July 2018 - cypherpunks-legacy

Re: [serval-project-dev] Architecture questions
by Paul Gardner-Stephen 06 Jul '18

06 Jul '18

Hello, On Tue, Nov 29, 2011 at 1:31 AM, WenZhan Song <wenzhan.song(a)gmail.com> wrote: > We are new to Android and thank Paul help us to make Serval work on > our Android device LG GT540. It has been my pleasure to help. > We decide to try serval as a starting point to extend BATMAN mesh > network for 4D volcano tomography: > http://sensorweb.cs.gsu.edu/?q=VolcanoSRI. We do not necessarily need > VOIP functionality, but utilize Android device's computation and mesh > networking capability for collaborative sensing and computing. > > We are also looking for (1) documentation of Serval software > architecture - core serval team, please consider documentation as a > very important part to attract more people to particpate, as it has > significant impact on learning curve; Increasing the documentation is something that we are critically aware that we need to do, and we are working on this, but our available resources are limited. We would certainly welcome any assistance that people may be inclined to provide on this. For example, it would be great for people to choose a particular aspect of the Serval technology, e.g., DNA, and begin documenting it by examining the code, asking lots of questions and grabbing material from the wiki (which we apologise is being reinstalled this week). > (2) low-cost customized android > devices - replacing with high-gain wifi radio and accelerometer. So the Huawei IDEOS U8150/U8180 phones do have an accelerometer as I recall, and are certainly cheap, being as cheap as AUD$60. That just leaves the antenna gain, or more precisely, the maximum range between devices as the issue. Increasing the gain will only work to a limited extent, as that gain comes at the expense of omnidirectionality, and given that volcanoes are not generally flat (I forget which type of cone your volcano has), will present some difficulties to very directional links. My estimate is that you need about 9db gain if using ordinary wifi gear. As I recall, you are looking for ~500m range between nodes. WiFi typically does ~200m fine, but it can certainly do 500m in ideal conditions, such as when the Fresnel zones are clear, which can be achieved by mounting antennas on ~8m poles. Of course that is a problem if the antenna is in the phone and also is supposed to be measuring ground movement... So no immediate solution there using off the shelf equipment. It may be worth trying a few different models of phones to see if any have better wifi antennas than others. Otherwise, I guess you will have no choice but to make custom hardware of some sort, whether phone based, Arduino based or otherwise. Paul. > We > also look for MS/PhD research assistants or POSTDOC research > associates to work on VolcanoSRI project, if anyone in serval > community is interested to participate, we warmly welcome. > > If anyone has those related information, please provide and/or forward > to someone who might be interested. Thanks! > > WenZhan > http://sensorweb.cs.gsu.edu/~song/ > > On Mon, Nov 28, 2011 at 12:44 AM, Paul Gardner-Stephen > <paul(a)servalproject.org> wrote: >> Hello Ben, >> >> On Mon, Nov 28, 2011 at 12:30 PM, Ben Hughes <ben(a)benrhughes.com> wrote: >>> So getting DNA working on a non-mesh network would still be a useful >>> starting point? >> >> Absolutely that would be valuable. While you wait for a handset, you >> can try it out on windows machines, which will also be useful. >> >>> I should be able to keep DNA coupled loosely to the >>> routing layer, so we can swap other routing logic in in the future. I >>> haven't looked closely at the java source yet to see exactly how much >>> DNA relies on batman, but I'll keep messing around and see how I go. >> >> DNA doesn't depend on BATMAN at all -- it makes use of it if it is >> running to get a list of peers, but that is all. >> >>> I'm happy to document things as I find them, but it looks like the >>> wiki is in some sort of error state: >>> http://developer.servalproject.org/twiki/ >> >> Sorry about that, the wiki is getting re-installed while I type. >> Hopefully it should be back up in a day or two. >> >>> As an aside - I'm yet to get my hands on a WP7 handset - I'm keeping >>> an eye on ebay but if anyone sees one available relatively cheaply >>> please let me know. >> >> Will do. Sign up as a Nokia developer and you can get one of theirs >> half price, I think. >> >> Paul. >> >>> Cheers, >>> >>> Ben >>> >>> On Sun, Nov 27, 2011 at 10:40 PM, Paul Gardner-Stephen >>> <paul(a)servalproject.org> wrote: >>>> Hi Ben, >>>> >>>> A WP7 port is actually very useful. As Jeremy mentions, we can still >>>> do a pile of stuff, just sub-optimally in some cases. It also gives >>>> us greater traction, e.g., for partnering with a handset vendor to >>>> make a patched firmware that provides full support. >>>> >>>> Paul. >>>> >>>> On Sun, Nov 27, 2011 at 8:40 PM, Ben Hughes <ben(a)benrhughes.com> wrote: >>>>> Thanks Jeremy, that's helpful. >>>>> >>>>> I had just assumed that WP7 could connect to ad-hoc networks, but from >>>>> what I've been reading it looks like support is somewhere between very >>>>> flakey and non-existent. So that kinda kills the idea of any sort of >>>>> useful port, at least until MS fix it. >>>>> >>>>> I'm still interested in contributing to the project though so I guess >>>>> I'll take a look at the big tracker and see if there's anything I can >>>>> wrap my head around :) >>>>> >>>>> Ben >>>>> >>>>> On 27/11/2011, at 8:11 PM, Jeremy Lakeman <jeremy(a)servalproject.org> wrote: >>>>> >>>>>> Yes we currently default to using BATMAN to generate the route's >>>>>> between nodes on the network. We also support olsr as the underlying >>>>>> mesh routing protocol. And we can run our software with a network of >>>>>> just an access point and its clients, mainly to support clients that >>>>>> don't allow the right wifi modes for mesh networking. And longer term >>>>>> we intend to replace the mesh routing layer with our own protocol >>>>>> layer. >>>>>> >>>>>> Our long term goals also include removing the need for running a full >>>>>> blown asterisk installation, and SIP client, on a phone with >>>>>> effectively only one extension. This would also drastically reduce our >>>>>> installation size. >>>>>> >>>>>> The main pieces of work that will need to be done for any port as I see them; >>>>>> - see if we can connect to, or start, an adhoc wifi network. May be impossible. >>>>>> - compile and run dna for number -> network address resolution. >>>>>> - minimal VOIP server, perhaps with simplified network protocol, to >>>>>> handle in/out call state. Porting asterisk might work, but is >>>>>> overkill. >>>>>> - UI layer for user interaction, dialing, answering and configuration. >>>>>> >>>>>> On Sun, Nov 27, 2011 at 6:21 PM, Ben Hughes <ben(a)benrhughes.com> wrote: >>>>>>> This is my basic understanding of the Serval architecture, please let me >>>>>>> know if it's misguided: >>>>>>> >>>>>>> - BATMAN is the underlying protocol that is used to connect nodes on the >>>>>>> mesh >>>>>>> - DNA is a layer on top of batman that lets you use claimed numbers (and a >>>>>>> public/private key pair) to identify nodes on the batman mesh >>>>>>> - when you make a mesh call, DNA resolves the number to a batman ip, and >>>>>>> then attempts to establish a SIP connection (via asterix) to that address >>>>>>> >>>>>>> I know that there's more to it than that (social verification of claimed >>>>>>> numbers, bridging networks, DID etc) but is that basically correct? >>>>>>> >>>>>>> If so, batman seems as though it's a vital (and complex) component in the >>>>>>> stack. And from what I can tell, it seems pretty tied to *nix. >>>>>>> >>>>>>> If I'm looking to port DNA to WP7, do I first need to port batman? Or put >>>>>>> another way: is there any value in a batman-less DNA? >>>>>>> >>>>>>> Cheers, >>>>>>> >>>>>>> Ben >>>>>>> >>>>>>> -- >>>>>>> You received this message because you are subscribed to the Google Groups >>>>>>> "Serval Project Developers" group. >>>>>>> To post to this group, send email to >>>>>>> serval-project-developers(a)googlegroups.com. >>>>>>> To unsubscribe from this group, send email to >>>>>>> serval-project-developers+unsubscribe(a)googlegroups.com. >>>>>>> For more options, visit this group at >>>>>>> http://groups.google.com/group/serval-project-developers?hl=en. >>>>>>> >>>>>> >>>>>> -- >>>>>> You received this message because you are subscribed to the Google Groups "Serval Project Developers" group. >>>>>> To post to this group, send email to serval-project-developers(a)googlegroups.com. >>>>>> To unsubscribe from this group, send email to serval-project-developers+unsubscribe(a)googlegroups.com. >>>>>> For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en. >>>>>> >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google Groups "Serval Project Developers" group. >>>>> To post to this group, send email to serval-project-developers(a)googlegroups.com. >>>>> To unsubscribe from this group, send email to serval-project-developers+unsubscribe(a)googlegroups.com. >>>>> For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en. >>>>> >>>>> >>>> >>>> -- >>>> You received this message because you are subscribed to the Google Groups "Serval Project Developers" group. >>>> To post to this group, send email to serval-project-developers(a)googlegroups.com. >>>> To unsubscribe from this group, send email to serval-project-developers+unsubscribe(a)googlegroups.com. >>>> For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en. >>>> >>>> >>> >>> -- >>> You received this message because you are subscribed to the Google Groups "Serval Project Developers" group. >>> To post to this group, send email to serval-project-developers(a)googlegroups.com. >>> To unsubscribe from this group, send email to serval-project-developers+unsubscribe(a)googlegroups.com. >>> For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en. >>> >>> >> >> -- >> You received this message because you are subscribed to the Google Groups "Serval Project Developers" group. >> To post to this group, send email to serval-project-developers(a)googlegroups.com. >> To unsubscribe from this group, send email to serval-project-developers+unsubscribe(a)googlegroups.com. >> For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en. >> >> > > -- > You received this message because you are subscribed to the Google Groups "Serval Project Developers" group. > To post to this group, send email to serval-project-developers(a)googlegroups.com. > To unsubscribe from this group, send email to serval-project-developers+unsubscribe(a)googlegroups.com. > For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en. > > -- You received this message because you are subscribed to the Google Groups "Serval Project Developers" group. To post to this group, send email to serval-project-developers(a)googlegroups.com. To unsubscribe from this group, send email to serval-project-developers+unsubscribe(a)googlegroups.com. For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

US State Department extends FTO list to include Internet sites
by None 06 Jul '18

06 Jul '18

http://washingtontimes.com/national/20031010-112733-8086r.htm 4 Jewish Web sites deemed 'terrorist' By Jerry Seper THE WASHINGTON TIMES Four Internet Web sites operated by two extremist Jewish groups have been included by the State Department on its list of "foreign terrorist organizations" the first time the list has been extended to include Internet sites. The four Web sites are: www.newkach.org, www.Kahane.org, www.Kahane.net and www.Kahanetzadak.com, the department said in a notice in the Federal Register. They offer news, commentary and links to other sites of interest to followers of Meir Kahane. The impact of the listing was not immediately clear, since all four sites exist in cyberspace. The designation makes it illegal for persons in the United States to donate money or other material support to the Web sites. The three accessible sites yesterday included information on where contributions could be sent, what items could be donated and offered a number items for sale, including pendants and books.

1 0

Re: 4g hack
by Joakim Aronius 06 Jul '18

06 Jul '18

* Christopher Morrow (morrowc.lists(a)gmail.com) wrote: > On Thu, Aug 11, 2011 at 2:32 AM, Charles N Wyble > <charles(a)knownelement.com> wrote: > > http://seclists.org/fulldisclosure/2011/Aug/76 > > > > Wondering what folks think about this? If this was true then we just > > entered a whole new era of mass WAN exploitation. > > > > This isn't really all that new is it? haven't people been able to buy > 3g/pcs/etc antennae and such off ebay for a while and intercept > conversations/data/etc for a long time? GSM was 'hacked' (decrypted > via some rainbow tables) several years ago as well. > > If you ship it over the air and there isn't a reasonable encryption > scheme in place, don't you expect it to be seen? GSM and GPRS are vulnerable to MitM due to lack of two factor authentication etc. WCDMA (3G) and LTE (4G) should be safe as they have much better security. Not sure about 3GPP2 (CDMA) or WiMAX systems, perhaps early version of CDMA has similar problems as GSM. But saying that '4G' is vulnerable is a pretty broad statement as it consists of at least LTE and WiMAX, and some US operators also refer to their WCDMA HSPA as 4G. There is also a difference between 'the standard has security flaws' and 'the operator has deployed an insecure network' as operators might run their network with security features turned off. Anyway, the paranoid should turn of GSM and run WCDMA instead. /Joakim ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

Re: [serval-project-dev] Architecture questions
by Paul Gardner-Stephen 06 Jul '18

06 Jul '18

Hello, On Tue, Nov 29, 2011 at 1:31 AM, WenZhan Song <wenzhan.song(a)gmail.com> wrote: > We are new to Android and thank Paul help us to make Serval work on > our Android device LG GT540. It has been my pleasure to help. > We decide to try serval as a starting point to extend BATMAN mesh > network for 4D volcano tomography: > http://sensorweb.cs.gsu.edu/?q=VolcanoSRI. We do not necessarily need > VOIP functionality, but utilize Android device's computation and mesh > networking capability for collaborative sensing and computing. > > We are also looking for (1) documentation of Serval software > architecture - core serval team, please consider documentation as a > very important part to attract more people to particpate, as it has > significant impact on learning curve; Increasing the documentation is something that we are critically aware that we need to do, and we are working on this, but our available resources are limited. We would certainly welcome any assistance that people may be inclined to provide on this. For example, it would be great for people to choose a particular aspect of the Serval technology, e.g., DNA, and begin documenting it by examining the code, asking lots of questions and grabbing material from the wiki (which we apologise is being reinstalled this week). > (2) low-cost customized android > devices - replacing with high-gain wifi radio and accelerometer. So the Huawei IDEOS U8150/U8180 phones do have an accelerometer as I recall, and are certainly cheap, being as cheap as AUD$60. That just leaves the antenna gain, or more precisely, the maximum range between devices as the issue. Increasing the gain will only work to a limited extent, as that gain comes at the expense of omnidirectionality, and given that volcanoes are not generally flat (I forget which type of cone your volcano has), will present some difficulties to very directional links. My estimate is that you need about 9db gain if using ordinary wifi gear. As I recall, you are looking for ~500m range between nodes. WiFi typically does ~200m fine, but it can certainly do 500m in ideal conditions, such as when the Fresnel zones are clear, which can be achieved by mounting antennas on ~8m poles. Of course that is a problem if the antenna is in the phone and also is supposed to be measuring ground movement... So no immediate solution there using off the shelf equipment. It may be worth trying a few different models of phones to see if any have better wifi antennas than others. Otherwise, I guess you will have no choice but to make custom hardware of some sort, whether phone based, Arduino based or otherwise. Paul. > We > also look for MS/PhD research assistants or POSTDOC research > associates to work on VolcanoSRI project, if anyone in serval > community is interested to participate, we warmly welcome. > > If anyone has those related information, please provide and/or forward > to someone who might be interested. Thanks! > > WenZhan > http://sensorweb.cs.gsu.edu/~song/ > > On Mon, Nov 28, 2011 at 12:44 AM, Paul Gardner-Stephen > <paul(a)servalproject.org> wrote: >> Hello Ben, >> >> On Mon, Nov 28, 2011 at 12:30 PM, Ben Hughes <ben(a)benrhughes.com> wrote: >>> So getting DNA working on a non-mesh network would still be a useful >>> starting point? >> >> Absolutely that would be valuable. While you wait for a handset, you >> can try it out on windows machines, which will also be useful. >> >>> I should be able to keep DNA coupled loosely to the >>> routing layer, so we can swap other routing logic in in the future. I >>> haven't looked closely at the java source yet to see exactly how much >>> DNA relies on batman, but I'll keep messing around and see how I go. >> >> DNA doesn't depend on BATMAN at all -- it makes use of it if it is >> running to get a list of peers, but that is all. >> >>> I'm happy to document things as I find them, but it looks like the >>> wiki is in some sort of error state: >>> http://developer.servalproject.org/twiki/ >> >> Sorry about that, the wiki is getting re-installed while I type. >> Hopefully it should be back up in a day or two. >> >>> As an aside - I'm yet to get my hands on a WP7 handset - I'm keeping >>> an eye on ebay but if anyone sees one available relatively cheaply >>> please let me know. >> >> Will do. Sign up as a Nokia developer and you can get one of theirs >> half price, I think. >> >> Paul. >> >>> Cheers, >>> >>> Ben >>> >>> On Sun, Nov 27, 2011 at 10:40 PM, Paul Gardner-Stephen >>> <paul(a)servalproject.org> wrote: >>>> Hi Ben, >>>> >>>> A WP7 port is actually very useful. As Jeremy mentions, we can still >>>> do a pile of stuff, just sub-optimally in some cases. It also gives >>>> us greater traction, e.g., for partnering with a handset vendor to >>>> make a patched firmware that provides full support. >>>> >>>> Paul. >>>> >>>> On Sun, Nov 27, 2011 at 8:40 PM, Ben Hughes <ben(a)benrhughes.com> wrote: >>>>> Thanks Jeremy, that's helpful. >>>>> >>>>> I had just assumed that WP7 could connect to ad-hoc networks, but from >>>>> what I've been reading it looks like support is somewhere between very >>>>> flakey and non-existent. So that kinda kills the idea of any sort of >>>>> useful port, at least until MS fix it. >>>>> >>>>> I'm still interested in contributing to the project though so I guess >>>>> I'll take a look at the big tracker and see if there's anything I can >>>>> wrap my head around :) >>>>> >>>>> Ben >>>>> >>>>> On 27/11/2011, at 8:11 PM, Jeremy Lakeman <jeremy(a)servalproject.org> wrote: >>>>> >>>>>> Yes we currently default to using BATMAN to generate the route's >>>>>> between nodes on the network. We also support olsr as the underlying >>>>>> mesh routing protocol. And we can run our software with a network of >>>>>> just an access point and its clients, mainly to support clients that >>>>>> don't allow the right wifi modes for mesh networking. And longer term >>>>>> we intend to replace the mesh routing layer with our own protocol >>>>>> layer. >>>>>> >>>>>> Our long term goals also include removing the need for running a full >>>>>> blown asterisk installation, and SIP client, on a phone with >>>>>> effectively only one extension. This would also drastically reduce our >>>>>> installation size. >>>>>> >>>>>> The main pieces of work that will need to be done for any port as I see them; >>>>>> - see if we can connect to, or start, an adhoc wifi network. May be impossible. >>>>>> - compile and run dna for number -> network address resolution. >>>>>> - minimal VOIP server, perhaps with simplified network protocol, to >>>>>> handle in/out call state. Porting asterisk might work, but is >>>>>> overkill. >>>>>> - UI layer for user interaction, dialing, answering and configuration. >>>>>> >>>>>> On Sun, Nov 27, 2011 at 6:21 PM, Ben Hughes <ben(a)benrhughes.com> wrote: >>>>>>> This is my basic understanding of the Serval architecture, please let me >>>>>>> know if it's misguided: >>>>>>> >>>>>>> - BATMAN is the underlying protocol that is used to connect nodes on the >>>>>>> mesh >>>>>>> - DNA is a layer on top of batman that lets you use claimed numbers (and a >>>>>>> public/private key pair) to identify nodes on the batman mesh >>>>>>> - when you make a mesh call, DNA resolves the number to a batman ip, and >>>>>>> then attempts to establish a SIP connection (via asterix) to that address >>>>>>> >>>>>>> I know that there's more to it than that (social verification of claimed >>>>>>> numbers, bridging networks, DID etc) but is that basically correct? >>>>>>> >>>>>>> If so, batman seems as though it's a vital (and complex) component in the >>>>>>> stack. And from what I can tell, it seems pretty tied to *nix. >>>>>>> >>>>>>> If I'm looking to port DNA to WP7, do I first need to port batman? Or put >>>>>>> another way: is there any value in a batman-less DNA? >>>>>>> >>>>>>> Cheers, >>>>>>> >>>>>>> Ben >>>>>>> >>>>>>> -- >>>>>>> You received this message because you are subscribed to the Google Groups >>>>>>> "Serval Project Developers" group. >>>>>>> To post to this group, send email to >>>>>>> serval-project-developers(a)googlegroups.com. >>>>>>> To unsubscribe from this group, send email to >>>>>>> serval-project-developers+unsubscribe(a)googlegroups.com. >>>>>>> For more options, visit this group at >>>>>>> http://groups.google.com/group/serval-project-developers?hl=en. >>>>>>> >>>>>> >>>>>> -- >>>>>> You received this message because you are subscribed to the Google Groups "Serval Project Developers" group. >>>>>> To post to this group, send email to serval-project-developers(a)googlegroups.com. >>>>>> To unsubscribe from this group, send email to serval-project-developers+unsubscribe(a)googlegroups.com. >>>>>> For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en. >>>>>> >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google Groups "Serval Project Developers" group. >>>>> To post to this group, send email to serval-project-developers(a)googlegroups.com. >>>>> To unsubscribe from this group, send email to serval-project-developers+unsubscribe(a)googlegroups.com. >>>>> For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en. >>>>> >>>>> >>>> >>>> -- >>>> You received this message because you are subscribed to the Google Groups "Serval Project Developers" group. >>>> To post to this group, send email to serval-project-developers(a)googlegroups.com. >>>> To unsubscribe from this group, send email to serval-project-developers+unsubscribe(a)googlegroups.com. >>>> For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en. >>>> >>>> >>> >>> -- >>> You received this message because you are subscribed to the Google Groups "Serval Project Developers" group. >>> To post to this group, send email to serval-project-developers(a)googlegroups.com. >>> To unsubscribe from this group, send email to serval-project-developers+unsubscribe(a)googlegroups.com. >>> For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en. >>> >>> >> >> -- >> You received this message because you are subscribed to the Google Groups "Serval Project Developers" group. >> To post to this group, send email to serval-project-developers(a)googlegroups.com. >> To unsubscribe from this group, send email to serval-project-developers+unsubscribe(a)googlegroups.com. >> For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en. >> >> > > -- > You received this message because you are subscribed to the Google Groups "Serval Project Developers" group. > To post to this group, send email to serval-project-developers(a)googlegroups.com. > To unsubscribe from this group, send email to serval-project-developers+unsubscribe(a)googlegroups.com. > For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en. > > -- You received this message because you are subscribed to the Google Groups "Serval Project Developers" group. To post to this group, send email to serval-project-developers(a)googlegroups.com. To unsubscribe from this group, send email to serval-project-developers+unsubscribe(a)googlegroups.com. For more options, visit this group at http://groups.google.com/group/serval-project-developers?hl=en. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

Re: NYT covers China cyberthreat
by Steven Bellovin 06 Jul '18

06 Jul '18

On Feb 20, 2013, at 1:33 PM, valdis.kletnieks(a)vt.edu wrote: > On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said: >> boys and girls, all the cyber-capable countries are cyber-culpable. you >> can bet that they are all snooping and attacking eachother, the united >> states no less than the rest. news at eleven. > > The scary part is that so many things got hacked by a bunch of people > who made the totally noob mistake of launching all their attacks from > the same place.... This strongly suggests that it's not their A-team, for whatever value of "their" you prefer. (My favorite mistake was some of them updating their Facebook pages when their work took them outside the Great Firewall.) They just don't show much in the way of good operational security. Aside: A few years ago, a non-US friend of mine mentioned a conversation he'd had with a cyber guy from his own country's military. According to this guy, about 130 countries had active military cyberwarfare units. I don't suppose that the likes of Ruritania has one, but I think it's a safe assumption that more or less every first and second world country, and not a few third world ones are in the list. The claim here is not not that China is engaging in cyberespionage. That would go under the heading of "I'm shocked, shocked to find that there's spying going on here." Rather, the issue that's being raised is the target: commercial firms, rather than the usual military and government secrets. That is what the US is saying goes beyond the usual rules of the game. In fact, the US has blamed not just China but also Russia, France, and Israel (see http://www.israelnationalnews.com/News/News.aspx/165108 -- and note that that's an Israeli news site) for such activities. France was notorious for that in the 1990s; there were many press reports of bugged first class seats on Air France, for example. The term for what's going on is "cyberexploitation", as opposed to "cyberwar". The US has never come out against it in principle, though it never likes it when aimed at the US. (Every other nation feels the same way about its companies and networks, of course.) For a good analysis of the legal aspects, see http://www.lawfareblog.com/2011/08/what-is-the-government%E2%80%99s-strateg… --Steve Bellovin, https://www.cs.columbia.edu/~smb ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

EDRi-gram newsletter - Number 9.15, 27 July 2011
by EDRI-gram newsletter 06 Jul '18

06 Jul '18

============================================================ EDRi-gram biweekly newsletter about digital civil rights in Europe Number 9.15, 27 July 2011 ============================================================ Contents ============================================================ 1. Draft Council conclusions on Net Neutrality 2. EU countries to explain lack of implementation of the Telecoms Package 3. Germany's salaries database bites the dust 4. Slovakia: Court asks website to filter public procurement open data 5. Voluntary agreements on blocking are interfering with human rights 6. Belgium: Francophone press goes out and back in Google Search 7. Britain: Government reneges on DNA privacy promise 8. ENDitorial: Phone hacking and self regulation 9. Recommended Action 10. Recommended Reading 11. Agenda 12. About ============================================================ 1. Draft Council conclusions on Net Neutrality ============================================================ On 15 July 2011, the Council (of the EU Member States) published Draft "Conclusions" (a policy statement) on Net Neutrality. In the document, the Council underlined the need to preserve the open and neutral character of the Internet and established net neutrality as "a policy objective." While this seems - and is - positive at first reading, the document also refers to "affordable and secure high bandwidth communications and rich and diverse content and services" as "an important policy objective" - apparently establishing net neutrality as a somewhat secondary priority. In summary, therefore, the Council indicates its willingness to embrace the concept of "net neutrality" in further regulatory activities without being entirely clear on what status this "policy objective" has in the hierarchy of its communications policy. Nonetheless, the importance of net neutrality for the economy is spelled out in some detail, with the document pointing to the fundamental role of telecommunications and broadband development for investment, job creation and economic recovery. The document points to "the need to maintain the openness of Internet while ensuring that it can continue to provide high-quality services in a framework that promotes and respects fundamental rights such as freedom of expression and freedom to conduct business." This appears to diverge very positively from more extremist and populist views expressed recently about "civilising" the Internet and, in the US environment, experimenting with the fundamental building blocks of the Internet in order to protect the perceived needs of a narrow range of stakeholders. The draft Conclusions take a further step away from this approach when it refers to "the importance of ensuring that users can create, distribute and access content and services of their choice," moving away from the implicit support for policing of content by Internet intermediaries in the OECD Communiqui on Principles for Internet Policy-Making which made repeated references to the right to access "legitimate" content and "legitimate" sharing of information. The biggest challenge facing the Council when seeking to defend this positive approach is the range of demands for Internet intermediaries to interfere with traffic to protect narrow vested interests such as intellectual property owners and the willingness of certain intermediaries to "voluntarily" engage in such interferences as an underhand means of "normalising" interferences by access providers in citizens' communications. It will be increasingly difficult for Member States (as indeed it is already beginning to be the case for the European Commission) to demand that Internet intermediaries meddle with citizens' communications for the perceived benefit of certain vested interests and, simultaneously, demand that the same intermediaries not meddle with citizens' communications for their own business interests. Draft Council conclusions on Net Neutrality (15.07.2011) http://register.consilium.europa.eu/pdf/en/11/st12/st12950.en11.pdf Consolidated EU telecoms regulatory framework (12.2009) http://ec.europa.eu/information_society/policy/ecomm/doc/library/regframefo… OECD Communiqui on Principles for Internet Policy-Making (28-29.06.2011) http://www.oecd.org/dataoecd/40/21/48289796.pdf (Contribution by Joe McNamee and Daniel Dimov - EDRi) ============================================================ 2. EU countries to explain lack of implementation of the Telecoms Package ============================================================ The European Commission has sent letters of formal notice requesting information from 20 EU countries regarding the reasons why they have not yet fully implemented the EU Telecoms Package. The EU member states were supposed to produce national legislation that would implement, by 25 May 2011, the EU Telecoms Package, adopted late 2009, but only seven states have fully complied until now. The Telecoms Package includes amendments to the EU's Privacy and Electronic Communications Directive providing a new requirement for website owners to obtain consent from users to track their online behaviour through "cookies". According to the EU Directive, storing and accessing information on users' computers was lawful provided "the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information about the purposes of the processing". The 20 member states have begun the process of drawing up new laws and some have even implemented some of the new telecoms laws requirements but not the entire Telecoms Package. In June, EU Commissioner Neelie Kroes warned the member states that the Commission would use its "full powers" against those countries that would not comply with the Directive. Yet, Peter Hustinx, the European Data Protection Supervisor (EDPS), stated that the Commission has not offered consistent guidance on how the EU states should comply with the new legislation. Hustinx also criticised Kroes for supporting self-regulatory methods undertaken by the online advertising industry and for her support for the US "do not track" measures allowing users to request websites not to monitor their activity, as the system relies on websites reacting to the users' requests. The formal letter sent by the Commission to the 20 countries represent a first legal stage in the identification of infringements from countries that have not enacted EU laws and could be referred to the European courts. The 20 state members are supposed to reply to the letters within two months. "If they fail to reply or if it is not satisfied with the answer, the Commission can send the member states concerned a formal request to implement the legislation, and ultimately refer them to the European Court of Justice (ECJ)," the Commission said. The ECJ can order EU member countries to implement EU Directives and fine them if they do not. European Commission begins legal action against countries that have still to implement telecoms laws (20.07.2011) http://www.out-law.com/page-12098 Digital Agenda: Commission starts legal action against 20 Member States on late implementation of telecoms rules (19.07.2011) http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/905&format=HT… ============================================================ 3. Germany's salaries database bites the dust ============================================================ The German government announced, in a press release on 18 July 2011, that it was going to abandon its central database and registration procedure for salaries, ELENA ("Elektronischer Entgeltnachweis"/ "electronic salary record"), as soon as possible. With this decision, German civil rights group and EDRi-member FoeBuD can celebrate the successful outcome of a complaint they had handed in at Germany's Federal Constitutional Court even before the court came to consider its ruling. The complaint has been signed by more than 22 000 petitioners. In FoeBuD's analysis, the government finally had to pull the plug on this ill-fated project after more than a year of procrastination. A joint press statement by the Federal Ministries of Economics and of Labour points to an insufficient uptake of the "qualified electronic signature" as the reason to abandon the project. FoeBuD and their lawyers call it regrettable that technical issues were highlighted and no mention was made of the doubtful constitutional legality of the procedure, which required all employers to transmit data on all salaries to a central database operated by Germany's state pension insurance. More than 400 million records of employee salaries have already been collected, although most of this data was not even required for the intended electronic records. The press release gives reason to suspect that the government has by no means given up on their idea to establish an electronic register of employee data. As the statement says, "the Federal Ministry for Labour and Social Affairs will formulate a concept on how the infrastructure and know-how established through ELENA can be used for a simpler and less bureaucratic procedure to record social security data." As the intention to collect all German citizens' sensitive data in central databases lingers on, there is reason to stay alert after the current success regarding ELENA. FoeBuD will continue to monitor future developments to guard against a replacement for this disproportionate procedure being introduced through the back door. Press statement by the Federal Ministry of Economics and Technology and the Federal Ministry of Labour and Social Affairs (only in German, 18.07.2011) http://www.bmwi.de/BMWi/Navigation/Presse/pressemitteilungen,did=424742.html In-depth response by one of the lawyers in FoeBuD's Constitutional Complaint, Meinhard Starostik (only in German, 19.07.2011) https://www.foebud.org/datenschutz-buergerrechte/arbeitnehmerdatenschutz/el… (Contribution by Sebastian Lisken, EDRi member FoeBuD / redacted translation of FoeBuD's German press release) ============================================================ 4. Slovakia: Court asks website to filter public procurement open data ============================================================ Fair-Play Alliance (AFP), a Slovak non-governmental organization operating znasichdani.sk site, was required by a Bratislava District Court to take down from the website information related to certain public procurement contracts. The website was created in March 2011 in order to provide "a tool that would enable journalists and watchdogs to cross-check information about companies successful in public procurements with influential persons in these companies". The basic idea was to connect the information on the Public Procurement bulletin with that in the database of Business register of the Slovak republic "in a way that would match persons with the names of companies in which these persons are or once were active, and with financial volume of the companies' state contracts," stated Eva Vozarova from AFP. Recently, the District Court of Bratislava II has issued a preliminary injunction, ordering Fair-Play Alliance to withdraw from the website any information related to a particular private individual, the statutory representative of the large construction company Strabag which had won good contracts paid with public money. The decision of the court is that AFP must remove the financial totals of public procurement orders won by Strabag, and all other companies in which this person was involved. This preliminary ruling had no detailed explanation on why this was necessary. AFP considers the decision of the court inappropriate, unconstitutional and threatens the right to freedom of speech. Moreover, the website only puts together already publicly available data. It contains a register of people known to be behind companies that have benefited from state orders. When searching for a particular person, the site lists the companies to which the name of the respective person is or was related to and the state orders those companies have won, as well as the amounts received from public funds. The court's decision is also unclear as, normally, it should instruct on how to perform the action required. AFP was supposed to refrain from publishing the persons' name, surname and title from the website znasichdani.sk which could directly connect the claimant's person with the financial value gained from public procurement. The site however makes no connections of financial values to the claimant's name but only filters information showing the results side by side. The total of occurrences of the claimant's name can hardly be technically erased without compromising the rest of the service. "The alliance has done nothing else but make possible simultaneous searches in two publicly accessible databases," stated lawyer Vladimmr Sarnik who added that the preliminary decision of the court contains both formal and factual mistakes. The court decision was issued even before the plaintiff had submitted her complaint (as the Slovak legal system makes this possible), which could lead to a paradoxical situation when the preliminary decision may remain in place for an indefinite period without a formal complaint being submitted. Ironically, a few days ahead, on 17 June 2011, the Znasichdani.sk site was awarded first prize at Open Data Challenge, a European competition sponsored by the Open Knowledge Foundation and backed by the European Commission. AFP has immediately appealed the court's preliminary decision. Court orders removal of public procurement data (4.07.2011) http://spectator.sme.sk/articles/view/43180/2/court_orders_removal_of_publi… Why censoring Slovak spending app means bad news for open data (18.07.2011) http://blog.okfn.org/2011/07/18/why-censoring-slovak-spending-app-means-bad… Fair-play Watchdog Angered by Court ruling (29.06.2011) http://www.thedaily.sk/2011/06/29/top-news/fair-play-watchdog-angered-by-co… ============================================================ 5. Voluntary agreements on blocking are interfering with human rights ============================================================ Following the agreement of the EU institutions on a web blocking compromise text which fails to adequately address the lawless blocking which is undertaken in several EU countries, a careful reading of recent research on the legality of this approach is called for. Last month, Professor Yaman Akdeniz (Istanbul Bilgi University, Turkey) prepared a report on Freedom of Expression on the Internet for the Organisation for Security and Cooperation in Europe (OSCE). The report contained an investigation on legal provisions and practices related to freedom of expression, the free flow of information and media pluralism on the Internet in OSCE participating States. In his study, Professor Yaman Akdeniz observed that blocking measures in the OSCE region are not always provided for by law nor were they always subject to due process principles. In particular, he noted that blocking decisions were not necessarily taken by the courts of law, but by administrative bodies or Internet hotlines run by the private sector. They decided which content, website or platform should be blocked. In many cases, such "voluntary" blocking procedures lacked transparency and accountability. In addition, the appeal in such procedures were either not in place or, where they were in place, they were often not efficient. That is why the compatibility of blocking with the fundamental right of freedom of expression must be questioned. In particular, in the absence of a legal basis for blocking access to online content, the compatibility of "voluntary" blocking agreements and systems with OSCE commitments, Article 19 of the Universal Declaration and Article 10 of the European Convention on Human Rights was problematic. Also, such a "voluntary interference" might be contradictory to the conclusions of the Final Document of the Moscow Meeting of the Conference on the Human Dimension of the CSCE. With regard to the compatibility of blocking with the fundamental right of freedom of expression, Professor Akdeniz also pointed out that both the 1994 Budapest OSCE Summit Document and the European Court of Human Rights reiterated the importance of freedom of expression as one of the preconditions for a functioning democracy. In Budapest, "(t)he participating States reaffirm(ed) that freedom of expression is a fundamental human right and a basic component of a democratic society. In this respect, independent and pluralistic media were essential to a free and open society and accountable systems of government." According to Akdeniz, an "effective" exercise of this freedom does not depend merely on the state's duty not to interfere, but might require positive measures to protect this fundamental freedom. Consequently, a blocking system relying exclusively on self-regulation or "voluntary agreements" could be in a non-legitimate interference with fundamental rights. Yaman A.: Report on Freedom of Expression on the Internet http://www.osce.org/fom/80723 The Final Document of the Moscow Meeting of the Conference on the Human Dimension of the CSCE http://www.osce.org/odihr/elections/14310 1994 Budapest OSCE Summit Document http://www.osce.org/mc/39554 The Universal Declaration of Human Rights http://www.un.org/en/documents/udhr/ The European Convention on Human Rights http://www.hri.org/docs/ECHR50.html EDRi-gram: OSCE: Access to the Internet should be a human right (13.07.2011) http://www.edri.org/edrigram/number9.14/oecd-study-internet-freedom (Contribution by Daniel Dimov - EDRi) ============================================================ 6. Belgium: Francophone press goes out and back in Google Search ============================================================ As a result of Google's conflict with Copiepresse, the search engine announced on 15 July 2011 that it would not index titles from the Belgium francophone press. Google stated that in doing so, it only complied with the decision of the Appeal Court of 5 May 2011 that backed a court decision of February 2011 forbidding Google to publish Belgium press articles on Google News and Google Search, with a fine reaching 25 000 euro in case of non-compliance. Google's reaction looked like a punishment that would put some pressure on Belgium's francophone press as the measure actually went beyond the court's decision which only asked for the removal of Copiepresse articles and not their complete erasing from the search engine. The measure was however successful. "We would be happy to re-include Copiepresse if they would indicate their desire to appear in Google Search and waive the potential penalties," said Google spokesman William Echikson. Which, Copiepress did on 18 July 2011. Le Soir and La Libre Belgique stated on their sites that an agreement had been reached with Google that would re-index the excluded sites. "It is necessary to distinguish the Google search engine from the Google news service," said an article on La Libre website adding: "The news editors do not oppose having their content referenced by the Google search engine, they refuse on the other hand for their informational content to be included in Google News." Google censures the Francophone press (only in French, 15.07.2011) http://www.lecho.be/actualite/entreprises_technologie/Google_censure_la_pre… Google re-indexes the Belgium press on its engine (up-date) (only in French, 18.07.2011) http://www.01net.com/editorial/536000/google-supprime-la-presse-belge-de-so… Google will re-index the francophone press (only in French, 18.07.2011) http://www.lecho.be/actualite/entreprises_media/Google_va_reindexer_la_pres… EDRi-gram: Google found guilty in Belgium for newspapers' copyright infringement (18.05.2011) http://www.edri.org/edrigram/number9.10/google-looses-copiepresse-case ============================================================ 7. Britain: Government reneges on DNA privacy promise ============================================================ In Britain, the Conservative-Liberal Democrat coalition government has announced that it will not delete the DNA records of suspects who were arrested but subsequently acquitted or never charged. It had promised to delete them following the Marper judgement, where the European Court of Human Rights found it was unlawful to keep the DNA of acquitted people indefinitely; this promise was enshrined in the Coalition Agreement that set up the Government after the indecisive 2010 election. But the Government now says it will rely on "anonymisation". The DNA records of innocent people will be retained by the forensic service without the suspect's names and addresses. When a match is found with crime-scene DNA in the future, the innocent former suspect can be identified by matching the sample bar code with the records of the police force that arrested him last time. The Government may argue that this complies with UK data protection law, which is a defective implementation of the Data Protection Directive. However it fails to satisfy European and human-rights law. The announcement was made quietly on Monday, 25 July 2011, while the press's focus was on the killings in Norway. Innocent people's DNA profiles won't be deleted after all, minister admits (26.07.2011) http://www.telegraph.co.uk/news/uknews/law-and-order/8660821/Innocent-peopl… Database State (2009) http://www.cl.cam.ac.uk/~rja14/Papers/database-state.pdf (Contribution by Ross Anderson - EDRi-member FIPR - UK) ============================================================ 8. ENDitorial: Phone hacking and self regulation ============================================================ The self-regulatory authority for the British press, the Press Complaints Commission (PCC), has itself become one of the victims of the "phone hacking" scandal, as self-regulation failed to not alone prevent but even identify problems now believed to be endemic among UK newspapers. Phone hacking - guessing or brute-force attacking voicemail accounts to access messages - is a criminal offence in the UK. Cases at the News of the World (NoW) were prosecuted under the Regulation of Investigatory Powers Act (RIPA), and could also be offences under the Computers Misuse Act. In 2007, private investigator Glen Mulcaire and NoW royal editor Clive Goodman were convicted and imprisoned for RIPA interception offences. Thus to date, the prosecutions have focused on reporters and investigators, rather than their employers at News International. In May 2007, the PCC found that there was no evidence of widespread phone hacking at News of the World. Since that date, further allegations, investigations by Parliamentary committees and threats of private legal action have put pressure on the police to re-open the investigations. Allegations of the excessively close relationships between the police and News International and NoW, including possible payments, have meant that senior police officials at the Metropolitan (London) Police have now resigned. One question that needs to be addressed is the extent to which "self regulation" has failed in this arena. With strong motivations from their members not to look at the behaviour of those same being regulated, the PCC might well be expected to fail. But this wasn't obvious when the PCC was set up. The reasoning behind press self-regulation was at least more principled than that behind Internet "self regulation". The press, it was argued, needs to be strong and free. The methodology is also more coherent - it is, to a large extent, "self-"regulation, unlike much Internet "self-regulation", which is actually regulation of content or consumers by the Internet industry. Thus it was thought better for the press to impose their own rules, rather than relying on legislation and politicians, who have an inbuilt desire to control and limit their activities. Yet, it has comprehensively failed. A combination of high pressure for more sales in a declining market, an unsafe technology and malleable or inattentive enforcement let citizens' interests be ignored. As it is often stated, but rarely politically accepted, once privacy is stripped away, the ability of those threatened with privacy abuses to speak out is vastly reduced. Thus, it was those who had already suffered exposure by the News of the World who had to be brave enough to speak out. The UK's political leadership was frequently too frightened to comment. We may well ask why, if the PCC cannot balance the public interest, free speech, privacy and business interests, the behavioural advertisers and Internet Service Providers should be expected to do a better job. Purely pragmatically, self-regulation may be expected to work where the interests of end users are well-aligned with those doing the regulation: but where those are strongly divergent, they are unlikely to. Unfortunately, as the PCC has shown, the balance of interests can quickly shift with technology. Thus we are left to conclude that, in the absence of procedures and structures that are fit to cope with such shifts, legal protections and official regulators are in fact the more important part of public protection. A second lesson just how politicians completely misunderstand the complexities of industry "self-regulation." If the PCC could fail so badly in the comparatively straightforward task of regulating its own industry, why on earth can politicians feel that they can speak so blithely and simplistically about private internet intermediaries "self-"regulating the key democratic fundamental rights of our society - privacy and freedom of communication? Phone Hacking articles at The Guardian http://www.guardian.co.uk/media/phone-hacking News of the World phone hacking scandal investigations http://en.wikipedia.org/wiki/News_of_the_World_phone_hacking_scandal_invest… The UK phone hacking scandal: there's worse to come - much worse (23.07.2011) https://www.privacyinternational.org/blog/uk-phone-hacking-scandal-theres-w… The Government still wants to hack your phone (14.07.2011) http://www.openrightsgroup.org/blog/2011/the-government-still-wants-to-hack… (Contribution by Jim Killock - EDRi-member Open Rights Group - UK) ============================================================ 9. Recommended Action ============================================================ Public consultation on personal data breach notifications under ePrivacy Directive. Deadline: 9 September 2011 http://ec.europa.eu/information_society/policy/ecomm/library/public_consult… EU - Open access to scientific information - Commission seeks views A public consultation on access to, and preservation of, digital scientific information has been launched by the European Commission. Deadline: 9 September 2011 http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/890 ============================================================ 10. Recommended Reading ============================================================ Article 29 Data Protection Working Party - Opinion on Consent (14.07.2011) http://ec.europa.eu/justice/policies/privacy/news/docs/press_release%20opin… http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf 86 cents for one year without blanket telecommunications data retention (25.07.2011) http://www.vorratsdatenspeicherung.de/content/view/471/79/lang,en/ ============================================================ 11. Agenda ============================================================ 10-14 August 2011, Finowfurt near Berlin, Germany Chaos Communication Camp 2011 http://events.ccc.de/camp/2011 25-27 August 2011, Washington DC, USA Global Congress on Public Interest Intellectual Property Law http://infojustice.org/public-events/global-congress 7 September 2011, Berlin, Germany Balancing the interests in the context of data retention Registration by 15 August 2011 http://www.uni-kassel.de/einrichtungen/iteg/forschung/invodas/invodas-absch… 10-17 September 2011 Freedom Not Fear - International Action Week http://www.freedomnotfear.org 16-18 September 2011, Warsaw, Poland Creative Commons Global Summit 2011 http://wiki.creativecommons.org/Global_Summit_2011 27-30 September 2011, Nairobi, Kenya Sixth Annual IGF Meeting: Internet as a catalyst for change: access, development, freedoms and innovation http://www.intgovforum.org/cms/nairobipreparatory 11 October 2011, Brussels, Belgium ePractice Workshop: Addressing evolving needs for cross-border eGovernment services http://www.epractice.eu/en/events/epractice-workshop-cross-border-services 13-14 October 2011, Lisbon, Portugal 2nd International Graduate Conference in Communication and Culture: The Culture of Remix http://blogs.nyu.edu/projects/materialworld/2011/05/cfp_the_culture_of_remi… 20-21 October 2011, Warsaw, Poland Open Govrenment Data Camp http://opengovernmentdata.org/camp2011/ 27-30 October 2011, Barcelona, Spain Free Culture Forum 2011 http://fcforum.net/ 9 November 2011, Bucharest, Romania Inet Conference: Access, Trust and Freedom: Coordinates for future Internet http://www.isoc.org/isoc/conferences/inet/11/bucharest-agenda.shtml 11-13 November 2011, Gothenburg, Sweden FSCONS is the Nordic countries' largest gathering for free culture, free software and a free society. http://fscons.org/ 25-27 January 2012, Brussels, Belgium Computers, Privacy and Data Protection 2012 http://www.cpdpconferences.org/ ============================================================ 12. About ============================================================ EDRi-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRi has 28 members based or with offices in 18 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRi-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and are visible on the EDRi website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram(a)edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request(a)edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. Unsubscribe by e-mail To: edri-news-request(a)edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edri/2.html - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram(a)edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

EDRi-gram newsletter - Number 9.15, 27 July 2011
by EDRI-gram newsletter 06 Jul '18

06 Jul '18

============================================================ EDRi-gram biweekly newsletter about digital civil rights in Europe Number 9.15, 27 July 2011 ============================================================ Contents ============================================================ 1. Draft Council conclusions on Net Neutrality 2. EU countries to explain lack of implementation of the Telecoms Package 3. Germany's salaries database bites the dust 4. Slovakia: Court asks website to filter public procurement open data 5. Voluntary agreements on blocking are interfering with human rights 6. Belgium: Francophone press goes out and back in Google Search 7. Britain: Government reneges on DNA privacy promise 8. ENDitorial: Phone hacking and self regulation 9. Recommended Action 10. Recommended Reading 11. Agenda 12. About ============================================================ 1. Draft Council conclusions on Net Neutrality ============================================================ On 15 July 2011, the Council (of the EU Member States) published Draft "Conclusions" (a policy statement) on Net Neutrality. In the document, the Council underlined the need to preserve the open and neutral character of the Internet and established net neutrality as "a policy objective." While this seems - and is - positive at first reading, the document also refers to "affordable and secure high bandwidth communications and rich and diverse content and services" as "an important policy objective" - apparently establishing net neutrality as a somewhat secondary priority. In summary, therefore, the Council indicates its willingness to embrace the concept of "net neutrality" in further regulatory activities without being entirely clear on what status this "policy objective" has in the hierarchy of its communications policy. Nonetheless, the importance of net neutrality for the economy is spelled out in some detail, with the document pointing to the fundamental role of telecommunications and broadband development for investment, job creation and economic recovery. The document points to "the need to maintain the openness of Internet while ensuring that it can continue to provide high-quality services in a framework that promotes and respects fundamental rights such as freedom of expression and freedom to conduct business." This appears to diverge very positively from more extremist and populist views expressed recently about "civilising" the Internet and, in the US environment, experimenting with the fundamental building blocks of the Internet in order to protect the perceived needs of a narrow range of stakeholders. The draft Conclusions take a further step away from this approach when it refers to "the importance of ensuring that users can create, distribute and access content and services of their choice," moving away from the implicit support for policing of content by Internet intermediaries in the OECD Communiqui on Principles for Internet Policy-Making which made repeated references to the right to access "legitimate" content and "legitimate" sharing of information. The biggest challenge facing the Council when seeking to defend this positive approach is the range of demands for Internet intermediaries to interfere with traffic to protect narrow vested interests such as intellectual property owners and the willingness of certain intermediaries to "voluntarily" engage in such interferences as an underhand means of "normalising" interferences by access providers in citizens' communications. It will be increasingly difficult for Member States (as indeed it is already beginning to be the case for the European Commission) to demand that Internet intermediaries meddle with citizens' communications for the perceived benefit of certain vested interests and, simultaneously, demand that the same intermediaries not meddle with citizens' communications for their own business interests. Draft Council conclusions on Net Neutrality (15.07.2011) http://register.consilium.europa.eu/pdf/en/11/st12/st12950.en11.pdf Consolidated EU telecoms regulatory framework (12.2009) http://ec.europa.eu/information_society/policy/ecomm/doc/library/regframefo… OECD Communiqui on Principles for Internet Policy-Making (28-29.06.2011) http://www.oecd.org/dataoecd/40/21/48289796.pdf (Contribution by Joe McNamee and Daniel Dimov - EDRi) ============================================================ 2. EU countries to explain lack of implementation of the Telecoms Package ============================================================ The European Commission has sent letters of formal notice requesting information from 20 EU countries regarding the reasons why they have not yet fully implemented the EU Telecoms Package. The EU member states were supposed to produce national legislation that would implement, by 25 May 2011, the EU Telecoms Package, adopted late 2009, but only seven states have fully complied until now. The Telecoms Package includes amendments to the EU's Privacy and Electronic Communications Directive providing a new requirement for website owners to obtain consent from users to track their online behaviour through "cookies". According to the EU Directive, storing and accessing information on users' computers was lawful provided "the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information about the purposes of the processing". The 20 member states have begun the process of drawing up new laws and some have even implemented some of the new telecoms laws requirements but not the entire Telecoms Package. In June, EU Commissioner Neelie Kroes warned the member states that the Commission would use its "full powers" against those countries that would not comply with the Directive. Yet, Peter Hustinx, the European Data Protection Supervisor (EDPS), stated that the Commission has not offered consistent guidance on how the EU states should comply with the new legislation. Hustinx also criticised Kroes for supporting self-regulatory methods undertaken by the online advertising industry and for her support for the US "do not track" measures allowing users to request websites not to monitor their activity, as the system relies on websites reacting to the users' requests. The formal letter sent by the Commission to the 20 countries represent a first legal stage in the identification of infringements from countries that have not enacted EU laws and could be referred to the European courts. The 20 state members are supposed to reply to the letters within two months. "If they fail to reply or if it is not satisfied with the answer, the Commission can send the member states concerned a formal request to implement the legislation, and ultimately refer them to the European Court of Justice (ECJ)," the Commission said. The ECJ can order EU member countries to implement EU Directives and fine them if they do not. European Commission begins legal action against countries that have still to implement telecoms laws (20.07.2011) http://www.out-law.com/page-12098 Digital Agenda: Commission starts legal action against 20 Member States on late implementation of telecoms rules (19.07.2011) http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/905&format=HT… ============================================================ 3. Germany's salaries database bites the dust ============================================================ The German government announced, in a press release on 18 July 2011, that it was going to abandon its central database and registration procedure for salaries, ELENA ("Elektronischer Entgeltnachweis"/ "electronic salary record"), as soon as possible. With this decision, German civil rights group and EDRi-member FoeBuD can celebrate the successful outcome of a complaint they had handed in at Germany's Federal Constitutional Court even before the court came to consider its ruling. The complaint has been signed by more than 22 000 petitioners. In FoeBuD's analysis, the government finally had to pull the plug on this ill-fated project after more than a year of procrastination. A joint press statement by the Federal Ministries of Economics and of Labour points to an insufficient uptake of the "qualified electronic signature" as the reason to abandon the project. FoeBuD and their lawyers call it regrettable that technical issues were highlighted and no mention was made of the doubtful constitutional legality of the procedure, which required all employers to transmit data on all salaries to a central database operated by Germany's state pension insurance. More than 400 million records of employee salaries have already been collected, although most of this data was not even required for the intended electronic records. The press release gives reason to suspect that the government has by no means given up on their idea to establish an electronic register of employee data. As the statement says, "the Federal Ministry for Labour and Social Affairs will formulate a concept on how the infrastructure and know-how established through ELENA can be used for a simpler and less bureaucratic procedure to record social security data." As the intention to collect all German citizens' sensitive data in central databases lingers on, there is reason to stay alert after the current success regarding ELENA. FoeBuD will continue to monitor future developments to guard against a replacement for this disproportionate procedure being introduced through the back door. Press statement by the Federal Ministry of Economics and Technology and the Federal Ministry of Labour and Social Affairs (only in German, 18.07.2011) http://www.bmwi.de/BMWi/Navigation/Presse/pressemitteilungen,did=424742.html In-depth response by one of the lawyers in FoeBuD's Constitutional Complaint, Meinhard Starostik (only in German, 19.07.2011) https://www.foebud.org/datenschutz-buergerrechte/arbeitnehmerdatenschutz/el… (Contribution by Sebastian Lisken, EDRi member FoeBuD / redacted translation of FoeBuD's German press release) ============================================================ 4. Slovakia: Court asks website to filter public procurement open data ============================================================ Fair-Play Alliance (AFP), a Slovak non-governmental organization operating znasichdani.sk site, was required by a Bratislava District Court to take down from the website information related to certain public procurement contracts. The website was created in March 2011 in order to provide "a tool that would enable journalists and watchdogs to cross-check information about companies successful in public procurements with influential persons in these companies". The basic idea was to connect the information on the Public Procurement bulletin with that in the database of Business register of the Slovak republic "in a way that would match persons with the names of companies in which these persons are or once were active, and with financial volume of the companies' state contracts," stated Eva Vozarova from AFP. Recently, the District Court of Bratislava II has issued a preliminary injunction, ordering Fair-Play Alliance to withdraw from the website any information related to a particular private individual, the statutory representative of the large construction company Strabag which had won good contracts paid with public money. The decision of the court is that AFP must remove the financial totals of public procurement orders won by Strabag, and all other companies in which this person was involved. This preliminary ruling had no detailed explanation on why this was necessary. AFP considers the decision of the court inappropriate, unconstitutional and threatens the right to freedom of speech. Moreover, the website only puts together already publicly available data. It contains a register of people known to be behind companies that have benefited from state orders. When searching for a particular person, the site lists the companies to which the name of the respective person is or was related to and the state orders those companies have won, as well as the amounts received from public funds. The court's decision is also unclear as, normally, it should instruct on how to perform the action required. AFP was supposed to refrain from publishing the persons' name, surname and title from the website znasichdani.sk which could directly connect the claimant's person with the financial value gained from public procurement. The site however makes no connections of financial values to the claimant's name but only filters information showing the results side by side. The total of occurrences of the claimant's name can hardly be technically erased without compromising the rest of the service. "The alliance has done nothing else but make possible simultaneous searches in two publicly accessible databases," stated lawyer Vladimmr Sarnik who added that the preliminary decision of the court contains both formal and factual mistakes. The court decision was issued even before the plaintiff had submitted her complaint (as the Slovak legal system makes this possible), which could lead to a paradoxical situation when the preliminary decision may remain in place for an indefinite period without a formal complaint being submitted. Ironically, a few days ahead, on 17 June 2011, the Znasichdani.sk site was awarded first prize at Open Data Challenge, a European competition sponsored by the Open Knowledge Foundation and backed by the European Commission. AFP has immediately appealed the court's preliminary decision. Court orders removal of public procurement data (4.07.2011) http://spectator.sme.sk/articles/view/43180/2/court_orders_removal_of_publi… Why censoring Slovak spending app means bad news for open data (18.07.2011) http://blog.okfn.org/2011/07/18/why-censoring-slovak-spending-app-means-bad… Fair-play Watchdog Angered by Court ruling (29.06.2011) http://www.thedaily.sk/2011/06/29/top-news/fair-play-watchdog-angered-by-co… ============================================================ 5. Voluntary agreements on blocking are interfering with human rights ============================================================ Following the agreement of the EU institutions on a web blocking compromise text which fails to adequately address the lawless blocking which is undertaken in several EU countries, a careful reading of recent research on the legality of this approach is called for. Last month, Professor Yaman Akdeniz (Istanbul Bilgi University, Turkey) prepared a report on Freedom of Expression on the Internet for the Organisation for Security and Cooperation in Europe (OSCE). The report contained an investigation on legal provisions and practices related to freedom of expression, the free flow of information and media pluralism on the Internet in OSCE participating States. In his study, Professor Yaman Akdeniz observed that blocking measures in the OSCE region are not always provided for by law nor were they always subject to due process principles. In particular, he noted that blocking decisions were not necessarily taken by the courts of law, but by administrative bodies or Internet hotlines run by the private sector. They decided which content, website or platform should be blocked. In many cases, such "voluntary" blocking procedures lacked transparency and accountability. In addition, the appeal in such procedures were either not in place or, where they were in place, they were often not efficient. That is why the compatibility of blocking with the fundamental right of freedom of expression must be questioned. In particular, in the absence of a legal basis for blocking access to online content, the compatibility of "voluntary" blocking agreements and systems with OSCE commitments, Article 19 of the Universal Declaration and Article 10 of the European Convention on Human Rights was problematic. Also, such a "voluntary interference" might be contradictory to the conclusions of the Final Document of the Moscow Meeting of the Conference on the Human Dimension of the CSCE. With regard to the compatibility of blocking with the fundamental right of freedom of expression, Professor Akdeniz also pointed out that both the 1994 Budapest OSCE Summit Document and the European Court of Human Rights reiterated the importance of freedom of expression as one of the preconditions for a functioning democracy. In Budapest, "(t)he participating States reaffirm(ed) that freedom of expression is a fundamental human right and a basic component of a democratic society. In this respect, independent and pluralistic media were essential to a free and open society and accountable systems of government." According to Akdeniz, an "effective" exercise of this freedom does not depend merely on the state's duty not to interfere, but might require positive measures to protect this fundamental freedom. Consequently, a blocking system relying exclusively on self-regulation or "voluntary agreements" could be in a non-legitimate interference with fundamental rights. Yaman A.: Report on Freedom of Expression on the Internet http://www.osce.org/fom/80723 The Final Document of the Moscow Meeting of the Conference on the Human Dimension of the CSCE http://www.osce.org/odihr/elections/14310 1994 Budapest OSCE Summit Document http://www.osce.org/mc/39554 The Universal Declaration of Human Rights http://www.un.org/en/documents/udhr/ The European Convention on Human Rights http://www.hri.org/docs/ECHR50.html EDRi-gram: OSCE: Access to the Internet should be a human right (13.07.2011) http://www.edri.org/edrigram/number9.14/oecd-study-internet-freedom (Contribution by Daniel Dimov - EDRi) ============================================================ 6. Belgium: Francophone press goes out and back in Google Search ============================================================ As a result of Google's conflict with Copiepresse, the search engine announced on 15 July 2011 that it would not index titles from the Belgium francophone press. Google stated that in doing so, it only complied with the decision of the Appeal Court of 5 May 2011 that backed a court decision of February 2011 forbidding Google to publish Belgium press articles on Google News and Google Search, with a fine reaching 25 000 euro in case of non-compliance. Google's reaction looked like a punishment that would put some pressure on Belgium's francophone press as the measure actually went beyond the court's decision which only asked for the removal of Copiepresse articles and not their complete erasing from the search engine. The measure was however successful. "We would be happy to re-include Copiepresse if they would indicate their desire to appear in Google Search and waive the potential penalties," said Google spokesman William Echikson. Which, Copiepress did on 18 July 2011. Le Soir and La Libre Belgique stated on their sites that an agreement had been reached with Google that would re-index the excluded sites. "It is necessary to distinguish the Google search engine from the Google news service," said an article on La Libre website adding: "The news editors do not oppose having their content referenced by the Google search engine, they refuse on the other hand for their informational content to be included in Google News." Google censures the Francophone press (only in French, 15.07.2011) http://www.lecho.be/actualite/entreprises_technologie/Google_censure_la_pre… Google re-indexes the Belgium press on its engine (up-date) (only in French, 18.07.2011) http://www.01net.com/editorial/536000/google-supprime-la-presse-belge-de-so… Google will re-index the francophone press (only in French, 18.07.2011) http://www.lecho.be/actualite/entreprises_media/Google_va_reindexer_la_pres… EDRi-gram: Google found guilty in Belgium for newspapers' copyright infringement (18.05.2011) http://www.edri.org/edrigram/number9.10/google-looses-copiepresse-case ============================================================ 7. Britain: Government reneges on DNA privacy promise ============================================================ In Britain, the Conservative-Liberal Democrat coalition government has announced that it will not delete the DNA records of suspects who were arrested but subsequently acquitted or never charged. It had promised to delete them following the Marper judgement, where the European Court of Human Rights found it was unlawful to keep the DNA of acquitted people indefinitely; this promise was enshrined in the Coalition Agreement that set up the Government after the indecisive 2010 election. But the Government now says it will rely on "anonymisation". The DNA records of innocent people will be retained by the forensic service without the suspect's names and addresses. When a match is found with crime-scene DNA in the future, the innocent former suspect can be identified by matching the sample bar code with the records of the police force that arrested him last time. The Government may argue that this complies with UK data protection law, which is a defective implementation of the Data Protection Directive. However it fails to satisfy European and human-rights law. The announcement was made quietly on Monday, 25 July 2011, while the press's focus was on the killings in Norway. Innocent people's DNA profiles won't be deleted after all, minister admits (26.07.2011) http://www.telegraph.co.uk/news/uknews/law-and-order/8660821/Innocent-peopl… Database State (2009) http://www.cl.cam.ac.uk/~rja14/Papers/database-state.pdf (Contribution by Ross Anderson - EDRi-member FIPR - UK) ============================================================ 8. ENDitorial: Phone hacking and self regulation ============================================================ The self-regulatory authority for the British press, the Press Complaints Commission (PCC), has itself become one of the victims of the "phone hacking" scandal, as self-regulation failed to not alone prevent but even identify problems now believed to be endemic among UK newspapers. Phone hacking - guessing or brute-force attacking voicemail accounts to access messages - is a criminal offence in the UK. Cases at the News of the World (NoW) were prosecuted under the Regulation of Investigatory Powers Act (RIPA), and could also be offences under the Computers Misuse Act. In 2007, private investigator Glen Mulcaire and NoW royal editor Clive Goodman were convicted and imprisoned for RIPA interception offences. Thus to date, the prosecutions have focused on reporters and investigators, rather than their employers at News International. In May 2007, the PCC found that there was no evidence of widespread phone hacking at News of the World. Since that date, further allegations, investigations by Parliamentary committees and threats of private legal action have put pressure on the police to re-open the investigations. Allegations of the excessively close relationships between the police and News International and NoW, including possible payments, have meant that senior police officials at the Metropolitan (London) Police have now resigned. One question that needs to be addressed is the extent to which "self regulation" has failed in this arena. With strong motivations from their members not to look at the behaviour of those same being regulated, the PCC might well be expected to fail. But this wasn't obvious when the PCC was set up. The reasoning behind press self-regulation was at least more principled than that behind Internet "self regulation". The press, it was argued, needs to be strong and free. The methodology is also more coherent - it is, to a large extent, "self-"regulation, unlike much Internet "self-regulation", which is actually regulation of content or consumers by the Internet industry. Thus it was thought better for the press to impose their own rules, rather than relying on legislation and politicians, who have an inbuilt desire to control and limit their activities. Yet, it has comprehensively failed. A combination of high pressure for more sales in a declining market, an unsafe technology and malleable or inattentive enforcement let citizens' interests be ignored. As it is often stated, but rarely politically accepted, once privacy is stripped away, the ability of those threatened with privacy abuses to speak out is vastly reduced. Thus, it was those who had already suffered exposure by the News of the World who had to be brave enough to speak out. The UK's political leadership was frequently too frightened to comment. We may well ask why, if the PCC cannot balance the public interest, free speech, privacy and business interests, the behavioural advertisers and Internet Service Providers should be expected to do a better job. Purely pragmatically, self-regulation may be expected to work where the interests of end users are well-aligned with those doing the regulation: but where those are strongly divergent, they are unlikely to. Unfortunately, as the PCC has shown, the balance of interests can quickly shift with technology. Thus we are left to conclude that, in the absence of procedures and structures that are fit to cope with such shifts, legal protections and official regulators are in fact the more important part of public protection. A second lesson just how politicians completely misunderstand the complexities of industry "self-regulation." If the PCC could fail so badly in the comparatively straightforward task of regulating its own industry, why on earth can politicians feel that they can speak so blithely and simplistically about private internet intermediaries "self-"regulating the key democratic fundamental rights of our society - privacy and freedom of communication? Phone Hacking articles at The Guardian http://www.guardian.co.uk/media/phone-hacking News of the World phone hacking scandal investigations http://en.wikipedia.org/wiki/News_of_the_World_phone_hacking_scandal_invest… The UK phone hacking scandal: there's worse to come - much worse (23.07.2011) https://www.privacyinternational.org/blog/uk-phone-hacking-scandal-theres-w… The Government still wants to hack your phone (14.07.2011) http://www.openrightsgroup.org/blog/2011/the-government-still-wants-to-hack… (Contribution by Jim Killock - EDRi-member Open Rights Group - UK) ============================================================ 9. Recommended Action ============================================================ Public consultation on personal data breach notifications under ePrivacy Directive. Deadline: 9 September 2011 http://ec.europa.eu/information_society/policy/ecomm/library/public_consult… EU - Open access to scientific information - Commission seeks views A public consultation on access to, and preservation of, digital scientific information has been launched by the European Commission. Deadline: 9 September 2011 http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/890 ============================================================ 10. Recommended Reading ============================================================ Article 29 Data Protection Working Party - Opinion on Consent (14.07.2011) http://ec.europa.eu/justice/policies/privacy/news/docs/press_release%20opin… http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf 86 cents for one year without blanket telecommunications data retention (25.07.2011) http://www.vorratsdatenspeicherung.de/content/view/471/79/lang,en/ ============================================================ 11. Agenda ============================================================ 10-14 August 2011, Finowfurt near Berlin, Germany Chaos Communication Camp 2011 http://events.ccc.de/camp/2011 25-27 August 2011, Washington DC, USA Global Congress on Public Interest Intellectual Property Law http://infojustice.org/public-events/global-congress 7 September 2011, Berlin, Germany Balancing the interests in the context of data retention Registration by 15 August 2011 http://www.uni-kassel.de/einrichtungen/iteg/forschung/invodas/invodas-absch… 10-17 September 2011 Freedom Not Fear - International Action Week http://www.freedomnotfear.org 16-18 September 2011, Warsaw, Poland Creative Commons Global Summit 2011 http://wiki.creativecommons.org/Global_Summit_2011 27-30 September 2011, Nairobi, Kenya Sixth Annual IGF Meeting: Internet as a catalyst for change: access, development, freedoms and innovation http://www.intgovforum.org/cms/nairobipreparatory 11 October 2011, Brussels, Belgium ePractice Workshop: Addressing evolving needs for cross-border eGovernment services http://www.epractice.eu/en/events/epractice-workshop-cross-border-services 13-14 October 2011, Lisbon, Portugal 2nd International Graduate Conference in Communication and Culture: The Culture of Remix http://blogs.nyu.edu/projects/materialworld/2011/05/cfp_the_culture_of_remi… 20-21 October 2011, Warsaw, Poland Open Govrenment Data Camp http://opengovernmentdata.org/camp2011/ 27-30 October 2011, Barcelona, Spain Free Culture Forum 2011 http://fcforum.net/ 9 November 2011, Bucharest, Romania Inet Conference: Access, Trust and Freedom: Coordinates for future Internet http://www.isoc.org/isoc/conferences/inet/11/bucharest-agenda.shtml 11-13 November 2011, Gothenburg, Sweden FSCONS is the Nordic countries' largest gathering for free culture, free software and a free society. http://fscons.org/ 25-27 January 2012, Brussels, Belgium Computers, Privacy and Data Protection 2012 http://www.cpdpconferences.org/ ============================================================ 12. About ============================================================ EDRi-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRi has 28 members based or with offices in 18 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRi-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and are visible on the EDRi website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram(a)edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request(a)edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. Unsubscribe by e-mail To: edri-news-request(a)edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edri/2.html - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram(a)edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

Re: [tor-talk] possible to identify tor user via hardware DRM?
by Seth David Schoen 06 Jul '18

06 Jul '18

Nick M. Daly writes: > I've actually been reading similar concerns (about hardware-based > tracking) on the FreedomBox list, and I have no basis for validating the > claims. Wondering if anybody could shed some light on just how serious > these claims are and how they'd impact Tor users (or privacy generally)? > The mail seems full of generalizations, but the author seems genuine: > > http://lists.alioth.debian.org/pipermail/freedombox-discuss/2012-June/00404… I find this message misleading in various ways. The basic thing that I've been telling people is that there are few situations in which either PSN or TPM uniqueness makes things qualitatively worse. There are lots of hardware unique IDs. On Linux, try "sudo lshw" and be surprised at all the things that have unique serial numbers. There are also things that are unique about your machine that are not hardware serial numbers, like filesystem serial numbers and observed combinations of software configurations. These can be bad for privacy because software can tell which computer it's running on. If the software has an adversarial relationship with you, it can then use that information in a way that you don't like. We would be better off in some regards if operating systems let us hide local uniqueness from software so that the software couldn't tell what machine it was running on, or set fake values for these unique identifiers. Some proprietary software including Microsoft Windows already makes a sophisticated profile of the local machine, including many kinds of observations, to tie a copy of the software (or an "activation") to a particular device (!). The only substantive difference with the TPM uniqueness is that the TPM uniqueness lets you prove (like a smartcard) to a remote system that you're running some software on the same machine as before. Even if the OS did let you set fake values when software tried to examine the system it was running on, the remote system could see that the TPM-related values were fake. That's useful for some applications, including but not limited to DRM-like ones. I've argued that this is bad in some ways, but at least you can still turn off the TPM. Then your system can't attempt to offer that kind of proof. As far as I know, turning off the TPM is pretty robust: it really is turned off. All of these things are anonymity problems in particular when some software on your computer is actively _trying_ to tell someone else what machine you're running on, either because it's programmed to do so or because someone has broken into your computer and installed spyware and is trying to use it to monitor you. If you're not in that situation, there is nothing especially magical about having unique hardware IDs in your machine, because everyone's machine has some uniqueness, and (for the most part) that uniqueness isn't part of standard network protocols like TCP/IP and doesn't automatically leak out to anyone and everyone you communicate with over the Internet. (There is a possible exception about clock skew, which you can read about in Steven Murdoch's paper from 2006.) Similarly, having a GPS receiver in your phone does not mean that everyone you send an SMS to or everyone you call will learn your exact physical location. However, it does mean that if there's spyware on your phone, that spyware is able to use the GPS to learn your location and leak it. If you're worried about spyware threats on your phone, which can be quite a realistic concern, the GPS itself isn't necessarily the unique core of the threat, because there are also lots of other things in the phone that can be read to help physically locate you (like wifi base station MAC addresses, taking photographs of your surroundings with the phone's camera, recording the identities and signal strengths of the GSM base stations your phone sees...). So a more fundamental question might be whether your phone operating system is able to either prevent you from getting malware or prevent the malware from accessing the sensors on your phone. In the case of a desktop PC, the hardware uniqueness is _there to be read by software_, and if it's in a TPM it _may be able to give the software remotely verifiable cryptographic proof that the software is really running on the machine containing that particular TPM_. In neither case does the hardware uniqueness directly broadcast itself to other machines, and in neither case does the hardware uniqueness prevent the operating system from preventing other software from reading it. If you do have some kind of software running on your machine that's trying to track you or trying to help other people track you, hardware uniqueness is one thing that the software might look at. But if you're a Tor user, a more basic thing for the software to try to do is make network connections to leak your real IP address in order to associate your Tor-based network activity with your non-Tor-based network activity. That might be even easier because the tracking software could just try to make a direct network connection. If you're not using Tor, at least not at a particular moment, but are still concerned about tracking, there's another problem, which is that all existing browsers _already_ reveal a great deal of software-based uniqueness to any interested web site, usually enough to make your browser unique. See https://panopticlick.eff.org/browser-uniqueness.pdf This is important because it doesn't require there to be any malicious software on your computer, just a traditional web browser. One of the defenses people have talked about against hardware fingerprinting is running inside a virtual machine. Normally, software inside the virtual machine, even if it's malicious, doesn't learn much about the physical machine that hosts the VM. If you always use Tor inside a VM, then even if there's a bug that lets someone take over your computer (or if they trick you into installing spyware), the malicious software won't be able to read much real uniqueness from the host hardware, unless there's also a bug in the VM software. Running in a VM isn't exactly a defense against software fingerprinting (like browser fingerprinting) if you use the VM for various non-Tor activities that you don't want to be linked to one another, because the software configuration inside the VM might be, or become, sufficiently different from others that it can be recognized. There's probably more research to be done about the conditions under which VMs can be uniquely identified both "from the inside" by malware, and remotely by remote software fingerprinting, absent VM bugs that give unintended access to the host. -- Seth Schoen <schoen(a)eff.org> Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107 _______________________________________________ tor-talk mailing list tor-talk(a)lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

[IP] When police ask your name, you must give it, Supreme Court says
by dave＠farber.net 06 Jul '18

06 Jul '18

___ Dave Farber +1 412 726 9889 ...... Forwarded Message ....... From: Kurt Albershardt <kurt(a)nv.net> To: dave(a)farber.net Date: Mon, 21 Jun 2004 16:44:00 -0700 Subj: When police ask your name, you must give it, Supreme Court says By GINA HOLLAND, Associated Press Writer WASHINGTON - A sharply divided Supreme Court ruled Monday that people who refuse to give their names to police can be arrested, even if they've done nothing wrong. The court previously had said police may briefly detain people they suspect of wrongdoing, without any proof. But until now, the justices had never held that during those encounters a person must reveal their identity. The court's 5-4 decision upholds laws in at least 21 states giving police the right to ask people their name and jail those who don't cooperate. Law enforcement officials say identification requests are a routine part of detective work. Privacy advocates say the decision gives police too much power. Once officers have a name, they can use computer databases to learn all kinds of personal information about the person. The loser in Monday's decision was Nevada cattle rancher Larry "Dudley" Hiibel, who was arrested and convicted of a misdemeanor after he told a deputy that he didn't have to give out his name or show an ID. The encounter happened after someone called police to report arguing between Hiibel and his daughter in a truck parked along a road. An officer asked him 11 times for his identification or his name. Hiibel repeatedly refused, at one point saying, "If you've got something, take me to jail" and "I don't want to talk. I've done nothing. I've broken no laws." In fighting the arrest, Hiibel became an unlikely constitutional privacy rights crusader. He wore a cowboy hat, boots and a bolo tie to the court this year when justices heard arguments in his appeal. "A Nevada cowboy courageously fought for his right to be left alone, but lost," said his attorney, Harriet Cummings. The court ruled that forcing someone to give police their name does not violate their Fourth Amendment protection from unreasonable searches. The court also said name requests do not violate the Fifth Amendment right against self-incrimination, except in rare cases. "One's identity is, by definition, unique; yet it is, in another sense, a universal characteristic. Answering a request to disclose a name is likely to be so insignificant in the scheme of things as to be incriminating only in unusual circumstances," Justice Anthony M. Kennedy wrote for the majority. "A name can provide the key to a broad array of information about the person, particularly in the hands of a police officer with access to a range of law enforcement databases," he wrote in a dissent. Justices David H. Souter, Ruth Bader Ginsburg (news - web sites) and Stephen Breyer (news - web sites) also disagreed with the ruling. Crime-fighting and justice groups had argued that a ruling the other way would have protected terrorists and encouraged people to refuse to cooperate with police. "The constant danger of renewed terrorist activity places enormous pressure on law enforcement to identify suspected terrorists before they strike," said Charles Hobson, an attorney with the Sacramento-based Criminal Justice Legal Foundation. But Tim Lynch, an attorney with the libertarian-oriented think tank Cato Institute, said the court "ruled that the government can turn a person's silence into a criminal offense." "Ordinary Americans will be hopelessly confused about when they can assert their right to remain silent without being jailed like Mr. Hiibel," said Lynch, who expects the ruling will lead more cities and states, and possibly Congress, to consider laws like the one in Nevada. Justices had been told that at least 20 states have similar laws to the Nevada statute: Alabama, Arkansas, California, Colorado, Delaware, Florida, Georgia, Illinois, Kansas, Louisiana, Massachusetts, Montana, Nebraska, New Hampshire, New Mexico, New York, North Dakota, Rhode Island, Utah, Vermont, and Wisconsin. The ruling was a follow up to a 1968 decision that said police may briefly detain someone on reasonable suspicion of wrongdoing, without the stronger standard of probable cause, to get more information. Justices said that during such brief detentions, known as Terry stops after the 1968 ruling, people must answer questions about their identities. Marc Rotenberg, head of the Electronic Privacy Information Center, said America is different 36 years after the Terry decision. "In a modern era, when the police get your identification, they are getting an extraordinary look at your private life." The case is Hiibel v. Sixth Judicial District Court of the state of Nevada, 03-5554. ------------------------------------- You are subscribed as eugen(a)leitl.org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/ ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 1.01d removed an attachment of type application/pgp-signature]

1 0

Re: CRYPTO2004 Rump Session Presentations, was Re: A collision in MD5'
by james hughes 06 Jul '18

06 Jul '18

I have 2 items of note for this list. 1. The web site is updated with program and the times. http://www.iacr.org/conferences/crypto2004/rump.html 2. I was typing fast, and mistyped my title. I am General Chair this year, not 2002 as was stated. Enjoy. On Aug 17, 2004, at 1:39 PM, james hughes wrote: > Yes, my mistake. the link has an 'o' at the end. > > mms://128.111.55.99/crypto > > --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo(a)metzdowd.com --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah(a)ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

1 0