EDRi-gram newsletter - Number 8.4, 24 February 2010

EDRI-gram newsletter edrigram at edri.org
Wed Feb 24 12:01:21 PST 2010


============================================================

           EDRi-gram

biweekly newsletter about digital civil rights in Europe

    Number 8.4, 24 February 2010


============================================================
Contents
============================================================

1. Leaked ACTA text confirms suspicions
2. First decision in the Italian criminal case against Google executives
3. France's Parliament pursues its goal to censor the Internet
4. Germany's President signs an Internet bill against his own government
5. Spanish Fiscal Council criticizes the new draft law on IPR enforcement
6. EP: Draft reports on IPR enforcement published
7. French Court says an IP address is not enough for a user's identification
8. Chip and PIN system proven to be flawed
9. Google's new service raises privacy concerns
10. Romania: Moral damages for publishing personal data online
11. Germany DPAs to discuss the EU-US Safe Harbour Agreement
12. ENDitorial: Richard Stallman on "Copyright versus Public" in Berne
13. Recommended Action
14. Recommended Reading
15. Agenda
16. About

============================================================
1. Leaked ACTA text confirms suspicions
============================================================

The text of the digital chapter of the Anti-Counterfeiting Trade Agreement
was published on 21 February 2010, following news articles from IDG News
Service issued a few days before.

The text of the draft digital chapter confirms that there are several
problems with the draft agreement and many of the assurances given on the
topic were somewhat "economical with the truth".

These "economies" were on display again during a discussion between the
Commission Head of Unit responsible for the dossier, Luc Devigne and the
International Trade Committee of the Parliament. Mr Devigne explained that:
- there is no ACTA text, so there is nothing that the Commission could share
with the Parliament
- ACTA is about enforcement and not about changing substantive law

Mr Devigne was also quite economical with answers. He failed to answer
questions on:
- the failure to implement the relevant provisions of the Lisbon Treaty with
regard to transparency
- the fact that US lobbyists had access to the ACTA documents but not the
European Parliament
- if ACTA would require ordinary citizens to be excluded from the scope of
certain border measures or would simply allow for this to be the case
- if ACTA would lead to criminal sanctions, including prison, for people
that recorded films in cinemas
- if ACTA would criminalise an individual who, for example, created an open
source programme to open all documents on all formats, thereby (without
commercial interest) circumventing technical protection measures.

He also repeated the meaningless statement that "ACTA is not meant to
undermine civil liberties", which simply means that this was not the
original intent of the negotiations and does not, quite obviously, exclude
this possibility.

Unsurprisingly, the unclear, ambiguous and "economical" answers led to an
angry reaction from Parliamentarians. The little information that MEP Carl
Schlyter (Greens, Sweden) was able to glean from Mr Devigne's answers was,
he said, contrary to information that had previously been provided by
Commissioner De Gucht. Consequently, he requested that the Commissioner
attend future discussions instead of Devigne.

EDRi has prepared a public FAQ on ACTA in order to better explain why the
agreement endangers human rights in the Information Society.

EDRi explains that the treaty is not just about counterfeiting, because it
also covers a far greater range of issues, including mandated penalties for
non-commercial copyright infringement, worldwide Internet regulation and
world trade in generic medicines.

The leaked document talks mostly about copyright infringement. Although
the document is vague on whether non-commercial infringements are included,
provisions from the Border Measures section previously made public indicate
that the definition of counterfeiting will change current international
norms and expand the scope beyond catching organised criminal networks
smuggling goods that this agreement is purported to target.

The leaked ACTA chapter includes a "three-strikes" Internet disconnection
approach for alleged repeat copyright infringers. The document makes
clear that the US negotiators intend that ISPs would be required to adopt
three-strikes Internet disconnection policies in order to get the benefit
of "safe harbours" or limitations on ISPs' liability for copyright
infringement.

The proposal would require countries to adopt criminal measures, which are
outside the body of the harmonised EU legislation. When read alongside the
criminal measures provisions made public earlier in the ACTA negotiations,
many concerns arise about the increased criminalisation of activities
online. Without robust proportionality principles and with insufficient
consideration of civil liberties and human rights protections, ACTA is a
threat to ordinary behaviour on the Internet. The ineffective strategy of
deterrence without balance undermines the legitimacy of the law.

After the new chapter of ACTA was leaked, an Opinion from the European Data
Protection Supervisor (EDPS) explained that the current three-strikes
proposals may be incompatible with the current data protection requirements.

The EDPS complained that he was not involved by the European Commission in
the debates on this treaty and declared: "Whereas intellectual property is
important to society and must be protected, it should not be placed above
individuals' fundamental rights to privacy and data protection. A right
balance between protection of intellectual property rights and the right to
privacy and data protection should be ensured. It is also particularly
crucial that data protection requirements are taken into account from the
very beginning of the negotiations so as not later on having to find
alternative privacy compliant solutions."

The next round of negotiations will take place in New Zealand on 12-16 April
2010. Parties agreed tentatively to a 5 day round, covering a detailed
discussion on Internet, civil, customs and penal measures.

Leaked ACTA draft reveals plans for internet clampdown (19.02.2010)
http://computerworld.co.nz/news.nsf/news/leaked-acta-draft-treaty-reveals-plans-for-internet-clampdown

Leaked ACTA chapter on Internet
http://sites.google.com/site/actadigitalchapter/acta_digital_chapter.pdf

EDRi FAQ on ACTA (22.02.2010)
http://www.edri.org/files/acta_FAQ_100222.pdf

Opinion of the European Data Protection Supervisor on the current
negotiations by the European Union of an Anti-Counterfeiting Trade Agreement
(ACTA) (22.02.2010)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2010/10-02-22_ACTA_EN.pdf

Anti-Counterfeiting Trade Agreement: EDPS warns about its potential
incompatibility with EU data protection regime (22.02.2010)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2010/EDPS-2010-03_ACTA_EN.pdf

(contribution by Joe McNamee - EDRi)

============================================================
2. First decision in the Italian criminal case against Google executives
============================================================

Today, 24 February 2010, the Court of Milan made public the decision in the
criminal trial against four Google executives, charged with defamation and
illegal personal data handling in relation to the publication on the
video sharing platform of a video containing acts of bullying against a
person with Down syndrome.

The legal basis for the charges, following the prosecutor's theory of the
case, was that those executives failed to exercise pre-emptive control
over the content published by Google's end users, thus allowing the
infringement of the reputation of the person concerned and of an NGO
representing persons with Down syndrome.

The Court acquitted all the defendants of the charges of defamation, but
found them liable on the illegal personal data handling charge. The full
sentence (including the legal technicalities that support the decision) will
be public within the next 30 days.

The legal oddity of the prosecutor's strategy is this:
1 - there is a rule of law that says: not stopping a fact means causing it,
2 - data protection law requires a prior authorization to be obtained before
handling personal data,
3 - a video to be posted online is personal data,
4 - therefore Google executives had to check whether the user who posted the
video had obtained prior authorisation from the people in the video, and
5 - by failing to do so, they infringed the data protection law,
6 - furthermore, by not checking in advance they allowed the video to libel
the victim of the violence (this charge has been dismissed).

The consequence is that under this (odd) interpretation of data protection
law, every Internet Service Provider is required to infringe its users'
privacy in order to perform a prior check on the legitimacy of the actions
performed by the users themselves.

A nice Catch-22, and a goodbye to network neutrality and online privacy!

Google execs convicted for Italy autism video (24.02.2010)
http://www.reuters.com/article/idUSTRE61N2G520100224

Case Vividown, the intermediary is responsible (only in Italian, 24.02.2010)
http://punto-informatico.it/2819031/PI/News/caso-vividown-intermediario-responsabile.aspx

Intermediaries or controllers? (only in Italian, 24.02.2010)
http://punto-informatico.it/2819668/PI/Commenti/intermediari-controllori.aspx

Serious threat to the web in Italy (24.02.2010)
http://googleblog.blogspot.com/2010/02/serious-threat-to-web-in-italy.html

(contribution by Andrea Monti - EDRi-member ALCEI Italy)

============================================================
3. France's Parliament pursues its goal to censor the Internet
============================================================

On 16 February, the National Assembly, the lower house of the French
Parliament, passed the first draft of the so-called Loppsi 2 bill allowing
the authorities to control the Internet under the pretext of improving the
citizens' security.

The new legislation deals not only with child pornography sites, but has in
view a long blacklist of other types of websites that ISPs will have to
block. The list of banned Web sites would be provided by the Interior
Ministry and it would be "the responsibility of each Internet service
provider to ensure that users don't have access to unsuitable content."
According to article 4 of the draft law, the ISPs contacted by the
authorities must block without delay the designated sites under the threat
of being fined up to 75 000 euro and one year of imprisonment for their
administrators in case of non-compliance.

The new legislation also allows the French police and security forces to
enter a suspect's house and clandestinely install software to spy on private
computers, following a judge's decision.

Loppsi 2 contains other provisions as well, including improved
interoperability between police files and personal data kept by institutions
such as banks and a tripling of surveillance cameras in France under the
pretext of "video protection."

MEP Sandrine Bélier believes the bill represents "a serious threat" to the
neutrality of the Internet. "The filtering and blocking of the Web has
become a standard weapon in the legislative arsenal of a government which
has been shameless in its handling of personal freedoms," she said in an
interview.

"Protection of childhood is shamelessly exploited by Nicolas Sarkozy to
implement a measure that will lead to collateral censorship and very
dangerous drifts. After the HADOPI comes the LOPPSI: the securitarian
machinery of the government is being deployed in an attempt to control the
Internet at the expense of freedoms", stated Jérémie Zimmermann from La
Quadrature du Net.

The draft law will go for a second reading in the Senate and, if approved,
it could come into force this summer.

The French Senate also started on 23 February 2010 the discussions on the
draft legislation for the opening of the online gambling market that would
require the ISPs to block any unauthorised gambling websites.

France Moves Closer to Unprecedented Internet Regulation (17.02.2010)
http://www.spiegel.de/international/europe/0,1518,678508,00.html

French Parliament approves Net censorship (11.02.2010)
http://www.laquadrature.net/en/french-parliament-approves-net-censorship

Loppsi was adopted by the National Assembly (only in French, 16.02.2010)
http://www.numerama.com/magazine/15100-la-loppsi-a-ete-adoptee-par-l-assemblee-nationale.html

Loppsi: the installation of software spies to suspects is adopted (only in
French, 11.02.2010)
http://www.numerama.com/magazine/15076-loppsi-l-installation-de-mouchards-chez-les-suspects-est-adoptee.html

Filtering of web sites: ISPs simple executants (only in French, 9.02.2010)
http://www.journaldunet.com/ebusiness/le-net/loppsi-et-internet/filtrage-des-sites-web.shtml

Online gambling filtering examined this Tuesday in the Senate (only in
French, 23.02.2010)
http://www.numerama.com/magazine/15127-le-filtrage-des-jeux-en-ligne-examine-ce-mardi-au-senat.html

EDRi-gram: LOPPSI 2 French law - to block or not to block websites
(27.01.2010)
http://www.edri.org/edrigram/number8.2/loppsi-2-france-blocking-websites

============================================================
4. Germany's President signs an Internet bill against his own government
============================================================

Despite the fact that the German Government had decided not to apply the
internet censorship law (Zugangserschwerungsgesetz) proposed by the former
Government in April 2009, the new bill was signed on 17 February 2010 by
German President Horst Köhler.

The president decided that the Access Impediment Law did not raise
any significant concerns related to the compatibility with the German
Constitution and that it was meant to fight online child pornography
allowing the blocking of offensive web sites.

This is a delicate situation for the government, which will need the
opposition's support to repeal the legislation. Following the strong and
massive opposition to the bill by Internet users and civil rights groups,
the government coalition elected in September 2009 decided to put the law on
hold, focusing instead on removing offensive Internet content on the basis
of existing laws.

The government was hoping to have more time to draw up another anti-child
pornography law that would repeal the Access Impediment Law. "New
regulations will quickly be introduced that correspond to the principle of
deleting rather than blocking access," said Justice Minister Sabine
Leutheusser-Schnarrenberger on 17 February, adding that the government had
decided not to apply the law. Her statement was backed up by the Interior
Ministry.

The Working Group on Internet blocking and censorship (Censorship AK) asked
for the repeal of the bill in a press release and called for a spontaneous
demonstration of the Internet activists for the same goal. The demonstration
took place on 17 February in front of the Bellevue Palace.

The Bitkom association, which represents the German IT industry, called on
the government to clarify the situation and to quickly repeal the new law. A
spokesman from the German Pirate Party said it was "unbelievable" that
President Köhler had signed the law into force.

The opposition parties will introduce a bill on 25 February before the
Bundestag, the lower house of the German Parliament, repealing the new law.

New Internet Legislation Embarrasses German Government (18.02.2010)
http://www.spiegel.de/international/germany/0,1518,678782,00.html

The Working Group on Internet blocking and censorship calls for immediate
lifting of Internet blocking law (only in German, 17.02.2010)
http://ak-zensur.de/2010/02/unterzeichnung.html

Spontaneous demonstration in front of Schloss Bellevue (only in German,
18.02.2010)
http://www.netzpolitik.org/2010/dokumentation-der-spontan-demo-vor-schloss-bellevue

New law to censor internet child pornography (17.02.2010)
http://www.dw-world.de/dw/article/0,,5259255,00.html

No internet censorship in Germany for the next year (18.10.2009)
http://ak-zensur.de/2009/10/access-blocking-germany.html

ZugErschwG signed (only in German, 18.02.2010)
http://blog.windfluechter.net/archives/919-ZugErschwG-unterzeichnet.html

EDRi-gram: Web blocking gets a reality check (21.10.2010)
http://www.edri.org/edrigram/number7.20/web-blocking-germany-uk

============================================================
5. Spanish Fiscal Council criticizes the new draft law on IPR enforcement
============================================================

In a non-binding report issued on 12 February 2010, the Spanish Fiscal
Council criticised the draft law proposed by the Government known as the
Sustainable Economy Law (la Ley de Economía Sostenible - LES) that foresees
new Intellectual Property Rights (IPR) enforcement measures on the Internet.

The Council expresses concern that the LES draft text places
intellectual property rights at the same level as fundamental rights
such as freedom of expression, public security, national defence, public
health or non-discrimination on grounds of race, sex or religion. In the
Council's opinion, intellectual property rights should be treated as
property rights and not as fundamental rights.

The report also raises concerns over the fact that the draft law gives the
Intellectual Property Commission (Comisión de Propiedad Intelectual - CPI)
the power to propose the closing down of web sites offering download links
to alleged unauthorized copyright content. According to the Fiscal Council
this "has an enormous potential to invade the sphere of fundamental rights."

The report also emphasizes the fact that the proposed law "is limited to
cases where the service provider is established in Spain or in a State of
the European Union," which makes it inefficient. If sites with a Spanish
domain are closed, other identical sites may appear in countries that are
outside the EU.

People's Party (PP) culture spokesman José María Lassalle stated that the
Fiscal Council's report supports PP's position in the matter and there are
many other voices that have expressed opposition to the proposed
legislation. "This is not a law against violations of intellectual property,
it is a law against civil rights," said Fernando Berlin, one of the
promoters of RedSOStenible.net, consisting of bloggers, businessmen, and
Internet user activist groups.

The Public Ministry also warned that the new draft allows the CPI to ask
ISPs for data that would help in identifying alleged copyright infringers;
such data will sometimes not be limited to information on the owner of a web
page, but will include other data that would need prior court authorisation.

Therefore, the Fiscal Council proposes a modification of the draft text so
that judicial authorisation is required not only for data protected by the
fundamental right to secrecy of communications but also for data covered
by the right to privacy. "Anyway, what in no case can CPI claim and cannot
be provided by ISPs are data regarding private communications that may
affect the fundamental right of the communication secret that mandatorily
require judicial authorisation," says the report.

On 16 February 2010, the Minister of Justice, Francisco Caamaño, defended the
LES and the modification introducing a regulation that would be to the
benefit of the right to freedom of expression and access to information and
not so much to the benefit of intellectual property. He stated that the new
law stipulated a judicial guarantee that would prevent an Administration
institution from blocking access to a web page without a court order.

In the meantime, the Spanish EU Presidency is pushing its Declaration of
Granada for more IP enforcement actions. The present text suggests to the
European Commission "to analyse the possibility to present a modified
proposition of the Directive on the penal measures meant to guarantee the
respect of the intellectual property rights, in order to complete EU
legislative framework for the application of IPR" and invites "the member
states and the Commission to act for the promotion of a high level of
protection of the intellectual property in the bilateral and international
agreements".

The Fiscal Council criticises the draft law allowing the Culture Ministry to
close down web sites (only in Spanish, updated 16.02.2010)
http://www.elmundo.es/elmundo/2010/02/15/navegante/1266250340.html

Fiscal Council's Report - Draft project of the Sustainable Economy Law -
Draft project of the organic law complementary to the Sustainable Economy
Law (only in Spanish, 12.02.2010)
http://www.elmundo.es/documentos/2010/02/15/informe.pdf

The Spanish Presidency proposes more repression on the Internet in its
Declaration of Granada (only in Spanish, 12.02.2010)
http://www.internautas.org/html/6016.html

The Minister of Justice defends the Sustainable Economy Law (only in
Spanish, updated 16.02.2010)
http://www.abc.es/20100216/cultura-/ministro-justicia-defiende-economia-201002161452.html

Spanish Societies Reject Concerns Over Anti-Piracy Law (17.02.2010)
http://www.billboard.biz/bbbiz/content_display/industry/e3i47f0e86cdb78f21b75b6d36d1b457616

PP says the Fiscal Council supports its thesis on the downloading and
criticises that the Government "continues without doing its homework" (only
in Spanish, 16.02.2010)
http://www.finanzas.com/noticias/formacion/2010-02-16/247579_dice-consejo-fiscal-avala-tesis.html

EDRi-gram: Spanish Government proposes new legislation against file-sharing
(13.01.2010)
http://www.edri.org/edrigram/number8.1/spain-law-file-sharing

============================================================
6. EP: Draft reports on IPR enforcement published
============================================================

The European Parliament (EP) is working on a position with regard to the
European Commission's Green Paper on enhancing the enforcement of
intellectual property rights in the internal market.

Three EP committees are involved in this process: the Legal Affairs
Committee (MEP Marielle Gallo, EPP, France), in charge of this report, with
"Opinions" provided by the Industry, Research and Energy Committee (MEP Paul
Rübig, EPP, Austria) and the Internal Market and Consumer Protection
Committee (MEP Zuzana Roithová, EPP, Czech Republic).

MEP Rübig's report calls for EU-wide licensing, interoperability and
supports the "mere conduit" status of ISPs. However, he also calls for
"effective" sanctions against copyright infringement.

MEP Roithová's report is quite balanced and avoids confusing copyright and
piracy. It calls for transparency on ACTA and "calls for proportionate
measures to be proposed for effectively and successfully combating the
negative impact of infringement of intellectual property rights in the
digital environment ("piracy") on the internal market and calls on the
Observatory to analyse the impact of alternative systems of equitable
compensation (for example, flat-rate licences)".

Unfortunately, MEP Gallo's report still confuses piracy and counterfeiting
and paints a doom-laden picture of what piracy and counterfeiting mean for
the EU ("threatens our economies and societies"). The report also demands
reports on the implementation of existing IPR legislation, but notes already
that it is inadequate. The draft document also calls for "cooperation" with
and "warning messages" from ISPs.

The next steps planned for this IPR report are the discussion on amendments
and the vote on 17 March 2010, with the final vote in the plenary estimated
for April 2010.

EU Green Paper on enhancing the enforcement of intellectual property rights
in the internal market (11.09.2009)
http://ec.europa.eu/internal_market/iprenforcement/docs/ip-09-1313/communication_en.pdf

Draft Report on enhancing the enforcement of intellectual property rights in
the internal market - MEP Marielle Gallo (15.02.2010)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-438.164+01+DOC+PDF+V0//EN&language=EN

Draft Opinion of the Committee on Industry, Research and Energy for the
Committee on Legal Affairs on enforcement of intellectual property rights in
the internal market - MEP Paul Rübig (29.01.2010)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-438.391+01+DOC+PDF+V0//EN&language=EN

Draft Opinion of the Committee on the Internal Market and Consumer
Protection for the Committee on Legal Affairs on enhancing the enforcement
of intellectual property rights in the internal market - MEP Zuzana Roithová
(5.02.2010)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-438.494+01+DOC+PDF+V0//EN&language=EN

(contribution by Joe McNamee - EDRi)

============================================================
7. French Court says an IP address is not enough for a user's identification
============================================================

The Paris Appeal Court has recently ruled that an IP address does not allow
the identification of an Internet user and therefore needs no prior
authorization from CNIL (National Commission for Information Technologies
and Civil Liberties) to be collected.

The decision supports the ruling of the Cassation Court of 13
January 2009 stating that the collection of an IP address by agents of the
collecting society SACEM was not to be considered automated processing of
personal data, thus reversing a previous decision of the Rennes Appeal Court
of May 2009 which had considered the IP address as nominal data for the
collection of which the prior authorization of the CNIL was needed.

According to the French Data Protection Act, sworn agents may process
data related to offences, convictions, and safety measures on behalf of
rights holders of victims of copyright infringements in order to ensure the
defense of these rights but such processing, automatic or not, has to be
previously authorized by the CNIL.

However, the Court of Cassation considered that such a sworn agent does not
need a prior CNIL authorization if he accesses manually a person's list of
files uploaded onto a peer-to-peer network in violation of copyrights. In
the court's opinion, the collection of an IP address in order to find the
user's identity through his ISP does not constitute data processing.

While the Court of Cassation did not express a view as to whether an IP
address qualifies as personal data, the Appeal Court considers that the IP
address is material evidence of the infringement and cannot be
considered personal data because it does not identify the user.

The court also rejected the private copy exception by considering it "is not
applicable to downloading, the purpose of using p2p software being exactly
that of sharing and exchanging files between users (...)."

Justice: the IP address is not enough to identify a pirate (only in French,
18.02.2010)
http://www.numerama.com/magazine/15105-justice-l-adresse-ip-n-est-pas-suffisante-pour-identifier-un-pirate.html

French Court of Cassation Rules on Data Protection and Online Copyright
Infringement (11.02.2010)
http://www.huntonprivacyblog.com/2009/02/articles/french-court-of-cassation-rules-on-data-protection-and-online-copyright-infringement/

============================================================
8. Chip and PIN system proven to be flawed
============================================================

According to research performed by a group of experts from the Computer
Laboratory of Cambridge University, the Chip and PIN system is flawed,
allowing criminals to use stolen credit and debit cards without knowing the
correct PIN.

Thieves can easily create a device that intercepts and modifies
communications between a card and a point-of-sale terminal, making the
terminal believe the PIN was correctly verified when actually any PIN could
be entered and the transaction would be accepted.

"The flaw is that when you put a card into a terminal, a negotiation takes
place about how the cardholder should be authenticated: using a PIN, using a
signature or not at all. This particular subprotocol is not authenticated,
so you can trick the card into thinking it's doing a chip-and-signature
transaction while the terminal thinks it's chip-and-PIN. The upshot is that
you can buy stuff using a stolen card and a PIN of 0000 (or anything you
want). We did so, on camera, using various journalists' cards. The
transactions went through fine and the receipts say 'Verified by PIN'," said
Professor Ross Anderson, one of the researchers.

The attacks can be successful for cards used online (a merchant POS
contacting the bank) and offline, for any amount of money and for bank
schemes based on EMV (Europay, MasterCard, Visa). They would not work at
ATMs or with cards that have already been cancelled by the bank.

The research conclusion is that the attacks are possible due to "a lack of
authentication on the PIN verification response, coupled with an ambiguity
in the encoding of the result of cardholder verification as included in the
TVR (Terminal Verification Results)".
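
The mismatch described above can be caught by the issuer when the card's and the terminal's views of the verification method are both authenticated and then compared. The Python sketch below is an added example, not code from the researchers or from any payment scheme; the record fields, the HMAC layout and the demo key are assumptions of a simplified model and do not reproduce real EMV encoding.

```python
"""Toy model of the cardholder-verification mismatch (not real EMV encoding)."""
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed demo key shared by card and issuer (assumption of this model).
CARD_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class AuthRequest:
    """Hypothetical authorisation record as the issuer receives it."""
    amount_cents: int
    terminal_method: str  # how the terminal believes the cardholder was verified
    card_method: str      # how the card believes the cardholder was verified
    card_mac: bytes       # MAC the card computed over the three fields above


def compute_mac(key: bytes, amount_cents: int, terminal_method: str,
                card_method: str) -> bytes:
    """MAC binding the amount and BOTH views of the verification method."""
    msg = f"{amount_cents}|{terminal_method}|{card_method}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def card_sign(amount_cents: int, terminal_method: str, card_method: str,
              key: bytes = CARD_KEY) -> AuthRequest:
    """Card side: authenticate the transaction data it was given."""
    mac = compute_mac(key, amount_cents, terminal_method, card_method)
    return AuthRequest(amount_cents, terminal_method, card_method, mac)


def issuer_decision(req: AuthRequest, reconcile: bool,
                    key: bytes = CARD_KEY) -> str:
    """Issuer side. With reconcile=False the issuer checks the MAC but only
    trusts the terminal's claim; with reconcile=True it also requires that
    card and terminal agree on how the cardholder was verified."""
    expected = compute_mac(key, req.amount_cents, req.terminal_method,
                           req.card_method)
    if not hmac.compare_digest(expected, req.card_mac):
        return "decline: bad MAC"
    if reconcile and req.terminal_method != req.card_method:
        return "decline: method mismatch"
    return "approve"


# Constructed sample records.
GENUINE_PIN = card_sign(2500, "pin", "pin")
GENUINE_SIGNATURE = card_sign(2500, "signature", "signature")
# The situation from the quote: terminal believes PIN, card believes signature.
MISMATCH = card_sign(2500, "pin", "signature")
# Same record with the card's view rewritten in transit; the MAC no longer fits.
TAMPERED = replace(MISMATCH, card_method="pin")


def run_demo() -> dict:
    """Return the decision for each sample under both issuer policies."""
    samples = {
        "genuine_pin": GENUINE_PIN,
        "genuine_signature": GENUINE_SIGNATURE,
        "mismatch": MISMATCH,
        "tampered": TAMPERED,
    }
    return {
        name: (issuer_decision(r, reconcile=False),
               issuer_decision(r, reconcile=True))
        for name, r in samples.items()
    }


if __name__ == "__main__":
    for name, (weak, strict) in run_demo().items():
        print(f"{name:18} no-reconcile={weak:18} reconcile={strict}")
```

Without reconciliation the mismatched record is approved even though its MAC is valid; with reconciliation it is declined, and rewriting the card's view to hide the mismatch breaks the MAC.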

The main problem is that banks refuse to refund victims of this type of
attack because they state that a card cannot be used without the correct
PIN, which, as the paper shows, is not true.

"This is not just a failure of bank technology. It's a failure of bank
regulation. The ombudsman supported the banks and the regulators have
refused to do anything. They were just too eager to believe the banks,"
stated Anderson.

Chip and PIN is broken (11.02.2010)
http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

Chip and PIN is Broken (draft for the 2010 IEEE Symposium on Security and
Privacy)
http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf

Cambridge researchers show that the Chip and PIN system is vulnerable to
fraud (11.02.2010)
http://www.cl.cam.ac.uk/research/security/banking/nopin/press-release.html

Chip and pin card readers fundamentally flawed (11.02.2010)
http://www.telegraph.co.uk/science/science-news/7215920/Chip-and-pin-card-readers-fundamentally-flawed.html

Chip and PIN is broken, say researchers (11.02.2010)
http://news.zdnet.co.uk/security/0,1000000189,40022674,00.htm

============================================================
9. Google's new service raises privacy concerns
============================================================

Google Buzz, the new networking service launched by Google, has met with
criticism and confusion from its users, who complained that a list of
people they frequently email or chat with had appeared on their profile.

The problem occurred due to the default options when creating one's profile
which automatically post the respective list from Gmail and Google chat. In
order to avoid posting the respective list on the profile, the user has to
use the opt-out variant or edit the list himself.

"Google attempted to jump start Buzz with lists drawn from its successful
Gmail and Gchat services. While this may help Buzz grow and save users the
time to type in all their contacts, it also has an inherent danger of
inadvertent disclosure of private information," commented EFF lawyer
Kurt Opsahl.

Google chief executive Eric Schmidt reacted to the users' criticism by
stating that the issue had been caused by confusion and miscommunication.
"I would say that we did not understand how to communicate Google Buzz and
its privacy. There was a lot of confusion when it came out on Tuesday, and
people thought that somehow we were publishing their email addresses and
private information, which was not true (...) I think it was our fault that
we did not communicate that fact very well, but the important thing is that
no really bad stuff happens in the sense that nobody's personal information
was disclosed."

This statement is contradicted not only by users but also by Buzz product
manager Todd Jackson, who told the BBC on 16 February that the company was
"very, very sorry" and that users were "rightfully upset".

Schmidt admitted however that the company made some changes in order to cope
with the situation. "Since Tuesday we have made a series of changes to the
product which make some very fundamental changes in the way that you
initially experience it, in particular instead of automatically following
everybody it now gives you a list of who you want to follow and it makes it
incredibly explicit that it has not been giving them information without you
giving it to them."

Protect Your Privacy on Google Buzz (12.02.2010)
http://www.eff.org/deeplinks/2010/02/protect-your-privacy-google-buzz

What's the Buzz about? Studying user reactions (12.02.2010)
http://www.lightbluetouchpaper.org/2010/02/12/whats-the-buzz-about-studying-user-reactions/

Google boss says 'nobody was harmed' by Buzz debacle (17.02.2010)
http://www.guardian.co.uk/technology/2010/feb/17/google-buzz-schmidt

============================================================
10. Romania: Moral damages for publishing personal data online
============================================================

A Romanian local court has decided to award 10 000 Euro as moral damages to
a private person, after his full details were published on the website of
the City Hall, including his HIV-related problems.

In June 2008, Bucharest District 1 City Hall published on its website
some decisions of the Local Council on the beneficiaries of free public
transport by subway for persons with a severe handicap. The decisions were
published together with the annexes, which contain all the personal data of
the persons concerned (name and surname, address, ID card number, Unique
Personal Code Number and a description of their disability).

The citizen who was on that list and initiated the action claimed moral
damages, considering that the data should not have been made public, but
just sent to the subway administration. He also claimed that he and his
parents suffered several forms of moral harm after this event through the
deterioration of his relations with friends and neighbours. He was in fact
forced to move away from that location because of this disclosure.

The City Hall argued that they did not intend to discriminate anyone and the
publication of the Annexes was "a technical mistake".

The Bucharest District 1 Local Court considered that the conditions
required by the Romanian law on tort had been met, and that the City Hall
had breached the complainant's right to privacy as expressed in Article 8 of
the European Convention of Human Rights, law 677/2001 (Romanian
transposition of the data protection directive) and other specific
legislation in the medical field that obliges public servants to maintain
confidentiality about patients who are HIV positive or have AIDS. Therefore
the Court has awarded damages of 10 000 Euro to the complainant.

The court's decision was appealed by the City Hall to the Bucharest
Tribunal, which rejected the appeal in February 2010. Thus, the initial
decision of the Bucharest District 1 Local Court remains definitive and
applicable.

It is probably the first publicly known case in Romania in which a person
has received moral damages from a national court on grounds of privacy
breach, after a series of cases at the European Court of Human Rights where
Romania was condemned for breaching Article 8. The decision of the court is
also surprising with regard to the amount awarded, as Romanian courts are
generally very reluctant to award any moral damages.

Romania: record damages for publishing personal data on a website - contains
also the full court decision (only in Romanian, 18.02.2010)
http://legi-internet.ro/blogs/index.php/2010/02/18/daune-publicare-date-personale-site

ECHR case: Rotaru vs. Romania (4.05.2000)
http://www.echr.coe.int/Eng/press/2000/May/Rotaru.eng.htm

============================================================
11. Germany DPAs to discuss the EU-US Safe Harbour Agreement
============================================================

The German data protection authorities want to have a meeting on the EU-US
data protection Safe Harbour agreement and to agree on a resolution on this
matter.

Heise reports that some of the German Länder Data Protection Authorities
(DPAs) that will meet in Düsseldorf in April are unhappy about the practical
application of the Safe Harbour agreement, especially as a high number of
servers belonging to companies such as Google and Facebook, holding EU
citizens' personal data, are located there.

The concern of the German DPAs is motivated by a report published by
Galexia, a US consulting company, which found that more than 200 companies
claimed to have joined the Safe Harbour Agreement without having done so. It
also showed that only about 350 companies complied with the minimal
requirements and that, by December 2008, in 10 years of application of the
agreement, there had been only one court case for not fulfilling the
requirements, without any sanctions for the infringing company.

The first case in which a US company was charged by the US Federal Trade
Commission with falsely claiming compliance with the Safe Harbour Privacy
Principles took place only in 2009. The charged company - the Californian
Internet retailer Balls of Kryptonite - had led consumers to believe it was
located in the UK and had falsely claimed that it had self-certified its
compliance with the Safe Harbour.

Safe Harbor Agreements: wild card for American privacy infringers? (only in
German, 17.02.2010)
http://www.heise.de/newsticker/meldung/Safe-Harbor-Abkommen-Freibrief-fuer-amerikanische-Datenschutz-Suender-933700.html

The US Safe Harbor - Fact or Fiction? (12.2008)
http://www.galexia.com/public/research/articles/research_articles-pa08.html

US Prosecution for false web claim of Safe Harbor status (11.09.2009)
http://www.galexia.com/public/research/articles/research_articles-byte08.html

Court Halts U.S. Internet Seller Deceptively Posing as U.K. Home Electronics
Site (8.06.2009)
http://www.ftc.gov/opa/2009/08/bestpriced.shtm

============================================================
12. ENDitorial: Richard Stallman on "Copyright versus Public" in Berne
============================================================

On 11 February 2010 the auditorium at the University of Berne was packed for
a talk by Richard Stallman on copyright issues. Stallman is better known
as the founder of the GNU free software system which, together with the
operating system kernel named Linux, is very popular as GNU/Linux.

His talk was to be on software patents, but then he decided that when in
Berne, he wanted to protest against aspects of the Berne Convention which
constitutes the primary instrument of international law with regard to
copyright. So, he adjusted the topic of his talk accordingly.

Stallman explained how copyright had been introduced as a way of protecting
investments in printing. He described this as a win-win situation
originally, as consumers didn't lose anything by not being allowed to
reproduce paper books, but gained something, as without the printing
industry there wouldn't be any cheap books at all. However, modern
digital methods have changed this, as the reproduction costs of digital
files are very low, whether for one or for many copies. Like the music
and video industries, the book industry would like to maximize its
economic power by controlling its customers with DRM, digital
restrictions management. In extreme cases, the license to read a digital
book might even be only temporary.

Stallman described the worst practices, from video-content-scrambling, the
Sony rootkit, music on defective non-standard CDs, the "Amazon Swindle",
right up to Apple's "iBad", all designed to move control from the customer
to the seller.

He went on to refute the industry's claims of protecting the authors and
artists, explaining that the existing system is in fact very unfair to
everyone except a small number of best-sellers and stars.

Stallman also criticised the role of governments which serve not public but
rather industrial interests, e.g. by continuously lengthening the terms of
copyright and criminalising people even for private copying. In effect, the
content industry is stealing works which legitimately belong to the public
after an initial period. The main problem is the length of this period
extending long after the death of the authors or artists.

Stallman proposed that the duration of copyright should be about ten
years from the date of publication, and that the copyright law should
distinguish three categories of creative works, as follows:
"Functional works" which have a practical use for getting a job done,
such as computer software, must be free in the sense of users having
the freedom to modify the work and redistribute it in an original or
modified form. Then, there are essays of opinion and scientific
papers. For these, noncommercial sharing must be allowed. Finally,
there are works of art and entertainment. According to Stallman, with
regard to this latter category, there are legitimate arguments on both
sides with regard to whether non-commercial sharing should be allowed
while they're in copyright. He insists that in any case, making a
"remix" must be legal. Borderline cases should fall into the category
which allows the public more freedom; this rule would be necessary to
prevent abuse by intentional creation of borderline cases.

After the talk, Stallman auctioned a stuffed toy GNU with proceeds going to
the Free Software Foundation, of which he is president. Bidding was brisk
and went up to 500 CHF. Then it was question time, but most of the
questioners didn't get the answers they wanted or were expecting!

After a brief lunch break, it was time for the demonstration with three
demands:
- Copyright lasts far too long;
- Works should only be covered by copyright if published with copyright
notices;
- The "three step test" for exceptions to copyright places the copyright
holders above the public, and interferes with liberties that the
Internet-using public must have.

There were far fewer people at the demonstration, in fact only a couple of
dozen, making it one of Berne's smallest ones. Although members of most
political parties were present, it was visually completely taken over by the
Pirate Party waving large orange flags. (Demands for freedoms in the context
of the digital revolution belong to the party's main agenda.) Led by Richard
Stallman, the demonstrators marched from the University to the
Waisenhausplatz, handing out leaflets and chanting "Sharing is good!" Here
the demo officially ended under the watchful eye of the police, but
reassembled briefly in front of the Federal House of Parliament for a couple
of photos. In spite of the many cameras, none of the pictures, nor any
mention of the event made it into the mainstream media.

It was a strange feeling to have a VIP like Stallman attract so many
with words and so few with action, and then be so totally ignored by
the mainstream media. It appears that while western democracies guarantee
freedom of speech, the hurdle for getting the public's attention for ideas
which are not yet in the mainstream is unreasonably high.

Free Software Foundation
http://www.fsf.org

Audio recording of Richard Stallman's talk (11.02.2010)
http://www.digitale-nachhaltigkeit.ch/wp-content/uploads/2010/02/RichardStallman_2010-02-11_CopyrightVSPublic_Bern.ogg

Online reactions and pictures from the event (12.02.2010)
http://www.digitale-nachhaltigkeit.ch/2010/02/richard-stallman/

(Contribution by Theo Schmidt and Norbert Bollow - Switzerland)

============================================================
13. Recommended Action
============================================================

Fundamental Rights Agency (FRA) International Video Competition
Topic: EU fundamental rights
Deadline for submission: 2.04.2010
Participants: EU citizens 18-30 years old
http://fra.europa.eu/fraWebsite/attachments/Flyer-video-comp.pdf

============================================================
14. Recommended Reading
============================================================

Measuring the Perpetrators and Funders of Typosquatting
At least 938,000 typosquatting domains target the top 3,264 .com sites.
http://www.benedelman.org/typosquatting/typosquatting.pdf
http://www.lightbluetouchpaper.org/2010/02/17/measuring-typosquattings-perpetrators-and-funders/

European Parliament - Culture Committee - Draft Report on "Europeana - next
steps"
http://www.europarl.europa.eu/meetdocs/2009_2014/documents/cult/pr/793/793669/793669en.pdf
Amendments to the draft report
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-430.897+02+DOC+PDF+V0//EN&language=EN
EU online library needs 'more and better' content (23.02.2010)
http://www.euractiv.com/en/culture/eu-online-library-needs-more-and-better-content-news-279202

============================================================
15. Agenda
============================================================

5 March 2010, Brussels, Belgium
Colloquium 2010: What's left of your privacy in 2010.
Protecting privacy against government and employer
http://www.progresslaw.net/index.php?&lns=2

12-13 April 2010, Oxford, UK
4th PrivacyOS Conference
https://www.privacyos.eu/archives/98-Invitation-4th-PrivacyOS-Conference-Oxford.html

14-16 April 2010, Berlin, Germany
re:publica'10 - Conference about blogs, social media and the digital society
http://www.re-publica.de/10

24 April 2010, London, United Kingdom
Open Knowledge Conference (OKCon) 2010
http://www.okfn.org/okcon/

29-30 April 2010, Madrid, Spain
EuroDIG 2010
http://www.eurodig.org/

6-7 May 2010, Krems, Austria
4th International Conference on eDemocracy 2010
Submission of papers: 1 March 2010
http://www.donau-uni.ac.at/en/department/gpa/telematik/veranstaltungen/id/13823/index.php

26-28 May 2010, Amsterdam, Netherlands
World Congress on Information Technology
http://www.wcit2010.com/

30-31 May 2010, Montreal, Canada
Third International Workshop on Global Internet Governance: An
Interdisciplinary Research Field in Construction
Submissions for thematic presentations: 20 March 2010
http://giga-net.org/page/2010-international-workshop

8-9 June 2010 - Funchal, Portugal
4th International Workshop on RFID Technology - Concepts, Applications,
Challenges - IWRT 2010
Paper Submission: 8 March 2010
http://www.iceis.org/Workshops/iwrt/iwrt2010-cfp.htm.

25-27 June 2010, Cluj, Romania
Networking Democracy?
New Media Innovations in Participatory Politics
http://www.brisc.info/NetDem/

9-11 July 2010, Gdansk, Poland
Wikimedia 2010 - the 6th annual Wikimedia Conference
http://wikimania2010.wikimedia.org/wiki/Main_Page

29-31 July 2010, Freiburg, Germany
IADIS - International Conference ICT, Society and Human Beings 2010
Paper submissions: 15 March 2010
http://www.ict-conf.org/

13-17 September 2010, Crete, Greece
Privacy and Security in the Future Internet
3rd Network and Information Security (NIS'10) Summer School
http://www.nis-summer-school.eu

============================================================
16. About
============================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 27 members based or with offices in 17 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or
unsubscribing.

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




