============================================================ EDRi-gram biweekly newsletter about digital civil rights in Europe Number 7.23, 2 December 2009 ============================================================ Contents ============================================================ 1. Civil liberties groups ask EU to repeal data retention directive 2. Romanian Constitutional Court decision against data retention 3. Spain warned by Commissioner Reding for cutting off Internet access 4. Austria: BIM delivers draft act on implementing Data Retention Directive 5. Stockholm programme adopted by the European Parliament 6. Legal Complaints and Petition Against Second French "Horror Database" 7. Czech Big Brother Awards 2009 8. EC changes the openess concept in the draft eGov EIF 9. Spanish court revokes its decision to shut down P2P-related sites 10. ENDitorial: IGF 2009: the Forum is the Message (and the Massage as well) 11. ENDitorial: Keeping the "self" in self-regulation 12. Recommended Reading 13. Agenda 14. About ============================================================ 1. Civil liberties groups ask EU to repeal data retention directive ============================================================ Civil liberties groups European Digital Rights (EDRi) and the German Working Group on Data Retention (AK Vorrat) are calling on the European Union to repeal the 2006 directive on the data retention of electronic communications. In the event that the directive is not repealed, they demand that it is amended to introduce an opt-out right allowing Member States to decide whether or not to require the retention of communications data. In a statement to the European Commission published today, AK Vorrat points out that the directive has resulted in less liberty for citizens, in a constant threat that information on personal contacts, mobile phone movements and Internet use may be sold, lost or otherwise cause harm, as well as in higher prices for telecommunications services and in less competition. In a legal complaint regarding the directive filed with the European Court of Justice in 2006 and disclosed today on the Internet, Ireland pointed out that initially, many countries had not imposed any data retention requirements and that "no issue relating to the internal market could justify the imposition upon a Member State of an obligation to require telecommunications operators to retain data (...) where no such obligations previously existed under the law of that State". In several Member States, courts examined and are examining complaints filed by citizens and telecommunications operators, alleging that the indiscriminate collection of communications data violates the human right to privacy. Constitutional Courts in Romania and Bulgaria have already ruled data retention legislation unconstitutional. The German Federal Constitutional Court will hear complaints filed by over 34 000 citizens in December. Another action is pending in Ireland, while an application to the Constitutional Court of the Czech Republic is currently being prepared. "In a landmark decision taken last year, the European Court of Human Rights declared illegal a British DNA and fingerprints database, stating that 'the blanket and indiscriminate nature of the powers of retention (...) constitutes a disproportionate interference' with privacy and 'cannot be regarded as necessary in a democratic society.' The same is the case with the blanket and indiscriminate collection of information on personal contacts, mobile phone movements and Internet use", comments legal expert Patrick Breyer (AK Vorrat). "Anonymity is indispensable for a multitude of activities in a democratic state. Subjecting all citizens to a constant recording of whom they are in touch with is threatening to undermine or even destroy democracy while ostensibly defending it. The Commission must put an end to this Big Brother law now." "EDRi and its members have been campaigning against this directive for years, arguing that such data retention is necessarily a hazardously invasive act. Communication data is well beyond being simple logs of who we've called and when we called them. Traffic data are now used to create a map of human associations and more importantly, a map of human activity and intention," reminds Meryem Marzouki (EDRi). "With the growing use of massive national databases, and the current plans towards their interoperability at EU-level and full access for police purposes, the data retention directive paves the way to further extensions of purposes, where data once collected strictly for the requirements of a given service delivery become used for citizens surveillance and social control, when not for intelligence purposes. This is not acceptable in a democratic society, and should be ended now." This press release is supported by: - Dutch speaking League for Human Rights (Liga voor Mensenrechten) - Belgium - French speaking League for Human Rights (Ligue des droits de l'Homme) - Belgium - Flemish Bar Association (Orde van Vlaamse Balies) - Belgium - French and German speaking Bars of Belgium (Ordre des Barreaux Francophones et Germanophone) - Belgium - General Association of Professional Journalists in Belgium (AGJPB - Association generale des Journalistes Professionnels de Belgique - AVBB : Algemene Vereniging van Beroepsjournalisten in Belgie) - Belgium - Statewatch - UK - Werebuild.eu - Sweden This press release in French - EDRI et AK Vorrat demandent ` l'Union europienne d'abroger la directive "ritention de donnies" (1.12.2009) http://www.iris.sgdg.org/info-debat/comm-retention1209.html In German - B|rgerrechtsvereinigungen fordern EU zur Aufhebung der Richtlinie zur Vorratsdatenspeicherung auf (1.12.2009) http://www.vorratsdatenspeicherung.de/content/view/343/79/lang,de/ Statment from AK Vorrat on Data retention (only in German, 1.12.2009) http://www.vorratsdatenspeicherung.de/images/antworten_kommission_vds_2009-1... Summary of AK Vorrat Recommendations in English (1.12.2009) http://www.vorratsdatenspeicherung.de/images/reply_commission_data-retention... Irish Submission to the European Court of Justice (11.07.2006) http://www.vorratsdatenspeicherung.de/images/ireland_2006-07-11.pdf Romanian Constitutional Court decision against data retention (25.11.2009) http://www.legi-internet.ro/english/jurisprudenta-it-romania/decizii-it/roma... Bulgarian case against data retention (17.12.2008) http://www.edri.org/edri-gram/number6.24/bulgarian-administrative-case-data-... Germany: Class-action law suit against data retention http://www.vorratsdatenspeicherung.de/content/view/51/70/lang,en/ Action against data retention in Ireland (14.09.2006) http://www.digitalrights.ie/2006/09/14/dri-brings-legal-action-over-mass-sur... EDRi' campaign against the data retention http://www.edri.org/campaigns/dataretention ============================================================ 2. Romanian Constitutional Court decision against data retention ============================================================ The decision of the Romanian Constitutional Court (CCR) against the data retention law was finally published in the Official Monitor on 23 November 2009. The motivation of the court, which was made public only with a few days before its publication in the Official Monitor, shows an interesting argument from a Court with no prior jurisprudence in the field of privacy protection. Thus, the court not only criticizes several aspects of the text of the law, but declares the whole law as unconstitutional because it breaches the right to corespondence and to privacy. Even though only several articles were mentioned in the motion of unconstitutionality, the Court went further and examined art 20 of the law that could have been interpreted as an open door for the secret services to access the retain data under any circumstances and without a judicial approval, an issue that was raised by EDRi-member APTI starting with the public consultations in 2007. CCR notes that the principle of limited collection of personal data is emptied through this new regulation that obliges a continuos retention of traffic data for 6 month."The legal obligation that foresees the continuous retention of personal data transforms though the exception from the principle of effective protection of privacy right and freedom of expression, into an absolute rule. The right appears as being regulated in a negative manner, its positive role losing its prevailing character." CCR also makes a comparison with article 91^1 of the Penal Procedure Court (CPP) dealing with audio and video interceptions in crime cases, that was considered constitutional in an earlier ruling. The text of the CPP allows the video interception only in a specific case and person, only with judicial supervision, only for the future and for a period that may not exceed 120 days under any circumstances . The Court concludes that basically, this data retention law deletes the right to privacy in terms of electronic communications: "Therefore, the regulation of a positive obligation that foresees the continuous limitation of the privacy right and secrecy of correspondence makes the essence of the right disappear by removing the safeguards regarding its execution." The court is underlining the fact, already pointed out by European civil organizations even during the adoption of the data retention directive, that the law considers all citizens as potential criminals: "This (data retention) equally addresses all the law subjects, regardless of whether they have committed penal crimes or not or whether they are the subject of a penal investigation or not, which is likely to overturn the presumption of innocence and to transform a priori all users of electronic communication services or public communication networks into people susceptible of committing terrorism crimes or other serious crimes." Finally, the court quotes the ECHR case of Klass and others vs Germany (1978) considering that "taking surveillance measures without adequate and sufficient safeguards can lead to 'destroying democracy on the ground of defending it .'" According to art 147 of the Romanian Constitution, the legal provisions on data retention are now suspended. The Government and Parliament have 45 days to "fix" the unconstitutional provisions. But taking into consideration the CCR reasoning, there are little chances that any text that would ask for a six month blanket data retention would be considered as constitutional in Romania. Moreover, there is currently only an interim government and a new one is unlikely to appear in the next weeks (at least not until the second round of presidential election, which is scheduled for 6 December). Constitutional Court Decision no 1258 of 8 October 2009 (unofficial English translation, 23.11.2009) http://www.legi-internet.ro/english/jurisprudenta-it-romania/decizii-it/roma... Constitutional Court Decision no 1258 of 8 October 2009 (only in Romanian, 23.11.2009) http://www.ccr.ro/decisions/pdf/ro/2009/D1258_09.pdf APTI's comments on draft data retention law (only in Romanian, 9.05.2007) http://www.apti.ro/webfm_send/24 Romania: Data retention law declared unconstitutional (21.10.2009) http://www.edri.org/edrigram/number7.20/romania-data-retention-law-unconstit... Art 147 of the Romanian Constitution http://www.cdep.ro/pls/dic/site.page?den=act2_2&par1=5#t5c0s0a147 ============================================================ 3. Spain warned by Commissioner Reding for cutting off Internet access ============================================================ On 23 November 2009, at the Spanish Telecom Regulatory Authority (CMT) international meeting, Viviane Reding warned that the European Commission could take action against Spain if the government decided to cut the Internet access of file-sharers. "Repression alone will certainly not solve the problem of Internet piracy; it may in many ways even run counter to the rights and freedoms which are part of Europe's values since the French Revolution," said the Commissioner who reminded Spain that the new telecom package agreed upon in November by the European Parliament and the Council of Ministers included a provision considering as illegal the internet access cut-off without an official procedure. "The new internet freedom provision now provides that any measures taken regarding access to and use of services and applications must always respect the fundamental rights and freedoms of citizens," and "Effective and timely judicial review is as much guaranteed as a prior, fair and impartial procedure, the presumption of innocence and the right to privacy," said Reding. As she has said on several other occasions, the Commissioner believes that new business models and modern, efficient ways must be found to protect intellectual property and artistic creation. On this occasion, she also criticised France's Hadopi three strikes law, argued that the development of a single European market for online content was a better way to act against Internet piracy and regretted the fragmentation of copyright law across the EU. "The lifting of impediments to the cross-border online distribution of creative works will improve the supply of attractive and affordable services that are legal. In turn, this will reduce the temptation for consumers to indulge in the illicit consumption of copyright-protected material." Reinaldo Rodrmguez, the President of the CMT considers Reding's statements are based on a misunderstanding and is confident that there will be no conflicts between the Spanish legislation and that of the EU. The Spanish Minister of Culture Angeles Gonzalez-Sinde has several times expressed her position against the French model being in favour of prosecuting illegal downloading sites but not users. The Spanish association of operators REDTEL is also opposed to the disconnection of the allegedly illegal downloaders, believing that sectioning measures are only doomed to fail and that raising awareness would be a much more efficient solution. The operators believe that while the citizens ask cultural materials more and more on new channels, the culture industry refrains from directing its offer through the Internet, in a legal form and with attractive deals. On 10 December 2009, a proposition will be presented to the Government by the coalition of content creators. The proposition will be centered on blocking P2P websites downloading contents from the Internet and not on cutting access of users. Reding warns Spain against internet cut-off (24.11.2009) http://euobserver.com/19/29041 Commissioner warns Spain that cutting-off Internet enters into conflict with EU (only in Spanish, 23.11.2009) http://www.hoytecnologia.com/noticias/Comisaria-advierte-Espana-cortar/14189... The European Commissioner warns Spain over regulating P2P (only in Spanish, 23.11.2009) http://www.adslzone.net/article3469-la-comisaria-europea-advierte-a-espana-s... The Coallition will ask the Government for the blocking of P2P websites, but never for the disconnection (only in Spanish, 2.11.2009) http://www.adslzone.net/article3403-la-coalicion-pedira-al-gobierno-el-bloqu... Spanish activists issue manifesto on the rights of Internet users (2.12.2009) http://www.boingboing.net/2009/12/02/spanish-activists-is.html ============================================================ 4. Austria: BIM delivers draft act on implementing Data Retention Directive ============================================================ In April 2009 - after the EU Commission decided to bring an action against Austria because of non-transposition of the Data Retention Directive 2006/24/EC (DRD) - the Ludwig Boltzmann Institute of Human Rights (BIM) was assigned by the Austrian Federal Ministry for Transport, Innovation and Technology to elaborate a draft act on the amendment to the Telecommunications Act 2003, in order to find a way of transposition that interferes least with fundamental rights of users. Although Austria had supported the Directive in 2006, the newly elected government has delayed the transposition not least because of serious doubts about its conformity with Art. 8 European Convention on Human Rights (ECHR), which provides a right to respect for one's "private and family life, his home and his correspondence". After we had been invited by the Ministry to elaborate such a draft act, we thought very seriously for a while, if we should accept and what the consequences would be. In the past years the BIM had criticised the DRD fundamentally in public and we had published studies on the Directive in the light of the ECHR which brought the result, that Data Retention is incompatible with the Human Rights provisions. So the main problem was (and still is), if a Human Rights Institute of high reputation writes the draft for transposing the directive, the act likely will get the "fundamental rights proofed"- stamp, what would clearly undermine the criticism on the issue in public perception. On the other hand the Austrian Government left no doubt that it is going to transpose the Data Retention, in order to avoid a conviction through the European Court of Justice (ECJ) and the assignment could be the chance to find a version of transposition which provides as much safety elements as possible. But this would not have been enough to decide for this job. The aim was to show in a accompanying scientific analyse, that it is not possible to "repair" the DRD by creating safeguards and transposing just the minimum necessary under Community Law - which of course we did. Even so the Data Retention causes a violation of Art 8 and 10 ECHR, so the BIM recommends, that those parts of the draft act, which stipulate the retention of data, should never enter into force - otherwise their mere existence would violate Human Rights! The BIM organised continuous round table discussions with concerned service providers, non-profit organisations, employee and consumer representations, as well as representatives of concerned ministries and other public authorities. In addition, meetings in small technical groups were held in order to assure clarity of the norm and to take into consideration all technical possibilities, especially concerning data security matters. On 11 September 2009 - almost ironic - the Ludwig Boltzmann Institute of Human Rights delivered the draft act on the amendment to the Telecommunications Act 2003. Presently it is announced for an official public examination. This hopefully perpetuates a public discussion about the non existing necessity of this instrument. Ceterum censeo data-retentionem esse delendam! Draft Law on data retention suggested by the BIM (only in German) http://bim.lbg.ac.at/de/informationsgesellschaft/bimentwurf-zur-vorratsdaten... Data retention opponents making their move (only in German, 26.11.2009) http://futurezone.orf.at/stories/1632818/ AK Vorrat Austria http://www.akvorrat.at/ Resistance against Data Retention in Austria (only in German, 1.12.2009) http://futurezone.orf.at/stories/1633168/ (Contribution by Christof Tschohl - Legal Researcher at the BIM and the main author of the BIM-contribution to the Austrian DR draft law) ============================================================ 5. Stockholm programme adopted by the European Parliament ============================================================ After six months of preparation, the European Union has almost reached agreement (somewhat behind schedule) on its 5-year plan for policy in the area of "freedom, security and justice", better known as the "Stockholm Programme". Discussions on this proposal took place in parallel, with the European Parliament preparing its opinion on the dossier at the same time as Member States were working towards finalising the "real" text. While the European Parliament's views have had a limited direct impact on the Stockholm Programme itself, they will have an influence on the practical projects that are subsequently set up by this new plan. The text adopted by the Parliament, in great haste and some chaos, is a mix of some very positive statements and some less helpful ones. On the plus side, an attempt was made to reshape the post-9/11 "balance" metaphor with regard to freedoms and justice: "(...) the EU is rooted in the principle of freedom; points out that, in support of that freedom, security must be pursued in accordance with the rule of law and subject to fundamental rights obligations; states that the balance between security and freedom must be seen from this perspective". There is also a stress on reviewing the impact of measures adopted under the programme and improving the evaluation systems already in place. On the negative side, opportunities were missed with regard to minimum levels of diligence to be required of the European Commission with regard to the issues to be addressed in impact assessments and with regard to the dangers inherent in the use of databases, particularly when these are interlinked. The Council, meanwhile, hit some problems in last minute discussions on the Programme, although at the time of writing, these problems do not appear fatal for the initiative as a whole. Bearing in mind the wish of one Member State Minister expressed during the debate between ministers, that the Stockholm Programme will lead to the "eradication of terrorism" and the wish of another that the programme would deal effectively with petty crime, it appears that some Member States have somewhat unrealistic expectations of the initiative. On the plus side, the text deleted some of the more destructive and populist (blocking of websites) and downright dangerous ("revoking" of the IP addresses of foreign ISPs considered criminal by the police) measures in the European Commission's Communication of June of this year, which was meant to form the basis of the Programme. On the negative side, the Council appears to be slipping into the misconception that IT-based automated policing will somehow produce systems that will be both cheaper and more efficient while also not endangering citizens' rights. This trend is demonstrated by its proposal (albeit neatly framed with words about protection of personal data) on "interoperability of IT systems ensuring full conformity with data protection and data security principles when developing such systems." Within the context, and keeping to this worrying theme, Swedish Minister Beatrice Ask (at the beginning of discussions in the Council) expressed her hope for the creation of "more cost-effective data exchange". As mentioned above, disagreements and delays have significantly slowed the final adoption of the text. While Ministers all agreed that citizens should be happy to trust any government (including foreign governments, following the SWIFT agreement on exchange of banking data) with their personal data, they did not trust each other to be responsible for mutually recognised asylum procedures. As a result, this aspect of the Programme has delayed its adoption. The next stage in this process will be the preparation of concrete projects to be proposed within the context of the adopted text. This will be done by the European Commission, ostensibly with the support of the Spanish Presidency of the Council. Commission Communication (10.06.2009) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0262:FIN:EN:P... Last available consolidated text: http://register.consilium.europa.eu/pdf/en/09/st16/st16484-re01.en09.pdf Second-last set of amendments to the Programme (27.11.2009) http://register.consilium.europa.eu/pdf/en/09/st16/st16484-re01ad01.en09.pdf EDRi-gram: Stockholm Programme moves quickly towards adoption (9.09.2009) http://www.edri.org/edri-gram/number7.17/stockholm-programme-european-parlia... ============================================================ 6. Legal Complaints and Petition Against Second French "Horror Database" ============================================================ The French coalition of groups, associations, trade unions and political parties from the opposition is making it clear after its first successful 'No to EDVIGE' in 2008 led to the withdrawal of the EDVIGE intelligence database by the French government, after a massive citizen mobilization (more than 220.000 signatures of a first petition, including almost 1200 signatures from organizations, legal complaints, demonstrations, and all possible democratic forms of protest). It now says 'Hell no!' to EDVIGE, after the same government reintroduced almost the same database with two new decrees published on 18 October 2009. The coalition has launched a new petition on 30 November 2009, calling on citizens to sign again against the new surveillance database. As things have developed so far, the French civil society firmness against EDVIGE remains intact: over only less than 3 days, more than 6100 individuals and 80 organizations have already signed, including main national associations, trade unions, and political parties from the opposition. Main members of the coalition, including French EDRI member IRIS, have filed legal complaints on the same day against the French government, asking the highest administrative Court (Conseil d'Etat) to annul the two new decrees. Other coalition members are preparing to join this legal action. The French anger is first due to the government contempt of the democratic process: for the second time, Sarkozy's government by-passed the Parliament to introduce a surveillance database, despite its own commitment in 2008 to have the creation of any new police file decided by the Parliament. Even worse, Members of Parliaments belonging to the President's majority voted on 24 November 2009 amendments to a draft law on 'the simplification of the legislation', explicitly allowing such a creation by simple regulation. Regarding the provisions of the decrees, the petition acknowledges the fact that the previous mobilization has allowed to avoid in the new EDVIGE database the collection of sensitive data related to sexual life and health. This doesn't prevent, however, the LGBT movement and organizations fighting AIDS to take again part in the mobilization against all other EDVIGE features remaining in the new database: it is an intelligence file, and no infraction needs to be committed before being filed to 'prevent violations of public security'; children start being filed at 13; On top of the many and, for some of them, sensitive data as defined by the French data protection Act in accordance with the 1995 directive, that are collected (identity, political, religious, philosophical activities as well as activities related to trade-unions; public activities, behaviours and movements; phone numbers and email addresses, vehicle registration, capital assets, and others that were already in EDVIGE N01), a mysterious 'geographical origin' has been added to the categories of collected data. This latter category, which doesn't correspond to any legal definition, has been qualified as a masked way of gathering information related to the ethnic origin, and anti-racist organizations have soon joined the second 'No to EDVIGE' campaign. EDRI previously reported that, during the Madrid Civil Society Conference on Global privacy Standards held last November, Peter Schaar, the German Federal Data Protection Commissioner, rightly underlined that "EDVIGE is a horror database for us, because it includes many persons that did not breach any laws - they are just 'risky persons'". It is very unfortunate that his French counterpart, Alex T|rk, does not share this point of view. In a communiqui published on 22 October 2009, the CNIL has found that "the new decrees will allow relevant police services to use (the created databases) under conditions guaranteeing citizens rights and freedoms thanks to the CNIL control powers". One might wonder how and against which evidence the CNIL would be able to control the 'risk assessment' having led to file one person in the EDVIGE database, given the fact that no single infraction needs to be committed first. "No to EDVIGE" coalition website (including petition with automatic update of signatures) http://nonaedvige.sgdg.org EDRi-gram: French Edvige Decree Withdrawn (3.12.2008) http://www.edri.org/edri-gram/number6.23/edvige-retired EDRi-gram: France Pushes The Introduction Of Edvige Project Through The Back Door (21.10.2009) http://www.edri.org/edrigram/number7.20/new-two-edvige-files "No to EDVIGE" against police file creation by simple regulation (in French only, 26.11.2009) http://nonaedvige.sgdg.org/spip.php?article1115 EDRi-gram: Declaration On Global Privacy Standards (5.11.2009) http://www.edri.org/edrigram/number7.21/privacy-standards-global CNIL: From "Edvige I' to 'Edvige III": intelligence databases from now on better supervised and better controlled (only in French, 22.10.2009) http://www.cnil.fr/la-cnil/actu-cnil/article/article//de-edvige-i-a-edvige-i... (Contribution by Meryem Marzouki, EDRI-member IRIS - France) ============================================================ 7. Czech Big Brother Awards 2009 ============================================================ The results of the fifth annual Big Brother Awards were announced at a festive evening in Prague's Theatre Na Pradle on 12 November 2009. A jury of experts chose from almost 80 nominations entered by the public. Among those awarded are the Czech Ministry of Schools, Youth and Sports for gathering information about pupils and students, Nokia company for its efforts to legalize snooping in its employees' email communication, the social networking site Facebook for its inconsistent approach to user privacy protection, the Czech Ministry of Health, the State Institute for Drug Control and National Health Registries, or the French "HADOPI law", nicknamed the "electronic guillotine". The "Statement of the year" went to the General Manager of the state-owned lottery operator Sazka, for demanding that slot-machines be equipped with ID scanners. He thinks this would prevent people who receive social benefits from gambling. "It is a question of a greater control or an increase in gambling," says Mr. Ales Husak. The positive prize was awarded to the citizens of Iran for boycotting telephones manufactured by Nokia Siemens, because a telecommunication surveillance system was sold by this company to the Government of Iran. The first ceremony in the Czech Republic took place in 2005. Similarly to previous years there are eight categories - Longterm Violation of Human Privacy (for companies and public organizations), Biggest Corporate Snoop (for companies), Biggest Government Agency Snoop (for government organizations), Dangerous New Technology, Big Brother Law, Snoop Among Nations, Statement of a Big Brother and finally the positive award for Achievements in Protecting Privacy. The Czech Awards are held by the EDRi-member Iuridicum Remedium. Big Brother Awards 2009 (only in Czech) http://www.bigbrotherawards.cz/ Czech Big Brother awards press release in English (12.11.2009) http://www.edri.org/files/Czech_BBA09_EN.pdf (Contribution by Katerina Hlatka - EDRi-member IURE) ============================================================ 8. EC changes the openess concept in the draft eGov EIF ============================================================ A second draft of the European Interoperability Framework (EIF) was recently leaked to the press showing that the European Commission (EC) has decided to take the side of Business Software Alliance (BSA), a lobby group for proprietary software vendors. The first draft of EIF is a document produced in 2004 by the "Interoperable delivery of pan-European eGovernment services to public administrations, businesses and citizens" (IDABC) for the European Union. According to EIF I, open standards are the key in obtaining interoperability in pan-European eGovernment services. The document defines the open standard as being a standard that is adopted and maintained by a non-profit organization the development of which "occurs on the basis of an open decision-making procedure available to all interested parties (consensus or majority decision etc.)." An open standard needs also to be published with a standard specification document that "is available either freely or at a nominal charge. It must be permissible to all to copy, distribute and use it for no fee or at a nominal fee." The intellectual property of an open standard (or part of it) "is made irrevocably available on a royalty-free basis" and "there are no constraints on the re-use of the standard." The EC produced a consultation document and launched a public consultation between June and September 2008 for a second version of the EIF. The consultation received 53 comments. The Free Software Foundation Europe (FSFE) has analysed the new version of the text, showing that the Commission has based its result practicaly only on the input of BSA ignoring other opinions from companies, groups and individuals in favour of Open Standards and Free Software. "The European Commission must not make itself the tool of particular interests. The current draft is unacceptable, and so is the total lack of transparency in the process that has led to this text," says Karsten Gerloff, FSFE's President. While the first version of EIF considers open standards as key tools for interoperability, thus strongly supporting Free Software and Open Standards in the public sector, EIF2 contains only a description of a so called "openness continuum", which also includes proprietary specifications. The new text no longer considers that openness is a key factor for interoperability in eGoverment services. "While there is a correlation between openness and interoperability, it is true that interoperability can be obtained without openness, for example via homogeneity of the ICT systems, which implies that all partners use, or agree to use, the same solution to implement a European Public Service" says the new draft. FSFE has sent a letter to the people in charge of eGovernment in EU member states that says: "The current text is not a viable successor to version 1 of the EIF. Instead of leading Europe forward into an interoperable future, it will promote vendor lock-in, block interoperability of eGovernment services, and damage the European software economy. If adopted, it will be a testament to the power which is exerted outside democratic and transparent processes, and will give rise to Euro-scepticism." The letter includes a set of 10 recommendations for the improvement of the draft. A press officer with the Delegation to the European Commission in Washington stated on 6 November that the document being circulated as "EIF 2.0" could not be attributed as an official European Commission document." It seems the EC indicated that the text was a document only intended to test public opinion. However, the second draft of the EIF document was discussed in a meeting between the EC and representatives of the EU Member States on 12 November in Brussels. According to the German Ministry of the Interior, most member states at the meeting considered the document a good starting point, "but there are some points that have to be discussed again, including the definition of interoperability and open source." A spokesman from the Dutch Ministry of Economic Affairs stated the revision was a major step back from the first version. "We informally said we were unhappy with it. The government will respond officially once the document is ready." FSFE: EC caves in to proprietary lobbyists on interoperability (27.11.2009) http://www.fsfe.org/news/2009/news-20091127-01.en.html European Interoperability Framework for European Public Services (EIF) - Version 2.0 - (work document in progress) (11.2009) http://www.bigwobber.nl/wp-content/uploads/2009/11/European-Interoperability... U Wants to Re-define "Closed" as "Nearly Open" (2.11.2009) http://www.computerworlduk.com/community/blogs/index.cfm?entryid=2620&blogid=14 If Not EIF 2.0, Then What? (6.11.2009) http://www.computerworlduk.com/community/blogs/index.cfm?entryid=2629&blogid=14 ============================================================ 9. Spanish court revokes its decision to shut down P2P-related sites ============================================================ A preliminary shut down decision against two P2P file-sharing link sites has been recently overturned by a Spanish court which also fined the anti-piracy group involved in the case. Two eD2K file-sharing link sites known as Elitelmula and Etmusica were shut down by court order in April 2009 on the basis of an action of by anti-piracy group SGAE. Shortly after, Juan Jose Carrasco Colonel, who ran the two sites, received a visit from a lawyer and a computer expert of SGAE who, under false pretences of coming from the court with a warrant, entered his home and inspected his computers and hard drives to find proofs of music downloads through the two sites between September and December 2007. The two lawyers of the sites succeeded in convincing the court that the hard drive evidence collected during the controversial raid was worthless and therefore the evidence was dismissed and both sites can now be reopened. "The reason for reopening the websites is that a hyperlink, per se, does not violate intellectual property law," said Javier de la Cueva, one of the lawyers, who explained that the dismissal of the hard drive evidence was due to having proved that it was impossible for the site's users' sharing statistics to be stored in it. He also pointed out that SGAE requested injunctions against Etmusic and Elitemula without summoning their client. "When this happens and injunctions are adopted, the defendant should have the opportunity of opposition, and this is what we have won," he said. Furthermore, the court fined SGEA with 500 euros for bad faith ("mala fides") concluding the group had acted on the intention to avoid the right to a defence of the defendants and for having failed to tell the court that earlier criminal proceedings brought by Promusicae to achieve preliminary injunctions against both sites, had already been dismissed. P2P Sites' Injunctions Overturned, Anti-Piracy Group Fined (24.11.2009) http://torrentfreak.com/p2p-sites-injunctions-overturned-anti-piracy-group-f... Spain: the judges fining an anti-piracy group guided by SGAE. (only in Spanish, 25.11.2009) http://www.onep2p.it/tag/juan-jose-carrasco-colonel/ The Judge orders the reopening of the two p2p sites and fines SGAE for mala fides in its request for closing down (only in Spanish, 22.11.2009) http://derecho-internet.org/node/497 ============================================================ 10. ENDitorial: IGF 2009: the Forum is the Message (and the Massage as well) ============================================================ Internet Governance Forum or Internet Governance Fair? One might still wonder what the IGF acronym stands for, after the closing of its fourth annual meeting in Sharm El Sheikh, Egypt, on 18 November 2009. As usual, the IGF featured a number (111 over 4 days!) of so-called multi-stakeholder panels and workshops, exhibition booths, launching events and other happenings. One might still equally wonder what 'Internet Governance' means in the IGF context: apparently, any and all Internet issues, roughly categorized under 7 headings: Access, Diversity, Openness, Security, Critical Internet Resources, Development and Capacity Building. The new comer finds it hard to understand the difference between discussion formats: main session (though run in parallel with up to 9 other events), workshop, open forum, best practice forum, dynamic coalition meeting: what's the exact difference in the end? The veteran is still waiting for the 'round-table' format, that is, a more output-oriented format for issues that have reached a certain level of maturity, that one would have expected as a result of the February and May 2009 IGF consultation meetings. But 'outcome' seems a banned concept, if not a jinx, at IGF. Marshall McLuhan would probably have liked it: the Forum is indeed the message and the massage altogether. However, some participants have a precise agenda to advance for better or worse. The Association for Progressive Communication (APC) took further steps on its joint initiative with the Council of Europe and UNECE towards a "Code of Good Practice on Transparency, Information and Participation in Internet governance", which builds on the principles of WSIS and the Aarhus Convention on Access to Information, Public Participation in Decision-Making and Access to Justice in Environmental Matters. The Electronic Privacy Information Center (EPIC) and the international Public Voice Coalition were instrumental in making privacy a key and crosscutting issue at this year IGF, most notably by moderating the main session on "security, openness, and privacy" and by convening high quality informative workshops to put privacy in focus in emerging contexts such as cloud computing, behavioural targeting and social networks. IGF was indeed the perfect opportunity for the Public Voice Coalition, of which EDRI is a main actor, to campaign on and collect more signatures to the recently adopted "Madrid Civil Society Declaration on Global Privacy Standards in a Global World". On the worrying side, no less than 3 workshops were explicitly dedicated to the promotion of the Council of Europe (CoE) Convention on Cybercrime through CoE (privately co-funded) projects. While these projects claim to include data protection and privacy in their objectives, this would certainly be better achieved if the CoE (as well as private companies) were dedicating comparable resources to the promotion of the CoE Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, together with its 2001 additional Protocol regarding supervisory authorities and transborder data flows. Another preoccupying issue is the promotion by many governments, but also by other stakeholders including some NGOs, of regulations and public-private initiatives to fight the "dangers" of the Internet through content regulation measures that have shown, till now, more harm to human rights and especially the rights to freedom of expression, to privacy and to access to knowledge, than effective protection of vulnerable groups. Human rights are not simply a discussion topic: they form a set of international state binding standards. Active campaigning and uncompromising on the softening and dilution of basic universal principles seems to be still required from the civil society side. While APC and some other participants seem to consider that human rights are gaining prominence at the IGF, it remains to be proven that, beyond endless discussions, the realization of human rights in the digital environment is making effective progress thanks to the IGF... or even AT the IGF one should rather say: during an event organized by the Open Net Initiative (ONI) to launch the book entitled "Access controlled", a promotion poster was taken down by security personnel on the grounds that it showed the following sentence: 'China's famous "Great Firewall of China" is one of the first national Internet filtering systems', a display which was claimed to violate UN policy. Should the IGF continue, then? Almost all stakeholders, including civil society ones, advocated in favour of the continuation of the IGF in the written comments they submitted as well as at the main session dedicated to the desirability of the Forum continuation after the expiration of its first 5-years mandate in 2010. Particularly and unanimously praised were the capacity building feature of the IGF and its ability to facilitate open dialogue among different stakeholders and different viewpoints. Governments are divided, though, on whether the IGF should lead to negotiated and/or binding outcomes: Canada, USA, and the EU presidency strongly stood against such idea, rather favouring IGF continuation in its current form. Others, like Brazil, Kenya and Switzerland, advocated for more concrete but not negotiated outcomes. China was the most clear and direct: "without reform to the present IGF, it is not necessary to give the IGF a five-year extension", advocating for a more classical UN style discussion. All developing countries highlighted the need for better inclusion and involvement of participants from the Global South. Since the IGF will probably be continued, the fact that the IGF 2011 will be held in Kenya might bring some improvement on this last issue. Next year's IGF meeting will be in Vilnius, Lithuania, on 14-17 September 2010. Internet Governance Forum, with workshops list and main sessions transcript (15-18.11.2009) http://www.intgovforum.org APC's project for a code of good practice in Internet governance http://www.apc.org/fr/projects/code-good-practice-internet-governance EPIC and The Public Voice workshops on Privacy (15-18.11.2009) http://thepublicvoice.org/events/egypt09/ The Madrid Privacy Declaration (3.11.2009) http://thepublicvoice.org/madrid-declaration/ Council of Europe Projects on Cybercrime http://www.coe.int/cybercrime EDRi-gram: The 2001 Coe Cybercrime Conv. More Dangerous Than Ever (20.07.2007) http://www.edri.org/edrigram/number5.12/cybercrime-convention-dangerous APC's assessment of IGF 2009 (26.11.2009) http://www.apc.org/en/system/files/APCIGF4Assessment_EN.pdf ONI's poster taken down and related videos, including UN Statement on the incident (15.11.2009) http://www.youtube.com/watch?v=d-kxYt2LwKc (Contribution by Meryem Marzouki, EDRI-member IRIS - France) ============================================================ 11. ENDitorial: Keeping the "self" in self-regulation ============================================================ Businesses, particularly in the Internet environment, fear (and often have good reason to fear) government regulation. Traditionally, therefore, Internet Service Providers have pushed for "self-regulatory" solutions to issues surrounding the management and operation of their own networks - as in the case of spam, for example. Self-regulation often seems to be, and often is, the most effective solution. There is, however, a growing and insidious trend in self-regulation, where increasing pressure is being put on Internet access and service providers to treat their own customers as potential criminals and to take on, usually unwillingly, policing roles. It is clear that this development has serious risks both to online freedoms and to the democratic controls that citizens would normally be able to rely on to protect them. Already, with the notable exception of Germany, when ISPs were asked (often under the threat of being portrayed as supporters of child abuse) to introduce "self-regulatory" web blocking, they felt obliged to do so. This activity clearly has little in common with the dictionary definition of "self-regulation". In Germany, the public debate that was provoked by the ISPs' brave and honourable decision not to cave in to moral blackmail lead to the country not taking the first crucial first step towards widespread censorship and an increasingly controlled Internet. Unfortunately, that democratic decision now risks being overturned by the European Commission's populist but profoundly flawed proposal to introduce "blocking" at an EU level. Last week, the telecoms package was approved by the European Parliament. This contains a new right for Member States to require that providers of e-communications networks and services include obligations in their consumer contracts regarding "unlawful activities" and undefined (and indefinable) "harmful content". Only a few weeks ago, we saw a leaked document related to ACTA explaining the United States' view that "ISPs need to put in place policies to deter unauthorised storage and transmission of IP infringing content (ex: clauses in customers' contracts allowing, inter alia, a graduated response)." Therefore, on the one hand, we see the telecoms package creating the power for governments to push private companies into using their contracts to restrict their consumers' use of the Internet. This not alone covers "illegal" activities but also legal activities that government or the ISP or a third party might find useful to restrict under the vague heading of the content being "harmful". This trend is neatly encapsulated in the Dutch "Notice and Takedown Code of Conduct" which explains that the "parties involved are also free to decide for themselves which information is considered as 'undesirable', irrespective of the question of it being in conflict with the law. They can deal with this undesirable information in the same way as information that is in conflict with the law". On the other hand, we see the USA proposing, within the context of ACTA, the introduction of "graduated response" via consumer contracts and therefore outside the scope of democratic oversight. Self-regulatory initiatives are often to promote/protect the interests of ISPs' customers, so self-regulation is neither automatically unwelcome nor negative. However, ISPs and providers of online services are there to do business, so when the cost of defending their users is higher than the cost of fighting pressure from third parties, it is hardly surprising when they take the decision most appropriate to the survival of their business. These activities are, however, outside their normal business practices and, therefore, the trend towards defending third parties and restricting users' rights is also harmful and unwelcome for them. "Self-regulation" risks becoming a way of tipping the cost/benefit balance definitively in favour of third parties and against citizens. The research carried out in 2004 by Dutch NGO Bits of Freedom which assessed the ease with which wholly invalid "notices" of illegal content could cause websites to be taken offline eloquently demonstrates what this trend means for free speech and justice on the Internet. As a result, we have ISPs being subject to a flurry of invitations to have discussions with international organisations from the European Commission to the Council of Europe to the United Nations with regard to "self-regulation" or "public-private partnership" in the field of intellectual property rights, terrorism, identity theft and various other forms of online activity where private companies are asked to duplicate or participate in policing activities. As long as society continues to be mislead by use of words like "self-regulation" or "partnership", the democratic impact and dangers of this trend will not be understood and freedoms will be undermined. Bits of Freedom research - The Multatuli Project ISP Notice & take down (1.10.2004) http://www.bof.nl/docs/researchpaperSANE.pdf Dutch Code of Conduct (in Dutch, 10.2008) http://www.samentegencybercrime.nl/UserFiles/File/,DanaInfo=ex01tp+NTD_Gedra... Dutch Notice and Take down Code of Conduct (10.2008) http://www.samentegencybercrime.nl/UserFiles/File/NTD_Gedragscode_Opmaak_Eng... ACTA leak (30.09.2009) http://www.wikileaks.com/wiki/European_Commission_"advance_warning"_summary_on_ACTA_Internet_Chapter%2C_30_Sep_2009 (contribution by Joe McNamee - EDRi) ============================================================ 12. Recommended Reading ============================================================ ENISA, supported by a group of subject matter experts comprising representatives from Industries, Academia and Governmental Organizations, has conducted, in the context of the Emerging and Future Risk Framework project, a risks assessment on cloud computing business model and technologies. The result is an in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing. The report provide also a set of practical recommendations. (20.11.2009) http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-as... UK: Report published by the Human Genetics Commission (HGC), the Government's independent advisers on developments in human genetics (24.11.2009) http://www.hgc.gov.uk/Client/document.asp?DocId=226&CAtegoryId=8 ============================================================ 13. Agenda ============================================================ 4 December 2009, Brussels, Belgium Are you ready for the Internet of Things? Lift Workshop @ Brussels, Council and Tinker.it! http://liftconference.com/lift-at-home/events/2009/12/04/lift-brussel-counci... 9 December 2009, Brussels, Belgium The European OpenSource & Free Software Law Event - EOLE 2009 http://www.eolevent.eu/ 27-30 December 2009, Berlin, Germany 26th Chaos Communication Congress http://events.ccc.de/congress/2009/ 20-22 January 2010, Namur, Belgium The Conference for the 30th Anniversary of the CRID - An Information Society for All : A Legal Challenge http://www.crid.be/30years/ 29-30 January 2009, Turin, Italy "Cultural Commons" - First International Workshop http://www.css-ebla.it/css/ 29-30 January 2009, Brussels, Belgium Third edition of the Computers, Privacy and Data Protection - CPDP 2010 - An Element of Choice http://www.cpdpconferences.org/ 6-7 February 2010, Brussels, Belgium FOSDEM 2010 http://www.fosdem.org/2010/ 26-28 May 2010, Amsterdam, Netherlands World Congress on Information Technology http://www.wcit2010.com/ 9-11 July 2010, Gdansk, Poland Wikimedia 2010 - the 6th annual Wikimedia Conference http://meta.wikimedia.org/wiki/Wikimania_2010 ============================================================ 14. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 27 members based or with offices in 17 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram@edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request@edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request@edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edrigram-mk.php - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE