July 2018 - cypherpunks-legacy

[IP] READ more on Location tracking -- for people, products, places
by David Farber 05 Jul '18

05 Jul '18

-- is fast coming into its own / It's 11 o'clock. Do you know where your _______ is? X-Mailer: Apple Mail (2.734) Reply-To: dave(a)farber.net Begin forwarded message:

1 0

[cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)
by Adam Back 05 Jul '18

05 Jul '18

Now we're getting somewhere. If this is going on even the policy enforcement aspect of CAs is broken... CAs are subverting their own certification practice statement. The actions taken by the user of the sub-CA cert are probably illegal also in the US & europe where there are expectations of privacy in work places (and obviously public places). More below: On Fri, Dec 02, 2011 at 11:02:14PM +1300, Peter Gutmann wrote: > Adam Back <adam(a)cypherspace.org> writes: > >> Start of the thread was that Greg and maybe others claim they've seen a cert >> in the wild doing MitM on domains the definitionally do NOT own. > > It's not just a claim, I've seen them too. For example I have a cert issued > for google.com from such a MITM proxy. a public MitM proxy? Or a corporate LAN. > I was asked by the contributor not to reveal any details on it because it > contains the name and other info on the intermediate CA that issued it, but > it's a cert for google.com used for deep packet inspection on a MITM > proxy. That intermediate CA needs publishing, and the CA that issued it. SSL Observatory ought to take an interest in finding catalogging and publishing all of these both public, corporate and government/law-enforcement. It breaks a clear expectation of security and privacy the user, even very sophisitcated user, has about privacy of their communications. >> The real question again is can we catch a boingo or corp lan or government >> using a MitM sub-CA cert, and then we'll know which CA is complicit in issuing >> it, and delist them. > > Given that some of the biggest CAs around sell private-label CA certs, you'd > end up shutting down half the Internet if you did so. There is an important difference between: 1. private label sub-CA (where the holder has signed an agreement not to issue certs for domains they do not own - I know its policy only, there is no crypto enforced mechanism, but thats the same bar as the main CAs themselves). 2. corporate LAN SSL MitM (at least the corporation has probably a contract with all users of the LAN waiving their privacy). Probably even then its illegal re expectation of privacy in workplace in most contexts in US & Europe. 3. public provider SSL MitM - if your ISP, wifi hotspot, 3g data prov, is doing this to you, paid or free, thats illegal IMO. Heads should roll up the CA tree. 4. government SSL MitM - we need to know which CAs have issued MitM sub-CAs for places like Iran, Syria, pre-revolution Egypt etc. If the CA isnt owned by their local government or local company that they leant on, heads need to roll. Similar if US and European governments and Law Enforcement have been up to this, we need to know. Obviously the most interesting ones are 3 & 4. But Peter says he has evidence 2 (LAN mitm) is going on in the name of deep packet inspection I guess in corporate LANs and that itself employees should be aware of that. Adam _______________________________________________ cryptography mailing list cryptography(a)randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

None
by sunder 05 Jul '18

05 Jul '18

> I tend to just string up lots of characters, so my passphrases look like this: > > ^#.;Odfi9@7f$}'~%42w0,m:Qe_|33+\ and so on. Why the heck would you need a password this big? There are 94 printable characters (0x33 .. 0x7E); a random password 32 chars long (like the above) will thus have ~ 1.38 x 10^63 possibilities, meaning 210 bits of entropy (10^63 = O(2^210)). What, do you intend to use your password as a public key? A password made of the same character set, but only 8 chars long, will provide 94^8 ~= 6 x 10^15 = O(2^50) combinations. I'd say that's plenty - remember, it's a password, not a key. Mark

1 0

Re: [IP] more on Location tracking -- for people, products,
by Seth David Schoen 05 Jul '18

05 Jul '18

places -- is fast coming into its own / It's 11 o'clock. Do you know where your _______ is? David Farber writes: >Begin forwarded message: > >From: Dennis Crowley <dens(a)dodgeball.com> >Date: October 12, 2005 3:37:56 PM EDT >To: dave(a)farber.net >Subject: Re: [IP] Location tracking -- for people, products, places >-- is fast coming into its own / It's 11 o'clock. Do you know where >your _______ is? > > > >>Location enabled and mobile computing have been watchwords for such >>a long time, it's >>nice to be using something that actually makes use of these ideas >>and to see what >>the accidental or deliberate social implications are. >> > >hi dave - > >saw the post about Plazes and wanted to send this along as well. >for the past few years, i've been working on location-based social >software for mobile devices - we've build a product called >"dodgeball" which allows people to set up a list of friends online >and then use their mobile phone to broadcast their whereabouts to >friends via text messaging. once dodgeball knows of your location, >it will look at all the other users who have "checked-in" nearby to >see if it can match you up with a nearby friend-of-friend or someone >from your "crush list". > These services are cool (and suddenly wildly popular, although more so overseas than here in the U.S.), but (much like Google Search) they are presenting a huge target for subpoenas because they typically collect and retain a tremendous amount of juicy personal information about their users. Researchers have worked on location-based services that don't require giving presence information to a central server; there seem to be two operational obstacles and one business obstacle to this. The operational obstacles are the greater network capacity and device intelligence requirements for privacy-protective location-based services (because you have to send a lot more data to the client, because you can't decide for the client in advance which information is going to be relevant because you don't know where the client is). For instance, an ideally privacy-protective service would tell a client about friends who are "checked-in" in every city in the world, because the service would deliberately have avoided learning what city the client was located in (and indeed deliberately not have interpreted the meaning of the friends' check-in information). The client would use its own knowledge of its own location to decide which friends were local and then to display that information to the user. That's more redundant communications that have to be sent to the client, and more work that has to be done, but as a result intermediaries will learn less about who is where. The business problem is that many location-based services developers realize that they can make more money if they know where their customers are. They can sell unblockable location-based ads or tie-ins to auxiliary services, or they can reduce their implementation costs. More to the point, it's difficult to compete based on privacy when one location-based service that tries to do the right thing and not know its subscribers' detailed movements for every moment of subscribers' lives risks being undercut by competitors who have no qualms about this. Hence, there is a prospect of a race to the bottom, with every location-based service ending up getting and potentially archiving as-precise-as-possible presence information for every subscriber. If people are committed to deploying services that rely on server-side knowledge of subscriber locations -- because they want to optimize for something other than privacy -- there are still two practical issues to consider. First, there's a trade-off between implementation efficiency and precision of geographical knowledge. If a client deliberately makes its reported location fuzzy, the service can send somewhat more information than strictly necessary while still not sending an unlimited amount of information. Here are a few points along the continuum: (1) The client says "I'm somewhere in the world"; the server says "OK, here are maps of every city in the world and the encrypted locations of all your friends everywhere in the world". The client then picks out the map and the friends' locations that it concludes are relevant. (If and when we have the communications capacity, this is the ideal for subscriber privacy; the intermediary _does not have to know anyone's location at all_.) (2) The client says "I'm in New York City"; the server says, "OK, here is a map of all of New York City, and the locations of all your friends who told me that they were in New York City". The client then picks out the region of the map that's relevant and displays the locations of friends who appear to be nearby. (3) The client says "I'm on the Upper West Side in New York"; the server says, "OK, here is a map of the Upper Wide Side, and the locations of all your friends in that neighborhood"; the client again displays the subset that it finds relevant. (4) The client says "I'm on the east side of Broadway between 93rd and 94th"; the server says "Your friend Josephine is on Broadway between 94th and 95th; your friend Sam is on Amsterdam Avenue between 92nd and 93rd; your friend Kate is headed west from Central Park; your friend Jim just walked out of the building across the street, take a look!". If people developing these applications are willing to go a little more coarse-grained than what they have the _ability_ to do, privacy will be better protected. Second, there's the question of how long information is retained. If it's retained as long as possible, it's a greater temptation for subpoenas, and a virtual certainty that these subpoenas will eventually become routine -- for law enforcement, divorce, child custody, employment and worker's compensation litigation, and probably other things we haven't thought of yet. Not to mention the traditional risks that it will be stolen, or that some successor-in-interest, in dire financial straits, will decide to sell it off to the highest bidder. It takes an effort to overcome the temptation to keep things forever, but a data-retention policy would do a lot to protect privacy here. -- Seth David Schoen <schoen(a)loyalty.org> | This is a new focus for the security http://www.loyalty.org/~schoen/ | community. The actual user of the PC http://vitanuova.loyalty.org/ | [...] is the enemy. | -- David Aucsmith, IDF 1999 ------------------------------------- You are subscribed as eugen(a)leitl.org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/ ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

1 0

[IP] READ more on Location tracking -- for people, products, places
by David Farber 05 Jul '18

05 Jul '18

-- is fast coming into its own / It's 11 o'clock. Do you know where your _______ is? X-Mailer: Apple Mail (2.734) Reply-To: dave(a)farber.net Begin forwarded message:

1 0

[cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)
by Adam Back 05 Jul '18

05 Jul '18

Now we're getting somewhere. If this is going on even the policy enforcement aspect of CAs is broken... CAs are subverting their own certification practice statement. The actions taken by the user of the sub-CA cert are probably illegal also in the US & europe where there are expectations of privacy in work places (and obviously public places). More below: On Fri, Dec 02, 2011 at 11:02:14PM +1300, Peter Gutmann wrote: > Adam Back <adam(a)cypherspace.org> writes: > >> Start of the thread was that Greg and maybe others claim they've seen a cert >> in the wild doing MitM on domains the definitionally do NOT own. > > It's not just a claim, I've seen them too. For example I have a cert issued > for google.com from such a MITM proxy. a public MitM proxy? Or a corporate LAN. > I was asked by the contributor not to reveal any details on it because it > contains the name and other info on the intermediate CA that issued it, but > it's a cert for google.com used for deep packet inspection on a MITM > proxy. That intermediate CA needs publishing, and the CA that issued it. SSL Observatory ought to take an interest in finding catalogging and publishing all of these both public, corporate and government/law-enforcement. It breaks a clear expectation of security and privacy the user, even very sophisitcated user, has about privacy of their communications. >> The real question again is can we catch a boingo or corp lan or government >> using a MitM sub-CA cert, and then we'll know which CA is complicit in issuing >> it, and delist them. > > Given that some of the biggest CAs around sell private-label CA certs, you'd > end up shutting down half the Internet if you did so. There is an important difference between: 1. private label sub-CA (where the holder has signed an agreement not to issue certs for domains they do not own - I know its policy only, there is no crypto enforced mechanism, but thats the same bar as the main CAs themselves). 2. corporate LAN SSL MitM (at least the corporation has probably a contract with all users of the LAN waiving their privacy). Probably even then its illegal re expectation of privacy in workplace in most contexts in US & Europe. 3. public provider SSL MitM - if your ISP, wifi hotspot, 3g data prov, is doing this to you, paid or free, thats illegal IMO. Heads should roll up the CA tree. 4. government SSL MitM - we need to know which CAs have issued MitM sub-CAs for places like Iran, Syria, pre-revolution Egypt etc. If the CA isnt owned by their local government or local company that they leant on, heads need to roll. Similar if US and European governments and Law Enforcement have been up to this, we need to know. Obviously the most interesting ones are 3 & 4. But Peter says he has evidence 2 (LAN mitm) is going on in the name of deep packet inspection I guess in corporate LANs and that itself employees should be aware of that. Adam _______________________________________________ cryptography mailing list cryptography(a)randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

[DIYbio] Removing watermarks from pdfs (pdfparanoia)
by Bryan Bishop 05 Jul '18

05 Jul '18

How about removing those pesky watermarks from pdfs? Sometimes they completely obfuscate the contents of a paper we're trying to read, or sometimes they have more sinister purposes. Working proof of concept: https://github.com/kanzure/pdfparanoia https://pypi.python.org/pypi/pdfparanoia Discussion history: https://groups.google.com/group/science-liberation-front/t/c68964cf55d8f6fa People who could theoretically benefit from this: http://scholar.google.com/scholar?q=%22Authorized+licensed+use+limited+to%22 http://scholar.google.com/scholar?q="Redistribution+subject+to+SEG+license+or+copyright"<http://scholar.google.com/scholar?q=%22Redistribution+subject+to+SEG+licens…> http://scholar.google.com/scholar?q="Redistribution+subject+to+AIP"<http://scholar.google.com/scholar?q=%22Redistribution+subject+to+AIP%22> http://scholar.google.com/scholar?q="Downloaded+from+http%3A%2F%2Fpubs.acs.org+on"<http://scholar.google.com/scholar?q=%22Downloaded+from+http%3A%2F%2Fpubs.ac…> http://scholar.google.com/scholar?q="Downloaded+*+*+2001..2013+to+*"<http://scholar.google.com/scholar?q=%22Downloaded+*+*+2001..2013+to+*%22> To get source code: git clone git://github.com/kanzure/pdfparanoia.git To install: sudo pip install pdfparanoia or: sudo easy_install pdfparanoia Right now there's IEEE and AIP support. I need more samples to work with. - Bryan http://heybryan.org/ 1 512 203 0507 -- -- You received this message because you are subscribed to the Google Groups DIYbio group. To post to this group, send email to diybio(a)googlegroups.com. To unsubscribe from this group, send email to diybio+unsubscribe(a)googlegroups.com. For more options, visit this group at https://groups.google.com/d/forum/diybio?hl=en Learn more at www.diybio.org --- You received this message because you are subscribed to the Google Groups "DIYbio" group. To unsubscribe from this group and stop receiving emails from it, send an email to diybio+unsubscribe(a)googlegroups.com. To post to this group, send email to diybio(a)googlegroups.com. Visit this group at http://groups.google.com/group/diybio?hl=en. For more options, visit https://groups.google.com/groups/opt_out. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

EDRI-gram newsletter - Number 6.3, 13 February 2008
by EDRI-gram newsletter 05 Jul '18

05 Jul '18

============================================================ EDRI-gram biweekly newsletter about digital civil rights in Europe Number 6.3, 13 February 2008 ============================================================ Contents ============================================================ 1. Biometric data from non-EU travellers 2. PirateBay - blocked in Denmark 3. Internet-related privacy issues on the EU institutions' agenda 4. Microsoft's actions investigated again by the European Commission 5. Finnish e-voting system must not stay a trade secret 6. France's gendarmerie goes for open source software 7. Europe spams more than the US 8. Wales said no to ID cards 9. Recommended Reading 10. Agenda 11. About ============================================================ 1. Biometric data from non-EU travellers ============================================================ A set of new measures including biometric data from non-EU travellers are being proposed these days by the European Commission (EC). The proposals, drafted by Franco Frattini, the European Commissioner for Justice, Freedom and Security, are being put forward by the EC, arguing that the cross-border policy has to be revised to face the new challenges related to terrorism, organised crime and illegal migration. The package proposes the creation of an entry/exit register of non-European visitors to the EU bloc that will record the dates of entry and exit of each non-EU individual admitted to the Schengen visa-free area using biometric identifiers. In cases when a person's visa has expired, an alert can be issued to all national authorities. A second measure would be the introduction of a European Border Surveillance System that will use satellites and unmanned aircraft to check on the non-UE travellers on a short-stay visa and to track the movements of suspected illegal migrants. The system is already under construction and may be operational by 2012. The proposals include the setting up of a system requiring travellers from countries with a visa requirement to provide biometric data at European consulates in their country. Those arriving from countries that are not required visas, such as the United States, will have to submit fingerprints and a digitalized facial image. The EC will encourage member states to introduce "automated border-crossing checks" which will include new biometric technologies such as eye scanners. The system should, however, allow EU citizens and "low risk" frequent travellers from outside the bloc to pass through automated checkpoints granting them a status of "registered traveller" being thus able to have their biometric travel documents scanned and checked by machines. Non-Europeans could obtain the fast-track status on condition they have not previously overstayed their visas, have enough funds to pay for their stay in Europe and have a biometric passport. All non-European individuals will have to make an electronic application before travelling to the Schengen area, allowing them to be checked against anti-terror databases in advance. The proposals also suggest a better use of Frontex, the EU's border control agency, especially by means of "intensified" joint operations between member states at sea borders. Privacy advocates, lawmakers and even police representatives criticise the proposals considering the EU is piling up databases without an overall strategy or a clear vision and believing the EC is only trying to copy the United States in their practice to scan fingerprints and pictures of travellers. "It's boys with toys. They want to have the toys the Americans have," said Gus Hosein from Privacy International. "It is not good to have a proliferation of databases without a clear vision (...) The link between them is unclear and leads to gaps" also said Jan Velleman, a spokesman for Eurocop, a European police union. Tony Bunyan, Statewatch editor, comments: "Let us be clear about the effect of these three proposals. Everyone - citizens and visitors - travelling in and out of the EU is going placed under surveillance, have to get permission to enter and checked against national watch-lists whose scope is unknown, with data transferred to unspecified agencies in the EU and outside and records of movements held for years." According to Meryem Marzouki, EDRI board member: "These plans add a new wall to the European Fortress, as they consider any migrant as a potential criminal. This entry/exit system will lead to increased surveillance and social control at national level as soon as an alert will be issued after visa expiration without exit. Europe is on its way towards a totalitarian society. As long as there is not adequate data protection under third pillar, there would be no limit to such plans." Roscam Abbing from the Commission said that according to the reaction of the EU lawmakers and governments, a legislative proposal will follow but did not make any statements on when the systems would come into force and refrained from commenting upon criticisms to the lack of EU strategy in dealing with sensitive databases. It is not clear whether Britain, Ireland and Cyprus which are not members of Schengen area, will adopt the program. All proposed measures could then enter into force between 2012 and 2015. Proposed shake up of EU security includes call for fingerprinting all visitors (13.02.2008) http://www.iht.com/articles/ap/2008/02/13/europe/EU-GEN-EU-Fortress-Europe.… EU plans to require biometrics of all non-European visitors (10.02.2008) http://www.iht.com/articles/2008/02/10/europe/union.php New EU fingerprint scheme fans privacy concerns (10.02.2008) http://www.reuters.com/article/reutersEdge/idUSL1079208520080210 Brussels to tighten EU external borders (6.02.2008) http://euobserver.com/22/25606 EU to announce fingerprinting for all visitors (12.02.2008) http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-560378 ============================================================ 2. PirateBay - blocked in Denmark ============================================================ Following a complaint by IFPI (International Federation of the Phonographic Industry), a Danish bailiff court issued on 4 February 2008 an injunction ordering Tele2, one of the major ISPs in Denmark, to block the access to the PirateBay domains. IFPI asked the court for this injunction because most of the materials referred on PirateBay are copyrighted and the exchange of these materials between PirateBay users is illegal. IFPI considered that Tele2 was not directly liable for the illegal copying, but was contributing to it, by making temporary copies of torrent files. Tele2 has been complying with the injunction so far by DNS filtering (same method as used in the child pornography filters and AllOfMp3), but is determined to fight against the injunction in the upper court in two weeks time. Niels Elgaard Larsen from the IT-Political Association of Denmark explained the situation for EDRi-gram: "We see a slippery slope. Blocking of first child porn, then a non-EU (Russian) site with alleged illegal music (AllOfMp3), and now a search engine inside the EU. Elsewhere in EU we hear politicians that want to block recipes for explosives, ads for non-taxed gambling, etc. This is not about music and movies at piratebay or anywhere else. This is about making ISP's policing the content flowing through their networks. It is about freedom on the internet. Do we want an open or a closed internet ?" But the injunction seema to have no direct effect on PirateBay website, that announces an increase by 12% of the number of visits from Denmark. According to their blog the website "is growing more because of the media attention than people actually coming to learn how to bypass the filter - our guess is that a lot of the users on the site now run OpenDNS instead of the censoring DNS at Tele2.dk." However, the court cases against the popular torrent tracker are not over. PirateBay is preparing for a long trial starting this spring following the 2006 seizure of their servers and 20 months of investigation. According to the Prosecutor Hakan Roswall, the website was commercially exploiting copyright-protected work because it was financed through advertising revenues. Piratebay expects the trial to last for years, especially because the decision in this case will be appealed by one of the parties. They also claim that this will not affect at all their activity. After it has been claimed that PirateBay is supporting trackers with child pornography, the website owners announced that they were collaborating with the Police officers to teach them "how to actually download stuff using the BT protocol. The police has actually been very open and frank with us about their technical difficulties and asking for help is the best solutions for all parties." Bailiff Court Decision (only in Danish, 4.02.2008) http://www.computerworld.dk/modules/davinci/getfile.php?id=18886&attachment Danish ISP shuts access to file-sharing Pirate Bay (4.02.2008) http://www.reuters.com/article/industryNews/idUSL0480268320080204?pageNumbe… Denmark, first look (8.02.2008) http://courtblog.thepiratebay.org/2008/02/08/denmark-first-look/ Pirate Bay hit with legal action (31.01.2008) http://news.bbc.co.uk/2/hi/technology/7219802.stm Prepare for mudwrestling (6.02.2008) http://courtblog.thepiratebay.org/2008/02/06/prepare-for-mudwrestling/ ============================================================ 3. Internet-related privacy issues on the EU institutions' agenda ============================================================ The privacy problems created by the Internet and other new technologies such as RFID have an important place on the agenda of the European institutions that seem to be more anxious than ever to tackle those issues. The hearing at the European Parliament's Civil Liberties Committee reported in the last EDRi-gram seems to be only the top of the iceberg. Article 29 working party will discuss at the next meeting, on 18 February 2008, the highly sensitive topic of privacy & search engines, and it is probable to adopt an Opinion on this topic. But the views of the Working party's members are already public, after the last month meeting at the European Parliament. Moreover, Peter Schaar, Germany's Federal Data Protection Commissioner and Chairman of the Article 29 working party, made some straightforward comments to Financial Times, explaining that the cookie and search data retention period is too long : "For me personally it still seems rather long, and I could imagine I am not alone." He underlined the fact that IP addresses are considered as personal information according to the EU legislation and dismissed security concerns as a reason to keep data: "I cannot imagine that it is necessary to store data such as IP addresses for security reasons. What is the security threat? Security purposes don't justify the long-term storage of this data." Other national data protection agencies are looking into more privacy aspects of computer usage. The Spanish Data Protection defined last year the filtering of information for purposes other than virus and spam protection as "not in conformity with Spanish law". Also Article 29 Working Party plans to investigate targeted advertising, which could cause problems for Google or Yahoo. The European Commission is also working on a document on RFID policy, that will include the privacy aspects, based on the discussions in the RFID working group. It is not clear yet if the document will be a binding regulation or recommendation. EurActiv website points that the Commission will publish, in the next weeks, a new EU survey that shows "an overwhelming majority considers public awareness about privacy and data management to be low, but at the same time almost 75% of respondents say they are worried about leaving personal information on the Internet." Apparently the Commission expects these results and is looking at increasing the funding for awareness-raising campaigns and technologies which improve privacy protection. EU targets online privacy fears (11.02.2008) http://www.ft.com/cms/s/0/8e98263a-d844-11dc-98f7-0000779fd2ac.html?nclick_… EU mulls new measures to protect privacy on the Web (7.02.2008) http://www.euractiv.com/en/infosociety/eu-mulls-new-measures-protect-privac… EDRi-gram: European Parliament hearing on Internet privacy issues (30.01.2008) http://www.edri.org/edrigram/number6.2/ep-hearing-privacy ============================================================ 4. Microsoft's actions investigated again by the European Commission ============================================================ The European Commission has recently extended its formal probes launched on 14 January 2008 against Microsoft in two cases where it has been alleged that the multinational firm had abused its dominant market position. The first case was brought by a complaint from web browser Opera, which complained that the tying of Microsoft's Internet Explorer to its Windows operating system was anti-competitive. The second case under investigation was the complaint filed by the European Committee for Interoperable Systems for the Microsoft's refusal to disclose interoperability information on some Microsoft server products, Office and NET Framework. In relation to this case the Commission also intends to verify Office Open XML (OOXML) file format for not working with its competitors' specifications. In the latter case, the Commission will also check possible influence of the the votes by the company during the ISO standardization process for the OOXML document format. The Commission has asked Microsoft to provide information about its activities during the process wanting to know whether the software firm has put pressure on committees in various countries to ratify OOXML as a standard. ISO members refused to adopt OOXML in September of 2007 and Microsoft was asked to make improvements before the final vote that will take place at the end of February 2008 in Geneva. The Association for a Free Information Infrastructure had revealed, even before the September vote that there were some irregularities in the Microsoft's participation in the committees, calling for the ceasing of the standardization process. Among other charges, Microsoft is suspected of having bought votes in Sweden, of hindering the participation of the competition by limiting the number of seats and by "hijacking" standardization committees in some countries, including the US, Mexico and Columbia. EU looks into Microsoft's influence on ISO standardization process (08.02.2008) http://www.heise.de/english/newsticker/news/103201/ EU investigates Microsoft's OOXML campaign (08.02.2008) http://www.theregister.co.uk/2008/02/08/ooxml_eu_probe_iso/ Microsoft faces additional European antitrust probe (08.02.2008) http://www.marketwatch.com/news/story/microsoft-faces-additional-european-a… EDRi-gram: Opera complains to the EC on Microsoft's Internet Explorer (19.12.2007) http://www.edri.org/edrigram/number5.24/opera-commission-microsoft EDRi-gram: Reactions on the ISO voting procedures (12.09.2007) http://www.edri.org/edrigram/number5.17/iso-procedures ============================================================ 5. Finnish e-voting system must not stay a trade secret ============================================================ A member of Electronic Frontier Finland (Effi), a Finnish association for promoting digital rights and member of EDRi, has recently sent a request of information to the Finnish Ministry of Justice regarding their planned e-voting system. The system will be piloted in the municipal elections during October 2008 and it is based on a DRE (Direct Recording Electronic) type e-voting system from TietoEnator Finland and a Spanish back-end provider, Scytl. In their response, the Ministry of Justice states that, based on the Act on the Openness of Government Activities, the documentation that has been written concerning the specific details of the e-voting system has to be kept secret on the Documents that have to be kept secret include documents related to the information security of the system and documents that contain information about the trade secrets of a private company, in this case, the systems provider. Effi's analysis of the system is only based on high-level documents provided by the Ministry of Justice and a U.S. patent that has been granted to Scytl, and is assumed to form the basis of the Finnish e-voting system core. According to this analysis, the system will not utilise any voter-verified paper ballot system or even the electronic receipt system that is detailed in the Scytl patent. The current, traditional Finnish elections feature a widely distributed ballot counting process, which is carried out manually and collectively by the representatives of the competing parties at each polling station. The results of each polling station are individually published, providing the representatives with the possibility to cross-check that the votes at their polling station have been correctly tallied. The ballots are then separately counted again, independently of the original count, and archived in case of further recounts being deemed necessary. The system is quite fast, providing results in a matter of hours from the whole country, easy to understand, and very resilient. The e-voting system as currently proposed would make recounts that would be independent of the electronic system impossible. It would also make it possible for a much smaller team of individuals to alter the election results, as the software, which counts the ballots, is not public. Since Effi's original press release, the Ministry of Justice has unveiled a plan to contract an audit of the software from the University of Turku in Finland, but this effort seem to be rather under-resourced when compared to US e-voting system audits, and is likely to just scratch the surface. As a counterexample, thirty US states have already made the voter-verified paper ballot a mandatory part of electronic voting. For some reason, the Finnish Ministry of Justice has not seen this as a requirement for the all-electronic voting system in Finland. Ministry of Justice response to a member of Electronic Frontier Finland (only in Finnish, 23.01.2008) http://www.effi.org/system/files?file=om-2008-01-23.txt E-Voting pilot: Technical implementation and information security (only in Finnish, 20.06.2007) http://www.effi.org/system/files?file=Pilotin_tekninen_esittely_v1.0H.pdf Verified voting (28.01.2008) http://www.verifiedvoting.org/ Effi: Voting systems must not be trade secrets. (only in Finnish, 25.01.2008) http://www.effi.org/julkaisut/tiedotteet/lehdistotiedote-2008-01-25.html Municipal elections 2008: Electronic voting in three municipalities. Press release from Ministry of Justice (8.02.2008) http://www.om.fi/en/Etusivu/Ajankohtaista/Uutiset/1201510039860 Web demonstrator and an informational page for the e-voting system (only in Finnish, 11.02.2008) http://www.vaalit.fi/sahkoinenaanestaminen/ (Contribution by EDRi-member Electronic Frontier Finland) ============================================================ 6. France's gendarmerie goes for open source software ============================================================ The Gendarmerie, France's largest administrative body, intends to change in the next years the operating system of 70 000 workstations presently running on Windows XP to Ubuntu. This is a movement that continues the French Government's efforts to promote migration to open source for some years now. The Gendarmerie had already adopted OpenOffice.org and Firefox, the French National Assembly has also recently switched 1100 computers to Linux and the Ministry of Agriculture has started the migration from Windows at the end of 2006. The French Government's plans to migrate to open source was based on a study by technology services company Atos Origin, that: "showed that open-source software will from now on offer functionality adapted to the needs of MPs and will allow us to make substantial savings despite the associated migration and training costs" as was the Parliament's statement in 2006. The reasons for switching to open source software, besides the cost reductions, included a better control of security functions and a greater independence from the software vendors. France's gendarmerie switches to Linux (31.01.2008) http://www.heise.de/english/newsticker/news/102824 The French Gendarmerie throws Windows away (only in French, 31.01.2008) http://www.lexpress.fr/info/economie/infojour/infos.asp?id=141908 EDRi-gram: France Parliament shifts to open source software (6.12.2006) http://www.edri.org/edrigram/number4.23/oss_france ============================================================ 7. Europe spams more than the US ============================================================ According to security vendor Symantec, a shift has taken place in the weight of the spam networks, the European ones having created more unsolicited e-mail than those in the US lately. Thus, approximately 44 per cent of all spam messages are originated from Europe as compared to 35.1 per cent originated from the US. In the opinion of one of Symantec's European product marketing managers, Fredrik Sjostedt, the advantage taken by European spammers is due to the large penetration of broadband. "Historically the majority of spammers were U.S.-based, but now we're seeing a lot of Eastern European and Russian spam gangs active (.) We've moved away from traditional, individual spammers, to loosely tied groups of spam senders, malware coders, and people selling access to botnets," said Sjostedt. The reports also show a very high increase of spamming during the holiday time in December, reaching up to 93 million spam messages. Kelly Conley, Symnatec enterprise security group manager, wrote on its security response blog that, for the holidays, the spammers had changed their techniques by inserting seasonal oriented keywords into URLs, subject lines and embedded images within their messages. Other spam trends reported for the past month are the offering of rapidly dealing with visa problems in Europe or bio-fuel offers. Europe still top source of spam (6.02.2008) http://www.news.com/2100-7349_3-6229352.html EU overtakes US in spam spewing stakes (6.02.2008) http://www.itpro.co.uk/news/163215/eu-overtakes-us-in-spam-spewing-stakes.h… ============================================================ 8. Wales said no to ID cards ============================================================ Welsh Assembly Government proposal for a "smart card" to be used to access public services in Wales was considered by civil liberties groups as a way of introducing identity cards "through the back door" and was rejected by the Liberal Democrats supported by the Labour Party members as well. The Government has claimed that the card was aimed at improving the way people use library and travel services but Suw Charman, founder of the EDRi-member Open Rights Group, considers the scheme as "pointless". "I haven't seen an argument about what's wrong with the existing cards. (...) Why do we need to put all this information on one smart card that's going to keep a log on what people do and where they go? It's treating people like criminals" was her statement to BBC. Concerns were also expressed in relation to the smart cards holding too much information especially in the light of the numerous incidents of data losses in UK during the last two years. Peter Black, social justice spokesperson stated: "We have already seen that Government cannot be trusted with our private data. If that database were also to include details of our medical treatment, our use of local government services and our education records then not only would our entire lives be an open book to anybody with a suitable card reader, but the risk of identity theft and fraud would be magnified many times. We cannot take that risk. (...) The frightening prospect of a draconian future rears in front of us wherein hospitals, police stations and social security offices across Britain, electronic readers will connect scanned cards to a massive central database in order to prove the identities of card-bearers." Mike German, leader of the Welsh Liberal Democrats expressed the satisfaction that the Assembly was unanimous in its position sending "a strong message to your (Labour) colleagues in London that ID cards are not welcome in Wales". He added that "ID cards are an excuse for the state to meddle in peoples' lives. They are an unwarranted intrusion in our lives. They won't combat terrorism and fraud, because we've seen in other countries these crimes still exist". Rights attack on smart card plan (6.02.2008) http://news.bbc.co.uk/2/hi/uk_news/wales/7229920.stm ID cards not welcome in Wales (16.01.2008) http://www.newswales.co.uk/?section=Politics&F=1&id=12922 ============================================================ 9. Recommended Reading ============================================================ Statewatch launches new SEMDOC website providing comprehensive information about EU Justice and Home Affairs policy. Statewatch has been systematically monitoring and documenting the development of EU Justice and Home Affairs (JHA) policy since 1991. The Statewatch European Monitoring and Documentation Centre on Justice and Home Affairs in the European Union seeks to increase public understanding and debate about JHA policy through the provision of comprehensive information about adopted and proposed legislation. http://www.statewatch.org/news/2008/feb/01semdoc.htm Reporters Without Borders Annual Report 2008 - The plight of journalists in 98 countries reviewed. Reporters Without Borders criticises lack of public commitment to press freedom and fears anti-media violence in coming months. http://www.rsf.org/article.php3?id_article=25484 Annual report 2008 http://www.rsf.org/IMG/pdf/rapport_en-2.pdf ============================================================ 10. Agenda ============================================================ 14 February 2008, Brussels, Belgium eIdentity workshop http://www.epractice.eu/workshop/eidentity 23-24 February 2008, Brussels, Belgium Research Room @ FOSDEM: Libre software communities meet research community - Introducing Research Friendly http://libresoft.es/Activities/Research_activities/fosdem2008 10-12 March 2008, Geneva, Switzerland WIPO Standing Committee on Copyright and Related Rights: Sixteenth Session http://www.wipo.int/meetings/en/details.jsp?meeting_id=14502 15 March 2008, London, UK OKCon 2008 - Open Knowledge: Applications, Tools and Services http://www.okfn.org/okcon/ 19 March 2008, London, UK Musicians, fans and online copyright http://www.eventbrite.com/event/98391291 2-4 April 2008, Berlin, Germany re:publica - The Critical Mass http://www.re-publica.de 10-12 April 2008, Amsterdam & Hilversum, Netherlands Economies of the Commons - Strategies for Sustainable Access and Creative Reuse of Images and Sounds Online International Working Conference http://www.ecommons.eu 28-29 April 2008, Vienna, Austria PRISE Final Conference -Towards privacy enhancing security technologies - the next steps http://www.prise.oeaw.ac.at/conference.htm 15-17 May 2008, Ljubljana, Slovenia EURAM Conference 2008 - Track "Creating Value Through Digital Commons" How collective management of IPRs, open innovation models, and digital communities shape the industrial dynamics in the XXI century. http://www.euram2008.org 30-31 May 2008, Bucharest, Romania eLiberatica 2008 - The benefits of Open and Free Technologies http://www.eliberatica.ro/2008/ 17-18 June 2008, Seoul, Korea The Future of the Internet Economy - OECD Ministerial Meeting http://www.oecd.org/FutureInternet 23-25 July 2008, Leuven, Belgium The 8th Privacy Enhancing Technologies Symposium (PETS 2008) http://petsymposium.org/2008/ 8-10 September 2008, Geneva, Switzerland The third annual Access to Knowledge Conference (A2K3) http://isp.law.yale.edu/Wiki/view.aspx/A2K3_Announcements ============================================================ 11. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 28 members based or with offices in 17 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 2.0 License. See the full text at http://creativecommons.org/licenses/by/2.0/ Newsletter editor: Bogdan Manolea <edrigram(a)edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request(a)edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request(a)edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edrigram-mk.php - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram(a)edri.org> if you have any problems with subscribing or unsubscribing ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

[IP] NYTimes.com Article: In an Age of Terror, Safety Is Relative
by David Farber 05 Jul '18

05 Jul '18

In an Age of Terror, Safety Is Relative June 27, 2004 By GREGG EASTERBROOK WASHINGTON - On the subway a few weeks after the Madrid bombings, I noticed a parcel under a seat. I asked other passengers, but no one claimed the object. I looked inside the parcel and saw some papers and an elaborately wrapped object the size of a grapefruit. The train pulled into Metro Center, the main station of the Washington subway. I contemplated that I might be about to pick up a bomb, but then I'd already been stupid enough to look inside, so I carried out the package, put it on a bench and told the station manager. Officers appeared quickly, though trains continued running and people kept milling past. When I first saw the package, should I have used the emergency intercom to alert the motorman? Should he have stopped the train and evacuated everyone? When I alerted the manager, should she have closed the station, bringing the entire system to a halt? Had it turned out to be a bomb, pundits second-guessing the disaster that followed might have said the station manager and I were fools for not pushing the panic button. But what if a trainload of frantic people had been evacuated into a dark tunnel with a high-voltage rail, all because of an elaborately wrapped grapefruit? This is an example of the practical limits to security in the post-9/11 world. With the introduction of sophisticated airport inspections, bomb-screening of checked bags, security stops at building entrances, better passport controls, "smart borders" with improved computers and identity scanners, and hundreds of radiation and bioweapon detectors installed in urban areas, security has significantly improved in just three years. This summer, residents of New York and Boston are seeing lots of extra patrols, bomb-sniffing dogs and police drills, in preparation for the political conventions. But some of what's being done is primarily psychological: to make people feel more safe, regardless of whether they really are. And though the government must try any reasonable idea to counter terrorism, in the next round of security improvements to come there will be serious limits to practicality and affordability. Consider train safety. Recently the Transportation Security Administration tested screening of Amtrak passengers at the New Carrollton, Md., stop. Riders walked one by one through a device that sniffs the air for molecules associated with explosives. Probably anyone carrying a bomb would have been detected. But Amtrak has about 500 stations, half unstaffed whistle-stops. To add bomb-sniffers, plus personnel, to every station would be a significant expense. The New Carrollton stop is a quiet suburban station handling roughly 1,000 passengers a day. The Washington subway system carries half a million passengers a day. Many enter at downtown stations that are mob scenes; to make everyone walk through sniffer machines would be incredibly cumbersome. The New York subway system carries 3.8 million passengers a day, boarding at 468 stations. Screening all those riders would be a logistical nightmare, even if cost were no object. Many New York stations would need extensive re-engineering, and the lines would stretch up the stairs. And cost is an object. An estimated $11 billion has been spent to improve American airline security since Sept. 11, 2001. The airlines board about 1.5 million passengers a day. With the New York subway system alone carrying more than twice that, screening might cost about twice as much as has been spent on airline security. Maybe there's a way to avoid subway passenger screening. Starting in July, Boston transit police will hand-search the packages of travelers on the storied T subway system. Riders will continue to board unscreened. Officers, some with explosives-sniffing dogs, will wander through cars and demand that passengers open packages, briefcases or backpacks. Already there is an excruciating legal dispute about whether the officers should be scanning for those who fit terrorist profiles, or making random searches: that is, ordering grandma to show what's in her purse while ignoring the Middle Eastern-looking young man with the backpack. Set aside the legalities and concentrate on the practical. The Boston system has 247 transit officers, only a fraction of whom will be on trains at any particular time. What are the odds officers will stumble onto the one person, among hundreds of thousands, who is carrying something dangerous? People will feel safer knowing that officers are there, and making people feel safer may be the next best thing to actual safety. In the months after 9/11, National Guard units in battle fatigues patrolled airports: those camouflage outfits would hardly have helped Guard members blend in against a backdrop of vacationers and Chick-Fil-A stands. Officers with assault rifles now walk Times Square, though the chances an assault rifle will be needed are slim. Amtrak now demands that ticket buyers show a driver's license or similar identification. Maybe this will catch a lone deranged person, but the 9/11 attackers made sure their paperwork was in order. Many office buildings now require visitors to show a driver's license, which a low-wage desk worker glances at perfunctorily. During the Democratic National Convention in July, the police will close much of the highway system of downtown Boston. How much has been spent on real action? Steven M. Kosiak, an analyst at the Center for Strategic and Budgetary Assessments, a Washington research group, estimates that since Sept. 11, 2001, about $26 billion has been invested in improving the security of critical infrastructure in the United States. Domestic security over all (personnel and preparedness as well as infrastructure) is a $41.3 billion line in the current federal budget, and President Bush has requested $47.4 billion in fiscal 2005, a request that includes allotments like $3.6 billion to stockpile vaccines and antidotes. Domestic antiterrorism spending is now at nearly 10 times the level of President Bill Clinton's final budget for it. Nonetheless, last year a Council on Foreign Relations report said domestic security was drastically underfinanced. Senator John Kerry, the presumptive Democratic presidential nominee, says he wants still higher spending. He advocates 100,000 more firefighters, 5,000 new police officers trained specifically for antiterrorism, special funds for states and cities whenever an orange-level security alert is issued and other new investments. But money for more security must be weighed against other priorities. The Council on Foreign Relations study, for example, noted, "Only 10 percent of fire departments in the United States have the personnel and equipment to respond to a building collapse." Yet should most fire departments have millions of dollars' worth of equipment to handle a building collapse, when the chances of this happening in any one place, even any one big city, are tiny? Further improvements in security may prove impractical, or threats to liberty. Should bus passengers be screened? Israel, that most security-conscious of nations, has found bus attacks nearly impossible to stop. Should all cars be inspected before entering parking garages? The first World Trade Center attack involved a van bomb in the parking garage. (Cars entering the parking lots at many federal buildings are now inspected; this is not done at most commercial lots under private skyscrapers.) Should everyone carry an identity card with "biometric" data coded into it? The economic considerations are just as daunting. Mr. Kosiak estimates $407 billion has been spent in the wake of 9/11, a figure that includes military operations in Afghanistan and Iraq. If the estimate is correct, then more than 1 percent of the gross domestic product since 9/11 has gone to security improvements and to the wars in Iraq and Afghanistan. National prosperity has declined slightly as a result. Extra security layers also burden the economy. Roadblocks slow the movement of goods; complex inspections of shipments add to processing costs; restricting entry to the United States of the 99.9999 percent of foreign citizens who mean no harm is bad for tourism, for movement of intellectual capital and other aspects of the economy. One reason America has prospered is that it invested heavily in removing friction from the economy by making trade, travel and transactions as convenient as possible. Since 9/11, "we've been putting the friction back in," Brian Michael Jenkins of the RAND Corporation has noted. Consider movement of shipping. Some 20,000 shipping containers a day arrive at United States ports, with perhaps 1 percent inspected. An estimated 250 million shipping containers are in motion around the world. The Central Intelligence Agency is believed to have concluded that a crude atomic bomb or other terror weapon is far more likely to arrive in the United States via shipping container than on a missile from a rogue state. But 20,000 shipping containers per day cannot be fully inspected without significantly slowing the economy. The Department of Homeland Security has a program to place American inspectors overseas at ports like Rotterdam and Singapore. But there's a practical limit to how secure shipping can be, just as there are practical limits to many ideas to improve security. In a world of six billion souls, all it takes is one person a day willing to commit suicide to cause harm and sustain the sense of civilization in jeopardy. Governments will keep trying to improve public safety, but no matter how much is spent, there may be a limit to buying security against that one person. Gregg Easterbrook, a senior editor at The New Republic and a visiting fellow at the Brookings Institution, is the author of "The Progress Paradox." http://www.nytimes.com/2004/06/27/weekinreview/27east.html? ex=1089331778&ei=1&en=3586873e3bb49d79 --------------------------------- Get Home Delivery of The New York Times Newspaper. Imagine reading The New York Times any time & anywhere you like! Leisurely catch up on events & expand your horizons. Enjoy now for 50% off Home Delivery! Click here: http://homedelivery.nytimes.com/HDS/SubscriptionT1.do? mode=SubscriptionT1&ExternalMediaCode=W24AF HOW TO ADVERTISE --------------------------------- For information on advertising in e-mail newsletters or other creative advertising opportunities with The New York Times on the Web, please contact onlinesales(a)nytimes.com or visit our online media kit at http://www.nytimes.com/adinfo For general information about NYTimes.com, write to help(a)nytimes.com. Copyright 2004 The New York Times Company ------------------------------------- You are subscribed as eugen(a)leitl.org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/ ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 1.01d removed an attachment of type application/pgp-signature]

1 0

EDRI-gram newsletter - Number 6.3, 13 February 2008
by EDRI-gram newsletter 05 Jul '18

05 Jul '18

============================================================ EDRI-gram biweekly newsletter about digital civil rights in Europe Number 6.3, 13 February 2008 ============================================================ Contents ============================================================ 1. Biometric data from non-EU travellers 2. PirateBay - blocked in Denmark 3. Internet-related privacy issues on the EU institutions' agenda 4. Microsoft's actions investigated again by the European Commission 5. Finnish e-voting system must not stay a trade secret 6. France's gendarmerie goes for open source software 7. Europe spams more than the US 8. Wales said no to ID cards 9. Recommended Reading 10. Agenda 11. About ============================================================ 1. Biometric data from non-EU travellers ============================================================ A set of new measures including biometric data from non-EU travellers are being proposed these days by the European Commission (EC). The proposals, drafted by Franco Frattini, the European Commissioner for Justice, Freedom and Security, are being put forward by the EC, arguing that the cross-border policy has to be revised to face the new challenges related to terrorism, organised crime and illegal migration. The package proposes the creation of an entry/exit register of non-European visitors to the EU bloc that will record the dates of entry and exit of each non-EU individual admitted to the Schengen visa-free area using biometric identifiers. In cases when a person's visa has expired, an alert can be issued to all national authorities. A second measure would be the introduction of a European Border Surveillance System that will use satellites and unmanned aircraft to check on the non-UE travellers on a short-stay visa and to track the movements of suspected illegal migrants. The system is already under construction and may be operational by 2012. The proposals include the setting up of a system requiring travellers from countries with a visa requirement to provide biometric data at European consulates in their country. Those arriving from countries that are not required visas, such as the United States, will have to submit fingerprints and a digitalized facial image. The EC will encourage member states to introduce "automated border-crossing checks" which will include new biometric technologies such as eye scanners. The system should, however, allow EU citizens and "low risk" frequent travellers from outside the bloc to pass through automated checkpoints granting them a status of "registered traveller" being thus able to have their biometric travel documents scanned and checked by machines. Non-Europeans could obtain the fast-track status on condition they have not previously overstayed their visas, have enough funds to pay for their stay in Europe and have a biometric passport. All non-European individuals will have to make an electronic application before travelling to the Schengen area, allowing them to be checked against anti-terror databases in advance. The proposals also suggest a better use of Frontex, the EU's border control agency, especially by means of "intensified" joint operations between member states at sea borders. Privacy advocates, lawmakers and even police representatives criticise the proposals considering the EU is piling up databases without an overall strategy or a clear vision and believing the EC is only trying to copy the United States in their practice to scan fingerprints and pictures of travellers. "It's boys with toys. They want to have the toys the Americans have," said Gus Hosein from Privacy International. "It is not good to have a proliferation of databases without a clear vision (...) The link between them is unclear and leads to gaps" also said Jan Velleman, a spokesman for Eurocop, a European police union. Tony Bunyan, Statewatch editor, comments: "Let us be clear about the effect of these three proposals. Everyone - citizens and visitors - travelling in and out of the EU is going placed under surveillance, have to get permission to enter and checked against national watch-lists whose scope is unknown, with data transferred to unspecified agencies in the EU and outside and records of movements held for years." According to Meryem Marzouki, EDRI board member: "These plans add a new wall to the European Fortress, as they consider any migrant as a potential criminal. This entry/exit system will lead to increased surveillance and social control at national level as soon as an alert will be issued after visa expiration without exit. Europe is on its way towards a totalitarian society. As long as there is not adequate data protection under third pillar, there would be no limit to such plans." Roscam Abbing from the Commission said that according to the reaction of the EU lawmakers and governments, a legislative proposal will follow but did not make any statements on when the systems would come into force and refrained from commenting upon criticisms to the lack of EU strategy in dealing with sensitive databases. It is not clear whether Britain, Ireland and Cyprus which are not members of Schengen area, will adopt the program. All proposed measures could then enter into force between 2012 and 2015. Proposed shake up of EU security includes call for fingerprinting all visitors (13.02.2008) http://www.iht.com/articles/ap/2008/02/13/europe/EU-GEN-EU-Fortress-Europe.… EU plans to require biometrics of all non-European visitors (10.02.2008) http://www.iht.com/articles/2008/02/10/europe/union.php New EU fingerprint scheme fans privacy concerns (10.02.2008) http://www.reuters.com/article/reutersEdge/idUSL1079208520080210 Brussels to tighten EU external borders (6.02.2008) http://euobserver.com/22/25606 EU to announce fingerprinting for all visitors (12.02.2008) http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-560378 ============================================================ 2. PirateBay - blocked in Denmark ============================================================ Following a complaint by IFPI (International Federation of the Phonographic Industry), a Danish bailiff court issued on 4 February 2008 an injunction ordering Tele2, one of the major ISPs in Denmark, to block the access to the PirateBay domains. IFPI asked the court for this injunction because most of the materials referred on PirateBay are copyrighted and the exchange of these materials between PirateBay users is illegal. IFPI considered that Tele2 was not directly liable for the illegal copying, but was contributing to it, by making temporary copies of torrent files. Tele2 has been complying with the injunction so far by DNS filtering (same method as used in the child pornography filters and AllOfMp3), but is determined to fight against the injunction in the upper court in two weeks time. Niels Elgaard Larsen from the IT-Political Association of Denmark explained the situation for EDRi-gram: "We see a slippery slope. Blocking of first child porn, then a non-EU (Russian) site with alleged illegal music (AllOfMp3), and now a search engine inside the EU. Elsewhere in EU we hear politicians that want to block recipes for explosives, ads for non-taxed gambling, etc. This is not about music and movies at piratebay or anywhere else. This is about making ISP's policing the content flowing through their networks. It is about freedom on the internet. Do we want an open or a closed internet ?" But the injunction seema to have no direct effect on PirateBay website, that announces an increase by 12% of the number of visits from Denmark. According to their blog the website "is growing more because of the media attention than people actually coming to learn how to bypass the filter - our guess is that a lot of the users on the site now run OpenDNS instead of the censoring DNS at Tele2.dk." However, the court cases against the popular torrent tracker are not over. PirateBay is preparing for a long trial starting this spring following the 2006 seizure of their servers and 20 months of investigation. According to the Prosecutor Hakan Roswall, the website was commercially exploiting copyright-protected work because it was financed through advertising revenues. Piratebay expects the trial to last for years, especially because the decision in this case will be appealed by one of the parties. They also claim that this will not affect at all their activity. After it has been claimed that PirateBay is supporting trackers with child pornography, the website owners announced that they were collaborating with the Police officers to teach them "how to actually download stuff using the BT protocol. The police has actually been very open and frank with us about their technical difficulties and asking for help is the best solutions for all parties." Bailiff Court Decision (only in Danish, 4.02.2008) http://www.computerworld.dk/modules/davinci/getfile.php?id=18886&attachment Danish ISP shuts access to file-sharing Pirate Bay (4.02.2008) http://www.reuters.com/article/industryNews/idUSL0480268320080204?pageNumbe… Denmark, first look (8.02.2008) http://courtblog.thepiratebay.org/2008/02/08/denmark-first-look/ Pirate Bay hit with legal action (31.01.2008) http://news.bbc.co.uk/2/hi/technology/7219802.stm Prepare for mudwrestling (6.02.2008) http://courtblog.thepiratebay.org/2008/02/06/prepare-for-mudwrestling/ ============================================================ 3. Internet-related privacy issues on the EU institutions' agenda ============================================================ The privacy problems created by the Internet and other new technologies such as RFID have an important place on the agenda of the European institutions that seem to be more anxious than ever to tackle those issues. The hearing at the European Parliament's Civil Liberties Committee reported in the last EDRi-gram seems to be only the top of the iceberg. Article 29 working party will discuss at the next meeting, on 18 February 2008, the highly sensitive topic of privacy & search engines, and it is probable to adopt an Opinion on this topic. But the views of the Working party's members are already public, after the last month meeting at the European Parliament. Moreover, Peter Schaar, Germany's Federal Data Protection Commissioner and Chairman of the Article 29 working party, made some straightforward comments to Financial Times, explaining that the cookie and search data retention period is too long : "For me personally it still seems rather long, and I could imagine I am not alone." He underlined the fact that IP addresses are considered as personal information according to the EU legislation and dismissed security concerns as a reason to keep data: "I cannot imagine that it is necessary to store data such as IP addresses for security reasons. What is the security threat? Security purposes don't justify the long-term storage of this data." Other national data protection agencies are looking into more privacy aspects of computer usage. The Spanish Data Protection defined last year the filtering of information for purposes other than virus and spam protection as "not in conformity with Spanish law". Also Article 29 Working Party plans to investigate targeted advertising, which could cause problems for Google or Yahoo. The European Commission is also working on a document on RFID policy, that will include the privacy aspects, based on the discussions in the RFID working group. It is not clear yet if the document will be a binding regulation or recommendation. EurActiv website points that the Commission will publish, in the next weeks, a new EU survey that shows "an overwhelming majority considers public awareness about privacy and data management to be low, but at the same time almost 75% of respondents say they are worried about leaving personal information on the Internet." Apparently the Commission expects these results and is looking at increasing the funding for awareness-raising campaigns and technologies which improve privacy protection. EU targets online privacy fears (11.02.2008) http://www.ft.com/cms/s/0/8e98263a-d844-11dc-98f7-0000779fd2ac.html?nclick_… EU mulls new measures to protect privacy on the Web (7.02.2008) http://www.euractiv.com/en/infosociety/eu-mulls-new-measures-protect-privac… EDRi-gram: European Parliament hearing on Internet privacy issues (30.01.2008) http://www.edri.org/edrigram/number6.2/ep-hearing-privacy ============================================================ 4. Microsoft's actions investigated again by the European Commission ============================================================ The European Commission has recently extended its formal probes launched on 14 January 2008 against Microsoft in two cases where it has been alleged that the multinational firm had abused its dominant market position. The first case was brought by a complaint from web browser Opera, which complained that the tying of Microsoft's Internet Explorer to its Windows operating system was anti-competitive. The second case under investigation was the complaint filed by the European Committee for Interoperable Systems for the Microsoft's refusal to disclose interoperability information on some Microsoft server products, Office and NET Framework. In relation to this case the Commission also intends to verify Office Open XML (OOXML) file format for not working with its competitors' specifications. In the latter case, the Commission will also check possible influence of the the votes by the company during the ISO standardization process for the OOXML document format. The Commission has asked Microsoft to provide information about its activities during the process wanting to know whether the software firm has put pressure on committees in various countries to ratify OOXML as a standard. ISO members refused to adopt OOXML in September of 2007 and Microsoft was asked to make improvements before the final vote that will take place at the end of February 2008 in Geneva. The Association for a Free Information Infrastructure had revealed, even before the September vote that there were some irregularities in the Microsoft's participation in the committees, calling for the ceasing of the standardization process. Among other charges, Microsoft is suspected of having bought votes in Sweden, of hindering the participation of the competition by limiting the number of seats and by "hijacking" standardization committees in some countries, including the US, Mexico and Columbia. EU looks into Microsoft's influence on ISO standardization process (08.02.2008) http://www.heise.de/english/newsticker/news/103201/ EU investigates Microsoft's OOXML campaign (08.02.2008) http://www.theregister.co.uk/2008/02/08/ooxml_eu_probe_iso/ Microsoft faces additional European antitrust probe (08.02.2008) http://www.marketwatch.com/news/story/microsoft-faces-additional-european-a… EDRi-gram: Opera complains to the EC on Microsoft's Internet Explorer (19.12.2007) http://www.edri.org/edrigram/number5.24/opera-commission-microsoft EDRi-gram: Reactions on the ISO voting procedures (12.09.2007) http://www.edri.org/edrigram/number5.17/iso-procedures ============================================================ 5. Finnish e-voting system must not stay a trade secret ============================================================ A member of Electronic Frontier Finland (Effi), a Finnish association for promoting digital rights and member of EDRi, has recently sent a request of information to the Finnish Ministry of Justice regarding their planned e-voting system. The system will be piloted in the municipal elections during October 2008 and it is based on a DRE (Direct Recording Electronic) type e-voting system from TietoEnator Finland and a Spanish back-end provider, Scytl. In their response, the Ministry of Justice states that, based on the Act on the Openness of Government Activities, the documentation that has been written concerning the specific details of the e-voting system has to be kept secret on the Documents that have to be kept secret include documents related to the information security of the system and documents that contain information about the trade secrets of a private company, in this case, the systems provider. Effi's analysis of the system is only based on high-level documents provided by the Ministry of Justice and a U.S. patent that has been granted to Scytl, and is assumed to form the basis of the Finnish e-voting system core. According to this analysis, the system will not utilise any voter-verified paper ballot system or even the electronic receipt system that is detailed in the Scytl patent. The current, traditional Finnish elections feature a widely distributed ballot counting process, which is carried out manually and collectively by the representatives of the competing parties at each polling station. The results of each polling station are individually published, providing the representatives with the possibility to cross-check that the votes at their polling station have been correctly tallied. The ballots are then separately counted again, independently of the original count, and archived in case of further recounts being deemed necessary. The system is quite fast, providing results in a matter of hours from the whole country, easy to understand, and very resilient. The e-voting system as currently proposed would make recounts that would be independent of the electronic system impossible. It would also make it possible for a much smaller team of individuals to alter the election results, as the software, which counts the ballots, is not public. Since Effi's original press release, the Ministry of Justice has unveiled a plan to contract an audit of the software from the University of Turku in Finland, but this effort seem to be rather under-resourced when compared to US e-voting system audits, and is likely to just scratch the surface. As a counterexample, thirty US states have already made the voter-verified paper ballot a mandatory part of electronic voting. For some reason, the Finnish Ministry of Justice has not seen this as a requirement for the all-electronic voting system in Finland. Ministry of Justice response to a member of Electronic Frontier Finland (only in Finnish, 23.01.2008) http://www.effi.org/system/files?file=om-2008-01-23.txt E-Voting pilot: Technical implementation and information security (only in Finnish, 20.06.2007) http://www.effi.org/system/files?file=Pilotin_tekninen_esittely_v1.0H.pdf Verified voting (28.01.2008) http://www.verifiedvoting.org/ Effi: Voting systems must not be trade secrets. (only in Finnish, 25.01.2008) http://www.effi.org/julkaisut/tiedotteet/lehdistotiedote-2008-01-25.html Municipal elections 2008: Electronic voting in three municipalities. Press release from Ministry of Justice (8.02.2008) http://www.om.fi/en/Etusivu/Ajankohtaista/Uutiset/1201510039860 Web demonstrator and an informational page for the e-voting system (only in Finnish, 11.02.2008) http://www.vaalit.fi/sahkoinenaanestaminen/ (Contribution by EDRi-member Electronic Frontier Finland) ============================================================ 6. France's gendarmerie goes for open source software ============================================================ The Gendarmerie, France's largest administrative body, intends to change in the next years the operating system of 70 000 workstations presently running on Windows XP to Ubuntu. This is a movement that continues the French Government's efforts to promote migration to open source for some years now. The Gendarmerie had already adopted OpenOffice.org and Firefox, the French National Assembly has also recently switched 1100 computers to Linux and the Ministry of Agriculture has started the migration from Windows at the end of 2006. The French Government's plans to migrate to open source was based on a study by technology services company Atos Origin, that: "showed that open-source software will from now on offer functionality adapted to the needs of MPs and will allow us to make substantial savings despite the associated migration and training costs" as was the Parliament's statement in 2006. The reasons for switching to open source software, besides the cost reductions, included a better control of security functions and a greater independence from the software vendors. France's gendarmerie switches to Linux (31.01.2008) http://www.heise.de/english/newsticker/news/102824 The French Gendarmerie throws Windows away (only in French, 31.01.2008) http://www.lexpress.fr/info/economie/infojour/infos.asp?id=141908 EDRi-gram: France Parliament shifts to open source software (6.12.2006) http://www.edri.org/edrigram/number4.23/oss_france ============================================================ 7. Europe spams more than the US ============================================================ According to security vendor Symantec, a shift has taken place in the weight of the spam networks, the European ones having created more unsolicited e-mail than those in the US lately. Thus, approximately 44 per cent of all spam messages are originated from Europe as compared to 35.1 per cent originated from the US. In the opinion of one of Symantec's European product marketing managers, Fredrik Sjostedt, the advantage taken by European spammers is due to the large penetration of broadband. "Historically the majority of spammers were U.S.-based, but now we're seeing a lot of Eastern European and Russian spam gangs active (.) We've moved away from traditional, individual spammers, to loosely tied groups of spam senders, malware coders, and people selling access to botnets," said Sjostedt. The reports also show a very high increase of spamming during the holiday time in December, reaching up to 93 million spam messages. Kelly Conley, Symnatec enterprise security group manager, wrote on its security response blog that, for the holidays, the spammers had changed their techniques by inserting seasonal oriented keywords into URLs, subject lines and embedded images within their messages. Other spam trends reported for the past month are the offering of rapidly dealing with visa problems in Europe or bio-fuel offers. Europe still top source of spam (6.02.2008) http://www.news.com/2100-7349_3-6229352.html EU overtakes US in spam spewing stakes (6.02.2008) http://www.itpro.co.uk/news/163215/eu-overtakes-us-in-spam-spewing-stakes.h… ============================================================ 8. Wales said no to ID cards ============================================================ Welsh Assembly Government proposal for a "smart card" to be used to access public services in Wales was considered by civil liberties groups as a way of introducing identity cards "through the back door" and was rejected by the Liberal Democrats supported by the Labour Party members as well. The Government has claimed that the card was aimed at improving the way people use library and travel services but Suw Charman, founder of the EDRi-member Open Rights Group, considers the scheme as "pointless". "I haven't seen an argument about what's wrong with the existing cards. (...) Why do we need to put all this information on one smart card that's going to keep a log on what people do and where they go? It's treating people like criminals" was her statement to BBC. Concerns were also expressed in relation to the smart cards holding too much information especially in the light of the numerous incidents of data losses in UK during the last two years. Peter Black, social justice spokesperson stated: "We have already seen that Government cannot be trusted with our private data. If that database were also to include details of our medical treatment, our use of local government services and our education records then not only would our entire lives be an open book to anybody with a suitable card reader, but the risk of identity theft and fraud would be magnified many times. We cannot take that risk. (...) The frightening prospect of a draconian future rears in front of us wherein hospitals, police stations and social security offices across Britain, electronic readers will connect scanned cards to a massive central database in order to prove the identities of card-bearers." Mike German, leader of the Welsh Liberal Democrats expressed the satisfaction that the Assembly was unanimous in its position sending "a strong message to your (Labour) colleagues in London that ID cards are not welcome in Wales". He added that "ID cards are an excuse for the state to meddle in peoples' lives. They are an unwarranted intrusion in our lives. They won't combat terrorism and fraud, because we've seen in other countries these crimes still exist". Rights attack on smart card plan (6.02.2008) http://news.bbc.co.uk/2/hi/uk_news/wales/7229920.stm ID cards not welcome in Wales (16.01.2008) http://www.newswales.co.uk/?section=Politics&F=1&id=12922 ============================================================ 9. Recommended Reading ============================================================ Statewatch launches new SEMDOC website providing comprehensive information about EU Justice and Home Affairs policy. Statewatch has been systematically monitoring and documenting the development of EU Justice and Home Affairs (JHA) policy since 1991. The Statewatch European Monitoring and Documentation Centre on Justice and Home Affairs in the European Union seeks to increase public understanding and debate about JHA policy through the provision of comprehensive information about adopted and proposed legislation. http://www.statewatch.org/news/2008/feb/01semdoc.htm Reporters Without Borders Annual Report 2008 - The plight of journalists in 98 countries reviewed. Reporters Without Borders criticises lack of public commitment to press freedom and fears anti-media violence in coming months. http://www.rsf.org/article.php3?id_article=25484 Annual report 2008 http://www.rsf.org/IMG/pdf/rapport_en-2.pdf ============================================================ 10. Agenda ============================================================ 14 February 2008, Brussels, Belgium eIdentity workshop http://www.epractice.eu/workshop/eidentity 23-24 February 2008, Brussels, Belgium Research Room @ FOSDEM: Libre software communities meet research community - Introducing Research Friendly http://libresoft.es/Activities/Research_activities/fosdem2008 10-12 March 2008, Geneva, Switzerland WIPO Standing Committee on Copyright and Related Rights: Sixteenth Session http://www.wipo.int/meetings/en/details.jsp?meeting_id=14502 15 March 2008, London, UK OKCon 2008 - Open Knowledge: Applications, Tools and Services http://www.okfn.org/okcon/ 19 March 2008, London, UK Musicians, fans and online copyright http://www.eventbrite.com/event/98391291 2-4 April 2008, Berlin, Germany re:publica - The Critical Mass http://www.re-publica.de 10-12 April 2008, Amsterdam & Hilversum, Netherlands Economies of the Commons - Strategies for Sustainable Access and Creative Reuse of Images and Sounds Online International Working Conference http://www.ecommons.eu 28-29 April 2008, Vienna, Austria PRISE Final Conference -Towards privacy enhancing security technologies - the next steps http://www.prise.oeaw.ac.at/conference.htm 15-17 May 2008, Ljubljana, Slovenia EURAM Conference 2008 - Track "Creating Value Through Digital Commons" How collective management of IPRs, open innovation models, and digital communities shape the industrial dynamics in the XXI century. http://www.euram2008.org 30-31 May 2008, Bucharest, Romania eLiberatica 2008 - The benefits of Open and Free Technologies http://www.eliberatica.ro/2008/ 17-18 June 2008, Seoul, Korea The Future of the Internet Economy - OECD Ministerial Meeting http://www.oecd.org/FutureInternet 23-25 July 2008, Leuven, Belgium The 8th Privacy Enhancing Technologies Symposium (PETS 2008) http://petsymposium.org/2008/ 8-10 September 2008, Geneva, Switzerland The third annual Access to Knowledge Conference (A2K3) http://isp.law.yale.edu/Wiki/view.aspx/A2K3_Announcements ============================================================ 11. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 28 members based or with offices in 17 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 2.0 License. See the full text at http://creativecommons.org/licenses/by/2.0/ Newsletter editor: Bogdan Manolea <edrigram(a)edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request(a)edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request(a)edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edrigram-mk.php - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram(a)edri.org> if you have any problems with subscribing or unsubscribing ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0