============================================================

EDRi-gram

biweekly newsletter about digital civil rights in Europe

Number 8.4, 24 February 2010

============================================================
Contents
============================================================

1. Leaked ACTA text confirms suspicions
2. First decision in the Italian criminal case against Google executives
3. France's Parliament pursues its goal to censor the Internet
4. Germany's President signs an Internet bill against his own government
5. Spanish Fiscal Council criticizes the new draft law on IPR enforcement
6. EP: Draft reports on IPR enforcement published
7. French Court says an IP address is not enough for a user's identification
8. Chip and PIN system proven to be flawed
9. New Google's service raises privacy concerns
10. Romania: Moral damages for publishing personal data online
11. Germany DPAs to discuss the EU-US Safe Harbour Agreement
12. ENDitorial: Richard Stallman on "Copyright versus Public" in Berne
13. Recommended Action
14. Recommended Reading
15. Agenda
16. About

============================================================
1. Leaked ACTA text confirms suspicions
============================================================

The text of the digital chapter of the Anti-Counterfeiting Trade Agreement was published on 21 February 2010, following news articles from IDG News Service issued a few days before.

The text of the draft digital chapter confirms that there are several problems with the draft agreement and many of the assurances given on the topic were somewhat "economical with the truth". These "economies" were on display again during a discussion between the Commission Head of Unit responsible for the dossier, Luc Devigne, and the International Trade Committee of the Parliament.

Mr Devigne explained that:
- there is no ACTA text, so there is nothing that the Commission could share with the Parliament
- ACTA is about enforcement and not about changing substantive law

Mr Devigne was also quite economical with answers. He failed to answer questions on:
- the failure to implement the relevant provisions of the Lisbon Treaty with regard to transparency
- the fact that US lobbyists had access to the ACTA documents but not the European Parliament
- if ACTA would require ordinary citizens to be excluded from the scope of certain border measures or would simply allow for this to be the case
- if ACTA would lead to criminal sanctions, including prison, for people that recorded films in cinemas
- if ACTA would criminalise an individual who, for example, created an open source programme to open all documents on all formats, thereby (without commercial interest) circumventing technical protection measures.

He also repeated the meaningless statement that "ACTA is not meant to undermine civil liberties", which simply means that this was not the original intent of the negotiations and does not, quite obviously, exclude this possibility.

Unsurprisingly, the unclear, ambiguous and "economical" answers led to an angry reaction from Parliamentarians. The little information that MEP Carl Schlyter (Greens, Sweden) was able to glean from Mr Devigne's answers was, he said, contrary to information that had previously been provided by Commissioner De Gucht. Consequently, he requested that the Commissioner attend future discussions instead of Devigne.

EDRi has prepared a public FAQ on ACTA in order to better explain why the agreement is endangering human rights in Information Society. EDRi explains that the treaty is not just about counterfeiting, because it also covers a far greater range of issues, including mandated penalties for non-commercial copyright infringement, worldwide Internet regulation and world trade in generic medicines.

The leaked document talks mostly about copyright infringement. Although the document is vague on whether non-commercial infringements are included, provisions from the Border Measures section previously made public indicate that the definition of counterfeiting will change current international norms and expand the scope beyond catching organised criminal networks smuggling goods that this agreement is purported to target.

The leaked ACTA chapter includes a "three-strikes" Internet disconnection approach for alleged repeat copyright infringers. The document makes clear that the US negotiators intend that ISPs would be required to adopt three strikes Internet disconnection policies in order to get the benefit of "safe harbours" or limitations on ISPs' liability for copyright infringement.

The proposal would require countries to adopt criminal measures, which are outside the body of the harmonised EU legislation. When read alongside the criminal measures provisions made public earlier in the ACTA negotiations, many concerns arise about the increased criminalisation of activities online. Without robust proportionality principles and with insufficient consideration of civil liberties and human rights protections, ACTA is a threat to ordinary behaviour on the Internet. The ineffective strategy of deterrence without balance undermines the legitimacy of the law.

After the new chapter of ACTA was leaked, an Opinion from the European Data Protection Supervisor (EDPS) explained that the current three strikes proposals may be incompatible with the current data protection requirements. The EDPS complained that he was not involved by the European Commission in the debates on this treaty and declared: "Whereas intellectual property is important to society and must be protected, it should not be placed above individuals' fundamental rights to privacy and data protection.
A right balance between protection of intellectual property rights and the right to privacy and data protection should be ensured. It is also particularly crucial that data protection requirements are taken into account from the very beginning of the negotiations so as not later on having to find alternative privacy compliant solutions."

The next round of negotiations will take place in New Zealand on 12-16 April 2010. Parties agreed tentatively to a 5 day round, covering a detailed discussion on Internet, civil, customs and penal measures.

Leaked ACTA draft reveals plans for internet clampdown (19.02.2010)
http://computerworld.co.nz/news.nsf/news/leaked-acta-draft-treaty-reveals-plans-for-internet-clampdown

Leaked ACTA chapter on Internet
http://sites.google.com/site/actadigitalchapter/acta_digital_chapter.pdf

EDRi FAQ on ACTA (22.02.2010)
http://www.edri.org/files/acta_FAQ_100222.pdf

Opinion of the European Data Protection Supervisor on the current negotiations by the European Union of an Anti-Counterfeiting Trade Agreement (ACTA) (22.02.2010)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consul...

Anti-Counterfeiting Trade Agreement: EDPS warns about its potential incompatibility with EU data protection regime (22.02.2010)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/P...

(contribution by Joe McNamee - EDRi)

============================================================
2. First decision in the Italian criminal case against Google executives
============================================================

Today, 24 February 2010, the Court of Milan made public the decision in the criminal trial against four Google executives, charged with defamation and illegal personal data handling in relation to the publication on the video sharing platform of a video showing acts of bullying against a person affected by Down syndrome.
The legal basis for the charges, following the prosecutor's theory of the case, was that those executives failed to exercise pre-emptive control over the contents published by Google's end users, thus allowing the infringement of the reputation of the person concerned and of an NGO representing persons affected by Down syndrome.

The Court acquitted all the defendants of the charges of defamation, but found them liable on the illegal personal data handling charge. The whole sentence (including the legal technicalities that support the decision) will be public within the next 30 days.

The legal oddity of the prosecutor's strategy is this:
1 - there is a rule of law that says: to not stop a fact means to cause it,
2 - data protection law requires a prior authorization to be obtained before handling personal data,
3 - a video to be posted online is personal data,
4 - therefore Google executives had to check whether the user who posted the video had obtained prior authorisation from the people in the video, and
5 - by failing to do so, they infringed the data protection law
6 - furthermore, by not controlling in advance they let the video libel the victim of the violence (this charge has been dismissed.)

The consequence is that under this (odd) interpretation of data protection law, every Internet Service Provider is required to infringe its users' privacy in order to run a prior check on the legitimacy of the actions performed by the users themselves. A nice Catch 22, and a goodbye to network neutrality and online privacy!

Google execs convicted for Italy autism video (24.02.2010)
http://www.reuters.com/article/idUSTRE61N2G520100224

Case Vividown, the intermediary is responsible (only in Italian, 24.02.2010)
http://punto-informatico.it/2819031/PI/News/caso-vividown-intermediario-resp...

Intermediaries or controllers? (only in Italian, 24.02.2010)
http://punto-informatico.it/2819668/PI/Commenti/intermediari-controllori.asp...

Serious threat to the web in Italy (24.02.2010)
http://googleblog.blogspot.com/2010/02/serious-threat-to-web-in-italy.html

(contribution by Andrea Monti - EDRi-member ALCEI Italy)

============================================================
3. France's Parliament pursues its goal to censor the Internet
============================================================

On 16 February, the National Assembly, the lower house of the French Parliament, passed the first draft of the so-called Loppsi 2 bill allowing the authorities to control the Internet under the pretext of improving the citizens' security.

The new legislation deals not only with child pornography sites, but has in view a long blacklist of other types of websites that ISPs will have to block. The list of banned Web sites would be provided by the Interior Ministry and it would be "the responsibility of each Internet service provider to ensure that users don't have access to unsuitable content."

According to article 4 of the draft law, the ISPs contacted by the authorities must block without delay the designated sites under the threat of being fined up to 75 000 euro and one year of imprisonment for their administrators in case of non-compliance.

The new legislation also allows the French police and security forces to enter a suspect's house and clandestinely install software to spy on private computers, following a judge's decision.

Loppsi 2 contains other provisions as well, including improved interoperability between police files and personal data kept by institutions such as banks and a tripling of surveillance cameras in France under the pretext of "video protection."

MEP Sandrine Bélier believes the bill represents "a serious threat" to the neutrality of the Internet. "The filtering and blocking of the Web has become a standard weapon in the legislative arsenal of a government which has been shameless in its handling of personal freedoms," she said in an interview.

"Protection of childhood is shamelessly exploited by Nicolas Sarkozy to implement a measure that will lead to collateral censorship and very dangerous drifts. After the HADOPI comes the LOPPSI: the securitarian machinery of the government is being deployed in an attempt to control the Internet at the expense of freedoms", stated Jérémie Zimmermann from La Quadrature du Net.

The draft law will go for a second reading in the Senate and, if approved, it could come into force this summer.

The French Senate also started on 23 February 2010 the discussions on the draft legislation for the opening of the online gambling market that would require the ISPs to block any unauthorised gambling websites.

France Moves Closer to Unprecedented Internet Regulation (17.02.2010)
http://www.spiegel.de/international/europe/0,1518,678508,00.html

French Parliament approves Net censorship (11.02.2010)
http://www.laquadrature.net/en/french-parliament-approves-net-censorship

Loppsi was adopted by the National Assembly (only in French, 16.02.2010)
http://www.numerama.com/magazine/15100-la-loppsi-a-ete-adoptee-par-l-assembl...

Loppsi: the installation of software spies to suspects is adopted (only in French, 11.02.2010)
http://www.numerama.com/magazine/15076-loppsi-l-installation-de-mouchards-ch...

Filtering of web sites: ISPs simple executants (only in French, 9.02.2010)
http://www.journaldunet.com/ebusiness/le-net/loppsi-et-internet/filtrage-des...

Online gambling filtering examined this Tuesday in the Senate (only in French, 23.02.2010)
http://www.numerama.com/magazine/15127-le-filtrage-des-jeux-en-ligne-examine...

EDRi-gram: LOPPSI 2 French law - to block or not to block websites (27.01.2010)
http://www.edri.org/edrigram/number8.2/loppsi-2-france-blocking-websites

============================================================
4. Germany's President signs an Internet bill against his own government
============================================================

Despite the fact that the German Government had decided not to apply the internet censorship law (Zugangserschwerungsgesetz) proposed by the former Government in April 2009, the new bill was signed on 17 February 2010 by German President Horst Köhler.

The president decided that the Access Impediment Law did not raise any significant concerns related to the compatibility with the German Constitution and that it was meant to fight online child pornography allowing the blocking of offensive web sites.

This is a delicate situation for the government which will need the opposition's support to repeal the legislation. Following the strong and massive opposition to the bill by Internet users and civil rights groups, the government coalition elected in September 2009 decided to put the law on hold, focusing rather on removing offensive Internet content, based on existing laws. The government was hoping to have more time to draw up another anti-child pornography law that would repeal the Access Impediment Law.

"New regulations will quickly be introduced that correspond to the principle of deleting rather than blocking access," said Justice Minister Sabine Leutheusser-Schnarrenberger on 17 February, adding that the government was determined not to apply the law. Her statement was backed up by the Interior Ministry.

The Working Group on Internet blocking and censorship (Censorship AK) asked for the repeal of the bill in a press release and called for a spontaneous demonstration of the Internet activists for the same goal. The demonstration took place on 17 February in front of the Bellevue Palace.

The Bitkom association, which represents the German IT industry, called on the government to clarify the situation and to quickly repeal the new law.

A spokesman from the German Pirate Party said it was "unbelievable" that President Köhler had signed the law into force.

The opposition parties will introduce a bill on 25 February before the Bundestag, the lower house of the German Parliament, repealing the new law.

New Internet Legislation Embarrasses German Government (18.02.2010)
http://www.spiegel.de/international/germany/0,1518,678782,00.html

The Working Group on Internet blocking and censorship calls for immediate lifting of Internet blocking law (only in German, 17.02.2010)
http://ak-zensur.de/2010/02/unterzeichnung.html

Spontaneous demonstration in front of Schloss Bellevue (only in German, 18.02.2010)
http://www.netzpolitik.org/2010/dokumentation-der-spontan-demo-vor-schloss-b...

New law to censor internet child pornography (17.02.2010)
http://www.dw-world.de/dw/article/0,,5259255,00.html

No internet censorship in Germany for the next year (18.10.2009)
http://ak-zensur.de/2009/10/access-blocking-germany.html

ZugErschwG signed (only in German, 18.02.2010)
http://blog.windfluechter.net/archives/919-ZugErschwG-unterzeichnet.html

EDRi-gram: Web blocking gets a reality check (21.10.2010)
http://www.edri.org/edrigram/number7.20/web-blocking-germany-uk

============================================================
5. Spanish Fiscal Council criticizes the new draft law on IPR enforcement
============================================================

In a non-binding report issued on 12 February 2010, the Spanish Fiscal Council criticised the draft law proposed by the Government known as the Sustainable Economy Law (la Ley de Economía Sostenible - LES) that foresees new Intellectual Property Rights (IPR) enforcement measures on the Internet.

The Council shows concern related to the LES draft text which places the intellectual property rights at the same level with fundamental rights such as freedom of expression, public security, national defence, public health or non-discrimination on grounds of race, sex or religion. In the Council's opinion, the intellectual property rights should be treated as property rights and not as fundamental rights.

The report also raises concerns over the fact that the draft law gives the Intellectual Property Commission (Comisión de Propiedad Intelectual - CPI) the power to propose the closing down of web sites offering download links to alleged unauthorized copyright content. According to the Fiscal Council this "has an enormous potential to invade the sphere of fundamental rights."

The report also emphasizes the fact that the proposed law "is limited to cases where the service provider is established in Spain or in a State of the European Union," which makes it inefficient. If sites with a Spanish domain are closed, other identical sites may occur in countries that are outside the EU.

People's Party (PP) culture spokesman José María Lassalle stated that the Fiscal Council's report supports PP's position in the matter and there are many other voices that have expressed opposition to the proposed legislation.

"This is not a law against violations of intellectual property, it is a law against civil rights," said Fernando Berlin, one of the promoters of RedSOStenible.net, consisting of bloggers, businessmen, and Internet user activist groups.

The Public Ministry also warned over the fact that the new draft allows CPI to ask ISPs for data that would help in identifying alleged copyright infringers that sometimes will not be limited to information on the owner of a web page, but other data as well that would need previous court authorisation.
Therefore, the Fiscal Council proposes a modification of the draft text so that judicial authorisation should not refer only to data that are protected by the secret of communications fundamental right but also for data covered by the right to privacy. "Anyway, what in no case can CPI claim and cannot be provided by ISPs are data regarding private communications that may affect the fundamental right of the communication secret that mandatorily require judicial authorisation" says the report.

On 16 February 2010, the Minister of Justice Francisco Caamaño defended the LES and the modification introducing a regulation that would be to the benefit of the right to freedom of expression and access to information and not so much to the benefit of intellectual property. He stated that the new law stipulated a judicial guarantee that would prevent an Administration institution from blocking access to a web page without court order.

In the meantime, the Spain EU presidency is pushing its Declaration of Granada for more IP enforcement actions. The present text suggests to the European Commission "to analyse the possibility to present a modified proposition of the Directive on the penal measures meant to guarantee the respect of the intellectual property rights, in order to complete EU legislative framework for the application of IPR" and invites "the member states and the Commission to act for the promotion of a high level of protection of the intellectual property in the bilateral and international agreements".

The Fiscal Council criticises the draft law allowing the Culture to close down web sites (only in Spanish, updated 16.02.2010)
http://www.elmundo.es/elmundo/2010/02/15/navegante/1266250340.html

Fiscal Council's Report - Draft project of the Sustainable Economy Law - Draft project of the organic law complementary to the Sustainable Economy Law (only in Spanish, 12.02.2010)
http://www.elmundo.es/documentos/2010/02/15/informe.pdf

The Spanish Presidency proposes more repression on the Internet in its Declaration of Granada (only in Spanish, 12.02.2010)
http://www.internautas.org/html/6016.html

The Minister of Justice defends the Sustainable Economy Law (only in Spanish, updated 16.02.2010)
http://www.abc.es/20100216/cultura-/ministro-justicia-defiende-economia-2010...

The Fiscal Council's non-binding report on Feb. 16 said the proposal
Spanish Societies Reject Concerns Over Anti-Piracy Law (17.02.2010)
http://www.billboard.biz/bbbiz/content_display/industry/e3i47f0e86cdb78f21b7...

PP says the Fiscal Council supports its thesis on the downloading and criticises that the Government "continues without doing its homework" (only in Spanish, 16.02.2010)
http://www.finanzas.com/noticias/formacion/2010-02-16/247579_dice-consejo-fi...

EDRi-gram: Spanish Government proposes new legislation against file-sharing (13.01.2010)
http://www.edri.org/edrigram/number8.1/spain-law-file-sharing

============================================================
6. EP: Draft reports on IPR enforcement published
============================================================

The European Parliament (EP) is working on a position with regard to the European Commission's Green Paper on enhancing the enforcement of intellectual property rights on the internal market.
Three EP committees are involved in this process: the Legal Affairs Committee (MEP Marielle Gallo, EPP, France) in charge of this report, "Opinions" provided by the Industry, Research and Energy Committee (MEP Paul Rübig, EPP, Austria) and the Internal Market and Consumer Protection Committee (MEP Zuzana Roithová, EPP, Czech Republic).

MEP Rübig's report calls for EU-wide licensing, interoperability and supports the "mere conduit" status of ISPs. However, he also calls for "effective" sanctions against copyright infringement.

MEP Roithová's report is quite balanced and avoids confusing copyright and piracy. It calls for transparency on ACTA and "calls for proportionate measures to be proposed for effectively and successfully combating the negative impact of infringement of intellectual property rights in the digital environment ("piracy") on the internal market and calls on the Observatory to analyse the impact of alternative systems of equitable compensation (for example, flat-rate licences)".

Unfortunately, MEP Gallo's report still confuses piracy and counterfeiting and paints a doom-laden picture of what piracy and counterfeiting mean for the EU ("threatens our economies and societies"). The report also demands reports on the implementation of existing IPR legislation, but notes already that it is inadequate. The draft document also calls for "cooperation" with and "warning messages" from ISPs.

The next steps planned for this IPR report are the discussion on amendments and the vote on 17 March 2010, with the final vote in the plenary estimated for April 2010.

EU Green Paper on enhancing the enforcement of intellectual property rights in the internal market (11.09.2009)
http://ec.europa.eu/internal_market/iprenforcement/docs/ip-09-1313/communica...

Draft Report on enhancing the enforcement of intellectual property rights in the internal market - MEP Marielle Gallo (15.02.2010)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-438.164+01+DOC+PDF+V0//EN&language=EN

Draft Opinion of the Committee on Industry, Research and Energy for the Committee on Legal Affairs on enforcement of intellectual property rights in the internal market - MEP Paul Rübig (29.01.2010)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-438.391+01+DOC+PDF+V0//EN&language=EN

Draft Opinion of the Committee on the Internal Market and Consumer Protection for the Committee on Legal Affairs on enhancing the enforcement of intellectual property rights in the internal market - MEP Zuzana Roithová (5.02.2010)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-438.494+01+DOC+PDF+V0//EN&language=EN

(contribution by Joe McNamee - EDRi)

============================================================
7. French Court says an IP address is not enough for a user's identification
============================================================

The Paris Appeal Court has recently ruled that an IP address does not allow the identification of an Internet user and therefore needs no prior authorization from CNIL (National Commission for Information Technologies and Civil Liberties) to be collected.

The decision comes to support the ruling of the Cassation Court of 13 January 2009 stating that the collection of an IP address by the collective society SACEM agents was not to be considered as automatic treatment of personal data, thus reversing a previous decision of the Rennes Appeal Court of May 2009 which had considered the IP address as nominal data for the collection of which the prior authorization of the CNIL was needed.

According to the French Data Protection Act, sworn agents may process data related to offences, convictions, and safety measures on behalf of rights holders of victims of copyright infringements in order to ensure the defense of these rights but such processing, automatic or not, has to be previously authorized by the CNIL.

However, the Court of Cassation considered that such a sworn agent does not need a prior CNIL authorization if he accesses manually a person's list of files uploaded onto a peer-to-peer network in violation of copyrights. In the court's opinion, the collection of an IP address in order to find the user's identity through his ISP does not constitute data processing.

While the Court of Cassation did not express a view as to whether an IP address qualifies as personal data, the Appeal Court considers that the IP address is the material evidence of the infringement and cannot be considered personal data because it does not identify the user.

The court also rejected the private copy exception by considering it "is not applicable to downloading, the purpose of using p2p software being exactly that of sharing and exchanging files between users (...)."

Justice: the IP address is not enough to identify a pirate (only in French, 18.02.2010)
http://www.numerama.com/magazine/15105-justice-l-adresse-ip-n-est-pas-suffis...

French Court of Cassation Rules on Data Protection and Online Copyright Infringement (11.02.2010)
http://www.huntonprivacyblog.com/2009/02/articles/french-court-of-cassation-...

============================================================
8. Chip and PIN system proven to be flawed
============================================================

According to research by a group of experts from the Computer Laboratory of Cambridge University, the Chip and PIN system is flawed, allowing criminals to use stolen credit and debit cards without knowing the correct PIN.
The thieves can easily create a device to intercept and modify communications between a card and a point-of-sale terminal, making the terminal believe the PIN was correctly verified when in fact any PIN could be entered and the transaction would be accepted.

"The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say 'Verified by PIN'," said Professor Ross Anderson, one of the researchers.

The attacks can be successful for cards used online (a merchant POS contacting the bank) and offline, for any amount of money, and for bank schemes based on EMV (Europay, MasterCard, Visa). They would not work at ATMs or with cards that have already been cancelled by the bank.

The research conclusion is that the attacks are possible due to "a lack of authentication on the PIN verification response, coupled with an ambiguity in the encoding of the result of cardholder verification as included in the TVR (Terminal Verification Results)".

The main problem is that banks refuse to refund victims of this type of attack because they state that a card cannot be used without the correct PIN which, as the paper shows, is not true.

"This is not just a failure of bank technology. It's a failure of bank regulation. The ombudsman supported the banks and the regulators have refused to do anything. They were just too eager to believe the banks," stated Anderson.
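
The mismatch described above, as an added toy model that is not code from the researchers or from EDRi: the terminal and the card each hold their own view of cardholder verification, and an issuer that looks only at the failure flags cannot tell them apart. The field names, the HMAC layout, the demo key and the issuer cross-check are assumptions of this model, not EMV message formats.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Toy model only: names and MAC layout are assumptions, not EMV formats.
CARD_KEY = b"constructed-demo-key"  # constructed key shared by card and issuer


def card_mac(amount_cents, nonce, tvr_failures, card_pin_checked):
    """MAC over the data the card vouches for in this model."""
    msg = "|".join([str(amount_cents), nonce,
                    ",".join(sorted(tvr_failures)),
                    str(card_pin_checked)]).encode()
    return hmac.new(CARD_KEY, msg, hashlib.sha256).hexdigest()


class Card:
    def __init__(self, pin):
        self._pin = pin
        self.pin_checked = False  # the card's own view of cardholder verification

    def verify_pin(self, pin):
        # The reply is a bare status with no MAC: nothing binds it to this card.
        self.pin_checked = (pin == self._pin)
        return "ok" if self.pin_checked else "fail"

    def cryptogram(self, amount_cents, nonce, tvr_failures):
        mac = card_mac(amount_cents, nonce, tvr_failures, self.pin_checked)
        return self.pin_checked, mac


@dataclass(frozen=True)
class AuthRequest:
    amount_cents: int
    nonce: str
    tvr_failures: frozenset  # failure flags only, as set by the terminal
    terminal_cvm: str        # terminal's belief: "pin" or "failed"
    card_pin_checked: bool   # card's belief, covered by the MAC
    mac: str


def direct_link(card, pin):
    """The terminal's PIN check reaches the card itself."""
    return card.verify_pin(pin)


def tampered_link(card, pin):
    """Model of the flaw: a status reaches the terminal although the card never
    saw a PIN, so the card carries on as in a signature transaction."""
    return "ok"


def terminal_transaction(card, link, amount_cents, pin_entered, nonce):
    status = link(card, pin_entered)
    if status == "ok":
        tvr, cvm = frozenset(), "pin"
    else:
        tvr, cvm = frozenset({"cardholder_verification_failed"}), "failed"
    pin_checked, mac = card.cryptogram(amount_cents, nonce, tvr)
    return AuthRequest(amount_cents, nonce, tvr, cvm, pin_checked, mac)


def mac_valid(req):
    expected = card_mac(req.amount_cents, req.nonce, req.tvr_failures,
                        req.card_pin_checked)
    return hmac.compare_digest(expected, req.mac)


def issuer_tvr_only(req):
    """Approve when the MAC verifies and the failure flags are empty.
    'PIN verified' and 'PIN never checked by the card' look identical here."""
    return mac_valid(req) and not req.tvr_failures


def issuer_cross_check(req):
    """Also require the terminal's claimed method to match the card's record."""
    if not issuer_tvr_only(req):
        return False, "mac or tvr failure"
    if req.terminal_cvm == "pin" and not req.card_pin_checked:
        return False, "terminal reports PIN, card did not verify a PIN"
    return True, "consistent"


def demo():
    # Constructed transactions: same card PIN, three different situations.
    honest = terminal_transaction(Card("4821"), direct_link, 2500, "4821", "n-1")
    tampered = terminal_transaction(Card("4821"), tampered_link, 2500, "0000", "n-2")
    wrong = terminal_transaction(Card("4821"), direct_link, 2500, "0000", "n-3")
    return {name: (issuer_tvr_only(req), issuer_cross_check(req))
            for name, req in [("honest", honest), ("tampered", tampered),
                              ("wrong_pin", wrong)]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the model, the tampered transaction carries a valid MAC and an empty failure set, so only the comparison of the two parties' views separates it from the honest one.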

Chip and PIN is broken (11.02.2010)
http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

Chip and PIN is Broken (draft for the 2010 IEEE Symposium on Security and Privacy)
http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken....

Cambridge researchers show that the Chip and PIN system is vulnerable to fraud (11.02.2010)
http://www.cl.cam.ac.uk/research/security/banking/nopin/press-release.html

Chip and pin card readers fundamentally flawed (11.02.2010)
http://www.telegraph.co.uk/science/science-news/7215920/Chip-and-pin-card-re...

Chip and PIN is broken, say researchers (11.02.2010)
http://news.zdnet.co.uk/security/0,1000000189,40022674,00.htm

============================================================
9. New Google's service raises privacy concerns
============================================================

The new networking service launched by Google, called Google Buzz, has met criticism and confusion from its users, who complained that a list of people they frequently email or chat with has appeared on their profile.

The problem occurred due to the default options when creating one's profile, which automatically post the respective list from Gmail and Google chat. In order to avoid posting the respective list on the profile, the user has to use the opt-out variant or edit the list himself.

"Google attempted to jump start Buzz with lists drawn from its successful Gmail and Gchat services. While this may help Buzz grow and save users the time to type in all their contacts, it also has an inherent danger of inadvertent disclosure of private information," commented EFF lawyer Kurt Opsahl.

Google chief executive Eric Schmidt reacted to the users' criticism by stating that the issue had been caused by confusion and miscommunication. "I would say that we did not understand how to communicate Google Buzz and its privacy.
There was a lot of confusion when it came out on Tuesday, and people thought that somehow we were publishing their email addresses and private information, which was not true (...) I think it was our fault that we did not communicate that fact very well, but the important thing is that no really bad stuff happens in the sense that nobody's personal information was disclosed."

This statement is contradicted not only by users but even by Buzz product manager Todd Jackson, who told the BBC on 16 February that the company was "very, very sorry" and that users were "rightfully upset".

Schmidt admitted however that the company made some changes in order to cope with the situation. "Since Tuesday we have made a series of changes to the product which make some very fundamental changes in the way that you initially experience it, in particular instead of automatically following everybody it now gives you a list of who you want to follow and it makes it incredibly explicit that it has not been giving them information without you giving it to them."

Protect Your Privacy on Google Buzz (12.02.2010)
http://www.eff.org/deeplinks/2010/02/protect-your-privacy-google-buzz

What's the Buzz about? Studying user reactions (12.02.2010)
http://www.lightbluetouchpaper.org/2010/02/12/whats-the-buzz-about-studying-...

Google boss says 'nobody was harmed' by Buzz debacle (17.02.2010)
http://www.guardian.co.uk/technology/2010/feb/17/google-buzz-schmidt

============================================================
10. Romania: Moral damages for publishing personal data online
============================================================

A Romanian local court has decided to award 10 000 Euro as moral damages to a private person, after his full details were published on the website of the City Hall, including his HIV-related problems.
In June 2008, Bucharest District 1 City Hall published on its website some decisions of the Local Council on the beneficiaries of free public transport by subway for persons with severe handicap. The decisions were published together with the annexes, which contain all the personal data of the persons concerned (name and surname, address, ID card number, Unique Personal Code Number and a description of their disability).

The citizen who was on that list and initiated the action claimed moral damages, considering that the data should not have been made public, but just sent to the subway administration. He also claimed that he and his parents had suffered moral prejudice after this event through the deterioration of his relations with friends and neighbours. He was in fact forced to move from that location because of the disclosure.

The City Hall argued that they did not intend to discriminate against anyone and that the publication of the Annexes was "a technical mistake".

The Bucharest District 1 Local Court considered that the conditions required by the Romanian law on tort had been met, and that the City Hall had breached the complainant's right to privacy as expressed in Article 8 of the European Convention of Human Rights, law 677/2001 (the Romanian transposition of the data protection directive) and other specific legislation in the medical field that obliges public servants to maintain confidentiality regarding patients who are HIV positive or have AIDS. The Court therefore awarded damages of 10 000 Euro to the complainant.

The court's decision was appealed by the City Hall to the Bucharest Tribunal, which rejected the appeal in February 2010. Thus, the initial decision of the Bucharest District 1 Local Court remains definitive and applicable.
It is probably the first publicly known case in Romania in which a person has received moral damages from a national court on grounds of a privacy breach, following a series of cases at the European Court of Human Rights where Romania was condemned for breaching Article 8. The court's decision is also surprising with regard to the amount awarded, as Romanian courts are generally very reluctant to award any moral damages.

Romania: record damages for publishing personal data on a website - contains also the full court decision (only in Romanian, 18.02.2010)
http://legi-internet.ro/blogs/index.php/2010/02/18/daune-publicare-date-pers...

ECHR case: Rotaru vs. Romania (4.05.2000)
http://www.echr.coe.int/Eng/press/2000/May/Rotaru.eng.htm

============================================================
11. Germany DPAs to discuss the EU-US Safe Harbour Agreement
============================================================

The German data protection authorities want to hold a meeting on the EU-US data protection Safe Harbour agreement and to agree on a resolution on this matter.

Heise reports that some of the German Länder Data Protection Authorities (DPAs) that will meet in Düsseldorf in April are unhappy about the practical application of the Safe Harbour agreement, especially since a large number of servers of companies such as Google and Facebook, holding EU citizens' personal data, are located there.

The concern of the German DPAs is motivated by a report published by Galexia, a US consulting company, which found that more than 200 companies claimed to have joined the Safe Harbour Agreement without having done so. It also showed that only about 350 companies complied with the minimal requirements and that, by December 2008, in 10 years of application of the agreement, there had been only one court case for not fulfilling the requirements, without any sanctions for the infringing company.
The first case in which a US company was charged by the US Federal Trade Commission with falsely claiming compliance with the Safe Harbour Privacy Principles took place only in 2009. The charged company - the Californian Internet retailer Balls of Kryptonite - had led consumers to believe it was located in the UK and had falsely claimed that it had self-certified its compliance with the Safe Harbour.

Safe Harbor Agreements: wild card for American privacy infringers? (only in German, 17.02.2010)
http://www.heise.de/newsticker/meldung/Safe-Harbor-Abkommen-Freibrief-fuer-a...

The US Safe Harbor - Fact or Fiction? (12.2008)
http://www.galexia.com/public/research/articles/research_articles-pa08.html

US Prosecution for false web claim of Safe Harbor status (11.09.2009)
http://www.galexia.com/public/research/articles/research_articles-byte08.htm...

Court Halts U.S. Internet Seller Deceptively Posing as U.K. Home Electronics Site (8.06.2009)
http://www.ftc.gov/opa/2009/08/bestpriced.shtm

============================================================
12. ENDitorial: Richard Stallman on "Copyright versus Public" in Berne
============================================================

On 11 February 2010 the auditorium at the University of Berne was packed for a talk by Richard Stallman on copyright issues. Stallman is better known as the founder of the GNU free software system which, together with the operating system kernel named Linux, is very popular as GNU/Linux. His talk was to be on software patents, but then he decided that when in Berne, he wanted to protest against aspects of the Berne Convention, which constitutes the primary instrument of international law with regard to copyright. So, he adjusted the topic of his talk accordingly.

Stallman explained how copyright had been introduced as a way of protecting investments in printing.
He described this as a win-win situation originally, as consumers didn't lose anything by not being allowed to reproduce paper books, but gained something, as without the printing industry there wouldn't be any cheap books at all. However, modern digital methods have changed this, as the reproduction costs of digital files are very low, whether for one or for many copies.

Like the music and video industries, the book industry would like to maximize its economic power by controlling its customers with DRM, digital restrictions management. In extreme cases, the license to read a digital book might even be only temporary. Stallman described the worst practices, from video-content-scrambling, the Sony rootkit, music on defective non-standard CDs, the "Amazon Swindle", right up to Apple's "iBad", all designed to move control from the customer to the seller. He went on to refute the industry's claims of protecting the authors and artists, explaining that the existing system is in fact very unfair to everyone except a small number of best-sellers and stars.

Stallman also criticised the role of governments which serve not public but rather industrial interests, e.g. by continuously lengthening the terms of copyright and criminalising people even for private copying. In effect, the content industry is stealing works which legitimately belong to the public after an initial period. The main problem is the length of this period extending long after the death of the authors or artists.

Stallman proposed that the duration of copyright should be about ten years from the date of publication, and that the copyright law should distinguish three categories of creative works, as follows: "Functional works", which have a practical use for getting a job done, such as computer software, must be free in the sense of users having the freedom to modify the work and redistribute it in an original or modified form. Then, there are essays of opinion and scientific papers.
For these, noncommercial sharing must be allowed. Finally, there are works of art and entertainment. According to Stallman, with regard to this latter category, there are legitimate arguments on both sides with regard to whether non-commercial sharing should be allowed while they're in copyright. He insists that in any case, making a "remix" must be legal. Borderline cases should fall into the category which allows the public more freedom; this rule would be necessary to prevent abuse by intentional creation of borderline cases.

After the talk, Stallman auctioned a stuffed toy GNU with proceeds going to the Free Software Foundation, of which he is president. Bidding was brisk and went up to 500 CHF. Then it was question time, but most of the questioners didn't get the answers they wanted or were expecting!

After a brief lunch break, it was time for the demonstration with three demands:
- Copyright lasts far too long;
- Works should only be covered by copyright if published with copyright notices;
- The "three step test" for exceptions to copyright places the copyright holders above the public, and interferes with liberties that the Internet-using public must have.

There were far fewer people at the demonstration, in fact only a couple of dozen, making it one of Berne's smallest. Although members of most political parties were present, it was visually completely taken over by the Pirate Party waving large orange flags. (Demands for freedoms in the context of the digital revolution belong to the party's main agenda.)

Led by Richard Stallman, the demonstrators marched from the University to the Waisenhausplatz, handing out leaflets and chanting "Sharing is good!" Here the demo officially ended under the watchful eye of the police, but reassembled briefly in front of the Federal House of Parliament for a couple of photos. In spite of the many cameras, none of the pictures, nor any mention of the event made it into the mainstream media.
It was a strange feeling to have a VIP like Stallman attract so many with words and so few with action, and then be so totally ignored by the mainstream media. It appears that while western democracies guarantee freedom of speech, the hurdle for getting the public's attention for ideas which are not yet in the mainstream is unreasonably high.

Free Software Foundation
http://www.fsf.org

Audio recording of Richard Stallman's talk (11.02.2010)
http://www.digitale-nachhaltigkeit.ch/wp-content/uploads/2010/02/RichardStal...

Online reactions and pictures from the event (12.02.2010)
http://www.digitale-nachhaltigkeit.ch/2010/02/richard-stallman/

(Contribution by Theo Schmidt and Norbert Bollow - Switzerland)

============================================================
13. Recommended Action
============================================================

Fundamental Rights Agency (FRA) International Video Competition
Topic: EU fundamental rights
Deadline for submission: 2.04.2010
Participants: EU citizens 18-30 years old
http://fra.europa.eu/fraWebsite/attachments/Flyer-video-comp.pdf

============================================================
14. Recommended Reading
============================================================

Measuring the Perpetrators and Funders of Typosquatting
At least 938,000 typosquatting domains target the top 3,264 .com sites.
http://www.benedelman.org/typosquatting/typosquatting.pdf
http://www.lightbluetouchpaper.org/2010/02/17/measuring-typosquattings-perpe...

European Parliament - Culture Committee - Draft Report on "Europeana - next steps"
http://www.europarl.europa.eu/meetdocs/2009_2014/documents/cult/pr/793/79366...

Amendments to the draft report
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-430.897+02+DOC+PDF+V0//EN&language=EN

EU online library needs 'more and better' content (23.02.2010)
http://www.euractiv.com/en/culture/eu-online-library-needs-more-and-better-c...
============================================================
15. Agenda
============================================================

5 March 2010, Brussels, Belgium
Colloquium 2010: What's left of your privacy in 2010. Protecting privacy against government and employer
http://www.progresslaw.net/index.php?&lns=2

12-13 April 2010, Oxford, UK
4th PrivacyOS Conference
https://www.privacyos.eu/archives/98-Invitation-4th-PrivacyOS-Conference-Oxf...

14-16 April 2010, Berlin, Germany
re:publica'10 - Conference about blogs, social media and the digital society
http://www.re-publica.de/10

24 April 2010, London, United Kingdom
Open Knowledge Conference (OKCon) 2010
http://www.okfn.org/okcon/

29-30 April 2010, Madrid, Spain
EuroDIG 2010
http://www.eurodig.org/

6-7 May 2010, Krems, Austria
4th International Conference on eDemocracy 2010
Submission of papers: 1 March 2010
http://www.donau-uni.ac.at/en/department/gpa/telematik/veranstaltungen/id/13...

26-28 May 2010, Amsterdam, Netherlands
World Congress on Information Technology
http://www.wcit2010.com/

30-31 May 2010, Montreal, Canada
Third International Workshop on Global Internet Governance: An Interdisciplinary Research Field in Construction
Submissions for thematic presentations: 20 March 2010
http://giga-net.org/page/2010-international-workshop

8-9 June 2010, Funchal, Portugal
4th International Workshop on RFID Technology - Concepts, Applications, Challenges - IWRT 2010
Paper Submission: 8 March 2010
http://www.iceis.org/Workshops/iwrt/iwrt2010-cfp.htm

25-27 June 2010, Cluj, Romania
Networking Democracy?
New Media Innovations in Participatory Politics
http://www.brisc.info/NetDem/

9-11 July 2010, Gdansk, Poland
Wikimania 2010 - the 6th annual Wikimedia Conference
http://wikimania2010.wikimedia.org/wiki/Main_Page

29-31 July 2010, Freiburg, Germany
IADIS - International Conference ICT, Society and Human Beings 2010
Paper submissions: 15 March 2010
http://www.ict-conf.org/

13-17 September 2010, Crete, Greece
Privacy and Security in the Future Internet
3rd Network and Information Security (NIS'10) Summer School
http://www.nis-summer-school.eu

============================================================
16. About
============================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 27 members based or with offices in 17 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams.

All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website.

Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram@edri.org>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request@edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

unsubscribe by e-mail
To: edri-news-request@edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay.
Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help

Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing.

----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE