EDRi-gram newsletter - Number 9.17, 7 September 2011

EDRI-gram newsletter edrigram at edri.org
Wed Sep 7 11:33:35 PDT 2011


============================================================

       EDRi-gram

biweekly newsletter about digital civil rights in Europe

Number 9.17, 7 September 2011

============================================================
Contents
============================================================

1. The EC tries to increase government control of the Internet
2. Sweden argues that transposing data retention directive is unnecessary
3. DigiNotar breach leads to grave security concerns
4. EU privacy watchdog still displeased with online behavioural advertising
5. EP study on "Consumer Behaviour in a Digital Environment"
6. ECHR to analyse Azeri bloggers' complaint against unjust imprisonment
7. EP committee supports the introduction of body scanners in EU airports
8. ENDitorial: Abuse of Irish police databases
9. Recommended Reading
10. Agenda
11. About

============================================================
1. The EC tries to increase government control of the Internet
============================================================

The European Commission (EC) Information Society and Media
Directorate-General has recently drawn up a series of six policy papers
intended to increase government control over the Internet.

The policies have in view measures that include governmental control
over the domain names that can be registered, the veto power of governments
over new Internet domain names, significant structural changes at the level
of ICANN (Internet Corporation for Assigned Names and Numbers), an
obligation of the organisation to follow governments' advice (except for
cases considered illegal or damaging to the Internet stability) and the
creation of two bodies that would oversee ICANN decision-making and
finances.

The measures brought forth by the new policies would provide governments
with de facto control over the Internet's naming systems and would end
the independent and autonomous approach of the Internet's domain name
system. The new suggestion seems a logical consequence of the position taken
by the head of the European Commission's Audiovisual, Media and Internet
Directorate - Gerard de Graaf - at an ICANN meeting in Singapore in June
2011.

The recent EC papers come to argue for increased government control
and foresee the shift in power toward governments within the next 12 months.
According to the new policies, the governments are notified about the
applications received and are to indicate which TLDs might raise "public
policy concerns." This actually means that governments can try to block or
censor any content or applicant that they want, by using the "public policy
concerns" argument. The Governmental Advisory Committee (GAC) will be able
to raise formal objections later in the process.

GAC, which presently has no legal authority, will soon become a legislator
that can create a list of words that no Internet user in the world can
register, as proposed by the EC papers. GAC members (should be able to)
request the reservation or blocking of domain names at the second level
under new gTLDs. It should do this by constructing a censorship list, which
it calls a "reference list for all new gTLD operators to use and ICANN", say
the EC documents.

Milton Mueller from IGP (Internet Governance Project) explains that the fate
of the new registries and new domain names should be determined by users
and consumers, and not by a central planning authority dominated by
governments and special interest groups. "The new TLD program is also
important because domain names are a form of expression on the Internet. Any
policy that regulates the creation or operation of new domains based on
their meaning or the content underneath them is, de facto, a form of
globalized content regulation. Thus, even people who think domain names are
not that important need to pay attention to what happens in this space,
especially now that domain take-downs are becoming an increasingly common
form of state intervention."

The EC's second paper is damaging for the freedom of expression by
introducing huge, unnecessary economic barriers to entry. What it proposes
is to subordinate the Internet community's self-governance to hierarchical
control by the state, replacing ICANN's gTLD policy with a new one that will
allow governments, through GAC, to take complete control over what new top
level domain names are allowed to exist.

These EC papers were developed not through public consultation,
but secretly, and thus lack democratic legitimacy. The plans are to
formally raise or even implement the proposed measures by the end of this
year, in particular at ICANN's meeting in Senegal in October.

The second EC ICANN Paper: How low can they go? (4.09.2011)
http://blog.internetgovernance.org/blog/_archives/2011/9/4/4893009.html

European Commission calls for greater government control over Internet
(31.08.2011)
http://news.dot-nxt.com/2011/08/31/ec-greater-government-control

Analysis: EC policy papers on ICANN (31.08.2011)
http://news.dot-nxt.com/2011/08/31/ec-papers-analysis

ICANN - informal background paper - New gTLD process (1.09.2011)
http://blog.internetgovernance.org/pdf/EC-TLD-censorship.pdf

Payback time: The European Commission papers on ICANN (2.09.2011)
http://blog.internetgovernance.org/blog/_archives/2011/9/2/4891821.html

============================================================
2. Sweden argues that transposing data retention directive is unnecessary
============================================================

On 5 September 2011, the Swedish government responded to the European Court
of Justice after the Commission referred Sweden to the Court for failing to
transpose the Directive on Data Retention (2006/24/EC).

Sweden's main argument is that it is unnecessary to transpose the Data
Retention Directive, considering the practical effects of existing Swedish
legislation. This implicitly means that transposition would be contrary to
the European Convention on Human Rights and the Charter of Fundamental
Rights, both of which require restrictions on fundamental rights to be
necessary and proportional.

The Directive on Data Retention 2006/24/EC was adopted in 2006 and the
Member States had until 15 September 2007 to transpose it into the national
law, and until 15 March 2009 to implement the retention of communications
data relating to Internet services. The Directive concerns the storage of
traffic and location data resulting from electronic communications. Traffic
and location data retained by Internet service providers and phone companies
will be made available only to national law enforcement authorities in
specific cases and in accordance with the national law. However, retention
periods, purpose limitation and access requirements vary vastly across the
EU.

The European Court of Justice found that Sweden failed to fulfil its
obligations to implement the Data Retention Directive in its national
legislation on 4 February 2010. Despite this first ruling, Sweden still has
not transposed the Directive 2006/24/EC. In the absence of a precise
timetable for the transposition of the Directive, the Commission decided to
send a letter of formal notice to Sweden in June last year. The Commission
asked Sweden for details on the measures Sweden planned to implement the
Directive and comply with the Court's decision.

Sweden informed the Commission on 21 January 2011 that draft legislation had
been submitted to its Parliament in order to transpose the Directive. The
legislation was to be adopted in mid-March. However, the Parliament deferred
the vote on the draft legislation implementing the Directive on Data
Retention for a year, due to the opposition from a minority of
parliamentarians. They used a constitutional rule allowing one-sixth of the
MPs to suspend the adoption of a proposed legislation.

Following this suspension of the legislative process, the European
Commission swiftly referred Sweden for a second time to the European Court
of Justice, requesting it to impose financial penalties (Case C-270/11). The
Commission asked the Court to impose a daily penalty of 40 947 Euros/day
after the second ruling and a lump sum of 9 597 Euros/day for each day
between the first and the second ruling. The ECJ will have to determine the
level of sanctions and if it will take the form of a penalty and/or a lump
sum.

In its response to the ECJ, Sweden argues that the penalties are
disproportionate considering firstly the fact that Sweden does not often
fail to fulfil its implementation obligations regarding European directives
and secondly that some other Member States likewise fail to implement the
Directive without being subject to any financial penalties.

The Swedish government also indicated that since the first ruling, it has
taken all procedurally possible measures to implement the Directive. The
delay is due to political and legal matters with regard to the sensitive
subjects the Directive is dealing with, such as the right to privacy, and
those debates are delaying the legislative process. It further points out
that this controversy is not limited to Sweden.

Moreover, according to Sweden, the failure to implement the Directive does
not create any barriers for the Single Market. Bearing in mind the
Commission's own assertion of the low costs of implementing the Directive
(as described in the implementation report), this seems to be difficult for
the Commission to deny. According to Sweden, the harmonisation realised by
the Directive on Data Retention is only minimal and does not appear to be
crucial in achieving competition on the Single Market. In addition, the
Directive does not say who finances data retention.

It finally appears that the Swedish Government believes that Directive
2002/58/EC on Privacy and Electronic Communications gives the Member States
the ability to adopt legislation covering the field of the Data Retention
Directive when necessary and that the 2006 Directive's implementation in
Sweden is therefore meaningless. The Swedish government especially
underlines that the Swedish crime prevention authorities already have
sufficient access to data even without the full implementation of the
Directive. Furthermore, the differences in the implementations across the EU
show the limits of the Data Retention Directive and create a lack of
harmonisation.

According to Sweden, further implementation of the Data Retention Directive
is superfluous and unnecessary. The question remaining now is whether the
European Court of Justice will follow the Swedish defence on the "necessity"
of implementing the Data Retention Directive and the Directive's failure to
achieve the task on which its legal base is built - harmonisation. The
Commission now faces an unenviable task - it either forces a sovereign
Member State to impose unnecessary (and therefore illegal) restrictions on
fundamental rights or it accepts the challenge of finally acknowledging the
failure of the Directive and the inevitable battle with the Council that
will result from any serious effort to fix the broken legislation.

Data Retention Directive 2006/24/EC (15.03.2006)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF

Judgement of the Court Case C-185/09 (4.02.2010)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:080:0006:0006:EN:PDF

Commission refers Sweden back to Court to transpose EU legislation
(6.04.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/409&format=HTML&aged=0&language=EN&guiLanguage=en

European Commission Application (31.05.2011)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2011:226:0017:0018:EN:PDF

Sweden's response to the ECJ - Case C-270/11 - (5.09.2011) (available only
in Swedish)
http://www.edri.org/files/sw_C-270-11_slutligt.pdf

(Contribution by Marie Humeau - EDRi)

============================================================
3. DigiNotar breach leads to grave security concerns
============================================================

A breach in the computer systems of Dutch certificate company DigiNotar
led to grave concerns regarding the security of internet users in Iran
and Dutch government communications. On 2 September 2011, the Dutch
government renounced its trust in certificates issued by DigiNotar
after the discovery of fraudulent certificates. It advised Dutch
citizens not to log in on websites using these certificates, until the
certificates are replaced. Meanwhile, there is credible evidence that
the confidential communication of hundreds of thousands of Iranians with
Gmail has been intercepted.

In June 2011, the servers of DigiNotar were breached and certificates
were fraudulently issued in the weeks after. Although some of these
certificates were revoked, DigiNotar kept the breach secret. Only weeks
later, following a message posted on a forum by someone from Iran who
tried to log in to Gmail and received a warning about a non-authentic
DigiNotar certificate for Google, did DigiNotar acknowledge the breach.
On 29 August 2011, the Dutch government was notified about the incident.

DigiNotar revoked the rogue Google certificate and asked a Dutch
security firm to perform an investigation into the breach. The report of
the investigation showed that DigiNotar did not observe basic security
measures and hundreds of false certificates were issued on its systems.
The rogue Google certificate proved to be in use since 27 July 2011.
Active abuse was observed between 4 and 29 August 2011. It is likely
that hundreds of thousands of sessions with Google from Iran were
intercepted using this certificate.

DigiNotar issues several types of certificates, including PKI-Overheid
certificates - typically used by the Dutch government for its websites -
and 'simple' certificates. As it could not be excluded that false
government certificates were also issued, the Dutch government decided
to switch to certificates from other authorities.

The incident with DigiNotar also raises questions about the safety and
trustworthiness of the certificate system in general. Worldwide, there
are hundreds of companies providing these certificates. Supervision of
these companies is limited. They can sell certificates as long as they
meet the conditions of the browser manufacturers. There is no guarantee
that all of them take adequate measures to prevent and detect breaches.
This should be a wake-up call for governments and organisations all over
the world to actively start working on better, more robust certification
systems.

Message about rogue certificate (28.08.2011)
https://www.google.com/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en

Letter from the Dutch government about the intrusion at DigiNotar (only
in Dutch, 5.09.2011)
http://www.rijksoverheid.nl/documenten-en-publicaties/kamerstukken/2011/09/05/digitale-inbraak-diginotar.html

Interim report from Fox-IT about the DigiNotar Certificate Authority breach 
(5.09.2011)
http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html

(Contributed by Marjolein van der Heide - EDRi-member Bits of Freedom -  
Netherlands)

============================================================
4. EU privacy watchdog still displeased with online behavioural advertising
============================================================

In a letter sent to IAB Europe and European Advertising Standards Alliance
(EASA), Article 29 Working Party (WP) made some observations regarding the
self-regulatory framework for online behavioural advertising.

The WP considers that the companies having signed the self-regulatory code
may still be in breach of the EU laws in the use of cookies to track users'
online behaviour for targeted advertising.

The self-regulatory code, established in April 2011 by IAB Europe and EASA,
imposes the display of an icon on the companies' websites that tells users
that the adverts track their online activity.  By using the icon, users may
manage information preferences or stop receiving behavioural advertising.

The code also says that operators must give users access to an easy method
to turn off cookies and must inform users that they collect data on them for
behavioural advertising and give details on the advertisers to whom they
provide the respective data. They also have to publish details of how they
collect and use the data, including whether personal or sensitive personal
data is involved.

However, Article 29 WP has shown in its letter that it did not consider
these measures enough to comply with the EU's e-Privacy Directive which
provides in its new form that storing and accessing information on users'
computers is only lawful "on condition that the subscriber or user concerned
has given his or her consent, having been provided with clear and
comprehensive information about the purposes of the processing".

The Directive establishes an exception where the cookie is "strictly
necessary" for the provision of a service "explicitly requested" by the
user.

"The mechanisms proposed by the EASA/IAB Code enable people to object to
being tracked for the purposes of serving behavioural advertising. However,
tracking and serving ads takes place unless people exercise the objection,"
said Jacob Kohnstamm, chairman of the Working Party, in the letter.

The WP believes the advertising icon used by companies that signed up to the
online behavioural advertising code did not actually provide users with "the
legally required information allowing them to make informed choices about
cookie tracking."

In Article 29 WP's opinion, the text of the code is rather confusing and
insufficiently clear, which could lead to some users thinking "tracking has
no privacy implications for them". Kohnstamm says in the letter that the
information made available through clicking the icon should be more
accessible and be directly visible.

Ad network providers should "provide the necessary information before the
cookie is sent and rely on users' actions ... to signify their agreement to
receive the cookie and to be tracked". Valid consent can be received by
the provider by asking users to click a box to "accept" cookie tracking.
Each advertising network must also obtain consent from users even when
websites work with multiple ad network providers.

By obtaining prior, informed consent from the users, the ad provider no
longer needs to ask the user for subsequent access and transmissions of
cookies for the same purpose. However, the "opt out" ability should still be
available.

Kohnstamm also says that browser settings will not be enough to meet the
cookie consent requirements until they automatically reject third-party
cookies as default and allow users to take "affirmative action to accept
cookies from specific websites for a specific purpose." Browsers must also
advise users that the cookies tracking their data are being used by ad
network providers, in addition to informing them of what network providers
do with the cookies.

In June 2011, EU Commissioner Neelie Kroes told EU companies that they had a
year to find methods that achieve the legal standard for gaining consent, as
failure to do so would result in Commission action against
non-compliant businesses.

Letter from the Article 29 Working Party addressed to Online Behavioural
Advertising (OBA) Industry regarding the self-regulatory Framework
(23.08.2011)
http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2011/20110803_letter_to_oba_annexes.pdf

Advertising code not cookie law compliant, data protection watchdogs say
(29.08.2011)
http://www.out-law.com/en/articles/2011/august/advertising-code-not-cookie-law-compliant-data-protection-watchdogs-say/

EDRi-gram: Article 29 WP issues opinion on cookies in the new ePrivacy
Directive (30.06.2010)
http://www.edri.org/edrigram/number8.13/article-29-cookie-eprivacy

============================================================
5. EP study on "Consumer Behaviour in a Digital Environment"
============================================================

The European Parliament (EP) has published a study on "Consumer Behaviour in
a Digital Environment" that it commissioned from the London School of
Economics (LSE). The study involved a limited stakeholder consultation, which included
an extensive exchange of views with EDRi and also looked at existing
literature and market developments. The study is part of an ongoing
reflection in the EU institutions on how to better achieve an effective
single market, particularly in the digital space.

The study identifies the following factors affecting the demand and supply
for illegal content:

1. the price;
2. the rise of the "prosumer" (users as both producers and consumers);
3. the exchange of products and files online between consumers; and
4. large economic incentives for providing what the authors of the study
refer to as "illegal content".

The conclusions of the study focus entirely on a positive agenda, seeking to
address the source of problems rather than looking at ways of dealing with
symptoms. For example, regarding unauthorised use of copyright-protected
content, the study proposes the development of innovative pricing and
payment systems as well as reforming copyright in a way that would eliminate
the inefficiencies that come from the fragmentation of the single market.
The authors of the research clearly prioritise positive measures to minimise
the causes of the unauthorised activity, rather than negative and defensive
measures that would punish consumers without addressing underlying causes.

Similarly, the report conclusions support efforts at improving awareness of
consumer protection legislation, enhanced dispute resolution and removal of
practical barriers to cross-border trade. The study also discusses the rise
of "prosumers", concluding that this development "potentially leads to
innovation, creativity and consumer empowerment. However, prosumers cannot
fully develop under current legal framework. The copyright exceptions regime
and cross-border licensing problems are singled out as current challenges".

While this is generally a very positive and well-thought-out piece of
research, the main negative point in the report is the repeated conflation
of "illegal content" with "illegal use of content," which, legally,
practically and societally, are entirely different problems.

Finally, the research team identifies the following challenges faced by
copyright law with regard to illegal access to content ("illegal content" in
the vocabulary of the report):

a) the exceptions to copyright still differ significantly from Member
State to Member State;
b) licensing arrangements through collecting societies have not been
harmonised;
c) some Member States have introduced laws allowing restrictions on
internet access for connections where illegal file-sharing has been
conducted (or suspected), which may lead to market distortions and raises
the question of whether the right to Internet access introduced by the
Framework Directive is infringed;
d) the issue of who is responsible for clearing copyright on social media
such as YouTube is not clearly defined in the E-Commerce Directive because
peer-to-peer services were much less prevalent when the Directive was
written. (This final point is somewhat odd because the E-Commerce Directive
does not cover rights clearance and YouTube is a hosting service which
therefore renders the question of peer-to-peer somewhat irrelevant.)

Consumer Behaviour in a Digital Environment (2011)
http://www.europarl.europa.eu/meetdocs/2009_2014/documents/imco/dv/consumer_behav_/consumer_behav_en.pdf

Framework Directive - Directive 2002/21/EC as amended by Directive
2009/140/EC and Regulation 544/2009
http://ec.europa.eu/information_society/policy/ecomm/doc/140framework.pdf

(Contribution by Daniel Dimov - intern at EDRi)

============================================================
6. ECHR to analyse Azeri bloggers' complaint against unjust imprisonment
============================================================

The Azeri bloggers who were imprisoned for a year and a half under
alleged hooliganism accusations have filed a complaint with the European
Court of Human Rights, which will decide whether their detention was in
breach of the European Convention on Human Rights.

Emin Milli and Adnan Hajizade were arrested in Baku in July 2009 and
accused of hooliganism, after having reported to the police that they had
been physically attacked in a restaurant. The two bloggers were in reality
detained for attacks against the Government on their blogs and for having
disseminated a video making fun of corrupt politicians. Under pressure from
the international community, they were finally released in November 2010.
Their release is, however, conditional and their convictions have not been
overturned.

Consequently, the two bloggers are now seeking official recognition that the
Azerbaijani authorities violated their rights. The fact that, despite their
injuries, they were not treated medically in prison breaches article 3 of
the European Convention. The Azeri government was also in breach of article
5, which protects the right to freedom and security and says that a person may
only be detained when suspected of a crime or when sentenced to
imprisonment.

According to the Convention, the bloggers should have been informed of the
reasons for their arrest and they had a right to be tried within a
reasonable time or to be released pending trial. Milli and Hajizade were
held for the two months before the start of their trial and were still in
prison more than four months after their arrest.

The complaint also says that article 6, on the right to a fair trial, was
violated because the two people were allowed only belated access to their
lawyers and because the court took no account of what their lawyers said.

Article 8 on respect for private and family life was also violated as
the two bloggers were denied family visits while held and certain family
members were not allowed to testify at the trial.

The Azeri government violated Article 10 as well, which protects the right to
freedom of expression, including the "freedom to hold opinions and to
receive and impart information and ideas without interference by public
authority and regardless of frontiers." The two people were jailed
for criticizing the authorities.

Hajizade and Milli filed a complaint before a Baku court on 8 July 2009
which was rejected on 23 July 2009. On 10 August 2009, a separate complaint
against the interior ministry, Baku police and prosecutor's office for
failing to respect the right to be presumed innocent was also rejected.

A confidential cable from the US embassy in Baku on 9 July
2009, posted on the WikiLeaks website on 26 August, confirmed the fact that
the two bloggers did not receive medical treatment for their injuries during
their first night in detention and revealed that embassy officers' requests
to visit the two bloggers in prison were denied.

The cable also drew attention to the fact that on 10 July 2009 Milli was
to work as the interpreter for the PACE Special Rapporteur for Political
Prisoners, which seems a rather strange coincidence.

European Court to examine case of two bloggers who were unjustly jailed
(2.09.2011)
http://en.rsf.org/azerbaijan-european-court-to-examine-case-of-02-09-2011,40880.html

US embassy thought two bloggers' arrest was suspicious (1.09.2011)
http://en.rsf.org/us-embassy-thought-two-bloggers-01-09-2011,40902.html

EDRi-gram: Azeri bloggers released from prison (1.12.2010)
http://www.edri.org/edrigram/number8.23/azeri-bloggers-released-prison

============================================================
7. EP committee supports the introduction of body scanners in EU airports
============================================================

To the dismay of liberal groups, the European Parliament's Transport
Committee decided on 31 August 2011 to back the European Commission on
the introduction of body scanners in EU airports.

Although imposing certain conditions such as excluding x-ray technology, the
EP committee did not oppose the EC rules which do not specifically rule out
the use of naked imagery. "The rules do exclude the use of x-ray technology,
which is something we wanted. But it doesn't oblige producers to use stick
figures instead of the actual body image," stated Benjamin Krieger, a
spokesperson for the German Liberals in the European Parliament.

This decision comes when some European countries have reached the conclusion
that body scanners are not performing properly.

The German interior ministry has recently decided to postpone the
introduction of body scanners at airports for security reasons, after the
devices used for trial failed to do their job, giving false alerts at a 49%
rate. The errors included confusing sweaty armpits with concealed bomb
chemicals while body scanners are supposed to detect plastic or ceramic
elements concealed under clothing.

The technology has been strongly opposed by human rights groups, religious
organizations and even the European Parliament because it shows a real
outline of one's bodily features, which raises serious privacy concerns. The
devices are also expensive, reaching up to 130 000 euro/piece.

In 2010, Italy also went back on the plan to implement the technology in
airports after experiencing the same results during the trial period.

Germany ditches body scanners after repeat false alerts (1.09.2011)
http://euobserver.com/22/113479

Meeting minutes TRAN Committee (30-31.08.2011)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-470.049+01+DOC+PDF+V0//EN&language=EN

EP transport committee votes in favour of body scanners (31.08.2011)
http://euobserver.com/1016/113478

Welcome to body scanners at EU airports (6.07.2011)
http://www.europolitics.info/sectoral-policies/welcome-to-body-scanners-at-eu-airports-art309256-20.html

Parliament sets conditions for airport body scanners (6.07.2011)
http://www.eubusiness.com/news-eu/security-aviation.b5r

EDRi-gram: MEPs approve body scanners on airports on a voluntarily basis
(1.06.2011)
http://www.edri.org/edrigram/number9.11/body-scanners-airports-ep

============================================================
8. ENDitorial: Abuse of Irish police databases
============================================================

In 2003, the then Minister for Justice, Michael McDowell, stated that he
"knew that journalists were bribing gardaí (police)". This was said in the
context of proposed legislation which would create a crime of leaking
information. Unfortunately, the intervening years seem to have confirmed the
continued existence of police abuse of confidential information, resulting
in a recent announcement by the Data Protection Commissioner of a national
audit into garda compliance with data protection law.

The audit will focus on access to the main police database system, known as
PULSE, which was introduced in 1999. While that system has a read/write
audit trail, this has not acted as a deterrent to abuse - some police have
sought to evade the audit trail by requesting others to carry out searches
on their behalf, and login sharing has also been a problem. Consequently, in
his 2010 Annual Report the Data Protection Commissioner stated that:

"In 2007 we agreed a data protection Code of Practice with the Gardaí which
included undertakings to monitor access to the Garda PULSE system. It is
disappointing to report that, despite our repeated engagements on this
issue, the monitoring of access by members of An Garda Síochána to PULSE
falls short of the standards we expect. We wish to see significant progress
by the Gardaí in pro-actively monitoring PULSE access in 2011 and will be
carrying out an audit to satisfy ourselves of this progress."

The most recent allegations generally concern personal use of the system,
for example by using it to check on daughters' boyfriends or to check the
history of cars which they are buying. However, allegations of more serious
abuses are also common, including the sale of information to insurance
companies and even criminals.

Unfortunately, it is difficult to provide a full assessment of abuses which
have taken place. While many allegations have been published by the media
and some internal garda investigations carried out, the results of these
investigations have not been published, disciplinary sanctions (if any) are
seldom made public and there is no comprehensive official report. This
secrecy is a failing in itself and makes it impossible for the public to
have confidence in the system.

Nevertheless, there have been a number of cases in which abuses have been
clearly established and some significant examples from recent years include
a court award of 70 000 Euros damages to a family who were harmed by a garda
leak (2007), the dismissal of a garda for leaking information to a drug
dealer (2010) and most recently the finding that a detective sergeant abused
her position to monitor an ex-boyfriend through his phone records (2011). A
particularly telling example in 2007 followed the high profile death of a
person struck by a car driven by an off-duty garda. In that case, 187
individual gardai accessed that person's PULSE record following his death,
without apparent justification. An investigation into that incident
recommended that:
"supervisory ranks should regularly monitor the use of PULSE to ensure that
members adhere to their legal and disciplinary obligations in regard to its
proper use [and] suitable measures [should] be put in place by the Garda
authorities to ensure that audit-trails of the usage of PULSE and any other
official information systems can always be accurate and verifiable."

Unfortunately, it seems that several years later this has yet to be done.

GRA's concern about bribery claim, RTÉ News (04.08.2003)
http://www.rte.ie/news/2003/0904/justice.html

Family awarded 70,000 Euros over garda leak, RTÉ News (17.01.2007)
http://www.rte.ie/news/2007/0117/gray.html

Report by the Commission following the death of Mr. Derek O'Toole on March
4th 2007 and subsequent complaints and investigation under Section 98,
Garda Síochána Act, 2005 (10.2008)
http://www.gardaombudsman.ie/GSOC/Report_October2008.pdf

Garda Data Protection Code of Practice (12.11.2007)
http://www.garda.ie/Controller.aspx?Page=136&Lang=1

Gardaí line up 17 officers for quizzing over leaks to 'Don', Evening Herald
(16.10.2009)
http://www.herald.ie/news/gardai-line-up-17-officers-for-quizzing-over-leaks-to-don-1916105.html

Walsh, Human Rights and Policing in Ireland (Dublin: Clarus Press, 2009),
Ch. 32

Garda sacked for leaked secrets to Don's crime gang, Evening Herald
(18.06.2010)
http://www.herald.ie/news/garda-sacked-for-leaking-secrets-to-dons-crime-gang-2225992.html

2010 Annual Report of the Data Protection Commissioner (03.2010)
http://www.dataprotection.ie/documents/annualreports/2010AR.pdf

EDRi-gram: No effective sanction for Police abuse of Irish data retention
system (24.08.2011)
http://www.edri.org/edrigram/number9.16/abuse-data-retention-ireland

(Contribution by TJ McIntyre - EDRi-member Digital Rights Ireland)

============================================================
9. Recommended Reading
============================================================

Statewatch Analysis: UK: Internet censorship looms as government finds
alternatives to flawed Digital Economy Act by Max Rowlands:

The routine blocking of websites believed to facilitate copyright
infringement has moved a step closer - despite concerns about the
proportionality and effectiveness of the practice - following a landmark
High Court ruling on the application of the Copyright, Designs and Patents
Act. Meanwhile, the much criticised Digital Economy Act continues to
flounder, with the introduction of its controversial copyright protection
scheme - which would allow the government to suspend the internet
connections of individuals accused of persistent copyright infringement -
now delayed until 2012 at the earliest.
http://www.statewatch.org/analyses/no-147-internet-censorship.pdf

Europe's Odd Anti-Piracy Stance: Send Money to the US! (4.09.2011)
http://torrentfreak.com/europes-odd-anti-piracy-stance-send-money-to-the-us-110904/

Naming Names on the Internet (4.09.2011)
http://www.nytimes.com/2011/09/05/technology/naming-names-on-the-internet.html

Open Data: Emerging trends, issues and best practices -  a research project
about openness of public data in EU local administration (2011)
http://www.lem.sssup.it/WPLem/odos/odos_report_2.pdf

============================================================
10. Agenda
============================================================

8-9 September 2011, Brussels, Belgium
6th Annual Conference of the European Policy for Intellectual Property
Fine-Tuning IPR debates
http://www.epip.eu/conferences/epip06/

10-17 September 2011
Freedom Not Fear - International Action Week
http://www.freedomnotfear.org

16-18 September 2011, Warsaw, Poland
Creative Commons Global Summit 2011
http://wiki.creativecommons.org/Global_Summit_2011

16 September 2011, Leeds, UK
Conference "Human Rights in the Digital Era"
http://digitalrights.leeds.ac.uk

17 September 2011, Worldwide
Software Freedom Day 2011
http://softwarefreedomday.org/

27-30 September 2011, Nairobi, Kenya
Sixth Annual IGF Meeting: Internet as a catalyst for change: access,
development, freedoms and innovation
http://www.intgovforum.org/cms/nairobipreparatory

11 October 2011, Brussels, Belgium
ePractice Workshop: Addressing evolving needs for cross-border eGovernment
services
http://www.epractice.eu/en/events/epractice-workshop-cross-border-services

13-14 October 2011, Lisbon, Portugal
2nd International Graduate Conference in Communication and Culture: The
Culture of Remix
http://blogs.nyu.edu/projects/materialworld/2011/05/cfp_the_culture_of_remix.html

20-21 October 2011, Warsaw, Poland
Open Government Data Camp
http://opengovernmentdata.org/camp2011/

27-30 October 2011, Barcelona, Spain
Free Culture Forum 2011
http://fcforum.net/

9 November 2011, Bucharest, Romania
Inet Conference: Access, Trust and Freedom: Coordinates for future Internet
http://www.isoc.org/isoc/conferences/inet/11/bucharest-agenda.shtml

11-13 November 2011, Gothenburg, Sweden
FSCONS is the Nordic countries' largest gathering for free culture, free
software and a free society.
http://fscons.org/

25-27 January 2012, Brussels, Belgium
Computers, Privacy and Data Protection 2012
http://www.cpdpconferences.org/

============================================================
11. About
============================================================

EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 28 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRi-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and are visible on
the EDRi website.

This EDRi-gram has been published with financial support from the EU's
Fundamental Rights and Citizenship Programme.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or
unsubscribing. 

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
