- cypherpunks-legacy - lists.cpunks.org

EDRi-gram newsletter - Number 8.20, 20 October 2010
by EDRI-gram newsletter 06 Jul '18

06 Jul '18

============================================================ EDRi-gram biweekly newsletter about digital civil rights in Europe Number 8.20, 20 October 2010 ============================================================ Contents ============================================================ 1. Guidelines for more rigorous respect of the Fundamental Rights Charter 2. Facebook applications raise new privacy concerns again 3. French DNS management must respect constitutional freedoms 4. Danish tax authorities want to mirror hard disks of private companies 5. Informal discussion in European Parliament on net neutrality 6. Lives put at risk by communications data retention 7. European Commission high-level discussions on data protection 8. UK Government will introduce an open data licence 9. Spanish DPA opens infringement procedures for Google Streetview 10. ENDitorial: Irish court rejects music industry demands for three strikes 11. Recommended Action 12. Recommended Reading 13. Agenda 14. About ============================================================ 1. Guidelines for more rigorous respect of the Fundamental Rights Charter ============================================================ The European Commission has adopted a strategy which is aimed at ensuring that the EU Charter of Fundamental Rights is respected at every stage of the EU legislative process. At the initiative of Commissioner Reding, the intention is to create a template to make it easier for the Commission to measure its own respect for the Charter and, by extension, to give the public a clearer yardstick by which to measure the actions of the Commission. As is Commissioner Reding's trademark, the Communication is very ambitious, arguing that the "Union must be exemplary" in matters of fundamental rights and demands that "the Charter must serve as compass for the Union's policies and their implementation by the Member States." Since the adoption of the Lisbon Treaty, which made the Charter legally binding, all Commissioners took a personal oath to respect the Charter. However, in the absence of a methodology to incorporate this into policy development, the Commission has struggled to "mainstream" this new element of legislative development into all of its activities. For example, when the Commission re-tabled the draft Framework Decision on Child Exploitation, it changed the proposal in a way which, according to its own impact assessment, was contrary to the European Convention on Fundamental Rights (the "meaning and rights" of which are incorporated into the Charter). One of the clearest pedagogical elements of the Communication is a "Fundamental Rights 'Check List'", listing the questions that the Commission must ask at each stage of the legislative process when assessing the possible impact of the proposed legislation. This is to be repeated at each step of all legislative processes, from preparatory consultations thorough the impact assessment process and the legislative process. This includes, "using all means at its disposal" to fight noncompliant amendments tabled by other institutions. It is, unfortunately, very obvious that the Communication will not solve all or even most of the failures of the Commission with regard to respect for fundamental rights protected by the Charter and Convention of Fundamental Rights. However, it is also clear that the Communication establishes a new and very clear set of standards and guidelines against which the Commission can now be measured. This is an important step in the right direction and a significant achievement by Commissioner Reding. European Commission adopts strategy to ensure respect for EU Charter of Fundamental Rights (19.10.2010) http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/1348&format=H… European Commission Communication - Strategy for the effective implementation of the Charter of Fundamental Rights by the European Union (19.10.2010) http://ec.europa.eu/justice/news/intro/doc/com_2010_573_4_en.pdf (Contribution by Joe McNamee - EDRi) ============================================================ 2. Facebook applications raise new privacy concerns again ============================================================ Facebook continues to raise concerns related to the privacy of its users' personal data. According to an investigation made by Wall Street Journal (WSJ), Facebook applications such as FarmVille have been supplying identifying information of its users to several online advertising and tracking companies. Already in May 2010 it was revealed that under certain circumstances, when a user was clicking on an ad, Facebook was transmitting its ID codes that were used to look up individual profiles, including the user's real name, age, hometown and other data. Although Facebook has interrupted the practice, it has now come Facebook applications were doing the same practice. The practice affects millions of users including those who have placed their data under the strictest privacy settings. According to WSJ, at least ten of the most popular Facebook applications also transmitted personal information about the user's friends to external companies. Two Facebook users from California, David Gould and Mike Robertson, have filed a federal lawsuit against the social network for allegedly sharing their real names and other private information with some advertisers, considering Facebook was thus in direct violation of the federal law that protects the privacy of electronic communications, the California computer-crime law as well as the company's own privacy policy. "A Facebook user ID may be inadvertently shared by a user's Internet browser or by an application," stated a spokesman from Facebook on 16 October 2010, who added that the company would introduce new technology to address the problem. According to the company, there is no basis for the law suit. As a Facebook user's ID is a public part of any Facebook profile, anyone can use this number to look up a person's name, by using a standard Web browser, even if that person has posted Facebook information as private. Facebook IDs reveal information that the users have set to share with everyone. Most applications on Facebook are created by independent software developers and it is not yet clear whether their developers knew that their applications were transmitting Facebook ID numbers. The applications use a common Web standard, known as a "referer" which passes on the address of the last page viewed when a user clicks on a link. On Facebook and other social-networking sites, referers can expose a user's identity. While the supporters of online tracking argue that this kind of surveillance is benign when being carried out anonymously, WSJ has found out that RapLeaf, a data-collection firm, had linked Facebook users' ID information obtained from applications to its own database of Internet users. The company is selling its database and has transmitted Facebook IDs to several other firms. "We didn't do it on purpose," stated Joel Jewitt, vice president of business development for RapLeaf. After being contacted by the WSJ, Facebook has changed its system so that the ID codes are no longer sent to other websites and has apparently also shut down some applications transmitting user IDs. Since 15 October, the users having tried to access certain applications have received an error message being reverted to Facebook's home screen. "We have taken immediate action to disable all applications that violate our terms," a Facebook spokesman said. Facebook in Privacy Breach (18.10.2010) http://online.wsj.com/article/SB10001424052702304772804575558484075236968.h… Facebook apps 'leaking details to advertisers' (18.10.2010) http://www.guardian.co.uk/technology/2010/oct/18/facebook-apps-data-privacy Facebook Faces Suit Over Earlier Breach (17.10.2010) http://blogs.wsj.com/digits/2010/10/17/facebook-faces-suit-over-earlier-bre… EDRi-gram: Facebook under pressure for not observing its privacy principles (19.05.2010) http://www.edri.org/edrigram/number8.10/privacy-google-article-29 ============================================================ 3. French DNS management must respect constitutional freedoms ============================================================ In a ruling issued on 6 October 2010, the French Constitutional Council affirmed the constitutional value of domain names. According to this decision, which applies to the whole French DNS, a domain name attribution, renewal, transfer or cancellation process must not only respect intellectual property rights, but also freedom of expression and freedom of entrepreneurship. The ruling was issued in the framework of a new procedure, that allows questioning the constitutionality of an existing law in the course of legal proceedings related to the application of the given law. In this case, the plaintiff was questioning the constitutionality of article L.45 of the French Posts and Electronic Communication Code, adopted in 2004 as part of the French law on trust in the digital economy ('Loi pour la confiance dans l'iconomie numirique' or LCEN). This article provides that the French Domain Name System (DNS) registries are appointed by the government; that each French ccTLD is managed by a unique registry; and that the government ensures that domain names are attributed by these registries "in view of the general interest, according to non discriminatory rules made publicly available and ensuring the respect, by the domain name holder, of intellectual property rights". The ruling follows the plaintiff argument that the article in question was infringing Article 34 of the Constitution which provides, inter alia, that "law shall lay down the basic principles of (...) systems of ownership, property rights and civil and commercial obligations". Therefore, due to the absence of precise enough safeguards, Article L.45 of the French Posts and Electronic Communication Code gives the Administration and the designed registries too much latitude regarding the management of the French DNS. In particular, the Constitutional Council found that, as currently defined, the law indeed protects intellectual property rights but neither freedom of expression nor freedom of entrepreneurship, since the last two may be restricted by the registry through denial of a domain name registration or renewal, or through its transfer or cancellation. AFNIC, the main French registry, manages the .fr as well as .re (Riunion Island), .pm (Saint-Pierre and Miquelon), .tf (French Southern and Antarctic Territories), .wf (Wallis and Futuna) and .yt (Mayotte). Other French ccTLDs are managed by different registries; .mq (Martinique), .gp (Guadeloupe) and .gf (French Guiana) are delegated to registrars; while.nc (New Caledonia) and .pf (French Polynesia) are administrated by the respective territories. The ccTLDs of the two other French territories (Saint Barthelemy and Saint Martin) have no assigned registries yet, and the corresponding domains (.bl and .mf) are not yet present in the root zone. All these registries have to comply with the provision of Article L.45 of the French Posts and Electronic Communication Code. As a result of this decision, the law should now be amended by 1 July 2011. The Constitutional Council gave this delay in order to avoid a major disruption that would otherwise threaten the legal continuity and security of the French domain name space. After this deadline, any decision from the government and/or from the registries designed pursuant to current Article L.45 of the French Posts and Electronic Communication Code would be deemed illegal. It must be noted that this ruling only concerns registries designated by the French government, according to the provisions having been found unconstitutional. It does not extend to any other ccTLD than that of the French national territory, nor to any gTLD. Furthermore, the Constitutional Council decision has no impact on the question of whether the registration of a domain name implies any property rights over this name or only the right to use this name for the registration period. However, and this is the major outcome of this decision, such a ruling may be seen as a breakthrough from a political point of view for all those who consider domain names as one of the means of freedom of expression and communication in the digital environment. French Constitutional Council decision and related dossier (only in French, 06.10.2010) http://www.conseil-constitutionnel.fr/conseil-constitutionnel/francais/les-… AFNIC (.fr registry) webiste http://www.afnic.fr (Contribution by Meryem Marzouki, French EDRI-member IRIS) ============================================================ 4. Danish tax authorities want to mirror hard disks of private companies ============================================================ A new proposed law would allow the Danish tax authorities to simply mirror entire hard disks of companies without a court order and before they have a reason to suspect the company has engaged in unlawful activities. The proposal adds the following two paragraphs to the law of tax auditing (unofficial translation): "Paragraph. 6. Customs and tax administration can make identical electronic copies (mirrors) of the content of electronic media that falls under the control of the customs and tax administrations, and can take the copied material away for subsequent review. The copied material must be deleted, if the customs and tax administration determines that the material does not contain information that is relevant for the control exercised by the customs and tax administration. However, if the customs and tax agency decides to proceed with the case, the copied material must be deleted only after the case is finally decided. Paragraph. 7. The minister of taxation determines, after submission to the National Board of Taxation, further rules regarding the customs and tax administration's right to make identical electronic copies (mirrors) of the data content of electronic media, that are part of an inspection, including rules on the retention and deletion of the copied material. " In the comments to the proposal, the issue of proportionality in relation to the Human Rights Convention article 8.2 is discussed. It was concluded that since the tax authorities will only use mirroring in cases where they would otherwise not get the necessary information, and only after they have determined in each case that less drastic measures would not be sufficient, then the impact on the individuals subject to the control is limited. The tax authorities argue the law will make their job easier, they promise not to abuse their new powers, and are willing to make adjustments if the consultation should point out minor problems. The proposal from the liberal/conservative government is supported by the largest opposition party, the Social Democrats, as Nick Hfkkerup said to Berlingske newspaper. He wants to ensure that the mirrors are only used for taxation, with the exception that if the tax authorities happen to discover child abuse images, it should be reported to the police. Conversely, the proposal has met hard criticism from the Danish Data Protection Agency, major medias, think tank CEPOS, blogs, etc. Draft law (only in Danish, 1.09.2010) https://www.borger.dk/Lovgivning/Hoeringsportalen/dl.aspx?hpid=24994 Civil liberty under pressure (only in Danish, 4.10.2010) http://www.berlingske.dk/ledere/borgerlig-frihed-under-pres Tax authorities requires free access to the hard disk (only in Danish, 4.10.2010) http://www.business.dk/oekonomi/skat-kraever-fri-adgang-til-harddisken Politicians welcomed the mirroring (only in Danish, 4.10.2010) http://www.business.dk/oekonomi/politikere-ser-positivt-paa-spejling (Contribution by Niels Elgaard Larsen, EDRI-member IT-POL Denmark) ============================================================ 5. Informal discussion in European Parliament on net neutrality ============================================================ For possibly the first time since the adoption of the "telecoms package", an informal discussion on the issue of "net neutrality" took place at a breakfast meeting hosted by Catherine Trautmann MEP. This happened ahead of upcoming the net neutrality "summit" planned to take place in the European Parliament. None of the positions defended by the industry or consumer representatives were particularly surprising, with Telefonica arguing that the "nightmare" of increased demands of their services had to be responded to by increased "management". In the same way as roads are not built to cope with maximum possible demands, it would be wasteful to build networks to have enough capacity to cope with maximum demand. Skype argued that the virtuous circle created by the open Internet, whereby openness fosters innovation which attracts more users, which increases the incentives to innovate, must be protected. Skype and the European Consumers Bureau (BEUC) argued that research shows clearly that transparency is insufficient to protect consumers from non-neutral access providers because of the difficulties involved in changing broadband providers. The Commission said that there were over 300 responses to the recently closed net neutrality consultation and that the priority was to ensure a level playing field and to avoid fragmentation. The issue of deep packet inspection, which BEUC said should be banned, was avoided by the Commission, which argued that other technologies "must be possible". During the debate, both Ivailo Kalfin (S+D, Bulgaria) and Edit Herczog (S+D, Hungary) briefly raised the thorny issue of content regulation, presumably because increased interference with citizens' communications for business purposes will make it harder for access providers to avoid caving in to demands to restrict or monitor access to data on the basis of government requests or media pressure. Telefonica (whose subsidiary O2 accidentally blocked the entirely innocent Imgur website because the "technology behind the service is more far reaching than anticipated and on occasion a site which should not be blocked may be") said that it was not interested in censoring online material. EDRi response to Commission consultation on net neutrality (30.09.2010) http://www.edri.org/docs/netneutralityreaction300910.pdf (Contribution by Joe McNamee - EDRi) ============================================================ 6. Lives put at risk by communications data retention ============================================================ A report published on 8 October 2010 by German civil liberties activists reveals that human lives are put at risk by the retention of all telecommunication data. According to the report, the data retention policy has endangered scientific research, caused unemployment, encouraged corruption, promoted the abuse of personal data and hindered the prosecution of crime. The report gives examples of cases when the registration of communication data failed to help the police in stopping criminals and how criminals might have used more discreet ways of communicating and internet cafes to disguise the origin and destination of messages. Crisis lines have also been hindered in their work to persuade potential perpetrators not to commit violent crimes by the traceability of anonymous calls. Already a 2009 study showed that the communications data retention law had resulted in 12.8% of those surveyed already using an anonymisation service, 6.4% moving to a service provider that didn't store data and 5.1% using internet cafis, The report also revealed that journalists had lost their sources for fear of being traced. The legislation also opened the door to abuse. In 2006, a T-Mobile co-worker sold a database containing the personal data of 17 million customers, including private addresses and secret numbers of politicians, ministers, an ex-federal president, industrial leaders, billionaires and religious leaders. "Even if one investigation was facilitated by collecting all call details, the policy has frustrated many other investigations and put human lives at risk," stated the Working Group on Data Retention adding: "Blanket and indiscriminate recording of details on every phone call, e-mail and internet connection was useless for the prosecution of crime and totally disproportionate." In June 2010, more than 100 organisations (including EDRi) from 23 European countries sent a letter to EU Commissioners Malmstrvm, Reding and Kroes asking for the data retention law to be repealed and be replaced by "a system of expedited preservation and targeted collection of traffic data". Communications data retention puts human lives at risk! (8.10.2010) http://www.vorratsdatenspeicherung.de/content/view/390/55/lang,en/ Data retention boosts crime, says civil liberties group (8.10.2010) http://www.computerweekly.com/Articles/2010/10/08/243246/Data-retention-boo… Liberties Groups' Report (only in German, 13.10.2010) http://wiki.vorratsdatenspeicherung.de/images/Bericht_Sicherheit-vor-Sammel… Civil society calls for an end to compulsory telecommunications data retention (28.06.2010) http://www.vorratsdatenspeicherung.de/content/view/370/79/lang,en/ EDRi-gram: German civil society calls for a definitive end to telecom data retention (21.04.2010) http://www.edri.org/edrigram/number8.8/german-ngos-repeal-data-retention ============================================================ 7. European Commission high-level discussions on data protection ============================================================ Commissioner Reding recently invited a wide variety of representatives from industry, civil society, academia and law enforcement bodies to a high-level meeting in the European Commission headquarters in Brussels. The dossier is clearly a major priority for Ms Reding, who was very keen to discuss the minutiae of the legislation with experts. One of the most interesting elements of the discussions was the apparently unanimous agreement across all stakeholders that the current data protection regime is fragmented, ineffective and out of date. This environment unfortunately leads to civil society groups and industry representatives argue about jurisdiction rules when a key reason that jurisdiction is a major issue is not jurisdiction itself, it is incoherence in implementation of the Directive that makes both citizens and business afraid of having to interact with foreign authorities with varying and sometimes unpredictable interpretations of the Directive. Industry speakers were also keen to reduce bureaucracy - one representative said that the move of a data centre from Germany to the Switzerland costs half a million euro in data protection-related legal fees. A number of industry speakers were in favour of more detailed ex post checks and a reduction in ex ante obligations. The Commission is clearly open to finding ways of reducing the bureaucracy involved in data protection, although no public statement has been made yet on what that could mean in practice. The next stage in this process will be the publication next week of a Communication by the European Commission establishing the broad direction that the Commission intends to take with regard to updating existing elements of the Directive and broadening the scope to a take account of the Lisbon Treaty, which brings the former "third pillar" (police and judicial cooperation) within the scope of the Treaty. One interesting question is whether the Commission will seriously consider proposing a Regulation (directly applicable on all Member States) as a way of overcoming the current fragmentation in the implementation of the Directive. European Commission Data Protection: http://ec.europa.eu/justice/policies/privacy/index_en.htm EDRi response to the first round of consultations (23.12.2009) http://www.edri.org/files/Response%20EDRi%20on%20personal%20data%20consulta… (Contribution by Joe McNamee - EDRi) ============================================================ 8. UK Government will introduce an open data licence ============================================================ A perpetual, royalty-free licence called Open Government Licence (OGL) allowing the re-use of Governmental and public information will be introduced by the UK Government. "The Government grants a worldwide, royalty-free, perpetual and non-exclusive licence under the conditions laid out in the OGL. The OGL governs the re-use of public sector information, including material produced by government departments, Parliaments, agencies, local authorities and Trading Funds, but excludes personal data," is the government's statement. According to the National Archives the licence will replace the present Click-Use Licence and will also cover Crown Copyright, databases and source codes. Moreover, OGL will not require the registration of users or a formal application to get permission to re-use data. The licence is meant to make governmental activities more transparent and to enable and encourage the civil society and private sector to re-use this information, assisting them in promoting creative and innovative activities. It will be machine readable and therefore flexible, being able to work in parallel with other licensing models recognised internationally such as Creative Commons. "We believe (transparency) is the best way for the public to hold politicians and public bodies to account, encourage innovation and deliver better value for money in public spending," said Francis Maude, Minister for the Cabinet Office. The types of information to be used and re-used will cover "non-personal information collected and produced by government and the public sector, including works subject to copyright and database right (much of this information will be accessible on public sector web sites or already published by the public sector), previously unpublished datasets released by the public sector on portals, such as data.gov.uk and original and open source software and source code." The Government has also issued a framework governing the use of the licence by Government departments and other public bodies. "The UK Government Licensing Framework (UKGLF) provides a policy and legal overview for licensing the re-use of public sector information both in central government and the wider public sector. It sets out best practice, standardises the licensing principles for government information and recommends the use of the UK Open Government Licence (OGL) for public sector information." The framework makes it compulsory for central Government departments and agencies to use the OGL for their freely available public information and is intended to meet the needs and interests of community groups and social organisations, the information re-user community in the private sector and civil society and the public data developer community. Government publishes open data license (7.10.2010) http://www.out-law.com//default.aspx?page=11426 UK Government Licensing Framework for public sector information http://www.nationalarchives.gov.uk/documents/uk-government-licensing-framew… EDRi-gram: New governmental usage of open licenses in the Netherlands and UK (7.04.2010) http://www.edri.org/edrigram/number8.7/open-content-government-uk-netherlan… ============================================================ 9. Spanish DPA opens infringement procedures for Google Streetview ============================================================ The Spanish Data Protection Agency (AEPD) has opened an infringement proceeding against Google after completing the preliminary inspection activities which started in May on the collection and storage without consent of Wi-Fi networks location data and traffic data associated with them (payload) by the vehicles used to photograph streets of several Spanish cities, for the company's Street View application. Moreover, once the infringement proceeding has been initiated, the AEPD has forwarded to the court the final inspection report, and according to the Administrative Procedure law, has adjourned the proceedings, pending the outcome of criminal proceedings in which the company is involved in the Court of Instruction No. 45 of Madrid. The opening of an infringement proceeding by the Spanish Data Protection Agency follows the conclusion of the investigations carried out by the AEPD's inspection, which have revealed the presence of signs of a total of five violations -two serious and three very serious- of the Spanish Data Protection Act. Two of them are attributable to Google in its capacity as responsible for providing the service and designing the software that collects data for the Street View service. The other three are attributable to Google Spain, as Google representatives in Spain are responsible for collecting and storing the data in Spain and for transferring it to the United States. Specifically, the investigations carried out by the Spanish DPA have verified the collection and storage by Google vehicles of personal data of various types transmitted through open Wi-Fi networks. Between the typology of personal data transmitted through these Wi- Fi networks, the AEPD has established the collection and storage by Google of email addresses, with names and surnames, addresses associated with email messages or instant messaging, access to social network accounts and websites or user names and passwords with personal data identifying its owners and, in some cases, allowing access to special sensitive data, among others. Furthermore, the investigation established the collection by Google of location and identification data of wireless networks, such as SSID, identifiers or names of the Wi-Fi network, that in some cases, contains the real name of the subscriber, and the MAC addresses- that identify the router, connected devices and the geographic position in which they were collected. In addition, it has been established the international transfer of personal data by Google to United States, without demonstrating the compliance of the guarantees provided by the Data Protection Act that authorizes the international transfers. In this regard, the decision starting the infringement proceedings charges both Google Spain and Google Inc with the commission of serious violations of the Organic Act 15/1999 - subject to fines from 60 000 euro to 300 000 euro each - due to the processing of personal data without the consent of the data subject, as well as very serious violations of collecting and processing of personal data with special protection or without the explicit consent of the data subject, as stated by the Data Protection Act. Also, Google Spain is charged with another very serious violation of the Organic Law because of the international transfer of data to the United States of America without the guarantees foreseen by the Data Protection Act. By virtue of section 7 of the Royal Decree 1398/1993, the Spanish Data Protection Agency had to adjourn the administrative proceedings because of the criminal proceedings started by the First-instance Court number 45 of Madrid. Once the criminal proceedings are finalised, the Spanish Data Protection Agency will resume the administrative proceedings in accordance with the legal procedural rules, In that sense, the affected entities will have a term for bringing pleadings or evidence, before the final resolution of the Authority deciding on the infringements and on their legal categorisation is determined. Press release in Spanish (18.10.2010) https://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2010/notas_… (Thanks to Spanish DPA Press Release) ============================================================ 10. ENDitorial: Irish court rejects music industry demands for three strikes ============================================================ On 11 October 2010, Mr. Justice Peter Charleton of the Irish High Court gave judgment in EMI and Others v. UPC , rejecting music industry claims that broadband provider UPC was responsible under Irish law for policing their users and preventing copyright infringement by them. In this case, EMI, Sony, Universal, Warner and WEA sought an injunction which would require UPC to introduce a three strikes system and to block users' access to The Pirate Bay. This followed the music industry's success in an earlier case against Eircom (Ireland's largest ISP). In that case, Eircom settled and agreed to establish a three strikes system and not to oppose the application to court to block access to The Pirate Bay. In two subsequent decisions arising from that settlement, Charleton J. held that (a) the court had the power to order Eircom to block access to particular sites and (b) that the three strikes system which was agreed between Eircom and the music industry did not conflict with data protection law. Unlike Eircom, however, UPC fought the music industry action, leading for the first time in the Irish courts to a full, contested hearing on the obligations of internet service providers in relation to filesharing. In a lengthy judgment, Charleton J. found that UPC users were engaged in extensive illegal downloading and uploading. He found that it would be possible for UPC to effectively reduce this by making use of systems such as CopySense peer to peer filtering or the detection and disconnection of users who are making available infringing copies, and made a specific finding that such systems would be accurate, practicable and not disproportionately expensive or burdensome. He found that other remedies available to the music industry, in particular identifying infringing users and bringing action against them, were inadequate. He also found that no privacy interest was implicated by the monitoring which these systems would entail. Charleton J. also held that the blocking of The Pirate Bay would be "both educative and helpful", rejecting expert testimony that blocking would be easily evaded and futile. Notwithstanding these findings, however, Charleton J. held that, under the Irish law, the court did not have the authority to grant an injunction requiring an ISP to introduce such systems or to block access to particular sites. The relevant Irish law was identified as section 40(4) of the Copyright and Related Rights Act 2000, which provides that: "where a person who provides facilities [to make a work available to the public] is notified by the owner of the copyright in the work concerned that those facilities are being used to infringe the copyright in that work and that person fails to remove that infringing material as soon as practicable thereafter that person shall also be liable for the infringement." The court found that this section, referring to the removal of infringing material, primarily envisaged situations where a defendant hosted material rather than simply permitted transit of material. Consequently, it could not be used to justify the grant of an injunction in relation to transit, and Charleton J. acknowledged that his earlier decision ordering Eircom to block access to The Pirate Bay was incorrect. Charleton J. went on to consider the effect of the European law and in particular the E-Commerce Directive and the Copyright Directive. He found that Article 15 of the E-Commerce Directive (prohibiting a general obligation to monitor) was irrelevant, holding that the use of deep packet inspection: "is not the seeking of information which is in the course of transmission. Instead, it identifies the nature of transmissions, whether encrypted or otherwise, by reference to the ports which they use, and the protocol employed, so as to identify peer-to-peer communication. UPC does this already for legitimate commercial purposes related to the management of transmissions. If it suited, they could also easily identify the file # of copyright works and block them or divert the search in aid of theft to a legal site. This is not a general search for information." He also held that UPC was a mere conduit for the purposes of the E-Commerce Directive, but that this, nevertheless, left open the possibility for a court to require an internet provider to terminate or prevent an infringement, and went on to hold that the Copyright Directive required Member States to introduce laws which would provide for these remedies. Consequently, as the Irish law did not provide for these remedies Charleton J. found that Ireland "is not yet fully in compliance with its obligations under European law". Following this judgment, and in particular its finding that Irish law has failed to correctly implement the Copyright Directive, it is likely that the issue of filesharing will be high on the political agenda in Ireland. Representatives of the music industry have already called for legislative intervention, and have also threatened to sue the Irish state for losses caused by failure to tackle filesharing. Against this, however, the judgment can be criticised on a number of fronts. Concern has been expressed about the figures relied on by the judge for the extent of piracy, which have been described as inflated. The confident description of deep packet inspection as not involving a "general duty to monitor" is also unusual in light of the preliminary reference to the European Court of Justice in SABAM v. Scarlet (Tiscali) in which this would seem to be a live issue. Similarly, the claim that no privacy issues are involved in three strikes and blocking systems seems to be undermined by the fact that the Data Protection Commissioner took no part in these proceedings so that an important viewpoint went unrepresented, and also fails to take account of developments elsewhere (such as Switzerland) where opposite conclusions have been reached. It is also unclear where this leaves the three strikes and blocking systems which Eircom has already introduced. To date there has been no indication from Eircom as to whether it intends to continue with these systems despite the ruling, and despite the competitive disadvantage which it would appear to impose on it. EMI v. UPC (Unreported, High Court, 11.10.2010) http://www.scribd.com/doc/39104491/EMI-v-UPC John Collins and Ronan McGreevy, "Music labels to rethink fight against piracy" (12.10.2010) http://www.irishtimes.com/newspaper/frontpage/2010/1012/1224280879811.html Ronan McGreevy, "U2 manager criticises UPC defence", Irish Times (14.10.2010) http://www.irishtimes.com/newspaper/breaking/2010/1014/breaking52.html Justin Mason, "Aslan's hard times, from the UPC judgment", taint.org (11.10.2010) http://taint.org/2010/10/11/231501a.html Rossa McMahon, "Strike 1?", A Clatter of the Law (13.10.2010) http://aclatterofthelaw.com/2010/10/13/strike-one/ (Contribution by TJ McIntyre - EDRi-member Digital Rights Ireland) ============================================================ 11. Recommended Action ============================================================ An on-line survey on the PSI Directive The Digital Agenda for Europe lists the revision of the Directive 2003/98/EC on the re-use of public sector information (PSI Directive) among its first key actions. It highlights that governments can stimulate content markets by making PSI available on transparent, effective and non-discriminatory terms. Deadline: 30 November 2010 http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=psidirective2010 Technolife debate: social and ethical implications of biometrics and mobility http://biometrics.kertechno.net/ ============================================================ 12. Recommended Reading ============================================================ Opinion of the European Data Protection Supervisor on the Communication from the Commission on the global approach to transfers of Passenger Name Record (PNR) data to third countries (19.10.2010) http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consu… New microshort film on the Public Domain Calculators (12.10.2010) http://blog.okfn.org/2010/10/12/new-microshort-film-on-the-public-domain-ca… Brussels: There are no guarantees in terms of controlling the secret police in Macedonia (14.10.2010) http://metamorphosis.org.mk/macedonia/brisel-nema-garancii-kako-da-se-kontr… ============================================================ 13. Agenda ============================================================ 25 October 2010, Brussels, Belgium Hearing by the European Parliament's Committee on Civil Liberties, Justice, and Home Affairs (LIBE): "Data Protection in a Transatlantic Perspective. Future EU-US data protection agreement in the framework of police and judicial cooperation in criminal matters", 15.00-18.30, Room ASP 3E002. Programme http://www.europarl.europa.eu/document/activities/cont/201010/20101013ATT86… Live-Stream http://www.europarl.europa.eu/wps-europarl-internet/frd/live/live-video?lan… 25-26 October 2010, Jerusalem, Israel OECD Conference on "Privacy, Technology and Global Data Flows", celebrating the 30th anniversary of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data http://www.oecd.org/sti/privacyanniversary 26 October 2010, Brussels, Belgium Future Internet Architecture (FIArch) Open Workshop on the Future Internet Architecture Limitations http://ec.europa.eu/information_society/activities/foi/research/fiarch/inde… 27-29 October 2010, Jerusalem, Israel The 32nd Annual International Conference of Data Protection and Privacy Commissioners http://www.privacyconference2010.org/ 28-31 October 2010, Barcelona, Spain oXcars and Free Culture Forum 2010, the biggest free culture event of all time http://exgae.net/oxcars10 http://fcforum.net/10 3-5 November 2010, Barcelona, Spain The Fifth International Conference on Legal, Security and Privacy Issues in IT Law. http://www.lspi.net/ 5-7 November 2010, Cologne, Germany Transparency, Work, Surveillance Joint Annual Meeting of FIfF and DVD http://fiff.de/veranstaltungen/fiff-jahrestagungen/JT2010/jt2010_uebersicht 5-7 November 2010, Gothenburg, Sweden Free Society Conference and Nordic Summit http://www.fscons.org/ 17 November 2010, Gent, Belgium Big Brother Awards 2010 Belgium http://www.winuwprivacy.be/kandidaten 27-30 December 2010, Berlin, Germany 27th Chaos Communication Congress (27C3) http://events.ccc.de/congress/2010 25-28 January 2011, Brussels, Belgium The annual Conference Computers, Privacy & Data Protection CPDP 2011 European Data Protection: In Good Health? Submission deadline for Full Papers and Position Papers: 16 November 2010 http://www.cpdpconferences.org/ ============================================================ 14. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 27 members based or with offices in 17 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and are visible on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram(a)edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request(a)edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request(a)edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edri/2.html - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram(a)edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

EDRi-gram newsletter - Number 8.20, 20 October 2010
by EDRI-gram newsletter 06 Jul '18

06 Jul '18

============================================================ EDRi-gram biweekly newsletter about digital civil rights in Europe Number 8.20, 20 October 2010 ============================================================ Contents ============================================================ 1. Guidelines for more rigorous respect of the Fundamental Rights Charter 2. Facebook applications raise new privacy concerns again 3. French DNS management must respect constitutional freedoms 4. Danish tax authorities want to mirror hard disks of private companies 5. Informal discussion in European Parliament on net neutrality 6. Lives put at risk by communications data retention 7. European Commission high-level discussions on data protection 8. UK Government will introduce an open data licence 9. Spanish DPA opens infringement procedures for Google Streetview 10. ENDitorial: Irish court rejects music industry demands for three strikes 11. Recommended Action 12. Recommended Reading 13. Agenda 14. About ============================================================ 1. Guidelines for more rigorous respect of the Fundamental Rights Charter ============================================================ The European Commission has adopted a strategy which is aimed at ensuring that the EU Charter of Fundamental Rights is respected at every stage of the EU legislative process. At the initiative of Commissioner Reding, the intention is to create a template to make it easier for the Commission to measure its own respect for the Charter and, by extension, to give the public a clearer yardstick by which to measure the actions of the Commission. As is Commissioner Reding's trademark, the Communication is very ambitious, arguing that the "Union must be exemplary" in matters of fundamental rights and demands that "the Charter must serve as compass for the Union's policies and their implementation by the Member States." Since the adoption of the Lisbon Treaty, which made the Charter legally binding, all Commissioners took a personal oath to respect the Charter. However, in the absence of a methodology to incorporate this into policy development, the Commission has struggled to "mainstream" this new element of legislative development into all of its activities. For example, when the Commission re-tabled the draft Framework Decision on Child Exploitation, it changed the proposal in a way which, according to its own impact assessment, was contrary to the European Convention on Fundamental Rights (the "meaning and rights" of which are incorporated into the Charter). One of the clearest pedagogical elements of the Communication is a "Fundamental Rights 'Check List'", listing the questions that the Commission must ask at each stage of the legislative process when assessing the possible impact of the proposed legislation. This is to be repeated at each step of all legislative processes, from preparatory consultations thorough the impact assessment process and the legislative process. This includes, "using all means at its disposal" to fight noncompliant amendments tabled by other institutions. It is, unfortunately, very obvious that the Communication will not solve all or even most of the failures of the Commission with regard to respect for fundamental rights protected by the Charter and Convention of Fundamental Rights. However, it is also clear that the Communication establishes a new and very clear set of standards and guidelines against which the Commission can now be measured. This is an important step in the right direction and a significant achievement by Commissioner Reding. European Commission adopts strategy to ensure respect for EU Charter of Fundamental Rights (19.10.2010) http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/1348&format=H… European Commission Communication - Strategy for the effective implementation of the Charter of Fundamental Rights by the European Union (19.10.2010) http://ec.europa.eu/justice/news/intro/doc/com_2010_573_4_en.pdf (Contribution by Joe McNamee - EDRi) ============================================================ 2. Facebook applications raise new privacy concerns again ============================================================ Facebook continues to raise concerns related to the privacy of its users' personal data. According to an investigation made by Wall Street Journal (WSJ), Facebook applications such as FarmVille have been supplying identifying information of its users to several online advertising and tracking companies. Already in May 2010 it was revealed that under certain circumstances, when a user was clicking on an ad, Facebook was transmitting its ID codes that were used to look up individual profiles, including the user's real name, age, hometown and other data. Although Facebook has interrupted the practice, it has now come Facebook applications were doing the same practice. The practice affects millions of users including those who have placed their data under the strictest privacy settings. According to WSJ, at least ten of the most popular Facebook applications also transmitted personal information about the user's friends to external companies. Two Facebook users from California, David Gould and Mike Robertson, have filed a federal lawsuit against the social network for allegedly sharing their real names and other private information with some advertisers, considering Facebook was thus in direct violation of the federal law that protects the privacy of electronic communications, the California computer-crime law as well as the company's own privacy policy. "A Facebook user ID may be inadvertently shared by a user's Internet browser or by an application," stated a spokesman from Facebook on 16 October 2010, who added that the company would introduce new technology to address the problem. According to the company, there is no basis for the law suit. As a Facebook user's ID is a public part of any Facebook profile, anyone can use this number to look up a person's name, by using a standard Web browser, even if that person has posted Facebook information as private. Facebook IDs reveal information that the users have set to share with everyone. Most applications on Facebook are created by independent software developers and it is not yet clear whether their developers knew that their applications were transmitting Facebook ID numbers. The applications use a common Web standard, known as a "referer" which passes on the address of the last page viewed when a user clicks on a link. On Facebook and other social-networking sites, referers can expose a user's identity. While the supporters of online tracking argue that this kind of surveillance is benign when being carried out anonymously, WSJ has found out that RapLeaf, a data-collection firm, had linked Facebook users' ID information obtained from applications to its own database of Internet users. The company is selling its database and has transmitted Facebook IDs to several other firms. "We didn't do it on purpose," stated Joel Jewitt, vice president of business development for RapLeaf. After being contacted by the WSJ, Facebook has changed its system so that the ID codes are no longer sent to other websites and has apparently also shut down some applications transmitting user IDs. Since 15 October, the users having tried to access certain applications have received an error message being reverted to Facebook's home screen. "We have taken immediate action to disable all applications that violate our terms," a Facebook spokesman said. Facebook in Privacy Breach (18.10.2010) http://online.wsj.com/article/SB10001424052702304772804575558484075236968.h… Facebook apps 'leaking details to advertisers' (18.10.2010) http://www.guardian.co.uk/technology/2010/oct/18/facebook-apps-data-privacy Facebook Faces Suit Over Earlier Breach (17.10.2010) http://blogs.wsj.com/digits/2010/10/17/facebook-faces-suit-over-earlier-bre… EDRi-gram: Facebook under pressure for not observing its privacy principles (19.05.2010) http://www.edri.org/edrigram/number8.10/privacy-google-article-29 ============================================================ 3. French DNS management must respect constitutional freedoms ============================================================ In a ruling issued on 6 October 2010, the French Constitutional Council affirmed the constitutional value of domain names. According to this decision, which applies to the whole French DNS, a domain name attribution, renewal, transfer or cancellation process must not only respect intellectual property rights, but also freedom of expression and freedom of entrepreneurship. The ruling was issued in the framework of a new procedure, that allows questioning the constitutionality of an existing law in the course of legal proceedings related to the application of the given law. In this case, the plaintiff was questioning the constitutionality of article L.45 of the French Posts and Electronic Communication Code, adopted in 2004 as part of the French law on trust in the digital economy ('Loi pour la confiance dans l'iconomie numirique' or LCEN). This article provides that the French Domain Name System (DNS) registries are appointed by the government; that each French ccTLD is managed by a unique registry; and that the government ensures that domain names are attributed by these registries "in view of the general interest, according to non discriminatory rules made publicly available and ensuring the respect, by the domain name holder, of intellectual property rights". The ruling follows the plaintiff argument that the article in question was infringing Article 34 of the Constitution which provides, inter alia, that "law shall lay down the basic principles of (...) systems of ownership, property rights and civil and commercial obligations". Therefore, due to the absence of precise enough safeguards, Article L.45 of the French Posts and Electronic Communication Code gives the Administration and the designed registries too much latitude regarding the management of the French DNS. In particular, the Constitutional Council found that, as currently defined, the law indeed protects intellectual property rights but neither freedom of expression nor freedom of entrepreneurship, since the last two may be restricted by the registry through denial of a domain name registration or renewal, or through its transfer or cancellation. AFNIC, the main French registry, manages the .fr as well as .re (Riunion Island), .pm (Saint-Pierre and Miquelon), .tf (French Southern and Antarctic Territories), .wf (Wallis and Futuna) and .yt (Mayotte). Other French ccTLDs are managed by different registries; .mq (Martinique), .gp (Guadeloupe) and .gf (French Guiana) are delegated to registrars; while.nc (New Caledonia) and .pf (French Polynesia) are administrated by the respective territories. The ccTLDs of the two other French territories (Saint Barthelemy and Saint Martin) have no assigned registries yet, and the corresponding domains (.bl and .mf) are not yet present in the root zone. All these registries have to comply with the provision of Article L.45 of the French Posts and Electronic Communication Code. As a result of this decision, the law should now be amended by 1 July 2011. The Constitutional Council gave this delay in order to avoid a major disruption that would otherwise threaten the legal continuity and security of the French domain name space. After this deadline, any decision from the government and/or from the registries designed pursuant to current Article L.45 of the French Posts and Electronic Communication Code would be deemed illegal. It must be noted that this ruling only concerns registries designated by the French government, according to the provisions having been found unconstitutional. It does not extend to any other ccTLD than that of the French national territory, nor to any gTLD. Furthermore, the Constitutional Council decision has no impact on the question of whether the registration of a domain name implies any property rights over this name or only the right to use this name for the registration period. However, and this is the major outcome of this decision, such a ruling may be seen as a breakthrough from a political point of view for all those who consider domain names as one of the means of freedom of expression and communication in the digital environment. French Constitutional Council decision and related dossier (only in French, 06.10.2010) http://www.conseil-constitutionnel.fr/conseil-constitutionnel/francais/les-… AFNIC (.fr registry) webiste http://www.afnic.fr (Contribution by Meryem Marzouki, French EDRI-member IRIS) ============================================================ 4. Danish tax authorities want to mirror hard disks of private companies ============================================================ A new proposed law would allow the Danish tax authorities to simply mirror entire hard disks of companies without a court order and before they have a reason to suspect the company has engaged in unlawful activities. The proposal adds the following two paragraphs to the law of tax auditing (unofficial translation): "Paragraph. 6. Customs and tax administration can make identical electronic copies (mirrors) of the content of electronic media that falls under the control of the customs and tax administrations, and can take the copied material away for subsequent review. The copied material must be deleted, if the customs and tax administration determines that the material does not contain information that is relevant for the control exercised by the customs and tax administration. However, if the customs and tax agency decides to proceed with the case, the copied material must be deleted only after the case is finally decided. Paragraph. 7. The minister of taxation determines, after submission to the National Board of Taxation, further rules regarding the customs and tax administration's right to make identical electronic copies (mirrors) of the data content of electronic media, that are part of an inspection, including rules on the retention and deletion of the copied material. " In the comments to the proposal, the issue of proportionality in relation to the Human Rights Convention article 8.2 is discussed. It was concluded that since the tax authorities will only use mirroring in cases where they would otherwise not get the necessary information, and only after they have determined in each case that less drastic measures would not be sufficient, then the impact on the individuals subject to the control is limited. The tax authorities argue the law will make their job easier, they promise not to abuse their new powers, and are willing to make adjustments if the consultation should point out minor problems. The proposal from the liberal/conservative government is supported by the largest opposition party, the Social Democrats, as Nick Hfkkerup said to Berlingske newspaper. He wants to ensure that the mirrors are only used for taxation, with the exception that if the tax authorities happen to discover child abuse images, it should be reported to the police. Conversely, the proposal has met hard criticism from the Danish Data Protection Agency, major medias, think tank CEPOS, blogs, etc. Draft law (only in Danish, 1.09.2010) https://www.borger.dk/Lovgivning/Hoeringsportalen/dl.aspx?hpid=24994 Civil liberty under pressure (only in Danish, 4.10.2010) http://www.berlingske.dk/ledere/borgerlig-frihed-under-pres Tax authorities requires free access to the hard disk (only in Danish, 4.10.2010) http://www.business.dk/oekonomi/skat-kraever-fri-adgang-til-harddisken Politicians welcomed the mirroring (only in Danish, 4.10.2010) http://www.business.dk/oekonomi/politikere-ser-positivt-paa-spejling (Contribution by Niels Elgaard Larsen, EDRI-member IT-POL Denmark) ============================================================ 5. Informal discussion in European Parliament on net neutrality ============================================================ For possibly the first time since the adoption of the "telecoms package", an informal discussion on the issue of "net neutrality" took place at a breakfast meeting hosted by Catherine Trautmann MEP. This happened ahead of upcoming the net neutrality "summit" planned to take place in the European Parliament. None of the positions defended by the industry or consumer representatives were particularly surprising, with Telefonica arguing that the "nightmare" of increased demands of their services had to be responded to by increased "management". In the same way as roads are not built to cope with maximum possible demands, it would be wasteful to build networks to have enough capacity to cope with maximum demand. Skype argued that the virtuous circle created by the open Internet, whereby openness fosters innovation which attracts more users, which increases the incentives to innovate, must be protected. Skype and the European Consumers Bureau (BEUC) argued that research shows clearly that transparency is insufficient to protect consumers from non-neutral access providers because of the difficulties involved in changing broadband providers. The Commission said that there were over 300 responses to the recently closed net neutrality consultation and that the priority was to ensure a level playing field and to avoid fragmentation. The issue of deep packet inspection, which BEUC said should be banned, was avoided by the Commission, which argued that other technologies "must be possible". During the debate, both Ivailo Kalfin (S+D, Bulgaria) and Edit Herczog (S+D, Hungary) briefly raised the thorny issue of content regulation, presumably because increased interference with citizens' communications for business purposes will make it harder for access providers to avoid caving in to demands to restrict or monitor access to data on the basis of government requests or media pressure. Telefonica (whose subsidiary O2 accidentally blocked the entirely innocent Imgur website because the "technology behind the service is more far reaching than anticipated and on occasion a site which should not be blocked may be") said that it was not interested in censoring online material. EDRi response to Commission consultation on net neutrality (30.09.2010) http://www.edri.org/docs/netneutralityreaction300910.pdf (Contribution by Joe McNamee - EDRi) ============================================================ 6. Lives put at risk by communications data retention ============================================================ A report published on 8 October 2010 by German civil liberties activists reveals that human lives are put at risk by the retention of all telecommunication data. According to the report, the data retention policy has endangered scientific research, caused unemployment, encouraged corruption, promoted the abuse of personal data and hindered the prosecution of crime. The report gives examples of cases when the registration of communication data failed to help the police in stopping criminals and how criminals might have used more discreet ways of communicating and internet cafes to disguise the origin and destination of messages. Crisis lines have also been hindered in their work to persuade potential perpetrators not to commit violent crimes by the traceability of anonymous calls. Already a 2009 study showed that the communications data retention law had resulted in 12.8% of those surveyed already using an anonymisation service, 6.4% moving to a service provider that didn't store data and 5.1% using internet cafis, The report also revealed that journalists had lost their sources for fear of being traced. The legislation also opened the door to abuse. In 2006, a T-Mobile co-worker sold a database containing the personal data of 17 million customers, including private addresses and secret numbers of politicians, ministers, an ex-federal president, industrial leaders, billionaires and religious leaders. "Even if one investigation was facilitated by collecting all call details, the policy has frustrated many other investigations and put human lives at risk," stated the Working Group on Data Retention adding: "Blanket and indiscriminate recording of details on every phone call, e-mail and internet connection was useless for the prosecution of crime and totally disproportionate." In June 2010, more than 100 organisations (including EDRi) from 23 European countries sent a letter to EU Commissioners Malmstrvm, Reding and Kroes asking for the data retention law to be repealed and be replaced by "a system of expedited preservation and targeted collection of traffic data". Communications data retention puts human lives at risk! (8.10.2010) http://www.vorratsdatenspeicherung.de/content/view/390/55/lang,en/ Data retention boosts crime, says civil liberties group (8.10.2010) http://www.computerweekly.com/Articles/2010/10/08/243246/Data-retention-boo… Liberties Groups' Report (only in German, 13.10.2010) http://wiki.vorratsdatenspeicherung.de/images/Bericht_Sicherheit-vor-Sammel… Civil society calls for an end to compulsory telecommunications data retention (28.06.2010) http://www.vorratsdatenspeicherung.de/content/view/370/79/lang,en/ EDRi-gram: German civil society calls for a definitive end to telecom data retention (21.04.2010) http://www.edri.org/edrigram/number8.8/german-ngos-repeal-data-retention ============================================================ 7. European Commission high-level discussions on data protection ============================================================ Commissioner Reding recently invited a wide variety of representatives from industry, civil society, academia and law enforcement bodies to a high-level meeting in the European Commission headquarters in Brussels. The dossier is clearly a major priority for Ms Reding, who was very keen to discuss the minutiae of the legislation with experts. One of the most interesting elements of the discussions was the apparently unanimous agreement across all stakeholders that the current data protection regime is fragmented, ineffective and out of date. This environment unfortunately leads to civil society groups and industry representatives argue about jurisdiction rules when a key reason that jurisdiction is a major issue is not jurisdiction itself, it is incoherence in implementation of the Directive that makes both citizens and business afraid of having to interact with foreign authorities with varying and sometimes unpredictable interpretations of the Directive. Industry speakers were also keen to reduce bureaucracy - one representative said that the move of a data centre from Germany to the Switzerland costs half a million euro in data protection-related legal fees. A number of industry speakers were in favour of more detailed ex post checks and a reduction in ex ante obligations. The Commission is clearly open to finding ways of reducing the bureaucracy involved in data protection, although no public statement has been made yet on what that could mean in practice. The next stage in this process will be the publication next week of a Communication by the European Commission establishing the broad direction that the Commission intends to take with regard to updating existing elements of the Directive and broadening the scope to a take account of the Lisbon Treaty, which brings the former "third pillar" (police and judicial cooperation) within the scope of the Treaty. One interesting question is whether the Commission will seriously consider proposing a Regulation (directly applicable on all Member States) as a way of overcoming the current fragmentation in the implementation of the Directive. European Commission Data Protection: http://ec.europa.eu/justice/policies/privacy/index_en.htm EDRi response to the first round of consultations (23.12.2009) http://www.edri.org/files/Response%20EDRi%20on%20personal%20data%20consulta… (Contribution by Joe McNamee - EDRi) ============================================================ 8. UK Government will introduce an open data licence ============================================================ A perpetual, royalty-free licence called Open Government Licence (OGL) allowing the re-use of Governmental and public information will be introduced by the UK Government. "The Government grants a worldwide, royalty-free, perpetual and non-exclusive licence under the conditions laid out in the OGL. The OGL governs the re-use of public sector information, including material produced by government departments, Parliaments, agencies, local authorities and Trading Funds, but excludes personal data," is the government's statement. According to the National Archives the licence will replace the present Click-Use Licence and will also cover Crown Copyright, databases and source codes. Moreover, OGL will not require the registration of users or a formal application to get permission to re-use data. The licence is meant to make governmental activities more transparent and to enable and encourage the civil society and private sector to re-use this information, assisting them in promoting creative and innovative activities. It will be machine readable and therefore flexible, being able to work in parallel with other licensing models recognised internationally such as Creative Commons. "We believe (transparency) is the best way for the public to hold politicians and public bodies to account, encourage innovation and deliver better value for money in public spending," said Francis Maude, Minister for the Cabinet Office. The types of information to be used and re-used will cover "non-personal information collected and produced by government and the public sector, including works subject to copyright and database right (much of this information will be accessible on public sector web sites or already published by the public sector), previously unpublished datasets released by the public sector on portals, such as data.gov.uk and original and open source software and source code." The Government has also issued a framework governing the use of the licence by Government departments and other public bodies. "The UK Government Licensing Framework (UKGLF) provides a policy and legal overview for licensing the re-use of public sector information both in central government and the wider public sector. It sets out best practice, standardises the licensing principles for government information and recommends the use of the UK Open Government Licence (OGL) for public sector information." The framework makes it compulsory for central Government departments and agencies to use the OGL for their freely available public information and is intended to meet the needs and interests of community groups and social organisations, the information re-user community in the private sector and civil society and the public data developer community. Government publishes open data license (7.10.2010) http://www.out-law.com//default.aspx?page=11426 UK Government Licensing Framework for public sector information http://www.nationalarchives.gov.uk/documents/uk-government-licensing-framew… EDRi-gram: New governmental usage of open licenses in the Netherlands and UK (7.04.2010) http://www.edri.org/edrigram/number8.7/open-content-government-uk-netherlan… ============================================================ 9. Spanish DPA opens infringement procedures for Google Streetview ============================================================ The Spanish Data Protection Agency (AEPD) has opened an infringement proceeding against Google after completing the preliminary inspection activities which started in May on the collection and storage without consent of Wi-Fi networks location data and traffic data associated with them (payload) by the vehicles used to photograph streets of several Spanish cities, for the company's Street View application. Moreover, once the infringement proceeding has been initiated, the AEPD has forwarded to the court the final inspection report, and according to the Administrative Procedure law, has adjourned the proceedings, pending the outcome of criminal proceedings in which the company is involved in the Court of Instruction No. 45 of Madrid. The opening of an infringement proceeding by the Spanish Data Protection Agency follows the conclusion of the investigations carried out by the AEPD's inspection, which have revealed the presence of signs of a total of five violations -two serious and three very serious- of the Spanish Data Protection Act. Two of them are attributable to Google in its capacity as responsible for providing the service and designing the software that collects data for the Street View service. The other three are attributable to Google Spain, as Google representatives in Spain are responsible for collecting and storing the data in Spain and for transferring it to the United States. Specifically, the investigations carried out by the Spanish DPA have verified the collection and storage by Google vehicles of personal data of various types transmitted through open Wi-Fi networks. Between the typology of personal data transmitted through these Wi- Fi networks, the AEPD has established the collection and storage by Google of email addresses, with names and surnames, addresses associated with email messages or instant messaging, access to social network accounts and websites or user names and passwords with personal data identifying its owners and, in some cases, allowing access to special sensitive data, among others. Furthermore, the investigation established the collection by Google of location and identification data of wireless networks, such as SSID, identifiers or names of the Wi-Fi network, that in some cases, contains the real name of the subscriber, and the MAC addresses- that identify the router, connected devices and the geographic position in which they were collected. In addition, it has been established the international transfer of personal data by Google to United States, without demonstrating the compliance of the guarantees provided by the Data Protection Act that authorizes the international transfers. In this regard, the decision starting the infringement proceedings charges both Google Spain and Google Inc with the commission of serious violations of the Organic Act 15/1999 - subject to fines from 60 000 euro to 300 000 euro each - due to the processing of personal data without the consent of the data subject, as well as very serious violations of collecting and processing of personal data with special protection or without the explicit consent of the data subject, as stated by the Data Protection Act. Also, Google Spain is charged with another very serious violation of the Organic Law because of the international transfer of data to the United States of America without the guarantees foreseen by the Data Protection Act. By virtue of section 7 of the Royal Decree 1398/1993, the Spanish Data Protection Agency had to adjourn the administrative proceedings because of the criminal proceedings started by the First-instance Court number 45 of Madrid. Once the criminal proceedings are finalised, the Spanish Data Protection Agency will resume the administrative proceedings in accordance with the legal procedural rules, In that sense, the affected entities will have a term for bringing pleadings or evidence, before the final resolution of the Authority deciding on the infringements and on their legal categorisation is determined. Press release in Spanish (18.10.2010) https://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2010/notas_… (Thanks to Spanish DPA Press Release) ============================================================ 10. ENDitorial: Irish court rejects music industry demands for three strikes ============================================================ On 11 October 2010, Mr. Justice Peter Charleton of the Irish High Court gave judgment in EMI and Others v. UPC , rejecting music industry claims that broadband provider UPC was responsible under Irish law for policing their users and preventing copyright infringement by them. In this case, EMI, Sony, Universal, Warner and WEA sought an injunction which would require UPC to introduce a three strikes system and to block users' access to The Pirate Bay. This followed the music industry's success in an earlier case against Eircom (Ireland's largest ISP). In that case, Eircom settled and agreed to establish a three strikes system and not to oppose the application to court to block access to The Pirate Bay. In two subsequent decisions arising from that settlement, Charleton J. held that (a) the court had the power to order Eircom to block access to particular sites and (b) that the three strikes system which was agreed between Eircom and the music industry did not conflict with data protection law. Unlike Eircom, however, UPC fought the music industry action, leading for the first time in the Irish courts to a full, contested hearing on the obligations of internet service providers in relation to filesharing. In a lengthy judgment, Charleton J. found that UPC users were engaged in extensive illegal downloading and uploading. He found that it would be possible for UPC to effectively reduce this by making use of systems such as CopySense peer to peer filtering or the detection and disconnection of users who are making available infringing copies, and made a specific finding that such systems would be accurate, practicable and not disproportionately expensive or burdensome. He found that other remedies available to the music industry, in particular identifying infringing users and bringing action against them, were inadequate. He also found that no privacy interest was implicated by the monitoring which these systems would entail. Charleton J. also held that the blocking of The Pirate Bay would be "both educative and helpful", rejecting expert testimony that blocking would be easily evaded and futile. Notwithstanding these findings, however, Charleton J. held that, under the Irish law, the court did not have the authority to grant an injunction requiring an ISP to introduce such systems or to block access to particular sites. The relevant Irish law was identified as section 40(4) of the Copyright and Related Rights Act 2000, which provides that: "where a person who provides facilities [to make a work available to the public] is notified by the owner of the copyright in the work concerned that those facilities are being used to infringe the copyright in that work and that person fails to remove that infringing material as soon as practicable thereafter that person shall also be liable for the infringement." The court found that this section, referring to the removal of infringing material, primarily envisaged situations where a defendant hosted material rather than simply permitted transit of material. Consequently, it could not be used to justify the grant of an injunction in relation to transit, and Charleton J. acknowledged that his earlier decision ordering Eircom to block access to The Pirate Bay was incorrect. Charleton J. went on to consider the effect of the European law and in particular the E-Commerce Directive and the Copyright Directive. He found that Article 15 of the E-Commerce Directive (prohibiting a general obligation to monitor) was irrelevant, holding that the use of deep packet inspection: "is not the seeking of information which is in the course of transmission. Instead, it identifies the nature of transmissions, whether encrypted or otherwise, by reference to the ports which they use, and the protocol employed, so as to identify peer-to-peer communication. UPC does this already for legitimate commercial purposes related to the management of transmissions. If it suited, they could also easily identify the file # of copyright works and block them or divert the search in aid of theft to a legal site. This is not a general search for information." He also held that UPC was a mere conduit for the purposes of the E-Commerce Directive, but that this, nevertheless, left open the possibility for a court to require an internet provider to terminate or prevent an infringement, and went on to hold that the Copyright Directive required Member States to introduce laws which would provide for these remedies. Consequently, as the Irish law did not provide for these remedies Charleton J. found that Ireland "is not yet fully in compliance with its obligations under European law". Following this judgment, and in particular its finding that Irish law has failed to correctly implement the Copyright Directive, it is likely that the issue of filesharing will be high on the political agenda in Ireland. Representatives of the music industry have already called for legislative intervention, and have also threatened to sue the Irish state for losses caused by failure to tackle filesharing. Against this, however, the judgment can be criticised on a number of fronts. Concern has been expressed about the figures relied on by the judge for the extent of piracy, which have been described as inflated. The confident description of deep packet inspection as not involving a "general duty to monitor" is also unusual in light of the preliminary reference to the European Court of Justice in SABAM v. Scarlet (Tiscali) in which this would seem to be a live issue. Similarly, the claim that no privacy issues are involved in three strikes and blocking systems seems to be undermined by the fact that the Data Protection Commissioner took no part in these proceedings so that an important viewpoint went unrepresented, and also fails to take account of developments elsewhere (such as Switzerland) where opposite conclusions have been reached. It is also unclear where this leaves the three strikes and blocking systems which Eircom has already introduced. To date there has been no indication from Eircom as to whether it intends to continue with these systems despite the ruling, and despite the competitive disadvantage which it would appear to impose on it. EMI v. UPC (Unreported, High Court, 11.10.2010) http://www.scribd.com/doc/39104491/EMI-v-UPC John Collins and Ronan McGreevy, "Music labels to rethink fight against piracy" (12.10.2010) http://www.irishtimes.com/newspaper/frontpage/2010/1012/1224280879811.html Ronan McGreevy, "U2 manager criticises UPC defence", Irish Times (14.10.2010) http://www.irishtimes.com/newspaper/breaking/2010/1014/breaking52.html Justin Mason, "Aslan's hard times, from the UPC judgment", taint.org (11.10.2010) http://taint.org/2010/10/11/231501a.html Rossa McMahon, "Strike 1?", A Clatter of the Law (13.10.2010) http://aclatterofthelaw.com/2010/10/13/strike-one/ (Contribution by TJ McIntyre - EDRi-member Digital Rights Ireland) ============================================================ 11. Recommended Action ============================================================ An on-line survey on the PSI Directive The Digital Agenda for Europe lists the revision of the Directive 2003/98/EC on the re-use of public sector information (PSI Directive) among its first key actions. It highlights that governments can stimulate content markets by making PSI available on transparent, effective and non-discriminatory terms. Deadline: 30 November 2010 http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=psidirective2010 Technolife debate: social and ethical implications of biometrics and mobility http://biometrics.kertechno.net/ ============================================================ 12. Recommended Reading ============================================================ Opinion of the European Data Protection Supervisor on the Communication from the Commission on the global approach to transfers of Passenger Name Record (PNR) data to third countries (19.10.2010) http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consu… New microshort film on the Public Domain Calculators (12.10.2010) http://blog.okfn.org/2010/10/12/new-microshort-film-on-the-public-domain-ca… Brussels: There are no guarantees in terms of controlling the secret police in Macedonia (14.10.2010) http://metamorphosis.org.mk/macedonia/brisel-nema-garancii-kako-da-se-kontr… ============================================================ 13. Agenda ============================================================ 25 October 2010, Brussels, Belgium Hearing by the European Parliament's Committee on Civil Liberties, Justice, and Home Affairs (LIBE): "Data Protection in a Transatlantic Perspective. Future EU-US data protection agreement in the framework of police and judicial cooperation in criminal matters", 15.00-18.30, Room ASP 3E002. Programme http://www.europarl.europa.eu/document/activities/cont/201010/20101013ATT86… Live-Stream http://www.europarl.europa.eu/wps-europarl-internet/frd/live/live-video?lan… 25-26 October 2010, Jerusalem, Israel OECD Conference on "Privacy, Technology and Global Data Flows", celebrating the 30th anniversary of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data http://www.oecd.org/sti/privacyanniversary 26 October 2010, Brussels, Belgium Future Internet Architecture (FIArch) Open Workshop on the Future Internet Architecture Limitations http://ec.europa.eu/information_society/activities/foi/research/fiarch/inde… 27-29 October 2010, Jerusalem, Israel The 32nd Annual International Conference of Data Protection and Privacy Commissioners http://www.privacyconference2010.org/ 28-31 October 2010, Barcelona, Spain oXcars and Free Culture Forum 2010, the biggest free culture event of all time http://exgae.net/oxcars10 http://fcforum.net/10 3-5 November 2010, Barcelona, Spain The Fifth International Conference on Legal, Security and Privacy Issues in IT Law. http://www.lspi.net/ 5-7 November 2010, Cologne, Germany Transparency, Work, Surveillance Joint Annual Meeting of FIfF and DVD http://fiff.de/veranstaltungen/fiff-jahrestagungen/JT2010/jt2010_uebersicht 5-7 November 2010, Gothenburg, Sweden Free Society Conference and Nordic Summit http://www.fscons.org/ 17 November 2010, Gent, Belgium Big Brother Awards 2010 Belgium http://www.winuwprivacy.be/kandidaten 27-30 December 2010, Berlin, Germany 27th Chaos Communication Congress (27C3) http://events.ccc.de/congress/2010 25-28 January 2011, Brussels, Belgium The annual Conference Computers, Privacy & Data Protection CPDP 2011 European Data Protection: In Good Health? Submission deadline for Full Papers and Position Papers: 16 November 2010 http://www.cpdpconferences.org/ ============================================================ 14. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 27 members based or with offices in 17 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and are visible on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram(a)edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request(a)edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request(a)edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edri/2.html - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram(a)edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

None
by Ken Brown 06 Jul '18

06 Jul '18

> I think you hit the nail on the head here. For most USAns these days the > word "socialism" doesn't really mean anything specific Socialism: state intervention in private transactions. By extension, any state is socialist, or it's not really a state, but a company in the defense (and maybe law) business. Mark

1 0

[i2p] weekly status notes [jan 25]
by jrandom 06 Jul '18

06 Jul '18

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi y'all, quick weekly status update * Index 1) 0.5 status 2) sam.net 3) gcj progress 4) udp 5) ??? * 1) 0.5 status Over the past week, there's been a lot of progress on the 0.5 side. The issues we were discussing before have been resolved, dramatically simplifying the crypto and removing the tunnel looping issue. The new technique [1] has been implemented and the unit tests are in place. Next up I'm putting together more of the code to integrate those tunnels into the main router, then build up the tunnel management and pooling infrastructure. After thats in place, we'll run it through the sim and eventually onto a parallel net to burn it in before wrapping a bow on it and calling it 0.5. [1]http://dev.i2p.net/cgi-bin/cvsweb.cgi/i2p/router/doc/tunnel-alt.html?rev=H EAD * 2) sam.net smeghead has put together a new port of the SAM protocol to .net - c#, mono/gnu.NET compatible (yay smeghead!). This is in cvs under i2p/apps/sam/csharp/ with nant and other helpers - now all y'all .net devs can start hacking with i2p :) * 3) gcj progress smeghead is definitely on a tear - at last count, with some modifications the router is compiling under the latest gcj [2] build (w00t!). It still doesn't work yet, but the modifications to work around gcj's confusion with some inner class constructs is definitely progress. Perhaps smeghead can give us an update? [2] http://gcc.gnu.org/java/ * 4) udp Not much to say here, though Nightblade did bring up an interesting set of concerns [3] on the forum asking why we're going with UDP. If you've got similar concerns or have other suggestions on how we can address the issues I replied with, please, chime in! [3] http://forum.i2p.net/viewtopic.php?t=280 * 5) ??? Yeah, ok, I'm late with the notes again, dock my pay ;) Anyway, lots going on, so either swing by the channel for the meeting, check the posted logs afterwards, or post up on the list if you've got something to say. Oh, as an aside, I've given in and started up a blog within i2p [4]. =jr [4] http://jrandom.dev.i2p/ (key in http://dev.i2p.net/i2p/hosts.txt) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFB9r1VGnFL2th344YRAvb5AJ9+Y5l9JZOo5znrnY2sunAr0lOJzgCghHpy W/EO4gPSteZWp+rBogWfB3M= =nnfw -----END PGP SIGNATURE----- _______________________________________________ i2p mailing list i2p(a)i2p.net http://i2p.dnsalias.net/mailman/listinfo/i2p ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 1.01d removed an attachment of type application/pgp-signature]

1 0

[Dewayne-Net] THE END OF THE INTERNET?
by Dewayne Hendricks 06 Jul '18

06 Jul '18

[Note: Worth reading. Also, check out some of the white papers the article points to. One of note: "Network Neutrality: A Broadband Wild West?". DLH] THE END OF THE INTERNET? [SOURCE: The Nation, AUTHOR: Jeff Chester] [Commentary] Verizon, Comcast, Bell South and other communications giants are developing strategies that would track and store information on our every move in cyberspace in a vast data-collection and marketing system, the scope of which could rival the National Security Agency. According to white papers now being circulated in the cable, telephone and telecommunications industries, those with the deepest pockets--corporations, special-interest groups and major advertisers -- would get preferred treatment. Content from these providers would have first priority on our computer and television screens, while information seen as undesirable, such as peer-to-peer communications, could be relegated to a slow lane or simply shut out. Under the plans they are considering, all of us--from content providers to individual users -- would pay more to surf online, stream videos or even send e-mail. Industry planners are mulling new subscription plans that would further limit the online experience, establishing "platinum," "gold" and "silver" levels of Internet access that would set limits on the number of downloads, media streams or even e-mail messages that could be sent or received. To make this pay-to-play vision a reality, phone and cable lobbyists are now engaged in a political campaign to further weaken the nation's communications policy laws. They want the federal government to permit them to operate Internet and other digital communications services as private networks, free of policy safeguards or governmental oversight. Indeed, both the Congress and the Federal Communications Commission are considering proposals that will have far-reaching impact on the Internet's future. Ten years after passage of the ill-advised Telecommunications Act of 1996, telephone and cable companies are using the same political snake oil to convince compromised or clueless lawmakers to subvert the Internet into a turbo-charged digital retail machine. <http://www.thenation.com/doc/20060213/chester> Links to White Papers mentioned above: <http:// www.democraticmedia.org/issues/netneutrality.html> Weblog at: <http://weblog.warpspeed.com> ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

1 0

[Politech] Texas government targets peer-to-peer software use on state computers [ip]
by Declan McCullagh 06 Jul '18

06 Jul '18

Excerpt: "The Department of Information Resources shall develop a statewide policy for use by each state agency, department, board, and commission which prohibits unauthorized or illegal use of peer-to-peer software programs." -------- Original Message -------- Subject: Texas peer to peer policy Date: Fri, 7 Apr 2006 09:54:01 -0500 From: James Henson <jhenson(a)mail.la.utexas.edu> To: 'Declan McCullagh' <declan(a)well.com> Declan - Maybe of some interest to Politechers. http://www.governor.state.tx.us/divisions/press/exorders/rp58 Best - Jim Henson James Henson, Ph.D. Executive Producer, Texas Politics 512.471-0090 http://texaspolitics.laits.utexas.edu _______________________________________________ Politech mailing list Archived at http://www.politechbot.com/ Moderated by Declan McCullagh (http://www.mccullagh.org/) ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

1 0

EDRi-gram newsletter - Number 8.14, 14 July 2010
by EDRI-gram newsletter 06 Jul '18

06 Jul '18

============================================================ EDRi-gram biweekly newsletter about digital civil rights in Europe Number 8.14, 14 July 2010 ============================================================ Contents ============================================================ 1. SWIFT agreement adopted by the European Parliament 2. European Parliament invents Google Nanny 3. Increased Internet censorship in Belarus 4. The Digital Economy Act brought to court by two UK ISPs 5. Belgium ISPs are not obliged to block The Pirate Bay 6. Blocking of innocent websites by O2 Ireland 7. Facebook faces serious fines in Germany 8. Yahoo is not bound to give personal data to Belgian authorities 9. ENDitorial: French biometric passport: case still pending after 2 years 10. Recommended Action 11. Recommended Reading 12. Agenda 13. About ============================================================ 1. SWIFT agreement adopted by the European Parliament ============================================================ The European Parliament has adopted the so-called SWIFT agreement on 8 July 2010 allowing sharing EU citizens' bank data with the US authorities, but failing to stick to its initial position on privacy safeguards from February 2010. The text was adopted with 484 votes in favour and 109 against. The supporters of the current version claim that the new text was significantly improved by gaining a number of important concessions from the US. These include the limitation of bulk data being transfer to the US or the role of Europol in overseeing the transfer process. However, even the data protection European bodies - EDPS and the Article 29 Working Party - have underlined that the current agreement does not meet the European privacy standards. As EDRi has explained in a FAQ made public shortly before the vote, there is no prior judicial ruling required for transfer of data, the definition of "terrorism" is very broad and there is still no legal redress available for EU citizens in the US against data transfers or the possibly serious consequences thereof. Also, in practice, SWIFT can't currently limit data searches to specific individuals or single transactions. Actually, it will have to (and has in the past) transfer data about all transactions from a certain country or a certain bank on a certain date. There have been reports that the US Treasury has received up to 25% of all SWIFT transactions, which number in the billions each year. As regards the Europol's position, the EU body is far from a judicial authority and it is now authorized to request information from the US searches in the transferred data, which drastically reduces any incentive to limit the transferred amount of data in the first place. This agreement will enter into force on 1 August 2010. The current text will be valid for 5 years and then automatically extends for one year at a time. In order to terminate the agreement, one of the parties has to take an initiative. Even if it is terminated, all transferred data will remain at the disposal of US authorities. The data provided to the American authorities will be subject to a retention period of 5 years. Agreement between the EU and the USA on the processing and transfer of financial messaging data from the EU to the USA for purposes of the Terrorist Finance Tracking Program (8.07.2010) http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2… The Parliament shows the green light for the SWIFT II agreement (only in French, 8.07.2010) http://www.europarl.europa.eu/news/public/focus_page/008-76988-176-06-26-90… US to access Europeans' bank data in new deal (8.07.2010) http://news.bbc.co.uk/2/hi/world/europe/10552630.stm Frequently Asked Questions on the Terrorist Finance Tracking Program / "SWIFT" Agreement (7.07.2010) http://www.edri.org/faq-2-swift-agreement-edri EDRi-gram: Same privacy concerns for the new SWIFT treaty (30.06.2010) http://www.edri.org/edrigram/number8.13/new-swift-treaty-privacy-concerns ============================================================ 2. European Parliament invents Google Nanny ============================================================ The Environment, Public Health and Consumer Protection of the European Parliament has found another use for Google. From now on, Google should read what we are searching for and, if the search implies any risky behaviour, Google should tell us to be careful. Of course, it would not be just Google but any "search engine" and nobody felt to that it was necessary define what exactly a "search engine" would be in this context. The first such "risky" behaviour would be looking for information about medication. In a report about falsified medicine, the Committee agreed to a proposal to insert warnings in search engines in the event of a search for medicinal products on the internet. Whether or not people exist who would both be foolish enough to search for (and buy?) dangerous medicines from uncertified sources online, but yet clever enough to accept Google's wise counsel, is not yet clear. A further question is how one could implement such a policy without scaring people away from using entirely legitimate and verified online pharmacies. One can, however, see lots of useful ways in which this measure can be spread into other areas where people may be searching for things which could, in some circumstances, be dangerous. There are vast numbers of things which are at least as dangerous as searching for information about medication online, although the biggest danger of all seems to be the creation of a society whose common sense has atrophied through living in a nanny state where people are no longer expected to think for themselves. Undemocratic countries will also be looking with interest on what can be done using such a system. Belarus claims that its new laws restricting the Internet are based on legislation introduced in France and the United Kingdom. The prospect of search engines giving a warning of the consequences of accessing certain online resources would be an interesting new addition to an armoury of internet restrictions. The Committee report (adopted by 46 votes to zero, with two abstentions) will be probably voted in a plenary session of the European Parliament in September. It is unclear if alternative proposals will be tabled or whether the European Commission will support the measure. Draft report on the proposal for a directive of the European Parliament and of the Council amending Directive 2001/83/EC as regards the prevention of the entry into the legal supply chain of medicinal products which are falsified in relation to their identity, history or source (7.05.2010) http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+… (Contribution by Joe McNamee - EDRi) ============================================================ 3. Increased Internet censorship in Belarus ============================================================ The Belarus government has adopted new measures increasing the control of the Internet and restrictions on online freedom of expression. Following Decree no.60 (On measures for improving use of the national Internet network) issued on 1 February 2010 by President Alyaksandr Lukashenka, Belarus Council of Ministers adopted five resolutions with new Internet regulations introducing the compulsory registration of all web sites and the collection of personal data of Internet cafe users. The decree will enter fully into force on 1 September but the police has already started interrogations and equipment seizures in a campaign meant to intimidate Internet users and online journalists. According to the new regulations, all ISPs on the territory of Belarus, irrespective of their commercial or non-commercial nature, must register with the Communication and Information Ministry and provide technical details about online information resources, networks and systems used to connect to the Internet, including computers and mobile phones. The Council of Ministers issued on 29 April 2010 a decree "On some questions of improving usage of the national segment of global Internet computer network" according to which the information on registered Internet resources gathered by a registering organisation is to be further on passed to the Operative-Analytical Center. The body created by the same Decree no.60 will be subordinated to the President's office and will have the task to monitor the content before it is put online, meaning it will actually be a censorship organism. At the request of the Center, ISPs are to close down any website within 24 hours. The Belarusian State Telecommunication Inspection will make a list of forbidden websites on the ground of proposals of appropriate governmental bodies. If a Belarusian site is included on the blacklist, the owner will receive a notice about that. The blacklist will further on be published on the Telecommunication Inspection website, but the national ISPs may extend that if they want. Also any person accessing the Internet in an Internet cafi or using a shared connection with one, must provide an identification document and a record of all his (her) online connections will be kept for a year. Based on the new legislation, Beltelecom, the state-own ISP has recently blocked access to kurier.vitebsk.by, Vitebsky Kuryer's newspaper's website which had not registered with the authorities for ideological reasons. The reasons are actually political ones as the site criticized local and national policies. The decree appears to be in fact aimed at blocking opposition's Internet resources in view of the upcoming presidential elections. The decree has been strongly opposed and criticized by the media community and international human rights organizations, including OSCE. Nine members of the National Bolshevik Party who made an unauthorised demonstration on the Freedom Square in Minsk on 23 June 2010, waving placards and wearing T-shirts with the words "Internet Freedom", were arrested, convicted and fined for the infringement of the procedures for holding demonstrations. Authorities step up Internet restrictions, harassment of online journalists (6.07.2010) http://en.rsf.org:80/belarus-authorities-step-up-internet-06-07-2010,37867.… All legal sites placed in .by domain will be obliged to move to Belarusian hosting (27.05.2010) http://e-belarus.org/news/201005271.html Full text of Internet censorship regulation released in Belarus (6.07.2010) http://www.charter97.org/en/news/2010/7/6/30382/ No Entry to Belarusian Internet Cafes without Passport (2.07.2010) http://telegraf.by/2010/07/no-entry-to-belarusian-internet-cafes-without-pa… EDRi-gram: New Belarus Internet regulations require compulsory web registration (19.05.2010) http://www.edri.org/edrigram/number8.10/censorship-belarus-registration-web… ============================================================ 4. The Digital Economy Act brought to court by two UK ISPs ============================================================ The two big UK ISPs, BT and TalkTalk, have asked the High Court to carry out a judicial review of the most controversial aspects of the Digital Economy Act, in order to establish whether it is in contradiction with existing privacy and electronic communication laws. The law will force ISPs to disconnect their customers deemed by intellectual property rights holders to have allegedly infringed copyrights. "The companies share a concern that obligations imposed by the Act may not be compatible with important European rules that are designed to ensure that national laws are proportionate, protect users' privacy, restrict the role of ISPs in policing the Internet and maintain a single market," says a statement of the two ISPs. Regulator Ofcom, which is in charge of drawing up detailed plans on how the legislation will work, has recently publicly presented the draft policy to deal with illegal file-sharers, requiring ISPs to send warning letters to customers who allegdly illegally download films, music and TV programs. A provision was added at the last moment stipulating that several rounds of consultation would be required before the implementation of such measures. The two ISPs believe they are also disadvantaged by the Digital Economy Act as, presently, the code of practice applies only to ISPs with more than 400 000 subscribers and therefore they may see all lot of their customers move to smaller ISPs which are not subject to the legislation. Technology lawyer Struan Robertson of Pinsent Masons stated that the court could not do much about a law that has already been approved by the Parliament: "All the court can do is make a declaration that a law is in breach of other obligations. That declaration would put pressure on Parliament to revisit the act." Although, according to BBC, Deputy Prime Minister Nick Clegg said that the Digital Economy Act "badly needs to be repealed" the new coalition government has no plans to change it. "The Digital Economy Act sets out to protect our creative economy from the continued threat of online copyright infringement, which industry estimates costs the creative industries, including creators, #400m per year," read a statement from the Department of Business, Innovation and Skills which also said: "We believe measures are consistent with EU legislation and that there are enough safeguards in place to protect the rights of consumers and ISPs and will continue to work on implementing them." ISPs take Digital Economy Act to the courts (8.07.2010) http://www.out-law.com:80//default.aspx?page=11211 BT and TalkTalk challenge Digital Economy Act (8.07.2010) http://news.bbc.co.uk/2/hi/technology/10542400.stm EDRi-gram: UK Digital Economy Bill voted by the Parliament (21.04.2010) http://www.edri.org/edrigram/number8.8/digital-economy-bill-uk ============================================================ 5. Belgium ISPs are not obliged to block The Pirate Bay ============================================================ Two Belgian ISPs have won their court battle against an anti-piracy group which had demanded that they block the access to The Pirate Bay. On 9 July 2010, the Antwerp Commercial Court rejected the blocking demands made by the Belgium Anti-Piracy Federation against the two ISPs, considering that the measure would be "disproportionate". The entertainment industry has exerted pressures recently on ISPs to block the Pirate Bay but most of them are refusing to comply. The negotiations the Anti-Piracy Federation had with Belgacom and Telenet ended up in court but the court ruled in favour of the ISPs. The ISPs argued they were merely technical operators and did not have the capacity to judge which sites were illegal and should be blocked. "It is not the role of Telenet to decide which sites should be available or not to our users. As a service provider, this is not within our competence," said a spokesperson for one of the ISPs. Also in Norway, the main ISP has refused to block access to The Pirate Bay considering that "asking from an ISP to control and establish what its users can or not download is as bad as asking from a post office to open and read any letter and to decide which should or not be delivered" as explained Ragnar Kerus, Telenor Director who added that it was not a question of being for or against copyright but of knowing whether it was "reasonable for ISPs to have the role of Internet censor in order to make certain rights observed". Another action follows the OpenBitTorrent that moved to the Spanish hosting company SoloGigabit. Spain is one of the countries where BitTorrent search trackers are not considered to infringe the law. Even so, IFPI has decided to go after the OpenBitTorrent's new Spanish host and has sent a letter to SoloGigabit stating that the hosting company could be "liable for aiding and abetting criminal copyright infringements and receiving payments from criminal activity." According to the Spanish legislation, BitTorrent search trackers are considered legal although some of their users may use it to download copyright infringing content. The OpenBitTorrent tracker is just a communication facilitator between torrent users. "According to all Spanish legal resolutions, a link does not communicate nor reproduces the work under intellectual property. So, linking is not a violation, hosting without the rights holders permission is," told copyright expert and lawyer Javier de la Cueva to TorrentFreak. It is not yet certain what position will SoloGigabit take, having in view that the company is a rather small one and might not be able to face a long and costly trial even if it does not infringe the Spanish law. ISPs Don't Have To Block The Pirate Bay, Court Rules (10.07.2010) http://torrentfreak.com/isps-dont-have-to-block-the-pirate-bay-court-rules-… The Belgium justice refuses to impose the blocking of The Pirate Bay (only in French, 10.07.2010) http://www.numerama.com/magazine/16222-la-justice-belge-refuse-d-imposer-le… IFPI threatens OpenBitTorrent's host, despite the Spanish jurisprudence (only in French, 12.07.2010) http://www.numerama.com/magazine/16224-l-ifpi-menace-l-hebergeur-d-openbitt… Music Industry Threatens OpenBitTorrent's New Hosting Provider (11.07.2010) http://torrentfreak.com/music-industry-threaten-openbittorrents-new-hosting… ============================================================ 6. Blocking of innocent websites by O2 Ireland ============================================================ The Irish mobile operator O2 has acknowledged accidentally blocking the image hosting website IMGUR through its system for blocking alleged child abuse material. There appears to have been no indication that there was, in fact, any illegal material hosted on that site. Furthermore, it is not obvious on what basis O2 could have made the decision to undertake the blocking. In a statement provided to the Irish hotline, which was not published but simply made available to people who enquired about the problem, O2 explained that "the technology behind the service (to block child abuse images) is more far reaching than anticipated and on occasion a site which should not be blocked may be." It is impossible to tell how many other innocent, but smaller and therefore less noticeable, websites are similarly blocked by accident, due to this "far reaching technology." O2 undertakes its blocking system on a voluntary basis, despite the fact that, according to the European Commission, "such measures must indeed be subject to law, or they are illegal"(according to the Commission's impact assessment on the draft Directive on child exploitation). Nonetheless, the European Commission is also now supporting such extra-judicial measures and it is now also proposing to use taxpayers' money to fund them. A six million euro call for proposals launched in June 2010 refers to funding for "blocking access to child pornography OR blocking the access to illegal Internet content through public-private cooperation". This call, by the Commission, for "self-regulatory" blocking of allegedly illegal content in general was made just a few weeks after Commissioner Malmstrvm explained at a conference that "the Commission has absolutely no plans to propose blocking of other types of content - and I would personally very strongly oppose any such idea". It is likely that further deliberate and accidental blocking of websites will now spread in Ireland, due to the fact that the Irish former monopoly Eircom agreed to block sites accused of containing unauthorised material, while mobile operator Vodafone has reportedly also indicated that it will introduce extra-judicial measures against any of its customers repeatedly accused of infringements. Many blogs and online message boards accused the Irish Internet hotline of having prepared a faulty blocking list and this was what led to IMGUR being blocked. As the Irish internet hotline does not prepare a blocking list, but simply acts in its capacity as a hotline, these allegations were incorrect. Commission impact assessment - Accompanying document to the Proposal for a Council Framework Decision on combating the sexual abuse, sexual exploitation of children and child pornography, repealing Framework Decision 2004/68/JHA - Impact assessment {COM(2009) 135} {SEC(2009) 356 (25.03.2010) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52009SC0355:EN:… Irish Internet hotline http://www.hotline.ie Vodafone in line to join file-sharing clampdown (16.06.2010) http://www.irishtimes.com/newspaper/ireland/2010/0616/1224272615990.html European Commission call for proposals: "Prevention of and fight against crime" http://ec.europa.eu/justice_home/funding/isec/doc/tc2_call_2010_en.pdf Commissioner Malmstrvm speech: "Combating sexual abuse, sexual exploitation of children and child pornography: the Commission's proposed Directive" (6.05.2010) http://ec.europa.eu/commission_2010-2014/malmstrom/archive/Speech%20%20Malm… FOI shows Department of Justice planning internet blocking for Ireland (16.04.2010) http://www.digitalrights.ie/2010/04/16/foi-shows-department-of-justice-plan… Internet Filtering in Ireland: More Information from the Seanad (1.06.2010) http://www.digitalrights.ie/2010/06/01/internet-filtering-in-ireland-more-i… (Contribution by Joe McNamee - EDRi) ============================================================ 7. Facebook faces serious fines in Germany ============================================================ The Hamburg Commissioner for Data Protection and Freedom of Information John Caspar has launched legal proceedings against the operator of the social network Facebook for illegally accessing and saving personal data of people who don't use the respective social networking site. "We consider the saving of data from third parties, in this context, to be against personal data laws," said Caspar. Germany benefits of one of the strictest privacy laws in the world that includes precise limits to the access to personal data and has already launched an investigation on Google, as well as in relation to its Street View mapping system. Facebook was given until 11 August 2010 to give a formal response to the legal complaint which may lead to its being fined tens of thousands of euro, if the response is not acceptable. Although Facebook has changed its privacy settings in order to allow its users to block access to their e-mail address contacts, the Commissioner argues that the already saved contacts have not been erased and are used for marketing purposes. Facebook collects data also on non-members, by using, for instance, the Facebook application for iPhones which allows the transfer of all the contacts from the mobile phone to the social network. This offers the option to transfer all available contacts in the mobile phone on Facebook. Also, when somebody creates a new account on Facebook, the system offers to search into the new member's e-mail accounts to find friends on the network. Caspar stated that many citizens had recently "complained about the use of third party data" meaning that they had been contacted by Facebook after it had obtained their e-mail addresses from contacts of network members. The Consumer Protection Minister Ilse Aigner announced in June that she was planning to give up her Facebook account considering the social network was not doing enough to protect users' data. Germany takes legal steps against Facebook (6.07.2010) http://www.google.com:80/hostednews/ap/article/ALeqM5jipwYBDk87V1KRECUQ_C2a… Hamburg data protection commissioner initiated penalty proceedings against Facebook (7.07.2010) http://www.heise.de/newsticker/meldung/Hamburgs-Datenschuetzer-leitet-Bussg… Penalty proceedings against Facebook for storing the data of others (only in German, 7.07.2010) http://www.hamburg.de/pressearchiv-fhh/2365106/datenschutz-facebook.html ============================================================ 8. Yahoo is not bound to give personal data to Belgian authorities =========================================================== The Belgian Court of Appeal of Gand ruled on 30 June 2010 that Yahoo was not obliged to hand over personal data of its users to the Belgian authorities, in a case where the first instance had issued a contrary ruling. In 2009, following a cybercrime investigation by the Belgian police, it was discovered that a group was using Yahoo e-mail addresses to commit online fraud. The members of the group stole data from various companies and used the data to order goods without paying. Yahoo was requested by the Belgian Public Prosecutor to hand over the IDs related to the e-mail addresses used by the group but the company refused to comply and, on 2 March 2009, received a 55 000 euro fine from a Termonde judge who also imposed a daily penalty fee of 10 000 euro in case of non-compliance with the judgment. The court did not consider Yahoo's argument that it was not subject to the Belgian law as it had no legal entity in Belgium and did not store any customer data in Belgium. The appeal court has now decided that there was no legal basis for the 2009 ruling against the company. "There is not enough evidence that the providers of free of charge e-mail addresses are also electronic communication services. In other words, there is no proof that Yahoo deals directly with sending the signals. It has no control over the network as an e-mail provider" said the decision of the Appeal Court. It is reported that, throughout the whole process, no attempt was ever made by the Belgian authorities to use existing Mutual Legal Assistance Treaty to obtain the requested data via recognised legal channels. Gand: Yahoo! acquitted in appeal for not having transmitted data to justice (only in French, 30.06.2010) http://levif.rnews.be/fr/news/belga-generique/gand-yahoo-acquitte-en-appel-… A Win for Yahoo! And for Privacy in Belgium (6.07.2010) http://www.yhumanrightsblog.com/blog/2010/07/06/a-win-for-yahoo-and-for-pri… EDRi-gram: Yahoo penalised in Belgium for not disclosing personal data (11.03.2009) http://www.edri.org/edri-gram/number7.5/belgium-decision ============================================================ 9. ENDitorial: French biometric passport: case still pending after 2 years ============================================================ It took more than two years after the complaint against the French biometric passport was filed to have the conclusions of the "public rapporteur" publicly presented at the Conseil d'Etat (French highest administrative Court), on 30 June 2010. While the final court decision was expected some weeks later as it usually occurs, the plaintiffs received instead an official note that the conclusions presented on 30 June were dismissed, and that some more analysis was needed: the case will now be heard on October 2010. The French biometric passport entered into force after a decree was published on 4 May 2008. On 4 July 2008, a case was jointly filed before the Conseil d'Etat by two NGOs: French EDRI member IRIS and the French Human Rights League, to obtain the annulment of this decree. Other complaints were filed by a group of 10 citizens from Toulouse, and by photographers associations and companies, the latter complaint highlighting economic issues with the decree. The main provisions targeted by the two NGOs are: the establishment of a centralized national biometric database; the collection and storage in the database of 8 fingerprints (only 2 of them being also stored in the passport chip), instead of the 2 required by the European regulation on biometric passports; the collection of fingerprints of children starting from age 6. Legal substantive and procedural arguments against these provisions are provided in the complaint. In the French Conseil d'Etat judicial system, the "public rapporteur" is a member of the Council in charge of presenting to the court the claim put forward in the complaint, of analyzing the circumstances and the applicable law, and of proposing independent and impartial conclusions and recommendations regarding the final decision. Usually, the court follows these conclusions, or simply makes slight modifications before delivering its judgement. Two years after the complaint was filed, the "public rapporteur" recommended the annulment of the provision requiring to collect and store in the centralized database the 6 additional fingerprints, on the basis that this was disproportionate with respect to the European regulation. While he didn't recommend the annulment of the provision creating a centralized database, the "public rapporteur" pointed out that this was not required by the European regulation, and that French and European data protection institutions, as well as the European Parliament, voiced strong concerns against this provision. However, the "public rapporteur" considered, following the opinions of the French Ministry of Interior, that this centralized database is necessary to avoid identity fraud and passport trafficking, including in the case of children starting from age of 6. Apparently, these timid conclusions were still too provocative for the Conseil d'Etat or were they, on the contrary, indeed too timid in the Court's view as well? No one knows yet why the Conseil d'Etat considered that they needed to be dismissed, and that four additional months of investigations and discussions were still needed to reach a decision. In the mean time, the deployment of the French biometric passport has been going on since the publication of the decree, given that such complaints do not have any suspensive effect. EDRi-gram: Complaint Against The French Govt To Annul The Biometric Passport Decree. The French Government goes against CNIL in biometric passports (16.07.2008) http://www.edri.org/edrigram/number6.14/complaint-french-biometric-passport French biometric passport dossier (all available documents, only in French) http://www.ines.sgdg.org/spip.php?page=recherche&recherche=passeport (Contribution by Meryem Marzouki - EDRi-member IRIS - France) ============================================================ 10. Recommended Action ============================================================ Over 300 MEPs have signed the Written Declaration on ACTA. Please continue to contact your MEPs and ask them to sign the Written Declaration at the next Strasbourg plenary session on 6-9 September. Less than 70 signatures needed by 9 September 2010 ! http://www.eff.org/action/eu-action-alert-urge-your-mep-take-stand-internet… http://www.laquadrature.net/wiki/Written_declaration_ACTA_12/2010 http://www.laquadrature.net/wiki/Help_sign_the_Written_Declaration_12/2010_… ============================================================ 11. Recommended Reading ============================================================ Joint Comments EDRi and EuroISPA to the Dialogue on Notice and Take Down of illegal content (07.2010) http://www.edri.org/files/090710_dialogue_NTD_illegal_content_EuroISPA-EDRI… New Challenges to Data Protection study for DG Justice, Freedom and Security (8.07.2010) Executive summary http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1638945 Final report http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1636706 In French http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1638920 In German http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1638917 Country-specific reports http://ec.europa.eu/justice_home/fsj/privacy/studies/index_en.htm Report on the implementation of open content licenses in developing and transition countries http://www.eifl.net/cps/sections/services/eifl-oa/docs/report-on-implementa… ============================================================ 12. Agenda ============================================================ 24 July 2010, London, UK ORGCon, first ever conference dedicated to digital rights in the UK. http://www.openrightsgroup.org/blog/2010/book-now-first-ever-orgcon-24-july 25-31 July 2010, Meissen, Germany European Summer School on Internet Governance http://www.euro-ssig.eu 29-31 July 2010, Freiburg, Germany IADIS - International Conference ICT, Society and Human Beings 2010 http://www.ict-conf.org/ 2-6 August 2010, Helsingborg, Sweden Privacy and Identity Management for Life (PrimeLife/IFIP Summer School 2010) http://www.cs.kau.se/IFIP-summerschool/ 31 August - 3 September 2010, Budapest, Hungary OpenOffice 2010 Conference http://www.ooocon.org/index.php/ooocon/2010 13-17 September 2010, Crete, Greece Privacy and Security in the Future Internet 3rd Network and Information Security (NIS'10) Summer School http://www.nis-summer-school.eu 14-16 September 2010, Vilnius, Lithuania Internet Governance Forum 2010 http://igf2010.lt/ 20-21 September 2010, Helsinki Finland Finnish Internet Forum http://internetforum.fi 8-9 October 2010, Berlin, Germany The 3rd Free Culture Research Conference http://wikis.fu-berlin.de/display/fcrc/Home 25-26 October 2010, Jerusalem, Israel OECD Conference on "Privacy, Technology and Global Data Flows", celebrating the 30th anniversary of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data http://www.oecd.org/sti/privacyanniversary 27-29 October 2010, Jerusalem, Israel The 32nd Annual International Conference of Data Protection and Privacy Commissioners http://www.privacyconference2010.org/ 28-31 October 2010, Barcelona, Spain oXcars and Free Culture Forum 2010, the biggest free culture event of all time http://exgae.net/oxcars10 http://fcforum.net/10 3-5 November 2010, Barcelona, Spain The Fifth International Conference on Legal, Security and Privacy Issues in IT Law. Call for papers deadline: 10 September 2010 http://www.lspi.net/ 17 November 2010, Gent, Belgium Big Brother Awards 2010 Belgium http://www.winuwprivacy.be/kandidaten ============================================================ 13. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 27 members based or with offices in 17 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram(a)edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request(a)edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request(a)edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edrigram-mk.php - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram(a)edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

EDRi-gram newsletter - Number 8.14, 14 July 2010
by EDRI-gram newsletter 06 Jul '18

06 Jul '18

============================================================ EDRi-gram biweekly newsletter about digital civil rights in Europe Number 8.14, 14 July 2010 ============================================================ Contents ============================================================ 1. SWIFT agreement adopted by the European Parliament 2. European Parliament invents Google Nanny 3. Increased Internet censorship in Belarus 4. The Digital Economy Act brought to court by two UK ISPs 5. Belgium ISPs are not obliged to block The Pirate Bay 6. Blocking of innocent websites by O2 Ireland 7. Facebook faces serious fines in Germany 8. Yahoo is not bound to give personal data to Belgian authorities 9. ENDitorial: French biometric passport: case still pending after 2 years 10. Recommended Action 11. Recommended Reading 12. Agenda 13. About ============================================================ 1. SWIFT agreement adopted by the European Parliament ============================================================ The European Parliament has adopted the so-called SWIFT agreement on 8 July 2010 allowing sharing EU citizens' bank data with the US authorities, but failing to stick to its initial position on privacy safeguards from February 2010. The text was adopted with 484 votes in favour and 109 against. The supporters of the current version claim that the new text was significantly improved by gaining a number of important concessions from the US. These include the limitation of bulk data being transfer to the US or the role of Europol in overseeing the transfer process. However, even the data protection European bodies - EDPS and the Article 29 Working Party - have underlined that the current agreement does not meet the European privacy standards. As EDRi has explained in a FAQ made public shortly before the vote, there is no prior judicial ruling required for transfer of data, the definition of "terrorism" is very broad and there is still no legal redress available for EU citizens in the US against data transfers or the possibly serious consequences thereof. Also, in practice, SWIFT can't currently limit data searches to specific individuals or single transactions. Actually, it will have to (and has in the past) transfer data about all transactions from a certain country or a certain bank on a certain date. There have been reports that the US Treasury has received up to 25% of all SWIFT transactions, which number in the billions each year. As regards the Europol's position, the EU body is far from a judicial authority and it is now authorized to request information from the US searches in the transferred data, which drastically reduces any incentive to limit the transferred amount of data in the first place. This agreement will enter into force on 1 August 2010. The current text will be valid for 5 years and then automatically extends for one year at a time. In order to terminate the agreement, one of the parties has to take an initiative. Even if it is terminated, all transferred data will remain at the disposal of US authorities. The data provided to the American authorities will be subject to a retention period of 5 years. Agreement between the EU and the USA on the processing and transfer of financial messaging data from the EU to the USA for purposes of the Terrorist Finance Tracking Program (8.07.2010) http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2… The Parliament shows the green light for the SWIFT II agreement (only in French, 8.07.2010) http://www.europarl.europa.eu/news/public/focus_page/008-76988-176-06-26-90… US to access Europeans' bank data in new deal (8.07.2010) http://news.bbc.co.uk/2/hi/world/europe/10552630.stm Frequently Asked Questions on the Terrorist Finance Tracking Program / "SWIFT" Agreement (7.07.2010) http://www.edri.org/faq-2-swift-agreement-edri EDRi-gram: Same privacy concerns for the new SWIFT treaty (30.06.2010) http://www.edri.org/edrigram/number8.13/new-swift-treaty-privacy-concerns ============================================================ 2. European Parliament invents Google Nanny ============================================================ The Environment, Public Health and Consumer Protection of the European Parliament has found another use for Google. From now on, Google should read what we are searching for and, if the search implies any risky behaviour, Google should tell us to be careful. Of course, it would not be just Google but any "search engine" and nobody felt to that it was necessary define what exactly a "search engine" would be in this context. The first such "risky" behaviour would be looking for information about medication. In a report about falsified medicine, the Committee agreed to a proposal to insert warnings in search engines in the event of a search for medicinal products on the internet. Whether or not people exist who would both be foolish enough to search for (and buy?) dangerous medicines from uncertified sources online, but yet clever enough to accept Google's wise counsel, is not yet clear. A further question is how one could implement such a policy without scaring people away from using entirely legitimate and verified online pharmacies. One can, however, see lots of useful ways in which this measure can be spread into other areas where people may be searching for things which could, in some circumstances, be dangerous. There are vast numbers of things which are at least as dangerous as searching for information about medication online, although the biggest danger of all seems to be the creation of a society whose common sense has atrophied through living in a nanny state where people are no longer expected to think for themselves. Undemocratic countries will also be looking with interest on what can be done using such a system. Belarus claims that its new laws restricting the Internet are based on legislation introduced in France and the United Kingdom. The prospect of search engines giving a warning of the consequences of accessing certain online resources would be an interesting new addition to an armoury of internet restrictions. The Committee report (adopted by 46 votes to zero, with two abstentions) will be probably voted in a plenary session of the European Parliament in September. It is unclear if alternative proposals will be tabled or whether the European Commission will support the measure. Draft report on the proposal for a directive of the European Parliament and of the Council amending Directive 2001/83/EC as regards the prevention of the entry into the legal supply chain of medicinal products which are falsified in relation to their identity, history or source (7.05.2010) http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+… (Contribution by Joe McNamee - EDRi) ============================================================ 3. Increased Internet censorship in Belarus ============================================================ The Belarus government has adopted new measures increasing the control of the Internet and restrictions on online freedom of expression. Following Decree no.60 (On measures for improving use of the national Internet network) issued on 1 February 2010 by President Alyaksandr Lukashenka, Belarus Council of Ministers adopted five resolutions with new Internet regulations introducing the compulsory registration of all web sites and the collection of personal data of Internet cafe users. The decree will enter fully into force on 1 September but the police has already started interrogations and equipment seizures in a campaign meant to intimidate Internet users and online journalists. According to the new regulations, all ISPs on the territory of Belarus, irrespective of their commercial or non-commercial nature, must register with the Communication and Information Ministry and provide technical details about online information resources, networks and systems used to connect to the Internet, including computers and mobile phones. The Council of Ministers issued on 29 April 2010 a decree "On some questions of improving usage of the national segment of global Internet computer network" according to which the information on registered Internet resources gathered by a registering organisation is to be further on passed to the Operative-Analytical Center. The body created by the same Decree no.60 will be subordinated to the President's office and will have the task to monitor the content before it is put online, meaning it will actually be a censorship organism. At the request of the Center, ISPs are to close down any website within 24 hours. The Belarusian State Telecommunication Inspection will make a list of forbidden websites on the ground of proposals of appropriate governmental bodies. If a Belarusian site is included on the blacklist, the owner will receive a notice about that. The blacklist will further on be published on the Telecommunication Inspection website, but the national ISPs may extend that if they want. Also any person accessing the Internet in an Internet cafi or using a shared connection with one, must provide an identification document and a record of all his (her) online connections will be kept for a year. Based on the new legislation, Beltelecom, the state-own ISP has recently blocked access to kurier.vitebsk.by, Vitebsky Kuryer's newspaper's website which had not registered with the authorities for ideological reasons. The reasons are actually political ones as the site criticized local and national policies. The decree appears to be in fact aimed at blocking opposition's Internet resources in view of the upcoming presidential elections. The decree has been strongly opposed and criticized by the media community and international human rights organizations, including OSCE. Nine members of the National Bolshevik Party who made an unauthorised demonstration on the Freedom Square in Minsk on 23 June 2010, waving placards and wearing T-shirts with the words "Internet Freedom", were arrested, convicted and fined for the infringement of the procedures for holding demonstrations. Authorities step up Internet restrictions, harassment of online journalists (6.07.2010) http://en.rsf.org:80/belarus-authorities-step-up-internet-06-07-2010,37867.… All legal sites placed in .by domain will be obliged to move to Belarusian hosting (27.05.2010) http://e-belarus.org/news/201005271.html Full text of Internet censorship regulation released in Belarus (6.07.2010) http://www.charter97.org/en/news/2010/7/6/30382/ No Entry to Belarusian Internet Cafes without Passport (2.07.2010) http://telegraf.by/2010/07/no-entry-to-belarusian-internet-cafes-without-pa… EDRi-gram: New Belarus Internet regulations require compulsory web registration (19.05.2010) http://www.edri.org/edrigram/number8.10/censorship-belarus-registration-web… ============================================================ 4. The Digital Economy Act brought to court by two UK ISPs ============================================================ The two big UK ISPs, BT and TalkTalk, have asked the High Court to carry out a judicial review of the most controversial aspects of the Digital Economy Act, in order to establish whether it is in contradiction with existing privacy and electronic communication laws. The law will force ISPs to disconnect their customers deemed by intellectual property rights holders to have allegedly infringed copyrights. "The companies share a concern that obligations imposed by the Act may not be compatible with important European rules that are designed to ensure that national laws are proportionate, protect users' privacy, restrict the role of ISPs in policing the Internet and maintain a single market," says a statement of the two ISPs. Regulator Ofcom, which is in charge of drawing up detailed plans on how the legislation will work, has recently publicly presented the draft policy to deal with illegal file-sharers, requiring ISPs to send warning letters to customers who allegdly illegally download films, music and TV programs. A provision was added at the last moment stipulating that several rounds of consultation would be required before the implementation of such measures. The two ISPs believe they are also disadvantaged by the Digital Economy Act as, presently, the code of practice applies only to ISPs with more than 400 000 subscribers and therefore they may see all lot of their customers move to smaller ISPs which are not subject to the legislation. Technology lawyer Struan Robertson of Pinsent Masons stated that the court could not do much about a law that has already been approved by the Parliament: "All the court can do is make a declaration that a law is in breach of other obligations. That declaration would put pressure on Parliament to revisit the act." Although, according to BBC, Deputy Prime Minister Nick Clegg said that the Digital Economy Act "badly needs to be repealed" the new coalition government has no plans to change it. "The Digital Economy Act sets out to protect our creative economy from the continued threat of online copyright infringement, which industry estimates costs the creative industries, including creators, #400m per year," read a statement from the Department of Business, Innovation and Skills which also said: "We believe measures are consistent with EU legislation and that there are enough safeguards in place to protect the rights of consumers and ISPs and will continue to work on implementing them." ISPs take Digital Economy Act to the courts (8.07.2010) http://www.out-law.com:80//default.aspx?page=11211 BT and TalkTalk challenge Digital Economy Act (8.07.2010) http://news.bbc.co.uk/2/hi/technology/10542400.stm EDRi-gram: UK Digital Economy Bill voted by the Parliament (21.04.2010) http://www.edri.org/edrigram/number8.8/digital-economy-bill-uk ============================================================ 5. Belgium ISPs are not obliged to block The Pirate Bay ============================================================ Two Belgian ISPs have won their court battle against an anti-piracy group which had demanded that they block the access to The Pirate Bay. On 9 July 2010, the Antwerp Commercial Court rejected the blocking demands made by the Belgium Anti-Piracy Federation against the two ISPs, considering that the measure would be "disproportionate". The entertainment industry has exerted pressures recently on ISPs to block the Pirate Bay but most of them are refusing to comply. The negotiations the Anti-Piracy Federation had with Belgacom and Telenet ended up in court but the court ruled in favour of the ISPs. The ISPs argued they were merely technical operators and did not have the capacity to judge which sites were illegal and should be blocked. "It is not the role of Telenet to decide which sites should be available or not to our users. As a service provider, this is not within our competence," said a spokesperson for one of the ISPs. Also in Norway, the main ISP has refused to block access to The Pirate Bay considering that "asking from an ISP to control and establish what its users can or not download is as bad as asking from a post office to open and read any letter and to decide which should or not be delivered" as explained Ragnar Kerus, Telenor Director who added that it was not a question of being for or against copyright but of knowing whether it was "reasonable for ISPs to have the role of Internet censor in order to make certain rights observed". Another action follows the OpenBitTorrent that moved to the Spanish hosting company SoloGigabit. Spain is one of the countries where BitTorrent search trackers are not considered to infringe the law. Even so, IFPI has decided to go after the OpenBitTorrent's new Spanish host and has sent a letter to SoloGigabit stating that the hosting company could be "liable for aiding and abetting criminal copyright infringements and receiving payments from criminal activity." According to the Spanish legislation, BitTorrent search trackers are considered legal although some of their users may use it to download copyright infringing content. The OpenBitTorrent tracker is just a communication facilitator between torrent users. "According to all Spanish legal resolutions, a link does not communicate nor reproduces the work under intellectual property. So, linking is not a violation, hosting without the rights holders permission is," told copyright expert and lawyer Javier de la Cueva to TorrentFreak. It is not yet certain what position will SoloGigabit take, having in view that the company is a rather small one and might not be able to face a long and costly trial even if it does not infringe the Spanish law. ISPs Don't Have To Block The Pirate Bay, Court Rules (10.07.2010) http://torrentfreak.com/isps-dont-have-to-block-the-pirate-bay-court-rules-… The Belgium justice refuses to impose the blocking of The Pirate Bay (only in French, 10.07.2010) http://www.numerama.com/magazine/16222-la-justice-belge-refuse-d-imposer-le… IFPI threatens OpenBitTorrent's host, despite the Spanish jurisprudence (only in French, 12.07.2010) http://www.numerama.com/magazine/16224-l-ifpi-menace-l-hebergeur-d-openbitt… Music Industry Threatens OpenBitTorrent's New Hosting Provider (11.07.2010) http://torrentfreak.com/music-industry-threaten-openbittorrents-new-hosting… ============================================================ 6. Blocking of innocent websites by O2 Ireland ============================================================ The Irish mobile operator O2 has acknowledged accidentally blocking the image hosting website IMGUR through its system for blocking alleged child abuse material. There appears to have been no indication that there was, in fact, any illegal material hosted on that site. Furthermore, it is not obvious on what basis O2 could have made the decision to undertake the blocking. In a statement provided to the Irish hotline, which was not published but simply made available to people who enquired about the problem, O2 explained that "the technology behind the service (to block child abuse images) is more far reaching than anticipated and on occasion a site which should not be blocked may be." It is impossible to tell how many other innocent, but smaller and therefore less noticeable, websites are similarly blocked by accident, due to this "far reaching technology." O2 undertakes its blocking system on a voluntary basis, despite the fact that, according to the European Commission, "such measures must indeed be subject to law, or they are illegal"(according to the Commission's impact assessment on the draft Directive on child exploitation). Nonetheless, the European Commission is also now supporting such extra-judicial measures and it is now also proposing to use taxpayers' money to fund them. A six million euro call for proposals launched in June 2010 refers to funding for "blocking access to child pornography OR blocking the access to illegal Internet content through public-private cooperation". This call, by the Commission, for "self-regulatory" blocking of allegedly illegal content in general was made just a few weeks after Commissioner Malmstrvm explained at a conference that "the Commission has absolutely no plans to propose blocking of other types of content - and I would personally very strongly oppose any such idea". It is likely that further deliberate and accidental blocking of websites will now spread in Ireland, due to the fact that the Irish former monopoly Eircom agreed to block sites accused of containing unauthorised material, while mobile operator Vodafone has reportedly also indicated that it will introduce extra-judicial measures against any of its customers repeatedly accused of infringements. Many blogs and online message boards accused the Irish Internet hotline of having prepared a faulty blocking list and this was what led to IMGUR being blocked. As the Irish internet hotline does not prepare a blocking list, but simply acts in its capacity as a hotline, these allegations were incorrect. Commission impact assessment - Accompanying document to the Proposal for a Council Framework Decision on combating the sexual abuse, sexual exploitation of children and child pornography, repealing Framework Decision 2004/68/JHA - Impact assessment {COM(2009) 135} {SEC(2009) 356 (25.03.2010) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52009SC0355:EN:… Irish Internet hotline http://www.hotline.ie Vodafone in line to join file-sharing clampdown (16.06.2010) http://www.irishtimes.com/newspaper/ireland/2010/0616/1224272615990.html European Commission call for proposals: "Prevention of and fight against crime" http://ec.europa.eu/justice_home/funding/isec/doc/tc2_call_2010_en.pdf Commissioner Malmstrvm speech: "Combating sexual abuse, sexual exploitation of children and child pornography: the Commission's proposed Directive" (6.05.2010) http://ec.europa.eu/commission_2010-2014/malmstrom/archive/Speech%20%20Malm… FOI shows Department of Justice planning internet blocking for Ireland (16.04.2010) http://www.digitalrights.ie/2010/04/16/foi-shows-department-of-justice-plan… Internet Filtering in Ireland: More Information from the Seanad (1.06.2010) http://www.digitalrights.ie/2010/06/01/internet-filtering-in-ireland-more-i… (Contribution by Joe McNamee - EDRi) ============================================================ 7. Facebook faces serious fines in Germany ============================================================ The Hamburg Commissioner for Data Protection and Freedom of Information John Caspar has launched legal proceedings against the operator of the social network Facebook for illegally accessing and saving personal data of people who don't use the respective social networking site. "We consider the saving of data from third parties, in this context, to be against personal data laws," said Caspar. Germany benefits of one of the strictest privacy laws in the world that includes precise limits to the access to personal data and has already launched an investigation on Google, as well as in relation to its Street View mapping system. Facebook was given until 11 August 2010 to give a formal response to the legal complaint which may lead to its being fined tens of thousands of euro, if the response is not acceptable. Although Facebook has changed its privacy settings in order to allow its users to block access to their e-mail address contacts, the Commissioner argues that the already saved contacts have not been erased and are used for marketing purposes. Facebook collects data also on non-members, by using, for instance, the Facebook application for iPhones which allows the transfer of all the contacts from the mobile phone to the social network. This offers the option to transfer all available contacts in the mobile phone on Facebook. Also, when somebody creates a new account on Facebook, the system offers to search into the new member's e-mail accounts to find friends on the network. Caspar stated that many citizens had recently "complained about the use of third party data" meaning that they had been contacted by Facebook after it had obtained their e-mail addresses from contacts of network members. The Consumer Protection Minister Ilse Aigner announced in June that she was planning to give up her Facebook account considering the social network was not doing enough to protect users' data. Germany takes legal steps against Facebook (6.07.2010) http://www.google.com:80/hostednews/ap/article/ALeqM5jipwYBDk87V1KRECUQ_C2a… Hamburg data protection commissioner initiated penalty proceedings against Facebook (7.07.2010) http://www.heise.de/newsticker/meldung/Hamburgs-Datenschuetzer-leitet-Bussg… Penalty proceedings against Facebook for storing the data of others (only in German, 7.07.2010) http://www.hamburg.de/pressearchiv-fhh/2365106/datenschutz-facebook.html ============================================================ 8. Yahoo is not bound to give personal data to Belgian authorities =========================================================== The Belgian Court of Appeal of Gand ruled on 30 June 2010 that Yahoo was not obliged to hand over personal data of its users to the Belgian authorities, in a case where the first instance had issued a contrary ruling. In 2009, following a cybercrime investigation by the Belgian police, it was discovered that a group was using Yahoo e-mail addresses to commit online fraud. The members of the group stole data from various companies and used the data to order goods without paying. Yahoo was requested by the Belgian Public Prosecutor to hand over the IDs related to the e-mail addresses used by the group but the company refused to comply and, on 2 March 2009, received a 55 000 euro fine from a Termonde judge who also imposed a daily penalty fee of 10 000 euro in case of non-compliance with the judgment. The court did not consider Yahoo's argument that it was not subject to the Belgian law as it had no legal entity in Belgium and did not store any customer data in Belgium. The appeal court has now decided that there was no legal basis for the 2009 ruling against the company. "There is not enough evidence that the providers of free of charge e-mail addresses are also electronic communication services. In other words, there is no proof that Yahoo deals directly with sending the signals. It has no control over the network as an e-mail provider" said the decision of the Appeal Court. It is reported that, throughout the whole process, no attempt was ever made by the Belgian authorities to use existing Mutual Legal Assistance Treaty to obtain the requested data via recognised legal channels. Gand: Yahoo! acquitted in appeal for not having transmitted data to justice (only in French, 30.06.2010) http://levif.rnews.be/fr/news/belga-generique/gand-yahoo-acquitte-en-appel-… A Win for Yahoo! And for Privacy in Belgium (6.07.2010) http://www.yhumanrightsblog.com/blog/2010/07/06/a-win-for-yahoo-and-for-pri… EDRi-gram: Yahoo penalised in Belgium for not disclosing personal data (11.03.2009) http://www.edri.org/edri-gram/number7.5/belgium-decision ============================================================ 9. ENDitorial: French biometric passport: case still pending after 2 years ============================================================ It took more than two years after the complaint against the French biometric passport was filed to have the conclusions of the "public rapporteur" publicly presented at the Conseil d'Etat (French highest administrative Court), on 30 June 2010. While the final court decision was expected some weeks later as it usually occurs, the plaintiffs received instead an official note that the conclusions presented on 30 June were dismissed, and that some more analysis was needed: the case will now be heard on October 2010. The French biometric passport entered into force after a decree was published on 4 May 2008. On 4 July 2008, a case was jointly filed before the Conseil d'Etat by two NGOs: French EDRI member IRIS and the French Human Rights League, to obtain the annulment of this decree. Other complaints were filed by a group of 10 citizens from Toulouse, and by photographers associations and companies, the latter complaint highlighting economic issues with the decree. The main provisions targeted by the two NGOs are: the establishment of a centralized national biometric database; the collection and storage in the database of 8 fingerprints (only 2 of them being also stored in the passport chip), instead of the 2 required by the European regulation on biometric passports; the collection of fingerprints of children starting from age 6. Legal substantive and procedural arguments against these provisions are provided in the complaint. In the French Conseil d'Etat judicial system, the "public rapporteur" is a member of the Council in charge of presenting to the court the claim put forward in the complaint, of analyzing the circumstances and the applicable law, and of proposing independent and impartial conclusions and recommendations regarding the final decision. Usually, the court follows these conclusions, or simply makes slight modifications before delivering its judgement. Two years after the complaint was filed, the "public rapporteur" recommended the annulment of the provision requiring to collect and store in the centralized database the 6 additional fingerprints, on the basis that this was disproportionate with respect to the European regulation. While he didn't recommend the annulment of the provision creating a centralized database, the "public rapporteur" pointed out that this was not required by the European regulation, and that French and European data protection institutions, as well as the European Parliament, voiced strong concerns against this provision. However, the "public rapporteur" considered, following the opinions of the French Ministry of Interior, that this centralized database is necessary to avoid identity fraud and passport trafficking, including in the case of children starting from age of 6. Apparently, these timid conclusions were still too provocative for the Conseil d'Etat or were they, on the contrary, indeed too timid in the Court's view as well? No one knows yet why the Conseil d'Etat considered that they needed to be dismissed, and that four additional months of investigations and discussions were still needed to reach a decision. In the mean time, the deployment of the French biometric passport has been going on since the publication of the decree, given that such complaints do not have any suspensive effect. EDRi-gram: Complaint Against The French Govt To Annul The Biometric Passport Decree. The French Government goes against CNIL in biometric passports (16.07.2008) http://www.edri.org/edrigram/number6.14/complaint-french-biometric-passport French biometric passport dossier (all available documents, only in French) http://www.ines.sgdg.org/spip.php?page=recherche&recherche=passeport (Contribution by Meryem Marzouki - EDRi-member IRIS - France) ============================================================ 10. Recommended Action ============================================================ Over 300 MEPs have signed the Written Declaration on ACTA. Please continue to contact your MEPs and ask them to sign the Written Declaration at the next Strasbourg plenary session on 6-9 September. Less than 70 signatures needed by 9 September 2010 ! http://www.eff.org/action/eu-action-alert-urge-your-mep-take-stand-internet… http://www.laquadrature.net/wiki/Written_declaration_ACTA_12/2010 http://www.laquadrature.net/wiki/Help_sign_the_Written_Declaration_12/2010_… ============================================================ 11. Recommended Reading ============================================================ Joint Comments EDRi and EuroISPA to the Dialogue on Notice and Take Down of illegal content (07.2010) http://www.edri.org/files/090710_dialogue_NTD_illegal_content_EuroISPA-EDRI… New Challenges to Data Protection study for DG Justice, Freedom and Security (8.07.2010) Executive summary http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1638945 Final report http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1636706 In French http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1638920 In German http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1638917 Country-specific reports http://ec.europa.eu/justice_home/fsj/privacy/studies/index_en.htm Report on the implementation of open content licenses in developing and transition countries http://www.eifl.net/cps/sections/services/eifl-oa/docs/report-on-implementa… ============================================================ 12. Agenda ============================================================ 24 July 2010, London, UK ORGCon, first ever conference dedicated to digital rights in the UK. http://www.openrightsgroup.org/blog/2010/book-now-first-ever-orgcon-24-july 25-31 July 2010, Meissen, Germany European Summer School on Internet Governance http://www.euro-ssig.eu 29-31 July 2010, Freiburg, Germany IADIS - International Conference ICT, Society and Human Beings 2010 http://www.ict-conf.org/ 2-6 August 2010, Helsingborg, Sweden Privacy and Identity Management for Life (PrimeLife/IFIP Summer School 2010) http://www.cs.kau.se/IFIP-summerschool/ 31 August - 3 September 2010, Budapest, Hungary OpenOffice 2010 Conference http://www.ooocon.org/index.php/ooocon/2010 13-17 September 2010, Crete, Greece Privacy and Security in the Future Internet 3rd Network and Information Security (NIS'10) Summer School http://www.nis-summer-school.eu 14-16 September 2010, Vilnius, Lithuania Internet Governance Forum 2010 http://igf2010.lt/ 20-21 September 2010, Helsinki Finland Finnish Internet Forum http://internetforum.fi 8-9 October 2010, Berlin, Germany The 3rd Free Culture Research Conference http://wikis.fu-berlin.de/display/fcrc/Home 25-26 October 2010, Jerusalem, Israel OECD Conference on "Privacy, Technology and Global Data Flows", celebrating the 30th anniversary of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data http://www.oecd.org/sti/privacyanniversary 27-29 October 2010, Jerusalem, Israel The 32nd Annual International Conference of Data Protection and Privacy Commissioners http://www.privacyconference2010.org/ 28-31 October 2010, Barcelona, Spain oXcars and Free Culture Forum 2010, the biggest free culture event of all time http://exgae.net/oxcars10 http://fcforum.net/10 3-5 November 2010, Barcelona, Spain The Fifth International Conference on Legal, Security and Privacy Issues in IT Law. Call for papers deadline: 10 September 2010 http://www.lspi.net/ 17 November 2010, Gent, Belgium Big Brother Awards 2010 Belgium http://www.winuwprivacy.be/kandidaten ============================================================ 13. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 27 members based or with offices in 17 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram(a)edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request(a)edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request(a)edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edrigram-mk.php - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram(a)edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

[p2p-hackers] p2p/mesh economies: observations/speculations + an attempt to define some useful terms
by Jon Cox 06 Jul '18

06 Jul '18

Dear p2p-hackers, After thinking about the similarities between the commons issues faced by the PaulGardner-Stephen's Serval project & Zooko's Tahoe LAFS, I was motivated try (yet again!) to refine my understanding of currency systems, barter and money. I'd like some help! These concepts seem to have direct bearing on problems that arise when bootstrapping new users into a p2p/mesh system, trust, credit, fairness protocols & so on, yet I lack a standard terminology for talking about them in a precise way. First, I'd like to share a speculation: My guess is that it would be best if Tahoe LAFS computed all credits and debits in terms of its native "commodity currencies" (this term is defined below) like storage, availability, bandwidth, latency, and priority, and then possibly mapped these things to other currencies via forward contracts in a fairly pluggable manner. While Bitcoins might be interesting as one of several possible side-channels to establish "credit" for the system's own native currencies when dealing with non-boostrapped strangers, or for those who would otherwise hit their "debt ceiling", I'm hoping that friends could still offer credits for "native" commodities denominated as such *directly*, without needing to think about a fluctuating 3rd-party / non-native currency abstraction. That said, here's my first shot at defining a few terms, along with a note to the Serval project that may be of more general interest: o Benefit That which produces a net increase in some desired state of being. o Intrinsic value Non-bartered perceived benefit. o Value Optimally bartered perceived benefit. o Money The mathematical abstraction of value Note: this can be a positive or negative quantity. o Currency The concrete manifestation of money. Note: currency always has a non-negative value. Example: physical dollars & coins. o Pure liability Something of negative value that isn't the result of owing anybody something. Example: an inadequate reputation o Debt A liability resulting from owing something of positive value to another party. o Pure asset Positive value that isn't the result of someone owing you. Example: good health. o Credit A liability that another party owes to you and recognizes. o Commodity currency Some fungible good or service that is easy measurable and comparable, transferable and transportable, sufficiently divisible and durable, widely bartered with known rates of exchange, and derives its value from its intrinsic usefulness rather than its role as a currency or as an item of speculation predicated on the existence of a greater fool. Example: cigarettes in a POW camp. o Native commodity currency A commodity currency whose production and consumption are intrinsic to the economy itself. Example: Carpool rides in a ride-sharing network. o Collectible currency Like a commodity currency, except that its value comes from the mutual speculation of those who create demand for it, rather than its intrinsic worth to any end user. Example 1: Bitcoin is a perfect example of a collectible currency because its intrinsic worth is exactly zero (you can't even use them to line the bottom of a bird cage). Example 2: Gold and silver are best thought of as being somewhere between commodity and collectible currencies; however, the volatility of silver prices relative to its supply and industrial demand shows it's more on the speculation- driven "collectible" side if things. o Fiat obligation currency Like a collectible currency, except that every unit created represents the transfer of value from someone who has actually produced a good or service of non-zero intrinsic worth to a person or institution that has offered nothing in exchange for it but the currency itself. Crucially, the production of fiat obligation currency is restricted by law, and demand for it is created by requiring its use. Hence, every unit represents a claim by its producer to simply extract things of actual value from those who cannot create the currency themselves, and yet are bound to use it by law or necessity. Example: The deceptively named "Fed", a group of privately owned for-profit banks, create legal tender (US dollars) out of thin air, then "exchange" them for US Treasury for T-bills. The T-bills have real value in that they represent fractional ownership of the US government's ability to extract goods and services from its own citizens, and from the citizens of foreign countries. To do this at home, it puses the IRS, federal marshals, and the legal system. Abroad, it uses military and/or political power to enforce its will directly, or it can use intermediaries in its thrall, such as the IMF, The World Bank, various resource-rich or strategic client governments, and so-called "Coalitions of the Willing". Hence, every dollar represents the assertion of a one-sided obligation; they aren't coupons for anything of intrinsic value that the Fed used to barter with the US Treasury in exchange for a fraction of the tribute our government is able to demand. Instead, they are more like souvenirs commemorating an outright confiscation of it that has already taken place. The obscene material wealth and power held by those happy few who are on the receiving end of this arrangement is the direct result of the compulsory exchange of intrinsically valuable goods and services for inherently valueless slips of paper decorated with stars, eagles, and the faces of dead presidents. o Fiat commonwealth currency Like a fiat obligation currency, except that the value extracted in the process of its creation goes to the community's own public fund, rather than being siphoned off by a private aristocracy. Example (I think): Treasury-issued "United States Notes". ----------------------------------------------------------------- Here are some comments I made to the Serval project recently. I'd love to get some feedback on them. Hopefully, the ideas I'm tossing around are of wide enough applicability to merit general interest and/or or an informed & corrective critique ----------------------------------------------------------------- Serval already has at least three commodities with universal value, and native non-speculative demand: bandwidth, latency, and priority. Using these in combination with a system of reputation and credit as a "commodity currency" makes a lot more sense than dragging in a collectible currency. Assuming nodes in a Serval mesh are free to associate in different virtual communities of reputation (as humans do in real life), all a community needs to do is restrict mesh access ("the commons") in ways it sees fit to discourage behavior it dislikes, or grant special credit for positive actions (eg: donating bandwidth, particularly in times of shortage). It seems as though you could even model the policies of Serval "community" as an autonomous System (AS) on the Internet, and then go on to think about communities honoring each other's credits with bandwidth, latency, and priority as parameters like a AS-AS forex. This would keep every community free from central domination by other groups, yet open to engage in mutually beneficial data transfers. It seems likely that a few huge communities would naturally arise, along with lots of little ones. Users might like to have different policies for each of them, as different levels of generosity (or blind trust) might be appropriate; one might have reputations in personal groups, affinity, regional/global, etc. It seems like the core requirement is the ability to assign a policy profile to a group ID, and the ability to have more than one. If someone with a sufficiently large balance and community reputation never gets bumped by somebody who might be free-riding or has no reputation, it makes sense to build a positive and credible "accounts receivable" bandwidth balance. Someone could always cheat you with a series of bogus IDs, if doing so entails them being second-class citizens the entire time, there isn't much incentive. I think it's good to place the main focus on first degree contacts, as has been done with great success in hawala networks. The hawala system is well known for its efficiency and real-world security, even over wide geographical areas lacking any common authority sanctioned to use powers of state (such as garnishment) in order to enforce contracts. Reputation-based access to the commons can go a long way to regulate behavior. Diamond traders that operate via handshake agreements are another nice example of regulation by community restriction. More generally, the principles and practices of Islamic banking look like they're worthy of serious study. I've only begun to explore this topic, but the prohibition against outright interest seems to have generated a fascinating array of partnership-oriented contracts and non-leveraged financial relationships -- all with a bare minimum of bookkeeping. If an adversary's goal is to hunt down all copies of a message and destroy it, another consideration emerges: perservering ignorance. Example: Julian Assange has no idea how to reclaim all copies of insurance.aes256; therefore, he cannot be forced to help anybody else do so either, even under the threat of torture. Had a recording been made of every person who downloaded the file, then thugs could go after these people too, even if they number in the tens of thousands. However, what if these folks placed the same data on the net in a way that couldn't be detected, and was then downloaded by yet another set of people that's unknown to the first group. The same logic applies to the release of the key to unlock the encrypted data. You probably want some sort of anonymous quorum where the various members don't actually know all the other members, but share an ability to look at a common "outer envelope" wrapping a sig and an inner blob. The disconnected cliques have these blob-bearing coconuts floating between them, yet the inner blob part within the coconut cannot be cracked solo by any one clique; however portions of the key to crack it can be posted publicly by them (in any form: wrapped by the group envelope or not, steganographically or not, signed or not, and so on). Cheers, -Jon _______________________________________________ p2p-hackers mailing list p2p-hackers(a)lists.zooko.com http://lists.zooko.com/mailman/listinfo/p2p-hackers ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

1 0

[Dewayne-Net] THE END OF THE INTERNET?
by Dewayne Hendricks 06 Jul '18

06 Jul '18

[Note: Worth reading. Also, check out some of the white papers the article points to. One of note: "Network Neutrality: A Broadband Wild West?". DLH] THE END OF THE INTERNET? [SOURCE: The Nation, AUTHOR: Jeff Chester] [Commentary] Verizon, Comcast, Bell South and other communications giants are developing strategies that would track and store information on our every move in cyberspace in a vast data-collection and marketing system, the scope of which could rival the National Security Agency. According to white papers now being circulated in the cable, telephone and telecommunications industries, those with the deepest pockets--corporations, special-interest groups and major advertisers -- would get preferred treatment. Content from these providers would have first priority on our computer and television screens, while information seen as undesirable, such as peer-to-peer communications, could be relegated to a slow lane or simply shut out. Under the plans they are considering, all of us--from content providers to individual users -- would pay more to surf online, stream videos or even send e-mail. Industry planners are mulling new subscription plans that would further limit the online experience, establishing "platinum," "gold" and "silver" levels of Internet access that would set limits on the number of downloads, media streams or even e-mail messages that could be sent or received. To make this pay-to-play vision a reality, phone and cable lobbyists are now engaged in a political campaign to further weaken the nation's communications policy laws. They want the federal government to permit them to operate Internet and other digital communications services as private networks, free of policy safeguards or governmental oversight. Indeed, both the Congress and the Federal Communications Commission are considering proposals that will have far-reaching impact on the Internet's future. Ten years after passage of the ill-advised Telecommunications Act of 1996, telephone and cable companies are using the same political snake oil to convince compromised or clueless lawmakers to subvert the Internet into a turbo-charged digital retail machine. <http://www.thenation.com/doc/20060213/chester> Links to White Papers mentioned above: <http:// www.democraticmedia.org/issues/netneutrality.html> Weblog at: <http://weblog.warpspeed.com> ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

1 0