EDRi-gram newsletter - Number 10.3, 15 February 2012

EDRI-gram newsletter edrigram at edri.org
Wed Feb 15 11:05:45 PST 2012


============================================================

     EDRi-gram

biweekly newsletter about digital civil rights in Europe

Number 10.3, 15 February 2012

============================================================
Contents
============================================================

1. European Anti-ACTA protests of 11 February
2. European Commission discusses tactical, partial retreat on ACTA
3. European Commission "Roadmap" for review of the IPR Enforcement Directive
4. Hadopi takes the final steps towards cutting Internet access
5. Two Strikes in Germany?
6. Software-hardware bundling not accepted in France
7. UK: 3 million checks on criminal records in 2011
8. RFID - a dangerous fashion trend highlighted on German streets by FoeBuD
9. Irish ISP puts its customers' personal data at risk
10. EU DP Regulation Proposal: The French CNIL defends its turf
11. Recommended Action
12. Recommended Reading
13. Agenda
14. About

============================================================
1. European Anti-ACTA protests of 11 February
============================================================

Several tens of thousands of citizens from an estimated 200 cities in Europe
went out in the streets on a cold 11 February 2012, in a massive
pan-European protest against ACTA and in support of digital civil rights.
Several EDRI members and observers have reported for the EDRi-gram on what
happened in their countries.

The biggest turnout was in Germany, where 100 000 protesters flooded the
streets to demonstrate against the ACTA agreement. These massive protests,
held in spite of sub-zero temperatures, took not only politicians but also
the media and the wider public completely by surprise. A day before, the
German government backed down in the face of this wave of online protest and
postponed the signing of ACTA until the decision of the European Parliament.
The demonstrations were organized entirely in a decentralized manner via the
Internet. The participants were mostly very young and were taking part in a
demonstration for the first time. In Berlin 10 000 people took to the
streets against ACTA, in Munich even 16 000. Never before have so many
people protested for reforming copyright legislation and against
excessive surveillance of the digital realm. Because of the protests,
ACTA became the main topic in the news in Germany and has remained so ever
since. For the first time, these protests have ignited a wider debate on how
the outdated copyright law can be adapted to the requirements of the digital
age. Therefore, EDRi-member Digitale Gesellschaft e.V. demanded: "We must
reform copyright but must not cement it with ACTA."

In the capital of Bulgaria approximately 6 000 to 8 000 people showed up in
one of the largest demonstrations since 1997, shouting slogans against ACTA
and for Internet freedom. In some cases the local police did not allow the
participants in Sofia to wear the Guy Fawkes - or "V" - masks and even asked
for proof of purchase for the laptops people brought to the event, to "make
sure they were not stolen".

Since the Austrian government signed ACTA on 26 January, a broad movement
against the treaty has formed. It consists of activists in and around the
EDRi member VIBE!AT, a group of former Pirate Party members who started
their own initiative (netzfreiheit.org), political parties and
representatives (the Greens, MEP Ehrenhauser and the Pirate Party) and
Anonymous. Together, these different groups have dominated the public
perception of ACTA. The efforts included: concentrated press releases to
push the story out of the tech departments, press conferences held by ACTA
opponents and discussions in independent media formats. The action peaked on
11 February when all over Austria close to 10 000 people took to the streets
to protest against ACTA.

Around 5 000 Romanians gathered in over 20 major cities, most of them
in Cluj-Napoca and Bucharest, to demonstrate against ACTA. They were also
chanting for Internet freedom and against surveillance. There are several
national online petitions gathering more than 40 000 signatures asking for
ACTA not to be ratified by the European Parliament or the national
Parliament.

After the publication of the information that the Czech Republic had signed
ACTA, EDRi-member Iuridicum Remedium published a Czech translation of the
campaign "Call your MPs" (EDRi). The media began to report seriously on
ACTA and the first debate about the agreement was held on 2 February. On 6
February the Czech government office issued a statement that the Czech
Republic had stopped the ratification of ACTA, but that didn't stop several
Czech cities from joining the demonstration against ACTA on 11 February 2012.

Close to a thousand Hungarians gathered in Budapest for the nation's
first ACTA protest, with smaller rallies also held in Székesfehérvár,
Szeged and Pécs. The demonstrations were organized by the Hungarian
Anonymous Group, Occupy Budapest and the Pirate Party movement, and
generated substantial media coverage.

In Finland about 400 people attended the anti-ACTA demonstration on 11
February in the streets of Helsinki. The demonstrations helped raise
media attention, especially because earlier coverage on ACTA was very
low. The Finnish Parliament is expected to discuss ACTA in Autumn 2012.

Protesters also demonstrated against ACTA in The Netherlands. People in
various cities, including Amsterdam and Rotterdam, faced the cold and
expressed their discontent with ACTA. In Amsterdam some 250 people gathered
in Dam Square where there were some improvised speeches. MEP Marietje
Schaake visited the demonstration. Halfway through the afternoon, about half
of the demonstrators made an improvised march through the city.

In Brussels, around 300 people protested in the city centre shouting slogans
against ACTA and rolling out a huge banner: "ACTA: Sharing culture is now a
crime - Thank you EU!" Participants included local politicians,
representatives from several Belgian NGOs (such as Constant, datapanik and
Nurpa), international NGO AccessNow.org, press people and many Anonymous
masks.

Around 500 protesters also gathered in central London outside the offices of
rights holder representative groups to protest against ACTA.

There are several online petitions against ACTA gathering millions of
signatures (the Access global petition has almost 400 000 and
the Avaaz petition has over 2 million signatures already).

Pictures from demonstrations on 11.02.2012
Sofia
http://www.dnevnik.bg/photos/2012/02/11/1764407_fotogaleriia_protestut_sreshtu_asta_v_sofiia/
Austria
http://fotos.stopp-acta.at/
Czech Republic
http://www.rozhlas.cz/zpravy/spolecnost/_galerie/1017187?type=image&pozice=1
Germany
http://netzpolitik.org/2012/bilder-von-berliner-anti-acta-demo/
Romania
http://www.facebook.com/spune.nu.acta?sk=photos
Brussels
https://secure.flickr.com/photos/hermapix/sets/72157629276115405/
Hungary
http://bit.ly/xlAkEa
Finland
http://www.flickr.com/photos/charris87/sets/72157629270109515/
Several European cities
http://www.numerama.com/magazine/21630-manif-anti-acta-les-meilleures-photos.html

Videos from demonstrations on 11.02.2012
Sofia
http://www.youtube.com/watch?v=6Y59XxJoStA
Austria
http://youtu.be/ViXKnH_Vnu8
Bucharest
http://www.youtube.com/watch?v=R2st38pe5CQ
Czech Republic
http://www.stopacta.cz/videa.html
Hungary
https://www.youtube.com/watch?v=-1Hscb-HGPc
Amsterdam
http://www.youtube.com/user/koelkast30
Helsinki
http://www.youtube.com/watch?v=Z0CdQIDbujI

National platforms against ACTA
Austria
http://stopp-acta.at
Czech Republic
http://www.stopacta.cz
Romania
http://www.stopacta.ro
UK
http://www.openrightsgroup.org/campaigns/stopacta

Global petition against ACTA and map of protests
https://www.accessnow.org/policy-activism/press-blog/acta-protest-feb-11

Avaaz Petition: ACTA: The new threat to the net
https://secure.avaaz.org/en/eu_save_the_internet_spread/

(contributions by several EDRi members and observers)

============================================================
2. European Commission discusses tactical, partial retreat on ACTA
============================================================

At the meeting of the heads of cabinet of the European Commission on Monday
of this week, Commissioner De Gucht's representative announced that a
referral of ACTA to the Court of Justice of the European Union is currently
being considered.

The minutes of the meeting, which have been obtained by EDRi, say that the
head of cabinet described the "strong mobilisation" against the Agreement by
"certain NGOs and movements active on the Internet" and stated that a
referral of the Agreement to the Court of Justice is being considered. It is
noteworthy that the suggestion is only to check the compatibility of ACTA
with primary EU law. Such a referral, depending on how it is framed, risks
being quite vague and may not lead to a comprehensive response. However, any
broadly favourable response from the Court would most certainly be used to
push through the Agreement, on the basis that the ruling "proves" that there
is no problem.

The head of cabinet added that it is necessary to instigate a period of
reflection on how the EU should position itself on this issue and to make an
effort to go beyond the argument that growth in the digital economy is only
possible with adequate protection of intellectual property. The Secretary
General of the Commission closed the discussion by saying the Commission
would return to the dossier in due course, after a "period of thorough
reflection."

This brief exchange of views exposes a number of interesting points.
Firstly, the Commission, and Commissioner De Gucht in particular, were
clearly profoundly impressed by the weekend's demonstrations, contrary to
the Commission's public statements. Secondly, the Commission now has
sufficient doubts regarding the legality of the Agreement, again contrary to
the Commission's public statements, that a request for confirmation of
legality from the European Union's highest court is being seriously
considered. Finally, the comments of the Secretary General clearly show that
she sees a need for the Commission to think again.

Bearing in mind the extreme credibility problems of the European Commission
on this dossier, any hint that such a referral is a delaying tactic, to wait
until the furore surrounding the Agreement has died down, will further
inflame the tensions around ACTA.

The Commission must finally recognise the breadth of serious criticism of
ACTA, from thirteen members of the Sakharov Network of winners of the
European Parliament's Sakharov Prize for Freedom of Thought, from the
European Data Protection Supervisor, from the Organisation for Security and
Cooperation in Europe, from the UN Special Rapporteur on Freedom of
Expression (in his general comments on privatised online enforcement), from
the group of European Academics and the European Economic and Social
Committee. It may be comfortable to caricature critics of ACTA as
ill-informed anti-IPR activists. As with many comfortable assumptions, it is
wrong, it is insulting and it is counterproductive.

EDRi will write to the European Commission in order to warn of the dangers
of being perceived to be manipulating the decision-making process by sending
a weakly framed question to the Court of Justice or claiming that this will
give a comprehensive answer to critics' concerns. The Commission needs to
draw the consequences of the need for "thorough reflection" and use all
legal and research options at its disposal to address the problem of the
likely incompatibility of ACTA with primary and secondary European Union
law. This needs to be done in a comprehensive manner.

Furthermore, if the Commission does indeed want "a period of thorough
reflection," it should also undertake a thorough impact assessment, in order
to study the possible impact of ACTA, regardless of the legality of the
Agreement. By adopting ACTA, a decision would be made to make it impossible
to reform key aspects of the 2004 IPR Enforcement Directive before reviewing
their impact and to export those measures to other countries; a decision
would be made to encourage Internet companies abroad to police their
networks and potentially use this power to restrict access to markets; and a
decision would be made to impose disproportionate rules on damages and a
grossly unsatisfactory set of criteria for imposing criminal sanctions for
infringements. It is time for a full and independent impact assessment. Why
would the Commission reject this request? Perhaps this is the one time that
the phrase "if you have nothing to hide, you have nothing to fear" actually
makes sense.

If all of this is done, we will find ourselves in about two years in the
position we should be in already - with a legal proposal, backed up with an
impact assessment that can be discussed on its merits.

Sakharov Prize winners: Online Freedoms threatened by another step towards
treaty's adoption (15.12.2011)
http://en.rsf.org/union-europeenne-online-freedoms-threatened-by-15-12-2011,41557.html

EDPS: Anti-Counterfeiting Trade Agreement: EDPS warns about its potential
incompatibility with EU data protection regime (22.02.2010)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2010/EDPS-2010-03_ACTA_EN.pdf

OSCE media representative urges European Parliament to reassess ACTA to
safeguard freedom of expression (14.02.2012)
http://www.osce.org/fom/88154

UN Special Rapporteur - Report of the Special Rapporteur on the promotion
and protection of the right to freedom of opinion and expression, Frank La
Rue (16.05.2011)
http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/A.HRC.17.27_en.pdf

Academics' Opinion on ACTA (11.02.2011)
http://www.iri.uni-hannover.de/tl_files/pdf/ACTA_opinion_110211_DH2.pdf

Economic and Social Committee on IPR Strategy (12.01.2012)
https://www.laquadrature.net/wiki/EESC_on_IPR_Strategy

IPR Enforcement Directive
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32004L0048R%2801%29:EN:NOT

(Contribution by Joe McNamee - EDRi)

============================================================
3. European Commission "Roadmap" for review of the IPR Enforcement Directive
============================================================

The European Commission recently published a "roadmap" to the review of the
Directive on Intellectual Property Enforcement (2004/48/EC). As is
becoming traditional, the Commission neatly mixes up all kinds of
infringements, from dangerous fake medicines to illegal downloads and seeks
a "one size fits all" solution. In addition, the previously published
implementation report graphically describes the breakdown in the credibility
and perceived legitimacy of copyright in the digital environment (referring,
for example, to "ubiquitous" infringements).

Faced with the unquestionable failure (hence the calls for a review) of the
existing "one size fits all" legal framework and the seemingly obvious need
to reform the legal framework for copyright, the approach is to plough
forward with increased enforcement, as well as increased involvement of the
private sector in practical law enforcement. A non-committal reference to
"measures aimed at promoting the legal offer" is made but not expanded upon.

Interestingly, the "road map" explains that the current Directive's
definition of "commercial scale" needs to be clarified, in order to ensure
that individual consumers are not targeted. This is quite significant,
because the definition is significantly narrower than the one in the
Anti-Counterfeiting Trade Agreement (ACTA). This raises a fundamental
question - how can the EU be so confident that ACTA's definition of
"commercial scale" will not lead to disproportionate criminalisation of
end-users, when it believes that a more precise definition risks leading to
disproportionate measures against citizens in civil law?

It is also somewhat surprising to note that no problem has been identified
regarding the provision of personal data by Internet intermediaries -
despite the widespread abuse of both process and data, particularly in
the UK and Germany. The focus instead is on developing the tools for
obtaining "evidence" from intermediaries.

It must be pointed out, of course, that much of what is in the IPR
Enforcement Directive is proposed in ACTA. As a result, as long as the
European Commission harbours hopes of being able to ratify that agreement,
it will consider itself to be prevented from making or even considering any
significant changes or improvements to this Directive.

Roadmap on IPRED (01.2012)
http://ec.europa.eu/governance/impact/planned_ia/docs/2011_markt_006_review_enforcement_directive_ipr_en.pdf

ACTA
http://register.consilium.europa.eu/pdf/en/11/st12/st12196.en11.pdf

IPR Enforcement Directive Implementation Report (22.12.2010)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0779:FIN:EN:HTML

(Contribution by Joe McNamee - EDRi)

============================================================
4. Hadopi takes the final steps towards cutting Internet access
============================================================

French authority Hadopi announced on 13 February 2012 that its Commission
for the Protection of Rights had sent the first complaints to court against
Internet users for illegal downloading of files as the last stage in its
three-strike system.

Since November 2010, more than 800 000 French Internet users have received
e-mail alerts that they were suspected of illegal downloading of copyrighted
material. Out of these, about 45 000 considered recidivists received a
letter of warning and after six months around 165 seem to have been convened
by the Commission on the Protection of Rights to be sent to court for a
decision to have their Internet connection cut.

Although a precise number has not been revealed, a Hadopi spokesperson
stated the cases had been sent to prosecutors all over France, according
to the places of residence of the accused Internet users. The Prosecutor's
Office will process the cases and decide whether to take them to court,
which may apply a maximum fine of 1 500 euro and a 1 month suspension of the
Internet service.

The offence of which the Internet users are accused is that of not
implementing a system to "secure" their Internet connection, or of not
having made efforts to make such a system operate properly. Hadopi
produces as proof of the offence only the proceedings drafted by the
assigned agents on the basis of the findings provided by the company
hired by the rightsholders.

The law allows for a speedy simplified procedure for Hadopi where there is
no need to hear the defendant and through which the court may apply
sanctions if "it comes out from the judicial investigation that the facts
the user is accused of, are simple and proven."

The Ministry of Justice has even issued a letter asking the prosecutors'
offices to avoid, except in particular cases, a more detailed investigation
because the evidence provided by Hadopi is enough to prove the offence.

"This is the myth of the pedagogical Hadopi that slumps. All those who
wanted to make you believe that Hadopi was a device meant only to sensitize
young Internet users on copyright, are now facing their own contradictions,"
said Aurélie Filippetti, in charge of culture for the presidential candidate
François Hollande's campaign.

Hadopi transmits its first cases to court! (only in French, 13.02.2012)
http://www.numerama.com/magazine/21634-hadopi-transmet-ses-premiers-dossiers-aux-tribunaux.html

Internet users sent to court by Hadopi (only in French, 13.02.2012)
http://www.lepoint.fr/chroniqueurs-du-point/emmanuel-berretta/exclusif-les-internautes-traduits-devant-les-parquets-par-la-hadopi-13-02-2012-1430826_52.php

Hadopi: the first cases sent to court. But how many? (only in French,
13.02.2012)
http://www.zdnet.fr/actualites/hadopi-les-premiers-dossiers-transmis-a-la-justice-mais-combien-39768507.htm

EDRi-gram: French Internet users on the verge of being disconnected
(5.10.2011)
http://www.edri.org/edrigram/number9.19/hadopi-report-france-18-months

============================================================
5. Two Strikes in Germany?
============================================================

On 3 February 2012, the German Ministry of Economics and Technology (BMWi)
published a comparative study on graduated response systems in Europe which
have been established to fight against copyright infringements on the
Internet. The study looked at the situation in France, UK and Ireland.
Regarding the Hadopi system in France, the study found that one of the main
results and successes is the 31% drop in peer-to-peer use between April 2010
and April 2011, thus completely ignoring the rising use of streaming and VPN
in France.

Even though the study admits that illegal filesharing has "not caused any
serious collapse in the turnover of the industry" (p. 61), the Ministry
recommends the introduction of a "two strikes" or "pre-litigation" model for
Germany. According to the study, this model should be based on a combination
of "educational notifications" and the disclosure of information to
rightsholders. The Secretary of State Hans-Joachim Otto considered the study
a valuable basis for the future discussions regarding online piracy.
However, cutting off users from the Internet has been ruled out.

As significant grounds for concern about the study were already well known
(it is widely understood to have been mainly written by media lobbyists and
rightsholders), EDRi-member Digitale Gesellschaft published a shadow report.
It pointed out that existing models raise significant and fundamental data
protection problems. For instance, the Irish voluntary three-strikes system
is currently experiencing legal difficulties due to such concerns and
numerous complaints to the data protection authority. In Ireland, hundreds
of notifications were received by innocent users.

The shadow report also highlighted the high costs for the French state
compared to the almost non-existing benefits for the economy. The shadow
report concluded that all efforts and means should be focused on the
creation of attractive offers instead of repressive measures and recommended
a general reform of outdated copyright laws.

Shadow report of the Digitale Gesellschaft (only in German, 02.2012)
http://digitalegesellschaft.de/wp-content/uploads/2012/02/schattenbericht-digiges.pdf

Long version of the BMWi study (only in German, 01.2012)
http://www.bmwi.de/BMWi/Redaktion/PDF/Publikationen/Technologie-und-Innovation/warnhinweise-lang,property=pdf,bereich=bmwi,sprache=de,rwb=true.pdf

(Contribution by Kirsten Fiedler - EDRi)

============================================================
6. Software-hardware bundling not accepted in France
============================================================

The computer hardware giant Lenovo, which sold computers with Windows OS
included, suffered a defeat in a French court in Aix-en-Provence in a case
brought by a French customer. This is another case in a long line of defeats
in France for companies that sell computers and include mandatory unwanted
software licences in their products' sales.

The case was brought to court in 2007 by Mr. Pétrus who decided to buy a
Lenovo laptop. As the laptop was not offered for sale without a Windows
Vista license and as he was using GNU-Linux, Mr. Pétrus rejected the Windows
Vista End User License Agreement (EULA) and contacted Lenovo to obtain a
refund. His request being denied, he brought the case to court. After a
first negative ruling in the court of Tarascon, the French Court of
Cassation reversed the judgment in a decisive ruling in November 2010 and
sent back the case to a court in Aix-en-Provence. The final judgement
obliged Lenovo to pay the plaintiff 120 euro as a refund for the software,
but also 800 euro for personal damages and 1000 euro for legal expenses.

The judge insisted on the distinction between hardware and software and
rejected Lenovo's argument that the sale in question was that of "complex
products made of an assembly of indispensable components for the definition
of a product as desired by the manufacturer". The company even compared the
sale of the computer which cannot operate without the software to that of a
car which cannot run without wheels.

The judge explained that the hardware is the object of a sale contract
giving the owner full right over it after having paid for it. On the other
hand, the supply of software is the provision of a service which gives only
the right to usage of the software (a fact which is actually stipulated in
the licence of the software). Moreover, joking over the comparison made by
Lenovo with the car and wheels, he considered that a better comparison would
be that of selling a car with a driver included.

This is a real victory and this significant decision is a positive precedent
as the legal ground of the ruling was European directive 2005/29/CE on
unfair business-to-consumer commercial practices in the internal market,
which could be used again as legal argument in similar cases in all EU
countries.

Hardware-software bundling crumbles in France (6.02.2012)
http://no.more.racketware.info/news/hardware-software-bundling-crumbles-france

Condemnation of Lenovo, symbol of computer and software bundled sale (only
in French, 6.02.2012)
http://non.aux.racketiciels.info/nouvelles/condamnation-lenovo-symbole-vente-liee-ordinateur-logiciel

Court's Decision (only in French, 9.01.2012)
http://www.cuifavocats.com/IMG/pdf/20120109_JproxAixEnProvence_PetruscLevovoA.pdf

Pétrus vs. Lenovo: the supply of unsolicited software is an unfair commercial
practice (only in French, 6.02.2012)
http://www.cuifavocats.com/Petrus-c-Lenovo-la-fourniture-de

List of similar French cases (only in French)
http://non.aux.racketiciels.info/documentation/droit/#jugements-proximite-et-amiable

============================================================
7. UK: 3 million checks on criminal records in 2011
============================================================

UK Privacy campaign group Big Brother Watch has recently revealed that
almost 3 million Criminal Records Bureau (CRB) checks were carried out in
England and Wales in 2011 by almost 4000 registered bodies.

The figures basically say that 1 in 17 Britons was checked and that a large
number of organizations had access to the individuals' private data without
the knowledge of the individuals in question.

Big Brother Watch said the figures were "a sad indictment of a country that
has lost all sight of proportion and has substituted common sense for a
piece of paper".

CRB checks were meant to protect children from coming into contact with
dangerous adults but the reality is that, on the basis of a CRB check, any
person, with or without a conviction, or with a simple caution which has
nothing to do with children, may be considered a dangerous criminal.

An even more worrying aspect is that the system has proven wrong
time and again, leading to perfectly innocent people being considered sex
offenders and losing their jobs.

In 2010, Big Brother Watch already revealed the inaccuracies and
inefficiencies of the CRB system (which should be entirely reliable) which
have been adding up to an average of 7 errors a day since 2004.

On 9 February 2012, High Court judge Kenneth Parker suggested that the CRB
system was disproportionate and not compatible with the right to private
life stipulated by the European Convention on Human Rights and that the
issue fully deserved to be considered by the Court of Appeal.

Deputy Prime Minister Nick Clegg stated the system would be scaled back and
the Protection of Freedoms Bill included plans to ease Criminal Records
Bureau checks.

Regarding the respective changes, Home Office minister Lord Henley stated:
"What we are trying to do is create a system that will provide the necessary
safeguards but does not make parents feel that their children are
automatically safe - parents must still have the duty of looking after their
children by warning them of potential dangers," adding at the same time that
schools and other organisations would be allowed to insist on CRB checks.

3 Million Background Checks in 2011 (10.02.2012)
http://www.bigbrotherwatch.org.uk/home/2012/02/3-million-background-checks-2011.html

The Grim Consequences of CRB Mistakes (22.04.2010)
http://www.bigbrotherwatch.org.uk/home/2010/04/the-grim-consequences-of-crb-mistakes.html

CRB checks 'near 3m' says Big Brother Watch (10.02.2012)
http://www.bbc.co.uk/news/uk-16970424

Student in legal challenge to criminal record of GMP warning for stealing
bikes when he was aged 11 (9.02.2012)
http://menmedia.co.uk/manchestereveningnews/news/s/1485057_student-in-legal-challenge-to-criminal-record-of-gmp-warning-for-stealing-bikes-when-he-was-aged-11

============================================================
8. RFID - a dangerous fashion trend highlighted on German streets by FoeBuD
============================================================

On 11 January 2012, EDRi member FoeBuD staged an event on a shopping
street in Bielefeld, Germany, to raise awareness about RFID tags ("spy
chips") in clothing.

FoeBuD played an important role in putting this issue on the political
agenda in 2003, when major German retailer Metro AG conducted RFID
field trials in a model supermarket, dubbed "Future Store". While RFID
roll-outs in supermarkets have not occurred as quickly as expected at that
time (probably due in part to the concerns raised by privacy advocates),
recently the fashion industry seems to have taken a lead in introducing RFID
in goods sold to and carried by consumers.

RFID ("Radio Frequency Identification") tags are tiny chips with an
antenna, which respond to a radio signal by transmitting back some
previously stored data including their unique serial number. Because
every single chip can be recognised by this ID, an RFID tag is not just
a contactless product bar code - it allows every individual item to be
identified. This makes RFID a very interesting technology for retail
logistics. But an RFID tag on a highly personal item (such as a piece of
clothing) could identify its owner if the owner's personal data somehow
becomes available - if the owner makes a payment with a card, for
example. The owner's data does not need to be stored on the chip itself,
it could be related to the chip's ID via an external database. Personal
tracking becomes a distinct possibility, indeed a patent for this has
been granted in the US.

RFID data transmissions cannot be seen or heard, so FoeBuD looked for a
way to visualise the threat to any passer-by on a regular shopping
street. An RFID reader was connected to a portable computer and
projector, which beamed any RFID data that was read onto a "speech
bubble"-shaped banner. Suddenly it was there for anyone to see that
RFID-tagged clothes are effectively announcing an identity to every
"interested" party reading the device at a distance of up to 10 metres
(approximately, and depending on the type of RFID chip and reader).

At this event, FoeBuD targeted local fashion company Gerry Weber and
Italian fashion brand Peuterey (which had received a German Big Brother
Award from FoeBuD in 2011 for introducing RFID in a particularly
secretive way). Gerry Weber had actually been in contact with FoeBuD
about their RFID roll-out, but had ultimately chosen not to implement a
fundamental requirement: that the RFID tags be detached from every item
at the point of sale, without the customer having to ask for this. The
FoeBuD activists had alerted Gerry Weber about their action and were met by
the company's CIO and RFID project leader, and later by the company's
owner Gerhard Weber himself, who regrettably did not show a lot of
understanding towards the activists' concerns. But at least it is
possible to tear off Gerry Weber's RFID tags. In contrast, Peuterey does
not give any in-store information to its customers, and their RFID tags
are sewn in beneath a label imprinted "do not remove this label".

FoeBuD's event and their demand that all RFID tags be removed or
permanently disabled at the point of sale were covered by the regional TV
and by newspapers across Germany. The group hopes to keep the momentum
going.

FoeBuD's coverage about their action, with pictures (only in German,
01.2012)
http://www.foebud.org/rfid/wdr-sendung-markt-kleidungsstuecke-mit-rfid-schnueffelchips-verwanzt/

Coverage by regional public TV station WDR (only in German, 16.01.2012)
http://www.wdr.de/tv/markt/sendungsbeitraege/2012/0116/01_rfid-chips.jsp

Privacy advocates discover RFID chips in clothing (only in German,
16.01.2012)
http://www.zeit.de/digital/datenschutz/2012-01/foebud-rfid-gerry-weber

Why RFID tags are a danger to consumers (only in German, 18.01.2012)
http://www.sueddeutsche.de/digital/2.220/rfid-aufkleber-als-schnueffelchips-warum-funketiketten-eine-gefahr-fuer-verbraucher-sind-1.1260505

BigBrotherAward 2011 to Peuterey (English summary, full speech in German)
https://www.bigbrotherawards.de/2011/.tec

BigBrotherAward 2003 to Metro (available in English and German)
https://www.bigbrotherawards.de/2003/.cop

Report on Metro's "Future Store" and 2003/04 RFID scandal:
http://www.spychips.com/metro/overview.html

US patent 7,076,441 on "Identification and tracking of persons using
RFID-tagged items in store environments"
http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/7076441

(Contribution by Sebastian Lisken, EDRi member FoeBuD - Germany)

============================================================
9. Irish ISP puts its customers' personal data at risk
============================================================

Personal data of more than 6 800 current and former customers of the mobile
divisions of Eircom, the biggest Irish ISP, may be at risk after three
unencrypted laptops were stolen: two from the company offices in Parkwest,
Dublin, between 28 December 2011 and 2 January 2012, and one from an
employee's home on 19 December 2011.

Eircom stated that most of the data involved were personal data including
name, address and telephone numbers, but in some cases passport, driving
licence numbers or utility bills and for about 550 customers the data on one
of the laptops included financial information such as bank accounts, debit
and credit card information.

Data Protection Commissioner Billy Hawkes considers the breach one of the
most serious ones and said that Eircom had put its customers at risk of
identity theft. He also criticised the company for the delay in notifying
people of the thefts, a notification that would have given them the
opportunity to protect themselves.

"Our normal delay in getting reports in is 24 to 48 hours which is our
guideline for reports of such incidents. So I find it very surprising to
hear that reason being given by Eircom," said Hawkes as a reaction to
Eircom's statement that the delay in reporting came from the fact that the
company had tried to find out what data had been breached.

Furthermore, as Hawkes said, Eircom as a telecom company was supposed to
have higher protection standards and therefore it was "very surprising that
in two separate incidents Eircom laptops were not encrypted."
His conclusion is that "telecommunications companies have a huge amount of
data on all of us and should be subject to more stringent requirements."

Eircom stated the incidents had been immediately reported to the police, two
separate investigations were ongoing and that there was no evidence that the
lost data had been used by a third party. "Eircom treats privacy and
protection of all data extremely seriously and we have taken the following
pro-active measures to address the situation. As a precautionary step, we
have contacted the Irish Banking Federation, who has notified their members
of the potential risk to data for affected eMobile and Meteor customers."

The company also stated it would contact by telephone those customers whose
financial data was potentially at risk, and would send letters to all
affected customers to notify them of the breach.

The fact that the laptops in question were unencrypted was considered
inexcusable, and according to data protection consultant Daragh O'Brien the
delay in alerting the commissioner's office suggested faulty prevention and
detection policies in Eircom. Information security consultant Brian Honan
also said that companies were obliged, under various laws, to ensure the
proper security of information such as card payment information.

According to Eircom, a review of the group's encryption policy is in
progress "to ensure all computers and laptops are compliant with the group's
encryption policy."

Eircom customer data breached (10.02.2012)
http://www.irishtimes.com/newspaper/breaking/2012/0210/breaking9.html

Press Release - eircom Group Statement on Laptop Theft
http://pressroom.eircom.net/press_releases/article/eircom_Group_Statement_on_Laptop_Theft/

Eircom slammed for laptop and data loss (13.02.2012)
http://www.scmagazineuk.com/eircom-slammed-for-laptop-and-data-loss/article/227433/

============================================================
10. ENDitorial: EU DP Regulation Proposal: The French CNIL defends its turf
============================================================

The French CNIL was one of the first national Data Protection Authorities
(DPAs) to react to the publication, by the European Commission, of its Data
Protection Framework Proposal on 25 January 2012. In a very negative press
release published the day after, while quickly welcoming "substantial
improvements that were expected and necessary", the CNIL develops surprising
arguments to justify its particular concern, namely that "the defence of
data protection" would be "driven apart from citizens". CNIL's anger is
directed at Article 51 provision, defining the competent DPA. This article
provides that the competent supervisory authority shall be the one "of main
establishment of the data controller or processor".

When examining CNIL's arguments, one might wonder whether it has carefully
and entirely read the proposed Regulation before showing such a reaction.
This impression is even strengthened when learning about CNIL's intense
lobbying towards the French Parliament and Government, which need to provide
their opinion during the EC proposal discussion process. Actually, the
European Affairs Commission of the French National Assembly has already
adopted a resolution in line with the CNIL's opinion, and the Constitutional
Laws Commission of the French Senate is currently conducting hearings
(inviting inter alia French EDRi-member IRIS to provide its views on 14
January), before adopting its own resolution on the proposed EC Data
Protection Framework (this French Parliament quick process is determined by
next Presidential elections, meaning that the Parliament will have to stop
its work early March 2012).

Arguments put forward by the CNIL could easily be refuted, especially since
some of them are based on a wrong or partial interpretation of the proposed
Regulation.

The CNIL claims that the provision "will reduce the national DPAs role to
that of a mailbox"; "will deprive widely the citizens of the protection
offered by their national authority"; "will constitute a real regression of
citizens' rights", which "would finally be less protected than consumer
rights" given that consumer laws allow for the competence of the consumer's
jurisdiction. Interestingly enough, the CNIL gives as example "a web user
having a problem with a social network which main establishment is in
another member state". Furthermore, the CNIL fears that the provision will
lead to "forum shopping" practices by companies when they decide on their
country of main establishment, a situation that would end not only in
"dumbing down" of citizens' data protection, but also in putting at risk the
French economy! Finally, the CNIL "considers that the proposed scheme leads
to a centralization of the regulation of privacy in the hands of a limited
number of authorities", and that "the European Commission will also benefit
from an important normative power".

It is true that the EC will play an important role, that could be balanced
through improving the powers, independence and processing of the European
Data Protection Board (Chapter VII of the Regulation) and the national
Supervisory Authorities (Chapter VI) as well as, of course, the substantive
provisions of the data protection principles themselves, as EDRI pointed out
in its initial comments and will detail further in the process.

However, the CNIL seems to ignore the difference between a Regulation and a
Directive! The very reason for the EC choice for the former is indeed the
fact that a Regulation goes far beyond simply harmonizing the national laws,
to rather impose the same law to all Member States, requiring in addition
that same independence and powers be allowed to all national DPAs. Given
this new situation, why would a French citizen be less protected by, say,
the German DPA than by the CNIL? Especially since, even currently, French
citizens and privacy defenders would have appreciated to see the CNIL taking
the position of other Member States DPAs on some particular issues.

Moreover, through the European Data Protection Board proceedings, European
citizens could only benefit from the emulation among DPAs: they will have to
be accountable to and controlled by each other. The national DPA would
certainly not be "reduced to a mailbox" in this game, since its role will be
essential here, and is guaranteed by provisions of Articles 55-56 and 66.
Moreover, Articles 73-75 provide for better democratic control and recourses
not only by citizens, but also by non profit associations such as privacy
watchdogs or human rights organizations acting in their names.

The example provided by CNIL of a social network as the data controller and
processor is particularly misleading and perverse: as a matter of fact,
while Article 51 provision only concerns companies established in the EU,
many French Members of Parliaments already interpreted this example as the
future impossibility for the CNIL to impose penalty on major US companies,
such as Facebook (or Google which it already sanctioned).

Furthermore, the "forum shopping" risk is ridiculous: who on earth could
reasonably think that a company will choose its country of main
establishment according to data protection law (which, again, will in
addition be the same in all EU countries), rather than on the basis of
taxation and labour laws and practices?! Who on earth could reasonably think
that the French economy would be put at risk by the CNIL's "superpowers"?!

Many other counter-arguments can be found in the text of the proposed
Regulation itself (such as the provided exceptions in Articles 80-83 and
other provisions as well). The fact is that, rather than raising sound
arguments towards improving the current proposal (and this is indeed much
needed), the CNIL currently seems to only be busy defending its turf.
Ungloriously.

CNIL - Draft EU Regulation on data protection: the defense of data
protection driven apart from citizens  (31.01.2012 original in French on
26.01.2012)
http://www.cnil.fr/english/news-and-events/news/article/draft-eu-regulation-on-data-protection-the-defense-of-data-protection-driven-apart-from-citizens/

CNIL - Draft EU regulation: the CNIL welcomes the French Parliament
commitment (only in French, 08.02.2012)
http://www.cnil.fr/la-cnil/actualite/article/article/projet-de-reglement-europeen-la-cnil-salue-lengagement-du-parlement-francais/

French National Assembly - EU Affairs Commission Resolution on Draft EU DP
Framework (only in French, 07.02.2012)
http://www.assemblee-nationale.fr/13/propositions/pion4227.asp

French Senate - Oral Question and public discussion on privacy and data
protection (only in French, 08.02.2012)
http://www.senat.fr/seances/s201202/s20120208/s20120208_mono.html#Niv1_SOM3

EDRi - Initial Comments On The Proposal For A Data Protection Regulation
(27.01.2012)
http://www.edri.org/CommentsDPR

(Contribution by Meryem Marzouki, EDRI-member IRIS - France)

============================================================
11. Recommended Action
============================================================

Petition: Support the establishment of a common European OpenData license
within the review of the Public Sector Information re-use Directive
Deadline: 1 March 2012
Available in Spanish and English
http://actuable.es/peticiones/say-to-neeliekroeseu-we-want-single-opendata-licence-in-the

============================================================
12. Recommended Reading
============================================================

EDRi papers: DRM - The strange, broken world of the digital rights
management
http://www.edri.org/files/2012EDRiPapers/DRM.pdf

ACTA Survival Guide For Website Owners (7.02.2012)
http://www.edri.org/ACTAhowto

10 European Commission Myths About ACTA (8.02.2012)
http://www.edri.org/commission_myths

Sharing: Culture and the Economy in the Internet Age - By Philippe
Aigrain (3.02.2012)
http://www.laquadrature.net/en/sharing-culture-and-the-economy-in-the-internet-age-by-philippe-aigrain

============================================================
13. Agenda
============================================================

25 February 2012, Szeged, Hungary
Copyright and Human Rights in the Information Age: Conflict or Harmonious
Coexistence
http://www.juris.u-szeged.hu/english/news/conference-on-copyright

7 March 2012, Amsterdam, Netherlands
Big Brother Awards Netherlands 2012
https://www.bigbrotherawards.nl/

16 March 2012, Rotterdam, Netherlands
EPSIplatform Conference: Taking government data re-use to the next level!
http://epsiplatform.eventbrite.com/

30 March - 1 April 2012, Berlin, Germany
Wikimedia Chapters Meeting 2012
http://meta.wikimedia.org/wiki/Wikimedia_Conference_2012

13 April 2012, Bielefeld, Germany
Big Brother Awards Germany
http://www.bigbrotherawards.de/

16-18 April 2012, Cambridge, UK
Cambridge 2012: Innovation and Impact - Openly Collaborating to Enhance
Education
OER12 and the OCW Consortium's Global Conference
http://conference.ocwconsortium.org/index.php/2012/uk

2-4 May 2012, Berlin, Germany
Re:Publica 2012: ACTION!
http://re-publica.de/12/en

14-15 June 2012, Stockholm, Sweden
EuroDIG 2012
http://www.eurodig.org/

20-22 June 2012, Paris, France
2012 World Open Educational Resources Congress
http://www.unesco.org/webworld/en/oer

2-6 July 2012, Budapest, Hungary
Policies and Practices in Access to Digital Archives: Towards a New
Research and Policy Agenda
http://www.summer.ceu.hu/sites/default/files/course_files/Policies-and-Practices-flyer%202012_0.pdf

9-10 July 2012, Barcelona, Spain
8th International Conference on Internet Law & Politics: Challenges and
Opportunities of Online Entertainment
http://edcp.uoc.edu/symposia/idp2012/cfp/?lang=en

11-13 July 2012, Vigo, Spain
The 12th Privacy Enhancing Technologies Symposium
(PETS 2012)
http://petsymposium.org/2012/

12-14 September 2012, Louvain-la-Neuve, Belgium
Building Institutions for Sustainable Scientific, Cultural and genetic
Resources Commons.
http://biogov.uclouvain.be/iasc/index.php

7-10 October 2012, Amsterdam, Netherlands
2012 Amsterdam Privacy Conference
http://www.ivir.nl/news/CallforPapersAPC2012.pdf

============================================================
14. About
============================================================

EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 28 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRi-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and are visible on
the EDRi website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
http://flattr.com/thing/417077/edri-on-Flattr

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided by
Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or
unsubscribing.

----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE