July 2018 - cypherpunks-legacy

[Politech] German court bans police from installing Trojan Horses remotely [priv]
by Declan McCullagh 06 Jul '18

06 Jul '18

A few thoughts: 1. This seems to preclude German police from doing a remote search (which would have to include malware or some way of exploiting a security hole on the target's computer) even with a court order. 2. In the U.S., the FBI reportedly has developed similar malware called Magic Lantern, which we've discussed here before: http://www.politechbot.com/p-03034.html http://en.wikipedia.org/wiki/Magic_Lantern_%28software%29 3. I can't think of any domestic case offhand when we know for a fact that the FBI has gained unauthorized remote access to a suspect's system. Can anyone? The Scarfo case involved physical access, and this remote intrusion case dealt with a computer in Russia: http://news.zdnet.com/2100-9595_22-529917.html -Declan --- http://www.nytimes.com/aponline/world/AP-Computer-Searches.html?_r=1&oref=s… gin German Court Nixes Hard Drive Search By THE ASSOCIATED PRESS Published: February 5, 2007 Filed at 1:42 p.m. ET BERLIN (AP) -- A German court on Monday ruled that police cannot remotely search criminal suspects' computer hard drives over the Internet without their knowledge. The decision of the Federal Court of Justice in Karlsruhe bars police from using the online ''Trojan horse'' method, which involves using a computer program to search through remote hard drives over an Internet connection, unless parliament passes a law explicitly allowing it. Police will still be allowed to seize evidence from computer hard drives when conducting searches in person. [...remainder snipped...] _______________________________________________ Politech mailing list Archived at http://www.politechbot.com/ Moderated by Declan McCullagh (http://www.mccullagh.org/) ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

1 0

EDRi-gram newsletter - Number 8.13, 30 June 2010
by EDRI-gram newsletter 06 Jul '18

06 Jul '18

============================================================ EDRi-gram biweekly newsletter about digital civil rights in Europe Number 8.13, 30 June 2010 ============================================================ Contents ============================================================ 1. Data retention - time for evidence-based decision making 2. Same privacy concerns for the new SWIFT treaty 3. ACTA - new criminal sanctions for non-commercial copyright uses? 4. EP calls for a clear legal framework for the Internet of Things 5. Article 29 WP issues opinion on cookies in the new ePrivacy Directive 6. Increased pressure on Turkey to stop Internet blocking 7. Iceland - first steps for a new media haven 8. ENDitorial: Council of Europe draft Recommendation on Profiling 9. Recommended Action 10. Recommended Reading 11. Agenda 12. About ============================================================ 1. Data retention - time for evidence-based decision making ============================================================ In June 2010 the European Parliament adopted a farcical "written declaration" ostensibly on the creation of an "early warning system" to fight pedophiles. Funded by unknown sources, the MEPs in charge (Zaborska from the Czech Republic and Motti from Italy) put together the Declaration in order to promote the retention of communications data and the extension of this practice to "search engines". After tabling the declaration, a highly polished, American-style lobby campaign went into operation. The lobbying neatly avoided mentioning data retention in any of the associated printed materials, in any of the e-mails sent to MEPs and on the campaign's website. The MEPs involved and their staff harangued and harassed parliamentarians, even to the point of putting lobbying material on their desks in the Parliament's hemicycle itself - with the simple message of "sign to fight sexual harassment" using a picture of a vulnerable-looking child. Mainly as a result of the large number of parliamentarians that signed due to mistakenly trusting what they were told about the content of the declaration, it was adopted. The Declaration has now been sent to the European Commission, where Cecillia Malmstrvm, who vehemently opposed the Data Retention Directive in her previous job as a Member of the European Parliament, needs to decide how to respond. Having indicated in the Swedish press that such an approach would be disproportionate, there are reasons to be hopeful that her position will be firm and favourable to citizens' rights. To make Commissioner Malmstrom's task even easier, she took an oath in May of this year to respect the Charter of Fundamental Rights of the European Union. Unequivocal opposition to such extreme proposals is important, particularly at the moment. By the end of this week, the relevant Directorate-General of the Commission will have completed its first draft assessment of the Data Retention Directive, which will then be reviewed by the Commissioner. This will then be followed by a second round of drafting, consultation with the other parts of the Commission and adoption of the final report, probably in the second half of September. In the absence of evidence to suggest that data retention has served any useful purpose, it is to be hoped that the Commissioner will maintain her opposition to the Directive and propose appropriate and ambitious amendments, removing obligations on all Member States to impose long-term blanket data retention on all citizens. This process is all the more important as a result of developments in the Council of Europe, which will soon adopt its Recommendation on Profiling. The current and almost final version of that text lends credibility to Member States that wish to exploit retained data to assign "profiles" to innocent citizens. The Recommendation exempts Member States from having to apply three important chapters: on lawfulness, data quality and sensitive data. In 2008, a report prepared for the Council of Europe pointed out that registration of internet users is "likely to have a chilling effect not just on journalists but on any users that wish to access public or legal, but controversial materials." The implementation of profiling would make this serious chilling effect seem minor in comparison. Campaigning against the Data Retention Directive is already in full swing. More than 100 organisations (including EDRi) from 23 European countries asked last week EU Commissioners Malmstrvm, Reding and Kroes in a joint letter to "propose the repeal of the EU requirements regarding data retention in favour of a system of expedited preservation and targeted collection of traffic data". Among the signatories are civil liberties, data protection and human rights associations as well as crisis line and emergency call operators, professional associations of journalists, jurists and doctors, trade unions, consumer organisations and industry associations. Study undertaken for the Council of Europe on the effects of anti-terror legislation (11.2008) http://www.coe.int/t/dghl/standardsetting/media/Doc/SpeakingOfTerror_en.pdf Written declaration 29 website http://www.smile29.eu Oath sworn by Commissioners (3.05.2010) http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/487 Draft Council of Europe Recommendation on profiling (3.06.2010) http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD%20documents/T-… Data retention Directive http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:00… Malmstrom says no to Google Storage (only in Swedish, 28.06.2010) http://www.svd.se/nyheter/inrikes/malmstrom-sager-nej-till-googlelagring_49… Letter to Commissioner (22.06.2010) http://www.vorratsdatenspeicherung.de/images/DRletter_Malmstroem.pdf Civil society calls for an end to compulsory telecommunications data retention (28.06.2010) http://www.vorratsdatenspeicherung.de/content/view/370/79/lang,en/ (Contribution by Joe McNamee - EDRi) ============================================================ 2. Same privacy concerns for the new SWIFT treaty ============================================================ The agreement between the EU and USA on the transfer of bank data through SWIFT was signed on 28 June 2010 after the Spanish Presidency of the Council of Ministers has accepted some of the changes on the text proposed by MEPs, but with no significant improvements from the Agreement rejected by the European Parliament in February 2010. The text of the new SWIFT Agreement will now probably be rushed through the next European Parliament plenary session in Strasbourg (5-8 July). After the draft agreement was initiated by Commissioner Cecilia Malmstrvm on 10 June, MEPs asked for changes to the text concerning the bulk transfer of data, the creation of an EU counterpart to the US Terrorist Finance Tracking Programme (TFTP), and EU oversight of TFTP data-processing in the US. Unfortunately, the new adopted text still allows for bulk data transfers. The Parliament would have liked to replace bulk data with targeted searches carried out by an EU-based authority but according to MEP Birgit Sippel, "We cannot reduce the problem of bulk data for the moment as we do not have the technical capability." The retention period is still 5 years and there is no real system in place from the US on a binding legal redress. The US Privacy Act court clauses only apply to US citizens and legal residents. Therefore there is currently no right of judicial review for foreign citizens and residents (including EU) under the US law. Another key critique to the current text is the role of Europol that should authorize the data transfer requests from the US. Besides the fact that Europol is not a judicial authority, as requested by the European Parliament in May 2010 Resolution, the incentive from this agency to limit the amount of data being transferred is extremely reduced due to the fact that they can actually request data searches from the US. On 25 June, EDPS Peter Hustinx expressed his concerns related to the transfer of bulk amounts of bank data to the U.S. authorities and pointed out the key elements to be improved for data protection, especially as regarding data retention periods, enforceability of the citizens' data protection rights, judicial oversight and independent supervision. "I am fully aware that the fight against terrorism and terrorism financing may require restrictions to the right to the protection of personal data. However, in view of the intrusive nature of the draft agreement, which allows transfers of data in bulk to the US, the necessity of such scheme should first be unambiguously established, especially in relation to already existing instruments. Would this be the case, other key elements should however be improved in order to meet the conditions of the EU legal framework for data protection." As MEP Alexander Alvaro told EurActiv, in terms of the agreement, the European Commission will write a framework for the extraction of data on US soil in order to set up an EU equivalent to TFTP and in case after five years this is not in place, the Commission will have to renegotiate or terminate the present agreement. But the present text automatically extends for one more year if nothing happens. It does not have to be renewed, it just has to be actively terminated. EU, US sign SWIFT agreement (28.06.2010) http://www.europeanvoice.com:80/article/2010/06/eu,-us-sign-swift-agreement… EU wins concessions on US bank data-sharing deal (25.06.2010) http://www.euractiv.com/en/justice/eu-wins-concessions-on-US-bank-data-shar… EU-US new draft agreement on financial data transfers: EDPS calls for further data protection improvements (22.06.2010) http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consu… EDRi-gram: New SWIFT agreement as bad as the rejected one (16.06.2010) http://www.edri.org/edrigram/number8.12/new-switf-proposal-bad ============================================================ 3. ACTA - new criminal sanctions for non-commercial copyright uses? ============================================================ A new round of negotiations on the Anti-Counterfeiting Trade Agreement (ACTA) is in progress until 1 July 2010 at Luzern, Switzerland between 11 parties including the EU. A document leaked from the EU Presidency dated 7 April 2010 shows that EU member states intended to introduce under ACTA more criminal sanctions for copyright infringements even for non-commercial reasons. The EU Presidency document stated that the position of the EU Member States is still under examination with regard to article 2.14.1 covering copyright or related rights infringements. Some proposals of this article explicitly plan to apply criminal sanctions to "infringements that have no direct or indirect motivation of financial gain". "The ACTA agreement, by its opacity and undemocratic nature, allows criminal sanctions to be simply negotiated. The leaked document shows that the EU Member States are willing to impose prison sanctions for non-commercial usages of copyrighted works on the Internet as well as for 'inciting and aiding', a notion so broad that it could cover any Internet service or speech questioning copyright policies. EU citizens should interrogate their governments about their support to policies that obviously attack freedom of speech, privacy and innovation" says Jirimie Zimmermann, spokesperson for La Quadrature du Net. ACTA will also hinder access to medicine by preventing the production and the exportation of generic molecules. "ACTA would affect the access to treatments worldwide, because it will hinder the access to cheap generic drugs. Without generic drugs, it would have never been possible for 4 millions people to have access to antiretroviral drugs. If concluded, ACTA would be a terrible stepback for millions of people living with HIV worldwide," stated Pauline Londeix, spokesperson for Act Up-Paris. Some countries, such as India, threatened to establish a coalition of countries against the treaty as they believe ACTA is in conflict with international trade law, and it undermines the balance of rights, obligations and flexibilities that already exists within international law. The Swiss Pirate Party together with their Pirate colleagues from Germany and Switzerland organised a rally at the Lucerne train station. The Pirate parties and a group of 12 non-governmental organisations are also having short meetings with the Swiss and other delegations. The Berne Declaration, Midecins Sans Frontihres , ACT UP Paris, Knowledge Ecology International, Oxfam, La Quadrature du Net, Third World Network, and representatives of the Washington College of Law issued on 23 June an urgent ACTA Communique, which attracted a huge number of signatories from MEPs, academics and NGOs. The document states that the new treaty will encourage internet service providers to police the activities of internet users by holding internet providers responsible for the actions of subscribers, conditioning safe harbours on adopting policing policies, and by requiring parties to encourage cooperation between service providers and rights holders. It will also encourage this surveillance, and the potential for punitive disconnections by private actors, without adequate court oversight or due process. In a joint statement of the European associations of fixed and mobile telecoms operators, European internet service providers, cable companies and digital media organisations have also warned that the "proposed obligation on online providers to reveal the identity of their subscribers directly to right holders violates the existing EU data protection obligations." Also, the International Trademark Association and the International Chamber of Commerce's Business Action to Stop Counterfeiting and Piracy submitted joint recommendations and comments on the ACTA text and recommended maintaining the "original, narrow scope of ACTA to trademark counterfeiting and copyright piracy for ACTA's effective implementation in different countries." According to them, "the scope of draft text of the agreement includes a wide range of intellectual property rights, which risks diluting the focus and overall strength of the trade agreement." International Experts Find that Pending Anti-Counterfeiting Trade Agreement Threatens Public Interests (23.06.2010) http://www.wcl.american.edu/pijip/go/acta-communique Leak: EU pushes for criminalizing non-commercial usages in ACTA (24.06.2010) http://www.laquadrature.net/en/leak-eu-pushes-for-criminalizing-non-commerc… ACTA: International 'three strikes', surveillance and worse (23.06.2010) http://www.openrightsgroup.org/blog/2010/acta-international-three-strikes-s… The ACTA casino must be closed (28.06.2010) http://www.laquadrature.net/en/the-acta-casino-must-be-closed Geist: Developing world opposition mounts to anti-counterfeiting agreement (28.06.2010) http://www.thestar.com/news/sciencetech/technology/lawbytes/article/828525-… Scope Of Anti-Counterfeiting Agreement Again A Big Issue In Round Nine (26.06.2010) http://www.ip-watch.org/weblog/2010/06/26/scope-of-anti-counterfeiting-agre… EDRi-gram: ACTA: European Commission transparently ignores European Parliament (21.04.2010) http://www.edri.org/edrigram/number8.8/acta-transparency-european-comission ============================================================ 4. EP calls for a clear legal framework for the Internet of Things ============================================================ In a resolution on the Internet of Things, adopted on 15 June 2010, the European Parliament (EP) welcomes the communication of the Commission on the topic and in principle endorses the broad outlines of the action plan to promote the Internet of Things. The Parliament however takes the view that the development of new applications and the actual functioning and business potential of the Internet of Things will be intrinsically linked to the trust European consumers have in the system, and points out that trust exists when doubts about potential threats to privacy and health are clarified. It stresses that this trust must be based on a clear legal framework, including rules governing the control, collection, processing and use of the data collected and transmitted by the Internet of Things and the types of consent needed from consumers. The Parliament further notes that the Internet of Things will lead to the collection of truly massive amounts of data and calls on the Commission, in this connection, to submit a proposal for the adaptation of the European Data Protection Directive with a view to address the data collected and transmitted by the Internet of Things. In the view of the Parliament, respect for privacy and the protection of personal data together with openness and interoperability are the only ways the Internet of Things will gain wider social acceptance. The EP firmly believes that all users should have control over their personal data and stresses that a precondition for promoting technology is the introduction of legal provisions to reinforce respect for the fundamental values and for the protection of personal data and privacy. In the context of privacy by design, the European Parliament also notes the opinion of the European Data Protection Supervisor (EDPS) on this topic, who stressed the importance of Privacy by Design as the guiding principle and highlighted that in the context of RFID, the existing data protection rules need to be complemented with additional rules imposing specific safeguards, particularly making it mandatory to embed technical solutions (Privacy by Design) in RFID technology. He furthermore expressed his concern that RFID operators in the retail sector may overlook the possibility for RFID tags to be monitored by unwanted third parties and thinks it is conceivable that self-regulation will not deliver the expected results. He therefore called upon the Commission to be ready to propose legislative instruments regulating the main issues of RFID usage in case the effective implementation of the existing legal framework fails. This call for a regulation of the main issues of RFID usage now obviously gained support from the European Parliament which, in addition, underlines that RFID applications must be operated in accordance with the rules on privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The resolution of the Parliament not only addresses the European Commission but also calls on manufacturers to secure the right to "chip silence" and calls for RFID application operators to take all reasonable steps to ensure that data does not relate to an identified or identifiable natural person unless such data is processed in compliance with the applicable principles and legal rules on data protection. It is the believe of the Parliament that a general principle should be adopted whereby Internet of Things technologies should be designed to collect and use only the absolute minimum amount of data needed to perform their function, and should prevent from collecting any supplementary data. It calls for a significant amount of the data shared by the Internet of Things to be made anonymous before being transmitted, in order to secure privacy. The European Parliament believes in the importance of ensuring that all fundamental rights - not only privacy - are protected in the process of developing the Internet of Things and calls on the Commission to monitor closely the implementation of the European regulations already adopted in this area and to present, by the end of the year, a timetable for the guidelines it intends to propose at the EU level for improving the safety of the Internet of Things and of RFID applications. As EDRi-gram reported earlier this year the resolution was drafted by MEP Maria Badia i Cutchet, rapporteur to the European Parliament's Committee on Industry, Research and Energy (ITRE) including opinions of the Committees on International Trade, Internal Market and Consumer Protection and Legal Affairs. The EP Resolution has to be seen not only in the context of the European Commission's communication on the Internet of Things and the EDPS opinion on Privacy by Design, but also of the European Commission's RFID recommendation and the Industry proposal for an RFID Privacy Impact Assessment, which unfortunately fails to identify a single specific risk. In this context, the resolution of the European Parliament can be seen as another strong signal towards the European Commission to act without undue delay to effectively protect the fundamental rights of individuals affected by RFID and other technologies related to the Internet of Things and towards manufacturers and RFID application operators to take their obligations serious and effectively secure privacy and data protection rights of all persons affected by their products and applications. European Parliament resolution of 15 June 2010 on the Internet of Things (2009/2224(INI)) (15.06.2010) http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2… Communication to the European Parliament, the Council, the EESC and the committee of the Regions: Internet of Things - An action plan for Europe (18.06.2009) http://ec.europa.eu/information_society/policy/rfid/documents/commiot2009.p… EDRi-gram: EP, EDPS and EDRi on RFID and the Internet of Things (24.03.2010) http://www.edri.org/edrigram/number8.6/ep-edps-edri-policy-rfid EDRi-gram: Industry proposed RFID Privacy Impact Assessment Framework (19.05.2010) http://www.edri.org/edrigram/number8.10/rfid-privacy-impact-assesment-indus… Commission Recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (12.05.2009) http://ec.europa.eu/information_society/policy/rfid/documents/recommendatio… (Contribution by Andreas Krisch - EDRi) ============================================================ 5. Article 29 WP issues opinion on cookies in the new ePrivacy Directive ============================================================ The Article 29 Data Protection Working Party (WP) representing the European data protection authorities published on 24 June an opinion clarifying the application of the data protection rules in online behavioural advertising, with a focus on the new text of the ePrivacy Directive. Article 29 Working Party believes that while online behavioural advertising may be beneficial for businesses and users alike, it still raises personal data protection and privacy issues. The opinion states that the advertising providers using tracking cookies are bound, through the revised ePrivacy Directive, to obtain the informed consent of their users before the installation of tracking devices such as cookies. According to the Directive, storing and accessing information on users' computers is lawful only "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information about the purposes of the processing". The only except is in the case a cookie is absolutely necessary for the provision of a certain service required explicitly by a user. In its Opinion, the Working Party asks for simple and effective mechanisms by means of which users can give their consent for online behavioural advertising but also simple and effective mechanisms by means of which they can withdraw their consent. Presently, allowing cookies is a default setting with three out of the four major used browsers and Article 29 WP believes that the users not changing a default setting does not necessarily means consent. The users should be clearly informed, in an understandable manner, on the purposes of tracking and given the choice of having their behaviour browsed or not. "Average data subjects are not aware of the tracking of their online behaviour, the purposes of the tracking, etc. They are not always aware of how to use browser settings to reject cookies, even if this is included in privacy policies," says the opinion. However, the Working Party considered the consent may be given to an advertising network and not to every single website. "....the consent obtained to place the cookie and use the information to send targeting advertising would cover subsequent 'readings' of the cookie that take place every time the user visits a website partner of the ad network provider which initially placed the cookie." Article 29 WP also said that this consent should expire after a year, and that each advertising network should request consent again after that period. It also said that the consent could be withdrawn at any time. The Internet Advertising Bureau Europe, the European Publishers Council and other advertising and publishers' trade bodies reacted to this opinion by issuing a statement saying: "The industry believes this is a gross misinterpretation of the intention of the Directive and a misrepresentation of the type of data typically collected and processed for the purposes of serving interest-based advertising to consumers on our websites." The Article 29 WG's opinion is based on the opinion presented on 23 June 2010 during EP Privacy Platform Meeting by Belgian Data Protection Supervisor Mr. Debeuckelaere which focused on "Transparency, Information, Consent". During the meeting, aspects of behavioural advertising were discussed by more than 100 representatives from industry, privacy activists, EU institutions, governments and European data protection supervisors. The representatives of Privacy International and the Electronic Frontier Foundation argued that the user control tools do not allow for the complete erasure of profiles, and some data collection, for example by flash cookies, remains invisible and outside the control of the user. During the meeting, Mrs Sophia In 't Veld, rapporteur for competition issues in the Economic Affairs committee, suggested that besides consent and transparency, a key word should be "choice". "Often internet users are more or less obliged to give their consent, as there is no alternative. Users must have a real choice, otherwise it is just token consent", said In 't Veld who also pointed out the necessity of having a single set of data protection rules that would apply to the private as well as the public sectors. "We must regulate the use of personal data for commercial purposes, but the same standards of data protection should apply to the use of those same data by public authorities for law enforcement purposes. We often do not realise how government agencies are using data collected by companies for commercial purposes. But different rules apply to the private and public sectors. That must be corrected". Article 29 Data Protection Working Party Opt-out is not sufficient (24.06.2010) http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_26_06_10_en.pdf Opt-out is not sufficient - European Data Protection Authorities clarify EU rules on online behavioural Advertising (22.06.2010) http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp171_en.pdf Cookie consent can't be implied from browser settings, say privacy watchdogs (25.06.2010) http://www.out-law.com//default.aspx?page=11176 Transparency, Choice and Consent key words for cookies (24.06.2010) http://www.d66.nl/europa/nieuws/20100624/transparency_choice_and_consent ============================================================ 6. Increased pressure on Turkey to stop Internet blocking ============================================================ As Turkey continues its ban on Google's YouTube and other services, it attracts more and more criticism. After Turkey's President Abdullah Gul himself has taken position against its own government in this matter, it is now OSCE turn to react. On 22 June 2010, Dunja Mijatovic, the OSCE Representative on Freedom of the Media, asked the Turkish authorities to restore access to Google's YouTube and other services and change the much-criticized Law No. 5651 (so-called Internet Law) in order to be in line with international standards on free expression. "I ask the Turkish authorities to revoke the blocking provisions that prevent citizens from being part of today's global information society. I also ask them to carry out a very much needed reform of Law No. 5651," said Mijatovic. OSCE representative has sent a letter to Turkish Foreign Minister Ahmet Davutoglu, showing concern about the new blocking decisions taken at the beginning of June when the ban was extended to other Google services such as Google Translate or Google Docs. The Turkish Communication Minister Binali Yildirim has lately argued that the reason of banning Google services is related to tax disputes and has accused Google of infringing the Turkish law and of failing to cooperate with the Turkish authorities. "This site is waging a battle against the Turkish." But not even the flawed Internet Law includes tax disputes among the reasons for blocking websites, as was pointed out by Mijatovic who added: "My office has been promoting the urgent reform of Law No. 5651, because it considerably limits freedom of expression and severely restricts citizens' right to access information." Google, in its turn, is confident it complies with tax laws in every country where it operates. "We are currently in discussion with the Turkish authorities about this, and are confident we comply with Turkish law. We report profits in Turkey which are appropriate for the activities of our Turkish operations," was Google's statement. A petition has been signed by hundreds of Internet users denouncing the ban as an affront to "free speech and rights to access information" and calling for Binali Yildirim's resignation. Three information technology groups are challenging the ban in courts. Richard Howitt, a British member of the European Parliament and advocate of Turkey's European Union membership, has warned Turkey that the ban puts "the country alongside Iran, North Korea and Vietnam as one of the world's worst offenders for cyber censorship" and the country cannot expect to be considered as a serious candidate for the EU as long as it continues to censor the Internet. On 18 June 2010, as a protest against the decision taken by the Turkish Government, a group of hackers co-ordinated a DoS attack that lasted 10 hours against the websites of the Ministry of Transportation, Information and Communication Technologies Authority and the Telecommunications Communication Presidency, the authorities that have been directly involved in the banning. OSCE media freedom representative asks Turkey to withdraw recent Internet blocking provisions, calls for urgent reform of law (22.06.2010) http://www.osce.org/item/44754.html Turkey tightens Internet control in YouTube feud (26.06.2010) http://www.google.com/hostednews/ap/article/ALeqM5iPZmDTKYEB6SFdyOAv97vXytV… OSCE calls on Turkey to stop blocking YouTube (22.06.2010) http://www.reuters.com/article/idUSTRE65L3MP20100622 Access Denied to Turkish Censorship Authorities' websites (18.06.2010) http://cyberlaw.org.uk/2010/06/18/access-denied-to-turkish-censorship-autho… EDRi-gram: Turkey extends the censorship of YouTube (16.06.2010) http://www.edri.org/edrigram/number8.12/turkey-extends-blocking-youtube ============================================================ 7. Iceland - first steps for a new media haven ============================================================ Iceland's Parliament has recently accepted a proposal by Icelandic Modern Media Initiative (IMMI) asking the Icelandic Government to find "ways to strengthen freedoms of expression and information freedom in Iceland, (and provide) strong protections for sources and whistleblowers." The proposal from IMMI came after secret dealings by a few banks in Iceland in 2009 leading to enormous debts and the lack of regulation and control, almost bankrupted the entire country. The initiative comes also in relation to website Wikileaks, who made those Icelandese dealings public and which has a policy to make public secretly-submitted documents and materials. Its approval by the Parliament may turn Iceland into a haven for media, with one of the strongest freedom of expression and whistleblowing protection laws. "We can create a comprehensive policy and legal framework to protect the free expression needed for investigative journalism and other politically important publishing," says IMMI. The IMMI has proposed several legal reforms including the limitation of the scope of an exception to existing source protection laws, the increase of protections for whistleblowers employed by the state and the creation of a law similar to the free speech-protecting anti-SLAPP (Strategic Litigation against Public Participation) law of California. The plan intends to take advantage of protections in Iceland for material published from web servers based there. "Iceland could become an ideal environment for Internet-based international media and publishers to register their services, start-ups, data centers and human rights organizations. It could be a lever for the economy and create new work employment opportunities," says the initiative. Speaking at a meeting of the European Parliament on 21 June, MP Birgitta Jsnsdsttir said the Icelandic initiative "pulls together the best legislation from around the world to promote transparency" and suggested that such measures for the protection of sources may also be brought in Europe. "The right and ability to communicate knowledge is above most other rights. We must take care when regulating freedom of speech, because that speech is what all other rights are founded upon," said Jsnsdsttir. For those who suffer from breaches of confidence, according to Struan Robertson, a technology lawyer with Pinsent Masons, there will be some safeguards. "If Iceland is granting immunity to websites that host leaked documents, and if it's prepared to reject take-down orders from foreign courts, that gives the overseas content owner a real problem when the threat of domestic sanctions fails to deter a leak. The proposal does not affect copyright law, though. So it may be that take-down demands based on copyright infringement will be more effective than those based on breach of confidence." Icelandic parliament backs 'free speech haven' plan (21.06.2010) http://www.out-law.com//default.aspx?page=11158 Videos of proposal's vote (only in Icelandic) http://www.althingi.is/altext/hlusta.php?raeda=rad20100616T033127&horfa=1 http://www.althingi.is/altext/hlusta.php?raeda=rad20100616T033306&horfa=1 Icelandic Modern Media Initiative (IMMI) http://www.immi.is/?l=en&p=intro A Vision of Iceland as a Haven for Journalists (21.02.2010) http://www.nytimes.com/2010/02/22/business/media/22link.html EU 'must act as role model' in promoting free speech (23.06.2010) http://www.euractiv.com/en/pa/eu-must-act-role-model-promoting-free-speech-… ============================================================ 8. ENDitorial: Council of Europe draft Recommendation on Profiling ============================================================ Approximately in parallel to the work of the EU's Article 29 Committee on cookies, the Council of Europe has been preparing a wider Recommendation on profiling. The document has been discussed for over a year, with a consultation on an earlier draft having been organised at the end of 2009. While obviously responding to the increasing options offered by the digital environment with regard to public and private sector profiling, the text attempts to cover the online and offline environments. The document makes some pertinent statements - in addition to acknowledging the positive benefits of more targeted services, it points out that "the lack of transparency or even "invisibility" of profiling and the lack of accuracy that may derive from the automatic application of pre-established rules of inference can pose significant risks for the individual's rights and freedoms," that "violate the principle of non-discrimination" and that profiling could expose individuals to particularly high risks of discrimination and attacks on their personal rights and dignity. However, it then does little to mitigate these risk and, worse still, appears to increase the chances of such risks being taken with personal data by public authorities. The text copies and pastes definitions from the Convention on Data Protection which seem rather incongruous in this context in the absence of more detailed analysis and practical analysis. From the profiling organisation's perspective, it seems obvious that data should and will be "adequate, relevant and not excessive in relation to the purposes for which they are collected or for which they will be processed". Generally, however, a lot of questions are left open, such as what could be understood by "informed consent", procedures for providing access to and correction of data which is indirectly personally identifiable. Overall, the current draft text does little to clarify the core issues of effective communication to consumers, informed consent, access to and correction of data and the "right to be forgotten". Earlier drafts of the proposal were neutral on the use of profiling by states, indicating that the Recommendation was aimed at the private sector, leaving the choice to Member States to extend it to the public sector if they so wished. This was replaced in the most recent version, which seems to assume the use of profiling by state authorities and implicitly accepts that, when "necessary". Member States can both use profiling and avoid implementation of a large swathe of the Recommendation covering lawfulness, information and the rights of data subjects. Bearing in mind the dangers to fundamental rights identified and enumerated in the text and previous positions taken by the Council of Europe, it appears unlikely that implicit and uncritical support for profiling is the intention of the Recommendation. Draft Recommendation on the Protection of Individuals with regard to automatic processing of personal data in the framework of profiling June 2010 (3.06.2010) http://www.coe.int/t/e/legal_affairs/legal_co-operation/steering_committees… Draft Recommendation on the Protection of Individuals with regard to automatic processing of personal data in the framework of profiling (2.10.2009) http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/eve… EDRi Consultation Response (3.11.2009) http://www.edri.org/docs/edri_CoEprofiling_response_091103.pdf (Contribution by Joe McNamee - EDRi) ============================================================ 9. Recommended Action ============================================================ Public consultation on the open internet and net neutrality. DG Information Society and Media has launched a public consultation on key questions arising from the issue of net neutrality. The consultation covers such issues as whether internet providers should be allowed to adopt certain traffic management practices, prioritising one kind of internet traffic over another; whether such traffic management practices may create problems and have unfair effects for users; whether the level of competition between different internet service providers and the transparency requirements of the new telecom framework may be sufficient to avoid potential problems by allowing consumers' choice; and whether the EU needs to act further to ensure fairness in the internet market, or whether industry should take the lead. http://ec.europa.eu/information_society/policy/ecomm/library/public_consult… http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/860&format=HT… European Commissions4 public consultation on the future direction of EU trade policy Call open until 28 July 2010 http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=FutureTradePolicy http://trade.ec.europa.eu/doclib/docs/2010/june/tradoc_146220.pdf ============================================================ 10. Recommended Reading ============================================================ The European Court of Justice defines the scope of the protection of personal data in the context of access to documents of the Union institutions. Judgment of the Court of Justice in Case C-28/08: Commission v Bavarian Lager http://curia.europa.eu/jcms/jcms/P_65670/ http://curia.europa.eu/jurisp/cgi-bin/form.pl?lang=EN&Submit=rechercher&num… OFCOM: No need for net neutrality http://www.ofcom.org.uk/consult/condocs/net-neutrality/netneutrality.pdf http://www.out-law.com//default.aspx?page=11177 ============================================================ 11. Agenda ============================================================ 9-11 July 2010, Gdansk, Poland Wikimedia 2010 - the 6th annual Wikimedia Conference http://wikimania2010.wikimedia.org/wiki/Main_Page 25-31 July 2010, Meissen, Germany European Summer School on Internet Governance http://www.euro-ssig.eu 29-31 July 2010, Freiburg, Germany IADIS - International Conference ICT, Society and Human Beings 2010 http://www.ict-conf.org/ 2-6 August 2010, Helsingborg, Sweden Privacy and Identity Management for Life (PrimeLife/IFIP Summer School 2010) http://www.cs.kau.se/IFIP-summerschool/ 31 August - 3 September 2010, Budapest, Hungary OpenOffice 2010 Conference http://www.ooocon.org/index.php/ooocon/2010 13-17 September 2010, Crete, Greece Privacy and Security in the Future Internet 3rd Network and Information Security (NIS'10) Summer School http://www.nis-summer-school.eu 14-16 September 2010, Vilnius, Lithuania Internet Governance Forum 2010 http://igf2010.lt/ 8-9 October 2010, Berlin, Germany The 3rd Free Culture Research Conference http://wikis.fu-berlin.de/display/fcrc/Home 25-26 October 2010, Jerusalem, Israel OECD Conference on "Privacy, Technology and Global Data Flows", celebrating the 30th anniversary of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data http://www.oecd.org/sti/privacyanniversary 27-29 October 2010, Jerusalem, Israel The 32nd Annual International Conference of Data Protection and Privacy Commissioners http://www.privacyconference2010.org/ 28-31 October 2010, Barcelona, Spain oXcars and Free Culture Forum 2010, the biggest free culture event of all time http://exgae.net/oxcars10 http://fcforum.net/10 3-5 November 2010, Barcelona, Spain The Fifth International Conference on Legal, Security and Privacy Issues in IT Law. Call for papers deadline: 10 September 2010 http://www.lspi.net/ 17 November 2010, Gent, Belgium Big Brother Awards 2010 Belgium http://www.winuwprivacy.be/kandidaten ============================================================ 12. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 27 members based or with offices in 17 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram(a)edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request(a)edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request(a)edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edrigram-mk.php - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram(a)edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

EDRi-gram newsletter - Number 8.13, 30 June 2010
by EDRI-gram newsletter 06 Jul '18

06 Jul '18

============================================================ EDRi-gram biweekly newsletter about digital civil rights in Europe Number 8.13, 30 June 2010 ============================================================ Contents ============================================================ 1. Data retention - time for evidence-based decision making 2. Same privacy concerns for the new SWIFT treaty 3. ACTA - new criminal sanctions for non-commercial copyright uses? 4. EP calls for a clear legal framework for the Internet of Things 5. Article 29 WP issues opinion on cookies in the new ePrivacy Directive 6. Increased pressure on Turkey to stop Internet blocking 7. Iceland - first steps for a new media haven 8. ENDitorial: Council of Europe draft Recommendation on Profiling 9. Recommended Action 10. Recommended Reading 11. Agenda 12. About ============================================================ 1. Data retention - time for evidence-based decision making ============================================================ In June 2010 the European Parliament adopted a farcical "written declaration" ostensibly on the creation of an "early warning system" to fight pedophiles. Funded by unknown sources, the MEPs in charge (Zaborska from the Czech Republic and Motti from Italy) put together the Declaration in order to promote the retention of communications data and the extension of this practice to "search engines". After tabling the declaration, a highly polished, American-style lobby campaign went into operation. The lobbying neatly avoided mentioning data retention in any of the associated printed materials, in any of the e-mails sent to MEPs and on the campaign's website. The MEPs involved and their staff harangued and harassed parliamentarians, even to the point of putting lobbying material on their desks in the Parliament's hemicycle itself - with the simple message of "sign to fight sexual harassment" using a picture of a vulnerable-looking child. Mainly as a result of the large number of parliamentarians that signed due to mistakenly trusting what they were told about the content of the declaration, it was adopted. The Declaration has now been sent to the European Commission, where Cecillia Malmstrvm, who vehemently opposed the Data Retention Directive in her previous job as a Member of the European Parliament, needs to decide how to respond. Having indicated in the Swedish press that such an approach would be disproportionate, there are reasons to be hopeful that her position will be firm and favourable to citizens' rights. To make Commissioner Malmstrom's task even easier, she took an oath in May of this year to respect the Charter of Fundamental Rights of the European Union. Unequivocal opposition to such extreme proposals is important, particularly at the moment. By the end of this week, the relevant Directorate-General of the Commission will have completed its first draft assessment of the Data Retention Directive, which will then be reviewed by the Commissioner. This will then be followed by a second round of drafting, consultation with the other parts of the Commission and adoption of the final report, probably in the second half of September. In the absence of evidence to suggest that data retention has served any useful purpose, it is to be hoped that the Commissioner will maintain her opposition to the Directive and propose appropriate and ambitious amendments, removing obligations on all Member States to impose long-term blanket data retention on all citizens. This process is all the more important as a result of developments in the Council of Europe, which will soon adopt its Recommendation on Profiling. The current and almost final version of that text lends credibility to Member States that wish to exploit retained data to assign "profiles" to innocent citizens. The Recommendation exempts Member States from having to apply three important chapters: on lawfulness, data quality and sensitive data. In 2008, a report prepared for the Council of Europe pointed out that registration of internet users is "likely to have a chilling effect not just on journalists but on any users that wish to access public or legal, but controversial materials." The implementation of profiling would make this serious chilling effect seem minor in comparison. Campaigning against the Data Retention Directive is already in full swing. More than 100 organisations (including EDRi) from 23 European countries asked last week EU Commissioners Malmstrvm, Reding and Kroes in a joint letter to "propose the repeal of the EU requirements regarding data retention in favour of a system of expedited preservation and targeted collection of traffic data". Among the signatories are civil liberties, data protection and human rights associations as well as crisis line and emergency call operators, professional associations of journalists, jurists and doctors, trade unions, consumer organisations and industry associations. Study undertaken for the Council of Europe on the effects of anti-terror legislation (11.2008) http://www.coe.int/t/dghl/standardsetting/media/Doc/SpeakingOfTerror_en.pdf Written declaration 29 website http://www.smile29.eu Oath sworn by Commissioners (3.05.2010) http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/487 Draft Council of Europe Recommendation on profiling (3.06.2010) http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD%20documents/T-… Data retention Directive http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:00… Malmstrom says no to Google Storage (only in Swedish, 28.06.2010) http://www.svd.se/nyheter/inrikes/malmstrom-sager-nej-till-googlelagring_49… Letter to Commissioner (22.06.2010) http://www.vorratsdatenspeicherung.de/images/DRletter_Malmstroem.pdf Civil society calls for an end to compulsory telecommunications data retention (28.06.2010) http://www.vorratsdatenspeicherung.de/content/view/370/79/lang,en/ (Contribution by Joe McNamee - EDRi) ============================================================ 2. Same privacy concerns for the new SWIFT treaty ============================================================ The agreement between the EU and USA on the transfer of bank data through SWIFT was signed on 28 June 2010 after the Spanish Presidency of the Council of Ministers has accepted some of the changes on the text proposed by MEPs, but with no significant improvements from the Agreement rejected by the European Parliament in February 2010. The text of the new SWIFT Agreement will now probably be rushed through the next European Parliament plenary session in Strasbourg (5-8 July). After the draft agreement was initiated by Commissioner Cecilia Malmstrvm on 10 June, MEPs asked for changes to the text concerning the bulk transfer of data, the creation of an EU counterpart to the US Terrorist Finance Tracking Programme (TFTP), and EU oversight of TFTP data-processing in the US. Unfortunately, the new adopted text still allows for bulk data transfers. The Parliament would have liked to replace bulk data with targeted searches carried out by an EU-based authority but according to MEP Birgit Sippel, "We cannot reduce the problem of bulk data for the moment as we do not have the technical capability." The retention period is still 5 years and there is no real system in place from the US on a binding legal redress. The US Privacy Act court clauses only apply to US citizens and legal residents. Therefore there is currently no right of judicial review for foreign citizens and residents (including EU) under the US law. Another key critique to the current text is the role of Europol that should authorize the data transfer requests from the US. Besides the fact that Europol is not a judicial authority, as requested by the European Parliament in May 2010 Resolution, the incentive from this agency to limit the amount of data being transferred is extremely reduced due to the fact that they can actually request data searches from the US. On 25 June, EDPS Peter Hustinx expressed his concerns related to the transfer of bulk amounts of bank data to the U.S. authorities and pointed out the key elements to be improved for data protection, especially as regarding data retention periods, enforceability of the citizens' data protection rights, judicial oversight and independent supervision. "I am fully aware that the fight against terrorism and terrorism financing may require restrictions to the right to the protection of personal data. However, in view of the intrusive nature of the draft agreement, which allows transfers of data in bulk to the US, the necessity of such scheme should first be unambiguously established, especially in relation to already existing instruments. Would this be the case, other key elements should however be improved in order to meet the conditions of the EU legal framework for data protection." As MEP Alexander Alvaro told EurActiv, in terms of the agreement, the European Commission will write a framework for the extraction of data on US soil in order to set up an EU equivalent to TFTP and in case after five years this is not in place, the Commission will have to renegotiate or terminate the present agreement. But the present text automatically extends for one more year if nothing happens. It does not have to be renewed, it just has to be actively terminated. EU, US sign SWIFT agreement (28.06.2010) http://www.europeanvoice.com:80/article/2010/06/eu,-us-sign-swift-agreement… EU wins concessions on US bank data-sharing deal (25.06.2010) http://www.euractiv.com/en/justice/eu-wins-concessions-on-US-bank-data-shar… EU-US new draft agreement on financial data transfers: EDPS calls for further data protection improvements (22.06.2010) http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consu… EDRi-gram: New SWIFT agreement as bad as the rejected one (16.06.2010) http://www.edri.org/edrigram/number8.12/new-switf-proposal-bad ============================================================ 3. ACTA - new criminal sanctions for non-commercial copyright uses? ============================================================ A new round of negotiations on the Anti-Counterfeiting Trade Agreement (ACTA) is in progress until 1 July 2010 at Luzern, Switzerland between 11 parties including the EU. A document leaked from the EU Presidency dated 7 April 2010 shows that EU member states intended to introduce under ACTA more criminal sanctions for copyright infringements even for non-commercial reasons. The EU Presidency document stated that the position of the EU Member States is still under examination with regard to article 2.14.1 covering copyright or related rights infringements. Some proposals of this article explicitly plan to apply criminal sanctions to "infringements that have no direct or indirect motivation of financial gain". "The ACTA agreement, by its opacity and undemocratic nature, allows criminal sanctions to be simply negotiated. The leaked document shows that the EU Member States are willing to impose prison sanctions for non-commercial usages of copyrighted works on the Internet as well as for 'inciting and aiding', a notion so broad that it could cover any Internet service or speech questioning copyright policies. EU citizens should interrogate their governments about their support to policies that obviously attack freedom of speech, privacy and innovation" says Jirimie Zimmermann, spokesperson for La Quadrature du Net. ACTA will also hinder access to medicine by preventing the production and the exportation of generic molecules. "ACTA would affect the access to treatments worldwide, because it will hinder the access to cheap generic drugs. Without generic drugs, it would have never been possible for 4 millions people to have access to antiretroviral drugs. If concluded, ACTA would be a terrible stepback for millions of people living with HIV worldwide," stated Pauline Londeix, spokesperson for Act Up-Paris. Some countries, such as India, threatened to establish a coalition of countries against the treaty as they believe ACTA is in conflict with international trade law, and it undermines the balance of rights, obligations and flexibilities that already exists within international law. The Swiss Pirate Party together with their Pirate colleagues from Germany and Switzerland organised a rally at the Lucerne train station. The Pirate parties and a group of 12 non-governmental organisations are also having short meetings with the Swiss and other delegations. The Berne Declaration, Midecins Sans Frontihres , ACT UP Paris, Knowledge Ecology International, Oxfam, La Quadrature du Net, Third World Network, and representatives of the Washington College of Law issued on 23 June an urgent ACTA Communique, which attracted a huge number of signatories from MEPs, academics and NGOs. The document states that the new treaty will encourage internet service providers to police the activities of internet users by holding internet providers responsible for the actions of subscribers, conditioning safe harbours on adopting policing policies, and by requiring parties to encourage cooperation between service providers and rights holders. It will also encourage this surveillance, and the potential for punitive disconnections by private actors, without adequate court oversight or due process. In a joint statement of the European associations of fixed and mobile telecoms operators, European internet service providers, cable companies and digital media organisations have also warned that the "proposed obligation on online providers to reveal the identity of their subscribers directly to right holders violates the existing EU data protection obligations." Also, the International Trademark Association and the International Chamber of Commerce's Business Action to Stop Counterfeiting and Piracy submitted joint recommendations and comments on the ACTA text and recommended maintaining the "original, narrow scope of ACTA to trademark counterfeiting and copyright piracy for ACTA's effective implementation in different countries." According to them, "the scope of draft text of the agreement includes a wide range of intellectual property rights, which risks diluting the focus and overall strength of the trade agreement." International Experts Find that Pending Anti-Counterfeiting Trade Agreement Threatens Public Interests (23.06.2010) http://www.wcl.american.edu/pijip/go/acta-communique Leak: EU pushes for criminalizing non-commercial usages in ACTA (24.06.2010) http://www.laquadrature.net/en/leak-eu-pushes-for-criminalizing-non-commerc… ACTA: International 'three strikes', surveillance and worse (23.06.2010) http://www.openrightsgroup.org/blog/2010/acta-international-three-strikes-s… The ACTA casino must be closed (28.06.2010) http://www.laquadrature.net/en/the-acta-casino-must-be-closed Geist: Developing world opposition mounts to anti-counterfeiting agreement (28.06.2010) http://www.thestar.com/news/sciencetech/technology/lawbytes/article/828525-… Scope Of Anti-Counterfeiting Agreement Again A Big Issue In Round Nine (26.06.2010) http://www.ip-watch.org/weblog/2010/06/26/scope-of-anti-counterfeiting-agre… EDRi-gram: ACTA: European Commission transparently ignores European Parliament (21.04.2010) http://www.edri.org/edrigram/number8.8/acta-transparency-european-comission ============================================================ 4. EP calls for a clear legal framework for the Internet of Things ============================================================ In a resolution on the Internet of Things, adopted on 15 June 2010, the European Parliament (EP) welcomes the communication of the Commission on the topic and in principle endorses the broad outlines of the action plan to promote the Internet of Things. The Parliament however takes the view that the development of new applications and the actual functioning and business potential of the Internet of Things will be intrinsically linked to the trust European consumers have in the system, and points out that trust exists when doubts about potential threats to privacy and health are clarified. It stresses that this trust must be based on a clear legal framework, including rules governing the control, collection, processing and use of the data collected and transmitted by the Internet of Things and the types of consent needed from consumers. The Parliament further notes that the Internet of Things will lead to the collection of truly massive amounts of data and calls on the Commission, in this connection, to submit a proposal for the adaptation of the European Data Protection Directive with a view to address the data collected and transmitted by the Internet of Things. In the view of the Parliament, respect for privacy and the protection of personal data together with openness and interoperability are the only ways the Internet of Things will gain wider social acceptance. The EP firmly believes that all users should have control over their personal data and stresses that a precondition for promoting technology is the introduction of legal provisions to reinforce respect for the fundamental values and for the protection of personal data and privacy. In the context of privacy by design, the European Parliament also notes the opinion of the European Data Protection Supervisor (EDPS) on this topic, who stressed the importance of Privacy by Design as the guiding principle and highlighted that in the context of RFID, the existing data protection rules need to be complemented with additional rules imposing specific safeguards, particularly making it mandatory to embed technical solutions (Privacy by Design) in RFID technology. He furthermore expressed his concern that RFID operators in the retail sector may overlook the possibility for RFID tags to be monitored by unwanted third parties and thinks it is conceivable that self-regulation will not deliver the expected results. He therefore called upon the Commission to be ready to propose legislative instruments regulating the main issues of RFID usage in case the effective implementation of the existing legal framework fails. This call for a regulation of the main issues of RFID usage now obviously gained support from the European Parliament which, in addition, underlines that RFID applications must be operated in accordance with the rules on privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The resolution of the Parliament not only addresses the European Commission but also calls on manufacturers to secure the right to "chip silence" and calls for RFID application operators to take all reasonable steps to ensure that data does not relate to an identified or identifiable natural person unless such data is processed in compliance with the applicable principles and legal rules on data protection. It is the believe of the Parliament that a general principle should be adopted whereby Internet of Things technologies should be designed to collect and use only the absolute minimum amount of data needed to perform their function, and should prevent from collecting any supplementary data. It calls for a significant amount of the data shared by the Internet of Things to be made anonymous before being transmitted, in order to secure privacy. The European Parliament believes in the importance of ensuring that all fundamental rights - not only privacy - are protected in the process of developing the Internet of Things and calls on the Commission to monitor closely the implementation of the European regulations already adopted in this area and to present, by the end of the year, a timetable for the guidelines it intends to propose at the EU level for improving the safety of the Internet of Things and of RFID applications. As EDRi-gram reported earlier this year the resolution was drafted by MEP Maria Badia i Cutchet, rapporteur to the European Parliament's Committee on Industry, Research and Energy (ITRE) including opinions of the Committees on International Trade, Internal Market and Consumer Protection and Legal Affairs. The EP Resolution has to be seen not only in the context of the European Commission's communication on the Internet of Things and the EDPS opinion on Privacy by Design, but also of the European Commission's RFID recommendation and the Industry proposal for an RFID Privacy Impact Assessment, which unfortunately fails to identify a single specific risk. In this context, the resolution of the European Parliament can be seen as another strong signal towards the European Commission to act without undue delay to effectively protect the fundamental rights of individuals affected by RFID and other technologies related to the Internet of Things and towards manufacturers and RFID application operators to take their obligations serious and effectively secure privacy and data protection rights of all persons affected by their products and applications. European Parliament resolution of 15 June 2010 on the Internet of Things (2009/2224(INI)) (15.06.2010) http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2… Communication to the European Parliament, the Council, the EESC and the committee of the Regions: Internet of Things - An action plan for Europe (18.06.2009) http://ec.europa.eu/information_society/policy/rfid/documents/commiot2009.p… EDRi-gram: EP, EDPS and EDRi on RFID and the Internet of Things (24.03.2010) http://www.edri.org/edrigram/number8.6/ep-edps-edri-policy-rfid EDRi-gram: Industry proposed RFID Privacy Impact Assessment Framework (19.05.2010) http://www.edri.org/edrigram/number8.10/rfid-privacy-impact-assesment-indus… Commission Recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (12.05.2009) http://ec.europa.eu/information_society/policy/rfid/documents/recommendatio… (Contribution by Andreas Krisch - EDRi) ============================================================ 5. Article 29 WP issues opinion on cookies in the new ePrivacy Directive ============================================================ The Article 29 Data Protection Working Party (WP) representing the European data protection authorities published on 24 June an opinion clarifying the application of the data protection rules in online behavioural advertising, with a focus on the new text of the ePrivacy Directive. Article 29 Working Party believes that while online behavioural advertising may be beneficial for businesses and users alike, it still raises personal data protection and privacy issues. The opinion states that the advertising providers using tracking cookies are bound, through the revised ePrivacy Directive, to obtain the informed consent of their users before the installation of tracking devices such as cookies. According to the Directive, storing and accessing information on users' computers is lawful only "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information about the purposes of the processing". The only except is in the case a cookie is absolutely necessary for the provision of a certain service required explicitly by a user. In its Opinion, the Working Party asks for simple and effective mechanisms by means of which users can give their consent for online behavioural advertising but also simple and effective mechanisms by means of which they can withdraw their consent. Presently, allowing cookies is a default setting with three out of the four major used browsers and Article 29 WP believes that the users not changing a default setting does not necessarily means consent. The users should be clearly informed, in an understandable manner, on the purposes of tracking and given the choice of having their behaviour browsed or not. "Average data subjects are not aware of the tracking of their online behaviour, the purposes of the tracking, etc. They are not always aware of how to use browser settings to reject cookies, even if this is included in privacy policies," says the opinion. However, the Working Party considered the consent may be given to an advertising network and not to every single website. "....the consent obtained to place the cookie and use the information to send targeting advertising would cover subsequent 'readings' of the cookie that take place every time the user visits a website partner of the ad network provider which initially placed the cookie." Article 29 WP also said that this consent should expire after a year, and that each advertising network should request consent again after that period. It also said that the consent could be withdrawn at any time. The Internet Advertising Bureau Europe, the European Publishers Council and other advertising and publishers' trade bodies reacted to this opinion by issuing a statement saying: "The industry believes this is a gross misinterpretation of the intention of the Directive and a misrepresentation of the type of data typically collected and processed for the purposes of serving interest-based advertising to consumers on our websites." The Article 29 WG's opinion is based on the opinion presented on 23 June 2010 during EP Privacy Platform Meeting by Belgian Data Protection Supervisor Mr. Debeuckelaere which focused on "Transparency, Information, Consent". During the meeting, aspects of behavioural advertising were discussed by more than 100 representatives from industry, privacy activists, EU institutions, governments and European data protection supervisors. The representatives of Privacy International and the Electronic Frontier Foundation argued that the user control tools do not allow for the complete erasure of profiles, and some data collection, for example by flash cookies, remains invisible and outside the control of the user. During the meeting, Mrs Sophia In 't Veld, rapporteur for competition issues in the Economic Affairs committee, suggested that besides consent and transparency, a key word should be "choice". "Often internet users are more or less obliged to give their consent, as there is no alternative. Users must have a real choice, otherwise it is just token consent", said In 't Veld who also pointed out the necessity of having a single set of data protection rules that would apply to the private as well as the public sectors. "We must regulate the use of personal data for commercial purposes, but the same standards of data protection should apply to the use of those same data by public authorities for law enforcement purposes. We often do not realise how government agencies are using data collected by companies for commercial purposes. But different rules apply to the private and public sectors. That must be corrected". Article 29 Data Protection Working Party Opt-out is not sufficient (24.06.2010) http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_26_06_10_en.pdf Opt-out is not sufficient - European Data Protection Authorities clarify EU rules on online behavioural Advertising (22.06.2010) http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp171_en.pdf Cookie consent can't be implied from browser settings, say privacy watchdogs (25.06.2010) http://www.out-law.com//default.aspx?page=11176 Transparency, Choice and Consent key words for cookies (24.06.2010) http://www.d66.nl/europa/nieuws/20100624/transparency_choice_and_consent ============================================================ 6. Increased pressure on Turkey to stop Internet blocking ============================================================ As Turkey continues its ban on Google's YouTube and other services, it attracts more and more criticism. After Turkey's President Abdullah Gul himself has taken position against its own government in this matter, it is now OSCE turn to react. On 22 June 2010, Dunja Mijatovic, the OSCE Representative on Freedom of the Media, asked the Turkish authorities to restore access to Google's YouTube and other services and change the much-criticized Law No. 5651 (so-called Internet Law) in order to be in line with international standards on free expression. "I ask the Turkish authorities to revoke the blocking provisions that prevent citizens from being part of today's global information society. I also ask them to carry out a very much needed reform of Law No. 5651," said Mijatovic. OSCE representative has sent a letter to Turkish Foreign Minister Ahmet Davutoglu, showing concern about the new blocking decisions taken at the beginning of June when the ban was extended to other Google services such as Google Translate or Google Docs. The Turkish Communication Minister Binali Yildirim has lately argued that the reason of banning Google services is related to tax disputes and has accused Google of infringing the Turkish law and of failing to cooperate with the Turkish authorities. "This site is waging a battle against the Turkish." But not even the flawed Internet Law includes tax disputes among the reasons for blocking websites, as was pointed out by Mijatovic who added: "My office has been promoting the urgent reform of Law No. 5651, because it considerably limits freedom of expression and severely restricts citizens' right to access information." Google, in its turn, is confident it complies with tax laws in every country where it operates. "We are currently in discussion with the Turkish authorities about this, and are confident we comply with Turkish law. We report profits in Turkey which are appropriate for the activities of our Turkish operations," was Google's statement. A petition has been signed by hundreds of Internet users denouncing the ban as an affront to "free speech and rights to access information" and calling for Binali Yildirim's resignation. Three information technology groups are challenging the ban in courts. Richard Howitt, a British member of the European Parliament and advocate of Turkey's European Union membership, has warned Turkey that the ban puts "the country alongside Iran, North Korea and Vietnam as one of the world's worst offenders for cyber censorship" and the country cannot expect to be considered as a serious candidate for the EU as long as it continues to censor the Internet. On 18 June 2010, as a protest against the decision taken by the Turkish Government, a group of hackers co-ordinated a DoS attack that lasted 10 hours against the websites of the Ministry of Transportation, Information and Communication Technologies Authority and the Telecommunications Communication Presidency, the authorities that have been directly involved in the banning. OSCE media freedom representative asks Turkey to withdraw recent Internet blocking provisions, calls for urgent reform of law (22.06.2010) http://www.osce.org/item/44754.html Turkey tightens Internet control in YouTube feud (26.06.2010) http://www.google.com/hostednews/ap/article/ALeqM5iPZmDTKYEB6SFdyOAv97vXytV… OSCE calls on Turkey to stop blocking YouTube (22.06.2010) http://www.reuters.com/article/idUSTRE65L3MP20100622 Access Denied to Turkish Censorship Authorities' websites (18.06.2010) http://cyberlaw.org.uk/2010/06/18/access-denied-to-turkish-censorship-autho… EDRi-gram: Turkey extends the censorship of YouTube (16.06.2010) http://www.edri.org/edrigram/number8.12/turkey-extends-blocking-youtube ============================================================ 7. Iceland - first steps for a new media haven ============================================================ Iceland's Parliament has recently accepted a proposal by Icelandic Modern Media Initiative (IMMI) asking the Icelandic Government to find "ways to strengthen freedoms of expression and information freedom in Iceland, (and provide) strong protections for sources and whistleblowers." The proposal from IMMI came after secret dealings by a few banks in Iceland in 2009 leading to enormous debts and the lack of regulation and control, almost bankrupted the entire country. The initiative comes also in relation to website Wikileaks, who made those Icelandese dealings public and which has a policy to make public secretly-submitted documents and materials. Its approval by the Parliament may turn Iceland into a haven for media, with one of the strongest freedom of expression and whistleblowing protection laws. "We can create a comprehensive policy and legal framework to protect the free expression needed for investigative journalism and other politically important publishing," says IMMI. The IMMI has proposed several legal reforms including the limitation of the scope of an exception to existing source protection laws, the increase of protections for whistleblowers employed by the state and the creation of a law similar to the free speech-protecting anti-SLAPP (Strategic Litigation against Public Participation) law of California. The plan intends to take advantage of protections in Iceland for material published from web servers based there. "Iceland could become an ideal environment for Internet-based international media and publishers to register their services, start-ups, data centers and human rights organizations. It could be a lever for the economy and create new work employment opportunities," says the initiative. Speaking at a meeting of the European Parliament on 21 June, MP Birgitta Jsnsdsttir said the Icelandic initiative "pulls together the best legislation from around the world to promote transparency" and suggested that such measures for the protection of sources may also be brought in Europe. "The right and ability to communicate knowledge is above most other rights. We must take care when regulating freedom of speech, because that speech is what all other rights are founded upon," said Jsnsdsttir. For those who suffer from breaches of confidence, according to Struan Robertson, a technology lawyer with Pinsent Masons, there will be some safeguards. "If Iceland is granting immunity to websites that host leaked documents, and if it's prepared to reject take-down orders from foreign courts, that gives the overseas content owner a real problem when the threat of domestic sanctions fails to deter a leak. The proposal does not affect copyright law, though. So it may be that take-down demands based on copyright infringement will be more effective than those based on breach of confidence." Icelandic parliament backs 'free speech haven' plan (21.06.2010) http://www.out-law.com//default.aspx?page=11158 Videos of proposal's vote (only in Icelandic) http://www.althingi.is/altext/hlusta.php?raeda=rad20100616T033127&horfa=1 http://www.althingi.is/altext/hlusta.php?raeda=rad20100616T033306&horfa=1 Icelandic Modern Media Initiative (IMMI) http://www.immi.is/?l=en&p=intro A Vision of Iceland as a Haven for Journalists (21.02.2010) http://www.nytimes.com/2010/02/22/business/media/22link.html EU 'must act as role model' in promoting free speech (23.06.2010) http://www.euractiv.com/en/pa/eu-must-act-role-model-promoting-free-speech-… ============================================================ 8. ENDitorial: Council of Europe draft Recommendation on Profiling ============================================================ Approximately in parallel to the work of the EU's Article 29 Committee on cookies, the Council of Europe has been preparing a wider Recommendation on profiling. The document has been discussed for over a year, with a consultation on an earlier draft having been organised at the end of 2009. While obviously responding to the increasing options offered by the digital environment with regard to public and private sector profiling, the text attempts to cover the online and offline environments. The document makes some pertinent statements - in addition to acknowledging the positive benefits of more targeted services, it points out that "the lack of transparency or even "invisibility" of profiling and the lack of accuracy that may derive from the automatic application of pre-established rules of inference can pose significant risks for the individual's rights and freedoms," that "violate the principle of non-discrimination" and that profiling could expose individuals to particularly high risks of discrimination and attacks on their personal rights and dignity. However, it then does little to mitigate these risk and, worse still, appears to increase the chances of such risks being taken with personal data by public authorities. The text copies and pastes definitions from the Convention on Data Protection which seem rather incongruous in this context in the absence of more detailed analysis and practical analysis. From the profiling organisation's perspective, it seems obvious that data should and will be "adequate, relevant and not excessive in relation to the purposes for which they are collected or for which they will be processed". Generally, however, a lot of questions are left open, such as what could be understood by "informed consent", procedures for providing access to and correction of data which is indirectly personally identifiable. Overall, the current draft text does little to clarify the core issues of effective communication to consumers, informed consent, access to and correction of data and the "right to be forgotten". Earlier drafts of the proposal were neutral on the use of profiling by states, indicating that the Recommendation was aimed at the private sector, leaving the choice to Member States to extend it to the public sector if they so wished. This was replaced in the most recent version, which seems to assume the use of profiling by state authorities and implicitly accepts that, when "necessary". Member States can both use profiling and avoid implementation of a large swathe of the Recommendation covering lawfulness, information and the rights of data subjects. Bearing in mind the dangers to fundamental rights identified and enumerated in the text and previous positions taken by the Council of Europe, it appears unlikely that implicit and uncritical support for profiling is the intention of the Recommendation. Draft Recommendation on the Protection of Individuals with regard to automatic processing of personal data in the framework of profiling June 2010 (3.06.2010) http://www.coe.int/t/e/legal_affairs/legal_co-operation/steering_committees… Draft Recommendation on the Protection of Individuals with regard to automatic processing of personal data in the framework of profiling (2.10.2009) http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/eve… EDRi Consultation Response (3.11.2009) http://www.edri.org/docs/edri_CoEprofiling_response_091103.pdf (Contribution by Joe McNamee - EDRi) ============================================================ 9. Recommended Action ============================================================ Public consultation on the open internet and net neutrality. DG Information Society and Media has launched a public consultation on key questions arising from the issue of net neutrality. The consultation covers such issues as whether internet providers should be allowed to adopt certain traffic management practices, prioritising one kind of internet traffic over another; whether such traffic management practices may create problems and have unfair effects for users; whether the level of competition between different internet service providers and the transparency requirements of the new telecom framework may be sufficient to avoid potential problems by allowing consumers' choice; and whether the EU needs to act further to ensure fairness in the internet market, or whether industry should take the lead. http://ec.europa.eu/information_society/policy/ecomm/library/public_consult… http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/860&format=HT… European Commissions4 public consultation on the future direction of EU trade policy Call open until 28 July 2010 http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=FutureTradePolicy http://trade.ec.europa.eu/doclib/docs/2010/june/tradoc_146220.pdf ============================================================ 10. Recommended Reading ============================================================ The European Court of Justice defines the scope of the protection of personal data in the context of access to documents of the Union institutions. Judgment of the Court of Justice in Case C-28/08: Commission v Bavarian Lager http://curia.europa.eu/jcms/jcms/P_65670/ http://curia.europa.eu/jurisp/cgi-bin/form.pl?lang=EN&Submit=rechercher&num… OFCOM: No need for net neutrality http://www.ofcom.org.uk/consult/condocs/net-neutrality/netneutrality.pdf http://www.out-law.com//default.aspx?page=11177 ============================================================ 11. Agenda ============================================================ 9-11 July 2010, Gdansk, Poland Wikimedia 2010 - the 6th annual Wikimedia Conference http://wikimania2010.wikimedia.org/wiki/Main_Page 25-31 July 2010, Meissen, Germany European Summer School on Internet Governance http://www.euro-ssig.eu 29-31 July 2010, Freiburg, Germany IADIS - International Conference ICT, Society and Human Beings 2010 http://www.ict-conf.org/ 2-6 August 2010, Helsingborg, Sweden Privacy and Identity Management for Life (PrimeLife/IFIP Summer School 2010) http://www.cs.kau.se/IFIP-summerschool/ 31 August - 3 September 2010, Budapest, Hungary OpenOffice 2010 Conference http://www.ooocon.org/index.php/ooocon/2010 13-17 September 2010, Crete, Greece Privacy and Security in the Future Internet 3rd Network and Information Security (NIS'10) Summer School http://www.nis-summer-school.eu 14-16 September 2010, Vilnius, Lithuania Internet Governance Forum 2010 http://igf2010.lt/ 8-9 October 2010, Berlin, Germany The 3rd Free Culture Research Conference http://wikis.fu-berlin.de/display/fcrc/Home 25-26 October 2010, Jerusalem, Israel OECD Conference on "Privacy, Technology and Global Data Flows", celebrating the 30th anniversary of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data http://www.oecd.org/sti/privacyanniversary 27-29 October 2010, Jerusalem, Israel The 32nd Annual International Conference of Data Protection and Privacy Commissioners http://www.privacyconference2010.org/ 28-31 October 2010, Barcelona, Spain oXcars and Free Culture Forum 2010, the biggest free culture event of all time http://exgae.net/oxcars10 http://fcforum.net/10 3-5 November 2010, Barcelona, Spain The Fifth International Conference on Legal, Security and Privacy Issues in IT Law. Call for papers deadline: 10 September 2010 http://www.lspi.net/ 17 November 2010, Gent, Belgium Big Brother Awards 2010 Belgium http://www.winuwprivacy.be/kandidaten ============================================================ 12. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 27 members based or with offices in 17 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram(a)edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request(a)edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request(a)edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edrigram-mk.php - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram(a)edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

Re: The state-level attack on the SSL CA security model
by Florian Weimer 06 Jul '18

06 Jul '18

* Crist Clark: > Any large, well funded national-level intelligence agency > almost certainly has keys to a valid CA distributed with > any browser or SSL package. It would be trivial for the US > Gov't (and by extension, the whole AUSCANNZUKUS intelligence > community) to simply form a shell company CA that could get > a trusted cert in the distros or enlist a "legit" CA to do > their patriotic duty (along with some $$$) and give up a key. I think this is far too complicated. You just add your state PKI to the browsers, and the CPS does not require any checks on the Common Name, to verify it's actually somehow controlled by the certificate holder. Curiously, such CAs can pass Webtrust audits. Now I'm a realist and assume that the bureaucrats involved are just too incompetent to write a proper CPS (and the auditors to lazy to notice). Authoring policies and paying attention to detail, should be second nature to them, but somehow I doubt that the FPKI (say) issues certificates for non-federal entities to help with ongoing FBI investigations. (Same for the German government agencies who actually managed to get Mozilla approval for their non-CN-checking CAs.) -- Florian Weimer <fweimer(a)bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstra_e 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

Re: The state-level attack on the SSL CA security model
by Florian Weimer 06 Jul '18

06 Jul '18

* Crist Clark: > Any large, well funded national-level intelligence agency > almost certainly has keys to a valid CA distributed with > any browser or SSL package. It would be trivial for the US > Gov't (and by extension, the whole AUSCANNZUKUS intelligence > community) to simply form a shell company CA that could get > a trusted cert in the distros or enlist a "legit" CA to do > their patriotic duty (along with some $$$) and give up a key. I think this is far too complicated. You just add your state PKI to the browsers, and the CPS does not require any checks on the Common Name, to verify it's actually somehow controlled by the certificate holder. Curiously, such CAs can pass Webtrust audits. Now I'm a realist and assume that the bureaucrats involved are just too incompetent to write a proper CPS (and the auditors to lazy to notice). Authoring policies and paying attention to detail, should be second nature to them, but somehow I doubt that the FPKI (say) issues certificates for non-federal entities to help with ongoing FBI investigations. (Same for the German government agencies who actually managed to get Mozilla approval for their non-CN-checking CAs.) -- Florian Weimer <fweimer(a)bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstra_e 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

Final announcement for ECC 2003
by ECC 2003 06 Jul '18

06 Jul '18

--------------------------------------------------------------------- THE 7TH WORKSHOP ON ELLIPTIC CURVE CRYPTOGRAPHY (ECC 2003) University of Waterloo, Waterloo, Ontario, Canada August 11, 12 & 13 2003 FINAL ANNOUNCEMENT July 19, 2003 ********************************************************************* NOTES: 1) Please note that the deadline for registration is August 1. 2) The last lecture at ECC 2003 will end at 3:00 pm on Wednesday (Aug 13). This will give participants sufficient time to catch flights scheduled to leave Toronto after 7:00 pm. There are hourly flights from Toronto to Ottawa for those who wish to attend SAC 2003. 3) If you would like to be removed from this mailing list please reply with a brief note. You will be immediately removed from the list. ********************************************************************* ********************************************************************* ECC 2003 is the seventh in a series of annual workshops dedicated to the study of elliptic curve cryptography and related areas. The main themes of ECC 2003 will be: - The discrete logarithm problem. - Efficient parameter generation and point counting. - Provably secure cryptographic protocols. - Efficient software and hardware implementation. - Side-channel attacks. - Deployment of elliptic curve cryptography. It is hoped that the meeting will continue to encourage and stimulate further research on the security and implementation of elliptic curve cryptosystems and related areas, and encourage collaboration between mathematicians, computer scientists and engineers in the academic, industry and government sectors. Attendees of ECC 2003 might also wish to attend SAC 2003 (Ottawa, Aug 14-15) and CRYPTO 2003 (Santa Barbara, Aug 17-21). The last lecture at ECC 2003 will end at 3:00 pm on Wednesday (Aug 13). This will give participants sufficient time to catch flights scheduled to leave Toronto after 7:00 pm. There are hourly flights from Toronto to Ottawa. SPONSORS: Certicom Corp. MITACS Motorola The Fields Institute University of Essen University of Waterloo ORGANIZERS: Gerhard Frey (University of Essen) Darrel Hankerson (Auburn University) Alfred Menezes (University of Waterloo) Christof Paar (Ruhr-Universitat Bochum) Edlyn Teske (University of Waterloo) Scott Vanstone (University of Waterloo) SPEAKERS: Hans Dobbertin (Ruhr-Universitat Bochum, Germany) Florian Hess (University of Bristol, UK) Hugo Krawczyk (Technion, Israel, and IBM Research, USA) Tanja Lange (Ruhr-Universitat Bochum, Germany) Reynald Lercier (Centre d'Electronique de L'Armement, France) Ben Lynn (Stanford University, USA) William Martin (National Security Agency, USA) Christof Paar (Ruhr-Universitat Bochum, Germany) John Proos (University of Waterloo, Canada) Jean-Jacques Quisquater (Universite Catholique de Louvain, Belgium) Pankaj Rohatgi (IBM Research, USA) Victor Shoup (New York University, USA) Jerome A. Solinas (National Security Agency, USA) Edlyn Teske (University of Waterloo, Canada) Nicolas Theriault (University of Toronto, Canada) Eran Tromer (Weizmann Institute of Science, Israel) CONFERENCE PROGRAMME: All lectures will take place in Room 1302 of the Davis Center, University of Waterloo ==================== Monday, August 11 ==================== 8:00 - 9:00 am: Coffee and registration 9:00 - 10:00 am: William Martin: High confidence software and systems, an NSA perspective 10:00 - 10:30 am: Mid-morning coffee break 10:30 - 11:30 am: Hans Dobbertin: To be announced 11:30 - 12:30 pm: Eran Tromer: Hardware-based implementation of factoring algorithms 12:30 - 2:00 pm: lunch 2:00 - 3:00 pm: Hugo Krawczyk: Design and analysis of authenticated Diffie-Hellman protocols 3:00 - 4:00 pm: Victor Shoup: Practical verifiable encryption and decryption of discrete logarithms 4:00 - 4:30 pm: Afternoon coffee break 4:30 - 5:30 pm: Pankaj Rohatgi: Power, EM and all that: Is your crypto device really secure? 6:00 pm: Reception at the Waterloo Inn 7:00 pm: Banquet at the Waterloo Inn ===================== Tuesday, August 12 ===================== 8:00 - 9:00 am: Morning coffee 9:00 - 10:00 am: Jean-Jacques Quisquater: 2 or 3 side-channels for ECC 10:00 - 10:30 am: Mid-morning coffee break 10:30 - 11:30 am: Tanja Lange: Efficient arithmetic on (hyper-)elliptic curves over finite fields 11:30 - 12:30 pm: Christof Paar: Hyperelliptic curve cryptosystems for embedded applications 12:30 - 2:00 pm: lunch 2:00 - 3:00 pm: Reynald Lercier: Algorithmic aspects of Mestre's p-adic point counting ideas 3:00 - 4:00 pm: Ben Lynn: Applications of bilinear maps 4:00 - 4:30 pm: Afternoon coffee break 4:30 - 5:30 pm: Jerome A. Solinas: ID-based digital signature algorithms 5:30 - 7:00 pm: Cocktail Reception (Davis Centre, University of Waterloo) ======================= Wednesday, August 13 ======================= 8:00 - 9:00 am: Morning coffee 9:00 - 10:00 am: John Proos: Security in the presence of decryption failures 10:00 - 10:30 am: Mid-morning coffee break 10:30 - 11:30 am: Nicolas Theriault: Index calculus attack for hyperelliptic curves of small genus 11:30 - 1:00 pm: lunch 1:00 - 2:00 pm: Florian Hess: The GHS attack revisited 2:00 - 3:00 pm: Edlyn Teske: Weak fields for ECC REGISTRATION: There will be a registration fee this year of $250 Cdn or $170 US ($150 Cdn or $100 US for full-time graduate students). Sorry, but we cannot accept payment in Euros. PLEASE REGISTER AS SOON AS POSSIBLE AS SPACE IS LIMITED FOR THIS WORKSHOP; REGISTRATION IS ON A FIRST-COME FIRST-SERVE BASIS. We cannot process a registration until all fees are paid in full. The deadline for all fees to be paid and registration completed has been set for the 1st of August, 2003. However, you are encouraged to register earlier than Aug 1 since some hotels have a cutoff date of June 29. To register, complete, in full, the attached REGISTRATION FORM and return it along with your payment to: Mrs. Adrienne Richter, C&O Dept., University of Waterloo, Waterloo, Ontario, Canada N2L 3G1. You can also send your registration form by fax (519-725-5441) or by email (ecc2003(a)math.uwaterloo.ca) Confirmation of your registration will be sent by email when payment is received in full. ------------------------cut from here--------------------------------- ECC 2003 CONFERENCE REGISTRATION FORM Fullname: _________________________________________________________ Affiliation: _________________________________________________________ Address: _________________________________________________________ _________________________________________________________ _________________________________________________________ _________________________________________________________ _________________________________________________________ E-Mail Address: _________________________________________________________ Telephone #: _________________________________________________________ Registration Fee: Please check the appropriate box: [ ] Registration .......$250.00 CAD ..............$________ [ ] Registration .......$170.00 USD ..............$________ [ ] Full-time Student ..$150.00 CAD ..............$________ [ ] Full-time Student ..$100.00 USD ..............$________ Registration Fee includes Banquet: Attending [ ] Yes [ ] No Vegetarian [ ] Yes [ ] No TOTAL AMOUNT PAYABLE: ............................$________ **Make Cheque/Money Order Payable to: ECC 2003 Credit Card Payments: [ ] Visa [ ] MasterCard Cardholder's Name: ________________________________________________ Card Number: ______________________________________________________ Expiration Date: __________________________________________________ Signature: ________________________________________________________ Additional Information: ___________________________________________ -------------------------cut from here------------------------------- TRAVEL: Kitchener-Waterloo is approximately 100 km/60 miles from Pearson International Airport in Toronto. Ground transportation to Kitchener-Waterloo can be pre-arranged with Airways Transit. TRANSPORTATION TO AND FROM TORONTO AIRPORT PROVIDED BY AIRWAYS TRANSIT It is advisable to book your transportation between the Pearson Airport, Toronto, and Waterloo in advance to receive the advance booking rate of $38 CAD per person, one way, with Airways Transit (open 24 hours a day). Please quote "ECC2003" when making your reservation. Airways is a door-to-door service; they accept cash (Cdn or US funds), MasterCard, Visa and American Express. Upon arrival: Terminal 1: proceed to Ground Transportation Booth, Arrivals Level. Terminal 2: proceed to Airways Transit desk, Arrivals Level, Area E. Terminal 3: proceed to Ground Transportation Booth, Arrivals Level, between Doors B and C. You can make a reservation through their web site: www.airwaystransit.com Or, you can complete the form below and send by mail or fax (519-886-2141) well in advance of your arrival to Airways Transit. They will not fax confirmations: your fax transmission record is confirmation of your reservation. -------------------------cut from here--------------------------------- AIRWAYS TRANSIT ADVANCE BOOKING FORM - ECC 2003 ARRIVAL INFORMATION: ____________________________________________________________ Surname First name ____________________________________________________________ Toronto Arrival Date Airline Flight # ____________________________________________________________ Arrival Time Arriving From ____________________________________________________________ Destination in Kitchener/Waterloo No. in party DEPARTURE INFORMATION: ____________________________________________________________ Surname First name ____________________________________________________________ Toronto Departure Date Airline Flight # ____________________________________________________________ Departure Time Flight # Destination ____________________________________________________________ Pickup From No. in party ____________________________________________________________ Signature Date Send or Fax to: Airways Transit 99A Northland Road Waterloo, Ontario Canada, N2V 1Y8 Fax: (519) 886-2141 Telephone: (519) 886-2121 -----------------------------cut form here-------------------------------- ACCOMMODATIONS: There is a limited block of rooms set aside on a first-come first-serve basis at the Waterloo Inn for the evenings of August 10, 11, 12 and 13, and at the Comfort Inn for the evenings of August 9, 10, 11, 12 and 13. Please note that the Waterloo Inn is sold out for the evening of August 9. COMFORT INN Address: 190 Weber Street North, Waterloo, Ontario, Canada N2J 3H4 Phone: (519) 747-9400 Rate: $80 Cdn plus taxes/night for a single or double room Please quote "ECC 2003" when making your reservation Availability: Evenings of August 9, 10, 11, 12, 13 Cut-off date: July 7, 2003 WATERLOO INN Address: 475 King Street North, Waterloo, Ontario, Canada N2J 2Z5 Phone: (519) 884-0222 Fax: (519) 884-0321 Toll Free: 1-800-361-4708 Website: www.waterlooinn.com Rate: $118 Cdn plus taxes/night for a single or double room Please quote "ECC 2003" when making your reservation Availability: Evenings of August 10, 11, 12, 13 Cut-off date: June 29, 2003 Other hotels close to the University of Waterloo are: UNIVERSITY OF WATERLOO CONFERENCE CENTRE (on-campus accommodation; no air conditioning) Ron Eydt Village, Box 16610, Waterloo, Ontario, Canada N3J 4C1 Phone: 519-884-5400, 519-746-7599 Website: www.conferences.uwaterloo.ca (see "Room Registration") Approx rate: $52 Cdn plus taxes/night DESTINATION INN 547 King Street North, Waterloo, Ontario, Canada N2L 5Z7 Phone: (519) 884-0100 Website: www.destinationinn.com Approx rate: $73 Cdn plus taxes/night BEST WESTERN INN St. Jacobs Country Inn 50 Benjamin Road East, Waterloo, Ontario, Canada N2V 2J9 Phone: (519) 884-9295 Website: www.stjacobscountryinn.com Approx rate: $129 Cdn plus taxes/night THE WATERLOO HOTEL 2 King Street North, Waterloo, Ontario, Canada N2J 2W7 Phone: (519) 885-2626 Website: www.countryinns.org/inn_waterloo.html Approx rate: $120-160 Cdn plus taxes/night HOTEL TO CONFERENCE TRANSPORTATION: A shuttle to/from the campus will be available each day of the conference from the Waterloo Inn and Comfort Inn only. Place and times for pickup and drop-off will be emailed to registrants a week before the workshop. FURTHER INFORMATION: For further information or to return your Registration, please contact: Mrs. Adrienne Richter Department of Combinatorics & Optimization University of Waterloo Waterloo, Ontario, Canada N2L 3G1 e-mail: ecc2003(a)math.uwaterloo.ca Fax: (519) 725-5441 Phone: (519) 888-4027 --------------------------------------------------------------------- --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah(a)ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

1 0

[Politech] German court bans police from installing Trojan Horses remotely [priv]
by Declan McCullagh 06 Jul '18

06 Jul '18

A few thoughts: 1. This seems to preclude German police from doing a remote search (which would have to include malware or some way of exploiting a security hole on the target's computer) even with a court order. 2. In the U.S., the FBI reportedly has developed similar malware called Magic Lantern, which we've discussed here before: http://www.politechbot.com/p-03034.html http://en.wikipedia.org/wiki/Magic_Lantern_%28software%29 3. I can't think of any domestic case offhand when we know for a fact that the FBI has gained unauthorized remote access to a suspect's system. Can anyone? The Scarfo case involved physical access, and this remote intrusion case dealt with a computer in Russia: http://news.zdnet.com/2100-9595_22-529917.html -Declan --- http://www.nytimes.com/aponline/world/AP-Computer-Searches.html?_r=1&oref=s… gin German Court Nixes Hard Drive Search By THE ASSOCIATED PRESS Published: February 5, 2007 Filed at 1:42 p.m. ET BERLIN (AP) -- A German court on Monday ruled that police cannot remotely search criminal suspects' computer hard drives over the Internet without their knowledge. The decision of the Federal Court of Justice in Karlsruhe bars police from using the online ''Trojan horse'' method, which involves using a computer program to search through remote hard drives over an Internet connection, unless parliament passes a law explicitly allowing it. Police will still be allowed to seize evidence from computer hard drives when conducting searches in person. [...remainder snipped...] _______________________________________________ Politech mailing list Archived at http://www.politechbot.com/ Moderated by Declan McCullagh (http://www.mccullagh.org/) ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

1 0

[tt] NS: Laptops could betray users in the developing world
by Premise Checker 06 Jul '18

06 Jul '18

Laptops could betray users in the developing world http://technology.newscientist.com/article.ns?id=mg19826596.100&print=true 8.6.5 Colin Barras IN JANUARY, a court in Mazar-e-Sharif, Afghanistan, sentenced a young journalism student to death. Sayed Pervez Kambaksh's crime was to download and distribute a document about Islam and women's rights to his fellow students at Balkh University in Mazar, an action that the court considered blasphemous. Despite widespread international condemnation, the Afghan Senate later passed a motion confirming the death sentence. Kambaksh was caught because some of his fellow students reported him to the authorities. But oppressive governments could soon have a simple way to track the internet activity of their citizens directly, potentially paving the way for many more such cases. For security reasons, sensitive data sent over the internet, such as that used for online banking transactions, is digitally signed at source with a signature that can be traced to the user's computer. This helps validate their identity and guard against fraud. The system is known as non-repudiation, because the person creating the digital signature can reasonably be assumed to be the source of the sensitive data and, in a fraud case, for example, cannot repudiate this. If this system were to become the default setting for all traffic on a network, there would be nothing to stop authorities from tracing the source of any online activity, says Len Sassaman, a computer security researcher at the Catholic University of Leuven (KUL) in Belgium. Users would be stripped of their anonymity and authorities could identify anyone that criticised them. "If countries like Afghanistan were to switch to a system where the user cannot refute any action they took on the internet, I suspect we'll see more cases like Kambaksh's," says Sassaman. Now Sassaman and his colleague Meredith Patterson at the University of Iowa in Iowa City claim a prominent philanthropic organisation is inadvertently in the process of introducing just such a system across the developing world. The One Laptop per Child foundation (OLPC), the brainchild of Nicholas Negroponte, hopes to provide children around the world with a cheap laptop, called the XO, and access to the internet. But rolling out internet-ready laptops to inexperienced users across the developing world poses a huge security problem, not least because the devices could easily get stolen. To minimise this risk, the OLPC security team, formerly led by Ivan Krsti at Harvard University, developed the Bitfrost security model. Bitfrost has garnered praise from security experts around the world for its innovations, such as its anti-theft system, P_THEFT. Each laptop automatically phones an anti-theft server each day, sending its serial number. The server responds with an activation lease, valid for the next 24 hours. Any laptop that has been reported stolen is denied activation and becomes a useless lump of plastic and metal. While this will discourage theft, Sassaman and Patterson think there is a crucial element missing from the Bitfrost security model - personal privacy. Because the XO laptops will often be used in areas with limited internet connectivity, the OLPC team chose to use a mesh network, in which all XO computers in the region act as nodes. This means a message might pass through many XOs before it reaches its target, so each one is digitally signed to authenticate its source. While it is possible to use a digital signature that simply confirms the device is legitimate without identifying it, Bitfrost uses non-repudiable digital signatures. These can be traced to a specific laptop and - since children must register their details with a central database on taking possession of their XO - an individual child. "If a government happens to be monitoring, perhaps by inserting itself into the network between two XOs, it can prove to the world that the communicating parties said what they said," says Sassaman. Then, taking advantage of the P_THEFT system, the government could silence the user by simply denying their laptop a new activation key. Steven Murdoch, a privacy and security researcher at the University of Cambridge, says that Sassaman and Patterson have made a useful contribution to the Bitfrost model. "What I found most surprising about the Bitfrost specification is that it doesn't appear to consider governments as a risk to security," he says. Simson Garfinkel, a former security consultant for OLPC, dismisses the claims. He says Bitfrost does not use the signature to track user activity, adding that the model was intensely scrutinised by security experts after it was developed. "It's an issue of intent versus possibility," counters Sassaman. "They may not intend for the signatures to be used for non-repudiation, but it's possible to use them for this purpose." That won't be an issue, says Ricky Greenwald, a clinical psychologist and founder of the Child Trauma Institute in Greenfield, Massachusetts. Governments won't need to monitor the internet activity of 5 to 10-year-olds. "Children that age are more likely to use their computer for games and schoolwork," he says. It's very unlikely that a child's laptop would be deactivated by an oppressive regime, he says. Sassaman disagrees. "Remember where these computers are being deployed," he says. "We have 11-year-olds in some of these countries being drafted as child soldiers. Why would we not want to give them the ability to whistleblow?" Furthermore, Sassaman points out that it is unlikely that XO laptops will be used by children alone. "The OLPC project is laying the groundwork for a major network across the Third World," he says. "It's rather short-sighted to think that this would be limited to children, or to education." With rumours that an adult XO programme is in development, it is important to tackle security issues now, he says. To this end, Sassaman and Patterson are working on a modified version of Bitfrost that will allow XO laptops to identify each other without eroding the privacy of their users. Their work is at a preliminary stage, but will be based on existing cryptographic techniques that cannot be used for non-repudiation. With recent changes at the OLPC project it remains to be seen how widely Bitfrost will be installed in the XO laptops (see "Education, or just the laptop?"). The security system was designed to run alongside the Linux operating system and the experimental Sugar graphical user interface developed for the project. Last month, however, OLPC announced that the latest XO laptops will run Windows XP, although the foundation said the machines will eventually be able to run both operating systems. So far, there are 1000 XOs in Mongolia and 8000 in Uruguay using Bitfrost, with thousands more due to be delivered this year. Other countries that have agreed to buy XOs include Peru, Libya, Nigeria and Rwanda. Meanwhile Walter Bender, the former president of software and content at the OLPC, has begun talks with a number of ultra-low-cost laptop manufacturers that might see Sugar deployed on non-XO laptops in the near future. "Bitfrost is a far-reaching design," Bender says. "Much of it is of general use, and aspects of Bitfrost will be folded into the Sugar efforts." Sassaman welcomes this development. "Don't get me wrong, Bitfrost is a highly ambitious project. It's an application of lessons learned in software security and in that respect it has done a great job," he says. "They just happened to overlook a significant issue - user privacy. But those problems can be fixed without changing the goals of Bitfrost." At the time New Scientist went to press, after four months of international pressure, the Afghan authorities appear to be on the verge of freeing Kambaksh. With modifications to Bitfrost, Sassaman and Patterson hope that, in similar cases, at least people's computers won't betray them. Computer Viruses - Learn more about the threats to your PC in our comprehensive special report. Education, or just the laptop? Earlier this year, Nicholas Negroponte claimed that One Laptop per Child, the organisation he founded, had been acting "like a terrorist group" and needed to be managed "more like Microsoft". Since then, OLPC has lost some of its key members and all but abandoned a Linux operating system in favour of the ubiquitous Microsoft Windows XP. Reports suggest Negroponte took the decision to adopt Windows after requests from developing countries, which were stalling on placing orders for the XO. Critics argue, though, that the switch, coupled with the recent resignations of Walter Bender, president of software and content, and Ivan Krsti, director of security architecture, are signs that OLPC has abandoned its original mission to educate, and is now simply a laptop manufacturer. "Teaching children to use a proprietary system such as Windows does not make the world a better place, because it puts them under the power of the system's developer," wrote Richard Stallman, founder of the Free Software Foundation, on the foundation's blog. Krsti argues that a Windows computer is as useful an educational tool as one running free software, but he agrees that OLPC's priorities have changed. "I quit when Nicholas told me that learning was never part of the mission. The mission was, in his mind, always getting as many laptops as possible out there," he wrote on his personal blog. Related Articles Hackers have poor nations' PCs in their sights http://technology.newscientist.com/article/mg19626345.700 15 December 2007 $100-laptop created for world's poorest countries http://technology.newscientist.com/article/dn8338 17 November 2005 Developing nations to test new $150 laptops http://technology.newscientist.com/article/dn11177 13 February 2007 Weblinks One Laptop Per Child http://laptop.org/ _______________________________________________ tt mailing list tt(a)postbiota.org http://postbiota.org/mailman/listinfo/tt ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

[tt] NS: Laptops could betray users in the developing world
by Premise Checker 06 Jul '18

06 Jul '18

Laptops could betray users in the developing world http://technology.newscientist.com/article.ns?id=mg19826596.100&print=true 8.6.5 Colin Barras IN JANUARY, a court in Mazar-e-Sharif, Afghanistan, sentenced a young journalism student to death. Sayed Pervez Kambaksh's crime was to download and distribute a document about Islam and women's rights to his fellow students at Balkh University in Mazar, an action that the court considered blasphemous. Despite widespread international condemnation, the Afghan Senate later passed a motion confirming the death sentence. Kambaksh was caught because some of his fellow students reported him to the authorities. But oppressive governments could soon have a simple way to track the internet activity of their citizens directly, potentially paving the way for many more such cases. For security reasons, sensitive data sent over the internet, such as that used for online banking transactions, is digitally signed at source with a signature that can be traced to the user's computer. This helps validate their identity and guard against fraud. The system is known as non-repudiation, because the person creating the digital signature can reasonably be assumed to be the source of the sensitive data and, in a fraud case, for example, cannot repudiate this. If this system were to become the default setting for all traffic on a network, there would be nothing to stop authorities from tracing the source of any online activity, says Len Sassaman, a computer security researcher at the Catholic University of Leuven (KUL) in Belgium. Users would be stripped of their anonymity and authorities could identify anyone that criticised them. "If countries like Afghanistan were to switch to a system where the user cannot refute any action they took on the internet, I suspect we'll see more cases like Kambaksh's," says Sassaman. Now Sassaman and his colleague Meredith Patterson at the University of Iowa in Iowa City claim a prominent philanthropic organisation is inadvertently in the process of introducing just such a system across the developing world. The One Laptop per Child foundation (OLPC), the brainchild of Nicholas Negroponte, hopes to provide children around the world with a cheap laptop, called the XO, and access to the internet. But rolling out internet-ready laptops to inexperienced users across the developing world poses a huge security problem, not least because the devices could easily get stolen. To minimise this risk, the OLPC security team, formerly led by Ivan Krsti at Harvard University, developed the Bitfrost security model. Bitfrost has garnered praise from security experts around the world for its innovations, such as its anti-theft system, P_THEFT. Each laptop automatically phones an anti-theft server each day, sending its serial number. The server responds with an activation lease, valid for the next 24 hours. Any laptop that has been reported stolen is denied activation and becomes a useless lump of plastic and metal. While this will discourage theft, Sassaman and Patterson think there is a crucial element missing from the Bitfrost security model - personal privacy. Because the XO laptops will often be used in areas with limited internet connectivity, the OLPC team chose to use a mesh network, in which all XO computers in the region act as nodes. This means a message might pass through many XOs before it reaches its target, so each one is digitally signed to authenticate its source. While it is possible to use a digital signature that simply confirms the device is legitimate without identifying it, Bitfrost uses non-repudiable digital signatures. These can be traced to a specific laptop and - since children must register their details with a central database on taking possession of their XO - an individual child. "If a government happens to be monitoring, perhaps by inserting itself into the network between two XOs, it can prove to the world that the communicating parties said what they said," says Sassaman. Then, taking advantage of the P_THEFT system, the government could silence the user by simply denying their laptop a new activation key. Steven Murdoch, a privacy and security researcher at the University of Cambridge, says that Sassaman and Patterson have made a useful contribution to the Bitfrost model. "What I found most surprising about the Bitfrost specification is that it doesn't appear to consider governments as a risk to security," he says. Simson Garfinkel, a former security consultant for OLPC, dismisses the claims. He says Bitfrost does not use the signature to track user activity, adding that the model was intensely scrutinised by security experts after it was developed. "It's an issue of intent versus possibility," counters Sassaman. "They may not intend for the signatures to be used for non-repudiation, but it's possible to use them for this purpose." That won't be an issue, says Ricky Greenwald, a clinical psychologist and founder of the Child Trauma Institute in Greenfield, Massachusetts. Governments won't need to monitor the internet activity of 5 to 10-year-olds. "Children that age are more likely to use their computer for games and schoolwork," he says. It's very unlikely that a child's laptop would be deactivated by an oppressive regime, he says. Sassaman disagrees. "Remember where these computers are being deployed," he says. "We have 11-year-olds in some of these countries being drafted as child soldiers. Why would we not want to give them the ability to whistleblow?" Furthermore, Sassaman points out that it is unlikely that XO laptops will be used by children alone. "The OLPC project is laying the groundwork for a major network across the Third World," he says. "It's rather short-sighted to think that this would be limited to children, or to education." With rumours that an adult XO programme is in development, it is important to tackle security issues now, he says. To this end, Sassaman and Patterson are working on a modified version of Bitfrost that will allow XO laptops to identify each other without eroding the privacy of their users. Their work is at a preliminary stage, but will be based on existing cryptographic techniques that cannot be used for non-repudiation. With recent changes at the OLPC project it remains to be seen how widely Bitfrost will be installed in the XO laptops (see "Education, or just the laptop?"). The security system was designed to run alongside the Linux operating system and the experimental Sugar graphical user interface developed for the project. Last month, however, OLPC announced that the latest XO laptops will run Windows XP, although the foundation said the machines will eventually be able to run both operating systems. So far, there are 1000 XOs in Mongolia and 8000 in Uruguay using Bitfrost, with thousands more due to be delivered this year. Other countries that have agreed to buy XOs include Peru, Libya, Nigeria and Rwanda. Meanwhile Walter Bender, the former president of software and content at the OLPC, has begun talks with a number of ultra-low-cost laptop manufacturers that might see Sugar deployed on non-XO laptops in the near future. "Bitfrost is a far-reaching design," Bender says. "Much of it is of general use, and aspects of Bitfrost will be folded into the Sugar efforts." Sassaman welcomes this development. "Don't get me wrong, Bitfrost is a highly ambitious project. It's an application of lessons learned in software security and in that respect it has done a great job," he says. "They just happened to overlook a significant issue - user privacy. But those problems can be fixed without changing the goals of Bitfrost." At the time New Scientist went to press, after four months of international pressure, the Afghan authorities appear to be on the verge of freeing Kambaksh. With modifications to Bitfrost, Sassaman and Patterson hope that, in similar cases, at least people's computers won't betray them. Computer Viruses - Learn more about the threats to your PC in our comprehensive special report. Education, or just the laptop? Earlier this year, Nicholas Negroponte claimed that One Laptop per Child, the organisation he founded, had been acting "like a terrorist group" and needed to be managed "more like Microsoft". Since then, OLPC has lost some of its key members and all but abandoned a Linux operating system in favour of the ubiquitous Microsoft Windows XP. Reports suggest Negroponte took the decision to adopt Windows after requests from developing countries, which were stalling on placing orders for the XO. Critics argue, though, that the switch, coupled with the recent resignations of Walter Bender, president of software and content, and Ivan Krsti, director of security architecture, are signs that OLPC has abandoned its original mission to educate, and is now simply a laptop manufacturer. "Teaching children to use a proprietary system such as Windows does not make the world a better place, because it puts them under the power of the system's developer," wrote Richard Stallman, founder of the Free Software Foundation, on the foundation's blog. Krsti argues that a Windows computer is as useful an educational tool as one running free software, but he agrees that OLPC's priorities have changed. "I quit when Nicholas told me that learning was never part of the mission. The mission was, in his mind, always getting as many laptops as possible out there," he wrote on his personal blog. Related Articles Hackers have poor nations' PCs in their sights http://technology.newscientist.com/article/mg19626345.700 15 December 2007 $100-laptop created for world's poorest countries http://technology.newscientist.com/article/dn8338 17 November 2005 Developing nations to test new $150 laptops http://technology.newscientist.com/article/dn11177 13 February 2007 Weblinks One Laptop Per Child http://laptop.org/ _______________________________________________ tt mailing list tt(a)postbiota.org http://postbiota.org/mailman/listinfo/tt ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

EDRi-gram newsletter - Number 10.18, 26 September 2012
by EDRi-gram 06 Jul '18

06 Jul '18

====================================================================== EDRi-gram biweekly newsletter about digital civil rights in Europe Number 10.18, 26 September 2012 ======================================================================= Contents ======================================================================= 1. Facebook gives up its face recognition feature in EU 2. European Parliament steps back from promoting ISP liability 3. Ancillary copyright madness in Germany and France 4. EDRi responds to Commission b self-regulationb consultation 5. EU Parliament approves directive on orphan works 6. Data protection package: a proposed timetable in the EP 7. The Netherlands against ACTA in all its forms 8. Mapping Net Neutrality worldwide 9. Freedom Not Fear 2012 10. First victim of French 3 strikes law is found guilty for negligence 11. ENDitorial: Clean IT is just a symptom of the pinata politics of privatised online enforcement 12. Recommended Reading 13. Agenda 14. About ======================================================================= 1. Facebook gives up its face recognition feature in EU ======================================================================= Following pressure from Data Protection offices in EU, Facebook has decided to give up the controversial face recognition feature in EU. The feature used by Facebook was taking information given by users when tagging friends' faces in photo, with the declared purpose to make suggestions on tags for future images, thus making the process simpler and faster. This comes as a result of the work of the Irish Data Protection Authority (Office of the Data Protection Commissioner of Ireland - DPCI) which, in December 2011, performed an audit assessing Facebook Irelandbs (FB-I) compliance with the Irish Data protection law as well as the EU law and made a series of recommendations to Facebook. On 21 September 2012, DPCI issued the outcomes of its Review Implementation of Audit Recommendations finding that most recommendations by the Audit had been met by the company, most notably the turning off of the face recognition feature. At the same time, DPCI gave Facebook four weeks to solve the remaining issues that are still to be met. Among other things, Facebook has been asked to provide more detailed information about the use of the "fr" cookie and to explain the consent collected for this cookie. It has also been asked to introduce a "robust process" to "irrevocably delete user accounts and data upon request within 40 days" of being notified and to address the concerns regarding the possibility of targeted advertising utilising sensitive data on the network. b I am satisfied that the Review has demonstrated a clear and ongoing commitment on the part of FB-I to comply with its data protection responsibilities by way of implementation or progress towards implementation of the recommendations in the Audit Report. I am particularly encouraged in relation to the approach it has decided to adopt on the tag suggest/facial recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice. This feature has already been turned off for new users in the EU and templates for existing users will be deleted by 15 October, pending agreement with my Office on the most appropriate means of collecting user consent. By doing so it is sending a clear signal of its wish to demonstrate its commitment to best practice in data protection compliance,b said Billy Hawkes, the Irish Data Protection Commissioner. Facebook declared it intends to re-introduce the tag feature in the future, but it would do that under new guidelines and, according to Billy Hawkes, the tool would only return if Facebook agreed on the b most appropriate means of collecting user consentb. Report of Review of Facebook Irelandbs Implementation of Audit Recommendations Published b Facebook turns off Tag Suggest in the EU (21.09.2012) http://dataprotection.ie/viewdoc.asp?DocID=1233&m=f Facebook Ireland Ltd b Report of Re-Audit (21.09.2012) http://dataprotection.ie/documents/press/Facebook_Ireland_Audit_Review_Repo… Facebook given 4 weeks to FULLY SATISFY Irish data commissioner - Review mainly leads to whiskey doubles all round (21.09.2012) http://www.theregister.co.uk/2012/09/21/irish_data_protection_commissioner_… Facebook abandons face recognition within the EU (only in French, updated 24.09.2012) http://www.01net.com/editorial/573553/facebook-abandonne-la-reconnaissance-… Facebook to switch off controversial facial recognition feature following data protection concerns (22.09.2012) http://www.dailymail.co.uk/news/article-2207098/Facebook-switch-controversi… ======================================================================= 2. European Parliament steps back from promoting ISP liability ======================================================================= On 11 September 2012, the European Parliament voted on an own-initiative report of Mr Jean-Marie Cavada (EPP, France) on the online distribution of audiovisual works. As we reported in the EDRi-gram after the vote in the leading Committee, the Culture and Education Committee, last July, the report was containing some surprising and potentially very problematic terms on the liability of networks operators. The text was calling for b ways to encourage network operators to standardise their technical toolsb for copyright enforcement and arguing that the current trend was towards a removal of liability of networks operators. This is factually wrong, could lead to privatisation of censorship and would encourage enforcement outside the rule of law. Finally, this is in no way pursuing the goal of the report, which is to promote and develop access to cultural content. This problematic part of the report (point 59 of the final report) was thankfully rejected in the final vote of the European Parliament on the dossier following a lot of behind the scenes activity by EDRi. This vote is important for three reasons. Firstly, the European Parliament would have faced difficulties convincing the other institutions of its credibility on the dossier. A report containing (obviously) inaccurate statements will not be particularly credible. Secondly, encouraging network operators to standardise their b technical toolsb means encouraging Internet service providers to monitor, filter and possibly block access to content. This call was going against recent decisions of the Court of Justice of the European Union that protecting intellectual property could not override other fundamental rights such as the right to privacy, the freedom of information and the freedom to conduct business. (C-70/10 Scarlet/SABAM and C-360/10 SABAM/Netlog). The mix of b technical toolsb creates the motive, means and opportunity for Internet companies to appoint themselves as the judge, jury and executioner of online law enforcement. Finally, and most importantly, it shows the willingness of the European Parliament to move away from concentrating all intellectual property related issues on enforcement b particularly privatised enforcement by Internet companies. It is a clear reversal of the Parliament's previous approach in the so-called b Gallo reportb adopted by the European Parliament in 2010 that demanded b appropriate solutionsb from Internet Service Providers in b dialogueb with stakeholders. One such b dialogueb was the one convened by the European Commission, which suggested the b voluntaryb implementation of exactly the kinds of filtering systems that the European Court of Justice subsequently ruled to be in breach of citizens' fundamental rights. This vote is in tune with the recently adopted Opinion of the Industry Committee of the European Parliament on Completing Digital Single Market, led by Italian Conservative Parliamentarian Aldo Patriciello. In that report, Parliamentarians focussed on eliminating the many barriers to online services in Europe, demanding in particular b a harmonised approach to copyright exceptions and limitationsb. This reflects a growing awareness that it is time to move away from trying to use disproportionate tools to enforce a copyright system that is devoid of credibility and towards building a more credible approach. The road will still be long to adapt the current framework to the digital revolution and to overcome the barriers that prevent consumers to access, use and enjoy cultural content but the European Parliament has made it clear that it was the direction it wanted to take. EDRi-gram: EP: Surprises in the online distribution of audiovisual works' report (18.07.2012) http://www.edri.org/edrigram/number10.14/online-distribution-works Patriciello Opinion Not yet published by Parliament Cavada Report (25.07.2012) http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&reference=A7-2012… Gallo Report (22.10.2012) http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference… (Contribution by Marie Humeau - EDRi) ======================================================================= 3. Ancillary copyright madness in Germany and France ======================================================================= On 29 August 2012, the German government decided to pass a draft legislative proposal for ancillary copyright (so-called "Leistungsschutzrecht") aimed at b protectingb publishing houses' online content from being quoted in news aggregation sites and on search engines. This draft law would give publishers the right to limit or forbid any publication or reproduction by third parties of snippets of their content. Services (Google in particular) which publish (or "steal") even very small parts or snippets as a means of helping end-users find interesting information would have to obtain a license and pay a tax in order to do so. The law would have an extensive impact since any website, aggregator or blog could be affected by this. A couple of years ago, German publishers suddenly realised that there were companies on the internet which make billions of Euro from advertising. Advertising has traditionally been the publishers' business model and they have failed to adapt this part of their business to the online environment. They therefore argue that companies that are able to make money in the digital environment should subsidise their pre-existing business model. Ironically, though, those companies are still able to make significant profits. For example, Germany's biggest publisher Axel Springer recently announced an increase in 55% for its online products in the first half of 2012. Just a few days ago, French magazine TC)lC)rama.fr revealed a draft proposal written by the press association IPG and inspired by the developments in Germany, in order to tax Google and cream off its billion euro profits in France. The draft b lex Googleb wants to give publishers the exclusive right to reproduce snippets from articles, under penalty of a fine of 30 000 euro and 3 years imprisonment for offenders. The somewhat incomprehensive German and French provisions create a disincentive for online companies to help people find the publishers' online content and b compensateb the publishers when their content is found. Following the same logic, concert venues could ban taxi drivers to take people to their concerts, unless they pay b compensationb to the venue for bringing customers to their doors. In an environment where expensive, disjointed and out-of-date copyright law is already causing significant damage to the European economy, this approach may be a joke, but it certainly is not funny. Civil society groups as well as the German association of internet economy eco have highlighted the absurdities and negative consequences of ancillary copyright provisions repeatedly. They have pointed out that the current terms of the law are more than unclear, that it is difficult to establish what makes a website "commercial" and therefore leads to legal uncertainty. In addition, the current German draft would restrict the diversity of information on the internet. Civil society groups have also pointed out the complete superfluousness of such provisions - publishers are already protected by copyright provisions and are given extensive rights by journalists through contracts or general terms and conditions. Due to the vague definition of a "press product", search engines would need to conclude thousands of individual contracts. Smaller publishers and bloggers do not have the capacity to do the same. It is thus likely to result in adverse effects: a creation of exceptions for monopolies, leading to an uncompetitive market situation. Ultimately, this will also limit the freedom of communication and freedom to do business. 3rd revision of the German draft proposal (only in German) http://irights.info/userfiles/3_%20Referentenentwurf-LSR-Kabinettsfassung_S… Axel Springer online profit (only in German, 8.08.2012) http://www.welt.de/wirtschaft/article108532273/Axel-Springer-steigert-Gewin… eco Comments on Planned Ancillary Copyright (10.07.2012) http://international.eco.de/2012/news/eco-comments-on-planned-ancillary-cop… TC)lC)rama reveals press publishers' project (only in French, 21.09.2012) http://www.telerama.fr/medias/taxe-google-telerama-devoile-le-projet-des-ed… Common declaration of French and German publishers (only in German, 19.09.2012) http://www.bdzv.de/fileadmin/bdzv_hauptseite/aktuell/bdzv_branchendienste/b… (Contribution by Kirsten Fiedler - EDRi) ======================================================================= 4. EDRi responds to Commission b self-regulationb consultation ======================================================================= The Commission is asking for feedback on a draft b codeb for what it describes as b multistakeholder actionsb. The intention is to use the final text as a blueprint for future self- and co-regulatory actions, in order to ensure that certain best practices are respected. The deadline is at the end of this week (30 September 2012) and EDRi has already submitted its response. We have been (sometimes very!) critical of the Commission's approach to self-regulation b most particularly when it is not self-regulation at all but privatised law enforcement, as we see in the now infamous Clean IT project and as was also proposed in ACTA. If the Commission were currently following the draft code, many of the excesses that we see today would not be happening. For example, the chaotic and expensive two-year b brainstormingb of Clean IT would never have happened because the code stipulates the establishment, from the outset, of b clear and unambiguousb objectives, b starting from a well-defined baseline.b Indeed, the confusion regarding the specific aims of the project is one of the main reasons that EDRi felt that it was inappropriate to participate in that group. While the draft proposed by the European Commission would represent a solid step forward, there are still valuable improvements that would need to be made. For example, contrary to the process followed by Clean IT, there should be an b up frontb understanding that any outcome cannot legally result in restrictions of fundamental rights. Secondly, it is very important that any involvement from public authorities in self-regulatory measures result in those authorities agreeing to take a formal position to either endorse or reject the outcome of the project. The alternative is power without responsibility b a public authority can convene industry discussions, push for a particular outcome and then claim that the entire process was b industry's idea.b We also suggest that the involvement of the public authority be under constant review and only allowed to continue when a majority of stakeholders are in favour. Power without responsibility is a corrosive and corrupting factor for any administration. Our response therefore highlights this point as being one of critical importance. The third major point of our response refers to the actions that should be taken if a stakeholder group resigns from a multi-stakeholder process. In the Commission's draft code, representativeness is given a high degree of priority, but the guarantees to ensure this is actually respected are somewhat weak. For example, there is no clarity as to what should be done if a stakeholder group loses faith in the process and resigns. Our suggestion is that the group should have the right to produce a statement of objections and for this to be appended to the final, published agreement. We also suggest that the resignation of key stakeholder groups or an agreed proportion of participants would automatically trigger the ending of the project. In the same vein, we propose that a level of non-compliance should be agreed which, if attained, would also lead to the ending of the project. The Commission consultation comes in two parts b a short questionnaire and a PDF/DOC of the draft code, which should be submitted with b tracked changesb after being edited in line with the respondent's views. We encourage other civil society groups and also individuals to respond b and we will not complain if any of our analysis is plagiarised. On-line public consultation on Code for Effective Open Voluntarism: Good design principles for self- and co-regulation and other multistakeholder actions Deadline: 30 September 2012 http://ec.europa.eu/information_society/digital-agenda/actions/consultation/ EDRi's tracked changes document http://edri.org/files/EC_code_final.pdf (Contribution by Joe McNamee - EDRi) ======================================================================= 5. EU Parliament approves directive on orphan works ======================================================================= On 13 September 2012, the EU Parliament approved the draft legislation on orphan works proposed in 2011, completed by the EU Parliament and Council compromise in June 2012. The European Commission issued an Impact Assessment in 2011 accompanying the proposal for a directive on certain permitted used of orphan works, considering there was an urgent need of a legislative initiative on orphan works, as a result of the situation created by the US Google Books Settlement (in its original formulation orphan works were to be automatically included in the scope of the Google Books Settlement), the need to obtain prior copyright permissions for the use of orphan works in Europe and the risk of a knowledge gap in case orphan works could not become part of European Digital Library projects. The Commission also considered a key action of the Digital Agenda for Europe was the creation of a legal framework to facilitate the digitisation and dissemination of orphan works (works for which no author is identified or located). The proposed directive was intended to make it "safer and easier for public institutions such as museums and libraries to search for and use orphan works (...)." The directive defines what works that can be considered orphan works and it stipulates that the public institutions would be required to carry out a prior b diligent searchb, in terms with the proposed directive requirements, in the Member State where the work was first published. When the diligent search establishes the orphan status of a work, it would be considered an orphan work all over the EU. Thus, orphan works can be made available online for cultural and educational purposes without prior authorisation, unless (or until) the owner of the work puts an end to such status. Following certain concerns and criticism, in June 2012, the draft proposal was completed with two points which established that in case the right holder showed up, he would be entitled to claim compensation for the use of his own work and that public institutions should be allowed to generate some revenue from the use of an orphan work to be used to pay for the search and the digitisation process. The approved text by the European Parliament also includes some other additions such as that the diligent search will not be necessary for each work but "in good faith" and "prior to the use of the work." A new article was also added - the new Directive b shall be without prejudice to the Member Statesb arrangements concerning mass-scale digitisation of works, such as those relating to out-of-commerce works." Although considered a good idea, the proposed directive does not impress everybody. MEP Christian EngstrC6m, of the Swedish Pirate Party, believes the directive is not bold enough and b is not going to help to make the European common cultural heritage available the way it is drafted so I would urge everyone to reconsider because at the moment it simply isn't useful.b Another difficulty is that when dealing with musical works, a cultural heritage institution will have to consider the future rules that will result from the proposed directive on collective rights management and multi-territorial licensing of rights in musical works for online uses. Commission's Vice-President Neelie Kroes has recently pointed out that although the proposals on orphan works, as well as the proposal on collective rights management, were good steps in the way to improve EU copyright, there were also other problems beyond licensing or orphan works and that "we need to focus also on substantive copyright reform." Orphan works directive approved by EU Parliament (14.09.2012) http://ipkitten.blogspot.nl/2012/09/orphan-works-directive-approved-by-eu.h… Are European orphans about to be freed? (21.09.2012) http://kluwercopyrightblog.com/2012/09/21/are-european-orphans-about-to-be-… Finding a good home for orphan works online (12.09.2012) http://www.europarl.europa.eu/news/en/headlines/content/20120706STO48456/ht… "Orphan" works: informal deal done between MEPs and Council (6.06.2012) http://www.europarl.europa.eu/news/en/pressroom/content/20120606IPR46383/ht… European Parliament legislative resolution of 13 September 2012 on the proposal for a directive of the European Parliament and of the Council on certain permitted uses of orphan works (COM(2011)0289 b C7-0138/2011 b 2011/0136(COD) (13.09.2012) http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2012-… ======================================================================= 6. Data protection package: a proposed timetable in the EP ======================================================================= Last week, on 19 September 2012, the Civil Liberties, Justice and Home Affairs (LIBE) Committee discussed the data protection package, in particular the planned timetable. LIBE is the Committee leading the dossier in the European Parliament and will issue two reports, one on the proposal for a General Data Protection Regulation ( b the Regulationb) and one on the proposal for a Directive b on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such datab (b the Directiveb). The two Rapporteurs, Mr Jan-Philipp Albrecht (Greens, Germany) for the Regulation and Mr Droutsas (S&D, Greece) for the Directive, decided to follow a package approach because of the important links between the two proposed legislative measures. However, Mr Droutsas underlined the difficulties that the Council seems to encounter on the Directive with the position of certain Member States. The joint parliamentary meeting taking place on 9 and 10 October is going to be crucial in solving this issue, he added. Because of the problems in the Council, the feasibility of the package approach was questioned by Mr Alvaro (ALDE, Germany) b even though he recognised the benefit of such an approach - and Mr Kirkhope (ECR, United Kingdom). The cooperative approach of the dossier, desired by the Rapporteurs, was warmly welcomed by the other members of the European Parliament from all political groups. Important issues were underlined several times during the debate such as the importance of a good implementation and of a strong enforcement of data protection, the need for clarity, the necessity of protecting fundamental rights and finally the issue of data flow to third countries. Even if no final agreement on those issues was found during the debate, the debate was very helpful to understand the forthcoming steps in the process. Mr Albrecht indeed presented his forecasted timetable for the Regulation. The current plan is to have the Regulation definitely voted before the end of this legislature, i.e. in 2014. To achieve this goal, he would like to provide a second working paper for the joint parliamentary meeting taking place beginning of October. At that time, the paper will be available only in English and will subsequently be translated for a debate in the Committee that will take place on 5 or 6 November 2012. The Rapporteur intends to have a draft report ready by December of this year, so the vote can take place between February and April 2013, to enable negotiation with the Council later on. The envisaged timeframe is very important as it gives a great perspective on the forthcoming steps. However, this timetable is foreseen as being very ambitious by Mr Alvaro, Mr Kirkhope and Mr Voss (EPP, Germany), the b Shadow Rapporteursb. During the debate, they expressed the necessity to favour quality over speed. It is a very important issue and the process should not be rushed. Mr Albrecht concluded by underlining the importance of a coherent and harmonised framework and the necessity of consolidating the current system of data protection. Good legislation needs good implementation and a strong enforcement system. EU citizens have to be protected when their data are processed, he said. Therefore, he agreed that if more time was needed to make a good and strong legislation, then this time will be taken. More information on the procedure being followed and a glossary of the key terminology is available in EDRibs b Activist Guide to the Brussels Mazeb (2012) http://www.edri.org/files/2012EDRiPapers/activist_guide_to_the_EU.pdf The entire debate is available on the Parliament website (19.09.2012) http://www.europarl.europa.eu/ep-live/en/committees/video?event=20120919-09… (Contribution by Marie Humeau - EDRi) ======================================================================= 7. The Netherlands against ACTA in all its forms ======================================================================= In response to an open letter sent by EDRi-member Bits of Freedom (BoF), the Dutch government has confirmed that it opposes any controversial ACTA-provisions in whatever form. This confirmation was provoked by the news, only six days after ACTA was rejected by the European Parliament, that a draft text of the Canada b EU Trade Agreement contained provisions that were virtually identical to provisions from ACTA. As the Netherlands set an important example by rejecting ACTA long before the vote in the European Parliament, Bits of Freedom requested the government to do the same with CETA or any agreement alike. And it did. More specifically in its letter of 17 September 2012, the government b upon BoF request b confirmed that it would not agree to the ACTA-provisions in CETA or any other treaty in which such provisions may appear. It stated: "The European Commission rightly agreed to respect the vote of the European Parliament against ACTA and to observe this vote concerning CETA. ACTA-provisions 27(3) and 27(4) regarding the liability of Internet Service Providers are no longer part of the current draft of CETA. Other provisions relating to the enforcement of intellectual property rights are currently being studied with the aforementioned vote in mind. If provisions do not correspond thereto, they will be changed or deleted." and: "In light of resolution 288 of the House of Representatives [2], this government will not agree b in whatever agreement this may be b to any ACTA-provisions it voted against. Examples are provisions on the strict enforcement of intellectual property on the internet and provisions that stand in the way of future intellectual property reforms." The government further noted that currently there were no other treaties similar to ACTA being negotiated. This confirmation by the Dutch government is of course very good news. However, due to recent elections, a note of caution is in place: the new government that is currently being formed may decide differently. Seeing the latest positions of the two major parties there is not too much reason for concern: in their election campaign, the liberal party (VVD) took a position against ACTA and similar treaties; the labour party (PvdA) took position only against ACTA but did support resolution 288 (also mentioned above) by which the government was requested to vote against treaties similar to ACTA. Bits of Freedom hopes that the formal position of the Dutch government against controversial ACTA-provisions in whatever form serves as an example to policymakers in other countries to do the same. This will hopefully help the European Commission accept its loss and realize that the only constructive way forward is to start looking for acceptable alternatives in an open and transparent way. Translation open letter: Dutch government must reject CETA (1.08.2012) https://www.bof.nl/2012/08/01/translation-open-letter-dutch-government-must… Translations of Dutch parliamentary resolutions against ACTA (29.05.2012) https://www.bof.nl/2012/05/29/translations-of-dutch-parliamentary-resolutio… (Contribution by Simone Halink - EDRi-member Bits of Freedom, Netherlands) ======================================================================= 8. Mapping Net Neutrality worldwide ======================================================================= When questioned about Net Neutrality the European Commission previously claimed that only little data existed to show that net neutrality violations had occurred. A new project: netneutralitymap.org shows net neutrality violations worldwide based on tests for shaping. It documents the need for net neutrality legislation. Although Net Neutrality is currently discussed throughout Europe, very little actual data is used for campaigning. A new project tries to change this by mapping data from Measurement Lab's global "Glasnost" tests. The map uses the same metric previously used by the researchers of Measurement Lab to detect violations of Net Neutrality along one year and display them on a map. The map clearly shows: violations of Net Neutrality are commonplace throughout Europe. Especially the Bittorrent protocol is frequently shaped. While data from small countries are sparse - data from larger countries confirm that net neutrality violations are indeed common. The map was created by activists around the Austrian EDRi member VIBE.at and "Initiative fuer Netzfreiheit" which recently started a campaign to promote Net Neutrality in Austria. "I did not perceive Net Neutrality violations as a problem until I first looked at the map we created" says Michael Bauer of VIBE.at. "It is striking how common shaping is in todaybs internet". The European Commission previously claimed a lack of data on Net Neutrality violations as the main reason for not punishing them. Measurement lab had this data since 2009. With this new way of presenting the data it is clear that the lack of data is not a reason for delaying net neutrality regulation any longer. The Net Neutrality map http://netneutralitymap.org Austrian campaign on Net Neutrality (only in German) http://unsernetz.at Measurement Lab - open platform for researchers to deploy Internet measurement tools http://measurementlab.net Initiative fur Netzfreiheit (only in German) http://netzfreiheit.org (contribution by Michael Bauer - EDRi-member VIBE.AT - Austria) ======================================================================= 9. Freedom Not Fear 2012 ======================================================================= The 4-day "Freedom Not Fear 2012" (FNF 2012) event came to a successful end on Monday, 17 September 2012. Organisations and individuals from 11 EU-member states participated to raise their voice for better privacy safeguards, to protest against emerging surveillance measures and to exchange views on digital rights issues The Brussels action in which several EDRi members participated (FoeBuD, Digitale Gesellschaft, IuRe, Panoptykon, Bits of Freedom, VibeAt and the Liga voor Mensenrechten) was accompanied by protest events in the US, Argentina, Luxembourg and Australia. Bits of Freedom (Netherlands) attended the FNF weekend in Brussels focusing mainly on the events around the review of the data protection framework. They consider it great to meet many activists working on different topics of which many are related to the activities of the Dutch organisation. Also, BoF found it inspiring to see which important issues exist outside the scope of their work. FoeBuD (Germany) said that several excellent results were produced at FNF 2012. FoeBuD members really enjoyed the internationality this year - and will continue working to bring even more organisations to next year's event. One topic that FoeBuD has recently focused on is the European Data Protection Regulation, and some good work on this was done during the FNF activists' weekend and the meetings with European officials. Another focus is the project to investigate and hopefully start a European Citizens' Initiative (ECI) against data retention, on which some valuable exchanges took place during FNF. The next step on this will be to organise an international conference in Amsterdam to talk about the ECI. Three Digitale Gesellschaft (Germany) members were able to participate in this year's FNF12. This was a perfect occasion for them to put their energy into pan-European networking between activists and to explain their position to European policy makers. During the conference, the members gave a short introduction and overview of the German national campaign on net neutrality. The FNF 2012 started on Friday afternoon with a discussion about the consultations of the EU Commission about a European notice-and-takedown system of content on the Internet. Mr. Werner Stengg, Head of the EC Unit "Online Services" presented the Commission's point of view on this sensitive topic. The talk was followed by two hours of discussions with Mr. Peter Hustinx, European Data Protection Supervisor, about the upcoming EU Data Protection Reform. He started with a detailed explanation of his interpretation of the Freedom Not Fear motto: "Fear is always a bad adviser." He emphasized the need to keep on striving for positive developments on privacy issues. Mentioning the whole range of various kinds of activism, from single person engagement up to professional privacy activism: "Keep on going - we need you!" Three more days of the barcamp-like conference filled with meetings, lectures and discussions followed, also including a colorful demonstration within the city of Brussels and one more outside action named the "Camspotting Game". One of the results of b Freedom Not Fearb was the establishment of the International Working Group on Video Surveillance, which announced a campaign targeting the latest developments in privacy-intrusive technology such as "Facewatch" in the UK. Freedom Not Fear 2012 http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2012 Walk of Protest FNF 2012 http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2012/Walk-of-protest ======================================================================= 10. First victim of French 3 strikes law is found guilty for negligence ======================================================================= After almost two years since the 3-strikes law has entered into force in France, the first Internet user was sentenced by the court to a 150 euro fine for negligence for not using the Internet access security measures and because the user has innocently confessed it. Since October 2010, about 3 million French IP addresses have been identified by rightholders of being possible infringers. Out of these, Hadopi considered 1.15 million worthy of a b first strikeb notice, about 102 000 of a second warning, and only 340 of a third warning. Only 14 cases were sent to court, so far. This is the first fine applied for the Hadopi law because the infringement must be proven and this is not easy to do. In order to be punished for negligence, one has to have failed to apply security means to his Internet connection or to have not used accordingly these means, both being rather difficult to prove. However, this particular Internet user gave himself up by admitting that he had not used any security means to prevent access to his Internet account. By trying to defend himself, the Internet user summoned by the court for repeated infringements, gave the court the motives to condemn him for negligence. He argued he was himself unable to download material from the Internet and blamed his wife (with whom he is under divorce procedures) for having illegally downloaded material from the Internet. The woman confirmed she had downloaded Rhianna songs. b By saying he knew she was downloading infringing content, but didnbt prevent her from doing so, he self-incriminated,b explained Guillaume Champeau of Numerama. So, although actually innocent, the man is now to pay for being responsible for the downloading, because he did not prevent it. Hadopi: one first condemned person, by ingenuity (only in French, 13.09.2012) http://www.numerama.com/magazine/23715-hadopi-un-premier-condamne-par-naium… Hadopi confirms that the first condemned betrayed himself (only in French, 13.09.2012) http://www.numerama.com/magazine/23718-la-hadopi-confirme-que-son-1er-conda… French 3 Strikes: Court Fines First File-Sharer, Even Though Hebs Innocent (13.09.2012) http://torrentfreak.com/french-3-strikes-court-fines-first-file-sharer-even… ======================================================================= 11. ENDitorial: Clean IT is just a symptom of the pinata politics of privatised online enforcement ======================================================================= There has been a lot of attention to the b Clean ITb project since EDRi published a leaked draft document last week, on 21 September 2011. Since then, the project organisers have said that the statement on the front page saying that b this document contains detailed recommendationsb was incorrect and that it also contained (unidentified) other mistakes. Project coordinator But Klaasen explained on Twitter that the leak was little more than a b discussion document.b According to the Clean IT website, this is the output of two day meetings in Amsterdam (October 2011), Madrid (January 2012), Brussels (March 2012) Berlin (June 2012) and Utrecht(September 2012). According to the website of Clean IT, which has produced 23 pages of bullet points of policy suggestions, there will be just one more meeting (Vienna, November 2012) before a final presentation is made in February 2013. Mr Klaasen also explained on Twitter that all suggestions received thus far are only b food for discussionb, because they do not censor the ideas they receive. Clean IT is therefore part of a wider problem b a conveyor-belt of ill-defined projects whereby industry is expected to do b somethingb to solve ill - or even undefined problems on the Internet. For example, it takes an almost impressive amount of fragmentation for the European Commission to be simultaneously funding two different and uncoordinated projects (Clean IT and CEO Coalition on a Safer Internet for Kids) developing b voluntaryb industry standards on b notice and takedownb, on b upload filtersb, on b reporting buttonsb and all with little or no analysis of the specific problems that need to be solved. Worse still, Clean IT was born out of a failed b voluntaryb project organised directly by the European Commission on b illegal online contentb. That project failed because it did not have a problem definition. Without knowing what problems it was trying to solve, it ended up going round in ever smaller circles before finally disappearing down the proverbial drain. Sadly, no lessons were learned before the Commission committed to funding Clean IT, which is currently making the same mistakes all over again. Even bigger mistakes have not been learned from in this approach. In the Commission-organised b dialogue on illegal uploading and downloadingb, a proposal was made for widespread b voluntaryb filtering of peer-to-peer networks. This was resisted by the Internet access provider industry and ultimately ruled by the European Court of Justice (Scarlet/Sabam case C70/10) to be in breach of fundamental rights. All of this experience meant that EDRi could not possibly participate in Clean IT without seeking to ensure that the project did not make the same mistakes that we have seen over and over again. In 2011, as a precondition of participation, we therefore set very reasonable demands: 1. Identify the specific problems to be solved. (At different moments, Clean IT was meant to address b Al Quaida influencedb networks, b terrorist and extremist 'use' of the Internetb and b discriminationb/b illegal softwareb.) 2. Identify the scope of the industry involvement. Listing every single type of online intermediary is neither credible nor effective. 3. Actively seek to identify and avoid possibilities for unintended consequences for both fundamental rights and addressing illegal content. The project leader rejected all of these preconditions, regrettably leaving us no option but to stay outside the process. As a result, we have a project that seeks to use unspecified industry participants to solve unidentified problems in ways which may or may not be in breach of the Union and international law. It would be unconscionable for EDRi to participate in these circumstances. We have also been contacted via Twitter by Commissioner Kroes' spokesperson. Mr Heath's comments suggest that CleanIT is only a b brainstormingb session and the Commission has spent hundreds of thousands of Euro just for lists of possible policies. It is very important to stress that absolutely nothing in the document that we released last week has been officially approved as European Commission policy. The recommendations, insofar as they are recommendations, are the sole responsibility of the CleanIT project. Commissioner MalmstrC6m has acted to distance herself from the project and has made this very clear via Twitter messages. There are, however, serious questions that are still to be asked regarding the budget approval processes that lead to such projects being approved for public funding. The law is quite clear b the Charter of Fundamental Rights, the Convention on Human Rights and the International Covenant on Civil and Political Rights are quite clear b restrictions on fundamental rights must be foreseen by law and not introduced as unpredictable, ad hoc projects by industry. The rule of law cannot be defended by abandoning the rule of law and EDRi will continue to defend this principle. EDRi: Clean IT b Leak shows plans for large-scale, undemocratic surveillance of all communications (21.09.2012) http://edri.org/cleanIT Clean IT rebuttal of our comments http://www.cleanitproject.eu/edri-publishes-clean-it-discussion-document/ Mr Heath's comments https://twitter.com/EDRi_org/status/250524464499023872 Mr Klaasen's tweet https://twitter.com/ButKlaasen/status /249145735453487105 Commissioner MalmstrC6m's tweets https://twitter.com/MalmstromEU/status/250573911471845376 https://twitter.com/MalmstromEU/status/250574119991660545 https://twitter.com/MalmstromEU/status/250641266038173696 (Contribution by Joe McNamee - EDRi) ======================================================================= 12. Recommended Reading ======================================================================= Islands of Resilience Comparative Model for Energy, Connectivity and Jurisdiction Realizing European ICT possibilities through a case study of Iceland http://islandsofresilience.eu/ http://icg.greens-efa.org/pipermail/hub/attachments/20120925/83bf78da/attac… JoaquC-n Almunia Vice President of the European Commission responsible for Competition Policy - Competition enforcement in the knowledge economy Fordham University/ New York City (20.09.2012) http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/12/629&forma… EDPS issues comments on DG MARKT's public consultation on procedures for notifying and acting on illegal content hosted by online intermediaries (13.09.2012) http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consu… The internet in pieces Harried by cyberattacks, Iran is making good on a vow to build its own web. Others could follow (23.09.2012) http://www.guardian.co.uk/commentisfree/2012/sep/23/iran-us-cyber-espionage… ======================================================================= 13. Agenda ======================================================================= 27 September 2012, Paris, France Open Data - La ConfC)rence http://www.opendata-laconference.com/agenda.html 7-10 October 2012, Amsterdam, Netherlands 2012 Amsterdam Privacy Conference http://www.apc2012.org/ 11-12 October 2012, Amsterdam, Netherlands Economies of the commons 3 - Sustainable Futures for Digital Archives http://ecommons.eu/ 25-28 October 2012, Barcelona, Spain Free Culture Forum 2012 http://fcforum.net/ 3-4 November 2012, Baku, Azerbaijan Best Bits b a strategic gathering of NGOs around Internet governance and Internet principles http://igf-online.net/bestbits.pdf 6-9 November 2012, Baku, Azerbaijan Seventh Annual IGF Meeting: "Internet Governance for Sustainable Human, Economic and Social Development" http://www.intgovforum.org/cms/ 9-11 November 2012, Fulda, Germany Digitalisierte Gesellschaft - Wege und Irrwege FIfF Annual Conference in cooperation with Fuldaer Informatik Kollquium http://www.fiff.de/2012 29-30 November 2012, Brussels, Belgium For Your Eyes Only: Privacy, Empowerment and Technology in the context of Social Networks http://www.foryoureyesonly.be 4 December 2012, Brussels, Belgium 3rd Annual European Data Protection and Privacy Conference http://www.eu-ems.com/summary.asp?event_id=123&page_id=983 23-25 January 2013, Brussels, Belgium CPDP 2013 Conference - Reloading data protection CfP by 19 October 2012 http://www.cpdpconferences.org/callforpapers.html 6-8 May 2013, Berlin, Germany re:publica 2013 http://re-publica.de/12/2012/08/28/der-termin-steht-vom-06-08-mai-2013-geht… 31 July b 4 August 2013, Geestmerambacht, Netherlands Observe. Hack. Make. - OHM2013 https://ohm2013.org/ ============================================================ 14. About ============================================================ EDRi-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRi has 32 members based or with offices in 20 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRi-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and are visible on the EDRi website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram(a)edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring http://flattr.com/thing/417077/edri-on-Flattr - EDRI-gram subscription information subscribe by e-mail To: edri-news-request(a)edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. Unsubscribe by e-mail To: edri-news-request(a)edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/mk/vesti/edri - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram(a)edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0