============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 10.1, 18 January 2012
============================================================
Contents
============================================================

EDRi supports protests against US blacklist legislation
1. What's Wrong with ACTA Week
2. The US pressure on Spain to censor the Internet has paid off
3. Belarus strongly censors the Internet
4. Commission confirms illegality of Data Retention Directive
5. Romanian Senate rejects the new data retention law
6. Finnish ISP started blocking The Pirate Bay
7. Dutch Internet providers forced to block The Pirate Bay
8. US continue pushing on EU Commission against Data Protection proposals
9. Researchers say smart meter technology is privacy intrusive
10. ENDitorial: Copyright vs Public Domain-copyright as a barrier to culture?
11. Recommended Action
12. Recommended Reading
13. Agenda
14. About

============================================================
EDRi supports protests against US blacklist legislation
============================================================

EDRi supports today's black-out campaign against SOPA and PIPA and endorses the positions of the human rights international community in criticizing the two draft normative acts from the US.

Human rights community speaks out on PROTECT IP Act (16.01.2012)
https://www.accessnow.org/policy-activism/press-blog/human-rights-community-...

Human rights community against SOPA (15.11.2011)
http://www.edri.org/files/sopa_civilsociety_15Nov_2011.pdf

More details on the blackout campaign
https://www.eff.org/deeplinks/2012/01/january-18-internet-wide-protests-agai...
https://blacklist.eff.org/
http://sopastrike.com/

============================================================
1. What's Wrong with ACTA Week
============================================================

Since many politicians and citizens are not yet aware of ACTA's serious implications, EDRi has launched a "What's Wrong with ACTA Week". We have put together five one-page briefing documents which briefly summarise the most important issues:

ACTA and its Impact on Fundamental Rights (16.01.2012)
http://www.edri.org/files/EDRI_acta_series_1_20120116.pdf

ACTA - Criminal Sanctions (17.01.2012)
http://www.edri.org/files/EDRI_acta_series_2_20120117.pdf

ACTA - Innovation and Competition (18.01.2012)
http://www.edri.org/files/EDRI_acta_series_3_20120118.pdf

ACTA and its Impact on the EU's International Relations (will be released on 19.01.2012)
http://www.edri.org/ACTA_Week

ACTA and its Safeguards (will be released on 20.01.2012)
http://www.edri.org/ACTA_Week

============================================================
2. The US pressure on Spain to censor the Internet has paid off
============================================================

The US has continued to pressure Spain since 2008 to adopt measures against users allegedly illegally downloading copyrighted music and movies from file-sharing networks. And now this pressure has paid off; the Spanish Congress approved at the end of 2011 the so-called Sinde law (Ley Sinde) which allows the closing down of websites deemed to illegally download copyrighted material.

Wikileaks cables revealed in 2010 that the US pressured Spain to pass stronger copyright enforcement laws, threatening to put Spain on their Special 301 Report (a watch list of countries with "bad" intellectual property policies), a threat on which they actually delivered.

"We propose to tell the new government that Spain will appear on the Watch List if it does not do three things by October 2008.
First, issue a (Government of Spain) announcement stating that Internet piracy is illegal, and that the copyright levy system does not compensate creators for copyrighted material acquired through peer-to-peer file sharing. Second, amend the 2006 "circular" that is widely interpreted in Spain as saying that peer-to-peer file sharing is legal. Third, announce that the GoS (Government of Spain) will adopt measures along the lines of the French and/or UK proposals aimed at curbing Internet piracy by the summer of 2009," says the text of the diplomatic cable announcing the pressure tactics revealed by WikiLeaks.

The Sinde Law was promoted by Angeles Gonzalez-Sinde Reig, former head of the Spanish Academy of Cinematographic Arts & Sciences, when she became Minister of Culture in 2009. The Sinde Law gave a government committee the power to blacklist Internet sites allegedly trafficking copyrighted files.

The new legislation creates a government body, the Commission of the Intellectual Property, which will have the power to evaluate sites and force Internet service providers to block, within ten days, the sites deemed to be trading in pirated material. The owners of the websites have three days to present arguments before the commission to justify their activities and, after the commission has decided the removal of certain content, the ISPs have 24 hours to block the service or to remove the content, and the website owners have no access to appeal. If website owners don't comply voluntarily, a court will intervene to close down the website or to block the service, requiring the ISPs to reveal the identity of the website owners.

The US supported the Sinde law, lobbying hard for her measure and even asking for support from Spanish opposition parties, with the aim of having Spain's position later influence the European Union during Spain's EU presidency, as shown by the cables revealed by Wikileaks.

But, despite the government's expectations, the opposition to the Sinde law was fierce. It was strongly criticized by Internet groups and lawyers, which led to the bill being stopped in the Parliament at the end of 2010. The government left the law for the incoming administration to handle after November 2011 and the new government approved very rapidly a modified version of the law where, for instance, judges will have to issue the actual blacklist order.

It appears that this sudden decision was also pressured by the US. El Pais revealed on 12 December 2011 a letter of the US ambassador addressed to the Spanish officials complaining that the law had not yet entered into force.

"The government has unfortunately failed to finish the job for political reasons, to the detriment of the reputation and economy of Spain. I encourage the Government of Spain to implement the Sinde Law immediately to safeguard the reputation of Spain as an innovative country that does what it says it will, and as a country that breeds confidence," said the letter.

The ambassador also reminded Spain of having already been once on the special 301 Report and warned of the risk of the country being further downgraded and returned to the "Priority Watch List" of "the worst global violators of intellectual property rights", which can lead to serious commercial sanctions.

Spanish Internet users are already organizing a boycott, calling on Internet users not to purchase or consume any artistic or intellectual works of authors, producers, agents, or managers who have explicitly expressed support for, or participated in lobbying for, the Sinde law.

Victor Domingo Prieto, President of La Asociación de Internautas, has stated that "when the Intellectual Property Commission takes its first steps (of blocking sites), reports of the unconstitutionality of their decisions will occur immediately."

How the US pressured Spain to adopt unpopular Web blocking law (5.01.2012)
http://arstechnica.com/tech-policy/news/2012/01/how-the-us-convinced-spain-t...

US slammed Zapatero for not passing "Sinde" anti-piracy law (4.01.2012)
http://www.elpais.com/articulo/english/US/slammed/Zapatero/for/not/passing/S...

Spain's SOPA Law: How It Works And Why It Won't (9.01.2012)
http://spectrum.ieee.org/tech-talk/telecom/internet/spains-sopa-law-how-it-w...

Anti-internet piracy law adopted by Spanish government (3.01.2012)
http://www.bbc.co.uk/news/technology-16391727

The Government of PP approves the regulation of Sinde Law and eliminates the licence (only in Spanish, 30.12.2011)
http://www.elmundo.es/elmundo/2011/12/30/navegante/1325253506.html

Spain's Ley Sinde: New Revelations of U.S. Coercion (9.01.2012)
https://www.eff.org/deeplinks/2012/01/spains-ley-sinde-new-revelations

EDRi-gram: Spanish anti-piracy law approved by the Government (24.03.2011)
http://www.edri.org/edrigram/number8.6/spain-govt-adopts-antipiracy-law

============================================================
3. Belarus strongly censors the Internet
============================================================

6 January 2012 saw the coming into force of the Belarusian law imposing even more restrictions on online free expression in a country that is already viewed as a dictatorship. Belarus is already listed as a country "under surveillance" in the Reporters Without Borders annual report on "Enemies of the Internet" and is ranked 154th out of 178 countries in the 2010 press freedom index.

The law that recently entered into force turns browsing foreign websites into an offence to be punished by fines up to about 100 Euro and makes ISPs liable for the actions of their users. This means that, in carrying out its online activities, any business in the country will be able to use only the fully local Internet domains, excluding such sites, search engines or social networks as Wikipedia, Facebook, Twitter.
Even Google may be in the same position as it hosts its website Google.by in the US.

The initial decree, issued in February 2010 by President Alyaksandr Lukashenko, already requires the compulsory registration of all Belarusian websites that must then be hosted in the country. Also, anyone going online in an Internet café or using a shared connection will have to identify themselves, and a record will be kept of everyone's surfing history for a year.

Not only are ISPs liable for their users' activities online, but home Internet subscribers are also considered liable for others who might share their connections with them. ISPs are expected to monitor foreign website use and report the findings to authorities, just as ordinary citizens sharing an Internet connection with others are expected to report any law infringement.

A list of banned sites is issued by the State Inspection on Electronic Communications on the basis of decisions by several institutions such as the Operational and Analytical Centre. The criteria for the inclusion of sites on the list include content that is pornographic or advocates violence or "extremism", which, as proven several times, is vague enough to lead to abuse and overblocking. Thus, the authorities may draw up a list of banned sites the access to which must be blocked by ISPs at 24 hours' notice in official institutions and cultural and educational institutions.

Websites such as the news site Charter97, Belaruspartisan, and the blog of the humorist Yauhen Lipkovich, which are critical of the government or the President, are already on the blacklist.

After Lukashenko has taken all the measures to eliminate any opposition, the Internet has practically remained the only environment to apply pressure on the regime. A Facebook group "Wanted criminals in civilian clothes", blogs and Posobniki.com all helped in exposing the regime's crimes and abuses. This made the Internet a target for the government, hence the present restrictive legislation.

Belarus Bans Browsing of All Foreign Websites (3.01.2012)
http://torrentfreak.com/belarus-bans-browsing-of-all-foreign-websites-120103...

Belarus authorities turn up the heat on the Internet (6.01.2012)
http://en.rsf.org/belarus-belarus-authorities-turn-up-the-06-01-2012,41634.h...

Internet in Belarus, November 2011 (4.01.2012)
http://e-belarus.org/news/201201041.html

In Belarus, the freedom of the internet is at stake (6.01.2012)
http://www.indexoncensorship.org/2012/01/belarus-internet-freedom-mike-harri...

============================================================
4. Commission confirms illegality of Data Retention Directive
============================================================

The EDRi-member Quintessenz - Austria has published a leak of an internal paper from the Commission intended to inform DAPIX, the Council's working party on information exchange and data protection, of the results of the Commission's consultation in April 2011 on the reform of the Data Retention Directive (DRD). It raises a number of issues with the Directive that the Commission wishes to tackle in order to cast it in a better light.

The Commission admits that "there is a continued perception that there is little evidence at an EU and national level on the value of data retention in terms of public security and criminal justice, nor of what alternatives have been considered". It then asks at the end of the document: "What are the most effective ways of demonstrating value of data retention in general and of the DRD itself?"

The origin of the "perception" that there is little evidence existing as to the value of the Directive is shown by the Commission's statement that only 11 of 27 Member States have provided data that could be used in order to highlight the added value of the Directive.

Legal uncertainties that have been overlooked during the drafting process of the Directive are now posing a certain number of problems for the Commission.
In the document, the Commission acknowledges for example the lack of a "logical separation between data stored and then accessed for a) business purposes, b) for purposes of combating 'serious crime' and c) for purposes other than combating serious crime" and the lack of a monitoring system showing "data (that) would not have been available to law enforcement without mandatory retention". The question of distinguishing between data retained for business purposes and data retained under the Directive is asked but left unanswered.

The Commission also states that unclear definitions in the DRD have led to service providers storing instant messaging, chats and filesharing details even though these types of data are outside the scope of the Directive. It is often unclear to businesses in the telecommunications sector which data should be stored. Law enforcement agencies have apparently lobbied the Commission for a "technological neutrality" of the Directive to ensure a broad "ability to know who communicated with whom, when, where and how" - despite, it appears, being able to justify the retention of the data already being stored.

Moreover, the paper repeats EDRi's concern regarding the "serious crime" limitation, which is not defined at EU level or in many Member States, and regarding the lack of a clear limitation of the purposes for which data is being retained. It states that there have been many demands for the extension of the use of data to copyright infringements or for such vaguely defined offenses as "hacking" and "urgent cases".

According to the document, the Directive has also led to an unclear situation for citizens due to the absence of a procedure for reporting and redressing data breaches and the absence of a monitoring system to know who actually accessed the data.

Furthermore, the Commission states that, depending on the country, there is no or only a very low reimbursement of storage costs, which leads to a distortion of the free market.
Especially the costs for small businesses are being rated as "disproportionately high". This also means that countries having implemented the Directive will have an economic interest and will pressure other countries into implementing data retention.

In order to justify limitations of fundamental rights, such as the right to privacy and to data protection, measures must be necessary and proportionate. The leaked document however shows that the Commission can neither prove necessity nor proportionality of the Data Retention Directive - but still wants to keep the Directive.

Despite unending implementation problems and proven failure of the current Directive, the Commission is maintaining its pressure on Member States that have not already implemented the Directive, to do so. The Commission is currently examining the possibility of amending the Directive and is conducting a study on data preservation ("quick freeze") which is due for May 2012.

Leaked Commission document (15.12.2011)
http://quintessenz.org/d/000100011699

Commission's DRD implementation report (18.04.2011)
http://ec.europa.eu/commission_2010-2014/malmstrom/archive/20110418_data_ret...

EDRi's Shadow implementation report (17.04.2011)
http://www.edri.org/files/shadow_drd_report_110417.pdf

(Contribution by Kirsten Fiedler - EDRi)

============================================================
5. Romanian Senate rejects the new data retention law
============================================================

Following the pressure from the European Commission on the Romanian authorities to implement the data retention directive and despite the decision of the Constitutional Court from 2009 against the data retention law, a new draft law has emerged, but it was rejected by the Senate at the end of 2011.

The Romanian Ministry of Communications and Information Society (MCSI) has tried to have the new draft promoted as a Government proposal, but has failed to do so for unclear reasons.
The Romanian Data Protection Authority has decided not to endorse the new draft law, as the article related to the security institutions' access to the retained data is still vague. The text is in fact similar to the old law that was declared unconstitutional and even worse in some specific cases, such as for example the judicial approval to have access to the retained data, which is unclear in the new proposal.

However, the MCSI rejected claims of the civil society that the new law was still unconstitutional and decided to go further with the same draft. In the end, the Minister promoted the law as his own initiative in the Chamber of Deputies (because he is also a deputy) together with a Party colleague.

The law was sent for debates to the Senate, where it received an unusual point of view from the Government, which refused to endorse the law and said that the Parliament should decide its fate, because of the conflict between the Constitutional Court decision and the EU data retention directive.

The law was quickly debated by the Senate, after the Legal and Human Rights Committees decided to suggest the rejection of the law, as the content is similar to the one already declared unconstitutional. On 21 December 2011, the Senate decided unanimously that the law should be rejected.

However, the vote in the Senate is only consultative for this law and the decisive vote will be taken by the Chamber of Deputies, which will start discussing the law in its Commissions in February 2012.

Data retention: Commission requests Germany and Romania fully transpose EU rules (27.10.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/1248&type=HTML

Romanian DPA does not endorse the data retention law (only in Romanian, 29.08.2011)
http://dataprotection.ro/?page=stire_07092011&lang=ro

The Romanian Government refuses to adopt a point of view on data retention law (only in Romanian, 19.12.2011)
http://apti.ro/retinerea-datelor-Guvernul-refuza-sa-isi-asume-un-punct-de-ve...

Report of the Senate Legal Committee to reject the data retention law (only in Romanian, 20.12.2011)
http://www.apti.ro/sites/default/files/Raport%20respingere%20Senat%2020%20de....

The Senate rejects the data retention law (only in Romanian, 22.12.2011)
http://legi-internet.ro/blogs/index.php/2011/12/22/legea-pastrarii-datelor-d...

EDRi-gram: New draft law for data retention in Romania (29.06.2011)
http://www.edri.org/edrigram/number9.13/new-draft-data-retention-romania

============================================================
6. Finnish ISP started blocking The Pirate Bay
============================================================

On 9 January 2012, the Helsinki Enforcement authority obligated Finnish ISP Elisa to execute the court ruling that it had to block access to The Pirate Bay from its network. This is the latest phase in an ongoing legal fight between the Copyright Information and Anti-Piracy Centre (CIAPC) and Elisa. Acting on behalf of IFPI Finland, CIAPC brought the case to court in May 2011, and in October the court ruled that Elisa must block access to The Pirate Bay. Elisa has appealed the ruling to a higher court.

The court ruling from October did not specify the domain names and IP addresses that Elisa should block. The Enforcement authority gave Elisa a list of domain names compiled by the CIAPC, including not only domains of The Pirate Bay itself but various translations of the name such as depiraatbaai.be.

One of the listed domain names was piraattilahti.fi ("pirate bay" in Finnish), a website owned by a private Finnish person. The site did not contain any links to or material from The Pirate Bay, but instead hosted a campaign page against SOPA (Stop Online Piracy Act), the controversial US draft bill. The owner of the site changed piraattilahti.fi to point to Effi's web server, with the result that people outside Elisa's network saw Effi's web pages and those inside Elisa got nothing when they entered piraattilahti.fi in their browser.
The site was later removed from the blocking list.

Another initially blocked site was piraatti.fi, which is in fact an anti-piracy propaganda site. It was unblocked a few days later.

After the enforcement of the block, the website of CIAPC was flooded offline and CIAPC claimed to have received a bomb threat.

The enforcement raises some questions. First of all, how can a private organisation be empowered to manage a list of websites that people should not be allowed to access - apparently without checking at all what the site actually contains? Furthermore, why such a hurry to enforce a court decision that has been appealed, especially as there is a fresh precedent from the European Court of Justice that basically disallows the Finnish lower court decision?

Elisa's press release (9.01.2012, updated 11.01.2012)
http://www.elisa.fi/ir/pressi/index.cfm?t=100&o=5130&did=17728

EDRi-gram 9.21: Finnish ISP ordered to block The Pirate Bay (2.11.2011)
http://www.edri.org/edrigram/number9.21/finnish-isp-block-piratebay

European Court of Justice press release (24.10.2011)
http://curia.europa.eu/jcms/upload/docs/application/pdf/2011-11/cp110126en.p...

(Contribution by Timo Karjalainen, EDRi member Electronic Frontier Finland - Effi)

============================================================
7. Dutch Internet providers forced to block The Pirate Bay
============================================================

In its judgement of 11 January 2012, the Court of The Hague granted Dutch copyright enforcement organisation Brein's request to order Dutch internet providers Ziggo and XS4ALL to block access to The Pirate Bay. This is the opposite of an earlier ruling given in summary proceedings where no such order was given. Ziggo and XS4ALL will appeal the ruling.

The Court of The Hague held that Ziggo and XS4ALL have to block access to the domain names and IP-addresses of The Pirate Bay. In the future, Brein may also give the providers additional lists to block.
The Court came to this conclusion based on additional evidence provided by Brein that a large number of Ziggo and XS4ALL subscribers used The Pirate Bay to download content without authorisation.

The Court based its order on article 26d of the Dutch Copyright Act and article 15e of the Dutch Neighbouring Rights Act. These articles, which are based on Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society, give the judiciary the right to order intermediaries whose services are used by third parties to infringe copyrights, to discontinue the services that are used for these infringing activities.

The Court reasons that, based on the ECJ's explanation of Article 11 of the IP Enforcement Directive 2004/48/EC in the L'Oreal/Ebay case, this order can also be extended to prevent future infringements. Therefore, the order does not have to be focussed on a specific infringement, but its scope can be broader, according to the Court.

Referring to the judgement of the European Court of Justice (ECJ) in the Sabam/Scarlet case, the Court states that a right balance has to be struck between fundamental rights and the protection of intellectual property. This balance has to be determined by the principles of subsidiarity and proportionality. According to the Court, blocking The Pirate Bay adheres to these two principles for a number of reasons.

First, according to the Court, only a marginal amount of legal content can be found on The Pirate Bay. The legal content that is provided can also be retrieved with other means and therefore there is not a violation of article 10 ECHR.

Second, the Court notes that direct proceedings against The Pirate Bay and release groups have proven to be futile. Therefore it is appropriate to address intermediaries.

Third, blocking The Pirate Bay would essentially substantiate an earlier order of the Court of Amsterdam that already ordered the administrators of The Pirate Bay to disable their website, including legal content.

Fourth, the Court does not consider a DNS and IP blockade to constitute active surveillance, as it is directed at one website. It does not involve deep packet inspection to prevent any possible infringements from happening and it is therefore not forbidden by article 15 sub 1 of the E-Commerce Directive 2000/31/EC and the Sabam/Scarlet ruling of the ECJ.

As can be seen by the many contradicting rulings given by various Courts in Europe, court cases regarding the blocking of websites do not always lead to the same result. For example, on 9 January 2012, the local Court of Helsinki in Finland ordered Elisa, one of the largest Internet Providers in Finland, to block access to The Pirate Bay for its customers. On the other hand, on 31 August 2011, the Court of Cologne held that Internet Provider HanseNet could not be ordered to block access to a Russian website that facilitated copyright infringement.

Considering these completely different outcomes across the European Union, it is remarkable that the Court of The Hague did not see reason to ask preliminary questions to the ECJ.

Decision of the Court of The Hague (only in Dutch, 11.01.2012)
http://zoeken.rechtspraak.nl/detailpage.aspx?ljn=BV0549

Court of Cologne's decisions on Hansenet (only in German, 31.08.2011)
http://www.justiz.nrw.de/nrwe/lgs/koeln/lg_koeln/j2011/28_O_362_10_Urteil_20...

EDRi-gram: Dutch Internet Provider Not Obliged To Block The Pirate Bay (28.07.2010)
http://www.edri.org/edrigram/number8.15/dutch-isps-not-blocking-piratebay/

Blocking The Pirate Bay: will the Dutch court ruling hold in appeal? (18.01.2012)
http://kluwercopyrightblog.com/2012/01/18/blocking-the-pirate-bay-will-the-d...

(Contribution by Arjan de Jong - volunteer Bits of Freedom)

============================================================
8. US continue pushing on EU Commission against Data Protection proposals
============================================================

The US Department of Commerce has circulated a second informal note with comments on the proposals for a data protection regulation and a directive on data protection in the field of law enforcement. This time, its criticism focuses on the following concerns: the regulation could hinder commercial interoperability and even be counter-productive for consumer privacy protection, and it could have a negative impact on the freedom of speech and other human rights, on law enforcement cooperation, on cooperation between regulatory authorities and on civil litigation.

The high-level interference with the internal processes of the European Commission by the United States is quite extraordinary. Undoubtedly, a degree of concern can legitimately be expressed as the final decisions are being made on a piece of legislation which has international significance. However, this amount of interference, before either the European Parliament or Council (the Member States) have been able to have their say, implies a significant level of disrespect for the institutions of the Union and their ability to resolve any issues with what is, after all, the first draft in a legislative process which will last two to three years.

According to the DoC's informal note, the Safe Harbor Agreement enabled transfer of personal data and is a "vital component of transatlantic trade". The DoC thereby completely ignores the findings of several external evaluations on the EU-US Safe Harbor Privacy Principles which attacked the agreement in terms of compliance and enforcement; the agreement is today widely considered to be entirely without credibility.

The note praises Article 40 and its provisions regarding Binding Corporate Rules (BCR) as a legal basis for transfers of personal data to third countries but asks for more detail regarding the type of verification data protection authorities will consider sufficient. The document also states that codes of conduct (of the kind that have failed to develop in the existing Directive, but are nonetheless envisaged in the USA) can lead to an increase in interoperability and enhanced consumer protection and suggests that the EU looks into mechanisms to convert codes of conduct into BCRs.

However, the provision for explicit consent with a single standard is heavily criticized since, it is argued, if it is not simplified and meaningful, it could easily overburden individuals. The DoC states that a single standard is ill-suited for institutions and types of commerce that offer financial products and services.

The DoC then criticises the Regulation's specifications regarding "privacy by design" and the broad authority given to the EU Commission to set out the technical standards - without presenting any valid arguments against the proposed principle of privacy by design itself.

The informal note also qualifies some provisions as being infeasible, since they would impose burdens on businesses without enhancing consumer protection, such as data breach notification and the right to be forgotten. In contrast to its first note from December 2011, the DoC now admits that the US itself has several federal laws regarding breach notification but repeats its criticism of the first informal note regarding the obligation to notify data subjects within 24 hours, arguing that the period is "simply too short", that it could lead to "massive fines" for companies and to confusing "false alarms" for consumers.

The draft Regulation is also considered to be inconsistent with the global nature of the Internet since it would assert jurisdiction over persons operating websites without a legal nexus with Europe (i.e. exactly what the US is proposing in its current draft proposals on intellectual property). According to the DoC, the term "directed to" is neither sufficiently defined in paragraph 15 nor does the limiting principle go far enough. Oddly enough, the "directed to residents of the US" provision of the planned Protect IP Act (PIPA) raises no similar concerns in the US.

As mentioned above, the note qualifies the "right to be forgotten" as undermining freedom of expression, as technically impracticable and as ignoring the open and decentralised nature of the Internet. The DoC expresses concern that exceptions in article 80 are narrower than the freedom of expression, that the "right" to be forgotten is not an internationally recognised right and that protected expression will be deleted. However, the DoC seems to ignore that this article is based on an already existing right as set out by the EU (1995/46/EC, article 12 b) and that these concerns can easily be addressed by clarification of the wording of the current draft of the Regulation.

Of course, the DoC is also very concerned about the draft Police and Criminal Justice Data Protection Directive, saying that it would limit information and evidence sharing to "the minimum necessary" - which is a useful, albeit unintentional, confirmation that the proposal is legal under the Charter of Fundamental Rights. They are also unhappy about the fact that other legal information-sharing instruments with EU Member States would probably not suffice under the proposed Directive since existing instruments must meet specific and "problematic" privacy protection requirements.
Moreover, the DoC fears that the "strong system of privacy protection" existing in the United States (which, incidentally, does not cover EU citizens) would disappear since it would be forced to adopt the European style of data protection. The DoC criticises the data transfer provisions of the draft Regulation (art. 37-41) arguing that they would undermine cooperation and data sharing processes among regulatory authorities in the US, the EU and the EU's Member States based on cooperative arrangements. The document then specifically targets article 42 stating that its restrictions could block or delay access to information held by US firms and have an impact on investigations of EU firms and citizens. Bizarrely, the US DoC is worried about regulating a currently unregulated situation which would permit data exchange in the absence of a legal framework and legal safeguards. According to the note, article 42 might even affect the US-registered companies located in the EU and their ability to conduct business in the US. It is noteworthy that the US currently uses instruments such as the Foreign Intelligence Surveillance Act to retrieve data on foreign individuals' political activities, who may have no contact whatsoever with the USA, via companies with US offices. This legal vacuum would be addressed by article 42. An unusually high number of Commission services issued negative internal opinions to the draft legislation, thus delaying the inter-service process (see 2 opinions below). This was partly as a result of this significant lobbying campaign (including high-level phone calls to top level staff in the European Commission) against the leaked draft proposal for a Regulation by the United States Department of Commerce and the Federal Trade Commission, the official draft proposal of which is now expected to be published in February/March. 
First informal note circulated by the US (21.12.2011) http://edri.org/US-DPR Second informal note by the US (16.01.2012) http://www.edri.org/files/US_lobbying16012012_0000.pdf Opinion DG Trade (21.12.2011) http://www.edri.org/files/21122011_DGTradeOpinion.pdf Opinion DG Infso (21.12.2011) http://www.edri.org/files/120112_DGINFSO_negativereply.pdf Chris Connolly (Galexia), US Safe Harbor - Fact or Fiction?, Privacy Laws and Business International, issue 96, December 2008: http://www.galexia.com/public/research/assets/safe_harbor_fact_or_fiction_20... The implementation of Commission Decision 520/2000/EC on the adequate protection of personal data provided by the Safe Harbour privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce SEC(2004)1323 http://ec.europa.eu/justice/policies/privacy/docs/adequacy/sec-2004-1323_en.... (Contribution by Kirsten Fiedler - EDRi) ============================================================ 9. Researchers say smart meter technology is privacy intrusive ============================================================ Two German researchers presented a talk entitled "Smart Hacking for Privacy" at the 28th Chaos Communication Congress that took place between 27 and 30 December 2011, on the privacy implications of "smart" electricity meters. These devices, installed in homes, collect information to determine the power consumption. The researchers had signed up with Discovergy, one of the independent companies providing such smart meters, to check out how secure the devices were and what information could be obtained from the data gathered by them. According to Discovergy's website, the web interface accessing the consumption data used HTTPS to protect the data and the data sent back to Discovergy was encrypted and signed in order to prevent forged data. The website also stated these facts had been confirmed by independent experts. 
Following the researchers' presentation on 30 December, these statements disappeared from the company's website. As it turned out, the site's SSL certificate was misconfigured and presented an invalid certificate warning, after which the site redirected them to an HTTP URL where the data and password were transmitted in clear text across the internet. The researchers found that the traffic was neither encrypted nor signed and was therefore easy to intercept. Thus, they were able to demonstrate that data from the entire life of the device was stored on Discovergy's servers. One of the main concerns was that the smart meters were monitoring the power usage in two-second intervals, which implies the devices were able to discern very fine modifications in power consumption such as differences based on the brightness levels displayed for different scenes in TV shows and movies. The researchers believe that two-second measurements are unnecessary for the stated goals of the smart meter companies and too privacy intrusive, as the data obtained could be used to establish very fine details. "Unfortunately, smart meters are able to become surveillance devices that monitor the behaviour of the customers leading to unprecedented invasions of consumer privacy. High-resolution energy consumption data is transmitted to the utility company in principle allowing intrusive identification and monitoring of equipment within consumers' homes (e.g., TV set, refrigerator, toaster, and oven)", said the researchers in a statement prior to the presentation. Nikolaus Starzacher, CEO of Discovergy, explained that one of the reasons for using the two-second polling interval was to provide services such as notifying a customer that he had left an iron or another household appliance on when leaving the house. 
Also, the researchers claimed that they had been able to send false details about their energy consumption back over the unencrypted Discovergy network, meaning that consumers might be able to "potentially fake the amount of consumed power being billed". In the opinion of Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, EU and UK plans to install smart meters are "set to become another public sector IT disaster". In a joint paper with his fellow academic Shailendra Fuloria, Anderson warned of a vulnerability in smart meters which might allow hackers to break into a "head-end" hub where smart metering data are collated and thus even to cut the supply of energy across "tens of millions of households". "The introduction of hundreds of millions of these meters in North America and Europe over the next ten years, each containing a remotely commanded off switch, remote software upgrade and complex functionality, creates a shocking vulnerability," Anderson said, adding: "An attacker who takes over the control facility or who takes over the meters directly could create widespread blackouts; a software bug could do the same." In his opinion, regulators have started to become aware of the issue, and possible solutions under discussion might be "shared control, as used in nuclear command and control; backup keys as used in Microsoft Windows; rate-limiting mechanisms to bound the scale of an attack; and local-override features to mitigate its effects." Smart meter hacking can disclose which TV shows and movies you watch (8.01.2012) http://nakedsecurity.sophos.com/2012/01/08/28c3-smart-meter-hacking-can-disc... Smart Hacking for Privacy (16.01.2012) http://www.youtube.com/28c3#p/u/54/YYe4SwQn2GE Smart meter technology is privacy intrusive, researchers claim (11.01.2012) http://www.out-law.com/en/articles/2012/january-/smart-meter-technology-is-p... 
============================================================ 10. ENDitorial: Copyright vs Public Domain-copyright as a barrier to culture? ============================================================ "The book, as a book, belongs to the author, but as thought it belongs -- the word is not too big -- to the human species. Any intelligent being has a right to it. If one of the two rights, that of the writer and that of the human spirit, must be sacrificed, then certainly it should be the right of the writer, as the public interest is our sole preoccupation, and everyone, I declare, should come before us" - Victor Hugo, Opening speech of the International Literature Congress of 1878 For many of us, New Year means good resolutions, for some even new beginnings, but it also means new works of art in the public domain. This year - and just to name a few - James Joyce, Maurice Leblanc, Virginia Woolf, Robert Delaunay, Sherwood Anderson, Henri Bergson have entered the public domain. To be in the public domain: what does it concretely mean? Public domain works are part of citizens' cultural heritage, therefore their use is not restricted - as it would be when they are protected by copyright. Practically, it means that people can freely copy, translate, adapt or use the works of the artists, writers or musicians. Entering the public domain leads to wider access to cultural content. The public domain promotes education and knowledge. It is a factor of new and further creation, knowledge and innovation. Some of these elements are of great importance and further enhance access to culture. Once a work has entered the public domain, new editions and republications flourish, giving the opportunity to a larger audience to access society's cultural heritage. 2010 turned into a year of Freud. When Sigmund Freud's works finally entered the public domain, publishers rushed to publish, commissioned new translations and subsequently sold new versions of his books. 
All in all, public domain enables a wider and higher circulation of artistic, literary, dramatic, musical works, encouraging access for all. And last but not least, public domain also has an economic value. Some publishers indeed have specialised their business model on publishing works for which copyright protection has expired. This is true not only for the book publishers but also in the music industry. A crucial question therefore arises: If public domain is so important and so beneficial, why do we have to wait for so long after the artist's, painter's or writer's death to have works of art finally in the public domain? The original idea behind copyright monopolies was to favour creativity and to enable artists, writers and authors to continue to create. This would be a great and praiseworthy purpose if only it had not been turned away from its primary goals. Copyright is currently the rule and public domain is the exception. The content industry continually asks for, and receives, ever-longer copyright terms, and consequently the public domain continually decreases. Just recently and after a strong lobby from the music industry, the European Union decided to extend copyright for performers and producers from 50 to 70 years. Turning back on Victor Hugo's idea of his work as a shared good, some in the rightsholders lobby are pushing the limits of protection, and moving cultural goods out of the reach of society. They argue that it serves the economy, helps to keep jobs and improves the investment in new talent. However, what they miss here is that access to the works of the artists they claim to represent is restricted for the public, for other publishers or other record companies. In the end, this only serves the majors and the most famous artists, who are least in need of this "protection". 
Finally, while these dominant industries claim that term extension is needed in order to invest in new talent, the policy of ever longer copyright extension does not create any incentive to do so. In the absence of such incentive, major record companies will continue to invest only in performers that will bring in long-term revenues, so alternative and less popular musicians will be left out, undermining cultural diversity. Nowadays, the protection of works subject to copyright is based not on their date of publication but on the death of the authors, and life expectancy has improved, so the public domain is proportionally diminishing. If copyright is to incentivise creation, what is the logic behind remunerating artists for ever-longer periods after their deaths? The entire logic behind the copyright protection has been subverted. Cultural works are being locked away from the public and a greater barrier is being built between the public and their culture. If copyright is meant to defend culture and creation, it should not be used to create barriers between citizens and their heritage. Freud in the public domain (only in French, 27.01.2010) http://www.lexpress.fr/culture/livre/freud-dans-le-domaine-public_844789.htm... EDRi-gram: New rules on term of protection of music recordings (21.09.2011) http://edri.org/edrigram/number9.18/term-extension-music-copyright The progressive weakening of the public domain (only in French, 2.01.2012) http://www.numerama.com/magazine/21129-l-affaiblissement-progressif-du-domai... Public domain calculator http://outofcopyright.eu/ (Contribution by Marie Humeau - EDRi) ============================================================ 11. 
Recommended Action ============================================================ 5th International Computers, Privacy & Data Protection Conference: "European Data Protection: Coming of Age" CPDP 2012 takes place during a significant stage of the revision of the EU legal framework on data protection, thus several panels will focus on the review and the latest legislative proposals. More than 20 panels will be organized on key issues such as geolocalization, e-identity and e-management, enforcement of copyright protection, surveillance in the workplace, accountability and communication of privacy. In addition, there will be workshops and special sessions on topics such as eDiscovery, privacy impact assessments and "privacy by design", smart metering and transborder data flows. Since 2012 was declared the European Year of Active Ageing, three sessions will be devoted to the theme of Ageing and New Technologies. 25-27 January 2012, Brussels, Belgium http://www.cpdpconferences.org/ Corporate Responsibility to Respect Human Rights A new European Commission project will produce 3 sector-specific guides on the Corporate Responsibility to Respect Human Rights. The choice regarding which three sectors will be included in this project, based on suggestions by stakeholders, will be made by the Commission and announced in February 2012. Therefore, it is very important that you give your input in order to highlight the importance of defending human rights in the digital environment. All stakeholders are invited to submit their suggestions for the choice of sectors by emailing sectorguidance@ihrb.org by 6pm CET on 27 January 2012. http://www.ihrb.org/news/2012/new_project_to_develop_business_and_human_righ... ============================================================ 12. Recommended Reading ============================================================ German police officer uses federal Trojan to spy on daughter. 
Her friend then breaks into father's PC and police server (9.01.2012) http://www.thelocal.de/national/20120109-39999.html http://www.spiegel.de/netzwelt/netzpolitik/0,1518,807820,00.html CMCS: Hungarian Media Laws in Europe: An Assessment of the Consistency of Hungary's Media Laws with European Practices and Norms (5.01.2012) https://cmcs.ceu.hu/news/2012-01-05/new-study-hungarian-media-laws-in-europe... France: Fingerprints and transmission of data: biometrics to protect identity? (4.01.2012) http://www.statewatch.org/news/2012/jan/04fr-id.htm ============================================================ 13. Agenda ============================================================ 23-24 January 2012, Brussels, Belgium The European Thematic Network on Legal Aspects of Public Sector Information - LAPSI 2nd Public Conference and 3rd Award http://www.lapsi-project.eu/bruxellesprog 24 January 2012, Brussels, Belgium PrivacyCamp.eu - UnConference on Privacy and Data Protection http://www.edri.org/Privacy-Camp-EU 25-27 January 2012, Brussels, Belgium Computers, Privacy and Data Protection 2012 http://www.cpdpconferences.org/ 26 January 2012, Schaarbeek, Belgium Big Brother Awards Belgium http://www.bigbrotherawards.be/ 27 January 2012, Brussels, Belgium 21.30 - 02.00 (come early!) Privacy Party at Bozar http://www.edri.org/files/01-2012PRIVACY-PARTY-POSTER-DEF.jpg 4-5 February 2012, Brussels, Belgium FOSDEM 2012 - Free and Open source Software Developers' European Meeting http://fosdem.org/2012/ 25 February 2012, Szeged, Hungary Copyright and Human Rights in the Information Age: Conflict or Harmonious Coexistence http://www.juris.u-szeged.hu/english/news/conference-on-copyright 16 March 2012, Rotterdam, Netherlands EPSIplatform Conference: Taking government data re-use to the next level! 
http://epsiplatform.eventbrite.com/ 20 March - 1 April 2012, Berlin, Germany Wikimedia Chapters Meeting 2012 http://meta.wikimedia.org/wiki/Wikimedia_Conference_2012 13 April 2012, Bielefeld, Germany Big Brother Awards Germany http://www.bigbrotherawards.de/ 16-18 April 2012, Cambridge, UK Cambridge 2012: Innovation and Impact - Openly Collaborating to Enhance Education OER12 and the OCW Consortium's Global Conference http://conference.ocwconsortium.org/index.php/2012/uk 2-4 May 2012, Berlin, Germany Re:Publica 2012: ACTION! http://re-publica.de/12/en 14-15 June 2012, Stockholm, Sweden EuroDIG 2012 http://www.eurodig.org/ 20-22 June 2012, Paris, France 2012 World Open Educational Resources Congress http://www.unesco.org/webworld/en/oer 9-10 July 2012, Barcelona, Spain 8th International Conference on Internet Law & Politics: Challenges and Opportunities of Online Entertainment http://edcp.uoc.edu/symposia/idp2012/cfp/?lang=en 12-14 September 2012, Louvain-la-Neuve, Belgium Building Institutions for Sustainable Scientific, Cultural and genetic Resources Commons. http://biogov.uclouvain.be/iasc/index.php 7-10 October 2012, Amsterdam, Netherlands 2012 Amsterdam Privacy Conference Call for Papers by 1 February 2012 http://www.ivir.nl/news/CallforPapersAPC2012.pdf ============================================================ 14. About ============================================================ EDRi-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRi has 28 members based or with offices in 18 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRi-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and are visible on the EDRi website. 
Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram@edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring http://flattr.com/thing/417077/edri-on-Flattr - EDRI-gram subscription information subscribe by e-mail To: edri-news-request@edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. Unsubscribe by e-mail To: edri-news-request@edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edri/2.html - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE