cost of occasionally clearing out an airport.
http://www.cnn.com/2006/US/04/20/atlanta.airport/index.html
What I wrote last month:
http://www.schneier.com/blog/archives/2006/03/airport_passeng.html
** *** ***** ******* *********** *************
Counterpane News
On May 23, Schneier will be opening a new speaking series by the ACLU
with a talk on "The Future of Privacy."
http://www.aclu.org/privacy/25551res20060512.html
Schneier will be speaking at the Gartner IT Security Summit in
Washington DC, June 5-7:
http://www.gartner.com/2_events/conferences/sec12.jsp
Schneier will be speaking at the ACLU New Jersey Membership Conference:
https://www.aclu-nj.org/events/aclunjmembershipconference
Schneier will be speaking at the ACLU Vermont Privacy Conference:
http://www.acluvt.org/news/display.php?sid=1145047166&PHPSESSID=31bdcefa418904b0caab1ffbde1f8a64 or http://tinyurl.com/pdzyy
Tipping Point is offering Managed Security Services through an alliance
with Counterpane:
http://www.counterpane.com/pr-20060501.html
** *** ***** ******* *********** *************
Microsoft's BitLocker
BitLocker Drive Encryption is a new security feature in Windows Vista,
designed to work with the Trusted Platform Module (TPM). Basically, it
encrypts the C drive with a computer-generated key. In its basic mode,
an attacker can still access the data on the drive by guessing the
user's password, but would not be able to get at the drive by booting
the disk up using another operating system, or removing the drive and
attaching it to another computer.
There are several modes for BitLocker. In the simplest mode, the TPM
stores the key and the whole thing happens completely invisibly. The
user does nothing differently, and notices nothing different.
The BitLocker key can also be stored on a USB drive. Here, the user
has to insert the USB drive into the computer during boot. Then
there's a mode that uses a key stored in the TPM and a key stored on a
USB drive. And finally, there's a mode that uses a key stored in the
TPM and a four-digit PIN that the user types into the computer. This
happens early in the boot process, when there's still ASCII text on the
screen.
Note that if you configure BitLocker with a USB key or a PIN, password
guessing doesn't work. BitLocker doesn't even let you get to a
password screen to try.
For most people, basic mode is the best. People will keep their USB
key in their computer bag with their laptop, so it won't add much
security. But if you can force users to attach it to their key chains
-- remember that you only need the key to boot the computer, not to
operate the computer -- and convince them to go through the trouble of
sticking it in their computer every time they boot, then you'll get a
higher level of security.
There is a recovery key: optional but strongly encouraged. It is
automatically generated by BitLocker, and it can be sent to some
administrator or printed out and stored in some secure location. There
are ways for an administrator to set group policy settings mandating
this key.
There aren't any back doors for the police, though.
You can get BitLocker to work in systems without a TPM, but it's
kludgy. You can only configure it for a USB key. And it only will
work on some hardware: because BitLocker starts running before any
device drivers are loaded, the BIOS must recognize USB drives in order
for BitLocker to work.
Encryption particulars: The default data encryption algorithm is
AES-128-CBC with an additional diffuser. The diffuser is designed to
protect against ciphertext-manipulation attacks, and is independently
keyed from AES-CBC so that it cannot damage the security you get from
AES-CBC. Administrators can select the disk encryption algorithm
through group policy. Choices are 128-bit AES-CBC plus the diffuser,
256-bit AES-CBC plus the diffuser, 128-bit AES-CBC, and 256-bit
AES-CBC. (My advice: stick with the default.) The key management
system uses 256-bit keys wherever possible. The only place where a
128-bit key limit is hard-coded is the recovery key, which is 48 digits
(including checksums). It's shorter because it has to be typed in
manually; typing in 96 digits will piss off a lot of people -- even if
it is only for data recovery.
So, does this destroy dual-boot systems? Not really. If you have
Vista running, then set up a dual boot system, BitLocker will consider
this sort of change to be an attack and refuse to run. But then you
can use the recovery key to boot into Windows, then tell BitLocker to
take the current configuration -- with the dual boot code -- as
correct. After that, your dual boot system will work just fine, or so
I've been told. You still won't be able to share any files on your C
drive between operating systems, but you will be able to share files on
any other drive.
The problem is that it's impossible to distinguish between a legitimate
dual boot system and an attacker trying to use another OS -- whether
Linux or another instance of Vista -- to get at the volume.
BitLocker is not a DRM system. However, it is straightforward to turn
it into a DRM system. Simply give programs the ability to require that
files be stored only on BitLocker-enabled drives, and then only be
transferable to other BitLocker-enabled drives. How easy this would be
to implement, and how hard it would be to subvert, depends on the
details of the system.
BitLocker is also not a panacea. But it does mitigate a specific but
significant risk: the risk of attackers getting at data on drives
directly. It allows people to throw away or sell old drives without
worry. It allows people to stop worrying about their drives getting
lost or stolen. It stops a particular attack against data.
Right now BitLocker is only in the Ultimate and Enterprise editions of
Vista. It's a feature that is turned off by default. It is also
Microsoft's first TPM application. Presumably it will be enhanced in
the future: allowing the encryption of other drives would be a good
next step, for example.
http://www.microsoft.com/technet/windowsvista/library/help/b7931dd8-3152-4d3a-a9b5-84621660c5f5.mspx?mfr=true or http://tinyurl.com/fywd7
http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx or http://tinyurl.com/h4nc8
Niels Ferguson on back doors:
http://blogs.msdn.com/si_team/archive/2006/03/02/542590.aspx
BitLocker and dual boot systems:
http://www.theregister.co.uk/2006/04/27/schneier_infosec/
http://arstechnica.com/journals/microsoft.ars/2006/4/28/3782
** *** ***** ******* *********** *************
The Security Risk of Special Cases
In Beyond Fear, I wrote about the inherent security risks of exceptions
to a security policy. Here's an example, from airport security in Ireland.
Police officers are permitted to bypass airport security at the Dublin
Airport. They flash their ID, and walk around the checkpoints.
"A female member of the airport search unit is undergoing re-training
after the incident in which a Department of Transport inspector passed
unchecked through security screening.
"It is understood that the department official was waved through
security checks having flashed an official badge. The inspector
immediately notified airport authorities of a failure in vetting
procedures. Only gardai are permitted to pass unchecked through security."
There are two ways this failure could have happened. One, security
person could have thought that Department of Transportation officials
have the same privileges as police officers. And two, the security
person could have thought she was being shown a police ID.
This could have just as easily been a bad guy showing a fake police
ID. My guess is that the security people don't check them all that
carefully.
The meta-point is that exceptions to security are themselves security
vulnerabilities. As soon as you create a system by which some people
can bypass airport security checkpoints, you invite the bad guys to try
and use that system. There are reasons why you might want to create
those alternate paths through security, of course, but the trade-offs
should be well thought out.
http://archives.tcm.ie/businesspost/2006/04/16/story13502.asp
** *** ***** ******* *********** *************
Comments from Readers
There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and
join in.
http://www.schneier.com/blog
** *** ***** ******* *********** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. You
can subscribe, unsubscribe, or change your address on the Web at
<http://www.schneier.com/crypto-gram.html>. Back issues are also
available at that URL.
Comments on CRYPTO-GRAM should be sent to
schneier(a)counterpane.com. Permission to print comments is assumed
unless otherwise stated. Comments may be edited for length and clarity.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who
will find it valuable. Permission is granted to reprint CRYPTO-GRAM,
as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish
algorithms. He is founder and CTO of Counterpane Internet Security
Inc., and is a member of the Advisory Board of the Electronic Privacy
Information Center (EPIC). He is a frequent writer and lecturer on
security topics. See <http://www.schneier.com>.
Counterpane is the world's leading protector of networked information -
the inventor of outsourced security monitoring and the foremost
authority on effective mitigation of emerging IT threats. Counterpane
protects networks for Fortune 1000 companies and governments
world-wide. See <http://www.counterpane.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of Counterpane Internet Security, Inc.
Copyright (c) 2006 by Bruce Schneier.
----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
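The relay attack described in the RFID item of the forwarded Crypto-Gram above (Alice's reader, Bob's card, Mallory in between), as an added Python simulation that is not part of the newsletter and not code from any real border-crossing system. It shows both of Schneier's points: a keyed challenge-response (assumed here: HMAC-SHA256 over a random challenge, keyed by a secret shared between card and reader) verifies just as well when Mallory forwards it untouched, and only a round-trip-time budget, a simplified form of distance bounding, rejects the relayed exchange. The microsecond figures are constructed values, not measurements; real distance-bounding protocols work at much finer time scales.

```python
"""Relay attack on an RFID challenge-response card, and the timing check
that catches it. Constructed simulation; protocol and timings are assumed."""
import hashlib
import hmac
import secrets

CARD_COMPUTE_US = 50   # assumed: card's own processing time (microseconds)
RF_HOP_US = 1          # assumed: one radio hop reader<->card at short range
RELAY_HOP_US = 40      # assumed: extra latency per hop across Mallory's link
MAX_ROUND_TRIP_US = CARD_COMPUTE_US + 2 * RF_HOP_US + 10   # reader's budget


class Card:
    """Bob's card: answers any well-formed challenge it can hear."""
    def __init__(self, card_id, key):
        self.card_id = card_id
        self.key = key

    def respond(self, challenge):
        mac = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return self.card_id, mac


class Reader:
    """Alice's reader: verifies the MAC and, optionally, the round-trip time."""
    def __init__(self, keys_by_id, check_timing=False):
        self.keys_by_id = keys_by_id
        self.check_timing = check_timing

    def authenticate(self, channel):
        challenge = secrets.token_bytes(16)
        elapsed_us, (card_id, mac) = channel(challenge)
        key = self.keys_by_id.get(card_id)
        if key is None:
            return False, "unknown card"
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False, "bad response"
        if self.check_timing and elapsed_us > MAX_ROUND_TRIP_US:
            return False, f"round trip {elapsed_us}us exceeds {MAX_ROUND_TRIP_US}us"
        return True, f"accepted {card_id}"


def direct_channel(card):
    """Card sitting in the reader's field: hop out, compute, hop back."""
    def channel(challenge):
        return 2 * RF_HOP_US + CARD_COMPUTE_US, card.respond(challenge)
    return channel


def relayed_channel(card):
    """Mallory's link: reader -> Mallory -> Bob's card and back. Mallory never
    reads or alters the bytes (he cannot), so the MAC still verifies; the only
    trace of the relay is the added delay."""
    def channel(challenge):
        elapsed, reply = direct_channel(card)(challenge)
        return elapsed + 2 * RELAY_HOP_US, reply
    return channel


def demo():
    bob_key = secrets.token_bytes(32)          # constructed card secret
    bob = Card("BOB-0001", bob_key)
    keys = {"BOB-0001": bob_key}
    naive = Reader(keys)                       # MAC only
    bounded = Reader(keys, check_timing=True)  # MAC plus timing budget
    return {
        "naive_direct": naive.authenticate(direct_channel(bob))[0],
        "naive_relayed": naive.authenticate(relayed_channel(bob))[0],
        "bounded_direct": bounded.authenticate(direct_channel(bob))[0],
        "bounded_relayed": bounded.authenticate(relayed_channel(bob))[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'accepted' if ok else 'rejected'}")
```

The naive reader accepts the relayed session because nothing cryptographic changed; the timing-aware reader rejects it, and only that reader would have any chance against Mallory on the bus. Whether a real reader has a tight enough timing budget is exactly the "not part of the spec" question the newsletter raises.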
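The BitLocker item in the forwarded Crypto-Gram above says the diffuser exists to stop ciphertext-manipulation attacks on AES-CBC. The added Python example below, which is not Microsoft's code and not BitLocker's Elephant diffuser, shows what that means on a 512-byte sector: with plain CBC, flipping one bit of a ciphertext block garbles that block and flips exactly the corresponding bit in the next plaintext block, a targeted edit that needs no key; with a decrypt-side diffusion layer in front of the data, the same flip scrambles the whole sector, so the tampering is detectable and unusable. Assumptions: the 16-byte block cipher is an HMAC-SHA256 Feistel stand-in for AES (so the file runs on the standard library alone), the diffuser is a constructed unkeyed word-mixing transform (BitLocker's is independently keyed), and key, IV and sector contents are test values.

```python
"""CBC malleability versus a diffuser. Added example, not Microsoft's code.
The block cipher is an HMAC-SHA256 Feistel stand-in for AES and the diffuser
is a constructed word-mixing layer, not Elephant; key, IV, sector are test values."""
import hashlib
import hmac
import struct

BLOCK, SECTOR = 16, 512

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, r, half):  # Feistel round function (stand-in for AES, assumption)
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    L, R = block[:8], block[8:]
    for r in range(4):
        L, R = R, _xor(L, _f(key, r, R))
    return L + R

def block_decrypt(key, block):
    L, R = block[:8], block[8:]
    for r in reversed(range(4)):
        L, R = _xor(R, _f(key, r, L)), L
    return L + R

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def inverse_diffuser(data):
    """Decrypt-side mixing (constructed): two chained XOR passes over 32-bit
    words, so a change in any one word reaches every word of the sector."""
    w = list(struct.unpack("<%dI" % (len(data) // 4), data))
    for i in range(1, len(w)):
        w[i] ^= _rotl(w[i - 1], 7)
    for i in range(len(w) - 2, -1, -1):
        w[i] ^= _rotl(w[i + 1], 13)
    return struct.pack("<%dI" % len(w), *w)

def diffuser(data):
    """Encrypt-side transform: the exact inverse of inverse_diffuser."""
    w = list(struct.unpack("<%dI" % (len(data) // 4), data))
    for i in range(len(w) - 1):
        w[i] ^= _rotl(w[i + 1], 13)
    for i in range(len(w) - 1, 0, -1):
        w[i] ^= _rotl(w[i - 1], 7)
    return struct.pack("<%dI" % len(w), *w)

def encrypt_sector(key, iv, plain, use_diffuser):
    return cbc_encrypt(key, iv, diffuser(plain) if use_diffuser else plain)

def decrypt_sector(key, iv, ct, use_diffuser):
    p = cbc_decrypt(key, iv, ct)
    return inverse_diffuser(p) if use_diffuser else p

def changed_bytes(a, b):
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def demo():
    """Flip one ciphertext bit (no key involved) and measure how far the
    damage spreads after decryption, with and without the diffuser."""
    key = b"constructed-demo-key-not-secret!"   # test value, not a real key
    iv = bytes(range(BLOCK))
    plain = bytes(SECTOR)                       # e.g. an all-zero flags sector
    results = {}
    for use_diffuser in (False, True):
        ct = bytearray(encrypt_sector(key, iv, plain, use_diffuser))
        assert decrypt_sector(key, iv, bytes(ct), use_diffuser) == plain
        ct[2 * BLOCK + 5] ^= 0x01   # bit 0 of byte 5 in ciphertext block 2
        tampered = decrypt_sector(key, iv, bytes(ct), use_diffuser)
        results["diffuser" if use_diffuser else "plain_cbc"] = changed_bytes(plain, tampered)
    return results

if __name__ == "__main__":
    for mode, idx in demo().items():
        print(f"{mode:9s}: {len(idx)} of {SECTOR} plaintext bytes changed")
```

In the plain-CBC run the changed bytes all lie in blocks 2 and 3, and block 3 differs in exactly byte 5: that precision is what makes CBC manipulation useful to someone with raw disk access. In the diffused run nearly every byte of the sector changes, which is the property the newsletter credits the diffuser with; the real Elephant diffuser is keyed and built for performance, but the shape of the defence is the same.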
Well, since the fastest growing black household in America is the
cellblock; since here in Philadelphia I still can hear cops step from
their cars asking, "Where'd the nigger go?" in front of black
onlookers; since Independence Hall now has a clearly visible
surveillance camera in its tower and visitors to the Liberty Bell are
searched and wanded multiple times; since the fastest growing group of
armed police in the US are private security and prison guards, since
without trying very hard, I can read more and more about police getting
no-knock powers, about prisoners held incommunicado, etc. -- I think we
shouldn't wait until we are all getting routinely Taser'd for getting
smart at the latest "preventive" roadblock.
It's enough like a police state -- or a hall monitor's wet dream -- to
get me nervous.
--Michael McGettigan
One recent example -- a friend of mine who worked transmitters for
Motorola was sent to a crime-ridden North Philly high-rise project. His
mission -- inspect a repeater transmitter that was inside a
steel-doored room atop the building -- the transmitter's function was
to boost the signals of the various law enforcement/drug authorities
that raided it on a regular basis. They'd found that their hand radios
often didn't work well enough. The idea that this high-rise should
maybe be razed rather than rigged for a permanent state of drug busts
didn't seem to occur to anyone.
-------------------------------------
You are subscribed as eugen(a)leitl.org
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
----- End forwarded message -----
--
Eugen* Leitl
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
[demime 1.01d removed an attachment of type application/pgp-signature]
Begin forwarded message:
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 7.23, 2 December 2009
============================================================
Contents
============================================================
1. Civil liberties groups ask EU to repeal data retention directive
2. Romanian Constitutional Court decision against data retention
3. Spain warned by Commissioner Reding for cutting off Internet access
4. Austria: BIM delivers draft act on implementing Data Retention Directive
5. Stockholm programme adopted by the European Parliament
6. Legal Complaints and Petition Against Second French "Horror Database"
7. Czech Big Brother Awards 2009
8. EC changes the openness concept in the draft eGov EIF
9. Spanish court revokes its decision to shut down P2P-related sites
10. ENDitorial: IGF 2009: the Forum is the Message (and the Massage as well)
11. ENDitorial: Keeping the "self" in self-regulation
12. Recommended Reading
13. Agenda
14. About
============================================================
1. Civil liberties groups ask EU to repeal data retention directive
============================================================
Civil liberties groups European Digital Rights (EDRi) and the German
Working Group on Data Retention (AK Vorrat) are calling on the European
Union to repeal the 2006 directive on the data retention of electronic
communications. In the event that the directive is not repealed, they
demand that it is amended to introduce an opt-out right allowing Member
States to decide whether or not to require the retention of
communications data.
In a statement to the European Commission published today, AK Vorrat
points out that the directive has resulted in less liberty for citizens,
in a constant threat that information on personal contacts, mobile phone
movements and Internet use may be sold, lost or otherwise cause harm, as
well as in higher prices for telecommunications services and in less
competition.
In a legal complaint regarding the directive filed with the European
Court of Justice in 2006 and disclosed today on the Internet, Ireland
pointed out that initially, many countries had not imposed any data
retention requirements and that "no issue relating to the internal
market could justify the imposition upon a Member State of an obligation
to require telecommunications operators to retain data (...) where no
such obligations previously existed under the law of that State".
In several Member States, courts examined and are examining complaints
filed by citizens and telecommunications operators, alleging that the
indiscriminate collection of communications data violates the human
right to privacy. Constitutional Courts in Romania and Bulgaria
have already ruled data retention legislation unconstitutional. The
German Federal Constitutional Court will hear complaints filed by over
34 000 citizens in December. Another action is pending in Ireland,
while an application to the Constitutional Court of the Czech Republic
is currently being prepared.
"In a landmark decision taken last year, the European Court of Human
Rights declared illegal a British DNA and fingerprints database, stating
that 'the blanket and indiscriminate nature of the powers of retention
(...) constitutes a disproportionate interference' with privacy and
'cannot be regarded as necessary in a democratic society.' The same
is the case with the blanket and indiscriminate collection of
information on personal contacts, mobile phone movements and Internet
use", comments legal expert Patrick Breyer (AK Vorrat). "Anonymity is
indispensable for a multitude of activities in a democratic state.
Subjecting all citizens to a constant recording of whom they are in
touch with is threatening to undermine or even destroy democracy while
ostensibly defending it. The Commission must put an end to this Big
Brother law now."
"EDRi and its members have been campaigning against this directive for
years, arguing that such data retention is necessarily a hazardously
invasive act. Communication data is well beyond being simple logs of who
we've called and when we called them. Traffic data are now used to
create a map of human associations and more importantly, a map of human
activity and intention," reminds Meryem Marzouki (EDRi). "With the
growing use of massive national databases, and the current plans towards
their interoperability at EU-level and full access for police purposes,
the data retention directive paves the way to further extensions of
purposes, where data once collected strictly for the requirements of a
given service delivery become used for citizens surveillance and social
control, when not for intelligence purposes. This is not acceptable in a
democratic society, and should be ended now."
This press release is supported by:
- Dutch speaking League for Human Rights (Liga voor Mensenrechten) - Belgium
- French speaking League for Human Rights (Ligue des droits de
l'Homme) - Belgium
- Flemish Bar Association (Orde van Vlaamse Balies) - Belgium
- French and German speaking Bars of Belgium (Ordre des Barreaux
Francophones et Germanophone) - Belgium
- General Association of Professional Journalists in Belgium (AGJPB
- Association generale des Journalistes Professionnels de Belgique -
AVBB : Algemene Vereniging van Beroepsjournalisten in Belgie) - Belgium
- Statewatch - UK
- Werebuild.eu - Sweden
This press release in French - EDRI and AK Vorrat ask the European Union
to repeal the "data retention" directive (1.12.2009)
http://www.iris.sgdg.org/info-debat/comm-retention1209.html
In German - Civil rights organisations call on the EU to repeal the
Data Retention Directive (1.12.2009)
http://www.vorratsdatenspeicherung.de/content/view/343/79/lang,de/
Statement from AK Vorrat on Data retention (only in German, 1.12.2009)
http://www.vorratsdatenspeicherung.de/images/antworten_kommission_vds_2009-…
Summary of AK Vorrat Recommendations in English (1.12.2009)
http://www.vorratsdatenspeicherung.de/images/reply_commission_data-retentio…
Irish Submission to the European Court of Justice (11.07.2006)
http://www.vorratsdatenspeicherung.de/images/ireland_2006-07-11.pdf
Romanian Constitutional Court decision against data retention (25.11.2009)
http://www.legi-internet.ro/english/jurisprudenta-it-romania/decizii-it/rom…
Bulgarian case against data retention (17.12.2008)
http://www.edri.org/edri-gram/number6.24/bulgarian-administrative-case-data…
Germany: Class-action law suit against data retention
http://www.vorratsdatenspeicherung.de/content/view/51/70/lang,en/
Action against data retention in Ireland (14.09.2006)
http://www.digitalrights.ie/2006/09/14/dri-brings-legal-action-over-mass-su…
EDRi's campaign against data retention
http://www.edri.org/campaigns/dataretention
============================================================
2. Romanian Constitutional Court decision against data retention
============================================================
The decision of the Romanian Constitutional Court (CCR) against the data
retention law was finally published in the Official Monitor on 23 November
2009.
The court's reasoning, which was made public only a few days before its
publication in the Official Monitor, shows an interesting argument from a
Court with no prior jurisprudence in the field of privacy protection. The
court not only criticizes several aspects of the text of the law, but
declares the whole law unconstitutional because it breaches the right to
correspondence and to privacy.
Even though only a few articles were mentioned in the motion of
unconstitutionality, the Court went further and examined art 20 of the law,
which could have been interpreted as an open door for the secret services to
access the retained data under any circumstances and without judicial
approval, an issue raised by EDRi-member APTI from the public consultations
in 2007 onwards.
CCR notes that the principle of limited collection of personal data is
emptied by this new regulation, which obliges a continuous retention of
traffic data for 6 months. "The legal obligation that foresees the continuous
retention of personal data transforms though the exception from the
principle of effective protection of privacy right and freedom of
expression, into an absolute rule. The right appears as being regulated in a
negative manner, its positive role losing its prevailing character."
CCR also makes a comparison with article 91^1 of the Penal Procedure
Code (CPP) dealing with audio and video interceptions in crime cases, which
was considered constitutional in an earlier ruling. The text of the CPP
allows the video interception only for a specific case and person, only with
judicial supervision, only for the future and for a period that may not
exceed 120 days under any circumstances. The Court concludes that, in
effect, this data retention law deletes the right to privacy in terms of
electronic communications: "Therefore, the regulation of a positive
obligation that foresees the continuous limitation of the privacy right and
secrecy of correspondence makes the essence of the right disappear by
removing the safeguards regarding its execution."
The court is underlining the fact, already pointed out by European
civil organizations even during the adoption of the data retention
directive, that the law considers all citizens as potential criminals: "This
(data retention) equally addresses all the law subjects, regardless of
whether they have committed penal crimes or not or whether they are the
subject of a penal investigation or not, which is likely to overturn the
presumption of innocence and to transform a priori all users of electronic
communication services or public communication networks into people
susceptible of committing terrorism crimes or other serious crimes."
Finally, the court quotes the ECHR case of Klass and others vs Germany
(1978), considering that "taking surveillance measures without adequate and
sufficient safeguards can lead to 'destroying democracy on the ground of
defending it.'"
According to art 147 of the Romanian Constitution, the legal provisions on
data retention are now suspended. The Government and Parliament have 45 days
to "fix" the unconstitutional provisions. But taking into consideration the
CCR reasoning, there is little chance that any text asking for a six-month
blanket data retention would be considered constitutional in
Romania. Moreover, there is currently only an interim government and a new
one is unlikely to appear in the next weeks (at least not until the second
round of presidential election, which is scheduled for 6 December).
Constitutional Court Decision no 1258 of 8 October 2009 (unofficial
English translation, 23.11.2009)
http://www.legi-internet.ro/english/jurisprudenta-it-romania/decizii-it/rom…
Constitutional Court Decision no 1258 of 8 October 2009 (only in Romanian,
23.11.2009)
http://www.ccr.ro/decisions/pdf/ro/2009/D1258_09.pdf
APTI's comments on draft data retention law (only in Romanian, 9.05.2007)
http://www.apti.ro/webfm_send/24
Romania: Data retention law declared unconstitutional (21.10.2009)
http://www.edri.org/edrigram/number7.20/romania-data-retention-law-unconsti…
Art 147 of the Romanian Constitution
http://www.cdep.ro/pls/dic/site.page?den=act2_2&par1=5#t5c0s0a147
============================================================
3. Spain warned by Commissioner Reding for cutting off Internet access
============================================================
On 23 November 2009, at the Spanish Telecom Regulatory Authority (CMT)
international meeting, Viviane Reding warned that the European Commission
could take action against Spain if the government decided to cut the
Internet access of file-sharers.
"Repression alone will certainly not solve the problem of Internet piracy;
it may in many ways even run counter to the rights and freedoms which are
part of Europe's values since the French Revolution," said the Commissioner
who reminded Spain that the new telecom package agreed upon in November by
the European Parliament and the Council of Ministers includes a provision
that makes cutting off internet access without an official procedure
illegal. "The new internet freedom provision now provides that any
measures taken regarding access to and use of services and applications must
always respect the fundamental rights and freedoms of citizens," and
"Effective and timely judicial review is as much guaranteed as a prior, fair
and impartial procedure, the presumption of innocence and the right to
privacy," said Reding.
As she has said on several other occasions, the Commissioner believes that
new business models and modern, efficient ways must be found to protect
intellectual property and artistic creation.
On this occasion, she also criticised France's Hadopi three strikes law,
argued that the development of a single European market for online content
was a better way to act against Internet piracy and regretted the
fragmentation of copyright law across the EU. "The lifting of impediments to
the cross-border online distribution of creative works will improve the
supply of attractive and affordable services that are legal. In turn, this
will reduce the temptation for consumers to indulge in the illicit
consumption of copyright-protected material."
Reinaldo Rodríguez, the President of the CMT, considers that Reding's
statements are based on a misunderstanding and is confident that there will
be no conflict between the Spanish legislation and that of the EU. The
Spanish Minister of Culture Angeles Gonzalez-Sinde has repeatedly expressed
her opposition to the French model, favouring prosecution of illegal
downloading sites rather than users.
The Spanish association of operators REDTEL is also opposed to the
disconnection of allegedly illegal downloaders, believing that sanctioning
measures are doomed to fail and that raising awareness would be a much more
efficient solution. The operators believe that while citizens increasingly
ask for cultural material through new channels, the culture industry
refrains from offering its catalogue through the Internet in a legal form
and with attractive deals.
On 10 December 2009, a proposal will be presented to the Government by the
coalition of content creators. The proposal will be centred on blocking P2P
websites from which content is downloaded, not on cutting off users' access.
Reding warns Spain against internet cut-off (24.11.2009)
http://euobserver.com/19/29041
Commissioner warns Spain that cutting-off Internet enters into conflict with
EU (only in Spanish, 23.11.2009)
http://www.hoytecnologia.com/noticias/Comisaria-advierte-Espana-cortar/1418…
The European Commissioner warns Spain over regulating P2P (only in Spanish,
23.11.2009)
http://www.adslzone.net/article3469-la-comisaria-europea-advierte-a-espana-…
The Coalition will ask the Government for the blocking of P2P websites, but
never for the disconnection (only in Spanish, 2.11.2009)
http://www.adslzone.net/article3403-la-coalicion-pedira-al-gobierno-el-bloq…
Spanish activists issue manifesto on the rights of Internet users
(2.12.2009)
http://www.boingboing.net/2009/12/02/spanish-activists-is.html
============================================================
4. Austria: BIM delivers draft act on implementing Data Retention Directive
============================================================
In April 2009 - after the EU Commission decided to bring an action against
Austria because of non-transposition of the Data Retention Directive
2006/24/EC (DRD) - the Ludwig Boltzmann Institute of Human Rights (BIM) was
assigned by the Austrian Federal Ministry for Transport, Innovation and
Technology to elaborate a draft act on the amendment to the
Telecommunications Act 2003, in order to find a way of transposition that
interferes least with fundamental rights of users. Although Austria had
supported the Directive in 2006, the newly elected government has delayed
the transposition not least because of serious doubts about its conformity
with Art. 8 European Convention on Human Rights (ECHR), which provides a
right to respect for one's "private and family life, his home and his
correspondence".
After we had been invited by the Ministry to elaborate such a draft act, we
thought very seriously for a while about whether we should accept and what
the consequences would be. In the past years the BIM had criticised the DRD
fundamentally in public, and we had published studies on the Directive in
the light of the ECHR which concluded that Data Retention is incompatible
with the Human Rights provisions. So the main problem was (and still is):
if a Human Rights Institute of high reputation writes the draft for
transposing the directive, the act will likely get the "fundamental rights
proofed" stamp, which would clearly undermine the criticism of the issue in
public perception. On the other hand, the Austrian Government left no doubt
that it is going to transpose the Data Retention in order to avoid a
conviction by the European Court of Justice (ECJ), and the assignment could
be the chance to find a version of transposition which provides as many
safety elements as possible. But this would not have been enough to decide
for this job. The aim was to show, in an accompanying scientific analysis,
that it is not possible to "repair" the DRD by creating safeguards and
transposing just the minimum necessary under Community Law - which of course
we did. Even so, Data Retention causes a violation of Art 8 and 10 ECHR, so
the BIM recommends that those parts of the draft act which stipulate the
retention of data should never enter into force - otherwise their mere
existence would violate Human Rights!
The BIM organised continuous round table discussions with concerned service
providers, non-profit organisations, employee and consumer representations,
as well as representatives of concerned ministries and other public
authorities. In addition, meetings in small technical groups were held in
order to assure clarity of the norm and to take into consideration all
technical possibilities, especially concerning data security matters. On 11
September 2009 - almost ironically - the Ludwig Boltzmann Institute of Human
Rights delivered the draft act on the amendment to the Telecommunications
Act 2003. Presently it is announced for an official public examination. This
hopefully perpetuates a public discussion about the non-existent necessity
of this instrument.
Ceterum censeo data-retentionem esse delendam!
Draft Law on data retention suggested by the BIM (only in German)
http://bim.lbg.ac.at/de/informationsgesellschaft/bimentwurf-zur-vorratsdate…
Data retention opponents making their move (only in German, 26.11.2009)
http://futurezone.orf.at/stories/1632818/
AK Vorrat Austria
http://www.akvorrat.at/
Resistance against Data Retention in Austria (only in German, 1.12.2009)
http://futurezone.orf.at/stories/1633168/
(Contribution by Christof Tschohl - Legal Researcher at the BIM and the main
author of the BIM-contribution to the Austrian DR draft law)
============================================================
5. Stockholm programme adopted by the European Parliament
============================================================
After six months of preparation, the European Union has almost reached
agreement (somewhat behind schedule) on its 5-year plan for policy in the
area of "freedom, security and justice", better known as the "Stockholm
Programme". Discussions on this proposal took place in parallel, with the
European Parliament preparing its opinion on the dossier at the same time as
Member States were working towards finalising the "real" text. While the
European Parliament's views have had a limited direct impact on the
Stockholm Programme itself, they will have an influence on the practical
projects that are subsequently set up by this new plan.
The text adopted by the Parliament, in great haste and some chaos,
is a mix of some very positive statements and some less helpful ones. On the
plus side, an attempt was made to reshape the post-9/11 "balance" metaphor
with regard to freedoms and justice: "(...) the EU is rooted in the
principle of freedom; points out that, in support of that freedom, security
must be pursued in accordance with the rule of law and subject to
fundamental rights obligations; states that the balance between security and
freedom must be seen from this perspective". There is also a stress on
reviewing the impact of measures adopted under the programme and improving
the evaluation systems already in place. On the negative side, opportunities
were missed with regard to minimum levels of diligence to be required of the
European Commission with regard to the issues to be addressed in impact
assessments and with regard to the dangers inherent in the use of databases,
particularly when these are interlinked.
The Council, meanwhile, hit some problems in last minute discussions on the
Programme, although at the time of writing, these problems do not appear
fatal for the initiative as a whole. Bearing in mind the wish of one Member
State Minister expressed during the debate between ministers, that the
Stockholm Programme will lead to the "eradication of terrorism" and the wish
of another that the programme would deal effectively with petty crime, it
appears that some Member States have somewhat unrealistic expectations of
the initiative. On the plus side, the text deleted some of the more
destructive and populist (blocking of websites) and downright dangerous
("revoking" of the IP addresses of foreign ISPs considered criminal by the
police) measures in the European Commission's Communication of June of this
year, which was meant to form the basis of the Programme. On the negative
side, the Council appears to be slipping into the misconception that
IT-based automated policing will somehow produce systems that will be both
cheaper and more efficient while also not endangering citizens' rights. This
trend is demonstrated by its proposal (albeit neatly framed with words about
protection of personal data) on "interoperability of IT systems ensuring
full conformity with data protection and data security principles when
developing such systems." Within the context, and keeping to this worrying
theme, Swedish Minister Beatrice Ask (at the beginning of discussions in the
Council) expressed her hope for the creation of "more cost-effective data
exchange".
As mentioned above, disagreements and delays have significantly slowed the
final adoption of the text. While Ministers all agreed that citizens should
be happy to trust any government (including foreign governments, following
the SWIFT agreement on exchange of banking data) with their personal data,
they did not trust each other to be responsible for mutually recognised
asylum procedures. As a result, this aspect of the Programme has delayed its
adoption.
The next stage in this process will be the preparation of concrete projects
to be proposed within the context of the adopted text. This will be done by
the European Commission, ostensibly with the support of the Spanish
Presidency of the Council.
Commission Communication (10.06.2009)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0262:FIN:EN:…
Last available consolidated text:
http://register.consilium.europa.eu/pdf/en/09/st16/st16484-re01.en09.pdf
Second-last set of amendments to the Programme (27.11.2009)
http://register.consilium.europa.eu/pdf/en/09/st16/st16484-re01ad01.en09.pdf
EDRi-gram: Stockholm Programme moves quickly towards adoption (9.09.2009)
http://www.edri.org/edri-gram/number7.17/stockholm-programme-european-parli…
============================================================
6. Legal Complaints and Petition Against Second French "Horror Database"
============================================================
The French coalition of groups, associations, trade unions and political
parties from the opposition is making it clear after its first successful
'No to EDVIGE' in 2008 led to the withdrawal of the EDVIGE intelligence
database by the French government, after a massive citizen mobilization
(more than 220.000 signatures of a first petition, including almost 1200
signatures from organizations, legal complaints, demonstrations, and all
possible democratic forms of protest). It now says 'Hell no!' to EDVIGE,
after the same government reintroduced almost the same database with two new
decrees published on 18 October 2009.
The coalition launched a new petition on 30 November 2009, calling on
citizens to sign again against the new surveillance database. As things have
developed so far, French civil society's firmness against EDVIGE remains
intact: in less than 3 days, more than 6100 individuals and 80
organizations had already signed, including major national associations,
trade unions, and political parties from the opposition. Main members of the
coalition, including French EDRI member IRIS, have filed legal complaints on
the same day against the French government, asking the highest
administrative Court (Conseil d'Etat) to annul the two new decrees. Other
coalition members are preparing to join this legal action.
The French anger is first due to the government contempt of the democratic
process: for the second time, Sarkozy's government by-passed the Parliament
to introduce a surveillance database, despite its own commitment in 2008 to
have the creation of any new police file decided by the Parliament. Even
worse, Members of Parliaments belonging to the President's majority voted on
24 November 2009 amendments to a draft law on 'the simplification of the
legislation', explicitly allowing such a creation by simple regulation.
Regarding the provisions of the decrees, the petition acknowledges that the
previous mobilization succeeded in keeping the collection of sensitive data
related to sexual life and health out of the new EDVIGE database. This
doesn't prevent, however, the LGBT movement and organizations fighting AIDS
from taking part again in the mobilization against all other EDVIGE features
remaining in the new database: it is an intelligence file, and no infraction
needs to be committed before being filed to 'prevent violations of public
security'; children start being filed at 13; on top of the many data
categories collected (identity; political, religious and philosophical
activities as well as activities related to trade unions; public activities,
behaviours and movements; phone numbers and email addresses; vehicle
registration; capital assets; and others that were already in EDVIGE No. 1),
some of them sensitive data as defined by the French data protection Act in
accordance with the 1995 directive, a mysterious 'geographical origin' has
been added to the categories of collected data. This latter category, which
doesn't correspond to any legal definition, has been qualified as a masked
way of gathering information related to ethnic origin, and anti-racist
organizations have soon joined the second 'No to EDVIGE' campaign.
EDRI previously reported that, during the Madrid Civil Society Conference on
Global privacy Standards held last November, Peter Schaar, the German
Federal Data Protection Commissioner, rightly underlined that "EDVIGE is a
horror database for us, because it includes many persons that did not breach
any laws - they are just 'risky persons'". It is very unfortunate that his
French counterpart, Alex Türk, does not share this point of view. In a
communiqué published on 22 October 2009, the CNIL has found that "the new
decrees will allow relevant police services to use (the created databases)
under conditions guaranteeing citizens rights and freedoms thanks to the
CNIL control powers". One might wonder how and against which evidence the
CNIL would be able to control the 'risk assessment' having led to file one
person in the EDVIGE database, given the fact that no single infraction
needs to be committed first.
"No to EDVIGE" coalition website (including petition with automatic update
of signatures)
http://nonaedvige.sgdg.org
EDRi-gram: French Edvige Decree Withdrawn (3.12.2008)
http://www.edri.org/edri-gram/number6.23/edvige-retired
EDRi-gram: France Pushes The Introduction Of Edvige Project Through The Back
Door (21.10.2009)
http://www.edri.org/edrigram/number7.20/new-two-edvige-files
"No to EDVIGE" against police file creation by simple regulation (in French
only, 26.11.2009)
http://nonaedvige.sgdg.org/spip.php?article1115
EDRi-gram: Declaration On Global Privacy Standards (5.11.2009)
http://www.edri.org/edrigram/number7.21/privacy-standards-global
CNIL: From 'Edvige I' to 'Edvige III': intelligence databases from now on
better supervised and better controlled (only in French, 22.10.2009)
http://www.cnil.fr/la-cnil/actu-cnil/article/article//de-edvige-i-a-edvige-…
(Contribution by Meryem Marzouki, EDRI-member IRIS - France)
============================================================
7. Czech Big Brother Awards 2009
============================================================
The results of the fifth annual Big Brother Awards were announced at a
festive evening in Prague's Theatre Na Pradle on 12 November 2009. A jury of
experts chose from almost 80 nominations entered by the public.
Among those awarded are the Czech Ministry of Schools, Youth and Sports for
gathering information about pupils and students, the Nokia company for its
efforts to legalize snooping in its employees' email communication, the
social networking site Facebook for its inconsistent approach to user
privacy protection, the Czech Ministry of Health, the State Institute for
Drug Control and National Health Registries, and the French "HADOPI law",
nicknamed the "electronic guillotine".
The "Statement of the year" went to the General Manager of the state-owned
lottery operator Sazka, for demanding that slot-machines be equipped with ID
scanners. He thinks this would prevent people who receive social benefits
from gambling. "It is a question of a greater control or an increase in
gambling," says Mr. Ales Husak. The positive prize was awarded to the
citizens of Iran for boycotting telephones manufactured by Nokia Siemens,
because a telecommunication surveillance system was sold by this company to
the Government of Iran.
The first ceremony in the Czech Republic took place in 2005. As in
previous years there are eight categories - Long-term Violation of Human
Privacy (for companies and public organizations), Biggest Corporate Snoop
(for companies), Biggest Government Agency Snoop (for government
organizations), Dangerous New Technology, Big Brother Law, Snoop Among
Nations, Statement of a Big Brother and finally the positive award for
Achievements in Protecting Privacy. The Czech Awards are held by the
EDRi-member Iuridicum Remedium.
Big Brother Awards 2009 (only in Czech)
http://www.bigbrotherawards.cz/
Czech Big Brother awards press release in English (12.11.2009)
http://www.edri.org/files/Czech_BBA09_EN.pdf
(Contribution by Katerina Hlatka - EDRi-member IURE)
============================================================
8. EC changes the openness concept in the draft eGov EIF
============================================================
A second draft of the European Interoperability Framework (EIF) was recently
leaked to the press showing that the European Commission (EC) has decided to
take the side of Business Software Alliance (BSA), a lobby group for
proprietary software vendors.
The first draft of EIF is a document produced in 2004 by the "Interoperable
delivery of pan-European eGovernment services to public administrations,
businesses and citizens" (IDABC) for the European Union.
According to EIF I, open standards are the key in obtaining interoperability
in pan-European eGovernment services. The document defines the open standard
as being a standard that is adopted and maintained by a non-profit
organization the development of which "occurs on the basis of an open
decision-making procedure available to all interested parties (consensus or
majority decision etc.)." An open standard needs also to be published with a
standard specification document that "is available either freely or at a
nominal charge. It must be permissible to all to copy, distribute and use it
for no fee or at a nominal fee." The intellectual property of an open
standard (or part of it) "is made irrevocably available on a royalty-free
basis" and "there are no constraints on the re-use of the standard."
The EC produced a consultation document and launched a public consultation
between June and September 2008 for a second version of the EIF. The
consultation received 53 comments. The Free Software Foundation Europe
(FSFE) has analysed the new version of the text, showing that the Commission
has based its result practically only on the input of BSA, ignoring other
opinions from companies, groups and individuals in favour of Open Standards
and Free Software.
"The European Commission must not make itself the tool of particular
interests. The current draft is unacceptable, and so is the total lack of
transparency in the process that has led to this text," says Karsten
Gerloff, FSFE's President.
While the first version of EIF considers open standards as key tools for
interoperability, thus strongly supporting Free Software and Open Standards
in the public sector, EIF2 contains only a description of a so called
"openness continuum", which also includes proprietary specifications.
The new text no longer considers that openness is a key factor for
interoperability in eGovernment services. "While there is a correlation
between openness and interoperability, it is true that interoperability can
be obtained without openness, for example via homogeneity of the ICT
systems, which implies that all partners use, or agree to use, the same
solution to implement a European Public Service" says the new draft.
FSFE has sent a letter to the people in charge of eGovernment in EU member
states that says: "The current text is not a viable successor to version 1
of the EIF. Instead of leading Europe forward into an interoperable future,
it will promote vendor lock-in, block interoperability of eGovernment
services, and damage the European software economy. If adopted, it will be a
testament to the power which is exerted outside democratic and transparent
processes, and will give rise to Euro-scepticism." The letter includes a set
of 10 recommendations for the improvement of the draft.
A press officer with the Delegation to the European Commission in Washington
stated on 6 November that the document being circulated as "EIF 2.0" could
not be attributed as an official European Commission document. It seems the
EC indicated that the text was a document only intended to test public
opinion.
However, the second draft of the EIF document was discussed in a meeting
between the EC and representatives of the EU Member States on 12 November in
Brussels. According to the German Ministry of the Interior, most member
states at the meeting considered the document a good starting point, "but
there are some points that have to be discussed again, including the
definition of interoperability and open source."
A spokesman from the Dutch Ministry of Economic Affairs stated the revision
was a major step back from the first version. "We informally said we were
unhappy with it. The government will respond officially once the document is
ready."
FSFE: EC caves in to proprietary lobbyists on interoperability (27.11.2009)
http://www.fsfe.org/news/2009/news-20091127-01.en.html
European Interoperability Framework for European Public Services (EIF) -
Version 2.0 - (work document in progress) (11.2009)
http://www.bigwobber.nl/wp-content/uploads/2009/11/European-Interoperabilit…
U Wants to Re-define "Closed" as "Nearly Open" (2.11.2009)
http://www.computerworlduk.com/community/blogs/index.cfm?entryid=2620&blogi…
If Not EIF 2.0, Then What? (6.11.2009)
http://www.computerworlduk.com/community/blogs/index.cfm?entryid=2629&blogi…
============================================================
9. Spanish court revokes its decision to shut down P2P-related sites
============================================================
A preliminary shut down decision against two P2P file-sharing link sites has
been recently overturned by a Spanish court which also fined the anti-piracy
group involved in the case.
Two eD2K file-sharing link sites known as Elitemula and Etmusica were shut
down by court order in April 2009 on the basis of an action by the
anti-piracy group SGAE. Shortly after, Juan Jose Carrasco Colonel, who ran
the two sites, received a visit from a lawyer and a computer expert of SGAE
who, under the false pretence of coming from the court with a warrant,
entered his home and inspected his computers and hard drives to find proof
of music downloads through the two sites between September and December 2007.
The two lawyers of the sites succeeded in convincing the court that the hard
drive evidence collected during the controversial raid was worthless and
therefore the evidence was dismissed and both sites can now be reopened.
"The reason for reopening the websites is that a hyperlink, per se, does not
violate intellectual property law," said Javier de la Cueva, one of the
lawyers, who explained that the hard drive evidence was dismissed because it
had been proved that the site's users' sharing statistics could not have
been stored on it.
He also pointed out that SGAE requested injunctions against Etmusica and
Elitemula without summoning their client. "When this happens and injunctions
are adopted, the defendant should have the opportunity of opposition, and
this is what we have won," he said.
Furthermore, the court fined SGAE 500 euros for bad faith ("mala
fides"), concluding that the group had acted with the intention of avoiding
the defendants' right to a defence, and for having failed to tell the court
that earlier criminal proceedings brought by Promusicae to achieve
preliminary injunctions against both sites had already been dismissed.
P2P Sites' Injunctions Overturned, Anti-Piracy Group Fined (24.11.2009)
http://torrentfreak.com/p2p-sites-injunctions-overturned-anti-piracy-group-…
Spain: the judges fining an anti-piracy group guided by SGAE. (only in
Spanish, 25.11.2009)
http://www.onep2p.it/tag/juan-jose-carrasco-colonel/
The Judge orders the reopening of the two p2p sites and fines SGAE for mala
fides in its request for closing down (only in Spanish, 22.11.2009)
http://derecho-internet.org/node/497
============================================================
10. ENDitorial: IGF 2009: the Forum is the Message (and the Massage as well)
============================================================
Internet Governance Forum or Internet Governance Fair? One might still
wonder what the IGF acronym stands for, after the closing of its fourth
annual meeting in Sharm El Sheikh, Egypt, on 18 November 2009. As usual, the
IGF featured a number (111 over 4 days!) of so-called multi-stakeholder
panels and workshops, exhibition booths, launching events and other
happenings. One might still equally wonder what 'Internet Governance' means
in the IGF context: apparently, any and all Internet issues, roughly
categorized under 7 headings: Access, Diversity, Openness, Security,
Critical Internet Resources, Development and Capacity Building.
The newcomer finds it hard to understand the difference between discussion
formats: main session (though run in parallel with up to 9 other events),
workshop, open forum, best practice forum, dynamic coalition meeting: what's
the exact difference in the end? The veteran is still waiting for the
'round-table' format, that is, a more output-oriented format for issues that
have reached a certain level of maturity, that one would have expected as a
result of the February and May 2009 IGF consultation meetings. But 'outcome'
seems a banned concept, if not a jinx, at IGF. Marshall McLuhan would
probably have liked it: the Forum is indeed the message and the massage
altogether. However, some participants have a precise agenda to advance for
better or worse.
The Association for Progressive Communication (APC) took further steps on
its joint initiative with the Council of Europe and UNECE towards a "Code of
Good Practice on Transparency, Information and Participation in Internet
governance", which builds on the principles of WSIS and the Aarhus
Convention on Access to Information, Public Participation in Decision-Making
and Access to Justice in Environmental Matters. The Electronic Privacy
Information Center (EPIC) and the international Public Voice Coalition were
instrumental in making privacy a key and crosscutting issue at this year's
IGF, most notably by moderating the main session on "security, openness, and
privacy" and by convening high quality informative workshops to put privacy
in focus in emerging contexts such as cloud computing, behavioural targeting
and social networks. IGF was indeed the perfect opportunity for the Public
Voice Coalition, of which EDRI is a main actor, to campaign on and collect
more signatures to the recently adopted "Madrid Civil Society Declaration on
Global Privacy Standards in a Global World".
On the worrying side, no less than 3 workshops were explicitly dedicated to
the promotion of the Council of Europe (CoE) Convention on Cybercrime
through CoE (privately co-funded) projects. While these projects claim to
include data protection and privacy in their objectives, this would
certainly be better achieved if the CoE (as well as private companies) were
dedicating comparable resources to the promotion of the CoE Convention 108
for the Protection of Individuals with regard to Automatic Processing of
Personal Data, together with its 2001 additional Protocol regarding
supervisory authorities and transborder data flows. Another preoccupying
issue is the promotion by many governments, but also by other stakeholders
including some NGOs, of regulations and public-private initiatives to fight
the "dangers" of the Internet through content regulation measures that have
shown, till now, more harm to human rights and especially the rights to
freedom of expression, to privacy and to access to knowledge, than effective
protection of vulnerable groups.
Human rights are not simply a discussion topic: they form a set of
international standards that are binding on states. Active campaigning, and
an uncompromising stance against the softening and dilution of basic
universal principles, still seem to be required from the civil society side.
While APC and some other
participants seem to consider that human rights are gaining prominence at
the IGF, it remains to be proven that, beyond endless discussions, the
realization of human rights in the digital environment is making effective
progress thanks to the IGF... or even AT the IGF one should rather say:
during an event organized by the Open Net Initiative (ONI) to launch the
book entitled "Access controlled", a promotion poster was taken down by
security personnel on the grounds that it showed the following sentence:
'China's famous "Great Firewall of China" is one of the first national
Internet filtering systems', a display which was claimed to violate UN
policy.
Should the IGF continue, then? Almost all stakeholders, including civil
society ones, advocated in favour of the continuation of the IGF in the
written comments they submitted as well as at the main session dedicated to
the desirability of the Forum continuation after the expiration of its first
5-year mandate in 2010. Particularly and unanimously praised were the
capacity building feature of the IGF and its ability to facilitate open
dialogue among different stakeholders and different viewpoints. Governments
are divided, though, on whether the IGF should lead to negotiated and/or
binding outcomes: Canada, USA, and the EU presidency strongly stood against
such an idea, rather favouring IGF continuation in its current form. Others,
like Brazil, Kenya and Switzerland, advocated for more concrete but not
negotiated outcomes. China was the most clear and direct: "without reform to
the present IGF, it is not necessary to give the IGF a five-year extension",
advocating for a more classical UN style discussion. All developing
countries highlighted the need for better inclusion and involvement of
participants from the Global South. Since the IGF will probably be
continued, the fact that the IGF 2011 will be held in Kenya might bring some
improvement on this last issue. Next year's IGF meeting will be in Vilnius,
Lithuania, on 14-17 September 2010.
Internet Governance Forum, with workshops list and main sessions transcript
(15-18.11.2009)
http://www.intgovforum.org
APC's project for a code of good practice in Internet governance
http://www.apc.org/fr/projects/code-good-practice-internet-governance
EPIC and The Public Voice workshops on Privacy (15-18.11.2009)
http://thepublicvoice.org/events/egypt09/
The Madrid Privacy Declaration (3.11.2009)
http://thepublicvoice.org/madrid-declaration/
Council of Europe Projects on Cybercrime
http://www.coe.int/cybercrime
EDRi-gram: The 2001 Coe Cybercrime Conv. More Dangerous Than Ever
(20.07.2007)
http://www.edri.org/edrigram/number5.12/cybercrime-convention-dangerous
APC's assessment of IGF 2009 (26.11.2009)
http://www.apc.org/en/system/files/APCIGF4Assessment_EN.pdf
ONI's poster taken down and related videos, including UN Statement on the
incident (15.11.2009)
http://www.youtube.com/watch?v=d-kxYt2LwKc
(Contribution by Meryem Marzouki, EDRI-member IRIS - France)
============================================================
11. ENDitorial: Keeping the "self" in self-regulation
============================================================
Businesses, particularly in the Internet environment, fear (and often have
good reason to fear) government regulation. Traditionally, therefore,
Internet Service Providers have pushed for "self-regulatory" solutions to
issues surrounding the management and operation of their own networks - as
in the case of spam, for example. Self-regulation often seems to be, and
often is, the most effective solution.
There is, however, a growing and insidious trend in self-regulation, where
increasing pressure is being put on Internet access and service providers to
treat their own customers as potential criminals and to take on, usually
unwillingly, policing roles. It is clear that this development has serious
risks both to online freedoms and to the democratic controls that citizens
would normally be able to rely on to protect them.
Already, with the notable exception of Germany, when ISPs were asked (often
under the threat of being portrayed as supporters of child abuse) to
introduce "self-regulatory" web blocking, they felt obliged to do so. This
activity clearly has little in common with the dictionary definition of
"self-regulation". In Germany, the public debate that was provoked by the
ISPs' brave and honourable decision not to cave in to moral blackmail led
to the country not taking the crucial first step towards widespread
censorship and an increasingly controlled Internet. Unfortunately, that
democratic decision now risks being overturned by the European Commission's
populist but profoundly flawed proposal to introduce "blocking" at an EU
level.
Last week, the telecoms package was approved by the European Parliament.
This contains a new right for Member States to require that providers of
e-communications networks and services include obligations in their consumer
contracts regarding "unlawful activities" and undefined (and indefinable)
"harmful content". Only a few weeks ago, we saw a leaked document related to
ACTA explaining the United States' view that "ISPs need to put in place
policies to deter unauthorised storage and transmission of IP infringing
content (ex: clauses in customers' contracts allowing, inter alia, a
graduated response)."
Therefore, on the one hand, we see the telecoms package creating the power
for governments to push private companies into using their contracts to
restrict their consumers' use of the Internet. This covers not only
"illegal" activities but also legal activities that the government, the ISP or
a third party might find useful to restrict under the vague heading of
the content being "harmful". This trend is neatly encapsulated in the Dutch
"Notice and Takedown Code of Conduct" which explains that the "parties
involved are also free to decide for themselves which information is
considered as 'undesirable', irrespective of the question of it being in
conflict with the law. They can deal with this undesirable information in
the same way as information that is in conflict with the law". On the other
hand, we see the USA proposing, within the context of ACTA, the introduction
of "graduated response" via consumer contracts and therefore outside the
scope of democratic oversight.
Self-regulatory initiatives are often intended to promote or protect the
interests of ISPs' customers, so self-regulation is neither automatically unwelcome nor
negative. However, ISPs and providers of online services are there to do
business, so when the cost of defending their users is higher than the cost
of fighting pressure from third parties, it is hardly surprising when they
take the decision most appropriate to the survival of their business. These
activities are, however, outside their normal business practices and,
therefore, the trend towards defending third parties and restricting users'
rights is also harmful and unwelcome for them. "Self-regulation" risks
becoming a way of tipping the cost/benefit balance definitively in favour of
third parties and against citizens. The research carried out in 2004 by
Dutch NGO Bits of Freedom which assessed the ease with which wholly invalid
"notices" of illegal content could cause websites to be taken offline
eloquently demonstrates what this trend means for free speech and justice on
the Internet.
As a result, we have ISPs being subject to a flurry of invitations to have
discussions with international organisations from the European Commission to
the Council of Europe to the United Nations with regard to "self-regulation"
or "public-private partnership" in the field of intellectual property
rights, terrorism, identity theft and various other forms of online activity
where private companies are asked to duplicate or participate in policing
activities. As long as society continues to be misled by the use of words like
"self-regulation" or "partnership", the democratic impact and dangers of
this trend will not be understood and freedoms will be undermined.
Bits of Freedom research - The Multatuli Project ISP Notice & take down
(1.10.2004)
http://www.bof.nl/docs/researchpaperSANE.pdf
Dutch Code of Conduct (in Dutch, 10.2008)
http://www.samentegencybercrime.nl/UserFiles/File/,DanaInfo=ex01tp+NTD_Gedr…
Dutch Notice and Take down Code of Conduct (10.2008)
http://www.samentegencybercrime.nl/UserFiles/File/NTD_Gedragscode_Opmaak_En…
ACTA leak (30.09.2009)
http://www.wikileaks.com/wiki/European_Commission_"advance_warning"_summary_on_ACTA_Internet_Chapter%2C_30_Sep_2009
(contribution by Joe McNamee - EDRi)
============================================================
12. Recommended Reading
============================================================
ENISA, supported by a group of subject matter experts comprising
representatives from industry, academia and governmental organisations,
has conducted, in the context of the Emerging and Future Risk Framework
project, a risk assessment of the cloud computing business model and
technologies. The result is an in-depth and independent analysis that
outlines some of the information security benefits and key security risks of
cloud computing. The report also provides a set of practical recommendations.
(20.11.2009)
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-a…
UK: Report published by the Human Genetics Commission (HGC), the
Government's independent advisers on developments in human genetics
(24.11.2009)
http://www.hgc.gov.uk/Client/document.asp?DocId=226&CAtegoryId=8
============================================================
13. Agenda
============================================================
4 December 2009, Brussels, Belgium
Are you ready for the Internet of Things?
Lift Workshop @ Brussels, Council and Tinker.it!
http://liftconference.com/lift-at-home/events/2009/12/04/lift-brussel-counc…
9 December 2009, Brussels, Belgium
The European OpenSource & Free Software Law Event - EOLE 2009
http://www.eolevent.eu/
27-30 December 2009, Berlin, Germany
26th Chaos Communication Congress
http://events.ccc.de/congress/2009/
20-22 January 2010, Namur, Belgium
The Conference for the 30th Anniversary of the CRID - An Information Society
for All: A Legal Challenge
http://www.crid.be/30years/
29-30 January 2009, Turin, Italy
"Cultural Commons" - First International Workshop
http://www.css-ebla.it/css/
29-30 January 2009, Brussels, Belgium
Third edition of the Computers, Privacy and Data Protection -
CPDP 2010 - An Element of Choice
http://www.cpdpconferences.org/
6-7 February 2010, Brussels, Belgium
FOSDEM 2010
http://www.fosdem.org/2010/
26-28 May 2010, Amsterdam, Netherlands
World Congress on Information Technology
http://www.wcit2010.com/
9-11 July 2010, Gdansk, Poland
Wikimedia 2010 - the 6th annual Wikimedia Conference
http://meta.wikimedia.org/wiki/Wikimania_2010
============================================================
14. About
============================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 27 members based or with offices in 17 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 7.23, 2 December 2009
============================================================
Contents
============================================================
1. Civil liberties groups ask EU to repeal data retention directive
2. Romanian Constitutional Court decision against data retention
3. Spain warned by Commissioner Reding for cutting off Internet access
4. Austria: BIM delivers draft act on implementing Data Retention Directive
5. Stockholm programme adopted by the European Parliament
6. Legal Complaints and Petition Against Second French "Horror Database"
7. Czech Big Brother Awards 2009
8. EC changes the openness concept in the draft eGov EIF
9. Spanish court revokes its decision to shut down P2P-related sites
10. ENDitorial: IGF 2009: the Forum is the Message (and the Massage as well)
11. ENDitorial: Keeping the "self" in self-regulation
12. Recommended Reading
13. Agenda
14. About
============================================================
1. Civil liberties groups ask EU to repeal data retention directive
============================================================
Civil liberties groups European Digital Rights (EDRi) and the German
Working Group on Data Retention (AK Vorrat) are calling on the European
Union to repeal the 2006 directive on the data retention of electronic
communications. In the event that the directive is not repealed, they
demand that it is amended to introduce an opt-out right allowing Member
States to decide whether or not to require the retention of
communications data.
In a statement to the European Commission published today, AK Vorrat
points out that the directive has resulted in less liberty for citizens,
in a constant threat that information on personal contacts, mobile phone
movements and Internet use may be sold, lost or otherwise cause harm, as
well as in higher prices for telecommunications services and in less
competition.
In a legal complaint regarding the directive filed with the European
Court of Justice in 2006 and disclosed today on the Internet, Ireland
pointed out that initially, many countries had not imposed any data
retention requirements and that "no issue relating to the internal
market could justify the imposition upon a Member State of an obligation
to require telecommunications operators to retain data (...) where no
such obligations previously existed under the law of that State".
In several Member States, courts examined and are examining complaints
filed by citizens and telecommunications operators, alleging that the
indiscriminate collection of communications data violates the human
right to privacy. Constitutional Courts in Romania and Bulgaria
have already ruled data retention legislation unconstitutional. The
German Federal Constitutional Court will hear complaints filed by over
34 000 citizens in December. Another action is pending in Ireland,
while an application to the Constitutional Court of the Czech Republic
is currently being prepared.
"In a landmark decision taken last year, the European Court of Human
Rights declared illegal a British DNA and fingerprints database, stating
that 'the blanket and indiscriminate nature of the powers of retention
(...) constitutes a disproportionate interference' with privacy and
'cannot be regarded as necessary in a democratic society.' The same
is the case with the blanket and indiscriminate collection of
information on personal contacts, mobile phone movements and Internet
use", comments legal expert Patrick Breyer (AK Vorrat). "Anonymity is
indispensable for a multitude of activities in a democratic state.
Subjecting all citizens to a constant recording of whom they are in
touch with is threatening to undermine or even destroy democracy while
ostensibly defending it. The Commission must put an end to this Big
Brother law now."
"EDRi and its members have been campaigning against this directive for
years, arguing that such data retention is necessarily a hazardously
invasive act. Communication data is well beyond being simple logs of who
we've called and when we called them. Traffic data are now used to
create a map of human associations and more importantly, a map of human
activity and intention," reminds Meryem Marzouki (EDRi). "With the
growing use of massive national databases, and the current plans towards
their interoperability at EU-level and full access for police purposes,
the data retention directive paves the way to further extensions of
purposes, where data once collected strictly for the requirements of a
given service delivery become used for citizens surveillance and social
control, when not for intelligence purposes. This is not acceptable in a
democratic society, and should be ended now."
This press release is supported by:
- Dutch speaking League for Human Rights (Liga voor Mensenrechten) - Belgium
- French speaking League for Human Rights (Ligue des droits de
l'Homme) - Belgium
- Flemish Bar Association (Orde van Vlaamse Balies) - Belgium
- French and German speaking Bars of Belgium (Ordre des Barreaux
Francophones et Germanophone) - Belgium
- General Association of Professional Journalists in Belgium (AGJPB
- Association generale des Journalistes Professionnels de Belgique -
AVBB : Algemene Vereniging van Beroepsjournalisten in Belgie) - Belgium
- Statewatch - UK
- Werebuild.eu - Sweden
This press release in French - EDRI and AK Vorrat ask the European Union to
repeal the "data retention" directive (1.12.2009)
http://www.iris.sgdg.org/info-debat/comm-retention1209.html
In German - Civil rights organisations call on the EU to repeal the data
retention directive (1.12.2009)
http://www.vorratsdatenspeicherung.de/content/view/343/79/lang,de/
Statement from AK Vorrat on data retention (only in German, 1.12.2009)
http://www.vorratsdatenspeicherung.de/images/antworten_kommission_vds_2009-…
Summary of AK Vorrat Recommendations in English (1.12.2009)
http://www.vorratsdatenspeicherung.de/images/reply_commission_data-retentio…
Irish Submission to the European Court of Justice (11.07.2006)
http://www.vorratsdatenspeicherung.de/images/ireland_2006-07-11.pdf
Romanian Constitutional Court decision against data retention (25.11.2009)
http://www.legi-internet.ro/english/jurisprudenta-it-romania/decizii-it/rom…
Bulgarian case against data retention (17.12.2008)
http://www.edri.org/edri-gram/number6.24/bulgarian-administrative-case-data…
Germany: Class-action law suit against data retention
http://www.vorratsdatenspeicherung.de/content/view/51/70/lang,en/
Action against data retention in Ireland (14.09.2006)
http://www.digitalrights.ie/2006/09/14/dri-brings-legal-action-over-mass-su…
EDRi's campaign against data retention
http://www.edri.org/campaigns/dataretention
============================================================
2. Romanian Constitutional Court decision against data retention
============================================================
The decision of the Romanian Constitutional Court (CCR) against the data
retention law was finally published in the Official Monitor on 23 November
2009.
The motivation of the court, which was made public only a few days before
its publication in the Official Monitor, shows an interesting
argument from a Court with no prior jurisprudence in the field of privacy
protection. Thus, the court not only criticizes several aspects of the text
of the law, but declares the whole law unconstitutional because it
breaches the right to correspondence and to privacy.
Even though only several articles were mentioned in the motion of
unconstitutionality, the Court went further and examined art 20 of the law
that could have been interpreted as an open door for the secret services to
access the retained data under any circumstances and without judicial
approval, an issue that was raised by EDRi-member APTI starting with the
public consultations in 2007.
CCR notes that the principle of limited collection of personal data is
emptied through this new regulation, which obliges a continuous retention of
traffic data for 6 months. "The legal obligation that foresees the continuous
retention of personal data transforms though the exception from the
principle of effective protection of privacy right and freedom of
expression, into an absolute rule. The right appears as being regulated in a
negative manner, its positive role losing its prevailing character."
CCR also makes a comparison with article 91^1 of the Penal Procedure
Code (CPP) dealing with audio and video interceptions in crime cases, that
was considered constitutional in an earlier ruling. The text of the CPP
allows the video interception only in a specific case and person, only with
judicial supervision, only for the future and for a period that may not
exceed 120 days under any circumstances. The Court concludes that
basically, this data retention law deletes the right to privacy in terms of
electronic communications: "Therefore, the regulation of a positive
obligation that foresees the continuous limitation of the privacy right and
secrecy of correspondence makes the essence of the right disappear by
removing the safeguards regarding its execution."
The court is underlining the fact, already pointed out by European
civil organizations even during the adoption of the data retention
directive, that the law considers all citizens as potential criminals: "This
(data retention) equally addresses all the law subjects, regardless of
whether they have committed penal crimes or not or whether they are the
subject of a penal investigation or not, which is likely to overturn the
presumption of innocence and to transform a priori all users of electronic
communication services or public communication networks into people
susceptible of committing terrorism crimes or other serious crimes."
Finally, the court quotes the ECHR case of Klass and others vs Germany
(1978) considering that "taking surveillance measures without adequate and
sufficient safeguards can lead to 'destroying democracy on the ground of
defending it.'"
According to art 147 of the Romanian Constitution, the legal provisions on
data retention are now suspended. The Government and Parliament have 45 days
to "fix" the unconstitutional provisions. But taking into consideration the
CCR reasoning, there is little chance that any text that would ask for a
six-month blanket data retention would be considered constitutional in
Romania. Moreover, there is currently only an interim government and a new
one is unlikely to appear in the next weeks (at least not until the second
round of presidential election, which is scheduled for 6 December).
Constitutional Court Decision no 1258 of 8 October 2009 (unofficial
English translation, 23.11.2009)
http://www.legi-internet.ro/english/jurisprudenta-it-romania/decizii-it/rom…
Constitutional Court Decision no 1258 of 8 October 2009 (only in Romanian,
23.11.2009)
http://www.ccr.ro/decisions/pdf/ro/2009/D1258_09.pdf
APTI's comments on draft data retention law (only in Romanian, 9.05.2007)
http://www.apti.ro/webfm_send/24
Romania: Data retention law declared unconstitutional (21.10.2009)
http://www.edri.org/edrigram/number7.20/romania-data-retention-law-unconsti…
Art 147 of the Romanian Constitution
http://www.cdep.ro/pls/dic/site.page?den=act2_2&par1=5#t5c0s0a147
============================================================
3. Spain warned by Commissioner Reding for cutting off Internet access
============================================================
On 23 November 2009, at the Spanish Telecom Regulatory Authority (CMT)
international meeting, Viviane Reding warned that the European Commission
could take action against Spain if the government decided to cut the
Internet access of file-sharers.
"Repression alone will certainly not solve the problem of Internet piracy;
it may in many ways even run counter to the rights and freedoms which are
part of Europe's values since the French Revolution," said the Commissioner
who reminded Spain that the new telecom package agreed upon in November by
the European Parliament and the Council of Ministers included a provision
considering as illegal the internet access cut-off without an official
procedure. "The new internet freedom provision now provides that any
measures taken regarding access to and use of services and applications must
always respect the fundamental rights and freedoms of citizens," and
"Effective and timely judicial review is as much guaranteed as a prior, fair
and impartial procedure, the presumption of innocence and the right to
privacy," said Reding.
As she has said on several other occasions, the Commissioner believes that
new business models and modern, efficient ways must be found to protect
intellectual property and artistic creation.
On this occasion, she also criticised France's Hadopi three strikes law,
argued that the development of a single European market for online content
was a better way to act against Internet piracy and regretted the
fragmentation of copyright law across the EU. "The lifting of impediments to
the cross-border online distribution of creative works will improve the
supply of attractive and affordable services that are legal. In turn, this
will reduce the temptation for consumers to indulge in the illicit
consumption of copyright-protected material."
Reinaldo Rodríguez, the President of the CMT, considers that Reding's
statements are based on a misunderstanding and is confident that there will be no
conflicts between the Spanish legislation and that of the EU. The Spanish
Minister of Culture Angeles Gonzalez-Sinde has several times expressed her
position against the French model being in favour of prosecuting illegal
downloading sites but not users.
The Spanish association of operators REDTEL is also opposed to the
disconnection of allegedly illegal downloaders, believing that
sanctioning measures are doomed to fail and that raising awareness would
be a much more efficient solution. The operators believe that while
citizens increasingly ask for cultural materials on new channels, the culture
industry refrains from directing its offer through the Internet, in a legal
form and with attractive deals.
On 10 December 2009, the coalition of content creators will present a
proposal to the Government. The proposal will be centred on blocking P2P
download websites and not on cutting off users' access.
Reding warns Spain against internet cut-off (24.11.2009)
http://euobserver.com/19/29041
Commissioner warns Spain that cutting off Internet access conflicts with the
EU (only in Spanish, 23.11.2009)
http://www.hoytecnologia.com/noticias/Comisaria-advierte-Espana-cortar/1418…
The European Commissioner warns Spain over regulating P2P (only in Spanish,
23.11.2009)
http://www.adslzone.net/article3469-la-comisaria-europea-advierte-a-espana-…
The Coalition will ask the Government for the blocking of P2P websites, but
never for the disconnection (only in Spanish, 2.11.2009)
http://www.adslzone.net/article3403-la-coalicion-pedira-al-gobierno-el-bloq…
Spanish activists issue manifesto on the rights of Internet users
(2.12.2009)
http://www.boingboing.net/2009/12/02/spanish-activists-is.html
============================================================
4. Austria: BIM delivers draft act on implementing Data Retention Directive
============================================================
In April 2009 - after the EU Commission decided to bring an action against
Austria because of non-transposition of the Data Retention Directive
2006/24/EC (DRD) - the Ludwig Boltzmann Institute of Human Rights (BIM) was
assigned by the Austrian Federal Ministry for Transport, Innovation and
Technology to elaborate a draft act on the amendment to the
Telecommunications Act 2003, in order to find a way of transposition that
interferes least with fundamental rights of users. Although Austria had
supported the Directive in 2006, the newly elected government has delayed
the transposition not least because of serious doubts about its conformity
with Art. 8 European Convention on Human Rights (ECHR), which provides a
right to respect for one's "private and family life, his home and his
correspondence".
After we had been invited by the Ministry to elaborate such a draft act, we
thought very seriously for a while about whether we should accept and what
the consequences would be. In the past years the BIM had fundamentally
criticised the DRD in public and we had published studies on the Directive
in the light of the ECHR which concluded that Data Retention is
incompatible with the Human Rights provisions. So the main problem was (and
still is): if a Human Rights Institute of high reputation writes the draft
for transposing the directive, the act will likely get the "fundamental
rights proofed" stamp, which would clearly undermine the criticism of the
issue in public perception. On the other hand, the Austrian Government left
no doubt that it is going to transpose the Data Retention Directive, in
order to avoid a conviction by the European Court of Justice (ECJ), and the
assignment could be the chance to find a version of transposition which
provides as many safety elements as possible. But this would not have been
enough to decide in favour of this job. The aim was to show in an
accompanying scientific analysis that it is not possible to "repair" the
DRD by creating safeguards and transposing just the minimum necessary under
Community Law - which of course we did. Even so, Data Retention causes a
violation of Art. 8 and 10 ECHR, so the BIM recommends that those parts of
the draft act which stipulate the retention of data should never enter into
force - otherwise their mere existence would violate Human Rights!
The BIM organised continuous round table discussions with concerned service
providers, non-profit organisations, employee and consumer representations,
as well as representatives of concerned ministries and other public
authorities. In addition, meetings in small technical groups were held in
order to assure clarity of the norm and to take into consideration all
technical possibilities, especially concerning data security matters. On 11
September 2009 - almost ironically - the Ludwig Boltzmann Institute of
Human Rights delivered the draft act on the amendment to the
Telecommunications Act 2003. Presently it is announced for an official
public examination. This will hopefully perpetuate a public discussion
about the non-existent necessity of this instrument.
Ceterum censeo data-retentionem esse delendam!
Draft Law on data retention suggested by the BIM (only in German)
http://bim.lbg.ac.at/de/informationsgesellschaft/bimentwurf-zur-vorratsdate…
Data retention opponents making their move (only in German, 26.11.2009)
http://futurezone.orf.at/stories/1632818/
AK Vorrat Austria
http://www.akvorrat.at/
Resistance against Data Retention in Austria (only in German, 1.12.2009)
http://futurezone.orf.at/stories/1633168/
(Contribution by Christof Tschohl - Legal Researcher at the BIM and the main
author of the BIM-contribution to the Austrian DR draft law)
============================================================
5. Stockholm programme adopted by the European Parliament
============================================================
After six months of preparation, the European Union has almost reached
agreement (somewhat behind schedule) on its 5-year plan for policy in the
area of "freedom, security and justice", better known as the "Stockholm
Programme". Discussions on this proposal took place in parallel, with the
European Parliament preparing its opinion on the dossier at the same time as
Member States were working towards finalising the "real" text. While the
European Parliament's views have had a limited direct impact on the
Stockholm Programme itself, they will have an influence on the practical
projects that are subsequently set up by this new plan.
The text adopted by the Parliament, in great haste and some chaos,
is a mix of some very positive statements and some less helpful ones. On the
plus side, an attempt was made to reshape the post-9/11 "balance" metaphor
with regard to freedoms and justice: "(...) the EU is rooted in the
principle of freedom; points out that, in support of that freedom, security
must be pursued in accordance with the rule of law and subject to
fundamental rights obligations; states that the balance between security and
freedom must be seen from this perspective". There is also a stress on
reviewing the impact of measures adopted under the programme and improving
the evaluation systems already in place. On the negative side, opportunities
were missed with regard to minimum levels of diligence to be required of the
European Commission with regard to the issues to be addressed in impact
assessments and with regard to the dangers inherent in the use of databases,
particularly when these are interlinked.
The Council, meanwhile, hit some problems in last minute discussions on the
Programme, although at the time of writing, these problems do not appear
fatal for the initiative as a whole. Bearing in mind the wish of one Member
State Minister expressed during the debate between ministers, that the
Stockholm Programme will lead to the "eradication of terrorism" and the wish
of another that the programme would deal effectively with petty crime, it
appears that some Member States have somewhat unrealistic expectations of
the initiative. On the plus side, the text deleted some of the more
destructive and populist (blocking of websites) and downright dangerous
("revoking" of the IP addresses of foreign ISPs considered criminal by the
police) measures in the European Commission's Communication of June of this
year, which was meant to form the basis of the Programme. On the negative
side, the Council appears to be slipping into the misconception that
IT-based automated policing will somehow produce systems that will be both
cheaper and more efficient while also not endangering citizens' rights. This
trend is demonstrated by its proposal (albeit neatly framed with words about
protection of personal data) on "interoperability of IT systems ensuring
full conformity with data protection and data security principles when
developing such systems." Within the context, and keeping to this worrying
theme, Swedish Minister Beatrice Ask (at the beginning of discussions in the
Council) expressed her hope for the creation of "more cost-effective data
exchange".
As mentioned above, disagreements and delays have significantly slowed the
final adoption of the text. While Ministers all agreed that citizens should
be happy to trust any government (including foreign governments, following
the SWIFT agreement on exchange of banking data) with their personal data,
they did not trust each other to be responsible for mutually recognised
asylum procedures. As a result, this aspect of the Programme has delayed its
adoption.
The next stage in this process will be the preparation of concrete projects
to be proposed within the context of the adopted text. This will be done by
the European Commission, ostensibly with the support of the Spanish
Presidency of the Council.
Commission Communication (10.06.2009)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0262:FIN:EN:…
Last available consolidated text:
http://register.consilium.europa.eu/pdf/en/09/st16/st16484-re01.en09.pdf
Second-last set of amendments to the Programme (27.11.2009)
http://register.consilium.europa.eu/pdf/en/09/st16/st16484-re01ad01.en09.pdf
EDRi-gram: Stockholm Programme moves quickly towards adoption (9.09.2009)
http://www.edri.org/edri-gram/number7.17/stockholm-programme-european-parli…
============================================================
6. Legal Complaints and Petition Against Second French "Horror Database"
============================================================
The French coalition of groups, associations, trade unions and opposition
political parties, whose first successful 'No to EDVIGE' campaign in 2008
led to the withdrawal of the EDVIGE intelligence database by the French
government after a massive citizen mobilization (more than 220,000
signatures on a first petition, including almost 1200 from organizations,
as well as legal complaints, demonstrations and all possible democratic
forms of protest), is making it clear that it now says 'Hell no!' to
EDVIGE, after the same government reintroduced almost the same database
with two new decrees published on 18 October 2009.
The coalition launched a new petition on 30 November 2009, calling on
citizens to sign again against the new surveillance database. As things have
developed so far, the firmness of French civil society against EDVIGE
remains intact: in less than 3 days, more than 6100 individuals and 80
organizations have already signed, including main national associations,
trade unions, and political parties from the opposition. Main members of the
coalition, including French EDRI member IRIS, filed legal complaints on
the same day against the French government, asking the highest
administrative court (Conseil d'Etat) to annul the two new decrees. Other
coalition members are preparing to join this legal action.
The French anger is first due to the government's contempt for the
democratic process: for the second time, Sarkozy's government bypassed the
Parliament to introduce a surveillance database, despite its own commitment
in 2008 to have the creation of any new police file decided by the
Parliament. Even worse, Members of Parliament belonging to the President's
majority voted on 24 November 2009 for amendments to a draft law on 'the
simplification of the legislation', explicitly allowing such a creation by
simple regulation.
Regarding the provisions of the decrees, the petition acknowledges the fact
that the previous mobilization made it possible to keep sensitive data
related to sexual life and health out of the new EDVIGE database. This
doesn't prevent, however, the LGBT movement and organizations fighting AIDS
from taking part again in the mobilization against all other EDVIGE
features remaining in the new database: it is an intelligence file, and no
infraction needs to be committed before being filed to 'prevent violations
of public security'; children start being filed at 13; on top of the many
and, for some of them, sensitive data as defined by the French data
protection Act in accordance with the 1995 directive, that are collected
(identity, political, religious, philosophical activities as well as
activities related to trade unions; public activities, behaviours and
movements; phone numbers and email addresses, vehicle registration, capital
assets, and others that were already in EDVIGE N°1), a mysterious
'geographical origin' has been added to the categories of collected data.
This latter category, which doesn't correspond to any legal definition, has
been described as a disguised way of gathering information related to
ethnic origin, and anti-racist organizations have quickly joined the second
'No to EDVIGE' campaign.
EDRI previously reported that, during the Madrid Civil Society Conference on
Global privacy Standards held last November, Peter Schaar, the German
Federal Data Protection Commissioner, rightly underlined that "EDVIGE is a
horror database for us, because it includes many persons that did not breach
any laws - they are just 'risky persons'". It is very unfortunate that his
French counterpart, Alex Türk, does not share this point of view. In a
communiqué published on 22 October 2009, the CNIL found that "the new
decrees will allow relevant police services to use (the created databases)
under conditions guaranteeing citizens' rights and freedoms thanks to the
CNIL control powers". One might wonder how and against which evidence the
CNIL would be able to control the 'risk assessment' having led to file one
person in the EDVIGE database, given the fact that no single infraction
needs to be committed first.
"No to EDVIGE" coalition website (including petition with automatic update
of signatures)
http://nonaedvige.sgdg.org
EDRi-gram: French Edvige Decree Withdrawn (3.12.2008)
http://www.edri.org/edri-gram/number6.23/edvige-retired
EDRi-gram: France Pushes The Introduction Of Edvige Project Through The Back
Door (21.10.2009)
http://www.edri.org/edrigram/number7.20/new-two-edvige-files
"No to EDVIGE" against police file creation by simple regulation (in French
only, 26.11.2009)
http://nonaedvige.sgdg.org/spip.php?article1115
EDRi-gram: Declaration On Global Privacy Standards (5.11.2009)
http://www.edri.org/edrigram/number7.21/privacy-standards-global
CNIL: From 'Edvige I' to 'Edvige III': intelligence databases from now on
better supervised and better controlled (only in French, 22.10.2009)
http://www.cnil.fr/la-cnil/actu-cnil/article/article//de-edvige-i-a-edvige-…
(Contribution by Meryem Marzouki, EDRI-member IRIS - France)
============================================================
7. Czech Big Brother Awards 2009
============================================================
The results of the fifth annual Big Brother Awards were announced at a
festive evening in Prague's Theatre Na Pradle on 12 November 2009. A jury of
experts chose from almost 80 nominations entered by the public.
Among those awarded are the Czech Ministry of Schools, Youth and Sports for
gathering information about pupils and students, Nokia company for its
efforts to legalize snooping in its employees' email communication, the
social networking site Facebook for its inconsistent approach to user
privacy protection, the Czech Ministry of Health, the State Institute for
Drug Control and National Health Registries, or the French "HADOPI law",
nicknamed the "electronic guillotine".
The "Statement of the year" went to the General Manager of the state-owned
lottery operator Sazka, for demanding that slot-machines be equipped with ID
scanners. He thinks this would prevent people who receive social benefits
from gambling. "It is a question of a greater control or an increase in
gambling," says Mr. Ales Husak. The positive prize was awarded to the
citizens of Iran for boycotting telephones manufactured by Nokia Siemens,
because a telecommunication surveillance system was sold by this company to
the Government of Iran.
The first ceremony in the Czech Republic took place in 2005. As in
previous years there are eight categories - Long-term Violation of Human
Privacy (for companies and public organizations), Biggest Corporate Snoop
(for companies), Biggest Government Agency Snoop (for government
organizations), Dangerous New Technology, Big Brother Law, Snoop Among
Nations, Statement of a Big Brother and finally the positive award for
Achievements in Protecting Privacy. The Czech Awards are held by the
EDRi-member Iuridicum Remedium.
Big Brother Awards 2009 (only in Czech)
http://www.bigbrotherawards.cz/
Czech Big Brother awards press release in English (12.11.2009)
http://www.edri.org/files/Czech_BBA09_EN.pdf
(Contribution by Katerina Hlatka - EDRi-member IURE)
============================================================
8. EC changes the openness concept in the draft eGov EIF
============================================================
A second draft of the European Interoperability Framework (EIF) was recently
leaked to the press showing that the European Commission (EC) has decided to
take the side of Business Software Alliance (BSA), a lobby group for
proprietary software vendors.
The first draft of EIF is a document produced in 2004 by the "Interoperable
delivery of pan-European eGovernment services to public administrations,
businesses and citizens" (IDABC) for the European Union.
According to EIF I, open standards are the key in obtaining interoperability
in pan-European eGovernment services. The document defines the open standard
as being a standard that is adopted and maintained by a non-profit
organization the development of which "occurs on the basis of an open
decision-making procedure available to all interested parties (consensus or
majority decision etc.)." An open standard needs also to be published with a
standard specification document that "is available either freely or at a
nominal charge. It must be permissible to all to copy, distribute and use it
for no fee or at a nominal fee." The intellectual property of an open
standard (or part of it) "is made irrevocably available on a royalty-free
basis" and "there are no constraints on the re-use of the standard."
The EC produced a consultation document and launched a public consultation
between June and September 2008 for a second version of the EIF. The
consultation received 53 comments. The Free Software Foundation Europe
(FSFE) has analysed the new version of the text, showing that the Commission
has based its result practically only on the input of BSA, ignoring other
opinions from companies, groups and individuals in favour of Open Standards
and Free Software.
"The European Commission must not make itself the tool of particular
interests. The current draft is unacceptable, and so is the total lack of
transparency in the process that has led to this text," says Karsten
Gerloff, FSFE's President.
While the first version of EIF considers open standards as key tools for
interoperability, thus strongly supporting Free Software and Open Standards
in the public sector, EIF2 contains only a description of a so called
"openness continuum", which also includes proprietary specifications.
The new text no longer considers that openness is a key factor for
interoperability in eGovernment services. "While there is a correlation
between openness and interoperability, it is true that interoperability can
be obtained without openness, for example via homogeneity of the ICT
systems, which implies that all partners use, or agree to use, the same
solution to implement a European Public Service" says the new draft.
FSFE has sent a letter to the people in charge of eGovernment in EU member
states that says: "The current text is not a viable successor to version 1
of the EIF. Instead of leading Europe forward into an interoperable future,
it will promote vendor lock-in, block interoperability of eGovernment
services, and damage the European software economy. If adopted, it will be a
testament to the power which is exerted outside democratic and transparent
processes, and will give rise to Euro-scepticism." The letter includes a set
of 10 recommendations for the improvement of the draft.
A press officer with the Delegation to the European Commission in Washington
stated on 6 November that the document being circulated as "EIF 2.0" could
not be attributed as an official European Commission document. It seems the
EC indicated that the text was a document only intended to test public
opinion.
However, the second draft of the EIF document was discussed in a meeting
between the EC and representatives of the EU Member States on 12 November in
Brussels. According to the German Ministry of the Interior, most member
states at the meeting considered the document a good starting point, "but
there are some points that have to be discussed again, including the
definition of interoperability and open source."
A spokesman from the Dutch Ministry of Economic Affairs stated the revision
was a major step back from the first version. "We informally said we were
unhappy with it. The government will respond officially once the document is
ready."
FSFE: EC caves in to proprietary lobbyists on interoperability (27.11.2009)
http://www.fsfe.org/news/2009/news-20091127-01.en.html
European Interoperability Framework for European Public Services (EIF) -
Version 2.0 - (work document in progress) (11.2009)
http://www.bigwobber.nl/wp-content/uploads/2009/11/European-Interoperabilit…
EU Wants to Re-define "Closed" as "Nearly Open" (2.11.2009)
http://www.computerworlduk.com/community/blogs/index.cfm?entryid=2620&blogi…
If Not EIF 2.0, Then What? (6.11.2009)
http://www.computerworlduk.com/community/blogs/index.cfm?entryid=2629&blogi…
============================================================
9. Spanish court revokes its decision to shut down P2P-related sites
============================================================
A preliminary shut-down decision against two P2P file-sharing link sites has
recently been overturned by a Spanish court, which also fined the
anti-piracy group involved in the case.
Two eD2K file-sharing link sites known as Elitemula and Etmusica were shut
down by court order in April 2009 on the basis of an action by the
anti-piracy group SGAE. Shortly after, Juan Jose Carrasco Colonel, who ran
the two sites, received a visit from a lawyer and a computer expert of SGAE
who, under the false pretence of coming from the court with a warrant,
entered his home and inspected his computers and hard drives to find proof
of music downloads through the two sites between September and December
2007.
The two lawyers of the sites succeeded in convincing the court that the hard
drive evidence collected during the controversial raid was worthless;
therefore the evidence was dismissed and both sites can now be reopened.
"The reason for reopening the websites is that a hyperlink, per se, does not
violate intellectual property law," said Javier de la Cueva, one of the
lawyers, who explained that the dismissal of the hard drive evidence was due
to having proved that it was impossible for the sites' users' sharing
statistics to be stored on it.
He also pointed out that SGAE requested injunctions against Etmusica and
Elitemula without summoning their client. "When this happens and injunctions
are adopted, the defendant should have the opportunity of opposition, and
this is what we have won," he said.
Furthermore, the court fined SGAE 500 euros for bad faith ("mala fides"),
concluding that the group had acted with the intention of circumventing the
defendants' right to a defence and had failed to tell the court that
earlier criminal proceedings brought by Promusicae to obtain preliminary
injunctions against both sites had already been dismissed.
P2P Sites' Injunctions Overturned, Anti-Piracy Group Fined (24.11.2009)
http://torrentfreak.com/p2p-sites-injunctions-overturned-anti-piracy-group-…
Spain: the judges fining an anti-piracy group guided by SGAE. (only in
Spanish, 25.11.2009)
http://www.onep2p.it/tag/juan-jose-carrasco-colonel/
The Judge orders the reopening of the two p2p sites and fines SGAE for mala
fides in its request for closing down (only in Spanish, 22.11.2009)
http://derecho-internet.org/node/497
============================================================
10. ENDitorial: IGF 2009: the Forum is the Message (and the Massage as well)
============================================================
Internet Governance Forum or Internet Governance Fair? One might still
wonder what the IGF acronym stands for, after the closing of its fourth
annual meeting in Sharm El Sheikh, Egypt, on 18 November 2009. As usual, the
IGF featured a number (111 over 4 days!) of so-called multi-stakeholder
panels and workshops, exhibition booths, launching events and other
happenings. One might still equally wonder what 'Internet Governance' means
in the IGF context: apparently, any and all Internet issues, roughly
categorized under 7 headings: Access, Diversity, Openness, Security,
Critical Internet Resources, Development and Capacity Building.
The newcomer finds it hard to understand the difference between discussion
formats: main session (though run in parallel with up to 9 other events),
workshop, open forum, best practice forum, dynamic coalition meeting: what's
the exact difference in the end? The veteran is still waiting for the
'round-table' format, that is, a more output-oriented format for issues that
have reached a certain level of maturity, that one would have expected as a
result of the February and May 2009 IGF consultation meetings. But 'outcome'
seems a banned concept, if not a jinx, at IGF. Marshall McLuhan would
probably have liked it: the Forum is indeed the message and the massage
altogether. However, some participants have a precise agenda to advance for
better or worse.
The Association for Progressive Communication (APC) took further steps on
its joint initiative with the Council of Europe and UNECE towards a "Code of
Good Practice on Transparency, Information and Participation in Internet
governance", which builds on the principles of WSIS and the Aarhus
Convention on Access to Information, Public Participation in Decision-Making
and Access to Justice in Environmental Matters. The Electronic Privacy
Information Center (EPIC) and the international Public Voice Coalition were
instrumental in making privacy a key and cross-cutting issue at this year's
IGF, most notably by moderating the main session on "security, openness, and
privacy" and by convening high quality informative workshops to put privacy
in focus in emerging contexts such as cloud computing, behavioural targeting
and social networks. IGF was indeed the perfect opportunity for the Public
Voice Coalition, of which EDRI is a main actor, to campaign on and collect
more signatures to the recently adopted "Madrid Civil Society Declaration on
Global Privacy Standards in a Global World".
On the worrying side, no less than 3 workshops were explicitly dedicated to
the promotion of the Council of Europe (CoE) Convention on Cybercrime
through CoE (privately co-funded) projects. While these projects claim to
include data protection and privacy in their objectives, this would
certainly be better achieved if the CoE (as well as private companies) were
dedicating comparable resources to the promotion of the CoE Convention 108
for the Protection of Individuals with regard to Automatic Processing of
Personal Data, together with its 2001 additional Protocol regarding
supervisory authorities and transborder data flows. Another preoccupying
issue is the promotion by many governments, but also by other stakeholders
including some NGOs, of regulations and public-private initiatives to fight
the "dangers" of the Internet through content regulation measures that have
shown, till now, more harm to human rights and especially the rights to
freedom of expression, to privacy and to access to knowledge, than effective
protection of vulnerable groups.
Human rights are not simply a discussion topic: they form a set of
internationally binding standards for states. Active campaigning and an
uncompromising stance against the softening and dilution of basic universal
principles still seem to be required from the civil society side. While APC
and some other
participants seem to consider that human rights are gaining prominence at
the IGF, it remains to be proven that, beyond endless discussions, the
realization of human rights in the digital environment is making effective
progress thanks to the IGF... or even AT the IGF one should rather say:
during an event organized by the Open Net Initiative (ONI) to launch the
book entitled "Access controlled", a promotion poster was taken down by
security personnel on the grounds that it showed the following sentence:
'China's famous "Great Firewall of China" is one of the first national
Internet filtering systems', a display which was claimed to violate UN
policy.
Should the IGF continue, then? Almost all stakeholders, including civil
society ones, advocated in favour of the continuation of the IGF in the
written comments they submitted as well as at the main session dedicated to
the desirability of the Forum's continuation after the expiration of its
first five-year mandate in 2010. Particularly and unanimously praised were
the
capacity building feature of the IGF and its ability to facilitate open
dialogue among different stakeholders and different viewpoints. Governments
are divided, though, on whether the IGF should lead to negotiated and/or
binding outcomes: Canada, USA, and the EU presidency strongly stood against
such idea, rather favouring IGF continuation in its current form. Others,
like Brazil, Kenya and Switzerland, advocated for more concrete but not
negotiated outcomes. China was the most clear and direct: "without reform to
the present IGF, it is not necessary to give the IGF a five-year extension",
advocating for a more classical UN style discussion. All developing
countries highlighted the need for better inclusion and involvement of
participants from the Global South. Since the IGF will probably be
continued, the fact that the IGF 2011 will be held in Kenya might bring some
improvement on this last issue. Next year's IGF meeting will be in Vilnius,
Lithuania, on 14-17 September 2010.
Internet Governance Forum, with workshops list and main sessions transcript
(15-18.11.2009)
http://www.intgovforum.org
APC's project for a code of good practice in Internet governance
http://www.apc.org/fr/projects/code-good-practice-internet-governance
EPIC and The Public Voice workshops on Privacy (15-18.11.2009)
http://thepublicvoice.org/events/egypt09/
The Madrid Privacy Declaration (3.11.2009)
http://thepublicvoice.org/madrid-declaration/
Council of Europe Projects on Cybercrime
http://www.coe.int/cybercrime
EDRi-gram: The 2001 CoE Cybercrime Conv. More Dangerous Than Ever
(20.07.2007)
http://www.edri.org/edrigram/number5.12/cybercrime-convention-dangerous
APC's assessment of IGF 2009 (26.11.2009)
http://www.apc.org/en/system/files/APCIGF4Assessment_EN.pdf
ONI's poster taken down and related videos, including UN Statement on the
incident (15.11.2009)
http://www.youtube.com/watch?v=d-kxYt2LwKc
(Contribution by Meryem Marzouki, EDRI-member IRIS - France)
============================================================
11. ENDitorial: Keeping the "self" in self-regulation
============================================================
Businesses, particularly in the Internet environment, fear (and often have
good reason to fear) government regulation. Traditionally, therefore,
Internet Service Providers have pushed for "self-regulatory" solutions to
issues surrounding the management and operation of their own networks - as
in the case of spam, for example. Self-regulation often seems to be, and
often is, the most effective solution.
There is, however, a growing and insidious trend in self-regulation, where
increasing pressure is being put on Internet access and service providers to
treat their own customers as potential criminals and to take on, usually
unwillingly, policing roles. It is clear that this development has serious
risks both to online freedoms and to the democratic controls that citizens
would normally be able to rely on to protect them.
Already, with the notable exception of Germany, when ISPs were asked (often
under the threat of being portrayed as supporters of child abuse) to
introduce "self-regulatory" web blocking, they felt obliged to do so. This
activity clearly has little in common with the dictionary definition of
"self-regulation". In Germany, the public debate that was provoked by the
ISPs' brave and honourable decision not to cave in to moral blackmail led
to the country not taking the first crucial step towards widespread
censorship and an increasingly controlled Internet. Unfortunately, that
democratic decision now risks being overturned by the European Commission's
populist but profoundly flawed proposal to introduce "blocking" at an EU
level.
Last week, the telecoms package was approved by the European Parliament.
This contains a new right for Member States to require that providers of
e-communications networks and services include obligations in their consumer
contracts regarding "unlawful activities" and undefined (and indefinable)
"harmful content". Only a few weeks ago, we saw a leaked document related to
ACTA explaining the United States' view that "ISPs need to put in place
policies to deter unauthorised storage and transmission of IP infringing
content (ex: clauses in customers' contracts allowing, inter alia, a
graduated response)."
Therefore, on the one hand, we see the telecoms package creating the power
for governments to push private companies into using their contracts to
restrict their consumers' use of the Internet. This covers not only
"illegal" activities but also legal activities that government or the ISP or
a third party might find useful to restrict under the vague heading of
the content being "harmful". This trend is neatly encapsulated in the Dutch
"Notice and Takedown Code of Conduct" which explains that the "parties
involved are also free to decide for themselves which information is
considered as 'undesirable', irrespective of the question of it being in
conflict with the law. They can deal with this undesirable information in
the same way as information that is in conflict with the law". On the other
hand, we see the USA proposing, within the context of ACTA, the introduction
of "graduated response" via consumer contracts and therefore outside the
scope of democratic oversight.
Self-regulatory initiatives are often intended to promote or protect the interests of
ISPs' customers, so self-regulation is neither automatically unwelcome nor
negative. However, ISPs and providers of online services are there to do
business, so when the cost of defending their users is higher than the cost
of fighting pressure from third parties, it is hardly surprising when they
take the decision most appropriate to the survival of their business. These
activities are, however, outside their normal business practices and,
therefore, the trend towards defending third parties and restricting users'
rights is also harmful and unwelcome for them. "Self-regulation" risks
becoming a way of tipping the cost/benefit balance definitively in favour of
third parties and against citizens. The research carried out in 2004 by
Dutch NGO Bits of Freedom which assessed the ease with which wholly invalid
"notices" of illegal content could cause websites to be taken offline
eloquently demonstrates what this trend means for free speech and justice on
the Internet.
As a result, we have ISPs being subject to a flurry of invitations to have
discussions with international organisations from the European Commission to
the Council of Europe to the United Nations with regard to "self-regulation"
or "public-private partnership" in the field of intellectual property
rights, terrorism, identity theft and various other forms of online activity
where private companies are asked to duplicate or participate in policing
activities. As long as society continues to be misled by use of words like
"self-regulation" or "partnership", the democratic impact and dangers of
this trend will not be understood and freedoms will be undermined.
Bits of Freedom research - The Multatuli Project ISP Notice & take down
(1.10.2004)
http://www.bof.nl/docs/researchpaperSANE.pdf
Dutch Code of Conduct (in Dutch, 10.2008)
http://www.samentegencybercrime.nl/UserFiles/File/,DanaInfo=ex01tp+NTD_Gedr…
Dutch Notice and Take down Code of Conduct (10.2008)
http://www.samentegencybercrime.nl/UserFiles/File/NTD_Gedragscode_Opmaak_En…
ACTA leak (30.09.2009)
http://www.wikileaks.com/wiki/European_Commission_"advance_warning"_summary_on_ACTA_Internet_Chapter%2C_30_Sep_2009
(contribution by Joe McNamee - EDRi)
============================================================
12. Recommended Reading
============================================================
ENISA, supported by a group of subject matter experts comprising
representatives from Industries, Academia and Governmental Organizations,
has conducted, in the context of the Emerging and Future Risk Framework
project, a risk assessment of the cloud computing business model and
technologies. The result is an in-depth and independent analysis that
outlines some of the information security benefits and key security risks of
cloud computing. The report also provides a set of practical recommendations.
(20.11.2009)
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-a…
UK: Report published by the Human Genetics Commission (HGC), the
Government's independent advisers on developments in human genetics
(24.11.2009)
http://www.hgc.gov.uk/Client/document.asp?DocId=226&CAtegoryId=8
============================================================
13. Agenda
============================================================
4 December 2009, Brussels, Belgium
Are you ready for the Internet of Things?
Lift Workshop @ Brussels, Council and Tinker.it!
http://liftconference.com/lift-at-home/events/2009/12/04/lift-brussel-counc…
9 December 2009, Brussels, Belgium
The European OpenSource & Free Software Law Event - EOLE 2009
http://www.eolevent.eu/
27-30 December 2009, Berlin, Germany
26th Chaos Communication Congress
http://events.ccc.de/congress/2009/
20-22 January 2010, Namur, Belgium
The Conference for the 30th Anniversary of the CRID - An Information Society
for All : A Legal Challenge
http://www.crid.be/30years/
29-30 January 2009, Turin, Italy
"Cultural Commons" - First International Workshop
http://www.css-ebla.it/css/
29-30 January 2009, Brussels, Belgium
Third edition of the Computers, Privacy and Data Protection -
CPDP 2010 - An Element of Choice
http://www.cpdpconferences.org/
6-7 February 2010, Brussels, Belgium
FOSDEM 2010
http://www.fosdem.org/2010/
26-28 May 2010, Amsterdam, Netherlands
World Congress on Information Technology
http://www.wcit2010.com/
9-11 July 2010, Gdansk, Poland
Wikimania 2010 - the 6th annual Wikimedia Conference
http://meta.wikimedia.org/wiki/Wikimania_2010
============================================================
14. About
============================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 27 members based or with offices in 17 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Hi Charles
(and all)
I have been 'lurking' on this list for a while, contributing occasionally,
but generally 'in flames' about the topics and depth of conversation.
Too little time to keep up with everything...
So if anyone on this list, or in the social network of members on this list
> is running these systems please contact me
>
I'd like to drop a line about my specific interest in complementary
currencies. I have been investigating complementary currencies a few years
now, have written an (unused) currency system myself, participated in the
http://liquiditynetwork.org project and am now on the verge of concluding a
contract with STRO, the guys who write the http://cyclos.org complementary
currency software, which is possibly the software with the highest adoption rate
in the alt.curr space.
I have multi-year experience in Swiss banking environments as a software
engineer, IT architect and strategy advisor.
I am also active in the Coalition of the Willing group, cotw.cc
cheers
fabio
2011/4/17 Charles N Wyble <charles(a)knownelement.com>
> On 04/16/2011 07:56 PM, Robert Steele wrote:
>
> Eric Hughes, Anonymous Banking--the original hacker briefed all this at
> Hackers Conference in mid-1990's.
>
>
> Yes I've been aware of the space for a few years now. :)
>
> I just haven't had a chance to get these things set up, tested, secured.
>
> Does he have such systems in place? Do you know of anyone running these in
> any serious capacity? I would love to engage with them.
>
> I have a background in the financial services sector, so I'm intimately
> familiar with the regulatory environment that technological systems
> supporting money movement must operate in. In order for this stuff to be
> taken seriously, it's critical that it operates in a proper manner.
> Regardless of one's stance towards government regulation, the operational
> security requirements exist for a reason.
>
> Now the non technological/operational requirements such as specific
> activity reports or "know your customer" .... well that is up for debate. In
> my opinion transacting is our private business. I think that using
> existing, societal trust systems as key. These systems enable that.
>
> However there are large scale attack efforts on a continuous basis against
> all operating systems and software in use today. If these systems are
> deployed at wide scale, they will become THE high value targets for
> exploitation by a number of actors: ("friendly") governments, organized
> crime etc.
>
> So if anyone on this list, or in the social network of members on this list
> is running these systems please contact me. Starting May 2nd, I will be
> focusing all of my efforts on the security of systems to support a digital
> economy/currency. Bitcoin in particular, namely for its attractive
> properties for settlement among different virtual currencies. This is my
> "old paradigm" thinking, but it helps to have a financial settlement
> backbone in place. Settlement among currencies is useful. Certain aspects of
> the current global financial system do make sense, and we don't want to
> throw the baby out with the bath water. Granted we have SUBSTANTIAL flaws in
> the current system and it needs to be supplanted. However we can also learn
> from the current system.
>
> That's all for now. I am in the process of finishing an extensive todo list
> that clears my plate for the next several months. I will be monitoring this
> list somewhat sporadically. DO NOT HESITATE to contact me directly if you
> are operating a digital economy system today and wish to get my attention
> early in my evaluation process.
>
> Thank you.
>
>
>
> On Sat, Apr 16, 2011 at 8:48 PM, Charles N Wyble <charles(a)knownelement.com
> > wrote:
>
>> On 04/16/2011 07:44 PM, Venessa Miemis wrote:
>> > yep, aware. check out the "Future of Money" section of my blogroll on
>> > right sidebar. http://emergentbydesign.com/
>>
>> Nice. I had missed that. Good stuff there.
>>
>> I need to get all of these systems set up and play with them. If I'm
>> going to build
>> a secure system for banking, I need to deeply understand what I'm
>> securing. Money is a
>> big deal.
>>
>>
>>
>>
>> > On Apr 16, 8:37 pm, Charles N Wyble <char...(a)knownelement.com> wrote:
>> >
>>
>> --
>> Charles N Wyble charles(a)knownelement.com @charlesnw
>> http://blog.knownelement.com
>> Building tomorrow's alternate default free zone
>>
>>
>>
>
>
> --
> Charles N Wyble charles(a)knownelement.com @charlesnw
> http://blog.knownelement.com
> Building tomorrow's alternate default free zone
>
>
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Well, since the fastest growing black household in America is the
cellblock; since here in Philadelphia I still can hear cops step from
their cars asking, "Where'd the nigger go?" in front of black
onlookers; since Independence Hall now has a clearly visible
surveillance camera in its tower and visitors to the Liberty Bell are
searched and wanded multiple times; since the fastest growing group of
armed police in the US are private security and prison guard, since
without trying very hard, I can read more and more about police getting
no-knock powers, about prisoners held incommunicado, etc. -- I think we
shouldn't wait until we are all getting routinely Taser'd for getting
smart at the latest "preventive" roadblock.
It's enough like a police state--or a hall monitor's wet dream -- to
get me nervous.
--Michael McGettigan
One recent example -- a friend of mine who worked transmitters for
Motorola was sent to a crime-ridden North Philly high-rise project. His
mission -- inspect a repeater transmitter that was inside a
steel-doored room atop the building -- the transmitter's function was
to boost the signals of the various law enforcement/drug authorities
that raided it on a regular basis. They'd found that their hand radios
often didn't work well enough. The idea that this high-rise should
maybe be razed rather than rigged for a permanent state of drug busts
didn't seem to occur to anyone.
-------------------------------------
You are subscribed as eugen(a)leitl.org
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
----- End forwarded message -----
--
Eugen* Leitl <leitl>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
Begin forwarded message:
On May 9, 2010, at 12:30:47 PM, Eugen Leitl wrote:
> On Sun, May 09, 2010 at 10:54:46AM -0500, Larry Sheldon wrote:
>
>> And when I drive someplace, I do indeed go by the signs I see, which are
>> not erected by a central authority, as I move along. (I don't have a
>> route from here to Fairbanks, Alaska, but my MCA shows one from here to
>> Council Bluffs, Iowa, and from there there are several I might use,
>> depending on what signs I see ("Warning, I29 N closed at Mondamin due to
>> flooding") when I get there.)
>
> Speaking about that, is anyone currently seeing geographic (local-knowledge)
> routing and authorityless address (=position) allocation from coordinates
> (e.g. WGS 84 position fixes) in any realistic time frame as a major component
> on the Internet?
>
> Presumably, one could prototype something simple and cheap at L2 level
> with WGS 84->MAC (about ~m^2 resolution), custom switch firmware and GBIC
> for longish (1-70 km) distances, but without a mesh it won't work.
It was discussed during the IPng days. My view at the time -- and my view today -- is that there's an inherent conflict between that and multiple competitive ISPs. Suppose there's an IP address corresponding to 40.75013351 west longitude, 73.99700928 north latitude (my building, according to Google maps). To which ISP should it be handed for delivery? Must all ISPs in a given area peer with each other?
--Steve Bellovin, http://www.cs.columbia.edu/~smb
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
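The WGS 84 -> MAC mapping sketched in the thread above, as an added example that is not code from either poster or from any project: it packs a position fix into the 46 usable bits of a locally administered unicast MAC (the 23/23 latitude/longitude split is my assumption, as is the fixed-point cell encoding), decodes it back, and computes the resulting cell size, which comes out at a few metres on a side rather than a square metre. The sample fix is constructed from the ICBM coordinates in the signature above; note that such an address discloses the host's position to anyone who can see the frame, which is the privacy cost a defender would weigh against the routing convenience.

```python
"""Sketch of a WGS 84 -> 48-bit MAC mapping (added example, not code from
the thread).  Assumptions, all mine: unicast, locally administered address
(I/G bit = 0, U/L bit = 1 in the first octet), so 46 bits remain, split
23 bits latitude / 23 bits longitude as fixed-point cell indices."""
from dataclasses import dataclass

LAT_BITS = 23
LON_BITS = 23
MASK40 = (1 << 40) - 1
EARTH_CIRC_M = 40_075_000  # equatorial circumference in metres (WGS 84 ellipsoid)


@dataclass(frozen=True)
class Cell:
    lat_idx: int  # 0 .. 2**LAT_BITS - 1, south to north
    lon_idx: int  # 0 .. 2**LON_BITS - 1, west to east


def quantize(lat: float, lon: float) -> Cell:
    """Map a WGS 84 fix to integer cell indices; rejects out-of-range input."""
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("latitude/longitude outside WGS 84 range")
    lat_idx = int((lat + 90.0) / 180.0 * (1 << LAT_BITS))
    lon_idx = int((lon + 180.0) / 360.0 * (1 << LON_BITS))
    # exactly +90 / +180 would index one past the last cell; clamp it
    return Cell(min(lat_idx, (1 << LAT_BITS) - 1),
                min(lon_idx, (1 << LON_BITS) - 1))


def position_to_mac(lat: float, lon: float) -> str:
    """Encode a position as a locally administered unicast MAC string."""
    cell = quantize(lat, lon)
    payload = (cell.lat_idx << LON_BITS) | cell.lon_idx   # 46 bits
    first_octet = ((payload >> 40) << 2) | 0b10            # top 6 bits, U/L=1, I/G=0
    addr = (first_octet << 40) | (payload & MASK40)        # 48 bits total
    # The address itself now reveals the host's position to anyone who can
    # see the frame: that is the privacy cost of position-derived addressing.
    return ":".join(f"{(addr >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))


def mac_to_position(mac: str) -> tuple[float, float]:
    """Inverse mapping; returns the south-west corner of the cell."""
    octets = [int(x, 16) for x in mac.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError("malformed MAC address")
    addr = 0
    for o in octets:
        addr = (addr << 8) | o
    first_octet = addr >> 40
    if first_octet & 0b11 != 0b10:
        raise ValueError("not a locally administered unicast address")
    payload = ((first_octet >> 2) << 40) | (addr & MASK40)
    lon_idx = payload & ((1 << LON_BITS) - 1)
    lat_idx = payload >> LON_BITS
    lat = lat_idx / (1 << LAT_BITS) * 180.0 - 90.0
    lon = lon_idx / (1 << LON_BITS) * 360.0 - 180.0
    return lat, lon


def cell_size_m() -> tuple[float, float]:
    """Cell edge lengths in metres at the equator (north-south, east-west)."""
    north_south = (EARTH_CIRC_M / 2) / (1 << LAT_BITS)  # pole-to-pole, spherical approx.
    east_west = EARTH_CIRC_M / (1 << LON_BITS)
    return north_south, east_west


if __name__ == "__main__":
    # constructed sample: the ICBM coordinates from the signature above
    mac = position_to_mac(48.07100, 11.36820)
    print(mac, mac_to_position(mac), cell_size_m())
```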