cypherpunks-legacy
Re: [FoRK] Recommendations for a reliable subscription-based SSL VPN or proxy service for "secure, portable, virtual" office?
by Stephen D. Williams 06 Jul '18
On 12/26/12 10:05 AM, Ben (B.K.) DeLong wrote:
> Hi all -
>
> Hope everyone had/is having an enjoyable holiday break. I'm at my new
> gig and thinking about being more vigilant regarding the separation of
> personal life and work technologically. Any access of personal files
> or activities, while at work, is done via a Portable Apps setup
> through a Mountable TrueCrypt drive stored on DropBox.
Surprised that works well without corruption...
Although for a whole drive it would be a bit of an efficient storage use
issue (requiring just periodic reset maintenance), SparkleShare+Gitolite
git server via ssh is a great combination, with clients for
Windows/Macosx/Linux or you can use any git client. If the git server were
storing into a TrueCrypt loopback on the server, you'd ruin offline attacks
against your data. Simply sync to another drive somewhere to get
redundancy.
Why not run an ephemeral VM (VirtualBox is free) that mounts a local host
TrueCrypt volume that is a cache for SparkleShare/Git. You could run the
VM from the TrueCrypt volume, but then it would be mounted on the local OS
and Panopticon-like admin / system software would get to it. An ephemeral
VM (that doesn't save updates to disk) that mounts the TrueCrypt volume is
more difficult to attack. This was always a feature of VMWare; not sure how
to do it with VirtualBox. Perhaps with snapshots or similar COW drive
mounts with the drives in the TrueCrypt loopback.
The VM should tunnel all network traffic over SSH to a shell server
somewhere, home if you properly set up incoming ports. Use dynamic DNS to
get to it or something simpler (file on the ssh server is enough).
It's not too hard to get the beginnings of cover traffic to make traffic
analysis tough. This could be done various ways from random data, traffic
sensing reaction, to a smart tunnel that directly augments traffic patterns
with chaff. Modify netcat and then run that over SSH socket proxies.
>
> It syncs regularly and while most of the activity is over SSL, I'd
> like to ensure any and all activity being done from those particular
> applications are done either over an encrypted hosted VPN or (if I
> must) a hosted virtual machine that I can VPN/remote into from work.
>
> I'm not trying to be surreptitious here at my new job, but at the same
> time, I've been trying to find the sweet-spot to this "secure,
> portable, backed-up virtual office" solution for a while and the VPN
> or Virtual machine setup is my last piece.
>
> I'm looking for something that's no more than $10-$30 a month. But I
> am open to alternatives if I replace the dropbox solution.
I've been running a colocated machine one way or another since 1992, with
my own DNS server, etc. When I get around to building almost-never-fail
mini-servers, I have at least two other stable but seldom visited locations
to put servers. I currently have an underused Linux box with 4 large
drives and 10Mb symmetric unlimited use. The hard drive wears out about
once every 2 years; it gets rebooted about once every 6-12 months. It
would probably be a good idea to share it and defray some of the costs,
especially while I'm in (relative) vow-of-poverty startup mode again.
>
> Many thanks in advance for thoughts. I'll share what I come up with.
>
sdw
_______________________________________________
FoRK mailing list
http://xent.com/mailman/listinfo/fork
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
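The constant-cadence chaff tunnel sketched in the message above, written out as an added example; this is not code from the FoRK thread or its author. It assumes an already-encrypted carrier (the SSH tunnel the message proposes), and the frame size, the tick schedule and the demo message are assumptions constructed here for illustration.

```python
"""Constant-rate framing with chaff for a tunnel carried over SSH.

Added example (not code from the FoRK thread). Every frame on the wire is
the same size and one frame is emitted per clock tick whether or not the
application has anything to send, so an observer of the encrypted carrier
sees neither packet sizes nor burst timing. FRAME_SIZE, the header layout
and the demo message are assumptions made here for illustration.
"""
import os
import struct

FRAME_SIZE = 512                 # assumed wire size of every frame, chaff or data
HEADER = struct.Struct("!BH")    # 1 byte kind, 2 byte payload length
KIND_CHAFF, KIND_DATA = 0, 1
PAYLOAD_MAX = FRAME_SIZE - HEADER.size


def pack_frame(payload: bytes) -> bytes:
    """Wrap one payload chunk; an empty payload becomes a chaff frame.

    Padding is random so chaff and data look alike even if the carrier
    encryption were ever stripped; the header itself is hidden by SSH.
    """
    if len(payload) > PAYLOAD_MAX:
        raise ValueError("payload exceeds frame capacity")
    kind = KIND_DATA if payload else KIND_CHAFF
    body = HEADER.pack(kind, len(payload)) + payload
    return body + os.urandom(FRAME_SIZE - len(body))


def unpack_frame(frame: bytes) -> bytes:
    """Return the application bytes carried by a frame (b'' for chaff)."""
    if len(frame) != FRAME_SIZE:
        raise ValueError("frame has wrong size")
    kind, length = HEADER.unpack_from(frame)
    if kind == KIND_CHAFF:
        return b""
    if kind != KIND_DATA or length > PAYLOAD_MAX:
        raise ValueError("malformed frame")
    return frame[HEADER.size:HEADER.size + length]


def shape(app_bytes: bytes, ticks: int) -> list:
    """Sender side: spread app_bytes over exactly `ticks` frames.

    One frame leaves per tick regardless of demand. When the application
    queue is empty the sender emits chaff; when it is not, it drains up to
    PAYLOAD_MAX bytes. The observer sees `ticks` frames of FRAME_SIZE bytes
    whatever the application actually did.
    """
    frames, offset = [], 0
    for _ in range(ticks):
        chunk = app_bytes[offset:offset + PAYLOAD_MAX]
        offset += len(chunk)
        frames.append(pack_frame(chunk))
    if offset < len(app_bytes):
        raise ValueError("not enough ticks to carry all data")
    return frames


def reassemble(frames: list) -> bytes:
    """Receiver side: drop chaff, concatenate data payloads in order."""
    return b"".join(unpack_frame(f) for f in frames)


def demo() -> tuple:
    """Push a constructed 1230-byte request through a 10-tick schedule.

    Returns (round-trip ok, set of wire sizes seen, number of chaff frames).
    """
    message = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n" * 30  # constructed
    frames = shape(message, ticks=10)
    sizes = {len(f) for f in frames}
    chaff = sum(1 for f in frames if unpack_frame(f) == b"")
    return reassemble(frames) == message, sizes, chaff


if __name__ == "__main__":
    print(demo())
```

On the wire this yields ten 512-byte frames at a fixed cadence whether the application sent 1230 bytes or nothing, which removes the size and burst-timing signal that admin-side monitoring correlates on. The price is bandwidth proportional to the tick rate even when idle, and the frame size bounds how much real data each tick can carry, so latency grows for anything larger than one payload.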
06 Jul '18
The amicus brief to be filed Friday:
http://www.politechbot.com/docs/copa.congress.072501.html
Politech archive on the Child Online Protection Act law and lawsuit:
http://www.politechbot.com/cgi-bin/politech.cgi?name=copa
Supreme Court agrees to hear case:
http://www.politechbot.com/p-02048.html
Federal judge rules that COPA violates First Amendment:
http://www.politechbot.com/p-00217.html
Note from Bruce Taylor <BruceTaylor(a)NationalLawCenter.org>, who drafted the
brief:
>(we made changes to the cover and page 1 on Interest of Amici, since Senator
>Coats cannot be an amicus because of his nomination to be Ambassador to
>Germany)
>
>Attached is a corrected final Brief of Members of Congress in Ashcroft v
>ACLU, No. 00-1293, to be filed Friday, July 27th, instead of tomorrow.
>
>We renamed it "COPA final USSC Cong amicus brief 7-27-01"
>
>Transmissions scrambled some formatting and we had to re-justify the margins
>and re-send to the printer. This one should be fully justified, but
>otherwise same text. If you copy or post, please use this one, which will
>look like the printed one filed with the Court (hopefully).
-Declan
***********
http://www.politechbot.com/docs/copa.congress.072501.html
Summary Of Argument
The Court of Appeals committed clear error in its refusal to narrowly
construe the Child Online Protection Act's definition of "Harmful To
Minors," 47 U.S.C. § 231 (e)(6), within a constitutionally valid scope and
lend the necessary authoritative construction intended by Congress as a
limitation on the test for what is "Obscene For Minors" to a
constitutionally valid, non-geographic "adult" age community standard,
rather than an unconstitutionally territorial geographic community
standard. ACLU v. Reno, 217 F.3d 162, 173-78 (3d Cir. 2000), reh. denied
(2000).
Congress enacted COPA with specific recognition of this Court's mandate
that the application of obscenity-related tests for separating pornography
that may be regulated from First Amendment protected speech depends on the
medium. FCC v. Pacifica Foundation, 438 U.S. 726, 750 (1978).
The Congressional intent expressed in its Report of the House Committee on
Commerce, H. Rept. No. 105-775, at 28 (1998) (House Report to accompany
H.R. 3783, 105th Cong., 2d Sess.), was that COPA was to be adapted to the
World Wide Web by using a "new" standard of what the American adult-age
community as a whole would find prurient and offensive for minors in the
probable recipient age group. The Third Circuit refused to adopt this
Congressionally intended customization of the "harmful to minors" test and,
by such refusal, interpreted the Act in an unconstitutional fashion. ACLU,
217 F.3d at 178. By doing so, that Court, as had the District Court below,
failed in its duty to properly construe this federal statute so as to save
it for valid application within constitutional boundaries.
For these reasons, this Court should reverse the decision of the Court of
Appeals, and remand the cause to the Third Circuit for a narrowing
authoritative construction to guide the District Court in the trial on the
merits.
Remainder at:
http://www.politechbot.com/docs/copa.congress.072501.html
-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
----- End forwarded message -----
============================================================
EDRI-gram
biweekly newsletter about digital civil rights in Europe
Number 4.19, 11 October 2006
============================================================
Contents
============================================================
1. New EU-US interim deal on Passenger Name Record
2. The European Parliament ready to vote on EPLA
3. The broadcast treaty stalled by WIPO General Assembly
4. Filesharing and digital evidence case in Sweden
5. SWIFT found in breach of Belgian laws
6. European e-voting machines cracked by Dutch group
7. Open Letter against the revision of the Swiss copyright law
8. Digital Restriction Management - drm.info
9. ENDitorial : PNR & Institutional Mechanisms of Privacy Protection
10. Recommended reading
11. Agenda
12. About
============================================================
1. New EU-US interim deal on Passenger Name Record
============================================================
The previous agreement on EU-US passenger data sharing, adopted in 2004, was
annulled by the European Court of Justice in Luxembourg in May 2006 on the
ground that it had been adopted on the wrong legal basis. After a series of
negotiations between the EU and the US, a new interim agreement was concluded
on 6 October 2006.
The Court had kept the old agreement in force until 30 September. This
explains the rush by EU and US officials to agree on a new deal. From a
privacy point of view, the new agreement is worse than the previous one.
According to the new deal, 34 types of passenger data - including names,
telephone numbers, addresses, credit card information, bank account numbers,
email addresses, the type of meals served on board and other details of the
reservation for a flight to the US - will be sent to the US authorities.
The agreement foresees that the US officials will no longer "pull" the
information from the airlines' computers; instead the data will be "pushed"
to them, so the data will be much more readily available. The data should be
sent by the airlines to the US authorities' databases within 15 minutes of a
plane taking off from an EU country for the US. It appears that the new
"push" system will be tested before the end of the year.
Under pressure from the US authorities, the PNR data will also be made
available to several US counter-terrorism agencies, provided they have
"comparable standards of data protection" to the EU, as Commissioner
Frattini underlined. Carriers that do not provide the required information
are liable to fines of up to EUR 5,000 per passenger or even the withdrawal
of landing rights.
The new deal will be formally approved by the EU Justice Ministers, who are
due to meet later this week. The agreement will remain in force until the
end of July 2007; new negotiations for a permanent deal will probably begin
in November.
The interim PNR deal quickly drew criticism from civil rights groups and
also from members of the European Parliament. Cem Ozdemir (DE, Greens)
said: "It is disturbing that the EU capitulated to US demands to allow more
agencies to access the data."
Sophie In't Veld (NL, ALDE group), the EP rapporteur on PNR issues, has
scheduled a public debate on the matter for 11 October during the plenary
session of the Parliament. Ms In't Veld has also sent a letter to
Commissioner Frattini asking him to clarify a series of issues regarding the
PNR deal ahead of this debate.
Passenger information row settled (6.10.2006)
http://www.guardian.co.uk/uklatest/story/0,,-6129789,00.html
EU and US strike deal on air passenger data (6.10.2006)
http://euobserver.com/9/22590
Passenger data deal for US and EU (6.10.2006)
http://news.bbc.co.uk/1/hi/world/europe/5412092.stm
EU-USA Agreement on PNR: the EU puts the safety of European citizens and
residents in danger (only in French, 6.10.2006)
http://www.iris.sgdg.org/info-debat/comm-pnr1006.html
Letter from Sophie In't Veld to Commissioner Frattini asking a series of
questions on the agreement (10.06.2006)
http://www.statewatch.org/news/2006/oct/eu-us-pnr-letter-to-commission.pdf
Transfer of passenger name records (PNR) : the new agreement between
the EU and the USA is an unacceptable infringement of the respect for
human rights and data protection (9.10.06)
English version
http://www.aedh.net/eng/index.php?cat=com_ex&com=last&com_id=92
French Version
http://www.aedh.net/index.php?cat=com_ex&com=last&com_id=91
EDRI-gram : EU-US agreement on passenger data transfer annulled (7.06.2006)
http://www.edri.org/edrigram/number4.11/pnr
============================================================
2. The European Parliament ready to vote on EPLA
============================================================
The European Patent Litigation Agreement (EPLA) will be the subject of a
motion for a resolution in the European Parliament, after the three large
groups of MEPs (EPP-ED, PES and ALDE) reached a compromise and tabled it.
The three groups drafted a motion that " urges the Commission to explore all
possible ways of improving the patent and patent litigation systems in the
EU, including participation in further discussions on the EPLA and acceding
to the Munich Convention as well as revising the Community Patent proposals;
as regards the EPLA, considers that the proposed text needs significant
improvements and a satisfactory proposal for the Rules of Procedure of the
EPLA Court".
Florian Mueller, an anti-software-patent campaigner, called the proposal
made by the three groups a "pretty reasonable compromise" and a "defensive
victory" for the anti-EPLA camp.
The Foundation for a Free Information Infrastructure (FFII) has described
the same draft resolution as "a compromised compromise" but expects the EP
to adopt an improved version. FFII staff are working to obtain substantial
improvements.
The European Patent Office is pushing hard towards the creation of an
"enhanced patent culture" in Europe, as expressed by its President, Alain
Pompidou during the EPO online services conference in Lisbon on 9 October.
Critics of the proposal believe that the EPO would be given too much power
and that the agreement would increase the cost of both enforcing and
challenging a patent. It would also legitimise software patents and
undermine the judicial systems.
The EP will vote on 12 October 2006 on the motion for a resolution on the
EPLA. The Greens, GUE/NGL and a group of EPP/PES/ALDE MEPs led by Zverina
MEP have each tabled their own amendments, which could improve the motion.
Jonas Maebe from FFII commented on this :
" They want to remove a request for the EU to accede to the European
Patent Convention, since that would transfer many EU patent-related
competences to the mostly unaccountable European Patent Organisation.
And rather than merely asking to improve the EPLA, they mention the
actual problems with this draft agreement: the lack of
accountability, cost and judicial independence concerns. Finally,
they also ask for an opinion of the European Court of Justice
regarding treaty-related concerns and once more stress the quality
problems that plague the European Patent Office's output.
We hope that these modest yet important amendments will receive
significant support from MEPs. Not amended, the compromise motion
would only call for removing democratic control and independent
judicial oversight from as many EU patent competences as possible. We
do not believe this is something most Members really want."
FFII France - Patents and Innovation in danger at the European Parliament
(only in French, 11.10.2006)
http://www.ffii.fr/epla-vote-amendements
Patentmeister weighs in on Euro IP system (9.10.06)
http://www.theregister.co.uk/2006/10/09/epo_supports_epla/
A compromise in European patenting debate? (5.10.06)
http://www.theregister.co.uk/2006/10/05/compromise/
Commissioner says EU patent doubts 'legitimate'
(29.09.06)
http://www.theregister.co.uk/2006/09/29/legitimate_doucts/
Commission statement - Future action in the field of patents
European Parliament Plenary Session, Strasbourg, (28.09.2006)
http://europa.eu.int/rapid/pressReleasesAction.do?reference=SPEECH/06/546&f…
mat=HTML&aged=0&language=EN&guiLanguage=en
EDRI-gram: Europe faces software patents threat again (27.09.2006)
http://www.edri.org/edrigram/number4.18/patsoft
============================================================
3. The broadcast treaty stalled by WIPO General Assembly
============================================================
The General Assembly of the World Intellectual Property Organisation (WIPO)
has decided that the highly controversial proposed treaty on the protection
of broadcasting organisations, including cablecasting organisations, must be
approved at two more meetings before being put for discussion to a
diplomatic conference, which is scheduled to take place from 19 November to
7 December 2007.
The General Assembly considered these two meetings necessary to achieve
enough consensus among member states, as India, the US and Brazil had
objected to sending the treaty directly to a conference.
Addressing the General Assembly, Robin Gross, executive director of IP
Justice, said: "A diplomatic conference is now contingent upon member states
reaching consensus where there are currently great differences such as the
inclusion of anti-circumvention measures in the treaty and outlawing
Internet retransmissions of programs."
Discussions will continue in the January 2007 meeting at WIPO and in June
2007 at a meeting held along with a preparatory meeting for the Diplomatic
Conference.
The proposed treaty would create a new right for broadcasters over the
content of their broadcasts, even where the content was created by a third
party. This could lead to a situation in which creators no longer have
lasting control over content on which they hold the copyright.
The 2007 conference will define the scope of a future treaty, as well as the
duration of any protection granted.
This decision of the General Assembly is encouraging, showing that WIPO is
not a simple tool in the hands of the industries.
Broadcast treaty needs sounding out, says WIPO (4.10.06)
http://www.out-law.com/page-7357
General Assembly approves convening of diplomatic conference on the
protection of broadcasting organizations (2.10.06)
http://www.wipo.int/edocs/prdocs/en/2006/wipo_pr_2006_460.html
U.N. convenes broadcasting treaty talks in 2007 (2.10.06)
http://today.reuters.com/news/articlenews.aspx?type=industryNews&storyID=20…
-10-02T175644Z_01_L02127263_RTRIDST_0_INDUSTRY-TELECOM-WIPO-DC.XML
WIPO broadcast treaty abandons rights-based approach (3.10.06)
http://arstechnica.com/news.ars/post/20061003-7891.html
WIPO General Assembly Puts Brakes on Broadcast Treaty, Overrules Chairman
(2.10.06)
http://ipjustice.org/wp/2006/10/02/wipo-general-assembly-decision-on-broadc…
t-treaty-2/
EDRI-gram : Opposition to draft WIPO Broadcast Treaty (13.09.06)
http://www.edri.org/edrigram/number4.17/wipobroadcast
============================================================
4. Filesharing and digital evidence case in Sweden
============================================================
Andreas Bawer was accused in 2005 of sharing a film called Hip Hip Hora, in
breach of the Swedish Penal Code. He was found guilty by the Swedish court
of first instance (Västmanlands tingsrätt) in December 2005. However, in a
decision of 2 October 2006 the Swedish Court of Appeal (Svea hovrätt)
acquitted him, having identified several faults in the digital evidence
presented.
Bawer, having allegedly shared film files, could under the Swedish penal
code be held criminally liable only if it was proven beyond reasonable doubt
that the IP address used for the file sharing was assigned to the computer
Bawer owned or used, and if the court could rule out that others had used
that computer at the time of the alleged file sharing. The legal question at
issue was whether there was sufficient evidence that Bawer had shared the
film file Hip Hip Hora.
Under Swedish law the prosecuting authority bears the burden of proof for
both the subjective and the objective conditions of criminal liability, and
only evidence presented before the court forms the basis for the court's
assessment and judgement. In the Bawer case the prosecuting authority
contended that the IP address was connected to Bawer's computer. The evidence
was a record, made by the Swedish Antipiratbyrån (Anti-Piracy Bureau), of
Bawer's file sharing. Antipiratbyrån had access to a file-sharing service
named Walhall, through which it searched for the film Hip Hip Hora, allegedly
made available by Bawer. Antipiratbyrån requested the film from Bawer through
Walhall and a download was performed. Using the network monitoring program
CommView, Antipiratbyrån recorded the traffic data between its own computer
and Bawer's computer.
Expert witnesses identified several faults in Antipiratbyrån's record of the
traffic data made with CommView. First, the recorded IP address could have
belonged to a router or a firewall, which could in turn have let some other
machine behind it use that address for the file sharing. Second, CommView
simultaneously monitored file sharing from several IP addresses, whereas
only one file-sharing session was recorded, with no description of how the
evidence was secured. Third, the record of the file sharing did not state
the time zone used for the record. Fourth, the record did not state the date
and time of the file sharing allegedly committed by Bawer. Fifth, the
programs used to determine the time of the record on the CD/DVD made by
Antipiratbyrån showed discrepancies. Hence the Court of Appeal could not find
it proven beyond reasonable doubt that the film file was shared from Bawer's
computer. Consequently, Bawer was acquitted.
The judgement shows the difficulties in proving with sufficient probability
who acted, from where and at what time. The problems of digital evidence are
complex and of a heterogeneous character. Electronic evidence, such as
traffic, location and time data, can originate, be scattered and end on
different formats and different coordinates in time and space, and may
easily be manipulated and hard to identify, due to services offering
anonymity or pseudonymity.
Judgement of Svea hovrätt (Swedish Court of Appeal) (in Swedish only,
2.10.2006)
http://www.domstol.se/default____966.aspx
File Sharer acquitted (in Swedish only, 3.10.2006)
http://www.aftonbladet.se/vss/rss/story/0,2789,898480,00.html
Freedom of action for file sharers? (in Norwegian only, 5.10.2006)
http://forbruker.no/digital/nyheter/data/article1480842.ece
(Contribution by Georg Philip Krog, doctoral researcher in Private
International Law, University of Oslo - Norway)
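The five objections above turned on what the capture record did and did not contain. The following audit mechanises them, added here as an example; it is not drawn from the EDRI-gram article or the court file. The record field names, the RFC 1918 heuristic for addresses that may belong to a NAT router rather than an end host, and the two sample records are assumptions constructed for illustration.

```python
"""Audit of a traffic-capture record against the objections in the Bawer case.

Added example; not part of the EDRI-gram article or the court file. Field
names, the RFC 1918 heuristic and both sample records are assumptions
constructed here for illustration.
"""
import hashlib
import ipaddress
import json
from datetime import datetime

# Addresses that are never Internet endpoints: a "peer" showing one of these
# means the capture host saw a NAT router or its own LAN, not the suspect.
NAT_SIDE = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STAMP_FIELDS = ("capture_start", "capture_end", "event_time")


def _parse(stamp):
    """ISO-8601 parse; returns None when the value is missing or malformed."""
    try:
        return datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    except (AttributeError, TypeError, ValueError):
        return None


def audit_capture(record: dict) -> list:
    """Return the defects that would weaken this record as evidence.

    Each check mirrors one objection raised on appeal: an address that may
    belong to a gateway, timestamps without a time zone, no timestamp for the
    alleged act, several peers captured without a documented isolation
    method, and no hash of the media on which the record was handed over.
    """
    defects = []
    stamps = {}
    for field in STAMP_FIELDS:
        parsed = _parse(record.get(field))
        if parsed is None:
            defects.append(f"missing or malformed {field}")
        elif parsed.tzinfo is None:
            defects.append(f"{field} has no time zone")
        else:
            stamps[field] = parsed
    if len(stamps) == len(STAMP_FIELDS) and not (
            stamps["capture_start"] <= stamps["event_time"] <= stamps["capture_end"]):
        defects.append("event_time lies outside the capture window")

    try:
        addr = ipaddress.ip_address(record.get("peer_ip"))
        if addr.is_loopback or addr.is_link_local or any(addr in n for n in NAT_SIDE):
            defects.append("peer_ip is a private/local address; may be a NAT router, not the end host")
    except ValueError:
        defects.append("peer_ip missing or malformed")

    if len(record.get("peers_observed", [])) > 1 and not record.get("isolation_method"):
        defects.append("several peers captured but isolation method undocumented")
    if not record.get("media_sha256"):
        defects.append("no hash of the capture media recorded")
    return defects


def seal(record: dict) -> str:
    """SHA-256 over the canonical JSON form, so later edits to the record show."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


# Constructed sample records (not real captures).
WEAK_RECORD = {
    "peer_ip": "192.168.1.20",
    "capture_start": "2005-03-12 21:14:03",   # no offset: which zone?
    "capture_end": "2005-03-12 21:40:55",
    "event_time": None,                       # act itself never timestamped
    "peers_observed": ["192.168.1.20", "10.0.0.7", "10.0.0.9"],
    "isolation_method": "",
    "media_sha256": "",
}
STRONG_RECORD = {
    "peer_ip": "203.0.113.45",
    "capture_start": "2005-03-12T21:14:03+01:00",
    "capture_end": "2005-03-12T21:40:55+01:00",
    "event_time": "2005-03-12T21:15:10+01:00",
    "peers_observed": ["203.0.113.45"],
    "isolation_method": "single-peer capture filter, pcap exported unmodified",
    "media_sha256": "placeholder-hash-of-burned-dvd",
}

if __name__ == "__main__":
    print(audit_capture(WEAK_RECORD))
    print(audit_capture(STRONG_RECORD), seal(STRONG_RECORD))
```

The weak record fails on every point the appeal court listed; the strong one passes, and its seal changes if any field is altered afterwards. Note what the audit cannot do: a clean public address still only ties the traffic to whatever held that address at that moment, which is exactly the router-or-firewall objection, so the record needs a documented attribution step beyond the capture itself.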
===========================================================
5. SWIFT found in breach of Belgian laws
===========================================================
A report issued by the Belgian Government on the much-discussed SWIFT case,
in which financial transaction data was transferred to the US Government,
concluded that SWIFT breached Belgian law.
The Belgian Commission responsible for the first report on the case stated:
"The Commission is of the opinion that SWIFT finds itself in a conflict
situation between American and European law and that SWIFT at the least
committed a number of errors of judgement when dealing with the American
subpoenas."
The report says: "SWIFT should have complied with its obligations under the
Belgian privacy law, amongst which the notification of the processing, the
information, and the obligation to comply with the rules concerning personal
data transfer to countries outside the EU."
The report also states that SWIFT, in transferring data to the US Treasury
should have observed the fundamental principles of European law such as
"the principle of proportionality, the limited retention period, the
principle of traprotection level."
The commission acknowledged that SWIFT had tried to obtain certain
guarantees through its negotiations with the US Treasury, but considered
these attempts inappropriate. It also stated that SWIFT should have notified
the Privacy Commissioners and not only the G-10 banks.
The European Data Protection Supervisor (EDPS) has also criticised the
European Central Bank (ECB) as a SWIFT customer, for not stopping the
Belgian banking company from sending European transaction details to US
authorities.
EDPS stated: "As to the role of the ECB as a SWIFT customer, the EDPS could
not avoid feeling that it had accepted an inappropriate risk by continuing
to transfer financial data through SWIFT after becoming aware of the
arrangement with the US authorities. As to the role of the ECB as financial
overseer, the EDPS would have expected more initiative to bring this
arrangement - of which it was made aware in February 2002 - to the notice of
relevant authorities and responsible governments".
In a set of recent, largely evasive answers to questions from EDRi member
quintessenz, SWIFT confirmed that it is still subject to ongoing subpoenas
from the US Treasury and still hands over large datasets.
Belgian Prime Minister condemns SWIFT data transfers to U.S. as 'illegal'
(28.09.06)
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-543789
EU privacy chief slams central bank over SWIFT claims (4.10.06)
http://www.out-law.com/page-7359
SWIFT answers to quintessenz Questions (2.10.2006)
http://quintessenz.org/doqs/000100003696/2006_10_02,SWIFT_Questions.pdf
EDRi-gram: European bodies discuss the SWIFT case (30.08.2006)
http://www.edri.org/edrigram/number4.16/swift
===========================================================
6. European e-voting machines cracked by Dutch group
===========================================================
The voting computers used to cast 90% of the votes in the Netherlands were
cracked by a Dutch group called "Wij vertrouwen stemcomputers niet" (We do
not trust voting computers).
In a live public show on 4 October 2006 on the Dutch television channel
Nederland 1, the group showed how the control program of such a voting
computer, the Nedap/Groenendaal ES3B, could be replaced by swapping two
EPROMs on the board. The entire demonstration took less than 5 minutes.
The demonstration was followed by a public report, released on 6 October,
that explains how the machine's program works, how the replacement software
was created and how it gives complete control over the election results. It
is almost impossible for election monitors or voters to detect the change.
The report also describes how the group found that radio emanations from an
unmodified ES3B can be received several metres away and used to tell who
votes what.
The report comes at a delicate moment, a month and a half before the
parliamentary elections in the Netherlands, where the voting computers are
to be used extensively. The same voting computers, with minor modifications,
are also used in parts of Germany and France.
Use of this machine in Ireland is now on hold after significant doubts were
raised. Colm MacCarthaigh from Irish Citizens for Trustworthy E-voting,
after looking at the compromised Nedap machines, said that : "The attack
presented by the Dutch group would not need significant modification to run
on the Irish systems".
Maurice Wessling, of Wij vertrouwen stemcomputers niet, underlined:
"Compromising the system requires replacing only a single component,
roughly the size of a stamp, and is impossible to detect just by looking at
the machine".
Following the Irish reaction, the German NGO Chaos Computer Club has also
called for a ban on this voting computer, considering that it does not meet
the basic standards of German law.
The Dutch report showed flaws similar to those discovered in Diebold
Election Systems Inc.'s touch-screen voting machine, by Edward Felten,
director of Princeton University's Center for Information Technology Policy.
The flaws were presented in a public report released in September 2006 -
Security Analysis of the Diebold AccuVote-TS Voting Machine.
"We do not trust voting computers" Foundation
http://www.wijvertrouwenstemcomputersniet.nl/Nedap-en
Nedap/Groenendaal ES3B - voting computer a security analysis (6.10.2006)
http://www.wijvertrouwenstemcomputersniet.nl/images/9/91/Es3b-en.pdf
Dutch citizens group cracks Nedap's voting computer (7.10.2006)
http://www.webwereld.nl/articles/43217/flaws-found-in-european-voting-machi…
s.html
E-voting machines successfully hacked (5.10.2006)
http://www.siliconrepublic.com/news/news.nv?storyid=single7158
Dutch citizens group cracks Nedap's voting computer (6.10.2006)
http://www.heise.de/english/newsticker/news/79106
Computer Chaos Club demands prohibition of voting computers in Germany
(5.10.2006)
http://www.ccc.de/updates/2006/wahlcomputer
Security Analysis of the Diebold AccuVote-TS Voting Machine(13.09.2006)
http://itpolicy.princeton.edu/voting/
===========================================================
7. Open Letter against the revision of the Swiss copyright law
===========================================================
At the end of September 2006, a new initiative, called kunstfreiheit.ch
(freedom of art) was launched in Switzerland. It is basically an open letter
to the Swiss Minister of Justice and the Swiss parliamentarians calling
attention to the fact that the reform/expansion of copyright, which is
currently being debated, is not in the interest of artists. After 40
prominent Swiss artists, curators and professors have signed it in advance,
now the open letter is available to the public for further support from
Internet users.
Switzerland is one of the last European countries to revise its copyright
law following the 1996 WIPO treaties.
The main aim of the open letter is to make public the differing interests
between artists and industry, helping to undermine the myth, which is still
politically powerful, that the industry represents the interests of artists.
The letter is drafted around three main principles that should be reflected
in the new copyright law:
a. Protection of artistic works should be at the heart of copyright,
rather than a higher level of control over them
b. Legal certainty in the usage of the present copyrighted works
c. New artistic creativity should not be undermined by the DRMs
The response from visitors has been positive in the first week, with
400 artists and art professionals having signed the open letter.
Kunstfreiheit (Freedom of Art) (in German only)
http://www.kunstfreiheit.ch
Open letter on copyright - Kunstfreiheit (29.09.2006)
In German
http://www.kunstfreiheit.ch/serendipity/uploads/Kunstfreiheit-brief.pdf
In French
http://www.kunstfreiheit.ch/serendipity/uploads/Kunstfreiheit-brief_f.pdf
In Italian
http://www.kunstfreiheit.ch/serendipity/uploads/Kunstfreiheit-brief_i.pdf
Initiative Freedom of Art criticises the Swiss copyright plans (2.10.2006)
http://www.heise.de/newsticker/meldung/78932
Successful initiative against copyright revision (3.10.2006)
http://www.kleinreport.ch/print_meld.phtml?id=36931
(Contribution by Felix Stalder - Department of New Media, HGK Zurich -
Switzerland)
===========================================================
8. Digital Restriction Management - drm.info
===========================================================
On 3 October 2006, the first anti-DRM collaborative information platform,
DRM.info, covering the potential dangers of Digital Restriction Management
(DRM), was launched. DRM.info was initiated by the Free Software Foundation
Europe (FSFE) and is supported by a group of organisations and authors.
The main message of the new website is 'Your devices don't trust you!' as
Joachim Jakobs, FSFE's media coordinator explains: "In fact they trust you
so little that they will not even tell you that they put you under
surveillance." DRM.info wants to inform and involve people in decisions that
will affect them on a very personal level. All the contributors to the new
platform have a shared concern about the lack of a social debate on issues
surrounding DRM technologies.
Georg Greve, FSFE's president underlined one of the dangers of DRM:
"DRM technologies are based on the principle that a third party has
more influence over your devices than you, and that their interests
will override yours when they come in conflict. That is even true
where your interest is perfectly legitimate and legal, and possibly
also for your own data."
DRM.info - Digital Restriction Management
http://drm.info/
FSF Europe launches anti-DRM site (5.10.2006)
http://www.heise.de/english/newsticker/news/79049
Digital Rights Management (only in German, 3.10.2006)
http://netzpolitik.org/2006/digital-rights-management/
The European anti-DRM campaign has started (only in Italian, 4.10.2006)
http://punto-informatico.it/p.aspx?id=1678123&r=PI
===========================================================
9. ENDitorial : PNR & Institutional Mechanisms of Privacy Protection
===========================================================
A small detail on the EU-US agreement over the transfer of air passenger
name records (PNR), and a non-related statement by US president George W.
Bush, taken together give a nice highlight on the institutional mechanisms
of privacy protection.
EU Commissioner Frattini told the press on 6 October 2006 that under the new
PNR agreement, the passenger data will be accessible to other US agencies
involved in counter-terrorism and law enforcement "on the condition that
these have a comparable level of data protection". This formulation of
course is absurd if you allow the basically unlimited transfer of data, as
the core idea of data protection consists in the protection against further
transfer. It is also interesting, because under the 1995 EU data protection
directive, data transfers to third countries are only allowed if there is an
"adequate" level of protection. But let us accept it for the moment. What
could be a comparable level of protection?
Institutionally, the EU has adopted the German idea of a special privacy and
data protection commissioner within government agencies or companies. This
officer has to be independent from executive orders, because his or her job
is exactly to provide control over the way the agency or company handles
personal data of citizens, customers, or employees. The public data
protection commissioners in Europe are also independent because they are
elected by the national parliaments. The model has become quite popular in
the last ten years. Many US-based corporations now also have their chief
privacy officers (CPOs) basically fulfilling the same task.
The Department of Homeland Security was the first government agency in the
US that ever got a chief privacy officer. The position was institutionalized
with the Homeland Security Act of 2002 (section 222) which established the
department. By doing this, the Bush government tried to attenuate the harsh
criticism from privacy advocates against the surveillance and data-mining
programs concentrated in the DHS. But the DHS chief privacy officer is not
independent. He (currently Hugo Teufel, III) is nominated by the Secretary
for Homeland Security and reports to the executive branch it is
supposed to control, not to Congress. At the annual international
conferences of privacy and data protection commissioners, the DHS privacy
officer therefore was never really recognized as "one of them", and was not
allowed to participate as a peer in the internal meetings of national
commissioners.
Congress has repeatedly tried to increase the independence of the DHS CPO.
This was done again in the 2007 spending bill for the Homeland Security
Department. Section 522 states that:
"None of the funds made available in this Act may be used by any person
other than the Privacy Officer appointed under section 222 of the Homeland
Security Act of 2002 (6 U.S.C. 142) to alter, direct that changes be made
to, delay, or prohibit the transmission to Congress of any report prepared
under paragraph (6) of such section."
This is a complicated way (because it's a spending bill) of saying that only
the privacy officer can edit the reports about how the department obeys
privacy rules. Now, President Bush, when he signed the bill,
attached a signing statement to it, which gives himself the authority to
make changes to the agency's privacy office annual and other reports. Bush
directs that: "the executive branch shall construe section 522 of the Act,
relating to privacy officer reports, in a manner consistent with the
President's constitutional authority to supervise the unitary executive
branch."
Do not assume that the DHS privacy officer has been a sharp watchdog yet.
For example, the report on privacy protection of passenger name record
information, published by his office in September 2005, basically says
"everything is great and data is protected perfectly". So Bush is just
insisting on his last word as the commander-in-chief.
It becomes clearer if you look at the big picture: The EU allows the DHS to
transfer passenger data to other agencies if they have a comparable level of
data protection. The other departments and agencies do not have privacy
officers who could ensure that this level of protection is really enforced.
The DHS privacy officer does not have a level of independence comparable to
his European colleagues. But even if he wants to report breaches of the weak
privacy protection levels in US government agencies, President Bush and the
White House can do the final editing of the reports and tell the privacy
officer to shut up. So, the EU is giving its citizens' data away, and what
it gets in return is no more than a "trust us" from the US Government. It
reminds me of a recent statement by the German Ministry of Finances in the
SWIFT affair. When asked by a conservative (!) member of the Parliament
about the possibility of the US using the financial data for economic
espionage, the spokesman replied: Yes, they had discussed this with their
American counterpart, but the US Government would not see this danger.
The idea of having an independent privacy commissioner was one way of
substituting this "trust me" model with institutionalized checks and
balances. This is what democracy is all about, compared to authoritarian
systems: Not having to trust the government, but instead controlling it.
http://bendrath.blogspot.com/2006/10/passenger-records-and-institutional.ht…
(Contribution by Ralf Bendrath, EDRi member Netzwerk Neue Medien e.V.,
Germany)
===========================================================
10. Recommended Reading
===========================================================
EU data protection in police and judicial cooperation matters: Rights of
suspects and defendants under attack by law enforcement demands
http://www.statewatch.org/news/2006/oct/eu-dp.pdf
Statewatch's Observatory on data protection in the EU
http://www.statewatch.org/eu-dp.htm
===========================================================
11. Agenda
===========================================================
16 October 2006, Brussels, Belgium
The European Commission will organise in Brussels on Monday 16 October a
final conference on Radio Frequency Identification (RFID).
http://www.rfidconsultation.eu/
16-18 October 2006, Paris, France
UNESCO Consultation meetings on WSIS Action Lines - Access to information
and knowledge (C3), E-learning (C7), Ethical dimensions of the
Information Society (C10)
http://portal.unesco.org/ci/en/ev.php-URL_ID=17637&URL_DO=DO_TOPIC&URL_SECT…
N=201.html
19-20 October 2006 Kirchberg, Luxembourg
Hack.lu 2006
Hack.lu is an open convention/conference where people can discuss
computer security, privacy, information technology and their
cultural/technical implications for society.
http://www.hack.lu/index.php/Main_Page
19-20 October 2006, Tallinn, Estonia
The Digital Future of Cultural and Scientific Heritage
http://telmemor.net/conference/
20 October 2006, Bielefeld, Germany
Big Brother Awards Germany
http://www.bigbrotherawards.de/
20 October 2006 , Bielefeld, Germany
Demonstration "Freedom instead of Fear" (Freiheit statt Angst), against
Security and Surveillance Delusion
http://www.freiheitstattangst.de/
http://www.vorratsdatenspeicherung.de/
23-24 October 2006, Brussels, Belgium
Conference on International Transfers of Personal Data, organized by the
European Commission jointly with the Article 29 Data Protection Working
Party and the United States Department of Commerce's International Trade
Administration.
http://ec.europa.eu/justice_home/news/events/news_events_en.htm
25 October 2006, Vienna, Austria
Big Brother Awards Austria
http://www.bigbrotherawards.at
27-28 October 2006, Sofia, Bulgaria
Cyber Terrorism as a new security threat
http://www.crime-research.org/cyberterrorism07
29 October 2006, Athens, Greece
First annual conference -Global Internet Governance Academic Network
(GigaNet)
http://www.internetgovernance.org/pdf/GigaNet.Athens.CFP.8.Sept.2006__2_.pdf
30 October - 2 November 2006, Athens, Greece
Internet Governance Forum
http://www.intgovforum.org/
30 October 2006, Prague, Czech Republic
Czech Big Brother Awards
http://www.bigbrotherawards.cz
31 October 2006 - deadline for nominations
Stupid Security Awards - Privacy International. The awards aim to highlight
the absurdities of the security industry. The competition is open to anyone
from any country.
http://www.privacyinternational.org/stupidsecurity
1 November 2006, London, United Kingdom
The database state?
This workshop will feature expert speakers on two major UK databases: the
Children's Information Sharing Index and the NHS Care Records Service.
http://dooooooom.blogspot.com/2006/10/database-state.html
2-3 November 2006, London, United Kingdom
28th International Data Protection and Privacy Commissioners'
Conference
http://www.privacyconference2006.co.uk/
15-16 November 2006, Skopje, Macedonia
International Conference "e-Society.Mk"
http://www.e-society.org.mk/
30 November - 1 December 2006, Berlin, Germany
The New Surveillance - A critical analysis of research and methods in
Surveillance Studies. A two day international Conference hosted at the
Centre for Technology and Society of the Technical University Berlin.
http://www.ztg.tu-berlin.de/surveillance
14 December 2006, Madrid, Spain
Conference on the Admissibility of Electronic Evidence in Court in Europe.
The final event of the project Admissibility of the Electronic Evidence in
Court in Europe (A.E.E.C.) funded by the European Commission and led by the
Spanish company Cybex.
http://www.cybex.es/AGIS2005/
===========================================================
12. About
===========================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 21 members from 14 European countries and 5 observers
from 5 more countries (Italy, Ireland, Poland, Portugal and Slovenia).
European Digital Rights takes an active interest in developments in the EU
accession countries and wants to share knowledge and awareness through the
EDRI-grams. All contributions, suggestions for content, corrections or
agenda-tips are most welcome. Errors are corrected as soon as possible and
visibly on the EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 2.0 License. See the full text at
http://creativecommons.org/licenses/by/2.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: <nettime> James Ball: The bankers' blockade of WikiLeaks must end(Guardian)
by John Young 06 Jul '18
Despite the money machine Wikileaks has become for the thousands
exploiting its product and notoriety, it deserves maximum support in
ways that help avoid dependency upon rigged markets and leveraged
endorsements.
In comparison to the braggardy and IP theft of secrecy-protected
1% MSM, governments and corporations hiding behind branded
Representative Democracy, WL -- and its kind -- are genuinely
supportive of direct democracy.
Individual support for these initiatives is crucial to avoid the trap
of 1% funding which has enlisted millions with sinecure
indulgences from gov, mil and edu -- not least those of the
hypnotic debt-swap easy loan of the Internet which allows
siphoning personal information without limit, TOR one of many
indulgences. Hopefully WL will not be revealed to be one of
those goodwill industries.
The disclosed legal expenses for Assange which appear to
soon outweigh WL operating costs do not augur well for the
initiative remaining unfettered democratic. No explanation of
why the legal costs are not donated -- unless they are being
used to launder money in the same old practice of claiming
"expenses" used by the 1%.
# distributed via <nettime>: no commercial use without permission
# <nettime> is a moderated mailing list for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: http://mx.kein.org/mailman/listinfo/nettime-l
# archive: http://www.nettime.org contact: nettime(a)kein.org
----- End forwarded message -----
Re: [cryptography] How are expired code-signing certs revoked? (nonrepudiation)
by Adam Back 06 Jul '18
Stefan Brands credentials [1] have an anti-lending feature where you have to
know all of the private components in order to make a signature with it.
My proposal related to what you said was to put a high value ecash coin as
one of the private components. Now they have a direct financial incentive -
if they get hacked and their private keys stolen they lose $1m untraceably.
Now that's quite reassuring - and encapsulates a smart contract where they
get an automatic fine, or good behavior bond. I think you could put a
bitcoin in there instead of a high value Brands based ecash coin. Then you
could even tell that it wasn't collected by looking in the spend list.
Adam
[1] http://www.cypherspace.org/credlib/ a library implementing Brands
credentials - it has pointers to the uprove spec, Brands thesis in pdf form
etc.
On Thu, Dec 22, 2011 at 07:17:21AM +0000, John Case wrote:
>
> On Wed, 7 Dec 2011, Jon Callas wrote:
>
>> Nonrepudiation is a somewhat daft belief. Let me give a
>> gedankenexperiment. Suppose Alice phones up Bob and says, "Hey, Bob, I
>> just noticed that you have a digital signature from me. Well, ummm, I
>> didn't do it. I have no idea how that could have happened, but it
>> wasn't me." Nonrepudiation is the belief that the probability that
>> Alice is telling the truth is less than 2^{-128}, assuming a 3K RSA
>> key or 256-bit ECDSA key either with SHA-256. Moreover, if that
>> signature was made with an ECDSA-521 bit key and SHA-512, then the
>> probability she's telling the truth goes down to 2^{-256}.
>>
>> I don't know about you, but I think that the chance that Alice was
>> hacked is greater than 1 in 2^128. In fact, I'm willing to believe
>> that the probability that somehow space aliens, or Alice has an
>> unknown evil twin, or some mad scientist has invented a cloning ray
>> is greater than one in 2^128. Ironically, as the key size goes up,
>> then Alice gets even better excuses. If we used a 1k-bit ECDSA key
>> and a 1024-bit hash, then new reasonable excuses for Alice suggest
>> themselves, like that perhaps she *considered* signing but didn't in
>> this universe, but in a nearby universe (under the many-worlds
>> interpretation of quantum mechanics, which all the cool kids believe
>> in this week) she did, and that signature from a nearby universe
>> somehow leaked over.
>
>
> This is silly - it assumes that there are only two interpretations of
> her statement:
>
> - a true "collision" (something arbitrary computes to her digital
> signature, which she did not actually invoke) which is indeed as
> astronomically unlikely as you propose.
>
> - another unlikely event whose probability happens to be higher than
> the "collision".
>
> But of course there is a much simpler, far more likely explanation, and
> that is that she is lying.
>
> However ... this did get me to thinking ...
>
> Can't this problem be solved by forcing Alice to tie her signing key to
> some other function(s)[1] that she would have a vested interest in
> protecting AND an attacker would have a vested interest in exploiting ?
>
> I'm thinking along the lines of:
>
> "I know Alice didn't get hacked because I see her bank account didn't
> get emptied, or I see that her ecommerce site did not disappear".
>
> "I know Alice didn't get hacked because the bitcoin wallet that we
> protected with her signing key still has X bitcoins in it, where X is
> the value I perceived our comms/transactions to be worth."
>
> Or whatever.
_______________________________________________
cryptography mailing list
cryptography(a)randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
----- End forwarded message -----
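An added illustration of the "anti-lending" construction Adam describes above, written for this page: it is not Brands' credentials, U-Prove or the credlib code, and every name in it is invented. The signing key is a two-component representation (x1, x2) of the public key under two generators G1, G2; a signature is a Schnorr-style proof of knowledge of both components, and x2 doubles as the secret behind a "deposit" key G2^x2. The point shown is that you cannot sign (or lend the credential) without x2, so whoever steals the signing key can also spend the deposit, and a verifier can consult a spend list to see whether that has happened. The group is a 64-bit safe prime generated at import time purely so the example runs instantly; that size is for illustration only.

```python
# Added illustration of "every private component is needed to sign, and one of
# them is worth money". Simplified Schnorr-style scheme, NOT Brands/U-Prove.
import hashlib
import random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin; good enough for generating demo parameters."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits, seed=2011):
    """(p, q) with p = 2q+1 both prime. 64 bits is for demo speed only."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = find_safe_prime(64)


def subgroup_generator(label):
    """Hash a label into the order-Q subgroup (squares land there when p = 2q+1),
    so nobody knows the discrete log between G1 and G2."""
    counter = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + bytes([counter])).digest(), "big") % P
        g = pow(x, 2, P)
        if g > 1:
            return g
        counter += 1


G1, G2 = subgroup_generator(b"g1"), subgroup_generator(b"g2")


def challenge(*parts):
    """Fiat-Shamir challenge over public key, commitment and message."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes(32, "big")
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q


def keygen(rng):
    """x1: ordinary signing secret. x2: deposit secret, G2^x2 is the coin key."""
    x1, x2 = rng.randrange(1, Q), rng.randrange(1, Q)
    return (x1, x2), pow(G1, x1, P) * pow(G2, x2, P) % P


def sign(priv, pub, msg, rng):
    """Proof of knowledge of (x1, x2) with pub = G1^x1 * G2^x2; needs both."""
    x1, x2 = priv
    k1, k2 = rng.randrange(1, Q), rng.randrange(1, Q)
    c = challenge(pub, pow(G1, k1, P) * pow(G2, k2, P) % P, msg)
    return c, (k1 + c * x1) % Q, (k2 + c * x2) % Q


def verify(pub, msg, sig):
    c, s1, s2 = sig
    # pub has order Q, so pub^(Q-c) == pub^(-c)
    t = pow(G1, s1, P) * pow(G2, s2, P) * pow(pub, Q - c, P) % P
    return challenge(pub, t, msg) == c


def spend_coin(x2, destination, rng):
    """Plain Schnorr signature under G2: anyone holding x2 (owner or thief
    who stole the whole signing key) can move the deposit."""
    k = rng.randrange(1, Q)
    c = challenge(pow(G2, x2, P), pow(G2, k, P), destination)
    return c, (k + c * x2) % Q


def verify_spend(coin_pub, destination, sig):
    c, s = sig
    t = pow(G2, s, P) * pow(coin_pub, Q - c, P) % P
    return challenge(coin_pub, t, destination) == c


def key_still_backed(coin_pub, spent):
    """The 'look in the spend list' check: a key whose deposit was spent is
    no longer trustworthy."""
    return coin_pub not in spent
```

Signing with only x1 (for example by plugging in 0 for the deposit secret) produces a signature that fails to verify, which is exactly the anti-lending property; and once the pair (x1, x2) leaks, `spend_coin` shows the attacker collecting the deposit, after which `key_still_backed` returns False for the relying party who keeps a spend list.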
Re: [cryptography] [info] The NSA Is Building the Country's Biggest Spy Center (Watch What You Say)
by Seth David Schoen 06 Jul '18
ianG writes:
> On 26/03/12 07:43 AM, Jon Callas wrote:
>
> >This is precisely the point I've made: the budget way to break crypto is to buy a zero-day. And if you're going to build a huge computer center, you'd be better off building fuzzers than key crackers.
>
> point of understanding - what do you mean by fuzzers?
Automatically trying to make software incur faults with large amounts of
randomized (potentially invalid) input.
https://en.wikipedia.org/wiki/Fuzz_testing
If you get an observable fault you can repeat the process under a
debugger and try to understand why it occurred and whether it is an
exploitable bug. Here's a pretty detailed overview:
https://www.blackhat.com/presentations/bh-usa-07/Amini_and_Portnoy/Whitepap…
When it was first invented, fuzzing basically just consisted of feeding
random bytes to software, but now it can include sophisticated
understanding of the kinds of data that a program expects to see, with
some model of the internal state of the program. I believe there are
also fuzzers that examine code coverage, so they can give feedback to the
tester about whether there are parts of the program that the fuzzer isn't
exercising.
--
Seth David Schoen <schoen(a)loyalty.org> | No haiku patents
http://www.loyalty.org/~schoen/ | means I've no incentive to
FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150 | -- Don Marti
_______________________________________________
cryptography mailing list
cryptography(a)randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
----- End forwarded message -----
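Seth's description above, fleshed out as an added example that is not code from the thread or from any project: a small coverage-guided mutation fuzzer in Python, using sys.settrace as a crude line-coverage probe, run against a constructed toy parser with a planted bug. The message format ("MZ" magic, kind byte, flags byte, body), its run-length decoder, the seed input and the function names are all made up for this illustration. It shows the two things the paragraph only names: how coverage feedback steers mutation toward unexercised code, and why the fuzzer needs an oracle that separates the parser's documented rejection path (ValueError) from an actual fault (any other exception).

```python
# Added example: coverage-guided mutation fuzzing against a constructed target.
import random
import sys


# --- constructed target: "MZ" magic, kind byte, flags byte, then the body ---
def decode_rle(payload: bytes) -> bytes:
    """Run-length decoding of (count, byte) pairs.
    Planted bug: an odd-length payload reads payload[i + 1] past the end."""
    out = bytearray()
    for i in range(0, len(payload), 2):
        out += bytes([payload[i + 1]]) * payload[i]
    return bytes(out)


def parse_message(data: bytes) -> dict:
    if len(data) < 4 or data[:2] != b"MZ":
        raise ValueError("bad magic")          # rejecting garbage is correct
    kind, flags, body = data[2], data[3], data[4:]
    if kind != 1:
        raise ValueError("unknown kind")
    if flags & 0x01:                           # compressed body
        return {"kind": kind, "body": decode_rle(body)}
    return {"kind": kind, "body": body}


# --- the fuzzer ---
TARGET_FUNCS = {"parse_message", "decode_rle"}


def run_with_coverage(func, data: bytes):
    """Run func(data) under sys.settrace, recording (function, line) pairs hit
    inside the target. Returns (coverage, crash); ValueError is the parser's
    documented rejection path, anything else is a finding."""
    covered = set()

    def tracer(frame, event, arg):
        if event == "call":
            return tracer if frame.f_code.co_name in TARGET_FUNCS else None
        if event == "line":
            covered.add((frame.f_code.co_name, frame.f_lineno))
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        func(data)
        crash = None
    except ValueError:
        crash = None
    except Exception as exc:  # any unexpected exception is what we hunt for
        crash = exc
    finally:
        sys.settrace(previous)
    return covered, crash


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Stack one to three byte-level mutations, AFL 'havoc' style."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 1 and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 2:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == 3 and len(buf) > 1:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(func, seeds, iterations=5000, seed=1):
    """Coverage-guided loop: inputs that execute new lines join the corpus and
    are mutated further; the first input per distinct crash signature is kept."""
    rng = random.Random(seed)
    corpus, total_cov, crashes = list(seeds), set(), {}
    for s in corpus:
        total_cov |= run_with_coverage(func, s)[0]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        cov, crash = run_with_coverage(func, candidate)
        if crash is not None:
            crashes.setdefault((type(crash).__name__, str(crash)), candidate)
        elif cov - total_cov:
            total_cov |= cov
            corpus.append(candidate)
    return corpus, crashes


if __name__ == "__main__":
    corpus, crashes = fuzz(parse_message, [b"MZ\x01\x00abcd"])  # constructed seed
    print(len(corpus), "corpus entries;", len(crashes), "distinct crash(es)")
    for (name, text), inp in crashes.items():
        print(name, text, inp)
```

A purely random byte stream almost never passes the magic check, so it would spend its budget on the "bad magic" line; the coverage feedback instead promotes the first input that sets the compression flag into the corpus, and a later insert or delete in that input's body trips the odd-length bug. The crash dictionary is keyed by exception type and message, which is the cheapest form of the triage step the paragraph mentions (repeat under a debugger, decide whether it is exploitable).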
06 Jul '18
The amicus brief to be filed Friday:
http://www.politechbot.com/docs/copa.congress.072501.html
Politech archive on the Child Online Protection Act law and lawsuit:
http://www.politechbot.com/cgi-bin/politech.cgi?name=copa
Supreme Court agrees to hear case:
http://www.politechbot.com/p-02048.html
Federal judge rules that COPA violates First Amendment:
http://www.politechbot.com/p-00217.html
Note from Bruce Taylor <BruceTaylor(a)NationalLawCenter.org>, who drafted the
brief:
>(we made changes to the cover and page 1 on Interest of Amici, since Senator
>Coats cannot be an amicus because of his nomination to be Ambassador to
>Germany)
>
>Attached is a corrected final Brief of Members of Congress in Ashcroft v
>ACLU, No. 00-1293, to be filed Friday, July 27th, instead of tomorrow.
>
>We renamed it "COPA final USSC Cong amicus brief 7-27-01"
>
>Transmissions scrambled some formatting and we had to re-justify the margins
>and re-send to the printer. This one should be fully justified, but
>otherwise same text. If you copy or post, please use this one, which will
>look like the printed one filed with the Court (hopefully).
-Declan
***********
http://www.politechbot.com/docs/copa.congress.072501.html
Summary Of Argument
The Court of Appeals committed clear error in its refusal to narrowly
construe the Child Online Protection Act's definition of "Harmful To
Minors," 47 U.S.C. § 231 (e)(6), within a constitutionally valid scope and
lend the necessary authoritative construction intended by Congress as a
limitation on the test for what is "Obscene For Minors" to a
constitutionally valid, non-geographic "adult" age community standard,
rather than an unconstitutionally territorial geographic community
standard. ACLU v. Reno, 217 F.3d 162, 173-78 (3d Cir. 2000), reh. denied
(2000).
Congress enacted COPA with specific recognition of this Court's mandate
that the application of obscenity-related tests for separating pornography
that may be regulated from First Amendment protected speech depends on the
medium. FCC v. Pacifica Foundation, 438 U.S. 726, 750 (1978).
The Congressional intent expressed in its Report of the House Committee on
Commerce, H. Rept. No. 105-775, at 28 (1998) (House Report to accompany
H.R. 3783, 105th Cong., 2d Sess.), was that COPA was to be adapted to the
World Wide Web by using a "new" standard of what the American adult-age
community as a whole would find prurient and offensive for minors in the
probable recipient age group. The Third Circuit refused to adopt this
Congressionally intended customization of the "harmful to minors" test and,
by such refusal, interpreted the Act in an unconstitutional fashion. ACLU,
217 F.3d at 178. By doing so, that Court, as had the District Court below,
failed in its duty to properly construe this federal statute so as to save
it for valid application within constitutional boundaries.
For these reasons, this Court should reverse the decision of the Court of
Appeals, and remand the cause to the Third Circuit for a narrowing
authoritative construction to guide the District Court in the trial on the
merits.
Remainder at:
http://www.politechbot.com/docs/copa.congress.072501.html
-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
----- End forwarded message -----
============================================================
EDRI-gram
biweekly newsletter about digital civil rights in Europe
Number 4.19, 11 October 2006
============================================================
Contents
============================================================
1. New EU-US interim deal on Passenger Name Record
2. The European Parliament ready to vote on EPLA
3. The broadcast treaty stalled by WIPO General Assembly
4. Filesharing and digital evidence case in Sweden
5. SWIFT found in breach of Belgian laws
6. European e-voting machines cracked by Dutch group
7. Open Letter against the revision of the Swiss copyright law
8. Digital Restriction Management - drm.info
9. ENDitorial : PNR & Institutional Mechanisms of Privacy Protection
10. Recommended reading
11. Agenda
12. About
============================================================
1. New EU-US interim deal on Passenger Name Record
============================================================
The previous agreement adopted in 2004 on EU-US personal data sharing was
annulled by the European Court of Justice in Luxembourg in May 2006,
invoking the wrong legal basis. After a series of negotiations between the EU
and the US, a new interim agreement was concluded on 6 October 2006.
The old agreement was kept in force by the Court decision until 30
September. This explains the rush of the EU and US officials in agreeing on
a new decision. From the privacy point of view, the new agreement is worse
than the previous act.
According to the new deal, 34 types of passenger data - including names,
telephone numbers, addresses, credit card information, bank account numbers,
email addresses, type of meals served on board and other details of their
reservation for the US - will be sent to the US authorities.
The agreement foresees that the US officials will not "pull" the information
from airlines computers, but the data will be "pushed", so the data will be
much more easily accessible. The data should be sent by the airlines to the
US authorities' databases within 15 minutes after a plane takes off from
an EU country for the US. It appears that the new "push" system would be tested
before the end of the year.
Following pressure from the US authorities, the PNR data will also be
available to several US counter-terrorism agencies if they have
"comparable standards of data protection" with the EU, as Commissioner
Frattini underlined. Carriers who do not provide the right information
are liable for fines of up to 5 000 EUR per passenger or even the withdrawal
of landing rights.
The new deal will be formally approved by the Justice Ministers across EU
that should meet later this week. This agreement will be in force until the
end of July 2007, but new negotiations for a permanent deal will
probably begin in November.
A lot of criticism to the PNR interim deal occurred soon from the civil
rights groups, but also from members of the European Parliament. Cem Ozdemir
(DE-Greens) considered: "It is disturbing that the EU capitulated to US
demands to allow more agencies to access the data."
Sophie In't Veld (NL, ALDE group), the EP rapporteur on PNR issues, has
planned a public debate on the matter for 11 October during the plenary
session of the Parliament. Ms. Veld has also sent a letter to Commissioner
Frattini asking him to clarify a series of issues of the PNR deal for this
debate.
Passenger information row settled (6.10.2006)
http://www.guardian.co.uk/uklatest/story/0,,-6129789,00.html
EU and US strike deal on air passenger data (6.10.2006)
http://euobserver.com/9/22590
Passenger data deal for US and EU (6.10.2006)
http://news.bbc.co.uk/1/hi/world/europe/5412092.stm
EU-USA Agreement on PNR : EU puts in danger the safety of European citizens
and residents (only in French, 6.10.2006)
http://www.iris.sgdg.org/info-debat/comm-pnr1006.html
Letter from Sophie In't Veld to Commissioner Frattini asking a series of
questions on the agreement (10.06.2006)
http://www.statewatch.org/news/2006/oct/eu-us-pnr-letter-to-commission.pdf
Transfer of passenger name records (PNR) : the new agreement between
the EU and the USA is an unacceptable infringement of the respect for
human rights and data protection (9.10.06)
English version
http://www.aedh.net/eng/index.php?cat=com_ex&com=last&com_id=92
French Version
http://www.aedh.net/index.php?cat=com_ex&com=last&com_id=91
EDRI-gram : EU-US agreement on passenger data transfer annulled (7.06.2006)
http://www.edri.org/edrigram/number4.11/pnr
============================================================
2. The European Parliament ready to vote on EPLA
============================================================
The European Patent Litigation Agreement (EPLA) will be the subject of a
motion for a resolution in the European Parliament, after a compromise was
made and filed by the three big groups of MEPs (EPP-ED, PES and ALDE).
The three groups drafted a motion that "urges the Commission to explore all
possible ways of improving the patent and patent litigation systems in the
EU, including participation in further discussions on the EPLA and acceding
to the Munich Convention as well as revising the Community Patent proposals;
as regards the EPLA, considers that the proposed text needs significant
improvements and a satisfactory proposal for the Rules of Procedure of the
EPLA Court".
Florian Mueller, an anti-software-patent campaigner, referred to the proposal
made by the three groups as a "pretty reasonable compromise" and a
"defensive victory" for the anti-EPLA camp.
The Foundation for a Free Information Infrastructure (FFII) has described
the same resolution proposal as "a compromised compromise" but expects the
EP to adopt an improved version. FFII staff are working to obtain substantial
improvements.
The European Patent Office is pushing hard towards the creation of an
"enhanced patent culture" in Europe, as expressed by its President, Alain
Pompidou during the EPO online services conference in Lisbon on 9 October.
Critics of the proposal believe that the EPO would be given too much power
and that this would increase the costs of enforcing and challenging a
patent. It would also legitimise software patents and undermine
the judicial systems.
The EP will vote on 12 October 2006 on a motion for a resolution concerning the
EPLA. The Greens, GUE/NGL and a group of EPP/PES/ALDE MEPs led by Zverina
MEP have each tabled their own amendments, which could improve the motion.
Jonas Maebe from FFII commented on this:
"They want to remove a request for the EU to accede to the European
Patent Convention, since that would transfer many EU patent-related
competences to the mostly unaccountable European Patent Organisation.
And rather than merely asking to improve the EPLA, they mention the
actual problems with this draft agreement: the lack of
accountability, cost and judicial independence concerns. Finally,
they also ask for an opinion of the European Court of Justice
regarding treaty-related concerns and once more stress the quality
problems that plague the European Patent Office's output.
We hope that these modest yet important amendments will receive
significant support from MEPs. Not amended, the compromise motion
would only call for removing democratic control and independent
judicial oversight from as many EU patent competences as possible. We
do not believe this is something most Members really want."
FFII France - Patents and Innovation in danger at the European Parliament
(only in French, 11.10.2006)
http://www.ffii.fr/epla-vote-amendements
Patentmeister weighs in on Euro IP system (9.10.06)
http://www.theregister.co.uk/2006/10/09/epo_supports_epla/
A compromise in European patenting debate? (5.10.06)
http://www.theregister.co.uk/2006/10/05/compromise/
Commissioner says EU patent doubts 'legitimate'
(29.09.06)
http://www.theregister.co.uk/2006/09/29/legitimate_doucts/
Commission statement - Future action in the field of patents
European Parliament Plenary Session, Strasbourg, (28.09.2006)
http://europa.eu.int/rapid/pressReleasesAction.do?reference=SPEECH/06/546&f…
mat=HTML&aged=0&language=EN&guiLanguage=en
EDRI-gram: Europe faces software patents threat again (27.09.2006)
http://www.edri.org/edrigram/number4.18/patsoft
============================================================
3. The broadcast treaty stalled by WIPO General Assembly
============================================================
The General Assembly of the World Intellectual Property Organisation (WIPO)
has decided that the very controversial proposed treaty on the protection of
broadcasting organizations, including cablecasting organizations, must be
approved at two more meetings before being put up for discussion at a
diplomatic conference scheduled to take place from 19 November to 7
December 2007.
The General Assembly considered these two meetings necessary to achieve
enough consensus among member states, as India, the US and Brazil had
objected to sending the treaty straight to a conference.
Addressing the General Assembly, Robin Gross, executive director of IP
Justice, said: "A diplomatic conference is now contingent upon member states
reaching consensus where there are currently great differences such as the
inclusion of anti-circumvention measures in the treaty and outlawing
Internet retransmissions of programs."
Discussions will continue in the January 2007 meeting at WIPO and in June
2007 at a meeting held along with a preparatory meeting for the Diplomatic
Conference.
The proposed treaty creates a new right for broadcasters over the content of
broadcasts, even if the creator of the content is a third party. This
might lead to a situation in which creators no longer have permanent
control over content for which they hold the copyright.
The 2007 conference will define the scope of a future treaty, as well as the
duration of any protection granted.
This decision of the General Assembly is encouraging, showing that WIPO is
not a simple tool in the hands of the industries.
Broadcast treaty needs sounding out, says WIPO (4.10.06)
http://www.out-law.com/page-7357
General Assembly approves convening of diplomatic conference on the
protection of broadcasting organizations (2.10.06)
http://www.wipo.int/edocs/prdocs/en/2006/wipo_pr_2006_460.html
U.N. convenes broadcasting treaty talks in 2007 (2.10.06)
http://today.reuters.com/news/articlenews.aspx?type=industryNews&storyID=20…
-10-02T175644Z_01_L02127263_RTRIDST_0_INDUSTRY-TELECOM-WIPO-DC.XML
WIPO broadcast treaty abandons rights-based approach (3.10.06)
http://arstechnica.com/news.ars/post/20061003-7891.html
WIPO General Assembly Puts Brakes on Broadcast Treaty, Overrules Chairman
(2.10.06)
http://ipjustice.org/wp/2006/10/02/wipo-general-assembly-decision-on-broadc…
t-treaty-2/
EDRI-gram : Opposition to draft WIPO Broadcast Treaty (13.09.06)
http://www.edri.org/edrigram/number4.17/wipobroadcast
============================================================
4. Filesharing and digital evidence case in Sweden
============================================================
Andreas Bawer was accused in 2005 of sharing a film called Hip Hip Hora in
breach of the Swedish Penal Code. He was found guilty by the Swedish court
of first instance (Västmanlands tingsrätt) in December 2005. However, in a
recent decision of 2 October 2006 the Swedish Appeal Court (Svea hovrätt)
acquitted him, the court identifying several faults in the digital
evidence presented.
Bawer, having allegedly shared film files, could under the Swedish Penal
Code incur criminal liability only on condition that it was
proven beyond reasonable doubt that the IP address used for file
sharing was assigned to the computer Bawer owned or used, and that
the court could rule out that others had used the said computer at the time
of the alleged file sharing. The legal question at issue was whether there
was sufficient evidence that Bawer had shared a file of the film Hip
Hip Hora.
In Swedish law, the prosecuting authority bears the burden of proof for both
the subjective and objective conditions of criminal liability, and only
evidence presented before the court makes up the basis for the court's
assessment and judgement. In the Bawer case the prosecuting authority
contended that the IP address was connected to Bawer's computer. The evidence was
a record made by the Swedish Antipiratbyrån (Swedish Anti-Piracy Bureau) of
Bawer's file sharing. Antipiratbyrån had access to a file-sharing service
named Walhall, through which it searched for the film Hip Hip Hora, which
allegedly was made available by Bawer. Antipiratbyrån requested to
download the film from Bawer using the file-sharing service Walhall, and
a download was performed. With the control program CommView,
Antipiratbyrån recorded the traffic data between its own computer and
Bawer's computer.
Expert witnesses demonstrated several faults in the record of the traffic data
made by Antipiratbyrån through its use of the control program
CommView. First, the recorded IP address could have belonged to a router or
a firewall, which in turn could have assigned the IP address to the culprit
for file sharing. Second, the control program CommView was simultaneously
monitoring file sharing carried out from different IP addresses, whereas
only one file-sharing session was recorded, without any description of how the
evidence was secured. Third, the record of the file sharing did not state
the time zone used for the record. Fourth, the record of the
file sharing did not state the date and time of the file
sharing allegedly committed by Bawer. Fifth, the programs used to establish the
time of the record on the CD/DVD made by Antipiratbyrån showed
discrepancies. Hence, the Swedish Appeal Court could not find it proven beyond
reasonable doubt that the film file was shared from Bawer's computer.
Consequently, Bawer was acquitted.
The judgement shows the difficulty of proving with sufficient probability
who acted, from where and at what time. The problems of digital evidence are
complex and heterogeneous. Electronic evidence, such as
traffic, location and time data, can originate, be scattered and end up in
different formats and at different coordinates in time and space, and may
easily be manipulated and hard to identify, due to services offering
anonymity or pseudonymity.
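The five faults the court found translate directly into checks an investigator
can run on a capture record before it is offered as evidence. The following is
an added illustration, not code from the article, the court file or
Antipiratbyrån; the record schema, field names and sample values are
constructed for this example, and each check mirrors one of the five faults:

```python
"""Sufficiency checks for a network-capture evidence record.

Added illustration (not part of the EDRI-gram article or the court file):
each check mirrors one of the five faults the Svea hovrätt found in the
CommView record. The record schema, field names and sample values are
constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class CaptureRecord:
    observed_ip: str        # remote address the capture tool attributed the download to
    nat_ruled_out: bool     # established that the address is an end host, not a router/firewall?
    peers_in_session: list  # every remote address the tool was exchanging data with while recording
    started_at: str         # ISO 8601 timestamps; must carry a UTC offset to be usable
    finished_at: str
    time_sources: dict      # program name -> ISO 8601 timestamp each program gave for the same record


def _parse_aware(value):
    """Return a timezone-aware datetime, or None if the value is missing, unparsable or naive."""
    if not value:
        return None
    try:
        ts = datetime.fromisoformat(value)
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def assess(record, clock_tolerance=timedelta(minutes=2)):
    """Return the list of defects found; an empty list means the record passes every check."""
    findings = []

    # Fault 1: the address may belong to a router or firewall in front of the real host.
    if not record.nat_ruled_out:
        findings.append("ip-attribution: address may be a router/firewall, not the accused's host")

    # Fault 2: the tool watched several peers at once, but only one was written up.
    others = sorted(p for p in set(record.peers_in_session) if p != record.observed_ip)
    if others:
        findings.append("isolation: %d other peer(s) in the same session, selection method undocumented"
                        % len(others))

    # Faults 3 and 4: start and end timestamps must exist and state their time zone.
    for name in ("started_at", "finished_at"):
        if _parse_aware(getattr(record, name)) is None:
            findings.append("%s: missing, unparsable or without time zone" % name)

    # Fault 5: every program used to date the exhibit must agree with the others.
    stamps = {k: _parse_aware(v) for k, v in record.time_sources.items()}
    if any(v is None for v in stamps.values()):
        findings.append("time-sources: one or more timestamps missing or without time zone")
    elif stamps and max(stamps.values()) - min(stamps.values()) > clock_tolerance:
        findings.append("time-sources: programs disagree on when the record was made")

    return findings


# Constructed sample records (addresses from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24).
DEFICIENT = CaptureRecord(
    observed_ip="198.51.100.23",
    nat_ruled_out=False,
    peers_in_session=["198.51.100.23", "203.0.113.9", "203.0.113.77"],
    started_at="2005-03-14 21:02:11",   # no offset: which time zone?
    finished_at="",                     # not recorded at all
    time_sources={
        "capture_log": "2005-03-14T21:02:11+01:00",
        "burn_log": "2005-03-14T23:40:00+01:00",   # the CD burner dates the record 2.5 h later
    },
)

SOUND = CaptureRecord(
    observed_ip="198.51.100.23",
    nat_ruled_out=True,
    peers_in_session=["198.51.100.23"],
    started_at="2005-03-14T21:02:11+01:00",
    finished_at="2005-03-14T21:09:48+01:00",
    time_sources={
        "capture_log": "2005-03-14T21:02:11+01:00",
        "filesystem": "2005-03-14T21:02:12+01:00",
    },
)

if __name__ == "__main__":
    for label, rec in (("deficient", DEFICIENT), ("sound", SOUND)):
        print(label, assess(rec) or ["no defects found"])
```

The deficient record fails all five checks; the sound one passes. Note that
passing these checks only establishes that the record is internally complete:
linking the address to a particular person still depends on the ISP's
subscriber records and on the absence of other users of the machine, which no
capture tool can show by itself.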
Court citation - Judgement - Svea hovrätt (Swedish Appeal Court) (in Swedish
only, 2.10.2006)
http://www.domstol.se/default____966.aspx
File sharer acquitted (in Swedish only, 3.10.2006)
http://www.aftonbladet.se/vss/rss/story/0,2789,898480,00.html
Freedom of action for file sharers? (in Norwegian only, 5.10.2006)
http://forbruker.no/digital/nyheter/data/article1480842.ece
(Contribution by Georg Philip Krog, doctoral researcher in Private
International Law, University of Oslo - Norway)
===========================================================
5. SWIFT found in breach of Belgian laws
===========================================================
A report issued by the Belgian Government on the much-discussed SWIFT case
of transfer of financial transaction data to the U.S. Government concluded
that SWIFT breached Belgian law.
The Belgian Commission responsible for the first report on the case stated:
"The Commission is of the opinion that SWIFT finds itself in a conflict
situation between American and European law and that SWIFT at the least
committed a number of errors of judgement when dealing with the American
subpoenas."
The report says: "SWIFT should have complied with its obligations under the
Belgian privacy law, amongst which the notification of the processing, the
information, and the obligation to comply with the rules concerning personal
data transfer to countries outside the EU."
The report also states that SWIFT, in transferring data to the US Treasury
should have observed the fundamental principles of European law such as
"the principle of proportionality, the limited retention period, the
principle of traprotection level."
The Commission acknowledged that SWIFT had tried to obtain certain guarantees
through its negotiations with the U.S. Treasury, but considered these
attempts inappropriate. It also stated that SWIFT should have notified
the Privacy Commissioners and not only the G-10 banks.
The European Data Protection Supervisor (EDPS) has also criticised the
European Central Bank (ECB) as a SWIFT customer, for not stopping the
Belgian banking company from sending European transaction details to US
authorities.
EDPS stated: "As to the role of the ECB as a SWIFT customer, the EDPS could
not avoid feeling that it had accepted an inappropriate risk by continuing
to transfer financial data through SWIFT after becoming aware of the
arrangement with the US authorities. As to the role of the ECB as financial
overseer, the EDPS would have expected more initiative to bring this
arrangement - of which it was made aware in February 2002 - to the notice of
relevant authorities and responsible governments".
According to a set of recent non-answers provided by SWIFT to questions
from EDRi member quintessenz, SWIFT confirmed that it is still confronted with
ongoing subpoenas from the US Treasury and still hands over large datasets.
Belgian Prime Minister condemns SWIFT data transfers to U.S. as 'illegal'
(28.09.06)
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-543789
EU privacy chief slams central bank over SWIFT claims (4.10.06)
http://www.out-law.com/page-7359
SWIFT answers to quintessenz Questions (2.10.2006)
http://quintessenz.org/doqs/000100003696/2006_10_02,SWIFT_Questions.pdf
EDRi-gram: European bodies discuss the SWIFT case (30.08.2006)
http://www.edri.org/edrigram/number4.16/swift
===========================================================
6. European e-voting machines cracked by Dutch group
===========================================================
The voting computers used to cast 90% of the votes in the Netherlands were
cracked by a Dutch group called "Wij vertrouwen stemcomputers niet" (We do
not trust voting computers).
In a live broadcast on 4 October 2006 on the Dutch television channel
Nederland 1, the group showed how the control program of such a voting
machine - the Nedap/Groenendaal ES3B - can be replaced by exchanging two
EPROMs on the board. The entire demonstration took less than 5 minutes.
The demonstration was followed by a public report released on 6 October that
explains how the program works, how the replacement software was created and how
it gives complete control over the election results. It is almost impossible
for election monitors or voters to detect the change. Moreover, the report also
describes how the group discovered that radio emanations from an unmodified ES3B
can be received several metres away and used to tell how someone is
voting.
The report comes at a delicate moment, just a month and a half before
the parliamentary elections in the Netherlands, where the e-voting machines
are to be used extensively. The same voting computers are also used in
parts of Germany and France, with minor modifications.
Use of this machine in Ireland is now on hold after significant doubts were
raised. Colm MacCarthaigh of Irish Citizens for Trustworthy E-voting,
after looking at the compromised Nedap machines, said: "The attack
presented by the Dutch group would not need significant modification to run
on the Irish systems".
Maurice Wessling, of Wij vertrouwen stemcomputers niet, underlined:
"Compromising the system requires replacing only a single component,
roughly the size of a stamp, and is impossible to detect just by looking at
the machine".
After the Irish reaction, the German NGO Chaos Computer Club has also called
for a ban on this e-voting machine, considering that it does not meet the
basic standards of German law.
The Dutch report showed flaws similar to those discovered in Diebold
Election Systems Inc.'s touch-screen voting machine by Edward Felten,
director of Princeton University's Center for Information Technology Policy.
Those flaws were presented in a public report released in September 2006,
Security Analysis of the Diebold AccuVote-TS Voting Machine.
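The report's central finding is that a replaced chip cannot be seen, so the
only defence is to check the contents of every socketed ROM against what the
election authority certified, and to protect that reference list itself. The
following is an added illustration of that control, not code from the report,
the Dutch group or the machine's vendor; the slot names, image bytes and
authority key are constructed for the example:

```python
"""Integrity check of socketed ROM contents against a signed reference manifest.

Added illustration, not code from the report or from the voting-machine vendor.
A swapped EPROM cannot be seen; this shows the complementary control, reading
the chips back and comparing them with what the election authority certified.
Slot names, image bytes and the key below are constructed for the example.
"""
import hashlib
import hmac


def image_digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def canonical(manifest: dict) -> bytes:
    """Fixed rendering of slot -> digest, so the MAC covers the whole manifest."""
    return "\n".join("%s=%s" % item for item in sorted(manifest.items())).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_board(dumps: dict, manifest: dict, manifest_mac: str, key: bytes) -> list:
    """Compare ROM dumps read from a board with the certified manifest.

    Returns a list of findings; an empty list means every slot matched.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), manifest_mac):
        return ["manifest: MAC mismatch, reference data cannot be trusted"]
    findings = []
    for slot, expected in sorted(manifest.items()):
        image = dumps.get(slot)
        if image is None:
            findings.append("%s: no dump read from this slot" % slot)
        elif not hmac.compare_digest(image_digest(image), expected):
            findings.append("%s: contents differ from the certified image" % slot)
    for slot in sorted(set(dumps) - set(manifest)):
        findings.append("%s: populated slot not listed in the manifest" % slot)
    return findings


# Constructed reference data: what the authority would record before machines ship.
AUTHORITY_KEY = b"constructed-example-key-not-a-real-secret"
CERTIFIED = {
    "U1": b"\x7f\x00" + b"certified control program, bank 0" * 4,
    "U2": b"\x7f\x01" + b"certified control program, bank 1" * 4,
}
MANIFEST = {slot: image_digest(img) for slot, img in CERTIFIED.items()}
MANIFEST_MAC = sign_manifest(MANIFEST, AUTHORITY_KEY)

# Dumps from a board on which the first ROM was swapped for a different image.
SWAPPED = dict(CERTIFIED, U1=b"\x7f\x00" + b"different program, bank 0" * 4)


def demo():
    genuine = verify_board(CERTIFIED, MANIFEST, MANIFEST_MAC, AUTHORITY_KEY)
    swapped = verify_board(SWAPPED, MANIFEST, MANIFEST_MAC, AUTHORITY_KEY)
    # A manifest rewritten to match the swapped chip fails the MAC check instead.
    rewritten = dict(MANIFEST, U1=image_digest(SWAPPED["U1"]))
    return genuine, swapped, verify_board(SWAPPED, rewritten, MANIFEST_MAC, AUTHORITY_KEY)


if __name__ == "__main__":
    for label, result in zip(("genuine board", "swapped ROM", "rewritten manifest"), demo()):
        print("%s: %s" % (label, result or "all slots match"))
```

Two caveats belong with this check. It assumes the reader is honest and that
what is read back is what the board executes, so the comparison has to be done
with the authority's own equipment rather than through the machine under test;
and it says nothing about the report's second finding, the radio emanations of
an unmodified machine, which no software integrity check can address.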
"We do not trust voting computers" Foundation
http://www.wijvertrouwenstemcomputersniet.nl/Nedap-en
Nedap/Groenendaal ES3B - voting computer a security analysis (6.10.2006)
http://www.wijvertrouwenstemcomputersniet.nl/images/9/91/Es3b-en.pdf
Dutch citizens group cracks Nedap's voting computer (7.10.2006)
http://www.webwereld.nl/articles/43217/flaws-found-in-european-voting-machi…
s.html
E-voting machines successfully hacked (5.10.2006)
http://www.siliconrepublic.com/news/news.nv?storyid=single7158
Dutch citizens group cracks Nedap's voting computer (6.10.2006)
http://www.heise.de/english/newsticker/news/79106
Chaos Computer Club demands prohibition of voting computers in Germany
(5.10.2006)
http://www.ccc.de/updates/2006/wahlcomputer
Security Analysis of the Diebold AccuVote-TS Voting Machine (13.09.2006)
http://itpolicy.princeton.edu/voting/
===========================================================
7. Open Letter against the revision of the Swiss copyright law
===========================================================
At the end of September 2006, a new initiative called kunstfreiheit.ch
(freedom of art) was launched in Switzerland. It is essentially an open letter
to the Swiss Minister of Justice and the Swiss parliamentarians drawing
attention to the fact that the reform/expansion of copyright currently
being debated is not in the interest of artists. After 40
prominent Swiss artists, curators and professors signed it in advance,
the open letter is now open to the public for further support from
Internet users.
Switzerland is one of the last European countries to revise its copyright
law following the 1996 WIPO treaties.
The main aim of the open letter is to make public the differing interests
between artists and industry, helping to undermine the myth, which is still
politically powerful, that the industry represents the interests of artists.
The letter is drafted around three main principles that should be reflected
in the new copyright law:
a. Protection of artistic works should be at the heart of copyright,
rather than increased control over them
b. Legal certainty in the use of existing copyrighted works
c. New artistic creativity should not be undermined by DRM
The response from visitors has been positive in the first week, with
400 artists and art professionals having signed the open letter.
Kunstfreiheit (Freedom of Art) (in German only)
http://www.kunstfreiheit.ch
Open letter on copyright - Kunstfreiheit (29.09.2006)
In German
http://www.kunstfreiheit.ch/serendipity/uploads/Kunstfreiheit-brief.pdf
In French
http://www.kunstfreiheit.ch/serendipity/uploads/Kunstfreiheit-brief_f.pdf
In Italian
http://www.kunstfreiheit.ch/serendipity/uploads/Kunstfreiheit-brief_i.pdf
Initiative Freedom of Art criticises the Swiss copyright plans (2.10.2006)
http://www.heise.de/newsticker/meldung/78932
Successful initiative against copyright revision (3.10.2006)
http://www.kleinreport.ch/print_meld.phtml?id=36931
(Contribution by Felix Stalder - Department of New Media, HGK Zurich -
Switzerland)
===========================================================
8. Digital Restriction Management - drm.info
===========================================================
On 3 October 2006, DRM.info was launched, the first anti-DRM collaborative
information platform about the potential dangers of Digital Restriction
Management (DRM). It was initiated by the Free Software Foundation
Europe (FSFE) and is supported by a group of organisations and authors.
The main message of the new website is 'Your devices don't trust you!', as
Joachim Jakobs, FSFE's media coordinator, explains: "In fact they trust you
so little that they will not even tell you that they put you under
surveillance." DRM.info wants to inform and involve people in decisions that
will affect them on a very personal level. All the contributors to the new
platform have a shared concern about the lack of a social debate on issues
surrounding DRM technologies.
Georg Greve, FSFE's president, underlined one of the dangers of DRM:
"DRM technologies are based on the principle that a third party has
more influence over your devices than you, and that their interests
will override yours when they come in conflict. That is even true
where your interest is perfectly legitimate and legal, and possibly
also for your own data."
DRM.info - Digital Restriction Management
http://drm.info/
FSF Europe launches anti-DRM site (5.10.2006)
http://www.heise.de/english/newsticker/news/79049
Digital Rights Management (only in German, 3.10.2006)
http://netzpolitik.org/2006/digital-rights-management/
The European anti-DRM campaign has started (only in Italian, 4.10.2006)
http://punto-informatico.it/p.aspx?id=1678123&r=PI
===========================================================
9. ENDitorial : PNR & Institutional Mechanisms of Privacy Protection
===========================================================
A small detail of the EU-US agreement over the transfer of air passenger
name records (PNR), and an unrelated statement by US president George W.
Bush, taken together nicely highlight the institutional mechanisms
of privacy protection.
EU Commissioner Frattini told the press on 6 October 2006 that under the new
PNR agreement, the passenger data will be accessible to other US agencies
involved in counter-terrorism and law enforcement "on the condition that
these have a comparable level of data protection". This formulation of
course is absurd if you allow the basically unlimited transfer of data, as
the core idea of data protection consists in the protection against further
transfer. It is also interesting, because under the 1995 EU data protection
directive, data transfers to third countries are only allowed if there is an
"adequate" level of protection. But let us accept it for the moment. What
could be a comparable level of protection?
Institutionally, the EU has adopted the German idea of a special privacy and
data protection commissioner within government agencies or companies. This
officer has to be independent from executive orders, because his or her job
is exactly to provide control over the way the agency or company handles
personal data of citizens, customers, or employees. The public data
protection commissioners in Europe are also independent because they are
elected by the national parliaments. The model has become quite popular in
the last ten years. Many US-based corporations now also have their chief
privacy officers (CPOs) basically fulfilling the same task.
The Department of Homeland Security was the first government agency in the
US that ever got a chief privacy officer. The position was institutionalized
with the Homeland Security Act of 2002 (section 222) which established the
department. By doing this, the Bush government tried to attenuate the harsh
criticism from privacy advocates against the surveillance and data-mining
programs concentrated in the DHS. But the DHS chief privacy officer is not
independent. He (currently Hugo Teufel, III) is nominated by the Secretary
of Homeland Security and reports to the executive branch it is
supposed to control, not to Congress. At the annual international
conferences of privacy and data protection commissioners, the DHS privacy
officer has therefore never really been recognised as "one of them", and was not
allowed to participate as a peer in the internal meetings of national
commissioners.
Congress has repeatedly tried to increase the independence of the DHS CPO.
This was done again in the 2007 spending bill for the Homeland Security
Department. Section 522 states that:
"None of the funds made available in this Act may be used by any person
other than the Privacy Officer appointed under section 222 of the Homeland
Security Act of 2002 (6 U.S.C. 142) to alter, direct that changes be made
to, delay, or prohibit the transmission to Congress of any report prepared
under paragraph (6) of such section."
This is a complicated way (because it's a spending bill) of saying that only
the privacy officer can edit the reports about how the department obeys
privacy rules. Now, President Bush, when he signed the bill,
attached a signing statement to it, which gives himself the authority to
make changes to the agency's privacy office annual and other reports. Bush
directs that: "the executive branch shall construe section 522 of the Act,
relating to privacy officer reports, in a manner consistent with the
President's constitutional authority to supervise the unitary executive
branch."
Do not assume that the DHS privacy officer has been a sharp watchdog yet.
For example, the report on privacy protection of passenger name record
information, published by his office in September 2005, basically says
"everything is great and data is protected perfectly". So Bush is just
insisting on his last word as the commander-in-chief.
It becomes clearer if you look at the big picture: The EU allows the DHS to
transfer passenger data to other agencies if they have a comparable level of
data protection. The other departments and agencies do not have privacy
officers who could ensure that this level of protection is really enforced.
The DHS privacy officer does not have a level of independence comparable to
his European colleagues. But even if he wants to report breaches of the weak
privacy protection levels in US government agencies, President Bush and the
White House can do the final editing of the reports and tell the privacy
officer to shut up. So, the EU is giving its citizens' data away, and what
it gets in return is no more than a "trust us" from the US Government. It
reminds me of a recent statement by the German Ministry of Finance in the
SWIFT affair. When asked by a conservative (!) member of the Parliament
about the possibility of the US using the financial data for economic
espionage, the spokesman replied: yes, they had discussed this with their
American counterpart, but the US Government did not see this danger.
The idea of having an independent privacy commissioner was one way of
substituting this "trust me" model with institutionalized checks and
balances. This is what democracy is all about, compared to authoritarian
systems: Not having to trust the government, but instead controlling it.
http://bendrath.blogspot.com/2006/10/passenger-records-and-institutional.ht…
(Contribution by Ralf Bendrath, EDRi member Netzwerk Neue Medien e.V.,
Germany)
===========================================================
10. Recommended Reading
===========================================================
EU data protection in police and judicial cooperation matters: Rights of
suspects and defendants under attack by law enforcement demands
http://www.statewatch.org/news/2006/oct/eu-dp.pdf
Statewatch's Observatory on data protection in the EU
http://www.statewatch.org/eu-dp.htm
===========================================================
11. Agenda
===========================================================
16 October 2006, Brussels, Belgium
The European Commission will organise in Brussels on Monday 16 October a
final conference on Radio Frequency Identification (RFID).
http://www.rfidconsultation.eu/
16-18 October 2006, Paris, France
UNESCO Consultation meetings on WSIS Action Lines - Access to information
and knowledge (C3), E-learning (C7), Ethical dimensions of the
Information Society (C10)
http://portal.unesco.org/ci/en/ev.php-URL_ID=17637&URL_DO=DO_TOPIC&URL_SECT…
N=201.html
19-20 October 2006 Kirchberg, Luxembourg
Hack.lu 2006
Hack.lu is an open convention/conference where people can discuss
computer security, privacy, information technology and their
cultural/technical implications for society.
http://www.hack.lu/index.php/Main_Page
19-20 October 2006, Tallinn, Estonia
The Digital Future of Cultural and Scientific Heritage
http://telmemor.net/conference/
20 October 2006, Bielefeld, Germany
Big Brother Awards Germany
http://www.bigbrotherawards.de/
20 October 2006 , Bielefeld, Germany
Demonstration "Freedom instead of Fear" (Freiheit statt Angst), against
Security and Surveillance Delusion
http://www.freiheitstattangst.de/
http://www.vorratsdatenspeicherung.de/
23-24 October 2006, Brussels, Belgium
Conference on International Transfers of Personal Data, organized by the
European Commission jointly with the Article 29 Data Protection Working
Party and the United States Department of Commerce's International Trade
Administration.
http://ec.europa.eu/justice_home/news/events/news_events_en.htm
25 October 2006, Vienna, Austria
Big Brother Awards Austria
http://www.bigbrotherawards.at
27-28 October 2006, Sofia, Bulgaria
Cyber Terrorism as a new security threat
http://www.crime-research.org/cyberterrorism07
29 October 2006, Athens, Greece
First annual conference - Global Internet Governance Academic Network
(GigaNet)
http://www.internetgovernance.org/pdf/GigaNet.Athens.CFP.8.Sept.2006__2_.pdf
30 October - 2 November 2006, Athens, Greece
Internet Governance Forum
http://www.intgovforum.org/
30 October 2006, Prague, Czech Republic
Czech Big Brother Awards
http://www.bigbrotherawards.cz
31 October 2006 - deadline for nominations
Stupid Security Awards - Privacy International. The awards aim to highlight
the absurdities of the security industry. The competition is open to anyone
from any country.
http://www.privacyinternational.org/stupidsecurity
1 November 2006, London, United Kingdom
The database state?
This workshop will feature expert speakers on two major UK databases: the
Children's Information Sharing Index and the NHS Care Records Service.
http://dooooooom.blogspot.com/2006/10/database-state.html
2-3 November 2006, London, United Kingdom
28th International Data Protection and Privacy Commissioners'
Conference
http://www.privacyconference2006.co.uk/
15-16 November 2006, Skopje, Macedonia
International Conference "e-Society.Mk"
http://www.e-society.org.mk/
30 November - 1 December 2006, Berlin, Germany
The New Surveillance - A critical analysis of research and methods in
Surveillance Studies. A two day international Conference hosted at the
Centre for Technology and Society of the Technical University Berlin.
http://www.ztg.tu-berlin.de/surveillance
14 December 2006, Madrid, Spain
Conference on the Admissibility of Electronic Evidence in Court in Europe.
The final event of the project Admissibility of the Electronic Evidence in
Court in Europe (A.E.E.C.) funded by the European Commission and led by the
Spanish company Cybex.
http://www.cybex.es/AGIS2005/
===========================================================
12. About
===========================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 21 members from 14 European countries and 5 observers
from 5 more countries (Italy, Ireland, Poland, Portugal and Slovenia).
European Digital Rights takes an active interest in developments in the EU
accession countries and wants to share knowledge and awareness through the
EDRI-grams. All contributions, suggestions for content, corrections or
agenda-tips are most welcome. Errors are corrected as soon as possible and
visibly on the EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 2.0 License. See the full text at
http://creativecommons.org/licenses/by/2.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: <nettime> James Ball: The bankers' blockade of WikiLeaks must end(Guardian)
by John Young 06 Jul '18
Despite the money machine Wikileaks has become for the thousands
exploiting its product and notoriety, it deserves maximum support in
ways that help avoid dependency upon rigged markets and leveraged
endorsements.
In comparison to the braggardy and IP theft of secrecy-protected
1% MSM, governments and corporations hiding behind branded
Representative Democracy, WL -- and its kind -- are genuinely
supportive of direct democracy.
Individual support for these initiatives is crucial to avoid the trap
of 1% funding which has enlisted millions with sinecure
indulgences from gov, mil and edu -- not least those of the
hypnotic debt-swap easy loan of the Internet which allows
siphoning personal information without limit, TOR one of many
indulgences. Hopefully WL will not be revealed to be one of
those goodwill industries.
The disclosed legal expenses for Assange which appear to
soon outweigh WL operating costs do not augur well for the
initiative remaining unfettered democratic. No explanation of
why the legal costs are not donated -- unless they are being
used to launder money in the same old practice of claiming
"expenses" used by the 1%.
# distributed via <nettime>: no commercial use without permission
# <nettime> is a moderated mailing list for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: http://mx.kein.org/mailman/listinfo/nettime-l
# archive: http://www.nettime.org contact: nettime(a)kein.org
----- End forwarded message -----
Re: [cryptography] How are expired code-signing certs revoked? (nonrepudiation)
by Adam Back 06 Jul '18
Stefan Brands' credentials [1] have an anti-lending feature where you have to
know all of the private components in order to make a signature with it.
My proposal related to what you said was to put a high value ecash coin as
one of the private components. Now they have a direct financial incentive -
if they get hacked and their private keys stolen they lose $1m untraceably.
Now that's quite reassuring - and encapsulates a smart contract where they
get an automatic fine, or good behavior bond. I think you could put a
bitcoin in there instead of a high value Brands based ecash coin. Then you
could even tell that it wasn't collected by looking in the spend list.
Adam
[1] http://www.cypherspace.org/credlib/ a library implementing Brands
credentials - it has pointers to the U-Prove spec, Brands thesis in pdf form
etc.
On Thu, Dec 22, 2011 at 07:17:21AM +0000, John Case wrote:
>
> On Wed, 7 Dec 2011, Jon Callas wrote:
>
>> Nonrepudiation is a somewhat daft belief. Let me give a
>> gedankenexperiment. Suppose Alice phones up Bob and says, "Hey, Bob, I
>> just noticed that you have a digital signature from me. Well, ummm, I
>> didn't do it. I have no idea how that could have happened, but it
>> wasn't me." Nonrepudiation is the belief that the probability that
>> Alice is telling the truth is less than 2^{-128}, assuming a 3K RSA
>> key or 256-bit ECDSA key either with SHA-256. Moreover, if that
>> signature was made with an ECDSA-521 bit key and SHA-512, then the
>> probability she's telling the truth goes down to 2^{-256}.
>>
>> I don't know about you, but I think that the chance that Alice was
>> hacked is greater than 1 in 2^128. In fact, I'm willing to believe
>> that the probability that somehow space aliens, or Alice has an
>> unknown evil twin, or some mad scientist has invented a cloning ray
>> is greater than one in 2^128. Ironically, as the key size goes up,
>> then Alice gets even better excuses. If we used a 1k-bit ECDSA key
>> and a 1024-bit hash, then new reasonable excuses for Alice suggest
>> themselves, like that perhaps she *considered* signing but didn't in
>> this universe, but in a nearby universe (under the many-worlds
>> interpretation of quantum mechanics, which all the cool kids believe
>> in this week) she did, and that signature from a nearby universe
>> somehow leaked over.
>
>
> This is silly - it assumes that there are only two interpretations of
> her statement:
>
> - a true "collision" (something arbitrary computes to her digital
> signature, which she did not actually invoke) which is indeed as
> astronomically unlikely as you propose.
>
> - another unlikely event whose probability happens to be higher than
> the "collision".
>
> But of course there is a much simpler, far more likely explanation, and
> that is that she is lying.
>
> However ... this did get me to thinking ...
>
> Can't this problem be solved by forcing Alice to tie her signing key to
> some other function(s)[1] that she would have a vested interest in
> protecting AND an attacker would have a vested interest in exploiting ?
>
> I'm thinking along the lines of:
>
> "I know Alice didn't get hacked because I see her bank account didn't
> get emptied, or I see that her ecommerce site did not disappear".
>
> "I know Alice didn't get hacked because the bitcoin wallet that we
> protected with her signing key still has X bitcoins in it, where X is
> the value I perceived our comms/transactions to be worth."
>
> Or whatever.
_______________________________________________
cryptography mailing list
cryptography(a)randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
----- End forwarded message -----
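The anti-lending construction Adam and John Case sketch above, as an added example (not code from the thread or from credlib): a two-secret Okamoto/Brands-style signature in which the second secret is the bond coin's private key, so anyone able to sign can also spend the coin, plus the spend-list check on that coin. It assumes a toy 64-bit safe-prime group with fixed generators 4 and 9; a real deployment would derive g2 independently (hash-to-group) and use production-size parameters.

```python
import hashlib
import secrets

# Toy Okamoto/Brands-style signature: signing proves knowledge of BOTH x1 (the
# credential secret) and x2 (the bond coin's private key). h = g1^x1 * g2^x2,
# C = g2^x2. Added example, not thread or credlib code; 64-bit group is demo-only.

def is_probable_prime(n, rounds=32):  # Miller-Rabin; callers pass odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def make_group(bits=64):  # safe prime p = 2q+1; 4 and 9 are squares, so have order q
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4, 9

def challenge(q, *parts):  # Fiat-Shamir: hash the whole transcript into Z_q
    digest = hashlib.sha256(b"|".join(str(v).encode() for v in parts)).digest()
    return int.from_bytes(digest, "big") % q

def public(params, x1, x2):  # credential public key h and bond coin public key C
    p, q, g1, g2 = params
    return pow(g1, x1, p) * pow(g2, x2, p) % p, pow(g2, x2, p)

def sign(params, x1, x2, msg):  # whoever can sign also holds x2, i.e. can spend C
    p, q, g1, g2 = params
    h, C = public(params, x1, x2)
    r1, r2 = secrets.randbelow(q), secrets.randbelow(q)
    a, b = pow(g1, r1, p) * pow(g2, r2, p) % p, pow(g2, r2, p)
    c = challenge(q, h, C, a, b, msg)
    return a, b, (r1 + c * x1) % q, (r2 + c * x2) % q

def verify(params, h, C, msg, sig):  # checks h = g1^x1 g2^x2 AND C = g2^x2 for the same x2
    p, q, g1, g2 = params
    a, b, s1, s2 = sig
    c = challenge(q, h, C, a, b, msg)
    return (pow(g1, s1, p) * pow(g2, s2, p) % p == a * pow(h, c, p) % p
            and pow(g2, s2, p) == b * pow(C, c, p) % p)

def bond_intact(C, spent_coins):  # Adam's spend-list check: bond coin still unspent?
    return C not in spent_coins
```

A verifier accepts a credential showing only when `verify` passes and `bond_intact` still holds against the current spend list; a signature made with any other coin secret fails the second equation.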