EDRi-gram newsletter - Number 10.1, 18 January 2012

EDRI-gram newsletter edrigram at edri.org
Wed Jan 18 10:57:05 PST 2012



biweekly newsletter about digital civil rights in Europe

Number 10.1, 18 January 2012


EDRi supports protests against US blacklist legislation
1. What's Wrong with ACTA Week
2. The US pressure on Spain to censor the Internet has paid off
3. Belarus strongly censors the Internet
4. Commission confirms illegality of Data Retention Directive
5. Romanian Senate rejects the new data retention law
6. Finnish ISP started blocking The Pirate Bay
7. Dutch Internet providers forced to block The Pirate Bay
8. US continues pushing on EU Commission against Data Protection proposals
9. Researchers say smart meter technology is privacy intrusive
10. ENDitorial: Copyright vs Public Domain - copyright as a barrier to culture?
11. Recommended Action
12. Recommended Reading
13. Agenda
14. About

EDRi supports protests against US blacklist legislation

EDRi supports today's black-out campaign against SOPA and PIPA and endorses
the positions of the international human rights community in criticising the
two draft normative acts from the US.

Human rights community speaks out on PROTECT IP Act (16.01.2012)

Human rights community against SOPA (15.11.2011)

More details on the blackout campaign

1. What's Wrong with ACTA Week

Since many politicians and citizens are not yet aware of ACTA's serious
implications, EDRi has launched a "What's Wrong with ACTA Week". We have put
together five one-page briefing documents which briefly summarise the most
important issues:

ACTA and its Impact on Fundamental Rights (16.01.2012)

ACTA - Criminal Sanctions (17.01.2012)

ACTA - Innovation and Competition (18.01.2012)

ACTA and its Impact on the EU's International Relations (will be released on

ACTA and its Safeguards (will be released on 20.01.2012)

2. The US pressure on Spain to censor the Internet has paid off

The US has continued to pressure Spain since 2008 to adopt measures against
users allegedly downloading copyrighted music and movies illegally from
file-sharing networks. This pressure has now paid off: at the end of 2011 the
Spanish Congress approved the so-called Sinde law (Ley Sinde), which allows
the closing down of websites deemed to be illegally making copyrighted
material available for download.

Wikileaks cables revealed in 2010 that the US pressured Spain to pass
stronger copyright enforcement laws, threatening to put Spain on its
Special 301 Report (a watch list of countries with "bad" intellectual
property policies), a threat which it actually carried out.

"We propose to tell the new government that Spain will appear on the Watch
List if it does not do three things by October 2008. First, issue a
(Government of Spain) announcement stating that Internet piracy is illegal,
and that the copyright levy system does not compensate creators for
copyrighted material acquired through peer-to-peer file sharing. Second,
amend the 2006 "circular" that is widely interpreted in Spain as saying that
peer-to-peer file sharing is legal. Third, announce that the GoS (Government
of Spain) will adopt measures along the lines of the French and/or UK
proposals aimed at curbing Internet piracy by the summer of 2009," says the
text of the diplomatic cable announcing the pressure tactics revealed by

The Sinde Law was promoted by Angeles Gonzalez-Sinde Reig, former head of
the Spanish Academy of Cinematographic Arts & Sciences, when she became
Minister of Culture in 2009. The Sinde Law gave a government committee the
power to blacklist Internet sites allegedly trafficking in copyrighted files.

The new legislation creates a government body, the Intellectual Property
Commission, which will have the power to evaluate sites and to force
Internet service providers to block, within ten days, the sites deemed to be
trading in pirated material.

The owners of the websites have three days to present arguments before the
commission to justify their activities. Once the commission has decided on
the removal of certain content, the ISPs have 24 hours to block the service
or to remove the content, and the website owners have no avenue of appeal.

If website owners don't comply voluntarily, a court will intervene to close
down the website or to block the service, requiring the ISPs to reveal
the identity of the website owners.

The US supported the Sinde law, lobbying hard for the measure and even asking
for support from Spanish opposition parties, with the aim of having Spain's
position influence the European Union later on during Spain's EU presidency,
as the cables revealed by Wikileaks showed.

But, despite the government's expectations, the opposition to the Sinde law
was fierce; it was strongly criticised by Internet groups and lawyers, which
led to the bill being stopped in the Parliament at the end of 2010.

The government left the law for the incoming administration to handle after
November 2011 and the new government approved very rapidly a modified
version of the law where, for instance, judges will have to issue the actual
blacklist order. It appears that this sudden decision was also pressured by
the US.

El Pais revealed on 12 December 2011 a letter from the US ambassador
addressed to Spanish officials complaining that the law had not yet entered
into force.

"The government has unfortunately failed to finish the job for political
reasons, to the detriment of the reputation and economy of Spain. I
encourage the Government of Spain to implement the Sinde Law immediately to
safeguard the reputation of Spain as an innovative country that does what it
says it will, and as a country that breeds confidence," said the letter. The
ambassador also reminded Spain of having already been once on the special
301 Report and warned of the risk of the country being further downgraded
and returned to the "Priority Watch List" of "the worst global violators of
intellectual property rights", which can lead to serious commercial

Spanish Internet users are already organising a boycott, calling on Internet
users not to purchase or consume any artistic or intellectual works of
authors, producers, agents or managers who have explicitly expressed support
for or participated in lobbying for the Sinde law. Victor Domingo Prieto,
President of La Asociación de Internautas, has stated that "when the
Intellectual Property Commission takes its first steps (of blocking sites),
reports of the unconstitutionality of its decisions will occur immediately."

How the US pressured Spain to adopt unpopular Web blocking law (5.01.2012)

US slammed Zapatero for not passing "Sinde" anti-piracy law (4.01.2012)

Spain's SOPA Law: How It Works And Why It Won't (9.01.2012)

Anti-internet piracy law adopted by Spanish government (3.01.2012)

The Government of PP approves the regulation of Sinde Law and eliminates the
licence (only in Spanish, 30.12.2011)

Spain's Ley Sinde: New Revelations of U.S. Coercion (9.01.2012)

EDRi-gram: Spanish anti-piracy law approved by the Government (24.03.2011)

3. Belarus strongly censors the Internet

6 January 2012 saw the coming into force of the Belarusian law imposing even
more restrictions on online free expression in a country that is already
viewed as a dictatorship.

Belarus is already listed as a country "under surveillance" in the Reporters
Without Borders annual report on "Enemies of the Internet" and is ranked
154th out of 178 countries in the 2010 press freedom index.

The law that recently entered into force turns browsing foreign websites into
an offence punishable by fines of up to about 100 Euro and makes ISPs liable
for the actions of their users. This means that, in carrying out its online
activities, any business in the country will be able to use only fully
local Internet domains, excluding sites, search engines and social
networks such as Wikipedia, Facebook and Twitter. Even Google may be in the
same position, as it hosts its website Google.by in the US.

The initial decree, issued in February 2010 by President Alyaksandr
Lukashenko, already requires the compulsory registration of all Belarusian
websites, which must then be hosted in the country. Also, anyone going online
in an Internet café or using a shared connection will have to identify
themselves, and a record will be kept of everyone's surfing history for a

Not only are ISPs liable for their users' activities online, but home
Internet subscribers are also considered liable for others who share
their connections.

ISPs are expected to monitor foreign website use and report their findings to
the authorities, just as ordinary citizens sharing an Internet connection
with others are expected to report any infringement of the law.

A list of banned sites is issued by the State Inspection on Electronic
Communications on the basis of decisions by several institutions, such as the
Operational and Analytical Centre. The criteria for the inclusion of
sites on the list include content that is pornographic or advocates violence
or "extremism", a notion which, as has been proven several times, is vague
enough to lead to abuse and overblocking.

Thus, the authorities may draw up a list of banned sites, access to which
must be blocked by ISPs at 24 hours' notice in official institutions and in
cultural and educational institutions. Websites such as the news sites
Charter97 and Belaruspartisan, and the blog of the humorist Yauhen Lipkovich,
which are critical of the government or the President, are already on the
blacklist.

After Lukashenko took every measure to eliminate any opposition, the
Internet practically remained the only environment in which pressure could
be applied to the regime. A Facebook group "Wanted criminals in civilian
clothes", blogs and Posobniki.com all helped in exposing the regime's crimes
and abuses. This made the Internet a target for the government, hence the
present restrictive legislation.

Belarus Bans Browsing of All Foreign Websites (3.01.2012)

Belarus authorities turn up the heat on the Internet (6.01.2012)

Internet in Belarus, November 2011 (4.01.2012)

In Belarus, the freedom of the internet is at stake (6.01.2012)

4. Commission confirms illegality of Data Retention Directive

The EDRi-member Quintessenz - Austria has published a leak of an
internal paper from the Commission intended to inform DAPIX, the
Council's working party on information exchange and data protection, of
the results of the Commission's consultation in April 2011 on the reform
of the Data Retention Directive (DRD). It raises a number of issues with
the Directive that the Commission wishes to tackle in order to cast it
in a better light. The Commission admits that "there is a continued
perception that there is little evidence at an EU and national level on
the value of data retention in terms of public security and criminal
justice, nor of what alternatives have been considered". It then asks
at the end of the document: "What are the most effective ways of
demonstrating value of data retention in general and of the DRD itself?"

The origin of the "perception" that there is little evidence existing as
to the value of the Directive is shown by the Commission's statement
that only 11 of 27 Member States have provided data that could be used
in order to highlight the added value of the Directive. Legal
uncertainties that have been overlooked during the drafting process of
the Directive are now posing a certain number of problems for the

In the document, the Commission acknowledges for example the lack of a
"logical separation between data stored and then accessed for a)
business purposes, b) for purposes of combating 'serious crime' and c)
for purposes other than combating serious crime" and the lack of a
monitoring system showing "data (that) would not have been available to
law enforcement without mandatory retention". The question of
distinguishing between data retained for business purposes from data
retained under the Directive is asked but left unanswered.

The Commission also states that unclear definitions in the DRD have led
to service providers storing instant messaging, chats and filesharing
details even though these types of data are outside the scope of the
Directive. It is often unclear to businesses in the telecommunications
sector which data should be stored. Law enforcement agencies have
apparently lobbied the Commission for a "technological neutrality" of
the Directive to ensure a broad "ability to know who communicated with
whom, when, where and how" - despite, it appears, being able to justify
the retention of the data already being stored.

Moreover, the paper repeats EDRi's concern regarding the "serious crime"
limitation, which is not defined at EU level or in many Member States,
and regarding the lack of a clear limitation of the purposes for which
data is being retained. It states that there have been many demands for
the extension of the use of data to copyright infringements or to such
vaguely defined offences as "hacking" and "urgent cases". According to
the document, the Directive has also led to an unclear situation for
citizens due to the absence of a procedure for reporting and redressing
data breaches and the absence of a monitoring system to know who
actually accessed the data.

Furthermore, the Commission states that, depending on the country, there
is no or only a very low reimbursement of storage costs, which leads to
a distortion of the free market. Especially the costs for small
businesses are being rated as "disproportionately high". This also means
that countries having implemented the Directive will have an economic
interest and will pressure other countries into implementing data retention.

In order to justify limitations of fundamental rights, such as the right
to privacy and to data protection, measures must be necessary and
proportionate. The leaked document however shows that the Commission
can neither prove necessity nor proportionality of the Data
Retention Directive - but still wants to keep the Directive. Despite
unending implementation problems and proven failure of the current
Directive, the Commission is maintaining its pressure on Member States
that have not already implemented the Directive, to do so.

The Commission is currently examining the possibility of amending the
Directive and is conducting a study on data preservation ("quick
freeze") which is due in May 2012.

Leaked Commission document (15.12.2011)

Commission's DRD implementation report (18.04.2011)

EDRi's Shadow implementation report (17.04.2011)

(Contribution by Kirsten Fiedler - EDRi)

5. Romanian Senate rejects the new data retention law

Following pressure from the European Commission on the Romanian
authorities to implement the data retention directive, and despite the
2009 decision of the Constitutional Court against the data retention
law, a new draft law emerged, but it was rejected by the Senate at the
end of 2011.

The Romanian Ministry of Communications and Information Society (MCSI) had
tried to have the new draft promoted as a Government proposal, but failed
to do so for unclear reasons. The Romanian Data Protection Authority
decided not to endorse the new draft law, as the article concerning the
security institutions and the retained data is still vague.

The text is in fact similar to the old law that was declared
unconstitutional, and even worse in some specific respects, for example the
judicial approval required to access the retained data, which is unclear in
the new proposal. However, the MCSI rejected civil society's claims that the
new law was still unconstitutional and decided to go further with the same
draft.

In the end, the Minister promoted the law as his own initiative in the
Chamber of Deputies (because he is also a deputy) together with a Party
colleague. The law was sent for debate to the Senate, where it received an
unusual point of view from the Government, which refused to endorse the law
and said that the Parliament should decide its fate, because of the conflict
between the Constitutional Court decision and the EU data retention

The law was quickly debated by the Senate, after the Legal and Human Rights
Committees recommended the rejection of the law, as its content is
similar to the one already declared unconstitutional. On 21 December 2011,
the Senate decided unanimously that the law should be rejected.

However, the vote in the Senate is only consultative for this law, and the
decisive vote will be taken by the Chamber of Deputies, which will start
discussing the law in its committees in February 2012.

Data retention: Commission requests Germany and Romania fully transpose EU
rules (27.10.2011)

Romanian DPA does not endorse the data retention law (only in Romanian,

The Romanian Government refuses to adopt a point of view on data retention
law (only in Romanian, 19.12.2011)

Report of the Senate Legal Committee to reject the data retention law (only
in Romanian, 20.12.2011)

The Senate rejects the data retention law (only in Romanian, 22.12.2011)

EDRi-gram: New draft law for data retention in Romania (29.06.2011)

6. Finnish ISP started blocking The Pirate Bay

On 9 January 2012, the Helsinki Enforcement authority obliged the Finnish ISP
Elisa to execute the court ruling requiring it to block access to The Pirate
Bay from its network.

This is the latest phase in an ongoing legal fight between the Copyright
Information and Anti-Piracy Centre (CIAPC) and Elisa. Acting on behalf of
IFPI Finland, CIAPC brought the case to court in May 2011, and in October
the court ruled that Elisa must block access to The Pirate Bay. Elisa has
appealed the ruling to a higher court.

The court ruling from October did not specify the domain names and IP
addresses that Elisa should block. The Enforcement authority gave Elisa a
list of domain names compiled by the CIAPC, including not only domains of
The Pirate Bay itself but various translations of the name such as

One of the listed domain names was piraattilahti.fi ("pirate bay" in
Finnish), a website owned by a private Finnish person. The site did not
contain any links to or material from The Pirate Bay, but instead hosted a
campaign page against SOPA (Stop Online Piracy Act), the controversial US
draft bill. The owner of the site changed piraattilahti.fi to point to
Effi's web server, with the result that people outside Elisa's network saw
Effi's web pages and those inside Elisa got nothing when they entered
piraattilahti.fi in their browser. The site was later removed from the
blocking list.

Another initially blocked site was piraatti.fi, which is in fact an
anti-piracy propaganda site. It was unblocked a few days later.

After the enforcement of the block, the website of CIAPC was flooded offline
and CIAPC claimed to have received a bomb threat.

The enforcement raises some questions. First of all, how can a private
organisation be empowered to manage a list of websites that people should
not be allowed to access, apparently without checking at all what the sites
actually contain? Furthermore, why such a hurry to enforce a court decision
that has been appealed, especially as there is a fresh precedent from the
European Court of Justice that basically disallows the Finnish lower court

Elisa's press release (9.01.2012, updated 11.01.2012)

EDRi-gram 9.21: Finnish ISP ordered to block The Pirate Bay (2.11.2011)

European Court of Justice press release (24.10.2011)

(Contribution by Timo Karjalainen, EDRi member Electronic Frontier
Finland - Effi)

7. Dutch Internet providers forced to block The Pirate Bay

In its judgement of 11 January 2012, the Court of The Hague granted
Dutch copyright enforcement organisation Brein's request to order Dutch
internet providers Ziggo and XS4ALL to block access to The Pirate Bay.
This is the opposite of an earlier ruling given in summary proceedings
where no such order was given. Ziggo and XS4all will appeal the ruling.

The Court of The Hague held that Ziggo and XS4ALL have to block access
to the domain names and IP-addresses of The Pirate Bay. In the future,
Brein may also give the providers additional lists to block. The
Court came to this conclusion based on additional evidence provided by
Brein that a large number of Ziggo and XS4ALL subscribers used The
Pirate Bay to download content without authorisation.

The Court based its order on article 26d of the Dutch Copyright Act and
article 15e of the Dutch Neighbouring Rights Act. These articles, which are
based on Directive 2001/29/EC on the harmonisation of certain aspects of
copyright and related rights in the information society, give the judiciary
the right to order intermediaries whose services are used by third parties
to infringe copyrights, to discontinue the services that are used for these
infringing activities.

The Court reasons that, based on the ECJ's interpretation of Article 11 of the
IP Enforcement Directive 2004/48/EC in the L'Oreal/Ebay case, such an order
can also be extended to prevent future infringements. Therefore, the order
does not have to be focused on a specific infringement; its scope can be
broader, according to the Court. Referring to the judgement of the European
Court of Justice (ECJ) in the Sabam/Scarlet case, the Court states that a
fair balance has to be struck between fundamental rights and the protection
of intellectual property. This balance has to be determined by the principles
of subsidiarity and proportionality. According to the Court, blocking The
Pirate Bay adheres to these two principles for a number of reasons.

First, according to the Court, only a marginal amount of legal content can
be found on The Pirate Bay. The legal content that is provided can also be
retrieved by other means, and therefore there is no violation of article
10 ECHR. Second, the Court notes that direct proceedings against The Pirate
Bay and release groups have proven to be futile. Therefore it is appropriate
to address intermediaries. Third, blocking The Pirate Bay would essentially
substantiate an earlier order of the Court of Amsterdam that already ordered
the administrators of The Pirate Bay to disable their website, including
legal content. Fourth, the Court does not consider a DNS and IP blockade to
constitute active surveillance, as it is directed at one website. It does
not involve deep packet inspection to prevent any possible infringements
from happening and it is therefore not forbidden by article 15 sub 1 of the
E-Commerce Directive 2000/31/EC and the Sabam/Scarlet ruling of the ECJ.

As can be seen by the many contradicting rulings given by various Courts
in Europe, court cases regarding the blocking of websites do not always
lead to the same result. For example, on 9 January 2012, the local Court
of Helsinki in Finland ordered Elisa, one of the largest Internet
Providers in Finland, to block access to The Pirate Bay for its
customers. On the other hand, on the 31 August 2011, the Court of
Cologne held that Internet Provider HanseNet could not be ordered to
block access to a Russian website that facilitated copyright

Considering these completely different outcomes across the European
Union, it is remarkable that the Court of The Hague did not see reason
to ask preliminary questions to the ECJ.

Decision of the Court of The Hague (only in Dutch, 11.01.2012)

Court of Cologne's decisions on Hansenet (only in German, 31.08.2011)

EDRi-gram: Dutch Internet Provider Not Obliged To Block The Pirate Bay

Blocking The Pirate Bay: will the Dutch court ruling hold in appeal?

(Contribution by Arjan de Jong - volunteer Bits of Freedom)

8. US continues pushing on EU Commission against Data Protection proposals

The US Department of Commerce has circulated a second informal note with
comments on the proposals for a data protection regulation and a directive
on data protection in the field of law enforcement. This time, its criticism
focuses on the following concerns: the regulation could hinder commercial
interoperability and even be counter-productive for consumer privacy
protection, and it could have a negative impact on freedom of speech and
other human rights, on law enforcement cooperation, on cooperation between
regulatory authorities and on civil litigation.

The high-level interference with the internal processes of the European
Commission by the United States is quite extraordinary. Undoubtedly, a
degree of concern can legitimately be expressed as the final decisions are
being made on a piece of legislation which has international significance.
However, this amount of interference, before either the European Parliament
or Council (the Member States) have been able to have their say, implies a
significant level of disrespect for the institutions of the Union and their
ability to resolve any issues with what is, after all, the first draft in a
legislative process which will last two to three years.

According to the DoC's informal note, the Safe Harbor Agreement enables the
transfer of personal data and is a "vital component of transatlantic trade".
The DoC thereby completely ignores the findings of several external
evaluations of the EU-US Safe Harbor Privacy Principles, which criticised the
agreement's compliance and enforcement, and which is today widely considered
to be entirely without credibility.

The note praises Article 40 and its provisions regarding Binding Corporate
Rules (BCR) as a legal basis for transfers of personal data to third
countries but asks for more detail regarding the type of verification data
protection authorities will consider sufficient. The document also states
that codes of conduct (of the kind that have failed to develop in the
existing Directive, but are nonetheless envisaged in the USA) can lead to an
increase in interoperability and enhanced consumer protection and suggests
that the EU looks into mechanisms to convert codes of conduct into BCRs.

However, the provision for explicit consent under a single standard is
heavily criticised since, it is argued, if it is not simplified and
meaningful, it could easily overburden individuals. The DoC states that a
single standard is ill-suited to institutions and types of commerce that
offer financial products and services.

The DoC then criticises the Regulation's specifications regarding "privacy
by design" and the broad authority given to the EU Commission to set out the
technical standards - without presenting any valid arguments against the
proposed principle of privacy by design itself.

The informal note also qualifies some provisions as being infeasible, since
they would impose burdens on businesses without enhancing consumer
protection, such as data breach notification and the right to be forgotten.

In contrast to its first note from December 2011, the DoC now admits that
the US itself has several federal laws regarding breach notification, but
repeats the criticism of the first informal note regarding the obligation
to notify data subjects within 24 hours, arguing that the period is "simply
too short", that it could lead to "massive fines" for companies and to
confusing "false alarms" for consumers.

The draft Regulation is also considered to be inconsistent with the global
nature of the Internet since it would assert jurisdiction over persons
operating websites without a legal nexus with Europe (i.e. exactly what the
US is proposing in its current draft proposals on intellectual property).
According to the DoC, the term "directed to" is neither sufficiently defined
in paragraph 15 nor does the limiting principle go far enough. Oddly enough,
the "directed to residents of the US" provision of the planned Protect IP
Act (PIPA) raises no similar concerns in the US.

As mentioned above, the note qualifies the "right to be forgotten" as
undermining freedom of expression, as technically impracticable and as
ignoring the open and decentralised nature of the Internet. The DoC
expresses concern that the exceptions in article 80 are narrower than
freedom of expression, that the "right" to be forgotten is not an
internationally recognised right and that protected expression will be deleted.
However, the DoC seems to ignore that this article is based on an already
existing right as set out by the EU (1995/46/EC, article 12 b) and that
these concerns can easily be addressed by clarification of the wording of
the current draft of the Regulation.

Of course, the DoC is also very concerned about the draft Police and
Criminal Justice Data Protection Directive saying that it would limit
information and evidence sharing to "the minimum necessary" - which is a
useful, albeit unintentional, confirmation that the proposal is legal under
the Charter of Fundamental Rights. They are also unhappy about the fact that
other legal information-sharing instruments with EU Member States would
probably not suffice under the proposed Directive since existing instruments
must meet specific and "problematic" privacy protection requirements.
Moreover, the DoC fears that the "strong system of privacy protection"
existing in the United States (which, incidentally, does not cover EU
citizens) would disappear since it would be forced to adopt the European
style of data protection.

The DoC criticises the data transfer provisions of the draft Regulation
(art. 37-41) arguing that they would undermine cooperation and data sharing
processes among regulatory authorities in the US, the EU and the EU's Member
States based on cooperative arrangements.

The document then specifically targets article 42 stating that its
restrictions could block or delay access to information held by US firms and
have an impact on investigations of EU firms and citizens. Bizarrely, the US
DoC is worried about regulating a currently unregulated situation which
would permit data exchange in the absence of a legal framework and legal
safeguards. According to the note, article 42 might even affect the
US-registered companies located in the EU and their ability to conduct
business in the US. It is noteworthy that the US currently uses instruments
such as the Foreign Intelligence Surveillance Act to retrieve data on
foreign individuals' political activities, who may have no contact
whatsoever with the USA, via companies with US offices. This legal vacuum
would be addressed by article 42.

An unusually high number of Commission services issued negative internal
opinions on the draft legislation, thus delaying the inter-service process
(see the two opinions below). This was partly a result of the significant
lobbying campaign (including high-level phone calls to top-level staff in
the European Commission) against the leaked draft proposal for a Regulation
by the United States Department of Commerce and the Federal Trade
Commission. The official draft proposal is now expected to be
published in February/March.

First informal note circulated by the US (21.12.2011)

Second informal note by the US (16.01.2012)

Opinion DG Trade (21.12.2011)

Opinion DG Infso (21.12.2011)

Chris Connolly (Galexia), US Safe Harbor - Fact or Fiction?, Privacy Laws
and Business International, issue 96, December 2008:

The implementation of Commission Decision 520/2000/EC on the adequate
protection of personal data provided by the Safe Harbour privacy Principles
and related Frequently Asked Questions issued by the US Department of
Commerce SEC(2004)1323

(Contribution by Kirsten Fiedler - EDRi)

9. Researchers say smart meter technology is privacy intrusive

Two German researchers presented a talk entitled "Smart Hacking for Privacy"
at the 28th Chaos Computing Congress, which took place between 27 and 30
December 2011, on the privacy implications of "smart" electricity meters.
These devices, installed in homes, collect information to determine
power consumption. The researchers had signed up with Discovergy, one of the
independent companies providing such smart meters, to check how secure
the devices were and what information could be obtained from the data
they gathered.

According to Discovergy's website, the web interface accessing the
consumption data used HTTPS to protect the data and the data sent back to
Discovergy was encrypted and signed in order to prevent forged data. The
website also stated these facts had been confirmed by independent experts.

Following the researchers' presentation on 30 December, these statements
disappeared from the company's website. As it turned out, the site's SSL
certificate was misconfigured: it produced an invalid certificate warning
and then redirected users to an HTTP URL, where the data and password were
transmitted in clear text across the Internet. The researchers found that
the traffic was neither encrypted nor signed and was therefore easy to
intercept. They were also able to demonstrate that data from the entire
lifetime of the device was stored on Discovergy's servers.

One of the main concerns was that the smart meters were monitoring power
usage at two-second intervals, which implies the devices were able to
discern very fine changes in power consumption, such as the differences
caused by the brightness levels of different scenes in TV shows and movies.

The researchers believe that two-second measurements are unnecessary for
the stated goals of the smart meter companies and too privacy intrusive, as
the data obtained could be used to establish very fine details.

"Unfortunately, smart meters are able to become surveillance devices that
monitor the behaviour of the customers leading to unprecedented invasions of
consumer privacy. High-resolution energy consumption data is transmitted to
the utility company in principle allowing intrusive identification and
monitoring of equipment within consumers' homes (e.g., TV set, refrigerator,
toaster, and oven)", said the researchers in a statement prior to the

Nikolaus Starzacher, CEO of Discovergy, explained that one of the reasons
for using the two-second polling interval was to provide services such as
notifying customers that they had left an iron or another household
appliance on when leaving the house.

The researchers also claimed that they had been able to send false details
about their energy consumption back over the unencrypted Discovergy network,
meaning that consumers might be able to "potentially fake the amount of
consumed power being billed".
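The two weaknesses reported above, readings that are neither encrypted nor signed and a polling interval fine enough to reveal what is happening inside the home, both have straightforward technical mitigations. The following is an added example, not code from the researchers or from Discovergy: it authenticates each reading with an HMAC tag and a monotonically increasing sequence number, so a reading with altered consumption or a replayed reading is rejected by the receiving side, and it aggregates two-second samples into coarser buckets, which removes the fine-grained pattern while preserving what billing needs. The meter id, key, timestamps and consumption values are all constructed for the example.

```python
"""Authenticated meter readings and coarse aggregation (added example)."""
import hashlib
import hmac
import json

# Constructed shared secret for the example; a real deployment would
# provision a distinct key per meter rather than one global value.
METER_KEY = b"example-per-meter-secret"


def _canonical(body):
    """Serialise the reading fields deterministically so meter and
    receiver compute the HMAC over exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(meter_id, seq, timestamp, watts, key=METER_KEY):
    """Build a reading carrying an HMAC-SHA256 tag over all of its fields."""
    body = {"meter_id": meter_id, "seq": seq, "ts": timestamp, "watts": watts}
    body["tag"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_reading(reading, last_seq, key=METER_KEY):
    """Accept a reading only if its tag is valid and its sequence number is
    strictly greater than the last accepted one (rejects tampering and
    replay of an old but correctly signed reading)."""
    body = {k: v for k, v in reading.items() if k != "tag"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, reading.get("tag", "")):
        return False
    return reading["seq"] > last_seq


def make_samples(n=60, interval_s=2, start_ts=0):
    """Constructed two-second consumption series alternating between two
    load levels, standing in for the fine pattern a TV picture produces."""
    return [(start_ts + i * interval_s, 100 if i % 2 == 0 else 300)
            for i in range(n)]


def downsample(samples, period_s):
    """Average (timestamp, watts) samples into buckets of period_s seconds.
    Returns a list of (bucket_start, mean_watts) in time order."""
    buckets = {}
    for ts, watts in samples:
        buckets.setdefault((ts // period_s) * period_s, []).append(watts)
    return [(start, sum(vals) / len(vals)) for start, vals in sorted(buckets.items())]


if __name__ == "__main__":
    reading = sign_reading("meter-01", seq=1, timestamp=1325203200, watts=245)
    print("genuine reading accepted:", verify_reading(reading, last_seq=0))
    forged = dict(reading, watts=1)          # consumption altered in transit
    print("altered reading accepted:", verify_reading(forged, last_seq=0))
    print("replayed reading accepted:", verify_reading(reading, last_seq=1))
    fine = make_samples()
    print("levels visible at 2 s:", sorted({w for _, w in fine}))
    print("levels visible at 60 s:", sorted({w for _, w in downsample(fine, 60)}))
```

Signing alone does not hide the readings; it only lets the receiver detect a forged or replayed one. Confidentiality of the transport (a correctly configured TLS endpoint that never falls back to plain HTTP) and data minimisation through the coarser reporting interval are separate measures, and the example keeps them as separate functions for that reason.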

In the opinion of Ross Anderson, professor in security engineering at the
University of Cambridge Computer Laboratory, EU and UK plans to install
smart meters are "set to become another public sector IT disaster".

In a joint paper with his fellow academic Shailendra Fuloria, Anderson
warned of the vulnerability of smart meters, which might allow hackers to
break into a "head-end" hub where smart metering data are collated and thus
even cut the supply of energy to "tens of millions of households".

"The introduction of hundreds of millions of these meters in North America
and Europe over the next ten years, each containing a remotely commanded off
switch, remote software upgrade and complex functionality, creates a
shocking vulnerability," Anderson said, adding: "An attacker who takes
over the control facility or who takes over the meters directly could create
widespread blackouts; a software bug could do the same."

In his opinion, regulators have started to be aware of the issue and
possible solutions under discussion might be "shared control, as used in
nuclear command and control; backup keys as used in Microsoft Windows;
rate-limiting mechanisms to bound the scale of an attack; and local-override
features to mitigate its effects."

Smart meter hacking can disclose which TV shows and movies you watch

Smart Hacking for Privacy (16.01.2012)

Smart meter technology is privacy intrusive, researchers claim (11.01.2012)

10. ENDitorial: Copyright vs Public Domain - copyright as a barrier to culture?

"The book, as a book, belongs to the author, but as thought it belongs --
the word is not too big -- to the human species. Any intelligent being has a
right to it. If one of the two rights, that of the writer and that of the
human spirit, must be sacrificed, then certainly it should be the right of
the writer, as the public interest is our sole preoccupation, and everyone,
I declare, should come before us" - Victor Hugo, Opening speech of the
International Literature Congress of 1878

For many of us, New Year means good resolutions, for some even new
beginnings, but it also means new works of art in the public domain. This
year - just to name a few - James Joyce, Maurice Leblanc, Virginia Woolf,
Robert Delaunay, Sherwood Anderson and Henri Bergson have entered the public

To be in the public domain: what does it concretely mean? Public domain
works are part of citizens' cultural heritage, so their use is not
restricted, as it is when they are protected by copyright. Practically, it
means that people can freely copy, translate, adapt or use the works of the
artists, writers or musicians.

Entering the public domain leads to wider access to cultural content. The
public domain promotes education and knowledge. It is a factor of new and
further creation, knowledge and innovation, and these elements further
enhance access to culture. Once a work has entered the public domain, new
editions and republications flourish, giving a larger audience the
opportunity to access society's cultural heritage. 2010 turned into a year
of Freud. When Sigmund Freud's works
finally entered the public domain, publishers rushed to publish,
commissioned new translations and subsequently sold new versions of his

All in all, the public domain enables wider and greater circulation of
artistic, literary, dramatic and musical works, encouraging access for all.
And last but not least, the public domain also has an economic value. Some
publishers have indeed specialised their business model in publishing works
for which copyright protection has expired. This is true not only for book
publishers but also in the music industry.

A crucial question therefore arises: If public domain is so important and so
beneficial, why do we have to wait for so long after the artist's, painter's
or writer's death to have works of art finally in the public domain?

The original idea behind copyright monopolies was to favour creativity and
to enable artists, writers and authors to continue to create. This would be
a great and praiseworthy purpose if only it had not been turned away from
its primary goals. Copyright is currently the rule and the public domain is
the exception.

The content industry continually asks for, and receives, ever-longer
copyright terms, and consequently the public domain continually
decreases. Just recently, and after strong lobbying by the music industry,
the European Union decided to extend copyright for performers and producers
from 50 to 70 years. Turning their backs on Victor Hugo's idea of his work
as a shared good, some in the rightsholders' lobby are pushing the limits of
protection and moving cultural goods out of the reach of society. They
argue that it serves the economy, helps to keep jobs and improves
investment in new talent. However, what they miss here is that access to
the works of the artists they claim to represent is restricted for the
public, for other publishers and for other record companies. In the end,
this only serves the majors and the most famous artists, who are least in
need of this "protection". Finally, while these dominant industries claim
that term extension is needed in order to invest in new talent, the policy
of ever-longer copyright extension does not create any incentive to do so.
In the absence of such an incentive, major record companies will continue
to invest only in performers that will bring in long-term revenues, so
alternative and less popular musicians will be left out, undermining
cultural diversity.

Nowadays, the protection of works subject to copyright is based not on their
date of publication but on the death of the author, and as life expectancy
has increased, the public domain is proportionally diminishing. If
copyright is meant to incentivise creation, what is the logic behind
remunerating artists for ever-longer periods after their deaths? The entire
logic behind copyright protection has been subverted.

Cultural works are being locked away from the public and a greater barrier
is being built between the public and their culture. If copyright is meant
to defend culture and creation, it should not be used to create barriers
between citizens and their heritage.

Freud in the public domain (only in French, 27.01.2010)

EDRi-gram: New rules on term of protection of music recordings (21.09.2011)

The progressive weakening of the public domain (only in French, 2.01.2012)

Public domain calculator

(Contribution by Marie Humeau - EDRi)

11. Recommended Action

5th International Computers, Privacy & Data Protection Conference: "European
Data Protection: Coming of Age"
CPDP 2012 takes place during a significant stage of the revision of the EU
legal framework on data protection, so several panels will focus on the
review and the latest legislative proposals. More than 20 panels will be
organized on key issues such as geolocalization, e-identity and
e-management, enforcement of copyright protection, surveillance in the
workplace, accountability and communication of privacy. In addition, there
will be workshops and special sessions on topics such as eDiscovery,
privacy impact assessments and "privacy by design", smart metering and
transborder data flows. Since 2012 was declared the European Year of Active
Ageing, three sessions will be devoted to the theme of Ageing and New
25-27 January 2012, Brussels, Belgium

Corporate Responsibility to Respect Human Rights
A new European Commission project will produce 3 sector-specific guides on
the Corporate Responsibility to Respect Human Rights. The choice regarding
which three sectors will be included in this project, based on
suggestions by stakeholders, will be made by the Commission and announced in
February 2012. Therefore, it is very important that you give your input in
order to highlight the importance of defending human rights in the digital
All stakeholders are invited to submit their suggestions for the choice of
sectors by emailing sectorguidance at ihrb.org by 6pm CET on 27 January 2012.

12. Recommended Reading

German police officer uses federal Trojan to spy on daughter. Her friend
then breaks into father's PC and police server (9.01.2012)

CMCS: Hungarian Media Laws in Europe: An Assessment of the Consistency of
Hungary's Media Laws with European Practices and Norms (5.01.2012)

France: Fingerprints and transmission of data: biometrics to protect
identity? (4.01.2012)

13. Agenda

23-24 January 2012, Brussels, Belgium
The European Thematic Network on Legal Aspects of Public Sector
Information - LAPSI 2nd Public Conference and 3rd Award

24 January 2012, Brussels, Belgium
PrivacyCamp.eu - UnConference on Privacy and Data Protection

25-27 January 2012, Brussels, Belgium
Computers, Privacy and Data Protection 2012

26 January 2012, Schaarbeek, Belgium
Big Brother Awards Belgium

27 January 2012, Brussels, Belgium
21.30 - 02.00 (come early!)
Privacy Party at Bozar

4-5 February 2012, Brussels, Belgium
FOSDEM 2012 - Free and Open source Software Developers' European Meeting

25 February 2012, Szeged, Hungary
Copyright and Human Rights in the Information Age: Conflict or Harmonious

16 March 2012, Rotterdam, Netherlands
EPSIplatform Conference: Taking government data re-use to the next level!

20 March - 1 April 2012, Berlin, Germany
Wikimedia Chapters Meeting 2012

13 April 2012, Bielefeld, Germany
Big Brother Awards Germany

16-18 April 2012, Cambridge, UK
Cambridge 2012: Innovation and Impact - Openly Collaborating to Enhance
OER12 and the OCW Consortium's Global Conference

2-4 May 2012, Berlin, Germany
Re:Publica 2012: ACTION!

14-15 June 2012, Stockholm, Sweden
EuroDIG 2012

20-22 June 2012, Paris, France
2012 World Open Educational Resources Congress

9-10 July 2012, Barcelona, Spain
8th International Conference on Internet Law & Politics: Challenges and
Opportunities of Online Entertainment

12-14 September 2012, Louvain-la-Neuve, Belgium
Building Institutions for Sustainable Scientific, Cultural and genetic
Resources Commons.

7-10 October 2012, Amsterdam, Netherlands
2012 Amsterdam Privacy Conference
Call for Papers by 1 February 2012

14. About

EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 28 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRi-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and are visible on
the EDRi website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users

- Newsletter archive

Back issues are available at:

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or

----- End forwarded message -----