cypherpunks-legacy
July 2018
- 1371 participants
- 9656 discussions
On Sun, 2 Oct 2005, cyphrpunk wrote:
>1. Limiting token requests by IP doesn't work in today's internet. Most
Hopeless negativism. I limit by IP because that's what Wikipedia is already
doing. Sure, hashcash would be easy to add, and I looked into it just last
night. Of course, as several have observed, hashcash also leads to
whack-a-mole problems, and the abuser doesn't even have to be savvy enough
to change IPs.
Why aren't digital credential systems more widespread? As has been suggested
here and elsewhere at great length, it takes too much infrastructure. It's
too easy when writing a security paper to call swaths of CAs into existence
with the stroke of the pen. To assume that any moment now, people will
start carrying around digital driver's licenses and social security cards
(issued in the researcher's pet format), which they'll be happy to show the
local library in exchange for a digital library card.
That's why I'm so optimistic about nym. A reasonable number of Tor users, a
technically inclined group of people on average, want to access a single
major site. That site isn't selling ICBMs; they mostly want people to have
access anyway. They have an imperfect rationing system based on IPs. The
resource is cheap, the policy is simple, and the user needs to conceal a
single attribute about herself. There's a simple mathematical solution that
yields certificates which are already supported by existing software. That,
my friend, is a problem we can solve.
>I suggest a proof of work system a la hashcash. You don't have to use
>that directly, just require the token request to be accompanied by a
>value whose sha1 hash starts with say 32 bits of zeros (and record
>those to avoid reuse).
I like the idea of requiring combinations of scarce resources. It's
definitely on the wishlist for future releases. Captchas could be
integrated as well.
>2. The token reuse detection in signcert.cgi is flawed. Leading zeros
>can be added to r which will cause it to miss the saved value in the
>database, while still producing the same rbinary value and so allowing
>a token to be reused arbitrarily many times.
Thanks for pointing that out! Shouldn't be hard to fix.
>3. signer.cgi attempts to test that the value being signed is > 2^512.
>This test is ineffective because the client is blinding his values. He
>can get a signature on, say, the value 2, and you can't stop him.
>
>4. Your token construction, sign(sha1(r)), is weak. sha1(r) is only
>160 bits which could allow a smooth-value attack. This involves
>getting signatures on all the small primes up to some limit k, then
>looking for an r such that sha1(r) factors over those small primes
>(i.e. is k-smooth). For k = 2^14 this requires getting less than 2000
>signatures on small primes, and then approximately one in 2^40 160-bit
>values will be smooth. With a few thousand more signatures the work
>value drops even lower.
Oh, I think I see. The k-smooth sha1(r) values then become "bonus" tokens,
so we use a large enough h() that the result is too hard to factor (or, I
suppose we could make the client present properly PKCS padded preimages).
I'll do some more reading, but I think that makes sense. Thanks!
-J
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
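The reuse-detection flaw from point 2 of the message above, as an added example (not part of the original message and not nym's signcert.cgi code): a spent-token store keyed on the submitted text beside one keyed on the decoded value. It assumes r is submitted as hexadecimal text; all class and function names are hypothetical, and it goes slightly beyond the post by also covering other equivalent spellings that a lenient integer parser accepts.

```python
import hashlib
import re

# Assumption: r arrives as hexadecimal text and is decoded to bytes
# ("rbinary" in the post) before being hashed and checked against the
# signature. Names below are hypothetical, not taken from signcert.cgi.


def decode_r(r_text: str) -> bytes:
    """Decode the submitted r the lenient way a typical numeric parser does."""
    value = int(r_text, 16)  # accepts leading zeros, "0x", upper case, spaces
    if value < 0:
        raise ValueError("r must be non-negative")
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")


class TextKeyedStore:
    """Flawed: remembers the submitted text, not the value that was decoded."""

    def __init__(self):
        self.spent = set()

    def redeem(self, r_text: str) -> bool:
        decode_r(r_text)  # the token would be verified against these bytes
        if r_text in self.spent:
            return False
        self.spent.add(r_text)
        return True


class ValueKeyedStore:
    """Fixed: remembers a digest of the decoded bytes, so every spelling of
    the same r maps to one database key."""

    def __init__(self):
        self.spent = set()

    def redeem(self, r_text: str) -> bool:
        key = hashlib.sha256(decode_r(r_text)).digest()
        if key in self.spent:
            return False
        self.spent.add(key)
        return True


# Stricter option: refuse anything but minimal lowercase hex at the door.
CANONICAL_R = re.compile(r"[1-9a-f][0-9a-f]*|0")


def is_canonical(r_text: str) -> bool:
    """True only for the single canonical spelling of a value."""
    return CANONICAL_R.fullmatch(r_text) is not None


def accepted(store, submissions):
    """Return how many of the submissions the store lets through."""
    return sum(1 for s in submissions if store.redeem(s))


# Constructed sample: one token value written six different ways.
SAMPLE_R = "3fa9c2d17b"
SPELLINGS = [
    SAMPLE_R,
    "0" + SAMPLE_R,
    "000" + SAMPLE_R,
    SAMPLE_R.upper(),
    "0x" + SAMPLE_R,
    " " + SAMPLE_R,
]

if __name__ == "__main__":
    print("text-keyed store accepted: ", accepted(TextKeyedStore(), SPELLINGS))
    print("value-keyed store accepted:", accepted(ValueKeyedStore(), SPELLINGS))
    print("canonical spellings:", [s for s in SPELLINGS if is_canonical(s)])
```

Keying on the decoded value and rejecting non-canonical encodings are complementary: the first closes the reuse hole, the second keeps ambiguous inputs out of logs and downstream code.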
On 09/08/2011 05:23 PM, Matthew wrote:
>
> http://www.guardian.co.uk/world/2011/aug/30/pakistan-bans-encryption-softwa…
>
>
Very disturbing. I wonder if it's possible to hide encrypted traffic as
seemingly unencrypted http traffic in much the same way as a gpg key is
rendered as ascii armored, or stenographically inside images. Although
such methods may be inefficient, they may be good enough for some purposes.
It would be good to know what technologies these ISPs will implement to
do the packet inspection for encrypted tunnels. Half the problem is you
don't really know what they'll be looking for and so you don't know how
to circumvent.
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
_______________________________________________
tor-talk mailing list
tor-talk(a)lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
On 7/3/12 3:51 AM, darrob wrote:
> We've been using the multi-introducer patch on I2P since Tahoe-LAFS
> 1.8.3 and it has indeed proven to be more robust. The
> single-introducer grid we started out with simply fell apart when the
> introducer disappeared. It then took a long time before everybody
> learned the new introducer's address and adjusted their
> configurations. Time and files were lost. This hasn't happened again
> since we've started using the patched version.
>
> The administrative burden is definitely there. However, I'd argue
> against it being worse. At least nodes that only know about a subset
> of introducers (e.g. only I2 in your example below) are in no rush of
> adding the rest (I3) because the grid is still functional.
Ah, that's an excellent data point. Thanks! Yeah, multi-introducers are
a bit like RAID: you have more time to respond to a failure before the
whole system starts having problems.
>> If you generalize this, then all nodes can function as introducers,
>> and there's no need for dedicated Introducer nodes. As long as at
>> least one node with a public IP is up at any given time, everybody
>> else can learn the current state of the world.
>
> This sounds perfect. I wonder if this system is susceptible to
> introducer spam attacks of some sort, though. I imagine those would be
> an annoyance at best.
Yeah, I think the worst-case attack is a DoS, where somebody floods
useless information into the system. The key is the signed
announcements: you may hear about all sorts of garbage, but you'll only
pay attention to announcements that are signed by someone you've
Invited, or who Invited you, or to whom you're transitively connected by
Invitations.
Ideally we can use that same criteria to limit how Announcements are
flooded, so unrecognized garbage (i.e. "a stranger") doesn't travel
further than a single node.
cheers,
-Brian
_______________________________________________
tahoe-dev mailing list
tahoe-dev(a)tahoe-lafs.org
https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
On 20/07/11 9:08 PM, Eugen Leitl wrote:
> On Wed, Jul 20, 2011 at 11:56:06AM +0200, Alfonso De Gregorio wrote:
>
>> I'd better rephrase it in: expectation to have "money backed by
>> bitcoins" exhibiting all the desirable properties of a perfect
>> currency (ie, stable money) are greatly exaggerated.
>
> The question is not whether it's perfect, but whether it's good enough.
The question is whether it is even close. It's pretty clear it can never
be stable enough to be a currency. Pretty much all currencies lean on some
form of stability; BitCoin does not, and suggests "when it's big enough,
supply v. demand will stabilise it..."
Only gold/silver has ever pulled off that trick, and emulating gold is not
what you'd call a winning strategy. Actually there's a name for it:
alchemy. BitCoin is cryptographic alchemy.
> BTC is basically a global version of http://en.wikipedia.org/wiki/Local_currency
> or http://en.wikipedia.org/wiki/Alternative_currency and hence
> isn't something completely new.
Sure, and those things have rules too. Local currency is local; BitCoin is
not. The difference is that in local currencies we can rely on the trust
and reputation networks to stop people stealing. In BitCoin, we can't. In
local currencies, when the currency moves outside the very tight trust
circle where everyone knows each other, they fail, because someone moves
into the currency who has no reputation to lose.
(Alternative currency is just a term used by the regulated currency
people, it doesn't really tell us anything.)
> It would be interesting to see whether BTC's successors
> could improve the scheme, by allowing a (subexponential)
> growth, built-in devaluation to encourage circulation and
> discourage hoarding (this would be probably hard to
> do), and so on.
Not really. Its problem isn't its mathematics or its release rate, but
that it has no ground to stand on. Which is to say, if people want to bid
it to the sky, they can. If people want to dump it to the bottom of the
ocean, they can too...
With a currency that is backed on something stable, the stable commodity
forms an anchor around which value gyrates. So, it is worth holding if
the price goes up too low, because you can always use it for its stable
thing. E.g., in US of A, the american people are quite happy to hold $$$
because they can pay their taxes with it. They really don't care that much
what the exchange rate is doing, up or down. This anchor means USD is a
good currency.
Possibly what people don't realise is that it is very easy to corner a
market. However, the fundamental value of the unit (the commodity) will
stabilise and punish the speculator who corners the market. With BitCoin
there is no underlying anchor to punish the person cornering the market, so
the games will be excessive, and volatility will be too high to be
"current."
iang
PS: having said all that negative stuff, I quite like BitCoin. If it got
the econ right, we'd be having different conversations :)
_______________________________________________
cryptography mailing list
cryptography(a)randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 9.17, 7 September 2011
============================================================
Contents
============================================================
1. The EC tries to increase government control of the Internet
2. Sweden argues that transposing data retention directive is unnecessary
3. DigiNotar breach leads to grave security concerns
4. EU privacy watchdog still displeased with online behavioural advertising
5. EP study on "Consumer Behaviour in a Digital Environment"
6. ECHR to analyse Azeri bloggers' complaint against unjust imprisonment
7. EP committee supports the introduction of body scanners in EU airports
8. ENDitorial: Abuse of Irish police databases
9. Recommended Reading
10. Agenda
11. About
============================================================
1. The EC tries to increase government control of the Internet
============================================================
The European Commission (EC) Information Society and Media
Directorate-General have recently drawn up a series of six policy papers
intended to increase government control over the Internet.
The policies have in view measures that include governmental control
over the domain names that can be registered, the veto power of governments
over new Internet domain names, significant structural changes at the level
of ICANN (Internet Corporation for Assigned Names and Numbers), an
obligation of the organisation to follow governments' advice (except for
cases considered illegal or damaging to the Internet stability) and the
creation of two bodies that would oversee ICANN decision-making and
finances.
The measures brought forth by the new policies would provide governments
with de facto control over the Internet's naming systems and would end
the independent and autonomous approach of the Internet's domain name
system. The new suggestion seems a logical consequence of the position of
the head of the European Commission's Audiovisual, Media and Internet
Directorate - Gerard de Graaf - at an ICANN meeting in Singapore in June
2011.
The recent EC papers come to argue for increased government control
and foresee the shift in power toward governments within the next 12 months.
According to the new policies, the governments are notified about the
applications received and are to indicate which TLDs might raise "public
policy concerns." This actually means that governments can try to block or
censor any content or applicant that they want, by using the "public policy
concerns" argument. The Governmental Advisory Committee (GAC) will be able
to raise formal objections later in the process.
GAC, which presently has no legal authority, will soon become a legislator
that can create a list of words that no Internet user in the world can
register, as proposed by the EC papers. GAC members (should be able to)
request the reservation or blocking of domain names at the second level
under new gTLDs. It should do this by constructing a censorship list, which
it calls a "reference list for all new gTLD operators to use and ICANN" say
the EC documents.
Milton Mueller from IGP (Internet Governance Project) explains that the fate
of the new registries and new domain names should be determined by users
and consumers, and not by a central planning authority dominated by
governments and special interest groups. "The new TLD program is also
important because domain names are a form of expression on the Internet. Any
policy that regulates the creation or operation of new domains based on
their meaning or the content underneath them is, de facto, a form of
globalized content regulation. Thus, even people who think domain names are
not that important need to pay attention to what happens in this space,
especially now that domain take-downs are becoming an increasingly common
form of state intervention."
EC's second paper is damaging for the freedom of expression by
introducing huge, unnecessary economic barriers to entry. What it proposes
is to subordinate the Internet community's self-governance to a hierarchical
control by the state, replacing ICANN's gTLD policy with a new one that will
allow governments through GAC, to take complete control over what new top
level domain names are allowed to exist.
These EC papers were developed not through public consultation,
but secretly, thus lacking in democratic legitimacy. The plans are to
formally raise or even implement the proposed measures by the end of this
year, in particular at ICANN's meeting in Senegal in October.
The second EC ICANN Paper: How low can they go? (4.09.2011)
http://blog.internetgovernance.org/blog/_archives/2011/9/4/4893009.html
European Commission calls for greater government control over Internet
(31.08.2011)
http://news.dot-nxt.com/2011/08/31/ec-greater-government-control
Analysis: EC policy papers on ICANN (31.08.2011)
http://news.dot-nxt.com/2011/08/31/ec-papers-analysis
ICANN - informal background paper - New gTLD process (1.09.2011)
http://blog.internetgovernance.org/pdf/EC-TLD-censorship.pdf
Payback time: The European Commission papers on ICANN (2.09.2011)
http://blog.internetgovernance.org/blog/_archives/2011/9/2/4891821.html
============================================================
2. Sweden argues that transposing data retention directive is unnecessary
============================================================
On 5 September 2011, the Swedish government responded to the European Court
of Justice after the Commission referred Sweden to the Court for failing to
transpose the Directive on Data Retention (2006/24/EC).
Sweden's main argument is that it is unnecessary to transpose the Data
Retention Directive, considering the practical effects of existing Swedish
legislation. This implicitly means that transposition would be contrary to
the European Convention on Human Rights and the Charter of Fundamental
Rights, both of which require restrictions on fundamental rights to be
necessary and proportional.
The Directive on Data Retention 2006/24/EC was adopted in 2006 and the
Member States had until 15 September 2007 to transpose it into the national
law, and until 15 March 2009 to implement the retention of communications
data relating to Internet services. The Directive concerns the storage of
traffic and location data resulting from electronic communications. Traffic
and location data retained by Internet service providers and phone companies
will be made available only to national law enforcement authorities in
specific cases and in accordance with the national law. However, retention
periods, purpose limitation and access requirement vary vastly across the
EU.
The European Court of Justice found that Sweden failed to fulfil its
obligations to implement the Data Retention Directive in its national
legislation on 4 February 2010. Despite this first ruling, Sweden still has
not transposed the Directive 2006/24/EC. In the absence of a precise
timetable for the transposition of the Directive, the Commission decided to
send a letter of formal notice to Sweden in June last year. The Commission
asked Sweden for details on the measures Sweden planned to implement the
Directive and comply with the Court's decision.
Sweden informed the Commission on 21 January 2011 that draft legislation had
been submitted to its Parliament in order to transpose the Directive. The
legislation was to be adopted in mid-March. However, the Parliament deferred
the vote on the draft legislation implementing the Directive on Data
Retention for a year, due to the opposition from a minority of
parliamentarians. They used a constitutional rule allowing one-sixth of the
MPs to suspend the adoption of a proposed legislation.
Following this suspension of the legislative process, the European
Commission swiftly referred Sweden for a second time to the European Court
of Justice, requesting it to impose financial penalties (Case C-270/11). The
Commission asked the Court to impose a daily penalty of 40 947 Euros/day
after the second ruling and a lump sum of 9 597 Euros/day for each day
between the first and the second ruling. The ECJ will have to determine the
level of sanctions and if it will take the form of a penalty and/or a lump
sum.
In its response to the ECJ, Sweden argues that the penalties are
disproportionate considering firstly the fact that Sweden does not often
fail to fulfil its implementation obligations regarding European directives
and secondly that some other Member States likewise fail to implement the
Directive without being penalised by any financial penalties.
The Swedish government also indicated that since the first ruling, it has
taken all procedurally possible measures to implement the Directive. The
delay is due to political and legal matters with regards to the sensitive
subjects the Directive is dealing with, such as the right to privacy and
those debates are delaying the legislative process. It further points out
that this controversy is not limited to Sweden.
Moreover, according to Sweden, the failure to implement the Directive does
not create any barriers for the Single Market. Bearing in mind the
Commission's own assertion of the low costs of implementing the Directive
(as described in the implementation report), this seems to be difficult for
the Commission to deny. According to Sweden, the harmonisation realised by
the Directive on Data Retention is only minimal and does not appear to be
crucial in achieving competition on the Single Market. In addition, the
Directive does not say who finances data retention.
It finally appears that the Swedish Government believes that Directive
2002/58/EC on Privacy and Electronic Communications gives the Member States
the ability to adopt legislation covering the field of the Data Retention
Directive when necessary and that the 2006 Directive's implementation in
Sweden is therefore meaningless. The Swedish government especially
underlines that the Swedish crime prevention authorities already have
sufficient access to data even without the full implementation of the
Directive. Furthermore, the differences in the implementations across the EU
show the limits of the Data Retention directive and create a lack of
harmonisation.
According to Sweden, further implementation of the Data Retention Directive
is superfluous and unnecessary. The question remaining now is whether the
European Court of Justice will follow the Swedish defence on the "necessity"
of implementing the Data Retention Directive and the Directive's failure to
achieve the task on which its legal base is built - harmonisation. The
Commission now faces an unenviable task - it either forces a sovereign
Member State to impose unnecessary (and therefore illegal) restrictions on
fundamental rights or it accepts the challenge of finally acknowledging the
failure of the Directive and the inevitable battle with the Council that
will result from any serious effort to fix the broken legislation.
Data Retention Directive 2006/24/EC (15.03.2006)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:00…
Judgement of the Court Case C-185/09 (4.02.2010)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:080:0006:00…
Commission refers Sweden back to Court to transpose EU legislation
(6.04.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/409&format=HT…
European Commission Application (31.05.2011)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2011:226:0017:00…
Sweden's response to the ECJ - Case C-270/11 - (5.09.2011) (available only
in Swedish)
http://www.edri.org/files/sw_C-270-11_slutligt.pdf
(Contribution by Marie Humeau - EDRi)
============================================================
3. DigiNotar breach leads to grave security concerns
============================================================
A breach in the computer systems of Dutch certificate company DigiNotar
led to grave concerns regarding the security of internet users in Iran
and Dutch government communications. On 2 September 2011, the Dutch
government withdrew its trust in certificates issued by DigiNotar
after the discovery of fraudulent certificates. It advised Dutch
citizens not to log in on websites using these certificates, until the
certificates are replaced. Meanwhile, there is credible evidence that
the confidential communication of hundreds of thousands of Iranians with
Gmail has been intercepted.
In June 2011, the servers of DigiNotar were breached and certificates
were fraudulently issued in the weeks after. Although some of these
certificates were revoked, DigiNotar kept the breach secret. Only weeks
later, following a message posted on a forum by someone from Iran who
tried to log in to Gmail and received a warning about a non-authentic
DigiNotar certificate for Google, did DigiNotar acknowledge the breach.
On 29 August 2011, the Dutch government was notified about the incident.
DigiNotar revoked the rogue Google certificate and asked a Dutch
security firm to perform an investigation into the breach. The report of
the investigation showed that DigiNotar did not observe basic security
measures and hundreds of false certificates were issued on its systems.
The rogue Google certificate proved to be in use since 27 July 2011.
Active abuse was observed between 4 and 29 August 2011. It is likely
that hundreds of thousands of sessions with Google from Iran were
intercepted using this certificate.
DigiNotar issues several types of certificates, including PKI-Overheid
certificates - typically used by the Dutch government for its websites -
and 'simple' certificates. As it could not be excluded that false
government certificates were also issued, the Dutch government decided
to switch to certificates from other authorities.
The incident with DigiNotar also raises questions about the safety and
trustworthiness of the certificate system in general. Worldwide, there
are hundreds of companies providing these certificates. Supervision of
these companies is limited. They can sell certificates as long as they
meet the conditions of the browser manufacturers. There is no guarantee
that all of them take adequate measures to prevent and detect breaches.
This should be a wake-up call for governments and organisations all over
the world to actively start working on better, more robust certification
systems.
Message about rogue certificate (28.08.2011)
https://www.google.com/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl…
Letter from the Dutch government about the intrusion at DigiNotar (only
in Dutch, 5.09.2011)
http://www.rijksoverheid.nl/documenten-en-publicaties/kamerstukken/2011/09/…
Interim report from Fox-IT about the DigiNotar Certificate Authority breach
(5.09.2011)
http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/…
(Contributed by Marjolein van der Heide - EDRi-member Bits of Freedom -
Netherlands)
============================================================
4. EU privacy watchdog still displeased with online behavioural advertising
============================================================
In a letter sent to IAB Europe and European Advertising Standards Alliance
(EASA), Article 29 Working Party (WP) made some observations regarding the
self-regulatory framework for online behavioural advertising.
The WP considers that the companies having signed the self-regulatory code
may still be in breach of the EU laws in the use of cookies to track users'
online behaviour for targeted advertising.
The self-regulatory code, established in April 2011 by IAB Europe and EASA,
imposes the display of an icon on the companies' websites that tells users
that the adverts track their online activity. By using the icon, users may
manage information preferences or stop receiving behavioural advertising.
The code also says that operators must give users access to an easy method
to turn off cookies and must inform users that they collect data on them for
behavioural advertising and give details on the advertisers they provide the
respective data. They also have to publish details of how they collect and
use the data, including whether personal or sensitive personal data is
involved.
However, Article 29 WP has shown in its letter that it did not consider
these measures enough to comply with the EU's e-Privacy Directive which
provides in its new form that storing and accessing information on users'
computers is only lawful "on condition that the subscriber or user concerned
has given his or her consent, having been provided with clear and
comprehensive information about the purposes of the processing".
The Directive establishes an exception where the cookie is "strictly
necessary" for the provision of a service "explicitly requested" by the
user.
"The mechanisms proposed by the EASA/IAB Code enable people to object to
being tracked for the purposes of serving behavioural advertising. However,
tracking and serving ads takes place unless people exercise the objection,"
said Jacob Kohnstamm, chairman of the Working Party, in the letter.
The WP believes the advertising icon used by companies that signed up to the
online behavioural advertising code did not actually provide users with "the
legally required information allowing them to make informed choices about
cookie tracking."
In Article 29 WP's opinion, the text of the code is rather confusing and
insufficiently clear which could lead to some users thinking "tracking has
no privacy implications for them". Kohnstamm says in the letter that the
information made available through clicking the icon should be more
accessible and be directly visible.
Ad network providers should "provide the necessary information before the
cookie is sent and rely on users' actions ... to signify their agreement to
receive the cookie and to be tracked". Valid consent can be received by
the provider by asking users to click a box to "accept" cookie tracking.
Each advertising network must also obtain consent from users even when
websites work with multiple ad network providers.
By obtaining prior, informed consent from the users, the ad provider no
longer needs to ask the user for subsequent access and transmissions of
cookies for the same purpose. However, the "opt out" ability should still be
available.
Kohnstamm also says that browser settings will not be enough to meet the
cookie consent requirements until they automatically reject third-party
cookies as default and allow users to take "affirmative action to accept
cookies from specific websites for a specific purpose." Browsers must also
advise users that the cookies tracking their data are being used by ad
network providers, in addition to informing them of what network providers
do with the cookies.
In June 2011, EU Commissioner Neelie Kroes told EU companies that they had a
year to find methods that achieve the legal standard for gaining consent, as
failure to do so would result in the Commission's action toward
non-compliant businesses.
Letter from the Article 29 Working Party addressed to Online Behavioural
Advertising (OBA) Industry regarding the self-regulatory Framework
(23.08.2011)
http://ec.europa.eu/justice/data-protection/article-29/documentation/other-…
Advertising code not cookie law compliant, data protection watchdogs say
(29.08.2011)
http://www.out-law.com/en/articles/2011/august/advertising-code-not-cookie-…
EDRi-gram: Article 29 WP issues opinion on cookies in the new ePrivacy
Directive (30.06.2010)
http://www.edri.org/edrigram/number8.13/article-29-cookie-eprivacy
============================================================
5. EP study on "Consumer Behaviour in a Digital Environment"
============================================================
The European Parliament (EP) has published a study on "Consumer Behaviour in
a Digital environment" that it commissioned from London School of Economics
(LSE). The study involved a limited stakeholder consultation, which included
an extensive exchange of views with EDRi and also looked at existing
literature and market developments. The study is part of an ongoing
reflection in the EU institutions on how to better achieve an effective
single market, particularly in the digital space.
The study identifies the following factors affecting the demand and supply
for illegal content:
1. the price;
2. the rise of the "prosumer" (users as both producers and consumers);
3. the exchange of products and files online between consumers; and
4. large economic incentives for providing what the authors of the study
refer to as "illegal content".
The conclusions of the study focus entirely on a positive agenda, seeking to
address the source of problems rather than looking at ways of dealing with
symptoms. For example, regarding unauthorised use of copyright-protected
content, the study proposes the development of innovative pricing and
payment systems as well as reforming copyright in a way that would eliminate
the inefficiencies that come from the fragmentation of the single market.
The authors of the research clearly prioritise positive measures to minimise
the causes of the unauthorised activity, rather than negative and defensive
measures that would punish consumers without addressing underlying causes.
Similarly, the report conclusions support efforts at improving awareness of
consumer protection legislation, enhanced dispute resolution and removal of
practical barriers to cross-border trade. The study also discusses the rise
of "prosumers", concluding that this development "potentially leads to
innovation, creativity and consumer empowerment. However, prosumers cannot
fully develop under current legal framework. The copyright exceptions regime
and cross-border licensing problems are singled out as current challenges".
While generally being a very positive and well-thought out piece of
research, the main negative point in the report is the repeated conflation
of "illegal content" with "illegal use of content," which, legally,
practically and societally are entirely different problems.
Finally, the research team identifies the following challenges faced by
copyright law with regard to illegal access to content ("illegal content" in
the vocabulary of the report):
a) the exceptions to copyright still differ significantly from Member
State to Member State;
b) licensing arrangements through collecting societies have not been
harmonised;
c) some Member States have introduced laws allowing restrictions on
internet access for connections where illegal file-sharing has been
conducted (or suspected), which may lead to market distortions and raises
the question of whether the right to Internet access introduced by the
Framework Directive is infringed;
d) the issue of who is responsible for clearing copyright on social media
such as YouTube is not clearly defined in the E-Commerce Directive because
peer-to-peer services were much less prevalent when the Directive was
written. (This final point is somewhat odd because the E-Commerce Directive
does not cover rights clearance and YouTube is a hosting service which
therefore renders the question of peer-to-peer somewhat irrelevant.)
Consumer Behaviour in a Digital Environment (2011)
http://www.europarl.europa.eu/meetdocs/2009_2014/documents/imco/dv/consumer…
Framework Directive - Directive 2002/21/EC as amended by Directive
2009/140/EC and Regulation 544/2009
http://ec.europa.eu/information_society/policy/ecomm/doc/140framework.pdf
(Contribution by Daniel Dimov - intern at EDRi)
============================================================
6. ECHR to analyse Azeri bloggers' complaint against unjust imprisonment
============================================================
The Azeri bloggers who were imprisoned for a year and a half under
alleged hooliganism accusations have filed a complaint with the European
Court of Human Rights, which will decide whether their detention was in
breach of the European Convention on Human Rights.
Emin Milli and Adnan Hajizade were arrested in Baku in July 2009, being
accused of hooliganism, after having reported to the police that they had
been physically attacked in a restaurant. Under pressure from the
international community, the two bloggers, detained in reality for attacks,
on their blogs, against the Government and the fact that they had
disseminated a video making fun of corrupt politicians, were finally
released in November 2010. Their release is however conditional and their
convictions have not been overturned.
Consequently, the two bloggers are now seeking official recognition that the
Azerbaijani authorities violated their rights. The fact that, despite their
injuries, they were not treated medically in prison breaches article 3 of
the European Convention. The Azeri government was also in breach of article
5 that protects the right to freedom and security and says that a person may
only be detained when suspected of a crime or when sentenced to
imprisonment.
According to the Convention, the bloggers should have been informed of the
reasons for their arrest and they had a right to be tried within a
reasonable time or to be released pending trial. Milli and Hajizade were
held for the two months before the start of their trial and were still in
prison more than four months after their arrest.
The complaint also says that article 6, on the right to a fair trial, was
violated because the two people were allowed only belated access to their
lawyers and because the court took no account of what their lawyers said.
Article 8 on respect for private and family life was also violated as
the two bloggers were denied family visits while held and certain family
members were not allowed to testify at the trial.
The Azeri government violated Article 10 as well which protects the right to
freedom of expression, including the "freedom to hold opinions and to
receive and impart information and ideas without interference by public
authority and regardless of frontiers." The two people were jailed
for criticizing the authorities.
Hajizade and Milli filed a complaint before a Baku court on 8 July 2009
which was rejected on 23 July 2009. On 10 August 2009, a separate complaint
against the interior ministry, Baku police and prosecutor's office of
failing to respect the right to be presumed innocent was also rejected.
A confidential cable from the US embassy in Baku on 9 July
2009, posted on the WikiLeaks website on 26 August, confirmed the fact that
the two bloggers did not receive medical treatment for their injuries during
their first night in detention and revealed that embassy officers' requests
to visit the two bloggers in prison were denied.
The cable also drew attention to the fact that on 10 July 2009 Milli was
to work as the interpreter for the PACE Special Rapporteur for Political
Prisoners which seems a rather strange coincidence.
European Court to examine case of two bloggers who were unjustly jailed
(2.09.2011)
http://en.rsf.org/azerbaijan-european-court-to-examine-case-of-02-09-2011,4…
US embassy thought two bloggers' arrest was suspicious (1.09.2011)
http://en.rsf.org/us-embassy-thought-two-bloggers-01-09-2011,40902.html
EDRi-gram: Azeri bloggers released from prison (1.12.2010)
http://www.edri.org/edrigram/number8.23/azeri-bloggers-released-prison
============================================================
7. EP committee supports the introduction of body scanners in EU airports
============================================================
To the dismay of liberal groups, the European Parliament's Transport
Committee decided on 31 August 2011 to back up the European Commission in
the introduction of body scanners in EU airports.
Although imposing certain conditions such as excluding x-ray technology, the
EP committee did not oppose the EC rules which do not specifically rule out
the use of naked imagery. "The rules do exclude the use of x-ray technology,
which is something we wanted. But it doesn't oblige producers to use stick
figures instead of the actual body image," stated Benjamin Krieger, a
spokesperson for the German Liberals in the European Parliament.
This decision comes when some European countries have reached the conclusion
that body scanners are not performing properly.
The German interior ministry has recently decided to postpone the
introduction of body scanners at airports for security reasons, after the
devices used for trial failed to do their job, giving false alerts at a 49%
rate. The errors included confusing sweaty armpits with concealed bomb
chemicals while body scanners are supposed to detect plastic or ceramic
elements concealed under clothing.
The technology has been strongly opposed by human rights groups, religious
organizations and even the European Parliament because it shows a real
outline of one's bodily features, which raises serious privacy concerns. The
devices are also expensive, reaching up to 130 000 euro/piece.
In 2010, Italy also fell back on the plan to implement the technology in
airports after experiencing the same results during the trial period.
Germany ditches body scanners after repeat false alerts (1.09.2011)
http://euobserver.com/22/113479
Meeting minutes TRAN Committee (30-31.08.2011)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL…
EP transport committee votes in favour of body scanners (31.08.2011)
http://euobserver.com/1016/113478
Welcome to body scanners at EU airports (6.07.2011)
http://www.europolitics.info/sectoral-policies/welcome-to-body-scanners-at-…
Parliament sets conditions for airport body scanners (6.07.2011)
http://www.eubusiness.com/news-eu/security-aviation.b5r
EDRi-gram: MEPs approve body scanners on airports on a voluntarily basis
(1.06.2011)
http://www.edri.org/edrigram/number9.11/body-scanners-airports-ep
============================================================
8. ENDitorial: Abuse of Irish police databases
============================================================
In 2003, the then Minister for Justice, Michael McDowell, stated that he
"knew that journalists were bribing gardaí (police)". This was said in the
context of proposed legislation which would create a crime of leaking
information. Unfortunately, the intervening years seem to have confirmed the
continued existence of police abuse of confidential information, resulting
in a recent announcement by the Data Protection Commissioner of a national
audit into garda compliance with data protection law.
The audit will focus on access to the main police database system, known as
PULSE, which was introduced in 1999. While that system has a read/write
audit trail, this has not acted as a deterrent to abuse - some police have
sought to evade the audit trail by requesting others to carry out searches
on their behalf, and login sharing has also been a problem. Consequently, in
his 2010 Annual Report the Data Protection Commissioner stated that:
"In 2007 we agreed a data protection Code of Practice with the Gardaí which
included undertakings to monitor access to the Garda PULSE system. It is
disappointing to report that, despite our repeated engagements on this
issue, the monitoring of access by members of An Garda Síochána to PULSE
falls short of the standards we expect. We wish to see significant progress
by the Gardaí in pro-actively monitoring PULSE access in 2011 and will be
carrying out an audit to satisfy ourselves of this progress."
The most recent allegations generally concern personal use of the system,
for example by using it to check on daughters' boyfriends or to check the
history of cars which they are buying. However, allegations of more serious
abuses are also common, including the sale of information to insurance
companies and even criminals.
Unfortunately, it is difficult to provide a full assessment of abuses which
have taken place. While many allegations have been published by the media
and some internal garda investigations carried out, the results of these
investigations have not been published, disciplinary sanctions (if any) are
seldom made public and there is no comprehensive official report. This
secrecy is a failing in itself and makes it impossible for the public to
have confidence in the system.
Nevertheless, there have been a number of cases in which abuses have been
clearly established and some significant examples from recent years include
a court award of 70 000 Euros damages to a family who were harmed by a garda
leak (2007), the dismissal of a garda for leaking information to a drug
dealer (2010) and most recently the finding that a detective sergeant abused
her position to monitor an ex-boyfriend through his phone records (2011). A
particularly telling example in 2007 followed the high profile death of a
person struck by a car driven by an off-duty garda. In that case, 187
individual gardai accessed that person's PULSE record following his death,
without apparent justification. An investigation into that incident
recommended that:
"supervisory ranks should regularly monitor the use of PULSE to ensure that
members adhere to their legal and disciplinary obligations in regard to its
proper use [and] suitable measures [should] be put in place by the Garda
authorities to ensure that audit-trails of the usage of PULSE and any other
official information systems can always be accurate and verifiable."
Unfortunately, it seems that several years later this has yet to be done.
GRA's concern about bribery claim, RTÉ News (04.08.2003)
http://www.rte.ie/news/2003/0904/justice.html
Family awarded 70,000 Euros over garda leak, RTÉ News (17.01.2007)
http://www.rte.ie/news/2007/0117/gray.html
Report by the Commission following the death of Mr. Derek O'Toole on March
4th 2007 and subsequent complaints and investigation under Section 98,
Garda Síochána Act, 2005 (10.2008)
http://www.gardaombudsman.ie/GSOC/Report_October2008.pdf
Garda Data Protection Code of Practice (12.11.2007)
http://www.garda.ie/Controller.aspx?Page=136&Lang=1
Gardaí line up 17 officers for quizzing over leaks to 'Don', Evening Herald
(16.10.2009)
http://www.herald.ie/news/gardai-line-up-17-officers-for-quizzing-over-leak…
Walsh, Human Rights and Policing in Ireland (Dublin: Clarus Press, 2009),
Ch. 32
Garda sacked for leaked secrets to Don's crime gang, Evening Herald
(18.06.2010)
http://www.herald.ie/news/garda-sacked-for-leaking-secrets-to-dons-crime-ga…
2010 Annual Report of the Data Protection Commissioner (03.2010)
http://www.dataprotection.ie/documents/annualreports/2010AR.pdf
EDRi-gram: No effective sanction for Police abuse of Irish data retention
system (24.08.2011)
http://www.edri.org/edrigram/number9.16/abuse-data-retention-ireland
(Contribution by TJ McIntyre - EDRi-member Digital Rights Ireland)
============================================================
9. Recommended Reading
============================================================
Statewatch Analysis: UK: Internet censorship looms as government finds
alternatives to flawed Digital Economy Act by Max Rowlands:
The routine blocking of websites believed to facilitate copyright
infringement has moved a step closer - despite concerns about the
proportionality and effectiveness of the practice - following a landmark
High Court ruling on the application of the Copyright, Designs and Patents
Act. Meanwhile, the much criticised Digital Economy Act continues to
flounder, with the introduction of its controversial copyright protection
scheme - which would allow the government to suspend the internet
connections of individuals accused of persistent copyright infringement -
now delayed until 2012 at the earliest.
http://www.statewatch.org/analyses/no-147-internet-censorship.pdf
Europe's Odd Anti-Piracy Stance: Send Money to the US! (4.09.2011)
http://torrentfreak.com/europes-odd-anti-piracy-stance-send-money-to-the-us…
Naming Names on the Internet (4.09.2011)
http://www.nytimes.com/2011/09/05/technology/naming-names-on-the-internet.h…
Open Data: Emerging trends, issues and best practices - a research project
about openness of public data in EU local administration (2011)
http://www.lem.sssup.it/WPLem/odos/odos_report_2.pdf
============================================================
10. Agenda
============================================================
8-9 September 2011, Brussels, Belgium
6th Annual Conference of the European Policy for Intellectual Property
Fine-Tuning IPR debates
http://www.epip.eu/conferences/epip06/
10-17 September 2011
Freedom Not Fear - International Action Week
http://www.freedomnotfear.org
16-18 September 2011, Warsaw, Poland
Creative Commons Global Summit 2011
http://wiki.creativecommons.org/Global_Summit_2011
16 September 2011, Leeds, UK
Conference "Human Rights in the Digital Era"
http://digitalrights.leeds.ac.uk
17 September 2011, Worldwide
Software Freedom Day 2011
http://softwarefreedomday.org/
27-30 September 2011, Nairobi, Kenya
Sixth Annual IGF Meeting: Internet as a catalyst for change: access,
development, freedoms and innovation
http://www.intgovforum.org/cms/nairobipreparatory
11 October 2011, Brussels, Belgium
ePractice Workshop: Addressing evolving needs for cross-border eGovernment
services
http://www.epractice.eu/en/events/epractice-workshop-cross-border-services
13-14 October 2011, Lisbon, Portugal
2nd International Graduate Conference in Communication and Culture: The
Culture of Remix
http://blogs.nyu.edu/projects/materialworld/2011/05/cfp_the_culture_of_remi…
20-21 October 2011, Warsaw, Poland
Open Government Data Camp
http://opengovernmentdata.org/camp2011/
27-30 October 2011, Barcelona, Spain
Free Culture Forum 2011
http://fcforum.net/
9 November 2011, Bucharest, Romania
Inet Conference: Access, Trust and Freedom: Coordinates for future Internet
http://www.isoc.org/isoc/conferences/inet/11/bucharest-agenda.shtml
11-13 November 2011, Gothenburg, Sweden
FSCONS is the Nordic countries' largest gathering for free culture, free
software and a free society.
http://fscons.org/
25-27 January 2012, Brussels, Belgium
Computers, Privacy and Data Protection 2012
http://www.cpdpconferences.org/
============================================================
11. About
============================================================
EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 28 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRi-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and are visible on
the EDRi website.
This EDRi-gram has been published with financial support from the EU's
Fundamental Rights and Citizenship Programme.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
On 20/07/11 9:08 PM, Eugen Leitl wrote:
> On Wed, Jul 20, 2011 at 11:56:06AM +0200, Alfonso De Gregorio wrote:
>
>> I'd better rephrase it in: expectation to have "money backed by
>> bitcoins" exhibiting all the desirable properties of a perfect
>> currency (ie, stable money) are greatly exaggerated.
>
> The question is not whether it's perfect, but whether it's good enough.
The question is whether it is even close. It's pretty clear it can never
be stable enough to be a currency. Pretty much all currencies lean on some
form of stability; BitCoin does not, and suggests "when it's big enough,
supply v. demand will stabilise it..."
Only gold/silver has ever pulled off that trick, and emulating gold is not
what you'd call a winning strategy. Actually there's a name for it:
alchemy. BitCoin is cryptographic alchemy.
> BTC is basically a global version of http://en.wikipedia.org/wiki/Local_currency
> or http://en.wikipedia.org/wiki/Alternative_currency and hence
> isn't something completely new.
Sure, and those things have rules too. Local currency is local; BitCoin is
not. The difference is that in local currencies we can rely on the trust
and reputation networks to stop people stealing. In BitCoin, we can't. In
local currencies, when the currency moves outside the very tight trust
circle where everyone knows each other, they fail, because someone moves
into the currency who has no reputation to lose.
(Alternative currency is just a term used by the regulated currency
people, it doesn't really tell us anything.)
> It would be interesting to see whether BTC's successors
> could improve the scheme, by allowing a (subexponential)
> growth, built-in devaluation to encourage circulation and
> discourage hoarding (this would be probably hard to
> do), and so on.
Not really. Its problem isn't its mathematics or its release rate, but
that it has no ground to stand on. Which is to say, if people want to bid
it to the sky, they can. If people want to dump it to the bottom of the
ocean, they can too...
With a currency that is backed on something stable, the stable commodity
forms an anchor around which value gyrates. So, it is worth holding if
the price goes up too low, because you can always use it for its stable
thing. E.g., in US of A, the american people are quite happy to hold $$$
because they can pay their taxes with it. They really don't care that much
what the exchange rate is doing, up or down. This anchor means USD is a
good currency.
Possibly what people don't realise is that it is very easy to corner a
market. However, the fundamental value of the unit (the commodity) will
stabilise and punish the speculator who corners the market. With BitCoin
there is no underlying anchor to punish the person cornering the market, so
the games will be excessive, and volatility will be too high to be
"current."
iang
PS: having said all that negative stuff, I quite like BitCoin. If it got
the econ right, we'd be having different conversations :)
_______________________________________________
cryptography mailing list
cryptography(a)randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 9.17, 7 September 2011
============================================================
Contents
============================================================
1. The EC tries to increase government control of the Internet
2. Sweden argues that transposing data retention directive is unnecessary
3. Diginotar breach leads to grave security concerns
4. EU privacy watchdog still displeased with online behavioural advertising
5. EP study on "Consumer Behaviour in a Digital Environment"
6. ECHR to analyse Azeri bloggers' complaint against unjust imprisonment
7. EP committee supports the introduction of body scanners in EU airports
8. ENDitorial: Abuse of Irish police databases
9. Recommended Reading
10. Agenda
11. About
============================================================
1. The EC tries to increase government control of the Internet
============================================================
The European Commission (EC) Information Society and Media
Directorate-General have recently drawn up a series of six policy papers
intended to increase government control over the Internet.
The policies have in view measures that include governmental control
over the domain names that can be registered, the veto power of governments
over new Internet domain names, significant structural changes at the level
of ICANN (Internet Corporation for Assigned Names and Numbers), an
obligation of the organisation to follow governments' advice (except for
cases considered illegal or damaging to the Internet stability) and the
creation of two bodies that would oversee ICANN decision-making and
finances.
The measures brought forth by the new policies would provide governments
with de facto control over the Internet's naming systems and would end
the independent and autonomous approach of the Internet's domain name
system. The new suggestion seems a logical consequence of the position of
the head of European Commission's Audiovisual, Media and Internet
Directorate - Gerard de Graaf - at an ICANN meeting in Singapore in June
2011.
The recent EC papers come to argue for increased government control
and foresee the shift in power toward governments within the next 12 months.
According to the new policies, the governments are notified about the
applications received and are to indicate which TLDs might raise "public
policy concerns." This actually means that governments can try to block or
censor any content or applicant that they want, by using the "public policy
concerns" argument. The Governmental Advisory Committee (GAC) will be able
to raise formal objections later in the process.
GAC, which presently has no legal authority, will soon become a legislator
that can create a list of words that no Internet user in the world can
register, as proposed by the EC papers. GAC members (should be able to)
request the reservation or blocking of domain names at the second level
under new gTLDs. It should do this by constructing a censorship list, which
it calls a "reference list for all new gTLD operators to use and ICANN" say
the EC documents.
Milton Mueller from IGP (Internet Governance Project) explains that the fate
of the new registries and new domain names should be determined by users
and consumers, and not by a central planning authority dominated by
governments and special interest groups. "The new TLD program is also
important because domain names are a form of expression on the Internet. Any
policy that regulates the creation or operation of new domains based on
their meaning or the content underneath them is, de facto, a form of
globalized content regulation. Thus, even people who think domain names are
not that important need to pay attention to what happens in this space,
especially now that domain take-downs are becoming an increasingly common
form of state intervention."
EC's second paper is damaging for the freedom of expression by
introducing huge, unnecessary economic barriers to entry. What it proposes
is to subordinate the Internet community's self-governance to a hierarchical
control by the state, replacing ICANN's gTLD policy with a new one that will
allow governments, through GAC, to take complete control over what new top
level domain names are allowed to exist.
These EC papers were developed not under public consultancy,
but secretly, thus lacking in democratic legitimacy. The plans are to
formally raise or even implement the proposed measures by the end of this
year, in particular at ICANN's meeting in Senegal in October.
The second EC ICANN Paper: How low can they go? (4.09.2011)
http://blog.internetgovernance.org/blog/_archives/2011/9/4/4893009.html
European Commission calls for greater government control over Internet
(31.08.2011)
http://news.dot-nxt.com/2011/08/31/ec-greater-government-control
Analysis: EC policy papers on ICANN (31.08.2011)
http://news.dot-nxt.com/2011/08/31/ec-papers-analysis
ICANN - informal background paper - New gTLD process (1.09.2011)
http://blog.internetgovernance.org/pdf/EC-TLD-censorship.pdf
Payback time: The European Commission papers on ICANN (2.09.2011)
http://blog.internetgovernance.org/blog/_archives/2011/9/2/4891821.html
============================================================
2. Sweden argues that transposing data retention directive is unnecessary
============================================================
On 5 September 2011, the Swedish government responded to the European Court
of Justice after the Commission referred Sweden to the Court for failing to
transpose the Directive on Data Retention (2006/24/EC).
Sweden's main argument is that it is unnecessary to transpose the Data
Retention Directive, considering the practical effects of existing Swedish
legislation. This implicitly means that transposition would be contrary to
the European Convention on Human Rights and the Charter of Fundamental
Rights, both of which require restrictions on fundamental rights to be
necessary and proportional.
The Directive on Data Retention 2006/24/EC was adopted in 2006 and the
Member States had until 15 September 2007 to transpose it into the national
law, and until 15 March 2009 to implement the retention of communications
data relating to Internet services. The Directive concerns the storage of
traffic and location data resulting from electronic communications. Traffic
and location data retained by Internet service providers and phone companies
will be made available only to national law enforcement authorities in
specific cases and in accordance with the national law. However, retention
periods, purpose limitation and access requirements vary vastly across the
EU.
The European Court of Justice found that Sweden failed to fulfil its
obligations to implement the Data Retention Directive in its national
legislation on 4 February 2010. Despite this first ruling, Sweden still has
not transposed the Directive 2006/24/EC. In the absence of a precise
timetable for the transposition of the Directive, the Commission decided to
send a letter of formal notice to Sweden in June last year. The Commission
asked Sweden for details on the measures Sweden planned to implement the
Directive and comply with the Court's decision.
Sweden informed the Commission on 21 January 2011 that draft legislation had
been submitted to its Parliament in order to transpose the Directive. The
legislation was to be adopted in mid-March. However, the Parliament deferred
the vote on the draft legislation implementing the Directive on Data
Retention for a year, due to the opposition from a minority of
parliamentarians. They used a constitutional rule allowing one-sixth of the
MPs to suspend the adoption of a proposed legislation.
Following this suspension of the legislative process, the European
Commission swiftly referred Sweden for a second time to the European Court
of Justice, requesting it to impose financial penalties (Case C-270/11). The
Commission asked the Court to impose a daily penalty of 40 947 Euros/day
after the second ruling and a lump sum of 9 597 Euros/day for each day
between the first and the second ruling. The ECJ will have to determine the
level of sanctions and if it will take the form of a penalty and/or a lump
sum.
In its response to the ECJ, Sweden argues that the penalties are
disproportionate considering firstly the fact that Sweden does not often
fail to fulfil its implementation obligations regarding European directives
and secondly that some other Member States likewise fail to implement the
Directive without being penalised by any financial penalties.
The Swedish government also indicated that since the first ruling, it has
taken all procedurally possible measures to implement the Directive. The
delay is due to political and legal matters with regard to the sensitive
subjects the Directive is dealing with, such as the right to privacy, and
those debates are delaying the legislative process. It further points out
that this controversy is not limited to Sweden.
Moreover, according to Sweden, the failure to implement the Directive does
not create any barriers for the Single Market. Bearing in mind the
Commission's own assertion of the low costs of implementing the Directive
(as described in the implementation report), this seems to be difficult for
the Commission to deny. According to Sweden, the harmonisation realised by
the Directive on Data Retention is only minimal and does not appear to be
crucial in achieving competition on the Single Market. In addition, the
Directive does not say who finances data retention.
It finally appears that the Swedish Government believes that Directive
2002/58/EC on Privacy and Electronic Communications gives the Member States
the ability to adopt legislation covering the field of the Data Retention
Directive when necessary and that the 2006 Directive's implementation in
Sweden is therefore meaningless. The Swedish government especially
underlines that the Swedish crime prevention authorities already have
sufficient access to data even without the full implementation of the
Directive. Furthermore, the differences in the implementations across the EU
show the limits of the Data Retention directive and create a lack of
harmonisation.
According to Sweden, further implementation of the Data Retention Directive
is superfluous and unnecessary. The question remaining now is whether the
European Court of Justice will follow the Swedish defence on the "necessity"
of implementing the Data Retention Directive and the Directive's failure to
achieve the task on which its legal base is built - harmonisation. The
Commission now faces an unenviable task - it either forces a sovereign
Member State to impose unnecessary (and therefore illegal) restrictions on
fundamental rights or it accepts the challenge of finally acknowledging the
failure of the Directive and the inevitable battle with the Council that
will result from any serious effort to fix the broken legislation.
Data Retention Directive 2006/24/EC (15.03.2006)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:00…
Judgement of the Court Case C-185/09 (4.02.2010)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:080:0006:00…
Commission refers Sweden back to Court to transpose EU legislation
(6.04.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/409&format=HT…
European Commission Application (31.05.2011)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2011:226:0017:00…
Sweden's response to the ECJ - Case C-270/11 - (5.09.2011) (available only
in Swedish)
http://www.edri.org/files/sw_C-270-11_slutligt.pdf
(Contribution by Marie Humeau - EDRi)
============================================================
3. DigiNotar breach leads to grave security concerns
============================================================
A breach in the computer systems of Dutch certificate company DigiNotar
led to grave concerns regarding the security of internet users in Iran
and Dutch government communications. On 2 September 2011, the Dutch
government renounced its trust in certificates issued by DigiNotar
after the discovery of fraudulent certificates. It advised Dutch
citizens not to log in on websites using these certificates, until the
certificates are replaced. Meanwhile, there is credible evidence that
the confidential communication of hundreds of thousands of Iranians with
Gmail has been intercepted.
In June 2011, the servers of DigiNotar were broken into and certificates
were fraudulently issued in the weeks after. Although some of these
certificates were revoked, DigiNotar kept the breach secret. Only weeks
later, following a message posted on a forum by someone from Iran who
tried to log in to Gmail and received a warning about a non-authentic
DigiNotar certificate for Google, did DigiNotar acknowledge the breach.
On 29 August 2011, the Dutch government was notified about the incident.
DigiNotar revoked the rogue Google certificate and asked a Dutch
security firm to perform an investigation into the breach. The report of
the investigation showed that DigiNotar did not observe basic security
measures and hundreds of false certificates were issued on its systems.
The rogue Google certificate proved to be in use since 27 July 2011.
Active abuse was observed between 4 and 29 August 2011. It is likely
that hundreds of thousands of sessions with Google from Iran were
intercepted using this certificate.
DigiNotar issues several types of certificates, including PKI-Overheid
certificates - typically used by the Dutch government for its websites -
and 'simple' certificates. As it could not be excluded that false
government certificates were also issued, the Dutch government decided
to switch to certificates from other authorities.
The incident with DigiNotar also raises questions about the safety and
trustworthiness of the certificate system in general. Worldwide, there
are hundreds of companies providing these certificates. Supervision of
these companies is limited. They can sell certificates as long as they
meet the conditions of the browser manufacturers. There is no guarantee
that all of them take adequate measures to prevent and detect breaches.
This should be a wake-up call for governments and organisations all over
the world to actively start working on better, more robust certification
systems.
Message about rogue certificate (28.08.2011)
https://www.google.com/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl…
Letter from the Dutch government about the intrusion at DigiNotar (only
in Dutch, 5.09.2011)
http://www.rijksoverheid.nl/documenten-en-publicaties/kamerstukken/2011/09/…
Interim report from Fox-IT about the DigiNotar Certificate Authority breach
(5.09.2011)
http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/…
(Contributed by Marjolein van der Heide - EDRi-member Bits of Freedom -
Netherlands)
============================================================
4. EU privacy watchdog still displeased with online behavioural advertising
============================================================
In a letter sent to IAB Europe and European Advertising Standards Alliance
(EASA), Article 29 Working Party (WP) made some observations regarding the
self-regulatory framework for online behavioural advertising.
The WP considers that the companies having signed the self-regulatory code
may still be in breach of the EU laws in the use of cookies to track users'
online behaviour for targeted advertising.
The self-regulatory code, established in April 2011 by IAB Europe and EASA,
imposes the display of an icon on the companies' websites that tells users
that the adverts track their online activity. By using the icon, users may
manage information preferences or stop receiving behavioural advertising.
The code also says that operators must give users access to an easy method
to turn off cookies and must inform users that they collect data on them for
behavioural advertising and give details on the advertisers to which they
provide the respective data. They also have to publish details of how they
collect and use the data, including whether personal or sensitive personal
data is involved.
However, Article 29 WP has shown in its letter that it did not consider
these measures enough to comply with the EU's e-Privacy Directive which
provides in its new form that storing and accessing information on users'
computers is only lawful "on condition that the subscriber or user concerned
has given his or her consent, having been provided with clear and
comprehensive information about the purposes of the processing".
The Directive establishes an exception where the cookie is "strictly
necessary" for the provision of a service "explicitly requested" by the
user.
"The mechanisms proposed by the EASA/IAB Code enable people to object to
being tracked for the purposes of serving behavioural advertising. However,
tracking and serving ads takes place unless people exercise the objection,"
said Jacob Kohnstamm, chairman of the Working Party, in the letter.
The WP believes the advertising icon used by companies that signed up to the
online behavioural advertising code did not actually provide users with "the
legally required information allowing them to make informed choices about
cookie tracking."
In Article 29 WP's opinion, the text of the code is rather confusing and
insufficiently clear, which could lead to some users thinking "tracking has
no privacy implications for them". Kohnstamm says in the letter that the
information made available through clicking the icon should be more
accessible and be directly visible.
Ad network providers should "provide the necessary information before the
cookie is sent and rely on users' actions ... to signify their agreement to
receive the cookie and to be tracked". Valid consent can be received by
the provider by asking users to click a box to "accept" cookie tracking.
Each advertising network must also obtain consent from users even when
websites work with multiple ad network providers.
By obtaining prior, informed consent from the users, the ad provider no
longer needs to ask the user for subsequent access and transmissions of
cookies for the same purpose. However, the "opt out" ability should still be
available.
Kohnstamm also says that browser settings will not be enough to meet the
cookie consent requirements until they automatically reject third-party
cookies as default and allow users to take "affirmative action to accept
cookies from specific websites for a specific purpose." Browsers must also
advise users that the cookies tracking their data are being used by ad
network providers, in addition to informing them of what network providers
do with the cookies.
In June 2011, EU Commissioner Neelie Kroes told EU companies that they had a
year to find methods that achieve the legal standard for gaining consent, as
failure to do so would result in the Commission's action toward
non-compliant businesses.
Letter from the Article 29 Working Party addressed to Online Behavioural
Advertising (OBA) Industry regarding the self-regulatory Framework
(23.08.2011)
http://ec.europa.eu/justice/data-protection/article-29/documentation/other-…
Advertising code not cookie law compliant, data protection watchdogs say
(29.08.2011)
http://www.out-law.com/en/articles/2011/august/advertising-code-not-cookie-…
EDRi-gram: Article 29 WP issues opinion on cookies in the new ePrivacy
Directive (30.06.2010)
http://www.edri.org/edrigram/number8.13/article-29-cookie-eprivacy
============================================================
5. EP study on "Consumer Behaviour in a Digital Environment"
============================================================
The European Parliament (EP) has published a study on "Consumer Behaviour in
a Digital environment" that it commissioned from London School of Economics
(LSE). The study involved a limited stakeholder consultation, which included
an extensive exchange of views with EDRi and also looked at existing
literature and market developments. The study is part of an ongoing
reflection in the EU institutions on how to better achieve an effective
single market, particularly in the digital space.
The study identifies the following factors affecting the demand and supply
for illegal content:
1. the price;
2. the rise of the "prosumer" (users as both producers and consumers);
3. the exchange of products and files online between consumers; and
4. large economic incentives for providing what the authors of the study
refer to as "illegal content".
The conclusions of the study focus entirely on a positive agenda, seeking to
address the source of problems rather than looking at ways of dealing with
symptoms. For example, regarding unauthorised use of copyright-protected
content, the study proposes the development of innovative pricing and
payment systems as well as reforming copyright in a way that would eliminate
the inefficiencies that come from the fragmentation of the single market.
The authors of the research clearly prioritise positive measures to minimise
the causes of the unauthorised activity, rather than negative and defensive
measures that would punish consumers without addressing underlying causes.
Similarly, the report conclusions support efforts at improving awareness of
consumer protection legislation, enhanced dispute resolution and removal of
practical barriers to cross-border trade. The study also discusses the rise
of "prosumers", concluding that this development "potentially leads to
innovation, creativity and consumer empowerment. However, prosumers cannot
fully develop under current legal framework. The copyright exceptions regime
and cross-border licensing problems are singled out as current challenges".
While generally being a very positive and well-thought out piece of
research, the main negative point in the report is the repeated conflation
of "illegal content" with "illegal use of content," which, legally,
practically and societally are entirely different problems.
Finally, the research team identifies the following challenges faced by
copyright law with regard to illegal access to content ("illegal content" in
the vocabulary of the report):
a) the exceptions to copyright still differ significantly from Member
State to Member State;
b) licensing arrangements through collecting societies have not been
harmonised;
c) some Member States have introduced laws allowing restrictions on
internet access for connections where illegal file-sharing has been
conducted (or suspected), which may lead to market distortions and raises
the question of whether the right to Internet access introduced by the
Framework Directive is infringed;
d) the issue of who is responsible for clearing copyright on social media
such as YouTube is not clearly defined in the E-Commerce Directive because
peer-to-peer services were much less prevalent when the Directive was
written. (This final point is somewhat odd because the E-Commerce Directive
does not cover rights clearance and YouTube is a hosting service which
therefore renders the question of peer-to-peer somewhat irrelevant.)
Consumer Behaviour in a Digital Environment (2011)
http://www.europarl.europa.eu/meetdocs/2009_2014/documents/imco/dv/consumer…
Framework Directive - Directive 2002/21/EC as amended by Directive
2009/140/EC and Regulation 544/2009
http://ec.europa.eu/information_society/policy/ecomm/doc/140framework.pdf
(Contribution by Daniel Dimov - intern at EDRi)
============================================================
6. ECHR to analyse Azeri bloggers' complaint against unjust imprisonment
============================================================
The Azeri bloggers who were imprisoned for one year and a half under
alleged hooliganism accusations have filed a complaint to the European
Court of Human Rights which will decide whether their detention was in
breach of the European Convention on Human Rights.
Emin Milli and Adnan Hajizade were arrested in Baku in July 2009, being
accused of hooliganism, after having reported to the police that they had
been physically attacked in a restaurant. Under pressure from the
international community, the two bloggers, detained in reality for attacks,
on their blogs, against the Government and the fact that they had
disseminated a video making fun of corrupt politicians, were finally
released in November 2010. Their release is however conditional and their
convictions have not been overturned.
Consequently, the two bloggers are now seeking official recognition that the
Azerbaijani authorities violated their rights. The fact that, despite their
injuries, they were not treated medically in prison breaches article 3 of
the European Convention. The Azeri government was also in breach of article
5 that protects the right to freedom and security and says that a person may
only be detained when suspected of a crime or when sentenced to
imprisonment.
According to the Convention, the bloggers should have been informed of the
reasons for their arrest and they had a right to be tried within a
reasonable time or to be released pending trial. Milli and Hajizade were
held for the two months before the start of their trial and were still in
prison more than four months after their arrest.
The complaint also says that article 6, on the right to a fair trial, was
violated because the two people were allowed only belated access to their
lawyers and because the court took no account of what their lawyers said.
Article 8 on respect for private and family life was also violated as
the two bloggers were denied family visits while held and certain family
members were not allowed to testify at the trial.
The Azeri government violated Article 10 as well, which protects the right to
freedom of expression, including the "freedom to hold opinions and to
receive and impart information and ideas without interference by public
authority and regardless of frontiers." The two people were jailed
for criticizing the authorities.
Hajizade and Milli filed a complaint before a Baku court on 8 July 2009
which was rejected on 23 July 2009. On 10 August 2009, a separate complaint
against the interior ministry, Baku police and prosecutor's office for
failing to respect the right to be presumed innocent was also rejected.
A confidential cable from the US embassy in Baku on 9 July
2009, posted on the WikiLeaks website on 26 August, confirmed the fact that
the two bloggers did not receive medical treatment for their injuries during
their first night in detention and revealed that embassy officers' requests
to visit the two bloggers in prison were denied.
The cable also drew attention to the fact that on 10 July 2009 Milli was
to work as the interpreter for the PACE Special Rapporteur for Political
Prisoners, which seems a rather strange coincidence.
European Court to examine case of two bloggers who were unjustly jailed
(2.09.2011)
http://en.rsf.org/azerbaijan-european-court-to-examine-case-of-02-09-2011,4…
US embassy thought two bloggers' arrest was suspicious (1.09.2011)
http://en.rsf.org/us-embassy-thought-two-bloggers-01-09-2011,40902.html
EDRi-gram: Azeri bloggers released from prison (1.12.2010)
http://www.edri.org/edrigram/number8.23/azeri-bloggers-released-prison
============================================================
7. EP committee supports the introduction of body scanners in EU airports
============================================================
To the dismay of liberal groups, the European Parliament's Transport
Committee decided on 31 August 2011 to back up the European Commission in
the introduction of body scanners in EU airports.
Although imposing certain conditions such as excluding x-ray technology, the
EP committee did not oppose the EC rules which do not specifically rule out
the use of naked imagery. "The rules do exclude the use of x-ray technology,
which is something we wanted. But it doesn't oblige producers to use stick
figures instead of the actual body image," stated Benjamin Krieger, a
spokesperson for the German Liberals in the European Parliament.
This decision comes when some European countries have reached the conclusion
that body scanners are not performing properly.
The German interior ministry has recently decided to postpone the
introduction of body scanners at airports for security reasons, after the
devices used for trial failed to do their job, giving false alerts at a 49%
rate. The errors included confusing sweaty armpits with concealed bomb
chemicals while body scanners are supposed to detect plastic or ceramic
elements concealed under clothing.
The technology has been strongly opposed by human rights groups, religious
organizations and even the European Parliament because it shows a real
outline of one's bodily features, which raises serious privacy concerns. The
devices are also expensive, reaching up to 130 000 euro/piece.
In 2010, Italy also went back on the plan to implement the technology in
airports after experiencing the same results during the trial period.
Germany ditches body scanners after repeat false alerts (1.09.2011)
http://euobserver.com/22/113479
Meeting minutes TRAN Committee (30-31.08.2011)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL…
EP transport committee votes in favour of body scanners (31.08.2011)
http://euobserver.com/1016/113478
Welcome to body scanners at EU airports (6.07.2011)
http://www.europolitics.info/sectoral-policies/welcome-to-body-scanners-at-…
Parliament sets conditions for airport body scanners (6.07.2011)
http://www.eubusiness.com/news-eu/security-aviation.b5r
EDRi-gram: MEPs approve body scanners on airports on a voluntarily basis
(1.06.2011)
http://www.edri.org/edrigram/number9.11/body-scanners-airports-ep
============================================================
8. ENDitorial: Abuse of Irish police databases
============================================================
In 2003, the then Minister for Justice, Michael McDowell, stated that he
"knew that journalists were bribing gardaí (police)". This was said in the
context of proposed legislation which would create a crime of leaking
information. Unfortunately, the intervening years seem to have confirmed the
continued existence of police abuse of confidential information, resulting
in a recent announcement by the Data Protection Commissioner of a national
audit into garda compliance with data protection law.
The audit will focus on access to the main police database system, known as
PULSE, which was introduced in 1999. While that system has a read/write
audit trail, this has not acted as a deterrent to abuse - some police have
sought to evade the audit trail by requesting others to carry out searches
on their behalf, and login sharing has also been a problem. Consequently, in
his 2010 Annual Report the Data Protection Commissioner stated that:
"In 2007 we agreed a data protection Code of Practice with the Gardaí which
included undertakings to monitor access to the Garda PULSE system. It is
disappointing to report that, despite our repeated engagements on this
issue, the monitoring of access by members of An Garda Síochána to PULSE
falls short of the standards we expect. We wish to see significant progress
by the Gardaí in pro-actively monitoring PULSE access in 2011 and will be
carrying out an audit to satisfy ourselves of this progress."
The most recent allegations generally concern personal use of the system,
for example by using it to check on daughters' boyfriends or to check the
history of cars which they are buying. However, allegations of more serious
abuses are also common, including the sale of information to insurance
companies and even criminals.
Unfortunately, it is difficult to provide a full assessment of abuses which
have taken place. While many allegations have been published by the media
and some internal garda investigations carried out, the results of these
investigations have not been published, disciplinary sanctions (if any) are
seldom made public and there is no comprehensive official report. This
secrecy is a failing in itself and makes it impossible for the public to
have confidence in the system.
Nevertheless, there have been a number of cases in which abuses have been
clearly established and some significant examples from recent years include
a court award of 70 000 Euros damages to a family who were harmed by a garda
leak (2007), the dismissal of a garda for leaking information to a drug
dealer (2010) and most recently the finding that a detective sergeant abused
her position to monitor an ex-boyfriend through his phone records (2011). A
particularly telling example in 2007 followed the high profile death of a
person struck by a car driven by an off-duty garda. In that case, 187
individual gardai accessed that person's PULSE record following his death,
without apparent justification. An investigation into that incident
recommended that:
"supervisory ranks should regularly monitor the use of PULSE to ensure that
members adhere to their legal and disciplinary obligations in regard to its
proper use [and] suitable measures [should] be put in place by the Garda
authorities to ensure that audit-trails of the usage of PULSE and any other
official information systems can always be accurate and verifiable."
Unfortunately, it seems that several years later this has yet to be done.
GRA's concern about bribery claim, RTÉ News (04.08.2003)
http://www.rte.ie/news/2003/0904/justice.html
Family awarded 70,000 Euros over garda leak, RTÉ News (17.01.2007)
http://www.rte.ie/news/2007/0117/gray.html
Report by the Commission following the death of Mr. Derek O'Toole on March
4th 2007 and subsequent complaints and investigation under Section 98,
Garda Síochána Act, 2005 (10.2008)
http://www.gardaombudsman.ie/GSOC/Report_October2008.pdf
Garda Data Protection Code of Practice (12.11.2007)
http://www.garda.ie/Controller.aspx?Page=136&Lang=1
Gardaí line up 17 officers for quizzing over leaks to 'Don', Evening Herald
(16.10.2009)
http://www.herald.ie/news/gardai-line-up-17-officers-for-quizzing-over-leak…
Walsh, Human Rights and Policing in Ireland (Dublin: Clarus Press, 2009),
Ch. 32
Garda sacked for leaked secrets to Don's crime gang, Evening Herald
(18.06.2010)
http://www.herald.ie/news/garda-sacked-for-leaking-secrets-to-dons-crime-ga…
2010 Annual Report of the Data Protection Commissioner (03.2010)
http://www.dataprotection.ie/documents/annualreports/2010AR.pdf
EDRi-gram: No effective sanction for Police abuse of Irish data retention
system (24.08.2011)
http://www.edri.org/edrigram/number9.16/abuse-data-retention-ireland
(Contribution by TJ McIntyre - EDRi-member Digital Rights Ireland)
============================================================
9. Recommended Reading
============================================================
Statewatch Analysis: UK: Internet censorship looms as government finds
alternatives to flawed Digital Economy Act by Max Rowlands:
The routine blocking of websites believed to facilitate copyright
infringement has moved a step closer - despite concerns about the
proportionality and effectiveness of the practice - following a landmark
High Court ruling on the application of the Copyright, Designs and Patents
Act. Meanwhile, the much criticised Digital Economy Act continues to
flounder, with the introduction of its controversial copyright protection
scheme - which would allow the government to suspend the internet
connections of individuals accused of persistent copyright infringement -
now delayed until 2012 at the earliest.
http://www.statewatch.org/analyses/no-147-internet-censorship.pdf
Europe's Odd Anti-Piracy Stance: Send Money to the US! (4.09.2011)
http://torrentfreak.com/europes-odd-anti-piracy-stance-send-money-to-the-us…
Naming Names on the Internet (4.09.2011)
http://www.nytimes.com/2011/09/05/technology/naming-names-on-the-internet.h…
Open Data: Emerging trends, issues and best practices - a research project
about openness of public data in EU local administration (2011)
http://www.lem.sssup.it/WPLem/odos/odos_report_2.pdf
============================================================
10. Agenda
============================================================
8-9 September 2011, Brussels, Belgium
6th Annual Conference of the European Policy for Intellectual Property
Fine-Tuning IPR debates
http://www.epip.eu/conferences/epip06/
10-17 September 2011
Freedom Not Fear - International Action Week
http://www.freedomnotfear.org
16-18 September 2011, Warsaw, Poland
Creative Commons Global Summit 2011
http://wiki.creativecommons.org/Global_Summit_2011
16 September 2011, Leeds, UK
Conference "Human Rights in the Digital Era"
http://digitalrights.leeds.ac.uk
17 September 2011, Worldwide
Software Freedom Day 2011
http://softwarefreedomday.org/
27-30 September 2011, Nairobi, Kenya
Sixth Annual IGF Meeting: Internet as a catalyst for change: access,
development, freedoms and innovation
http://www.intgovforum.org/cms/nairobipreparatory
11 October 2011, Brussels, Belgium
ePractice Workshop: Addressing evolving needs for cross-border eGovernment
services
http://www.epractice.eu/en/events/epractice-workshop-cross-border-services
13-14 October 2011, Lisbon, Portugal
2nd International Graduate Conference in Communication and Culture: The
Culture of Remix
http://blogs.nyu.edu/projects/materialworld/2011/05/cfp_the_culture_of_remi…
20-21 October 2011, Warsaw, Poland
Open Government Data Camp
http://opengovernmentdata.org/camp2011/
27-30 October 2011, Barcelona, Spain
Free Culture Forum 2011
http://fcforum.net/
9 November 2011, Bucharest, Romania
Inet Conference: Access, Trust and Freedom: Coordinates for future Internet
http://www.isoc.org/isoc/conferences/inet/11/bucharest-agenda.shtml
11-13 November 2011, Gothenburg, Sweden
FSCONS is the Nordic countries' largest gathering for free culture, free
software and a free society.
http://fscons.org/
25-27 January 2012, Brussels, Belgium
Computers, Privacy and Data Protection 2012
http://www.cpdpconferences.org/
============================================================
11. About
============================================================
EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 28 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRi-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and are visible on
the EDRi website.
This EDRi-gram has been published with financial support from the EU's
Fundamental Rights and Citizenship Programme.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Format Note: If you cannot easily read the text below, or you prefer to
receive Secrecy News in another format, please reply to this email to let
us know.
SECRECY NEWS
from the FAS Project on Government Secrecy
Volume 2012, Issue No. 116
November 15, 2012
Secrecy News Blog: http://www.fas.org/blog/secrecy/
** ACADEMY REPORT ON ELECTRIC GRID WITHHELD FOR FIVE YEARS
** EAVESDROPPING STATUTES, AND MORE FROM CRS
ACADEMY REPORT ON ELECTRIC GRID WITHHELD FOR FIVE YEARS
Over the objections of its authors, the Department of Homeland Security
classified a 2007 report from the National Academy of Sciences on the
potential vulnerability of the U.S. electric power system until most of it
was finally released yesterday.
http://www8.nationalacademies.org/onpinews/newsitem.aspx?RecordID=12050
The report generally concluded, as other reports have, that the electric
grid is lacking in resilience and is susceptible to disruption not only
from natural disasters but also from deliberate attack.
But even though the report was written for public release, the entire
document was classified by DHS and could not be made available for public
deliberation. Amazingly, it took five years for the classification
decision to be reviewed and reversed. As Academy leaders explained in the
Foreword to the report:
"DHS concluded that the report would be classified in its entirety under
the original classification authority vested in the DHS undersecretary for
science and technology. Because the committee believed that the report as
submitted contained no restricted information, the NRC [National Research
Council] requested the formal classification guidance constituting the
basis for the classification decision. That guidance was not provided, and
so in August 2010, the NRC submitted a formal request for an updated
security classification review. Finally, in August 2012, the current full
report was approved for public release, reversing the original
classification decision, except that several pages of information deemed
classified are available to readers who have the necessary security
clearance."
"We regret the long delay in approving this report for public release,"
wrote Ralph J. Cicerone, president of the National Academy of Sciences, and
Charles M. Vest, president of the National Academy of Engineering in the
Foreword.
"We understand the need to safeguard security information that may need to
remain classified," they wrote. "But openness is also required to
accelerate the progress with current technology and implementation of
research and development of new technology to better protect the nation
from terrorism and other threats."
They said that a workshop was planned to address changes that have
occurred since the report was completed in 2007.
See "Terrorism and the Electric Power Delivery System," National Research
Council, released November 14, 2012:
http://www.nap.edu/catalog.php?record_id=12050
Classification policy at the Department of Homeland Security has become
somewhat more streamlined lately as a result of the Obama Administration's
Fundamental Classification Guidance Review.
Of the Department's 74 security classification guides, 45 were revised and
16 were cancelled. Overall, 157 subtopics that had been classified -- and
that could be used to justify classification of DHS records -- "were
determined to no longer require classification," according to the DHS final
report on the Fundamental Classification Guidance Review of July 16, 2012.
http://www.fas.org/sgp/isoo/fcgr/dhs.pdf
EAVESDROPPING STATUTES, AND MORE FROM CRS
New or newly updated reports from the Congressional Research Service that
have not been made readily available to the public include the following.
Privacy: An Abbreviated Outline of Federal Statutes Governing Wiretapping
and Electronic Eavesdropping, October 9, 2012:
http://www.fas.org/sgp/crs/intel/98-327.pdf
Privacy: An Overview of Federal Statutes Governing Wiretapping and
Electronic Eavesdropping, October 9, 2012:
http://www.fas.org/sgp/crs/intel/98-326.pdf
Privacy: An Overview of the Electronic Communications Privacy Act, October
9, 2012:
http://www.fas.org/sgp/crs/misc/R41733.pdf
Privacy: An Abridged Overview of the Electronic Communications Privacy
Act, October 9, 2012:
http://www.fas.org/sgp/crs/misc/R41734.pdf
Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions,
November 9, 2012:
http://www.fas.org/sgp/crs/natsec/R42114.pdf
Medical Marijuana: The Supremacy Clause, Federalism, and the Interplay
Between State and Federal Laws, November 9, 2012:
http://www.fas.org/sgp/crs/misc/R42398.pdf
The Budget Control Act of 2011: Budgetary Effects of Proposals to Replace
the FY2013 Sequester, November 9, 2012:
http://www.fas.org/sgp/crs/misc/R42675.pdf
El Salvador: Political and Economic Conditions and U.S. Relations,
November 9, 2012:
http://www.fas.org/sgp/crs/row/RS21655.pdf
The U.S.-Colombia Free Trade Agreement: Background and Issues, November 9,
2012:
http://www.fas.org/sgp/crs/row/RL34470.pdf
Trade Preferences: Economic Issues and Policy Options, November 14, 2012:
http://www.fas.org/sgp/crs/misc/R41429.pdf
The Distribution of Household Income and the Middle Class, November 13,
2012:
http://www.fas.org/sgp/crs/misc/RS20811.pdf
_______________________________________________
Secrecy News is written by Steven Aftergood and published by the
Federation of American Scientists.
The Secrecy News Blog is at:
http://www.fas.org/blog/secrecy/
To SUBSCRIBE to Secrecy News, go to:
http://www.fas.org/sgp/news/secrecy/subscribe.html
To UNSUBSCRIBE, go to
http://www.fas.org/sgp/news/secrecy/unsubscribe.html
OR email your request to saftergood(a)fas.org
Secrecy News is archived at:
http://www.fas.org/sgp/news/secrecy/index.html
Support the FAS Project on Government Secrecy with a donation:
http://www.fas.org/member/donate_today.html
_______________________
Steven Aftergood
Project on Government Secrecy
Federation of American Scientists
web: www.fas.org/sgp/index.html
email: saftergood(a)fas.org
voice: (202) 454-4691
twitter: @saftergood
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Hi all.
I'm watching and playing with tahoe to use it as a family/personal
backup solution. Nothing working yet, just playing by now :) I tried
once with the code but too difficult, too little time by then. At
least, I added some novice notes to the docs, along the way. But, now
I'm at it, I would like to say that I think Tahoe-LAFS is a brilliant
piece of software with great ideas in it worth watching evolve. Thanks
for the awesome work!
Now I'm at another different thing. Thinking in distributed/clustered
web serving, I wonder what would be the best way to use Tahoe-LAFS as
the file backend, if possible. I mean, you throw a bunch of webservers
at the front, say Apache or nginx and point their webroots to a
locally stored tahoe cap and serve/run files and scripts from there
(PHP, for instance). Let's leave MySQL for another story :)
Mounting would need to be read/write and performant enough for running
apps such as CMS and other complex scripts. I still don't have a true
sense/measurement of its performance by my current experience, and I'm
not sure of it being possible to be handled.
I know tahoe has its webapi but seems not easily pluggable into
apache, without much coding (too far for me). I need to do it by
gluing some pieces, and don't know where to look next. I suppose it
has to be mounted in the filesystem r/w. In my experience don't think
the FTP frontend being stable and current enough to handle it, let
alone the complexity and layer performance hit. I recall seeing it
somewhere being used as some web app backend, but the app was
tahoe-specifically coded, I think.
In between those, some Apache-plugged reverse proxying module + WebDAV
trick could be the way, but my knowledge in that area is still
limited. Or maybe WebDAV is currently working well enough to be used
with davfs fuse.
Any tried and tested stable mounting solution anybody can recommend?
Any WebDAV/fuse/whatever layer (the lighter, the better) anyone can
point to? Creating a package mounting a tahoe root in the appropriate
place in the filesystem for the webserver makes it a tempting
low-hanging fruit :)
The file usage would be more reads than writes, since lots of software
depend on DBs for really frequently used data and (perhaps?) file
writes will be majority a single object with less frequent updates.
There will be updates, anyway. But usage-wise, maybe I'm too CMS
biased, anyway. Maybe it's not that relevant, but just for
completeness.
The write performance/consistency/concurrency/name-your-issue of
several web servers has to be taken in account the first. I don't have
any clue about its overhead and implications. But at least, it may be
good enough to having a hot-standby or point-in-time secondary web
server, anyway. Or maybe there is a better/easier way of doing this
without tahoe-LAFS that I just don't know about. But if finally it
makes sense for me, it will have a lot of sense to discuss it in
public, too. So, pardon my verbosity.
BTW, I should confess that about the hosted apps I'm a bit more biased
to the Drupal CMS, since with its pluggable storage backends, even in
a reduced version, tahoe might have sense for it as a file storage.
And this would be a big pool of developers to attract their interest,
the least. Might make for a howto. But I prefer to keep it general if
possible.
So, before exploring any further route, I would like to ask. How the
bright minds I've seen here by lurking for some time would address
this scenario? Since there is an overwhelming number of moving parts and
possibilities here for me, nobody with better knowledge than people in
this list can provide feedback about the whole use case.
It might be achievable maybe in a bunch of config files or scripts?
(grid-updates smartness comes to mind). I would be happy in
collaborating/sharing my work in a repo to make it a valid use case,
when the time comes (no python by now, just bash scripting). But at
least, if it is feasible, it makes for sure worth seeding some docs in
the wiki to open discussion about it, and who knows, compiling some
repos if some passerby decides it's worth going for it. Combined with
some spice such as already existing Puppet manifests could make it a
truly awesome tahoe-LAFS based solution, IMO.
Many thanks in advance.
Regards,
--
Alfonso M. L.
_______________________________________________
tahoe-dev mailing list
tahoe-dev(a)tahoe-lafs.org
https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
06 Jul '18
This is a great conversation, and I really like the fact that some of these "old as new" technologies are being talked about. I spent much of the early 1990s in Russia and the former Soviet Union. Fido7, or Region 50 in Fido terms, was at one point in time the largest FidoNet network in the world! I wrote a paper about this in the mid-1990s, but the bottom line was that FidoNet at that time allowed people to use Internet-like technologies (email/newsgroups), avoiding the high tariff rates that were set on the Russian Internet, which at that time was UUCP/PC-based and charged for traffic by the kilobyte. The FidoNet protocols were also tenacious and worked really well over crappy and very noisy aluminum wires...
However, I don't think it's practical to go back to the days of old-style alternative networks. This is because in the intervening 20 or so years, telecommunication carriers have evolved from purveyors of wires and switches, that availed themselves to overlay networks like the Internet, to becoming the intelligent network in and of themselves. The intelligence migrated from the edges to the core of the network. Telecom carriers now run all-IP core networks, and with advanced DPI, they can detect data signals on voice circuits. That means the opportunity of hiding data traffic on virtual voice switched networks isn't as practical as it once was. I think there's still a future for wireless-based alternative networks. And by that I don't mean satellite (BGAN or VSAT), but long-distance directional Wi-Fi, and even old-fashioned IP over VHF/HF. There are challenges here, not least of which is that these kinds of wireless radio networks are good targets for RDF. But in some respects, fishing for signals in the ether is a lot more challenging than detecting them on the wire.
Rafal
PS. Anyone wanting to read my old paper on the Russian Internet in the 1990s can find it here:
http://unpan1.un.org/intradoc/groups/public/documents/untc/unpan015092.pdf
The part about Fidonet starts around page 11.
IP over VHF : www.southgatearc.org/articles/internetgateways.htm ... In the late 1990's the UN (WFP) used a system like this for Deep Field communications in Africa's Great Lakes regions
Sent by PsiPhone mobile. Please excuse typos or other oddities.
On 2013-01-07, at 6:34 PM, "Gary Garriott (ggarriott(a)INTERNEWS.ORG)"
<ggarriott(a)internews.org> wrote:
> FWIW, over the weekend I discovered I still have an unused SEAdog package dating from the late eighties. SEAdog was a commercial adaptation of the Fidonet Electronic Mail Protocol and which for a bunch of years we used extensively in another NGO to make overseas modem calls to far flung partners and associates, usually scheduled in the middle of the night. SEAdog also includes a provision for UUCP gateway addressing.
>
> Gary
>
> -----Original Message-----
> From: liberationtech-bounces(a)mailman.stanford.edu [mailto:liberationtech-bounces@mailman.stanford.edu] On Behalf Of Rich Kulawiec
> Sent: Sunday, January 06, 2013 4:57 PM
> To: liberationtech
> Subject: Re: [liberationtech] Modern FIDONET for net disable countries?
>
> On Thu, Dec 27, 2012 at 01:21:38PM -0500, Miles Fidelman wrote:
>> That's a rather intriguing concept, though I might look at starting
>> from UUCP & NNTP, or perhaps BITNET, rather than the FIDO model - the
>> software is a bit more mature, and UUCP at least is still supported.
>> Mobile devices could associate themselves, via local WiFi, when in
>> range of each other, and messages would just flow through normal news
>> exchange protocols.
>
> I'll second this. Usenet is still the most successful experiment in distributed communication, it's resource-frugal (after all, it was developed at a time when we thought 1200 baud modems were speedy), it's highly resilient, it's delay-tolerant, it's scalable, it's agnostic about transport, and it supports undirected broadcast communication -- something useful when trying to evade traffic analysis. It supports bidirectional mail<->news gateways, it runs on minimal hardware, and among other things, it could be used to provide prolific news feeds (albeit with some delay) into areas that are heavily censored.
>
> ---rsk
>
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE