EDRI-gram newsletter - Number 5.12, 20 June 2007
============================================================
EDRI-gram
biweekly newsletter about digital civil rights in Europe
Number 5.12, 20 June 2007
============================================================
Contents
============================================================

1. Update on a Council Framework Decision on the protection of personal data
2. PCDA brings a major change in the WIPO mandate
3. Prüm's Treaty is now included into the EU legal framework
4. French collective society sues P2P producers
5. Privacy Ranking of Internet Service Companies
6. European Visa Information System accepted by the EU bodies
7. Google answers Article 29 Working Party on data protection standards
8. ENDitorial: The 2001 CoE Cybercrime Convention more dangerous than ever
9. Recommended Reading
10. Agenda
11. About

============================================================
1. Update on a Council Framework Decision on the protection of personal data
============================================================

The Council of the European Union discussed again, in its Justice and Home Affairs Council meeting on 12-13 June 2007, the Council Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters, without making any clear steps for its adoption or taking into consideration the European Data Protection Supervisor (EDPS) comments.

The conclusions of the Council meeting note that the new framework decision will be based on the minimum data protection principles established by the Council of Europe, set by the Convention of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data and its Additional Protocol of 8 November 2001, including Recommendation (87)15 regulating the use of personal data in the police sector.
It also announced that it would "examine all solutions suggested by the European Parliament" that voted in favour of amendments that would provide stronger data protection, and expects "to reach a political agreement on the proposal as soon as possible and at the latest by the end of 2007."

The Council conclusions did not give any consideration to the opinions expressed earlier this year by the EDPS, who advised against adopting the proposal, considering that it failed to provide appropriate data protection.

The EDPS also reacted to the latest conclusions by making an appeal to the Portuguese presidency of the European Union in a public letter sent to the Ministers for Justice and Interior. Peter Hustinx showed his concern that a number of agreements on new anti-terrorist measures have been concluded without fully considering the impact on fundamental rights.

"I fear that messages such as 'no right to privacy until life and security are guaranteed' are developing into a mantra suggesting that fundamental rights and freedoms are a luxury that security can not afford. I very much challenge that view and stress that there should be no doubt that effective anti-terror measures can be framed within the boundaries of data protection" said Hustinx.

The EDPS expresses his concern that such a negative approach to individual privacy rights reveals an apparent lack of understanding of the framework of human rights law. This framework has always allowed for necessary and proportionate measures to combat crime and terrorism. This negative approach also ignores the lessons learned about the abuse of fundamental rights from dealing with terrorism within Europe's borders over the last 50 years.

The EDPS also considered that its relationship with the Council of the European Union needs further improvement. Consequently, he makes himself available as an advisor on all matters concerning personal data processing so that the Council may adopt effective and legitimate new policies.
The delay in adopting the Council Framework Decision has also been criticized by the European Commission, through Vice-president Franco Frattini, responsible for Justice, Freedom and Security, who "regrets that the Framework Decision is not yet adopted, in particular because the Commission's proposal for the Framework Decision was already tabled in 2005 and it only establishes a minimum level of harmonisation of data protection principles." The Commission also encouraged the Council to give priority to the discussions on the Framework Decision in order to reach a political agreement on this act as soon as possible.

Council Conclusions concerning the Council Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters (12.06.2007)
http://www.consilium.europa.eu/ueDocs/cms_Data/docs/pressData/en/jha/94634.p...

Data protection - Proposal for a Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (12.06.2007)
http://www.europa.eu/rapid/pressReleasesAction.do?reference=IP/07/808

Presidency work programme and the protection of individuals with regard to the processing of personal data and the free movement of such data (11.06.2007)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consul...

EDPS letter to incoming Portuguese presidency: fundamental rights are not captives of security (12.06.2007)
http://www.europa.eu/rapid/pressReleasesAction.do?reference=EDPS/07/6

EDRI-gram: The European Parliament voted for stronger data protection (6.06.2007)
http://www.edri.org/edrigram/number5.11/ep-data-protection-police

EDRI-gram: EDPS advises against new data protection framework decision (9.05.2007)
http://www.edri.org/edrigram/number5.9/edps-framework-decision

============================================================
2. PCDA brings a major change in the WIPO mandate
============================================================

During 11-15 June 2007, the Provisional Committee on Proposals for a WIPO (World Intellectual Property Organization) Development Agenda (PCDA) held meetings during which WIPO members negotiated agreements on several proposals for new activities of the UN organization.

"This is a major achievement. It's a complete overhaul of the WIPO concept, broadening it to reflect society's growing concern with ownership of technologies and knowledge, and its effects for the future, both in developed and developing countries" was the statement of a participant in the meetings.

Six clusters of proposals, labelled A to F, were under discussion during the meeting on issues such as open collaborative projects, intellectual property protection, and development impact assessments. An agreement was reached on 21 proposals, which now come in addition to the 24 agreed upon during the meeting on 23 February. All of the 45 proposals agreed this year will be adopted by the General Assembly and implemented in September.

The initial idea of reforming WIPO came in 2004 from Argentina and Brazil, and the 45 proposals have resulted from the 111 proposals made by various countries during a two-year period.

Proposals agreed during this last meeting covered domains such as technical assistance, rule making, technology transfer, development impact assessments and WIPO's mandate, touching on topics such as protection of competition, access to knowledge and open collaborative models to support the public domain.

The setting up of a new WIPO Committee on Development and IP was recommended, to replace PCDA and the Permanent Committee on Cooperation for Development Related to Intellectual Property (PCIPD). The proposed committee would hold its first meeting in the first half of 2008.
The new committee's tasks will be to elaborate a work programme for the implementation of the proposed recommendations, to "monitor, assess, discuss and report on the implementation of all recommendations adopted, discuss IP and development related issues as agreed by the Committee, as well as those decided by the General Assembly."

The director general of the World Intellectual Property Organization (WIPO), Dr. Kamil Idris, considered the discussions "a milestone in the history of the Organization". "This process and the spirit of compromise and mutual understanding in which it took place, is an important contribution to international efforts to promote the development of a balanced intellectual property system that is responsive to the needs and interests of all countries - developed and developing alike" he added.

James Love, director of the NGO Knowledge Ecology International (KEI), explained the importance of the result: "After three years, WIPO has produced a meaningful and welcome new vision for WIPO. The governments who participated in the negotiations agreed that WIPO is no longer only to pursue mindless expansions of intellectual property rights, but now is a place to discuss a broad range of topics, including measures to protect or promote access to knowledge, the implications and benefits of a rich and accessible public domain, and strategies for dealing with abuses of rights, or other measures to protect the public interest."

He also emphasised the need to continue the common efforts for the implementation of the Development Agenda: "Having concluded a difficult and quite meaty negotiation over WIPO's purpose and direction, there will be an effort to implement the new Development Agenda. The next two to three years will be critical. One has to prudently wonder how sustainable is the interest in this reform effort.
The institutional juggernaut behind stronger IPR is well financed and permanent, and the opposition is often poorly resourced and episodic."

In A 'Major Achievement', WIPO Negotiators Create New Development Mandate (18.06.2007)
http://www.ip-watch.org/weblog/index.php?p=656

WIPO Committee Reaches Breakthrough Agreements On Development Agenda (15.06.2007)
http://www.ip-watch.org/weblog/index.php?p=655

Final PCDA Recommendations to 2007 General Assembly (15.06.2007)
http://www.keionline.org/index.php?option=com_jd-wp&Itemid=39&p=51

KEI Statement on conclusion of WIPO Development Agenda negotiations (15.06.2007)
http://www.keionline.org/index.php?option=com_content&task=view&id=88

WIPO Director General Welcomes Major Breakthrough following Agreement on Proposals for a WIPO Development Agenda (18.06.2007)
http://www.wipo.int/pressroom/en/articles/2007/article_0037.html

Blogging WIPO: The New Development Agenda (18.06.2007)
http://www.eff.org/deeplinks/archives/005320.php

============================================================
3. Prüm's Treaty is now included into the EU legal framework
============================================================

The EU has adopted as its own law, with very few alterations, the so-called Prüm Treaty, signed on 27 May 2005 by Belgium, Germany, Spain, France, Luxembourg, The Netherlands and Austria, which allowed the police forces of their countries to compare and exchange data more easily.

The new law, adopted by the European Parliament's report of Fausto Correia (PES, PT) and approved by the Council of Ministers during a meeting of the justice and home office ministers last week, gives the EU member states three years to rewrite domestic laws in order to comply with it.

"Member states have to adopt legislation on the basis of the decision. They can copy and paste it, it is self-explaining, not like a Directive, which contains only objectives.
This agreement contains a huge amount of legislation concerning DNA data and data protection rules." said a spokesman of the European Council.

Peter Hustinx, the EDPS, still expresses his concern and his disappointment at not having been listened to. "It seems that Council has not sufficiently taken my remarks into account."

The new rules will open up police databases but not fully, said the Home Office spokeswoman: "The primary aspects of this are data sharing on fingerprints, DNA samples and vehicle registrations."

"What will happen now is that countries will have the ability automatically to determine immediately whether a member state holds matching DNA or fingerprint information, but they won't have automatic access to the databases or the information itself," she added.

The UK had previously resisted joining the Prüm Treaty. "The implications of this treaty are far reaching and will affect all EU citizens," said Philip Bradbourn, Conservative justice and home affairs spokesman. However, the UK has signed this new EU deal.

"We are sleepwalking into a Big Brother Europe while our government stands idly by" said Syed Kamall, a British Conservative MEP.

Police will share data across Europe against privacy chief's advice (14.06.2007)
http://www.out-law.com//default.aspx?page=8148

DNA data deal 'will create Big Brother Europe' (11.06.2007)
http://www.eupolitix.com/EN/News/200706/462d5e3f-1a57-4805-a12e-1cb072b124dd...

Prüm Treaty will allow EU27 to exchange DNA data to fight crime (7.06.2007)
http://www.europarl.europa.eu/news/expert/infopress_page/019-7568-157-06-23-...

Controversial data-sharing deal to get the go-ahead (12.06.2007)
http://euobserver.com/9/24244

EDRI-gram: From Schengen to Prüm: Data Protection under 3rd pillar a prerequisite (28.02.2007)
http://www.edri.org/edrigram/number5.4/prum

============================================================
4. French collective society sues P2P producers
============================================================

Under the cover of the DADVSI law with the so-called Vivendi amendment (initiated by Vivendi Universal), the French association SPPF (Société civile des producteurs de phonogrammes en France - the French collective society for phonogram producers, representing the independent labels) started a legal action against P2P software producers.

The Vivendi amendment, strongly debated in the Parliament, but supported by Nicolas Sarkozy and barely passed by the Joint Committee of the National Assembly and the Senate, considers as criminal the creation and distribution of all software obviously intended to make copyrighted works available to the public without authorisation. Non-compliance is punished by three years of prison and a 300 000 Euro fine.

From a civil law point of view, the amendment obliges the creators of P2P software to implement prevention measures in order to prohibit the downloading of allegedly illegal content.

The amendment gave SPPF the opportunity to file ridiculous actions against two P2P software producers, Morpheus and Azureus, with a third, Shareaza, being next in line to be sued.

SPPF initiated the suit as a civil action, considering that criminal actions would have been too complicated to organize. Civil actions also give the possibility to ask for substantial damages, as stated by Jérôme Roger, SPPF director.

SPPF asks 16.6 million Euros from Azureus and 3.7 million Euros from Morpheus. The figures are based on a poll carried out by the AdVestigo company, of downloads in the P2P networks over a period of 10 months on a sample of 4750 titles. The results were then extrapolated to their entire catalogue of 475 000 titles and the total was multiplied by 2 Euros (1 Euro as the price for a sale and 1 Euro as damages).

France : SPFF attacks Morpheus, Azureus and Shareaza (only in French, 12.06.2007)
http://www.ratiatum.com/news5163_France_la_SPFF_attaque_Morpheus_Azureus_et_...

P2P : Details on the legal actions of SPPF (only in French, 12.06.2007)
http://www.ratiatum.com/breve5164_P2P_precisions_sur_les_actions_judiciaires...

EDRI-gram : Update on French EUCD Transposition (29.03.2006)
http://www.edri.org/edrigram/number4.6/frencheucd

============================================================
5. Privacy Ranking of Internet Service Companies
============================================================

Privacy International (PI) has undertaken a study that reveals privacy threats and ranks key players on the Internet services market on this matter. The objective of the research is not only to point fingers but also to find out trends and emergent issues related to privacy on the Internet.

The report was issued by PI after a six-month investigation of privacy practices covering search, email, e-commerce and social networking sites. The methodology used included 20 main parameters, among which were data collection and processing, data retention, openness and transparency, and responsiveness to customers' complaints. Data was gathered from newspaper articles, privacy policies, blogs, submissions to government inquiries, information obtained from present and former company staff, technical analyses and interviews with company representatives.

Because the 2007 rankings are a precedent, PI will regard the current report as a consultation report and will establish a broad outreach for two months to ensure that any new and relevant information is taken into account before publishing a full report in September.

The research has coded the companies by colour, from green, "privacy-friendly and privacy enhancing", to black, "comprehensive consumer surveillance and entrenched hostility to privacy".
While there was no company ranked in the green area, and only a few were ranked blue, "generally privacy aware" (such as eBay, LiveJournal, Wikipedia), the only company coded black in the preliminary stage of the research was Google.

Google was mostly criticized for its lack of transparency, PI considering that its data retention policy was not very clear. "Google maintains records of all search strings and the associated IP-addresses and time stamps for at least 18 to 24 months and does not provide users with an expungement option. Google has access to additional personal information, including hobbies, employment, address, and phone number, contained within user profiles in Orkut. Google often maintains these records even after a user has deleted his profile or removed information from Orkut." Google's privacy policy was considered "vague, incomplete and possibly deceptive", and its response to customers' complaints a poor one.

A Google employee, Matt Cutts, complained on his blog that the company was not given credit for not handing over data to the US Government and for not having leaked search queries of its users.

In an open letter addressed to Google's CEO Eric Schmidt, Privacy International accused Google of having smeared its good name. "Two European journalists have independently told us that Google representatives have contacted them with the claim that 'Privacy International has a conflict of interest regarding Microsoft'." PI also stated that no company had made such an accusation in its 17 years of existence.

PI asked for an apology from Google, "but if you cannot deliver this then I think you should reflect carefully on the actions of your representatives before embarking on what I believe amounts to a smear campaign. As with Microsoft, eBay and any other organisation we are more than happy to work with you to help resolve the many privacy challenges for Google that our report has highlighted."

A Race to the Bottom: Privacy Ranking of Internet Service Companies, A Consultation report (9.06.2007)
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-553961

Privacy International accuses Google of smear campaign (11.06.2007)
http://www.theregister.co.uk/2007/06/11/google_privacy_international/

Why I disagree with Privacy International (11.06.2007)
http://www.mattcutts.com/blog/privacy-international-loses-all-credibility/

An Open Letter to Google (10.06.2007)
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-553964

============================================================
6. European Visa Information System accepted by the EU bodies
============================================================

The legislative package on the Visa Information System (VIS) was adopted by the European Parliament and a political agreement was reached within the Justice and Home Affairs Council in the last couple of weeks. This means that the final steps have been taken to create the biggest biometric database in the world.

The VIS legislative package is formed by the VIS Regulation and the VIS Decision. The VIS Regulation will allow consulates and other competent authorities to start using the system when processing visa applications and to check visas. The VIS Decision will allow police and law enforcement authorities to consult the data under certain conditions that should ensure a high level of data protection.

The European Parliament adopted on 7 June 2007 two reports from Baroness Sarah Ludford (ALDE, UK). The first report, which adopted the VIS Regulation, aimed at preventing an applicant who is refused a visa by one Schengen country from applying to others ("visa shopping"), but also at facilitating the fight against fraud and checks at external borders.
The second report, which adopted the VIS Decision, stated that access to the VIS database should be "limited to those who 'have a need to know' and possess appropriate knowledge about data security and data protection rules". The report stresses that "adequate provisions have to be provided for to ensure the necessary data protection", and that such data "shall only be processed for the purposes of the prevention, detection, investigation and prosecution of terrorist offences or other serious criminal offences." The report also states that "personal data obtained...from the VIS shall not be transferred or made available to a third country or to an international organisation."

Less than a week later the VIS package obtained the political agreement in the Justice and Home Affairs Council, thus making the new system almost a reality, because the new rules need only be formally approved by the governments of the EU member states.

The Visa Information System will store data on up to 70 million people concerning visas for visits to or transit through the Schengen Area. This data will include biometrics (photographs and fingerprints) and written information such as the name, address and occupation of the applicant, date and place of the application, and any decision taken by the Member State responsible to issue, refuse, annul, revoke or extend the visa. Citizens of more than 100 countries need a visa to enter the EU.

Baroness Sarah Ludford MEP insisted that "the VIS is a border-management system and its principle is not to combat terrorism and crime. Let us remember that 99.9% of visitors to the EU are legitimate travellers who do not have any connection with criminality whatsoever, nor indeed do illegal immigrants or unauthorised entrants."

The Conservatives have condemned the reports as an invasion of privacy rights, and have called on the UK government to opt out.
European Data Protection Supervisor Peter Hustinx expressed his concern: "The circle of data subjects that can be included in this system is not limited to data of persons suspected or convicted of specific crimes."

EU visa information system to help prevent visa shopping (7.06.2007)
http://www.europarl.europa.eu/news/expert/infopress_page/019-7569-157-06-23-...

Visa Information System (VIS): The JHA-Council reaches a political agreement on the VIS Regulation and VIS Decision (12.06.2007)
http://www.europa.eu/rapid/pressReleasesAction.do?reference=IP/07/802&format=HTML&aged=0&language=EN&guiLanguage=en

EU to create world's biggest bio-data pool (13.06.2007)
http://euobserver.com/22/24261

EU backs biometrics visa database (8.06.2007)
http://www.euractiv.com/en/justice/eu-backs-biometrics-visa-database/article...

EDRI-gram: EU Visa Database under scrutiny of the European Data Protection Supervisor (2.02.2006)
http://www.edri.org/edrigram/number4.2/visadatabase

============================================================
7. Google answers Article 29 Working Party on data protection standards
============================================================

Google has answered several questions related to its data protection standards addressed by the Article 29 Working Party, especially on the period after which the search server logs are anonymised.

Initially Google announced in March 2007 a reduction of the retention period for data related to users and their searches to 18-24 months, but, after the Article 29 Working Party's letter, Peter Fleischer, global privacy counsel at Google, accepted a period of 18 months. However, he also stated that the period could be extended to 24 months, depending on the implementation of the Data retention directive in some of the EU member states.
Google explained that the period is necessary in order to use the logs in its activities, such as spell-checking help, preventing abuse and fraud or helping users refine their search queries based on previous experiences.

The privacy counsel also gave, as one of the main reasons for keeping the logs, the requirements of the Data retention directive, which will require the member states to keep the traffic data for between 6 and 24 months. But he also raised several question marks regarding the clarity of the text of the directive.

However, Philippos Mitletton, who works for the European Commission's Data Protection Unit, explained to Out-Law that the data retention directive should not apply to Google: "The Data Retention Directive applies only to providers of publicly available electronic communications services or of public communication networks and not to search engine systems. Accordingly, Google is not subject to this Directive as far as it concerns the search engine part of its applications and has no obligations thereof."

But Google's letter goes beyond the text of the directive and expresses concerns about possible extensions of the directive's purpose when the Data Retention Directive is implemented in each EU member state. It also refers to the German Ministry of Justice proposal that webmail providers should be required to verify the identity of their account holders and asks "Could we challenge its legality in court, either as an unconstitutional infringement of privacy, or as an example of jurisdictional over-reach?"

In practice, the German working group against data retention has already gathered a lot of supporters for a constitutional court challenge against the data retention law, which would be the largest constitutional court case in Germany ever.

The letter Google has sent to the Article 29 Working Party also addresses other privacy-sensitive issues that were raised.
The major search engine explained that its anonymisation process deletes the final digits of the logged IP addresses and that the process is irreversible, even for Google staff.

Fleischer also explained the Google position regarding cookies: "We believe that cookies data management in a user's browser is fundamentally a browser/client issue, not a service/server issue. Therefore, the lifetime of a cookie does not indicate or imply any enforcement of data retention. We also believe that cookie lifetimes should not be so short as to expire and force users to re-enter basic preferences (such as language preference). Nonetheless, we acknowledge that cookie lifetimes should be "proportionate" to the data processing being performed."

Article 29 Working Party letter to Google (16.05.2007)
http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_google_16_05_07_en...

Google response to Article 29 Working Party (10.06.2007)
http://64.233.179.110/blog_resources/Google_response_Working_Party_06_2007.p...

How long should Google remember searches? (11.06.2007)
http://googleblog.blogspot.com/2007/06/how-long-should-google-remember.html

Google makes data retention concession (12.06.2007)
http://www.out-law.com/page-8140

Data retention laws do not cover Google searches, says Europe (13.06.2006)
http://www.out-law.com/page-8147

EDRI-gram: Privacy bodies investigate Google's data protection standards (25.04.2007)
http://www.edri.org/edrigram/number5.8/google-data-protection

EDRI-gram: Google limits the search data retention period (28.03.2007)
http://www.edri.org/edrigram/number5.6/google-data-retention

============================================================
8. ENDitorial: The 2001 CoE Cybercrime Convention more dangerous than ever
============================================================

The Council of Europe (CoE) has clearly given high priority to the broad ratification, all over the world, of its Convention on Cybercrime, open for signature since November 2001 and in force since 1 July 2004. As part of its efforts to achieve this goal, a conference on "Cooperation against cybercrime" was held in Strasbourg on 11-12 June 2007, in which EDRI was invited to participate with a presentation (some of the participants' presentations are available on the conference website).

This conference was organized in the framework of the CoE Octopus programme against corruption and organised crime in Europe, three years after the 2004 event on "The challenge of cybercrime" and two years after the joint CoE-OAS (Organisation of American States) conference on "Cybercrime: a global challenge, a global response". The CoE has also been promoting this Convention in many international fora, including the World Summit on the Information Society and its follow-up, the Internet Governance Forum. Finally, it has held numerous regional meetings and training events for member States and third States to help them implement Convention-ready or Convention-compatible provisions in their legislation.

Almost 140 participants attended the conference (list available on the conference website).
They were mainly law enforcement authorities (LEAs) from all over the world (representing 49 countries from the 5 continents), plus 12 intergovernmental organisations (among them EUROPOL, INTERPOL, and ENISA - the European Network and Information Security Agency), 3 non-governmental organisations (EDRI, ICMEC - the International Centre for Missing and Exploited Children, and the French Human Rights League), 3 international multi-stakeholder forums (the Inhope association of Internet hotlines, the Anti-Phishing forum and the London Action Plan against spam) and 3 private sector participants (Microsoft, NASSCOM - India's national association for software and service companies, and RSA).

Surprisingly, no representative from ISPs attended, and none of them was invited to make a presentation, although the Convention on Cybercrime puts a severe burden on them, since most of its procedural provisions (articles 16 to 21) directly require the cooperation of ISPs in order to achieve preservation, production, search and seizure of stored computer data, real-time collection of traffic data and interception of content data. However, Microsoft was well represented and obviously given an important role in the conference, with no fewer than 3 presentations in plenary sessions.

A presentation by Alexander Seger, Head of Technical Cooperation in the Department of Crime Problems (CoE DG of Legal Affairs), gave a clue to understanding this special treatment: the CoE has launched a new project against cybercrime, "a global project to support European and non-European countries to accede and implement the Convention on cybercrime or its Protocol on xenophobia and racism" (details on the project available on the conference website), which started in September 2006 for a duration of 30 months. The overall budget is 1.7 million euros, of which only 550,000 euros are currently available: 290,000 euros from the CoE's own funding and 260,000 euros from Microsoft's contribution.
It has to be noted that this private funding is a new practice for the CoE, to the extent that Microsoft funding had to be approved by the CoE Council of Ministers. As Alexander Seger suggested in his presentation, "other donors (public and private) [are] invited to join this project" and "beyond this project, CoE may now seek stronger cooperation with the private sector". If such an extension is indeed realised in the future, one may wonder whether the CoE will be able to remain the reference it currently represents in terms of respect for human rights, democracy and the rule of law.

Interestingly enough, this trend of having CoE projects funded by the private sector starts with this very Convention on cybercrime, probably the only one among the current 200 CoE Treaties which has been so criticized by human rights NGOs, as EDRI recalled in its presentation. While Alexander Seger and Microsoft representatives insisted on the fact that "no specific condition [has been] attached to the financial contribution from Microsoft", it would be quite naive to find this "guarantee" satisfactory: agenda-setting and agenda-pushing is certainly already worth the money spent.

The interest of companies like Microsoft in such a project is directly linked to the substantive provisions of the Convention (articles 2 to 13), which aim at harmonizing the criminalisation of the commission of "offences against the confidentiality, integrity and availability of computer data and systems" (art. 2-6), "computer related offences" (forgery and fraud, art. 7-8), "content-related offences" (Internet child pornography, art. 9), "offences related to infringements of copyright and related rights" (art. 10) or attempting, aiding or abetting the commission of such offences (art. 11).

Copyright infringement was hardly mentioned during the 2007 conference.
The fight against Internet child pornography served as the consensual vehicle to promote such tools as both the Convention and private hotlines: concerns regarding the respect for the rule of law, as raised by EDRI, were received, as usual, with suspicion of laxity. EDRI was the only participant to point out that the additional Protocol against racism and xenophobia could only be ratified by countries that already criminalise in their national laws the dissemination of such content, as well as insults and threats based on racism and xenophobia. Thus, it would never solve cases such as the famous Yahoo! case between France and the USA, simply because, as EDRI noted, the Convention and its Protocol fail to address the major issue of the competence of jurisdictions. The really big issues for LEAs during this conference were the most prevalent threats as well as the new trends they perceive in current cybercrime activities: spamming, phishing and its many variants using SMS (SMSishing), VoIP (Vishing), DNS redirections (pharming), the use of botnets, and the use of P2P networks and instant messaging systems were among the many identified aspects of a proteiform cybercrime. Although all the presentations on these trends (especially from Europol and from French LEAs) acknowledged the lack of statistics and the difficulty of gathering data on this kind of crime, they were able to agree on its current volume and its broadening, and to conclude on the increased need to limit - if not forbid - anonymity and encryption of exchanges, to better control Internet use from cybercafes and other public places, and, last but not least, to further extend cooperation with the private sector (telecom operators and ISPs) and communication and exchange of data among LEAs for mutual assistance purposes. International cooperation between LEAs is exactly the subject of the numerous remaining provisions of the Convention (articles 23 to 35).
In summary, these provisions allow any State party to the Convention to request from any other party the communication of data collected under the provisions of articles 16 to 21, without any dual criminality requirement (except if a relevant reservation has been made upon ratification) and with very limited possibility of refusal: actually, as Henrik Kaspersen, professor at the Free University of Amsterdam and chair of the committee of the CoE Convention on cybercrime, analysed, the current 43 signatories (among them 21 having ratified the text) made quite moderate use of reservations. Moreover, the Convention conditions and safeguards (article 15) are far from being adequate and harmonised among the State parties to the Treaty: although the EU Article 29 working group warned against this and other failures of the Convention when the text was still being drafted, its opinion was not taken into account. With the extension of the Convention to States with far fewer privacy safeguards than the CoE member States - which are bound by the European Convention on Human Rights -, starting with the USA, this threat is beginning to realise the worst fears of the Global Internet Liberty Campaign (GILC) international coalition of NGOs - among them future EDRI founders - when it published in 2001 its "Eight Reasons the International Cybercrime Treaty Should be Rejected", after a long campaign against the eventually signed Convention. Furthermore, although one can argue that, since 2001, the situation has become even worse with laws adopted all over the world, including at the European Union level, it has to be acknowledged that "the CoE Convention on cybercrime opened the way to more and more invasive laws", as EDRI concluded at the end of its presentation at this conference, leading to have "on-line activities and behaviours more criminalised than their off-line equivalent and citizens benefit from less protections and safeguards on-line than off-line".
In order to limit the risk that, six years after its signature, the CoE Convention on cybercrime becomes more dangerous than ever, EDRI advocated, "before any further extension in scope and/or ratification/accession, (the) need for an assessment of the Convention and its national implementations with regards to human rights, democracy and the rule of law". Finally, in the same way as EDRI considers that, at the EU level, data protection under the third pillar is a prerequisite to any broadening of information systems in criminal matters, EDRI recommended that the Council of Europe "devote[s] an equivalent energy to extend ratifications/accessions to Convention no.108 for the protection of individuals with regard to automatic processing of personal data". But such a goal does not seem to be on the CoE agenda.

CoE Octopus Conference 2007 (11-12.06.2007)
http://www.coe.int/t/e/legal_affairs/legal_co-operation/combating_economic_c...

CoE Octopus Conference 2004 (15-17.09.2004)
http://www.coe.int/t/e/legal_affairs/legal_co-operation/combating_economic_c...

Joint COE-OAS Conference 2005 (12-13.10.2005)
http://www.coe.int/T/E/Legal_Affairs/About_us/Cooperation/5Madrid(cyber)_OAS...

EU Article 29 WP Opinion on the CoE Draft Convention on Cybercrime (22.03.2001)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2001/wp41en.pdf

GILC coalition "Treaty Watch" website
http://www.treatywatch.org

IRIS dossier of the campaign against the Convention and its Protocol (only in French)
http://www.iris.sgdg.org/actions/cybercrime

EDRI-gram: From Schengen To Prüm: Data Protection Under 3rd Pillar A Prerequisite (28.02.2007)
http://www.edri.org/edrigram/number5.4/prum

CoE Convention no.108 on data protection (28.01.1981)
http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=108&DF=6/20/2007&CL=ENG

(Contribution by Meryem Marzouki, EDRI-member IRIS - France)

============================================================
9. Recommended Reading
============================================================

Belgian Biometric Passport does not get a pass... Your personal data are in danger!
http://www.dice.ucl.ac.be/crypto/passport/index.html

Centre for Educational Research and Innovation - Giving Knowledge for Free
The Emergence of Open Educational Resources
http://www.oecdbookshop.org/oecd/display.asp?CID=&LANG=EN&SF1=DI&ST1=5L4S6TNG3F9X

============================================================
10. Agenda
============================================================

8 May - 22 July 2007, Austria
Annual decentralized community event around free software lectures, panel discussions, workshops, fairs and socialising
http://www.linuxwochen.at

17-22 June 2007, Seville, Spain
19th Annual FIRST Conference, "Private Lives and Corporate Risk"
http://www.first.org/conference/2007/

18-22 June 2007, Geneva, Switzerland
Second Special Session of the Standing Committee on Copyright and Related Rights (SCCR)
http://www.wipo.int/meetings/en/details.jsp?meeting_id=12744

28 June 2007, London, UK
First London CC-Salon organized by Free Culture London and the Open Rights Group
http://wiki.creativecommons.org/London_Salon

8-12 August 2007, near Berlin, Germany
Chaos Communication Camp 2007 "In Fairy Dust We Trust!"
http://events.ccc.de/camp/2007/

5-11 September 2007, Linz, Austria
Ars Electronica Festival - Festival for Art, Technology and Society
http://www.aec.at/en/festival2007/index.asp

25 September 2007, Montreal, Canada
Civil Society Workshop: Privacy Rights In A World Under Surveillance
A one-day workshop organized by the International Civil Liberties Monitoring Group (ICLMG) in cooperation with Canadian and international civil rights and privacy organizations ahead of the 29th International Conference of Data Protection and Privacy Commissioners in Montreal.
http://www.thepublicvoice.org/events/montreal07/default.html

12-15 November 2007, Rio de Janeiro, Brazil
The Government of Brazil will host the second Internet Governance Forum meeting.
http://www.intgovforum.org/
http://cgi.br/igf/

============================================================
11. About
============================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 25 members from 16 European countries. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website.

Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 2.0 License. See the full text at http://creativecommons.org/licenses/by/2.0/

Newsletter editor: Bogdan Manolea <edrigram@edri.org>

Information about EDRI and its members: http://www.edri.org/

- EDRI-gram subscription information
subscribe by e-mail
To: edri-news-request@edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request@edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php

- EDRI-gram in German
EDRI-gram is also available in German, with delay. Translations are provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users
http://www.unwatched.org/

- Newsletter archive
Back issues are available at: http://www.edri.org/edrigram

- Help
Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE