EDRi-gram newsletter - Number 10.23, 5 December 2012

=======================================================================
EDRi-gram

biweekly newsletter about digital civil rights in Europe

Number 10.23, 5 December 2012
=======================================================================

Contents
=======================================================================

1. European domain names under siege
2. International coalition calls for withdrawal of Dutch hacking plans
3. Lobbying DP Regulation: European Banking Federation as an example
4. Chisugate: Copyright blackmail in Finland
5. Russia: Pussy Riot's videos declared illegal on the Internet
6. Netherlands: legislation for forced decryption announced
7. German government proposes extended tracking of Internet users
8. Danish opposition wants to abandon the illegal medicine site blocking
9. ENDitorial: What could possibly go wrong?
10. Recommended Reading
11. Agenda
12. About

=======================================================================
1. European domain names under siege
=======================================================================

On 26 November 2012, 132 or 133 domain names were seized by the U.S. Immigration and Customs Enforcement's Homeland Security Investigations (ICE) in collaboration with Europol and national law enforcement authorities. The seized domains were supposed to have illegally sold counterfeit products online.

The joint press release of ICE and Europol not only does not agree on the number of domain names seized (132 on the ICE website, 133 on the Europol website), but also does not seem to know the difference between trademark and copyright ("the copyright holders confirmed that the purchased products were counterfeit" or "banner that (...) educates them about the federal crime of willful copyright infringement.")

The US law enforcement authorities have seized domains before, but this is the first time that European ccTLDs such as .be, .eu, .dk, .fr, .ro, or .uk
have been involved. The authorities have not released the list of the 31 European domain names involved in the action, but Torrentfreak has already identified some of the sites, such as chaussuresfoot.be, chaussurevogue.eu or eshopreplica.eu.

The official press release talks about "a great example of the tremendous cooperation" that "enables us to go after criminals who are duping unsuspecting shoppers all over the world." But there is no information on whether the domain name holders were actually identified and charged with an IPR infringement in a criminal case, whether a court order was required to shut down the websites, or whether the websites were actually targeting the US market, which would justify the involvement of the US authorities.

Just a few days later, on 30 November 2012, several BitTorrent sites including Torrentz.eu, Fenopy.eu and BTscene.eu found their .EU domains put on hold by EURid, the European Registry of Internet Domain Names. "This domain name has been registered and is on hold. It is active but may not be traded or transferred pending the outcome of legal activity," say EURid's notes.

EURid has made no further public comments, but informed the domain name holders that the action was taken "upon request of the Belgian Public Prosecutor following notification of pending legal proceedings in respect of the website", without giving any details of the legal proceedings involved.

DDL linking sites Sceper.eu and Downextra.eu, torrent site RealTorrentz.eu, and streaming links sites WatchSeries.eu and ChannelCut.eu are in a similar situation. All these sites appear in the first few pages of Google's Transparency Report, which means that they are associated with a rather high number of takedown requests. It seems that, for now, only three sites on Google's report have not yet been put on hold.
In other news on torrent domain names, the Torrentreactor.net and Torrents.net domain names and IP addresses are to be blocked by all ISPs in Italy following a local court injunction.

Websites selling counterfeit merchandise taken down by authorities in Europe and the USA (26.11.2012)
https://www.europol.europa.eu/content/press/websites-selling-counterfeit-mer...

BitTorrent Site Owners Fear European Domain Name Seizures (27.11.2012)
http://torrentfreak.com/bittorrent-site-owners-fear-european-domain-seizures...

Top BitTorrent Sites Have Domains Put On Hold Pending Legal Action (1.12.2012)
https://torrentfreak.com/top-bittorrent-sites-have-domains-put-on-hold-pendi...

Italian Court Orders Nationwide Block of TorrentReactor and Torrents.net (4.12.2012)
http://torrentfreak.com/italian-court-orders-nationwide-block-of-torrentreac...

=======================================================================
2. International coalition calls for withdrawal of Dutch hacking plans
=======================================================================

An international coalition of more than 40 civil rights organizations and security experts has expressed its "grave concerns" about a Dutch proposal to break into foreign computers and search and delete data. In a letter handed over to the Dutch Minister of Security and Justice by Dutch digital rights organization Bits of Freedom on Monday 3 December 2012, the coalition urgently calls upon the minister to withdraw his proposal.

According to the international coalition, the proposal poses serious risks to the human rights and cybersecurity of individuals worldwide. This is aggravated by the fact that other countries will likely follow the initiative of the Netherlands. This will lead to a situation where countries enforce their local laws on foreign computers. These local laws would not solely address cybercrime, but also issues deemed illegal in other countries, such as blasphemy and political criticism.
The coalition therefore strongly urges the minister to withdraw his proposal.

The letter is signed by more than 40 members of civil society. These include civil rights organizations such as the Electronic Frontier Foundation (US), Privacy International (UK), the Chaos Computer Club (Germany) and EDRi. In addition, renowned security experts and software developers Bruce Schneier (US), Richard Stallman (US) and Ron Deibert (Canada) signed the letter.

The proposal will be debated in the Dutch parliament on Thursday, 6 December 2012. The letter is then likely to be discussed, as it received broad media coverage. If you are interested in the outcome, please mail directly to simone.halink@bof.nl.

EDRi-gram: Dutch proposal to search and destroy foreign computers (24.10.2012)
http://www.edri.org/edrigram/number10.20/dutch-proposal-state-spyware

Dutch plans to remotely conduct searches and delete data on foreign computers (30.11.2012)
https://www.bof.nl/live/wp-content/uploads/20121203-Sign-on_proposal_Opstelt...

(Contribution by Simone Halink - EDRi member Bits of Freedom, Netherlands)

=======================================================================
3. Lobbying DP Regulation: European Banking Federation as an example
=======================================================================

With the discussions on the proposed General Data Protection Regulation moving forward, lobbyists in Brussels are working overtime. One example is the European Banking Federation (EBF), which submitted to MEPs a letter outlining its position and proposed changes to the text. A public version is available on the EBF's website. EDRi has also seen the complete version with proposed amendments ready for copy&paste. Quite a few of these amendments have been tabled word-for-word in the IMCO Committee.
In short, the EBF wants weaker obligations on data breach notification, implicit consent, lower fines, more profiling and more grounds for lawful processing:

a) processing of data taken from publicly available lists or documents, which should always be lawful;
b) processing "necessary to defend an interest, collecting evidences as judicial proofs or file an action".

In a bit more detail, the EBF wants controllers to be able to use "implicit" consent - no specific reasons are given for their unwillingness or inability to ask for explicit consent for processing personal data. Likewise, it wants to remove the provisions saying that consent is required in situations where there is a significant imbalance between the controller and the data subject. Here, at least a reason is given, namely that this could apply to banks.

Another proposal is to cut the fines data protection authorities can impose on controllers who break the law - the Commission proposal had 1 million Euro or 2% of global annual turnover for companies as the upper limit for the most egregious breaches. The EBF proposes to remove the second part, claiming that such fines would be disproportionate.

Additionally, the EBF wants to make it easier to allow profiling. Its arguments are that profiling customers is sometimes imposed by anti-money-laundering laws, sometimes it makes sense for the banks to do it, e.g. before approving real-estate loans, and finally, they argue, it can sometimes be in the customer's interest. So, looking at the Commission's proposal, when would profiling be allowed? If it is expressly authorised by law; when it is carried out in the course of entering into a contract; when it is based on the data subject's consent - which would be easily obtainable for profiling measures that are supposedly in their interest. So, while legitimate cases would already be allowed, the EBF wants to push it further, to allow profiling when neither the customer nor the law has approved it.
In some cases, the proposed changes also stem from a simple misunderstanding of the proposal. For example, the EBF proposes excluding the right to erasure if there is a legal obligation for the controller to keep the data. Sounds sensible. So sensible in fact, that the Commission proposal contains a provision doing exactly this, just two paragraphs below in the same Article! There are more examples of such proposed changes duplicating rules that are already in the proposal. Such changes would not help the text's clarity, and could cause further misunderstanding when it is applied in practice. One would imagine that industry lobbyists would be lobbying for more legal clarity and not less.

The bottom line is that some of the proposed amendments seriously weaken consumer protection, while others are based on a faulty understanding of the text, introducing provisions that are not needed and undermining the clarity of the Regulation. One would hope that this would not get the EBF far, especially in the European Parliament Committee charged with consumer protection. Think again. Many of its proposals on reasons for lawfulness, consent, profiling, data subject rights, and fines have simply been copied and pasted by several MEPs into their amendments. Whether these amendments will be carried remains to be seen. But already the fact that they were tabled shows how easily lobbies - even with proposed changes that sometimes simply do not make sense - can influence the political process.

This was just one lobby group. There are many, many more. Brussels is awash with data "protection" lobbying, misunderstandings and misinformation. Whether the fundamental right to privacy of 500 million Europeans will survive this onslaught is anyone's guess. As usual, EDRi is chasing around the corridors trying to redress the balance.

EBF lobbying letter
http://www.ebf-fbe.eu/uploads/D1391E-2012%20-%20EBF%20letter%20to%20Members%...
EDRi's website on the Regulation
http://protectmydata.eu

(Contribution by EDRi intern - Owe Langfeldt)

=======================================================================
4. Chisugate: Copyright blackmail in Finland
=======================================================================

In the spring of 2012, in Finland, the father of a young girl received what amounted to a blackmail letter from a copyright lawyer. The letter demanded the payment of 600 Euros as damages for having distributed copyright-protected music recordings. The letter also demanded that the father sign a non-disclosure agreement regarding the matter.

The father contacted the lawyer and denied having distributed any copyrighted material. He explained that his daughter, who had been nine years old at the time of the so-called crimes, had tried to download some songs by her idol, the Finnish artist Chisu. The girl had been saving money in order to buy Chisu's latest CD, but was impatient to hear some songs from the album already, and so her dad showed her how to type the appropriate keywords into search engines. Despite her attempts, the girl only managed to download something that did not play. Soon after that the father bought the CD for the girl.

In November 2012, something unbelievable happened. Two police officers with a search warrant entered the home of the family and seized the girl's computer. The police officers also suggested the father pay up "to make things easier for everyone involved", because they would immediately drop the matter if he did.

Even the Finnish Copyright Information and Anti-Piracy Centre (TTVK ry, a private association of the copyright industry) has admitted that the identity of a person who shares copyrighted material online cannot be ascertained, and that, in Finland, the threat letters are sent to the owner of the Internet connection. The owner of the connection is the one who risks being subjected to a search and seizure of property.
TTVK also says that the majority of people who have received these letters have agreed to the non-disclosure and payments demanded of them. The amounts are smaller than in the US, but still hefty. Shocking but true: apparently a copyright holder can demand mafia-style payments from ordinary people, who are told to hand over their money and shut up, or otherwise the police might come and take away their computers. TTVK has openly admitted that the aim of the letters is to threaten other downloaders.

The disturbing incident was covered in the Finnish online and printed press, and made international headlines. In his detailed Facebook post about the incident, the father makes it clear that he has supported artists in many ways for his entire life, but as a result of the unethical practices of the copyright industry he has come to question the sanity of the copyright enforcement system.

After the incident had become a major PR headache for the copyright lobby, the matter was settled out of court between the father and TTVK, and the father apparently agreed to pay half of the originally demanded amount (300 Euros). After this, the seized laptop is being returned to its owner.

Electronic Frontier Finland (Effi) filed a request with the parliamentary ombudsman to investigate the actions of the Helsinki district court and the police. According to the court papers, TTVK only had evidence that one music album had been downloaded from the IP address which belonged to the father. The court interpreted this as constituting significant ongoing damage to the copyright holder and ordered the ISP to reveal the identity of the user of the IP address to TTVK. In the opinion of Effi, this is an overreaching interpretation of the Finnish copyright law. The police "planned the search and seizure carefully" (in their own words) but failed to act in proportion to the alleged damage: they should have only copied the contents of the laptop for evidence instead of seizing the whole device.
Additionally, as police resources are limited nowadays, carrying out a search and seizure operation in a minor case like this has probably delayed the investigation of more important cases.

Antipiracy Center in Finland
http://antipiracy.fi/inenglish/

Payment demand for child's downloading part of a strike against piracy - majority paid without resisting (only in Finnish, 21.11.2012)
http://ylex.yle.fi/uutiset/popuutiset/lapsen-latailusta-saatu-maksumaarays-o...

Payments of hundreds of euros for illegally downloading Chisu's album (only in Finnish, 2.12.2012)
http://www.aamulehti.fi/Kotimaa/1194722011272/artikkeli/satojen%20eurojen%20...

Post on Facebook from the father (only in Finnish, 20.11.2012)
http://www.facebook.com/aki.w.nylund/posts/10151139041245079

Request to investigate the actions of Helsinki district court and the police in so-called Chisugate (only in Finnish, 27.11.2012)
http://www.effi.org/kirjeet/121127-effi-tutkintapyynto-chisugate.html

Anti-piracy group takes child's laptop in Finland (30.11.2012)
http://www.bbc.co.uk/news/technology-20554442

(Contribution by Otso Kassinen and Timo Karjalainen - EDRi member Electronic Frontier Finland)

=======================================================================
5. Russia: Pussy Riot's videos declared illegal on the Internet
=======================================================================

A Moscow-based court ruled on 29 November 2012 that four videos of the already famous dissident punk band Pussy Riot are extremist and therefore should be banned on the Russian Internet. The court said that all Russian websites that do not comply with this obligation could pay a fine of up to approx. 2500 Euro (100 000 roubles).

Prosecutors took up the case at the request of State Duma member Alexander Starovoitov, from the Liberal Democratic Party of Russia. The court refused to allow the participation in the hearing of the one member of the punk band that was not convicted.
Yekaterina Samutsevich was freed last month after a court suspended her sentence.

A Google representative confirmed that they would block the content on YouTube in Russia after receiving the court order information. Under Russian law, providers who host forbidden content are subject to criminal prosecution.

"Whatever you think about these videos, they have become a part of the history of this country. Just as in old times, we burned books. Now we are deleting video clips which have undoubted historic significance," commented Russian blogger and analyst Oleg Kozyrev to Radio Free Europe.

The extremist nature of the videos was explained by the fact that they offended Orthodox Christians, the anti-Putin performance video having been shot at Moscow's main Russian Orthodox cathedral. This is probably why a spokesman for the Russian Orthodox Church welcomed the ruling.

The ruling "violates the right to freedom of expression and shows the continued failure of the Russian justice system to protect political and artistic dissent," said Dr Agnes Callamard, Executive Director of EDRi member ARTICLE 19, and explained that "the Russian government is trying to hide its attacks on democracy, claiming that the punk prayer which mocks the corrupt relationship between Putin and the church's patriarch is an attack on religious believers".

The ruling should be enforced starting 1 January 2013, but could be appealed. It is not clear who may appeal, though, after the spokeswoman for Moscow's Court told journalists that Samutsevich has no right to appeal the court's decision because she did not take part in the hearing.

But the Russian authorities might aim at more rules for the Internet. During the joint news conference held in Paris on 27 November 2012 by Russian Prime Minister Dmitry Medvedev and French Prime Minister Jean-Marc Ayrault, Medvedev was asked a question about legislative scrutiny of internet regulation in Russia.
In his reply, the Russian prime minister admitted that the current legislation regulating the Internet is "imperfect" and called upon the international community to "consider parameters to regulate the operation of the internet on the national or international level." He also noted that the Russian Internet legislation "should not be referred to as repressive because not a single online source has been blocked or cut off during the enforcement of this legislation."

Moscow court orders removal of "extremist" Pussy Riot online videos (3.12.2012)
http://netprophet.tol.org/2012/12/03/moscow-court-orders-removal-of-extremis...

Moscow Court Designates Pussy Riot Videos As 'Extremist' (3.12.2012)
http://www.rferl.org/content/pussy-riot-video-extremist-russia/24784613.html

Moscow Court Finds Pussy Riot Video 'Extremist' (29.11.2012)
http://en.rian.ru/russia/20121129/177815365.html

Special Report On Russia: Enforcement Against Online Copyright Infringement (3.12.2012)
http://www.ip-watch.org/2012/12/03/special-report-on-russia-enforcement-agai...

Transcript of the Medvedev-Ayrault joint press conference (27.11.2012)
http://government.ru/eng/docs/21621/

Russia: Pussy Riot "punk prayer" video banned (30.11.2012)
http://www.article19.org/resources.php/resource/3547/en/russia:-pussy-riot-%...

=======================================================================
6. Netherlands: legislation for forced decryption announced
=======================================================================

The Dutch Minister of Justice has sent a letter to the House of Representatives announcing a proposal for legislation that will allow the police to force a suspect to decrypt information that is under investigation in a case of terrorism or sexual abuse of children. The Minister has ignored all major conclusions and recommendations set forth in the report commissioned by his department.
The Dutch House of Representatives had urged the Minister of Justice to investigate the feasibility of such an injunction. The Parliament felt these extra powers to be necessary after the media reported that the police were having difficulties accessing encrypted information on the computer of someone suspected of sexually abusing children. However, there has been no supporting evidence that this is a structural problem.

Last year, the minister agreed to investigate the feasibility of such an order. He promised to look into its reconcilability with the privilege against self-incrimination, the experiences of other countries in implementing such legislation, and technical developments. A comprehensive report was sent to the Parliament last week, accompanied by the announcement of a legislative proposal.

The report states that, although such an injunction will always be an infringement of the privilege against self-incrimination, this privilege does not preclude such an injunction, as there may be legitimate interests at stake. The report sets out that the European Court of Justice considers four criteria to determine whether a forced decryption is acceptable. These criteria are: i) the nature and extent of the coercion, ii) the public interest, iii) the presence of relevant safeguards, and iv) the way in which the decrypted information is used.

The research also looks into the use of similar powers in other countries. The United Kingdom has extensive regulation with quite some safeguards for legal protection. France has a similar law, and in the United States enforced decryption is defined by case law. However, these legal systems differ considerably from that of the Netherlands. As a result, the experiences from these countries cannot easily be translated to the Dutch legal system.

The research also examined enforceability and developments in technology.
It finds that the use of encryption is rising and that the concept of "plausible deniability" makes it hard to prove the existence of encrypted information in the first place. The researchers doubt the effectiveness of the proposed powers when used against serious criminals. Such an injunction will only work against petty criminals.

The research concludes with three proposals, apart from maintaining the status quo. One option would be to codify the procedure for such an injunction, but not to penalize refusal by the suspect. Alternatively, one could penalize refusal. This last proposal comes in two flavours: one in which the decrypted information is excluded from the suspect's case, and one in which the information may be used against the suspect as well.

Based on this research, the Minister has now announced a proposal for legislation that will allow the police to force a suspect to decrypt information that is under investigation in a case of terrorism or sexual abuse of children. The suspect will be penalized if he refuses to provide access to the information. The Minister does not want to leave room for exclusion of evidence. The Ministry has thus ignored all major conclusions and recommendations of the report.

Letter of Minister of Justice to the House of Representatives, announcing legislation to allow police to force a suspect to decrypt information (only in Dutch, 28.11.2012)
http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/kamerstukken...

Research: forced decryption and the privilege against self-incrimination (only in Dutch, 28.11.2012)
http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/kamerstukken...

Bits of Freedom: forced decryption will not work and makes the Netherlands more insecure (28.11.2012)
https://www.bof.nl/2012/11/28/decryptiebevel-werkt-niet-en-maakt-nederland-o...
(Contribution by Rejo Zenger - EDRi member Bits of Freedom, Netherlands)

=======================================================================
7. German government proposes extended tracking of Internet users
=======================================================================

The German government is proposing an amendment to the Telecommunications Act that would allow law enforcement and intelligence agencies to extensively identify Internet users, without any court order or reasonable suspicion of a crime.

The proposed amendment comes as a result of the German Federal Constitutional Court having decided in January 2012 that the rules governing the inquiry of telecommunications data from providers were unconstitutional. The Court found the provisions within the Telecommunications Act granting authorities the right to access such data unconstitutional, and required additional specific provisions within the relevant specific laws, such as the code of criminal procedure.

According to the draft amendment produced by the government, prosecution authorities as well as security and secret services may request certain personal data (such as name, address or bank information of customers) collected by telecommunications and Internet providers. Explicit provisions allow the use of a dynamic IP address for the identification of its holder. The amendment also includes a qualified legal basis for the inquiry rights of the respective authorities against providers. The identification of IP addresses is not to be limited to a case-by-case basis. Providers are to install electronic data handover interfaces. The government is also planning to grant access to e-mail account passwords as well as to voicebox and mobile phone PIN codes without clearly defining the preconditions to such access.

Several civil rights groups expressed concern regarding the draft amendment, considering that it poses a serious threat to civil liberties.
"In the face of the fact that this has the quality of a breach of the privacy of telecommunication, the present draft of a revised disclosure of inventory data contains only insufficient provisions to guarantee the basic rights. It is especially problematic that it lacks the necessity of an injunction issued by a court or a state prosecutor. There has to be a qualified legal basis which fulfils the requirements of the principle of proportionality," says Henning Lesch, Head of Law & Regulation of eco Association.

Revision of Telecommunications Act Constitutional? (2.11.2012)
http://international.eco.de/2012/news/revision-of-telecommunications-act-con...

New German draft on state authorities' rights to inquiry telecommunications data from providers (11.2012)
http://www.linkedin.com/groups/New-German-draft-on-state-4375471.S.181168482

German government to legalize extensive tracking of Internet users (26.11.2012)
http://www.vorratsdatenspeicherung.de/content/view/714/79/lang,en/

German version
http://www.vorratsdatenspeicherung.de/content/view/714/79/lang,de

Draft Amendment (only in German, 19.09.2012)
http://www.moenikes.de/ITC/wp-content/uploads/2012/10/2012-09-26_BR_Gesetzes...

=======================================================================
8. Danish opposition wants to abandon the illegal medicine site blocking
=======================================================================

A majority outside the Danish government parties proposes to abandon the blocking of access to websites selling illegal medicine. The law (a new revision of the laws regulating the sale of medicine etc.) allowing the blocking of these sites was passed in May 2011. Since then, only one website, 24hdiet.com, has been blocked, and new domains selling the same products as 24hdiet quickly appeared (e.g. 24hdiet.net). Now, the laws regulating the sale of medicine are being revised again to implement EU directive 2011/62/EU.
The Enhedslisten party proposed an amendment to the revision to abandon the blocking. The proposal is the result of Enhedslisten spokeswoman Stine Brix starting the debate on an Etherpad. Questions put to the government were formulated on the Etherpad, where the text of the amendment to abandon the blocking also appeared first.

There is a majority in the parliament against the blocking, coming from the parties of the previous government that introduced it. The spokeswoman for opposition party Venstre, the biggest party in the Parliament, explains that they had expected the blocking to work, but it turned out not to be effective, and now she wants to focus on customs and international cooperation.

The spokesman for the Social Democrats (a government party), Flemming Møller Mortensen, told Information that something had to be done that was more than a signal, something that they can believe works: "Because it is really difficult with all the things that can be done on the Internet across borders".

This is just about one kind of blocking. For example, the blocking of gambling sites is still in effect. But maybe the tide is finally turning in Denmark.

DNS-censoring Illegal Pharmaceutical Vendors - 24hdiet.com Blocked (30.09.2012)
http://blog.censurfridns.dk/en/node/32

Rollback of DNS Blocking (only in Danish)
http://openetherpad.org/b1zz1fEEf4

Majority outside the Government will remove net-blocking for medicine pages (only in Danish, 27.11.2012)
http://www.information.dk/318311

(Contribution by Niels Elgaard Larsen - EDRi member IT-Pol, Denmark)

=======================================================================
9. ENDitorial: What could possibly go wrong?
=======================================================================

With the discussions on the proposed General Data Protection Regulation in full swing and the first opinions of some European Parliament Committees in, several themes of proposed changes emerge.
One of these can be paraphrased as "we shouldn't bother controllers with too many obligations, they know their stuff and want to do the right thing". Slightly more elaborate versions of this view have been used to justify amendments aiming to cut documentation obligations and to lessen requirements on data breach notifications and information obligations. There also seems to be an undercurrent of "in any case, it's usually not that bad if things go wrong".

Indeed, how bad could it be if things go wrong? And do controllers handle personal data responsibly? A few cases that made headlines in the past years can provide examples.

Between 2005 and 2007, Deutsche Telekom used its own traffic data to spy on journalists and trade union members of its own supervisory board in order to stop leaks. According to the head of unit in charge of the spy operation, this happened on behalf of the then-CEO and the chairman of the supervisory board. Since then, this head of unit has been sentenced to 3.5 years in prison, while the former CEO and the chairman of the supervisory board claimed not to have known anything.

More recently, whatsapp, a smartphone application for sending text messages which is used around the globe to send more than a billion messages per day, has been in the news for an astounding series of privacy gaffes. For starters, the service used to send messages without encryption, so that exchanges could easily be spied upon. It seems that whatsapp's developers had been made aware of this security hole the size of a barn door almost a year before they fixed it. Just a month later, another security flaw was uncovered, which allowed whatsapp accounts to be taken over and messages to be sent from compromised accounts using simple tools - there was an app for that. Instead of fixing the problem, whatsapp sent legal threats to the developers of the tools. Now, two and a half months later, this other barn door is still wide open.
Between 2002 and 2005, Deutsche Bahn, a railway operator, screened 170 000 of its employees to find out about connections to subcontractors and possible corruption. In 2006 and 2007, it also spied on employees' e-mails to uncover whistleblowers, sifting through up to 150 000 e-mails a day. The company's CEO had to step down over these scandals, while still denying that any wrongdoing had occurred. Later on, investigations confirmed the suspicions and Deutsche Bahn was fined 1.12 million Euro in 2009. Sounds like a lot? That year, it took Deutsche Bahn about seven hours to make that amount in pre-tax profit.

From 2007 to 2010, when sending cars around the world to collect images for its Street View service, Google also collected information on wireless networks, to be used to make cell phone localisation more precise. The software used also collected content sent over open WiFi networks, including websites visited, passwords, e-mails and other information. Google was not forthcoming in the investigations, first denying that payload data had been collected, then talking about a simple "mistake", then blaming it on a rogue developer. In the end, it turned out that the code in question was in fact documented, and that oversight had been "minimal", to quote the US Federal Communications Commission's investigation report, which fined Google 25 000 USD for stonewalling the investigation.

In a different register, police authorities do not fare any better. They will be subject to a different text, a proposed Directive that contains laxer rules than the Regulation. Here as well, egregious violations can be found everywhere. For example, officers of the Irish police (Garda) used police databases for their private interests, for instance to run background checks on their daughters' boyfriends. In another case, a police officer used retained telecommunications traffic data to snoop on her ex-partner.
Such cases have been discovered again and again over the years, following the usual pattern: they become public, the Data Protection Authority (DPA) investigates and conducts audits, finds wrongdoing, the Garda promises to change, rinse and repeat. In one case, the Garda also adopted a "code of practice", endorsed by the DPA. It does not seem to have helped much.

In Poland, the police, as well as the anti-corruption office and the domestic intelligence agency, put at least ten journalists of various media under surveillance between 2005 and 2007, using telecommunications traffic data without court orders or any connection to ongoing investigations. One of the journalists, of the influential Gazeta Wyborcza, wrote several articles about well-known and sometimes controversial actions of the anti-corruption office - the very one that later requested his traffic data. After the case became public, an investigation was launched, but a regional prosecutor's office claimed to have found no wrongdoing. Only after one of the spied-upon journalists went to court did a meaningful investigation get under way. The court ruled on the case in April 2012, finding that the anti-corruption office had violated the journalist's privacy, as well as the right to protection of journalistic sources.

In Dresden, Germany, the local police collected information on more or less every mobile phone call made and SMS sent in the city, almost one million connections in total, on the occasion of an anti-Nazi demonstration. The police justified collecting the information with several offences that occurred at the margins of the demonstration. Saxony's interior minister defended the measure as "proportionate", even after it became public that the police had also used the data for totally unrelated investigations and had been told to stop this by the local prosecutor's office. Months after being formally reprimanded by Saxony's DPA, the police were still using the data.
What all these examples, from both the private and the public sector, show is that in many cases incompetence or lack of oversight leads to unacceptable shortcomings, while in others it is straight-up malice. In law enforcement, there seems to be a widespread belief among practitioners that "we're the good guys", which in turn sometimes leads to abuses. So no, we cannot trust controllers to know their stuff and to want to do the right thing. And yes, it can be bad if things go wrong.

WhatsApp case
http://www.h-online.com/security/news/item/Account-theft-still-possible-with...
http://www.h-online.com/security/news/item/WhatsApp-no-longer-sends-plain-te...
http://www.h-online.com/security/news/item/WhatsApp-threatens-legal-action-a...
http://www.h-online.com/security/news/item/WhatsApp-accounts-almost-complete...
http://www.androidpolice.com/2012/05/02/whatsappsniffer-shames-whatsapps-pla...

Deutsche Telekom case
http://www.wiwo.de/5239704-all.html
http://www.wiwo.de/5239730.html

Deutsche Bahn case
http://www.heise.de/newsticker/meldung/Deutsche-Bahn-zahlt-Rekordstrafe-wege...
http://www.heise.de/ct/meldung/Bahn-Datenskandal-Arbeitsminister-bekraeftigt...
http://www.n24.de/news/newsitem_4936517.html
http://www.sueddeutsche.de/wirtschaft/spitzel-affaere-bei-der-bahn-tiefensee...

Google Street View case
http://www.wired.com/threatlevel/2012/05/google-wifi-fcc-investigation/

Irish police case
http://www.edri.org/edrigram/number10.21/irish-dpa-police-self-regulation

Surveillance of Polish journalists case
http://wyborcza.pl/1,76842,8842563,Inwigilacja_dziennikarzy_badana_od_nowa.h...
http://wyborcza.pl/1,76842,9763653,CBA_i_billingi_dziennikarza__Gazety_.html
http://wyborcza.pl/1,75478,11625664,Precedensowy_wyrok__CBA_nie_moze__ot_tak...

Dresden police case
http://www.taz.de/!73222/
http://www.taz.de/!94114/
http://www.heise.de/newsticker/meldung/Saechsische-Polizei-nutzt-weiter-Mobi...
(Contribution by EDRi interns Katarzyna Syska and Owe Langfeldt)

=======================================================================
10. Recommended Reading
=======================================================================

Do we really want to put the ITU in charge of cybersecurity? (28.11.2012)
http://edri.org/ITU-fail
http://www.golem.de/news/internationale-fernmeldeunion-un-lassen-itu-blog-we...

Northern Ireland Court Orders Facebook to take down "Paedophile Watch" page (30.11.2012)
http://inforrm.wordpress.com/2012/11/30/news-northern-ireland-court-orders-f...

EU urged to choose transatlantic convergence on data protection (5.12.2012)
http://www.euractiv.com/infosociety/eu-urged-choose-data-protection-news-516...

=======================================================================
11. Agenda
=======================================================================

27-30 December 2012, Hamburg, Germany
29C3 - Chaos Communication Congress
http://events.ccc.de/category/29c3/

20-23 January 2013, Brussels, Belgium
The Power of Information - How Science and Technology can Make a Difference
http://www.ThePowerofInformation.eu

23-25 January 2013, Brussels, Belgium
CPDP 2013 Conference - Reloading data protection
http://www.cpdpconferences.org/callforpapers.html

2-3 February 2013, Brussels, Belgium
FOSDEM
https://fosdem.org/2013/

22 February 2013, Warsaw, Poland
ePSIplatform Conference: "Gotcha! Getting everyone on board"
http://epsiplatform.eu/content/save-date-22-february-2013-epsiplatform-confe...

21-22 March 2013, Malta
Online Privacy: Consenting to your Future
CfP by 14 December 2012
http://www.onlineprivacyconference.eu/

6-8 May 2013, Berlin, Germany
re:publica 2013
http://www.re-publica.de

25-26 June 2013, Barcelona, Spain
9th International Conference on Internet Law & Politics: Big Data: Challenges and Opportunities.
http://edcp.uoc.edu/symposia/idp2013/?lang=en

31 July - 4 August 2013, Geestmerambacht, Netherlands
Observe. Hack. Make. - OHM2013
https://ohm2013.org/

24-27 September 2013, Warsaw, Poland
Public Voice Conference 2013
35th International Data Protection and Privacy Commissioners conference
http://www.giodo.gov.pl/

============================================================
12. About
============================================================

EDRi-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRi has 32 members based or with offices in 20 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRi-gram.

All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and are visible on the EDRi website.

Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram@edri.org>

Information about EDRi and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation.
http://www.edri.org/about/sponsoring
http://flattr.com/thing/417077/edri-on-Flattr

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request@edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.

Unsubscribe by e-mail
To: edri-news-request@edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/mk/vesti/edri

- EDRI-gram in German

EDRI-gram is also available in German, with delay.
Translations are provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help

Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing.