============================================================ EDRI-gram biweekly newsletter about digital civil rights in Europe Number 6.3, 13 February 2008 ============================================================ Contents ============================================================ 1. Biometric data from non-EU travellers 2. PirateBay - blocked in Denmark 3. Internet-related privacy issues on the EU institutions' agenda 4. Microsoft's actions investigated again by the European Commission 5. Finnish e-voting system must not stay a trade secret 6. France's gendarmerie goes for open source software 7. Europe spams more than the US 8. Wales said no to ID cards 9. Recommended Reading 10. Agenda 11. About ============================================================ 1. Biometric data from non-EU travellers ============================================================ A set of new measures including biometric data from non-EU travellers are being proposed these days by the European Commission (EC). The proposals, drafted by Franco Frattini, the European Commissioner for Justice, Freedom and Security, are being put forward by the EC, arguing that the cross-border policy has to be revised to face the new challenges related to terrorism, organised crime and illegal migration. The package proposes the creation of an entry/exit register of non-European visitors to the EU bloc that will record the dates of entry and exit of each non-EU individual admitted to the Schengen visa-free area using biometric identifiers. In cases when a person's visa has expired, an alert can be issued to all national authorities. A second measure would be the introduction of a European Border Surveillance System that will use satellites and unmanned aircraft to check on the non-UE travellers on a short-stay visa and to track the movements of suspected illegal migrants. The system is already under construction and may be operational by 2012. The proposals include the setting up of a system requiring travellers from countries with a visa requirement to provide biometric data at European consulates in their country. Those arriving from countries that are not required visas, such as the United States, will have to submit fingerprints and a digitalized facial image. The EC will encourage member states to introduce "automated border-crossing checks" which will include new biometric technologies such as eye scanners. The system should, however, allow EU citizens and "low risk" frequent travellers from outside the bloc to pass through automated checkpoints granting them a status of "registered traveller" being thus able to have their biometric travel documents scanned and checked by machines. Non-Europeans could obtain the fast-track status on condition they have not previously overstayed their visas, have enough funds to pay for their stay in Europe and have a biometric passport. All non-European individuals will have to make an electronic application before travelling to the Schengen area, allowing them to be checked against anti-terror databases in advance. The proposals also suggest a better use of Frontex, the EU's border control agency, especially by means of "intensified" joint operations between member states at sea borders. Privacy advocates, lawmakers and even police representatives criticise the proposals considering the EU is piling up databases without an overall strategy or a clear vision and believing the EC is only trying to copy the United States in their practice to scan fingerprints and pictures of travellers. "It's boys with toys. They want to have the toys the Americans have," said Gus Hosein from Privacy International. "It is not good to have a proliferation of databases without a clear vision (...) The link between them is unclear and leads to gaps" also said Jan Velleman, a spokesman for Eurocop, a European police union. Tony Bunyan, Statewatch editor, comments: "Let us be clear about the effect of these three proposals. Everyone - citizens and visitors - travelling in and out of the EU is going placed under surveillance, have to get permission to enter and checked against national watch-lists whose scope is unknown, with data transferred to unspecified agencies in the EU and outside and records of movements held for years." According to Meryem Marzouki, EDRI board member: "These plans add a new wall to the European Fortress, as they consider any migrant as a potential criminal. This entry/exit system will lead to increased surveillance and social control at national level as soon as an alert will be issued after visa expiration without exit. Europe is on its way towards a totalitarian society. As long as there is not adequate data protection under third pillar, there would be no limit to such plans." Roscam Abbing from the Commission said that according to the reaction of the EU lawmakers and governments, a legislative proposal will follow but did not make any statements on when the systems would come into force and refrained from commenting upon criticisms to the lack of EU strategy in dealing with sensitive databases. It is not clear whether Britain, Ireland and Cyprus which are not members of Schengen area, will adopt the program. All proposed measures could then enter into force between 2012 and 2015. Proposed shake up of EU security includes call for fingerprinting all visitors (13.02.2008) http://www.iht.com/articles/ap/2008/02/13/europe/EU-GEN-EU-Fortress-Europe.p... EU plans to require biometrics of all non-European visitors (10.02.2008) http://www.iht.com/articles/2008/02/10/europe/union.php New EU fingerprint scheme fans privacy concerns (10.02.2008) http://www.reuters.com/article/reutersEdge/idUSL1079208520080210 Brussels to tighten EU external borders (6.02.2008) http://euobserver.com/22/25606 EU to announce fingerprinting for all visitors (12.02.2008) http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-560378 ============================================================ 2. PirateBay - blocked in Denmark ============================================================ Following a complaint by IFPI (International Federation of the Phonographic Industry), a Danish bailiff court issued on 4 February 2008 an injunction ordering Tele2, one of the major ISPs in Denmark, to block the access to the PirateBay domains. IFPI asked the court for this injunction because most of the materials referred on PirateBay are copyrighted and the exchange of these materials between PirateBay users is illegal. IFPI considered that Tele2 was not directly liable for the illegal copying, but was contributing to it, by making temporary copies of torrent files. Tele2 has been complying with the injunction so far by DNS filtering (same method as used in the child pornography filters and AllOfMp3), but is determined to fight against the injunction in the upper court in two weeks time. Niels Elgaard Larsen from the IT-Political Association of Denmark explained the situation for EDRi-gram: "We see a slippery slope. Blocking of first child porn, then a non-EU (Russian) site with alleged illegal music (AllOfMp3), and now a search engine inside the EU. Elsewhere in EU we hear politicians that want to block recipes for explosives, ads for non-taxed gambling, etc. This is not about music and movies at piratebay or anywhere else. This is about making ISP's policing the content flowing through their networks. It is about freedom on the internet. Do we want an open or a closed internet ?" But the injunction seema to have no direct effect on PirateBay website, that announces an increase by 12% of the number of visits from Denmark. According to their blog the website "is growing more because of the media attention than people actually coming to learn how to bypass the filter - our guess is that a lot of the users on the site now run OpenDNS instead of the censoring DNS at Tele2.dk." However, the court cases against the popular torrent tracker are not over. PirateBay is preparing for a long trial starting this spring following the 2006 seizure of their servers and 20 months of investigation. According to the Prosecutor Hakan Roswall, the website was commercially exploiting copyright-protected work because it was financed through advertising revenues. Piratebay expects the trial to last for years, especially because the decision in this case will be appealed by one of the parties. They also claim that this will not affect at all their activity. After it has been claimed that PirateBay is supporting trackers with child pornography, the website owners announced that they were collaborating with the Police officers to teach them "how to actually download stuff using the BT protocol. The police has actually been very open and frank with us about their technical difficulties and asking for help is the best solutions for all parties." Bailiff Court Decision (only in Danish, 4.02.2008) http://www.computerworld.dk/modules/davinci/getfile.php?id=18886&attachment Danish ISP shuts access to file-sharing Pirate Bay (4.02.2008) http://www.reuters.com/article/industryNews/idUSL0480268320080204?pageNumber=1&virtualBrandChannel=0 Denmark, first look (8.02.2008) http://courtblog.thepiratebay.org/2008/02/08/denmark-first-look/ Pirate Bay hit with legal action (31.01.2008) http://news.bbc.co.uk/2/hi/technology/7219802.stm Prepare for mudwrestling (6.02.2008) http://courtblog.thepiratebay.org/2008/02/06/prepare-for-mudwrestling/ ============================================================ 3. Internet-related privacy issues on the EU institutions' agenda ============================================================ The privacy problems created by the Internet and other new technologies such as RFID have an important place on the agenda of the European institutions that seem to be more anxious than ever to tackle those issues. The hearing at the European Parliament's Civil Liberties Committee reported in the last EDRi-gram seems to be only the top of the iceberg. Article 29 working party will discuss at the next meeting, on 18 February 2008, the highly sensitive topic of privacy & search engines, and it is probable to adopt an Opinion on this topic. But the views of the Working party's members are already public, after the last month meeting at the European Parliament. Moreover, Peter Schaar, Germany's Federal Data Protection Commissioner and Chairman of the Article 29 working party, made some straightforward comments to Financial Times, explaining that the cookie and search data retention period is too long : "For me personally it still seems rather long, and I could imagine I am not alone." He underlined the fact that IP addresses are considered as personal information according to the EU legislation and dismissed security concerns as a reason to keep data: "I cannot imagine that it is necessary to store data such as IP addresses for security reasons. What is the security threat? Security purposes don't justify the long-term storage of this data." Other national data protection agencies are looking into more privacy aspects of computer usage. The Spanish Data Protection defined last year the filtering of information for purposes other than virus and spam protection as "not in conformity with Spanish law". Also Article 29 Working Party plans to investigate targeted advertising, which could cause problems for Google or Yahoo. The European Commission is also working on a document on RFID policy, that will include the privacy aspects, based on the discussions in the RFID working group. It is not clear yet if the document will be a binding regulation or recommendation. EurActiv website points that the Commission will publish, in the next weeks, a new EU survey that shows "an overwhelming majority considers public awareness about privacy and data management to be low, but at the same time almost 75% of respondents say they are worried about leaving personal information on the Internet." Apparently the Commission expects these results and is looking at increasing the funding for awareness-raising campaigns and technologies which improve privacy protection. EU targets online privacy fears (11.02.2008) http://www.ft.com/cms/s/0/8e98263a-d844-11dc-98f7-0000779fd2ac.html?nclick_c... EU mulls new measures to protect privacy on the Web (7.02.2008) http://www.euractiv.com/en/infosociety/eu-mulls-new-measures-protect-privacy... EDRi-gram: European Parliament hearing on Internet privacy issues (30.01.2008) http://www.edri.org/edrigram/number6.2/ep-hearing-privacy ============================================================ 4. Microsoft's actions investigated again by the European Commission ============================================================ The European Commission has recently extended its formal probes launched on 14 January 2008 against Microsoft in two cases where it has been alleged that the multinational firm had abused its dominant market position. The first case was brought by a complaint from web browser Opera, which complained that the tying of Microsoft's Internet Explorer to its Windows operating system was anti-competitive. The second case under investigation was the complaint filed by the European Committee for Interoperable Systems for the Microsoft's refusal to disclose interoperability information on some Microsoft server products, Office and NET Framework. In relation to this case the Commission also intends to verify Office Open XML (OOXML) file format for not working with its competitors' specifications. In the latter case, the Commission will also check possible influence of the the votes by the company during the ISO standardization process for the OOXML document format. The Commission has asked Microsoft to provide information about its activities during the process wanting to know whether the software firm has put pressure on committees in various countries to ratify OOXML as a standard. ISO members refused to adopt OOXML in September of 2007 and Microsoft was asked to make improvements before the final vote that will take place at the end of February 2008 in Geneva. The Association for a Free Information Infrastructure had revealed, even before the September vote that there were some irregularities in the Microsoft's participation in the committees, calling for the ceasing of the standardization process. Among other charges, Microsoft is suspected of having bought votes in Sweden, of hindering the participation of the competition by limiting the number of seats and by "hijacking" standardization committees in some countries, including the US, Mexico and Columbia. EU looks into Microsoft's influence on ISO standardization process (08.02.2008) http://www.heise.de/english/newsticker/news/103201/ EU investigates Microsoft's OOXML campaign (08.02.2008) http://www.theregister.co.uk/2008/02/08/ooxml_eu_probe_iso/ Microsoft faces additional European antitrust probe (08.02.2008) http://www.marketwatch.com/news/story/microsoft-faces-additional-european-an... EDRi-gram: Opera complains to the EC on Microsoft's Internet Explorer (19.12.2007) http://www.edri.org/edrigram/number5.24/opera-commission-microsoft EDRi-gram: Reactions on the ISO voting procedures (12.09.2007) http://www.edri.org/edrigram/number5.17/iso-procedures ============================================================ 5. Finnish e-voting system must not stay a trade secret ============================================================ A member of Electronic Frontier Finland (Effi), a Finnish association for promoting digital rights and member of EDRi, has recently sent a request of information to the Finnish Ministry of Justice regarding their planned e-voting system. The system will be piloted in the municipal elections during October 2008 and it is based on a DRE (Direct Recording Electronic) type e-voting system from TietoEnator Finland and a Spanish back-end provider, Scytl. In their response, the Ministry of Justice states that, based on the Act on the Openness of Government Activities, the documentation that has been written concerning the specific details of the e-voting system has to be kept secret on the Documents that have to be kept secret include documents related to the information security of the system and documents that contain information about the trade secrets of a private company, in this case, the systems provider. Effi's analysis of the system is only based on high-level documents provided by the Ministry of Justice and a U.S. patent that has been granted to Scytl, and is assumed to form the basis of the Finnish e-voting system core. According to this analysis, the system will not utilise any voter-verified paper ballot system or even the electronic receipt system that is detailed in the Scytl patent. The current, traditional Finnish elections feature a widely distributed ballot counting process, which is carried out manually and collectively by the representatives of the competing parties at each polling station. The results of each polling station are individually published, providing the representatives with the possibility to cross-check that the votes at their polling station have been correctly tallied. The ballots are then separately counted again, independently of the original count, and archived in case of further recounts being deemed necessary. The system is quite fast, providing results in a matter of hours from the whole country, easy to understand, and very resilient. The e-voting system as currently proposed would make recounts that would be independent of the electronic system impossible. It would also make it possible for a much smaller team of individuals to alter the election results, as the software, which counts the ballots, is not public. Since Effi's original press release, the Ministry of Justice has unveiled a plan to contract an audit of the software from the University of Turku in Finland, but this effort seem to be rather under-resourced when compared to US e-voting system audits, and is likely to just scratch the surface. As a counterexample, thirty US states have already made the voter-verified paper ballot a mandatory part of electronic voting. For some reason, the Finnish Ministry of Justice has not seen this as a requirement for the all-electronic voting system in Finland. Ministry of Justice response to a member of Electronic Frontier Finland (only in Finnish, 23.01.2008) http://www.effi.org/system/files?file=om-2008-01-23.txt E-Voting pilot: Technical implementation and information security (only in Finnish, 20.06.2007) http://www.effi.org/system/files?file=Pilotin_tekninen_esittely_v1.0H.pdf Verified voting (28.01.2008) http://www.verifiedvoting.org/ Effi: Voting systems must not be trade secrets. (only in Finnish, 25.01.2008) http://www.effi.org/julkaisut/tiedotteet/lehdistotiedote-2008-01-25.html Municipal elections 2008: Electronic voting in three municipalities. Press release from Ministry of Justice (8.02.2008) http://www.om.fi/en/Etusivu/Ajankohtaista/Uutiset/1201510039860 Web demonstrator and an informational page for the e-voting system (only in Finnish, 11.02.2008) http://www.vaalit.fi/sahkoinenaanestaminen/ (Contribution by EDRi-member Electronic Frontier Finland) ============================================================ 6. France's gendarmerie goes for open source software ============================================================ The Gendarmerie, France's largest administrative body, intends to change in the next years the operating system of 70 000 workstations presently running on Windows XP to Ubuntu. This is a movement that continues the French Government's efforts to promote migration to open source for some years now. The Gendarmerie had already adopted OpenOffice.org and Firefox, the French National Assembly has also recently switched 1100 computers to Linux and the Ministry of Agriculture has started the migration from Windows at the end of 2006. The French Government's plans to migrate to open source was based on a study by technology services company Atos Origin, that: "showed that open-source software will from now on offer functionality adapted to the needs of MPs and will allow us to make substantial savings despite the associated migration and training costs" as was the Parliament's statement in 2006. The reasons for switching to open source software, besides the cost reductions, included a better control of security functions and a greater independence from the software vendors. France's gendarmerie switches to Linux (31.01.2008) http://www.heise.de/english/newsticker/news/102824 The French Gendarmerie throws Windows away (only in French, 31.01.2008) http://www.lexpress.fr/info/economie/infojour/infos.asp?id=141908 EDRi-gram: France Parliament shifts to open source software (6.12.2006) http://www.edri.org/edrigram/number4.23/oss_france ============================================================ 7. Europe spams more than the US ============================================================ According to security vendor Symantec, a shift has taken place in the weight of the spam networks, the European ones having created more unsolicited e-mail than those in the US lately. Thus, approximately 44 per cent of all spam messages are originated from Europe as compared to 35.1 per cent originated from the US. In the opinion of one of Symantec's European product marketing managers, Fredrik Sjostedt, the advantage taken by European spammers is due to the large penetration of broadband. "Historically the majority of spammers were U.S.-based, but now we're seeing a lot of Eastern European and Russian spam gangs active (.) We've moved away from traditional, individual spammers, to loosely tied groups of spam senders, malware coders, and people selling access to botnets," said Sjostedt. The reports also show a very high increase of spamming during the holiday time in December, reaching up to 93 million spam messages. Kelly Conley, Symnatec enterprise security group manager, wrote on its security response blog that, for the holidays, the spammers had changed their techniques by inserting seasonal oriented keywords into URLs, subject lines and embedded images within their messages. Other spam trends reported for the past month are the offering of rapidly dealing with visa problems in Europe or bio-fuel offers. Europe still top source of spam (6.02.2008) http://www.news.com/2100-7349_3-6229352.html EU overtakes US in spam spewing stakes (6.02.2008) http://www.itpro.co.uk/news/163215/eu-overtakes-us-in-spam-spewing-stakes.ht... ============================================================ 8. Wales said no to ID cards ============================================================ Welsh Assembly Government proposal for a "smart card" to be used to access public services in Wales was considered by civil liberties groups as a way of introducing identity cards "through the back door" and was rejected by the Liberal Democrats supported by the Labour Party members as well. The Government has claimed that the card was aimed at improving the way people use library and travel services but Suw Charman, founder of the EDRi-member Open Rights Group, considers the scheme as "pointless". "I haven't seen an argument about what's wrong with the existing cards. (...) Why do we need to put all this information on one smart card that's going to keep a log on what people do and where they go? It's treating people like criminals" was her statement to BBC. Concerns were also expressed in relation to the smart cards holding too much information especially in the light of the numerous incidents of data losses in UK during the last two years. Peter Black, social justice spokesperson stated: "We have already seen that Government cannot be trusted with our private data. If that database were also to include details of our medical treatment, our use of local government services and our education records then not only would our entire lives be an open book to anybody with a suitable card reader, but the risk of identity theft and fraud would be magnified many times. We cannot take that risk. (...) The frightening prospect of a draconian future rears in front of us wherein hospitals, police stations and social security offices across Britain, electronic readers will connect scanned cards to a massive central database in order to prove the identities of card-bearers." Mike German, leader of the Welsh Liberal Democrats expressed the satisfaction that the Assembly was unanimous in its position sending "a strong message to your (Labour) colleagues in London that ID cards are not welcome in Wales". He added that "ID cards are an excuse for the state to meddle in peoples' lives. They are an unwarranted intrusion in our lives. They won't combat terrorism and fraud, because we've seen in other countries these crimes still exist". Rights attack on smart card plan (6.02.2008) http://news.bbc.co.uk/2/hi/uk_news/wales/7229920.stm ID cards not welcome in Wales (16.01.2008) http://www.newswales.co.uk/?section=Politics&F=1&id=12922 ============================================================ 9. Recommended Reading ============================================================ Statewatch launches new SEMDOC website providing comprehensive information about EU Justice and Home Affairs policy. Statewatch has been systematically monitoring and documenting the development of EU Justice and Home Affairs (JHA) policy since 1991. The Statewatch European Monitoring and Documentation Centre on Justice and Home Affairs in the European Union seeks to increase public understanding and debate about JHA policy through the provision of comprehensive information about adopted and proposed legislation. http://www.statewatch.org/news/2008/feb/01semdoc.htm Reporters Without Borders Annual Report 2008 - The plight of journalists in 98 countries reviewed. Reporters Without Borders criticises lack of public commitment to press freedom and fears anti-media violence in coming months. http://www.rsf.org/article.php3?id_article=25484 Annual report 2008 http://www.rsf.org/IMG/pdf/rapport_en-2.pdf ============================================================ 10. Agenda ============================================================ 14 February 2008, Brussels, Belgium eIdentity workshop http://www.epractice.eu/workshop/eidentity 23-24 February 2008, Brussels, Belgium Research Room @ FOSDEM: Libre software communities meet research community - Introducing Research Friendly http://libresoft.es/Activities/Research_activities/fosdem2008 10-12 March 2008, Geneva, Switzerland WIPO Standing Committee on Copyright and Related Rights: Sixteenth Session http://www.wipo.int/meetings/en/details.jsp?meeting_id=14502 15 March 2008, London, UK OKCon 2008 - Open Knowledge: Applications, Tools and Services http://www.okfn.org/okcon/ 19 March 2008, London, UK Musicians, fans and online copyright http://www.eventbrite.com/event/98391291 2-4 April 2008, Berlin, Germany re:publica - The Critical Mass http://www.re-publica.de 10-12 April 2008, Amsterdam & Hilversum, Netherlands Economies of the Commons - Strategies for Sustainable Access and Creative Reuse of Images and Sounds Online International Working Conference http://www.ecommons.eu 28-29 April 2008, Vienna, Austria PRISE Final Conference -Towards privacy enhancing security technologies - the next steps http://www.prise.oeaw.ac.at/conference.htm 15-17 May 2008, Ljubljana, Slovenia EURAM Conference 2008 - Track "Creating Value Through Digital Commons" How collective management of IPRs, open innovation models, and digital communities shape the industrial dynamics in the XXI century. http://www.euram2008.org 30-31 May 2008, Bucharest, Romania eLiberatica 2008 - The benefits of Open and Free Technologies http://www.eliberatica.ro/2008/ 17-18 June 2008, Seoul, Korea The Future of the Internet Economy - OECD Ministerial Meeting http://www.oecd.org/FutureInternet 23-25 July 2008, Leuven, Belgium The 8th Privacy Enhancing Technologies Symposium (PETS 2008) http://petsymposium.org/2008/ 8-10 September 2008, Geneva, Switzerland The third annual Access to Knowledge Conference (A2K3) http://isp.law.yale.edu/Wiki/view.aspx/A2K3_Announcements ============================================================ 11. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 28 members based or with offices in 17 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 2.0 License. See the full text at http://creativecommons.org/licenses/by/2.0/ Newsletter editor: Bogdan Manolea <edrigram@edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request@edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request@edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edrigram-mk.php - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE