EDRi-gram newsletter - Number 9.10, 18 May 2011

EDRI-gram newsletter edrigram at edri.org
Wed May 18 10:15:03 PDT 2011


============================================================

       EDRi-gram

biweekly newsletter about digital civil rights in Europe

Number 9.10, 18 May 2011

============================================================
Contents
============================================================

1. EU and China adopt harmonised approach to censorship
2. Data retention in EU Council Meeting
3. Belgium Senate deletes the repressive part of the three strikes draft law
4. Dutch ISPs admit to using deep packet inspection
5. CoE refuses to start investigation on biometrics
6. Ireland adopts innovation agenda on intellectual property
7. UK police has bought surveillance software to track online movements
8. Google found guilty in Belgium for newspapers' copyright infringement
9. Privatised enforcement series E: Online trading platforms sell out
10. CFP 2011 Conference to address the Future of Technology and Human Rights
11. ENDitorial: RFID PIA: Check against delivery
12. Recommended Action
13. Recommended Reading
14. Agenda
15. About

============================================================
1. EU and China adopt harmonised approach to censorship
============================================================

The European Union and China appear to have agreed to share their preferred
approaches to censorship, producing a model that is a perfect mix between
current EU and Chinese policies.

On 20 April 2011, at an event in the European Parliament entitled "Creative
Industries: Innovation for Growth", the French European Commissioner for the
Internal Market, Michel Barnier, announced plans to focus on Internet
providers to enforce intellectual property. He explained that he did not
want to "criminalise" consumers and therefore would put the pressure on
online intermediaries (who will then police and punish the consumers
instead).

Eight days later, on 28 April, the Beijing Copyright Bureau decided to
follow exactly the same model. In its "Guiding Framework for the Protection
of Copyright for Network Dissemination," it proposes a range of obligations
on Internet intermediaries such as:

- 180-day data retention for the name and IP address of users, if
the intermediary provides file-sharing or hosting services. This is
fractionally more liberal than the most liberal approach permitted by the
European Commission, which requires data retention for a minimum of six
months;

- deterring and restraining (sic) those who upload unlicensed
material, including terminating the offending users' service (as appears in
the preparatory works of the ACTA agreement, supported by the EU) and also
reporting these infringing acts to copyright law enforcement authorities;

- employing "effective technical measures to prevent users
uploading or linking to copyrighted works" (as supported by the EU in its
input to the European Court of Justice in the Scarlet/Sabam case (C-70/10)).

While the developments in relation to copyright show China's willingness to
learn from the EU's planned repressive measures, the traffic is not entirely
one-way, as shown by the recent revelations on the Hungarian Presidency's
"virtual Schengen" proposal.

In 2008, the French EU Presidency developed plans for a "Cybercrime
Platform" to be run by Europol, as a means of collecting reports of
illicit/unwanted content from across Europe, acting as an "information hub"
with the reasonably obvious intention of a harmonised approach to blocking
web content.

This approach was further developed in the Internal Security Strategy from
2010, which said ominously that "while the very structure of the internet
knows no boundaries, jurisdiction for prosecuting cybercrime still stops at
national borders. Member States need to pool their efforts at EU level. The
High Tech Crime Centre at Europol already plays an important coordinating
role for law enforcement, but further action is needed."

The European Commission immediately took the initiative and offered funding
for projects that supported "the blocking of access to child pornography or
blocking the access to illegal Internet content through public-private
cooperation" - expanding blocking both to content of any kind and to
extra-judicial blocking, in contravention of the European Convention on
Human Rights and the EU Charter of Fundamental Rights. As a result, European
police forces were given a grant of 324 059 Euro to lobby for blocking in
the EU.

All of these developments have now led to the proposal for a "Great Firewall
of Europe", as demonstrated by an EU Council presentation published this
week by EDRi. This would harmonise the EU's approach to content that it
wished to stop at the EU's borders, following the same logic as the "Great
Firewall of China" which censors unwanted content from outside China's
jurisdiction. Ironically, both the European Commission and Council of
Ministers are now claiming that such a blocking plan was never the intention
and are distancing themselves from the proposal - even to the point of
rewriting the minutes of the meeting where the proposal was discussed.

In summary, therefore, the EU/China internal policy on censorship will be
based on the European model of censorship by proxy, whereby Internet
intermediaries undertake the work. For unwanted traffic from outside the EU,
the Chinese model of a "virtual border" is being pushed forward, despite
recent protestations of innocence from the EU institutions.

Hungarian presidency rewriting of history of meeting
http://register.consilium.europa.eu/pdf/en/11/st07/st07181-co01.en11.pdf

Virtual Schengen documents released by EU Council (12.05.2011)
http://www.edri.org/virtual_schengen

Commission input to ECJ on Scarlet/Sabam (only in French, 13.01.2011)
http://www.mlex.com/itm/Attachments/2011-01-13_1B8G0W13A97M04RY/C70_10%20FR%20Hearing.pdf

ACTA Draft: No Internet for Copyright Scofflaws (24.03.2010)
http://www.wired.com/threatlevel/2010/03/terminate-copyright-scofflaws/

EU Internal Security Strategy
http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/113055.pdf

French Presidency work programme
http://www.eu2008.fr/webdav/site/PFUE/shared/ProgrammePFUE/Programme_EN.pdf

EU Communication: Internal Security Strategy (22.11.2010)
http://www.statewatch.org/news/2010/nov/eu-com-internal-security-strategy-nov-10.pdf

Chinese copyright office: Guiding Framework on the Protection of Copyright
for Network Dissemination (28.04.2011)
http://www.r2g.net/english/english_news_article_1004.htm

EU information management instruments (20.07.2010)
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/10/349&type=HTML

Council and Commission distance themselves from blocking plans (only in
German, 16.05.2011)
http://www.spiegel.de/netzwelt/netzpolitik/0,1518,762783,00.html

Commission funding - ISEC 2010 action grants
http://bit.ly/mE9noz

(Contribution by Joe McNamee - EDRi)

============================================================
2. Data retention in EU Council Meeting
============================================================

The EU Council Working Group of Justice and Home Affairs had a first
discussion on 12 May 2011 on the European Commission implementation report
on the data retention directive.

The Commission agreed that the implementation has been uneven, both in terms
of retention periods and in respecting data protection principles.
The working group discussed issues related to a common definition of
"organised crime", that was opposed by some, on the basis of infringing the
rights of Member States to govern their own affairs on entirely internal
processes ("subsidiarity").

This was just a preliminary discussion, where some member states claimed
that data retention was necessary, favouring a two year retention period.
Only a few countries brought forward the idea of the "quick freeze" as
an alternative solution.

The next schedule presented by the Commission includes several public
meetings, the first with civil society on 8 June 2011. After that, the
impact assessment should be finalized after the summer and, by the end of
2011, the European Commission wishes to present its proposal to amend the
data retention directive.

Press release: 3085th Council meeting - Justice and Home Affairs
(12.05.2011)
http://www.consilium.europa.eu/uedocs/NewsWord/en/jha/121967.doc

EDRi-gram: Top 10 misleading statements of the European Commission on data
retention (20.04.2011)
http://www.edri.org/edrigram/number9.8/data-retention-evaluation

============================================================
3. Belgium Senate deletes the repressive part of the three strikes draft law
============================================================

The Belgian version of the French Hadopi three strikes law was significantly
changed by the Commission of Finance and Economic Affairs (COMFINECO) of
the Belgian Senate during a hearing organised on 11 May 2011 on copyright
and Internet.

The proposal, initially submitted in 2010 and re-tabled at the beginning of
2011, was amended by the removal of a series of articles which actually
referred to the three strikes system.

NURPA (the Net Users' Rights Protection Association) warns that the proposed
law, although amputated, still raises certain concerns and draws attention
especially to article 12 which "requires the settling of
agreement between private actors and allows the limitation of the Internet
user's freedom of usage". The article stipulates that the agreement signed
with the ISPs "determines the limits and conditions under which a user that
has access to a public online communication service can use it to exchange
works protected by copyright or related right(s)."

Inspired also by the French Hadopi law, the proposed Belgian law introduces
the creation of a Council for the protection of copyright on the Internet
that would have as its main task to establish a list of legal offers. It is
not clear which criteria will be used to determine what offers will be legal
and which will be the means to keep such a list updated and complete.
"Instead of seeing the Internet as an opportunity to reduce the number of
intermediaries between the public and the artists, the text only continues
to place the copyright collective societies in the centre of the revenue
perception. There are innovating initiatives and a freedom of artistic
distribution that should be encouraged rather than playing in the hands of
the private societies" stated Daniel Faucon, spokesperson for NURPA.

Two contradictory opinions also marked the COMFINECO hearing: one according
to which the service providers would incite illegal downloading and
therefore should be made responsible, and a second one that is closer to
net neutrality, meaning that the service providers should not be held
accountable for the content exchanged on the Internet.

The Belgium HADOPI amputated in its repressive part (only in French,
12.05.2011)
http://nurpa.be/actualites/2011/05/HADOPI-belge-amputee-partie-repressive.html

The Belgium Hadopi is buried, but filtering is not (only in French,
12.05.2011)
http://www.numerama.com/magazine/18776-la-hadopi-belge-est-enterree-mais-pas-le-filtrage.html

EDRi-gram: Four strikes law returns to Belgium (9.05.2011)
http://www.edri.org/edrigram/number9.5/belgium-four-strikes-law-returns

============================================================
4. Dutch ISPs admit to using deep packet inspection
============================================================

During an investors day on 10 May 2011 in London, Dutch Internet service
provider KPN admitted to using deep packet inspection (DPI) technology, to
determine the use of certain applications by its mobile internet customers.
Vodafone soon followed with an announcement that it used this
technology for traffic shaping. The Dutch minister of Economic Affairs
within days announced an investigation into KPN's practices and promised to
publish the results within two weeks.

The recent revelations come after Dutch telecom giant KPN announced that
it will start charging mobile internet users extra for the use of
certain applications, such as internet telephony. This is a hot topic in
the Netherlands, as net neutrality rules will soon be discussed in the
Dutch parliament. Dutch digital rights organisation Bits of Freedom is
concerned that the application of DPI by KPN is a violation of the Dutch law
and called for customers to lodge a complaint with the public prosecutor.

Article on use of DPI by KPN (12.05.2011)
http://webwereld.nl/nieuws/106656/kpn-luistert-abonnees-af-met-deep-packet-inspection.html

Press release Bits of Freedom (12.05.2011)
https://www.bof.nl/2011/05/12/persbericht-bits-of-freedom-roept-kpn-abonnees-op-om-aangifte-te-doen-tegen-aftappen/

(contribution by Ot van Daalen - EDRi-member Bits of Freedom, Netherlands)

============================================================
5. CoE refuses to start investigation on biometrics
============================================================

In an answer to the 31 March 2011 petition calling on the Council of Europe
(CoE) to start an in-depth survey under Article 52 of the European
Convention on Human Rights, Thorbjørn Jagland, the Secretary General of the
CoE, refused to start an investigation on the collection and storage of
citizens' biometric data by member states.

In his answer, Secretary General Jagland mainly points to the CoE
Resolution 1797, adopted in March 2011. He does stress the need to take
steps to ensure that relevant existing legal frameworks, including European
data protection Convention 108, be enhanced and modernised. However, the
Secretary General doesn't explain his refusal to investigate the legality of
the current national biometric schemes. Instead, Mr. Jagland refers
to various other Council of Europe bodies, such as the Parliamentary
Assembly, the commissioner for Human Rights and the Consultative Committee
of Convention 108.

In a first reaction to the response from Strasbourg, an alliance
spokesperson said: "The lack of protection of citizens' rights against
government use of biometrics is stunning. Moreover, the digital fingerscan
technique itself is immature. For example a government test in the
Netherlands, published after our petition, showed biometric verification
failure rates of 21%. A test by the mayor of the city of Roermond revealed
that for no less than one in every five persons collecting travel documents,
the initial fingerprint scan had been so bad that it wasn't verifiable. So
how can you ever reach the goals of the Passport Laws by storing these on
the document chip? This confirms once again that an in-depth survey has to
be conducted soon on whether the human rights guarantees and conditions of
necessity (effectiveness, proportionality, subsidiarity and safety
guarantees) set by the European Convention on Human Rights and the data
protection Convention are indeed upheld in the countries involved."

The more than 80 petition signatories from 27 countries, including EDRi,
include - among others - digital, civil and human rights defenders, media,
legal and medical organisations, academia, politicians and personal victims
without a passport because of objections involving the biometric storage.

Petition to Council of Europe on government use of citizens biometrics
(updated on 12.05.2011)
https://www.privacyinternational.org/article/petition-council-europe-government-use-citizens-biometrics

Answer of Council of Europe (29.04.2011)
http://yfrog.com/z/h4yfwslj

EDRi-gram: NGOs ask CoE to investigate government collection of biometrics
(6.04.2011)
http://www.edri.org/edrigram/number9.7/petition-coe-biometrics

============================================================
6. Ireland adopts innovation agenda on intellectual property
============================================================

Richard Bruton, the Irish Minister for Enterprise, Jobs and Innovation, said
that he was determined that the Irish government should make whatever
changes were necessary to allow innovative digital companies to reach their
full potential in Ireland. He said that some companies have complained that
the current copyright legislation did not cater well for the digital
environment and created barriers to innovation and to the establishment of
new business models. For this reason, he has proposed research into how the
current copyright law could be amended in such a way so that it would foster
innovation.

In order to achieve the aforementioned goal, Mr Bruton set up the Copyright
Review Committee which, in the words of the Department of Enterprise, Trade
and Innovation, has the following tasks:

(1) Examine the present national copyright legislation and identify any
areas that are perceived to create barriers to innovation;
(2) Identify solutions for removing these barriers and make recommendations
as to how these solutions might be implemented through changes to national
legislation;
(3) Examine the US style "fair use" doctrine to see if it would be
appropriate in an Irish/EU context;
(4) If it transpires that national copyright legislation requires to be
amended but cannot be amended, (bearing in mind that Irish copyright
legislation is bound by the European Communities Directives on Copyright and
Related Rights and other international obligations) make recommendations for
changes to the EU Directives that will eliminate the barriers to innovation
and optimise the balance between protecting creativity and promoting and
facilitating innovation.

After completing these four tasks, the Copyright Review Committee will
present a Report to the Government with a set of recommendations for
legislative change. The Review will start with a consultation. All
interested parties are invited to submit their views for inclusion in the
review.

The Chair of the Review Committee will be Dr. Eoin O'Dell of Trinity
College, Dublin. The other members of the Review Committee will be
Professor Stephen Hedley (University College Cork) and Ms. Patricia
McGovern (DFMG Solicitors). The deadline for sending submissions is the end
of June 2011.

Consultation on the Review of the Copyright and Related Rights Act 2000,
Department of Enterprise, Trade and Innovation of Ireland (09.05.2011)
http://www.deti.ie/science/ipr/copyright_review_2011.htm

Radical copyright law reform to boost Ireland's digital economy? (09.05.2011)
http://siliconrepublic.com/new-media/item/21695-radical-copyright-law-refor

(Contribution by Daniel Dimov - intern at EDRI)

============================================================
7. UK police has bought surveillance software to track online movements
============================================================

Civil liberties groups have shown great concern about the UK Metropolitan
police force's possible use of Geotime surveillance software that can map
nearly every move in the digital world of "suspect" individuals.

The Geotime security programme, which has recently been purchased by
Britain's Metropolitan Police, is used by the US military and is able to show an
individual's movements and communications with other people on a
three-dimensional graphic. It can be used to put up information gathered
from social networking sites, satellite navigation equipment, mobile phones,
financial transactions and IP network logs, creating a 3D graphic of
correlations between actions, people and places.

The use of such a tool is seen as a threat to personal privacy.
Alex Hanff, the campaigns manager at Privacy International, showed concern
that by the aggregation of "millions and millions of pieces of microdata, a
very high-resolution picture of somebody" might be obtained. This could
also be used by the government and police "for the benefit of commercial
gain," and he therefore asked the UK police to explain who would decide how
this software will be used in the future.

"This latest tool could also be used in a wholly invasive way and could fly
in the face of the role of the police to facilitate rather than impede the
activities of democratic protesters," said Sarah McSherry, a partner at
Christian Khan Solicitors, representing several protesters in cases against
the Metropolitan police.

Daniel Hamilton, director of the Big Brother Watch privacy blog, told
ZDNet UK that "the ability to build up such a comprehensive record of any
person's movements represents a significant threat to personal privacy."

According to Geotime's website, the programme displays data from various
sources, allowing the user to navigate the data with a timeline and animated
display and the links between entities "can represent communications,
relationships, transactions, message logs etc and are visualised over time
to reveal temporal patterns and behaviours."

The representatives of The Metropolitan police stated it was "in the process
of evaluating the Geotime software to explore how it could possibly be used
to assist us in understanding patterns in data relating to both space and
time" and that it had not yet taken a final decision on whether the software
would be adopted permanently.

A spokesperson from the Ministry of Defence said the software was also under
investigation by the ministry.

This comes at a time when data retention has become a main issue of
discussion, increasingly challenged and criticised, and when the UK
already exercises a high level of surveillance of individuals' online
activities.

According to the Guardian, Catt, an 86-year-old man without any criminal
record, has recently been granted permission to sue a secretive police unit
for having kept, on a clandestine database, a detailed record of his
presence at more than 55 peaceful protests for peace and human rights over a
four-year period.

The unit in question has been compiling a huge, nationwide database of
thousands of protesters for more than ten years already. The police claim
the unit only monitors so-called "domestic extremists" (which in Catt's case
is a very exaggerated statement) and that the "minor" surveillance of Catt
was a "part of a far wider picture of information which it is necessary for
the police to continue to monitor in order to plan to maintain the peace,
minimise the risks of criminal offending and adequately to detect and
prosecute offenders".

Police buy software to map suspects' digital movements (11.05.2011)
http://www.guardian.co.uk/uk/2011/may/11/police-software-maps-digital-movements

Metropolitan Police trials GeoTime tracking software (12.05.2011)
http://www.zdnet.co.uk/news/security-management/2011/05/12/metropolitan-police-trials-geotime-tracking-software-40092756/

Privacy storm after police buy software that maps suspects' digital
movements (12.05.2011)
http://www.dailymail.co.uk/sciencetech/article-1386191/Privacy-storm-police-buy-Geotime-software-maps-suspects-digital-movements.html#ixzz1MX6kvAZ9

Protester to sue police over secret surveillance (3.05.2011)
http://www.guardian.co.uk/uk/2011/may/03/protester-sue-police-secret-surveillance

============================================================
8. Google found guilty in Belgium for newspapers' copyright infringement
============================================================

Google lost its appeal in front of the Belgian appeals court which upheld an
earlier ruling, having found the company guilty of infringing the copyright
of newspapers, in the case introduced in 2006 by Copiepresse.

In 2006, Copiepresse, an agency acting for newspapers, sued Google for
allegedly infringing the copyright of newspapers when linking, on its Google
News service, to content from newspaper websites or copies of sections of
stories.

A Belgian judge ruled that Google had to remove all the content referring to
Belgian newspaper stories from its services and the Court of First Instance
in Belgium upheld that ruling in February 2007.

Google appealed the decision and argued that Google News was fully
consistent with applicable copyright laws and considered that US law should
have applied in the case because the company posts the articles of the
Belgian sites from the US. However, the court, based on the Berne
Convention, estimated that only the Belgian law could be applicable and that
the distribution through the Google.be website of works that are protected
by copyright in Belgium was illegal and that it did not matter that the
posts were made automatically by robots from abroad.

The court also estimated that one didn't need to read the entire article
to understand the information posted by Google, that Google News could not
be assimilated with press review and it infringed the paternity right by not
mentioning the name of the author.

The court's decision asked Google to remove all links to material from
Belgian newspapers in French (the rulings do not apply to Flemish
newspapers). Failing to comply with the court's decision may bring Google a
fine of about 25 000 Euro per day.

"References with short titles and direct links to the sources are not only
legal, but also encourage the users to read the online newspapers" stated
Al Verney, spokesperson for Google.

While Copiepresse welcomes the decision, Google reminded the agency that it
is not the only search engine making reference to online contents but that
actually, this is common practice with most search engines.

It also seems Google wants to bring the case to a higher court.

Google infringes copyright when its services link to newspaper sites,
Belgian court rules (10.05.2011)
http://www.out-law.com/default.aspx?page=11911

Court's decision (only in French, 5.05.2011)
http://copiepresse.be/Copiepresse5mai2011.pdf

Google Busted for Copyright Violation in Belgium (7.05.2011)
http://www.pcworld.com/article/227379/google_busted_for_copyright_violation_in_belgium.html

Copiepresse press release (only in French, 5.05.2011)
http://www.copiepresse.be/Communique%20de%20presse%20condamnation%20Google.pdf

Google loses the Copiepresse case in appeal (only in French, 9.05.2011)
http://datanews.rnews.be/fr/ict/actualite/apercu/2011/05/09/google-perd-le-proces-copiepresse-en-appel/article-1195006983670.htm

New condemnation of Google News in Belgium (only in French, 9.05.2011)
http://lexpansion.lexpress.fr/high-tech/nouvelle-condamnation-de-google-news-en-belgique_255233.html

EDRi-gram: Belgium court backs decision against Google (14.02.2007)
http://www.edri.org/edrigram/number5.3/google-belgium

============================================================
9. Privatised enforcement series E: Online trading platforms sell out
============================================================

In a bizarrely designed document, looking like a mix between a wedding
invitation and an accident in a blue ink factory, leading online retailers
Amazon, eBay and Priceminister have sold out the interests of their
consumers in a "memorandum of understanding" with a range of luxury goods
and copyright groups. In return, they have received a non-binding
commitment not to be sued by the rightsholders for twelve months.

Under the agreement, the Internet platforms agree to take responsibility
"to assess the completeness and validity of" reports from rightsholders of
counterfeit goods being sold through their services and, based on this
extra-judicial notice, not only to remove the listings of the alleged
counterfeit material but also to take "deterrent measures against such
sellers".

Furthermore, for reasons that are not explicitly explained, Internet
platforms will receive lists of words "commonly used for the purpose of
offering for sale of 'obvious' counterfeit goods" which they will "take into
consideration". Up to the limits imposed by data protection law, "Internet
Platforms commit to disclose, upon request, relevant information including
the identity and contact details of alleged infringers and their user
names".

On the other side, the rightsholders undertake to make requests for personal
information "in good faith" and in accordance with the law.

With regard to sellers who are adjudged by the online retailer to have
repeatedly broken the law, the Internet platforms undertake to "implement
and enforce deterrent repeat infringer policies, according to their internal
guidelines" including temporary or permanent suspension of the seller. These
deterrent measures are to be implemented taking into account a number of
factors, including the "apparent intent of the alleged infringer". The
policing by the Internet platforms will, in turn, be policed by the
rightsholders who, subject to data protection law "commit to provide
information to Internet Platforms concerning those sellers they believe to
be repeat infringers and commit to provide feedback to Internet Platforms on
the effectiveness of Internet Platforms' policies regarding repeat
infringers (e.g. if rights owners feel that there has been a failure to take
measures against a repeat infringer)".

In the entire document, which consists of 47 paragraphs, just one is devoted
to the enforcement of the law by law enforcement authorities.

Memorandum of Understanding (4.05.2011)
http://ec.europa.eu/internal_market/iprenforcement/docs/memorandum_04052011_en.pdf

(Contribution by Joe McNamee - EDRi)

============================================================
10. CFP 2011 Conference to address the Future of Technology and Human Rights
============================================================

The 21st Annual Computers Freedom and Privacy Conference (CFP 2011) will be
held on 14 - 16 June 2011 in Washington DC, USA, at the Georgetown
University Law Center.

CFP conferences traditionally look at the technology and policy space with
an eye toward predicting what innovation might bring in relation to human
rights. It is a yearly gathering of activists, thinkers, government,
legislative, NGOs, business to discuss differing views on controversial
issues related to technology and policy. The conference is open to the
general public.

"The Future is Now" is the theme of this year's conference. Participants will
address emerging issues such as the role of social media in the democracy
movement in the Middle East and North Africa; technology and social media to
support human rights; the impact of mobile personal computing technology on
freedom and privacy; smart grid, e-health records, consumer location-based
advertising, cybersecurity, cloud computing, net neutrality, federated ID,
ubiquitous surveillance.

The program is structured around three days, with the first day dedicated to
privacy issues, the second to human rights and freedoms, and the third to
computing and technology. A particular effort has been undertaken this year
to increase the international scope of the conference. Keynote addresses
will be given daily by prominent speakers, including Alessandro Acquisti
(CMU), Mona Eltahawy (Columnist), danah boyd (Microsoft), Agnès Callamard
(Article 19), Cameron Kerry (US DoC), Edith Ramirez (FTC Commissioner),
Bruce Schneier (BT).

EDRi is involved both in the organization of and in the participation in this
event through representatives of its members and observers. Meryem Marzouki
(France) chairs the 'Human Rights and Freedom' day program subcommittee, and
will be moderating a session on "MENA Beyond Stereotypes: Technology of Good
and Evil Before, During and After Revolutions". Katarzyna Szymielewicz
(Poland), Ralf Bendrath (Germany), Cedric Laurent (Belgium), and others will
address "The Global Challenge of Mandatory Data Retention Schemes". European
issues and perspectives will also be highlighted during the session on "A
Clash of Civilizations: The EU and US Negotiate the Future of Privacy", with
the participation of Jan Philipp Albrecht, German MEP.

Together with the many other panels on currently hot issues in Europe, such
as the debate on technical intermediaries immunity or liability or the
impact on minorities and migrants of airport security measures and PNR data
collection, these sessions promise a very exciting conference this year.

All about CFP 2011 - Program, Speakers, Committee, Registration
(14-16.06.2011)
http://www.cfp.org/2011

(contribution by Meryem Marzouki - EDRi)

============================================================
11. ENDitorial: RFID PIA: Check against delivery
============================================================

In the context of the Hungarian Presidency of the European Council, the
European Commission and the Hungarian Innovation Office jointly organised
the IoT 2011 conference on the Internet of Things, earlier this week.

One of the main sessions was devoted to privacy and data protection in the
IoT age. The main points of the presentations in this session included the
high importance of technology design for any form of Internet regulation
(with reference to Lessig's "Code is law"), the need for a reduction of
bureaucracy in data protection and the importance of accurate information on
the consequences of IoT applications for individuals' privacy. The experts
stressed that it was important to maintain the existing data protection
principles also in an IoT age and that commercial competition must not take
place at the cost of reduced data protection standards.

Risk assessments like the RFID Privacy Impact Assessment (PIA) were
mentioned as an important tool that also enables end users (the data
subjects) to take informed decisions regarding the processing of their
personal data.

RFID and PIAs also became a topic during the Questions and Answers of the
following session, where Christian Plenge, Head of Architecture, Frameworks
& Innovation at METRO Systems GmbH (a company of one of the world's largest
retailers, Metro Group), informed the audience that Metro had decided to
leave RFID tags on their products active after the point of sale and to
offer their customers the possibility to deactivate the tags on request. An
option which, according to Mr. Plenge, was only chosen once so far, when a
data protection group was given a tour in an RFID-equipped store.

This statement is of particular interest as the European Commission's
recommendation on RFID data protection suggests, at points 11 and 12, that
retailers deactivate or remove RFID tags at the point of sale unless
consumers give their informed consent or a PIA concludes that the tags do
not represent a likely threat to privacy or the protection of personal data.

When asked by EDRi whether his statements could be understood to mean that
Metro Group has decided not to follow the European Commission's
recommendation, Mr. Plenge said that the PIA they had conducted had
concluded that there was no likely threat to privacy or the protection of
personal data and that their activities were therefore in line with the EC
recommendation.

This view is also promoted on the website of Metro's Future Store
Initiative, which claims that Metro's RFID use is "in full compliance with
existing provisions" and that their "transponders, ..., do not store any
personal consumer information". The Electronic Product Code (EPC; which is a
worldwide unique identifier) would only refer to product and process
information and "(p)ersonal data is neither disseminated nor stored".

For an audience not familiar with the data protection problems of RFID
applications and the discussions in the European Commission's RFID Expert
Group and elsewhere, this statement might be convincing at first sight.

The fact is, however, that the question of whether unique identifiers stored
on RFID tags constitute personal data has been discussed at length on
various occasions and that Metro was well involved in these debates. As a
result of these debates - and of the process leading to the RFID PIA
framework - the answer to this question was formally given in not one but
actually two working papers of the Article 29 Working Party (WP175 and
WP180): "... when a unique identifier is associated to a person, it falls in
the definition of personal data set forth in Directive 95/46/EC, regardless
of the fact that the 'social identity' (name, address, etc.) of the person
remains unknown (i.e. he is 'identifiable' but not necessarily
'identified')." (WP175, p. 8)

In the case of Metro's RFID use, this means that Metro - contrary to their
public statements - is in fact processing personal data of their customers
(the EPCs) and that Metro puts the personal data of their customers at risk
(which e.g. could be tracked by third parties without their knowledge) by
not deactivating the RFID tags at the point of sale and not taking any other
measures to mitigate the risks (at least as far as we know from Mr. Plenge
and the above mentioned corporate website).

Mr. Plenge's statement at the European Commission's IoT 2011 conference is
of particular importance as it was made several weeks after European
Commission Vice President Neelie Kroes, representatives of the European RFID
industry, the chairman of the Article 29 Data Protection Working Party and
the executive director of ENISA formally signed the RFID Privacy Impact
Assessment Framework as a tool of industry self regulation for data
protection compliant RFID applications. Before the signing ceremony took
place, this framework was formally endorsed by the Art. 29 Working Party
with working paper 180, in which the Working Party reconfirmed their above
mentioned statement on unique identifiers being personal data.

Mr. Plenge's statement that, besides the visit of a data protection group,
none of their customers ever requested that RFID tags on products should be
deactivated, highlights the drawback of opt-out regimes. Most of the
customers of retail stores are not data protection or RFID experts but
ordinary citizens. They need to trust the retailers to be given accurate
information and cannot base their shopping habits on general suspicion.
Therefore consumers are not aware of any threats to their privacy and expect
to have their personal data protected by default. It is therefore not a lack
of interest but a lack of knowledge that leads to this total of zero
deactivated RFID tags.

That it is not possible to sufficiently inform consumers about the data
protection risks of RFID applications at the point of sale was - by the
way - often claimed by industry representatives in the past couple of years
of RFID data protection discussions. This is one of the reasons why EDRi
always advocated for an opt-in regime instead of an opt-out one.

This current example of Metro Group's strategy is not only important because
this company is one of the world's largest retailers, the actions of which
affect the data protection rights of a large number of individuals, but also
because it gives an example of the practical value of self regulation tools
like the RFID PIA framework.

In our EDRi-gram article on the signing ceremony we wrote, among other things:
"The RFID PIA Framework is an important milestone on the way to the
implementation of privacy friendly RFID applications. Now it is important
that industry quickly but thoroughly implements the PIA in practice." As the
Metro example suggests it is the word "thoroughly" that needs to be
emphasised in this statement.

At Point 20 of the RFID recommendation, the European Commission announced
that it would "provide a report on the implementation of this
Recommendation, its effectiveness and its impact on operators and
consumers," in particular as regards the measures recommended for RFID
applications used in the retail trade, before the end of May 2012. In our
view, it is important to make sure that global players like Metro Group are
as well covered by this report as small and medium sized RFID operators, as
their level of adoption not only affects a large number of individuals but
also predetermines the level of compliance of the whole industry.

Point 5 of the RFID recommendation suggests that RFID operators make the
results of their privacy impact assessments available to the competent
authorities (the national data protection authorities; DPAs) at least six
weeks before the deployment of the application. EDRi calls on the national
DPAs, the European Data Protection Supervisor and the Article 29 Working
Party to make meaningful use of this opportunity by at least checking if
the PIA was conducted on the basis of a correct definition of personal data
and by providing statistics about how many PIA reports were made available
to them, in which member states, and by which industries.

EDRi is well aware that this request comes at a time when most DPAs suffer
from a lack of funding, staff and time. But we think that it is very
important - also for the future use of such tools in other areas - to ensure
that privacy risk assessments are carried out properly.

The RFID PIA Framework is an important milestone but we need to check
against delivery.

IoT 2011
http://www.iot-budapest.eu/

EDRi-gram 9.7: RFID Privacy Impact Assessment Framework formally adopted
(6.04.2011)
http://www.edri.org/edrigram/number9.7/rfid-pia-adopted-eu

EC recommendation (12.05.2009)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:122:0047:0051:EN:PDF

Metro Group Future Store Initiative: Privacy at METRO GROUP (last accessed
on 18.05.2011)
http://www.future-store.org/fsi-internet/html/en/1674/index.html

Opinion 5/2010 on the Industry Proposal for a Privacy and Data Protection
Impact Assessment Framework for RFID Applications (13.07.2010)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp175_en.pdf

Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data
Protection Impact Assessment Framework for RFID Applications (11.02.2011)
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_en.pdf
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_annex_en.pdf

(Contribution by Andreas Krisch - EDRi)

============================================================
12. Recommended Action
============================================================

European Commission: Public Consultation on Cloud Computing
Deadline: 31 August 2011
http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=cloudcomputing&lang=en

============================================================
13. Recommended Reading
============================================================

UK: A review of Intellectual Property and Growth - An independent report by
Ian Hargreaves (05.2011)
http://www.ipo.gov.uk/ipreview.htm
http://www.thepublicdomain.org/2011/05/18/the-hargreaves-review-is-published/

Demonstrators take to streets across Turkey to protest Internet bans
(15.05.2011)
http://www.todayszaman.com/newsDetail_getNewsById.action?newsId=244062

============================================================
14. Agenda
============================================================

30-31 May 2011, Belgrade, Serbia
Pan-European dialogue on Internet governance (EuroDIG)
http://www.eurodig.org/

2-3 June 2011, Krakow, Poland
4th International Conference on Multimedia, Communication, Services and
Security organized by AGH in the scope of and under the auspices of INDECT
project
http://mcss2011.indect-project.eu/

3 June 2011, Florence, Italy
E-privacy 2011 and Big Brother Awards 2011
http://e-privacy.winstonsmith.org/

4-5 June 2011, Bonn, Germany
PolitCamp 2011
http://11.politcamp.org

12-15 June 2011, Bled, Slovenia
24th Bled eConference, eFuture: Creating Solutions for the Individual,
Organisations and Society
http://www.bledconference.org/index.php/eConference/2011

14-16 June 2011, Washington DC, USA
CFP 2011 - Computers, Freedom & Privacy
"The Future is Now"
http://www.cfp.org/2011/wiki/index.php/Main_Page

11-12 July 2011, Barcelona, Spain
7th International Conference on Internet, Law & Politics (IDP 2011): Net
Neutrality and other challenges for the future of the Internet
http://edcp.uoc.edu/symposia/lang/en/idp2011/?lang=en

24-30 July 2011, Meissen, Germany
European Summer School on Internet Governance 2011
http://www.euro-ssig.eu/

27 - 30 October 2011, Barcelona, Spain
Free Culture Forum 2011
http://fcforum.net/

============================================================
15. About
============================================================

EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 28 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRi-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and are visible on
the EDRi website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or
unsubscribing. 

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




