EDRi-gram newsletter - Number 10.23, 5 December 2012

EDRi-gram edrigram at edri.org
Wed Dec 5 11:49:08 PST 2012


======================================================================

EDRi-gram

biweekly newsletter about digital civil rights in Europe

Number 10.23, 5 December 2012

=======================================================================
Contents
=======================================================================

1. European domain names under siege
2. International coalition calls for withdrawal of Dutch hacking plans
3. Lobbying DP Regulation: European Banking Federation as an example
4. Chisugate: Copyright blackmail in Finland
5. Russia: Pussy Riot's videos declared illegal on the Internet
6. Netherlands: legislation for forced decryption announced
7. German government proposes extended tracking of Internet users
8. Danish opposition wants to abandon the illegal medicine site blocking
9. ENDitorial: What could possibly go wrong?
10. Recommended Reading
11. Agenda
12. About

=======================================================================
1. European domain names under siege
=======================================================================

On 26 November 2012, 132 or 133 domain names were seized by the U.S.
Immigration and Customs Enforcement's Homeland Security Investigations
(ICE) in collaboration with Europol and national law enforcement
authorities. The seized domains were alleged to have illegally sold
counterfeit products online.

The joint press release of ICE and Europol not only fails to agree on
the number of domain names seized (132 on the ICE website, 133 on the
Europol website), but also does not seem to know the difference between
trademark and copyright ("the copyright holders confirmed that the
purchased products were counterfeit" or "banner that (...) educates them
about the federal crime of willful copyright infringement").

The US law enforcement authorities have seized domains before, but this
is the first time that European ccTLDs such as .be, .eu, .dk, .fr, .ro
or .uk have been involved. The authorities have not released the list
of the 31 European domain names involved in the action, but Torrentfreak
has already identified some of the sites, such as chaussuresfoot.be,
chaussurevogue.eu and eshopreplica.eu.

The official press release talks about "a great example of the
tremendous cooperation" that "enables us to go after criminals who are
duping unsuspecting shoppers all over the world." But there is no
information on whether the domain name holders were actually identified
and charged with an IPR infringement in criminal proceedings, whether a
court order was required to shut down the websites, or whether the
websites were actually targeting the US market, which would justify the
involvement of the US authorities.

Just a few days later, on 30 November 2012, several BitTorrent sites
including Torrentz.eu, Fenopy.eu and BTscene.eu found their .EU domains
put on hold by EURid, the European Registry of Internet Domain Names.
"This domain name has been registered and is on hold. It is active but
may not be traded or transferred pending the outcome of legal activity,"
say EURid's notes. EURid has made no further public comments, but
informed the domain name holders that the action was taken "upon request
of the Belgian Public Prosecutor following notification of pending legal
proceedings in respect of the website", without giving any details
regarding the legal proceedings involved.

DDL linking sites Sceper.eu and Downextra.eu, torrent site
RealTorrentz.eu, and streaming link sites WatchSeries.eu and
ChannelCut.eu are in a similar situation. All these sites appear in the
first few pages of Google's Transparency Report, which means that they
are associated with a rather high number of takedown requests. It seems
that now only three sites on Google's report have not, at least not yet,
been put on hold.

In other news on torrent domain names, the Torrentreactor.net and
Torrents.net domain names and IP addresses are to be blocked by all ISPs
in Italy following a local court injunction.

Websites selling counterfeit merchandise taken down by authorities in
Europe and the USA (26.11.2012)
https://www.europol.europa.eu/content/press/websites-selling-counterfeit-merchandise-taken-down-authorities-europe-and-usa-1855

BitTorrent Site Owners Fear European Domain Name Seizures (27.11.2012)
http://torrentfreak.com/bittorrent-site-owners-fear-european-domain-seizures-121127/

Top BitTorrent Sites Have Domains Put On Hold Pending Legal Action
(1.12.2012)
https://torrentfreak.com/top-bittorrent-sites-have-domains-put-on-hold-pending-legal-action-121201/

Italian Court Orders Nationwide Block of TorrentReactor and Torrents.net
(4.12.2012)
http://torrentfreak.com/italian-court-orders-nationwide-block-of-torrentreactor-and-torrents-net-121204/

=======================================================================
2. International coalition calls for withdrawal of Dutch hacking plans
=======================================================================

An international coalition of more than 40 civil rights organizations
and security experts has expressed "grave concerns" about a Dutch
proposal to break into foreign computers and search and delete data. In
a letter handed over to the Dutch Minister of Security and Justice by
the Dutch digital rights organization Bits of Freedom on Monday 3
December 2012, the coalition urgently calls upon the minister to
withdraw his proposal.

According to the international coalition, the proposal poses serious
risks to the human rights and cybersecurity of individuals worldwide.
This is aggravated by the fact that other countries will likely follow
the Netherlands' initiative. This would lead to a situation where
countries enforce their local laws on foreign computers. These local
laws would not solely address cybercrime, but also matters deemed
illegal in other countries, such as blasphemy and political criticism.

The coalition therefore strongly urges the minister to withdraw his
proposal. The letter is signed by more than 40 members of civil
society. These include civil rights organizations such as the Electronic
Frontier Foundation (US), Privacy International (UK), the Chaos Computer
Club (Germany) and EDRi. In addition, renowned security experts and
software developers Bruce Schneier (US), Richard Stallman (US) and Ron
Deibert (Canada) signed the letter.

The proposal will be debated in the Dutch parliament on Thursday, 6
December 2012. The letter is then likely to be discussed, as it received
broad media coverage. If you are interested in the outcome, please mail
directly to simone.halink at bof.nl.

EDRi-gram: Dutch proposal to search and destroy foreign computers
(24.10.2012)
http://www.edri.org/edrigram/number10.20/dutch-proposal-state-spyware

Dutch plans to remotely conduct searches and delete data on foreign
computers (30.11.2012)
https://www.bof.nl/live/wp-content/uploads/20121203-Sign-on_proposal_Opstelten.pdf

(Contribution by Simone Halink - EDRi member Bits of Freedom, Netherlands)

=======================================================================
3. Lobbying DP Regulation: European Banking Federation as an example
=======================================================================

With the discussions on the proposed General Data Protection Regulation
moving forward, lobbyists in Brussels are working overtime. One example
is the European Banking Federation (EBF), which submitted to MEPs a
letter outlining its position and proposed changes to the text. A
public version is available on the EBF's website. EDRi has also seen the
complete version with proposed amendments ready for copy&paste. Quite a
few of these amendments have been tabled word-for-word in the IMCO
Committee.

In short, the EBF wants weaker obligations on data breach notification,
implicit consent, lower fines, more profiling and more grounds for
lawful processing: a) processing of data taken from publicly available
lists or documents which should always be lawful; b) processing
"necessary to defend an interest, collecting evidences as judicial
proofs or file an action".

In a bit more detail, the EBF wants controllers to be able to use
"implicit" consent - no specific reasons are given for their
unwillingness or inability to ask for explicit consent for processing
personal data. Likewise, it wants to remove the provisions saying that
consent is required in situations where there is a significant imbalance
between the controller and data subject. Here, at least a reason is
given, namely that this could apply to banks.

Another proposal is to cut the fines data protection authorities can
impose on controllers who break the law - the Commission proposal had 1
million Euro or 2% of global annual turnover for companies as the upper
limit for the most egregious breaches. The EBF proposes to remove the
second part, claiming that such fines would be disproportionate.

Additionally, the EBF wants to make it easier to allow profiling. Their
arguments are that sometimes profiling customers is imposed by
anti-money-laundering laws, sometimes it makes sense for the banks to do
it, e.g. before approving real-estate loans, and finally, they argue, it
can sometimes be in the customer's interest. So, looking at the
Commission's proposal, when would profiling be allowed? If it is
expressly authorised by law; when it is carried out in the course of
entering into a contract; when it is based on the data subject's consent
- which would be easily obtainable for profiling measures that are
supposedly in their interest. So, while legitimate cases would already
be allowed, the EBF wants to push it further, to allow profiling when
neither the customer nor the law have approved it.

In some cases, the proposed changes also stem from a simple
misunderstanding of the proposal. For example, the EBF proposes
excluding the right to erasure if there is a legal obligation for the
controller to keep the data. Sounds sensible. So sensible, in fact, that
the Commission proposal contains a provision doing exactly this, just
two paragraphs below in the same Article! There are more examples of
such proposed changes duplicating rules that are already in the
proposal. Such changes would not help the text's clarity, and could
cause further misunderstanding when it is applied in practice. One
would imagine that industry lobbyists would be lobbying for more legal
clarity and not less.

The bottom line is that some of the proposed amendments seriously weaken
consumer protection, while others are based on a faulty understanding of
the text, introducing provisions that are not needed and undermining the
clarity of the Regulation. One would hope that this would not get the
EBF far, especially in the European Parliament Committee charged with
consumer protection. Think again. Many of its proposals on reasons for
lawfulness, consent, profiling, data subject rights, and fines have
simply been copied and pasted by several MEPs into their amendments.
Whether these amendments will be carried remains to be seen. But already
the fact that they were tabled shows how easily lobbies - even with
proposed changes that sometimes simply do not make sense - can
influence the political process. This was just one lobby group. There
are many, many more. Brussels is awash with data "protection" lobbying,
misunderstandings and misinformation. Whether the fundamental right to
privacy of 500 million Europeans will survive this onslaught is anyone's
guess. As usual, EDRi is chasing around the corridors trying to redress
the balance.

EBF lobbying letter
http://www.ebf-fbe.eu/uploads/D1391E-2012%20-%20EBF%20letter%20to%20Members%20of%20the%20European%20Parliament.pdf

EDRi's website on the Regulation
http://protectmydata.eu

(Contribution by EDRi intern - Owe Langfeldt)

=======================================================================
4. Chisugate: Copyright blackmail in Finland
=======================================================================

In the spring of 2012, in Finland, the father of a young girl received
what amounted to a blackmail letter from a copyright lawyer. The letter
demanded the payment of 600 Euros as damages for having distributed
copyright-protected music recordings. The letter also demanded that the
father sign a non-disclosure agreement regarding the matter.

The father contacted the lawyer and denied having distributed any
copyrighted material. He explained that his daughter, who had been nine
years old at the time of the so-called crimes, had tried to download
some songs of her idol, the Finnish artist called Chisu. The girl had
been saving money in order to buy Chisu's latest CD, but was impatient
to hear some songs from the album already, and so her dad showed her how
to write the appropriate keywords in search engines. Despite her
attempts, the girl only managed to download something that did not play.
Soon after that the father bought the CD for the girl.

In November 2012, something unbelievable happened. Two police officers
with a search warrant entered the home of the family and seized the
girl's computer. The police officers also suggested the father pay up
"to make things easier for everyone involved" because they would
immediately drop the matter if he did.

Even the Finnish Copyright Information and Anti-Piracy Centre (TTVK ry,
a private association of the copyright industry) has admitted that the
identity of a person who shares copyrighted material online cannot be
ascertained, and that, in Finland, the threat letters are sent to the
owner of the Internet connection. The owner of the connection is the one
who risks being subjected to a search and seizure of property.

TTVK also says that the majority of people who have received these
letters have agreed to the non-disclosure and payments demanded of them.
The amounts are smaller than in the US, but still hefty. Shocking but
true, apparently a copyright holder can demand mafia-style payments from
ordinary people who are told to hand over their money and shut up or
otherwise the police might come and take away their computers. TTVK has
openly admitted that the aim of the letters is to threaten other
downloaders.

The disturbing incident was covered in the Finnish online and printed
press, and made international headlines. In his detailed Facebook post
about the incident, the father makes it clear that he has supported
artists in many ways for his entire life, but as a result of the
unethical practices of the copyright industry he has come to question
the sanity of the copyright enforcement system.

After the incident had become a major PR headache for the copyright
lobby, the matter was settled out of court between the father and TTVK,
and the father apparently agreed to pay half of the originally demanded
amount (300 Euros). The seized laptop is now being returned to its
owner.

Electronic Frontier Finland (Effi) filed a request to investigate the
actions of the Helsinki district court and the police with the
parliamentary ombudsman. According to the court papers, TTVK only
had evidence that one music album had been downloaded from the IP
address which belonged to the father. The court interpreted this as
constituting significant ongoing damage to the copyright holder and
ordered the ISP to reveal the identity of the user of the IP address to
TTVK. In the opinion of Effi, this is an overreaching interpretation of
the Finnish copyright law. The police "planned the search and seizure
carefully" (in their own words) but failed to act in proportion to the
alleged damage: they should have only copied the contents of the laptop
for evidence instead of seizing the whole device. Additionally, as
police resources are limited nowadays, carrying out a search and seizure
operation in a minor case like this has probably delayed the
investigation of more important cases.

Antipiracy Center in Finland
http://antipiracy.fi/inenglish/

Payment demand for child's downloading part of a strike against piracy -
majority paid without resisting (only in Finnish, 21.11.2012)
http://ylex.yle.fi/uutiset/popuutiset/lapsen-latailusta-saatu-maksumaarays-osa-piratismin-vastaista-tehoiskua-valtaosa-

Payments of hundreds of euros for illegally downloading Chisu's album
(only in Finnish, 2.12.2012)
http://www.aamulehti.fi/Kotimaa/1194722011272/artikkeli/satojen%20eurojen%20maksut%20chisun%20levyn%20laittomasta%20imuroinnista.html

Post on Facebook from the father (only in Finnish, 20.11.2012)
http://www.facebook.com/aki.w.nylund/posts/10151139041245079

Request to investigate the actions of Helsinki district court and the
police in so-called Chisugate (only in Finnish, 27.11.2012)
http://www.effi.org/kirjeet/121127-effi-tutkintapyynto-chisugate.html

Anti-piracy group takes child's laptop in Finland (30.11.2012)
http://www.bbc.co.uk/news/technology-20554442

(Contribution by Otso Kassinen and Timo Karjalainen - EDRi member
Electronic Frontier Finland)

=======================================================================
5. Russia: Pussy Riot's videos declared illegal on the Internet
=======================================================================

On 29 November 2012, a Moscow court ruled that four videos of the
already famous dissident punk band Pussy Riot are extremist and should
therefore be banned on the Russian Internet. The court said that all
Russian websites that do not comply with this obligation could face a
fine of up to approx. 2500 Euro (100 000 roubles). Prosecutors took up
the case at the request of State Duma member Alexander Starovoitov, from
the Liberal Democratic Party of Russia.

The court refused to allow the one member of the punk band who was not
convicted, Yekaterina Samutsevich, to take part in the hearing. She was
freed last month after a court suspended her sentence.

A Google representative confirmed that the company would block the
content on YouTube in Russia once it received the court order. Under
Russian law, providers who host forbidden content are subject to
criminal prosecution.

"Whatever you think about these videos, they have become a part of the
history of this country. Just as in old times, we burned books. Now we
are deleting video clips which have undoubted historic significance."
commented Russian blogger and analyst Oleg Kozyrev to the Radio Free
Europe.

The extremist nature of the videos was explained by the fact that they
offended Orthodox Christians, the anti-Putin performance video having
been shot at Moscow's main Russian Orthodox cathedral. This is probably
why a spokesman for the Russian Orthodox Church welcomed the ruling.

The ruling "violates the right to freedom of expression and shows the
continued failure of the Russian justice system to protect political and
artistic dissent," said Dr Agnes Callamard, Executive Director of the
EDRi member ARTICLE 19, and explained that "the Russian government is
trying to hide its attacks on democracy, claiming that the punk prayer
which mocks the corrupt relationship between Putin and the church's
patriarch is an attack on religious believers".

The ruling is to be enforced from 1 January 2013, but could be
appealed. It is not clear who may appeal, though, after the
spokeswoman for Moscow's Court told journalists that Samutsevich has
no right to appeal the court's decision because she did not take part in
the hearing.

But the Russian authorities might be aiming at more rules for the
Internet. During the joint news conference held in Paris on 27 November
2012 by Russian Prime Minister Dmitry Medvedev and French Prime Minister
Jean-Marc Ayrault, Medvedev was asked a question about legislative
scrutiny with regard to Internet regulation in Russia. In his reply, the
Russian Prime Minister admitted that the current legislation regulating
the Internet is "imperfect" and called upon the international community
to "consider parameters to regulate the operation of the internet on the
national or international level." He also noted that the Russian
Internet legislation "should not be referred to as repressive because
not a single online source has been blocked or cut off during the
enforcement of this legislation."

Moscow court orders removal of "extremist" Pussy Riot online videos
(3.12.2012)
http://netprophet.tol.org/2012/12/03/moscow-court-orders-removal-of-extremist-pussy-riot-online-videos/

Moscow Court Designates Pussy Riot Videos As 'Extremist' (3.12.2012)
http://www.rferl.org/content/pussy-riot-video-extremist-russia/24784613.html

Moscow Court Finds Pussy Riot Video 'Extremist' (29.11.2012)
http://en.rian.ru/russia/20121129/177815365.html

Special Report On Russia: Enforcement Against Online Copyright
Infringement (3.12.2012)
http://www.ip-watch.org/2012/12/03/special-report-on-russia-enforcement-against-online-copyright-infringement/

Transcript of the Medvedev-Ayrault joint press conference (27.11.2012)
http://government.ru/eng/docs/21621/

Russia: Pussy Riot "punk prayer" video banned (30.11.2012)
http://www.article19.org/resources.php/resource/3547/en/russia:-pussy-riot-%E2%80%98punk-prayer%E2%80%99-video-banned

=======================================================================
6. Netherlands: legislation for forced decryption announced
=======================================================================

The Dutch Minister of Justice has sent a letter to the House of
Representatives announcing a proposal for legislation that will allow
the police to force a suspect to decrypt information that is under
investigation in a case of terrorism or sexual abuse of children. The
Minister has ignored all major conclusions and recommendations set forth
in the report commissioned by his department.

The Dutch House of Representatives had urged the Minister of Justice to
investigate the feasibility of such an injunction. Parliament felt
these extra powers to be necessary after the media reported that the
police were having difficulties accessing encrypted information on the
computer of someone suspected of sexually abusing children. However,
there has been no supporting evidence that this is a structural problem.

Last year, the Minister agreed to investigate the feasibility of such an
order. He promised to look into its compatibility with the privilege
against self-incrimination, the experiences of other countries in
implementing such legislation, and technical developments. A
comprehensive report was sent to Parliament last week, accompanied
by the announcement of a legislative proposal.

The report states that, although such an injunction will always be an
infringement on the privilege against self-incrimination, this privilege
does not preclude such an injunction, as there may be legitimate
interests at stake. The report sets out that the European Court of
Justice considers four criteria to determine whether a forced decryption
is acceptable. These criteria are:
i) the nature and extent of the coercion,
ii) the public interest,
iii) the presence of relevant safeguards, and
iv) the way in which the decrypted information is used.

The research also looks into the use of similar powers in other
countries. The United Kingdom has an extensive regulation with quite
some safeguards for legal protection. France has a similar law and in
the United States the enforced decryption is defined by case law.
However, these legal systems differ from those in the Netherlands
considerably. As a result, the experiences from these countries cannot
easily be translated to the Dutch legal system.

The research also examined the enforceability and developments in
technology. It finds that the use of encryption is rising and that the
concept of "plausible deniability" makes it hard to prove the existence
of encrypted information in the first place. The researchers doubt the
effectiveness of the proposed powers when used against serious
criminals. Such an injunction will only work against petty criminals.

The research concludes with three proposals, apart from maintaining the
status quo. One option would be to codify the procedure for such an
injunction, but not to penalize refusal by the suspect. Alternatively,
refusal could be penalized. This last proposal comes in two flavours:
one in which the decrypted information is excluded from the case against
the suspect, and one in which the information may be used against the
suspect as well.

Based on this research, the Minister has now announced a proposal for
legislation that will allow the police to force a suspect to decrypt
information that is under investigation in a case of terrorism or sexual
abuse of children. The suspect will be penalized if he refuses to
provide access to the information. The Minister does not want to leave
any room for the exclusion of evidence. The Ministry has thus ignored all
major conclusions and recommendations of the report.

Letter of Minister of Justice to the House of Representatives,
announcing legislation to allow police to force a suspect to decrypt
information (only in Dutch, 28.11.2012)
http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/kamerstukken/2012/11/28/brief-over-onderzoek-naar-wettelijk-decryptiebevel/kamerbrief-onderzoek-naar-wettelijk-decryptiebevel.pdf

Research: forced decryption and the privilege against self-incrimination
(only in Dutch, 28.11.2012)
http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/kamerstukken/2012/11/28/het-decryptiebevel-en-het-nemo-tenurbeginsel/het-decryptiebevel-en-het-nemo-tenurbeginsel.pdf

Bits of Freedom: forced decryption will not work and makes the
Netherlands more insecure (28.11.2012)
https://www.bof.nl/2012/11/28/decryptiebevel-werkt-niet-en-maakt-nederland-onveiliger/

(Contribution by Rejo Zenger - EDRi member Bits of Freedom, Netherlands)

=======================================================================
7. German government proposes extended tracking of Internet users
=======================================================================

The German government is proposing an amendment to the Telecommunication
Act that would allow law enforcement and intelligence agencies to
extensively identify Internet users, without any court order or
reasonable suspicion of a crime.

The proposed amendment comes as a result of the German Federal
Constitutional Court having decided in January 2012 that the rules
governing the retrieval of telecommunications data from providers were
unconstitutional. The Court found the provisions within the
Telecommunications Act granting authorities the right to access such
data unconstitutional and required additional specific provisions
within the relevant specific laws, such as the code of criminal procedure.

According to the draft amendment produced by the government, prosecution
authorities as well as security and secret services may request certain
personal data (such as the name, address or bank information of
customers) collected by telecommunications and Internet providers.
Explicit provisions allow the use of a dynamic IP address for the
identification of its holder. The amendment also includes a qualified
legal basis for the inquiry rights of the respective authorities against
providers. The identification of IP addresses is not to be limited to a
case-by-case basis. Providers are to install electronic data handover
interfaces. The government is also planning to grant access to e-mail
account passwords as well as to voicebox and mobile phone PIN codes
without clearly defining the preconditions for such access. Several
civil rights groups have expressed concern regarding the draft
amendment, considering that it poses a serious threat to civil
liberties.

"In the face of the fact that this has the quality of a breach of the
privacy of telecommunication, the present draft of a revised disclosure
of inventory data contains only insufficient provisions to guarantee the
basic rights. It is especially problematic that it lacks the necessity
of an injunction issued by a court or a state prosecutor. There has to
be a qualified legal basis which fulfils the requirements of the
principle of proportionality," says Henning Lesch, Head of Law &
Regulation of eco Association.

Revision of Telecommunications Act Constitutional? (2.11.2012)
http://international.eco.de/2012/news/revision-of-telecommunications-act-constitutional.html

New German draft on state authorities' rights to inquiry
telecommunications data from providers (11.2012)
http://www.linkedin.com/groups/New-German-draft-on-state-4375471.S.181168482

German government to legalize extensive tracking of Internet users
(26.11.2012)
http://www.vorratsdatenspeicherung.de/content/view/714/79/lang,en/
German version
http://www.vorratsdatenspeicherung.de/content/view/714/79/lang,de

Draft Amendment (only in German, 19.09.2012)
http://www.moenikes.de/ITC/wp-content/uploads/2012/10/2012-09-26_BR_Gesetzesentwurf_Bestandsdatenauskunft.pdf

=======================================================================
8. Danish opposition wants to abandon the illegal medicine site blocking
=======================================================================

A majority outside the Danish government parties proposes to abandon
blocking access to websites selling illegal medicine. The law (a new
revision of the laws regulating selling of medicine etc.) allowing
blocking of these sites was passed in May 2011.

Since that time, only one website, 24hdiet.com, has been blocked, and
new domains selling the same products as 24hdiet quickly appeared (e.g.
24hdiet.net).

Now, laws regulating the sale of medicine are being revised again to
implement EU directive 2011/62/EU.

The Enhedslisten party proposed an amendment to the revision to abandon
the blocking. The proposal is the result of the Enhedslisten
spokeswoman, Stine Brix, starting the debate on an Etherpad. The
questions put to the government were formulated on the Etherpad, and the
text of the amendment to abandon the blocking first appeared there as
well.

There is a majority in Parliament against the blocking, including the
parties of the previous government that introduced it. The spokeswoman
for the opposition party Venstre, the biggest party in Parliament,
explains that they had expected the blocking to work, but it turned out
not to be effective, and now she wants to focus on customs and
international cooperation.

The spokesman for the Social Democrats (a government party), Flemming
Møller Mortensen, told Information that something had to be done that
was more than a signal, something that they could believe would work,
"because it is really difficult with all the things that can be done on
the Internet across borders".

This is just about one kind of blocking. For example the blocking of
gambling sites is still in effect.

But maybe the tide is finally turning in Denmark.

DNS-censoring Illegal Pharmaceutical Vendors - 24hdiet.com Blocked
(30.09.2012)
http://blog.censurfridns.dk/en/node/32

Rollback of DNS Blocking (only in Danish)
http://openetherpad.org/b1zz1fEEf4

Majority outside the Government will remove net-blocking for medicine
pages (only in Danish, 27.11.2012)
http://www.information.dk/318311

(Contribution by Niels Elgaard Larsen - EDRi member IT-Pol, Denmark)

=======================================================================
9. ENDitorial: What could possibly go wrong?
=======================================================================

With the discussions on the proposed General Data Protection Regulation
in full swing and the first opinions of some European Parliament
Committees in, several themes of proposed changes emerge. One of these
can be paraphrased as "we shouldn't bother controllers with too many
obligations, they know their stuff and want to do the right thing".

Slightly more elaborate versions of this view have been used to justify
amendments aiming to cut documentation obligations and to lessen the
requirements on data breach notifications and information obligations.
There also seems to be an undercurrent of "in any case, it's usually not
that bad if things go wrong".

Indeed, how bad could it be if things go wrong? And do controllers
handle personal data responsibly? A few cases that made headlines in the
past years can provide examples.

Between 2005 and 2007, Deutsche Telekom used its own traffic data to spy
on journalists and trade union members of its own supervisory board in
order to stop leaks. According to the head of unit in charge of the spy
operation, this happened on behalf of the then-CEO and the chairman of
the supervisory board. Since then, this head of unit has been sentenced
to 3.5 years of prison, while the former CEO and the chairman of the
supervisory board claimed not to have known anything.

More recently, WhatsApp, a smartphone application for sending text
messages which is used around the globe to send more than a billion
messages per day, is in the news for an astounding series of privacy
gaffes. For starters, the service used to send messages without
encryption, so that exchanges could be easily spied upon. It seems that
WhatsApp's developers had been made aware of this security hole the
size of a barn door almost a year before they fixed it. Just a month
later, another security flaw was uncovered, which allowed WhatsApp
accounts to be taken over and messages to be sent from the compromised
accounts using simple tools: there was an app for that. Instead of
fixing the problem, WhatsApp sent legal threats to the developers of the
tools. Now, two and a half months later, this other barn door is still
wide open.

Between 2002 and 2005 Deutsche Bahn, a railway operator, screened
170 000 of its employees to find out about connections to subcontractors
and possible corruption. In 2006 and 2007, it also spied on employees'
e-mails to uncover whistleblowers, sifting through up to 150 000 e-mails
a day. The company's CEO had to step down over these scandals, while
still denying that any wrongdoing had occurred. Later on, investigations
confirmed the suspicions and Deutsche Bahn was fined 1.12 Million Euro
in 2009. Sounds like a lot? That year, it took Deutsche Bahn about seven
hours to make that amount in pre-tax profit.

In 2007 to 2010, when sending cars around the world to collect images
for its service Street View, Google also collected information on
wireless networks to be used to make cell phone localisation more
precise. The software used also collected content sent over open WiFi
networks, collecting websites visited, passwords, e-mails and other
information. Google was not forthcoming in the investigations, first
denying that payload data had been collected, then talking about a
simple "mistake", then blaming it on a rogue developer. In the end, it
turned out that the code in question was in fact documented, and that
oversight was "minimal", to quote from the US Federal Communications
Commission's investigation report, which fined Google 25 000 USD for
stonewalling the investigation.

In a different register, police authorities do not fare better. They
will be subject to a different text, a proposed Directive that contains
more lax rules than the Regulation. Here as well, egregious violations
can be found everywhere.

For example, officers of the Irish Police (Garda) used police databases
for their private interests, for example to run background checks on
their daughters' boyfriends. In another case, a police officer used
retained telecommunications traffic data to snoop on her ex-partner.
Such cases have been discovered again and again over the years,
following the usual pattern: they become public, the Data Protection
Authority (DPA) investigates and conducts audits, finds wrongdoings, the
Garda promises to change, rinse and repeat. In one case, the Garda
also adopted a "code of practice", endorsed by the DPA. It does not seem
to have helped much.

In Poland, the police, as well as the anti-corruption office and the
domestic intelligence agency, surveyed at least ten journalists of
various media between 2005 and 2007, using telecommunications traffic
data without court orders or any connection to ongoing investigations.
One of the journalists, of the influential Gazeta Wyborcza, wrote
several articles about well-known and sometimes controversial actions of
the anti-corruption office, the very office that later on requested his
traffic data. After the case became public, an investigation was
launched, but a regional prosecutor's office claimed to have found no
wrongdoing. Only after one of the spied-upon journalists went to court
did a meaningful investigation get under way. The court ruled on the
case in April 2012, saying that the anti-corruption office had violated
the journalist's privacy, as well as the right to protection of
journalistic sources.

In Dresden, Germany, the local police collected information on more or
less every mobile phone call made and SMS sent in the city, in total
almost one million connections, at the occasion of an anti-Nazi
demonstration. The police justified collecting the information with
several offences that occurred at the margins of the demonstration.
Saxony's interior minister defended the measure as being
"proportionate", even after it became public that the police also used
the data for totally unrelated investigations and had been told to stop
this by the local prosecutor's office. Months after being formally
reprimanded by Saxony's DPA, the police still used the data.

What all these examples, both from the private and the public sector,
show is that in many cases, incompetence or lack of oversight leads to
unacceptable shortcomings, while in others, it is straight-up malice. In
law enforcement, there seems to be a widespread belief among
practitioners that "we're the good guys", which in turn sometimes leads
to abuses. So no, we cannot trust controllers to know their stuff and
to want to do the right thing. And yes, it can be bad if things go wrong.

Whatsapp case
http://www.h-online.com/security/news/item/Account-theft-still-possible-with-latest-WhatsApp-1760639.html
http://www.h-online.com/security/news/item/WhatsApp-no-longer-sends-plain-text-1674723.html
http://www.h-online.com/security/news/item/WhatsApp-threatens-legal-action-against-API-developers-1716912.html
http://www.h-online.com/security/news/item/WhatsApp-accounts-almost-completely-unprotected-1708545.html
http://www.androidpolice.com/2012/05/02/whatsappsniffer-shames-whatsapps-plaintext-unprotected-chat-transfer-protocol-shows-off-just-how-much-can-be-sniffed/

Deutsche Telekom case
http://www.wiwo.de/5239704-all.html
http://www.wiwo.de/5239730.html

Deutsche Bahn case
http://www.heise.de/newsticker/meldung/Deutsche-Bahn-zahlt-Rekordstrafe-wegen-Datenschutzverstoessen-837477.html
http://www.heise.de/ct/meldung/Bahn-Datenskandal-Arbeitsminister-bekraeftigt-Forderung-nach-Arbeitnehmerdatenschutz-Update-210207.html
http://www.n24.de/news/newsitem_4936517.html
http://www.sueddeutsche.de/wirtschaft/spitzel-affaere-bei-der-bahn-tiefensee-macht-druck-1.486385

Google Streetview case
http://www.wired.com/threatlevel/2012/05/google-wifi-fcc-investigation/

Irish police case
http://www.edri.org/edrigram/number10.21/irish-dpa-police-self-regulation

Surveillance of Polish journalists case
http://wyborcza.pl/1,76842,8842563,Inwigilacja_dziennikarzy_badana_od_nowa.html
http://wyborcza.pl/1,76842,9763653,CBA_i_billingi_dziennikarza__Gazety_.html
http://wyborcza.pl/1,75478,11625664,Precedensowy_wyrok__CBA_nie_moze__ot_tak_sobie__nas.html

Dresden police case
http://www.taz.de/!73222/
http://www.taz.de/!94114/
http://www.heise.de/newsticker/meldung/Saechsische-Polizei-nutzt-weiter-Mobilfunkdaten-1390019.html

(Contribution by EDRi interns Katarzyna Syska and Owe Langfeldt)

=======================================================================
10. Recommended Reading
=======================================================================

Do we really want to put the ITU in charge of cybersecurity? (28.11.2012)
http://edri.org/ITU-fail
http://www.golem.de/news/internationale-fernmeldeunion-un-lassen-itu-blog-weitgehend-ungeschuetzt-1211-95980.html

Northern Ireland Court Orders Facebook to take down "Paedophile Watch"
page (30.11.2012)
http://inforrm.wordpress.com/2012/11/30/news-northern-ireland-court-orders-facebook-to-take-paedophile-watch-page/

EU urged to choose transatlantic convergence on data protection (5.12.2012)
http://www.euractiv.com/infosociety/eu-urged-choose-data-protection-news-516449

=======================================================================
11. Agenda
=======================================================================

27-30 December 2012, Hamburg, Germany
29C3 - Chaos Communication Congress
http://events.ccc.de/category/29c3/

20-23 January 2013, Brussels, Belgium
The Power of Information - How Science and Technology can Make a Difference
http://www.ThePowerofInformation.eu

23-25 January 2013, Brussels, Belgium
CPDP 2013 Conference - Reloading data protection
http://www.cpdpconferences.org/callforpapers.html

2-3 February 2013, Brussels, Belgium
FOSDEM
https://fosdem.org/2013/

22 February 2013, Warsaw, Poland
ePSIplatform Conference: "Gotcha! Getting everyone on board"
http://epsiplatform.eu/content/save-date-22-february-2013-epsiplatform-conference

21-22 March 2013, Malta
Online Privacy: Consenting to your Future
CfP by 14 December 2012
http://www.onlineprivacyconference.eu/

6-8 May 2013, Berlin, Germany
re:publica 2013
http://www.re-publica.de

25-26 June 2013, Barcelona, Spain
9th International Conference on Internet Law & Politics: Big Data:
Challenges and Opportunities.
http://edcp.uoc.edu/symposia/idp2013/?lang=en

31 July - 4 August 2013, Geestmerambacht, Netherlands
Observe. Hack. Make. - OHM2013
https://ohm2013.org/

24-27 September 2013, Warsaw, Poland
Public Voice Conference 2013
35th International Data Protection and Privacy Commissioners conference
http://www.giodo.gov.pl/

============================================================
12. About
============================================================

EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 32 members based or with offices in 20 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge
and awareness through the EDRi-gram.

All contributions, suggestions for content, corrections or agenda-tips
are most welcome. Errors are corrected as soon as possible and are
visible on the EDRi website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRi and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in
the EU. If you wish to help us promote digital rights, please consider
making a private donation.
http://www.edri.org/about/sponsoring
http://flattr.com/thing/417077/edri-on-Flattr

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay.
Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/mk/vesti/edri

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are
provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian
Association for Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing
or unsubscribing.
