cypherpunks-legacy
July 2018
- 1371 participants
- 9656 discussions
>From owner-cryptography+eugen=leitl.org(a)metzdowd.com Thu Jan 27 01:04:39 2005
User-Agent: Mutt/1.4.2i
On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote:
| In article <41E07994.5060004(a)systemics.com> you write:
| >Voice Over Internet Protocol and Skype Security
| >Simson L. Garfinkel
|
| >http://www.soros.org/initiatives/information/articles_publications/articles/security_20050107/OSI_Skype5.pdf
|
| >Is Skype secure?
|
| The answer appears to be, "no one knows". The report accurately reports
| that because the security mechanisms in Skype are secret, it is impossible
| to analyze meaningfully its security. Most of the discussion of the
| potential risks and questions seems quite good to me.
|
| But in one or two places the report says things like "A conversation on
| Skype is vastly more private than a traditional analog or ISDN telephone"
| and "Skype is more secure than today's VoIP systems". I don't see any
| basis for statements like this. Unfortunately, I guess these sorts of
| statements have to be viewed as blind guesswork. Those claims probably
| should have been omitted from the report, in my opinion -- there is
| really no evidence either way. Fortunately, these statements are the
| exception and only appear in one or two places in the report.
The basis for these statements is what the other systems don't do. My
Vonage VOIP phone has exactly zero security. It uses the SIP-TLS
port, without encryption. It doesn't encrypt anything. So, it's easy
to be more secure than that. So, while it may be bad cryptography, it
is still better than the alternatives. Unfortunately.
Adam
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo(a)metzdowd.com
----- Forwarded message from Peter Gutmann <pgut001(a)cs.auckland.ac.nz> -----
Re: Simson Garfinkel analyses Skype - Open Society Institute
by pgut001＠cs.auckland.ac.nz 06 Jul '18
David Wagner <daw(a)cs.berkeley.edu> writes:
>>Is Skype secure?
>
>The answer appears to be, "no one knows".
There have been other posts about this in the past, even though they use
known algorithms the way they use them is completely homebrew and horribly
insecure:
Raw, unpadded RSA, no message authentication, no key verification, no replay
protection, etc etc etc. It's pretty much a textbook example of the problems
covered in the writeup I did on security issues in homebrew VPNs last year.
(Having said that, the P2P portion of Skype is quite nice, it's just the
security area that's lacking. Since the developers are P2P people, that's
somewhat understandable).
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo(a)metzdowd.com
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
[demime 1.01d removed an attachment of type application/pgp-signature]
I'm sure the military folks on the list can suggest better sources.
Arreguin-Toft, Ivan. "How the Weak Win Wars: A Theory of
Asymmetric Warfare." International Security, vol. 26, no. 1, Summer
2001, pp. 93-128.
Paul, T. V. Asymmetric Conflicts: War Initiation by Weaker
Powers. Cambridge, MA: Cambridge University Press, 1994.
Miles, Franklin B. Asymmetrical Warfare: An Historical
Perspective. Carlisle Barracks, PA: Army War College, 1999.
See generally http://www.comw.org/rma/fulltext/asymmetric.html
Lee
At 5:25 PM -0400 10/4/05, David Farber wrote:
>Begin forwarded message:
>
>From: "Robert C. Atkinson" <rca53(a)columbia.edu>
>Date: October 4, 2005 4:32:01 PM EDT
>To: dave(a)farber.net
>Subject: Re: [IP] USG RFI for "metrics" on the 'terror war'
>
>
>Regarding the statement that:
>
>
>
>> the continuing belief that a conventional high- tech army
>> can defeat a low-tech insurgency (something that has not happened
>>in Western
>> history to my knowledge)...
>>
>>
>
>Things aren't quite that bad: there have been "successes" such as
>
>- the British and then US "pacification" of North America
>(the United States and Canada) and the whole western hemisphere for
>that matter)
>- the British "pacification" of South Africa, Australia and
>New Zealand
>- the United States in the Philippine Insurrection at turn
>of the 20th century
>- British suppression of insurgents in Malaya after WWII?
>- British suppression of the Mau Mau in Kenya in the 1950s
>- British suppression of the IRA in Northern Ireland
>
>And in "Western history" Rome's high tech army (for its time)
>defeated insurgencies throughout the centuries of the Roman Empire.
>There are probably plenty of other examples that historians can
>offer. In this day and age, the important thing is to understand
>why high tech armies sometimes lose to low-tech insurgencies? My
>guess is that the willingness of the high-tech army's "homefront"
>to sustain the cost and horror of a long, drawn-out counter-
>insurgency (including periodic tactical defeats such as Tet in the
>Vietnam) is a very important factor in the longterm success or
>failure of the high-tech army.
>Thanks
>
>Bob
>
>
>
>David Farber wrote:
>
>
>
>>
>>
>> Begin forwarded message:
>>
>> From: Richard Forno <rforno(a)infowarrior.org>
>> Date: October 4, 2005 2:45:23 PM EDT
>> To: Infowarrior List <infowarrior(a)g2-forward.org>
>> Cc: Dave Farber <dave(a)farber.net>
>> Subject: USG RFI for "metrics" on the 'terror war'
>>
>>
>>
>> While I'm all for knowing how to measure one's effectiveness, I
>>fear that
>> such "metrics" will be nothing more than a rehash of Vietnam-era
>>body count
>> tallies as the "measure of success" in the 'war' to make juicy and
>> positive-sounding quotes for the current iteration of the Five
>>O'Clock
>> Follies.
>>
>> This, coupled with the continuing belief that a conventional
>>high- tech army
>> can defeat a low-tech insurgency (something that has not happened
>>in Western
>> history to my knowledge) only reinforces my sense that the USG is
>>not
>> learning from history but rather repeating it.
>>
>> The fact that a contractor is being asked to develop these
>>"metrics" speaks
>> volumes, IMHO. You'd think this would be something they'd have
>>come up with
>> BEFORE launching into the 'war' on terror, right?
>>
>> -rick
>>
>> <snip>
>>
>>
>>
>>
>>> The Contractor shall develop, in conjunction with the Joint
>>>Staff, OSD,
>>> Combatant and Unified Commands, Services and designated Agencies
>>> (stakeholders) a system of metrics to accurately assess US
>>>progress in the War
>>> on Terrorism, identify critical issues hindering progress and
>>> develop and
>>> track action plans to resolve the issues identified. In this
>>> effort, the
>>> contractor shall work as an independent contractor not subject
>>>to the
>>> supervision and control of the Government. All deliverables
>>>become the
>>> property of the US Government.
>>>
>>>
>>>
>>
>>
>> Source document:
>> http://blogs.washingtonpost.com/earlywarning/files/
>>WarOnTerrorismMetrics.doc
>>
>>
>>
>>
>>
>> -------------------------------------
>> You are subscribed as rca53(a)columbia.edu
>> To manage your subscription, go to
>> http://v2.listbox.com/member/?listname=ip
>>
>> Archives at: http://www.interesting-people.org/archives/
>>interesting-people/
>>
>>
>
>
>
>
>-------------------------------------
>You are subscribed as tien(a)well.sf.ca.us
>To manage your subscription, go to
> http://v2.listbox.com/member/?listname=ip
>
>Archives at: http://www.interesting-people.org/archives/interesting-
>people/
>
-------------------------------------
You are subscribed as eugen(a)leitl.org
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Begin forwarded message:
============================================================
EDRI-gram
biweekly newsletter about digital civil rights in Europe
Number 4.23, 6 December 2006
============================================================
Contents
============================================================
1. Google accused in Italy over shock video
2. EDPS warns against EU endangering data protection principles
3. French ISPs need to block websites
4. Hungary's President says no to the PNR agreement
5. Google has taken steps to settle the Belgium lawsuit
6. France - Using Social Security number to identify medical records
7. Article 29 Working Party expressed its opinion in the SWIFT case
8. Britain takes another step toward a new Bill of Rights
9. EU Commission wants to push fight against spam
10. France Parliament shifts to open source software
11. Campaign launched in UK to opt out of central medical database
12. Support EDRI-gram
13. Agenda
14. About
============================================================
1. Google accused in Italy over shock video
============================================================
A shock video published at the end of November on YouTube, the free
video hosting service now owned by Google, has triggered extensive reactions
in Italy. The video showed a group of four Italian teenagers attacking
a 17-year-old disabled boy in a classroom in Turin. The attackers had filmed
their own actions, and the recording was posted on YouTube.
Although Google deleted the video as soon as it was informed about
it, the Italian police have opened criminal proceedings against Google's
Italian subsidiary. The action included a police raid on the Milan offices
of Google.
Google Italy has confirmed that videos published by users go online
automatically and that there is no preventive editorial filter on its part.
It has also said that it deletes all videos that are contrary to
its policy or have illegal content, but that it relies mostly on its
community to flag illegal content. Google's spokeswoman Rachel
Whetstone said: "We've been helping Italian police with the investigation
and we're happy to cooperate."
However, the Milan prosecutors have started a criminal case against two
employees of Google Italy, considering them responsible for not
checking the content of the video before it went online. In this case
Google was treated as an Internet content provider and, according to
law 62/2001 and art. 57 of the Penal Code, the webmaster is also responsible
for third-party actions and also has a journalistic responsibility
to avoid "committing illegal acts".
It is interesting that the prosecutors did not consider Google a hosting
provider and did not apply the Italian law 39/2002 that implemented the
European Directive 2001/31/EC on electronic commerce. According to this law,
there is no general obligation of preventive surveillance for Internet
providers; they are to remove specific content or make it unavailable only
when an authority so decides.
EDRi-member ALCEI has pointed out that there are important issues to take
into consideration, such as "the responsibility of parents and educators,
the widespread deterioration of human and social values, the warping of
culture and behavior." At the same time it has highlighted that some
people are using this opportunity to control free speech:
"They are "blaming" the internet for this awful episode - while it is
obvious that the disgusting idea of placing a video online provided a tool
for finding and persecuting the perpetrators, who otherwise would have
probably remained unidentified and uncontrolled. Political spokesmen (of
different parties across the "partisan" spectrum) are demanding or
suggesting new laws and regulations, apparently including an obligation to
obtain "written approval" by parents for minors to use the internet, but
also to increase censorship, filtering and control by providers."
Italy's Minister of Education, Giuseppe Fioroni, considered the prosecutors
had correctly applied to the Internet the same legislation regulating
what can be published in newspapers or broadcast on television.
The outcome of the legal action against Google is not yet certain, but some
legal experts in Italy doubt its success. However, the main problem is
that it sets one more nasty precedent for Internet provider responsibility
for, and control over, user content. In one word - censorship.
The "Google case" in Italy: one more excuse for censorship and repression
(26.11.2006)
http://www.alcei.org/?p=25
Not only the Google case (In Italian only, 27.11.2006)
http://gandalf.it/nodi/censura.htm
Shock video against a disabled teen. A European directive could help Google
(In Italian only, 28.11.2006)
http://www.interlex.it/regole/abruzzo12.htm
Interlex no 353 The Internetfobia strikes again with absurd legislative
proposals (In Italian only, 28.11.2006)
http://www.interlex.it/numeri/061128.htm
(Thanks to EDRI-member ALCEI )
============================================================
2. EDPS warns against EU endangering data protection principles
============================================================
The European Data Protection Supervisor (EDPS), Peter Hustinx, has issued a
second opinion, following the one issued on 19 December 2005 on the Proposal
of the Commission for a Council Framework Decision on the protection of
personal data processed in the framework of police and judicial co-operation
in criminal matters.
The Commission proposal is presently under discussion within the Council of
Ministers and although Hustinx appreciates the attention given by the
Council to this proposal, he still voices concerns regarding the outcome of
the negotiations.
The text currently discussed has not included the amendments proposed by the
European Parliament in a legislative resolution issued on 27
September 2006 or the EDPS' opinions presented at the Conference of European
Data Protection Authorities. The amendments proposed had in view the
enhancement of the level of protection afforded by the Framework Decision.
In some cases, the provisions of the Commission proposal regarding the
protection of citizens' data are even eliminated or very weak. Mr. Hustinx
thinks there is a great risk that the level of data protection is even lower
than before and warns the officials that they are endangering the data
protection principles.
Under the circumstances in which the exchange of police and judicial
information among Member States becomes more and more significant, a strong
legal framework should be in place to protect people's fundamental rights,
considers the EDPS. Although he understands the necessity of adopting the
Framework Decision as soon as possible, he urges the members of the Council
to give some time to the negotiations so that they may allow sufficient
protection for the data.
"If they succeed in agreeing on a high level of protection for all data,
including 'purely' domestic processing, they will at the same time improve
trust between EU police and judicial authorities," said Mr. Hustinx,
referring to the Council members.
He also showed concern that the framework might allow processing of data
on religion, race or ethnic origin without sufficient protection and
also that there was not enough protection for the data obtained by
bodies that are not involved with law enforcement. In this respect, he gave
the example of the SWIFT case, where bank transaction details were
transferred to the US.
The EDPS proposed a certain consistency of the data protection rules that
should apply to all the data exchanged in the police and judicial systems
that should not be limited to cross-border exchanges between Member States.
One other concern expressed by Mr. Hustinx is related to the right of a
person to be informed of the activities related to his or her personal data.
"Some basic rights for data subjects, like the right to be informed, no
longer seem to be guaranteed," he stated, considering that making the right
to information dependent upon request was not acceptable.
The EDPS also believes that the Council should adopt a proposal on
processing specific data such as biometric data and DNA-profiles, whether
related to the principle of availability or not.
A cooperation agreement has been signed between the EDPS's office and the
European Ombudsman, P. Nikiforos Diamandouros, with the purpose of informing
each other about relevant complaints.
A joint statement from both offices said: "Because maladministration
includes failure by the EU institutions to comply with their data protection
obligations, it is important that we coordinate on cases where our
competences partly overlap".
Second opinion of the European Data Protection Supervisor on the Proposal
for a Council Framework Decision on the protection of personal data
processed in the framework of police and judicial co-operation in criminal
matters (29.11.2006)
http://www.edps.europa.eu/legislation/Opinions_A/06-11-29_2ndOpinion_third_…
llar_EN.pdf
Ombudsman and Data Protection Supervisor sign Memorandum of Understanding
(30.11.2006)
http://www.edps.eu.int/Press/EDPS-2006-12-EN_EO_EDPS_MoU.pdf
Data protections are being eroded, says European watchdog (30.11.2006)
http://www.out-law.com/page-7539
============================================================
3. French ISPs need to block websites
============================================================
The Appeal Court in Paris has decided that the French ISPs need to block
access to the AAARGH website, considered revisionist by the court. This
decision was made even though the judges admitted that the measures would be
imperfect and the site would still be accessible through other means as
well.
The action was started by a number of French anti-racist groups that
first asked three US-based hosting providers to shut down the website of
AAARGH. One of them refused to shut down the website, and therefore the
anti-racist NGOs continued their action in the French court.
The 2004 French law that implements the EU E-commerce Directive allows
plaintiffs, after all possible measures to convince the hosting company to
take down the illegal content have been exhausted, to have the ISPs
required to filter the illegal content.
A first decision was taken in June 2005, when a lower court admitted the
action against the 11 major French ISPs. In the appeal, the ISPs asked
that the site be included on the blacklists used for parental control and
pointed out that the measure might block other legal websites, since an
entire IP address is blocked, not just the URL of a website. They presented
arguments that filtering methods are also very costly and not efficient. The
ISPs also asked that the authors of the website be pursued directly.
The Appeal Court rejected the ISPs' appeal, considering that their arguments
had already been rejected in the parliamentary debates on this law. The
court also stated that the decision, even if imperfect, "has the merit of
reducing, as much as possible in the present technical situation, the access
of Internet users to an illegal site."
The imperfection of the ISPs' filtering solution is obvious in this case as
well. The AAARGH website can be accessed via any search engine. Also, even
before the legal procedures were over, the authors of the webpage changed
the hosting company and domain name, and they now freely explain to
users how they can use anonymising software to get to their website.
Decision Court of Appeal Paris - Tiscali, AFA, etc vs. UEJF, J'Accuse, SOS
Racisme, etc. (only in French, 24.11.2006)
http://www.juriscom.net/jpt/visu.php?ID=866
Case AAARGH: ISP Filtering obligation confirmed in appeal (only in French
24.11.2006)
http://www.zdnet.fr/actualites/internet/0,39020774,39365008,00.htm
Case AAARGH: Months of procedure for an inefficient filtering (only in French
27.11.2006)
http://www.zdnet.fr/actualites/internet/0,39020774,39365037,00.htm
============================================================
4. Hungary's President says no to the PNR agreement
============================================================
The Hungarian President Laszlo Solyom decided not to sign the national law
regarding the promulgation of the EU-US PNR (Passenger Name Records)
agreement and sent it back to the Parliament, considering that it can be
improved.
This is one of the few setbacks for the new EU-US PNR agreement concluded in
October 2006, even though there has been much criticism of the content of
the new agreement, which makes it possible for airlines to send US
authorities the personal data of passengers registered in the
booking system.
According to the Hungarian President "it is necessary that the Parliament
make possible the forwarding of data in the act on promulgation of the
international agreement only in case the person in question has explicitly
approved of it. The President's opinion is that a regulation of such content
would not be contradictory to the international agreement."
Therefore Mr. Solyom asked the Parliament to re-discuss the bill and to
complete it with a rule that requires the explicit approval of the
person in question before his data is forwarded abroad.
According to the presidential press release, Mr. Solyom has had
consultations with the data protection ombudsman and the general director of
Malev (Hungarian Airlines). Both of them considered that returning the
bill did not prevent the operation of overseas flights of the national air
company.
Adam Foldes, the Data Protection Program Director within the Hungarian
Civil Liberties Union, commented on the events:
"Even if the Hungarian law on promulgating the PNR agreement includes
provisions on asking for the passengers' consent for handling their
personal data, it won't be very useful. How can anybody regard the consent
as freely given when the passengers are not allowed to board or disembark
the airplane without providing them.
Although the President's veto is not futile: the current agreement shall
expire no later than 31 July 2007. His veto should be a benchmark for the
Hungarian Government in the renegotiations."
The Government might not push this issue too hard, since the U.S. President
promised last week that he will ask the Congress to waive the visa
obligations of the new EU member states. Dr. Kinga Göncz, the Minister of
Foreign Affairs, was asked by journalists if the President's action could
jeopardise Hungary's chances of obtaining visa-free status from the U.S.
The minister replied she hopes the problem will be solved soon as it might
cause problems in the long run.
Communique: Today Laszlo Solyom has returned to the Parliament the bill
about the promulgation of the agreement on registration of travellers' data
concluded between the European Union and the United States of America.
(29.11.2006)
http://www.keh.hu/keh_en/news/20061129communique.html
The Hungarian President of the Republic has vetoed the ratification of the
EU-US PNR Agreement (29.11.2006)
http://www.tasz.hu/index.php?op=contentlist2&catalog_id=3496
Draft of the Act on PNR Agreement (only in Hungarian, 10.2006)
http://www.parlament.hu/irom38/01097/01097.pdf
EDRI-gram: New EU-US interim deal on Passenger Name Record (11.10.2006)
http://www.edri.org/edrigram/number4.19/pnr
============================================================
5. Google has taken steps to settle the Belgium lawsuit
============================================================
Google has decided to settle with SOFAM and SCAM, two of the Belgian
newspaper groups that sued the company for using excerpts from their
articles in the Google News Belgium service.
SOFAM, a group representing the rights of photographers, and SCAM, a group
representing journalists, had joined Copiepresse, which had decided to take
legal action against Google in February, arguing that Google should have
signed agreements with the Belgian newspapers for using snippets of and
links to newspaper stories.
After the hearing in August 2006, a ruling obliged Google to remove the
links to the Belgian newspapers' sites from its Google News service,
threatening the company with a 1 million euro fine in case of
non-compliance.
On 24 November 2006, during the re-hearing requested by Google, the company
reached a settlement with SOFAM and SCAM. Jessica Powell, a spokeswoman for
Google, stated: "We reached an agreement with SOFAM and SCAM that will help
us make extensive use of their content," but did not give any details on the
agreement, nor did she say whether similar agreements would be signed with
other plaintiffs.
She also added: "Google respects copyright law, which we believe lies at
the heart of the creative process. As today's agreement demonstrates our
approach is to work in partnership with content creators and owners".
Although Google's lawyers argued that the company did not break any copyright
law, as it only showed a link, headlines and a few lines from the
articles, Copiepresse said Google affected the authors of the articles
because it gave away archived articles that authors sell.
A ruling on the hearing is expected in early January.
Google partially settles Belgian copyright case (27.11.2006)
http://www.out-law.com/default.aspx?page=7524
Google settles copyright dispute with 2 groups in Belgium (24.11.2006)
http://www.iht.com/articles/2006/11/24/business/google.php
EDRI-gram: Belgium says no to Google news (27.09.2006)
http://www.edri.org/edrigram/number4.18/google_be
============================================================
6. France - Using Social Security number to identify medical records
============================================================
A new amendment proposed by the French Minister of Health Xavier Betrand is
considering using the National Identification Record (NIR) as the identifier
of a patient in the health sector.
NIR is a unique number of every person in France, included in the
national registry of natural persons. Created from data on the civil
status of French nationals and residents, the NIR allows indirect
identification of a person. It is made of 15 figures, indicating
gender, birth year, month and place (municipality or 99 for foreign
countries), and registering number of birth in the municipality. The
NIR is used by the Social Security Service and by employers in the
management of social benefits
The Health Minister has suggested an amendment to the draft law on
financing the Social security discussed by the French Senate. The text wants
to make the NIR as the key to access the personal medical record.
The usage of NIR has been limited, along the time, by the French Data
protection authority (CNIL) . But now there are voices within the
institution that will accept such an extension, with just a couple of weeks
before its opinion on this subject will be taken.
However, civil right groups have promptly reacted by pointing out that such
usage could open a dangerous backdoor in the security of the medical files
and will allow the interconnection of the sensitive data.
A public appeal has been initiated and opened for signatures on 2 December
2006 by Human Rights League (LDH) and DELIS (Droits Et Libertes face a
l'Informatisation de la Societe). The appeal is highlighting the fact that
the NIR could be found in various files and this is just the final step
before the interconnection. The NIR could be used as a social security
number, but also to access the personal medical records and therefore the
privacy right could be easily breached.
The appeal wants to prove to CNIL that the French citizens, in order to keep
the citizens' freedom, do not want the extension of the NIR usage in the
personal medical records.
Appeal - My private life in the public eye, never ! Don't touch my social
security number (only in French, 2.12.2006)
http://www.pastouchenumerosecu.org/
Press Release of the LDH (Ligue des droits de l'homme) and DELIS (Droits Et
Libertes face a l'Informatisation de la Societe) (only in French, 1.12.2006)
http://www.pastouchenumerosecu.org/spip.php?article2
The social security number could become the access key to the medical file
(only in French, 14.11.2006)
http://www.lemonde.fr/web/article/0,1-0%402-3226,36-834271,0.html
============================================================
7. Article 29 Working Party expressed its opinion in the SWIFT case
============================================================
On 21-22 November 2006, an opinion was adopted by the Privacy Commissioners
represented by Article 29 Working Group ruling against the Society for
Worldwide Interbank Financial Telecommunication (SWIFT) for having
transferred transaction details to the US.
The Privacy Commissioners wanted to point out again that fighting terrorism
and crime should not lead to limiting citizens' fundamental rights and
strongly emphasized the need to observe data protection principles.
The Working Group decided that SWIFT, as a corporative company based in
Belgium, was subject to Belgian data protection law that implemented the
European Directive on data protection. It also decided that the financial
institutions in the EU using SWIFT were in their turn subject to the national
data protection laws implementing the EU directive as well.
The Commissioners considered that SWIFT was primarily responsible for the
processing and mirroring personal data while some responsibility for the
processing of their clients' data came to the financial institutions. They
also decided that SWIFT had to comply with the EU directive for data
protection and that the financial institutions using SWIFT's services had to
comply with the national laws on data protection.
Among the obligations, SWIFT must notify the processing and provide an
adequate level of protection for the data transferred. The financial
institutions have the obligation to verify that SWIFT complies with the law
and must have the necessary knowledge on the payment systems with their
characteristics and risks. The Working Party also thought that, for the
purpose of transparency, the financial institutions should advise their
clients in cases when the transfer of their data involved certain risks.
It was considered that SWIFT was also in breach of the EU Directive by
the lack of transparency and efficient control in the data transfer
operations and by not observing the proportionality and necessity principles
as well as the guarantees for the personal data transfer to a third country.
Regarding the transfer of data to the US Treasury, the Working Party
considered that ".. the hidden, systematic, massive and long-term transfer
of personal data by SWIFT to the UST in a confidential, non-transparent and
systematic manner for years without effective legal grounds and without the
possibility of independent control by public data protection supervisory
authorities constitutes a violation of the fundamental European principles
as regards data protection and is not in accordance with Belgian and
European law."
The Working Party Opinion asks for the immediate cessation of the
infringements by SWIFT and the financial institutions and the compliance
with the European and national laws on data protection.
It also urges the financial institutions to inform their clients on the way
their personal data are processed and to advise them about the fact that US
authorities might have access to these data.
The Commissioners wanted to emphasize again that the terrorism fighting
measures must not limit the fundamental rights of citizens considering that:
"A key element of the fight against terrorism involves ensuring the
preservation of the fundamental rights which are the basis of democratic
societies and the very values that those advocating the use of violence seek
to destroy."
Press Release on the SWIFT Case following the adoption of the Article 29
Working Party opinion on the processing of personal data by the Society for
Worldwide Interbank Financial Telecommunication (SWIFT) (23.11.2006)
http://ec.europa.eu/justice_home/fsj/privacy/news/docs/PR_Swift_Affair_23_1…
06_en.pdf
============================================================
8. Britain takes another step toward a new Bill of Rights
============================================================
The London School of Economics has commenced a project to help pave the way
for strengthened constitutional rights in Britain. The initiative is to be
conducted over the next two years by the School's newly formed Policy
Engagement Research Group that was founded earlier this year by Privacy
International's Simon Davies and Gus Hosein.
The issue of constitutional reform, particularly a Bill of Rights, is on
the agenda of the main political parties. This year, Opposition Leader
David Cameron has made a commitment to replace the Human Rights Act with a
Bill of Rights, while the Liberal Democrats are committed to a written
constitution. Currently Britain relies on the Human Rights Act as the basis
for protections contained in the European Convention on Human Rights. The UK
legal provisions are considered by many to be inadequate.
The LSE venture called "Future Britain" will undertake a substantial
research effort and a national consultation to foster the debate about how
Britain should choose and implement a new Bill of Rights. Its aim is to
discover how other nations have considered such questions and then, through
broad consultation and outreach, assess these options in the context of a
modern Britain to see which may be most appropriate and which are most
likely to succeed.
The project supporters say its most important contribution will be to
create a neutral space for engagement. Future Britain aims to be the vehicle
that engages and informs the UK on the issue of constitutional rights reform
and might well be viewed as the first structured phase in the long road to
entrenching rights in a written British constitution. It will be formally
launched in February 2007. In the meantime the LSE will consult with
constitutional experts and rights groups to arrive at the project terms of
reference.
The initiative has the support of both the Conservatives and the Liberal
Democrats and will work with a wide range of groups including Justice,
Charter 88 and the UCL Constitution Unit.
Further information can be obtained through Simon Davies at
s.g.davies(a)lse.ac.uk
Cameron proposes UK Bill of Rights (26.06.2006)
http://politics.guardian.co.uk/conservatives/story/0,,1805902,00.html
Attorney General considers written constitution (9.10.2006)
http://www.politics.co.uk/news/domestic-policy/constitution/monarchy/britain-should-seriously-consider-written-constitution-$454076.htm
Liberal Democrat commitment to Bill of Rights (01.2005)
http://www.libdems.org.uk/media/documents/policies/11CivilLiberties.pdf
============================================================
9. EU Commission wants to push fight against spam
============================================================
The European Commission has criticized the member countries, considering
that they should better implement the present legal framework and fight
against spam, but also take more seriously into consideration the spyware
and malicious software issues.
According to the recent figures made public by Sophos, approx. 32% of the
world's spam comes from European countries, with France, Spain, Poland and
Italy on the top. And this situation occurs when all the EU countries have
implemented the 2002 E-privacy Directive that has imposed the opt-in
principle on spam. Cooperation in effectively implementing the legal acts is
lacking in most of the European Countries.
The Commission presented two European best practices in the fight against
spam. The Netherlands has succeeded in cutting domestic spam by 85%
through prosecution by OPTA, which has 5 full-time employees for this topic
and 570 000 euros invested in equipment. In Finland proper filtering
measures have reduced spam from 80% to 30%. These measures together with
good online commercial practices in line with the data protection law are
among the measures envisaged by the Commission.
The Commission has also announced that it will reinforce the cooperation on
this topic with third countries, especially with the US and Asian countries.
Viviane Reding, Commissioner for Information Society and Media, added: "I will
revisit this issue again next year to see whether additional legislative
measures against spam are required."
In 2007 the Commission might make changes in the EU legislation in order to
increase the user privacy and security. The possible changes include the
obligation of the service providers to notify the security breaches and the
possibility for any person with a legitimate interest to take legal action
against spam.
Communication From the Commission on Fighting spam, spyware and malicious
software (15.11.2006)
http://europa.eu.int/information_society/policy/ecomm/doc/info_centre/commu…
c_reports/spam/com_2006_0688_f_en_acte.pdf
Fighting spam, spyware and malicious software: Member States should do
better, says Commission (27.11.2006)
http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/06/1629
Commission draws knives on spam (27.11.2006)
http://www.euractiv.com/en/infosociety/commission-draws-knives-spam/article…
60056
EU Commission urges states to do more against spam (27.11.2006)
http://today.reuters.com/news/articlenews.aspx?type=internetNews&storyID=20…
-11-27T174440Z_01_L27872269_RTRUKOC_0_US-EU-SPAM.xml
============================================================
10. France Parliament shifts to open source software
============================================================
Starting with July 2007, the computers used by the French deputies will be
equipped with the Linux operating system, Open Office software and Firefox
browser.
The project, initiated at the request of the General Assembly President, was
based on a study made by Atos Origin, a technology services company. The
study has shown that the open source software can be adapted to the needs of
the Members of the Parliament allowing for serious savings in spite of the
costs required by the change.
Benoit Sibaud, the president of APRIL (Association pour la Promotion et la
Recherche en Informatique Libre) which is supporting open source, stated
that switching to open source will give the French Parliament a better
control over its IT systems without being dependent on the software
supplier, at the same time giving the possibility to use the public
money for better purposes. Previous initiatives in this sense belong to the
French Ministry of Agriculture where open source software was chosen for
servers and to the French gendarmes who adopted Open Office and Firefox.
Open source software in the General Assembly (only in French - 22.11.2006)
http://www.assemblee-nationale.fr/presse/divisionpresse/m01.asp
Free Software for the deputies (only in French - 23.11.2006)
http://www.april.org/articles/communiques/20061122-assemblee-nationale.txt
French parliament dumping Windows for Linux (27.11.2006)
http://news.com.com/2100-7344_3-6138372.html
==================================================================
11. Campaign launched in UK to opt out of central medical database
==================================================================
A campaign has been launched in the UK to get people to opt out of a
government scheme to upload medical records from family doctors'
surgeries into a central health database. TheBigOptOut.org was
launched in London on 29 November 2006 with support from NGOs such as
Foundation for Information Policy Research (FIPR) and No2ID. An opinion poll
published at the meeting shows that 53% of UK citizens do not approve of a
central medical records database with no right to opt out; another poll the
previous week had shown that 51% of family doctors do not intend to upload
data without patient consent.
The campaign urges people in England to write to their doctors
forbidding the upload of their data. The UK government response has
included a letter from the Chief Medical Officer which orders doctors
to report dissenters to the government; this letter was condemned by
the British Medical Association as telling doctors to breach patient
confidentiality.
The Big Opt Out
http://www.thebigoptout.org
Media coverage of campaign launch (27.11.2006)
http://www.lightbluetouchpaper.org/2006/11/27/developments-on-health-privac…
Row between government and BMA, and latest news (1.12.2006)
http://www.lightbluetouchpaper.org/2006/12/01/health-privacy-breaking-news/
(Contribution by EDRI-member Foundation for Information Policy Research -
UK)
============================================================
12. Support EDRI-gram
============================================================
European Digital Rights needs your help in upholding digital rights
in the EU.
Thanks to your last year's donations EDRi has been able to issue 24 editions
of EDRi-gram in 2006. To continue with EDRi-gram in 2007 we again ask
for your support.
If you wish to help us promote digital rights, please consider making
a private donation, or interest your organisation in sponsorship. We
will gladly send you a confirmation for any amount above 250 euro.
KBC Bank Auderghem-Centre, Chaussee de Wavre 1662, 1160 Bruxelles,
Belgium
Name: European Digital Rights Asbl
Bank account nr.: 733-0215021-02
IBAN: BE32 7330 2150 2102
BIC: KREDBEBB
============================================================
13. Agenda
============================================================
11-12 December 2006, Paris, France
LeWeb3: Third Les Blogs Conference
http://www.leweb3.com/leweb3
14 December 2006, Madrid, Spain
Conference on the Admissibility of Electronic Evidence in Court in Europe.
The final event of the project Admissibility of the Electronic Evidence in
Court in Europe (A.E.E.C.) funded by the European Commission and led by the
Spanish company Cybex.
http://www.cybex.es/AGIS2005/
27-30 December 2006, Berlin, Germany
23rd Chaos Communication Congress: "Who can you trust?"
http://events.ccc.de/congress/2006/Home
17-19 January 2007, Geneva, Switzerland
Special Session of the Standing Committee on Copyright and Related Rights
(SCCR) : First Session
http://www.wipo.int/meetings/en/details.jsp?meeting_id=12043
20 January 2007, Paris, France
Big Brother Awards France
http://bigbrotherawards.eu.org/
28 January 2007, Europe-wide
Data Protection Day: An initiative of the Council of Europe with the
support of the European Commission
http://www.coe.int/t/e/legal_affairs/legal_co%2Doperation/data_protection/D…
ault%20DP%20Day%2016-10-2006.asp
19-23 February 2007, Geneva, Switzerland
Provisional Committee on Proposals Related to a WIPO Development Agenda :
Third Session
http://www.wipo.int/meetings/en/details.jsp?meeting_id=11926
============================================================
14. About
============================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 25 members from 16 European countries.
European Digital Rights takes an active interest in developments in the EU
accession countries and wants to share knowledge and awareness through the
EDRI-grams. All contributions, suggestions for content, corrections or
agenda-tips are most welcome. Errors are corrected as soon as possible and
visibly on the EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 2.0 License. See the full text at
http://creativecommons.org/licenses/by/2.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
06 Jul '18
http://www.wired.com/news/politics/0,1283,42735,00.html
When Reporting Becomes Testifying
by Farhad Manjoo
2:00 a.m. Mar. 30, 2001 PST
Declan McCullagh -- the Wired News reporter who on March 8 was
subpoenaed by the Justice Department to testify in the case against
cypherpunk Jim Bell -- filed a motion on Thursday with the U.S.
District Court to quash the subpoena, claiming it would violate the
First Amendment protections accorded to journalists.
Bell, who is famous for popularizing "Assassination Politics," a site
that incorporated digital cash and encryption in a scheme to
anonymously off political figures, has been charged with two counts of
violating federal stalking laws. The trial is set to begin on Tuesday
in Tacoma, Washington.
McCullagh has covered the Bell saga for Wired News, and the government
says it only needs him to verify the statements attributed to Bell in
two of McCullagh's stories, according to an e-mail sent to McCullagh
from Assistant U.S. Attorney Robb London.
But "that would leave a lot of leeway for the defense to ask me
questions -- and that's where it starts to get really messy really
quickly," McCullagh said on Thursday from his home in Washington, D.C.
[...]
-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
----- End forwarded message -----
============================================================
EDRI-gram
biweekly newsletter about digital civil rights in Europe
Number 4.7, 12 April 2006
============================================================
Contents
============================================================
1. Article 29 asks for safeguards on data retention
2. US wants access to retained traffic data
3. Free parental control software in France
4. Changes in the Slovenian Intelligence Agency Act
5. Lie detectors in Russian airports
6. UK teachers are spied in classrooms
7. Legal actions against file-sharers in Europe
8. Recommended reading
9. Agenda
10. About
============================================================
1. Article 29 asks for safeguards on data retention
============================================================
Article 29 Data Protection Working Party has adopted its opinion on the data
retention directive as adopted by the Council on 21 February 2006, pointing
out major criticism to the adoption and to the present text agreed by the
Parliament.
The Working Party recalls its previous concerns and reservations expressed
in its last Opinion 113 of 21 October 2005 on the then draft Directive. The
decision to retain communication data for the purpose of combating serious
crime was considered as an unprecedented one that may endanger the
fundamental values and freedoms of all European citizens.
The privacy experts consider of utmost importance that the Directive is
implemented and accompanied in each Member State by measures protecting
privacy. The Directive leaves room for interpretation and therefore adequate
and specific safeguards are necessary to protect the vital interests of the
individual, mainly the right to confidentiality when using publicly
available electronic communications services.
The Working Party also thinks the provisions of the Directive should be
interpreted and implemented in a harmonised way and proposes a uniform,
European-wide implementation of the Directive that would respect the highest
level possible of personal data protection. This should also be done in
order to reduce the considerable costs borne by the service providers when
complying with the Directive.
Article 29 is suggesting that the member states should implement adequate
safeguards at least on Purpose specification, Access limitation, Data
minimization, Data mining, Judicial/ independent scrutiny of authorized
access, Retention purposes of providers, System separation and Security
measures.
The data retention directive is heavily criticized also by other privacy
authorities. Peter Hustinx, the European data protection supervisor
considered the lawmakers had not protected the privacy of Europeans.
His opinion is that "The data retention directive - turned the rules
upside down. We were not very pleased with that - we still think there is
too little in terms of safeguards."
Hustinx also stated: "I believe that politicians, people - you, I, everyone
else - have to be aware of the real threats. At the same time, that is not
going to justify disproportionate solutions - it is going to hurt the
texture of trust and confidence... I think we have reached a point that more
and more people start wondering whether legislation is getting excessive and
that is a good thing. We have to build in safeguards and keep asking the
question of 'is this necessary?'"
Opinion 3/2006 on the Directive 2006/XX/EC on the retention of data
processed in connection with the provision of public electronic
communication services (25.03.2006)
http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2006/wp119_en.pdf
Tech must not invade privacy, says EU data protection head (7.04.2006)
http://www.silicon.com/0,39024729,39157943,00.htm
EDRI-gram : Opinion EU privacy authorities on data retention (17.11.2004)
http://www.edri.org/edrigram/number2.22/dataretention
EDRI-gram : Renewed rejection of data retention by European institutions
(5.10.2005)
http://www.edri.org/edrigram/number3.20/retention
============================================================
2. US wants access to retained traffic data
============================================================
The United States has indicated in a recent meeting with the EU Council that it
will be interested in accessing the traffic data collected by the European
countries in accordance with the recent Directive on Data Retention. Also the US
officials expressed concerns over the draft Framework Decision on Data
Protection.
During the EU-US informal High Level meeting on Freedom, Security and
Justice on 2-3 March 2006, in Vienna, the US officials mentioned in the
context of fighting terrorist use of Internet that they were "considering
approaching each Member State to ensure that the data collected on the basis
of the recently adopted Directive on data retention be accessible to them."
The Presidency and the Commission replied that these data were accessible
like any other data on the basis of the existing MLA agreements (bilateral
as well as EU/US agreement). The Commission would convene an expert meeting
on this subject.
During the same meeting the US officials lobbied against the provisions in
article 15 of the proposal for a framework decision on the protection of
personal data processed in the third pillar. "US side expressed serious
concerns about the negative impact that the draft Framework Decision on data
protection would have on its bilateral relations with Member States if it
was to be adopted in its present form (see in particular Article 15 of the
draft). The Presidency indicated that agreements already concluded would not
be affected by the new legislation. In addition, Member States were divided
on the need for such a provision." Article 15 refers to Transfer to
competent authorities in third countries or to international bodies.
The Proposal for a Council Framework Decision on the protection of personal
data processed in the framework of police and judicial co-operation in
criminal matters was initiated in October 2005 when a draft version was sent
to the Council. Opinions on the draft have been received from the European
Data Protection Supervisor, Conference of European Data Protection
Authorities and European member countries. A new version of the Decision,
still under discussion within the Multidisciplinary group on organised crime
(MDG) - Mixed Committee, was published by Statewatch at the end of March
2006.
The conclusions of the G6 of interior ministers of the EU call for a rapid
adoption of the framework decision on the sharing of information under the
availability principle in police and judicial cooperation in criminal
matters, i.e. without waiting for the third pillar data protection framework
decision. This would constitute a serious unbalance with regard to the
processing of personal information under the third pillar. Tony Bunyan,
Statewatch editor, commented: "in other words state agencies should be
allowed to exchange information and "intelligence" without any data
protection rights for the individual being in place."
EU Council: Report of the EU-US informal High Level meeting on
Freedom, Security and Justice on 2-3 March 2006 in Vienna (27.03.2006)
http://www.statewatch.org/news/2006/apr/eu-us-jha-7618-06.pdf
Data Protection, EU doc no 6450/1/06, REV 1 (23.03.2006)
http://www.statewatch.org/news/2006/mar/eu-dp-coun-draft-pos-6450-rev1-06.p…
EDRI-gram : Draft directive data protection in EU police co-operation
(21.09.2005)
http://www.edri.org/edrigram/number3.19/dataprotection
Conclusions of the Meeting of the Interior Ministers of France, Germany,
Italy, Poland, Spain and the United Kingdom, Heiligendamm (23.03.2006)
http://www.statewatch.org/news/2006/mar/06eu-interior-minister-conclusions.…
m
============================================================
3. Free parental control software in France
============================================================
As a result of the agreement signed between the French ISPs and the Ministry
of the Family on 16 November 2005, starting with 1 April 2006, most of the
ISPs started providing a free of charge parental control software to their
subscribers.
The agreement signed between ISPs and the French authorities has followed
strong protests relayed in the media, after EDRi-member IRIS unveiled in
September 2005 the intention of the government to impose by law "by default"
filtering by ISPs for the purpose of parental control. After this, the
intentions of the government have been downsized excluding "by default"
parental control installed by the ISP. The current agreement still raises
many concerns, especially since no real information is provided on the
software and its criteria.
Starting with 1 April 2006 new subscribers will have the software included
in the connection kit with a window opening automatically on the software.
Previous complaints addressed the lack of simple access to such kind of
software as well as to their insufficient efficiency.
For the old subscribers, the ISPs will develop an information campaign
through e-mails, newsletters and on their home pages and those interested
will be able to get the software from their access provider's site.
Several providers are already in the position to provide the software while
others are on the point of perfecting their parental control system.
Providers like AOL, already advanced in this direction, can ensure various
profiles according to the child's age, with semantic filtering, more efficient
than the URL filtering systems. Other providers like Wanadoo are clearly
asking any new subscriber, when installing the connection kit, whether the
filtering software should be installed or not.
As regards the software it seems that many ISPs are using the one
developed (and updated with lists) by a Spanish company, Optenet.
This company has signed a contract with the French Ministry of Education
last April.
Meryem Marzouki from EDRi-member IRIS notes that "very little information is
provided to the user about who chooses the predefined white and black lists,
according to which criteria etc. Also, no information is provided on the
"plain language" analysis of websites, which are neither on white lists nor
on black lists."
The ISPs filter more the Internet (in French only, 4.04.2006)
http://www.01net.com/editorial/311150/securite/les-fai-filtrent-plus-net/
Mandatory and free of charge parental control on the Internet (in French
only, 16.11.2005)
http://www.01net.com/article/295101.html
Automatic filtering of contents : the moral order toughens (in French only,
16.09.2005)
http://www.iris.sgdg.org/info-debat/comm-filtrage0905.html
============================================================
4. Changes in the Slovenian Intelligence Agency Act
============================================================
The proposed changes of Slovenian Intelligence Agency Act (ZSOVA) raised
questions about its unconstitutionality. The government would like to
exclude the current 6-month limitation for use of special operative methods,
e.g. mail monitoring, recording of telephone conversations etc. The
Government invoked cooperation with EU and NATO in the fight against
terrorism as the reason for the proposed changes.
There are two main changes being proposed. According to the first one, the
competence to ordain measures that invade an individual's information privacy
would be transferred from the president of Ljubljana Circuit Court to the
president of the Slovenian Supreme Court. Legal experts find this solution
better, but still not optimal, as the decision-making is still in the hands
of one single person. A panel of 3 Supreme Court judges would be a better
option.
The second and most important change is the exclusion of the current 6-month
limitation for the concentrated and continuous monitoring of
telecommunications. If the proposed changes pass through the Parliament, the
Slovenian Intelligence agency (SOVA) will theoretically be able to perform
surveillance over an individual's communications for months, years or even
decades.
Under the current legislation, SOVA may monitor written correspondence and
record telephone conversations (of individuals that may pose a threat for
national security) for the maximum period of 3 months. Exceptionally, the
duration of surveillance may be extended for a month each time, but the
total duration must not exceed 6 months. According to the proposed changes
to the Slovenian Intelligence Agency Act, the President of Slovenian Supreme
Court would be authorised to extend the duration of measures for another 3
months each time, without any limitation of total duration.
According to Goran Klemencic from the Faculty of Criminal Justice and
Security, the proposed change violates article 37 of the Slovenian
Constitution, which says that encroachment upon individual's right to
privacy of correspondence and other means of communication may "be suspended
for a period of time where it is so necessary for criminal proceedings or
national security." Besides, Klemencic says that such a solution would also
be disproportionate (regardless of court warrant), as "it cannot be
admissible that law enables unlimited concentrated surveillance of an
individual".
This act broadens the power of the Slovenian Military Intelligence Agency,
as well.
The government wants the Parliament to discuss and pass the proposed changes
using the quick procedure option, where the possibilities for extending
discussions and filing amendments are vastly reduced.
Longer time of secret surveillance? (only in Slovenian, 14.03.2006)
http://www.privacyblog.net/index.php?p=151
Changes to Slovenian Intelligence Agency Act - Will SOVA be able to perform
continuous eavesdropping (only in Slovenian, 16.03.2006)
http://www.slo-tech.com/script/forum/izpisitemo.php?threadID=211601#neprebr…
o
Contestable Slovenian Intelligence Agency Act (only in Slovenian,
14.03.2006)
http://24ur.com/bin/article.php?article_id=3070870
(Contribution by Aljaz Marn, EDRI observer, privacyblog.net, Slovenia)
============================================================
5. Lie detectors in Russian airports
============================================================
Lie detectors will be used in Russian airports as part of the security
measures starting with July 2006.
Meant to identify terrorists or other types of criminals, a lie-detecting
device developed in Israel, known as "truth verifier," will be first
introduced in Moscow's Domodedovo airport as early as July. The technology,
already used by UK insurance companies, is said to be able to detect answers
coming from imagination or memory.
The passengers will use a handset to answer four questions right after the
X-ray check of luggage and shoes and in the beginning, only the suspicious
passengers will take the test. Those failing the test will be further on
interrogated in a separate cubicle as Vladimir Kornilov, the IT director for
East Line, said.
Eventually the procedure will be used for all passengers. Officials state
that the process should not exceed a minute per passenger.
Airline passengers face lie detector tests (6.04.2006)
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2006/04/06/wlie06.xml
============================================================
6. UK teachers are spied in classrooms
============================================================
Teachers protest against the installation of 50 CCTV systems with
microphones in UK schools, used as surveillance measures by the school
management.
While observation in class was supposed to help teachers in improving their
performances, the headmasters, who have also used two-way mirrors to survey
the teachers, grade them according to the way they perform in class under
observation.
TES (The Times Educational Supplement) reported on 7 April that teachers
were being "observed to death" and that surveillance was being used more
like a punishment. Observed lessons are often graded on a scale of
outstanding to poor.
The National Association of Schoolmasters Union of Women Teachers (NASUWT),
the largest teachers' union in UK, has proposed a conference motion to use
"all means necessary" to stop the "yet another example of management
bullying". NASUWT survey has found out that one in five teachers was
observed more than six times last year. The union also expressed
disagreement on the short notice given to some teachers on the installation
of surveillance devices.
Mary Bousted, general secretary of the Association of Teachers and Lecturers
(ATL), said she had met an Oxford graduate having quitted teaching after
only a year for having been officially observed at least once every
three weeks.
Heads spy on teachers (10.04.2006)
http://www.theregister.co.uk/2006/04/10/cctv_teachers/
Teachers revolt against spy in the classroom (7.04.2006)
http://www.tes.co.uk/2216214
============================================================
7. Legal actions against file-sharers in Europe
============================================================
About 2000 new legal actions are taken in 10 countries by the International
Federation of Phonographic Industry (IFPI) against file-sharers amounting
now to a total number of 5500 cases outside US.
IFPI persists in its actions against uploaders, stating it targets
persistent file-sharers, who typically upload thousands of music files.
"The campaign started in major music markets where sales were falling
sharply; now these legal actions have spread to smaller markets." said John
Kennedy, the chairman and chief executive of IFPI.
In UK only, where the music industry states a loss of over £1.1bn over the
last three years, there are 153 ongoing cases. The first cases have occurred
in Portugal as well where the IFPI states sales of traditional music
formats have fallen by 40% in the last four years.
Geoff Taylor, IFPI general counsel and executive vice president said the
action was aimed at uploaders, but downloaders had to be reminded that their
actions were also illegal and also predicted that the copyright owners would
go after ISPs as well as users.
The IFPI is also keen in warning parents that they are responsible for their
children's online activities. As an example, last year Sylvia Price was
fined £2,500 after her 14-year-old daughter was accused of sharing music on
the internet.
If the IFPI wins the cases, the defendants could end up paying several
thousand euros. On average, those settling with the IFPI pay around
2,633 euros. Although the industry says that these cases are helping to win
the war on illegal file-sharers and are encouraging people to use legal
services, a report suggests that illegal downloads keep growing in spite of
the legal risks.
IFPI bases its actions on a report made by Jupiter Research stating 35%
illegal file-sharers have reduced and even stopped while only 14% of them
increased their activity and the legal actions were the main reasons for
those who stopped their illegal music consumption.
However, XTN data, a research firm, suggested in its report that fear of
legal action was the least effective in encouraging people to use commercial
services and that more efficient measures would be cheaper prices, the
removal of digital rights management (DRM), and more user-friendly services.
"Clunky software, difficulty in finding tracks and over zealous protection
limiting where customers can play music they've bought are continuing to
fuel file-sharing," said Greig Harper, founder of XTN Data.
He also said: "We're the only big, anonymous UK survey - I'd be surprised if
people were so honest to an organisation interested in suing them. There are
probably seven million people in the UK file sharing to some extent, even if
it's just picking up a track once a month, so legal action against so many
people isn't really a realistic option."
File-sharers face legal onslaught (4.04.2006)
http://news.bbc.co.uk/2/hi/technology/4875142.stm
2000 cases against the P2P-ers (in French only, 5.04.2006)
http://www.ratiatum.com/news3002_2000_plaintes_contre_des_P2Pistes.html
U.K. music biz vexed by file sharing (4.04.2006)
http://news.com.com/2100-1025_3-6057571.html
Thousands more file sharers sued (4.04.2006)
http://www.theregister.co.uk/2006/04/04/ifpi_sues_more_people/
============================================================
8. Recommended reading
============================================================
Racism, Racial Discrimination, Xenophobia and all forms of Discrimination:
Comprehensive Implementation of and follow-up to the Durban Declaration and
Programme of Action - Report of the Intergovernmental Working Group on the
effective implementation of the Durban Declaration and Programme of Action
on its fourth session.
The report contains all the presentations, discussions, conclusions from the
Chair and final recommendations from the High Level Seminar on Racism and
the Internet that took place during 16-17 January 2006.
Full report (20.03.2006)
http://www.ohchr.org/english/bodies/chr/docs/62chr/E.CN.4.2006.18.pdf
EDRI-gram : Combating Racism on Internet
http://www.edri.org/edrigram/number4.2/internetracism
============================================================
9. Agenda
============================================================
12 April 2006, Dublin, Ireland
Royal Irish Academy
"Enabling Open Access to Scientific Data and Information within the Modern
Knowledge Economy; the Case for a Scientific Commons"
http://www.codataweb.org/codata-ria/
15 April 2006,
Deadline funding applications Civil rights organisations and
initiatives are invited to send funding applications to the German
foundation 'Bridge - Bürgerrechte in der digitalen Gesellschaft'. A total of
15 000 euro is available for applications that promote civil rights in the
digitised society.
http://www.stiftung-bridge.de
21-23 April 2006, Yale Law School, USA
Access to Knowledge Conference
Yale Information Society Project
http://islandia.law.yale.edu/isp/a2kconfmain.html
27-28 April 2006, Washington, USA
IP Disputes of the Future - TACD
This conference will ask what will be the IP disputes in new fields of
technology, and how advances in biotechnology and information technologies
will change the nature of IP disputes.
http://www.tacd.org/docs/?id=287
30 April - 2 May 2006, Hamburg, Germany
LSPI Conference 2006 The First International Conference on Legal, Security
and Privacy Issues in IT
http://www.kierkegaard.co.uk/
2-5 May 2006, Washington, USA
CFP2006
The Sixteenth Conference on Computers, Freedom & Privacy
http://www.cfp2006.org
3-6 May 2006, Wiesbaden, Germany
LinuxTag - Europe's biggest fair and congress around free software
http://www.linuxtag.org
10 May - 23 July 2006, Austria
Annual decentralized community event around free software lectures, panel
discussions, workshops, fairs and socialising
http://www.linuxwochen.at
19 - 23 May 2006, Geneva, Switzerland
A new round of consultations on the convening of the Internet Governance
Forum will be held at the United Nations in Geneva on 19 May. The
consultations will be followed by a meeting of the IGF Advisory Group on
22 - 23 May 2006.
http://www.intgovforum.org
19-20 May 2006, Florence, Italy
E-privacy 2006
Trusted Computing, Data retention: privacy between new technologies and new
laws.
The central theme of this year's edition is data retention, but several
interventions on other relevant aspects of privacy protection are planned,
including Trusted Computing and the new issues raised by the draft reform of
Italian Criminal Law, with specific reference to Cybercrime.
http://e-privacy.firenze.linux.it
20 May 2006, Florence, Italy
Big Brother Award Italia 2006
Nominations accepted until 21 April 2006
http://bba.winstonsmith.info
21 June 2006, Luxembourg
Safer Internet Forum 2006 Focus on two topics: "Children's use of new media"
and "Blocking access to illegal content: child sexual abuse images"
http://europa.eu.int/information_society/activities/sip/si_forum/forum...
26-27 June 2006, Berlin, Germany
The Rising Power of Search-Engines on the Internet: Impacts on Users, Media
Policy, and Media Business
http://www.uni-leipzig.de/journalistik/suma/home_e.html
16 - 28 July 2006, Oxford, UK
Annenberg/Oxford Summer Institute: Global Media Policy: Technology and New
Themes in Media Regulation Application
deadline 1 May 2006.
http://www.pgcs.asc.upenn.edu/events/ox06/index.php
2-4 August 2006, Bregenz, Austria
2nd International Workshop on Electronic Voting 2006 Students may apply for
funds to attend the workshop until 30 June 2006.
http://www.e-voting.cc/stories/1246056/
===========================================================
10. About
===========================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 21 members from 14 European countries and 5 observers
from 5 more countries (Italy, Ireland, Poland, Portugal and Slovenia).
European Digital Rights takes an active interest in developments in the EU
accession countries and wants to share knowledge and awareness through the
EDRI-grams. All contributions, suggestions for content, corrections or
agenda-tips are most welcome. Errors are corrected as soon as possible and
visibly on the EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 2.0 License. See the full text at
http://creativecommons.org/licenses/by/2.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/index.php?option=com_content&task=view&id=6…
&Itemid=4&lang=mk
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Dear Michael Militzer:
Thanks for your ideas about secure P2P storage, and thanks for your
interest in Tahoe-LAFS in particular.
Here are a couple of quick responses. I'm an architect and developer
of Tahoe-LAFS.
On Sun, Feb 20, 2011 at 7:45 AM, Michael Militzer <michael(a)xvid.org> wrote:
>
> While I don't agree that we should really drop erasure
> coding, I however like your approach to keep things simple.
I also like that about Octavia. I'd like to see Octavia developed and
used more so I can learn more about the consequences of its
trade-offs.
Since it is so simple it should be relatively easy for a volunteer to
implement it or to contribute part of an implementation of it.
Somebody out there do that! :-)
> Also today
> indeed bandwidth should be the more precious resource in a P2P system
> compared to storage, which is available in abundance to the home user.
> So a simple replication strategy might not be so bad after all...
Replication costs more bandwidth on upload than erasure coding does
(for a similar degree of fault-tolerance) as well as costing more
storage.
> If I understood it right, Tahoe clients simply keep a connection with each
> storage node in a storage cluster.
That's right. We have kicked around some ideas about how to do a more
scalable-DHT-like routing instead of keeping a connection open from
each client to each server, but even if we had such a thing Tahoe-LAFS
grids would still be comprised exclusively of servers whose owners
gave you some reason to believe that they were reliable. Scalable
routing a la DHT wouldn't be sufficient to allow you to safely rely on
strangers for storage, for various reasons that you touched on next:
> So if the DHT is deployed on untrusted nodes we need to care about things
> like admission control, sybil attack, routing and index poisoning, eclipse
> attack and so on.
Hm, but then you say something that I don't quite follow:
> - It may need further modification to be safely usable in a network
> comprised of untrusted nodes (sybils, DHT robustness against denial of
> service attacks, ...)
I think the word "trust" often causes confusion, because it bundles
together a lot of concepts into one word. I find that rephrasing
things in terms of "reliance" often makes things clearer.
So: Tahoe-LAFS users absolutely do *not* rely on the storage servers
for confidentiality and integrity. Confidentiality and integrity are
guaranteed by the user's client software, using math (cryptography).
Even if *all* of the storage servers that you are using turn out to be
controlled by a single malicious entity who will stop at nothing to
harm you, this doesn't threaten the confidentiality of the data in
your files nor its integrity.
But, Tahoe-LAFS users *do* rely on the storage servers for the
longevity and availability of their data. If the malicious entity that
controls all the servers decides to delete all of the ciphertext that
they are holding for you, then no mathematical magic will help you get
the data back. :-)
That is why Tahoe-LAFS users typically limit the set of storage
servers to which they will entrust their ciphertext. They choose only
servers which are operated by friends of theirs, or by a company that
they pay for service, or servers operated by members of a group that
has collectively agreed to trade storage for storage with each other.
I wrote more on this topic in a letter to the tahoe-dev mailing list last night:
"BitTorrent for storage" is a bad idea
http://tahoe-lafs.org/pipermail/tahoe-dev/2011-February/006150.html
> - To guarantee persistence in a P2P network of untrusted and unreliable
> nodes Tahoe's information dispersal strategy needs be adapted. The degree
> of redundancy must be increased (n/k) but just as well the number of
> erasure coded fragments (k) too for storage efficiency.
Why do you think these parameters would need to be changed?
> I don't know if
> this is practically doable within Tahoe's current structure (galois-field
> based Reed-Solomon coding is slow with large k and n) or what other side
> effects this may have (size of the Merkle trees?).
It is plenty efficient for k and n up to about 256. It is also
probably efficient enough for k and n up to about 2^16, although I'm
skeptical that anyone actually needs k and n that size.
There is a Merkle Tree in Tahoe-LAFS which is computed over the
identifiers of the n shares, so that Merkle Tree would grow in size as
n grew. However that is a small cost that probably wouldn't need much
if any optimization.
> - Censorship-resistance obviously also depends on availability and data
> persistence guarantees. If directed (or undirected) denial of service
> attacks are possible on the DHT, the system cannot be said to be censorship-
> resistant.
Hm, so if I understand correctly, Tahoe-LAFS currently doesn't have
*scalability* in terms of the number of servers, but it does have
nearly optimal *censorship resistance* at a given scale. For example,
suppose there are 200 servers which are all joined in the conspiracy
to host a repository of Free and Open Source Software, and some evil
attacker is expending resources attempting to disrupt that hosting or
deny users access to it. If those 200 servers are organized into a
traditional scalable DHT like Chord, then a client would have
approximately a logarithmic number of connections to servers, say to
perhaps eight of them. An attacker who wants to deny that client
access to the Free and Open Source software repository would have to
take down only eight servers or prevent the client from establishing
working connections to them, right? Whereas with a full bipartite
graph topology like Tahoe-LAFS the attacker would have to take down or
deny access to a substantial constant fraction of all 200 of them
(depending on the ratio of k to n).
(Note: this is assuming that the erasure coding parameter n is turned up to
200, which is already supported in Tahoe-LAFS -- you can configure it
in the tahoe.cfg configuration file.)
(Note: this is about attacking the storage layer, not the introduction
layer. Those are separate in Tahoe-LAFS and while the latter does need
some work, it is probably easier to defend the introduction layer than
the storage layer since introducers are stateless and have minimal
ability to do damage if they act maliciously. Multiple redundant
introducers were implemented by MO Faruque Sarker as part of the
Google Summer of Code 2010 but it hasn't been merged into trunk yet.
You can help! We need code-review, testing, documentation, etc.
http://tahoe-lafs.org/trac/tahoe-lafs/ticket/68 :-) )
> And there are other, less-obvious censorship risks too: If a third-party
> can force specific node owners (e.g. by court order) to shut down their
> storage nodes then certain data can become unavailable in the system.
You may be interested in Tahoe-LAFS-over-Tor and Tahoe-LAFS-over-i2p.
:-) I'm sure both of those projects would be grateful for bug reports,
patches, etc.
Regards,
Zooko
_______________________________________________
p2p-hackers mailing list
p2p-hackers(a)lists.zooko.com
http://lists.zooko.com/mailman/listinfo/p2p-hackers
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
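The two quantitative points in the message above (replication costs more upload bandwidth than erasure coding for similar fault tolerance, and a client connected to every share holder forces an attacker to remove far more servers than a client with about log2(N) DHT neighbours) can be checked numerically. This is an added example, not part of the original message and not Tahoe-LAFS code; the independent-failure model, the 0.9 per-server availability and the k/n values are assumed sample parameters.

```python
"""Replication vs. k-of-n erasure coding: upload cost and resilience.

Added illustration. Assumptions (not from the original message):
  * each server stays reachable independently with probability p
  * sample parameters k=3, n=10 and k=60, n=200
"""
from math import ceil, comb, log2


def availability(k: int, n: int, p: float) -> float:
    """Probability that at least k of the n shares are still reachable."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def expansion(k: int, n: int) -> float:
    """Bytes uploaded (and stored) per byte of file data for k-of-n coding."""
    return n / k


def replicas_needed(p: float, target: float) -> int:
    """Smallest number of full copies (1-of-r) that reaches the target."""
    r = 1
    while availability(1, r, p) < target:
        r += 1
    return r


def servers_to_deny(k: int, n: int) -> int:
    """Servers that must become unreachable before fewer than k shares
    remain, when the client talks to all n share holders directly."""
    return n - k + 1


def dht_neighbours(servers: int) -> int:
    """Rough Chord-style routing table size: about log2(server count)."""
    return ceil(log2(servers))


def compare(k: int, n: int, p: float) -> dict:
    """Cost of k-of-n coding next to replication with equal availability."""
    target = availability(k, n, p)
    r = replicas_needed(p, target)
    return {
        "availability": target,
        "erasure_expansion": expansion(k, n),
        "replication_expansion": float(r),  # r full copies = r x upload
        "erasure_loss_tolerated": n - k,
        "replication_loss_tolerated": r - 1,
    }


if __name__ == "__main__":
    result = compare(k=3, n=10, p=0.9)
    for name, value in result.items():
        print(f"{name:28s} {value}")

    # The 200-server scenario from the message, with an assumed k of 60.
    print("full bipartite, servers to deny:", servers_to_deny(60, 200))
    print("DHT neighbours for 200 servers: ", dht_neighbours(200))
```

With these sample values, 3-of-10 coding uploads about 3.3 bytes per byte of data, while replication needs 7 full copies to match its availability.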
06 Jul '18
http://www.wired.com/news/politics/0,1283,42735,00.html
When Reporting Becomes Testifying
by Farhad Manjoo
2:00 a.m. Mar. 30, 2001 PST
Declan McCullagh -- the Wired News reporter who on March 8 was
subpoenaed by the Justice Department to testify in the case against
cypherpunk Jim Bell -- filed a motion on Thursday with the U.S.
District Court to quash the subpoena, claiming it would violate the
First Amendment protections accorded to journalists.
Bell, who is famous for popularizing "Assassination Politics," a site
that incorporated digital cash and encryption in a scheme to
anonymously off political figures, has been charged with two counts of
violating federal stalking laws. The trial is set to begin on Tuesday
in Tacoma, Washington.
McCullagh has covered the Bell saga for Wired News, and the government
says it only needs him to verify the statements attributed to Bell in
two of McCullagh's stories, according to an e-mail sent to McCullagh
from Assistant U.S. Attorney Robb London.
But "that would leave a lot of leeway for the defense to ask me
questions -- and that's where it starts to get really messy really
quickly," McCullagh said on Thursday from his home in Washington, D.C.
[...]
-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
----- End forwarded message -----