cypherpunks-legacy
July 2018
> Mark, don't worry, the real programmers among us aren't afraid to
> compete (actually, right now, there's plenty of work for everyone
> who is competent so there's little need for real competition).
> Fortunately, these losers are unlikely to be successful in their
> organizational and lobbying efforts.
Thanks. I hope so... Free access to the US market has already enabled me to
switch from $100 / month to $500 / month while in Romania, and to $3,500 /
month here in Atlanta. [Yeah, I'm still far from Bill Gates, but it's still
35 times more than I made two years ago <g>]
Mark
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 9.23, 30 November 2011
============================================================
Contents
============================================================
1. Scarlet v SABAM: a win for fundamental rights and Internet freedoms
2. Proposed US-EU PNR Agreement made public
3. Dutch Parliament: no discussions on ACTA if negotiations are still secret
4. Turkey launches Internet filtering scheme
5. US crackdown on global domain names and IP addresses continues
6. Italian Police blocks sites that had banners to alleged illegal websites
7. EU-US summit joint statement ignores European civil rights
8. Two years into the Stockholm Programme: on the way to e-Fortress Europe?
9. New Guidelines to RFID Privacy Impact Assessments
10. ENDitorial: Advocate General on Data Retention: Strange answer&question
11. Recommended Action
12. Recommended Reading
13. Agenda
14. About
============================================================
1. Scarlet v SABAM: a win for fundamental rights and Internet freedoms
============================================================
On 24 November 2011, the European Court of Justice decided that an Internet
service provider (ISP) can not be ordered to install a system of filtering
of all electronic communications and blocking certain content in order to
protect intellectual property rights. The Court largely based its decision
on the Charter of Fundamental Rights.
The ruling is hugely important for the openness of the Internet, and
therefore for the fundamental rights value and the economic value of the
Internet.
SABAM (the Belgian collective society - Société belge des auteurs,
compositeurs et éditeurs) wanted the ISP Scarlet to install a generalised
filtering system for all incoming and outgoing electronic communications
passing through its services and to block potentially unlawful
communications. In First Instance, while refusing the liability of the ISP,
the Brussels Court concluded that the SABAM's claim was legitimate and that
a filtering system had to be deployed. Scarlet appealed and the case was
referred to the Court of Justice of the European Union.
In its decision, the Court of Justice ruled that a filtering and blocking
system for all its customers for an unlimited period, in abstracto and as
preventive measure, violates fundamental rights, more particularly the right
to privacy, freedom of communication and freedom of information. In
addition, it breaches the freedom of ISPs to conduct business.
The EU ruling underlines the importance of an open and neutral Internet,
respecting fundamental rights. The alternative would have led to a
permanent surveillance and filtering of all European networks. The
consequences would have been catastrophic for democracy, civil rights and
the Internet economy. The role of Internet intermediaries is to provide the
infrastructures and services that allow users to access and use the
Internet, not to police the flows of traffic to privately enforce
intellectual property rights. By protecting ISPs, the ruling is likely to
preserve key elements of the online economy and society. The Court sought
the right balance between the interest of the rightsholders on the one hand
and the interests of the ISPs and of citizens on the other hand.
Internet blocking is not completely banned by the decision, nor does it
deny ISPs' liability in every situation. On the former, the EU Court had to
rule on the liability of the type of blocking/filtering that was proposed.
On that point, it declared that the level of filtering and blocking asked
for in the case was too broad in terms of material and geographic scopes,
that the legitimate interests of society as a whole outweighed the other
interests at stake and that the unlimited and open-ended nature of the
blocking was excessive. As a result, the Court ruled that the proposed
measures were in violation of the European law. The Court could not have
made a ruling on unknown future technologies and developments or answered
questions it was not asked. On ISP liability, the ruling avoids the
circumvention of the existing EU law. In the current framework in the
e-commerce Directive (2000/31/EC), the ISP cannot be held liable for its
customers' behaviour when the ISP is unaware of illegal activity.
Far from creating a law free zone, the ruling sets safeguards to better
protect fundamental rights on the Internet. The decision re-establishes the
importance of the rule of law in the digital environment. Illegal behaviour
remains illegal but the policing stays the responsibility of the state, and
the liability stays on the person responsible for the illegal content.
ECJ Decision Scarlet vs Sabam (24.11.2011)
http://curia.europa.eu/jurisp/cgi-bin/gettext.pl?where=&lang=en&num=7988887…
Press release and FAQ from EDRi (24.11.2011)
http://edri.org/scarlet_sabam_win
Press release from ECJ (24.11.2011)
http://curia.europa.eu/jcms/upload/docs/application/pdf/2011-11/cp110126en.…
(Contribution by Marie Humeau - EDRi)
============================================================
2. Proposed US-EU PNR Agreement made public
============================================================
On 17 November 2011, U.S. and EU officials initialled a proposed agreement
to authorize airlines to forward passenger name record (PNR) data to the
U.S. Department of Homeland Security (DHS). Although the agreement cannot
take effect without the approval of the European Parliament and the Council,
MEPs could read the proposed agreement only in a sealed room where they
could not take notes or make copies.
This week the complete text on which the European Parliament will vote has
finally been made public, revealing a failure to address the concerns raised
by the Parliament and continued shortfalls in data protection, due process,
and protection of fundamental rights.
In its resolution of 5 May 2010, the Parliament said that the PNR agreement
should take the form of a treaty, recognize the fundamental right to
freedom of movement, prohibit the use of PNR data for data mining or
profiling, and take into consideration "PNR data which may be available
from sources not covered by international agreements, such as computer
reservation systems located outside the EU." The proposed agreement
does not meet these criteria, and does not mention any of these issues.
The agreement would require that DHS copies of PNRs be "depersonalized"
after 6 months. But the "depersonalized" DHS copy of each PNR would still
include a unique record locator. There is no data protection law in the
U.S. for commercial data. So, at any time - secretly, without a court
order, and without violating U.S. law or the U.S.-EU agreement - the DHS
could use the record locator to obtain a copy of the complete PNR from the
computer reservation systems.
The agreement claims that all DHS access to PNR data will be logged. But
when individuals have requested these logs, both the DHS and European
airlines have said that they didn't exist. Without access logs, there can
be no accountability or oversight.
According to the agreement, any individual is entitled to "request" access
or corrections to their PNR data under the Freedom of Information Act
(FOIA). But most PNR data is exempt from FOIA. Under both the agreement
and U.S. law, you are entitled to request your PNR data, and the DHS is
entitled to say "No".
FOIA is not a data protection law. FOIA never requires any accounting of
usage or disclosure of data. FOIA never requires correction of records.
FOIA does not restrict what information is collected or how it is used.
U.S. courts have no authority under FOIA to take any action against misuse
or disclosure of personal information. The agreement says that individuals
may "seek" or "petition" for judicial review in U.S. courts. But such a
petition related to violations of the agreement would be denied.
The proposed agreement would protect travel companies against enforcement
of EU data protection laws, while failing to protect the rights of
travellers. Because the proposed agreement does not provide an adequate
level of protection for the processing of personal data, as required by
the EU Data Protection Directive and Article 8 of the Charter of
Fundamental Rights, EDRi recommends that the Council and the Parliament
should reject the proposed agreement.
Text of the PNR Agreement (23.11.2011)
http://www.ipex.eu/IPEXL-WEB/dossier/dossier.do?code=NLE&year=2011&number=0…
Analysis of the proposed U.S.-EU agreement on PNR transfers to the DHS
(with links to the full text in English, German, and French, 28.11.2011)
http://papersplease.org/wp/2011/11/28/revised-eu-us-agreement-on-pnr-data-s…
Analysis of the proposed agreement by NoPNR! (only in German, 28.11.2011)
http://www.nopnr.org/fluggastdaten-an-die-usa-analyse/
EDRi archive of articles about PNR
http://www.edri.org/issues/privacy/pnr
(Contribution by Edward Hasbrouck, PapersPlease.org - EDRi observer)
============================================================
3. Dutch Parliament: no discussions on ACTA if negotiations are still secret
============================================================
ACTA is creating quite some noise, not only internationally but also
domestically. National Parliaments, including the Dutch Parliament, will
have to decide whether they will approve ACTA or not. In order to
correctly assess the implications of ACTA, the Dutch Parliament
requested publication of all preparatory documents on ACTA.
The Dutch Minister of Economic Affairs, Agriculture and Innovation,
Maxime Verhagen, would only hand over these documents if
parliamentarians vowed not to reveal anything about these documents.
Last week, the Dutch Parliament debated the imposed restrictions. A majority
of the Parliament indicated that ACTA could not be discussed in
Parliament before all information on the negotiations is disclosed
without conditions.
EDRi-member Bits of Freedom sent, in preparation of this debate, a letter to
the Parliament that underlined the problems associated with ACTA and advised
to not accept the imposed restrictions, as these would prohibit the
Parliament from discussing the treaty freely in public and consult experts.
Dutch parliament refuses ACTA secrecy (23.11.2011)
http://acta.ffii.org/?p=924
Absurd obligation of confidentiality on ACTA blocks public debate (only in
Dutch, 21.11.2011)
https://www.bof.nl/2011/11/21/absurde-zwijgplicht-over-acta-blokkeert-publi…
Parliament demands moratorium on anti-counterfeiting treaty ACTA (only in
Dutch, 23.11.2011)
https://www.bof.nl/2011/11/23/kamer-eist-moratorium-op-anti-namaakverdrag-a…
(Contribution by Rebecca Roskam EDRi-member Bits of Freedom volunteer -
Netherlands)
============================================================
4. Turkey launches Internet filtering scheme
============================================================
Turkish Information Technologies and Communications Authority (BTK) launched
the Internet safety scheme on 22 November 2011, as planned, but on a
voluntary basis, following the fierce criticism and opposition to the
original plans to introduce a mandatory filtering system.
Internet users may sign up with their ISPs for the free of charge filtering
system which blocks "objectionable content", being able to choose from three
variants: child, family and domestic. When an Internet user wants to choose
one of the filtering variants, BTK issues a new user name and password
enabling the user's access to the chosen filtering system. The users who
want to stop using the Internet filtering can change back to a standard
no-filter profile.
Although voluntary, the system still raises concerns, one of them being the
supervision of the system by a new committee called Child and Family
Profiles Criteria Working Committee which, in the opinion of law professor
Yaman Akdeniz of Bilgi University in Istanbul "... does not look independent
nor impartial." The professor also believes that the state authorities may
be in the position to impose moral values.
More worrying is the fact that the filter blocks not only adult content, but
some 130 search terms, including "separatist" content from the PKK and
Kurdish rights groups. "I also believe that the Turkish authorities are not
only trying to protect children but also adults from the 'so called harmful
content '," said Akdeniz.
Moreover, as frequently proven by liberty activists and IT experts,
filtering is not a real solution to solve real Internet threats to children.
Filters are easy to circumvent, costly and, in most cases, can lead to
blocking innocent content in the process.
State censorship can be easily masked by apparently justified reasons such
as threats to family and children. Under the cover of protecting children,
governments may try to include political censorship by including on the
filtering list words that relate more to political criticism and opposition
than to child pornography or terrorism.
This Week in Internet Censorship: Opaque Censorship in Turkey, Russia, and
Britain (23.11.2011)
https://www.eff.org/deeplinks/2011/11/week-internet-censorship-opaque-censo…
New Internet filtering system available after 3-month test period
(21.11.2011)
http://www.todayszaman.com/news-263471-new-internet-filtering-system-availa…
EDRigram: Turkey postpones its Internet filtering plans (24.08.2011)
http://www.edri.org/edrigram/number9.16/turkey-postpones-internet-filtering
============================================================
5. US crackdown on global domain names and IP addresses continues
============================================================
US authorities have resumed their "Operation in Our Sites" in order to
attempt to fight counterfeit and piracy-related websites. During this
second annual "Cyber Monday" crackdown, the Immigration and Customs
Enforcement (ICE) has shut down 150 websites from all over the world.
The recent introduction of draft bills, such as the Stop Online Piracy Act
(SOPA) and PROTECT IP Act (PIPA) now aims at providing a legal basis for
domain names and IP address seizures. SOPA's broad definitions could indeed
mean that no online resource in the global Internet would be outside US
jurisdiction.
In response to these legislative proposals and repeated unilateral
measures against European websites, the European Parliament adopted a
resolution on 17 November 2011 in preparation of the EU/US summit stressing
"the need to protect the integrity of the global internet and freedom of
communication by refraining from unilateral measures to revoke IP
addresses or domain names." The joint EU/US summit declaration published on
28 November 2011 indeed says: "We share a commitment to a single, global
Internet, and will resist unilateral efforts to weaken the security,
reliability, or independence of its operations".
However, despite the big show of opposition to the US bills and the
Parliament's actions, Internet filtering and blocking schemes like SOPA
and PIPA are still on the agenda on the other side of the Atlantic
claiming worldwide jurisdiction for domain names and IP addresses. According
to recent reports, attempts to terminate the Internet's end-to-end
architecture also seem to get even closer to the core of the Internet. This
sort of access restriction is an experiment with key functions of the
Internet, increasing the risk of fragmentation of the global Internet and as
one co-chair of RIPE's DNS Working group stated, this gives restrictive
tools "to the bad guys".
Another attempt to govern the Internet is for instance the latest
international law enforcement action by the FBI against a large botnet.
During this action, the FBI, without a court order or without a legal
basis, took over the address blocks used by the botnet's nameservers and
then assigned those address blocks to Internet Systems Consortium's
(ISC) nameservers. The European Regional Internet Registry RIPE-NCC was
rather concerned about the implications of getting involved in policy
and governance issues and has now sued the public prosecutor's office to
get a judicial decision on the question whether they had sufficient
legal ground to order the temporary "lock" of the registrations. The
implications of RIPE having to respond to such orders, particularly due
to the very wide geographic coverage of its activities, would be very
severe indeed.
List of blocked web sites by the Immigration and Customs Enforcement (ICE)
(28.11.2011)
http://www.ice.gov/doclib/news/releases/2011/111128washingtondc.pdf
EU-US Summit Resolution by the European Parliament (15.11.2011)
http://www.europarl.europa.eu/sides/getDoc.do?type=MOTION&reference=P7-RC-2…
EU-US Summit Joint Declaration (28.11.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/842
Civil society, human rights groups urge Congress to reject the Stop
Online Piracy Act (15.11.2011)
https://www.accessnow.org/policy-activism/press-blog/urge-congress-to-rejec…
IP Watch: Filtering and Blocking Closer To The Core Of The Internet?
(20.11.2011)
http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-…
RIPE NCC Intends to Seek Clarification from Dutch Court on Police Order to
Temporarily Lock Registration (16.11.2011)
https://www.ripe.net/internet-coordination/news/about-ripe-ncc-and-ripe/rip…
(Contribution by Kirsten Fiedler - EDRi)
============================================================
6. Italian Police blocks sites that had banners to alleged illegal websites
============================================================
The Italian cybercrime police, Guardia di Finanza Agropoli, has recently
DNS blocked a series of websites that were offering links to content indexed
on BitTorrent, cyberlockers and eDonkey networks. Five of
the blocked sites belonged to Italianshare.net network, which were
allegedly releasing the links to the movies, games or music before their
commercial release. Two more websites that had nothing to do with that
network were also blocked.
According to Guardia di Finanza, the sites had advertising and donation
accounts operating through PayPal giving the authority the reason to
investigate them under commercial piracy and tax evasion accusations. The
on-going investigation has led to complaints filed by several anti-piracy
groups against the alleged leaders of the websites, resulting in the seizure
of their computer equipment.
But also two innocent websites, italianstylewebsite.net and
freeplayclub.org, have fallen victim to this action, being, apparently by
mistake, associated with the investigated sites. The owners of the two
websites have both reacted by stating their sites were perfectly legal,
their only link with Italianshare.net being an exchange of banners. Their
sites hosted only legal links to free downloadable software of computer
games.
Furthermore, the two owners stated that they had received no previous
warning from the authorities and that initially they thought they had
problems with their DNS. Having not received any official notification, they
did not even know to whom to address in order to prove the legality of their
sites.
Fulvio Sarzana, the lawyer of the alleged owner of Italianshare.net
network, stated that, after a first analysis, he believed there had been an
obvious anomaly of the preventive seizure procedure.
Sarzana's opinion is that the measures taken by the police are incompatible
with the free flow of information on the web, as well as the free expression
of thought in online forums. "The principle which we must begin with is
that any illegality should be suppressed and not encouraged, when you are
certain of course, without prejudice and preconceived ideas about the
navigability associated with the P2P service which was used for illegal
activity. And when the instruments used to preventively suppress are not in
the position to harm constitutional values or rights of third parties."
The lawyer warned that if such preventive seizure can be thus
used "without a scrupulous control of alternative means to repress illegal
content", this instrument can also be used in cases of defamation through
the information media or just blogs. "With a very strong impact upon the
freedom of information on the Internet."
Italianshare, the word to the defenders (only in Italian, 17.11.2011)
http://punto-informatico.it/3339573/PI/Interviste/italianshare-parola-alla-…
Free Play Club, a surprise seizure (only in Italian, 16.11.2011)
http://punto-informatico.it/3337434/PI/Lettere/free-play-club-un-sequestro-…
Italianstylewebsite / another surprise seizure (only in Italian, 17.11.2011)
http://punto-informatico.it/3339385/PI/Lettere/italianstylewebsite-altro-se…
Italian Anti-Piracy Blockade Takes Legit Sites Offline (18.11.2011)
http://torrentfreak.com/italian-anti-piracy-blockade-takes-legit-sites-offl…
Cybercrime Police Shut Down Five File-Sharing Sites (11.11.2011)
http://torrentfreak.com/cybercrime-police-shut-down-five-file-sharing-sites…
============================================================
7. EU-US summit joint statement ignores European civil rights
============================================================
A common statement issued at the EU-US summit that took place on 28 November
2011 at the White House in Washington included several aspects with direct
impact on digital civil rights that show the US have succeeded again in
obtaining what they wanted, while the European Union representatives have
failed to protect the EU citizens' fundamental rights, especially the right
to privacy.
The statement clearly states that while the PNR agreement was negotiated,
there is still no deadline for an EU-US data protection agreement.
"We welcome the successful completion of negotiations on a new Passenger
Name Record agreement, and look forward to its early adoption and
ratification" says item 18 of the statement which continues by mentioning
the intention to finalize negotiations on a "comprehensive EU-U.S. data
privacy and protection agreement that provides a high level of privacy
protection for all individuals and thereby facilitates the exchange of data
needed to fight crime and terrorism."
US have also pushed in support for the CoE Cybercrime Convention, but there
is nothing stated in relation with a commitment to ratify or at least start
to negotiate any of the fundamental rights conventions of the CoE. Also, the
US has rejected a request from the Commission to include net neutrality in
the statement, but they have managed to get in their wording on the
engagement with the private sector.
"We welcome the progress made by the EU-U.S. Working Group on Cyber-security
and Cyber-crime, notably the successful Cyber Atlantic 2011 exercise. We
endorse its ambitious goals for 2012, including combating online sexual
abuse of children; enhancing the security of domain names and Internet
Protocol addresses; promotion of international ratification, including by
all EU Member States, of the Budapest Convention on Cybercrime ideally by
year's end; establishing appropriate information exchange mechanisms to
jointly engage with the private sector; and confronting the unfair market
access barriers that European and U.S. technology companies face abroad,"
says item 18 of the joint statement.
EU-U.S. Summit joint statement (28.11.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/842
============================================================
8. Two years into the Stockholm Programme: on the way to e-Fortress Europe?
============================================================
It has been two years now since the Stockholm Programme - a 5-year plan for
Justice and Home Affairs - was adopted. On 24 November 2011, an experts'
and activists' round table, organised in the European Parliament, raised
the question whether Europe was on its way to an e-Fortress. The
discussions focused on the proposal for so-called smart borders, the
processing of air passenger data (PNR) and the creation of a European
Border Surveillance System (EUROSUR).
With the introduction of smart borders, the European Commission aims at
implementing more effective border surveillance against "irregular
migration" by the use of drone planes, satellite and surveillance systems,
unmanned ground or marine vehicles and even combat robots. EUROSUR is a
further attempt by the European Commission to reduce the number of illegal
immigrants entering the European Union, to develop common tools and
instruments for Member States and to permit an EU-wide exchange of data. A
legislative proposal is expected to be published by the Commission around 7
December 2011.
Sergio Carrera, first speaker of the round table and senior research
fellow at the Centre for European Policy Studies (CEPS), criticised the
current policy making in the field of security saying that it was not
evidence based and that debates on necessity were non-existent, thus
fundamental rights always play a secondary role. During the development
of every new project, the presumption of innocence, the consent of
individuals and the principle of non-discrimination are rarely taken
into account. He doubted that the gaps of Frontex could be closed by
EUROSUR.
Owe Langfeldt and Gabriel Blaj from the EDPS stressed the importance
that the Commission should provide clear proof that future security
policy measures were necessary and effective after their implementation.
They also warned of a function creep, called for clear purpose
limitation and criticised that through the introduction of profiling,
for example via PNR agreements, a generalised suspicion was laid upon
society. Blaj added that the subgroup on borders and law enforcement of the
Article 29 Working Group has recently decided to react to the proposals by
the Commission.
Erich Töpfer's (Cilip & Statewatch) short input focused on the corporate
interest in the field of security policy and on the fact that border and
security measures involve a powerful security-industry complex. Detailed
information can be found in "Arming Big Brother" analysis and in a report
for the Transnational Institute which explains how most of the European
security research projects have been outsourced to the corporations that
have the most to gain from their implementation and examines the EU
security-industrial complex.
An open debate followed the short presentations during which the
participants of the round table discussed future activities, possible
arguments, cooperation and initiatives. The debate centred on useful
arguments to counter those in favor of the introduction of more surveillance
measures. The participants agreed on the necessity of an evaluation of
existing systems, of impact and cost assessments. Highlighting the export of
Western surveillance technologies to the Middle East was suggested, in order
to name and shame companies. At the same time, it is crucial for civil
society to provide MEPs with counter-facts (regarding EU-PNR for instance).
Tony Bunyan, Director of Statewatch, summarized the debated issues at
the end of the event. He pointed out that a very first proposal for
EU-PNR already collapsed in 2007 when the European Parliament opposed
it. Now, the Parliament and the Commission only needed to be reminded of
their own history. However, Bunyan also emphasized the necessity of
campaigns outside the Parliament, from the "ground", which would be far
more effective than those that focus on winning a majority in the EP only.
European Commission Communication: Smart Border - options and the way ahead
(25.11.2011)
http://ec.europa.eu/home-affairs/news/intro/docs/20111025/20111025-680%20en…
Statewatch Analysis: Arming Big Brother
http://www.statewatch.org/analyses/bigbrother.pdf
Transnational Institute: NeoConOpticon Report, The EU
Security-Industrial Complex
http://www.statewatch.org/analyses/neoconopticon-report.pdf
Programme of the event: Two Years into the Stockholm Programme - on the
way to e-Fortress Europe? (24.11.2011)
http://www.ska-keller.de/images/stories/files/roundtable_e-fortress-europe%…
(Contribution by Kirsten Fiedler - EDRi)
============================================================
9. New Guidelines to RFID Privacy Impact Assessments
============================================================
On 25 November 2011 the German Federal Office for Information Security (BSI)
and the Institute for Management Information Systems of the Vienna
University of Economics and Business (WU) held an expert symposium on RFID
Privacy Impact Assessments in Berlin and presented their BSI Privacy Impact
Assessment (PIA) Guidelines.
The PIA guidelines are based on the RFID PIA Framework, a kind of
co-regulation instrument that was signed by Vice President of the European
Commission Neelie Kroes and industry representatives earlier this year. The
goal of the guidelines is to explain the PIA Framework and to provide RFID
application operators with an in-depth understanding of the framework
terminology and proposed procedures. The methodology outlined in the
document is understood to be a concretion of the generic process outlined in
the PIA framework.
The PIA guidelines will help European RFID operators to ensure a high level
of data protection, which can be seen as an important aspect of quality and
a unique selling proposition for European companies, said Professor Sarah
Spiekermann, Head of the Institute for Management Information Systems. The
PIA guidelines are available from the symposium website. PIA case studies
for three different sectors will soon be published by BSI.
In his presentation at the symposium the German Federal Commissioner for
Data Protection and Freedom of Information, Peter Schaar, explained that,
while Data Protection Authorities (DPAs) might not be able to check each and
every PIA report, in future, the results of privacy impact assessments and
the implementation of their results will be important aspects in data
protection inspections. He therefore asked that PIA reports and the data
protection goals identified in the course of the PIA process should be made
transparent to DPAs and individuals.
Furthermore, Mr. Schaar called for PIA frameworks to be defined on the
European level and for the establishment of a European data protection
competence centre, which should work on technical means and measures for
data protection.
The European Data Protection Supervisor, Peter Hustinx, stressed in his
contribution the need to reduce the unhelpful diversity in EU member states'
data protection legislation. While there is no need to reinvent data
protection, it is necessary to make the current principles work better, to
improve the definition of responsibilities and to ensure a better
compliance, he said. With regard to privacy impact assessments, Mr. Hustinx
envisaged that these could be optional in some cases while being compulsory
in others.
A coherent European approach to the implementation of the RFID Privacy
Impact Assessment Framework will be in the centre of a conference organised
by the European Commission on 8 February 2012 in Brussels, where experiences
with the PIA Framework and the future of the European Commission's RFID
Recommendation will be discussed.
As EDRi already expressed earlier, the success of RFID Privacy Impact
Assessments will, to a large extent, depend on the quality of the
assessment. In particular, it will be crucial to address and eliminate risks
that stem from third parties and are not directly related to the RFID
applications operated by a given company, but facilitate the RFID tags
disseminated by the company.
Expert Symposium on RFID Privacy Impact Assessments, 25.11.2011, Austrian
Embassy Berlin
http://www.wu.ac.at/ec/events/piasymposium
RFID Privacy Impact Assessment Guidelines
http://www.wu.ac.at/ec/events/pia_guideline
Federal Office for Security in Information technology - RFID PIA (only in
German)
https://www.bsi.bund.de/DE/Themen/ElektronischeAusweise/RadioFrequencyIdent…
EDRi-gram: EU supports RFID with proper protection of consumers' privacy
(20.05.2009)
http://www.edri.org/edri-gram/number7.10/rfid-european-commission-recommand…
EDRi-gram: RFID Privacy Impact Assessment Framework formally adopted
(06.04.2011)
http://www.edri.org/edrigram/number9.7/rfid-pia-adopted-eu
EDRi-gram: ENDitorial: RFID PIA: Check against delivery
http://www.edri.org/edrigram/number9.10/rfid-pia-check-against-delivery
European Commission Conference: 08.02.2012: Implementation of the RFID
Privacy Impact Assessment (PIA) Framework
Invitation:
http://ec.europa.eu/information_society/policy/rfid/documents/piaconference…
Programme:
http://ec.europa.eu/information_society/policy/rfid/documents/piaconference…
(Contribution by Andreas Krisch - EDRi)
============================================================
10. ENDitorial: Advocate General on Data Retention: Strange answer&question
============================================================
The Advocate General of the European Court of Justice recently issued an
opinion on the case of Bonnier Audio vs Perfect Communication Sweden (case
no. C-461/10). The question to be answered was whether the Data Retention
Directive and/or articles 3, 4, 5 and 11 of the E-Privacy Directive prevent
Member States from permitting internet service providers in civil
proceedings to be ordered to give copyright holders information on
subscribers that allegedly infringed intellectual property rights, as
foreseen by Article 8 of the IPR Enforcement Directive. The
question partly seeks to answer itself, by explicitly demanding an
assumption that the measure is proportionate and that evidence of an
infringement has been "adduced".
The answer from the Advocate General is, "no", there is nothing in the Data
Retention Directive nor the E-Privacy Directive which would prevent a
national administration from imposing a measure requiring stored data to
be used to identify people within the scope of the IPR Enforcement
Directive. However, such information should be stored for the purpose of
possible disclosure to IPR holders, according to detailed national
provisions and compliant with EU law on data protection.
He bases this view on various elements. Firstly, regarding the Data
Retention Directive, he explains that this is not relevant in the context of
this specific case.
However, his views on the E-Privacy Directive are the most interesting and
difficult to comprehend. This analysis explains that Member States may
impose data retention for purposes outside the scope of the legal basis of
the Directives. This analysis was confirmed by the European Commission in a
declaration at the time of adoption of the Directive. As the Commission
explained in its position on the common position, "the present Directive
based on Article 95 of the Treaty cannot include substantive provisions on
law enforcement measures. It should neither prohibit nor approve any
particular measure Member States may deem necessary."
Article 15 of the E-Privacy Directive does explain that such an infringement
of the fundamental right to privacy must be adequately
justified - namely that any such measure be a "necessary, appropriate and
proportionate measure within a democratic society to safeguard national
security (i.e. State security), defence, public security, and the
prevention, investigation, detection and prosecution of criminal offences or
of unauthorised use of the electronic communication system, as referred to
in Article 13(1) of Directive 95/46/EC." However, the Advocate General is
clear that the restrictions described in Article 15.1 of the E-Privacy
Directive must be respected for any data storage to be legal.
The Advocate General makes no effort to explain why such a measure would or
could be "necessary" as well as being proportionate (the question attempts
to preempt the court by explaining that proportionality is assumed). This is
surprising when we bear in mind the only position taken so far on long-term,
suspicionless retention of data on innocent citizens - the
Telefonica/Promusicae case. In that case, the Advocate General argued that
"(i)t may be doubted whether the storage of traffic data of all users
without any concrete suspicion - laying in a stock, as it were - is
compatible with fundamental rights." How did we move from a situation before
the adoption of the Charter of Fundamental Rights where an Advocate General
said that data retention per se is of questionable legality, to a position
now, under the Charter, where an Advocate General believes it is permissible
for narrow business interests - ignoring the fact that data retention was
explicitly implemented under the condition that it was for fighting "serious
crime"? Maybe the answer lies in the fact that the question demands that the
ECJ makes the very dubious assumption that the measure being imposed is
"proportionate".
Having ignored the part of the Telefonica/Promusicae case that highlighted
the serious dangers of data retention for fundamental rights, perhaps the
oddest interpretation is the one that relies on analysis in that case. The
Advocate General explains that, during the implementation of Directives in
national law, a fair balance of different fundamental rights must be
respected. This is odd because the case in question does not concern
implementation of EU Directives into national laws, it concerns the question
whether new, additional and unforeseen implementations of data retention are
forbidden by the relevant legislation or not.
Starting from this questionable logical basis, the Advocate General treats
private property "rights" of narrow business interests as fully equal to the
rights of citizens as a whole. While this is unfortunately, in abstract
terms, correct, he then fails to address the fact that, in specific terms,
it is not appropriate to treat narrow business interests as of equal value
as the privacy of the entire society. This position has, thankfully, already
been contradicted by the Court in last week's Scarlet/Sabam case, where the
judges ruled that "The protection of the right to intellectual property is
indeed enshrined in Article 17(2) of the Charter of Fundamental Rights of
the European Union. There is, however, nothing whatsoever in the wording of
that provision or in the Court's case-law to suggest that that right is
inviolable and must for that reason be absolutely protected."
However, the ultimate conclusion that the Advocate General comes to is
probably the only possible one as a result of the very leading way in which
the question was posed. Having been asked to assume that any such measure
was proportionate (and assuming that intellectual property breaches are
criminal offences), there is nothing in the Directives mentioned in the
question which would prevent a Member State from introducing a new law to
require data retention for intellectual property enforcement purposes - as
long as the minimum criteria set out in the E-Privacy Directive are
respected.
It is to be hoped that the Court will not restrict itself to the very
questionable assumption of proportionality and address necessity and
proportionality as well. If it does, the result should be quite different,
as Advocate General Kokott already pointed out in the Telefonica/Promusicae
case.
Commission Declaration
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52002PC0338:EN:…
Data Retention Directive
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:00…
E-Privacy Directive
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:N…
ECJ Cases:
Telefonica/Promusicae: Case C-275/06
Scarlet/Sabam: Case C-70/10
Bonnier Audio/Perfect Communications: Case C-461/10
all accessible at
http://curia.europa.eu/jcms/jcms/j_6/
(Contribution by Joe McNamee - EDRi)
============================================================
11. Recommended Action
============================================================
Stop ACTA!
http://www.edri.org/stopacta
============================================================
12. Recommended Reading
============================================================
EDPS calls for strengthening of proposed Regulation on the Internal Market
Information System (22.11.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/…
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consu…
Sweden: Net Neutrality: Mobile Broadband Suppliers Discriminate Against
BitTorrent (22.11.2011)
http://torrentfreak.com/net-neutrality-mobile-broadband-suppliers-discrimin…
http://www.iis.se/docs/N%C3%A4tneutralitet2011.pdf
Data losses from local authorities in UK (23.11.2011)
http://www.bigbrotherwatch.org.uk/home/2011/11/local-authority-data-loss-ex…
http://bigbrotherwatch.org.uk/la-data-loss-breakdown.pdf
============================================================
13. Agenda
============================================================
7 December 2011, Bruxelles, Belgium
"Self"-regulation: Should online companies police the Internet?
http://selfregulation.tumblr.com/
9 December 2011, The Hague, Amsterdam
Conference on internet freedom hosted by the Dutch Ministry of Foreign
Affairs
http://www.minbuza.nl/en/ministry/conference-on-internet-freedom/internetfr…
27-30 December 2011, Berlin, Germany
28C3 - 28th Chaos Communication Congress
http://events.ccc.de/category/28c3/
http://events.ccc.de/congress/2011/
25-27 January 2012, Brussels, Belgium
Computers, Privacy and Data Protection 2012
http://www.cpdpconferences.org/
16-18 April 2012, Cambridge, UK
Cambridge 2012: Innovation and Impact - Openly Collaborating to Enhance
Education
OER12 and the OCW Consortium's Global Conference
http://conference.ocwconsortium.org/index.php/2012/uk
14-15 June 2012, Stockholm, Sweden
EuroDIG 2012
http://www.eurodig.org/
9-10 July 2012, Barcelona, Spain
8th International Conference on Internet Law & Politics: Challenges and
Opportunities of Online Entertainment
Abstracts deadline: 20 December 2011
http://edcp.uoc.edu/symposia/idp2012/cfp/?lang=en
============================================================
14. About
============================================================
EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 28 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRi-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and are visible on
the EDRi website.
This EDRi-gram has been published with financial support from the EU's
Fundamental Rights and Citizenship Programme.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
http://flattr.com/thing/417077/edri-on-Flattr
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
I'm definitely /not/ an ECC expert, but this is a pairing-friendly curve, which means it's vulnerable to a type of attack where EC group elements can be mapped into a field (using a bilinear map), then attacked using an efficient field-based solver. (Coppersmith's).
NIST curves don't have this property. In fact, they're specifically chosen so that there's no efficiently-computable pairing.
Moreover, it seems that this particular pairing-friendly curve is particularly tractable. The attack they used has an estimated running time of 2^53 steps. While the 'steps' here aren't directly analogous to the operations you'd use to brute-force a symmetric cryptosystem, it gives a rough estimate of the symmetric-equivalent key size.
(Apologies to any real ECC experts whose work I've mangled here... :)
Matt
On Jun 20, 2012, at 10:59 AM, Charles Morris wrote:
> "NIST guidelines state that ECC keys should be twice the length of
> equivalent strength symmetric key algorithms."
> So according to NIST solving a 923b ECC is like brute-forcing a 461b
> bit symmetric key (I assume in a perfect cipher?).
>
> Of course there are weak keys in almost any system e.g. badly
> implemented RSA picking p=q
>
> I wonder if a weak-key scenario has occurred, or if this is a genuine
> generalized mathematical advance?
> Comments from ECC experts?
_______________________________________________
cryptography mailing list
cryptography(a)randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
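The distinction drawn in the reply above, between pairing-friendly curves and the NIST curves, can be checked from domain parameters alone by computing the embedding degree: the smallest k for which the subgroup order r divides q^k - 1. The following Python is an added example, not part of the original message; the toy curve, the search bound of 100 and all function names are constructed for illustration, while the P-256 constants are the published NIST domain parameters.

```python
"""Embedding-degree (MOV condition) check for elliptic-curve domain parameters.

A pairing maps a subgroup of order r on a curve over F_q into the
multiplicative group of F_{q^k}, where k is the smallest integer with
q^k = 1 (mod r). If k is small, discrete logs on the curve can be moved
into that finite field; if no small k exists, the transfer is useless.
"""

# NIST P-256 field prime and base-point order (published domain parameters).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# Constructed toy example: y^2 = x^3 + x over F_59. For p = 3 (mod 4) this
# curve is supersingular with p + 1 = 60 points; 5 is a prime factor of 60.
TOY_P = 59
TOY_R = 5


def count_points(p, a, b):
    """Count points on y^2 = x^3 + a*x + b over F_p by brute force (toy p only)."""
    total = 1  # the point at infinity
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if rhs == 0:
            total += 1          # single point with y = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:
            total += 2          # rhs is a square: two values of y
    return total


def embedding_degree(q, r, bound):
    """Return the smallest k in 1..bound with q^k = 1 (mod r), or None."""
    acc = 1
    for k in range(1, bound + 1):
        acc = (acc * q) % r
        if acc == 1:
            return k
    return None


def assess(q, r, bound=100):
    """Summarise whether the order-r subgroup embeds into a small extension field.

    `bound` is an assumption of this example: any k above it is treated as
    too large for a pairing-based transfer to matter.
    """
    k = embedding_degree(q, r, bound)
    return {
        "embedding_degree": k,
        # Size of the finite field the discrete log would be transferred to.
        "target_field_bits": (q ** k).bit_length() if k is not None else None,
        "pairing_friendly": k is not None,
    }


if __name__ == "__main__":
    assert count_points(TOY_P, 1, 0) % TOY_R == 0  # r really divides the group order
    print("toy supersingular curve:", assess(TOY_P, TOY_R))
    print("NIST P-256:            ", assess(P256_P, P256_N))
```

For the toy curve the subgroup embeds into F_{59^2}; for P-256 no k up to the bound exists, so the same check run at parameter-validation time flags the first curve and passes the second.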
> Mark, don't worry, the real programmers among us aren't afraid to
> compete (actually, right now, there's plenty of work for everyone
> who is competent so there's little need for real competition).
> Fortunately, these losers are unlikely to be successful in their
> organizational and lobbying efforts.
Thanks. I hope so... Free access to the US market has already enabled me to
switch from $100 / month to $500 / month while in Romania, and to $3,500 /
month here in Atlanta. [Yeah, I'm still far from Bill Gates, but it's still
35 times more than I made two years ago <g>]
Mark
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 9.23, 30 November 2011
============================================================
Contents
============================================================
1. Scarlet v SABAM: a win for fundamental rights and Internet freedoms
2. Proposed US-EU PNR Agreement made public
3. Dutch Parliament: no discussions on ACTA if negotiations are still secret
4. Turkey launches Internet filtering scheme
5. US crackdown on global domain names and IP addresses continues
6. Italian Police blocks sites that had banners to alleged illegal websites
7. EU-US summit joint statement ignores European civil rights
8. Two years into the Stockholm Programme: on the way to e-Fortress Europe?
9. New Guidelines to RFID Privacy Impact Assessments
10. ENDitorial: Advocate General on Data Retention: Strange answer&question
11. Recommended Action
12. Recommended Reading
13. Agenda
14. About
============================================================
1. Scarlet v SABAM: a win for fundamental rights and Internet freedoms
============================================================
On 24 November 2011, the European Court of Justice decided that an Internet
service provider (ISP) can not be ordered to install a system of filtering
of all electronic communications and blocking certain content in order to
protect intellectual property rights. The Court largely based its decision
on the Charter of Fundamental Rights.
The ruling is hugely important for the openness of the Internet, and
therefore for the fundamental rights value and the economic value of the
Internet.
SABAM (the Belgian collective society - Société belge des auteurs,
compositeurs et éditeurs) wanted the ISP Scarlet to install a generalised
filtering system for all incoming and outgoing electronic communications
passing through its services and to block potentially unlawful
communications. In First Instance, while refusing the liability of the ISP,
the Brussels Court concluded that the SABAM's claim was legitimate and that
a filtering system had to be deployed. Scarlet appealed and the case was
referred to the Court of Justice of the European Union.
In its decision, the Court of Justice ruled that a filtering and blocking
system for all its customers for an unlimited period, in abstracto and as
preventive measure, violates fundamental rights, more particularly the right
to privacy, freedom of communication and freedom of information. In
addition, it breaches the freedom of ISPs to conduct business.
The EU ruling underlines the importance of an open and neutral Internet,
respecting fundamental rights. The alternative would have led to a
permanent surveillance and filtering of all European networks. The
consequences would have been catastrophic for democracy, civil rights and
the Internet economy. The role of Internet intermediaries is to provide the
infrastructures and services that allow users to access and use the
Internet, not to police the flows of traffic to privately enforce
intellectual property rights. By protecting ISPs, the ruling is likely to
preserve key elements of the online economy and society. The Court sought
the right balance between the interest of the rightsholders on the one hand
and the interests of the ISPs and of citizens on the other hand.
Internet blocking is not completely banned by the decision, nor does it
deny ISPs' liability in every situation. On the former, the EU Court had to
rule on the liability of the type of blocking/filtering that was proposed.
On that point, it declared that the level of filtering and blocking asked
for in the case was too broad in terms of material and geographic scopes,
that the legitimate interests of society as a whole outweighed the other
interests at stake and that the unlimited and open-ended nature of the
blocking was excessive. As a result, the Court ruled that the proposed
measures were in violation of the European law. The Court could not have
made a ruling on unknown future technologies and developments or answered
questions it was not asked. On ISP liability, the ruling avoids the
circumvention of the existing EU law. In the current framework in the
e-commerce Directive (2000/31/EC), the ISP cannot be held liable for its
customers' behaviour when the ISP is unaware of illegal activity.
Far from creating a law free zone, the ruling sets safeguards to better
protect fundamental rights on the Internet. The decision re-establishes the
importance of the rule of law in the digital environment. Illegal behaviour
remains illegal but the policing stays the responsibility of the state, and
the liability stays on the person responsible for the illegal content.
ECJ Decision Scarlet vs Sabam (24.11.2011)
http://curia.europa.eu/jurisp/cgi-bin/gettext.pl?where=&lang=en&num=7988887…
Press release and FAQ from EDRi (24.11.2011)
http://edri.org/scarlet_sabam_win
Press release from ECJ (24.11.2011)
http://curia.europa.eu/jcms/upload/docs/application/pdf/2011-11/cp110126en.…
(Contribution by Marie Humeau - EDRi)
============================================================
2. Proposed US-EU PNR Agreement made public
============================================================
On 17 November 2011, U.S. and EU officials initialled a proposed agreement
to authorize airlines to forward passenger name record (PNR) data to the
U.S. Department of Homeland Security (DHS). Although the agreement cannot
take effect without the approval of the European Parliament and the Council,
MEPs could read the proposed agreement only in a sealed room where they
could not take notes or make copies.
This week the complete text on which the European Parliament will vote has
finally been made public, revealing a failure to address the concerns raised
by the Parliament and continued shortfalls in data protection, due process,
and protection of fundamental rights.
In its resolution of 5 May 2010, the Parliament said that the PNR agreement
should take the form of a treaty, recognize the fundamental right to
freedom of movement, prohibit the use of PNR data for data mining or
profiling, and take into consideration "PNR data which may be available
from sources not covered by international agreements, such as computer
reservation systems located outside the EU." The proposed agreement
does not meet these criteria, and does not mention any of these issues.
The agreement would require that DHS copies of PNRs be "depersonalized"
after 6 months. But the "depersonalized" DHS copy of each PNR would still
include a unique record locator. There is no data protection law in the
U.S. for commercial data. So, at any time - secretly, without a court
order, and without violating U.S. law or the U.S.-EU agreement - the DHS
could use the record locator to obtain a copy of the complete PNR from the
computer reservation systems.
The agreement claims that all DHS access to PNR data will be logged. But
when individuals have requested these logs, both the DHS and European
airlines have said that they didn't exist. Without access logs, there can
be no accountability or oversight.
According to the agreement, any individual is entitled to "request" access
or corrections to their PNR data under the Freedom of Information Act
(FOIA). But most PNR data is exempt from FOIA. Under both the agreement
and U.S. law, you are entitled to request your PNR data, and the DHS is
entitled to say "No".
FOIA is not a data protection law. FOIA never requires any accounting of
usage or disclosure of data. FOIA never requires correction of records.
FOIA does not restrict what information is collected or how it is used.
U.S. courts have no authority under FOIA to take any action against misuse
or disclosure of personal information. The agreement says that individuals
may "seek" or "petition" for judicial review in U.S. courts. But such a
petition related to violations of the agreement would be denied.
The proposed agreement would protect travel companies against enforcement
of EU data protection laws, while failing to protect the rights of
travellers. Because the proposed agreement does not provide an adequate
level of protection for the processing of personal data, as required by
the EU Data Protection Directive and Article 8 of the Charter of
Fundamental Rights, EDRi recommends that the Council and the Parliament
should reject the proposed agreement.
Text of the PNR Agreement (23.11.2011)
http://www.ipex.eu/IPEXL-WEB/dossier/dossier.do?code=NLE&year=2011&number=0…
Analysis of the proposed U.S.-EU agreement on PNR transfers to the DHS
(with links to the full text in English, German, and French, 28.11.2011)
http://papersplease.org/wp/2011/11/28/revised-eu-us-agreement-on-pnr-data-s…
Analysis of the proposed agreement by NoPNR! (only in German, 28.11.2011)
http://www.nopnr.org/fluggastdaten-an-die-usa-analyse/
EDRi archive of articles about PNR
http://www.edri.org/issues/privacy/pnr
(Contribution by Edward Hasbrouck, PapersPlease.org - EDRi observer)
============================================================
3. Dutch Parliament: no discussions on ACTA if negotiations are still secret
============================================================
ACTA is creating quite some noise, not only internationally but also
domestically. National Parliaments, including the Dutch Parliament, will
have to decide whether they will approve ACTA or not. In order to
correctly assess the implications of ACTA, the Dutch Parliament
requested publication of all preparatory documents on ACTA.
The Dutch Minister of Economic Affairs, Agriculture and Innovation,
Maxime Verhagen, would only hand over these documents if
parliamentarians vowed not to reveal anything about these documents.
Last week, the Dutch Parliament debated the imposed restrictions. A majority
of the Parliament indicated that ACTA could not be discussed in
Parliament before all information on the negotiations is disclosed
without conditions.
EDRi-member Bits of Freedom sent, in preparation of this debate, a letter to
the Parliament that underlined the problems associated with ACTA and advised
it not to accept the imposed restrictions, as these would prohibit the
Parliament from discussing the treaty freely in public and consulting experts.
Dutch parliament refuses ACTA secrecy (23.11.2011)
http://acta.ffii.org/?p=924
Absurd obligation of confidentiality on ACTA blocks public debate (only in
Dutch, 21.11.2011)
https://www.bof.nl/2011/11/21/absurde-zwijgplicht-over-acta-blokkeert-publi…
Parliament demands moratorium on anti-counterfeiting treaty ACTA (only in
Dutch, 23.11.2011)
https://www.bof.nl/2011/11/23/kamer-eist-moratorium-op-anti-namaakverdrag-a…
(Contribution by Rebecca Roskam EDRi-member Bits of Freedom volunteer -
Netherlands)
============================================================
4. Turkey launches Internet filtering scheme
============================================================
Turkish Information Technologies and Communications Authority (BTK) launched
the Internet safety scheme on 22 November 2011, as planned, but on a
voluntary basis, following the fierce criticism and opposition to the
original plans to introduce a mandatory filtering system.
Internet users may sign up with their ISPs for the free of charge filtering
system which blocks "objectionable content", being able to choose from three
variants: child, family and domestic. When an Internet user wants to choose
one of the filtering variants, BTK issues a new user name and password
enabling the user's access to the chosen filtering system. The users who
want to stop using the Internet filtering can change back to a standard
no-filter profile.
Although voluntary, the system still raises concerns, one of them being the
supervision of the system by a new committee called Child and Family
Profiles Criteria Working Committee which, in the opinion of law professor
Yaman Akdeniz of Bilgi University in Istanbul "... does not look independent
nor impartial." The professor also believes that the state authorities may
be in the position to impose moral values.
More worrying is the fact that the filter blocks not only adult content, but
some 130 search terms, including "separatist" content from the PKK and
Kurdish rights groups. "I also believe that the Turkish authorities are not
only trying to protect children but also adults from the 'so called harmful
content '," said Akdeniz.
Moreover, as frequently proven by liberty activists and IT experts,
filtering is not a real solution to solve real Internet threats to children.
Filters are easy to circumvent, costly and, in most cases, can lead to
blocking innocent content in the process.
State censorship can be easily masked by apparently justified reasons such
as threats to family and children. Under the cover of protecting children,
governments may try to include political censorship by including on the
filtering list words that relate more to political criticism and opposition
than to child pornography or terrorism.
This Week in Internet Censorship: Opaque Censorship in Turkey, Russia, and
Britain (23.11.2011)
https://www.eff.org/deeplinks/2011/11/week-internet-censorship-opaque-censo…
New Internet filtering system available after 3-month test period
(21.11.2011)
http://www.todayszaman.com/news-263471-new-internet-filtering-system-availa…
EDRigram: Turkey postpones its Internet filtering plans (24.08.2011)
http://www.edri.org/edrigram/number9.16/turkey-postpones-internet-filtering
============================================================
5. US crackdown on global domain names and IP addresses continues
============================================================
US authorities have resumed their "Operation in Our Sites" in order to
attempt to fight counterfeit and piracy-related websites. During this
second annual "Cyber Monday" crackdown, the Immigration and Customs
Enforcement (ICE) has shut down 150 websites from all over the world.
The recent introduction of draft bills, such as the Stop Online Piracy Act
(SOPA) and PROTECT IP Act (PIPA) now aims at providing a legal basis for
domain names and IP address seizures. SOPA's broad definitions could indeed
mean that no online resource in the global Internet would be outside US
jurisdiction.
In response to these legislative proposals and repeated unilateral
measures against European websites, the European Parliament adopted a
resolution on 17 November 2011 in preparation of the EU/US summit stressing
"the need to protect the integrity of the global internet and freedom of
communication by refraining from unilateral measures to revoke IP
addresses or domain names." The joint EU/US summit declaration published on
28 November 2011 indeed says: "We share a commitment to a single, global
Internet, and will resist unilateral efforts to weaken the security,
reliability, or independence of its operations".
However, despite the big show of opposition to the US bills and the
Parliament's actions, Internet filtering and blocking schemes like SOPA
and PIPA are still on the agenda on the other side of the Atlantic
claiming worldwide jurisdiction for domain names and IP addresses. According
to recent reports, attempts to terminate the Internet's end-to-end
architecture also seem to get even closer to the core of the Internet. This
sort of access restriction is an experiment with key functions of the
Internet, increasing the risk of fragmentation of the global Internet and as
one co-chair of RIPE's DNS Working group stated, this gives restrictive
tools "to the bad guys".
Another attempt to govern the Internet is for instance the latest
international law enforcement action by the FBI against a large botnet.
During this action, the FBI, without a court order or without a legal
basis, took over the address blocks used by the botnet's nameservers and
then assigned those address blocks to Internet Systems Consortium's
(ISC) nameservers. The European Regional Internet Registry RIPE-NCC was
rather concerned about the implications of getting involved in policy
and governance issues and has now sued the public prosecutor's office to
get a judicial decision on the question whether they had sufficient
legal ground to order the temporary "lock" of the registrations. The
implications of RIPE having to respond to such orders, particularly due
to the very wide geographic coverage of its activities, would be very
severe indeed.
List of blocked web sites by the Immigration and Customs Enforcement (ICE)
(28.11.2011)
http://www.ice.gov/doclib/news/releases/2011/111128washingtondc.pdf
EU-US Summit Resolution by the European Parliament (15.11.2011)
http://www.europarl.europa.eu/sides/getDoc.do?type=MOTION&reference=P7-RC-2…
EU-US Summit Joint Declaration (28.11.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/842
Civil society, human rights groups urge Congress to reject the Stop
Online Piracy Act (15.11.2011)
https://www.accessnow.org/policy-activism/press-blog/urge-congress-to-rejec…
IP Watch: Filtering and Blocking Closer To The Core Of The Internet?
(20.11.2011)
http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-…
RIPE NCC Intends to Seek Clarification from Dutch Court on Police Order to
Temporarily Lock Registration (16.11.2011)
https://www.ripe.net/internet-coordination/news/about-ripe-ncc-and-ripe/rip…
(Contribution by Kirsten Fiedler - EDRi)
============================================================
6. Italian Police blocks sites that had banners to alleged illegal websites
============================================================
The Italian cybercrime police, Guardia di Finanza Agropoli, has recently
DNS blocked a series of websites that were offering links to content indexed
on BitTorrent, cyberlockers and eDonkey networks. Five of
the blocked sites belonged to Italianshare.net network, which were
allegedly releasing the links to the movies, games or music before their
commercial release. Two more websites that had nothing to do with that
network were also blocked.
According to Guardia di Finanza, the sites had advertising and donation
accounts operating through PayPal giving the authority the reason to
investigate them under commercial piracy and tax evasion accusations. The
on-going investigation has led to complaints filed by several anti-piracy
groups against the alleged leaders of the websites, resulting in the seizure
of their computer equipment.
But also two innocent websites, italianstylewebsite.net and
freeplayclub.org, have fallen victim of this action being, apparently by
mistake, associated to the investigated sites. The owners of the two
websites have both reacted by stating their sites were perfectly legal,
their only link with Italianshare.net being an exchange of banners. Their
sites hosted only legal links to free downloadable software of computer
games.
Furthermore, the two owners stated that they had received no previous
warning from the authorities and that initially they thought they had
problems with their DNS. Having not received any official notification, they
did not even know to whom to address in order to prove the legality of their
sites.
Fulvio Sarzana, the lawyer of the alleged owner of Italianshare.net
network, stated that, after a first analysis, he believed there had been an
obvious anomaly of the preventive seizure procedure.
Sarzana's opinion is that the measures taken by the police are incompatible
with the free flow of information on the web, as well as the free expression
of thought in online forums. "The principle which we must begin with is
that any illegality should be suppressed and not encouraged, when you are
certain of course, without prejudice and preconceived ideas about the
navigability associated with the P2P service which was used for illegal
activity. And when the instruments used to preventively suppress are not in
the position to harm constitutional values or rights of third parties."
The lawyer warned on the fact that if such preventive seizure can be thus
used "without a scrupulous control of alternative means to repress illegal
content", this instrument can also be used in cases of defamation through
the information media or just blogs. "With a very strong impact upon the
freedom of information on the Internet."
Italianshare, the word to the defenders (only in Italian, 17.11.2011)
http://punto-informatico.it/3339573/PI/Interviste/italianshare-parola-alla-…
Free Play Club, a surprise seizure (only in Italian, 16.11.2011)
http://punto-informatico.it/3337434/PI/Lettere/free-play-club-un-sequestro-…
Italianstylewebsite / another surprise seizure (only in Italian, 17.11.2011)
http://punto-informatico.it/3339385/PI/Lettere/italianstylewebsite-altro-se…
Italian Anti-Piracy Blockade Takes Legit Sites Offline (18.11.2011)
http://torrentfreak.com/italian-anti-piracy-blockade-takes-legit-sites-offl…
Cybercrime Police Shut Down Five File-Sharing Sites (11.11.2011)
http://torrentfreak.com/cybercrime-police-shut-down-five-file-sharing-sites…
============================================================
7. EU-US summit joint statement ignores European civil rights
============================================================
A common statement issued at the EU-US summit that took place on 28 November
2011 at the White House in Washington included several aspects with direct
impact on digital civil rights that shows the US have succeeded again in
obtaining what they wanted, while the European Union representatives have
failed to protect the EU citizens' fundamental rights, especially the right
to privacy.
The statement clearly states that while the PNR agreement was negotiated,
there is still no deadline for an EU-US data protection agreement.
"We welcome the successful completion of negotiations on a new Passenger
Name Record agreement, and look forward to its early adoption and
ratification" says item 18 of the statement which continues by mentioning
the intention to finalize negotiations on a "comprehensive EU-U.S. data
privacy and protection agreement that provides a high level of privacy
protection for all individuals and thereby facilitates the exchange of data
needed to fight crime and terrorism."
US have also pushed in support for the CoE Cybercrime Convention, but there
is nothing stated in relation with a commitment to ratify or at least start
to negotiate any of the fundamental rights conventions of the CoE. Also, the
US has rejected a request from the Commission to include net neutrality in
the statement, but they have managed to get in their wording on the
engagement with the private sector.
"We welcome the progress made by the EU-U.S. Working Group on Cyber-security
and Cyber-crime, notably the successful Cyber Atlantic 2011 exercise. We
endorse its ambitious goals for 2012, including combating online sexual
abuse of children; enhancing the security of domain names and Internet
Protocol addresses; promotion of international ratification, including by
all EU Member States, of the Budapest Convention on Cybercrime ideally by
year's end; establishing appropriate information exchange mechanisms to
jointly engage with the private sector; and confronting the unfair market
access barriers that European and U.S. technology companies face abroad,"
says item 18 of the joint statement.
EU-U.S. Summit joint statement (28.11.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/842
============================================================
8. Two years into the Stockholm Programme: on the way to e-Fortress Europe?
============================================================
It has been two years now since the Stockholm Programme - a 5-year plan for
Justice and Home Affairs - was adopted. On 24 November 2011, an experts'
and activists' round table, organised in the European Parliament, raised
the question whether Europe was on its way to an e-Fortress. The
discussions focused on the proposal for so-called smart borders, the
processing of air passenger data (PNR) and the creation of a European
Border Surveillance System (EUROSUR).
With the introduction of smart borders, the European Commission aims at
implementing more effective border surveillance against "irregular
migration" by the use of drone planes, satellite and surveillance systems,
unmanned ground or marine vehicles and even combat robots. EUROSUR is a
further attempt by the European Commission to reduce the number of illegal
immigrants entering the European Union, to develop common tools and
instruments for Member States and to permit an EU-wide exchange of data. A
legislative proposal is expected to be published by the Commission around 7
December 2011.
Sergio Carrera, first speaker of the round table and senior research
fellow at the Centre for European Policy Studies (CEPS), criticised the
current policy making in the field of security saying that it was not
evidence based and that debates on necessity were non-existent, thus
fundamental rights always play a secondary role. During the development
of every new project, the presumption of innocence, the consent of
individuals and the principle of non-discrimination are rarely taken
into account. He doubted that the gaps of Frontex could be closed by
EUROSUR.
Owe Langfeldt and Gabriel Blaj from the EDPS stressed the importance
that the Commission should provide clear proof that future security
policy measures were necessary and effective after their implementation.
They also warned of a function creep, called for clear purpose
limitation and criticised that through the introduction of profiling,
for example via PNR agreements, a generalised suspicion was laid upon
society. Blaj added that the subgroup on borders and law enforcement of the
Article 29 Working Group has recently decided to react on the proposals by
the Commission.
Erich Töpfer's (Cilip & Statewatch) short input focused on the corporate
interest in the field of security policy and on the fact that border and
security measures involve a powerful security-industry complex. Detailed
information can be found in "Arming Big Brother" analysis and in a report
for the Transnational Institute which explains how most of the European
security research projects have been outsourced to the corporations that
have the most to gain from their implementation and examines the EU
security-industrial complex.
An open debate followed the short presentations during which the
participants of the round table discussed future activities, possible
arguments, cooperation and initiatives. The debate centred on useful
arguments to counter those in favor of the introduction of more surveillance
measures. The participants agreed on the necessity of an evaluation of
existing systems, of impact and cost assessments. Highlighting the export of
Western surveillance technologies to the Middle East was suggested, in order
to name and shame companies. At the same time, it is crucial for civil
society to provide MEPs with counter-facts (regarding EU-PNR for instance).
Tony Bunyan, Director of Statewatch, summarized the debated issues at
the end of the event. He pointed out that a very first proposal for
EU-PNR already collapsed in 2007 when the European Parliament opposed
it. Now, the Parliament and the Commission only needed to be reminded of
their own history. However, Bunyan also emphasized the necessity of
campaigns outside the Parliament, from the "ground", which would be far
more effective than those that focus on winning a majority in the EP only.
European Commission Communication: Smart Border - options and the way ahead
(25.11.2011)
http://ec.europa.eu/home-affairs/news/intro/docs/20111025/20111025-680%20en…
Statewatch Analysis: Arming Big Brother
http://www.statewatch.org/analyses/bigbrother.pdf
Transnational Institute : NeoConOpticon Report, The EU
Security-Industrial Complex
http://www.statewatch.org/analyses/neoconopticon-report.pdf
Programme of the event: Two Years into the Stockholm Programme - on the
way to e-Fortress Europe? (24.11.2011)
http://www.ska-keller.de/images/stories/files/roundtable_e-fortress-europe%…
(Contribution by Kirsten Fiedler - EDRi)
============================================================
9. New Guidelines to RFID Privacy Impact Assessments
============================================================
On 25 November 2011 the German Federal Office for Information Security (BSI)
and the Institute for Management Information Systems of the Vienna
University of Economics and Business (WU) held an expert symposium on RFID
Privacy Impact Assessments in Berlin and presented their BSI Privacy Impact
Assessment (PIA) Guidelines.
The PIA guidelines are based on the RFID PIA Framework, a kind of
co-regulation instrument that was signed by Vice President of the European
Commission Neelie Kroes and industry representatives earlier this year. The
goal of the guidelines is to explain the PIA Framework and to provide RFID
application operators with an in-depth understanding of the framework
terminology and proposed procedures. The methodology outlined in the
document is understood to be a concretion of the generic process outlined in
the PIA framework.
The PIA guidelines will help European RFID operators to ensure a high level
of data protection, which can be seen as an important aspect of quality and
a unique selling proposition for European companies, said Professor Sarah
Spiekermann, Head of the Institute for Management Information Systems. The
PIA guidelines are available from the symposium website. PIA case studies
for three different sectors will soon be published by BSI.
In his presentation at the symposium the German Federal Commissioner for
Data Protection and Freedom of Information, Peter Schaar, explained that,
while Data Protection Authorities (DPAs) might not be able to check each and
every PIA report, in future, the results of privacy impact assessments and
the implementation of their results will be important aspects in data
protection inspections. He therefore asked, that PIA reports and the data
protection goals identified in the course of the PIA process should be made
transparent to DPAs and individuals.
Furthermore, Mr. Schaar called for PIA frameworks being defined on the
European level and for the establishment of a European data protection
competence centre, which should work on technical means and measures for
data protection.
The European Data Protection Supervisor, Peter Hustinx, stressed in his
contribution the need to reduce the unhelpful diversity in EU member states'
data protection legislation. While there is no need to reinvent data
protection, it is necessary to make the current principles work better, to
improve the definition of responsibilities and to ensure a better
compliance, he said. With regard to privacy impact assessments, Mr. Hustinx
envisaged that these could be optional in some cases while being compulsory
in others.
A coherent European approach to the implementation of the RFID Privacy
Impact Assessment Framework will be in the centre of a conference organised
by the European Commission on 8 February 2012 in Brussels, where experiences
with the PIA Framework and the future of the European Commission's RFID
Recommendation will be discussed.
As EDRi already expressed earlier, the success of RFID Privacy Impact
Assessments will, to a large extent, depend on the quality of the
assessment. In particular, it will be crucial to address and eliminate risks
that stem from third parties and are not directly related with the RFID
applications operated by a given company, but facilitate the RFID tags
disseminated by the company.
Expert Symposium on RFID Privacy Impact Assessments, 25.11.2011, Austrian
Embassy Berlin
http://www.wu.ac.at/ec/events/piasymposium
RFID Privacy Impact Assessment Guidelines
http://www.wu.ac.at/ec/events/pia_guideline
Federal Office for Security in Information technology - RFID PIA (only in
German)
https://www.bsi.bund.de/DE/Themen/ElektronischeAusweise/RadioFrequencyIdent…
EDRi-gram: EU supports RFID with proper protection of consumers' privacy
(20.05.2009)
http://www.edri.org/edri-gram/number7.10/rfid-european-commission-recommand…
EDRi-gram: RFID Privacy Impact Assessment Framework formally adopted
(06.04.2011)
http://www.edri.org/edrigram/number9.7/rfid-pia-adopted-eu
EDRi-gram: ENDitorial: RFID PIA: Check against delivery
http://www.edri.org/edrigram/number9.10/rfid-pia-check-against-delivery
European Commission Conference: 08.02.2012: Implementation of the RFID
Privacy Impact Assessment (PIA) Framework
Invitation:
http://ec.europa.eu/information_society/policy/rfid/documents/piaconference…
Programme:
http://ec.europa.eu/information_society/policy/rfid/documents/piaconference…
(Contribution by Andreas Krisch - EDRi)
============================================================
10. ENDitorial: Advocate General on Data Retention: Strange answer&question
============================================================
The Advocate General of the European Court of Justice recently issued an
opinion on the case of Bonnier Audio vs Perfect Communication Sweden (case
no. C-461/10). The question to be answered was whether data retention
Directive and/or articles 3, 4, 5 and 11 of the E-Privacy Directive prevent
Member States from permitting internet service providers in civil
proceedings to be ordered to give copyright holders information on
subscribers that allegedly infringed intellectual property rights, as
foreseen by Article 8 of the IPR Enforcement Directive. The
question partly seeks to answer itself, by explicitly demanding an
assumption that the measure is proportionate and that evidence of an
infringement has been "adduced".
The answer from the Advocate General is, "no", there is nothing in the Data
Retention Directive nor the E-Privacy Directive which would prevent a
national administration from imposing a measure requiring stored data to
be used to identify people within the scope of the IPR Enforcement
Directive. However, such information should be stored for the purpose of
possible disclosure to IPR holders, according to detailed national
provisions and compliant with EU law on data protection.
He bases this view on various elements. Firstly, regarding the Data
Retention Directive, he explains that this is not relevant in the context of
this specific case.
However, his views on the E-Privacy Directive are the most interesting and
difficult to comprehend. This analysis explains that Member States may
impose data retention for purposes outside the scope of the legal basis of
the Directives. This analysis was confirmed by the European Commission in a
declaration at the time of adoption of the Directive. As the Commission
explained in its position on the common position, "the present Directive
based on Article 95 of the Treaty cannot include substantive provisions on
law enforcement measures. It should neither prohibit nor approve any
particular measure Member States may deem necessary."
Article 15 of the E-Privacy Directive does explain that such an infringement
of the fundamental right to privacy must be adequately
justified - namely that any such measure be "necessary, appropriate and
proportionate measure within a democratic society to safeguard national
security (i.e. State security), defence, public security, and the
prevention, investigation, detection and prosecution of criminal offences or
of unauthorised use of the electronic communication system, as referred to
in Article 13(1) of Directive 95/46/EC." However, the Advocate General is
clear that the restrictions described in Article 15.1 of the E-Privacy
Directive must be respected for any data storage to be legal.
The Advocate General makes no effort to explain why such a measure would or
could be "necessary" as well as being proportionate (the question attempts
to preempt the court by explaining that proportionality is assumed). This is
surprising when we bear in mind the only position taken so far on long-term,
suspicionless retention of data on innocent citizens - the
Telefonica/Promusicae case. In that case, the Advocate General argued that
"(i)t may be doubted whether the storage of traffic data of all users
without any concrete suspicion - laying in a stock, as it were - is
compatible with fundamental rights." How did we move from a situation before
the adoption of the Charter of Fundamental Rights where an Advocate General
said that data retention per se is of questionable legality, to a position
now, under the Charter, where an Advocate General believes it is permissible
for narrow business interests - ignoring the fact that data retention was
explicitly implemented under the condition that it was for fighting "serious
crime"? Maybe the answer lies in the fact that the question demands that the
ECJ makes the very dubious assumption that the measure being imposed is
"proportionate".
Having ignored the part of the Telefonica/Promusicae case that highlighted
the serious dangers of data retention for fundamental rights, perhaps the
oddest interpretation is the one that relies on analysis in that case. The
Advocate General explains that, during the implementation of Directives in
national law, a fair balance of different fundamental rights must be
respected. This is odd because the case in question does not concern
implementation of EU Directives into national laws, it concerns the question
whether new, additional and unforeseen implementations of data retention are
forbidden by the relevant legislation or not.
Starting from this questionable logical basis, the Advocate General treats
private property "rights" of narrow business interests as fully equal to the
rights of citizens as a whole. While this is unfortunately, in abstract
terms, correct, he then fails to address the fact that, in specific terms,
it is not appropriate to treat narrow business interests as of equal value
as the privacy of the entire society. This position has, thankfully, already
been contradicted by the Court in last week's Scarlet/Sabam case, where the
judges ruled that "The protection of the right to intellectual property is
indeed enshrined in Article 17(2) of the Charter of Fundamental Rights of
the European Union. There is, however, nothing whatsoever in the wording of
that provision or in the Court's case-law to suggest that that right is
inviolable and must for that reason be absolutely protected."
However, the ultimate conclusion that the Advocate General comes to is
probably the only possible one as a result of the very leading way in which
the question was posed. Having been asked to assume that any such measure
was proportionate (and assuming that intellectual property breaches are
criminal offences), there is nothing in the Directives mentioned in the
question which would prevent a Member State from introducing a new law to
require data retention for intellectual property enforcement purposes - as
long as the minimum criteria set out in the E-Privacy Directive are
respected.
It is to be hoped that the Court will not restrict itself to the very
questionable assumption of proportionality and address necessity and
proportionality as well. If it does, the result should be quite different,
as Advocate General Kokott already pointed out in the Telefonica/Promusicae
case.
Commission Declaration
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52002PC0338:EN:…
Data Retention Directive
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:00…
E-Privacy Directive
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:N…
ECJ Cases:
Telefonica/Promusicae: Case C-275/06
Scarlet/Sabam: Case C-70/10
Bonnier Audio/Perfect Communications: Case: 461/10
all accessible at
http://curia.europa.eu/jcms/jcms/j_6/
(Contribution by Joe McNamee - EDRi)
============================================================
11. Recommended Action
============================================================
Stop ACTA!
http://www.edri.org/stopacta
============================================================
12. Recommended Reading
============================================================
EDPS calls for strengthening of proposed Regulation on the Internal Market
Information System (22.11.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/…
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consu…
Sweden: Net Neutrality: Mobile Broadband Suppliers Discriminate Against
BitTorrent (22.11.2011)
http://torrentfreak.com/net-neutrality-mobile-broadband-suppliers-discrimin…
http://www.iis.se/docs/N%C3%A4tneutralitet2011.pdf
Data losses from local authorities in UK (23.11.2011)
http://www.bigbrotherwatch.org.uk/home/2011/11/local-authority-data-loss-ex…
http://bigbrotherwatch.org.uk/la-data-loss-breakdown.pdf
============================================================
13. Agenda
============================================================
7 December 2011, Bruxelles, Belgium
"Self"-regulation: Should online companies police the Internet?
http://selfregulation.tumblr.com/
9 December 2011, The Hague, Amsterdam
Conference on internet freedom hosted by the Dutch Ministry of Foreign
Affairs
http://www.minbuza.nl/en/ministry/conference-on-internet-freedom/internetfr…
27-30 December 2011, Berlin, Germany
28C3 - 28th Chaos Communication Congress
http://events.ccc.de/category/28c3/
http://events.ccc.de/congress/2011/
25-27 January 2012, Brussels, Belgium
Computers, Privacy and Data Protection 2012
http://www.cpdpconferences.org/
16-18 April 2012, Cambridge, UK
Cambridge 2012: Innovation and Impact - Openly Collaborating to Enhance
Education
OER12 and the OCW Consortium's Global Conference
http://conference.ocwconsortium.org/index.php/2012/uk
14-15 June 2012, Stockholm, Sweden
EuroDIG 2012
http://www.eurodig.org/
9-10 July 2012, Barcelona, Spain
8th International Conference on Internet Law & Politics: Challenges and
Opportunities of Online Entertainment
Abstracts deadline: 20 December 2011
http://edcp.uoc.edu/symposia/idp2012/cfp/?lang=en
============================================================
14. About
============================================================
EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 28 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRi-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and are visible on
the EDRi website.
This EDRi-gram has been published with financial support from the EU's
Fundamental Rights and Citizenship Programme.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
http://flattr.com/thing/417077/edri-on-Flattr
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
I'm definitely /not/ an ECC expert, but this is a pairing-friendly curve, which means it's vulnerable to a type of attack where EC group elements can be mapped into a field (using a bilinear map), then attacked using an efficient field-based solver. (Coppersmith's).
NIST curves don't have this property. In fact, they're specifically chosen so that there's no efficiently-computable pairing.
Moreover, it seems that this particular pairing-friendly curve is particularly tractable. The attack they used has an estimated running time of 2^53 steps. While the 'steps' here aren't directly analogous to the operations you'd use to brute-force a symmetric cryptosystem, it gives a rough estimate of the symmetric-equivalent key size.
(Apologies to any real ECC experts whose work I've mangled here... :)
Matt
On Jun 20, 2012, at 10:59 AM, Charles Morris wrote:
> "NIST guidelines state that ECC keys should be twice the length of
> equivalent strength symmetric key algorithms."
> So according to NIST solving a 923b ECC is like brute-forcing a 461b
> bit symmetric key (I assume in a perfect cipher?).
>
> Of course there are weak keys in almost any system e.g. badly
> implemented RSA picking p=q
>
> I wonder if a weak-key scenario has occurred, or if this is a genuine
> generalized mathematical advance?
> Comments from ECC experts?
_______________________________________________
cryptography mailing list
cryptography(a)randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
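The parameter check implied by the post above, as an added example that is not part of the original thread or of the research it discusses: the embedding degree k is the smallest k for which the group order divides q^k - 1, and a small k means discrete logs on the curve can be moved into the field F_(q^k). Assumptions: the toy curve over F_59 is constructed for illustration; the characteristic-3 group order is an assumed value for a supersingular curve over F_(3^97), chosen because its degree-6 extension field is 923 bits long; the P-256 constants are the published NIST values.

```python
"""Embedding-degree (MOV condition) check for elliptic-curve parameters."""


def embedding_degree(q, n, bound=100):
    """Return the smallest k in 1..bound with q**k == 1 (mod n), else None.

    q is the size of the base field, n the order of the group being used.
    None means no pairing into F_(q^k) exists for any k up to the bound,
    which is the condition curve-validation procedures test for.
    """
    acc = 1
    for k in range(1, bound + 1):
        acc = (acc * q) % n
        if acc == 1:
            return k
    return None


def count_points(p, a, b):
    """Brute-force #E(F_p) for y^2 = x^3 + a*x + b, infinity included.

    Only usable for tiny p; here it confirms the toy curve's group order.
    """
    square_roots = {}
    for y in range(p):
        s = y * y % p
        square_roots[s] = square_roots.get(s, 0) + 1
    affine = sum(square_roots.get((x ** 3 + a * x + b) % p, 0) for x in range(p))
    return affine + 1


def assess(q, n, bound=100):
    """Return (k, bits): embedding degree and bit length of q**k.

    bits is the size of the finite field in which an attacker would solve
    the discrete log after applying the pairing. (None, None) means the
    curve passed the check up to the bound.
    """
    k = embedding_degree(q, n, bound)
    if k is None:
        return (None, None)
    return (k, (q ** k).bit_length())


# Constructed toy case: y^2 = x^3 + x over F_59 (59 = 3 mod 4) is
# supersingular, has 59 + 1 = 60 points and a subgroup of prime order 5.
TOY_P, TOY_A, TOY_B, TOY_R = 59, 1, 0, 5

# Assumed parameters for a supersingular curve over F_(3^97): group order
# 3^97 + 3^49 + 1. The full order is used as the modulus; the embedding
# degree of any prime-order subgroup divides the value found here.
CHAR3_Q = 3 ** 97
CHAR3_N = 3 ** 97 + 3 ** 49 + 1

# NIST P-256 field prime and group order (published values).
P256_P = 2 ** 256 - 2 ** 224 + 2 ** 192 + 2 ** 96 - 1
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


if __name__ == "__main__":
    print("toy curve points:", count_points(TOY_P, TOY_A, TOY_B))
    for name, q, n in [
        ("toy supersingular", TOY_P, TOY_R),
        ("char-3 supersingular", CHAR3_Q, CHAR3_N),
        ("NIST P-256", P256_P, P256_N),
    ]:
        k, bits = assess(q, n)
        if k is None:
            print(f"{name}: no embedding degree <= 100")
        else:
            print(f"{name}: k = {k}, target field is {bits} bits")
```
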
============================================================
EDRI-gram
biweekly newsletter about digital civil rights in Europe
Number 6.13, 2 July 2008
============================================================
Contents
============================================================
1. Control on Internet users pushed through the new Telecom package
2. France promotes the three-strike scheme in Europe
3. The US-EU agreement on personal data exchange by law enforcement
4. ePrivacy Directive debated in the EP's Civil Liberties Committee
5. ECJ first hearing on data retention case
6. ICANN supports custom domains and discusses whois privacy issues
7. German Protests in over 30 cities against surveillance
8. ENDitorial: Sweden is listening to all internet and phone conversations
9. Recommended Action
10. Recommended Reading
11. Agenda
12. About
============================================================
1. Control on Internet users pushed with the new telecom package
============================================================
An appeal from three European NGOs - La Quadrature du Net, netzpolitik.org
and EDRi-member Open Rights Group - reveals some disturbing MEP amendments
to the draft directives to reform the EU framework on electronic
communications (telecom package).
The review of the telecom package was merely focusing on telecom-related
issues (except for discussions on the ePrivacy directive, which is the
subject of another EDRi-gram article in the current issue), but some of
the 800 amendments on the 5 directives that form the current package might
go further than just establishing the rules for a functioning electronic
communications market and could endanger the principle of the neutrality of
the Internet.
Some amendments will transform the ISPs from technical intermediaries that
have no obligation to prior surveillance of contents into law enforcers.
Therefore they might be asked to block their users from lawful activities in
the interests of their security or to work with content producers and
rights-holders' organizations, including sending intimidating messages, with
no judicial approval. The amendment meant to support Intellectual Property
Rights owners could open the door to censorship and might mean in practice
the loss of privacy on the Internet.
"The politicians who engage in these summer manoeuvres dishonour Europe and
their mandate. They rely on the fact that nobody watches them a few days
before Parliamentary holiday, to divert the Telecom package from its primary
objectives of consumer protection. They pave the way for the monitoring and
filtering of the Internet by private companies, exceptional courts and
Orwellian technical measures. It is inconceivable for freedom but also for
European economic development. We call on all MEPs to oppose what they have
already rejected." said Christophe Espern, co-founder of La Quadrature du
Net (Squaring the Net).
The appeal of the three organisations comes just before the 7 July vote in
the ITRE and IMCO Committees of the European Parliament on the suggested
amendments to the telecom package. The plenary discussion and vote for the
whole package will take place in September, but the vote in the two
committees could have a significant impact on the final result.
Mobilization Package Telecom (in English, German and French)
http://www.laquadrature.net/wiki/Mobilisation_Paquet-Telecom
Telecom Package warning document for IMCO/ITRE vote (30.06.2008)
http://www.laquadrature.net/files/note-IMCO-ITRE-quadrature-20080630.pdf
The commented amendments in HTML format
http://www.laquadrature.net/wiki/Telecom-Package_Compromise-Amendments_ITRE…
Participate: Europe-wide action against the telecom package (only in German,
1.07.2008)
http://netzpolitik.org/2008/mitmachen-europaweite-aktion-gegen-das-telekom-…
Write to your MEP: say no to "3 strikes" through the backdoor (2.07.2008)
http://www.openrightsgroup.org/2008/07/02/write-to-your-mep-say-no-to-3-str…
============================================================
2. France promotes the three-strike scheme in Europe
============================================================
With France taking over the presidency of the European Union on 1 July 2008,
the French Minister of Culture, Christine Albanel, wants to get a consensus
in the fight against p2p downloading by translating the French model to the
entire Europe.
Christine Albanel presented on 19 June to the French Council of Ministers her
proposal for the controversial Internet and Creation law, initiated first by
Denis Olivennes, former CEO of Fnac, designed to fight online piracy, mainly
through the implementation of the so-called "three-strikes" scheme. A
newly-created independent authority, entitled HADOPI (Haute Autorité pour la
diffusion des oeuvres et la protection des droits sur Internet), is to be
responsible for issuing warnings and potentially cutting Internet
subscriptions in cases of infringements.
At the request of rights holders, HADOPI will have the power to demand from
ISPs the identity of copyright-infringing computer users, followed
afterwards by a three-step process. A warning by email will be first sent,
and in case the infringements persist, the warning will be sent by a
registered letter. For the third infringement, HADOPI will be entitled to
cut the Internet access of the user for three to 12 months. This period
may be shortened to one to three months if the infringer commits to stop the
alleged illicit downloading.
The law has been approved by the French Government and it will be debated in
the two chambers of the Parliament. Despite Albanel's confidence in the
draft law and her determination to make it pass, the law is facing a large
range of opposition starting with the European Parliament, CNIL, ISOC,
reservations from the State Council, ARCEP and ending with criticism from
parliamentarians, public opinion, access suppliers and press.
Having this in view, it seems SACEM (Société des auteurs, compositeurs et
éditeurs de musique) is already thinking of an alternative. As stated by
Bernard Miyet, President of SACEM board of directors, the organisation is
not thinking of a global licence but of a contribution from the ISPs. "When
you are a cable distributor such as Numericable and you transport
programmes, you pay royalties. When you are a satellite platform, it is the
same. On the Internet side, the ISPs have succeeded in avoiding any legal or
financial responsibility or, it is well known, that they created all their
development on music" he said.
There is no discussion however of balancing the fee for the ISPs with a new
right for the Internet users as in the case of the global licence that would
allow Internet users to download music and make it available free for
everybody. The global licence would also increase the revenues of the music
creators and artists but not those of the music distributors or recording
companies who are afraid of losing control and therefore part of the
market.
While in France the HADOPI law is under dispute and although the European
Parliament has initially opposed the French model, it seems the European
Commission has in view to adopt a recommendation that would approve the
gradual type of reaction to illicit downloading.
Gradual response: France proposes its model to the European homologues (only
in French, 24.06.2008)
http://www.zdnet.fr/actualites/internet/0,39020774,39381916,00.htm
Hadopi project: return to the expectations and forces in presence (only in
French, 23.06.2008)
http://www.zdnet.fr/actualites/internet/0,39020774,39381902,00.htm
Gradual response : Sacem already has a plan B (only in French, 30.06.2008)
http://www.numerama.com/magazine/10119-Riposte-gradue-la-Sacem-a-dj-un-plan…
============================================================
3. The US-EU agreement on personal data exchange by law enforcement
============================================================
As stated by the New York Times on 26 June 2008, the United States and the
European Union are close to concluding an agreement allowing the exchange of
personal data of their citizens, including credit card information, travel
history and Internet browsing information in order to be shared with the law
enforcement and security agencies.
According to an internal report revealed by the newspaper, the potential
agreement that has been negotiated since February 2007 between the US
Department of Homeland Security (DHS), the Justice and State departments and
their European counterparts will make clear that it is lawful for European
governments and companies to transfer personal information to the United
States, and vice versa.
One of the issues still to be solved is that of whether European citizens
should be able to sue the United States government in case it violates data
privacy rules or, on the basis of incorrect personal information, it takes
an adverse action against them such as denying them entry into the country
or placing them on a no-fly list. The European law generally gives citizens
the possibility to file a case and ask for damages from the governments and
so does the US Privacy Act of 1974, which however does not extend to foreigners.
The US officials are reluctant to accept it and try to convince the EU that
there are other possibilities to correct such cases like asking an agency to
correct the misinformation through administrative procedures. The European
Union still insists on its position that its citizens should have "the
ability to bring suit in U.S. courts specifically under the Privacy Act for
an agreement to be reached on redress". Such a concession would mean for the
US administration to create new legislation which they are trying to avoid.
Some privacy rights advocates in Europe have warned of certain issues of
concern. The two negotiating parties have agreed that information related
to race, religion, political opinion, health or "sexual life" may not be
used by a government "unless domestic law provides appropriate safeguards."
However, the agreement does not specify what an appropriate safeguard should
be, leaving the decision to each government.
"I am very worried that once this will be adopted, it will serve as a
pretext to freely share our personal data with anyone, so I want it to be
very clear about exactly what it means and how it will work," said MEP
Sophia in 't Veld.
The negotiators are trying to agree on minimum standards for privacy rights
protection. The European law establishes independent government agencies to
check whether personal data is being used lawfully and to assist citizens
concerned about invasions of their privacy. As the United States has no such
independent agency the Europeans have agreed, as a concession, that the
American government's internal oversight system should be able to account
for the use of Europeans' data.
US officials say they would like to resolve the problem before the end of
the Bush administration in January 2009. The European Parliament will have the
power to ratify any agreements between US and Member States. If the agreement
does not require legislative action, Mr. Bush could complete it. It appears
that the Europeans would like to wait until 2009 but the finalisation
process might be delayed as Irish voters rejected it in a referendum this
month.
In March, the United States and Germany concluded a bilateral deal
facilitating the automatic exchange of data on suspected terrorists, that
might be taken as a model for similar accords between the US and other
European countries, applied to a wide-ranging exchange of information,
including the fingerprints and DNA of suspects. A similar deal was made
between Hungary and the US in June 2008, and it was considered as a big step in
the Memorandum between the two countries that strives for the Hungarian
membership in the Visa Waiver Program. The Hungarian-US agreement was
published in the Hungarian Official Gazette on 20 June.
U.S. and Europe Near Agreement on Private Data (28.06.2008)
http://www.nytimes.com/2008/06/28/washington/28privacy.html
US-EU private data sharing agreement at hand: report (29.06.2008)
http://www.physorg.com/news133928961.html
Report: US, EU Near Agreement on Personal Data Exchange (28.06.2008)
http://www.dw-world.de/dw/article/0,2144,3445491,00.html
FBI ready to demand detailed logs of Britons' internet and travel habits
(29.06.2008)
http://www.guardian.co.uk/technology/2008/jun/29/privacy.internet
============================================================
4. ePrivacy Directive debated in the EP's Civil Liberties Committee
============================================================
On 25 June 2008, the European Parliament's Standing Committee on Civil
Liberties, Justice and Home Affairs asked for measures to correct the
European Commission's proposal to amend the Directive on Privacy and
Electronic Communications (called ePrivacy Directive).
"We have introduced a few points directed towards better consumer protection
and manageability" in order to "improve data protection overall and bring it
in line with the changed situation" stated Rapporteur for the project MEP
Alexander Alvaro (FDP).
Peter Hustinx, the European Data Protection Supervisor (EDPS), adopted, on
14 April, an Opinion on the European Commission's proposal amending, among
others, the ePrivacy Directive. The EDPS basically supported the EC proposal
giving a few recommendations such as the obligation to notify any breach of
security not only from providers of public electronic communication services
in public networks but also from providers of information society services
which process sensitive personal data.
What the MEPs are now asking for is a procedure to inform users, in case of
security breaches at service providers and a better protection from
surveillance. For the measures requiring providers of electronic services to
inform users of breaches of data protection, the MEPs intend to involve an
intermediary body. The companies will inform national telecommunications
regulators or other "competent authorities" on "serious" security breaches
of personal data and the regulatory bodies will decide if consumers need to
be rapidly informed. The companies might also be asked to report the
occurrence of security problems in their annual reports.
One of the aspects that was largely debated within the Committee was
related to the collection of personal data such as IP addresses, a
compromise being reached in the end considering that an online identity
should be specifically considered as an item of personal information needing
special protection when it is related to an individual in combination with
other information. The EP Committee asked the European Commission to submit,
in consultation with EU data protection officials, within the next two
years, specific draft legislation for treating IP addresses as personal
data.
Alvaro's proposal to apply the provision allowing member states to enact
their own legislation to relax protection of connection and location data
for public security and the prevention, detection and prosecution of
criminal acts or illegal use of electronic communications systems, to cases
when ownership rights are infringed, failed as concerns have been expressed
by data protection officials, such as German data protection commissioner
Peter Schaar.
However Alvaro succeeded in passing several other proposals such as the
future application of the directive to publicly accessible private
telecommunications networks including university networks or social networks
such as StudiVZ or Facebook. Companies offering applications attempting to
access personal data on hard drives, or other IT systems, such as USB flash
drives, will have to get the user's consent beforehand on the basis of the
opt-in principle. Alvaro drew attention to the fact that a user setting his browser
to accept cookies would be considered to give consent to data collection.
However, according to the directive, in the future, cookies for storing user
data using the Flash multimedia application will require separate consent.
According to Alvaro, the amendments proposed by the Standing Committee on
Civil Liberties, Justice and Home Affairs will be incorporated into the
report of the Internal Market and Consumer Protection committee, primarily
responsible for the telecommunications package. The entire package for
regulating telecommunications companies and ISPs will be voted in
September after a first reading at a plenary session. The European Council
will be then required to submit comments.
During its 66th plenary session that took place in Brussels between 24-25
June, the Article 29 Working Party expressed its opinion on the review of
the E-privacy Directive fully supporting "the proposed strengthening of
Article 4 'Security' by requiring providers of publicly available
communication services to notify security breaches, and underlines the
importance of informing all persons concerned when their personal data have
been compromised or are at risk of being compromised."
However, the Working Party 29 considers there are issues that still need to
be covered such as the need to extend the scope of the obligation to notify
security breaches to the providers of information society services as well
as the scope of the recipients of the notification to include all persons
concerned rather than only the "subscribers".
MEPs adopt draft "e-privacy directive" reforms (27.06.2008)
http://www.heise.de/english/newsticker/news/110110
Press Release - Article 29 Working Party (26.06.2008)
http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_30_06_08_en.pdf
EDRIgram - EDPS endorses data breach notification provision in ePrivacy
Directive (23.04.2008)
http://www.edri.org/edrigram/number6.8/edps-data-breach-notification
============================================================
5. ECJ first hearing on data retention case
============================================================
On 1 June 2008, the first hearing by the European Court of Justice (ECJ) on
Ireland's action for the annulment of the directive on data retention took
place in Luxembourg.
Ireland, later on joined by Slovakia, filed an action with ECJ against the
European Council and Parliament in July 2006 for the annulment of Directive
2006/24/EC for data retention claiming an incorrect legal basis. The action
has been largely supported by various bodies and private advocates ever
since but despite the strong opposition, the European Parliament made a
compromise and adopted the directive on 14 December 2007.
Unfortunately, the legal basis of the data retention directive is supported
not only by the European Parliament and Council, but also by the Commission,
Spain, Netherlands and EDPS, Peter Hustinx. The latter argues that Art 95 EC
Treaty, the legal base used, is appropriate as the retained data would not
otherwise fall under the EU Privacy Directives. Also Hustinx did not mention
any aspects regarding the data retention directive's infringement of
human rights.
EDRi-member Joris van Hoboken commented on this situation: "These reasons
are pragmatic and without doubt EDPS argued similarly when the Council was
still pursuing a Framework Decision in the Third Pillar. The reasons why the
European Parliament wanted to have data retention in the First Pillar was
because they wanted to have a co-decision procedure, in which they have more
powers."
However Slovakia also questioned if the present directive does not breach
the rights of the individuals with respect to their personal data. It is not
clear if the court will take into consideration the breach of privacy by the
directive, since the subject was not brought up by the main plaintiff.
Civil liberties campaigners: Communications Data Retention will be stopped
(30.06.2008)
http://www.vorratsdatenspeicherung.de/content/view/236/79/lang,en/
European Court of Justice in negotiations on retention of telecommunications
data (only in German, 1.07.2008)
http://www.heise.de/newsticker/Europaeischer-Gerichtshof-verhandelt-ueber-V…
Hearing of European Court of Justice on Data Retention Directive (1.07.2008)
http://www.jorisvanhoboken.nl/?p=167
EDRIgram - European parliament adopts data retention directive (18.01.2006)
http://www.edri.org/edrigram/number4.1/dataretention
============================================================
6. ICANN supports custom domains and discusses whois privacy issues
============================================================
During its 32nd International Public Meeting in Paris of 22-26 June, the
Internet Corporation for Assigned Names and Numbers (ICANN) approved the
proposal to expand the world's Domain Name System.
Dr Paul Twomey, ICANN's president and CEO, said in a statement: "The Board
today accepted a recommendation from its global stakeholders that it is
possible to implement many new names to the Internet, paving the way for an
expansion of domain name choice and opportunity. (...) The potential here is
huge. It represents a whole new way for people to express themselves on the
Net. It's a massive increase in the 'real estate' of the Internet."
"This was an extremely successful meeting that will be remembered as a
milestone in the development of the Internet. (...) New generic Top Level
Domains and Internationalized Domain Names (IDNs) will open up the Internet
and make it look as diverse as the people who use it," said Peter Dengate
Thrush, ICANN's Board Chairman.
Presently, users have only a limited range of 21 top-level domains (TLDs) to
choose from, such as .com, .org or .info. ICANN authorises the launch of
every new TLD, the launch being made by an ICANN-approved registry and the
domain names being sold by registrars. With the new proposal, applicants for
new TLDs can select their domain name themselves and operate as a registry
and they can use the names for their own purposes or offer them for sale to
third parties through registrars. Applicants from anywhere in the world will
have a "limited application period" and the applications will go through an
evaluation process, expected to last nine months. Although trade marks will
not be automatically reserved, owners will benefit from an objection-based
mechanism to consider their arguments for protection. Offensive names will
also be subject to an objection-based process "based on public morality and
order" as stated by ICANN.
A final version of the implementation plan must be approved by the ICANN
Board before the new process is launched. It is intended that the final
version will be published in early 2009 and applications for new names are
planned to be available in the second quarter of 2009.
On the same occasion, at a meeting before the private network administration
session, Suzanne Sene, a US government representative, said the Governmental
Advisory Committee (GAC) wanted ICANN to organize new studies of the use and
misuse of Whois data about the owners of Internet domains and pay for these
studies. There is no common agreement yet on a Whois model, the debate
between rights holders and the data-protection authorities having lasted
long on providing more security for the Whois databases which list the
owners of domains.
Representatives of US crime-fighting authorities as well as some European
counterparts have frequently expressed the opinion that access to Whois
data should be granted to those having a "justified interest" claiming that
online spammers or swindlers could be investigated properly only by a
completely free access to the databases, without the knowledge of the
parties involved and without a court order. As a result, many proxy servers,
whose data are recorded in Whois instead of those of clients, appeared in the US.
Following the introduction of some barriers to the publication of extensive
information about domain owners, the British Nominet gives private users an
opt-out to remove their personal data from the publicly accessible Whois
database. And after many debates, EU registrars registering generic TLDs
such as .info and .com benefit from derogation from the ICANN regulations by
submitting a clear request on the part of their own authorities, which
however, has not been achieved yet.
Internet administrators in dispute over data protection for domain owners
(24.06.2008)
http://www.heise.de/english/newsticker/news/109882
ICANN backs custom domains, gives brand-owners nightmares (27.06.2008)
http://www.out-law.com/page-9214
ICANN Concludes Successful 32nd Meeting in Paris (26.06.2008)
http://www.icann.org/en/announcements/announcement-3-26jun08-en.htm
Biggest Expansion in gTLDs Approved for Implementation (26.06.2008)
http://www.icann.org/en/announcements/announcement-4-26jun08-en.htm
============================================================
7. German Protests in over 30 cities against surveillance
============================================================
On 31 May 2008, privacy activists organized new rallies in more than 30
cities across Germany.
Following the November 2007 protests under the motto "Freedom not
Fear" ("Freiheit statt Angst"), thousands of citizens participated in this
year's street actions.
Numerous demonstrations, rallies, information events, as well as workshops
and art performances sent clear signals to protect constitutional rights and
limit the rampant proliferation of surveillance.
The rallies had the goal of demonstrating to the ruling grand coalition, a
decisive NO of citizens to the blanket collection and storage of data, as
well as to the surveillance of all details of daily life. The activities were
therefore supported by a multitude of notable organizations and allowed new
alliances to be formed in many cities. This underlined the growing force
developing behind the well connected movement, the work group stated.
According to the German Work Group on Data Retention (Arbeitskreis
Vorratsdatenspeicherung), the nationwide protests were a full success: "We
were able to use the numerous smaller and larger activities to raise
awareness in the population and win new supporters. The responses were
positive throughout," explained Ricardo Cristof Remmert-Fontes, one of the
organizers of the activities.
In Hamburg, Frankfurt (Main), and Munich, peaceful conventional rallies were
held which received a large turnout. In Munich, 2500 people additionally
demonstrated against the draft of a new law restricting the right of free
assembly.
In order to depict the loss of privacy, activists in Nuremberg reacted with
an art installation by erecting an entire living room in the city's
pedestrian zone. In Bonn, the installation "Transition to surveillance"
visualized current developments.
In Jena, over-sized surveillance cameras were set up, while in Berlin, a
host of talks, hands-on workshops and a preview of the art piece "Pigeon
Project" were presented.
The live-broadcast of events over radio, realized by a network of
independent radio broadcasters, also premiered on the day. The recordings
will be available for listening on the website of the German Work Group on
Data Retention.
In all cities where the work group is present with local dependencies
signatures were collected against the planned "BKA law" (Federal Criminal
Police Office law). The petition was signed online by more than 10 000
people by 1 July.
The German Work Group on Data Retention is now preparing multiple
Europe-wide campaigns which will culminate in mass protests on 11 October
across all of Europe. "This is just the beginning - we will continue!"
commented Michel Blumenstein during the Berlin activities of the work
group.
German Press Release from German Work Group on Data Retention (only in
German, 1.06.2008)
http://www.vorratsdatenspeicherung.de/content/view/227/1/lang,de/
The "Pigeon Project" - international artists of the Amsterdam Sandberg
Institute
http://www.pigeonproject.net
Recordings of the independent radio station broadcasts (only in German,
31.05.2008)
http://wiki.vorratsdatenspeicherung.de/Radio
Petition against the BKA law (Federal Criminal Police Office law) (only in
German)
http://www.bka-petition.de/
(contribution by German Work Group on Data Retention - Germany)
============================================================
8. ENDitorial: Sweden is listening to all internet and phone conversations
============================================================
In Denmark we already have Data Retention in place and the rest of
Europe will follow soon. That means that our own countries demand that
Internet companies and phone companies log who we phone, email with,
chat with, which websites we visit, etc. This is something that the
IT-Political Associations of Denmark (IT-Pol) fights against.
Sweden has now taken one more step towards the complete surveillance of
its citizens as well as citizens of the rest of the world.
The Swedish Parliament (Riksdagen) passed a law that instructs all
telephone and Internet operators to deliver a copy of all phone and
Internet communication crossing Swedish borders to the Swedish
intelligence service FRA. FRA will then use a big spying network and one
of the most powerful supercomputers in the world to investigate the
content of this communication.
For a phone or Internet customer inside or outside Sweden, it is for all
practical purposes impossible to know if a phone call or Internet
connection crosses the Swedish border. For example, Denmark is located
next to Sweden, several big Swedish phone and Internet companies operate
in Denmark, and there are many high capacity sea cables between Denmark
and Sweden. Much of the traffic from Russia also passes Sweden and that
is probably one of the motivations for the law.
It is not possible to know beforehand whether e.g. an email or web-page
viewing will go through Sweden and after all you can never be sure that your
traffic did not go through Sweden. However, in some cases you can tell
if your traffic did go through Sweden. IT-Pol has investigated various
uses of the Internet and has discovered that for example Internet
traffic to the Ministry of Ecclesiastical Affairs goes through
Sweden. That means that the Swedish FRA intelligence will listen to
every email from Danes to a Danish priest. Computerworld Denmark wrote that
communication from the Danish intelligence also passes through Sweden.
IT-Pol believes that Internet users should not be subjected to such a
massive and systematic surveillance and bugging. There are probably many
intelligence organizations around the world that try to tap Internet
traffic. But in our part of the world it is exceptional that a
government requires all operators to deliver a copy of internet users'
private data to the intelligence service.
IT-Pol has twice contacted the Swedish Parliament. The letters (in
Danish) are available at itpol.dk.
This law has caused massive public opposition in Sweden and the vote
barely got passed in the Parliament.
It is important that citizens, politicians, and organizations outside of
Sweden also speak out and make it clear that this monitoring madness is
not acceptable.
Internet providers outside of Sweden can alleviate the effects of the
Swedish monitoring by not sending Internet traffic through Sweden unless
the recipient is in Sweden. Alternatively, they can encrypt all traffic
going through Sweden. Tolstrup from the Telecommunication Industries
Association in Denmark said in a statement to the Internet magazine
ComOn that FRA can require Danish operators to hand over encryption
keys. This is not obvious from the text of the FRA-law and IT-Pol is
still investigating if this is really true. We have asked some members
of the Swedish Parliament about it, but received no answer. If it is
true, it is an even more serious attack on the freedom of the users of
the Internet.
Content providers inside and outside of Sweden can encrypt their
content. On most webservers a simple change in the configuration will
enable SSL-encryption so that users of the website are protected against
the Swedish snooping, even if the content passes the Swedish border.
Users can also protect their privacy, even against FRA. They can use
encrypted IP telephony, they can use the TOR network to surf the Web, they
can send and receive their e-mail encrypted, etc.
IT-Pol has taken the initiative of the Polippix project, which provides a
live CD, enabling users to take advantage of these technologies. Polippix is
now an international project, translated into several languages and used in
many countries including Denmark, Germany, France, Thailand and Sweden.
IT-Political Association of Denmark
http://www.itpol.dk/presentation-of-it-pol
TOR Project
http://www.torproject.org
Polippix
http://www.polippix.org
'Yes' to surveillance law (18.06.2008)
http://www.thelocal.se/12534/20080618/
EDRi-gram: ENDitorial: A new "NSA FRAnchise" set up in Sweden? (4.06.2008)
http://www.edri.org/edrigram/number6.11/nsa-fra-sweden
(Contribution by Niels Elgaard Larsen - Chairman, IT-Political Association
of Denmark)
============================================================
9. Recommended Action
============================================================
The Commission has opened a public consultation by 31 July 2008 on age
verification, cross media rating & classification and online social
networking
The purpose of the public consultation is to gather the knowledge and views
of all relevant stakeholders (including public bodies, child safety and
consumer organisations, industry). The gathered information will be fed into
this year's Safer Internet Forum 2008, which will be dedicated to the above
mentioned topics.
http://ec.europa.eu/information_society/activities/sip/public_consultation/…
============================================================
10. Recommended Reading
============================================================
Article 29 Working Party - Opinion 2/2007 on information to passengers about
the transfer of PNR data to US authorities, Adopted on 15 February 2007 and
revised and updated on 24 June 2008
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp151_en.pdf
Kieran Poynter's Review of information security at HM Revenue and Customs
http://www.hm-treasury.gov.uk/media/0/1/poynter_review250608.pdf
Independent Police Complaints Commission report into loss of data at HMRC
http://www.ipcc.gov.uk/final_hmrc_report_25062008.pdf
Sir Gus O'Donnell's report on Data Handling Procedures in government
http://www.cabinetoffice.gov.uk/~/media/assets/www.cabinetoffice.gov.uk/csi…
Sir Edmund Burton's report into the Loss of MOD Personal Data
http://www.mod.uk/NR/rdonlyres/3E756D20-E762-4FC1-BAB0-08C68FDC2383/0/burto…
============================================================
11. Agenda
============================================================
7-8 July 2008, London, UK
Developing New Models Of Content Delivery Online & Innovative Strategies For
Effectively Tackling Copyright Infringement
http://www.isp-content-regulation.com/conference.agenda.asp
7-9 July 2008, Cambridge, UK
Privacy Laws & Business 21st Annual International Conference
http://www.privacylaws.com/templates/AnnualConferences.aspx?id=641
19-20 July 2008, Stockholm, Sweden
International Association for Media and Communication Research
pre-conference - Civil Rights in Mediatized Societies: Which data privacy
against whom and how ?
http://www.iamcr.org/content/view/301/1/
23-25 July 2008, Leuven, Belgium
The 8th Privacy Enhancing Technologies Symposium (PETS 2008)
http://petsymposium.org/2008/
8-10 September 2008, Geneva, Switzerland
The third annual Access to Knowledge Conference (A2K3)
http://isp.law.yale.edu/
22 September 2008, Istanbul, Turkey
Workshop on Applications of Private and Anonymous Communications
http://www.alpaca-workshop.org/
24-28 September 2008, Athens, Greece
World Summit on the Knowledge Society
http://www.open-knowledge-society.org/summit.htm
============================================================
12. About
============================================================
EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 28 members based or with offices in 17 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.
All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 2.0 License. See the full text at
http://creativecommons.org/licenses/by/2.0/
Newsletter editor: Bogdan Manolea <edrigram(a)edri.org>
Information about EDRI and its members:
http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request(a)edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request(a)edri.org
Subject: unsubscribe
- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php
- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/edrigram
- Help
Please ask <edrigram(a)edri.org> if you have any problems with subscribing or
unsubscribing
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
06 Jul '18
Here's what's happening right now (turn on CSPAN):
1. The House Judiciary committee approved the "PATRIOT Act" 36-0, with a
two-year expiration date for wiretapping:
http://www.politechbot.com/p-02614.html
2. The Senate voted last night 96-1 for the USA Act without Sen. Feingold's
privacy amendments:
http://www.politechbot.com/p-02651.html
3. The House Rules committee met early this morning to set a rule that
specified what bill would go to the floor:
http://www.house.gov/rules/107rule2975.htm
4. According to the speaker's office, the bill is the "base Senate text" of
the USA Act with five or six changes that Rep. Conyers had wanted. One of
those is that the wiretap sections expire in December 2004 -- unless the
president decides it is in the "national interest" to continue them, which
would expire them in December 2006.
4. The House voted 211-205 midday today (along party lines) on a
preliminary procedural step allowing the bill to be considered.
5. Now they're about to vote on the rule. The rule does not allow
amendments, just provides for an up-or-down vote on the USA Act v2.0. CSPAN
is carrying this debate.
5. When the House approves the USA Act v2.0 -- I say "when" because I think
it's very likely -- it'll be sent back to the Senate for approval. Because
the changes (besides the expiration date) are minor, the Senate may vote
for it unchanged and send it to the president, something Rep. Sensenbrenner
predicts will happen.
6. That means no conference committee is necessary.
7. You can find the USA Act v2.0 here:
http://www.house.gov/rules/sensen_028.pdf (525 KB)
http://www.well.com/user/declan/sep11/usa.act.v2.0.101201.pdf (a mirror site)
-Declan
-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
----- End forwarded message -----
The paper "Privacy, Economics, and Price Discrimination on the
Internet," to appear in the Proc. 5th International Conference
on eCommerce, is now available on my Web page. I thought it
might be of interest to you, and apologize for the spam if it
is not.
Best regards,
Andrew Odlyzko
full paper URL: http://www.dtc.umn.edu/~odlyzko/doc/privacy.economics.pdf
Privacy, Economics, and Price Discrimination
on the Internet
Andrew Odlyzko
Digital Technology Center
University of Minnesota
Minneapolis, Minnesota
odlyzko(a)umn.edu
http://www.dtc.umn.edu/~odlyzko
Abstract:
The rapid erosion of privacy poses numerous puzzles. Why is it occurring,
and why do people care about it? This paper proposes an explanation
for many of these puzzles in terms of the increasing importance of
price discrimination. Privacy appears to be declining largely in order
to facilitate differential pricing, which offers greater social and
economic gains than auctions or shopping agents. The thesis of this
paper is that what really motivates commercial organizations (even
though they often do not realize it clearly themselves) is the growing
incentive to price discriminate, coupled with the increasing ability
to price discriminate. It is the same incentive that has led to the
airline yield management system, with a complex and constantly changing
array of prices. It is also the same incentive that led railroads to
invent a variety of price and quality differentiation schemes in the
19th century. Privacy intrusions serve to provide the information that
allows sellers to determine buyers' willingness to pay. They also allow
monitoring of usage, to ensure that arbitrage is not used to bypass
discriminatory pricing.
Economically, price discrimination is usually regarded as desirable,
since it often increases the efficiency of the economy. That is why it
is frequently promoted by governments, either through explicit mandates
or through indirect means. On the other hand, price discrimination
often arouses strong opposition from the public.
There is no easy resolution to the conflict between sellers' incentives
to price discriminate and buyers' resistance to such measures.
The continuing tension between these two factors will have important
consequences for the nature of the economy. It will also determine
which technologies will be adopted widely. Governments will likely play
an increasing role in controlling pricing, although their roles will
continue to be ambiguous. Sellers are likely to rely to an even greater
extent on techniques such as bundling that will allow them to extract more
consumer surplus and also to conceal the extent of price discrimination.
Micropayments and auctions are likely to play a smaller role than is
often expected. In general, because of the strong conflicting influences,
privacy is likely to prove an intractable problem that will be prominent
on the public agenda for the foreseeable future.
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah(a)ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'