EDRI-gram newsletter - Number 5.12, 20 June 2007

EDRI-gram newsletter edrigram at edri.org
Wed Jun 20 10:15:05 PDT 2007


============================================================

           EDRI-gram

biweekly newsletter about digital civil rights in Europe

    Number 5.12, 20 June 2007


============================================================
Contents
============================================================

1. Update on a Council Framework Decision on the protection of personal data
2. PCDA brings a major change in the WIPO mandate
3. Prüm's Treaty is now included into the EU legal framework
4. French collective society sues P2P producers
5. Privacy Ranking of Internet Service Companies
6. European Visa Information System accepted by the EU bodies
7. Google answers Article 29 Working Party on data protection standards
8. ENDitorial: The 2001 CoE Cybercrime Convention more dangerous than ever
9. Recommended Reading
10. Agenda
11. About

============================================================
1. Update on a Council Framework Decision on the protection of personal data
============================================================

The Council of the European Union discussed again in its Justice and Home
Affairs Council meeting on 12-13 June 2007 the Council Framework Decision on
the protection of personal data processed in the framework of police and
judicial co-operation in criminal matters, without making any clear steps
for its adoption or taking into consideration the European Data Protection
Supervisor (EDPS) comments.

The conclusions of the Council meeting note that the new framework decision
will be based on the Council of Europe established minimum data protection
principles set by the Convention of 28 January 1981 for the protection of
individuals with regard to automatic processing of personal data and its
Additional Protocol of 8 November 2001, including Recommendation (87)15
regulating the use of personal data in the police sector.

It also announced that it would "examine all solutions suggested by the
European Parliament" that voted in favour of amendments that would provide
stronger data protection, and expects "to reach a political agreement on
the proposal as soon as possible and at the latest by the end of 2007."

The Council conclusions did not give any consideration to the opinions
expressed earlier this year by the EDPS that advised against adopting the
proposal considering it failed to provide appropriate data protection.

The EDPS also reacted to the latest conclusions by making an appeal to the
Portuguese presidency of the European Union in a public letter sent to the
Ministers for Justice and Interior. Peter Hustinx showed his concern
that a number of agreements on new anti-terrorist measures have been
concluded without fully considering the impact on fundamental rights.
"I fear that messages such as 'no right to privacy until
life and security are guaranteed' are developing into a mantra suggesting
that fundamental rights and freedoms are a luxury that security can not
afford. I very much challenge that view and stress that there should be no
doubt that effective anti-terror measures can be framed within the
boundaries of data protection" said Hustinx.

EDPS expresses his concern that such a negative approach to individual
privacy rights reveals an apparent lack of understanding of the framework of
human rights law. This framework has always allowed for necessary and
proportionate measures to combat crime and terrorism. This negative approach
also ignores the lessons learned about the abuse of fundamental rights from
dealing with terrorism within Europe's borders over the last 50 years.

EDPS also considered that its relationship with the Council of the European
Union needs further improvement. Consequently, he makes himself available as
an advisor on all matters concerning personal data processing so that the
Council may adopt effective and legitimate new policies.

The delay in adopting the Council Framework Decision has also been
criticized by the European Commission, through Vice-president Franco
Frattini, responsible for Justice, Freedom and Security, who "regrets that the
Framework Decision is not yet adopted, in particular because the
Commission's proposal for the Framework Decision was already tabled in 2005
and it only establishes a minimum level of harmonisation of data protection
principles."

The Commission also encouraged the Council to give priority to the
discussions on the Framework Decision in order to reach a political
agreement on this act as soon as possible.

Council Conclusions concerning the Council Framework Decision on the
protection of personal data processed in the framework of police and
judicial co-operation in criminal matters (12.06.2007)
http://www.consilium.europa.eu/ueDocs/cms_Data/docs/pressData/en/jha/94634.pdf

Data protection - Proposal for a Framework Decision on the protection of
personal data processed in the framework of police and judicial cooperation
in criminal matters (12.06.2007)
http://www.europa.eu/rapid/pressReleasesAction.do?reference=IP/07/808

Presidency work programme and the protection of individuals with regard to
the processing of personal data and the free movement of such data
(11.06.2007)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2007/07-06-11_Letters_portuguese_presidency_EN.pdf

EDPS letter to incoming Portuguese presidency: fundamental rights are not
captives of security (12.06.2007)
http://www.europa.eu/rapid/pressReleasesAction.do?reference=EDPS/07/6

EDRI-gram: The European Parliament voted for stronger data protection
(6.06.2007)
http://www.edri.org/edrigram/number5.11/ep-data-protection-police

EDRI-gram: EDPS advises against new data protection framework decision
(9.05.2007)
http://www.edri.org/edrigram/number5.9/edps-framework-decision

============================================================
2. PCDA brings a major change in the WIPO mandate
============================================================

During 11-15 June 2007, the Provisional Committee on Proposals for a WIPO
(World Intellectual Property Organization) Development Agenda (PCDA) had
meetings during which WIPO members negotiated agreements on several
proposals for new activities of the UN organization.

"This is a major achievement. It's a complete overhaul of the WIPO concept,
broadening it to reflect society's growing concern with ownership of
technologies and knowledge, and its effects for the future, both in
developed and developing countries" was the statement of a participant in
the meetings.

Six clusters of proposals, labelled A to F, were under discussion during the
meeting on issues such as open collaborative projects, intellectual property
protection, and development impact assessments. An agreement was reached on
21 proposals, in addition to the 24 agreed upon during the meeting on
23 February. All of the 45 proposals agreed this year will be adopted by the
General Assembly and implemented in September.

The initial idea of reforming WIPO came in 2004 from Argentina and Brazil
and the 45 proposals have resulted from the 111 proposals made by various
countries during a two-year period.

Proposals agreed during this last meeting covered domains such as technical
assistance, rule making, technology transfer, development impact
assessments, WIPO's mandate, touching topics such as protection to
competition, access to knowledge and open collaborative models to support
public domain.

The setting up of a new WIPO Committee on Development and IP was recommended
to replace PCDA and the Permanent Committee on Cooperation for Development
Related to Intellectual Property (PCIPD). The proposed committee would hold
its first meeting in the first half of 2008.

The new committee's tasks will be to elaborate a work programme for the
implementation of the proposed recommendations, to "monitor, assess, discuss
and report on the implementation of all recommendations adopted, discuss IP
and development related issues as agreed by the Committee, as well as those
decided by the General Assembly."

The director general of the World Intellectual Property Organization (WIPO),
Dr. Kamil Idris, considered the discussions "a milestone in the history
of the Organization". "This process and the spirit of compromise and mutual
understanding in which it took place, is an important contribution to
international efforts to promote the development of a balanced intellectual
property system that is responsive to the needs and interests of all
countries - developed and developing alike" he added.

James Love, director of the NGO Knowledge Ecology International (KEI),
explained the importance of the result: "After three years, WIPO has
produced a meaningful and welcome new vision for WIPO. The governments who
participated in the negotiations agreed that WIPO is no longer only to
pursue mindless expansions of intellectual property rights, but now is a
place to discuss a broad range of topics, including measures to protect or
promote access to knowledge, the implications and benefits of a rich and
accessible public domain, and strategies for dealing with abuses of rights,
or other measures to protect the public interest."

He also emphasised the need to continue the common efforts for the
implementation of the Development Agenda: "Having concluded a difficult and
quite meaty negotiation over WIPO's purpose and direction, there will be an
effort to implement the new Development Agenda. The next two to three years
will be critical. One has to prudently wonder how sustainable is the
interest in this reform effort. The institutional juggernaut behind stronger
IPR is well financed and permanent, and the opposition is often poorly
resourced and episodic."

In A 'Major Achievement', WIPO Negotiators Create New Development Mandate
(18.06.2007)
http://www.ip-watch.org/weblog/index.php?p=656

WIPO Committee Reaches Breakthrough Agreements On Development Agenda
(15.06.2007)
http://www.ip-watch.org/weblog/index.php?p=655

Final PCDA Recommendations to 2007 General Assembly (15.06.2007)
http://www.keionline.org/index.php?option=com_jd-wp&Itemid=39&p=51

KEI Statement on conclusion of WIPO Development Agenda negotiations
(15.06.2007)
http://www.keionline.org/index.php?option=com_content&task=view&id=88

WIPO Director General Welcomes Major Breakthrough following Agreement on
Proposals for a WIPO Development Agenda (18.06.2007)
http://www.wipo.int/pressroom/en/articles/2007/article_0037.html

Blogging WIPO: The New Development Agenda (18.06.2007)
http://www.eff.org/deeplinks/archives/005320.php

============================================================
3. Prüm's Treaty is now included into the EU legal framework
============================================================

The EU has adopted as its own law, with very few alterations, the
so-called Prüm Treaty, signed on 27 May 2005 by Belgium, Germany, Spain,
France, Luxembourg, The Netherlands and Austria, which allowed the police
forces of their countries to compare and exchange data more easily.

The new law, adopted by the European Parliament's report of Fausto Correia
(PES, PT) and approved by the Council of Ministers during a meeting of the
justice and home office ministers last week, gives the EU member-states
three years to rewrite domestic laws in order to comply with it.

"Member states have to adopt legislation on the basis of the decision. They
can copy and paste it, it is self-explaining, not like a Directive, which
contains only objectives. This agreement contains a huge amount of
legislation concerning DNA data and data protection rules." said a spokesman
of the European Council.

Peter Hustinx, the EDPS, still expresses his concern and his disappointment
for not having been listened to. "It seems that Council has not sufficiently
taken my remarks into account."

The new rules will open up police databases but not fully, said the Home
Office spokeswoman: "The primary aspects of this are data sharing on
fingerprints, DNA samples and vehicle registrations."

"What will happen now is that countries will have the ability automatically
to determine immediately whether a member state holds matching DNA or
fingerprint information, but they won't have automatic access to the
databases or the information itself," she added.

The UK had previously resisted joining the Prüm Treaty. "The implications of
this treaty are far reaching and will affect all EU citizens," said Philip
Bradbourn, Conservative justice and home affairs spokesman. However, the UK
has signed this new EU deal.

"We are sleepwalking into a Big Brother Europe while our government stands
idly by" said Syed Kamall, a British Conservative MEP.

Police will share data across Europe against privacy chief's advice
(14.06.2007)
http://www.out-law.com//default.aspx?page=8148

DNA data deal 'will create Big Brother Europe' (11.06.2007)
http://www.eupolitix.com/EN/News/200706/462d5e3f-1a57-4805-a12e-1cb072b124dd.htm

Prüm Treaty will allow EU27 to exchange DNA data to fight crime (7.06.2007)
http://www.europarl.europa.eu/news/expert/infopress_page/019-7568-157-06-23-902-20070606IPR07542-06-06-2007-2007-false/default_en.htm

Controversial data-sharing deal to get the go-ahead (12.06.2007)
http://euobserver.com/9/24244

EDRI-gram: From Schengen to Prüm: Data Protection under 3rd pillar a
prerequisite (28.02.2007)
http://www.edri.org/edrigram/number5.4/prum

============================================================
4. French collective society sues P2P producers
============================================================

Under the cover of the DADVSI law with the so-called Vivendi amendment
(initiated by Vivendi Universal) the French association SPPF (Société civile
des producteurs de phonogramme en France - The French collective society for
phonogram producers representing the independent labels) started a legal
action against P2P software producers.

The Vivendi amendment, strongly debated in the Parliament, but supported by
Nicolas Sarkozy and barely passed by the Joint Committee of the National
Assembly and the Senate, treats as criminal the creation and distribution
of any software obviously intended to make unauthorised copyrighted works
available to the public. Non-compliance is punished by three years of prison
and a 300 000 Euro fine. From a civil law point of view, the amendment
obliges the creators of the P2P software to implement prevention measures in
order to prohibit downloading alleged illegal content.

The amendment gave SPPF the opportunity to file ridiculous actions against
two P2P software producers, Morpheus and Azureus, with a third, Shareaza,
being next in line to be sued.

SPPF initiated the suit as a civil action, considering that criminal actions
would have been too complicated to organize. Civil actions also give the
possibility to ask for substantial damages, as stated by Jérôme Roger, SPPF
director. SPPF asks 16.6 million Euros from Azureus and 3.7 million Euros
from Morpheus. The figures are based on a poll carried out by the AdVestigo
company, of downloads in the P2P networks over a period of 10 months on a
sample of 4750 titles. The results were then extrapolated to their entire
catalogue of 475 000 titles and the total was multiplied by 2 Euros (1
Euro as the price for a sale and 1 Euro as damages).

France : SPFF attacks Morpheus, Azureus and Shareaza (only in French,
12.06.2007)
http://www.ratiatum.com/news5163_France_la_SPFF_attaque_Morpheus_Azureus_et_Shareaza.html

P2P : Details on the legal actions of SPPF (only in French, 12.06.2007)
http://www.ratiatum.com/breve5164_P2P_precisions_sur_les_actions_judiciaires_de_la_SPPF.html

EDRI-gram : Update on French EUCD Transposition (29.03.2006)
http://www.edri.org/edrigram/number4.6/frencheucd

============================================================
5. Privacy Ranking of Internet Service Companies
============================================================

Privacy International (PI) has undertaken a study that reveals the
privacy threats and ranks the positions in this matter of key players on the
Internet services market. The objective of the research is not only to point
fingers but also to find out trends and emergent issues related to privacy
on the Internet.

The report was issued by PI after a six-month investigation on the privacy
practices covering search, email, e-commerce and social networking sites.

The methodology used included 20 main parameters among which data
collection and processing, data retention, openness and transparency or
responsiveness to customers' complaints.

Data was gathered from newspaper articles, privacy policies, blogs,
submissions to government inquiries, information obtained from present and
former company staff, technical analyses and interviews with company
representatives.

Because the 2007 rankings are a precedent, PI will regard the current report
as a consultation report and will establish a broad outreach for two months
to ensure that any new and relevant information is taken into account before
publishing a full report in September.

The research has coded the companies by colour, from green "privacy-friendly
and privacy enhancing", to black, "comprehensive consumer surveillance and
entrenched hostility to privacy". While there was no company ranked in the
green area, and only a few were ranked blue, "generally privacy aware", (such
as eBay, LiveJournal, Wikipedia), the only company coded black by the
preliminary stage of the research was Google.

Google was mostly criticized for its lack of transparency, PI considering
that its data retention policy was not very clear. "Google maintains records
of all search strings and the associated IP-addresses and time stamps for at
least 18 to 24 months and does not provide users with an expungement
option. Google has access to additional personal information, including
hobbies, employment, address, and phone number, contained within user
profiles in Orkut. Google often maintains these records even after a user
has deleted his profile or removed information from Orkut."

Google's privacy policy was considered "vague, incomplete and possibly
deceptive", and its response to customers' complaints, a poor one.

A Google employee, Matt Cutts, complained on his blog that the
company was not given credit for not handing over data to the US Government
and for not having leaked search queries of its users.

In an open letter addressed to Google's CEO Eric Schmidt, Privacy
International accused Google of having smeared its good name. "Two European
journalists have independently told us that Google representatives have
contacted them with the claim that 'Privacy International has a conflict of
interest regarding Microsoft'." PI also stated that no company had made such
an accusation in its 17 years of life.

PI asked for an apology from Google, "but if you cannot deliver this then I
think you should reflect carefully on the actions of your representatives
before embarking on what I believe amounts to a smear campaign. As with
Microsoft, eBay and any other organisation we are more than happy to work
with you to help resolve the many privacy challenges for Google that our
report has highlighted."

A Race to the Bottom: Privacy Ranking of Internet Service Companies, A
Consultation report (9.06.2007)
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-553961

Privacy International accuses Google of smear campaign (11.06.2007)
http://www.theregister.co.uk/2007/06/11/google_privacy_international/

Why I disagree with Privacy International (11.06.2007)
http://www.mattcutts.com/blog/privacy-international-loses-all-credibility/

An Open Letter to Google (10.06.2007)
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-553964

============================================================
6. European Visa Information System accepted by the EU bodies
============================================================

The legislative package on the Visa Information System (VIS) was
adopted by the European Parliament and a political agreement was
reached within the Justice and Home Affairs Council in the last couple of
weeks. This means that the final steps have been taken to create the
biggest biometric database in the world.

The VIS Legislative package is formed by the VIS Regulation and the VIS
Decision. The VIS Regulation will allow consulates and other competent
authorities to start using the system when processing visa applications and
to check visas. The VIS Decision will allow police and law enforcement
authorities to consult the data under certain conditions that should ensure
a high level of data protection.

The European Parliament adopted on 7 June 2007 two reports from Baroness
Sarah Ludford (ALDE, UK). The first report that adopted the VIS regulation
aimed at preventing an applicant who is refused a visa by one Schengen
country from applying to others ("visa shopping"), but also facilitating the
fight against fraud and checks at external borders.

The second report that adopted the VIS decision stated that the access to
the VIS database should be "limited to those who 'have a need to know' and
possess appropriate knowledge about data security and data protection
rules". The report stresses that "adequate provisions have to be provided
for to ensure the necessary data protection", and that such data "shall only
be processed for the purposes of the prevention, detection, investigation
and prosecution of terrorist offences or other serious criminal offences."
The report also states that "personal data obtained...from the VIS shall not
be transferred or made available to a third country or to an international
organisation."

Less than a week later the VIS package obtained the political agreement in
the Justice and Home Affairs Council, thus making the new system almost a
reality, because the new rules need just to be formally approved by the EU
member-states governments.

The Visa Information System will store data on up to 70 million people
concerning visas for visits to or transit through the Schengen Area. This
data will include biometrics (photographs and fingerprints) and written
information such as the name, address and occupation of the applicant, date
and place of the application, and any decision taken by the Member State
responsible to issue, refuse, annul, revoke or extend the visa. Citizens of
more than 100 countries need a visa to enter the EU.

Baroness Sarah Ludford MEP insisted that "the VIS is a
border-management system and its principle is not to combat terrorism and
crime. Let us remember that 99.9% of visitors to the EU are legitimate
travellers who do not have any connection with criminality whatsoever, nor
indeed do illegal immigrants or unauthorised entrants."

The Conservatives have condemned the reports as an invasion of privacy
rights, and have called on the UK government to opt out. European Data
Protection Supervisor Peter Hustinx expressed his concern: "The circle of
data subjects that can be included in this system is not limited to data of
persons suspected or convicted of specific crimes."

EU visa information system to help prevent visa shopping (7.06.2007)
http://www.europarl.europa.eu/news/expert/infopress_page/019-7569-157-06-23-902-20070606IPR07543-06-06-2007-2007-false/default_en.htm

Visa Information System (VIS): The JHA-Council reaches a political agreement
on the VIS Regulation and VIS Decision (12.06.2007)
http://www.europa.eu/rapid/pressReleasesAction.do?reference=IP/07/802&format=HTML&aged=0&language=EN&guiLanguage=en

EU to create world's biggest bio-data pool (13.06.2007)
http://euobserver.com/22/24261

EU backs biometrics visa database (8.06.2007)
http://www.euractiv.com/en/justice/eu-backs-biometrics-visa-database/article-164422

EDRI-gram: EU Visa Database under scrutiny of the European Data Protection
Supervisor (2.02.2006)
http://www.edri.org/edrigram/number4.2/visadatabase

============================================================
7. Google answers Article 29 Working Party on data protection standards
============================================================

Google has answered several questions related to its data protection
standards addressed by the Article 29 Working Party, especially on the
period after which the anonymisation of the search server logs can be
obtained.

Initially Google announced in March 2007 a reduction of the retention period
for data related to users and their searches to 18-24 months, but, after the
Article 29 Working Party's letter, Peter Fleischer, global privacy counsel
at Google, accepted a period of 18 months. However, he
also stated that the period could be extended to 24 months, depending on the
implementation of the Data retention directive in some of the EU member
states.

Google explained that it needs to keep the logs for this period for
activities such as spell-checking help, preventing abuse and fraud or
helping users refine their search queries based on previous experiences.
The privacy counsel also gave, as one of the main reasons for keeping the
logs, the requirements of the Data retention directive that will require the
member states to keep the traffic data between 6 and 24 months. But he also
raised several question marks regarding the clarity of the text of the
directive.

However, Philippos Mitletton, who works for the European Commission's Data
Protection Unit, explained to Out-Law that the data retention directive
should not apply to Google:

"The Data Retention Directive applies only to providers of publicly
available electronic communications services or of public communication
networks and not to search engine systems. Accordingly, Google is not
subject to this Directive as far as it concerns the search engine part of
its applications and has no obligations thereof."

But Google's letter goes beyond the text of the directive and expresses
concerns about possible extensions of the directive's purpose when the
Data Retention Directive is implemented in each EU member-state. It
also refers to the German Ministry of Justice proposal that webmail
providers should be required to verify the identity of their
account holders and asks "Could we challenge its legality in court, either
as an unconstitutional infringement of privacy, or as an example of
jurisdictional over-reach?" In practice, the German working group against
data retention has already gathered a lot of supporters for a constitutional
court challenge against the data retention law, which would be the largest
constitutional court case in Germany ever.

The letter Google has sent to the Article 29 Working Party points also to
other privacy-sensitive issues raised. The major search engine explained
that its anonymisation process deletes the final digits of the logged IP
addresses and that the process is irreversible, even for Google staff.

Fleischer explained also the Google position regarding cookies: "We believe
that cookies data management in a user's browser is fundamentally a
browser/client issue, not a service/server issue. Therefore, the lifetime of
a cookie does not indicate or imply any enforcement of data retention. We
also believe that cookie lifetimes should not be so short as to expire and
force users to re-enter basic preferences (such as language preference).
Nonetheless, we acknowledge that cookie lifetimes should be "proportionate"
to the data processing being performed."

Article29 Working party letter to Google (16.05.2007)
http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_google_16_05_07_en.pdf

Google response to Article 29 Working Party (10.06.2007)
http://64.233.179.110/blog_resources/Google_response_Working_Party_06_2007.pdf

How long should Google remember searches? (11.06.2007)
http://googleblog.blogspot.com/2007/06/how-long-should-google-remember.html

Google makes data retention concession (12.06.2007)
http://www.out-law.com/page-8140

Data retention laws do not cover Google searches, says Europe (13.06.2006)
http://www.out-law.com/page-8147

EDRI-gram: Privacy bodies investigate Google's data protection standards
(25.04.2007)
http://www.edri.org/edrigram/number5.8/google-data-protection

EDRI-gram: Google limits the search data retention period (28.03.2007)
http://www.edri.org/edrigram/number5.6/google-data-retention

============================================================
8. ENDitorial: The 2001 CoE Cybercrime Convention more dangerous than ever
============================================================

The Council of Europe (CoE) has definitely given high priority to the broad
ratification, all over the world, of its Convention on Cybercrime, open for
signature since November 2001 and in force since 1 July 2004. As
part of its efforts to achieve this goal, a conference on "Cooperation
against cybercrime" was held in Strasbourg on 11-12 June 2007, to which EDRI
was invited to participate with a presentation (some of the participants'
presentations are available on the conference website).

This conference was organized in the framework of the CoE Octopus programme
against corruption and organised crime in Europe, three years after the 2004
venue on "The challenge of cybercrime" and two years after the joint CoE-OAS
(Organisation of American States) conference on "Cybercrime: a global
challenge, a global response". The CoE has also been promoting this
Convention in many international fora, including the World Summit on the
Information Society and its following-up Internet Governance Forum. Finally,
it has held numerous regional meetings and training events for member States
and third States to help them implement Convention-ready or Convention-compatible
provisions in their legislations.

Almost 140 participants attended the conference (list available on the
conference website). They were mainly law enforcement authorities (LEAs)
from all over the world (representing 49 countries from the 5 continents),
plus 12 intergovernmental organisations (among them EUROPOL, INTERPOL, and
ENISA - the European network and information security agency), 3 non
governmental organisations (EDRI, ICMEC - the International Centre for
Missing and exploited children, and the French Human Rights League), 3
international multi-stakeholders forums (the Inhope association of Internet
hotlines, the Anti-Phishing forum and the London Action Plan against spam)
and 3 private sector organisations (Microsoft, NASSCOM - India's national association for
software and service companies, and RSA).

Surprisingly, no representative from ISPs attended, and none of them was
invited to make a presentation, although the Convention on Cybercrime puts a
severe burden on them since most of its procedural provisions (articles 16
to 21) directly require the cooperation of ISPs in order to achieve
preservation, production, search and seizure of stored computer data,
real-time collection of traffic data and interception of content data.

However, Microsoft was well represented and obviously given an important
role in the conference with no less than 3 presentations in plenary
sessions. A presentation by Alexander Seger, Head of Technical Cooperation
in the Department of Crime Problems (CoE DG of Legal Affairs) offered a clue
to this special treatment: the CoE has launched a new project
against cybercrime, "a global project to support European and non-European
countries to accede and implement the Convention on cybercrime or its
Protocol on xenophobia and racism", (details on the project available on the
conference website), which started in September 2006 for a duration of 30
months. The overall budget is 1.7 million euros, of which only 550,000 euros
are currently available: 290,000 euros from the CoE own funding and 260,000
euros from Microsoft contribution.

It has to be noted that this private funding is a new practice for the CoE, to
the extent that Microsoft funding had to be approved by the CoE Council of
Ministers. As Alexander Seger suggested in his presentation, "other donors
(public and private) [are] invited to join this project" and "beyond this
project, CoE may now seek stronger cooperation with the private sector". If
such extension is indeed realised in the future, one may wonder whether the
CoE will be able to remain the reference it currently represents in terms of
respect for human rights, democracy and the rule of law. Interestingly
enough, this trend in having CoE projects funded by the private sector
starts with this very Convention on cybercrime, probably the only one among
the current 200 CoE Treaties which has been so criticized by human rights
NGOs, as EDRI reminded in its presentation. While Alexander Seger and
Microsoft representatives insisted on the fact that "no specific condition
[has been] attached to the financial contribution from Microsoft", it would
be quite naive to find this "guarantee" satisfactory: agenda-setting
and -pushing is certainly already worth the money spent.

The interest of companies like Microsoft in such a project is directly
linked to the substantive provisions of the Convention (articles 2 to 13),
which aim at harmonizing the criminalisation of the commission of "offences
against the confidentiality, integrity and availability of computer data and
systems" (art. 2-6), "computer related offences" (forgery and fraud, art.
7-8), "content-related offences" (Internet child pornography, art. 9),
"offences related to infringements of copyright and related rights" (art.
10) or attempting, aiding or abetting the commission of such offences (art.
11).

Copyright infringement was hardly mentioned during the 2007 conference. The
fight against Internet child pornography served as the consensual vehicle to
promote such tools as both the Convention and private hotlines: concerns
regarding the respect for the rule of law, as raised by EDRI, were received,
as usual, with suspicion of laxity. EDRI was the only participant pointing
to the fact that the additional Protocol against racism and xenophobia could
only be ratified by countries that already criminalise in their national
laws the dissemination of such content, as well as insults and threats based
on racism and xenophobia. Thus, it would never solve cases such as the
famous Yahoo! case between France and the USA, simply because, as EDRI
noted, the Convention and its Protocol fail to address the major issue of
the competence of jurisdictions.

The real big issues for LEAs during this conference were the most prevalent
threats as well as the new trends they perceive in current cybercrime
activities: spamming, phishing and its many variants using SMS (SMSishing),
VoIP (Vishing), DNS redirections (pharming), the use of botnets, the use of
P2P networks and instant messaging systems, were among the many identified
aspects of a proteiform cybercrime. Although all the presentations on these
trends (especially from Europol and from French LEAs) acknowledged the lack
of statistics and the difficulty to gather data on this kind of crime, they
were able to agree on its current volume and its broadening, and to conclude
on the increased need to limit - if not forbid - anonymity and encryption of
exchanges, to better control the Internet use from cybercafes and other
public places, and, last but not least, to further extend cooperation with
private sector (telecom operators and ISPs) and communication and exchange
of data among LEAs for mutual assistance purposes.

International cooperation between LEAs is exactly the subject of the
numerous remaining provisions of the Convention (articles 23 to 35). In
summary, these provisions allow any State party to the Convention to request
from any other party the communication of data collected under the
provisions of articles 16 to 21, without any dual criminality requirement
(except if relevant reservation has been made upon ratification) and with
very limited possibility of refusal: actually, as Henrik Kaspersen,
professor at the Free university of Amsterdam and chair of the committee of
the CoE Convention on cybercrime, analysed, the current 43 signatories
(among them 21 having ratified the text) made a quite moderate use of
reservations. Moreover, the Convention conditions and safeguards (article
15) are far from being adequate and harmonised among the State parties to
the Treaty: although the EU Article 29 working group warned against this and
other failures of the Convention when the text was still being drafted, its
opinion was not taken into account. With the extension of the Convention to
States with far less privacy safeguards than the CoE member States - which
are bound by the European Convention on Human Rights -, starting with the
USA, this threat is beginning to realise the worst fears of the Global
Internet Liberty Campaign (GILC) international coalition of NGOs - among
them future EDRI founders - when it published in 2001 its "Eight Reasons the
International Cybercrime Treaty Should be Rejected", after a long campaign
against the eventually signed Convention.

Furthermore, although one can argue that, since 2001, the situation has
become even worse with laws adopted all over the world, including at the
European Union level, it has to be acknowledged that "the CoE Convention on
cybercrime opened the way to more and more invasive laws", as EDRI concluded
at the end of its presentation at this conference, leading to have "on-line
activities and behaviours more criminalised than their off-line equivalent
and citizens benefit from less protections and safeguards on-line than
off-line". In order to limit the risk that, six years after its signature,
the CoE Convention on cybercrime becomes more dangerous than ever, EDRI
advocated, "before any further extension in scope and/or
ratification/accession, (the) need for an assessment of the Convention and
its national implementations with regards to human rights, democracy and the
rule of law". Finally, in the same way as EDRI considers that, at the EU
level, data protection under third pillar is a prerequisite to any
broadening of information systems in criminal matters, EDRI recommended that
the Council of Europe "devote[s] an equivalent energy to extend
ratifications/accessions to Convention no.108 for the protection of
individuals with regard to automatic processing of personal data". But such
a goal does not seem to be on the CoE agenda.

CoE Octopus Conference 2007 (11-12.06.2007)
http://www.coe.int/t/e/legal_affairs/legal_co-operation/combating_economic_crime/3_technical_cooperation/cyber/Octopus_if_2007.asp

CoE Octopus Conference 2004 (15-17.09.2004)
http://www.coe.int/t/e/legal_affairs/legal_co-operation/combating_economic_crime/3_Technical_cooperation/OCTOPUS/2004/Octopus-Interface-2004.asp

Joint COE-OAS Conference 2005 (12-13.10.2005)
http://www.coe.int/T/E/Legal_Affairs/About_us/Cooperation/5Madrid(cyber)_OAS.asp

EU Article 29 WP Opinion on the CoE Draft Convention on Cybercrime
(22.03.2001)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2001/wp41en.pdf

GILC coalition "Treaty Watch" website
http://www.treatywatch.org

IRIS dossier of the campaign against the Convention and its Protocol (only
in French)
http://www.iris.sgdg.org/actions/cybercrime

EDRI-gram: From Schengen To Prüm: Data Protection Under 3Rd Pillar A
Prerequisite (28.02.2007)
http://www.edri.org/edrigram/number5.4/prum

CoE Convention no.108 on data protection (28.01.1981)
http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=108&DF=6/20/2007&CL=ENG

(Contribution by Meryem Marzouki, EDRI-member IRIS - France)

============================================================
9. Recommended Reading
============================================================

Belgian Biometric Passport does not get a pass...
Your personal data are in danger!
http://www.dice.ucl.ac.be/crypto/passport/index.html

Centre for Educational Research and Innovation - Giving Knowledge for Free
The Emergence of Open Educational Resources
http://www.oecdbookshop.org/oecd/display.asp?CID=&LANG=EN&SF1=DI&ST1=5L4S6TNG3F9X

============================================================
10. Agenda
============================================================

8 May - 22 July 2007, Austria
Annual decentralized community event around free software lectures,
panel discussions, workshops, fairs and socialising
http://www.linuxwochen.at

17-22 June 2007 Seville, Spain
19th Annual FIRST Conference, "Private Lives and Corporate Risk"
http://www.first.org/conference/2007/

18-22 June 2007, Geneva, Switzerland
Second Special Session of the Standing Committee on Copyright and Related
Rights (SCCR)
http://www.wipo.int/meetings/en/details.jsp?meeting_id=12744

28 June 2007, London, UK
First London CC-Salon organized by Free Culture London and the Open Rights
Group
http://wiki.creativecommons.org/London_Salon

8-12 August 2007, near Berlin, Germany
Chaos Communication Camp 2007
"In Fairy Dust We Trust!"
http://events.ccc.de/camp/2007/

5-11 September 2007, Linz, Austria
Ars Electronica Festival - Festival for Art, Technology and Society
http://www.aec.at/en/festival2007/index.asp

25 September 2007, Montreal, Canada
Civil Society Workshop: Privacy Rights In A World Under Surveillance
A one-day workshop organized by the International Civil Liberties Monitoring
Group (ICLMG) in cooperation with Canadian and international civil rights
and privacy organizations ahead of the 29th International Conference of Data
Protection and Privacy Commissioners in Montreal.
http://www.thepublicvoice.org/events/montreal07/default.html

12-15 November 2007, Rio de Janeiro, Brazil
The Government of Brazil will host the second Internet Governance Forum
meeting.
http://www.intgovforum.org/
http://cgi.br/igf/

============================================================
11. About
============================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 25 members from 16 European countries.
European Digital Rights takes an active interest in developments in the EU
accession countries and wants to share knowledge and awareness through the
EDRI-grams. All contributions, suggestions for content, corrections or
agenda-tips are most welcome. Errors are corrected as soon as possible and
visibly on the EDRI website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 2.0 License. See the full text at
http://creativecommons.org/licenses/by/2.0/

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:
http://www.edri.org/

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or
unsubscribing.

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




